Digital World: Google's secrets - and yours

Google hacking sounds bad, but it's not "real" hacking - and it isn't illegal, either. A true hacker tries to extract sensitive information off a private, secure server that s/he must attain access to illicitly.

By DAVID SHAMAH
May 9, 2006 07:18
google logo 88

google logo 88. (photo credit: )

 
X

Dear Reader,
As you can imagine, more people are reading The Jerusalem Post than ever before. Nevertheless, traditional business models are no longer sustainable and high-quality publications, like ours, are being forced to look for new ways to keep going. Unlike many other news organizations, we have not put up a paywall. We want to keep our journalism open and accessible and be able to keep providing you with news and analyses from the frontlines of Israel, the Middle East and the Jewish World.

As one of our loyal readers, we ask you to be our partner.

For $5 a month you will receive access to the following:

  • A user uxperience almost completely free of ads
  • Access to our Premium Section and our monthly magazine to learn Hebrew, Ivrit
  • Content from the award-winning Jerusalem Repor
  • A brand new ePaper featuring the daily newspaper as it appears in print in Israel

Help us grow and continue telling Israel’s story to the world.

Thank you,

Ronit Hasin-Hochman, CEO, Jerusalem Post Group
Yaakov Katz, Editor-in-Chief

UPGRADE YOUR JPOST EXPERIENCE FOR 5$ PER MONTH Show me later Don't show it again

Warren Buffett can feel confident about sinking his $4 billion into Israel - at least from an electronic security point of view. I can say with utmost certainty that the country's most sensitive secrets are safely stowed away on secure servers, inaccessible to the public. Try as I might, I couldn't find any Word documents marked "top secret" regarding Israel's plans regarding Iran on the Ministry of Foreign Affairs Web site (www.mfa.gov.il); no Powerpoint presentations on Israel's alleged nuclear weapons program on the Ministry of Defense site (http://www.mod.gov.il); no PDFs on future political plans on the main government site (http://www.info.gov.il) - nothing, nada not a thing! Even using the special advanced "Google hacking" techniques I learned from Johnny (johnny.ihackstuff.com), I couldn't get an untoward, scandalous or headline-making fact on any of the burning issues of the day. One less thing for Warren Buffett to worry about. Google hacking sounds bad, but it's not "real" hacking - and it isn't illegal, either. A true hacker tries to extract sensitive information off a private, secure server that s/he must attain access to illicitly. Of course stealing information off such a server is prosecutable in most places - and often punished harshly. Google hacking, on the other hand, "attacks" publicly available Web sites that don't require anything more to enter than typing an address into a Web browser. Using Google's advanced search techniques and operators in creative ways, you can discover a world of information you never imagined existed on the publicly available worldwide web. Did you know, for example, that you can search a specific site for nearly any file type, including PDFs, MS Word files, Powerpoint presentations, Excel spreadsheets and many others. Or, that using Google's "site" operator (for example, typing into the Google search box "site:Microsoft.com"), you can map an entire site and list all the Web pages on your Google results list, without having to visit that site at all - thereby allowing you access to information about your target without letting the site's server record your IP address on a site hit? That you can use the "intitle" operator to determine what Web server your target site is using and thereby determine the best way to hack into it using the server's built-in proven weaknesses? It may come as a shock to many, but little ol' Google can be, and is being, used to get at information that site administrators never intended to make public - and never imagined would be publicly visible. And Johnny (whose surname is Long), a former "bad boy" hacker who has climbed onto the straight and narrow, is just the guy to teach these techniques, which he developed during an apparently colorful hacking career breaking into secure sites as a cyber-hoodlum. He now does the exact same thing working on the side of good, getting paid by large corporations to break into their servers in order to ensure that they are secure and check for weaknesses. The basic document on the subject is The Google Hacker's Guide, a PDF file available at Johnny's site (he's also written a more extensive book the subject, at tinyurl.com/o5sls. The Google Hacker's Guide contains not only details on the secrets behind Google's advanced operators (which you can read all about at http://www.google.com/help/operators.html - it also gives concrete examples of how these techniques can be used to find "interesting" stuff, just this side of the legal barriers against illicit electronic snooping. Google, of course, gets its information through the not so judicious use of Web search bots, which traverse the cybersphere recording information about sites and associating them with keywords in the Google database. Any site you can click on and enter using a Google search is technically fair game for super snooping (if it weren't, it would be password protected) - and sometimes (quite often, apparently), administrators leave publicly accessible information that was supposed to be hidden, making them "Googledorks" as far as Johnny and his fans are concerned. And among the features of the site is a very active forum dedicated to coming up with exploits that can be used to ferret out the messy work of Googledorks. And don't think that sensitive information goes away after a Googledork realizes his or her errors and secures the server - Google lets you search its cache of documents, meaning that you can hack into Google's back pages and ferret out sensitive information, even if it's no longer publicly accessible! And again, all this is legal - at least technically. However, these techniques can definitely - and often easily - be used to undertake "shady" operations, like obtaining passwords to hack into individuals' accounts at Web sites that demand IDs - even sites that charge money for access. Using some of the very basic searches at tinyurl.com/lcpzum, for example, I could have accessed, if I so wanted, a bunch of private sites after having Googled for password files which were in areas of Unix servers that were supposed to be off-limits, including some "off color" sites. If any electronic law enforcement folk are reading this, by the way, note that I said "could have" as opposed to "did" (my lawyer told me to write that!). Close examination of the forums will reveal even more advanced techniques and searches that can, if aimed at the right server, yield you a whole lot of sensitive information, and if you know what you're looking for on a particular Web site, chances are good you're going to find it using these techniques if the system administrator is anything less than 100% competent. Of course, once a site gets on Johnny's list, it gets fixed up right away. But the real power of Google hacking is that anybody can be a victim - and in the wrong hands, it can be as dangerous, if not more so, than "real" hacking because you won't be able to easily touch the hacker legally. Luckily, Johnny gives you ideas on how to protect yourself at his site - and if you're a site administrator, you're going to want to check out Johnny's site very carefully. Ds@newzgeek.com

Related Content

[illustrative photo]
September 24, 2011
Diabetes may significantly increase risk of dementia

By UNIVERSITY OF MICHIGAN HEALTH SYSTEM