'Diggity' family of search tools will help security teams and pen testers find searchable flaws before bad guys, Stach & Liu researchers say.
Go Google-hack yourself.
No, it's not a curse. It's a bit of advice being prepared by two researchers who will present a new batch of search engine-based hacking tools at the Black Hat USA conference in Las Vegas next month.
Fran Brown and Rob Ragan, both researchers at the consulting firm Stach & Liu, are planning to roll out a series of tools--dubbed "Diggity"--that speed the process of finding security vulnerabilities via Google or Bing. The tools are designed to help enterprises "Google hack" themselves to identify potential avenues of attack before the bad guys do.
"We wanted to find a way to bring search engine hacking back into light because it's a pretty effective method of finding vulnerabilities, and we see it being used more and more [by malicious attackers]," Ragan said.
Indeed, just last week, the Stach & Liu researchers offered evidence that the LulzSec hacker group used Google hacking to choose its targets during its run of hacks on the websites and databases of well-known companies and government organizations.
At Black Hat, the researchers will demonstrate how enterprises can use Google hacking tools on themselves to expose flaws in their data and applications that might be found using a search engine. The tools--each of which carries the name "Diggity"--enable enterprises to search across multiple domains to identify Google-searchable flaws that might lead to common attacks, such as SQL injection and cross-site scripting.
"You can do this yourself with Google, but you would typically have to do it on one domain at a time, and that can be incredibly time-consuming when you're an enterprise that has hundreds of domains," Brown says.
Brown compares the Diggity tools to an intrusion detection system that searches for known attacks.
Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.
Dark Reading Tech Digest, Dec. 19, 2014Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Published: 2015-02-01 Algorithmic complexity vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x through 3.1.2 allows remote attackers to cause a denial of service (CPU consumption) via vectors that trigger colliding hash-table keys. NOTE: this vulnerability exists because of an incomplete fix for CVE-2...
Published: 2015-02-01 ASUS JAPAN RT-AC87U routers with firmware 220.127.116.11.378.3754 and earlier, RT-AC68U routers with firmware 18.104.22.168.376.3715 and earlier, RT-AC56S routers with firmware 22.214.171.124.376.3715 and earlier, RT-N66U routers with firmware 126.96.36.199.376.3715 and earlier, and RT-N56U routers with firmware 188.8.131.52.376....
Published: 2015-02-01 Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware 184.108.40.206.378.3754 and earlier, RT-AC68U routers with firmware 220.127.116.11.376.3715 and earlier, RT-AC56S routers with firmware 18.104.22.168.376.3715 and earlier, RT-N66U routers with firmware 22.214.171.124.376.3715 and earl...
Published: 2015-02-01 Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shel...
Published: 2015-02-01 Stack-based buffer overflow in an unspecified DLL file in a DTM development kit in Schneider Electric Unity Pro, SoMachine, SoMove, SoMove Lite, Modbus Communication Library 2.2.6 and earlier, CANopen Communication Library 1.0.2 and earlier, EtherNet/IP Communication Library 1.0.0 and earlier, EM X8...
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.