Remember Google hacking? Well, it's back, and it's sexier: a pair of researchers built tools that make Google-hacking yourself faster and more efficient.
Fran Brown and Rob Ragan, researchers for Stach & Liu, wrote a series of tools called Diggity that speed up the process of detecting security vulnerabilities via Google or Bing searches. The goal is for enterprises to find those bugs -- SQL injection, cross-site scripting, etc. -- in their servers before attackers do.
"We wanted to find a way to bring search engine hacking back into light because it's a pretty effective method of finding vulnerabilities, and we see it being used more and more [by malicious attackers]," Ragan said.
DIY Google-hacking typically requires searching one domain at a time, and that just doesn't scale when you're talking about an enterprise with hundreds of domains. Brown says the Diggity tools are akin to an IDS that sniffs out known attacks. The tools are composed of databases of known Google and Bing hacks, Foundstone's repository of search engine hacks, and Stach & Liu's own database of known vulnerabilities and hacks.
It works like this: When a tool finds a potential hack, it sends a Google alert to the enterprise, which can then have Google halt indexing of the affected pages. That gives the enterprise time to fix the flaws offline.
Brown says Diggity could prevent disasters such as when the user database of Groupon's Indian subsidiary Sosata.com was inadvertently published online and exposed emails and passwords of its 300,000 users. "To put it in perspective, if Groupon.com had been using our tools, they would have gotten an alert via iPhone or Droid and found the vulnerability before anyone else did," Brown said.