The Next Generation Search Engine Hacking Arsenal

Pierluigi Paganini November 13, 2011

The title is borrowed from a presentation made by Francis Brown of Stach & Liu, Hacker Halted 2011 in Miami.
The presentation focus on two topics that are crucial in the modern scenario:

  • Cloud Computing
  • Search engines

demonstrating the fact that the overall safety of complex systems can be impacted by incorrect implementation of the “cloud” paradigm. Through the knowledge of authentication mechanisms is relatively easy to retrieve access codes, passwords and secret keys necessary for access to data stored within a cloud as happened for Amazon’s EC3.

Let me remind you the OSINT definition

“a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available

sources and analyzing it to produce actionable intelligence.”

LulzSec and Anonymous believed to use Google Hacking as a primary means of identifying vulnerable targets, it is camplete and updated source where is possible to retrieve info regarding

  • Advisories and Vulnerabilities
  • Error Messages
  • Files containing juicy info
  • Files containing passwords
  • Files containing usernames
  • Footholds
  • Pages containing login portals

Application developers and system administrators who want to deploy their applications on cloud infrastructures should be aware that files can be subject to indexing of search engines through an ordinary Google search.

Francis Brown of Stach & Liu LCC has proved this during the event … I invite all to the careful reading of the paper. That is incredible!

Pulpe Google Hacking

I conclude saying that the maturity of a paradigm like the cloud can be measured through the security processes implemented and through the level of knowledge of administrators and developers who intend to use it.

Unfortunately today the scenario is still far from reassuring.

you might also like

leave a comment