Categories: Hacking

The Next Generation Search Engine Hacking Arsenal

The title is borrowed from a presentation made by Francis Brown of Stach & Liu, Hacker Halted 2011 in Miami.
The presentation focus on two topics that are crucial in the modern scenario:

Cloud Computing
Search engines

demonstrating the fact that the overall safety of complex systems can be impacted by incorrect implementation of the “cloud” paradigm. Through the knowledge of authentication mechanisms is relatively easy to retrieve access codes, passwords and secret keys necessary for access to data stored within a cloud as happened for Amazon’s EC3.

Let me remind you the OSINT definition

“a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available

sources and analyzing it to produce actionable intelligence.”

LulzSec and Anonymous believed to use Google Hacking as a primary means of identifying vulnerable targets, it is camplete and updated source where is possible to retrieve info regarding

Advisories and Vulnerabilities
Error Messages
Files containing juicy info
Files containing passwords
Files containing usernames
Footholds
Pages containing login portals

Application developers and system administrators who want to deploy their applications on cloud infrastructures should be aware that files can be subject to indexing of search engines through an ordinary Google search.

Francis Brown of Stach & Liu LCC has proved this during the event … I invite all to the careful reading of the paper. That is incredible!

Pulpe Google Hacking

I conclude saying that the maturity of a paradigm like the cloud can be measured through the security processes implemented and through the level of knowledge of administrators and developers who intend to use it.

Unfortunately today the scenario is still far from reassuring.

http://www.darkreading.com/cloud-security/167901092/security/vulnerabilities/231902718/cloud-services-credentials-easily-stolen-via-google-code-search.html

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.