Pierluigi Paganini
August 29, 2014
On July 7th, the FBI and the National Counterterrorism Center issued a memo to warn law enforcement and private security agencies about the practice of Google Dorking and its capabilities.
The FBI warns the recipients of the memo on the possible use of Google Dorking to “locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks.”
The Bureau is concerned about the possibility that information gathered with Google Dorking could be used to gather sensitive information to use in cyber attacks, a common practice in the hacking and the intelligence community.
“Malicious cyber actors are using advanced search techniques, referred to as ‘Google dorking,’ to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks,” “By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.” states the memo.
The memo mentions the Advanced Operators for Web Search and their possible use to locate specific contents based on site, file type, URL and much more.
The FBI isn’t the unique agency interested to Google Dorking, in May 2013 it was revealed the existence of the book written by Robyn Winder and Charlie Speight for the NSA, titled Untangling the Web: A Guide to Internet Research, which also includes a specific session on the Google Hacking. NSA reserved an entire chapter to instruct its agents on how to conduct complex research thanks to queries composed with advanced operators.
The memo highlights an incident occurred in 2011 when a group of hackers discovered Social Security numbers of 43,000 people affiliated with Yale University using to Google Dorking.
Another similar incident mentioned in the memo occurred in October 2013, when nearly 35,000 websites compromised by hackers that used Google Dorking to locate vulnerable vBulletin installations.
The memo explains how it is possible to retrieve content and documents indexed in the government space, data that an attacker could use for various kinds of attacks like spear phishing.
Using the following query is possible to discover Government documents containing confidential data
filetype:"xls | xlsx | doc | docx | ppt | pptx | pdf" site:gov "FOUO" | "NOFORN" | "Confidential"
there FOUO states for “For Official Use Only” and NOFORN states means “Not for release to foreign nationals“.
The memo also provides the following suggestions to prevent Google Dorking used to search sensitive information:
» (U//FOUO) Minimize putting sensitive information on the web. If you must put sensitive information on the web, ensure it is
password protected and encrypted.
» (U//FOUO) Use tools such as the Google Hacking Database, found at http://www.exploit-db.com/google-dorks, to run pre-made
dork queries to find discoverable proprietary information and website vulnerabilities.
» (U//FOUO) Ensure sensitive websites are not indexed in search engines. GoogleUSPER provides webmaster tools to remove entire
sites, individual URLs, cached copies, and directories from Google’s index. These can be found at:
https://www.google.com/webmasters/tools/ home?hl=en.
» (U//FOUO) Use the robots.txt file to prevent search engines from indexing individual sites, and place it in the top-level directory of
the web server.
» (U//FOUO) Test your website using a web vulnerability scanner.
(Security Affairs – Google Dorking, FBI)
