Friday, November 12, 2010

Google Hacking

I recently completed a presentation called "Google Hacking" for a security group at RIT. Essentially, Google hacking involves using certain logical search operators to find critical files that Google has indexed but that should not have been indexed. This is usually the fault of the website's designers, because they did not specifically prevent Google from reading the content on their servers.

So what is the risk of having Google index your files? Well, let's think about the following search:
   - intitle:"Index of..etc" passwd


Now, here lies the problem. Imagine if someone were to get a hold of the passwords stored in "passwd." These passwords, which are typically hashed, can actually be broken using simple tools such as John the Ripper. After completing many of these searches, I determined that a surprising number of results were returned when searching for these types of files.
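A site owner can check their own pages for what that search matches. The following is an added example, not part of the original post or presentation: it flags a response whose title begins with "Index of", reports whether it lacks an `X-Robots-Tag: noindex` header, and lists linked file names that match an assumed watch list (`SENSITIVE`, `audit_page` and the sample page are constructed for illustration).

```python
import re
from html.parser import HTMLParser

# Assumed watch list of file names; extend it for your own environment.
SENSITIVE = re.compile(r"(^|/)(passwd|shadow|\.htpasswd|\.env|id_rsa)$|\.(bak|sql|pem)$", re.I)

class ListingParser(HTMLParser):
    """Collects the <title> text and every href from one HTML page."""
    def __init__(self):
        super().__init__()
        self.in_title, self.title, self.links = False, "", []
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def audit_page(url, headers, body):
    """Return findings for one response fetched from a server you operate."""
    p = ListingParser()
    p.feed(body)
    title = p.title.strip()
    if not title.lower().startswith("index of"):
        return []  # not an auto-generated directory listing
    findings = [f"{url}: directory listing exposed (title {title!r})"]
    robots = {k.lower(): v for k, v in headers.items()}.get("x-robots-tag", "")
    if "noindex" not in robots.lower():
        findings.append(f"{url}: no X-Robots-Tag noindex, page is indexable")
    for href in p.links:
        if SENSITIVE.search(href.split("?")[0]):  # ignore column-sort query links
            findings.append(f"{url}: listing links sensitive file {href!r}")
    return findings

# Constructed sample response resembling a server-generated index page.
SAMPLE = """<html><head><title>Index of /etc</title></head><body>
<a href="../">Parent Directory</a> <a href="hosts">hosts</a>
<a href="passwd">passwd</a> <a href="site.sql.bak">site.sql.bak</a></body></html>"""

if __name__ == "__main__":
    for line in audit_page("https://example.test/etc/", {}, SAMPLE):
        print(line)
```

On Apache, such a listing is produced by `Options Indexes`; `Options -Indexes` turns it off.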

The web designers (or hosts) who create these websites need to secure these files, either by hiding them from search engines or, preferably, by encrypting the actual files. Here is my presentation:
