By Robert McMillan
IDG News Service
Somewhere out on the Internet, an Electric Bong may be in danger. The
threat: a well-crafted Google query that could allow a hacker to use
Google's massive database as a resource for intrusion.
"Electric Bong" was one of a number of household devices that security
researcher Johnny Long came across when he found an unprotected Web
interface to someone's household electrical network. To the right of
each item were two control buttons, one labelled "on," the other,
Long, a researcher with Computer Sciences Corp. and author of the
book, "Google Hacking for Penetration Testers," was able to find the
Electric Bong simply because Google contains a lot of information that
wasn't intended to lie unexposed on the Web. The problem, he said at
the Black Hat conference in Las Vegas last week, lies not with Google
itself but with the fact that users often do not realize what Google's
powerful search engine has been able to dig up.
In addition to power systems, Long and other researchers were able to
find unsecured Web interfaces that gave them control over a wide
variety of devices, including printer networks, PBX (private branch
exchange) enterprise phone systems, routers, Web cameras, and of
course Web sites themselves. All can be uncovered using Google, Long
But the effectiveness of Google as a hacking tool does not end there.
It can also be used as a kind of proxy service for hackers, Long said.
Although security software can identify when an attacker is performing
reconnaissance work on a company's network, attackers can find network
topology information on Google instead of snooping for it on the
network they're studying, he said. This makes it harder for the
network's administrators to block the attacker. "The target does not
see us crawling their sites and getting information," he said.
Often, this kind of information comes in the form of apparently
nonsensical information - something that Long calls "Google Turds."
For example, because there is no such thing as a Web site with the URL
"nasa," a Google search for the query "site:nasa" should turn up zero
results. instead, it turns up what appears to be a list of servers,
offering an insight into the structure of the U.S. National
Aeronautics and Space Administration's (NASA) internal network, Long
Combining well-structured Google queries with text processing tools
can yield things like SQL passwords and even SQL error information.
This could then be used to structure what is known as a SQL injection
attack, which can be used to run unauthorized commands on a SQL
database. "This is where it becomes Google hacking," he said. "You can
do a SQL injection, or you can do a Google query and find the same
Although Google traditionally has not concerned itself with the
security implications of its massive data store, the fact that it has
been an unwitting participant in some worm attacks has the search
engine now rejecting some queries for security reasons, Long said.
"Recently, they've stepped into the game."
Sept 16-18th, 2005
San Diego, California