By Andy Greenberg
When Johnny Long wants information online, he turns to the same tool as
most people: Google. But unlike the average Web user, Long isn't usually
looking for Paris Hilton news and movie reviews. He's digging for credit
card information, Social Security numbers and other private data stashed
on corporate servers.
Long isn't a cybercriminal--he just plays one in his day job, as a
researcher for the IT security firm Computer Sciences (nyse: CSC - news
- people ). But he is a hacker, one with a talent for innovating new
ways to penetrate corporate servers, albeit for testing purposes only.
He's also the author of Google Hacking for Penetration Testers , a
best-selling book that shows how to use seemingly harmless Google
(nasdaq: GOOG - news - people ) searches to uncover surprisingly
Long spoke with Forbes.com about his forthcoming book, a more general
kind of "Hacking for Dummies" guide to hacking without technical
knowledge, and the tricky question of whether to publicize hacking
techniques that require little more than a search engine and two hands.
Forbes.com: What is "Google hacking"?
Long: Google hacking is really just a subset of something I call
"no-tech hacking." You use un-technological methods to break technology.
After 10 years of trying, I've discovered a whole pile of ways to do
that. Dumpster diving (looking in office trash for security
information); tailgating someone into a secured facility; pretending to
be a UPS guy or a repair guy or a delivery guy ... these things work
almost all the time and require very little technical knowledge.
So where does Google come in?
In the beginning, we'd use Google to case the companies we'd be trying
to penetrate. But we discovered that the Google searches we were running
were returning more information about the company than they might
realize. Just by doing a search on a Web site, we'd find a password or
usernames that would grant us access.
Google hacking grew out of that. You perform a Google search looking for
sensitive information that either gives direct access to a network, or
something subtle that could be used in conjunction with other finds.
What kinds of vulnerabilities in Web sites have you found through Google
We have examples where you can put in a Google query and immediately get
access to part of a site that already has you logged in as an
administrator. We discovered that just by searching for certain terms,
you could find personal information like credit card numbers, Social
Security numbers, anything an attacker would need for identify theft. On
some education institution sites, we'd find entire Excel spreadsheets
with students' names, Social Security numbers and even grades. But
that's low-hanging fruit.
Without getting too technical, what's an example of a more subtle case,
where you combine Google hacking with more advanced hacking?
For example, Google can help you find where an SQL server is vulnerable.
SQL is basically the language of databases. Just by putting the right
terms into a form on the Web, like a registration form on a site, you
can do something called "SQL injection." Basically, your input into the
form is confused with SQL code, and that can allow you to read data
directly from a database, simply by typing into a Web login form.
Google allows you to find those vulnerabilities. If you type "MySQL
error with query" into Google, some of the results will tell you which
Web sites have had this error message, and that's the first step to an
SQL injection. It's a nice way to do reconnaissance. It probes the Web
very broadly without interacting directly with any target site, so it's
difficult to detect.
Is Google becoming a more powerful tool for hackers?
Search engine popularity in general has been growing. But more
importantly, the Web 2.0 movement means that everything is moving out to
the Web. There's an absolute explosion of corporate and personal
information out there.
Do you worry about the ethics of publicly discussing these tricks?
It's a huge debate in our industry. There are two camps: One camp says
that when you talk about vulnerabilities you give bad guys ideas, but
another camp says that you're helping good guys protect against bad
guys. In the case of Google hacking, certain queries, like credit card
queries, are very deadly stuff. So I've never talked about how to do a
credit card query, though I've talked about the risk. It's a very fine
line. I have to leave out enough information to avoid getting someone
into trouble, but give the audience an idea of what's going on. So I
always try to think about what it would mean to be on the other side of
getting hacked, and I keep my professional clients in mind.
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com