A hacker’s next target is just a web search
“Google idiot”. Sounds awkward, but it might just be the ticket for a hacker looking to wreak havoc.
The search technique is one of the many methods that criminals can use to find vulnerable computer systems and trace them to a specific location on the Internet. All they have to do is type in the right search terms, and they’re on the right track.
This is how an Iranian hacker found a vulnerable roadblock in the United States, according to a The story of the Wall Street Journal which quoted people familiar with the federal investigation into the security breach.
It’s a troubling example of what security researchers have long known: A computer system with outdated software is a constant target. This is because information about old and buggy software and how to hack it has a way of reaching the public very quickly.
Add Dorking (or “Google hack,” a term preferred by some cybersecurity professionals) to a growing list of tools that, when used together, can help automate the process of finding and exploiting weak spots anywhere, from a piece of a city’s infrastructure to a surveillance camera in your home or a business network that holds records of all of your personal information. Google is only one layer of this approach, and other search engines from Microsoft’s Bing to specialized Shodan.io can substitute for it.
Experts say that with these tools, a hacker could get out of bed, check their emails, and find alerts with information on how to hack you before breakfast.
“If you like it, you can attack it,” said Srinivas Mukkamala, managing director of cybersecurity firm RiskSense.
“I don’t need to know anything, and I can be a really bad guy.”
What saved the day in the case of the small Bowman Avenue dam in Rye Brook, New York, was that at the time of the breach in 2013, the dam, under maintenance, had been disconnected from the computer system that controlled him. Otherwise, the hacker could have taken control of the valve.
Similar techniques are known to have been used in espionage efforts.
Scary, right? But these search engines and warning systems only make it easier to find information that is already public.
More importantly, said Mati Aharoni of cybersecurity firm Offensive Security, these services help the good people more than they could possibly help malicious hackers, who will get their hands on information in some way. another one.
Aharoni trains people to use his company’s repository of known hacking attacks, the Exploit Database. Interns are great guys who need to track fatal flaws fast, he said. Hackers already have access to illegal tools that the good guys can’t use. “We are helping level the playing field.”
Shodan CEO John Matherly, whose Shodan.io search tool is used by security companies to find specific computers, agreed. If you are a hacker looking for vulnerable systems, “you can do it yourself for a relatively low price,” he said.
Hacking made easy
Above all research services are systems capable of sending automated alerts. One is the Google Hacking Diggity Project. It relies on services like Google Alerts, so you may receive a message letting you know when a search engine indexes new information on a particular topic. Google is not involved in the creation or operation of Diggity.
A lazy hacker could potentially use it to receive an alert when a vulnerable system and a tool to hack it are both available, RiskSense’s Mukkamala said.
But Diggity creator Fran Brown said his tools help people who defend websites and computer networks – or, for that matter, Internet-connected roadblocks – know quickly when their systems leak sensitive information or have a known vulnerability.
“Basically you can stumble upon dangerous and sensitive information just by searching on Google”,
said Brown, co-founder of cybersecurity consulting firm Bishop Fox.
It is not clear exactly how the Iranian hacker entered the dam’s systems after he found his location on the internet using Google. He was indicted along with six other Iranian hackers by the US Department of Justice for the dam attack and the attacks on banks.
He may have used the same vulnerability that reported the dam in a Google dork search to break in, or he may have used an unrelated attack.
But the hack always highlights what can go wrong if a security vulnerability persists on a system after it is released. When a manufacturer announces a fix, it’s a race against time to fix the problem. It’s also a race that those responsible for many internet-connected systems are losing, said Michael Bazzell, a former FBI cybercrime investigator.
“If this system hasn’t been fixed in the last few years,” Bazzell said, “it’s pretty trivial to go into it.”