Search Engines like Google turned into Hacking Tool!
How do the hackers use search engines as a free hacking tool?
The search engines are the most useful and handy tool in the cyber world. No matter what kind of information you need, all you need is a browser and an Internet connection and you get everything that you are looking for. But most of us forget that things that are normally created to do good to people can also be misused by people whose only hobby or profession is to get their hands on what they are not allowed to. You would be surprised to know that the only thing that turns search engines like Google into an easy but deadly weapon is the laziness or less knowledge of people who has got their stuff online. Unfortunately a big majority of those people are the System Administrators of the companies, who fail to protect the important confidential information that belongs to their employer. I am not writing this article to teach somebody how to get somebody’s confidential info or download illegal stuff. I should not be held responsible for any kind of misuse of the information contained in this article.
What kind of data can one actually search and download?
Nearly everything that can be downloaded or accessed over Internet through other means, can be downloaded or accessed more easily and safely with the help of search engines. This can be the confidential electronic data of your company such as xls, doc, pdf, jpg etc files or this can be illegal music or videos etc, and this is not all; this can be the lists of your passwords etc too which can open access to your mail accounts, bank accounts or other databases etc.
How does it happen?
The answer is more then just simple. Let’s take the the mother of search engines "The Google" as an example. The search engines give you the facility to search specific data types and that is the option that is normally being misused. Imagine yourself as a cyber thief who wants to get certain information. Then think what format could be the files that would probably contain the information you need. Ok how about getting some password files? Oh Yes! They can most probably be either .txt files or .xls files which can be opened with Notepad or Microsoft Excel program. You would then use the Index of and filetype strings to search the possible name of the file along with the data type. To do that you would simply go to www.google.com and search for the following phrase:
Index of /passwords filetype:txt
Or
Index of /passwords filetype:xls
The first query will return all the results where the file types would be .txt and the second one will show you all files that are .xls type with the passwords as the part of the names. Everything that a thief needs is now on the screen. Isn’t it scary? Such an easy access to such a sensitive data! Or consider getting a collection of .mp3 songs free to download. The cyber thief only needs the name of the song and he will get it even in multiple formats. Suppose he wants to download the song "Push The Button" in mp3 format. He just goes to Google and searches for:
Intitle:index.of "push the button" mp3
Wow, a whole list of web URLs where this song is freely available to download and not just this, the person who whose URL provides the access to songs has got his whole music albums uploaded there. Normally those are URLs of web spaces where some people or companies upload their data and music etc but forget that their site is listed in search engines and without password protection the folders and data can be exposed to outside world. Now the cyber thief is just a little bit scared if he is accessing a big company’s data, because the web site logs the information such as IP addresses and other details of their visitors. In that case an expert thief uses a second method for his safety "Anonymous Proxy Servers". That means that he involves a third party to reflect the data to him. The anonymous proxy servers masks the IP address and host information of the visitor so that means that if you are using a proxy server and access my site; I would not be able to see the real information that can be used to identify you. Anyway, the topic of proxy servers can be discussed in the next article as right now we can not go much in detail.
Ok, that was how the evil brains turn the useful search engines into a weapon. Now let’s have a look at how can you save yourself if your data is also unwillingly listed.
1. Password protect your directories which contains confidential information or preferably make new directories with new names and passwords and move your data to the new locations so that the link listed in the search engines can not be used to access your data.
2. Make create robots.txt file in the root directory of your web space and include the names of the directories which you don’t want to be listed in search engines listings. So that the Google and other search engine bots will not crawl those directories and this way they will not get listed.
3. Try to avoid putting your confidential data online as much as possible, because no matter what somebody says, there is no perfect protection for anything that is online. It is often said in the world of Networking that the only computer that is safe on the network is the one which is not connected.
There are other strings as well that can be very useful to search with Google. I am writing a little about the syntax of that too only for the positive use and knowledge of those who want to know.
Inurl:YourSearchWord inurl: lets you search the URLs with specific words. Suppose if you search a URL that contains the word "Dog" you would search the phrase:
Inurl:dog
This will return the results for only the list of URLs containing the word Dog.
Site: This string is used to search for the sites with a specified domain name extension. For example .net .com .uk .mil etc. So if you search for:
Site:net computing
You will get the list of the sites having .net as the domain name extension and having the word "computing" as the search or keyword.
Index of This option allows you to find the directory listings of specific folders on servers. For example if you want to search the directory listings of admin folders then:
index.of.admin
This would give you the directory listings of admin folders.
Intitle: This string gives you the ability to search for html files that have a certain word or phrase in their titles.
Intitle:your word or phrase
Would show you the listing of those html files which have "your word or phrase" in the title.
If you look at all those options, you will find out that all of them are basically for positive use. They help you get more specific results if you are searching through a search engine but there are always black sheep who would try to find out a negative use for almost everything that they know. I hope that none of the readers would use the above information in any illegal activity. I also request a direct feedback or comments in email again for future so that I can improve myself too. Good Luck!
CyberScout.Net!
My Cyber Home!
My Cyber Home!
|
No comments:
Post a Comment