
McAfee automates Google hacking

Web sites can check whether they are leaking info about their security to Google. But is the service a security tool or a hacking helper?

Robert Lemos Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
McAfee has released an update to its tool that uses Google to automatically search for security holes in Web sites.

SiteDigger 2.0, delivered on Monday, looks for information about a Web site's security by sending specific queries to Google's Web database. Known as Google hacking, such searches can turn up easily exploitable flaws and sensitive information, including credit card numbers and user account information.

The free service should help Webmasters stay informed about what information is out there regarding their sites, said Chris Prosise, vice president of worldwide professional services for security technology company McAfee.

"We built this tool really as an awareness tool," Prosise said, adding that SiteDigger highlights problems that Webmasters might otherwise not know about. "As a victim, you would never really know that someone was using this information."

SiteDigger does not discern whether the person using it is an authorized administrator of the site or a potential attacker looking for weaknesses. Prosise agreed that this means the tool could be used against a site, but pointed out that Google requires that any user of an automated service sign up with its Web services development program.

Recently, the Santy worm used Google queries to find potentially vulnerable computers, which the program would then try to infect with its code. Several other tools have been created by other research groups to comb for flaws using Google's database.

Google could not immediately be reached for comment on SiteDigger.

Johnny Long, a senior engineer at Computer Sciences Corp. and author of the book "Google Hacking for Penetration Testers," said such tools are necessary for Web administrators to keep their sites safe.

"There is no way for a security team to stay on top of Google without automation," he said. "They can't spend all the time trolling through Google."

Long maintains a site of more than 800 signatures of common security problems that can be searched for with Google. SiteDigger and other tools use the signatures to query the search engine for the problems.

While stressing that SiteDigger benefits Web sites with knowledgeable security personnel--usually the larger sites--Long acknowledged that smaller, less security-conscious sites would likely be at a disadvantage against potential attackers. Such sites typically aren't aware of the threats posed by Google hacking.

"The little guys are going to lose whenever a new tool comes out," he said. "The smaller site you are, the more you have to worry about."