A hacker was recently indicted by the U.S. government for illegally accessing a computer connected to a municipal dam in Rye, New York. According to the U.S. attorney general’s allegations, the hacker was working on behalf of a foreign government when he located an unprotected computer at the dam and gained access to its industrial-control system, giving him the capability to remotely operate the dam’s sluice gate.
The only reason he was unable to manipulate the sluice gate was that it had been manually disconnected due to maintenance during the time of his intrusion. Otherwise, federal authorities fear the hacker would have opened the sluice gate and flooded the surrounding area, causing millions of dollars of property damage.
How did this hacker, a network manager for a computer company, discover the existence of an unprotected computer in a tony New York suburb more than 6,000 miles away? He googled it, of course.
Like countless hackers before him, he employed “Google dorking,” an advanced search technique that lets a person create a very specific, targeted search. One can specify a search to a specific website, to a specific file type, or to a specific word or phrase (say, “strictly confidential”). For cybercriminals, nation-states, and other malicious types who want to sniff out sensitive information that an enterprise doesn’t want to be published in search engine results, Google dorking is an essential investigative tool.
Google dorking is used to locate two different types of information. One type is general info, like admin passwords and Excel spreadsheets stuffed with business secrets. The second is specific web vulnerabilities, such as an outdated WordPress plugin that enables a cybercriminal to seize control of a WordPress site and use it as part of a vast botnet.
Google dorking itself is a legal activity, but bad characters have been using its search results for illegal purposes, such as industrial espionage, identity theft, and cyberterrorism, probably since soon after Google first introduced advanced search operators like “site” and “filetype.”
5 ways enterprises can protect their network from Google dorking
Fortunately, CIOs can take specific measures to harden their organization’s defense against Google dorking. Here are five recommendations:
Launch a prolonged Google dorking expedition against your company’s web domains to discover what data assets or security vulnerabilities are visible to nosy hackers.
Once you have dorked your web presence and uncovered all of the wayward information, use Google Webmaster Tools to wipe it from Google’s search index.
Google and Bing can produce different results for the same advanced search term, so once you have strengthened your organization’s defense via Google, it’s time to do the same with Bing and eliminate any worrisome websites, URLs, cached copies, and directories from its index.
Reduce your web presence
It’s difficult for a hacker to Google dork a domain of yours if it doesn’t appear in any search engine results. Therefore, security experts urge putting a robots.txt file in the top-level directory of a web server to stop Google and other search engines from indexing a particular site.
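One way to check the robots.txt measure described above, as an added example that is not from the original article: it parses a constructed robots.txt with Python's standard urllib.robotparser and reports which paths you meant to hide are still crawlable by Googlebot or bingbot, and which paths the publicly readable file itself names. The file contents, the path list and the function names are assumptions made for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample: a crawler-specific group that forgets a rule
# present in the catch-all group.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/

User-agent: bingbot
Disallow: /admin/
"""

# Hypothetical paths the organization wants kept out of search results.
MUST_NOT_BE_CRAWLED = ["/admin/", "/backup/", "/exports/"]
CRAWLERS = ["Googlebot", "bingbot"]


def find_gaps(robots_txt, paths, crawlers):
    """Return (crawler, path) pairs that robots.txt still allows to be crawled."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return [(c, p) for c in crawlers for p in paths if parser.can_fetch(c, p)]


def disclosed_paths(robots_txt):
    """Return the Disallow paths anyone can read from the public file."""
    found = set()
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            found.add(value.strip())
    return sorted(found)


if __name__ == "__main__":
    for crawler, path in find_gaps(SAMPLE_ROBOTS_TXT, MUST_NOT_BE_CRAWLED, CRAWLERS):
        print(f"GAP: {crawler} may crawl {path}")
    for path in disclosed_paths(SAMPLE_ROBOTS_TXT):
        print(f"PUBLIC: robots.txt names {path}")
```

The bingbot result shows that a crawler matching its own User-agent group does not fall back to the catch-all group, so every rule has to be repeated there. Because honoring robots.txt is voluntary and the file is readable by anyone, the listed paths still need access control.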
Be a data guardian
Eliminate or minimize the amount of sensitive information that you store on web-connected computers. Also, an embarrassing number of businesses still store passwords and other high-target information in plain text files. Protect your data with multiple layers of defense, including strong encryption.
Update your software
One of hackers’ main attack vectors into an enterprise is unpatched or otherwise vulnerable software. Everyone, from bored teenagers to old-school security pros, focuses on Google dorking vulnerable software, so it is imperative that you update your software promptly.
Create a bug bounty program
Increasingly, organizations are offering bug bounty programs. These programs entice a hacker who finds a software vulnerability on your site, such as a zero-day, to submit it to your bug bounty program and receive a financial reward, as opposed to selling it to the highest bidder on the dark web.
A threat that won’t go away
For CIOs, Google dorking is an always-present security threat. As long as search engines exist, anyone with a computer and internet access can Google dork your organization. As one anonymous British white hat hacker noted, “It’s just so bloody simple, any 14-year-old can do it. The possibilities look unlimited—the only restriction is your own creativity.”