Cult of the Dead Cow says scanning software can find Web site holes via Google searches
The Cult of the Dead Cow hacker group has released an open-source tool designed to enable IT workers to quickly scan their Web sites for security vulnerabilities and at-risk sensitive data, using a collection of specially crafted Google search terms.
The group, which refers to itself as the cDc, acknowledged that the Goolag Scanner tool could also be used by malicious attackers to look for vulnerable Web sites. "We're not stupid," a cDc member who goes by the name Oxblood Ruffin said. "We know some bored teenagers and criminals will try to exploit vulnerabilities [using the new tool]."
But such uses are "not something that we or anyone can control," Ruffin added. "What we're trying to do is two things: One, to provide a very easy and legitimate tool for security professionals to test their own Web sites for vulnerabilities, and two, to raise awareness about Web security in and of itself."
Goolag Scanner is a Windows-based auditing tool that was built around the concept of "Google hacking," a form of vulnerability research created by a hacker who uses the name Johnny I Hack Stuff. Google hacking involves the use of certain types of search queries to look for Web site vulnerabilities. More than 1,500 such queries -- or Googledorks, as they as well as the people who leave their Web sites exposed to them are sometimes known -- have been compiled into a database by Johnny I Hack Stuff over the past few years.
Although the queries ostensibly are supposed to be used by Web administrators to test their sites for data leaks and vulnerabilities, they also are widely used by hackers with malicious intent who are looking for ways to break into sites.
With Goolag Scanner, users can use Googledork queries to run automated vulnerability scans on Web sites, instead of having to copy and paste each search term into a Google search field. According to Ruffin, the tool stores all of the known Googledorks in one file and enables users to add new search terms as they find them.
"Essentially, what we have done with the scanner is created an automated form of Google hacking," he said. "It's like Google hacking on steroids. It operates in a very quick manner."
The new tool also is "very easy to use for everybody, not just security professionals," Ruffin said. "It's probably something that your mother could use without a whole lof of instructions."
Johnny I Hack Stuff previously released a similar tool called Gooscan that also automates the query process, but it runs only on Linux.
Ruffin said that as part of its testing of Goolag Scanner, the cDc ran the tool against commercial, government and military Web sites in North America, Europe and the Middle East, discovering significant security holes in many of them. Most of the scans done in North America were run against government sites "because they are really starting to migrate to the Web," he said.
Information about roughly a dozen "pretty scary holes" that were discovered as part of those scans has been turned over to the proper authorities, Ruffin added.
Goolag Scanner won't find any new kinds of security threats on Web sites, but it does give IT administrators a handier way to look for flaws and leaks that could be exposed via Google searches, said Amichai Shulman, chief technology officer at Imperva Inc., a vendor of firewall and database security software in Foster City, Calif.
The tool's user interface is easy to use, Shulman said, adding that Goolag Scanner could be an eye-opener for company officials and other Web site owners who still need to be convinced about the extent of their exposure to security risks.
And despite the concerns about malicious uses of the tool, Shulman said that he thinks the automated querying offered by Goolag Scanner is unlikely to be of much help to would-be attackers. Over the past few years, Google Inc. has increasingly improved the ability of its software to detect and stop large-scale automated searches, according to Shulman. People who frequently try to run such searches via Goolag Scanner could find their IP addresses being blocked by Google, he said.
Even companies that want to use the tool might need Google's enterprise search software in order to successfully run the scanner against their Web sites without problems, Shulman said.