The Next Generation Search Engine Hacking Arsenal

Saturday, January 14, 2012

Pierluigi Paganini

03b2ceb73723f8b53cd533e4fba898ee

(Translated from the original Italian)

The title is borrowed from a presentation made by Francis Brown of Stach & Liu, Hacker Halted 2011 in Miami.

The presentation focus on two topics that are crucial in the modern scenario:

  • Cloud Computing
  • Search engines

The presentation demonstrated the fact that the overall safety of complex systems can be impacted by incorrect implementation of the "cloud" paradigm. 

Through the knowledge of authentication mechanisms is relatively easy to retrieve access codes, passwords and secret keys necessary for access to data stored within a cloud as happened for Amazon's EC3.

Let me remind you the OSINT definition:

"A form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence."

LulzSec and Anonymous are believed to use Google Hacking as a primary means of identifying vulnerable targets, as it provides a complete and regularly updated source where it is possible to retrieve info regarding:

  • Advisories and Vulnerabilities
  • Error Messages
  • Files containing juicy info
  • Files containing passwords
  • Files containing usernames
  • Footholds
  • Pages containing login portals

Application developers and system administrators who want to deploy their applications on cloud infrastructures should be aware that files can be subject to indexing of search engines through an ordinary Google search.

Francis Brown of Stach & Liu LCC has proved this during the event... I invite all to the careful reading of the paper. That is incredible!

I will conclude by saying that the maturity of a paradigm like the cloud can be measured through the security processes implemented and through the level of knowledge of administrators and developers who intend to use it.

Unfortunately today the scenario is still far from reassuring.

References

http://www.darkreading.com/cloud-security/167901092/security/vulnerabilities/231902718/cloud-services-credentials-easily-stolen-via-google-code-search.html

Cross-posted from Security Affairs

Possibly Related Articles:
14553
Cloud Security
Information Security
Cloud Security Network Security Anonymous Hacktivist Search Engine Lulzsec AntiSec OSINT Google Hacking Pierluigi Paganini
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked