Saturday, March 1, 2008

Google Hacking Tool

Now, I'm all for Google. I mean, they've given me a blog and all sorts of other cool things like unlimited mail and an awesome task/reminder service. But there are moments when their technology, well, sort of scares the heck out of me. My membership with ASIS has proven invaluable once again. An article written in Security Management talks about another tool hackers have come up with to make finding vulnerabilities that much easier.

According to SM, "The new web auditing tool is known as Goolag Scanner, which uses Google's search engine to scour the Web for passwords and security holes."

It was created by a hacking group calling itself cDc, or Cult of the Dead Cow. This is the same group that created a little program called "Back Orifice". Sounds a tad bit perverted, but I can assure you the IT departments and users this little software caused grief didn't think it was a laughing matter. "Back Orifice" created a "back door" for hackers to remotely control any computer they gained access to.

Scared yet? Well, don't go calling IT in a panic yet. It turns out that this tool just uses Google to sniff out information you and I could find ourselves through Google. It would just take us a lot longer. Why is this something not to worry about? Because this program can tell you what hackers may already know about your setup, or what you don't. What is that, exactly? How secure your website is.

According to cDc, they realize this threat, and it's the reason they created it. "It's no big secret that the Web is the platform," said cDc spokesmodel Oxblood Ruffin. "And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We've seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious."

It turns out DHS was made aware of the vulnerability a few weeks ago, according to Ruffin. Security experts are now taking a look at the software to ascertain where they're vulnerable.

For now, let's make sure you're doing the same. Check out the article here. InformationWeek's article can be found here as well.
