While it seems years too late, DHS, FBI and NCTC issued a bulletin warning website admins about malicious cyber actors using Google dorking advanced search techniques to find vulnerabilities that can be exploited in cyber attacks. If you are good at research by using Google searches, does that make you a malicious cyber actor? Of course not, but DHS, FBI and NCTC (National Counterterrorism Center) have issued a bulletin warning about malicious “Google dorking” cyber actors. If using advanced search techniques on Google or Bing is considered suspicious, what does that make Shodan users who specifically target SCADA, ICS, VoIP, routers, switches, webcams and printers to name but a few? Of course, Google dorking is just a phrase that applies to using advanced queries on any search engine. Searching for vulnerabilities in this way is common among penetration testers as well as bad guys, but there’s nothing new about Google dorking. While it seems as if the bulletin was issued years too late, attackers are still pwning sites by using advanced search techniques. The same could be said of getting hacked by leaving the default username and password in applications; sadly, it still happens to this day. Google dorking can find website vulnerabilities that can later be used in cyberattacks. The fed-issued bulletin states: By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities. For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries. The bulletin referenced Search Diggity, another not-new project, which includes “free online tool suite that enables users to automate Google dork queries. It contains both offensive and defensive tools and over 1,600 pre-made dork queries that leverage advanced search operators.” June 2013 was the most recent update to SearchDiggity 3.1, “the primary attack tool of the Google Hacking Diggity Project. It is Bishop Fox’s MS Windows GUI application that serves as a front-end to the most recent versions of our Diggity tools: GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYard Diggity.” There are “lists” of over 20,000 Google dorks to exploit SQL on Pastebin; the fed-issued memo mentioned when 35,000 websites were compromised in Oct. 2013 as a result of attackers using Google dorking to find vulnerabilities. Other lists are specifically focused on Havij, an SQL injection tool which has been around for years and is so easy that “even a three-year-old can be a successful hacker.” Google hacking for fun and profit was an “issue” by at least 2005 when security expert Johnny Long warned network defenders to stay current with the “latest Google-hacking techniques to keep ahead of the bad guys.” Folks have been Google dorking to discover passwords since at least 2003. As the years rolled by, there have been numerous Dork scanners as well as an up-to-date Google hacking database on Exploit Database. The feds made several recommendations for website administrators such as protecting sensitive information with a password and encryption, making sure it isn’t indexed, running Google Hacking Database “queries to find discoverable proprietary information and website vulnerabilities,” and running a vulnerability scanner. DHS, FBI, NCTC Seriously, if you don’t know about Google dorking and you are running a site, it’s way past time to learn and close any vulnerable holes. Related content news analysis Apple confirms it will open up the iPad in Europe this fall The latest efforts to comply with Europe’s Digital Markets Act mean developers can offer to side load apps to both iPhones and iPads in the EU. Apple has also taken steps to improve what it offers to smaller and non-commercial developers in the By Jonny Evans May 02, 2024 6 mins iPad Apple Mobile Apps news Udacity offers laid-off US workers free access to its courses for 30 days Sign-ups will be available over the next 30 days By Lucas Mearian May 02, 2024 4 mins Technology Industry IT Jobs IT Skills opinion Why you’ll soon have a digital clone of your own AI isn’t going to replace you at work. You will. By Mike Elgan May 02, 2024 7 mins Augmented Reality Generative AI Virtual Reality news analysis Workers with these AI skills are getting cash premiums As AI deployments become more critical to digital transformation projects, organizations are struggling to find skilled workers to support the new technology, so they're paying premiums for prospective hires or current employees who obtain the n By Lucas Mearian May 01, 2024 7 mins Generative AI IT Jobs IT Skills Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe