Remember when the Internet was young and we spent endless time with the just-introduced Google search engine?
Google was the underdog newcomer that provided search without the garbage, just the answers.
Well, the Internet has aged and Google is sometimes perceived as yet another evil giant, up there with IBM, Microsoft and even once-pure Apple. Google is still a verb, however, in most of our casual conversations (e.g., I’m going to Google my daughter’s new boyfriend) and we’ve come to dread the information that a Google search might reveal about each of us (those vacation pictures must belong to another Alan Nichols Wlasuk; I would never be that stupid).
Google Search: The Good, the Bad and the Scary
Just so you feel even less secure, let’s spend a bit of time thinking about another potential problem that Google (and all search engines) brings to our worlds. To set the stage, I’m sure you all know that the role of a search engine is to crawl the entirety of the Internet and match the words, phrases or whatever else you enter as search criteria against information on the Internet. This is great for finding the correct time needed to hard boil an egg or digging up your boss’ vacation pictures.
Unfortunately, a well-constructed Google search can also be used to look for information or files that allow a hacker to easily find websites that are vulnerable to attacks. An attacker might ask Google to find arbitrary login portals, and then pick a few of the websites associated with those portals for dedicated attacks. So in this case, when it comes to finding a vulnerable website, Google has done the hard part; the hacker is just cherry-picking.
As you might imagine, there are many search queries that can be used for the single purpose of finding potentially vulnerable websites. And, not surprisingly, various organizations have collected the more popular of these queries in a database (we are all hoping they are doing this for good reasons) called the Google Hacking Database (GHDB). On the bright side, most commercial vulnerability scanner tools will use the GHDB as a reference while scanning your website and let you know where in your site you want to be more careful.
Even if the information revealed about your website by GHDB does not indicate major security vulnerabilities, this information can still be of interest to hackers. In other words, though the information might not be so bad, you still don’t want Google waving a red flag about it. Telling hackers about minor website vulnerabilities is sort of like leaving the empty box from your new iPad on the seat of your car while it’s parked in a mall parking lot; it just gets the guy with a brick all excited for no reason.