Q&A: Google hacking

by Mirko Zorz - Thursday, 11 March 2010.

Robert Abela is a Technical Manager at Acunetix and in this interview he discusses the importance of Google for security research, provides tips on Google for information gathering and more.

Based on your experience, how important is Google for security research?

Everyone who uses the internet knows that Google is the answer to every question. Google is a powerful search engine, and also a tool. Being such a good tool, almost like everything else on the internet today, Google’s capabilities are unfortunately being misused. To keep up to date, a security researcher typically refers to Google. This helps him learn more about new hacking trends, tools, and previous hacking incidents. Unfortunately, unless you are a hacker yourself, you cannot imagine what a hacker can be up to, since a typical security researcher can be quite naive and innocent when compared to a real hacker. Therefore, by searching and learning more about previous incidents, one can increase his knowledge and perform better at securing websites and web applications.

Apart from that, when securing a web application, one should make sure that he looks at the whole picture. So basically, fixing all the vulnerabilities in the web application itself and implementing a perimeter network is not enough. One should also use tools which hackers typically use to get to know more about your web application and infrastructure, such as Google.


Let’s say you're doing a penetration test. What kind of information about a target can you find out by using Google?

Anything connected to the web is indexed by Google. Even administrators' portals of devices connected to the web, such as printers and webcams, are crawled and discovered by Google. You’ll be surprised by how many unprotected webcams are connected to the internet, streaming live video from people’s living rooms or university dormitories.

By using Google, one can find out more about the configuration or version of a web server, a web technology such as PHP or .NET, and also well-known web applications such as WordPress. Having access to the configuration of specific software, or its version, can be enough to help me start an attack. Unfortunately, when web and network administrators encounter specific application problems, they seek support from public forums, where they tend to post extra configuration and setup information. Such information exposure can be enough to help a hacker know more about the actual web application he wants to attack.
