Computerworld

NZ sites vulnerable to Google hacking

"Google hacking" is on the rise, according to a study by master's student Natalia Nehring and Ellen Rose, senior lecturer at the Institute of Information and Mathematical Sciences at Massey University.

The term refers to online attacks that use search engines to look for vulnerabilities. The study found that New Zealand websites are more vulnerable to hackers using the Google search engine than Australian or U.S. websites.

There are several databases collecting useful queries typed into Google's search engine. One of them, johnny.ihackstuff.com, specializes in Google hacking, Rose said.

"These databases have been known to turn up interesting information like credit card numbers or systems that have a default configuration," she said. "You can write your own program to run these queries, which is what we did, or you can just type them in."

Rose and Nehring conducted search engine hacking for three months, collecting data from New Zealand, Australia, the U.S. and the Czech Republic.

The study investigated the situation in New Zealand and Australia, compared with the U.S., which is fairly open to information flow, and the Czech Republic, which is still controlled in many ways.

Rose and Nehring got more hits that led to sensitive information when searching the .nz sub-domains than when searching the sub-domains of the other three countries.

"One of the reasons for that is that a lot of people would rather presume that they are not going to be hit. If they are hit they try to deal with it afterwards. They don't do many pro-active things," Rose said.

"In Australia there is a lot of tightening up in terms of security and policies after 9/11 and issues around that," she said.

The study found that in New Zealand, vulnerabilities related to backup files were open the longest, followed by remote administration vulnerabilities. Rose and Nehring got the largest number of hits in the .co.nz and .org.nz sub-domains, within the categories of error messages and backup files, Rose said.

Using Google as a hacking tool is a fairly recent phenomenon, she said. She thinks this type of hacking is an upcoming threat, but adds that it takes significant effort to actually find information useful to hackers. According to the study, on average 49 percent of the hits did not point to sensitive information. However, Rose has been monitoring the database and it is constantly growing, she said.

Tony Krzyzewski, managing director of Auckland-based security specialists Kaon Technologies, said, "Automated tools make it easier to find vulnerabilities, they are not introducing new vulnerabilities. It's just another tool."