Saturday, January 31, 2009


Google hacking involves using the popular Google search engine to locate sensitive online information, which should be protected but is not.

Dr Ellen Rose, a senior lecturer at the Institute of Information and Mathematical Sciences, and graduate student Natalia Nehring, ran Google search queries known to return sensitive information from the Google database.

They wrote a computer program that for three months ran 170 daily queries against the Google database, looking at sites in New Zealand, Australia, the United States and the Czech Republic.

They found that sensitive data was now easier to obtain and that New Zealand sites are more vulnerable to hackers than Australian or United States sites.

The study aimed to ascertain how vulnerable we are to hackers. The researchers say any internet user can now easily find sensitive information using only a browser and a few carefully chosen keywords. They point out website administrators can use the same techniques to discover their own vulnerabilities.

Google hacking, how it works and how to protect against it is extensively reported on a range of articles that can be found through the Google search engine itself.

Dr Rose and Ms Nehring say about half of their hits pointed to sensitive information although some types of sensitive information were only available for a small window of time.

Vulnerabilities related to backup files were open the longest, followed by remote administration vulnerabilities.

They got the most hits in New Zealand in the organisational domains (.co and .org) and within the categories of error messages and backup files.

The average number of days a potential vulnerability remained open across all domains and all categories was similar in the US (48.85 days, 46 per cent from the duration of test period) and Australia (49.54 days, 50 per cent from the duration of test period) with New Zealand vulnerabilities remaining open somewhat longer (60.96 days, 57 per cent from the duration of test period). Very little vulnerability could be detected in the Czech Republic.

Dr Rose said she felt it would be unethical to name the sites where personal information could be found but Massey’s own website was found to have about 50 vulnerabilities, which they had alerted the University’s technology services department to.


Post a Comment