David Strom’s Web Informant

New and improved with just a hint of lemon

Archive for September, 2006

Google hacks

Posted by strom on September 27, 2006

Allow me to show you how to hack into your own Web site. You don’t need any specialized tools, and you don’t need any specialized skills either. All you need is a Web browser and the ability to enter the appropriate search syntax to Google your own site, or anybody else’s for that matter. It doesn’t take much time, and the payoffs could be huge: an intruder could easily obtain a copy of your most sensitive data in about the time it takes to read through this essay.

The trick is using Google’s search engine to look for specific terms, such as passwords, salary details, and customer details. The opportunities are enormous. Many Web sites contain inherent design flaws that leave them ripe for exploitation. These flaws are not immediately obvious and the fixes are not simple.

I wrote about this exploit, called Google Hacking, in an article for today’s New York Times Circuits section.

It was a fun story to report, and I thought I would take a moment to tell you about things that didn’t make it in there.

First and foremost is an updated version of a great book that O’Reilly has of the same name.

The term really refers to a lot of different things. In my NYT article, I talk about the dark side, about ways that bad guys can uncover sensitive information, or pages that you might not realize are available to the general public. But there are a lot of neat things that you can do with Google that are much more benign and fun, and can really stretch your ability to look for particular information. Here is one that you probably didn’t know about: you can type in “13 miles in kilometers” in Google’s search box and it will do the conversion for you.

Back to the dark side though. I spoke to a lot of different people in law enforcement, and one of the things that struck me during these interviews is how hard it is to prosecute someone who has been using Google to illegally use information. You need to have some tangible, physical evidence and the very nature of the Google hack is that you never leave any footprints on the target site. Still, I was impressed with how technically savvy the police are, at least the ones that I spoke to who understand these issues and aren’t taking these exploits lightly.

While these exploits have been known for many years among the IT community, they aren’t well known for the general business and consumer audience, which is why I wanted to write about them. Some people may say, why give these people the information to cause trouble? In my article, I actually show a sample piece of search syntax that can bring up vulnerable sites, which probably is a first for the Times.

I look at it differently: the bad guys already know about these exploits, and the challenge will be to educate the general population, especially the smaller businesses, that don’t always protect themselves. This isn’t just leaving your back door open, it is putting a 40 foot neon sign out front with a big arrow pointing out that millions of valuables can be found in your top dresser drawer. And the problem intensifies if someone can take over your site and use it to launch their own mischief or worse, illegal activities.

The article mentions two Web sites that are great resources for more technical folks. One is Johnny Long’s site.

Long compiles hundreds of vulnerabilities that have already been indexed by Google, and the site is full of great examples of search terms that you can plug in to find passwords and default configuration pages that will take you to some interesting places.

The other site is OWASP.org. The chair of this industry organization is Jeff Williams. He told me “most Web applications respond to attacks quite happily, without detecting them and without taking any defensive actions. Network security mechanisms like firewalls, intrusion detection, and hardened operating systems can’t detect or prevent these attacks because they don’t know anything about a company’s custom application code and how it works. And, unfortunately, the innocent code doesn’t defend itself.”

Speaking of defending yourself, what can you do? First, make sure you are secure. Williams says, “companies that don’t know whether their applications are secure or not should start by verifying a few of them to find out.” And if you have information that you don’t want Google to index, remove it. Here is some information that Google publishes to show site operators how they can remove their content from the search index.
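As an added illustration of that last point (example code written for this page, not from the original post or from Google): a small self-audit script that, given a site’s robots.txt and a few constructed sample responses, lists which paths a crawler is allowed to fetch and that carry no noindex directive, either as an X-Robots-Tag header or a robots meta tag. The site, paths and responses are hypothetical.

```python
"""Self-audit: which of my pages could end up in a search index? (added example)"""
import re
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site; not from the original page.
ROBOTS_TXT = """User-agent: *
Disallow: /backup/
Disallow: /admin/
"""

# Constructed sample responses: path -> (response headers, body).
SAMPLE_RESPONSES = {
    "/index.html": ({"Content-Type": "text/html"},
                    "<html><head><title>Home</title></head></html>"),
    "/backup/db.sql": ({"Content-Type": "application/sql"}, "-- dump"),
    "/reports/salaries.xls": ({"Content-Type": "application/vnd.ms-excel"}, ""),
    "/internal/notes.html": ({"Content-Type": "text/html"},
        '<html><head><meta name="robots" content="noindex"></head></html>'),
    "/private/config.bak": ({"X-Robots-Tag": "noindex, nofollow"}, "cfg"),
}

# Simplified matcher for <meta name="robots" content="..."> (attribute order fixed).
META_ROBOTS = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.I)


def has_noindex(headers, body):
    """True if the response carries a noindex directive in a header or meta tag."""
    if "noindex" in headers.get("X-Robots-Tag", "").lower():
        return True
    m = META_ROBOTS.search(body)
    return bool(m and "noindex" in m.group(1).lower())


def audit(robots_txt, responses, base="https://example.invalid"):
    """Return paths a well-behaved crawler may fetch that lack any noindex directive.

    A Disallow in robots.txt only stops crawling; a blocked URL that is linked
    from elsewhere can still be listed, and the crawler never sees its noindex.
    So pages that must stay out of the index should serve noindex (or require
    authentication) rather than rely on robots.txt alone.
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    exposed = []
    for path, (headers, body) in responses.items():
        if rp.can_fetch("*", base + path) and not has_noindex(headers, body):
            exposed.append(path)
    return sorted(exposed)


if __name__ == "__main__":
    for p in audit(ROBOTS_TXT, SAMPLE_RESPONSES):
        print("indexable, review:", p)
```

Run against the sample data it flags /index.html (expected, it is the public home page) and /reports/salaries.xls, which is exactly the kind of file the article warns about: not blocked, not marked noindex, and therefore one search away.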

Second, take security audits seriously, and do them often. Howard Schmidt, the former federal cyber security chief, talks about how you have to do security scans continuously. You can’t just rely on an annual audit, or even a quarterly audit, because sites are organically changing and new exploits are being uncovered every day.

Third, train your developers to be aware of these and other common exploits, and reserve some funding for security assessments as part of all contracting projects you do in the future. Use the sample legal contract language from OWASP.org when you have to hire out for help, and also take a look at their tutorials to harden your site.

Fourth, don’t just think that Google hacks are the only story. There are plenty of other ways to get information from Web sites. Read my white paper for Breach Security about SQL injection if you haven’t already, to see how easy this exploit is.

Finally, keep what Long told me in mind: “Google hacking, cross-site scripting and SQL injection vulnerabilities have been present in every Web site and application I have audited. Every single one. Bear in mind that some Google-hacking style vulnerabilities are more revealing than others, but it is a pervasive threat.”

Posted in Published work, Web software | 2 Comments »

Online Storage Solutions for VARs

Posted by strom on September 25, 2006

With AOL/Xdrive announcing this month that they will offer 5 GB of free online storage, it is time to take a closer look at what VARs can do with this technology. While simple to understand, there is more to online storage than meets the eye. And even with AOL giving away gobs of gigabytes, there are plenty of opportunities here for the right combination of products and services.

In my column for eWeek this month, I talk about ways that VARs can make online storage pay for them.

Posted in Published work, VAR channel | 2 Comments »

Broadband on the go

Posted by strom on September 22, 2006

Do you find yourself wishing that your Wi-Fi connection would be faster or more pervasive when you are on the road? Are you frustrated with the BlackBerry’s keyboard and long for your laptop? Then it might be time to consider one of the high-speed data plans from one of the major cellphone carriers. However, good luck trying to get information to make a rational decision — the carriers have made information about these services hard to come by.

Lucky for you, I have done the research and you can read the story here, called Broadband wireless data on the go.

Posted in Published work | Leave a Comment »

Sprezzatura

Posted by strom on September 19, 2006

The news of the past couple of weeks has me confused; so let me see if I have this straight. MTV is now doing a game where you can play as one of the characters from one of their reality TV shows, a show that employs script writers. These are different writers from the ones who not too long ago were protesting that they weren’t paid enough and had to falsify their time sheets to show that they worked fewer hours.

Then there are people making money off of selling Second Life businesses that sell virtual goods to others inside their virtual world. There are others that auction on eBay virtual items that enable game players to advance to higher levels, and these items are assembled by real low-wage workers who spend their days playing the games to accumulate these virtual items. There are Web pages for real people on MySpace that are fakes, created by fans (or detractors). There are also real Web pages for fake people too, and some of them were created by advertising and PR people who wanted to push a particular brand or agenda. (Insert your favorite joke about ad/PR people here.)

Earlier this month, a reporter for a national magazine was suspended when his employer found out that he was posting praising comments to his own blog under the pseudonym “sprezzatura”, which means doing something without apparent effort. His blog was removed by the magazine’s editors.

One of the most popular YouTube videos is about a lonely teenager talking about her life. But it turns out she is really an actress playing a part. I don’t know if they employ script writers or if these writers have to fake their time sheets too. And this has created an entire genre of other popular videos — those people who are tagging their creations with lonelygirl tags so others will view them. Meanwhile, college courses on ethics have already incorporated the whole mess into their curricula.

Then there is a documentary show that ABC-TV aired last week on 9/11, but interwove fictional dialogue spoken by actors playing real people. While it failed to attract any sponsors, ABC promoted it as a commercial-free public service.

Finally, the chairwoman of HP paid professional investigators to make believe that they were reporters to obtain the reporters’ private phone records, so they could investigate boardroom leaks. One of these efforts involved emailing a reporter a Word document with a Trojan keylogger inserted.

Am I the only one having a problem with all of this? Is it getting harder to distinguish between what is real, and what isn’t, anymore? Remember those simple days of yesteryear, when a reporter for a national magazine who wrote a book of fiction under the name “Anonymous” was finally outed to much fanfare? Or when magazine covers with manipulated images were called out for their photoshopping? Or how about corporate CEOs that were satisfied with just falsifying their own booking sheets or stock option grant awards? Back then, all we had was the Matrix, which wasn’t real either, but had some fine CGI to entertain us.

Welcome to the new real virtuality. I can absolutely guarantee that I wrote this column with my own hands. Everything else, that’s your own construct.

[A version of this article was published in October in TidBITS.com]

Posted in Web site strategies | Leave a Comment »

Freddie Mac Cashes in on Web Services

Posted by strom on September 18, 2006

If you’ve bought a house, chances are Freddie Mac has touched your loan. A leader in the secondary mortgage market, Freddie Mac–the Federal Home Loan Mortgage Corp.–owns one-sixth of all American mortgages. Its computers process tens of billions of dollars every day and exchange critical information with a host of banks, brokers and investors.

So when the company decided to migrate critical applications from mainframes to Web services, the executive team knew the transition would be a high-wire act without a net. A single misstep could choke off the flow of transactions, compromise security and land Freddie Mac in serious trouble. But the payoff–streamlined operations that would save billions of dollars–was worth the risk.

I visited with Freddie Mac earlier this summer, and got the scoop on their transformation to a Web Services shop for the current issue of Network Computing. It is nice to be back there, after so many years (I headed the original launch team back in 1990.)

You can read the entire feature story here.

Posted in Published work, Web site strategies | Leave a Comment »

A look back to 1995

Posted by strom on September 15, 2006

Web Informant turns 11 this month. Hard to believe that for the most part I have been writing these things for so long. Harder still to believe that many of you have been reading them (and commenting on them too) for so long. So first off, a boat load of thanks. It has been a lot of fun to write these things, and I hope I can keep them coming for another 11 years.

I got into a reflective mood this morning, after taking a trip down memory lane by reading Techweb’s excellent historical view of the Web.

They claim that the Web was invented in the summer of 1991, although I have seen references to earlier than that. Most of us didn’t start really using it until the first Windows and Mac browsers came out a few years later.

So let’s go into the Wayback machine and see what was happening 11 years ago:

We had browsers that were just beginning to display tables and images in-line, and Netscape was still the dominant force in browsing technology. They began developing their own browser extensions then, which was the beginning of their demise, helped by Microsoft, too many programmers, and AOL along the way. Now Microsoft is losing browser mind share to Firefox. Funny how the pendulum swings back and forth.

If you got a copy of these early browsers, they fit on a single floppy disk, and we still had PCs that came with floppies too. For those of you too young to remember these, the ones we used in 1995 could hold a megabyte of data and were small enough that you could carry them in your shirt pocket, back when shirts had pockets. Now we can buy USB key drives that hold 1000 times as much for about $50. I guess it is time to throw out my collection of floppies now.

Around 1994 the Web started to take off, with some reports putting the growth in actual sites from the low thousands to more than 25,000 sites by the end of the year. Back then, email and FTP traffic were the dominant information flows, and let’s not forget about Gopher, the first hypertext protocol, too.

Before 1994, we had computers that had integrated TCP/IP protocols in them, they were called Unix computers. For the rest of us, we had to deal with installing a separate piece of software that handled communications. Remember NetManage? Microsoft Windows for Workgroups and the Mac OS 7.5 both included support for TCP/IP in their operating systems that year.

Back in 1995, OS/2 was still a viable operating system and IBM had high hopes that it would still become popular, even going so far as to take its Warp codename and use it on the product. And OS/2 had built-in TCP/IP protocols, if memory serves correctly, long before Windows did. I remember that IBM had Kate Mulgrew appear at the launch event — she played Captain Janeway on one of the Star Trek series. Linus Torvalds was still in graduate school working on the thesis that would eventually spawn Linux and reinvigorate the open source world and make Unix safe for the rest of us.

Back in 1995, I first started writing about how the browser was turning into its own operating system and computing environment. Now we have plug-ins galore for all of the major browser versions, and many commercial software products have some kind of browser interface too.

Back in 1995, there weren’t too many affordable choices for broadband access — indeed, I don’t think the term was in much use then. I think I was still using an ISDN line, and happy to get all of that 112 Kbps of connectivity that I got. Cable modems and DSL lines would happen later. Back then, we had lots more phone companies too before they all started combining with each other. And AT&T was still selling just long distance and not the local provider for the middle of the country. MCI was still doing business, and UUnet was one of the stronger ISPs around. Neither had gotten involved with Bernie Ebbers’ thievery yet.

Back in 1995, I already had my own domain name strom.com for several years, which seemed like a novelty at the time. It was easy to obtain a domain name — and they didn’t cost anything either. Cybersquatting, phishing, ad banner tracking, and cookie stuffing were all still relatively unknown. Blogs hadn’t been invented, nor podcasts, wikis, or mashups. We were still using Yahoo to search the Internet. It was a time of relative innocence. No one used VPNs. Routers still cost thousands of dollars. Ethernet was locked in a battle with Token Ring, and wireless networks were expensive and not found anywhere near places selling coffee.

If you want to go into the Wayback machine back 20 years, take a look at something that I wrote here.

Posted in Web software | 1 Comment »

15 Years of Web History

Posted by strom on September 15, 2006

Techweb has done a nice job packaging a series of stories on the history of the Web, including screen shots of the early browsers and documenting the shots fired in the browser wars. It is worth reviewing.

Posted in Web software | Leave a Comment »

How to Dissuade Yourself from Becoming a Blogger

Posted by strom on September 15, 2006

Somewhat tongue-in-cheek, but amusing and insightful nonetheless. From WikiHow, which is a great compendium of practical how-to information on all sorts of topics.

Posted in digital home | Leave a Comment »

Two managed DSL routers reviewed

Posted by strom on September 13, 2006

The idea of having a managed security service bundled with a SOHO firewall/router/gateway all-in-one box isn’t new, but this year two new products have extended the idea with the addition of built-in DSL modems to the package. Both SofaWare, a division of Check Point Software, and TrustEli have come out with these kitchen-sink products.

Read my review in Computerworld.com here.

Posted in Product reviews, Published work | Leave a Comment »

Pretext and ID theft

Posted by strom on September 8, 2006

Pretext is in the news today regarding the latest HP boardroom shake-up, and how the information got out of the boardroom. Back in the day, we used to call this kind of thing “social engineering” — the “Hi, my name is Joe Smith, and I lost my ID badge. Can you look up my account online?” sort of thing. These warnings about pretexting from the Federal Trade Commission are worth reviewing with your family and others who might be inclined to divulge personal information via that most insecure of communications devices, the phone.

One of the things that my father taught me at an early, pre-Internet age was never to give out this information to someone. Thanks, Dad!

Posted in digital home, security | 1 Comment »