July 28, 2004

Security Blog and Googling for Vulnerabilities


First, I want to let you know that we've added a new section to our Web site and this newsletter. If you visit the Web site regularly and subscribe to our security-related Really Simple Syndication (RSS) feed, then you know we recently launched a new blog: Security Matters. Each week in this newsletter, you'll find a summary of the most recent blog postings.

You can visit the Security Matters blog to add your comments to a given posting. If you have a tip, tidbit of information, resource, commentary, or other content that you think might be of interest to others, then certainly send me an email (mark at ntsecurity / net) with that content and I'll consider posting it to the blog.

Last week, I mentioned the Information Security Writers Web site, which publishes security papers written by many authors. In the past week, the site has published a few new papers, one of which is "Demystifying Google Hacks," by Debasis Mohanty.

http://www.infosecwriters.com/texts.php?op=display&id=191

The paper outlines several ways in which someone can use a particular search syntax in Google to query for sites that might have known vulnerabilities. For example, Google supports query operators such as intitle:, inurl:, allinurl:, filetype:, intext:, and more. Google isn't the only search engine that supports this sort of query syntax: MSN Search, AlltheWeb, Yahoo!, and others support similar syntax to varying degrees.

If intruders are using search engines, you should try the same techniques to check your own Web sites for vulnerabilities. Repeating the searches when new Web-related vulnerabilities are published might also be wise. Think of it as another method for scanning your systems. You can also build false URLs into a honeypot that supports Web services, then add the honeypot URLs to various search engines.

A drawback of using search engines to check your Web sites for vulnerabilities is that typing or pasting in query after query quickly becomes tedious. One obvious solution is to use scripts to store the queries and automate the querying and result-gathering process. Foundstone released a free tool in May, SiteDigger, that automates the process of using Google to scan a given site for vulnerabilities. I've used SiteDigger a few times, and it works really well.

http://www.foundstone.com/resources/proddesc/sitedigger.htm

SiteDigger has a list of more than 100 predefined queries (vulnerability signatures); you simply enter a Web site address and click a button to start the Google query process. After the query is complete, you can easily export a report to HTML format.

The signatures are stored in XML format, so you can add more or customize the current rules if you need to. If you do, be aware that the tool also has an update feature that lets you download new queries from the Foundstone Web site when they're available. I'm not sure whether the update process totally overwrites the signature file or not; you might want to save a copy of your custom signatures in case it does.
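The scripted approach described above (stored queries, automated querying and result gathering) together with a customizable XML signature list, as an added example that is not part of the original article and not SiteDigger's own code: the XML layout, host names and result URLs are all constructed, and nothing here contacts a search engine. The report step keeps only results that really belong to the site you manage, so stray hits from other hosts never end up in your findings.

```python
"""Automate 'check your own site' searches: load vulnerability signatures from
XML, build site:-restricted queries, and collate the hits (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed signature file; the layout is hypothetical, not SiteDigger's format.
SIGNATURES_XML = """<signatures>
  <signature id="dirlist" category="Directory listing"><query>intitle:"index of" "parent directory"</query></signature>
  <signature id="logs" category="Exposed log files"><query>filetype:log inurl:logs</query></signature>
</signatures>"""

def load_signatures(xml_text):
    """Return {id: {"category": ..., "query": ...}} parsed from the XML text."""
    return {s.get("id"): {"category": s.get("category"),
                          "query": s.findtext("query").strip()}
            for s in ET.fromstring(xml_text).iter("signature")}

def normalize_site(site):
    """Return the bare lowercase host from 'host' or 'scheme://host/path' input."""
    host = urlsplit(site if "://" in site else "//" + site).hostname
    if not host or "*" in host:
        raise ValueError(f"invalid site: {site!r}")
    return host.lower()

def build_queries(signatures, site):
    """Combine every signature with a site: restriction for the given host."""
    host = normalize_site(site)
    return {sid: f"site:{host} {sig['query']}" for sid, sig in signatures.items()}

def in_scope(url, site):
    """True only if the URL is on the site being checked (engines return near misses)."""
    host, site = (urlsplit(url).hostname or "").lower(), normalize_site(site)
    return host == site or host.endswith("." + site)

def collate(hits, site):
    """Collate (signature_id, url) hits into {id: sorted unique in-scope urls}."""
    report = {}
    for sid, url in hits:
        if in_scope(url, site):
            report.setdefault(sid, set()).add(url)
    return {sid: sorted(urls) for sid, urls in sorted(report.items())}

# Constructed stand-in for the URLs a search engine might return.
SAMPLE_HITS = [("dirlist", "http://www.example.com/files/"),
               ("dirlist", "http://www.example.com/files/"),         # duplicate
               ("dirlist", "http://example.com.other.test/files/"),  # off-site
               ("logs", "https://intranet.example.com/logs/error.log")]

if __name__ == "__main__":
    print(build_queries(load_signatures(SIGNATURES_XML), "www.example.com"))
    print(collate(SAMPLE_HITS, "example.com"))
```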

Our Instant Poll this week asks, "Do you use search engines to look for vulnerabilities in the Web sites you manage?" Visit http://www.winnetmag.com/windowssecurity and give us your answer.


Windows IT Pro is a Division of Penton Media Inc. © 2010 Penton Media, Inc.