sjb007

Search engines such as Google are still widely being used by hackers against web applications that hold sensitive data, according to a security expert.

Even with rising awareness about data security, it takes all of a few seconds to pluck Social Security numbers from websites using targeted search terms, said Amichai Shulman, founder and chief technology officer for database and application security company Imperva.

The fact that Social Security numbers are even on the web is a human error; the information should never be published in the first place. But hackers are using Google in more sophisticated ways to automate attacks against websites, Shulman said.

Shulman said Imperva recently discovered a way to execute a SQL injection attack that comes from an IP address that belongs to Google.

In a SQL injection attack, a malicious instruction is entered on a web-based form and answered by a web application. It often can yield sensitive information from a backend database or be used to plant malicious code on the web page.

Shulman declined to give details on how the attack works during his presentation at the UK RSA Conference on Monday, but said it involves Google's advertising system. Google has been notified, he said.

Manipulating Google is particularly useful since it offers anonymity for a hacker plus an automated attack engine, Shulman said.

Tools such as Goolag and Gooscan could execute broad searches across the web for specific vulnerabilities and return lists of websites that have those problems.

"This is no more a script kiddy game - this is a business," Shulman said. "This is a very powerful hacking capability."

Full article here - http://www.techworld.com/news/index....&NewsID=106207