Search engine attacks to dig out sensitive information
SEARCH ENGINE ATTACKS to dig Out sensitive information

By Creighton Linza for IT IS 3200


Introduction

  • Search Engine

    • an information retrieval system that searches its database for matches based on a query

  • Web Crawler

    • a program or script that automatically browses the web


Introduction

  • Search Engine Attacks

    • Passive

    • Stealth

    • Have the ability to use the ‘huge memory’ of the internet


Main Issues

  • Exploits in software used to secure databases

  • ‘Simple’ Identity theft

    • Little information required to get the attacker going

  • Financial threats


Who benefits from this research?

  • The Good

    • Security personnel

    • Individual Users

  • The Bad

    • Hackers

    • Solicitors


Who has worked with this research?

  • Founders of Search Engine Attacks

    • Oliver Peek

    • Kristjan Lepik

  • What they did

    • Found press releases in advance

    • Overall made 7.8 million dollars



General Attacks

  • Search for Passwords

    • “index of” htpasswd / passwd

    • filetype:xls + Search Terms

    • “WS_FTP.LOG”

  • Web help forums


General Attacks (cont’d)

  • Google cache

    • Bad for those who thought their problem was fixed

  • Google Code Search

    • Exploitable code

  • Common files and directories

    • “index of” “listener.ora”


Database Attacks

  • Potentially vulnerable web applications searched for via a search engine

    • Allow for advanced, specific, target-oriented searching

  • Use exploits to attack holes

  • ‘Protected’ databases found completely exposed by web crawlers


Oracle Attacks Example

  • Oracle servers/database attack on iSQLPlus

    • Java servlet that listens on port 7777 or 5560

  • If either port is exposed to the internet

    • Web server and applications can be inventoried by a web crawler

    • A route to access an internal database is created

      • From here, user accounts can be easily stolen

  • Do-it-yourself

    • allinurl: “/isqlplus”



What can be improved

  • Latest updates and patches

  • Disable directory browsing

  • No sensitive information online

    • Unless using proper authentication

  • Analyze server’s log for web crawler’s access

  • Ask the search engine provider to remove any necessary content
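
The log-analysis step above, as an added example that is not part of the original slides: a Python scan of combined-format access logs for crawler requests to the file names the slides list, separating requests that were served (and may now be indexed or cached) from those that were refused. The sample log lines, the crawler User-Agent list and the function name `crawler_exposures` are assumptions made for illustration.

```python
import re

# Constructed sample lines in combined log format (illustrative, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [12/Mar/2024:10:01:05 +0000] "GET /backup/.htpasswd HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.11 - - [12/Mar/2024:10:02:11 +0000] "GET /ftp/WS_FTP.LOG HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
192.0.2.12 - - [12/Mar/2024:10:03:40 +0000] "GET /isqlplus HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [12/Mar/2024:10:04:00 +0000] "GET /oracle/listener.ora HTTP/1.1" 200 640 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.10 - - [12/Mar/2024:10:05:09 +0000] "GET /files/ HTTP/1.1" 200 1311 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Crawler User-Agent tokens (assumed list; User-Agent strings can be spoofed).
CRAWLER_RE = re.compile(r"googlebot|bingbot|slurp|duckduckbot|baiduspider|yandex", re.I)
# File and path names taken from the searches listed on the slides.
SENSITIVE_RE = re.compile(r"htpasswd|passwd|ws_ftp\.log|listener\.ora|/isqlplus|\.xls$", re.I)

def crawler_exposures(log_text):
    """Return crawler requests for sensitive paths, marking whether content was served."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        path = m["path"].split("?", 1)[0]
        if not (CRAWLER_RE.search(m["ua"]) and SENSITIVE_RE.search(path)):
            continue
        status = int(m["status"])
        findings.append({
            "time": m["ts"], "ip": m["ip"], "path": path, "status": status,
            # 2xx means the crawler received the content and may index or cache it
            "indexed_risk": 200 <= status < 300,
        })
    return findings

if __name__ == "__main__":
    for f in crawler_exposures(SAMPLE_LOG):
        action = "served: fix and request removal" if f["indexed_risk"] else "refused"
        print(f'{f["time"]}  {f["path"]:<22} {f["status"]}  {action}')
```

Entries marked as served are the ones to take to the search engine provider for removal after the file is taken down or placed behind authentication.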


Conclusion

  • Web Crawler program/script overhaul

    • Google Webmaster Tools

  • More security

  • Workload

    • WYSIWYG (me)

