Search engine attacks to dig out sensitive information

SEARCH ENGINE ATTACKS to dig out sensitive information

By Creighton Linza for IT IS 3200


Introduction

  • Search Engine

    • an information retrieval system that searches its database for matches based on a query

  • Web Crawler

    • a program or script that automatically browses the web


Introduction

  • Search Engine Attacks

    • Passive

    • Stealth

    • Have the ability to use the ‘huge memory’ of the internet


Main Issues

  • Exploits in software used to secure databases

  • ‘Simple’ Identity theft

    • Little information required to get the attacker going

  • Financial threats


Who benefits from this research?

  • The Good

    • Security personnel

    • Individual Users

  • The Bad

    • Hackers

    • Solicitors


Who has worked with this research?

  • Founders of Search Engine Attacks

    • Oliver Peek

    • Kristjan Lepik

  • What they did

    • Found press releases in advance

    • Overall made 7.8 million dollars


Examples of attacks


General Attacks

  • Search for Passwords

    • “index of” htpasswd / passwd

    • filetype:xls + Search Terms

    • “WS_FTP.LOG”

  • Web help forums


General Attacks (cont’d)

  • Google cache

    • Bad for those who thought their problem was fixed

  • Google Code Search

    • Exploitable code

  • Common files and directories

    • “index of” “listener.ora”


Database Attacks

  • Potentially vulnerable web applications searched for via a search engine

    • Allow for advanced, specific, target-oriented searching

  • Use exploits to attack holes

  • ‘Protected’ databases found completely exposed by web crawlers


Oracle Attacks Example

  • Oracle servers/database attack on iSQLPlus

    • Java servlet that listens on port 7777 or 5560

  • If either port is exposed to the internet

    • Web server and applications can be inventoried by a web crawler

    • A route to access an internal database is created

      • From here, user accounts can be easily stolen

  • Do-it-yourself

    • allinurl: “/isqlplus”


CONCLUSION


What can be improved

  • Latest updates and patches

  • Disable directory browsing

  • No sensitive information online

    • Unless using proper authentication

  • Analyze the server’s logs for web crawler access

  • Ask the search engine provider to remove any necessary content
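
One way to carry out the log-analysis step above, shown as an added example that is not part of the original presentation. It assumes Apache/nginx Combined Log Format; the crawler token list, function name and sample log lines are constructed for illustration, and the sensitive-path patterns are the file names mentioned in the slides.

```python
import re

# Combined Log Format:
# host ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Crawler user-agent tokens (assumption: extend for the crawlers you care about).
CRAWLER_RE = re.compile(r'googlebot|bingbot|slurp|duckduckbot|baiduspider|yandexbot', re.I)
# File names from the slides; "passwd" also covers "htpasswd".
SENSITIVE_RE = re.compile(r'passwd|ws_ftp\.log|listener\.ora|/isqlplus|\.xls$', re.I)

def crawler_exposures(lines):
    """Return (path, status, crawler, served) for crawler hits on sensitive paths."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        bot = CRAWLER_RE.search(m['agent'])
        path = m['path'].split('?', 1)[0]  # ignore the query string
        if bot and SENSITIVE_RE.search(path):
            status = int(m['status'])
            # 2xx: the content was served and may now be indexed or cached
            findings.append((path, status, bot.group(0).lower(), 200 <= status < 300))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
_G = '"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"'
_B = '"-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"'
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "GET /backup/.htpasswd HTTP/1.1" 200 312 ' + _G,
    '192.0.2.10 - - [10/Mar/2024:10:00:05 +0000] "GET /isqlplus HTTP/1.1" 403 199 ' + _G,
    '198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "GET /ftp/WS_FTP.LOG HTTP/1.1" 200 2048 ' + _B,
    '203.0.113.5 - - [10/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 ' + _G,
    '203.0.113.9 - - [10/Mar/2024:10:03:00 +0000] "GET /admin/listener.ora HTTP/1.1" 200 900 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for path, status, bot, served in crawler_exposures(SAMPLE_LOG):
        print(f"{'SERVED ' if served else 'blocked'} {status} {bot:<10} {path}")
```

User-Agent strings are self-reported, so a match shows only what the client claimed to be. Paths reported as served are the ones to lock down first and then submit to the search engine provider for removal.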


Conclusion

  • Web Crawler program/script overhaul

    • Google Webmaster Tools

  • More security

  • Workload

    • WYSIWYG (me)

