
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Google hacking is on the up!

I saw Frank's post to his blog last night titled Google Your site for Security Vulnerabilities and read it with interest, as I have also talked a few times about Google hacking here recently.

Basically Frank's post points us at an article on the O'Reilly web site titled "Google Your Site For Security Vulnerabilities" written by Nitesh Dhanjani in either July or October 2004 (depending on whether American dates or UK dates are used).

This is a superb article that provokes plenty of thought on this subject. The premise is that any page on your website that Google can index will be found and indexed. This could include forms servers, reports servers, listener.logs, alert.logs, application code, you name it. Google could find it unless you make sure it's not accessible and also make sure that Google cannot index it.

The article starts by talking about default resources (pages installed on web servers by default), then directory listings and how to find them on Google, next error messages, including an Oracle example for ORA-00921, then a search for remote services and even vulnerability reports from popular tools such as Nessus that may have been run against your servers.

The paper goes on to present a PHP script that can be run to automate checks against google for a list of known problems. It goes on to present an example execution which doesn't show much as all the data returned has been removed. The article finishes with some comments on the script and lessons learned.

This is an excellent article and well worth reading. All DBAs and security managers should read this paper and should run some tests to see what information and services that are part of their Oracle database and Oracle-based applications are exposed to Google and other search engine indexes.
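One way to start such a test from the inside, as an added example that is not from this post or the O'Reilly article: a Python sketch that walks a web server's document root and flags Oracle listener/alert logs and files containing ORA-NNNNN error text, the kind of content a search engine would index if it is served. The file-name patterns, function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed name patterns for the Oracle artefacts the post lists (listener and alert logs).
RISKY_NAMES = re.compile(r"^(listener.*\.log|alert_?.*\.log)$", re.IGNORECASE)
# Oracle error codes have the form ORA-NNNNN, e.g. the ORA-00921 mentioned above.
ORA_ERROR = re.compile(rb"ORA-\d{5}")

def audit_docroot(docroot, max_bytes=1_000_000):
    """Return sorted (relative_path, reason) findings for files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if RISKY_NAMES.match(name):
                findings.append((rel, "oracle-log-in-docroot"))
                continue
            try:
                with open(full, "rb") as fh:
                    data = fh.read(max_bytes)  # only inspect the first max_bytes
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            match = ORA_ERROR.search(data)
            if match:
                findings.append((rel, "contains " + match.group().decode()))
    return sorted(findings)

def build_sample_docroot(root):
    """Constructed sample tree, so the example runs offline."""
    samples = {
        "index.html": b"<h1>Welcome</h1>",
        "logs/listener.log": b"constructed listener log line",
        "logs/alert_ORCL.log": b"constructed alert log line",
        "app/report.html": b"<pre>ORA-00921: unexpected end of SQL command</pre>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return audit_docroot(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Anything this reports should be moved out of the served tree or blocked at the web server; excluding it from indexing alone does not stop direct requests.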

I cover this new idea in the new 6-day hands-on Oracle security training course that I have just written for the SANS Institute, which will be taught first in April 2005 in San Diego.

As I have said, I have also talked about Google hacking here recently in a few Oracle Security weblog posts. These include "Bruce Schneier talks about google desktop search security", "Information leakage and google hacking" and a post about information leakage titled "An interesting example of information leakage posted to my blog entry".

This is becoming a more and more talked about area of security and will undoubtedly become a tool more often used by hackers to gain information about your databases, applications and servers. Be warned!