Welcome to WebmasterWorld Guest from 3.209.80.87

Forum Moderators: open

Message Too Old, No Replies

Google Aids Hacking

In a UK national paper ¦ More Backlash

     
8:16 am on Jul 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 6, 2001
posts:2213
votes: 0


I had the nasty experience of catching a bus this morning :) and was intrigued to read an 1/3 page article in Metro. For those not familiar with the paper it a free paper that you can pick up all over the uk in places like bus and train stations and from annoying geezers who thrust them through your car window at traffic lights.

Back on topic the article title was:

Want to get hacking? All you need to use is Google

In my best paraphrasing, hackers get all the information they need to hack from Google, they don’t actually have to visit the intended site before they start to hack. Before Google hackers had to visit the site to find vulnerabilities but now they can find them with Google. Using the cached version of the page they can get the information they need without alerting the website owners. Some geezer called Danny Sullivan tells it more like what it is, that Google can aid the hacker as well as the user.

This has also been reported in the New Scientist [newscientist.com]

So two very public articles on the street, sort of mis-informing the world and Joe Public. This sort of information can only aid backlash articles and comments we are seeing more of.

I know many people on the street who will misinterpret this so when someone says "why not use Google?" I expect to hear, "No! they aid hackers, I read it in the paper". Before long the brand will be tarnished further.

Could Google alleviate this by removing the caching feature? Not sure, but they need to do something.

Cheers

8:32 am on July 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 3, 2002
posts:1590
votes: 0


Not sure, but they need to do something.

I don't think they do. Hackers have used search engines for ages to search for websites that are vounerable because they haven't been patched properly or whatever.

It isn't the search engines' fault that people don't know how to secure their servers and sites... People just need to start investing more in security.

8:36 am on July 31, 2003 (gmt 0)

Senior Member from MY 

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 1, 2003
posts:4847
votes: 0


the fact remains that the security flaw exists and can be found _with or without_ the cache. the only difference is that the site supposedly is not informed of the attempt (forgot about the images and stylesheets etc still coming from server?). google doesn't decrease security at all.
8:38 am on July 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 6, 2001
posts:2213
votes: 0


>>Not sure, but they need to do something.

Sorry, I meant from a PR perspective. It is up to the webmaster to secure thier site. Hackers will find the information if they want to.

8:43 am on July 31, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:May 22, 2003
posts:354
votes: 0


These are hardly mainstream rags, I don't think they're likely to cause a mass exodus to other SE's
8:50 am on July 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 3, 2002
posts:1590
votes: 0


other SE's

Other SE's than Google? Where? Surely not. ;)

Google are unlikely to worry about this - hackers can use other search engines as well to find this info (or their address bar). It isn't as if Google created a hacker toolbar or something.

8:54 am on July 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 6, 2001
posts:2213
votes: 0


I would hardly call the NS a rag :)

WRT Metro, they have coverage to the public and that counts. If it appeared in the FT in some oscure section I cant see it causing any great "panic" but Metro is all over the gaff with a big reading public.

I found this on my travels, can put a date on it but

Metro (London) remains the largest free regional morning with a distribution of 375,328

More than enough web using public will get that, and that is London only, I got this in town near Birmingham.

9:17 am on July 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 5, 2001
posts:2466
votes: 0


I understand where you are coming from Ukgimp, we discussed a similar thing about Joe publics perception of the word Spam on SE forums.

To me spam is and always will be UCE but google decided to to call hidden text and anything which is dark seo as Spam.

Search google for spam it does mention hidden text in fact the serps return mainly site about UCE. So when webmaster world members post about spam joe public think we are talking about UCE and not hidden text, it puts WebmasterWorld in a bad light just the same has headlines like "google aids hackers"

Joe public starts saying things like I read if you use google people can hacker you site or computer.

DaveN

9:18 am on July 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


Given that site security is NOT being affected by Google, this story will simply blow over. It says more about the rag printing it than it does about Google.

Kaled.

9:30 am on July 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 6, 2001
posts:2213
votes: 0


Dont underestimate "The Rag" [univ-pau.fr]

"It's the Sun wot won it"

11:15 am on July 31, 2003 (gmt 0)

New User

10+ Year Member

joined:July 3, 2003
posts:4
votes: 0


I too am familiar with 'The Metro' on the number 16 bus into Hockley. Most of them end up littered all over the place so it's not taken all that seriously.
4:48 pm on July 31, 2003 (gmt 0)

Full Member

10+ Year Member

joined:July 7, 2003
posts:282
votes: 0


Maybe google makes the work shorter for hackers, but not easier. As the same way they can inspect the cached pages in google, they can enter once the website and copy it partially to the hard drive to work off line. Many users do this to access the page while they are not connected to internet (oh, yes! The mortals are not like the webmasters. they are not always on-line ;)), and not many webmasters suspect when this is done. But google does not help hackers (nor any other reverse-enginyers that are not hackers) to find security holes in remote systems. The webpages that are cached in google do not use to contain interesting information for a hacker (unless it is the cache of a hackers' site ;)). So don't worry by this. If a hacker is able to enter your system, s/he will be able to do it with our without google; and in any case you will notice her/his "visit".
6:37 pm on July 31, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 26, 2002
posts:173
votes: 0


A major german magazine "spiegel online" (a reputable one, too, though mostly on political/social topics) also ran the story. Interestingly they've had one or two "anti-google" articles in the last couple months, which for knowledgable folks are just laughable.

I still can't see how it is "aiding hacking", if you are into security by obscurity there may be a little chance under some rather unlikely circumstances(*) someone who wanted to hack your site, might have a slight advantage. Although removing the cache feature would not stop anyone. The german article also said:

Die dort abgebildeten Seiten sind weitgehend funktionsfähig, das Vorhandensein vieler Sicherheitslücken lässt sich schon anhand des Caches überprüfen. Das gibt dem Cracker eine Gelegenheit zur "Generalprobe": Der am Ende erfolgende Angriff ist dann zielgerichteter und schwerer zu bemerken, als wenn ihm eine Phase des "Stocherns" vorausgeht.
which roughly translates to
The [cached pages] are mostly functional, the existence of many security holes can be confirmed via the cache. This lets the cracker rehearse the attack: The finally successful and real attack will be more "on target" and harder to notice, because no poking around on the real site will be necessary.

That is pure and plain FUD. Nobody can run rehearsal attacks on cached pages; they are not "mostly funtional", it's plain html. There must be a couple journalists that are either really dumb or really dangerous, spreading targeted paranioa like that.

RE: unlikely curcomstances(*):
The only scenario where the cache would be useful that I can think of is this:
1) the site is using a widely known application on the webserver AND
2) an exploit has been published AND
3) instead of fixing the hole, you try to "cover it up" by making it look like your site is safe, e.g. by changing version numbers, de-linking those pages etc. AND
4) The attackers are checking google in the few weeks between you making the changes, and google updating the cache.

[Without 3+4 any and every searchengine w/o cache will achive the same]

It's just ridiculous trying to make an actual story out of this.

11:50 pm on Aug 1, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


When you look at the Google cache your visit is NOT invisible. You cannot hide.

The external CSS, external JS, and all of the images are still pulled from the real live domain.

12:21 am on Aug 2, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 4, 2002
posts:1069
votes: 2


<<Some geezer called Danny Sullivan tells it more like what it is, that Google can aid the hacker as well as the user.>>

"Geezer"?

5:37 am on Aug 4, 2003 (gmt 0)

Full Member

10+ Year Member

joined:Apr 24, 2003
posts:216
votes: 0


That article is silly.

You can't "hide" your visit by using the Google cache.

8:42 am on Aug 4, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 6, 2001
posts:2213
votes: 0


>>That article is silly

We know that, but your average web surfing geezer (i'll get to that :)) will just assume the worst. If you read something whether it is true technially or not, in a well distributed newspaper a lot of people will believe it. That is the point I am trying to make, that public perception can make big difference whether it is true or not.

>>Geezer

a slang phrase for a bloke :), as in he's a bit of a geezer, lad, jack about town etc. You can also be an "old geezer" but that is a little different. You gotta loove the English language and all our slang :)

If you are having problems with the words some of us British chaps use :)

www.peevish.co.uk/slang/g.htm (the second definition is where is was)

9:24 am on Aug 4, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:May 22, 2003
posts:354
votes: 0


Why does this affect the surfer, it's more a concern - if anything - for webmasters!

This is a mountain out of a molehill - Anyone readin that article - if anyone did, bar interested webmasters/SEO's - will have already forgotten about it... fish & chips wrapping paper 'n' all that.

9:32 am on Aug 4, 2003 (gmt 0)

Senior Member from ZA 

WebmasterWorld Senior Member 10+ Year Member

joined:July 15, 2002
posts:1723
votes: 4


If the BBC and the New Scientist are covering it and with most threads here getting a good ranking the public will find it if they want, so its not just the Metro that will carry news of it.

Craig

9:42 am on Aug 4, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 6, 2001
posts:2213
votes: 0


twp

If you dont wish to belive that untruths can and do have impact take a look at this:

www.ojr.org/ojr/glaser/1059692646.php

This is the most unpolitical one I can think of or is not close to monster can of worms in subject matter. It was a blatant lie but somehow got onto TV. Factor into a story about being hacked and you can see how far something "could" go.

Cheers

9:59 am on Aug 4, 2003 (gmt 0)

Full Member

10+ Year Member

joined:Feb 5, 2002
posts:333
votes: 0


google aids everyone, including hackers. if say a cms developer issues a bug alert a hacker could download the cms onto their own machine, check out the exploit/vulnerability on their own system, then use google to search out websites that use that cms. in all likelihood there will be lots of websites that haven't applied the fix and the hacker can hack to his hearts content.
10:09 am on Aug 4, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 3, 2002
posts:1590
votes: 0


in all likelihood there will be lots of websites that haven't applied the fix and the hacker can hack to his hearts content.

This is what I said in my post - but I also mentioned that it isn't the search engines that are responsible for updating the CMS systems of the websites that they index.

10:25 am on Aug 4, 2003 (gmt 0)

Junior Member from GB 

10+ Year Member Top Contributors Of The Month

joined:Oct 16, 2002
posts:182
votes: 3


What are they on about?

Even IF the Google cache didn't show anything in the server logs, when a cracker (hacker is the wrong word IMO but I know it is not for some) viewed a page on the site how does that alert an admin to him being a cracker anyway?

'Look Janice someone from xxx.xxx.xxx.xxx viewed our homepage today, we'd better be careful it looks like a cracker to me....' hmmmm...

These are public pages which anybody could be viewing all the time anyway.

Complete rubbish unless I'm missing something.

10:51 am on Aug 4, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


I think, in common usage, a cracker works on local software trying to get past registration lockouts, etc. whilst a hacker works with networks trying to get past security, etc. I tend to use the terms interchangably but I think they used the right term in the article.

Frankly, I don't think this is even a storm in a teacup. More like the flap of a butterfly's wings in a concert hall.

Kaled.

PS
Please, no chaos-theory-nonsense in reply.

11:11 am on Aug 4, 2003 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 1999
posts:38256
votes: 115


Anyone find the old thread from 2000? Same story - different year...

[news.com.com...]
[vnunet.com...]
[internetnews.com...]
[wired.com...]
[kilwinning.org...]
[foi.missouri.edu...]

11:52 am on Aug 4, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 15, 2003
posts:2412
votes: 5


Every year around summer unskilled journalists who still have to prove that they are worth the monthly paycheck see their sources for news disappearing for a while, as governments and companies embrace the holiday season. Then, they have to (*) dig up something, make up something, or just write about minor news, ie. bathwater temperatures or cucumber sizes.

/claus



(*) added: unless they want do do some research and write real stories of course.
1:44 pm on Aug 4, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:May 22, 2003
posts:354
votes: 0


Ok, let's get some perspective on it; It's been nigh on a week since this was (again) reported... Has anyone got a reliable damage assessment, GoogleGuy?
4:15 pm on Aug 4, 2003 (gmt 0)

Full Member

10+ Year Member

joined:July 7, 2003
posts:282
votes: 0


First, I wan't to defend the art of hacking:
A hacker is not a cracker. A hacker is only a curious person that enters systems only to make a sunday afternoon lightier or to take a look to an interesting connfiguration, like a kender. A cracker is a @#$%& that enters a system and trully atacks it: takes and sells private data, harms the system, etc. like a thief.
So don't use the word hacker to speak about crackers nor take the hackers as if the were crackers. Thanks :)

And now, returning to the topic, it has been said too many times:
A hacker or cracker that wants to enter some site can use the google cache, of course. But what use is this? If she/he does not use the cache, the hacker or cracker will do the same "noise" that a random surfer or an interested visitor. Even, going further, the cache is not allways up to date. A cracker could find holes inthe cache that are not longer in the "true" site and, when trying to enter thru them, get caught. So, if a site is well maintained and frequently checked, then google cache can even be a trap for crackers and undesidered visitors.

Herenvardö

5:12 pm on Aug 4, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 30, 2001
posts:1739
votes: 0


Why stop at hacking?

Google aids organized crime! It finds restaurants and bars within the gang's area, so they can be visited with threats and extortion...

Google aids terrorists! It provides maps to vulnerable targets, and schedules for hijackable airline flights.

Google aids telemarketers! It provides access to phone numbers.

Google aids Republicans! It provides access to companies who are potential donors.

This is stupider than stupid -- this is ... JOURNALISM. <rant>Reporters who probably have trouble finding the ANY key, who flunked out of 5th grade arithmetic and never even HEARD of formal logic, trying to explain technical details with no tools except a glib command of grade-school grammar and the unshakeable confidence that can only come through total, intractable ignorance of the entire scientific and technical history of the last 6 millenia.

6:44 pm on Aug 4, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 6, 2001
posts:2213
votes: 0


You all seem to be missing my point. I know the article is horse but Joe Public who does not have our technical know how does not. Articles like this can and do influence the public. The Sun in the UK is hardly a top class newspaper, but it s contents are widely read and widely believed. Now add that sort of coverage to a few repected publications (New Scientist)and you have fuel. The article may be re writtent para phrased plagiarism but it is still out there and that was all I was trying to get across, not a critique of how technically correct the content of the piece is.

Cheers

This 39 message thread spans 2 pages: 39