The Cult of the Dead Cow hacker group has released an open-source tool designed to enable IT workers to quickly scan their websites for security vulnerabilities and at-risk sensitive data, using a collection of specially crafted Google search terms.
The group, which refers to itself as the cDc, acknowledged that the Goolag Scanner tool could also be used by malicious attackers to look for vulnerable websites.
"We're not stupid," a cDc member who goes by the name Oxblood Ruffin says. "We know some bored teenagers and criminals will try to exploit vulnerabilities [using the new tool]."
But such uses are "not something that we or anyone can control," Ruffin adds. "What we're trying to do is two things: One, to provide a very easy and legitimate tool for security professionals to test their own websites for vulnerabilities, and two, to raise awareness about web security in and of itself."
Goolag Scanner is a Windows-based auditing tool that was built around the concept of "Google hacking," a form of vulnerability research created by a hacker who uses the name Johnny I Hack Stuff. Google hacking involves the use of certain types of search queries to look for website vulnerabilities. More than 1,500 such queries — or Googledorks, as they as well as the people who leave their websites exposed to them are sometimes known — have been compiled into a database by Johnny I Hack Stuff over the past few years.
Although the queries ostensibly are supposed to be used by web administrators to test their sites for data leaks and vulnerabilities, they are also widely used by hackers with malicious intent who are looking for ways to break into sites.
With Goolag Scanner, users can use Googledork queries to run automated vulnerability scans on websites, instead of having to copy and paste each search term into a Google search field. According to Ruffin, the tool stores all of the known Googledorks in one file and enables users to add new search terms as they find them.
"Essentially, what we have done with the scanner is created an automated form of Google hacking," he says. "It's like Google hacking on steroids. It operates in a very quick manner."
The new tool also is "very easy to use for everybody, not just security professionals," Ruffin says. "It's probably something that your mother could use without a whole lof of instructions."
Johnny I Hack Stuff previously released a similar tool called Gooscan that also automates the query process, but it runs only on Linux.
Ruffin said that as part of its testing of Goolag Scanner, the cDc ran the tool against commercial, government and military websites in North America, Europe and the Middle East, discovering significant security holes in many of them. Most of the scans done in North America were run against government sites "because they are really starting to migrate to the web," he says.
Information about roughly a dozen "pretty scary holes" that were discovered as part of those scans has been turned over to the proper authorities, Ruffin adds.
Goolag Scanner won't find any new kinds of security threats on websites, but it does give IT administrators a handier way to look for flaws and leaks that could be exposed via Google searches, says Amichai Shulman, chief technology officer at Imperva., a vendor of firewall and database security software in California.
The tool's user interface is easy to use, Shulman says, adding that Goolag Scanner could be an eye-opener for company officials and other website owners who still need to be convinced about the extent of their exposure to security risks.
And despite the concerns about malicious uses of the tool, Shulman says that he thinks the automated querying offered by Goolag Scanner is unlikely to be of much help to would-be attackers. Over the past few years, Google has increasingly improved the ability of its software to detect and stop large-scale automated searches, according to Shulman. People who frequently try to run such searches via Goolag Scanner could find their IP addresses being blocked by Google, he says.
Even companies that want to use the tool might need Google's enterprise search software in order to successfully run the scanner against their web sites without problems, Shulman says.