Transcript Slides - Personal Web Pages

By Creighton Linza for IT IS 3200
Introduction
 Search Engine
 an information retrieval system that searches its
database for matches based on a query
 Web Crawler
 a program or script that automatically browses
the web
Introduction
 Search Engine Attacks
 Passive
 Stealth
 Have the ability to use the ‘huge memory’ of the
internet
Main Issues
 Exploits in software used to secure databases
 ‘Simple’ Identity theft
 Little information required to get the attacker going
 Financial threats
Who benefits from this research?
 The Good
 Security personnel
 Individual Users
 The Bad
 Hackers
 Solicitors
Who has worked with this research?
 Founders of Search Engine Attacks
 Oliver Peek
 Kristjan Lepik
 What they did
 Found press releases in advance
 Overall made 7.8 million dollars
General Attacks
 Search for Passwords
 “index of” htpasswd / passwd
 filetype:xls + Search Terms
 “WS_FTP.LOG”
 Web help forums
General Attacks (cont’d)
 Google cache
 Bad for those who thought their problem was fixed
 Google Code Search
 Exploitable code
 Common files and directories
 “index of” “listener.ora”
Database Attacks
 Potentially vulnerable web applications
searched for via a search engine
 Allow for advanced, specific, target-oriented searching
 Use exploits to attack holes
 ‘Protected’ databases found completely
exposed by web crawlers
Oracle Attacks Example
 Oracle servers/database attack on iSQLPlus
 Java servlet that listens on port 7777 or 5560
 If either port is exposed to the internet
 Web server and applications can be inventoried by a
web crawler
 A route to access an internal database is created
 From here, user accounts can be easily stolen
 Do-it-yourself
 allinurl: “/isqlplus”
What can be improved
 Latest updates and patches
 Disable directory browsing
 No sensitive information online
 Unless using proper authentication
 Analyze server’s log for web crawler’s access
 Ask the search engine provider to remove any
necessary content
Conclusion
 Web Crawler program/script overhaul
 Google Webmaster Tools
 More security
 Workload
 WYSIWYG (me)