LAS VEGAS, NV — (Marketwire) — 07/28/11 — In a talk at next week-s conference in Las Vegas, researchers Francis Brown and Rob Ragan will show how the power of Google-s indexing capabilities can be harnessed to identify vulnerabilities — particularly SQL injection flaws — that can be used to take over millions of websites that are at risk. By searching for the right string of information, an attacker can find massive amounts of sensitive data and extract it with a few simple exploits.
Brown and Ragan will also show how Google hacking was used in several other recent, high profile attacks:
Late last month, the entire user database of Groupon-s Indian subsidiary, Sosasta.com, was accidentally published to the Internet and indexed by Google, exposing the email addresses and clear text passwords of the site-s 300,000 users.
In the spring, the Liza Moon virus affected more than four million websites, injecting malicious SQL codes into popular websites and redirecting users to sites that deliver malware.
A similar mass SQLi attack last year compromised thousands of websites, including The Jerusalem Post and The Wall Street Journal.
Last year, Brown and Ragan completely revolutionized the way Google and Bing hacking is done in an under-hyped Black Hat presentation called “Lord of the Bing.” That presentation only scratched the surface of what-s truly possible with Google hacking. Over the past year, Stach & Liu has built what may be the world-s — in fact, over 3,000 new vulnerable websites are added per day to this database via real-time RSS feed updates from both Google and Bing. After a year of collecting this research, Brown and Ragan are returning to Black Hat to give the security community the defensive tools they-ve been asking for to help solve this problem.
, Brown and Ragan will showcase a full arsenal of Stach & Liu-s new and free “Diggity Hacking” tools and give live demonstrations to the crowd of how they work at Black Hat USA in Las Vegas. They will also discuss modern defense techniques and how vulnerable sites across the web are being added to this repository.
“Since our Black Hat talk a year ago, our team has worked diligently to develop and deliver this full arsenal of defensive Google and Bing hacking tools that can take in millions of vulnerabilities and identify when your websites are vulnerable to attack,” said Francis Brown, Managing Partner at Stach & Liu. “Google has made it incredibly easy to find these types of vulnerabilities through their indexing and that has left many sites at risk. To put it in perspective, if Groupon.com had been using our tools, they would have gotten an alert via iPhone or Droid apps and found the vulnerability before anyone else did.”
Here are the session details for this Black Hat talk:
Francis Brown, Managing Partner, Stach & Liu
Rob Ragan, Senior Security Associate, Stach & Liu
“Pulp Google Hacking – The Next Generation Search Engine Hacking Arsenal”
Wednesday, August 3, 2011
4:45pm – 6:00pm PDT
Black Hat Briefings, Caesar-s Palace, Las Vegas, NV
For more information on this presentation, please visit:
To learn more about Stach & Liu-s Google Hacking project, please visit:
Francis Brown, CISA, CISSP, MCSE, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients. Francis has presented his research at leading conferences such as Black Hat USA, DEFCON, InfoSec World, ToorCon, and HackCon and has been cited in numerous industry and academic publications.
Rob Ragan is a Senior Security Associate at Stach & Liu, a security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Rob served as Software Engineer with the Application Security Center team of Hewlett-Packard (formerly SPI Dynamics) where he developed automated web application security testing tools, performed penetration tests, and researched vulnerability assessment and identification techniques. Rob has presented his research at leading conferences such as InfoSec World, Black Hat USA, and DEFCON. Rob has also published several white papers and is a contributing author to the upcoming Hacking Exposed: Web Applications 3rd edition. Rob holds a Bachelor of Science from the Pennsylvania State University with a major in Information Sciences and Technology and a focus on System Development. While at Penn State, Rob worked as a full-time web application developer for the Office of IT and was an active member of the Information Assurance Club where he gave training on web application security.
Stach & Liu provides IT security consulting services to help companies secure their business, networks, and applications. Based in Phoenix, Arizona, the privately-held company was founded in 2005 by a team of industry leading experts to help companies secure their businesses, networks, and applications. Its professionals have worked in government intelligence, the Fortune 100, and Big 4 consulting and possess over 150 years of combined security experience. In addition to authoring several best-selling security books, writing numerous industry articles, and being cited in well-respected journals, the Stach & Liu team has been presenting its security research for over a decade. Stach & Liu speakers have made presentations at many top security industry venues, including Black Hat, DEFCON, Security B-Sides, ToorCon, RSA, InfoSecWorld, OWASP, SANS, and Microsoft BlueHat.
Vinnie Liu
+1 (480) 621-8967
You must be logged in to post a comment Login