Black Hats and Google Hacks

PageRank is a double-edged sword. When it analyzes pages based on their relevance to the query, it takes into account every single webpage that the query manager might have interest in, even if those webpages are not generally considered hubs or are only superficially connected to the original search terms. The issue is that PageRank is so good at network mapping that it can lead villains to places they shouldn’t be able to go. PageRank’s scope makes it dangerous: when someone searches for a specific site (say “yahoo.com”) and systematically eliminates hub nodes by specifying search terms, PageRank can become a very useful tool for black hat hackers (the bad guys).

For example, consider a search for site:“yahoo.com”. The phrasing is no accident: we’re looking for a website, specifically “yahoo.com.” This is different from searching for the unquoted yahoo.com, because that search would be interpreted as yahoo+.+com. Pages with any one of those terms would be included in our results, which makes the result set too massive for us. Yahoo.com yields 7,490,000,000 results whereas site:“yahoo.com” yields 85,200,000 results. The latter is only 1% of the former. If we begin eliminating highly ranked but deviant results like travel.yahoo, weather.yahoo and shine.yahoo, we could theoretically end up with a list of every Yahoo email address (specific nodes that aren’t hubs). It takes no prior knowledge or experience; all anyone has to do is develop an awareness of Google query terminology.

Unfortunately, there is more to be gained for the nefarious by PageRank hacking than a long list of email addresses. Consider your printers, webcams, security cameras and cell phones. Specific devices are actually easier to search for with Google than anonymous email addresses; all you need is the correct terminology and the make and model of the device. PageRank generates a list of vulnerable devices, many of which accept you as the administrator when you click on them. You can configure or shut down firewalls, change passwords or steal information without leaving a trace. It’s shockingly easy to gain access to office and industrial equipment this way.

This poses a national security threat. It’s not only possible, but quite easy, to gain access to power grids with a clever Google search. Passwords mean almost nothing to the black hats who have mastered this trick, first because almost no one uses passwords on their office devices, and second because passwords can be quite easily cracked at all but the highest levels of encryption. No one expects these attacks because they are so unorthodox, so the passwords are generally quite weak or, even worse, left at default. With the basic application of a dictionary attack (which applies everything in a dictionary of your choice in every combination possible against a login screen to gain access), a novice user can read the documents you’ve sent to your printer, watch you through your security cameras, or shut off the power to your house. All thanks to PageRank.

 

www.blackhat.com/presentations/bh-europe…/BH_EU_05-Long.pdf


2 thoughts on “Black Hats and Google Hacks”

  1. This is a very interesting article pointing out the power PageRank and search engines own. The power of search engines is mostly seen as a very positive process which can satisfy more and more customer needs on an advanced level. That is why it is very important to take a look at the downside of the fast development of these search engines as well. I was not aware of the power they have from a negative perspective and I have learned through this article. Nevertheless, I cannot see what customers can do about the availability of their data on the internet.

  2. I thought the conclusion to your blog was very frightening. Everything you stated seems theoretically possible, and I am hoping that there is some security from this happening, and that there aren’t many out there with any bad intentions. I’m hoping that Google makes sure that (at least for Gmail) emails are not just searchable using that technique. I’m also so amazed by the sheer power and size of the search engine and the web. Using PageRank/Google also makes us have to search in a very specific way. To get these anonymous emails, the searcher must not search for the anonymous emails, but eliminate everything that is not the anonymous emails.
