Saturday, April 04, 2015

FBI Warns: Google Used by Malicious Hackers


By Sam Vaknin
Author of “Malignant Self-love: Narcissism Revisited”

Q. In July 2014, the Department of Homeland Security in the USA and the FBI warned the various branches of the US government, police, and public safety and security organizations of a malicious online activity called “Google Dorking”. What is it?

A. “Google dorking” or “Google hacking” is the use of advanced search queries in Google, Bing, or Yahoo to locate sensitive information, such as usernames and passwords, account numbers, social security numbers, etc. The FBI explains it well in its confidential circular which, ironically, was leaked to the press:

“Malicious cyber actors are using advanced search techniques, referred to as ‘Google dorking,’ to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks. By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.”

Oddly and disconcertingly, these data are often available publicly. High schools post mostly valid usernames and passwords for expensive subscription databases and for-pay media on their internet-facing library portals; public libraries publish the first 8 or 9 digits of their library card numbers or barcodes, making it relatively easy to guess the rest; a variety of service providers neglect to deny search engines access to client lists, social security numbers, confidential and sensitive commercial information, and even state secrets (a robots.txt file on the server is all it takes to keep Google’s crawler out); sites like Bugmenot encourage users to create fake email accounts and submit thousands of usernames and passwords for numerous restricted online services and products; and government agencies and other national bodies are as leaky as sieves. The syntax of the search strings needed to elicit these bits of sometimes crucial data is laughably simple.

Both malicious actors and more benign types avail themselves of this cornucopia. The less savory operators hide behind proxy servers and applications or online anonymizers and harvest (dump) prodigious amounts of data from databases, sometimes using automated tools and scripts.

White-hat hackers, grey-hat hackers, and intrepid reporters openly conduct penetration testing or simply verify the validity of publicly posted access credentials. These actors share their findings in order to improve the overall safety of the Internet, and they never disguise their identity. Then there are “collectors”, who amass huge piles of information but never make use of it, and students and, more rarely, faculty, who illegally access specific databases for limited periods of time in order to conduct targeted studies.

Q. But is Google dorking legal?

A. The situation is not helped by the fact that laws in the USA and the EU are outdated or exceedingly vague, allowing criminals to go unpunished or overzealous prosecutors to terrorize minor infringers for mere contractual violations of terms of service. In 2013, a prominent Net activist and the inventor of the web feed format RSS, Aaron Swartz, committed suicide in the wake of such a ruthless investigation of what many, including the victim, the online database JSTOR, perceived to have been a misdemeanour.

Q. Where do most of these hackers come from?

A. During a two-month period, I came across dozens of forums in Iran and other developing countries where students and faculty posted usernames and passwords for online academic and research databases. Via YouTube, I found websites which provide simultaneous access to the EZproxy servers (access points) of several universities or force-download full-text documents from paid subscription academic and research databases.

This surprised me. I knew that many of these databases were supposed to be made available at reduced rates or at no charge to poor and developing nations and to their intellectuals. Yet nothing could be further from the truth. Individuals (even students or faculty members in countries which are not subject to sanctions, unlike Iran) are actually unable to obtain legal access to databases in their dirt-poor locales. Even the cheapest, most heavily subsidized repositories (for example: the UN’s HINARI) are available solely to select institutions and only for the exorbitant equivalent of 6-24 monthly salaries ($1500).

The repugnant avarice of most database providers and academic publishers has already spawned phenomena like the open access movement: scholarly publishing at no cost to the reader. But the last few years witnessed a virtual onslaught of indignant hackers from developing and impoverished countries who feel that knowledge should be democratized and made available to all, subject to differential pricing. While it may be reasonable to charge $50 per published academic paper in the USA, UK, or Norway, it is usurious in countries like Mali and Macedonia.

Even legitimate sites, such as Scribd, are now inundated with pirated copies of textbooks, lists of passwords for research databases, and usernames for university ezproxies. It is nothing short of a rebellion, civil disobedience, a protest movement the magnitude and effects of which are kept under wraps by its victims.

The overwhelming majority of these hackers are idealists, though they do charge a pittance for the information they harvest in order to defray the hosting and bandwidth costs. They still naively believe that the academic community is about furthering learning, not about turning a profit. Many cannot help but feel that while these crackers may be acting illegally, they are not the only Bad Guys in this outright war of attrition.

Q. What can commercial providers of research or academic databases do to protect themselves?

A. Three simple steps would reduce malicious cracking and unauthorized access and use to almost nil: (1) authenticate users not only with a username and password, but also with the IP address from which the Internet connection originates, a practice known as geolocation; (2) implement rigorous database audit and monitoring (DAM) tools to spot, alert on, and block intrusions; and (3) welcome white-hat and grey-hat hackers and investigative reporters to test the systems and offer their insights. Shockingly, the current practice is to sue and prosecute such helpful people as malicious crackers, even when they share their findings with the affected database providers and vendors!
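As an added illustration of the first two steps (not code from the article or from any database vendor), the sketch below refuses a correct password presented from outside a subscriber's registered IP networks, and then audits a login log for the two patterns the article describes: one credential turning up from many source addresses, and repeated wrong-password attempts against one account. The subscriber names, IP ranges, thresholds and log lines are all constructed for the example.

```python
"""Added example, not from the article: IP-aware authentication plus a
login-log audit for shared or guessed credentials. All names, networks
and log lines are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import os
from collections import defaultdict
from dataclasses import dataclass


# ---- Step 1: username + password + registered source network ---------------

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    allowed_nets: list  # networks the subscribing institution registered


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked credential table is not trivially reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str, cidrs: list) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt),
                   [ipaddress.ip_network(c) for c in cidrs])


# Constructed subscriber table (hypothetical): one campus, one public library.
ACCOUNTS = {
    "campus-lib": make_account("correct horse battery", ["192.0.2.0/24"]),
    "city-lib": make_account("staple", ["198.51.100.0/25"]),
}


def authenticate(user: str, password: str, client_ip: str) -> str:
    """Return 'ok', 'bad-credentials' or 'wrong-network'.

    A valid password arriving from outside the institution's registered
    networks is refused, so a username/password pair copied from a forum
    does not work for everyone who finds it.
    """
    acct = ACCOUNTS.get(user)
    if acct is None:
        hash_password(password, b"\0" * 16)  # same cost for unknown users
        return "bad-credentials"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return "bad-credentials"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in acct.allowed_nets):
        return "wrong-network"
    return "ok"


# ---- Step 2: audit the login log for shared or guessed credentials ---------

# Constructed log lines: "<timestamp> <user> <client ip> <outcome>".
SAMPLE_LOG = """\
2015-04-01T10:00:01 campus-lib 192.0.2.10 ok
2015-04-01T10:02:11 campus-lib 192.0.2.11 ok
2015-04-01T10:05:40 campus-lib 203.0.113.9 wrong-network
2015-04-01T10:06:02 campus-lib 203.0.113.77 wrong-network
2015-04-01T10:06:30 campus-lib 203.0.113.78 wrong-network
2015-04-01T10:07:00 city-lib 198.51.100.7 ok
2015-04-01T10:09:15 city-lib 203.0.113.5 bad-credentials
2015-04-01T10:09:16 city-lib 203.0.113.5 bad-credentials
2015-04-01T10:09:17 city-lib 203.0.113.5 bad-credentials
2015-04-01T10:09:18 city-lib 203.0.113.5 bad-credentials
"""


def audit(log_text: str, max_sources: int = 2, max_failures: int = 3) -> dict:
    """Return {user: [alert, ...]} for accounts worth blocking or reviewing.

    Rule 1: the correct password seen from more than max_sources distinct
    addresses (outcome ok or wrong-network) suggests a shared credential.
    Rule 2: more than max_failures wrong-password attempts suggests guessing.
    """
    sources = defaultdict(set)   # user -> addresses that knew the password
    failures = defaultdict(int)  # user -> wrong-password count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, ip, outcome = line.split()
        if outcome in ("ok", "wrong-network"):
            sources[user].add(ip)
        elif outcome == "bad-credentials":
            failures[user] += 1
    alerts = defaultdict(list)
    for user, ips in sources.items():
        if len(ips) > max_sources:
            alerts[user].append(f"password used from {len(ips)} addresses (shared?)")
    for user, n in failures.items():
        if n > max_failures:
            alerts[user].append(f"{n} wrong-password attempts (guessing?)")
    return dict(alerts)


if __name__ == "__main__":
    print(authenticate("campus-lib", "correct horse battery", "192.0.2.5"))
    print(authenticate("campus-lib", "correct horse battery", "203.0.113.9"))
    for user, reasons in audit(SAMPLE_LOG).items():
        print(user, reasons)
```

The network check is deliberately applied only after the password matches, so the log distinguishes a shared credential (right password, wrong place) from a guessing attempt (wrong password); that distinction is what makes the audit rules useful, and a real deployment would feed the same two signals to whatever DAM product it runs.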


Sam Vaknin ( http://samvak.tripod.com ) is the author of Malignant Self-love: Narcissism Revisited and After the Rain - How the West Lost the East, as well as many other books and ebooks about topics in psychology, relationships, philosophy, economics, international affairs, and award-winning short fiction.

He is the Editor-in-Chief of Global Politician and served as a columnist for Central Europe Review, PopMatters, eBookWeb, and Bellaonline, and as a United Press International (UPI) Senior Business Correspondent. He was the editor of the mental health and Central East Europe categories in The Open Directory and Suite101.

Visit Sam’s Web site at http://www.narcissistic-abuse.com