Thanks for making it out today. There's a lot of people here. Hope you guys are ready to learn some very interesting things based on our research on search engine hacking. My name is Rob Ragan. This is Fran Brown. We work at Stach & Liu doing security assessments. And we are the lords of the Bing. That's right. So basically we set out to improve upon search engine hacking, and we realized that most tools that exist were getting blocked. Most tools... Most slides don't work when you need them to. But we actually... we realized, we thought it was a shame, really a crying shame, that Google hacking seemed to be a dying technique. I had a bit of a weep. You guys though, if you also weep with me, then you can stop now. There's no need to cry anymore, because we are bringing it back. We set out to make tools that don't get blocked. We set out to actually make practical techniques where maybe you don't actually have to go out and scan actively. You can just have something that's running all the time and letting you know what happens. And we also just wanted people to really think differently about the way you approach Google hacking, and also to blow your minds, as you can see by the icon. Have a nice blow-your-mind icon there. So we basically decided that Google and Bing were our favorite search engines. Yahoo is good, and that's something we're going to explore more as well, but what we focused on now was these indexes, because they're the biggest treasure troves on the internet to openly find free information on error messages that are occurring in websites, vulnerable software that's being used in websites. And really, like I said before, we just really thought it was a shame that not many people are actively using Google hacking to find this information, and we basically decided that these crawlers are the best to gather this information, and they cache it so that it's forever available to you. And...
How many people here have done Google hacking before, or are familiar with Google hacking? Yeah, I assumed everyone is. I assumed everybody, right? How many people have Google hacked the company that you work for? How many people here have Google hacked a person? You can't Google hack a person, that's just stalking. You guys seem to be familiar with Google hacking for the most part. The types of things we're looking for here, just looking at the old Google Hacking Database, are advisories, error messages, files containing passwords, things like that. Just as an example, looking for some SQL errors being dumped to the screen, or some password lists in the URL. These are our new tools. These are the ones that you're going to use from now on. Basically, we're leveraging the Google AJAX API now, which doesn't get you blocked. It doesn't violate terms of service, if that's something you could... No one at DEF CON cares about that. You guys want to violate the hell out of some services. So these are the tools you're going to use, because we have... We're utilizing the Google Custom Search Engine. How many of you have heard of that? What it lets you do is create customized search results. Let's say you only care about *.fedex.com or something like that. Maybe you only want to see results that come out of that. You can set up a Google Custom Search interface that will only give you the wildcards that you specify. And you can utilize that in our tools. And for the first time ever, we also released a Bing hacking tool that actually will give vulnerability information. It's not just giving you kind of like passive footprinting information. It's actually... We made a Bing Hacking Database, where we converted the traditional Johnny Long Google Hacking Database from 2003 to 2004 to work with Bing. And it enumerates things such as URLs from sites. And also, Bing has a feature that a lot of people, I think, don't know about, that I wanted to make you aware of: you can search by IP address.
And this is really interesting, because you can see things like virtual hosts to IP address. You can see server farms, like something like Rackspace that has a lot of domains all on the same IP address. I actually was talking to some people yesterday at Black Hat who had done pentests where they saw a site administrator actually hosting his personal site, or porn site, on corporate infrastructure. And no one knew about that, because they kind of had that as a closely guarded secret, but Bing knew about it. So you could put in just the IP address of your server and then see all the domains that are hosted on it that are publicly available. And we also, for those people that I know, I know all of you do, want to violate the hell out of some terms of service, are releasing a script that everyone kind of knew was theoretically possible. I just didn't know of anything that was out there and available for you to use that would utilize a list of open proxies that are known to work to just pull results from Google. And this will indefinitely dump millions of URLs for whatever type of information you're trying to scrape. So either have an army of people ready to analyze it, or be ready to write your own tools to analyze it, because it's something that's going to give you massive amounts of information. And it also utilizes some things that we found deep in the Google documentation, such as the userip query string parameter. That lets you... basically it's designed for the AJAX API, and it's designed for people that are embedding widgets in their site, which kind of makes them the middleman proxy between their client users and the people that want to search that site using Google. And we can just specify a random value for that to reduce getting blocked by Google. Also, it scrapes the mobile interface, which is what comes up automatically based on your user agent when you hit Google from your iPhone or your Android phone.
And that we're utilizing because it seems to have fewer restrictions on getting you blocked. It also is very lightweight. It has nothing like advertisements or other superfluous links that would be more overhead in scraping this type of information. So just a little background on this. I don't know how many of you know, but the Google SOAP API, they stopped issuing keys back in like 2006, and most of the existing Google hacking tools that kind of hobbled along until then finally just all stopped working last September, when Google finally closed that down altogether. Our primary tool uses the Google AJAX API, as we mentioned, which is the approved way of doing it, but it does have several limitations, notably that it limits you to 64 results per query, which is fine if you're just trying to Google hack a small company or something along those lines. It does make footprinting using Google pretty much impossible. If you want to enumerate URLs of an application you're trying to footprint, or domains for your company, 64 results is going to limit you, whereas Google Scrape Diggity, while violating terms of service, probably will give you a thousand results just like the web interface, so that's the primary reason for doing that. As we see on that, they're right there. How many of you guys are familiar with Scroogle? Anyone use Scroogle? A few people. But that kind of inspired us for this, because they found other interfaces that were stripped down, didn't have advertisements, that are easy to scrape. This is just one here. They shut down the old interface, but this was actually scraping Windows Mobile... or, Google Mobile, which is a nice stripped-down interface, easier for us to scrape. Like we said, for the first time ever we've created a Bing Hacking Database that would actually give you good vulnerability disclosures from Bing. A lot of the disparate features between Google and Bing meant that the known Google hacking queries didn't work.
Things such as inurl: you can't use in Bing. But there are substitute features if you read into the documentation, things like inanchor: instead of inurl:. Things like filetype: are very limited, intitle: too, but basically this is just something we made for you to utilize, and we're giving it away for free via our website. So we have close to a thousand queries in the Bing Hacking Database now, and I haven't seen any others. The limited number of Bing tools we've seen in the past have just been strictly footprinting-type tools, not actually finding vulnerabilities. And we're also giving away the Stach & Liu database, which is just a list of queries we compiled from forums and kind of underground lists that were beyond the Johnny Long Google Hacking Database and the FoundStone database. And it's also stuff that we actually have an intern actively adding to. Chained to a desk. Yeah, just banging out stuff. And he's also working on some other stuff from Google Code Search, which I'll tell you about a little bit later. So we're not happy just giving you the old stuff converted. We're going to be continuing to develop new regexes and adding them to this. Yeah, like this first one here, this first example: actually I found sites where they were giving away, or they had exposed to the internet, their salary information. Basically their pay band of what employees make what amount. Like, that's definitely a sensitive information leak that you don't want on your website, and you could use this search to find it in Google's index. So now we're going to demonstrate some of our tools to you. We basically decided that all the old tools that we didn't want to use anymore needed improving upon for several reasons. And we came up with this user interface to utilize our new techniques on Google and Bing. They integrate with the FoundStone database, the Google Hacking Database and SLDB, and allow you to do things like multiple domains. That was one thing that all the previous tools didn't do.
You had to do one domain at a time, which is completely unrealistic if you're actually trying to monitor a company of any sort of size. Most of our clients are Fortune 100 companies, and one of them has 700 domains. It's just completely unrealistic to say I want to do one at a time. And you can also plug in the Google Custom Search key that's provided, as I mentioned before, that allows you to filter your results just down to things you care about. So basically for that client, we created a Google Custom Search Engine that just filtered on those 700 domains. Then they could just check every box and just run it against that, and make it a lot easier for them to Google hack themselves. But on an unrelated note, how many people are tired of looking at socks that are just normal, and you want to get two socks that have pictures of wolves on them, or clothes that have pictures of wolves on them in general? You have some wolf wardrobe? Yeah, wolf sweaters. Yeah, that was one of the funnest things about just looking at these results. One of the searches looks for X-Cart shopping cart software that's known to have several vulnerabilities in it. And we found a website that actually specializes in selling clothing with wolves on it that's using that shopping cart. So if you want some free wolf clothes, go to people.com. And you'll be stocked with all the wolf socks you can possibly have. Look at that. Even for the children who use socks. They get them early. Yeah, so basically the fact that that "Powered by X-Cart" shopping cart software that's known to have vulnerabilities is in the page is what Google finds as it's indexing the content of the page, and that allows us to generate queries to find vulnerable software in use. Yeah. So we got Bing. And the Bing interface, actually, you have to have a SOAP key. We actually provided a link for you to go to the site and associate your Hotmail or Live account, whatever Microsoft Passport account you have. Just make one up.
And they'll issue a key for free. And you just need to plug that in. And as I said before, Bing has a really nice feature that allows you to search by IP address. And as someone that does network risk assessments, we don't even get domain names. We get, you know, an IP address range. So you can plug in IP addresses there up in the top right. You can either specify one at a time, a start IP, end IP, or a class. And it'll enumerate all of those for sites and then dump the results from whatever Google queries you're specifying. We also allow you to specify any queries appended to the end of all of the things loaded in via the flat files, which you can go to in the file menu, or Google hacking queries that you want to keep secret. Or if they're just something that maybe no one else cares about, that you just want to use to monitor your sites or whatever you're interested in. And also on the simple tab, there's just an interface to plug in any query you want that would be akin to just hitting the web interface, which I think most people do now. Yeah, so again, this is just the Bing interface, and to show that Bing does have tons of information about vulnerabilities. Just doing a simple search on it will give us, you know, some Snap servers online. Yeah, this is, you know, you're hitting someone's web storage just by finding this and able to look through their information. Cool. Oh, and last but not least, this is still in prototype phase, but the Google Scrape Diggity, just to kind of illustrate, we could take in either a query or a query file full of regexes from the Google Hacking Database, a list of Google servers, proxy lists, max results, and just to show you, enumerate them for footprinting purposes. That's a quote. At the end of the Perl file extension. Yeah, I mean, obviously, we're not going to demo downloading millions of URLs right now, but this is something that can go beyond the AJAX API 64-result limit. Yeah.
So we see 73 results here, clearly above 64, and utilizing it in a way that's practical. If I was trying to do an assessment of stachliu.com, I might want a list of every URL that they have in Google for this. This makes it possible. One thing we realized is that, you know, the traditional defense against this, finding these sensitive information leaks or vulnerable software, was to just Google hack yourself. How many people that are responsible for guarding the security of a domain actually do this on a regular basis? Like a few hands. And yeah, and that's... most of the people we talk to just don't do this. And most of the people, if they do, maybe once a quarter, which just isn't good enough. There could be something that happens, you know, between quarters that you can entirely miss, because it was added to the index and maybe removed after the Googlebot crawls that site again. You know, other things that people do to protect against this are to update robots.txt or put meta tags into their pages to prevent them from being indexed by Google. We also kind of realized that's not really, you know... that's something you should be doing, but it's not something that always happens when new features or new applications are launched on the website. Another thing that people do is they use data loss prevention tools that take a hash of your intellectual property and then monitor anything that's going out via email, or anything that's going across the network, to see if employees are leaking things, which is something you can do, but also, we realized, not really good enough to prevent this type of thing. Also, you should be using policies and legal restrictions, but again, it's only so much protection. So to really take it to the next level, to really do prevention in depth, we realized that all these failed and we needed something better. See all the stuff, forget it, it's dead, this is done. This way of doing things is over. It's not effective.
As we saw, one or two guys raised their hands that they Google hacked themselves on a regular basis. I think they were probably lying. Nobody does it. Probably lying to you. The wolf sock companies of the world are left insecure, and it's just a scary place. So now we're going to tell you about some more advanced techniques that we came up with. Protect ya neck, fool. Protect ya neck. As we said, the tools exist, but they're not convenient, we realized. We realized that you don't get real-time updates, you don't get multi-engine results, you don't have any way to monitor the data and keep a historical log of everything that's found, and you don't have multi-domain searching, but that's until now. We're going to tell you a little bit about Google Hacking Alerts and Bing Alerts, which is something we came up with. How many people here have heard of Google Alerts? Do you use Google Alerts? Maybe you get email updates on things that you care about on the web. Put your own name in there and see what's going on with your Google. If you're really narcissistic like me, you do that. So we took the entire Google Hacking Database, and our SLDB, and loaded it into Google Alerts. And we set it up so that as soon as something's added to the Google index, it lets us know via an RSS feed that maybe there's a SQL injection in this site, or maybe there's a password file that's been disclosed on this site, and it's monitoring the entire web. We have over 2400 queries that are loaded into there, and we're getting basically 3000 to 4000 updates a day and finding really interesting things, like James Bond's website, vulnerable to SQL injection. James Bond is in trouble. He needs some help. He's dumping MySQL errors right to the screen. Yeah, mi6.co.uk, which is a really dangerous domain to have SQL injection on. This is just the interface where they sell things like James Bond DVDs and T-shirts and other merchandise, actually dumping MySQL error messages.
And one thing that I realized about this, importing it into Google Reader, that really makes it beneficial, is that all RSS feeds that come from Google are going through FeedBurner. That means they're cached forever. And basically, if there was a situation like, let's say a user started complaining about this error message on James Bond's website, and so the developer's like, alright, fine, I'll just hide that error message. Now the SQL injection is not fixed; as you know, it's just become blind SQL injection. And let's say you Google hacked yourself at the start of Q2 and then Google hacked yourself at the start of Q3: you would have missed something like that. You would have missed that they covered up that error message. But setting up a Google Alert for the string of MySQL error messages would catch that. And then you'd actually have all this historical data, an archive of everything that was ever found, and you would be able to see that, oh, well, okay, we had SQL injection; did the developer actually fix it, or did they just hide that error message? And that's one of the benefits of actually having it imported into your RSS reader, which I recommend Google's, because you get that cache and you get that great searching ability. Also, I don't know if you guys are familiar with this, but if you do perform a Bing search and you append &format=rss, you can actually turn Bing search results into RSS feeds that also update. So we took our over 900 Bing Hacking Database queries and turned them all into RSS feeds as well. And have that piping to us, as we could see, and it provides nice little snippets in Google Reader for us there to see what we're looking at for vulnerabilities in Bing. And, you know, shit, this... Fran basically was like, I want to know as soon as anything happens to the sites that we're caring about, and he created also some thick clients, such as like a Google Desktop reader. So this is important, so I just want to restate this, just so it sinks in.
At this point, for both Google and Bing, any new site that gets indexed by Google or Bing that matches any one of these several thousand hacking database queries, as they get indexed, is being sent to us as live feeds in an organized fashion. So from this point forward, every single thing that meets the Google Hacking Database or Bing Hacking Database is being sent to us and organized for us. We're talking... it's up to hundreds of thousands of vulnerabilities, and climbing by three, four thousand, five thousand a day, of vulnerable websites on the internet. And the great thing is, we did all the footwork for you. We loaded all of those queries into Google Alerts, and we can give you... it's available for download right now from our website, the OPML file for this Google Reader subscription. That's just the XML file that allows anyone to import these types of alerts into their RSS reader. So you just download this file, you subscribe to all the feeds, they're automatically nice and organized for you, you can start searching. This is probably one of the largest repositories of live vulnerabilities on the internet: hundreds of thousands of vulnerable websites. Now obviously our intent with this was just a way to monitor our sites that we care about, but this is also the next generation of mass injection tools. Obviously people kind of glaze over the fact that when malware is spreading via mass injection, step one is search Google for vulnerable classic ASP pages that have SQL injection vulnerabilities in them, but I foresee, as malware writers get a little bit smarter about that, they'll actually have maybe an RSS feed that's feeding their mass injection worm, so that as soon as there's a new site discovered in the index, it's infected with their attack.
I know Rob mentioned this briefly, but just to hit it: if you're not interested in looking through Google Reader at hundreds of thousands of vulnerabilities of everything on the internet, and you're just interested for just yourself, you can download our Google Desktop gadget and just specify your domains, as many as you want, and it'll take those RSS feeds and filter them for you and give you nice little system tray alerts that you have a new vulnerability. Also an Android app coming soon, so that you'll get these alerts right on your phone. Yeah, so you actually cannot leave home without our Google Diggity and Bing Diggity hacking alerts, so you have to have it with you at all times if you have it on your Droid. So basically all the problems that we saw with this act of just every once in a while searching yourself are really replaced by just having Google's cron system always run as soon as new things are added to the index and give you these alerts. You're getting them in real time, you're getting them off multiple engines, because we took the Bing Hacking Database feature of appending &format=rss to all of those searches and imported those into Google Reader as well, and you're getting historical data that you can search. You'll never miss a vulnerability on those indexes; you'll basically see everything that happens, you kind of get a timeline of what happened when, and as I said, they're really the most convenient way to do it. And one thing that we're seeing, and another reason that we wanted to investigate Google hacking, was that the techniques were kind of waning and no one was really actively developing them, but the search engines were still adapting. Bing's coming out with new features all the time. Google is having an app explosion: in the last five years they've bought a ton of companies, they're integrating those and creating new apps. Google Health is a thing that they have now: want their healthcare and health records indexed by Google? A nice, easily searchable interface for
us to exploit. Yeah, and there's things like Google Code Search, which we're going to talk about in a minute. We're talking about Google Insights for Search, basically that's their zeitgeist feature, just of what people are searching for now, to get the trends. We identified that this treasure trove of information is really useful for spear phishing. We've been calling Eric Schmidt every day; he hasn't returned any of our phone calls yet. So, I mean, basically, for those of you that don't know, he's the CEO of Google. And if you're looking for information on specific people, maybe you want to find their individual email address or their phone number to try to social engineer them, or try to basically send them malware via an email. And we're also leveraging Google Code Search. How many of you guys are familiar with Google Code Search? About half. So what this lets you do is actually use Google to search open source code repositories, things like SourceForge, things like Microsoft's CodePlex, and even Google's Code, the repository that they provide. It's just Subversion, but it indexes all of that code, and you can write regular expressions against it. Things you can search for, things such as a SELECT query utilizing Request.QueryString in the same line, and identify SQL injection, identify remote file includes, identify cross-site scripting. And we realize that this is extremely valuable information. I just want to skip over that demo. Basically we're finding that we can develop these regular expressions. Actually, I found things like someone's tennis match scheduling software for them and their friends, like, okay, that had SQL injection and no one really cares, it's just them and their friends scheduling tennis matches, not much you can do with that. But we're also finding popular open source software like PHP commenting systems, PHP forums and blog software, and verifying the vulnerabilities are indeed legit, and then if they're used by a lot of people, it's worth publishing an advisory over that
and adding a query that would find those sites that are vulnerable to our SLDB. And this is another thing we have an intern just chained to a desk doing. And so we're seeing one thing that he found. He actually reads Chinese, which was helpful, because he found a site that is a blog software that's vulnerable, that has a "powered by" this blog name, version number, at the bottom of the page. And then you can also... so you can search for that string, and then you can search for inurl:member.asp, which is the vulnerable page, and we're seeing thousands of results of people in China using this blog software that's vulnerable. So it's kind of a two-stage process of using Google Code Search to look for SQL injection in software to begin with, finding a vulnerable blog software, then developing a regex for "powered by" that blog software, and then finding, I think for that particular case it was over 25,000 people who were actually using that blog software that we knew was vulnerable to SQL injection. And conversely, the Black Hat side of this is that this is going to be another evolution of the way mass injection attacks will spread. You'll do that same process; rather than doing the good guy thing and publishing an advisory and putting out something to help people find these sites, you can just search the web and mass-inject them. How many people have heard of Black Hat SEO?
It's search engine optimization, basically the concept of getting search results for certain terms that are searched to the top of the results, ideally in the top 10 Google results, and you're going to get the most visitors. Black Hats are using this technique to actually take whatever is the popular search term of the day. Maybe when Twilight comes out, a lot of people are searching that. When the World Cup was on, it was identified that a lot of malware links were rising to the top of results for the World Cup. Was it like some kid you grew up with on Fox News talking about the Twilight results? Yeah, some kid I grew up with, he got himself a spot on Fox News as an internet expert, and he gave a short segment, when Twilight came out, about Black Hat SEO, and basically said the defenses were to eyeball the URLs in Google results and see if it looks okay or not, which is possibly the worst advice that you could possibly give. Yeah, there's no way you can tell these links are actually trying to attack you. Maybe your expertise is a little bit better than your mom's, but your mom doesn't know that the fake AV software that her computer box is telling her that she needs is something that she shouldn't install. But one thing that Google provides is Google Trends and Google Insights for Search, to kind of get an idea of what people are searching for the most. So this is the technique that these attackers are using. One thing that was identified was that since 2004, is it, "lyrics" was the number one search term. Yeah, and I guess that makes kind of sense. I mean, you're in a car, you hear a song that you like, you know it's Lady Gaga, you know, "Poker Face" or something like that, and you go home, you want to know the name of the song. Obviously it's "Poker Face", but you type in Lady Gaga, the couple of lyrics that you heard, that you remember, and the word "lyrics", and click go, and lyric sites come up, and that's how you find the song that you can then illegally download, or buy
the CD. So this is just a perfect example. This was a couple months ago. People waited for a Java exploit to come out. Within a few hours of an exploit being released, these people put up Lady Gaga and Rihanna fake lyrics websites, and then they used search engine optimization, or Black Hat search engine optimization, to make their fake lyric websites come up top in the Google results. So if you went home, heard "Poker Face" or any Rihanna song, typed it in to Google, all the first pages of results, if you clicked on any of them, automatically owned your computer, took it over, exploiting this Java bug within a few hours of it coming out. So obviously the solution to this is that artists just need to sing more clearly, so that no one has to search to understand what the lyrics actually said, which is not always easy. I mean, it could work against you with incorrect lyrics, like "I've become a wet dream tomato". Have you guys heard of that Alicia Keys song with Jay-Z, "Empire State of Mind", the New York one? Next time you listen to that song, it's still on the radio a lot, when she comes in with the hook, all you're going to hear from this point on is "I've become a wet dream tomato, nothing you can't do". You will not hear anything else from now on, I promise you. Like that, I won't quit my day job. So actually, rather than artists singing more clearly, which might be a difficult task, some of the defenses that you can utilize are things that the major search providers and browser providers are already building for us. They're trying to protect users by building the Google Safe Browsing API, which is a blacklist of known malware and known phishing sites. If you've ever gone to a page that said "this is a reported attack site, continue at your own risk", that's something they're integrating into search results, especially useful for anyone that's utilizing Black Hat SEO techniques to get those search results to the top. They're
going to protect you from that. But sandboxing software is another thing that's becoming much more useful. Anyone here use Sandboxie? I do, yeah. You guys do. My friend Oscar told me about it, I know he uses it. Basically you're going to run your browser, or any application for that matter, in a sandbox that's protecting write access to things on your system, such as anything that you download. It's going to say, do you want to recover this outside your sandbox? Or if any malware were to actually exploit your system, it's protecting from things such as writes to the registry, such as named pipe access, or anything that's sensitive on the system. And if you were to get infected by something, you can just throw that sandbox away. So you browse all the malware Rihanna lyric sites that you want all day, and then just throw the sandbox away when you're done, which is really the way to go. And it seems to be the trend. I think in the last week, or a week and a half alone, Dell released their own version of a secure browser using sandboxing, Adobe released... their next version of Reader is going to have a protected mode that's utilizing sandboxing, and I believe Office 2010 has a sandboxing mode as well. So this is really the, you know, as good a defense as eyeballing your URLs in Google results to see if it's good or not: sandboxing is really the way to go. And really, this seems to be the trend, basically, that malware writers are unleashing things on the web, maybe because they have a decided purpose. One example, just last month, was some guys in China wanted to release this malware that would steal passwords to some online games in China, and it got out of control. Basically, as I said, like the fact that people glaze over that step one is search Google for vulnerable websites: it started hitting things like the ad providers for the Wall Street Journal, and the Jerusalem Post was another site that ended up distributing this malware that was trying to steal Chinese game passwords. And this is a
common problem that I only expect to increase especially as they get smarter about scraping the results and scraping the new vulnerable websites from Google and it's important to note I read like 20 articles on this and all the ones you read are very vague about how this actually started I mean if you see in the bottom right there they believe they compromise the total number of websites of 7000 to 114000 websites it's kind of a big range of I don't know how many there are let's say a billion gajillion, I don't know but they don't really cover how that happened to begin with and it's our belief that people are utilizing either Google or Bing or things like that to find 100,000 vulnerable websites to begin with before they do these mass-equal injection attacks and as we said it's great that they're providing these black lists of known domains that are spreading this information but one idea that I had was how can we mine that information to monitor our websites because the fact of the matter is most website administrators have no idea when they get out of that black list this is something I found on the NetSec list on Reddit it said that this guy says some dickhead emailed me a few weeks ago and told me that my site he said it was malware basically saying that his site was in the black list and when people were visiting it in Chrome it would say reported a tax site he said no way this is possible but then he actually checked it and realized oh yeah it is saying that why am I on this black list and I just thought we have all this capabilities and all these features in Google and Bing to be able to identify what we're linking to and what's linking to us why not have something better than dickhead alert system to let us know this is the existing defense the dickhead notification alert system some dickhead emailed me and told me that my site is serving up malware basically like I just wanted to investigate what would be better than that what can we do for the average 
person to know if they've been added to these black lists and so one of the advanced techniques we came up with was to protect your neck something that we're calling malware to get at this point and Google or rather Bing has a great feature called link from domain that you can get all of the offsite links all the sites basically that you'll dump all the URLs on your site that aren't linking to that domain so let's say we want link from domain stacklue.com that has every external host that we're linking to and I wanted to take those results and compare them to URLs that are in this black list see if they're see if any of those URLs are phishing websites or malware websites and that would help you get kind of an alert system together to let you know if you've been a victim of one of these mass injections and even to get that information more real time we can still we can use the append format equals RSS onto those Bing results to actively monitor any new links let's say you have user generated content on your site like a commenting system or a forum and anyone's allowed to add a link I came up with this idea when I was doing an assessment of a site that was kind of like MySpace it was what MySpace was supposed to be it let venues and artists and fans log in and upload music and basically share information about concerts and after they fixed all the cross site scripting that I found they also still wanted to allow external links they still wanted to let people link to whatever they wanted and I just thought about there's some risk in that that you might be utilized as a phishing platform especially with your large user base and especially your prime target for distributing malware as well so you should actually integrate some code into your app that uses the Google Safe Browsing API to identify any new links that users are adding but they basically were like well we don't have time to do that we're going to launch the site anyway you could utilize something like just 
Google's crawler or Bing's crawler to let you know of any links on your site that are in that blacklist so how many of you guys are familiar with what happened last month with the Wall Street Journal incident not many people right I'm surprised about that 100,000 websites compromised and nobody's heard about it basically just to give you a quick visual of what it is is they had 10,000 or 100,000 or whatever you could imagine a number of websites scoped out for SQL injection and they waited they waited for a browser bug to come out I believe it was an Adobe Flash vulnerability as soon as that did what they did was create an exploit for that they SQL injected all 100,000 of these websites appended to every page you know include this piece of JavaScript that's an offsite link that exploits this browser bug so that anyone who went to any one of these websites the next day including the Wall Street Journal if you went to that website it linked you to this piece of malware that exploited your browser and popped you so everyone who went to those websites that day automatically gets their browsers out so it was one to 10,000 to God knows how many people went to those sites and there's still tons of them actually if you just Google for these links these offsite links and if using our tools malware diggity you can sit there and monitor what's linking off of my site and compare it against these lists and not have to have some dickhead email you that you know that hey by the way everyone comes to your site is getting owned or fake AV installed you can now get a you have a new offsite link and by the way it's in this malware list maybe you should look into that it's a little better than the existing defenses and this is just a demonstration of the results for like I actually this this worked really well for monitoring new links on Twitter that were distributing malware phishing I was getting a lot of hits based on comparing those URLs to what's in the blacklist and that's just 
one example of a good way to use this technique also yahoo has a site explorer that lets you see inlinks to your site so I thought it would be interesting to see take a known malware URL like the URL for the Wall Street Journal injection was robint.us so if you could just and put that URL in yahoo site explorer and it's bot had gone out and indexed all of the sites that are linking to that so we know all the ones that are infected that that's also use information that you can gather and if you want something a little bit more professional a little more enterprise that's actually going out and crawling your site and identifying things doing things like JavaScript the obfuscation and analyzing all the content on your site actively Armorize has a new thing called hack alert but if you want something free and crude you can use these techniques from Bing that we were providing and so basically we identified that it was possible to monitor our external links and our incoming links and then compare those to the blacklist and then detect infections and then alert you to that but my friend asked me is it possible to get people added to the blacklist and I was like hmm that would be devastating because the black hat side of this is that you can if you show the next slide identify the links that are in those blacklists and mass inject your competition via comment spam or if they have any user generated content or forums and then basically let's say you want to wipe out all the other distributors of wolf socks on the internet so that you're the primary retailer of wolf socks you could have your competition blacklisted and then their page rank goes to zero and basically they're not going to show up in the top results of google anymore if people do click the link they're going to get warned that it's a reported attack site and you can't go there anymore and basically this is something that companies could profit from this technique is actively being used the algorithm that 
identifies the links that belong in blacklist is a closely guarded secret and this is something I want to test some more to be able to identify how you could get someone added to the blacklist but I could see this as a service line that the Russian business network might offer saying like we'll take out your competition or as mafia techniques they could say something like either give us money or we'll add you to the blacklist and this is just something that's kind of unexplored that information that you can easily gather from the search engines I think could be utilized to do something like that I could tell you how I would use it if you google for Fran Brown you will not find our research or me in any way you will find the Fran Brown College of Beauty so if I can get that knocked off the google page results I'm going to use this search engine deoptimization future predictions so just to wrap things up with where we think things are going because things are rapidly changing they've been a little stagnant since 2004 2005 but we're kicking things back off again as we mentioned earlier I believe there's going to be continued data explosion google index health records to phone records to open source code to anything that could possibly index and make providing easily searchable interface to so we're going to see a lot more data index real time streaming updates I also believe that we're going to see renewed tool development both on the hacker side as well as the security side so we're stepping things up on the security side but we're going to start seeing things like more automated google worms real time detection and exploitation people are just sitting there waiting in real time finding these vulnerabilities on google and automatically exploiting them and then finally I believe that google involvement as well as well as being involvement well they'll start getting involved more google has been getting a lot of a lot of heat from security from losing their custom 
authentication code to China allegedly and stealing everyone's wireless in Europe that they're going around so there's a lot of heat on google right now from a security perspective and I know it's led to them hiring a lot more in the security department I think this will be lower on their priority list but I think they'll start getting more involved in the google hacking and being hacking side of things and just to share I don't know if you guys have ever messed with this interface just regular google if you expand the side and go to updates and they are providing you can see what was indexed and what was going on in twitter and google five minutes ago or at 2 p.m. this afternoon google is providing real time streaming updates of this information so we're going to start seeing more and more real time uses of this information in exploitation so I will be available for questions after the talk I hope you appreciate what we shared today
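As an added example, not part of the talk and not the MalwareDiggity tool itself: a small Python monitor in the spirit of the linkfromdomain: plus blacklist technique described earlier. It parses a Bing linkfromdomain: result feed in the &format=rss form, flags any offsite link whose host (or a parent domain of it) is on a blacklist, and on re-polling only reports links it has not seen before. The RSS feed, the blacklist and the example.com site are constructed sample data; robint.us is the domain the talk names.

```python
"""Offsite-link monitor: Bing linkfromdomain: RSS results vs. a blacklist.
Added example; the feed and blacklist below are constructed sample data."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed stand-in for Bing's RSS output for linkfromdomain:example.com
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>Partner page</title><link>http://partner.example.net/about</link></item>
<item><title>Injected script</title><link>http://www.robint.us/</link></item>
<item><title>Forum spam</title><link>https://login.bad-phish.invalid/index.php</link></item>
<item><title>Docs</title><link>http://docs.example.org/</link></item>
</channel></rss>"""

# Constructed blacklist; a real run would load a Safe Browsing or similar list.
BLACKLIST = {"robint.us", "bad-phish.invalid"}


def links_from_rss(rss_text):
    """Return the <link> URL of every <item> in a Bing RSS result feed."""
    root = ET.fromstring(rss_text)
    return [item.findtext("link") for item in root.iter("item") if item.findtext("link")]


def host_is_listed(url, blacklist):
    """True if the URL's host, or any parent domain of it, is on the blacklist."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    # Check www.robint.us, robint.us, us ... so subdomains of a listed domain match too.
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def check_offsite_links(rss_text, blacklist, seen=frozenset()):
    """Return (alerts, links): alerts are not-yet-seen links on the blacklist."""
    links = links_from_rss(rss_text)
    alerts = [u for u in links if u not in seen and host_is_listed(u, blacklist)]
    return alerts, set(links)


if __name__ == "__main__":
    alerts, seen = check_offsite_links(SAMPLE_RSS, BLACKLIST)
    for url in alerts:
        print("ALERT: new offsite link on a blacklist:", url)
    # Second poll of the same feed: nothing new, so no repeat alert.
    again, _ = check_offsite_links(SAMPLE_RSS, BLACKLIST, seen)
    print("alerts on re-poll:", len(again))
```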