Google with all its glamour and popularity shines forth as the best search engine in the cyber world. However, it often acts imprecise. Suppose you are in the middle of a heavy lecture and you need to look up certain information hurriedly and Google shows you some terrible out-of-the-world search results, what would you do? That’s exactly where the exciting trick called Power Search comes to your rescue. It is widely known that the Power Search technique bulk searches combinations of words to quickly check a large selection of potential domain names. This hastens the search speed and also increases accuracy. Have you ever wondered about the prospect of such an advanced search technique being used for hacking? Hackers exploit power search to find critical information about you, be it your card information or seeing you in real time! Here’s how it’s done.
Google Dorking
The practice of applying specialised search methods and advanced search engine parameters to locate confidential information is typically termed as Google Dorking. It is simply Power Search taken to a greater level. The penetration testers in the cyber security arena often use this technology to locate any loophole within a particular website. Simultaneously, hackers can use Google Dorking tactics to reveal data that companies and individuals do not wish to make available through a web search.
Hackers also have a wide range of freely available online tools. They can use them to run automated scans that execute multiple Google Dorking queries, enabling them to perform hacking operations in a jiffy. Five instances show you how dorking can pose a serious threat to your interactions online. We have necessary solutions as well, read on:
1. Hacking Security Cameras:
Internet Protocol based security cameras are used all over the world to monitor activities remotely. Shop owners use them to monitor activities of their employees and parents use cameras to keep an eye on their children when they are not around. Vulnerabilities in the firmware of these cameras enable hackers apart from the owners to see the live footage of a house and shop.
inurl:”viewerframe?mode=motion”
The above set of keywords is the master key to enter a number of unprotected live camera’s domain. Hackers can actually gain full control of a security camera using this method. Live cameras once tapped can be used to commit massive crimes. The owner on the other side however understands nothing.
Solution: Remote online monitoring is a process that regulates a security camera online. An app or website is used to remotely log in to the security system and manage each camera. This feature is generally kept “enabled” by most brands. So if you are not using it, turn it off. When in use, a strong password is a must.
Lastly, consider purchasing security equipments through trusted sources. Here are some DIY steps.
2. Hacking Webcams:
Hackers can track down unprotected webcams and can watch the person on the opposite side secretly without giving the slightest hint. The following set of operators can be used to exploit webcams:
intitle:”EvoCam” inurl:”webcam.html”
Several cases have been reported till date speaking of webcam hacks and hence this is not something very difficult for efficient cybercriminals. Last year’s Miss Teen USA Cassidy Wolf’s webcam was hacked by hackers using Remote Administration Tool. Hackers used to spy on her using her web cam and even sold the access to cam in underground forums. Later, the hacker was tracked and jailed for 18-months. Unwanted webcam streaming kills your privacy completely.
Solution: It is advisable to keep your virus protection software’s profile database always up to date. Update your webcam software on a regular basis. A good firewall might help more tech-savvy people to determine if their webcams are streaming data to an external source. Check out these DIY Steps.
3. Hacking Personal Documents:
filetype:php inurl:list/admin/ intitle:”payment methods”
Such a set of operators might give access to a repository with detailed information of the customer names, payment methods and order amounts.
intitle:index.of finances.xls
With this set you might cross path with confidential bank information and customer details.
Solution: Try to avoid publishing sensitive information online. If you must publish the information, make sure that it is password protected and encrypted. Use .htaccess (a directory-level configuration file supported by several web servers) to protect your directories from Google crawlers. Check out these DIY steps.
4. Hacking Vulnerable Websites:
The insecure websites which are prone to SQL injection can be traced and pounced upon very easily by the hackers using dorks. The simple way is to add a “;” at the end of the URL. There are more complex methods as well. Databases of a website is where all the sensitive data is stored. Once it is compromised, a hacker can get access to stored credit card details, phone number and house address of users using that websites.
Solution: Use tools to run pre-populated dork queries to locate any freely available sensitive information on the concerned website. Do not index sensitive websites on Google. Use robots.txt to prevent search engines from indexing your website. Frequently test your website using a web vulnerability scanner. Make sure the admin panel has custom names, www.site.com/admin is easily guessable but www.site.com/91029random/ isn’t. You can find some DIY Steps here.
5. Hacking Wi-Fi Routers:
Advanced search filters can be used to hack vulnerable Wi-Fi networks. Hackers can grab controls of a network and wreck havoc if they find it unprotected. Dorking in a specialised way can actually reveal an array of vulnerable networks which are not properly secured. The dorks used to hack routers can be:
inurl:”cgi-bin” “No password set!” “ There is no password set on this router.”
intitle:”router”inurl:”home.asp”
Hackers often route their traffic through hacked routers. This helps them in staying anonymous while hacking systems. When traced, the person whose router was used to route traffic is caught.
Solution: Firmware upgrade is the foremost precaution when it comes to routers. Use cryptic passwords to give hackers a hard time. WPA2 (Wi-Fi Protected Access 2) encryption is always recommended as it is difficult to hack. Lastly, consider enabling MAC filtering. You can find some DIY Steps here.
Shodan – a bane or a boon?
CNN Money while interviewing John Matherly, the creator, calls Shodan “the scariest search engine on the Internet”. While Google simply crawls the web to trace vulnerable websites, Shodan navigates the internet’s back channels. It can hunt down several servers, webcams, printers, routers and all the other stuff that is connected to the Internet. It even allows searches for exploits and vulnerabilities. The main issue is not that Shodan locates insecure devices, but that so many devices lack real security. Penetration testers, security professionals and law enforcement agencies are the primary users of Shodan. Cybersecurity professionals use it to locate loopholes and warn the concerned association beforehand.
Using VPN or IP filters in your firewall can protect your device from being discovered by Shodan. A firewall typically regulates the packets processed by the device and blocks all interactions from unknown hosts, by closing unused ports and protocols. Now let’s catch a quick glimpse at some case studies where attackers utilised the above methods and more to hack everyone.
1. Webcam Hack Harasses Teen Celebrity
In August 2013, the Miss Teen USA fame Cassidy Wolf received an email that featured nude photographs of her secretly taken via her own webcam by a hacker at her school. Through an anonymous email address, the cyber stalker blackmailed Wolf for sexual favours. Cyber stalker turned out to be Jared Abrahams, who had installed Blackshades malware on her laptop and had been secretly watching her for one whole year!
2. Neighbour Takes Revenge through Brutal Wi-Fi Hack
This case dates back to 2009 in Minnesota, where Barry Ardolf, 46, repeatedly hacked his next-door neighbours’ Wi-Fi network, and used it to frame the family for child pornography, sexual harassment and professional misconducts. He even sent threatening e-mails to politicians, including the Vice President Joe Biden. The entire attack was craftily conducted through the victim’s own email id! Investigators examined the packet logs and nabbed the hacker.
3. Insecam Publicizes 73,000 Surveillance Cameras
In 2014, the cyber world was petrified when a website was reported to have collected the streaming footage from over 73,000 IP cameras whose owners did not chang their default passwords. Insecam – “the world’s biggest directory of online surveillance security cameras” as they describe themselves, claimed to feature feeds from IP cameras all over the world. This website put all the streams in a place where anyone could find them effortlessly.
4. Mafia ‘Demon’ Boy’s Website Hacks Give Corporate Biggies a Hard Time
Famously known as “Mafia Boy” in the media, this youngster launched a series of highly publicised denial-of-service attacks in February 2000 against large commercial websites like Amazon, Yahoo!, FIFA, Dell Inc., CNN and eBay. Jailed at the age of 15, his real name is Michael Demon Calce. Mafiaboy was the first to show how easily our personal data could be retrieved from some of the world’s largest websites! The attack was reported to have caused $7.5 million in global economic damages.
5. Celebrities and Ordinary Netizens Together Face Personal Data Hack
In 2013, the ID details of US First Lady Michelle Obama and many other celebrities like Bill Gates, Beyonce Knowles, Jay-Z and Ashton Kutcher were exposed in a massive cyber breach. About four million Americans seem to have lost their confidential data at the hands of a mysterious data-selling site.
Let’s learn from these incidents and realise that exciting features in the cyber world can any time backstab us by allowing the hackers to enter our private domain. Hackers are not magicians, they utilise the same technology we use, but in a negative way.
What can protect us? Well, awareness and precautions can!
The contributor Kathakali Banerjee works at Czar Securities, which is in the Cyber Security domain.
This article was first published in February 2016 issue of Digit magazine. To read Digit’s articles in print first, subscribe here.
