The use of search operators that make results more specific has been dubbed "Google dorking"

Aug 28, 2014 12:42 GMT

Law enforcement organizations in the US have received a document from the Department of Homeland Security (DHS) and the FBI explaining how they can protect sensitive information from being discovered through advanced search techniques on Google, dubbed “dorking.”

A Roll Call Release intended for police, public safety, and security organizations details how “Google dorking” can be used to retrieve information that website administrators did not intend to make public but failed to protect with the necessary security measures.

Dorking is simply a term for using search parameters to filter results so that only very specific ones are shown. By using operators such as “define:” or “site:”, an attacker can gain access to restricted information.

Of course, this only works if the website administrator has not made the effort to secure the content, or at least to keep Google’s crawlers out of that area.
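To illustrate how the operators work (example.com is only a placeholder domain), “site:” restricts results to a single website, so a query such as the following returns only pages from that site containing the quoted phrase:

    site:example.com "internal use only"

More elaborate dorks combine several operators to narrow the results further, for instance to a particular file type or URL pattern.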

“Malicious cyber actors are using advanced search techniques, referred to as ‘Google dorking,’ to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks. ‘Google dorking’ has become the acknowledged term for this malicious activity, but it applies to any search engine with advanced search capabilities,” says the document.

If not properly secured, data such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities can be exposed to the public.

Multiple hacking incidents appear to have relied on these advanced operators, with threat actors using them to identify websites running vulnerable software before carrying out attacks.

The document from the DHS and the FBI is essentially a warning for organizations to take the necessary steps to secure the information on their servers and to eliminate the possibility of accessing it through publicly available search engines.

One of the suggested measures is to minimize the amount of sensitive information stored on the web; where this cannot be avoided, the data should be protected with encryption and password protection.
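As a minimal sketch of what such password protection can look like (this assumes an Apache web server, and the paths are placeholders), a directory can be put behind HTTP basic authentication with an “.htaccess” file:

    # Require a valid username/password before serving anything in this directory
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /var/www/.htpasswd
    Require valid-user

The matching “.htpasswd” file holds the allowed usernames and hashed passwords; other web servers offer equivalent mechanisms.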

Another recommendation is to test the website using pre-made “dork queries” from the Google Hacking Database, which reveal how visible restricted details are online.
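A few self-audit queries in the spirit of those pre-made dorks (again with example.com as a placeholder for one’s own domain) might look like this:

    site:example.com filetype:pdf "confidential"
    site:example.com intitle:"index of" inurl:backup
    site:example.com ext:log

No results is the desired outcome; any hit points to material the search engine has already indexed.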

However, one of the chief measures is to make sure that sensitive areas are not crawled and indexed by search engine bots.

This can easily be done through the “robots.txt” file, which defines the off-limits areas of the website. “Use the robots.txt file to prevent search engines from indexing individual sites, and place it in the top-level directory of the web server,” advises the document.
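A minimal robots.txt along those lines (the directory names are only examples) could look like this:

    # Ask all crawlers to stay out of the listed directories
    User-agent: *
    Disallow: /admin/
    Disallow: /internal-documents/

It is worth keeping in mind that robots.txt only instructs well-behaved crawlers and does not by itself secure the content, so it complements rather than replaces the other measures.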

Securing websites and the sensitive information they hold should be common practice, as threat actors can leverage tools designed to make better use of search engines.