[LINK] The Register - Google as an attack engine
Rachel Polanskis
grove@zeta.org.au
Fri, 30 Nov 2001 13:46:24 +1100 (EST)
On Fri, 30 Nov 2001, Chirgwin, Richard wrote:
> http://www.theregister.co.uk/content/6/23069.html
>
> The Google attack engine
> By Thomas C Greene in Washington
> Posted: 28/11/2001 at 12:25 GMT
>
> <RC>
> This is only moderately novel. Back when SATAN was young, Richard Farmer
> (the author) mentioned in a security paper that a great many systems
> administrators were careless with login information, and that somebody
> patiently using a search engine could find login lists that had been
> accidentally left where the search engines would index them.
>
> Here, we have a similar occurrence. This time, the systems admins will have
> forgotten that the ubiquitous embedded "simple to administer" Web servers
> are just that - Web servers. And that unless you administer them, they'll
> respond quite happily to things like search engine robots.
For those of you who recall,

http://www.anu.edu.au/mail-archives/link/link9605/0226.html

This was a similar occurrence that happened to me, remarked about on
Link back in 1996! I also consider it somewhat of a precedent.

The problem is not the search engine (which is doing only what it
is designed to do) but a poorly managed and understood web server
config. The search engines are just the messengers. Mind you, it is
a very clever use of them to promote an exploit.

The lesson I learnt from my AltaVista experience taught me a lot
about being mindful of how you maintain your web (and other) services.
Somewhere out there, there is somebody waiting for opportunities like
these and it is not paranoia to be concerned...

rachel
--
Rachel Polanskis Kingswood, Greater Western Sydney, Australia
grove@zeta.org.au http://www.zeta.org.au/~grove/grove.html
"People don't say sorry in this country" - Max Connors (Seachange)