Slashdot Mirror
The "Google Hack" Honeypot
An anonymous reader writes "On the heels of Google Hacking for Penetration Testers, and Johnny Long's talks at Blackhat/Defcon over the weekend, comes the "Google Hack" Honeypot, a honeypot designed to lure in malicious search engine activity. They had a second release of their tools on monday, according to their site."
seriously, what good does this serve society? If you can prove that google hacking makes information more free, or that tearing down the barriers helps, well, fine.
If you want to see if you can secure data so it doesn't get google hacked - ok.
If you just want to show how nifty you are at using commonly available tools - there never has been any such thing as total privacy and there never will be.
-- Tigger warning: This post may contain tiggers! --
From squirrelmail.org: Several cross site scripting (XSS) vulnerabilties have been discovered in SquirrelMail versions 1.4.0 - 1.4.4.
I assume, that's the reason for the 1.4.4 login screen at their demo page.
From what I can gather, SquirrelMail 1.4.4 contains a vunerability enabling you to do nasty things. By adding honeypot sites, it makes real sites to hack slightly more difficult if you're trying to find them via Google.
OK, simply:
Tool creates fake web pages that look like vulnerable Web apps.
Google indexes fake pages.
Bad Guy searches Google for likely victims.
Google returns indexes of pages created by tool.
Bad Guy follows links.
Tool logs Bad Guy's IP and other information.
No Profit for Bad Guy.
Good Guys watch Bad Guy try to |-|@><0r the page, and log everything his does.
Good Guys contact Law Enforcement, present evidence.
Good Guys contact Bad Guy's ISP, present evidence.
(now, there are 2 possible outcomes - the ideal and the real.)
Ideal outcome
Law Enforcement goes after Bad Guy.
Bad Guy's ISP shuts Bad Guy down.
Bad Guy gets caught, convicted, and spends several years playing "Hide The Sausage" with his new friend Benjamin Dover the Serial Sodomist.
Real outcome
Law Enforcement ignores evidence as no money was lost.
Bad Guy's ISP ignores evidence as there is no Law Enforcement involvement, and Good Guys are not ISP's customers.
Bad Guy is distracted for a while and doesn't get to |-|@><0r as many systems.
www.eFax.com are spammers
Do what ? Say i deliberately have a directory on my site that is called /etc/passwd ? It is a highly relevant page containing stories and articles I have written
Say I have pages up with the same strings that are relevant to a number of Google hacks, like "Admin Panel powered by" etc etc ?
This stupid pre-emptive doctrine that has poisoned everything since 9/11 has to stop. Nothing has been 'settled' in the real world where things actually count.
if it was private
The Downing Street memo and numerous other leaks were intended to be private. Are you suggesting that the world shouldn't know what is happening ?
Stop being such an old granny.
"These insecure tools, when combined with the power of a search engine and index which Google provides, results in a convenient attack vector for malicious users."
how is your crappy site being indexed by google the fault of "insecure tools"? you have stuff to hide? don't put it where google can get it!
the only insecure "tool" is the site designer who exposes his own data...