Anonymizing RFI Attacks Through Google

← Back to Stories (view on slashdot.org)

Anonymizing RFI Attacks Through Google

Posted by ryuzaki0 on Thursday November 23, 2006 @01:37AM from the anonymizing-isn't-in-my-spellchecker dept.

netbuzz writes "Noam Rathaus on his SecuriTeam blog describes a technique by which 'Google can be utilized to hack into websites — actively exploiting them (not information gathering by the use of "Google hacking," although that is how most of the sites vulnerable to RFI attacks are found).' He cites examples in the wild and even mentions that the technique could be used as a 'covert' communications channel."

3 of 66 comments (clear)

Min score:

Reason:

Sort:

but is it a crime... by Sensor · 2006-11-23 01:48 · Score: 5, Interesting

There is actually quite an interesting aside to this, would someone who used this technique actually be guilty of hacking? Afterall they don't run the exploit and arguably can't guarentee that anyone will.

If I happen to create a utility capable of cracking a site but then store it for research, never distribute and never actively use then I've not committed a crime. If I distribute it to other researchers in good faith then I'm covered - at present its only the person who actively uses it that is guilty of a crime.

However, in this scenario (even if I could be traced) its arguable that *I* never attacked a site, all I did was to place a tool that could be used in that way in a public location. I'm not sure that would completely stand up given the recent ammendment to the UKs computer misuse act (i.e. reasonable belief that the tool would not be used in that fashion), but still...

As always it comes down to people...

PS:
Aas an aside I am currently running a survey for my MSc dissertation on IT admin access to confidential information. If you'd like to help out (and would like a shot at winning a £25 or $40 amazon voucher) then please take a look at:

https://msc-survery.priogenus.com/amazon.php
How not Who by MartinJW · 2006-11-23 01:56 · Score: 5, Informative

If your web application is vulnerable to attack then I would have thought it makes no difference where that attack comes from - be it a 'real' person or a search bot. You should spend more time worrying about whether your application is secure, the how is more important than the who.
RFI? How about defining this? by Ashtead · 2006-11-23 02:14 · Score: 5, Informative

Radio Frequency Interference? Request for Information? Radio France Internationale? Rodent Fangs Implementation? WHAT?
How about explaining what such an ambigious acronym actually means initially. As neither TFA nor the summary seems to have done so, I therefore will have do it here, just to make heads and tails of the rest of the discussion and perhaps illuminate someone else. Hit Google, slog through a pile of links indicating one of the above, or some company whose name includes the three letters. There are many of these. On Page 3 I found the Wikipedia page for this TLA, on which there is a dead link to what this must be: Remote File Inclusion.
How about that.
I was wondering if it was just me, that I had been off-line for too long (like 2 days) and missed out on the latest and greatest buzzword, again?

--
SIGBUS @ NO-07.308