
Security Assessment through Google Tools - Focusing on the Korea University Website

Mi Young Bae1,1, Hankyu Lim1,

1Department of Multimedia Engineering, Andong National University, 388 Seongcheon-Dong, Andong-City, Gyeongsangbuk-Do, Republic of Korea

[email protected], [email protected]

Abstract. Most recent cyber-attacks have targeted websites. This study therefore diagnoses the security vulnerabilities of the home pages of universities in South Korea through Googling, which is the easiest way to collect information. The study is intended to raise awareness of how the Google search engine can be used to attack vulnerabilities and to present countermeasures against the security vulnerabilities revealed by Google hacking.

Keywords: Secure coding, Google Hacking, Security Assessment, Web site.

1 Introduction

Since today's software exchanges data over the Internet, the possibility of being attacked by malicious hackers always exists.

Targeted attacks in 2013 increased by 91% compared to the previous year, and the number of data leak incidents increased by 62%. Through these incidents, more than 552 million IDs were exposed[1].

In addition, the number of web-based attacks increased by 23%, and one out of eight legitimate websites was shown to have serious vulnerabilities.

As cyber-crime becomes more and more rampant, the cost and time needed to resolve related problems continue to increase. This is among the findings of the 5th annual cyber-crime cost study conducted by the Ponemon Institute. An international study conducted in 2014 in seven countries by a US-based company revealed that the average cyber-crime cost of US companies increased by 9% in one year, from 11.6 million dollars in 2013 to 12.7 million dollars in 2014. It also showed that the average time taken to resolve cyber-crimes increased from 32 days in 2013 to 45 days in 2014[2, 3].

There is growing recognition that, to resolve such security vulnerabilities, the development of robust software by programmers is the most essential and effective measure, rather than reinforcing security systems against the external environment.

Nevertheless, the number of pieces of personal information leaked over the last five years is as high as 200 million, including 10.81 million through the Auction hacking (Feb. 2008), 6 million from SK Broadband (April 2008), 11.25 million from GS Caltex (Sept. 2008), and 35 million from SK Coms (July 2011), plus those leak cases that were omitted from the submitted data for the reason of personal information work transfer[4].

1 Corresponding Author: Hankyu Lim, [email protected]

Advanced Science and Technology Letters Vol.93 (Security, Reliability and Safety 2015), pp.9-13

http://dx.doi.org/10.14257/astl.2015.93.03

ISSN: 2287-1233 ASTL Copyright © 2015 SERSC

Although the methods of stealing personal information, which is such a serious problem, are diverse and include hacking by outsiders and leaks by insiders, 'Googling' through Google searches is regarded as the easiest method.

Therefore, the present study examines the security vulnerabilities of the home pages of universities in South Korea through Googling, which is the easiest way to collect information, and aims to raise awareness of how the Google search engine can be used to attack vulnerabilities. In addition, countermeasures against the security vulnerabilities revealed by Google hacking will be presented.

2 Checking Website Security Vulnerabilities

Since 2012, the application of software development security has been made mandatory in stages for the public web services of domestic public institutions as a countermeasure against security threats[5].

In particular, under the 2014 plan for promoting security vulnerability checks of educational institution home pages, home page security vulnerability check items were distributed as part of reinforcing the checking of security vulnerabilities in home pages operated by educational institutions such as si/do (city/provincial) education offices and universities. The detailed check items are shown in <Table 1> and <Table 2>.

Table 1. OWASP Security vulnerability assessment items

No.  Security Vulnerability Type
1    Injection
2    Broken Authentication and Session Management
3    Cross-Site Scripting (XSS)
4    Insecure Direct Object References
5    Security Misconfiguration
6    Sensitive Data Exposure
7    Missing Function Level Access
8    Cross-Site Request Forgery (CSRF)
9    Using Components with Known Vulnerabilities
10   Unvalidated Redirects and Forwards

Table 2. NIS Security vulnerability assessment items

No.  Security Vulnerability Type
1    Directory listing vulnerability
2    File Download Vulnerability
3    Cross-Site Scripting (XSS)
4    File Upload Vulnerability
5    WebDAV Vulnerability
6    Tech note Vulnerability
7    ZeroBoard Vulnerability
8    SQL injection Vulnerability


Programmers want the vulnerabilities in their programs to be completely removed so that the programs can operate securely. However, expertise about the vulnerability items cannot be obtained easily, and it is difficult to recognize how the vulnerability items can be corrected.

3 Google Hacking

Google collects information through many major channels. The types of collected information include information that users provide directly when they use Google's major tools, information collected by Google's robots (web crawlers), information provided by others when they use Google's tools, and information obtained from third-party databases and business partners[6].

Googling is the use of Google searches to obtain information from the Web. However, Googling has been abused and has become established as an easy way to extract personal information. Although large firms that are highly interested in security are implementing defensive measures against such extraction of personal information, entities such as schools and hospitals are still vulnerable to such attacks.

Googling is used not only to extract personal information but also in attacks that find the administrator account information of company computing systems and push malicious code onto those accounts, because searching with certain options can reveal even important personal information held on the relevant sites.

4 Security Vulnerabilities Diagnosis through Google Hacking

A. Personal Information Disclosure Vulnerability

Even simple search words such as “member list” and “member list.xls” produced approximately 450,000 search results, quite a few of which were files containing students’ birthdays, phone numbers, and addresses. The contents could be viewed by downloading and opening the files without any restriction.

Fig. 1. Google search results and disclosure of personal information file

This security vulnerability corresponds to the exposure of important information (Sensitive Data Exposure) among the OWASP security vulnerability items and to the file download vulnerability among the security vulnerability check items of the National Intelligence Service.


B. SQL Injection Vulnerability

This is a vulnerability that enables attackers to insert SQL statements into the input forms and URL parameters of web applications linked to databases in order to read and manipulate information in the database.

Because administrator pages are a target for SQL injection, administrator pages were searched for in Google using the keyword inurl:admin site:ac.kr. The search returned approximately 26,900 websites, quite a few of which exposed their administrator log-in screens as they were.

Fig. 2. Google search results and administrator mode

C. Directory listing vulnerability

This vulnerability arises when index security is not configured on public servers, so that all directories, or directories containing important information, are listed to outsiders. Googling with intitle:index.of inurl:ac.kr produced approximately 1,610,000 search results, and quite a few of them listed directories as they were.

Fig. 3. Google search results and directory listings

D. Error messages vulnerability

Since AP installation information, ID/PW information, and SQL injection attack information are provided when error messages are searched for in Google, detailed information on pathways for intruding into servers is exposed.

The following is the result of a Google search using the keyword ORA-00921:unexpected end of SQL command inurl:ac.kr.

Fig. 4. Google search results and the error message exposure

5 Conclusion

In the present study, the security vulnerabilities of the home pages of universities in South Korea were diagnosed using very simple Google search words. The diagnosis showed that quite a few security vulnerabilities existed.

Nevertheless, concrete guidelines on methods for preventing or checking for security incidents caused by Google hacking are still insufficient.

To prevent Google hacking, vulnerability scanning of web servers should be conducted using Google hacking vulnerability scanners, and if any vulnerable points are found, the cause should be identified and the necessary actions taken.
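A self-audit in the spirit of this recommendation, as an added example that is not part of the paper: it classifies responses fetched from a site's own server, without credentials, against the four exposure classes of Section 4. The function names, patterns, host name and sample responses are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Heuristic markers for the Section 4 exposure classes (assumed patterns, not from the paper).
DIR_LISTING = re.compile(r"<title>\s*Index of\s+/", re.I)               # C. directory listing
DB_ERROR = re.compile(r"\bORA-\d{5}\b|error in your SQL syntax", re.I)  # D. error messages
ADMIN_PATH = re.compile(r"(^|/)(admin|administrator)(/|$)", re.I)       # B. admin pages
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)
DATA_FILE_EXT = (".xls", ".xlsx", ".csv", ".sql", ".bak")               # A. data files

def audit_page(url, status, content_type, body):
    """Return exposure findings for one response fetched without credentials."""
    findings = []
    path = urlparse(url).path.lower()
    if status == 200 and DIR_LISTING.search(body):
        findings.append("directory-listing")
    if DB_ERROR.search(body):  # a leak at any status code, often 500
        findings.append("db-error-leak")
    if status == 200 and ADMIN_PATH.search(path) and PASSWORD_FIELD.search(body):
        findings.append("public-admin-login")
    if status == 200 and path.endswith(DATA_FILE_EXT) and "html" not in content_type:
        findings.append("unauthenticated-data-file")
    return findings

def audit_site(pages):
    """Map each URL that has at least one finding to its list of findings."""
    report = {}
    for url, status, content_type, body in pages:
        findings = audit_page(url, status, content_type, body)
        if findings:
            report[url] = findings
    return report

# Constructed sample responses (hypothetical host under the reserved .example TLD).
SAMPLE_PAGES = [
    ("https://www.univ.example/files/", 200, "text/html",
     "<html><head><title>Index of /files</title></head></html>"),
    ("https://www.univ.example/board/view.jsp?id=12", 500, "text/html",
     "<pre>ORA-00921: unexpected end of SQL command</pre>"),
    ("https://www.univ.example/admin/", 200, "text/html",
     '<form method="post"><input type="password" name="pw"></form>'),
    ("https://www.univ.example/data/member_list.xls", 200,
     "application/vnd.ms-excel", ""),
    ("https://www.univ.example/index.html", 200, "text/html", "<title>Welcome</title>"),
]

if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_PAGES).items():
        print(url, "->", ", ".join(findings))
```

Each finding maps to a server-side fix: turn off automatic directory indexes, return generic error pages, restrict access to administrator pages, and move data files behind authentication.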

In future work, the security vulnerabilities of the home pages of universities in South Korea will be analyzed using Google hacking vulnerability scanners, and methods for resolving the vulnerabilities will be presented based on the results of the analysis.

References

1. Symantec: Internet Security Threat Report, 2013 Trends, Volume 19, (2014)

2. Ministry of Public Administration and Security: Software Development Security Guide, (2012.5)

3. http://www8.hp.com/kr/ko/software-solutions/ponemon-cyber-security-report/

4. Kim Namil: "Revealed personal information during 5 years is 200 millions, the penalty is 94.39 million won for 14 cases", 「Hankyeorae」, (2014)

5. Ministry of Security and Public Administration: Secure Coding Inspection Guide for e-Gov SW, (2014)

6. Greg Conti: Google knows you, Bpanbooks, (2009)
