Friday, February 11, 2011

Google Alerts For Security Monitoring


Google's web spider "Googlebot" crawls billions of pages on the Internet, tirelessly indexing content and meta-information. While this indexing operation fuels Google's overall search experience, it also has some decent utility for security monitoring.

This is made possible by Google Alerts, a free service that allows you to automate searches and receive email or RSS notices for new search results. It is ALWAYS a good idea to do some "introspective" searches for your websites, and setting up Google Alerts for this purpose is very easy (see link above). Here is a brief list of some ways it can be employed:

Detecting Spamdexing
Spamdexing describes a variety of efforts that attackers can undertake to inject their links and text onto target servers to facilitate Blackhat SEO (search engine optimization). In these attacks, the attacker uses collections of often self-referring injected links to increase the page ranking of a master link-farm page. The end goal is to have that link-farm page listed as high as possible in search engine results to capture web traffic and garner referral fees, or to commit fraud.

Often blog/wiki spamming is used for these purposes; however, Spamdexing is also frequently used after a compromise of a web application (particularly some popular open source CMS systems) or of associated hosting accounts, which are then used to host the injected content. The keywords and phrases targeted in Spamdexing SEO very frequently relate to purchasing "cheap goods", so it isn't hard to look for these as indicators of potential problems.

You can monitor for potential indications of a successful Spamdexing attack using Google Alerts coupled with some basic site: searches. Here are some quick examples:

site:mydomain.com viagra OR cialis OR levitra
site:mydomain.com buy windows OR buy office

Unfortunately, there is usually no shortage of sites that have been impacted by these types of attacks.
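A local counterpart to the spamdexing searches above, added here as an example and not part of the original post: rather than waiting for Googlebot to index an injection, it scans page HTML you already hold (for instance a crawl of your own site) for anchors whose text or target carries the same keywords, and for anchors hidden from human visitors but visible to a crawler. The sample page, the example.invalid URLs and the keyword list are constructed for the example.

```python
from html.parser import HTMLParser
# Keywords mirror the post's example alerts; extend to match your own alerts.
SPAM_KEYWORDS = ("viagra", "cialis", "levitra", "buy windows", "buy office")

# Constructed sample page: a benign link, a hidden pharma link, a keyword-stuffed link.
SAMPLE_HTML = """<html><body>
<p>Welcome to <a href="/about">our company</a>.</p>
<div style="display: none"><a href="http://example.invalid/pills">cheap viagra</a></div>
<p><a href="http://example.invalid/win">buy windows key</a></p>
</body></html>"""

class _LinkCollector(HTMLParser):  # collects every <a>, noting if it sits in a hidden element
    def __init__(self):
        super().__init__()
        self.links = []    # (href, anchor_text, hidden)
        self._open = []    # stack of (tag, hides_content) for open elements
        self._cur = None   # [href, text_parts] while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hides = "hidden" in a or "display:none" in style or "visibility:hidden" in style
        self._open.append((tag, hides))
        if tag == "a":
            self._cur = [a.get("href") or "", []]

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            hidden = any(h for _, h in self._open)  # the <a> or any ancestor is hidden
            self.links.append((self._cur[0], "".join(self._cur[1]).strip(), hidden))
            self._cur = None
        for i in range(len(self._open) - 1, -1, -1):  # pop back to the matching open tag
            if self._open[i][0] == tag:
                del self._open[i:]
                break

def find_spam_links(html):
    """Return links that look injected: spam keywords in href/text, or hidden from visitors."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text, hidden in parser.links:
        hits = [k for k in SPAM_KEYWORDS if k in (href + " " + text).lower()]
        if hits or hidden:
            findings.append({"href": href, "text": text, "hidden": hidden, "keywords": hits})
    return findings
```

Run it over each saved page of your site and review the findings; a hidden anchor with no keyword hit is still worth a look, since attackers rotate the products they push.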

Detecting Data Leaks
Another easy and useful thing to alert on is the document types that may be visible to Google on your external-facing websites. This is made possible through filetype: searches. These searches help address the risk of information leaks that can occur if a user uploads material to your public site that was not intended for public disclosure.

Some useful searches in the area include:
site:mydomain.com filetype:docx
site:mydomain.com filetype:csv
etc ....

Also, if you have sensitive documents that contain some unique textual content, that content can be used as a textual watermark in searches to find your organization's material that may have found its way onto internal/external web pages or online document storage venues.

Keeping An Eye Out For Blackhat SEO
Another item that Google Alerts can assist with is detecting external websites that may be set up to draw in unsuspecting users who are searching for terms/topics related to your organization. Often automated SEO bots will search the Internet and combine keyword terms/topics in hopes of finding a combination that results in a high page rank. A good way to keep an eye out for this is to set up alerts based on your organization's name, abbreviations, product lines, etc. In addition to assisting with the detection of Blackhat SEO methods, this always gives your security team some extremely valuable insight into link structures, web postings, and other areas that may relate to your organization's web resources, data, and reputation.

These broad searches can generate a good bit of information, so they have to be tailored, but the results can greatly assist overall environmental awareness of external web development, posts, or methods that may be relevant to your security program.

Vulnerability and Misconfig. Scanning
Last but certainly not least, it is worth mentioning that Google searches can of course also be used to look for known vulnerabilities or misconfigurations of Internet-facing devices. The newly reborn Google Hacking Database has a lot of useful information on "Google-Dork" security searches that can be useful.