Hackers Pick Up Clues From Google’s Internet Indexing

In 2013, the Westmore News, a small newspaper serving the suburban community of Rye Brook, New York, ran a feature on the opening of a sluice gate at the Bowman Avenue Dam. Costing some $2 million, the new gate, then nearing completion, was designed to lessen flooding downstream.

The event caught the eye of a number of local politicians, who gathered to shake hands at the official unveiling. “I’ve been to lots of ribbon-cuttings,” county executive Rob Astorino was quoted as saying. “This is my first sluice gate.”

But locals apparently weren’t the only ones with their eyes on the dam’s new sluice. According to an indictment handed down late last week by the U.S. Department of Justice, Hamid Firoozi, a well-known hacker based in Iran, gained access several times in 2013 to the dam’s control systems. Had the sluice been fully operational and connected to those systems, Firoozi could have caused serious damage. Fortunately for Rye Brook, it wasn’t.

Hack attacks probing critical U.S. infrastructure are nothing new. What alarmed cybersecurity analysts in this case, however, was Firoozi’s apparent use of an old trick that computer nerds have quietly known about for years.

It’s called “dorking” a search engine — as in “Google dorking” or “Bing dorking” — a tactic long used by cybersecurity professionals who work to close security vulnerabilities.

Now, it appears, the hackers know about it as well.

Hiding in open view

“What some call dorking we really call open-source network intelligence,” said Srinivas Mukkamala, co-founder and CEO of the cyber-risk assessment firm RiskSense. “It all depends on what you ask Google to do.”

FILE - U.S. Attorney General Loretta Lynch and FBI Director James Comey hold a news conference to announce indictments on Iranian hackers for a coordinated campaign of cyber attacks on several U.S. banks and a New York dam, at the Justice Department in Washington, March 24, 2016.


Mukkamala says that search engines are constantly trolling the Internet, looking to record and index every device, port and unique IP address connected to the Web. Some of those things are designed to be public — a restaurant’s homepage, for example — but many others are meant to be private — say, the security camera in the restaurant’s kitchen. The problem, says Mukkamala, is that too many people don’t understand the difference before going online.

“There’s the Internet, which is anything that’s publicly addressable, and then there are intranets, which are meant to be only for internal networking,” he told VOA. “The search engines don’t care which is which; they just index. So if your intranet isn’t configured properly, that’s when you start seeing information leakage.”

While a restaurant’s closed-circuit camera may not pose any real security threat, many other things getting connected to the Web do. These include pressure and temperature sensors at power plants, SCADA systems that control refineries, and operational networks — or OTs — that keep major manufacturing plants working.

Whether engineers know it or not, many of these things are being indexed by search engines, leaving them quietly hiding in open view. The trick of dorking, then, is to figure out just how to find all those assets indexed online.

As it turns out, it’s really not that hard.

An asymmetric threat

“The thing with dorking is you can write custom searches just to look for that information [you want],” said RiskSense’s Mukkamala. “You can have multiple nested search conditions, so you can go granular, allowing you to find not just every single asset, but every other asset that’s connected to it. You can really dig deep if you want.”

Most major search engines like Google offer advanced search functions: commands like “filetype” to hunt for specific types of files, “numrange” to find specific digits, and “intitle,” which looks for exact page text. Moreover, different search parameters can be nested one in another, creating a very fine digital net to scoop up information.

FILE - The sluice gate of the Bowman Avenue Dam is pictured in Rye, New York, December 23, 2015. Iranian hackers breached the control system of a dam near New York City in 2013.


For example, instead of just entering “Brook Avenue Dam” into a search engine, a dorker might use the “inurl” function to hunt for webcams online, or “filetype” to look for command and control documents and functions. Like a scavenger hunt, dorking involves a certain amount of luck and patience. But skillfully used, it can greatly increase the chance of finding something that should not be public.

Like most things online, dorking can have positive uses as well as negative. Cybersecurity professionals increasingly use such open-source indexing to discover vulnerabilities and patch them before hackers stumble upon them.
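The same nested conditions can be pointed at one's own assets before anyone else does. The following is an added example, not part of the original article: it runs dork-style conditions over a constructed inventory of an organisation's own public URLs. The inventory, the rule names and the way each operator is modelled (for instance, intitle matched against the page title) are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed inventory of an organisation's own externally reachable pages
# (reserved example.com hostnames; none of this is real data).
INVENTORY = [
    {"url": "https://www.example.com/menu.html", "title": "Our Menu"},
    {"url": "https://www.example.com/cam/view.html", "title": "Kitchen Camera Live View"},
    {"url": "https://ops.example.com/docs/gate-control.pdf", "title": "Gate Control Procedures"},
    {"url": "https://ops.example.com/status?unit=4021", "title": "Sensor Status"},
]

def filetype(page, ext):  # file extension of the URL path
    return urlparse(page["url"]).path.lower().endswith("." + ext.lower())

def inurl(page, word):  # substring anywhere in the URL
    return word.lower() in page["url"].lower()

def intitle(page, word):  # substring of the page title (modelling assumption)
    return word.lower() in page["title"].lower()

def numrange(page, low, high):  # any number in URL or title within [low, high]
    text = page["url"] + " " + page["title"]
    return any(low <= int(n) <= high for n in re.findall(r"\d+", text))

OPERATORS = {"filetype": filetype, "inurl": inurl, "intitle": intitle, "numrange": numrange}

def matches(page, query):
    """A query is ("and"|"or", [subqueries]) or (operator_name, *arguments)."""
    head, *args = query
    if head == "and":
        return all(matches(page, q) for q in args[0])
    if head == "or":
        return any(matches(page, q) for q in args[0])
    return OPERATORS[head](page, *args)

def audit(inventory, rules):
    """Map each rule name to the inventory URLs a query of that shape would surface."""
    return {name: [p["url"] for p in inventory if matches(p, q)] for name, q in rules.items()}

# Constructed rules showing nesting: each narrows the inventory to one class of asset.
RULES = {
    "camera pages": ("and", [("inurl", "cam"), ("intitle", "camera")]),
    "control documents": ("and", [("filetype", "pdf"), ("or", [("intitle", "control"), ("inurl", "ops.")])]),
    "numbered units": ("numrange", 4000, 4100),
}

if __name__ == "__main__":
    print(audit(INVENTORY, RULES))
```

Every URL a rule returns is a candidate for authentication, removal from the public network, or exclusion from indexing.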

Dorking is also nothing new. In 2002, Mukkamala says, he worked on a project exploring its potential risks. More recently, the FBI issued a public warning in 2014 about dorking, with advice about how network administrators could protect their systems.

The problem, says Mukkamala, is that almost anything that can be connected is being hooked up to the Internet, often without regard for its security, or the security of the other objects it, in turn, is connected to.

“All you need is one vulnerability to compromise the system,” he told VOA. “This is an asymmetric, widespread threat. They [hackers] don’t need anything else than a laptop and connectivity, and they can use the tools that are there to start launching attacks.

“I don’t think we have the knowledge or resources to defend against this threat, and we’re not prepared.”

That, Mukkamala warns, means it’s more likely than not that we’ll see more cases like the hacker’s exploit of the Bowman Avenue Dam in the years to come. Unfortunately, we might not be as lucky the next time.