Automated security scanning with Google

The other day Robin Good posted a link, via George Siemens, to a Register article by Scott Granneman. The article illustrates Google queries that find passwords, web-accessible databases, and financial data. Nobody should be surprised by what these queries reveal, but I'm sure a lot of folks will be.

A couple of websites have even sprung up dedicated to listing words and phrases that reveal sensitive information and vulnerabilities. My favorite of these, Googledorks, is a treasure trove of ideas for the budding attacker. As a protective countermeasure, all security pros should visit this site and try out some of the suggestions on the sites that they oversee or with whom they consult. With a little elbow grease, some Perl, and the Google Web API, you could write scripts that would automate the process and generate some nice reports that you could show to your clients. [The Register: The Perils of Googling]

Indeed. What does surprise me is that there isn't a well-known tool for doing this. It would be the 21st-century equivalent of SATAN, the first security scanner I pointed at my website back in the mid-1990s. Or more recently, Nessus.

Perhaps such a tool is well-known, but not yet to the good guys? It would be really useful. The mechanism, as Granneman points out, is trivial, but assembling the database of vulnerabilities isn't. If a credible project has formed around this idea, I'd like to know about it.


Former URL: http://weblog.infoworld.com/udell/2004/03/12.html#a943