Johnny Long says he has never met a Google employee. And yet he is at the center of a community of security experts and search engine enthusiasts that might be developing some of the most interesting uses of Google technology today.
For the past 10 years, Long has made his living as a penetration tester, a "white hat" hacker who is asked to break into computer systems to test their security vulnerabilities.
His johnny.ihackstuff.com Web site is the starting point for anyone looking to turn Google into a hacker's tool. At its heart is a repository of sneaky queries called the Google Hacking Database, which got its start nearly six years ago, when Long posted a few of what he refers to as "funny, or interesting, or dangerous," Google queries in the Internet.
Initially, Long, who goes by the name Johnny Hax, did not expect the idea of using Google to break into computer networks to attract any kind of serious study.
"It was sort of a joke actually," he says. "The whole Google hacking thing was supposed to be tongue-in-cheek, because I knew that the real hackers would get their feathers all ruffled."
Instead of being bent out of shape, the hackers were intrigued, and Long's Google hacking community now boasts nearly 60,000 members.
At the recent Black Hat security conference in Las Vegas, Long's talk on Google hacking was a standing-room-only affair, and the Google Hacking Database now stands at about 1,500 queries.
"It evolved into this very visible thing," says Long, a researcher with Computer Sciences Corp. and author of Google Hacking for Penetration Testers. "The sheer weight and breadth of the stuff that we dug up just made people go, 'Wow.'"
Long, who talks about his Google hacks with a comic's timing and a laid-back style, says that he has always been a hacker at heart. He claims to have legitimately broken into hundreds of computer networks in his capacity as a professional security researcher, a job he came to only after abandoning his "wear a stupid suit and climb the corporate ladder phase."
The list of what Long and his fellow Google hackers have been able to dig up is impressive: passwords, credit card numbers and unsecured Web interfaces to things like PBXs, routers and Web sites.
Hackers also use Google for reconnaissance. One of the most basic techniques is to wait for a major security bulletin and then use Google to search for Web sites that are "powered by" the buggy software. Attackers can also map out computer networks using Google's database, making it impossible for the networks' administrators to block the snooper.
Often, this kind of information comes in the form of apparently nonsensical information, something that Long calls "Google turds." For example, because there is no such thing as a Web site with the URL "nasa," a Google search for the query "site:nasa" should turn up zero results. Instead, it turns up what appears to be a list of servers, offering an insight into the structure of NASA's internal network, he says.
But some of the most interesting hacks occur when Google's servers are tricked into doing work for the hackers, Long says. A recent trend has been to create Web pages with thousands of fake links that trick Google into doing hacker reconnaissance work. The technique works on Web sites that require URLs with embedded user names and passwords for access to some areas.
"You load up this page so it has the same user name, but you try a bunch of different passwords in the links," Long says. "Then the search engine picks up those links and tries to follow them all, but only caches the one that works. So then you go back and pick up your results, and you've actually got the search engine doing your dirty work."
Although hackers used search engines before Long made a name for himself, the power and comprehensiveness of today's engines, including Microsoft's MSN Search, make them critical tools for computer attackers, says Mikko Hypponen, chief research officer with security company F-Secure.
From the Google Hacking DatabaseA sampling of popular hacks:
"Search engines are probably the first step, because they are a really easy way of getting to know the target, and the target has no idea of what you're doing," he says. "Nowadays, pretty much any hacking incident most likely begins with Google."
To what extent Google is paying attention to the nefarious possibilities of its search engine is unclear. Google confirmed that it has employees who work in this area, but the company wouldn't allow any of them to be interviewed for this story.
The company does make a practice of blocking many of the Google Hacking Database queries (often right after Long makes a public presentation of them), but it keeps a low profile at security shows, including Black Hat.
"Google is very user-friendly, but the general consensus is that they're not very involved in the security community," Long says. If Google ever does pay any serious attention to the hackers, it could end up developing a whole new line of business, Long believes. Why not, for example, create a kind of Google Security Alerts system that would let customers know when some of the vulnerabilities that Long and his hacker friends have been discovering are found on a specific Web site?
In fact, it's possible that Google might have such a product in the works. Long says he suggested this idea to Google Information Security Officer Stephen Hansen nearly two years ago, right after Hansen had signed up as a member of the Google Hacking Database Web site, Long says.
"I shot him an e-mail back, and I said, 'It's good to have you here. If you have any questions or problems, then let me know.' And then I fired the idea at him about a security service," he says. I didn't hear anything back from him. And that was actually the only contact I've ever had with somebody at Google."
Learn more about this topicHackers for hire
06/20/05Router flaw sparks battle
08/01/05Google dives deeper into networking