Google Hacking Tools-Focusing on the US Government Website

Because various software use internet to transmit data in recent internet environment, there is always a possibility of malicious attacks by hackers. With Google search, with a few search words servers with desired vulnerabilities can be randomly searched. The study used SiteDigger that automatically searches Google which can most easily collect data to explore the security vulnerability status of US State Department web sites and analyzed the detected security vulnerabilities. In the future, based on the analyzed security vulnerabilities, the study plans to develop a webpage security diagnostics tool.


INTRODUCTION
With the development of internet search engines, it has become possible to search desired data from vast amounts of data for the purpose of information search. But also it has become possible to maliciously use search engines for hacking.
Within the year of 2013 targeted attack activity has increased by 91% compared to the previous year, data leakage has also increased by 62%, and through data leakages, over 552 million IDs have been exposed [1].
Cyber-crime average costs for US-based companies conducted in seven countries in 2014 increased 9% yearly and from the $11.6 million in 2013, it rose to $12.7 million. The average time consumed solving cyber-crime has also rose from 32 days in 2013 to 45 days, as reported by the cyber-crime costs research conducted by Ponemon Institute [2].
There are increased cases of finding and attacking vulnerable servers through Google search and because with a few search words, desired servers with vulnerabilities can be randomly searched, all servers searched can easily be a target of attack.
For diagnostic method of web security vulnerability, individual developers input individual diagnostic codes for individual security vulnerability or based on the results of web access in an unauthorized method find security vulnerabilities then edit web application source code or web firewall according to each element.
During diagnosing security vulnerabilities, because it is difficult for a person to find various security vulnerabilities by looking at the source code, by using an automated tool that inspect security vulnerabilities in short time, software security vulnerabilities can be effectively diagnosed and removed but currently there is lack of automatic analysis tools for inspecting web security vulnerabilities [3].
Diagnosis on the software security weakness can be divided into static analysis, which verifies input data and detects diverse security weaknesses such as weak API use by analyzing source code without running the software, and dynamic analysis, which conducts analysis from a functional operational aspect by running the software.
Static and dynamic automatized analytic tools depend on diagnosis rule and false positive can possibly exist in the diagnosis result. Hence, securing the reliability of the tool is critical [4].
The static analytic tools for secure software development that can analyze the security weakness are widely used these days. In case the surveillance corporation uses automatized tool based on static analytic tool of 'Source Code Security Weakness Analytic Tool' for diagnosing security weakness when inspecting KOREA national information-oriented business, using assessed and certified products(CC-certified product) became mandatory according to the 'Guideline for Information Protection System Assessment and Certification'. Two types of certified analytic tools launched in May 2014 [5].
In international cases, NIST SAMATE project provides a variety of tools that can be used in each stage of software development aiming at improvement of quality and security of software, which include security weakness analytic tool based on static analysis (commercial and public). Table I summarizes the analytic tools for source code security weakness [6].
The study used Googledork (Google search hack) tool SiteDigger is a method to more easily inspect web security vulnerabilities to explore the security vulnerability status of US State Department homepages and diagnosed and analyzed the security vulnerabilities of web pages.

II. GOOGLEDORK TOOL
Google collects data from various major media. Types of collected data include data directly provided when using main Google tools, data collected by Google bot web crawler, data provided by people when they use Google tools, and data acquired from third-party databases and business partners [7].
Googling refers to using Google search to acquire data from the web. However googling is being exploited to become an easy way to steal personal information. Googling is not only used in simple personal data leakages, but finding administrator's account information from IT systems to be used in attacks inserting malicious codes. This is because by searching using specific options, one can search even major personal information existing within a specific site.
There are various types of GoogleDork tools. Among them, Sqli Hunter is an automated tool that automatically detects SQL injection vulnerabilities of a website. Dork Searcher is a small utility type tool that automatically detects SQL injection vulnerabilities and GoogleDork is a simple Python script designed so that google dorking can be used directly in command line. Pentest-tools.com is a site where one can input a desired URL to search about nine types of Google hacking and then to see the Google's search results. SiteDigger searches Google cache to find security vulnerabilities of websites such as vulnerability errors, composition problems and proprietary information.
The list of vulnerabilities that can be automatically detected by SiteDigger is represented in Table II. FSDB is Found Stone database and SiteDigger is developed by Found Stone [8]. GHDB is Google hacking database [9]. According to each item, there are Google hacking related search words and for the inputted homepage address, a total of 1642 Googling is conducted using Google hacking related operator.

III. SECURITY VULNERABILITY DIAGNOSIS USING SITEDIGGER
The study used SiteDigger to diagnose security vulnerabilities of 50 US State Department homepages. The list of the 50 US State Department homepages and the detected security vulnerabilities are represented in Table III.  The area where many security vulnerabilities were found was 'Configuration Management' item and there was exposure of files that could represent handling methods of components.
The next area where much vulnerability was found was 'Sensitive Directories' item and this is an item where directories that could contain web security sensitive data are searched and there was 'Files containing passwords' item which showed there were many security vulnerabilities.

IV. CONCLUSION
The study used SiteDigger, a Google automation search tool that can conveniently conduct webpage security diagnosis, to diagnose security of US State Department homepages. Overall, there were not too many security vulnerabilities.
However this is only numerical figure and it is difficult to compare security status with numbers.
While there are many tools that analyze software security vulnerabilities, there are lacking development of homepage security vulnerability diagnosis tools.
Programmers want their programs to operate securely with vulnerabilities completely removed. However it is difficult to acquire professional knowledge about vulnerability items and there are difficulties in recognizing how the vulnerabilities must be edited. Therefore, it is necessary for development of homepage security vulnerability analysis tools. In the future, the study plans to develop a tool diagnosing web security vulnerabilities appropriate for global standard system characteristics.