Have You Been Google-Dorked? It’s Possible.
(This post originally appeared on Inc.)
Last week, the U.S. Justice Department charged seven Iranian nationals with hacking into various U.S. computer systems. While the attacks were primarily targeted at financial firms and banks, what caught most people’s attention was one incident where a computer that controlled a small dam in New York State was compromised.
According to this report: The 2013 attack on the Bowman Avenue Dam startled U.S. authorities, sparking concerns that reached the White House. The dam is a small structure less than 20 miles north of New York City used mostly for flood control, and gaining control likely posed little threat. But the move underscored that hackers were targeting U.S. infrastructure.
How did a lone hacker based thousands of miles away compromise a piece of U.S. infrastructure? Was he some sort of genius? Not really. He did this pretty easily. He just used a technique called Google dorking.
Google Dorking is a relatively easy way for someone to check if there are security holes in a network or individual computers. According to this definition a Google dork query “is a search string that uses advanced search operators to find information that is not readily available on a website,” which “includes information that is not intended for public viewing but that has not been adequately protected. As a passive attack method, Google dorking can return usernames and passwords, email lists, sensitive documents, personally identifiable financial information (PIFI) and website vulnerabilities.” It’s all legal. The tools are readily available from Google. You can even check out a number of YouTube videos if you’d like to learn how to do this.
Google dorking was intended for the good guys as a means to test their organization’s network security. But unfortunately, the bad guys know about this. The Iranian guy who hacked into the dam was just trolling around the Internet (for months) looking for any device he could compromise. And then he found one. Of course, once inside you’ll need a little more tech knowledge than the average bear. But finding people with this knowledge isn’t so hard either.
Here’s the good news: you’re only at risk if your computers are older, or running out of date operating systems. This was exactly the case in the Bowman Avenue Dam infiltration. Unfortunately, it underscores a huge issue: it doesn’t matter how big or small your company is or what you do. There are thousands (maybe even more) hackers that are also online as I write this and they looking for systems that they can compromise. The tools to do this are readily available. It’s easy. Your business might be storing credit card information, social security numbers, bank account password codes and tax returns on your servers. And think about it: a guy halfway around the world who’s making pennies doesn’t need to bring down the U.S. electrical grid to make the equivalent of a fortune in his home country–he’s more than happy with a few credit card numbers he can swipe to earn a living. It’s that easy.
Getting hacked can kill your business. Your customers may sue you. The Federal government may sue you (and if you don’t believe that, just look at what happened to Wyndham Hotels a few months ago). The loss could be a public relations nightmare. Or it could be fatally disruptive to your operations.
If there’s anything to be learned from the Bowman Avenue Dam hack it’s that everyone’s vulnerable, and the tools–like Google dorking–are easier to find and use then most of us thought. Engage a tech firm now. Have them do a security analysis on your network and your cloud based systems. Let them install security software. Contract with them to monitor your systems and perform updates. Get rid of older computers. Upgrade all of your operating systems to their latest versions. Train your employees on the best practices for avoiding malicious software and for noticing potential breaches. Buy cyber-insurance to provide you with an extra level of comfort in case something bad does happen.
Yes, this will all cost you money. Welcome to the world of 2016 technology. These are costs your parents never had when they ran the business. But then again, they never had the benefits of the great technology that you have today. So make that investment. Otherwise, you’re just being a dork.