Security Assessment through Google Tools -Focusing on the Korea University Website

Transcription

1 , pp Security Assessment through Google Tools -Focusing on the Korea University Website Mi Young Bae 1,1, Hankyu Lim 1, 1 Department of Multimedia Engineering, Andong National University, 388 Seongcheon-Dong, Andong-City, Gyeongsangbuk-Do, Republic of Korea mybae73@naver.com, hklim@anu.ac.kr Abstract. Recent cyber-attacks have been targeted at websites in most cases. Therefore, in the present study, the security vulnerability of home pages will be diagnosed through Googling that can collect information the most easily based on the home pages of universities in South Korea. The present study is intended to promote people s awareness of Google search engine s methods of attacking vulnerability and present countermeasures that can defend security vulnerability revealed by Google hacking. Keywords: Secure coding, Google Hacking, Security Assessment, Web site. 1 Introduction Since software of today exchanges data in Internet environments, the possibility to be attacked by malicious hackers always exists. Target attacking activities that occurred in one year of 2013 increased by 91% compared to the previous year and the number of spill accidents increased by 62%. Through the spill accidents, more than 552 million IDs were exposed[1]. In addition, the number of web-based attack cases increased by 23% and one out of eight lawful websites were shown to have serious vulnerable points. As cyber-crimes become more and more rampant, the costs and time to solve related problems are continuously increasing. This is part of facts revealed through the 5th annual cyber-crime cost study conducted by Ponemon Institute. Through an international study conducted in 2014 in seven countries by a US based company, it was revealed that the average cyber-crime cost of US companies increased by 9% in one year from 11.6 million dollars in 2013 to 12.7 million dollars in It was also shown that the average time taken to solve cyber-crimes also increased from 32 days in 2013 to 45 days in 2014[2, 3]. The recognition that to resolve this security vulnerability, rather than reinforcing security systems against external environments, the development of sturdy software by programmers is the most essential and effective is increasing. Nevertheless, the number of pieces of personal information spilt over the last five years reaches as high as 200 million including million through auction hacking (Feb. 2008), SK Broadband 6 million (April 2008), GS Caltex million (Sept. 1 Corresponding Author : Hankyu Lim, hklim@anu.ac.kr ISSN: ASTL Copyright 2015 SERSC

2 2008), SK Coms 35 million (July 2011) plus those cases of information spill that were omitted from submitted data for the reason of personal information work transfer[4]. Although methods of stealing personal information which is so serious a problem are diverse including hacking by outsiders and spills by insiders, Googling through Google searches is regarded as the easiest method. Therefore, in the present study, the security vulnerability of home pages will be examined through Googling that can collect information the most easily based on the home pages of universities in South Korea and people s awareness of Google search engine s methods of attacking vulnerability will be promoted. In addition, countermeasures that can defend security vulnerability revealed by Google hacking will be presented. 2 Checking Website Security Vulnerabilities Since 2012, stepwise mandatory application of security by software development has been institutionalized for public web services of domestic public institutions as a countermeasure against security threats[5]. In particular, according to the 2014 educational institution home page security vulnerability checking promotion plan, home page security vulnerability checking items were distributed as part of the reinforcement of the checking of security vulnerability in home pages operated by educational institutions such as si/do education offices and universities. The detailed contents of the security vulnerability checking items are as shown in <Table 1> and <Table 2>. Table 1. OWASP Security vulnerability assessment items Security Vulnerability Type 1 Injection 6 Sensitive Data Exposure 2 Broken Authentication and Session Management 7 Missing Function Level Access 3 Cross-Site Scripting (XSS) 8 Cross-Site Request Forgery (CSRF) 4 Insecure Direct Object References 9 Using Components with Known Vulnerabilities 5 Security Misconfiguration 10 Unvalidated Redirects and Forwards Table 2. NIS Security vulnerability assessment items Security Vulnerability Type 1 Directory listing vulnerability 5 WebDAV Vulnerability 2 File Download Vulnerability 6 Tech note Vulnerability 3 Cross-Site Scripting (XSS) 7 ZeroBoard Vulnerability 4 File Upload Vulnerability 8 SQL injection Vulnerability 10 Copyright 2015 SERSC

3 Programmers want vulnerability in their programs to be completely removed so that their programs can operate as secure programs. However, expertise about vulnerability items cannot be obtained easily and there are difficulties in recognizing how vulnerability items can be corrected. 3 Google Hacking Google collect information through many major media. The types of collected information include those pieces of information that are directly provided when major tools of Google are used, those pieces of information that are collected by Google robots web crawlers, those pieces of information that are provided by others when they use Google s tools, and those pieces of information that are obtained from third party databases and business partners[6]. Googling is using Google searches to obtain information from the Web. However, Googling has been abused and established as an easy way to extract personal information. Although large firms that are highly interested in security are implementing defensive measures against such extraction of personal information, entities such as schools and hospitals are still vulnerable to such attacks. Googling is used not only in extracting personal information but also in attacks that find company computing system administrator account information and push malignant codes onto the accounts because by searching under certain options, even important personal information existing in the relevant sites can be identified. 4 Security Vulnerabilities Diagnosis through Google Hacking A. Personal Information Disclosure Vulnerability Even simple search words such as member list and member list.xls produced approximately 450,000 search results and quite some of which were files containing students birth days, phone numbers, and addresses. The contents could be seen through downloading and file opening without any restriction. Fig. 1. Google search results and disclosure of personal information file This security vulnerability corresponds to the exposure of important information among OWAP security vulnerability items and the file download vulnerability among the security vulnerability checking items of the National Intelligence Service. Copyright 2015 SERSC 11

4 B. SQL Injection Vulnerability This is a vulnerability item that enables attackers to insert SQL sentences into the input form and URL input section in web applications interlocked with databases to read and manipulate information in the database. To find administrator pages in order to inject SQLs, administrator pages were searched in Google using the keyword inurl:admin site:ac.kr. Through the searches, quite a few of approximately 26,900 websites exposed administrator log-in screens as they were. Fig. 2. Google search results and administrator mode C. Directory listing vulnerability Since there was vulnerability that all directories or directories that contain important information are listed outside due to the failure of setting index security in public servers, Googling with intitle:index.of inurl:ac.kr produced approximately 1,610,000 search results and quite a few of them listed directories as they were. Fig. 3. Google search results and directory listings D. Error messages vulnerability 12 Copyright 2015 SERSC

5 Since AP installation information, ID/PW information, and SQL injection attack information are provided when error messages are searched at Google, detailed information on server invasion pathways is provided. This is the result of a search at Google using the keyword, ORA-00921:unexpected end of SQL command inurl:ac.kr. Fig. 4. Google search results and the error message exposure 5 Conclusion In the present study, security vulnerability of the home pages of universities in South Korea was diagnosed using very simple Google search words. According to the diagnosis, quite some part with security vulnerability existed. Nevertheless, concrete guidelines for methods for preventing or checking security incidents by Google hacking are still insufficient. To prevent Google hacking, vulnerability scanning of web servers should be conducted using Google hacking vulnerability scanners and if any vulnerable points are found, the cause should be grasped and necessary actions should be taken. Hereafter, the security vulnerability of home pages of universities in South Korea will be analyzed using Google hacking vulnerability scanners and methods for solving the vulnerability will be presented based on the results of the analysis. References 1. Symantec: Internet Security Threat Report, 2013 Trends, Volume 19, (2014) 2. Ministry of Public Administration and Security, Software Development Security Guide, Kim Namil,"Revealed personal information during 5 years is 200 millions, the penalty is million won for 14 cases", Hankyeorae, (2014) 5. Ministry of Security and Public Administration: Secure Coding Inspection Guide for e-gow SW,(2014) 6. Greg Conti: Google knows you, Bpanbooks, (2009) Copyright 2015 SERSC 13