Researchers use search engines to beef up data security in the cloud

31 juillet 2012

It appears that cloud computing is the latest technology soundbite and new software designed to find vulnerabilities before criminals do is the latest weapon in the war against cybercrime.

According to Dark Reading, researchers will be making available cloud data security software that uses search engines to identify potential threats to enterprises that rely on the cloud for data storage and file transfer. Developed over a period of two years, "Search Diggity" has been developed to prevent what is known as Google Hacking, a technique that uses the search engine to find holes in the computer code or, in some cases, the specific text of an instruction.

Francis Brown and Robert Ragan unveiled their software at the recent Def Con conference in Las Vegas, with the researchers confident that these tools will allow enterprises to find gaps in their cloud computing data security before nefarious others do. The pair believe that over the past two years they have collected a large database of "search engine-exposed vulnerabilities," and this will be made available for free to security professionals and other researchers.

Diggity tools will use search engines
One of the tools is called 'NotInMyBackYardDiggity,' and it allows businesses to search every site that may have information about what they do and who they do business with. Companies can scan popular shared cloud services such as Dropbox and Google Docs for data pertinent to their enterprises while another tool, CloudDiggity, is aimed at security professionals who mine sites for more sensitive personal information that could be used to perpetrate identity theft or financial loss.

A third Diggity tool concentrates on open source software code, popular among developers of apps and other social media tools, while PortScanDiggity has been developed to search domain names and IP addresses that could be open to attack.

"With these tools, we’re giving security professionals an opportunity to identify and remediate security vulnerabilities and exposed data before an attacker can find and exploit them," said Ragan, a senior security associate at Stach & Liu. "These tools will help organizations stay one step ahead."

The full scope of the information that Brown and Ragan have been gathering comes with AlertDiggityDB, a database that has the details of "vulnerabilities indexed by Google, Bing and other research engines" since April 2010. The researchers claim that it is the "largest repository ever compiled," and forms the final piece of the Diggity puzzle.
"The cloud search capabilities are the most important part of what we're releasing at Def Con," said Brown, also a managing partner at Stach & Liu.

Twenty years of Def Con
Def Con is one of the largest hacker conventions in the world, and has been running successfully for 20 years with 12,000 individuals attending the event in 2011. It draws a mixed crowd of attendees with many cybersecurity firms using it as an expo for their latest products. The majority of those who go to the convention are interested in hacking with lawyers, law enforcement agents and cryptographers all making the most of the opportunity to socialize.

There have been concerns that the convention has been used by some as a chance to promote malware, but the organizers have denied that this is the case. The convention is popular with hackers from all areas of the software and technology industry and this year the organisers were able to persuade General Keith B Alexander, Director of the National Security Agency to deliver a keynote entitled 'Shared Values, Shared Responsibility.'

-McAfee Cloud Security