Earlier this week, the US blamed Iranian hackers for a series of attacks in 2012 and 2013 on several targets, including a New York City dam.
The attack on the dam gave the hacker info about water levels and the dam’s sluice gate, which could have allowed the attacker to open the gate and flood part of the city, the US Department of Justice said.
But the hacker was foiled because the sluice gate happened to be offline for maintenance during the hack.
How did the accused person get access to this dam? He Googled it, according to the Wall Street Journal.
It’s a technique called “Google Dorking” which involves using Google’s advanced search techniques to dig up information on the internet that doesn’t easily pop up during a normal search.
In 2014, the Feds even issued a warning to U.S. businesses to be on the lookout for Google Dorking activity as a sign of hackers.
Despite the funny name, “Google Dorking” isn’t an April’s Fool joke. It’s a real thing.
For instance, Google offers a feature called “site,” that lets you search a single website for a keyword or photos. (Here’s a tutorial on how to use that.) Google also has special search commands called “filetype” and “datarange.”
The kind of Google Dorking the feds are worried about, and that hackers use in their attacks, goes further. It’s when malicious hackers use these advanced techniques looking for stuff that companies didn’t mean to put online.
In the case of the New York dam, the hacker used Google from the other side of the world to find US infrastructure sites that had vulnerable hardware systems attached to the internet, reports the Wall Street Journal.
Of course, Google Dorking is just as often used for good as for evil. Good guy hackers, called “white hats,” use these same advanced techniques to test security systems and see if and how they can be breached by the bad guys.
The Infosec Institute, an organisation that trains people to be computer security pros, shows how using Google can easily turn up things like username and passwords, sensitive documents, even bank account details.
There are entire projects dedicated to that effort, too, like The Diggity Project and the Google Hacking Database. These projects keep lists of pre-made dorking queries that companies can run on their own websites to see what turns up.