Cybersecurity: Importance of Google dorking

By Connie L. Braun

Law360 Canada (August 3, 2023, 9:47 AM EDT) --
Several years ago, I was asked to prepare and deliver a short presentation on Google dorking, a topic about which I knew nothing at all. The librarian in me went into high gear starting the research, learning everything I could, talking with friends and acquaintances in IT. Given the growing importance of cybersecurity and its relationship with information governance, I thought to share what I have learned with you.

Consider all of the information about you out there in the ether and whether or not it is held safely and confidentially. There is a lot of information about which you will be aware and a lot you will not. This leads to the question of how the information was acquired and if it was obtained fairly. What if information about you is inaccurate, unreliable, or out of date? This is one area where it seems that lack of access to justice can thrive.

Most of the time, we trust that the information will be used ethically. Sadly, as some people and companies have learned, there are many opportunities where individuals take advantage and use information unethically. How can you discover what kind of information is out there?

Google dorking is a searching technique used by those who are security conscious, hackers and others, like you, to locate information exposed to the Internet, inadvertently or by chance. This searching technique helps seekers to identify weaknesses and vulnerabilities that could then be used by bad actors.

By itself, this type of searching does not allow an individual to hack websites. What may be found, though, are helpful details that enable a website owner to prevent breaches or provide enough information for an individual to try to correct inaccurate information. For the individual pursuing information unethically, the information discovered could be used to successfully hack a website using other tools. See more about the development of Google dorking via this Wikipedia article.

Google dorking involves submitting custom queries, using a specific syntax intended to locate certain elements in websites. By combining technical and semantic elements, it is possible to take full advantage of the fact that web content is constantly scanned and indexed by machines. The main goal is to uncover sensitive information that usually is locked behind firewalls and security systems by using these custom queries.

Google dorking elements can be used to uncover:

  • Log files that contain usernames and passwords
  • Financial information such as bank account or credit card details
  • Other personal information
  • Much more …

The format of a Google dorking element is: operator:search_term (no spaces between the operator, the colon and the search term). Use of Google dorking operators is remarkably simple as long as you pay close attention to the syntax. To view a list of available elements, go to https://www.exploit-db.com/google-hacking-database/ (there are thousands).

Give it a try by opening an Internet browser and navigating to Google to find out about yourself on the Internet. To search for webpages where all given terms are matched within the entire text (add quotes for precision), in the search box, enter: allintext: “firstname lastname”.

Note that while trying to search like this, Google may challenge you to prove that you are not a robot performing these searches; this is normal and expected.
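
For readers who keep their self-check queries in a script, the following added example (not part of the original article) tidies a typed or pasted query into the operator:search_term format described above and builds the allintext query for a name. The function names and the sample name "Jane Doe" are made up for illustration.

```python
import re
from urllib.parse import quote_plus

# Typographic quotes that word processors and web pages substitute for ASCII ones.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})

# Either a quoted phrase (left untouched) or one element: operator, colon and a
# quoted phrase or single word, tolerating spaces the format does not allow.
ELEMENT = re.compile(r'("[^"]*")|\b([A-Za-z]+)\s*:\s*("[^"]*"|\S+)')


def normalize_query(raw):
    """Return (query in operator:search_term form, list of fixes applied)."""
    fixes = []
    text = raw.translate(SMART_QUOTES).strip()
    if text != raw.strip():
        fixes.append("replaced typographic quotes")

    def tighten(match):
        if match.group(1):  # a free-standing quoted phrase, not an element
            return match.group(1)
        operator, term = match.group(2), match.group(3)
        if match.group(0) != f"{operator}:{term}":
            fixes.append(f"removed spaces in {operator} element")
        return f"{operator}:{term}"

    return ELEMENT.sub(tighten, text), fixes


def self_check_query(first, last):
    """Build the allintext self-check for one person's name."""
    name = " ".join(f"{first} {last}".split())
    if not name or '"' in name:
        raise ValueError("name must be non-empty and contain no double quotes")
    return f'allintext:"{name}"'


def search_url(query):
    """URL-encode a query so it can be opened directly in a browser."""
    return "https://www.google.com/search?q=" + quote_plus(query)


if __name__ == "__main__":
    # Constructed sample: a query pasted with smart quotes and a space after the colon.
    query, fixes = normalize_query("allintext: \u201cJane Doe\u201d")
    print(query, fixes)
    print(search_url(self_check_query("Jane", "Doe")))
```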

There are ways to protect against Google dorking. For individuals, perform Google dorking searches on your own name from time to time. Should you discover that sensitive information is available, try to do something about it. You may be able to help in preventing fraud against yourself. For companies, running queries regularly may do a lot to protect against breaches.

To succeed at improving one’s own cybersecurity, information governance has a significant role to play. For many years, technology has been changing how much information is collected about us. Spurred on by the pandemic, a lot of these changes occurred at a much faster pace than anyone might have expected. Think of the virtual legal proceedings, meetings, church and concerts; online schooling; shopping for everything online.

Usually, we have more time to learn about and adjust to technological developments and advancements. That does not seem to be the case any longer. With the pace at which new and different things are arriving, how do we best protect ourselves and each other against the myriad of challenges that we face? We need to see massive and public efforts made by governments, legal systems, technology developers, big and small business, education at all levels, that will allow us to express confidence in helping us to protect ourselves.

As we wait for enhanced legislation and information governance, improvements to security and testing, robust reporting mechanisms for breaches and limitations, continuing research on societal risks and more, we all have a responsibility for helping to look out for our own cybersecurity. Do what you can!
 
Connie L. Braun is a product adoption and learning consultant with LexisNexis Canada.
 
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the author’s firm, its clients, Law360 Canada, LexisNexis Canada, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.  
