"Goolag" search-scan tool unlikely to spawn major attacks


A new scanning tool that uses the Google search engine to scan websites for vulnerabilities – released last week by the flamboyant Texas-based hacking consortium known as Cult of the Dead Cow (cDc), which is offering free downloads – is not likely to enable a wave of new attacks mounted by hackers making use of the tool, according to security experts.

When the new tool, dubbed Goolag, was unveiled with great fanfare by cDc spokesman Oxblood Ruffin, he said the hacking group's release of the search engine scanner was designed to “make the web a safer place” by “enabling everyone to audit his or her own website via Google.”

This positive spin was immediately overshadowed by concern that making such a tool readily available might enable novice hackers to automate their activities and spawn a new wave of attacks.

However, security experts noted that the expertise now in play in most hacking operations is much more sophisticated than the capability offered by Goolag, which allows a user to rapidly scan Google's index for files on websites that might reveal vulnerabilities.

“Some amateurs may make use of it, but the real hackers out there are far more sophisticated and don't need it,” Roger Thornton, founder and CTO of application security software vendor Fortify, told SCMagazineUS.com on Monday.

In a statement posted on the Goolag website – which is adorned with red stars and a hammer and sickle evoking the similar-sounding “gulag,” the infamous Soviet prison camp system – cDc said its new scanner, which it called a “web auditing tool,” was based on “Google hacking,” a form of vulnerability research it said had been developed by a hacker calling himself “Johnny I Hack Stuff.”

The Lubbock, Texas-based hacking group said it had conducted random tests using the Goolag scanner and discovered significant security holes in a variety of sites, including some sensitive U.S. government sites that Ruffin declined to identify. 

“We've seen some pretty scary holes through random tests with the scanner in North America, Europe and the Middle East,” Ruffin said in the statement posted on the group's website. “If I were a government, a large corporation or anyone with a large website, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious.”

According to the cDc statement, the Goolag scanner currently exists only as a standalone Windows GUI application that reads its settings from a single XML-based configuration file; it will soon be released as open source under the GNU Affero General Public License. Free downloads of the Windows application are offered on the Goolag site.

Ruffin also announced that Goolag is dedicated to the memory of Wau Holland, founder of the Chaos Computer Club, whom he called “a true champion of privacy rights.”
