“Goolag” search-scan tool unlikely to spawn major attacks

A new scanning tool that uses the Google search engine to scan websites for vulnerabilities – released last week by the flamboyant Texas-based hacking consortium known as Cult of the Dead Cow (cDc), which is offering free downloads – is not likely to enable a wave of new attacks mounted by hackers making use of the tool, according to security experts.

When the new tool, dubbed Goolag, was unveiled with great fanfare by cDc spokesman Oxblood Ruffin, he said the hacking group's release of the search engine scanner was designed to “make the web a safer place” by “enabling everyone to audit his or her own website via Google.”

This positive spin was immediately overshadowed by concern that making such a tool readily available might enable novice hackers to automate their activities and spawn a new wave of attacks.

However, security experts noted that the expertise now in play in most hacking operations is much more sophisticated than the capability offered by Goolag, which allows a user to rapidly scan Google's index for files on websites that might reveal vulnerabilities.

“Some amateurs may make use of it, but the real hackers out there are far more sophisticated and don't need it,” Roger Thornton, founder and CTO of applications security software vendor Fortify, told on Monday.

In a statement posted on the Goolag website – which is adorned with red stars and a hammer and sickle evoking the similar sounding “gulag,” the infamous Soviet prison camp system – cDc said its new scanner, which it called a “web auditing tool,” was based on “Google hacking,” a form of vulnerability research it said had been developed by a hacker calling himself “Johnny I Hack Stuff.”

The Lubbock, Texas-based hacking group said it had conducted random tests using the Goolag scanner and discovered significant security holes in a variety of sites, including some sensitive U.S. government sites that Ruffin declined to identify. 

“We've seen some pretty scary holes through random tests with the scanner in North America, Europe and the Middle East,” Ruffin said in the statement posted on the group's website. “If I were a government, a large corporation or anyone with a large website, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious.”

According to the cDc statement, Goolag scanner – currently existing exclusively as a standalone Windows GUI-based application, using one XML-based configuration file for its settings – soon will be released in an open-source configuration under the GNU Affero General Public License. Free downloads of the Windows application are offered on the Goolag site.

Ruffin also announced that Goolag is dedicated to the memory of Wau Holland, founder of the Chaos Computer Club, whom he called “a true champion of privacy rights.”


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.