Lord of the Bing: Taking Back Search Engine Hacking from Google and Bing

Presented at DEF CON 18 (2010), July 30, 2010, 2 p.m. (50 minutes)

During World War II the CIA created a special information intelligence unit to exploit information gathered from openly available sources. One classic example of the teamís resourcefulness was the ability to determine whether Allied forces had successfully bombed bridges leading into Paris based on increasing orange prices. Since then OSINT sources have surged in number and diversity, but none can compare to the wealth of information provided by the internet. Attackers have been clever enough in the past to take advantage of search engines to filter this information to identify vulnerabilities. However, current search hacking techniques have been stymied by search provider efforts to curb this type of behavior. Not anymore. Our demonstration-heavy presentation picks up the subtle art of search engine hacking at the current state and discusses why these techniques fail. We will then reveal several new search engine hacking techniques that have resulted in remarkable breakthroughs against both Google and Bing. Come ready to engage with us as we release two new tools, GoogleDiggity and BingDiggity, which take full advantage of the new hacking techniques. Weíll also be releasing the first ever 'live vulnerability feed', which will quickly become the new standard on how to detect and protect yourself against these types of attacks. This presentation will change the way you've previously thought about search engine hacking, so put on your helmets. We don't want a mess when we blow your minds.

Presenters:

• Francis Brown - Managing Partner at Stach & Liu
  Francis Brown, CISA, CISSP, MCSE, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients. Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology.
• Rob Ragan - Security Associate at Stach & Liu
  Rob Ragan is a Security Associate at Stach & Liu, a security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Rob served as Software Engineer with the Application Security Center team of Hewlett-Packard (formerly SPI Dynamics) where he developed automated web application security testing tools, performed penetration tests, and researched vulnerability assessment and identification techniques. Rob has presented his research at leading conferences such as InfoSec World and is a contributing author to the upcoming Hacking Exposed: Web Applications 3rd edition.

Links:

• https://defcon.org/html/defcon-18/dc-18-speakers.html#Ragan
• https://infocon.org/cons/DEF CON/DEF CON 18/DEF CON 18 video and slides/DEF CON 18 - Rob Ragan and Francis Brown - Lord of the Bing - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=36oMqam-bMc

Similar Presentations:

• Black Hat USA 2010 / Lord of the Bing: Taking back search engine hacking from Google and Bing
• ToorCon San Diego 12 (2010) / Lord of the Bing: Taking back search engine hacking from Google and Bing
• DEF CON 20 (2012) / Tenacious Diggity: Skinny Dippin' in a Sea of Bing