May 9, 2013
There’s a reason they call it cyberspace: Like space, the Internet has grown so expansive that we’ll likely never know all its secrets. Indeed, cyberspace is so deep and complex that even the National Security Agency’s top cyberspies are struggling to comprehend it. But that hasn’t stopped them from trying.
Thanks to a FOIA request filed in April by MuckRock, a service that files FOIA requests on behalf of journalists and others, you can learn to surf the web like one of the NSA’s top cyber sleuths. The agency recently released a 643-page book, called “Untangling the Web: A Guide to Internet Research,” that is full of tips on doing web research -- including an entire section dedicated to “Google Hacking.”
What is Google hacking? The author of NSA’s book is quick to note that there is nothing unknown or illegal about the practice -- noting that much of it was first revealed in Johnny Long’s 2004 book “Google Hacking for Penetration Testers” -- but that it will help you “access publicly available information that almost certainly was not intended for public distribution” (cybersecurity professionals, take note).
Five of the hacking tips the author recommends include:
1. Limit search by site:
“This can be as broad as a country [site:fr] or as specific as an individual server on a company website [site:office.microsoft.com].”
2. Be as specific as possible:
“You will have a lot more success searching for information within the Chinese Ministry of Foreign Affairs [site:fmprce.cn.gov] than looking at all the sites indexed for China [site:cn] or even for the government of China [site:gov.cn].”
3. Add keywords
“Here’s where your subject matter knowledge and creativity really help. You are the best source of information about what words are most likely to yield the best quality and quantity of useful information. As a general rule, more uncommon words work best (consider using unusual proper names).”
4. Limit search by file type
“Most of the best information found by Google hackers is not on webpages (HTML) but in other types of files. Try all or most of the file types one at a time (these are not the only searchable types; check the particular search engine’s documentation . . . for others.”
5. Use Google hacking techniques to search inside websites requiring registration
“You will frequently encounter a website, perhaps a database, that requires registration to view its contents. On occasion you can use Google to get at that data without registering.”
The author of the document is quick to note that nobody should use these techniques for cracking -- i.e. breaking into websites and servers -- but rather, the author encourages readers to “hack” their own websites “to see what kinds of information is being revealed inadvertently via Google and other search engines.”
So, perhaps, it’s best to view it as a cyber defense manual . . . unless, of course, that’s not how you intend to use it.
Read more about the NSA’s web research book at Wired’s Threat Level blog.
May 9, 2013