Charles Arthur On Technology

Google-eyed monsters
Click to follow
The Independent Online

I can't recall where or how I first heard the title of John Brunner's book, The Shockwave Rider, but know that the conjunction of those words intrigued me long before I got the chance to read it. What would a "shockwave rider" do? What would they look like?

I can't recall where or how I first heard the title of John Brunner's book, The Shockwave Rider, but know that the conjunction of those words intrigued me long before I got the chance to read it. What would a "shockwave rider" do? What would they look like?

On finding the book, some time in the 1980s, I discovered that Brunner had imagined a future world of computers linked with each other, forming a giant network retaining huge amounts of information. The central theme was of the hero's struggle to expose the forces trying to keep information secret; the shock wave he unleashes on the world is a program called a "worm" that passes from computer to computer and gets each one to declassify its secrets, making all knowledge available to everyone.

Oh, how clichéd, you say. Except that Brunner wrote it in the early 1970s, long before the internet, and not long after the concept of computer viruses had been developed. His book described an internet society rather well, given that Brunner had to imagine how it would work from first principles. As he later observed, his insight was simply to assume that human nature would continue as normal, and that the technology would be warped to fit our needs, for good or bad. Most of all, he noticed that people tend to take the path of least resistance in trying to solve a problem, which can leave all sorts of loopholes that can be exploited by those who understand the underlying system. Fast forward 30 years from Brunner's work, and we have the internet, and we have search engines which can act rather like his imagined worm, logging every last detail of what's out there.

Let's start with a gentle example. Type the phrase "Welcome to Adobe GoLive 5" into Google, and you'll get 459,000 results. From the top result (a page on Def Jam records for Ashanti) through to the last, they've all got that text somewhere on the page. Where? Well, right at the top of the window - it's the default title of a page written using Adobe's web design tool, and if a designer doesn't get rid of it at the draft stage, the mistake will remain for all to see. Step up a gear. What if you wrote a piece of software which will insert an invisible bit of text on a webpage which has been produced with a copy that hasn't been properly registered? The text could be part of a HTML tag, perhaps a comment or footer, which wouldn't stand out to the inexperienced user as meaningful. But when you, running the software company, did a search engine sweep for that particular tag, you could instantly pick up those copies which were unpaid for.

The all-seeing eyes of the search engines cut both ways. Webmasters are torn between the conflicting desire to let search engines' "spiders" into their site to index what's there (so people looking for relevant things will come there) and the wish to constrain where those spiders go amidst the documents. It might sound simple, but on a sprawling site that pulls in pages from many directories, it isn't. And that is how Google has begun to be used as a resource by hackers looking to find ways into sites, seeking out valid credit card numbers and holes in the system - along the lines of "Welcome to Adobe GoLive 5", but more sophisticated - that they can exploit. Some even go as far as to change the way their browser presents itself to sites, so they appear to be the "Googlebot". And most sites will let that one in, even to view paid-for content, in the hope people will be directed towards those pages via the search engine index.

But that also means that all sorts of content that used to require a lot of physical effort to find - a trip to the courts or local council - can now be done online. And sensitive information can be left for all to see. "If you don't want the world to see it, keep it off the web," Johnny Long, a computer researcher and author of Google Hacking for Penetration Testers told the ExtraMSN news site recently. He has his own site, at http://johnny.ihackstuff.com, with many examples of "malicious" Google searches. "The spread of web-based applications, such as message boards and remote administrative tools, has resulted in an increase in the number of misconfigured and vulnerable web applications on the net," he says. Pair that with something as powerful as Google's index, and "you have a convenient attack vector for malicious users".

But it's not just administrators of bulletin boards who need to worry. In the US, the explosion of public documentson the web has led to many security holes: confidential files from the US Department of Homeland Security have been indexed, and people can even access electrical control systems. "One Google query, a couple of buttons and you can turn off power to someone's house," Mr Long says.

But there are some key differences between the US and UK. First, the UK government has been slow to move online, so less data is available. Secondly, the UK and Europe has rigorous data protection laws covering personal information, and companies are reluctant to make documents available that contain data which can identify someone directly. Even so, make sure that there's nothing to worry about. One way to start, if you value your privacy and bank balance, is to try a search for your phone number (if you're ex-directory, as an increasing number of people are) and for your credit card number, with and without spaces. Don't do the latter search in a public area, such as a wireless hot-spot or internet café; you'll be sending the number over an unencrypted link, which isn't wise.

If you find your phone number coming up when you don't want it to, and much more important your credit card number, then get in touch with the respective sites. In the case of the credit card, cancel it right away, and check your balance; if you could find the number you can be sure that somewhere out there is a hacker who has set a program running to churn through the potential valid numbers for a credit card against Google, and to follow any links to websites. Google does remove pages like this from its index, but only when told. Meanwhile, hackers will have grabbed them if they can.

"A malicious community of Google hackers has formed and a response has become necessary," Mr Long writes on his webpage.

If Brunner was alive, no doubt he'd be nodding his head in amused recognition. Here comes the shock wave. Now, try to ride it.

www.charlesarthur.com/blog

Comments