everwas

SiteDigger 2.0

Foundstone, a subsidiary of McAffe publishes software called SiteDigger. The publishers describes it’s purpose:

SiteDigger 2.0 searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.

The package is free for the download and all you need is a Google API key to run it. Obviously, if you’re responsible for any web site, the first thing you’re going to do is download this thing and run it against your site. The first thing you’re going to do if you’re trying to break into a site is download this tool and run it against a site you want to hit. I’m not sure which side the makers of this software fall, especially after seeing that they describe exploits as "nuggets," a word usually associated with gold and something traded in by prospectors for currency.

The release and publicity of such a tool brings up an interesting ethical conundrum. If the software gets into the wrong hands, it could actually assist someone in breaking into a site. If it’s used by those responsible for security, it could help secure a site by pointing out holes that may have been overlooked.

Either way, it’s a nice way to drum up some consulting business.

Posted

in

by

Ian Kennedy

Tags:

Comments

One response to “SiteDigger 2.0”

  1. JW Avatar
    JW

    You pose an interesting question for authors of security tools about the tools in the wrong hands. In this case I think we may assume they already have the tools.

    I believe word “nuggets” may come from Googleturds as explained in the Google Hackers Guide by Johnny Long. That document is subtitled “Understanding and Defending Against the Google Hacker.” Like the “Know your Enemy” Series by Lance Spitzner, these types of articles and tools seek to provide systems administrators with intelligence about how the enemy operates so that we may better fight them.

    On other thing to put your mind at rest in this issue, the Google API key identifies the user to Google. And the API key is restricted to 1000 queries per day which seems hardley engough for a hacker who wishes to scan much larger portions of the network.

    Reply

Leave a comment