Cult of the Dead Cow releases ‘Goolag’ beta

Hacktivists Cult of the Dead Cow (cDc) have released a Windows-only beta of Goolag, a rich client for the Google Hacking techniques pioneered by hacker J0hnny I Hack Stuff.

Basically, Goolag makes it easy to use Google to search out security vulnerabilities related to your web site — or, presumably, others. From cDc’s blog:

SECURITY ADVISORY: The following program may screw a large Internet search engine and make the Web a safer place.

LUBBOCK, TX, February 20th — Today CULT OF THE DEAD COW (cDc), the world’s most attractive hacker group, announced the release of Goolag Scanner, a web auditing tool…

“It’s no big secret that the Web is the platform,” said cDc spokesmodel Oxblood Ruffin. “And this platform pretty much sucks from a security perspective…. If I were a government, a large corporation, or anyone with a large web site, I’d be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious.”

Google Hacking’s a great example of leveraging the wisdom of the crowds: Google essentially gives you access to everything, useful or otherwise, that people have posted about vulnerabilities of particular sites and versions of software. Of course, as with so much crowdly wisdom, there’s a lot of chaff in with the wheat, so good user interaction can help make it easier for people who aren’t security experts to deploy the technique.

Matthew Broersma’s InfoWorld article has more:

The tool is a stand-alone Windows .Net application, licensed under the open source GNU General Public License, that provides about 1,500 customized searches under categories such as “vulnerable servers,” “sensitive online shopping information,” and “files containing juicy information.”

The results are displayed as a list of links that can be opened directly in a browser. Example results include tell-tale error messages and Java applets for the remote control of surveillance cameras, according to CDC.


Of course, as well as being a valuable tool for those who want to secure their web sites, it’s also something that can be used by criminals or other malicious hackers to find vulnerabilities to exploit. Information is power …