Dubai: It takes nothing more than a simple Google search and the use of an appropriate keyword string to get access to the web servers of some of the largest companies in the Middle East, a recent trial by German web hacking experts has shown.

They said they were able to access web servers of the world's largest oil exploration company, Saudi Aramco, of the Pearl Qatar development and several other regional company networks.

According to a member of the German hacker community, who informed Gulf News but understandably does not want to have his name published, Aramco's "poorly secured" web server is "like an open book" for those who conduct a specially crafted search query to reach file directories. The web specialists were able to access and download confidential documents such as technical drawings, detailed information on oil rigs and even blueprints of the infrastructure, fire protection system and communication network of the world's largest oil field, Al Ghawar. Some of the downloaded documents can be viewed on the hackers' website.

'Not even hacking'

"Technically, this is not even hacking. Everybody can gain access to these documents via Google, with intent or by accident," the web expert said. The hacker who found his way into the web servers had no criminal intention, he added. He even approached Saudi Aramco by phone and email afterwards and tried to describe the security problem they are facing, but hasn't received an answer yet. "Possibly they didn't take him seriously. This is quite careless for such a big company."

But Aramco is not the only company with open gaps in its corporate network. Using the same procedure, the hacker got access to the web server of the Al Seal Residential Tower, part of the West Bay-Pearl Qatar development in Doha, where he was able to access numerous PDF (portable document format) documents of the fire protection system and the entire security system.

A search on the web server of the Hleytan Tower in Doha's Old Salata district revealed technical details of the electrical system, the fire alarm centre, the water supply and sewer layout as well as the elevator control and air conditioning system. The web server of the Retaj Hotel in Doha exposed detailed floor plans and the entire communication network layout. On the web server of one of Dubai's City Centre malls, an overview of the CCTV surveillance structure was available, among other confidential files.

"These are not loopholes in the system which only can be opened and accessed with sophisticated hacking tools, this is mere negligence of the IT personnel at the companies," the web expert said.

Inquiries by Gulf News to Saudi Aramco on how they rate their network security remained unanswered at the time of going to press. Hala R. Nasreddine, spokesperson of United Development Company, developer of Pearl Qatar, said the company has not heard of such an incident and will investigate.

On Friday, an Aramco spokesperson reacted to our inquiries and sent the following statement:

"Saudi Aramco confirms that no such access to sensitive Company data has occurred, and stresses that there is no factual basis for what was reported. The Company gives the highest priority to information security and employs state-of-the-art systems to safeguard its data and information from intrusion, and any other unlawful Internet activity. Furthermore, the Company remains ready to pursue legal action against unlawful intrusions into its web servers from any location in the world."