The new desktop tools expand on the Google Diggity and Bing Diggity Web tools that they released in 2010. Additionally, Stach and Liu are expanding their search hacking tools to Chinese search engine Baidu.
“Baidu is the largest search engine used by people in China and it’s the best indexer of Chinese websites,” Brown said. “So if you’re a U.S. government employee that is inclined to find vulnerabilities in China, this should be your tool.”
Brown noted that in a sample scan he found thousands of MySQL error messages in Chinese government websites. Those MySQL errors could potentially be indicative of SQL Injection vulnerabilities that might be exploitable.
“So we can hack China back,” Brown said.
Looking beyond Web search results, Stach and Liu are now also searching Google Code results. The addition of Google Code enables code bases to be scanned in an automated way.
Brown noted that using search engines to find vulnerabilities is likely a key attack vector that the Lulzsec hacking group might have used to exploit dozens of sites so far in 2011.
“Lulzsec are basically Google hackers, finding vulnerabilities that are interesting and then exploiting them,” Brown said. “With all the headlines that Lulzsec has grabbed over the last six or seven months, it’s a good possibility that Google hacking was the primary mode they used to identify people to go after.”
While Stach and Liu’s goal in releasing their new tools for identifying security risk is to help companies protect themselves, the tools could potentially also be used by attackers.
“Could they use our tools in attacks today? It’s possible,” Brown said.
In addition to searching for potential vulnerabilities, Stach and Liu are now releasing a new tool to help identify sensitive documents that might be on the Web. The DiggityDLP (digital loss prevention) tool searches for and downloads documents, PDFs and spreadsheets from a target domain. The tool then goes through the content looking for credit card numbers, Social Security numbers and other private information that shouldn’t be public.
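To illustrate the kind of content check a DLP scan performs on a document it has pulled from a company's own public server, here is an added example (not Stach and Liu's code): a small Python scanner that flags Luhn-valid card numbers and SSN-shaped strings. The document text is constructed for the example, and the regular expressions are assumptions about how such patterns are typically matched, not the DiggityDLP rules.

```python
import re

# Constructed sample "document" text, standing in for a PDF or spreadsheet
# found on an organisation's own public web server during a DLP review.
SAMPLE_DOC = """
Reunion RSVP list (internal - do not publish)
Jane Roe, SSN 219-09-9999, card 4111 1111 1111 1111
John Doe, SSN 078-05-1120, card 4111-1111-1111-1112
Order #1234567890123 shipped 2011-06-15
"""

# Loose pattern for 13-19 digit card numbers with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Conventional SSN shape; area 000/666/9xx and all-zero groups are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return Luhn-valid card numbers and SSN-shaped strings found in text.

    Digit runs that merely look like card numbers (order ids, dates) are
    dropped by the Luhn check, which keeps the false-positive rate down.
    """
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and digits not in cards:
            cards.append(digits)
    return {"cards": cards, "ssns": SSN_RE.findall(text)}
```

On the constructed document, only the first card survives the Luhn check; the second (last digit altered) and the order number are rejected, while both SSN-shaped values are reported for review.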
When it comes to what Stach and Liu have found when they scan websites for clients, there is a long list of different vulnerabilities and risks. In one case, Brown noted that a GoogleDiggity scan found that a client company was hosting a high-school reunion site on a corporate server. That reunion site had vulnerabilities in it that could have potentially put the whole enterprise at risk.
“In general, we roll the dice and find a random issue that could have some kind of sensitive data or security risk,” Brown said.
Brown noted that all the Diggity tools, including the Google, Bing and DLP versions, are freely available. The code itself, however, is not open source.
“We’re a pure play service company and all these tools are released for free as a function of marketing for our consulting services,” Brown said.