Canadian security experts evaluate Google holes
- — 21 December, 2007 08:08
Canadian analysts said the two Google-related hacks which surfaced recently should cause IT managers to look at employee Web surfing as a security hazard rather than a time waster.
Earlier this week, independent vulnerability researcher Aviv Raff posted a scenario on his personal blog outlining how a hacker could install malicious software on a system using Google Toolbar. The toolbar's security hole stems from the mechanism the application uses to add new buttons to its user's browser. Raff wrote that ambitious hackers could spoof the origin of their harmful toolbar buttons and launch a phishing attack against their victims. Google spokespeople later confirmed it was working to fix the problem.
Also this week, another Google-focused vulnerability occurred on the California-based search giant's Orkut site. The social networking service was hit with a worm that added hundreds of thousands of users to an Orkut group, called "Infected by the Orkut virus," simply by viewing a malicious Orkut user's profile. The description of the group indicated that the worm was only designed to demonstrate the dangers Orkut posed to users, even without them clicking or accepting a malicious file. The bug did not steal any personal information from the infected users.
And while no damage was done in either of these incidents, some analysts believe it can serve as a warning on the increasingly vulnerability of Web-based applications and social networking sites.
"Now, I don't believe that these stories will usher in a sea change in what PCs in Canadian firms are used for, but they do add to the overall awareness of Web-related vulnerabilities and lead us in the direction of less personal activity occurring on business machines," David Senf, director of security and software research at Toronto-based IDC Canada, said.
James Quin, senior research analyst with Ontario-based Info-Tech Research Group, said that the average user certainly wouldn't be tricked by many of the phishing techniques currently on the Internet. In the case of the Google Toolbar attack, a user would first have to be conned into clicking a Web pop up asking them if they want to install the custom button. After that the user would then have to click the button and agree to run an executable file. And although most experts agree that only the least Web savvy users would be fooled by something like that, the case highlights the broadening scale of attacks on today's Internet.
"For most enterprises, the Google Toolbar thing wouldn't be a problem, because they are going to have content, spam and phishing filters that will block these downloads," Quin said. "But while the Google Toolbar issue, for instance, is not something that is going to be a problem for enterprises in its current incarnation, what it demonstrates is the potential that threats can be leveraged by something seemingly innocuous like a toolbar."
For Quin, the key to the security of any enterprise is its ability to maintain control. And with the proliferation of Web 2.0 applications and Web sites, IT managers need to take the necessary precautions. In the toolbar case, Quin pointed to the newest incarnation of Microsoft Internet Explorer, which has search functionality built right into its toolbar, minimizing the value of Google's tool. He said IT managers need to keep abreast of the latest Web applications in order to inform users of this information.
"Web 2.0 functionalities have been pulled along very quickly," Quin said. "It's slashy, hip and cool, but at the end of the day, I don't think a lot of the potential security issues have been addressed. And a lot of data breaches that occur are not malicious, but rather inadvertent and accidental."
The need to maintain control was also echoed by Senf. He said if there is a business legitimate reason to have certain Web applications running, IT managers will have no choice and will need to adapt to deal with the risks. But, he said, more and more firms will need to take an active role in limiting what potentially unnecessary applications and sites such as the Google Toolbar, Facebook or Microsoft Instant Messenger.
"In doing so, the attack surface is reduced and the potential for something bad happening has likewise been reduced," Senf said. "This may sound draconian -- and may give the appearance that the employee like they're not trusted, but that's not the case. The point is to keep the bad guys out, while running a business."
And while neither analyst advised IT managers to start banning applications like the Google Toolbar anytime soon, both warned that enterprises need to become as aware of potential security risks as they do in concerning themselves with employee productivity drain.