Canadian security experts evaluate Google holes

IT managers should look at employee Web surfing as a security hazard rather than a time waster, analysts say.

Canadian analysts said the two Google-related hacks which surfaced recently should cause IT managers to look at employee Web surfing as a security hazard rather than a time waster.

Earlier this week, independent vulnerability researcher Aviv Raff posted a scenario on his personal blog outlining how a hacker could install malicious software on a system using Google Toolbar. The toolbar's security hole stems from the mechanism the application uses to add new buttons to its user's browser. Raff wrote that ambitious hackers could spoof the origin of their harmful toolbar buttons and launch a phishing attack against their victims. Google spokespeople later confirmed it was working to fix the problem.

Also this week, another Google-focused vulnerability occurred on the California-based search giant's Orkut site. The social networking service was hit with a worm that added hundreds of thousands of users to an Orkut group, called "Infected by the Orkut virus," simply by viewing a malicious Orkut user's profile. The description of the group indicated that the worm was only designed to demonstrate the dangers Orkut posed to users, even without them clicking or accepting a malicious file. The bug did not steal any personal information from the infected users.

And while no damage was done in either of these incidents, some analysts believe it can serve as a warning on the increasingly vulnerability of Web-based applications and social networking sites.

"Now, I don't believe that these stories will usher in a sea change in what PCs in Canadian firms are used for, but they do add to the overall awareness of Web-related vulnerabilities and lead us in the direction of less personal activity occurring on business machines," David Senf, director of security and software research at Toronto-based IDC Canada, said.

James Quin, senior research analyst with Ontario-based Info-Tech Research Group, said that the average user certainly wouldn't be tricked by many of the phishing techniques currently on the Internet. In the case of the Google Toolbar attack, a user would first have to be conned into clicking a Web pop up asking them if they want to install the custom button. After that the user would then have to click the button and agree to run an executable file. And although most experts agree that only the least Web savvy users would be fooled by something like that, the case highlights the broadening scale of attacks on today's Internet.

"For most enterprises, the Google Toolbar thing wouldn't be a problem, because they are going to have content, spam and phishing filters that will block these downloads," Quin said. "But while the Google Toolbar issue, for instance, is not something that is going to be a problem for enterprises in its current incarnation, what it demonstrates is the potential that threats can be leveraged by something seemingly innocuous like a toolbar."

For Quin, the key to the security of any enterprise is its ability to maintain control. And with the proliferation of Web 2.0 applications and Web sites, IT managers need to take the necessary precautions. In the toolbar case, Quin pointed to the newest incarnation of Microsoft Internet Explorer, which has search functionality built right into its toolbar, minimizing the value of Google's tool. He said IT managers need to keep abreast of the latest Web applications in order to inform users of this information.

"Web 2.0 functionalities have been pulled along very quickly," Quin said. "It's slashy, hip and cool, but at the end of the day, I don't think a lot of the potential security issues have been addressed. And a lot of data breaches that occur are not malicious, but rather inadvertent and accidental."

The need to maintain control was also echoed by Senf. He said if there is a business legitimate reason to have certain Web applications running, IT managers will have no choice and will need to adapt to deal with the risks. But, he said, more and more firms will need to take an active role in limiting what potentially unnecessary applications and sites such as the Google Toolbar, Facebook or Microsoft Instant Messenger.

"In doing so, the attack surface is reduced and the potential for something bad happening has likewise been reduced," Senf said. "This may sound draconian -- and may give the appearance that the employee like they're not trusted, but that's not the case. The point is to keep the bad guys out, while running a business."

And while neither analyst advised IT managers to start banning applications like the Google Toolbar anytime soon, both warned that enterprises need to become as aware of potential security risks as they do in concerning themselves with employee productivity drain.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Rafael Ruffolo

ComputerWorld Canada
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?