Canadian security experts evaluate Google holes

IT managers should look at employee Web surfing as a security hazard rather than a time waster, analysts say.

Canadian analysts said the two Google-related hacks that surfaced recently should cause IT managers to look at employee Web surfing as a security hazard rather than a time waster.

Earlier this week, independent vulnerability researcher Aviv Raff posted a scenario on his personal blog outlining how a hacker could install malicious software on a system using Google Toolbar. The toolbar's security hole stems from the mechanism the application uses to add new buttons to a user's browser. Raff wrote that ambitious hackers could spoof the origin of their harmful toolbar buttons and launch a phishing attack against their victims. Google spokespeople later confirmed the company was working to fix the problem.

Also this week, another Google-focused vulnerability surfaced on the California-based search giant's Orkut site. The social networking service was hit with a worm that added hundreds of thousands of users to an Orkut group called "Infected by the Orkut virus" when they simply viewed a malicious Orkut user's profile. The description of the group indicated that the worm was designed only to demonstrate the dangers Orkut posed to users, even without them clicking on or accepting a malicious file. The bug did not steal any personal information from the infected users.

And while no damage was done in either of these incidents, some analysts believe they can serve as a warning about the increasing vulnerability of Web-based applications and social networking sites.

"Now, I don't believe that these stories will usher in a sea change in what PCs in Canadian firms are used for, but they do add to the overall awareness of Web-related vulnerabilities and lead us in the direction of less personal activity occurring on business machines," David Senf, director of security and software research at Toronto-based IDC Canada, said.

James Quin, senior research analyst with Ontario-based Info-Tech Research Group, said that the average user certainly wouldn't be tricked by many of the phishing techniques currently on the Internet. In the case of the Google Toolbar attack, a user would first have to be conned into clicking a Web pop-up asking them if they want to install the custom button. After that, the user would have to click the button and agree to run an executable file. And although most experts agree that only the least Web-savvy users would be fooled by something like that, the case highlights the broadening scale of attacks on today's Internet.

"For most enterprises, the Google Toolbar thing wouldn't be a problem, because they are going to have content, spam and phishing filters that will block these downloads," Quin said. "But while the Google Toolbar issue, for instance, is not something that is going to be a problem for enterprises in its current incarnation, what it demonstrates is the potential that threats can be leveraged by something seemingly innocuous like a toolbar."

For Quin, the key to the security of any enterprise is its ability to maintain control. And with the proliferation of Web 2.0 applications and Web sites, IT managers need to take the necessary precautions. In the toolbar case, Quin pointed to the newest incarnation of Microsoft Internet Explorer, which has search functionality built right into its toolbar, minimizing the value of Google's tool. He said IT managers need to keep abreast of the latest Web applications in order to inform users of this information.

"Web 2.0 functionalities have been pulled along very quickly," Quin said. "It's slashy, hip and cool, but at the end of the day, I don't think a lot of the potential security issues have been addressed. And a lot of data breaches that occur are not malicious, but rather inadvertent and accidental."

The need to maintain control was also echoed by Senf. He said that if there is a legitimate business reason to have certain Web applications running, IT managers will have no choice and will need to adapt to deal with the risks. But, he said, more and more firms will need to take an active role in limiting potentially unnecessary applications and sites such as the Google Toolbar, Facebook or Microsoft Instant Messenger.

"In doing so, the attack surface is reduced and the potential for something bad happening has likewise been reduced," Senf said. "This may sound draconian -- and may give the appearance that the employee like they're not trusted, but that's not the case. The point is to keep the bad guys out, while running a business."

And while neither analyst advised IT managers to start banning applications like the Google Toolbar anytime soon, both warned that enterprises need to become as aware of potential security risks as they are of employee productivity drain.


Rafael Ruffolo

ComputerWorld Canada