Google has some explaining to do. At least, that's InformationWeek's Thomas Claburn's take on a recent Black Hat session. In the session, noted security experts Robert Hansen of SecTheory and Tom Stracener of Cenzic had less than glowing reports of Google's current attitude toward security--especially in its Gadgets platform. As Hansen said: "Google cares more about tracking users than they do about consumer safety."
As proof, Hansen said that when he alerted Google, eBay, DoubleClick and Visa to a Web redirection vulnerability used by phishers, Visa closed the hole in hours. DoubleClick had a partial fix in days, eBay took several weeks to fix the problem, but Google still hasn't fixed it. And it's been four years since it was notified.
The biggest Google security hole is Gadgets, say Hansen and Stracener, and Google is simply ignoring the problem. While Hansen and Stracener say Gadgets currently can be used as a launching pad for a litany of malicious activity, including JavaScript and HTML injection, Web site defacement, data poisoning, content and gateway spoofing, surveillance and spyware, exposure and theft of data, gmalware (DDoS, cookie theft, zombies), worms, and other coercive functionality, Google says not to worry. That's just how Gadgets work.
If Hansen and Stracener's position is correct--and there is a gray area here in that Hansen readily admits that his relationship with Google is less than cordial--Google can't simply ignore it and hope it goes away. As Claburn sums up:
Google owes its users an explanation. It cannot afford to treat security the way it treats privacy, as something to be sacrificed in the name of new services. It cannot afford to treat malicious content like copyrighted content, as something someone else is responsible for.
Exactly. Google is fast becoming a platform for real everyday computing and it has to start acting like it (Gadgets is even being preloaded on Linux netbooks). As more consumers become comfortable with Web computing and all it offers, Google needs to better protect both privacy and security. Or risk losing the market it's worked so hard to win.
The Google Subnet blog is the official blog of Network World's Google Subnet community. Google Subnet is the independent voice of Google customers and is your gateway to daily Google news, blogs, tips and more. Visit the Google Subnet home page daily.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.