
August 28, 2009

Proposed Bill to Give White House Authority to Control Internet in Emergency

A proposed bill in the U.S. Senate would give the White House control of the internet in the case of emergency. The bill, S.773, introduced by Sen. Jay Rockefeller (D-WV) and Sen. Olympia Snowe (R-ME), is pretty vague, which is alarming to internet companies and civil rights groups alike.

According to CNET, the bill would allow the White House to declare cybersecurity emergencies. It also allows the government to choose which internet companies they deem "critical." These companies would then be subject to regulations surrounding hiring employees, information that would need to be disclosed and when the government could take over their network.

What do you think of this bill? Let us know by leaving a comment.

Posted by Nathania Johnson at 3:27 PM | Permalink | Comments (24)

August 7, 2009

Yesterday's DoS Attacks Included Google, Possible Cyberwarfare Suspected

As news broke yesterday about the Denial of Service (DoS) attacks affecting Twitter, revelations began to unfold about how widespread the attacks really were. Facebook slowed down and produced error pages. LiveJournal experienced downtime as well.

While Google didn't go down, they were affected. This statement from a Google spokesperson explains their involvement:

We are aware that a handful of non-Google sites were impacted by a DoS attack this morning, and are in contact with some affected companies to help investigate this attack. Google systems prevented substantive impact to our services.

While not explicitly saying they were attacked, I think it's pretty clear they're just more prepared for malicious attacks of all kinds.

Of course, they've been around for a longer period of time than Facebook, Twitter and LiveJournal. But social media sites are going to have to beef up their security, especially considering the nature of the attacks.

It turns out that the attacks were aimed at a Georgian blogger who had accounts on Facebook, Twitter, LiveJournal, YouTube and Google's Blogger. While not confirmed, it seems pretty obvious to anyone following events in the region that Russia could be behind the attack.

As Patrica Skinner at Search Engine Journal points out, this isn't the first time Russia has been involved in a cyberwarfare attack. Plus, it's hardly a coincidence any longer that the US Marines this week were barred from using social media.

All of this comes the same week that the acting White House Cybersecurity Czar stepped down. Melissa Hathaway resigned just months after replacing the last Cybersecurity Chief, Rod Beckstrom, who had left the post. Beckstrom left because cybersecurity is mostly handled by the NSA, a division of the Department of Defense. Beckstrom felt that cybersecurity should be handled by a civilian agency.

Hathaway left after being marginalized by political opponents within the White House. She was a holdover from the Bush administration, who lost favor with Obama's economic advisors when she said there should be cybersecurity regulations for the private sector.

Hopefully, this week's attacks will encourage bipartisan action on addressing what are increasingly becoming very serious cybersecurity threats.

Posted by Nathania Johnson at 2:25 PM | Permalink | Comments (0)

July 17, 2009

Twittergate: Hacked Docs Stir Up Questions of Ethics and Security

Recently a hacker obtained confidential documents containing information about Twitter's business plans as well as user accounts and passwords. The hacker sent the documents to two blogs: Silicon Valley's TechCrunch and Korben, a tech news site in France.

TechCrunch has spent the better part of a week publishing a few of the documents one blog post at a time. (Can we just call them TwitterCrunch at this point?) They claim to be working with Twitter and their legal team to determine which ones to post, but Twitter has denied giving permission for publication of any of the documents. Many comments left on TechCrunch's blog were in opposition to the publication, as well.

Twitter and TechCrunch have agreed on one thing - the documents were not ready for prime time. Many of them were handwritten notes, for example.

I personally haven't read the documents that have been released, though obviously it's been hard not to catch a whiff of what was included here and there. They were stolen. They're confidential. I suppose that makes me a bad blogger/journalist, but I've got this "Do unto others" philosophy that I try to live by.

Taking ethics out of the question, I'm primarily more interested in what IS rather than is hoped for. After all, "The best laid plans of mice and men often go astray." (Have you seen Pirates of Silicon Valley? What were Jobs' and Gates' original plans? Where was Apple in the late 1990s?)

What would you have done if you had received the documents? Publish them? Blackmail Twitter? Let us know your gut reaction in the comments below.

Posted by Nathania Johnson at 12:18 AM | Permalink | Comments (3)

April 15, 2009

Ford Motor Co. Target of Malicious SEO Campaign

Panda Labs has discovered over 1 million links with Ford-related anchor text that lead to malware dressed up as anti-virus applications. The user is berated with warnings from "MS Antispyware 2009" that they need to buy software to protect their computers. Of course, MS Antispyware 2009 is not an official Microsoft product and does pretty much the exact opposite of what it advertises.

Here's what happens:

1. Internet user clicks on Ford link which leads to a video.
2. User must install a codec to watch video.
3. Once codec is installed, message pops up warning of Malware.
4. User is offered opportunity to purchase $79 anti-virus application.
5. User buys and is scammed.

There are fake SSL forms and the whole shebang.

Here's a video explaining more about the attack:

Targeted Blackhat SEO Attack against Ford Motor Co. from Panda Security on Vimeo.

h/t Tech Herald

Related Reading:

  • Google Offers Browser Security Handbook
  • Live Search Flags Questionable Sites
  • Organic Results Showing Many Malware Sites, Google Expunges Thousands
  • Google Adds Malware Tool To Webmaster Central Tools

Posted by Nathania Johnson at 11:36 AM | Permalink | Comments (1)

November 10, 2006

Hack Reveals How To Remove Sites From MSN Live Search?

Boogybonbon.com has revealed how you can potentially de-list a competitor's site from Microsoft's search engine. In short, most sites return a 200 status for a URL like domain.com/index.html?test=test or domain.com/index.html?test=test1234, etc. You can play on that by convincing Microsoft that a particular site has hundreds or thousands of duplicate pages, and at some point, Microsoft may penalize the site with a duplicate content penalty, de-listing the site and its home page. That is the short story; if you want the long write-up, visit Boogybonbon.com.

Postscript: Other coverage at Threadwatch and Search Engine Watch Forums.

Posted by Barry Schwartz at 9:32 AM | Permalink
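A site owner's side of the duplicate-URL problem described in this post, as an added example that is not from Boogybonbon.com or the original write-up: collapse unknown query parameters onto one canonical URL and answer the variants with a 301 instead of a 200. The allowed-parameter list, the `http://domain.com` URLs and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: the only query parameters this hypothetical site really uses.
ALLOWED_PARAMS = {"page", "id"}

# Constructed sample of URLs a crawler might request (not real crawl data).
SAMPLE_URLS = [
    "http://domain.com/index.html",
    "http://domain.com/index.html?test=test",
    "http://domain.com/index.html?test=test1234",
    "http://domain.com/index.html?page=2",
]


def canonical_url(url, allowed=ALLOWED_PARAMS):
    """Return the canonical form of url: known parameters only, sorted."""
    parts = urlsplit(url)
    kept = [(k, v)
            for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k in allowed]
    kept.sort()
    path = parts.path or "/"
    # The fragment is dropped: it is never sent to the server anyway.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path,
                       urlencode(kept), ""))


def respond(url, allowed=ALLOWED_PARAMS):
    """Decide the status a server should send for a requested URL.

    200 only when the request already is the canonical URL; otherwise a
    301 to the canonical URL, so a crawler sees one page, not thousands.
    """
    target = canonical_url(url, allowed)
    if target == url:
        return 200, None
    return 301, target


def duplicate_groups(urls, allowed=ALLOWED_PARAMS):
    """Group crawled URLs by canonical form; keep groups with >1 variant.

    Run over a crawl or access log, this shows how many distinct URLs
    currently resolve to the same content.
    """
    groups = {}
    for u in urls:
        groups.setdefault(canonical_url(u, allowed), set()).add(u)
    return {c: sorted(v) for c, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", respond(u))
    print(duplicate_groups(SAMPLE_URLS))
```

A `rel="canonical"` link on the page is the softer alternative when a redirect would break tracking parameters the site depends on.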

November 9, 2006

Google Sends Porn Worm To 50,000+ Subscribers

'Porn' worm sent to 50,000 after Google blunder from Silicon.com covers how Google accidentally sent a worm to the official Google Video Blog email list.

The worm apparently came in the form of pornography sent to the group, which had over 50,000 subscribers at the time. The Kama Sutra email, also known as W32/Kapser.A worm, was "designed to overwrite files on infected computers on a specific date."

If you got this email and downloaded the file, it is important that you run antivirus software on your computer. Google promised to try to not do that again.

Postscript From Danny: Google has a post about it here, which gives them a chance to pitch getting free antivirus software through the Google Pack.

Posted by Barry Schwartz at 7:43 AM | Permalink

October 18, 2006

Another Odd Post To An Official Google Blog Raises Security Concerns

Does another odd post to one of Google's official blogs mean Google is losing it in terms of security? It spurred Michael Arrington to fire up a list over at TechCrunch of other security issues, a couple of which I wouldn't agree were breaches. But I can add to the list as well, and there's no doubt these types of things hurt Google when, during its expansion, it needs all the goodwill and trust it can get.

Yesterday, Google Blogoscoped wrote about a strange post on Blogger Buzz, the official blog for Google's Blogger. It turned out to be a case of someone who writes for the Blogger Buzz accidentally posting something meant for her personal blog on Blogger to the official one.

I can completely sympathize with this. About two weeks ago, I posted something to the Search Engine Watch Blog that I meant for my personal blog Daggle. Both use Movable Type, on completely different systems. But I had browser windows open to both of them and just picked the wrong one.

Unfortunately, the mistaken post (which is still up on Blogger Buzz for me) comes about a week after the Official Google Blog was hacked with a fake post. Add that to some other things, and people might be getting worried.

That's certainly Michael Arrington's view at TechCrunch. He writes:

The fact that unauthorized document access is a simple password guess or government “request” away already works against them. But the steady stream of minor security incidents we've seen (many very recently) can also hurt Google in the long run. Running applications for businesses is serious stuff, and Google needs to be diligent about security.

Another minor incident came up this evening - a Google employee intended to post on her personal blog and wrote on the official Google blog covering Blogger instead....

Google product teams work in cells, which allows them to quickly launch and iterate products. However, there could be a disadvantage to this as well with regard to security, as there does not seem to be one central policy or security group ensuring strict compliance across the entire company. Every security incident damages Google's credibility and reputation. Microsoft has been dealing with security issues forever - Google may need to start fighting the same war.

The post includes eight examples of security incidents since 2004. Some I don't agree with, but others I do -- and there are more not on the list. I posted about these at TechCrunch, but my comments aren't showing yet (and possibly didn't go through properly). Here's what I wrote:

Goodness knows I'm not going to defend them on a lot of this stuff. The repeated problems with Blogger security are becoming absurd. Three strikes on their own blog? But Mike, some perspective is probably in order.

Accidentally released Platypus? Sounds like Philipp has a contact at Google that leaked it to him. I suppose that's a security issue, but it's not really a user security issue. Lumping it in there doesn't feel fair. And if you're going to do that, then any time someone from any company leaks you something, you should be reporting that as a security breach from that company.

Some of the other items are iffy on the user security side. They left stuff in a Writely doc, similar to how they left stuff in that analyst presentation a few months before. Sloppy, yes. Security breach, no. Worthy of concern? Yes, because sloppy there could mean sloppy elsewhere.

To add others to your list:

Overall, I agree with you. These incidents hurt Google's reputation and the trust users may have with them. What I can't tell is how they stack up in trust compared to someone like Microsoft. I suspect they're still well ahead there. But it's not "may need" to fight the war. They're in that war now, and every new app increases their exposure to exploits.

Posted by Danny Sullivan at 7:40 AM | Permalink

October 9, 2006

Official Google Blog Gets Hacked After Message On Security

The Official Google Blog was hacked over the weekend, happening embarrassingly after Google had just posted about how seriously it takes security. It also follows a pseudo-hack earlier this year, when someone else took over the Google Blog when the company accidentally deleted it.

The hack was covered in various places. Google Blogoscoped has a good write-up on what was initially posted (and screenshot here), an anonymous message saying that Google's click-to-call project had been cancelled:

After concientiously considering, Google has decided not to continue with Google Click-to-call project. The project has been in the media on last days because of the notice of Google agreement with e-Bay. We finally consider click-to-call agreement with e-Bay a monopolistic aproach that would damage small companies in the CRM area.

It felt like a hack to many, certainly to me as well, and I posted the same to Google Blogoscoped:

Got to be a hack. Especially notice what's currently tops on the Google blog, a post all about how "Google takes security very seriously and designs all of its services and applications to protect your privacy and data security." This almost certainly is someone reading how "we keep the bad guys out of our systems" and thumbing Google's nose to show nope, they don't.

That post from the Google Blog about security says in full:

Most readers of this blog are familiar with our mission to organize the world's information and make it universally accessible and useful. Maintaining the trust of our users and ensuring a positive experience using our products and services is paramount to our ability to accomplish our mission. As a result, Google takes security very seriously and designs all of its services and applications to protect your privacy and data security. Behind the scenes of these efforts is the Google Security Team. We keep the bad guys out of our systems and have brought you features like the anti-phishing extension in Google Toolbar and warnings about Internet malware. As part of our commitment to security, we're putting up some additional help content to let users and security researchers know how to quickly contact us on these issues. We've learned that when security is done right, it's done as a community, and this includes everybody: the people who use Google services (thank you all!), the software developers who make our applications, and the external security enthusiasts who keep us on our toes. These combined efforts go a long way toward making the Internet safer and more secure. Please visit our new security page and feel free to contact us anytime at security@google.com.

The post is incredibly ironic given what's now posted at the top of the blog:

A bug in Blogger enabled an unauthorized user to make a fake post on the Google Blog last night, claiming that we've discontinued our AdWords click-to-call test. The bug was fixed quickly and the post removed. As for the click-to-call test, it is progressing on schedule, and we're pleased with the results thus far.

A bug, also known as a security problem. So much for that trust Google was hoping to maintain with its users. It also happens ironically after publicity about Google shifting attention to improving existing projects, rather than rolling out new ones.

Philipp Lenssen at Google Blogoscoped pointed out what a nice visual contrast the two posts make and posted a screenshot. I couldn't help doing the same:

In March, Google deleted its own blog accidentally, allowing someone else the ability to claim the old Google URL and keep the blog running for a short time outside of Google's control. Official Google Blog Deleted, Blogger Registers googleblog.blogspot.com has more about that.

Finally, the hacked post was published by someone calling themselves Maximal. I found a post from another Maximal on Google Groups asking for help recently with the Google Data API.

Hi, I am making tests with Google Data API to publish my posts. The problem is ... my posts are being published into "the Honourable Dr Mantombazana Tshabalala-Msimang South Africa's Minister of Health" blog (I don't have to say I am not the minister of health of South Africa).

Any help before Honourable Minister of Health of South Africa would speak with Interpol would be appreciated.

Perhaps related?

Posted by Danny Sullivan at 6:16 AM | Permalink

August 4, 2006

Google Provides Warnings Of Potentially Hazardous Search Results

Philipp Lenssen found a Google Systems post that discovered Google now provides an intermediary page, for some search results, informing you that the result you clicked on may "harm your computer." You can see this intermediary page for yourself by clicking here; it looks like Google is calling it an interstitial page. Why even list sites in the search results if they may be harmful to your computer? Well, the key terms are "may be harmful," so let the user decide. I wonder if these potentially risky pages get some sort of downgrade in rankings?

Posted by Barry Schwartz at 9:35 AM | Permalink

July 31, 2006

Yahoo Finance Hacked & Defaced

Zone-H reports that earlier today, Yahoo's Finance section at biz.yahoo.com was hacked into and defaced. I have not seen any official confirmation or report from Yahoo on this story. They have mirrored the defacement here and here.

Posted by Barry Schwartz at 10:19 AM | Permalink

July 18, 2006

Malware Search Engine Powered By Google

H.D. Moore of Metasploit designed a vertical search engine using the Google API to search specifically for malware. The search engine can be found here.

This follows news last week of a private search engine having been developed to do the same thing.

Ryan Naraine at eWeek has an excellent write up on how the engine works, describing that the search engine has been coded with 300 malware signatures with hopes to increase that to 6,000. The engine then searches the web according to Google and finds executable files that match those signatures.

Steven Bryant from Google Watch notes that Metasploit changed the logo to "censor" it after possibly receiving a cease and desist letter from Google. Here is the before and after.

Looks to me that Metasploit is having fun with this. I really don't know if Google complained to Metasploit that he used the colors of the Google logo for this logo. But it is funny, nonetheless.

Now, is this a good thing for the public to have access to? I got other news to report, you can debate that question yourself.

Posted by Barry Schwartz at 8:47 AM | Permalink

July 12, 2006

Google Pages & Yahoo Geocities Phishing Attacks

We learn from VNUnet.com that there are phishing scams on Google Pages and we also learn from Slashdot that Yahoo's Geocities has a similar issue. An email goes out telling people they can win a "$500 cash prize, and that the money can be paid automatically if they click on the embedded web link."

Posted by Barry Schwartz at 10:53 AM | Permalink

July 10, 2006

Google Binary Search Not Only Finds Malware But Also Shows Signs Of More

PCWorld reports that Google's binary search feature came in handy to locate "thousands of malicious Web sites, as well as several legitimate sites that have been hacked." The feature reads executable files and can locate some malicious code within those files. It was used to help find malicious sites and programs by a security vendor named Websense. The article also explains that binary search may be a sign that "Google may be thinking about becoming a file searching service."

Posted by Barry Schwartz at 8:15 AM | Permalink

July 6, 2006

Google Fixes XSS Security Holes

A security vulnerability in Google, discovered and posted at ha.ckers.org, was patched quickly by Google. Both Philipp Lenssen and JasonD posted about the XSS hole that enables hackers to deploy phishing scams, cookie stealing, and creation of worms. Matt Cutts of Google was quick to reply to the Threadwatch post stating that the hole was "either fixed or the fix is going out."

Posted by Barry Schwartz at 9:00 AM | Permalink

June 26, 2006

Follow-Up: School Couldn't Reach Google Until Injunction Filed

Catawba County Schools in North Carolina obtained an injunction to remove private material from Google because it had no luck getting action from the search engine after trying other routes, the district tells me. The school district also stressed that it didn't claim that Google had somehow hacked into its servers. Here's what Catawba County Schools' chief technology officer Judith Ray emailed me about the situation:

We asserted that Google had somehow bypassed our login information, not that they had hacked their way into the system. Hacking, to me assumes malicious intent and we never intended to imply that Google was doing anything other than spidering all the web sites available.

There is also miscommunication about "all users" being required to log in. The DocuShare server is a repository for both public and private information with logins being required for users who are authorized to view the restricted information. There are hundreds of pages of information that we share from DocuShare with users around the state. These are completely open and are not supposed to [be] password protected.

We did troubleshoot this situation by searching for the students' information at Yahoo, Dogpile, and AltaVista. We did not find any information on these three search engine returns and we attempted the searches over a three-day period.

We acted so aggressively with Google because, until the media got involved, we could not get beyond an operator at Google. We could not get operators to connect us with technical support, the legal department, or to anyone higher up in the organization. We were only given an email address to which we could submit a complaint - which we did but got no response. Google has a link to submit an emergency request [see here] but on both Thursday and Friday of last week, the link took you to a dead page. Only when the news media submitted its own inquiry to Google did we get a call regarding the situation. And [Google] has been most helpful in working through this situation with us.

Of course, none of us who are employed with Catawba County Schools at the current time were involved when Xerox set up this server. We are trying to ascertain if the server was incorrectly setup/protected or if the appropriate include meta tags or strings were not included.

Google Blamed For Indexing Student Test Scores & Social Security Numbers from us earlier has more background on the injunction plus how I was finding pages from what the district said was a password protected area to still be available through Yahoo. As clarified above, some of these pages indeed didn't require a login to view.

Our story originally was headlined "Google Blamed For Hacking & Indexing Students Test Scores & Social Security Numbers" and said in one part, "the school [district] blames Google for some how breaking into a password protected area and indexing the content."

As stated above, the school district itself never appears to have said anything about being hacked, only that Google somehow got into information it believed was password protected, as it says on the home page of the district site:

We do not know how Google was able to access the secure, password-protected site. Once Google does access a site, it places a copy of the data on its own server. We immediately called and emailed Google, requesting the urgent removal of the link and site data. We have eliminated the link from our end and it appears that as of Friday night, June 23, 2006, Google eliminated the site from their end.

The hacking reference seems to come from the "Google 'hacked our website'" story at The Inquirer, which we linked to in our original story. While the headline says "hacked" in quotes, the story itself doesn't have anyone from the school district saying this.

Digg also has a School claimed google hacked it's private servers and then posted that data article. Again, the school district isn't alleging hacking, only that Google somehow got into information it believed was restricted. How that happened is still being investigated.

As for the reference to Xerox in the school district's explanation, in doing some investigating in our original piece, I noted that the server seemed to be managed by Xerox and shared by other companies as well, with material for those companies appearing to be hosted on the school district's domain. As noted, the school district doesn't know why this was happening, and it remains something they are looking at.

Finally, Google's had problems with the automated page removal tool before, though not that it was down but instead allowing people to remove pages from sites they didn't own. More on that in our 2004 story, Google Confirms Automated Page Removal Bug.

Posted by Danny Sullivan at 1:35 PM | Permalink

Google Blamed For Indexing Student Test Scores & Social Security Numbers

Google "hacked our website" from The Inquirer points to Blame game from the Hickory Record, a story about how the Catawba County Schools in North Carolina has gained a temporary injunction for "Google to remove any information pertaining to Catawba County Schools Board of Education from its server and index and alleges conversion and trespass against the corporation." The school blames Google for somehow getting into a password protected area and indexing the content.

Let me make this clear, Google cannot submit forms or type in usernames and passwords. Someone at the school must have left an opening for Google. The security hole came from possibly someone publishing the content publicly, somehow, or by letting down the security or by posting a hyper-linked URL with an embedded password in the URL.

I agree, Google should remove this sensitive information, which they did on Friday after the judge issued the temporary injunction. But Google should not be blamed for this.

Postscript From Danny: As Barry notes, this isn't a case of Google deserving blame. It cannot guess at a protected server's usernames or passwords, nor is it configured to try and hack its way in. If this information got into Google, that's almost certainly because it was left unprotected somehow despite the school's "very secure site."

Since the school says all personal information has now been removed and is protected, I'll explain more at what I guess happened.

The story mentions that somehow, information from the site's supposedly protected DocuShare server got onto the web. OK, where is that server? The story doesn't say, but this search over at Yahoo gives the likely location:

docushare catawba

Fifth down is this:

DocuShare Authorization Error Not Authorized. You are currently listed as Guest, which means you are not logged in. ... Password: Domain: DocuShare Catawba County. Copyright © 1996-2003 Xerox Corporation ... docucentre.catawba.k12.nc.us/docushare/dsweb/View/Collection-1546 - 6k - Cached - More from this site - Save

That shows you that Yahoo tried to access a protected page on the DocuShare server at docucentre.catawba.k12.nc.us. Is this the secure server that Google somehow managed to penetrate? Probably, given that this search shows nothing at Google now:

site:docucentre.catawba.k12.nc.us

That search comes up with no matches. That's probably because Google responded to the complaint last Friday to remove all pages from this domain. But since no one contacted Yahoo, there's a good chance pages from the domain still show over there. And in fact, that search at Yahoo currently shows 13,500 matches.

Are any of these pages the ones with sensitive information? I did some searches that I felt should bring up whatever the page was that Google was finding and had no luck. This means:

  • Yahoo didn't have it, because it didn't crawl as deep
  • Yahoo didn't have it, because Google really did somehow manage to get past a password barrier
  • Yahoo didn't have it, because I'm not guessing at the right words in the document

Yahoo clearly has some information that the school district itself says:

This site was a DocuShare password-protected site that required all users to log-in

No, not all users had to log-in. If that was the case, you wouldn't see any cached documents at all, such as this one. Clearly, some content was accessible without being logged in -- which makes it possible that some content wasn't properly placed behind password protection.

Postscript 2: See our follow-up, Follow-Up: School Couldn't Reach Google Until Injunction Filed

Posted by Barry Schwartz at 8:51 AM | Permalink
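The check Danny's postscript works through by hand with search queries can also be run against the server's own access log, as in this added example (not code from the original posts, the school district or any search engine). A crawler cannot log in, so any 2xx response it received on a path meant to be login-only shows that content was served without authentication. The log lines, the document path under `/docushare/dsweb/Get/`, the IP addresses and the protected-prefix list are constructed assumptions; only the `Collection-1546` path appears in the post.

```python
import re

# Apache/NCSA "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# User-agent tokens of the major crawlers of the period.
CRAWLER_RE = re.compile(r"googlebot|slurp|msnbot", re.I)

# Assumption: the paths the operator believes require a login.
PROTECTED_PREFIXES = (
    "/docushare/dsweb/View/Collection-1546",
    "/docushare/dsweb/Get/",
)

# Constructed sample log (documentation IP ranges, invented document name).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jun/2006:10:01:02 -0400] "GET /docushare/dsweb/View/Collection-1546 HTTP/1.1" 401 612 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [20/Jun/2006:10:01:05 -0400] "GET /docushare/dsweb/Get/Document-0001/scores.xls HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [21/Jun/2006:03:14:40 -0400] "GET /docushare/dsweb/Get/Document-0001/scores.xls HTTP/1.0" 200 48211 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
203.0.113.5 - jdoe [21/Jun/2006:08:30:11 -0400] "GET /docushare/dsweb/Get/Document-0001/scores.xls HTTP/1.1" 200 48211 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [21/Jun/2006:09:00:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def exposed_to_crawlers(log_text, protected=PROTECTED_PREFIXES):
    """Return {path: [crawlers]} for protected paths served without a login.

    A hit is reported only when all of these hold:
      * the user agent is a known crawler,
      * the path (query string ignored) is under a protected prefix,
      * no authenticated user was logged for the request,
      * the server answered 2xx, i.e. it handed over content.
    """
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        bot = CRAWLER_RE.search(m["ua"])
        if not bot:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(protected):
            continue
        if m["user"] != "-" or not m["status"].startswith("2"):
            continue
        findings.setdefault(path, set()).add(bot.group(0).lower())
    return {p: sorted(bots) for p, bots in findings.items()}


if __name__ == "__main__":
    for path, bots in exposed_to_crawlers(SAMPLE_LOG).items():
        print(f"served without login to {', '.join(bots)}: {path}")
```

The 401 on the collection page is not reported, which is the behaviour the district expected everywhere; the document URL that returned 200 to two crawlers is.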

June 14, 2006

Clickbot.A Click Fraud Network Dismantled

ClickZ reports that the Clickbot.A virus that infected 34,000 machines (last report more than 50,000 PCs) and auto clicked on an unknown amount of PPC ads, has been shut down. Panda Software and RSA Security worked together to dismantle the virus. Read the full details over at Panda Software.

Posted by Barry Schwartz at 9:01 AM | Permalink

June 13, 2006

Yamanner Worm Targets Yahoo Mail Users

Silicon.com reports on a Yahoo Mail worm named Yamanner that comes in the form of an email named "New Graphic Site." When you open the email, it infects your computer and spreads the worm to your Yahoo Mail address book.

Posted by Barry Schwartz at 11:20 AM | Permalink

May 17, 2006

Belgian Company Suing Google Over Google Suggest Suggestions

Philipp Lenssen points to a press release that shows when you begin to type your search at Google Suggest on "ServersCheck" it brings up results for "ServersCheck Crack," "ServersCheck Serial," and other suggested searches of illegal versions of the ServersCheck products. Is this just a ploy for ServersCheck to get some free PR? Google Suggest is used on the Google Toolbar and was added to the Firefox toolbar.

Posted by Barry Schwartz at 9:46 AM | Permalink

May 12, 2006

5% Of Search Results Lead To "Dangerous Sites"

Andy Beal reports on a Wall Street Journal article that claims 9% of paid search ads lead to "dangerous sites." Three percent of organic results lead to risky sites, in comparison to the PPC ads. So on average, the article shows that "roughly 5% of the search results on average were risky sites." The SiteAdvisor study estimates a searcher will click to an "unsafe site from a search engine once every 15 days." Risky sites are defined as sites that can "infect consumers' personal computers or expose them to nuisances such as spam email."

Postscript by Detlev Johnson: You can find additional information at BBC with respect to natural listings that lead to risky sites. As much as 4-6% of search results in natural listings are categorized as risky, while sites in the sponsored listings can be 2-4 times as numerous.

The sheer volume of clicks this can account for is scary - 285 million per month. Search engines are known to try limiting their users from accessing risky sites through their search engines; at least as much as they combat spam. Their efforts will need to continue and be ongoing similarly to fighting search engine spam.

Posted by Barry Schwartz at 9:16 AM | Permalink

March 3, 2006

Gmail Fixes JavaScript Security Hole

Via Slashdot, Vulnerability in Gmail covers how JavaScript code sent from Yahoo Mail to Gmail reportedly would run in the preview pane of Gmail. Google quickly fixed this security hole, as reported by News.com soon after.

Posted by Barry Schwartz at 9:07 AM | Permalink

February 20, 2006

Google Account Security Breach with Book Search

Philipp Lenssen reports a Google Book Search Security Hole where someone can log in to your Google account if they somehow get access to the URL string of your Google Book Search result page. This is how it works: a person goes to book.google.com, does a special search, clicks on a result, logs in, and then copies the URL and sends it off to a friend. When the friend gets the URL and clicks on it, it should log in the friend to Google as the person who sent the link, giving the friend access to Google Account information that is not his.

Posted by Barry Schwartz at 8:46 AM | Permalink

January 20, 2006

Weinberg on Blocking Certain Types of Search Queries and the Precedent It Might Be Setting

Nathan Weinberg at InsideGoogle reports that Google and MSN might be blocking certain query strings used by "script kiddies" and other hackers. Nathan reports that he hasn't been able to confirm this on his own and asks for help. Weinberg then moves into a thought-provoking discussion that asks some important questions about the implications of blocking queries. He writes that in some cases, like looking for vulnerabilities, blocking is a public service, but he's not sure of the precedent it might be setting, assuming this is actually happening in the first place.

Weinberg writes: What if, in the future, Google decides to block all commonly used searches that can be used to harm others. For example, what if Google decides to block "i am 9..12 years old", a query that can be used by pedophiles to find children of a certain age range? What if Google decided to block searches for gun trade shows, or steroids, or porn?...Even as Google fights the Department of Justice for our privacy rights, it is important to remember that we have the right to search for the wrong things.

Kudos to Nathan on an excellent post.

Posted by Gary Price at 6:10 PM | Permalink

January 4, 2006

Malware Alters Google AdSense Links

Via JenSense, Trojan Horse program that targets Google Adsense ads has been detected by an Indian Web publisher at TechShout covers malware that replaces Google AdSense links with ads for other sites.

Posted by Danny Sullivan at 10:08 AM | Permalink

December 29, 2005

Malik Looks at Issues for Google AdSense and Other Ad Programs in 2006

Om Malik has compiled and written an excellent post that discusses what might be some big issues for AdSense and other programs in 2006. Om writes:

From scraper sites, to click fraud to trojan horses, looks like the most profitable money making mechanism, aka AdSense might be facing some tough times.

Malik's post includes links to articles from:

+ Paul Kedrosky: Kedrosky predicts that click fraud will go "mainstream" in 2006.

Kedrosky writes: With some estimating that in certain categories click-fraud accounts for as much as 20% of fees, this is a stock-schwacking issue, one that threatens the core of Google's advertising business.

+ Charles Mann's new three page article in Wired titled: How Click Fraud Could Swallow the Internet

and a very interesting report from TechShout whose title says it all: A Trojan Horse program that targets Google ads has been detected by an Indian Web publisher.

Om adds that: TechShout folks say that Google AdSense team confirmed the existence of these problems.

As the 80's group Asia tells us, "only time will tell."

Posted by Gary Price at 3:15 PM | Permalink

December 2, 2005

A Flaw Could Cause Problems for Google Desktop Users Who Use Internet Explorer

Google Spokesperson, Sonya Boralv, has told News.com that Google has just learned about and is looking into a possible flaw with Internet Explorer that lets unknowing users of both IE and Google Desktop have information stolen from their database of content. The bug was first reported by Matan Gillon, a researcher in Israel.

A security expert quoted in the story said that the bug looks like an IE/MS issue and not one for Google.

From the article: "This design flaw in IE allows an attacker to retrieve private user data or execute operations on the user's behalf on remote domains," Gillon wrote in his description of the attack method. He crafted a Web page that--when viewed in IE on a computer with Google Desktop installed--uses the search tool and returns results for the query "password." To exploit the flaw, an attacker has to lure a victim to a malicious Web page. "Thousands of Web sites can be exploited, and there isn't a simple solution against this attack, at least until IE is fixed," Gillon wrote.

Microsoft is also investigating the issue.

Gillon also mentions in his report that the flaw was not found with Firefox or Opera. He suggests the use of one of those browsers or disabling JavaScript in IE.

More in the article: IE flaw lets intruders into Google Desktop.

Postscript from Google Spokesperson: "Google takes the security of its users very seriously. We just learned of this issue and are looking into it."

Posted by Gary Price at 9:48 PM | Permalink

November 22, 2005

Google Mini Security Issue Patched

Via WebProNews, Metasploit explains how it discovered flaws in the Google Mini enterprise search appliance that could be abused to do "cross-site scripting, file discovery, service enumeration and arbitrary command execution." The flaw was apparently reported to Google privately in June of this year, a patch was issued in August, and news of the issue was released yesterday. Metasploit praised Google for responding immediately and being helpful through the fix and testing process.

Posted by Danny Sullivan at 9:29 AM | Permalink

November 21, 2005

Google Base Security Flaw Found

Google Closes Security Holes in Google Base from Netcraft covers an apparent security hole in Google Base that may have exposed sensitive information stored on Google. The person discovering it details more here. Computerworld reports that the problem has been patched. Google's not cited as the source of that, nor is there any statement, but that's likely the case.

Posted by Danny Sullivan at 10:00 AM | Permalink

November 18, 2005

Major Security Flaw With Google Sitemaps Stats

David Naylor points out, as does this WebmasterWorld thread spotted via Threadwatch, a pretty surprising security oversight with Google's new Sitemaps stats system that can allow anyone access to stats of other web sites, if those web sites don't report 404/File Not Found errors correctly. Right now, I'm looking at stats for eBay and AOL, as well as Google's own Orkut!

In order to see stats for a site, you have to verify you own it by installing a special file on your server. Google randomly generates a filename to use, you install this file, then Google checks to see if it exists. If it does, you can view stats for that site.

The problem is, some web sites will respond that any page exists, even if it doesn't. Rather than sending out a 404 File Not Found error message, they'll dynamically generate the page with content anyway or they'll tell the user the file doesn't exist, but the server code sent to a browser says differently.

For example, try this:

http://www.ebay.com/djkfjkdjfkjd

You'll see that eBay responds that the page doesn't exist. However, behind the scenes it redirects the request (sending a 301 server code) to another page that has a 200 Page Found code. As a result, along with Dave and Barry, I'm now looking at eBay's stats, along with AOL's stats.

How could all three of us get access? Because both eBay and AOL will turn any request into a page found code -- and remember, we were all given unique file URLs to enter. As far as Google is concerned, we all have correctly installed these files.

That's another security issue. You'd think the system was smart enough that if one person verified ownership, no one else could. Not so, not at the moment.

Want to ensure you are protected? Be sure you are sending out proper 404 error codes for pages that don't exist. Rex Swain's HTTP Viewer is an excellent place to check this.

When the stats system came out, I did ask Google why they didn't go with a more common verification system of putting special code on a page. That would have been safer, plus easier for some people who don't have the ability in content management systems to easily generate files of a particular nature. I never got a reply to that.

Another solution would be for special code to have been installed within a robots.txt file as a way of verifying a site with Google.
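The failure described above, and the two remedies the post names (real 404 codes, and checking for special content rather than mere existence), as an added example that is not Google's code or part of the original post. The verification filename, the file content and the three localhost test sites are constructed, and the body check is an assumption modelled on the "special code" suggestion.

```python
import http.client
import http.server
import secrets
import threading
import urllib.error
import urllib.request

TOKEN_PATH = "/verify-3f9a1c.html"  # constructed filename, not a real Google one
TOKEN_BODY = b"owner-proof-3f9a1c"  # constructed file content (assumption)


def make_site(files, soft_404):
    """Build a handler: `files` maps path -> body; soft_404 mimics the 301 -> 200 behaviour."""
    class Site(http.server.BaseHTTPRequestHandler):
        log_message = lambda *args: None  # keep the demo quiet
        def do_GET(self):
            if self.path in files:
                status, body, extra = 200, files[self.path], {}
            elif soft_404 and self.path == "/error":
                status, body, extra = 200, b"Sorry, that page does not exist.", {}
            elif soft_404:
                status, body, extra = 301, b"", {"Location": "/error"}
            else:
                return self.send_error(404)
            self.send_response(status)
            for key, value in {"Content-Length": str(len(body)), **extra}.items():
                self.send_header(key, value)
            self.end_headers()
            self.wfile.write(body)
    return Site


def serve(handler):
    """Start a throwaway server on a free localhost port and return that port."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def naive_verify(port, path=TOKEN_PATH):
    """Flawed check: follow redirects and accept any final 200."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://127.0.0.1:{port}{path}", timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False


def fetch_raw(port, path):
    """One GET with no redirect following: returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def sends_real_404(port):
    """Webmaster-side check: a random path that cannot exist must answer 404 or 410."""
    status, _ = fetch_raw(port, "/" + secrets.token_hex(16) + ".html")
    return status in (404, 410)


def hardened_verify(port, path=TOKEN_PATH, proof=TOKEN_BODY):
    """Require a direct 200 carrying the expected content, on a site with real 404s."""
    status, body = fetch_raw(port, path)
    return status == 200 and proof in body and sends_real_404(port)


def demo():
    sites = {
        "soft404, not owned": serve(make_site({}, soft_404=True)),
        "proper, not owned": serve(make_site({}, soft_404=False)),
        "proper, owned": serve(make_site({TOKEN_PATH: TOKEN_BODY}, soft_404=False)),
    }
    return {name: (naive_verify(port), sends_real_404(port), hardened_verify(port))
            for name, port in sites.items()}


if __name__ == "__main__":
    print(demo())
```

Each result tuple is (naive check passed, site sends real 404s, hardened check passed); only the soft-404 site fools the naive check without owning the file.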

Want to discuss or comment? Visit our forum thread, Google Loses Trust with Sitemaps.

Postscript: It should be stressed that top query data isn't particularly private. Anyone with enough money can buy more extensive data through companies like Hitwise or comScore. The seriousness is really in that what was supposed to be a secure verification system failed. Especially consider Google's words on the system:

8. What is being done to protect my privacy?

We use the verification process to keep unauthorized users from seeing detailed statistics about your site. Only you can see these details, and only once we verify you own the site. We don't use the verification file we ask you to create for any purpose other than to make sure you can upload files to the site. You can read more about our commitment to privacy here.

Postscript 2: Google has sent this statement:

This morning we learned of an issue with the Google Sitemaps tool that may have temporarily enabled users to view statistics about sites they do not own. We acted quickly and fixed the issue. To ensure the security of all sites using the Google Sitemaps tool, we will re-verify all sites added in the last 48 hours.

Posted by Danny Sullivan at 9:22 AM | Permalink

November 17, 2005

Gmail Never Hacked, Google Says

While Red Herring reports that Gmail was vulnerable to hacking, Google says Gmail was never hacked and that Gmail users were never at any serious threat.

According to Google, the vulnerability would only work if someone knowingly provided the authentication token that appears in the browser address field after someone logs in. The token is that big stream of numbers and letters, such as:

http://mail.google.com/mail/?auth=hdhd9dmndsa8a7nmnmnds89a8fnm43nmn4589pnbmnfpnusdaa8

I've bolded it (and the characters are just something I made up, but they illustrate what you might see when logging in).

If you were to give that URL to someone else, then with further work, they might be able to log in to your account.

Of course, if you were to give someone your Gmail account name and password, they might be able to log in to your account as well. Neither situation is likely, but the latter is much more in the realm of possibility.

Regardless, Google says it's since fixed the vulnerability, just to be absolutely safe. As for solving the problem of people sending their much more easily accessible log-in information, that remains up to the user, of course.

FYI, the 5 million Gmail user number in the story didn't come from Google, the company says. It says it still has never disclosed the total number of Gmail users out there.

Posted by Danny Sullivan at 6:56 PM | Permalink

November 9, 2005

Phishing Scam Purports Google To Be Giving Away $400

They might give you $1 to download Firefox, Picasa for free and all the web searches you can eat, but Google is not giving away $400, as an apparent phishing scam is saying. Google phishing scam promises a $400 windfall from News.com has some additional details, and Websense gives even more in this alert, complete with screenshots of the very believable site.

Posted by Danny Sullivan at 5:42 AM | Permalink

May 6, 2005

Google Web Accelerator Raises Worries

The new Google Web Accelerator released earlier this week is raising concerns about data privacy and webmaster issues.

Much Controversy Over Google's Accelerator from Nathan over at Inside Google looks at how the Something Awful forums found that the tool seems to have cached forum pages personalized for a particular user. In other words, those using the software came into the site as if they were logged in as someone else. If true, that's pretty worrisome.

Inside Google also raises the specter of how the software is helping Google keep a record of what everyone does, which it might datamine in various ways. Sure, that's a valid fear. But Google hardly needs Web Accelerator to do it. It already has millions of people using its Google Toolbar. For years, the Google Toolbar has given Google records of what people are looking at all over the web. So monitoring what people do on the web isn't anything new, for Google.

The article touches on issues of how the accelerator might injure site stats, providing some links to disabling it if you are a webmaster. Nathan also suggests that people won't do this, because Google will probably use accelerator data to help rank sites. Ban accelerator, and you'll ban what Google knows about your site -- and potentially then lose rankings.

I wouldn't worry about that at all. Sites have already banned Google from caching their pages and still done well despite this potential big red flag. Don't want accelerator caching your site? Go ahead and ban it.

Nathan's had further posts touching on other issues:

Google Blogoscoped highlights another issue in Google Accelerator Deleting by Prefetching, while Threadwatch points to Fantomaster's How To Block Google's Web Accelerator page.

Want to discuss? Visit our forum threads:

Postscript: News.com's FAQ: Hard facts about Google's Web Accelerator does a Q&A on some of the issues involved with the software.

 

Posted by Danny Sullivan at 12:27 PM | Permalink

March 9, 2005

Using Web Engines to Spread Malware

Websense, a computer security firm, has just released a new report that includes a brief discussion about the use of web engines to spread malware. You can read about the report in the vnunet.com article: Hackers 'poison' search engine results.

"[We] believe that an increase in 'poisoning' search results and DNS servers from the most popular search engines is possible," said report author Dan Hubbard, senior director at Websense.

"In this scenario, attackers ensure that their sites appear high in the return lists of queries. When users visit those sites, they are infected. For example, in a search for anti-spyware a list of sites infected with spyware might actually top the list."

If you would like to read the full text of the report, it's available here.

Posted by Gary Price at 11:03 AM | Permalink

January 18, 2005

Shame On You: Tsunami Search Spammers

From Silicon.com, Tsunami scammers manipulate Google rankings explains that an alleged phishing site is ranking higher on Google than the actual China Charity Federation web site, potentially causing people donating to tsunami relief to send their money to the wrong place.

The site in question, www.chinacharity.cn.net, is still ranking tops at Google despite the web site apparently having been closed down. The site is also ranked first and second at Yahoo, third at Ask Jeeves but not at all at the MSN Search beta.

Kudos to MSN? Well, the official web site of www.china.org.cn is second at Google, tenth at Yahoo and Ask Jeeves but not in the first page of results at all over at MSN. So MSN doesn't send you to the wrong place -- but neither do you get to the right one.

FYI, the story reports that the real site is at www.chinacharity.cn, but that domain isn't working for me. My assumption is that the correct address is the one shown above.

Postscript: A reader tells me chinacharity.cn is the correct site.

Posted by Danny Sullivan at 10:06 AM | Permalink

January 17, 2005

Security Issue With Google Accounts Cookie Said Fixed

Google says it has now fixed a security problem with its Google Accounts service, which provides a cookie-based way for people to log into various Google services.

Last Thursday, Google Blogoscoped pointed to a forum discussion (and also here) that suggested Google's Froogle service in particular might inadvertently let people access Gmail accounts, because account information embedded in the Google cookie could be hijacked.

I emailed Google about this on Friday and received back the following statement:

Google was recently alerted to a potential security vulnerability affecting Froogle. We have since fixed this vulnerability, and all current and future Froogle users are protected.

Spotted via Organized Shopping, eWeek has a nice write-up in Google Plugs Cookie-Theft Data Leak on what happened, with quotes from Nir Goldshlager, a security researcher who spotted the hole. He also warns that anyone who had their cookie stolen would still be at risk.

Posted by Danny Sullivan at 9:45 AM | Permalink

January 12, 2005

Bug Found in Gmail

BetaNews is reporting that UNIX developers at HBX Networks have found a bug in Gmail that, "allows access to other users' personal e-mails. By altering the "From" address field of an e-mail sent to the service, hackers could potentially find out a user's personal information, including passwords." All of the details in the story: Gmail Bug Exposes E-mails to Hackers.

Postscript (from Danny): Google says they've now fixed this, with posts from them in the story above and at Slashdot: Gmail Messages Are Vulnerable To Interception.

Posted by Gary Price at 8:32 PM | Permalink

January 10, 2005

New Tool: Is Your Site Google "Hack" Proof?

The News.com article: McAfee automates Google hacking, introduces SiteDigger 2.0, some new and free software from Net security firm McAfee that will help webmasters see if sensitive info from their site is being indexed and exposed by Google.

The free service should help Webmasters stay informed about what information is out there regarding their sites, said Chris Prosise, vice president of worldwide professional services for security technology company McAfee.

You'll need a Google API license to use SiteDigger 2.0.

Good idea. Sure. However, I don't understand why Google is always the only web engine mentioned when it comes to "hacking." Yes, Google is the most popular engine right now, but other large web databases exist, and simply thinking that sensitive and unsecure info can only be found in one specific web database is not accurate. Here's an August post from Search Engine Optimization and Marketing News North that shows material from MoveOn.org which was then available in Google (and reported on by News.com) was also accessible via Yahoo.

Posted by Gary Price at 4:00 PM | Permalink

January 5, 2005

The Google Webcam "Hack" Story

Several stories and posts on the web today about Google providing access to unsecure webcams. A couple of quick comments:

1) A VNU.net article quotes Duncan Parry saying that webmasters should protect pages from crawlers by using password protection and robots.txt files. Yes, these are good ideas. However, I'll add a caveat. Only using a robots.txt MIGHT NOT keep the url completely out of the Google database. As I've said in the past and others have also pointed out, even if a webmaster utilizes a robots.txt tag on their server, Google might still include the urls (not the text) from the robots.txt blocked pages if they're discovered via links on other pages. Limiting searches to inurl: can often reveal these types of pages. Of course, they can also show up with other types of queries.

In other words, just using robots.txt does NOT mean that the page or pages will not be found in the Google index. As Dan Brandt correctly points out, "filenames can be very revealing."

Bottom Line: I think that the use of robots.txt would be another important topic for the summit that Danny proposed earlier today.

2) The same VNU article points out that Google is currently showing links to about 2000 cameras via this url. However, even if you wanted to look at all 2000 it would be difficult. Google limits search result sets to about 1000 results.

Actually, when you get to the 208th result, the Google duplicate filter kicks in. If you turn the dupe removal filter off, you'll see that many urls are for the same camera.

Posted by Gary Price at 3:16 PM | Permalink

December 22, 2004

Google Now Blocking Santy Worm

The good news is that Google is now blocking the Santy worm.

The bad news is that people in the antivirus and computer security communities believe that Google could have and should have responded sooner.

From a News.com article:

When the Santy.a worm started spreading on Tuesday, Mikko Hypponen [research director for antivirus company F-Secure] knew he had a way to stop the worm in its tracks. The only problem: He had trouble finding the right people to talk to at search giant Google..."It is frustrating from our point of view when we know that one little change could stop this worm, right now," he said Tuesday morning. "Someone over there needs to wake up, get some coffee and shut this thing down."

Timothy Keanini, chief technology officer for security appliance maker NCircle, adds: "The ironic thing is that, with the threat being very well known and with some Google employees being the smartest people in security, they aren't being very responsive to threats that they should have known about," he said.

Google's Marissa Mayer tells News.com: "Security is something that we have to have even more renewed focus on"..."To make information accessible and usable, it's implicit that you have to do it in a secure way. That makes security a precursor to our mission."

Posted by Gary Price at 9:52 AM | Permalink

December 21, 2004

Web Worm Uses Google To Spread

News.com reports that a web worm named Santy is utilizing Google to help it spread to web bulletin boards using the PHP scripting language.

The worm sends Google a specific search request, essentially asking for a list of vulnerable sites. Armed with the list, the worm then attempts to spread to those sites using a PHP request designed to exploit the phpBB bulletin board software.

The worm is the latest twist on using Google as an attack tool, a practice known as Google hacking. It may also be the first time that a program used Google to identify victims for an attack.

More info in this news release from Kaspersky Lab.

Posted by Gary Price at 3:29 PM | Permalink

December 20, 2004

Google Desktop Search: Security Flaw Found and Fixed

John Markoff in the New York Times reports that a computer science professor and two of his students have discovered a "composition flaw" in Google's desktop search application. Google was notified about the problem in November and began distributing a version of GDS with the security flaw fixed on December 10th.

The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw - a security weakness that emerges when separate components interact...The researchers said that the Google security weakness lay in the way that Google Desktop was designed to intercept outgoing network connections from the user's computer.

The Rice researchers said that it was possible for users to tell if their version of the Google program had been patched by examining the "about" page from the Google Desktop icon in the browser task bar. Version numbers above 121,004 indicate a newer edition of the program.

Posted by Gary Price at 10:33 AM | Permalink

December 14, 2004

Gartner Tells Businesses To Stay Away from Google Desktop Search

In Google desktop search not enterprise-ready from News.com, you'll read about Gartner telling businesses to avoid GDS in a corporate setting.

"We have no problem with it being used for personal use," said Gartner research director Maurene Grey. "Our concern is (that) when it is used in a corporation, we have some security and privacy issues. Google says it will collect only nonpersonal data, but in a corporation how can you monitor what's being collected?"

You can read about how desktop search tools might eventually become a new target for virus writers from News.com.

Posted by Gary Price at 5:58 PM | Permalink

October 20, 2004

Google Repairs Security Flaw

In the article: Google fixes security hole, Stefanie Olsen reports that Google has fixed a flaw that was first reported on a Bugtraq list yesterday.

Google's new Desktop Search tool did not prevent a hacker from inserting JavaScript, a programming language, into the Web address of its page image, or logo. "Google was recently alerted to a potential security vulnerability affecting users of our Web site," a company representative said. "We have since fixed this vulnerability, and all current and future Google.com users are protected."

Posted by Gary Price at 9:55 PM | Permalink | Comments (0)

September 15, 2004

Gmail Invites as Phishing Bait

Scammers use Gmail invite as phishing hook Source: News.com

Looks like some scam artists are using the allure of Gmail as bait in a phishing scheme.

Posted by Gary Price at 5:49 PM | Permalink | Comments (0)
