Google facing Microsoft-style security, image issues
Tuesday January 11, 2005 (12:03 PM GMT)
Topic: Businesses
By: Jay Lyman
http://software.itmanagersjournal.com/software/05/01/05/0132217.shtml

A series of security issues around search superstar and open source poster child Google's software have been mitigated to the point that users are not at risk, but in the process of studying Google's security, the world is learning more about the code that makes Google go.

While Google is a well-known open source user and advocate -- and in fact, is a prime example of the advantages of Linux and open source from the start -- its use of open source, which is believed to be quite extensive, is largely kept quiet. Nevertheless, the company's increasing exposure -- both in the media and in the crosshairs of computer attackers -- is giving it some new challenges.

Some of those security issues and top-dog-targeting are the baggage that comes with such exposure, which recently included a 60 Minutes segment. Despite its do-gooder approach that turns traditional tech business culture on its head, the challenges facing Google are also reminiscent of another software company that quickly ascended to supremacy: Microsoft.

Insecurity and image

The PHP exploit issues of last month paved the way for Google to be used maliciously by the Santy worm as it searched for more victims. The issue had been addressed with an update before the virus spread and Google managed to win some praise for its response to a security hole in its desktop search and the Santy worm as last year wound down. However, there was also criticism that earlier desktop search issues and the spread of the worm were answered by Google gaffes.

In addition, as the source code for Santy surfaced in the attacker underground, security experts also indicated that search engines and desktop searches -- now pitting dominant players such as MSN and Yahoo against Google for market share -- will be an increasing tool for attackers.

Some analysts, such as Webroot vice president of threat research Richard Stiennon, indicate that attackers may even look to download desktop search tools along with Trojans and backdoors to assist in ill deeds.

Along with the increased security dangers comes a responsibility to respond appropriately. The begrudged and forced response from Microsoft to increasingly quick vulnerability exploitation is an example of how bad it can get. Google, it appears, is trying to learn from Microsoft's and others' mistakes and proactively work to ensure its products are rolled out securely.

Nevertheless, Google is now the kind of target -- for both computer attackers and competitors -- that Microsoft made itself, albeit for different reasons. With dominance comes a need for defense, and as the rush of search engine announcements ending the year illustrated, security is not the only priority of providers.

Google may also be experiencing some of the image backlash that comes with a dominant position. The company's open source dedication has been questioned, with some saying Google has only benefited from open source without paying back.

Secret open source

Google is a reported user of Linux, Apache, MySQL, PostgreSQL, PHP, Perl, Python, and other open source software, and there is no doubt that it has, in fact, benefited from open source. Some who use the company as an example of open source in action indicate that Google's success is payback enough. However, the company is far from vocal about the software it uses, regardless of whether it is open source or not.

IDC analyst Sue Feldman said while the basic pieces of Google's search engine are very well known, the search algorithms and associated code are as secret as anything Redmond's ever had. "They're very proprietary about that, and rightly so," Feldman said, referring to hundreds of various software elements that are included in the search formula. "That's sort of their secret sauce."

Closing holes, opening code

Google's use of open source may be limited largely to speculation beyond the basic building blocks of its search engine and site, but recent security issues and Google's response have provided more detailed and concrete evidence of its FOSS use.

In an advisory from Netcraft last October, when Google was forced to respond to a phishing vulnerability in its Web search, the Internet analysis company indicated that it had stumbled upon Google source code when confirming an application error.

"Interestingly, while confirming the fix, Netcraft discovered another application error, which this time revealed fragments of the source code, file structures and application logic that powers the mysterious search behemoth, which we have in turn reported back to Google," Netcraft said. "At a glance, it is not clear whether the web application stack trace would be useful to an attacker; however, it does confirm the widely held belief that Google are users of the Python programming language."

iDefense director of malicious code intelligence Ken Dunham warned that search engines will increasingly come under attack by, and be used by, attackers. The security expert also said that with their evolutionary approach to attacking computers and software, attackers will also be benefiting from open disclosure of closed code such as Google's search technology.

"Certainly, everybody learns from history, and history does repeat itself," Dunham said. "Cyber criminals are certainly getting tricks from the people before them, so it's a case of been there, done that."

Dunham, who said the amount of communication and media coverage around Google and other search engine and software vulnerabilities will also draw "malicious actors" to the technology, added that the companies have an obligation to security.

"Search engines have to realize now they are responsible for how their services are used and abused," Dunham said. "They need to ramp up security accordingly."
