Canadian security experts evaluate Google holes

IT managers should look at employee Web surfing as a security hazard rather than a time waster, analysts say.

Canadian analysts said the two Google-related hacks which surfaced recently should cause IT managers to look at employee Web surfing as a security hazard rather than a time waster.

Earlier this week, independent vulnerability researcher Aviv Raff posted a scenario on his personal blog outlining how a hacker could install malicious software on a system using Google Toolbar. The toolbar's security hole stems from the mechanism the application uses to add new buttons to its user's browser. Raff wrote that ambitious hackers could spoof the origin of their harmful toolbar buttons and launch a phishing attack against their victims. Google spokespeople later confirmed it was working to fix the problem.

Also this week, another Google-focused vulnerability occurred on the California-based search giant's Orkut site. The social networking service was hit with a worm that added hundreds of thousands of users to an Orkut group, called "Infected by the Orkut virus," simply by viewing a malicious Orkut user's profile. The description of the group indicated that the worm was only designed to demonstrate the dangers Orkut posed to users, even without them clicking or accepting a malicious file. The bug did not steal any personal information from the infected users.

And while no damage was done in either of these incidents, some analysts believe it can serve as a warning on the increasingly vulnerability of Web-based applications and social networking sites.

"Now, I don't believe that these stories will usher in a sea change in what PCs in Canadian firms are used for, but they do add to the overall awareness of Web-related vulnerabilities and lead us in the direction of less personal activity occurring on business machines," David Senf, director of security and software research at Toronto-based IDC Canada, said.

James Quin, senior research analyst with Ontario-based Info-Tech Research Group, said that the average user certainly wouldn't be tricked by many of the phishing techniques currently on the Internet. In the case of the Google Toolbar attack, a user would first have to be conned into clicking a Web pop up asking them if they want to install the custom button. After that the user would then have to click the button and agree to run an executable file. And although most experts agree that only the least Web savvy users would be fooled by something like that, the case highlights the broadening scale of attacks on today's Internet.

"For most enterprises, the Google Toolbar thing wouldn't be a problem, because they are going to have content, spam and phishing filters that will block these downloads," Quin said. "But while the Google Toolbar issue, for instance, is not something that is going to be a problem for enterprises in its current incarnation, what it demonstrates is the potential that threats can be leveraged by something seemingly innocuous like a toolbar."

For Quin, the key to the security of any enterprise is its ability to maintain control. And with the proliferation of Web 2.0 applications and Web sites, IT managers need to take the necessary precautions. In the toolbar case, Quin pointed to the newest incarnation of Microsoft Internet Explorer, which has search functionality built right into its toolbar, minimizing the value of Google's tool. He said IT managers need to keep abreast of the latest Web applications in order to inform users of this information.

"Web 2.0 functionalities have been pulled along very quickly," Quin said. "It's slashy, hip and cool, but at the end of the day, I don't think a lot of the potential security issues have been addressed. And a lot of data breaches that occur are not malicious, but rather inadvertent and accidental."

The need to maintain control was also echoed by Senf. He said if there is a business legitimate reason to have certain Web applications running, IT managers will have no choice and will need to adapt to deal with the risks. But, he said, more and more firms will need to take an active role in limiting what potentially unnecessary applications and sites such as the Google Toolbar, Facebook or Microsoft Instant Messenger.

"In doing so, the attack surface is reduced and the potential for something bad happening has likewise been reduced," Senf said. "This may sound draconian -- and may give the appearance that the employee like they're not trusted, but that's not the case. The point is to keep the bad guys out, while running a business."

And while neither analyst advised IT managers to start banning applications like the Google Toolbar anytime soon, both warned that enterprises need to become as aware of potential security risks as they do in concerning themselves with employee productivity drain.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Rafael Ruffolo

ComputerWorld Canada
Show Comments

Most Popular Reviews

Best Deals on PC World

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?