Canadian security experts evaluate Google holes

IT managers should look at employee Web surfing as a security hazard rather than a time waster, analysts say.

Canadian analysts said the two Google-related hacks which surfaced recently should cause IT managers to look at employee Web surfing as a security hazard rather than a time waster.

Earlier this week, independent vulnerability researcher Aviv Raff posted a scenario on his personal blog outlining how a hacker could install malicious software on a system using Google Toolbar. The toolbar's security hole stems from the mechanism the application uses to add new buttons to its user's browser. Raff wrote that ambitious hackers could spoof the origin of their harmful toolbar buttons and launch a phishing attack against their victims. Google spokespeople later confirmed the company was working to fix the problem.

Also this week, another Google-focused vulnerability surfaced on the California-based search giant's Orkut site. The social networking service was hit with a worm that added hundreds of thousands of users to an Orkut group called "Infected by the Orkut virus" when they simply viewed a malicious Orkut user's profile. The description of the group indicated that the worm was only designed to demonstrate the dangers Orkut posed to users, even without them clicking or accepting a malicious file. The bug did not steal any personal information from the infected users.

And while no damage was done in either of these incidents, some analysts believe they can serve as a warning about the increasing vulnerability of Web-based applications and social networking sites.

"Now, I don't believe that these stories will usher in a sea change in what PCs in Canadian firms are used for, but they do add to the overall awareness of Web-related vulnerabilities and lead us in the direction of less personal activity occurring on business machines," David Senf, director of security and software research at Toronto-based IDC Canada, said.

James Quin, senior research analyst with Ontario-based Info-Tech Research Group, said that the average user certainly wouldn't be tricked by many of the phishing techniques currently on the Internet. In the case of the Google Toolbar attack, a user would first have to be conned into clicking a Web pop-up asking them if they want to install the custom button. The user would then have to click the button and agree to run an executable file. And although most experts agree that only the least Web-savvy users would be fooled by something like that, the case highlights the broadening scale of attacks on today's Internet.

"For most enterprises, the Google Toolbar thing wouldn't be a problem, because they are going to have content, spam and phishing filters that will block these downloads," Quin said. "But while the Google Toolbar issue, for instance, is not something that is going to be a problem for enterprises in its current incarnation, what it demonstrates is the potential that threats can be leveraged by something seemingly innocuous like a toolbar."

For Quin, the key to the security of any enterprise is its ability to maintain control. And with the proliferation of Web 2.0 applications and Web sites, IT managers need to take the necessary precautions. In the toolbar case, Quin pointed to the newest incarnation of Microsoft Internet Explorer, which has search functionality built right into its toolbar, minimizing the value of Google's tool. He said IT managers need to keep abreast of the latest Web applications in order to inform users of this information.

"Web 2.0 functionalities have been pulled along very quickly," Quin said. "It's flashy, hip and cool, but at the end of the day, I don't think a lot of the potential security issues have been addressed. And a lot of data breaches that occur are not malicious, but rather inadvertent and accidental."

The need to maintain control was also echoed by Senf. He said if there is a legitimate business reason to have certain Web applications running, IT managers will have no choice and will need to adapt to deal with the risks. But, he said, more and more firms will need to take an active role in limiting potentially unnecessary applications and sites such as the Google Toolbar, Facebook or Microsoft Instant Messenger.

"In doing so, the attack surface is reduced and the potential for something bad happening has likewise been reduced," Senf said. "This may sound draconian -- and may give the appearance to employees that they're not trusted, but that's not the case. The point is to keep the bad guys out, while running a business."

And while neither analyst advised IT managers to start banning applications like the Google Toolbar anytime soon, both warned that enterprises need to become as aware of potential security risks as they are of employee productivity drain.


Rafael Ruffolo

ComputerWorld Canada