Philosophically Secure

Eugene Kogan’s blog on all things relevant, especially information security

Archive for the 'google' Category

Web Security

Google has some good content about web security available on their Google Code University portal. There’s introductory course material, and even some videos. The one titled “How to Break Web Software” is pretty interesting.


G-Archiver is evil

This is a great lesson in why not to blindly trust random software that you find on the Internet. G-Archiver, a program created to help users locally save their Gmail messages, has a piece of code in it that sends your Gmail login and password to the author. You can see a scary screen shot of his inbox, since the guy had his own Gmail credentials hard coded right into the program, which was obviously discovered.

The details are at SANS ISC (source code) and Coding Horror (screen shot).


Interview with Vint Cerf

This short interview with Vint Cerf, by Dark Reading, gives an inside look at Vint’s daily life. He talks a lot about his role at Google, as well as his many other responsibilities. I’m always amazed at how someone can be actively and productively involved in several organizations, all at once. He also mentions some of his personal hobbies and aspirations beyond work, as well as his opinion on improving Internet security. For example, the one person Vint says he would love to meet is Richard Dawkins. That alone should give you some insight into his beliefs.


Google Business Apps More Secure?

According to SC Magazine, the newly released Google business application suite provides greater security than locally controlled applications, such as MS Office. I agree with some of their points. It’s true that application patches to Google’s offerings will be applied automatically by Google. However, how do you, as the customer, know that these patches won’t break a feature that you rely on? Regardless, you don’t have the option to apply a patch sooner, or skip it altogether.

Since these Google applications are obviously all web-based, users now have to worry about additional exposure to web-based attacks, such as cross-site scripting. Also, are your proprietary word processor and spreadsheet documents more secure stored on a Google server, or locally? That depends on how well you do local security, but with the Google option the control is not in your hands. A business must rely on Google to keep its data confidential and out of the hands of its competitors.

As for availability, a business that is dependent on Google applications would be in serious trouble if the server went down, or if they were having Internet connectivity problems. I would say keeping a frequently updated local backup is a must. Those of us who use Gmail are very familiar with the occasional “server unavailable” message.

On the more positive side, I think this could be a great feature to get a business up and running with minimal infrastructure costs. As the business grows and it needs more functionality and control over its information, it could easily migrate to a standard business application suite.


Google Desktop Vulnerability

A research paper released today by Watchfire talks about a possible vulnerability in Google Desktop [pdf]. They were able to exploit flaws in the application and its integration with the web to obtain “remote and persistent access” to data on the target system. This was just announced, so we’ll have to see if it stands up to scrutiny. At first glance, the paper seems reasonable, but the situation has to be just right to successfully attack a system, and may require getting the user to click on a malicious link.
