Security Watch

Legal Implications of Google Desktop

An online file storing feature for users, though secure, could get Google stuck in other people's legal quagmires.

• By Russ Cooper
• 03/27/2006

Hacking
Security experts have strongly recommended that businesses carefully consider preventing Google Desktop Beta to be deployed on their networks. A new feature in the beta, called "Search Across Computers," is the cause. The feature allows users to store files from their computers on Google servers so you can access them while at other computers. It's not rocket science: If you let your users store their files on Google's servers (or anyone else's for that matter), you certainly have the potential to lose sensitive information, customer contacts, sales leads, your IPO information…in other words, anything and everything you might deem valuable to your company that could be transmitted electronically.

But as Google appropriately pointed out in their press release, the same is true if you don't control e-mail. Sending attachments out of your organization is no difficult task. Search Across Computers, however, certainly introduces the possibility that a user transmits your information without their knowledge. It relies on users telling it which folders to make available, rather than individual files, so a user could inadvertently put something into a shared folder that shouldn't have been shared. I should also mention that the feature is disabled by default in the beta, so a user has to make the choice to enable it. It seems to me that Google has taken the appropriate security stance with the feature.

One has to wonder, however, whether Google considered the potential legal implications, especially to themselves. If I was going to sue Company A, and found out one or more of their users was using this feature, I could subpoena Google to get copies of anything Company A's users might have stored on Google's servers. Google did say the data would only be stored there for 30 days, but regardless, backups might exist or the subpoena might be presented in a timely fashion. Either way, Google certainly stands at risk of filling their days satisfying subpoena requests. I won't even get into the possibility that the police might want to make daily scans looking for porn, or the recording industry looking for copyright violations...

Novell Common Authentication Service Adapter (CASA) Buffer Overflow Vulnerability: Novell Common Authentication Service Adapter contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code with elevated privileges. Patches are available.

The vulnerability exists in the Linux version, not the Windows or Mac versions. If SSH is installed also, then remote exploitation is possible by connections to SSHd. Also, the nature of CASA is to allow for single sign-on, so if other applications are employing it to perform authentication from remote clients, then those too are potential attack vectors.

Denial of Service
NetCraft is reporting that blogs are becoming targets for DDoS attacks. According to Darren Rowse, his ProBlogger blog was attacked -- a site he says earned more than $100,000 in 2005 through advertising. Michelle Malkin's blog was also attacked after she led a movement to mirror the controversial Dutch cartoons of the Prophet Mohammad.

Blogs may be targets, but it sure sounds like someone is reaching for a story line here. Why shouldn't blogs be attacked, as any other Internet resource might be? A blog is less likely to have the resources to defend itself against attack and may be less well connected to its service provider because the revenue model is less obvious (or just less). But there's no reason to believe that blogs won't be considered targets.

Malicious Code
A U.K. security firm has announced they have tracked 150,000 bot-controlled PCs to a single spam distribution scam which is sending out 50 million identical spam messages every day. They say this leads them to believe that spammers are adopting stealthy tactics attempting to perform their criminal activities on compromised systems without the victims noticing the activity.

From this we're supposed to be impressed with the intelligence of these criminals for attempting to fly under the radar, but honestly, what smart person sends out 50 million identical pieces of spam every day? It's highly unlikely, if not impossible, that the spammers have "good" e-mail addresses, so their scatter-gun approach belies their alleged intelligence at flying under the radar.

Want More Security? This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Human Factors
An IT training firm in the U.K. conducted a stunt (or promotion, depending on your feelings about it) to demonstrate that users in London's Golden Mile, its financial district, need more security training. They stood alongside the road and handed out CDs claiming to contain a special Valentine's Day promotion. While no numbers have been provided, a spokesperson for the firm indicated that the CD, when inserted, would "call home" to the firm indicating the user had run it.

The CDs had written on the outside that you ought not to do this because it might be a violation of policy. Despite this, some employees ran the CDs anyway.

Governance
The U.K.'s Internet Service Providers Association (ISPA) awarded the British government with its "Internet Villain of the Year Award" for pushing through the "data retention directive" that forces ISPs to retain customer data for two years.

Those who wrote the regulations are getting upset that their own words are being used too strictly or too harshly by auditors. The auditors are taking the "mays" and turning them into "musts." Not the first time we've seen that happen.