Legal Implications of Google Desktop
An online file-storing feature for users, though secure, could get Google stuck in other people's legal quagmires.
Security experts have strongly recommended that businesses carefully consider
preventing Google Desktop Beta from being deployed on their networks. The cause
is a new feature in the beta called "Search Across Computers." It lets users
store files from their computers on Google's servers so they can search and
access them from other computers. It's not rocket science: if you let your users
store their files on Google's servers (or anyone else's, for that matter), you
certainly have the potential to lose sensitive information, customer contacts,
sales leads, your IPO information: in other words, anything and everything you
might deem valuable to your company that could be transmitted.
But as Google appropriately pointed out in its press release, the same is true
if you don't control e-mail: sending attachments out of your organization is no
difficult task. Search Across Computers, however, certainly introduces the
possibility that a user transmits your information without knowing it. The
feature relies on users choosing which folders to make available, rather than
individual files, so a user could inadvertently drop something into a shared
folder that shouldn't have been shared. I should also mention that the feature
is disabled by default in the beta, so a user has to make the choice to enable
it.
it. It seems to me that Google has taken the appropriate security stance with
One has to wonder, however, whether Google considered the potential legal
implications, especially to itself. If I were going to sue Company A and found
out one or more of its users was using this feature, I could subpoena Google for
copies of anything Company A's users had stored on Google's servers. Google did
say the data would only be stored there for 30 days, but regardless, backups
might exist, or the subpoena might simply arrive within that window. Either way,
Google certainly stands at risk of filling its days satisfying subpoena
requests. I won't even get into the possibility that the police might want to
make daily scans looking for porn, or the recording industry looking for
copyright violations...
Novell Common Authentication Service Adapter (CASA) Buffer Overflow Vulnerability:
Novell Common Authentication Service Adapter contains a buffer overflow that
could allow a remote attacker to execute arbitrary code with elevated
privileges. Patches are available.
The vulnerability exists in the Linux version, not the Windows or Mac versions.
If SSH is also installed, the flaw can be exploited remotely through connections
to sshd. Also, the purpose of CASA is single sign-on, so if other applications
use it to authenticate remote clients, those applications are potential attack
vectors too; treat any network-facing service that authenticates through CASA as
exposed until the patch is applied.
Denial of Service
NetCraft is reporting that blogs are becoming targets for DDoS attacks.
According to Darren Rowse, his ProBlogger blog was attacked; it's a site he
says earned more than $100,000 in 2005 through advertising. Michelle Malkin's
blog was also attacked after she led a movement to mirror the controversial
Danish cartoons of the Prophet Mohammad.
Blogs may be targets, but it sure sounds like someone is reaching for a story
line here. Why shouldn't blogs be attacked, as any other Internet resource
might be? A blog is less likely to have the resources to defend itself against
attack, and may be less well connected to its service provider, because its
revenue model is less obvious (or just smaller). But there's no reason to
believe that blogs won't be considered targets.
A U.K. security firm has announced that it has tracked 150,000 bot-controlled
PCs to a single spam distribution scam that is sending out 50 million identical
spam messages every day. The firm says this leads it to believe that spammers
are adopting stealthy tactics, attempting to carry out their criminal activity
on compromised systems without the victims noticing. From this we're supposed
to be impressed by the intelligence of these criminals for attempting to fly
under the radar, but honestly, what smart person
sends out 50 million identical pieces of spam every day? It's highly unlikely,
if not impossible, that the spammers have "good" e-mail addresses,
so their scatter-gun approach belies their alleged intelligence at flying under
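As an added example (not part of Cooper's column), here is a small Python script that shows why that much identical mail is easy to spot from the receiving side: it clusters messages by a normalized body fingerprint and flags any cluster fanning out from several source addresses. The log format, the log lines, and the threshold are constructed for the example; they are not from any real gateway.

```python
"""Spot a bulk spam campaign by clustering near-identical message bodies
sent from many hosts.  Added example; constructed data, not real traffic."""
import hashlib
import re
from collections import defaultdict

# Constructed mail-gateway log, made up for this example.
# Format per line: "<source-ip> <envelope-sender> <subject> | <body>"
SAMPLE_LOG = """\
203.0.113.10 ann@example.com Q1 report | Attached is the Q1 report we discussed.
198.51.100.5 promo@mail.example Cheap meds | CHEAP MEDS!!! Visit http://pharma.example/ now
198.51.100.9 promo@mail.example cheap meds | cheap meds visit http://pharma.example/ now.
198.51.100.23 deals@mail.example Cheap Meds | Cheap meds -- visit http://pharma.example/ now!
203.0.113.77 deals@mail.example Cheap meds | Cheap meds, visit http://pharma.example/ NOW
203.0.113.78 bob@example.org Lunch? | Lunch at noon?
203.0.113.79 bob@example.org Lunch? | Lunch at noon?
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*?) \| (.*)$")


def parse_log(text):
    """Yield (ip, sender, subject, body) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def normalize(body):
    """Lower-case, strip punctuation and collapse whitespace so cosmetic
    tweaks (case, exclamation marks, trailing periods) still map to one body."""
    body = re.sub(r"[^a-z0-9 ]+", " ", body.lower())
    return " ".join(body.split())


def fingerprint(body):
    """Short, stable identifier for a normalized body."""
    return hashlib.sha256(normalize(body).encode()).hexdigest()[:16]


def find_campaigns(log_text, min_sources=3):
    """Group messages by body fingerprint and return every group that was sent
    from at least `min_sources` distinct IPs, largest group first.  One body
    fanning out from many hosts is the signature of bot-driven bulk spam."""
    sources = defaultdict(set)   # fingerprint -> set of sending IPs
    counts = defaultdict(int)    # fingerprint -> number of messages
    sample = {}                  # fingerprint -> first subject seen
    for ip, _sender, subject, body in parse_log(log_text):
        fp = fingerprint(body)
        sources[fp].add(ip)
        counts[fp] += 1
        sample.setdefault(fp, subject)
    campaigns = [
        {"fingerprint": fp, "sources": len(ips),
         "messages": counts[fp], "sample": sample[fp]}
        for fp, ips in sources.items()
        if len(ips) >= min_sources
    ]
    return sorted(campaigns, key=lambda c: (c["sources"], c["messages"]), reverse=True)


if __name__ == "__main__":
    for c in find_campaigns(SAMPLE_LOG):
        print(f"{c['fingerprint']}  hosts={c['sources']}  "
              f"msgs={c['messages']}  subject={c['sample']!r}")
```

With the sample log the four "cheap meds" variants collapse to one fingerprint seen from four hosts and are reported; the two identical "Lunch?" messages come from only two hosts and stay below the threshold. On a real gateway the same grouping, with the threshold set from observed baseline fan-out, is what turns "50 million identical messages" into a single rule rather than 50 million decisions.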
This column was originally published in our weekly Security Watch newsletter.
An IT training firm in the U.K. conducted a stunt (or promotion, depending
on your feelings about it) to demonstrate that users in London's Square Mile,
its financial district, need more security training. They stood alongside the
road and handed out CDs claiming to contain a special Valentine's Day promotion.
While no numbers have been provided, a spokesperson for the firm said that the
CD, when inserted, would "call home" to the firm, indicating that the user had
run it.
The CDs stated on their labels that you ought not to run them because doing so
might violate company policy. Despite this, some employees ran them anyway.
Awareness training helps, but the more reliable control is technical: disable
AutoRun for removable media so that inserting a disc never executes anything on
its own.
The U.K.'s Internet Service Providers Association (ISPA) gave the British
government its "Internet Villain of the Year Award" for pushing through the
"data retention directive," which forces ISPs to retain customer data for two
years.
Those who wrote the regulations are getting upset that their own words are
being applied too strictly or too harshly by auditors, who are taking the
"mays" and turning them into "musts." Not the first time we've seen that
happen.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.