Staff Writer, CNET News.com
When the Santy.a worm started spreading on Tuesday, Mikko Hypponen knew he had a way to stop the worm in its tracks. The only problem: He had trouble finding the right people to talk to at Google.
The Santy.a worm used the search engine to select potential victims. Armed with the list, the worm sent code designed to compromise the potentially vulnerable sites. Because its search engine was a linchpin for the attack, if Google had been ready for the eventuality, the company could have stopped the worm cold, said Hypponen, the research director for antivirus company F-Secure.
"It is frustrating from our point of view when we know that one little change could stop this worm, right now," he said Tuesday morning. "Someone over there needs to wake up, get some coffee and shut this thing down."
By the time Google put defenses in place, as many as 40,000 sites had been defaced by the worm, according to search statistics from Microsoft's search engine, a competitor to Google's service. By late Tuesday, Google had set up filters to weed out the worm's queries and prevent its spread. The company did not address why it took as long as it did to respond to antivirus makers' requests.
The worm attack spotlights the dark side of Google's success: The search giant has become a target, and tool, for hackers. With the release of its desktop search software and its e-mail service, Gmail, the company has an increasing number of applications and services that have to be checked for security. Google has quickly found that the seeming legions of security hobbyists and professionals are perfectly willing to find and publicize flaws, whether the company approves or not.
"More people are looking at us from a security analysis standpoint, because there are more applications out from Google, and we are also higher profile," said Marissa Mayer, director of consumer Web products for the company.
From malicious hackers using Google to hunt for sensitive information, to the increasing scrutiny of the security of Google's services and software, the search giant's popularity has a significant downside.
"Market leadership is a double-edged sword in that you have a special responsibility to be accountable," said Debbie Fry Wilson, director of product management for the security response center at Microsoft, a rival of Google in search and some Internet services. "At the same time, you have become an attractive target."
It's a situation with which Microsoft has experience. The software giant has had numerous flaws pointed out by security professionals, sometimes without giving the company a chance to design a fix for the problem. In addition, Microsoft's Web sites and e-mail service on the Microsoft Network, or MSN, have repeatedly come under attack.
"It is hard to say what motivates malicious attackers," Wilson said. "From Microsoft's perspective, since we have such market penetration, that's why we have become a target."
Security researchers have found several flaws in the last few months in Google's popular, albeit still in test mode, products. This week, university researchers publicized a flaw they found in the company's desktop search product, which could have opened users to attack from the Internet. Another security researcher found a flaw in Google's Groups service. The company fixed that flaw this weekend, the researcher said in an e-mail to CNET News.com.
While the company has become a target for flaw finders, it has also become a valuable tool for attackers. The reliance on Google's ability to find information about Web sites has security experts and attackers alike using the company's database to find sites with the latest flaws. Known as Google hacking, the activity mines Google's search for specific signs of flaws or sensitive information.
"The spidering that Google does prior to searching is a great resource for reconnaissance information," said Timothy Keanini, chief technology officer for security appliance maker NCircle.
Yet the search engine is not just being used by attackers. Malicious programmers are now coding their tools to automatically use the search engine as well.
The Santy.a worm, which started spreading Tuesday, searched through the Google database for signs of Web sites that were vulnerable to a specific flaw in phpBB. A variant of the MyDoom virus attempted to use Google and other search engines to find additional e-mail addresses to which it could send copies of the virus.
These threats have evolved slowly enough that Google should have been ready, said NCircle's Keanini.
"The ironic thing is that, with the threat being very well known and with some Google employees being the smartest people in security, they aren't being very responsive to threats that they should have known about," he said.
The latest attack threw a curve ball at the search giant. While the company had learned to fend off the large influx of data that results from a denial-of-service, or DoS, attack, having its search engine become a core component of a worm is relatively new. Antivirus researchers, however, warned about viruses using the company's search features just the week before.
"I think their security response team is geared toward protecting Google," said F-Secure's Hypponen of Google's response to the Santy worm. "This worm is not attacking Google, but using Google to attack others. They weren't ready for that."
Google says it knows that security needs to be a primary focus for the company.
Mayer stressed that Google has rigorously tested its products internally and conducts extensive beta tests. In fact, many of the products in which vulnerabilities are found are beta versions the company is publicly testing. The desktop search application in which university researchers found a flaw was in beta. Moreover, Google reacted quickly to that report, Mayer said. Still, she stressed that the battle is far from over.
"Security is something that we have to have even more renewed focus on," Mayer said.
The company has put some thought into its product security. When a flaw was found in its desktop search software, Google had the tools to automatically update all its users. That's a lesson that took a few years for Microsoft—and Windows users—to learn. Where Windows Update used to always ask before installing any new updates, with the latest security update to Windows XP, known as Service Pack 2, the default setting calls for automatic installation.
"Market leaders have to realize that customers have to be protected against potential risks...without making it an onerous process for them," said Microsoft's Wilson. "The ideal scenario is that those kinds of attacks would not be able to penetrate, or you closed down the vectors."
Like Microsoft, Google has made a broad push to hire security people. Nearly a dozen job listings for software security engineers and operations security are posted on the company's site.
Those security professionals will have their work cut out for them, because some of Google's security risks are hardly any different from their security products, said Mike Murray, director of vulnerability research for NCircle.
"There is a tough balance between providing information to customers and providing information that can be harmful in the hands of an attacker," he said. "Many times, the product they provide is no different from the vulnerability itself."
In the latest incident, a proactive security expert could search for Web servers running a vulnerable version of phpBB to warn the Webmaster of the issue. To Google, however, such a search would look no different than an attack.
"You are at a point where intention of the user becomes the actual qualifier," Murray said. "Google doesn't know who is sitting on the other side of the request."
Even for Google, divining intent may be too tall an order. Yet the company is all about finding the right information, so it's unlikely to give up easily.
"Google's mission is to organize the world's information," Mayer said. "To make information accessible and usable, it's implicit that you have to do it in a secure way. That makes security a precursor to our mission."