Googlified

Google now has a page on their site where you can report sites that you suspect hosting malicious software. Previously, Google recommend you to report the suspecting sites on StopBadware.org.

[via Google Online Security Blog]

MustLive from WebSecurity.com.ua [Ukrainian] found a XSS vulnerability in Google Search Appliance, “an integrated hardware and software search appliance used by thousands of organizations to find and share information on corporate networks or websites” [Google Press Release, Sept. 2006], including the United Nations and MI5.

What does that mean? Well, it differs from site to site. Some sites may only be affected a little bit while important data (e.g. user info, password, etc…) of some other sites may end up in the wrong hands.

“Security is only there to keep the good guys good.” - Ronald van den Heetkamp

[via Ha.ckers.org]

A longer password doesn’t always mean securer, but most likely it will. That’s why Google now requires new users to have a password of at least 8 characters (it was 6 characters, I think). The new requirement also applies if you are changing your password.

Google has a page that offers tips for choosing a secure password and what things to avoid when creating a password if you are scratching your head for a Kennwort.

And no, my security question is not “What was your first phone number?” :)

[hat tip to Avrohom]

YouTube’s Help Center says when you set your YouTube videos private, they “will only be viewable by those select members” you gave permission to. Well, that’s just like Gmail saying “you’ll never need to delete another message” - no guarantee.

I don’t know whether Google’s considering this a feature or not, given that it’s been around for a really long time, but sure it isn’t something the privacy advocates on YouTube would like: you can download any private videos. :)

Now, the impatient you ask, “How can I download a private YouTube video then?” It’s so darn easy, just enter the video ID in the text field below and click on “Get Video”. Voilà! (finding a private video isn’t that easy though)

“Your privacy is an illusion“, love that. :D

Google Docs now allows users to hide their document from the “All items” view and the ability to sort the documents by the name, date of last update, and how you share the document. You can also sort the documents by their star-status.

Now I am really concerned about Google Docs’ security after I found a XSS vulnerability in ThinkFree Online (reported, but not yet fixed). This is logically hypothetical: if a XSS vulnerability is present in Google Docs (which is very likely), then all active users’ documents may be accessible to, err, the bad guys.

So wouldn’t it be nice if there’s a feature that allows users to add an additional security layer (like requiring users to verify password) for the documents/folders the users choose to protect?

Comparing the number of new blogs Google’s been creating, I knew there would be another acquisition coming. Sure enough, Google today announced that they have acquired Postini, “a company that offers security and corporate compliance solutions for email, IM, and other web-based communications”, in Google’s word.

The acquisition will cost Google $625 million in cash, according to this FAQ Google provides. Postini will become a wholly-owned subsidiary of Google after the acquisition, but Google would probably use their technology to improve Google Apps’ security.

Postini already serves more than 35,000 businesses and 10 million users and was one of [Google’s] first Google Enterprise Partners for Google Apps.

More details about the acquisition can be found on the Official Google Blog, Google Enterprise Blog, this FAQ, and their press release on this acquisition.

related: Google Acquired GreenBorder

RSnake of web security site Ha.ckers.org reports a serious XSS vulnerability in Google’s online office suite - Google Docs, that’s used by hundreds of thousands users and businesses.

Technically, one can inject malicious code into a document and trick Google Docs so whenever a logged-in Google user visits the Google Docs document, the user’s cookies will be sent and recorded on a non-Google server. Non-technically, some bad guys can have full access to your Google Docs documents without your knowledge and do whatever they want, if you step on a wrong site. I advise you to only visit trusted sites or install AdBlock Plus and configure to block the Google Docs’ site. I heard that it helps, can’t guarantee though.

Another vulnerability, not a direct threat to your Google data, but to the sites that uses Google’s Custom Search Engine. So just as above, some bad guys can steal your data (information) of whatever site you are on.

Also, security research Christian posted an ultimatum on the Sla.ckers’ forum regarding to multiple security holes in the YouTube system that can cause a privacy concern for YouTube users. He said that he would fully disclose the vulnerabilities in two weeks if Google doesn’t work with him to solve the issue. This is after he informed the Google security team, which handled his email carelessly.

None of these seem to be fixed as I am writing this, so keep an careful eye on the sites you are visiting. Good luck. :)

Google on May 11 acquired an online security company called the GreenBorder Technologies.

Headquartered in Mountain View, California, GreenBorder Technologies was founded in 2001 to bring a new approach to enterprise security. GreenBorder, the industry’s first Desktop DMZ software for Windows, keeps Internet invaders out and enterprise data in. It allows users to safely connect anywhere, go to any website, open any Internet email or attachment, and use any downloaded files without worry. GreenBorder’s unique, signature-less approach never needs updating and provides continuous protection against corruption, theft and invasion of business data systems.

[cache of GreenBorder’s About page from Internet Archive]

Featured on eWeek in 2005, Andrew Garcia called it “a novel approach to combating Microsoft Corp. Outlook- or Internet Explorer-borne malware.” And according to KeyLabs (now part of AppLabs), “GreenBorder was broader than and superior to that afforded by traditional anti-spyware and antivirus packages.”

Just as most of the other companies Google acquired, GreenBorder will not accept new customers until the product is relaunched as a Google property (hopefully for free). Existing customers, of course, will “continue to have uninterrupted access to [their] GreenBorder products!”

[thanks Jay Neely]