Google's search for security

When the Santy.A worm started spreading on Tuesday, Mikko Hypponen knew he had a way to stop the worm in its tracks. The only problem: He had trouble finding the right people to talk to at Google.

The Santy worm used the search engine to select potential victims. Armed with the list, the worm sent code designed to compromise the potentially vulnerable sites. Because its search engine was a linchpin for the attack, if Google had been ready for the eventuality, the company could have stopped the worm cold, said Hypponen, the research director for antivirus company F-Secure.

"It is frustrating from our point of view when we know that one little change could stop this worm, right now," he said Tuesday morning. "Someone over there needs to wake up, get some coffee and shut this thing down."

News.context

What's new:
With malicious hackers, and now worms themselves, using Google to wreak havoc, the search powerhouse is getting a taste of the dark side of success.

Bottom line:
Google is aware that security is a priority, but it has its work cut out for it. Its mission, after all, involves making it easy for people to find information. But "people" can include troublemakers, and even Google would have a hard time determining the intent--benign or malignant--of its users.

More stories about Google and security

By the time Google put defenses in place, as many as 40,000 sites had been defaced by the worm, according to search statistics from Microsoft's search engine, a competitor to Google's service. By late Tuesday, Google had set up filters to weed out the worm's queries and prevent its spread. The company did not address why it took as long as it did to respond to antivirus makers' requests.

The worm attack spotlights the dark side of Google's success: The search giant has become a target, and tool, for hackers. With the release of its desktop search software and its e-mail service, Gmail, the company has an increasing number of applications and services that have to be checked for security. Google has quickly found that the seeming legions of security hobbyists and professionals are perfectly willing to find and publicize flaws, whether the company approves or not.

"More people are looking at us from a security analysis standpoint, because there are more applications out from Google, and we are also higher profile," said Marissa Mayer, director of consumer Web products for the company.

From malicious hackers using Google to hunt for sensitive information, to the increasing scrutiny of the security of Google's services and software, the search giant's popularity has a significant downside.

"Market leadership is a double-edged sword in that you have a special responsibility to be accountable," said Debbie Fry Wilson, director of product management for the security response center at Microsoft, a rival of Google in search and some Internet services. "At the same time, you have become an attractive target."

It's a situation with which Microsoft has experience. The software giant has had numerous flaws pointed out by security professionals, sometimes without giving the company a chance to design a fix for the problem. In addition, Microsoft's Web sites and e-mail service on the Microsoft Network, or MSN, have repeatedly come under attack.

"It is hard to say what motivates malicious attackers," Wilson said. "From Microsoft's perspective, since we have such market penetration, that's why we have become a target."

Security researchers have found several flaws in the last few months in Google's popular, albeit still in test mode, products. This week, university researchers publicized a flaw they found in the company's desktop search product, which could have opened users to attack from the Internet. Another security researcher found a flaw in Google's Groups service. The company fixed that flaw this weekend, the researcher said in an e-mail to CNET News.com.

While the company has become a target for flaw finders, it has also become a valuable tool for attackers. The reliance on Google's ability to find information about Web sites has security experts and attackers alike using the company's database to find sites with the latest flaws. Known as Google hacking, the activity mines Google's search for specific signs of flaws or sensitive information.

"The spidering that Google does prior to searching is a great resource for reconnaissance information," said Timothy Keanini, chief technology officer for security appliance maker NCircle.

Yet the search engine is not just being used by attackers. Malicious programmers are now coding their tools to automatically use the search engine as well.

The Santy.A worm, which started spreading Tuesday, searched through the Google database for signs of Web sites that were vulnerable to a specific flaw in phpBB. A variant of the MyDoom virus attempted to use Google and other search engines to find additional e-mail addresses to which it could send copies of the virus.

These threats have evolved slowly enough that Google should have been ready, said NCircle's Keanini.

"The ironic thing is that, with the threat being very well known and with some Google employees being the smartest people in security, they aren't being very responsive to threats that they should have known about," he said.

The latest attack threw a curve ball at the search giant. While the company had learned to fend off the large influx of data that results from a denial-of-service, or DoS, attack, having its search engine become a core component of a worm is relatively new. Antivirus researchers, however, warned about viruses using the company's search features just the week before.

"I think their security response team is geared toward protecting Google," said F-Secure's Hypponen of Google's response to the Santy