Google is not warning its users of its role in one of largest cyber-security breaches ever on the Net

-By Scott Cleland

USA Today broke a much under-appreciated and potentially blockbuster Internet security breach story: “Google searchers could end up with a new type of bug.” Kudos to Byron Acohido and Jon Swartz, who reported it in USA Today, and also blogged on it at ZeroDayThreat.com, a site for their book “Zero Day Threat” which defines a Zero Day Threat as “a threat so new that no viable protections against it exist.”

In a nutshell, the article and blog post explain how cybercrook hackers have figured out how to use and leverage Google’s search engine results “to spread spam, and carry out scams. Typically it also lets the attacker embed a keystroke logger, which collects and transmits your passwords and any other sensitive data you type online.”

This new cyber scam ring is expected to spread rapidly, increasing from a “few dozen major websites” today, to “hundreds of high-profile websites” in the next few weeks.

“…in March alone… security researchers found several hundred thousand corrupted Web pages returned in common Google search queries.”

Why this is a big deal?

First, for hackers and cybercrooks, cracking Google’s system, even indirectly like this, is the motherlode; Google is the ultimate viral distribution mechanism to reach more Internet users more quickly than any other Internet vehicle. For example: Over 65% of Americans, and over 75% of Europeans use Google, meaning roughly 700 million users world wide are open and vulnerable to this new and growing data-security breach daily.

Google partners with over a million websites globally (90% share) making Google by far the best search engine to target, because Google can spread the scam several times faster and broader than smaller search engines like Yahoo, Microsoft, or Ask.com.

In addition, Google-DoubleClick serve hundreds of thousands of advertisers — over 90% of advertisers advertising online. There simply is not a better Internet vehicle for scammers to ride and leverage than Google.

Second, Google has not warned its seven hundred million odd users—in any way—that they currently are at an increased and serious risk of identity theft, phishing and other cyber-scams because cyber-crooks have devised a new and ingenious way to “ride” Google search results to reach and scam unsuspecting Google users who think they are safe and secure.

Third, the reason for Google not informing their users is the conflict of interest in their advertising business model. Google does not get paid by users. Google gets paid by advertisers and websites who do not want to sully their brands online by having Google identify which of its website clients and which advertising has been infected and are the source for these new rapidly spreading cyber-scams. Google also does not want to discourage searching in any way, because they get paid only when users search.

Google claims their business is based on user trust and that it would never do anything to undermine that trust. Well in this instance, it is clear that there is a growing pernicious scam riding on Google search results and Google is keeping it all hush hush because it doesn’t want to hurt its own business, or hurt its real paying clients: website content providers and advertisers.

In this situation, Google users are like tech bubble investors who were burned by trusting that investment banking research was looking out for their investor interests and not companies’ financial interests. And, just like then, there are no disclaimers on Google’s home page that the financial interests of websites/advertisers come before users’ interests.

In other words, there is no “User Beware” warning on Google’s website.

Fourth, Google claims its “open” systems are secure. The problem here is that the hackers have figured out an “open source” Javascript method to turn Google’s “open” search engine into the ultimate viral carrier, a modern day “typhoid Larry.”

As the leading proponent of “openness” (open source software, open access, opensocial, etc.), Google is understandably concerned about the bad PR for “openness” from such a pernicious “open source” hacking method and scam being carried and enabled by Google’s “openness.”

Bottom line:

Everyone should be surprised and dismayed that Google has not warned its users of their new and serious vulnerability to this pernicious and fast-growing cyber-scam threat. At a minimum, if Google worked for, or cared about, its users, Google would warn them on their home page to avoid clicking on the sites or webpages that Google in fact knows to be infected and unsafe.

It certainly seems as if Google is putting Google’s interests, and the interests of Google’s website/advertiser clients ahead of the interests of users. Given the carnage that identity theft and other fraud can cause, and given Google’s repeated claims to work for users, Google’s actions in response to this serious problem do not inspire trust.

As we all appreciate, ignorance can indeed be bliss, at least for a time, but as people have learned from the sub-prime mortgage mess—what you don’t know can hurt you.
_________________
Scott Cleland is one of nation’s foremost techcom analysts and experts at the nexus of: capital markets, public policy and techcom industry change. He is widely-respected in industry, government, media and capital markets as a forward thinker, free market proponent, and leading authority on the future of communications. Precursor LLC is an industry research and consulting firm, specializing in the techcom sector, whose mission is to help companies anticipate change for competitive advantage. Cleland is also Chairman of NetCompetition.org, a wholly-owned subsidiary of Precursor LLC and an e-forum on Net Neutrality funded by a wide range of broadband telecom, cable and wireless companies. He previously founded The Precursor Group Inc., which Institutional Investor magazine ranked as the #1 “Best Independent” research firm in communications for two years in a row. His latest op eds can be seen at www.precursorblog.com.


Copyright Publius Forum 2001