SECURITY ARCHITECTURE INSIDER

The security risks of Google Notebook


Ed Skoudis
03.01.2007


In May 2006, Google released Google Notebook, a Web-based application with which users can save information they find on the Web, including snippets of Web pages, related notes, search results, images, and almost anything else. Google Notebook is similar to Web services like Yahoo's MyWeb, Ask.com's MyStuff, del.icio.us and digg.com, which provide a useful function to store and organize notes. But as Spider-Man's mantra reminds us, with great power comes great responsibility.

To understand what Google Notebook and similar services do, let's first look at life before we had them. When most people surf the Web to perform research on a paper they are writing, a vacation they are planning, or a hobby that they fancy, they end up with a bunch of data snippets. In the olden days (of six months ago), users would drag such data items into a Word document, or save whole Web pages to their hard drive. Some even (gasp!) printed the results on paper.

Now, with Google Notebook, users can cut and paste elements into Notebook from the other pages viewed in the browser. To make use of Google Notebook's extended features, users can install a browser plug-in for IE and Firefox. This enables users to place a selection of a Web page -- or even an entire page, and its URL -- into the notebook. Also, because Google Notebook entries are stored online, they can be accessed from any Internet-connected browser, provided you log in to that same Google account.

While these features have their benefits, they do have some security concerns. For one, Google Notebook not only allows users to maintain a private Notebook, but also allows a user's private notebook to be shared with anyone else that has a Google account. Users can also choose to publicly publish their Notebook so that anyone can read it. And, to top it off, Google has created a Notebook search site that allows Notebook users to network with one another. Thus, with Google Notebook, we have people storing information in a format that can easily be made public, and is searchable via Google's powerful search techniques.

It came as no surprise in December 2006 when it was discovered that public Google Notebooks could be mined to find sensitive data that people had inadvertently published. Illustrating just how serious the issue was, users of digg.com had a blog-style discussion of searches and links to users' Google Notebooks that offered social security numbers and passwords for various Web applications.

So, what can be done to prevent sensitive information from appearing in a Google Notebook? And, perhaps more importantly, what can enterprises do to make sure their own sensitive information isn't inadvertently published?

For starters, advise users to use Google Notebook's private, default option, and to publish only those notebooks that contain information they wouldn't mind sharing with anyone. Users may also choose to store information the old-fashioned way, via a series of Web clips in a word processor or their file system, and avoid Google Notebook altogether.
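
A pre-publication check along these lines, as an added example (not from the original article and not a Google feature): it scans note text for SSN-shaped numbers and password-style lines, the two kinds of data that turned up in public notebooks. The patterns, function names and sample note are assumptions constructed for illustration.

```python
import re

# SSN-shaped numbers: 3-2-4 digits separated by '-' or a space.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")
# Credential-looking text such as "password: secret" or "pwd = abc123".
CRED_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|passphrase)\b\s*[:=]\s*(\S+)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules, used to cut false positives on other numbers."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan_note(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, masked_value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append((lineno, "ssn", "***-**-" + m.group(3)))
        for m in CRED_RE.finditer(line):
            # Never echo the secret itself into a report or log.
            findings.append((lineno, "credential", m.group(1).lower() + "=<redacted>"))
    return findings


def safe_to_publish(text: str) -> bool:
    """True only when the note contains nothing the scanner flags."""
    return not scan_note(text)


# Constructed sample note (not real data).
SAMPLE_NOTE = """Flight options for June trip
Bank site login - password: Tr0ub4dor&3
HR form asks for SSN 123-45-6789
Order ref 000-12-3456, ticket 912-34-5678
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_note(SAMPLE_NOTE):
        print(f"line {lineno}: {kind}: {value}")
    print("safe to publish:", safe_to_publish(SAMPLE_NOTE))
```

A clean result only means these two patterns were absent; other sensitive content still needs a human review before a notebook is made public.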

But if Google Notebook use is necessary or difficult to prevent, there are some ways to ensure private information remains so.

And, finally, if you inadvertently put sensitive information in a public Notebook on Google, unpublish that Notebook immediately, by clicking on the Google-provided "Unpublish" button. According to Google, "If you unpublish a notebook, we'll remove it from our search results within a few days." Doing so will minimize the damage caused by any leaked information.

About the author:
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.
