The security risks of Google Notebook

Security practitioners know to keep sensitive information under lock and key, but, as Web services proliferate, ensuring information remains private is more difficult than ever. In this tip, Ed Skoudis examines how one of Google's latest Web applications, Google Notebook, can lead to accidental exposure of sensitive data, and provides five ways to reduce the chances of a data leak.


In May 2006, Google released Google Notebook, a Web-based application with which users can save information they find on the Web, including snippets of Web pages, related notes, search results, images, and almost anything else. Google Notebook is similar to Web services like Yahoo's MyWeb, Ask.com's MyStuff, del.icio.us and digg.com, which provide a useful function to store and organize notes. But as Spider-Man's mantra reminds us, with great power comes great responsibility.

To understand what Google Notebook and similar services do, let's first look at life before we had them. When most people surf the Web to perform research on a paper they are writing, a vacation they are planning, or a hobby that they fancy, they end up with a bunch of data snippets. In the olden days (of six months ago), users would drag such data items into a Word document, or save whole Web pages to their hard drive. Some even (gasp!) printed the results on paper.

Now, with Google Notebook, users can cut and paste elements into Notebook from the other pages viewed in the browser. To make use of Google Notebook's extended features, users can install a browser plug-in for IE and Firefox. This enables users to place a selection of a Web page -- or even an entire page, and its URL -- into the notebook. Also, because Google Notebook entries are stored online, they can be accessed from any Internet-connected browser, provided you log in to that same Google account.


While these features have their benefits, they also raise some security concerns. For one, Google Notebook not only allows users to maintain a private Notebook, but also allows a user's private notebook to be shared with anyone else who has a Google account. Users can also choose to publicly publish their Notebook so that anyone can read it. And, to top it off, Google has created a Notebook search site that allows Notebook users to network with one another. Thus, with Google Notebook, we have people storing information in a format that can easily be made public, and that is searchable via Google's powerful search techniques.

It came as no surprise in December 2006 when it was discovered that public Google Notebooks could be mined to find sensitive data that people had inadvertently published. Illustrating just how serious the issue was, users of digg.com had a blog-style discussion of searches and links to users' Google Notebooks that offered social security numbers and passwords for various Web applications.

So, what can be done to prevent sensitive information from appearing in a Google Notebook? And, perhaps more importantly, what can enterprises do to make sure their own sensitive information isn't inadvertently published?

For starters, advise users to stick with Google Notebook's private default option, and to publish only those notebooks that contain information they wouldn't mind sharing with anyone. Users may also choose to store information the old-fashioned way, via a series of Web clips in a word processor or on their own file system, and avoid Google Notebook altogether.

But if Google Notebook use is necessary or difficult to prevent, there are some ways to ensure private information remains so.

1. Carefully comb the publicly published Notebooks to ensure that they do not contain private or sensitive information, such as the organization's name, corporate officers' names, major brands, and so on. If sensitive information is found, contact the owner of the Notebook or Google itself to have the information removed.

2. Whenever users add information to a notebook, ask that they check to make sure it goes into the appropriate private or public Notebook.

3. When placing information into a public notebook, remove any links included in the text you post, as some links include authentication information, like user IDs and passwords or even session credentials. Remember, if someone swipes the session credential for a Web application, they might be able to hop into that session as you, and engage in transactions on your behalf at that e-commerce site.

4. Avoid logging in from a public kiosk, for a bad guy may have installed a keystroke logger to steal password and account information.

5. As advice for enterprise security pros, continually educate employees about the risks associated with Web services like Google Notebook.

And, finally, if you inadvertently put sensitive information in a public Notebook on Google, unpublish that Notebook immediately, by clicking on the Google-provided "Unpublish" button. According to Google, "If you unpublish a notebook, we'll remove it from our search results within a few days." Doing so will minimize the damage caused by any leaked information.
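Step 3 above recommends stripping links that embed credentials before anything goes into a public notebook. The following is an added example, not code from the original tip, of a pre-publish check that redacts userinfo (user:password@host) and session-style query parameters from every URL in a note; the set of parameter names treated as sensitive is an assumption to tune for the Web applications your users actually clip from.

```python
"""Scrub credential-bearing URLs from a note before it is published.

Added example, not part of the original tip. SENSITIVE_KEYS is an assumed,
illustrative list of query-string names that often carry identity or session
state; adjust it for the applications in your environment.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_KEYS = {
    "sessionid", "sid", "jsessionid", "phpsessid", "token", "auth",
    "password", "passwd", "pwd", "user", "userid", "username", "apikey",
}

# Matches http(s) URLs up to whitespace or a closing quote/bracket.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def scrub_url(url: str) -> tuple[str, list[str]]:
    """Return (scrubbed_url, removed) for one URL.

    Drops any user:password@ prefix and any query parameter whose name is in
    SENSITIVE_KEYS; scheme, host, path and fragment are kept so the clipping
    still points somewhere useful.
    """
    parts = urlsplit(url)
    removed: list[str] = []
    netloc = parts.netloc
    if "@" in netloc:                       # embedded credentials
        netloc = netloc.rsplit("@", 1)[1]
        removed.append("userinfo")
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            removed.append(key)
        else:
            kept.append((key, value))
    clean = urlunsplit((parts.scheme, netloc, parts.path, urlencode(kept), parts.fragment))
    return clean, removed


def scrub_note(text: str) -> tuple[str, list[str]]:
    """Scrub every URL in a note; return the cleaned text and all removed keys."""
    findings: list[str] = []

    def _replace(match: re.Match) -> str:
        clean, removed = scrub_url(match.group(0))
        findings.extend(removed)
        return clean

    return URL_RE.sub(_replace, text), findings


if __name__ == "__main__":
    # Constructed sample note; no real site, account or credential.
    note = "Order page: https://shop.example/account?user=alice&sessionid=abc123&page=2"
    cleaned, removed = scrub_note(note)
    print(cleaned)                # Order page: https://shop.example/account?page=2
    print("removed:", removed)    # removed: ['user', 'sessionid']
```

A non-empty `removed` list is the signal to stop and review the note before publishing, since the original link may already have been shared elsewhere.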

About the author:
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.

This was first published in January 2008
