A design flaw discovered earlier this week in Web-based Google applications spotlights a troublesome security trend for IT departments: what to do about protecting internal systems and data as workers access Web-based e-mail and collaborative applications using their employer's PCs.
Google acknowledged that, over the New Year's weekend, it was notified of a vulnerability related to the use of JSON objects that affected several of the company's products. "These objects, if abused, can expose information unintentionally," Google information security manager Heather Adkins said in a statement. The company claims that it corrected the problem within 24 hours of being notified.
While most security experts agree that guarding Web applications, a notorious security soft spot today, is crucial for the overall well-being of systems and data, they debate whether security vulnerabilities in consumer-focused Web apps such as Web mail, instant messaging, and social networking sites such as MySpace and Facebook are a great threat to business IT systems.
Employees use Web mail and other Web-based services from their work computers, and IT managers have little control over how securely those Web applications are written. Yankee Group senior analyst Andrew Jaquith says that it's what we don't know about Web applications that makes them so dangerous. "Because they aren't fully understood, they're going to attract a lot of attention from hackers," he says, adding that this should concern IT managers because "consumer-grade applications are increasingly becoming de facto parts of corporate IT infrastructures."
This means employees may be mixing IT work with pleasure in their cubicles, potentially adding work-related information to the vast repositories managed by Web mail systems. For example, whenever a user can't remember a password for a given Web site, they'll typically have that password mailed to a Web mail account because they can access that account from any computer with an Internet connection. If these passwords are for work-related sites, the security of the Web mail account becomes the employer's problem.
"Web mail accounts give you access to everything," says Jeremiah Grossman, founder and CTO of WhiteHat Security, a maker of Web application security assessment software. Grossman, who also worked at Yahoo as its security officer, notes that cross-site request forgeries can be used for more than poaching information from Web mail accounts. "An attacker can gain access to any account the user is logged on to," he says. "This includes Web mail address books and even bank accounts."
Under another scenario, a Web mail user's ID and password could be stolen and then used by the attacker to send bogus messages to the victim's co-workers. "All the attacker has to do is send a Web mail saying 'I'm working from home today; use my Web mail account'," McGraw says. This trick could divert all sorts of business-related information to a Web mail account.
Yet other security experts see Web mail as more of a danger for users purposely or inadvertently leaking data out of their employers' IT environments, rather than as an attack vector for malware. "Applications that your employees are going to use that are not under the control of your IT department are definitely a security concern," says 451 Group senior analyst Nick Selby. But, "if an attacker is using malware, that's already being addressed by checking endpoints and isolating infected endpoints," he adds.