Wrestling With Malware, Google Launches Security Blog
Google said it began tackling online security in a public manner last year.
In a continuation of its year-old effort to make the Web more secure, Google today launched an online security blog to keep Internet users informed about security threats. It makes no mention, however, of Google's ongoing vulnerability to redirection exploits.
The initial post by Panayiotis Mavrommatis and Niels Provos of Google's Anti-Malware Team attempts to clarify misinterpretation of the company's own study about the prevalence of malware online.
"Unfortunately, the scope of the problem has recently been somewhat misreported to suggest that one in 10 Web sites are potentially malicious," explained Mavrommatis and Provos. "To clarify, a sample-based analysis puts the fraction of malicious pages at roughly 0.1%."
While Google may be glad to set the record straight that only about one in 1,000 Web sites are potentially malicious, it says something about the state of online security that some simply accepted the 1-in-10 figure.
Google began tackling online security in a public manner last year. In January 2006, Google was among the companies that sponsored the launch of StopBadware.org, a site conceived to fill the role of a neighborhood watch group on the Internet.
The insecurity of search came to the fore last May when a McAfee SiteAdvisor report found that search engines regularly returned risky sites when queried using popular keywords. Shortly before that report appeared, Google made an arguably long-overdue addition to its Webmaster Quality Guidelines: "Don't create pages that install viruses, Trojans, or other badware."
Three months ago in February, Google started to flag suspect search result links with the message, "This site may harm your computer." The company also disabled the links on flagged results, preventing users from visiting those sites unless they copied the URL and pasted it directly into their browser address bar.
That same month, Google also added a notification for owners of flagged sites to help those with good intentions identify and mitigate any malware they might be hosting.
While Google's efforts may provide some comfort to its users, cyberthieves appear to be unimpressed. Since last year, Google has been dealing with URL redirection exploits that allow phishers to disguise malicious URLs to look like Google links. While the company has closed some holes, others apparently remain.
"We're aware of the issue and working on a fix," said a Google spokesperson.
Indeed, Google has "started an effort to identify all Web pages on the Internet that could potentially be malicious," according to a security paper published by several Google engineers, Mavrommatis and Provos among them.
Even so, not everyone believes Google is moving fast enough. Writing about an exploit that Google closed in February, Robert Hansen, CEO of security consultancy SecTheory and the maintainer of ha.ckers.org under the name RSnake, said, "Google is riddled with these holes and they are incredibly easy to find."
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.