
SECURITY ARCHITECTURE INSIDER

The security risks of Google Notebook


Ed Skoudis
03.01.2007
In May 2006, Google released Google Notebook, a Web-based application with which users can save information they find on the Web, including snippets of Web pages, related notes, search results, images, and almost anything else. Google Notebook is similar to Web services like Yahoo's MyWeb, Ask.com's MyStuff, del.icio.us and digg.com, which provide a useful function to store and organize notes. But as Spider-Man's mantra reminds us, with great power comes great responsibility.

To understand what Google Notebook and similar services do, let's first look at life before we had them. When most people surf the Web to perform research on a paper they are writing, a vacation they are planning, or a hobby that they fancy, they end up with a bunch of data snippets. In the olden days (of six months ago), users would drag such data items into a Word document, or save whole Web pages to their hard drive. Some even (gasp!) printed the results on paper.

Now, with Google Notebook, users can cut and paste elements into Notebook from the other pages viewed in the browser. To make use of Google Notebook's extended features, users can install a browser plug-in for IE and Firefox. This enables users to place a selection of a Web page -- or even an entire page, and its URL -- into the notebook. Also, because Google Notebook entries are stored online, they can be accessed from any Internet-connected browser, provided you log in to that same Google account.

While these features have their benefits, they also raise some security concerns. For one, Google Notebook not only allows users to maintain a private Notebook, but also allows a user's private notebook to be shared with anyone else who has a Google account. Users can also choose to publicly publish their Notebook so that anyone can read it. And, to top it off, Google has created a Notebook search site that allows Notebook users to network with one another. Thus, with Google Notebook, we have people storing information in a format that can easily be made public, and is searchable via Google's powerful search techniques.

It came as no surprise in December 2006 when it was discovered that public Google Notebooks could be mined to find sensitive data that people had inadvertently published. Illustrating just how serious the issue was, users of digg.com had a blog-style discussion of searches and links to users' Google Notebooks that offered social security numbers and passwords for various Web applications.

So, what can be done to prevent sensitive information from appearing in a Google Notebook? And, perhaps more importantly, what can enterprises do to make sure their own sensitive information isn't inadvertently published?

For starters, advise users to use Google Notebook's default private option, and to publish only those notebooks that contain information they wouldn't mind sharing with anyone. Users may also choose to store information the old-fashioned way, via a series of Web clips in a word processor or their file system, and avoid Google Notebook altogether.

But if Google Notebook use is necessary or difficult to prevent, there are some ways to ensure private information remains so.

1. Carefully comb the publicly published Notebooks to ensure that they do not contain private or sensitive information, such as the organization's name, corporate officers' names, major brands, and so on. If sensitive information is found, contact the owner of the Notebook or Google itself to have the information removed.

2. Whenever users add information to a notebook, ask that they check to make sure it goes into the appropriate private or public Notebook.

3. When placing information into a public notebook, remove any links included in the text you post, as some links include authentication information, like user IDs and passwords or even session credentials. Remember, if someone swipes the session credential for a Web application, they might be able to hop into that session as you, and engage in transactions on your behalf on that e-commerce site.

4. Avoid logging in from a public kiosk, for a bad guy may have installed a keystroke logger to steal password and account information.

5. As advice for enterprise security pros, continually educate employees about the risks associated with Web services like Google Notebook.
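One way to automate the link check in step 3 before a clipping goes into a public notebook, as an added example that is not part of the original tip: it flags links that carry a user ID and password in the URL, or a session or credential parameter in the query string or path, and returns a scrubbed form of each. The parameter-name list, the function names and the sample clipping are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names of parameters that commonly carry credentials or session state.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "user", "userid", "username",
                    "login", "token", "auth", "sid", "sessionid", "session_id",
                    "phpsessid", "jsessionid"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
PATH_PARAM_RE = re.compile(r";(\w+)=[^/;?#]*")  # e.g. ;jsessionid=... in the path

# Constructed sample clipping; every host and value below is made up.
SAMPLE = ("Hotel: https://travel.example.com/book?hotel=12&sessionid=9f8e7d and "
          "the plan at http://jdoe:s3cret@intranet.example.com/wiki/Plan. "
          "Cart: http://shop.example.com/cart;jsessionid=ABC123?item=42 "
          "Map: https://maps.example.com/?q=boston")

def audit_url(url):
    """Return (findings, scrubbed_url) for a single link."""
    parts = urlsplit(url)
    findings = []
    if parts.username or parts.password:
        findings.append("userinfo")  # http://user:pass@host/ form
    kept_query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append("query:" + name)
        else:
            kept_query.append((name, value))

    def drop_path_param(match):
        # Remove only path parameters whose name is on the sensitive list.
        if match.group(1).lower() in SENSITIVE_PARAMS:
            findings.append("path:" + match.group(1))
            return ""
        return match.group(0)

    path = PATH_PARAM_RE.sub(drop_path_param, parts.path)
    netloc = parts.netloc.rpartition("@")[2]  # strip any user:pass@ prefix
    scrubbed = urlunsplit((parts.scheme, netloc, path,
                           urlencode(kept_query), parts.fragment))
    return findings, scrubbed

def audit_text(text):
    """Map each credential-bearing link in text to (findings, scrubbed_url)."""
    report = {}
    for url in (u.rstrip(".,)") for u in URL_RE.findall(text)):
        findings, scrubbed = audit_url(url)
        if findings:
            report[url] = (findings, scrubbed)
    return report
```

A link with no findings is left out of the report, so an empty result means no link in the clipping matched the assumed patterns, not that the text is free of sensitive data.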

And, finally, if you inadvertently put sensitive information in a public Notebook on Google, unpublish that Notebook immediately, by clicking on the Google-provided "Unpublish" button. According to Google, "If you unpublish a notebook, we'll remove it from our search results within a few days." Doing so will minimize the damage caused by any leaked information.

About the author:
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.

All Rights Reserved, Copyright 2008, TechTarget