Google made security news in a big way this week, announcing that they would begin displaying special “Your computer appears to be infected” warning banners in the search results pages served to certain users. This seems to have really caught the fancy of a lot of security journalists, and I ended up doing several quick press calls with writers who were looking for comment and thoughts about the significance of this announcement. Regrettably, I ended up being misquoted in at least two of the articles I’ve seen so far. Such are the hazards of allowing an engineer to be interviewed, I suppose… Anyway, to set the record straight, here are my thoughts, based on a number of misconceptions that came up in questions yesterday: – First, Google is doing a Good Thing here. No one should pooh-pooh this announcement. (Unlike much of the “good old days” of computer viruses, where they would often mess with your screen to let you know that you’d been “hacked”, these days you usually don’t know that your computer has been compromised, since the malware doesn’t want you to find out about it and remove it. So the fact that Google is able to visually alert you is cool.) – Second, keep this announcement in perspective: this alert is only for one specific type of malware infection. Google isn’t actually scanning your computer for the presence of malware, it’s simply inferring that you are infected with it, based on your search query coming into their service in a particular way. – Likewise, Google isn’t announcing any sort of new anti-malware tool. Their alert page sends you to an advice page recommending traditional antivirus solutions. (They also get bonus points for warning people about Fake AV.) – However, like many security people, my first thought was, “How long will it be before the Bad Guys mimic the look of the Google warning banner to send people to a Fake AV site?” (That’s just how security people think, after hanging around the malware ecosystem for a few years…) This is where I tended to be misquoted, as the nuances of how such an attack might be structured turned out to be harder to communicate clearly than I thought they would be… So let’s try again:
- As Google themselves pointed out “We’ve heard from a number of you that you’re thinking about the potential for an attacker to copy our notice and attempt to point users to a dangerous site instead. It’s a good security practice to be cautious about the links you click, so the spirit of those comments is spot-on. We thought about this, too, which is why the notice appears only at the top of our search results page. Falsifying the message on this page would require prior compromise of that computer, so the notice is not a risk to additional users.”
- The scenarios I was thinking of do not involve malware on an already-compromised computer inserting a bogus warning banner in that user’s Google search results. As Google pointed out, that computer is already infected.
- Nor do the scenarios involve a Bad Guy hacking into the Google computers and inserting a bogus warning banner into search result pages. (If you allow me to speculate on what a Bad Guy could do with direct access to Google’s servers, I can come up with a lot more dangerous/devious things he could do…)
- Rather, what I was talking about was a Bad Guy mimicking the overall look and feel of a Google search results page — as they have been doing for years already — and simply adding a bogus warning banner. This is the sort of attack vector that many security pros (way smarter than me) were trying to point out.
- It’s similar to what happened when Firefox partnered with Google to warn users that a URL they were attempting to visit was considered to be a malicious site: the Bad Guys began displaying fake Firefox warning pages as the first stage of Fake AV attacks. (In other words, they can make a page look like anything they want to. The question then becomes, can they think up a believable situation to display that page? If so, then it will be effective.)
–C.L.
Leave a reply
