Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Portfolio Management Maturity Model at Chevron - Presentation & Discussion
November 13, 11:30 AM - 12:30 PM ET (GMT-4)
The fundamental goal of the model is to help IT become a business partner and earn a seat at the table. Core to the model is to establish a five year IT strategic road map that is owned by the business. Presenter Janinne Franke is manager of strategy, planning & optimization at Chevron's corporate department & services. She will share processes and lessons learned from developing and implementing the model.
Learn more about the CIO Executive Council »
Apply today for a FREE subscription to CIO Magazine!
February 26, 2007 — CIO —
Google’s PC search software is vulnerable to a variation on a little-known Web-based attack called anti-DNS pinning, which could give an attacker access to any data indexed by Google Desktop, security researchers said this week.
This is the second security problem reported this week for the software. On Wednesday, researchers at Watchfire said they’d found a flaw that could allow attackers to read files or run unauthorized software on systems running Google Desktop.
 |
| Google Screenshot |
As with Watchfire’s bug, attackers would first need to exploit a cross-site scripting flaw in the Google.com website for this latest attack to work, but the consequences could be serious, according to Robert Hansen, the independent security researcher who first reported the attack. "All of the data on a Google desktop can now be siphoned off to an attacker’s machine," he said.
Cross-site scripting flaws are common Web server vulnerabilities that can be exploited to run unauthorized code within the victim’s browser.
Hansen, who is CEO of Sectheory.com, did not post proof-of-concept code for his attack, but he said he has "tested every component of it, and it works." He has posted some details of how Google Desktop data could be compromised on his blog.
Google said it was investigating Hansen’s findings. "In addition, we recently added another layer of security checks to the latest version of Google Desktop to protect users from vulnerabilities related to Web search integration in the future," the company said in a prepared statement.
Anti-DNS pinning is an emerging area of security research, understood by just a handful of researchers, said Jeremiah Grossman, chief technical officer at WhiteHat Security. The variation of this attack described by Hansen manipulates the way the browser works with the Internet’s DNS in order to trick the browser into sending information to an attacker’s computer.
"Once you can repoint Google to another IP address, instead of Google getting the traffic, the bad guy does," he said.
Because this type of attack is so difficult to pull off and is poorly understood, it is unlikely to be used by the criminals anytime soon, Grossman said. But anti-DNS pinning shouldn’t be ignored, he added. "We should keep our eyes on it in case the bad guys shift gears."
News of the attack comes as Google is trying to enter the desktop productivity market. On Thursday Google launched a suite of Web-based collaboration software, called the Google Apps Premier Edition, which analysts say could become a competitor to Microsoft Office.
FORTUNE 100 insurance leaders rely on the Symantec Data Loss Prevention solution to protect sensitive customer data.
Do you know where your confidential data is, where it is going, and how to prevent it from leaving your organization.
Learn what the thought-leaders at PricewaterhouseCoopers have to say on the risks associated with data security.
Incorporate best practices from many companies using DLP solutions as you establish your organization's requirements and safeguard confidential data.
Learn how this proactive implementation of a DLP solution helps ensure E-LOAN's customer trust and loyalty.
Best Practices for Providing Secure and Cost-Effective Remote Access
They Can't Steal What You Don't Have: Smart Security Choices for Mobile Workers
The Three Pillars of Data Protection
The Case for A Specialized Security Platform
Security and Trust: The Backbone of Doing Business over the Internet
Best Practices in Choosing and Consuming Managed Security Services
Building Competitive Advantage with Next-Generation Wireless Infrastructure
IT Risk Management: Preparing for the Perfect Storm
Advanced DNS and Traffic Management Solutions: The Keys to Enhancing and Securing your Enterprise Network
The Power of Data Deduplication
Rethinking the Corporate Help Desk: Learn how to deliver anywhere, anytime incident response
Find out what Forrester says about mobile endpoint security and its management.
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Google in Curious Alliance with Click-Fraud Detection Firm
Kernel Developers, Wall Street to Come Together
Ellison Strikes Bullish Tone At Shareholder Meeting
Yahoo Investor Proposal Unlikely to Push Microsoft
Ugandans Comment on 10 Years of ICT Regulation
Vodafone to Acquire 15 Percent More of Vodacom Group
Zoho Launches E-Mail App with Offline, Mobile Access
Mobile Penetration to Hit 95 Percent By 2013
UK Supermarket Uses IT to Cut Checkout Waits
Mobile Industry Split Over UMA Versus Femtocells
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
