University of Coimbra - Universidade de Coimbra, arsc/download/ssc... (3.Email Abuse: Email Bombing and...)

Transcript of the presentation slides (27 pages).

Page 1: Title slide

University of Coimbra, Faculty of Sciences and Technology, Department of Informatics Engineering
Subject: Google's Security
Course: Security in Communication Systems
Student: Alexandre Correia, [email protected], http://www.dei.uc.pt/~arsc

Page 2: Index

1. Motivations to do this presentation
2. Google's Security Policies:
   I. philosophy
   II. technology
   III. process
   IV. people
3. Security flaws:
   I. Gmail
   II. Orkut
   III. GTalk
   IV. Chrome
4. Security tips by approach:
   I. technical
   II. end-user
   III. developer
5. Conclusions
6. Index

Page 3: Motivation (Google's Business)

1. Google's business: building a better search engine -> word spread quickly from satisfied users -> the volume of traffic at the site grew -> Google's managers identified two initial opportunities for generating revenue: search services and advertising.
2. Google now offers hundreds of products and services that people, businesses and companies are joining and consuming. It has grown significantly in the last years.
3. Google's mission: "organizing the world's information and making it universally accessible and useful."

Source: http://www.google.com/services/

Page 4: Motivation (Google's Stats)

1. In 2005 they indexed 8 billion web pages. An estimated 450,000 low-cost commodity servers in 2006.
2. They handle petabytes of data on disk and terabytes in memory.
3. Aggregate read/write throughput can be as high as 40 gigabytes/second.
4. Hundreds of millions of users are using their products and services.

Source: http://www.google.com/about.html

Oh God, our lives are in Google!!! Are we safe?

Source: http://www.google.com/options/

Page 5: Policies (philosophy)

1. Security is a continuous process. They don't just "check" a product for security before they launch it; they build security in throughout the product's development.
2. Their most sensitive information is difficult to find or access (the safe). Their network and facilities (the house) are protected with the best technical means: encryption, alarms and other technology for their systems, and strong physical security at their facilities.
3. They've learned that when security is done right, it's done best as a community.
4. They encourage everyone to help identify potential problems and solutions.
5. They work closely with the community to find and fix potential problems.

Page 6: Policies (technology)

1. These layers of protection are built on the best security technology in the world. They employ products developed by others in the security community.
2. And they build a lot of their security technology themselves.
3. Their security architecture focuses on automation and scale.
4. They're constantly seeking more ways to use encryption and other technical measures to protect data, while still maintaining a great user experience.
5. Custom platform -> GFS, BigTable, Sawzall, MapReduce, Chubby, and so on...
6. Base platform -> Linux, C, Python, Java, and so on...

Page 7: Policies (process)

1. They have a set of processes that dictate how they secure confidential information and who can access it.
2. The most innovative components of their security architecture focus on automation and scale. Daily, they handle millions of users' data and run tests (that don't require much human intervention) for possible security vulnerabilities or attacks.
3. They hold themselves to a very high standard.
4. They also work to ensure that their processes meet industry standards (these include audits for Sarbanes-Oxley, SAS 70, PCI, etc.).
5. They do this by working with independent auditors, who evaluate compliance with standards that hold hundreds of different companies to very rigorous requirements.

Page 8: Policies / Process (Sarbanes-Oxley) - 1

[DOCID: f:publ204.107] [[Page 116 STAT. 745]] Public Law 107-204, 107th Congress

An Act: To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. <<NOTE: July 30, 2002 - [H.R. 3763]>> Be it enacted by the Senate and House of Representatives of the United States of America in Congress <<NOTE: Sarbanes-Oxley Act of 2002. Corporate responsibility.>> assembled,

TITLE I--PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD... TITLE II--AUDITOR INDEPENDENCE... TITLE III--CORPORATE RESPONSIBILITY

Source: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ204.107

Page 9: Policies / Process (SAS 70) - 2

1. Provides guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions.
2. It also provides guidance for independent auditors who issue reports on the processing of transactions by a service organization for use by other auditors.

Source: http://infotech.aicpa.org/Resources/Systems+Audit+and+Internal+Control/IT+Systems+Audit/Standards+and+Regulations/SAS+No.+70+Service+Organizations.htm

Page 10: Policies / Process (PCI) - 3

1. The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
2. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Source: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Page 11: Policies (people)

1. "The most important part of our approach to security is our people".
2. They employ some of the best and brightest security engineers in the world. Many of them came from very high-profile security environments (banks, credit card companies, and high-volume retail organizations).
3. A large number of them have published hundreds of academic papers, and hold PhDs and patents in security and software engineering.
4. Google's team adopts best practices in the industry.
5. They ensure that all code is reviewed by multiple engineers so that it meets their software and security standards.

Page 12: Policies (people) - 1

1. Vice President, Engineering, and Senior Director of Information Systems.
2. He plays the role of chief information officer at Google, managing both traditional enterprise systems and the applications developed by Google engineers for internal use.
3. A student of social and political organization who holds a Ph.D. in psychology from Princeton, Merrill worked on computer simulations of education, team dynamics and organizational effectiveness for the Rand Corp.
4. In April 2008 he left Google to become the president of EMI.

Source: http://www.blogger.com/profile/11817160

Page 13: Policies (people) - 2

Source: http://www.eweek.com/c/a/Security/The-15-Most-Influential-People-in-Security-Today/1/

Page 14: Policies (people) - 3

1. John is Gartner's lead analyst on all Internet-facing security issues, covering a broad range of enterprise-critical areas.
2. He also provides thought leadership in wireless security, ways to develop software without vulnerabilities, and trustable computing platforms.
3. He has 24 years of experience in computer network and information security.

Source: http://www.gartner.com/research/fellows/asset_62950_1175.jsp

Page 15: Policies (people) - 4

Source: http://www.eweek.com/c/a/Security/The-15-Most-Influential-People-in-Security-Today/1/

Page 16: Policies (people) - 5

Source: http://www.eweek.com/c/a/Security/The-15-Most-Influential-People-in-Security-Today/1/

Page 17: Security and application flaws

1. "...Throughout the company, we use our own products. That means we protect your information with the same security that we use to protect our own company emails and documents".
2. They have philosophy, technology, process and people, but sometimes things do not work...

Source: http://upload.wikimedia.org/wikipedia/commons/7/7d/Bug.png

Page 18: Gmail flaw

1. According to Pure Hacking security researcher Chris Gatford: "...attackers could compromise a Gmail account — using a cross-site scripting [XSS] vulnerability — if the victim is logged in and clicks on a malicious link. From that moment, the attacker can take over the session cookies for Gmail and subsequently forward all the account's messages to a POP account.
2. If someone picks up on this before Google fixes it, this could be very damaging to Gmail users".

Source: http://news.zdnet.co.uk/security/0,1000000189,39289674,00.htm

When? Sep 2007

Page 19: Orkut flaw

1. ...Orkut was Google's first entry into social networking, but is far more popular in Brazil and India than in the United States.
2. You get an e-mail notification (or find out on Orkut) that you have a new scrapbook entry. It's from a friend. It says: "2008 vem ai... que ele comece mto bem para vc." ("2008 is coming... may it start really well for you.")
3. There's no need to click on anything; just viewing it does the trick. The scrap deletes itself and adds you to the Orkut community "Infectados pelo Vírus do Orkut" ("Infected by the Orkut Virus"). That group was gaining members at a rate of at least one hundred per minute (it had about 660 thousand).
4. This virus might be harmless, but what would have happened if it weren't?

Source: http://www.salon.com/tech/htww/2007/12/19/brazilian_orkut_virus/

When? Dec 2007

Page 20: GTalk flaw

1. GTalk contains a flaw that allows an HTML injection attack. The flaw exists because GTalk does not validate 'http' and 'mailto' links upon submission to the conversation window. This could allow an attacker to create a specially crafted URL or mailto address that would execute arbitrary code in a user's GTalk, leading to loss of integrity.
2. Affected GTalk version: 1.0.0.105.
3. If the attacker sends the victim: http://&#34&#62&#60&#104&#49&#62&#76&#111&#115&#116&#109&#111&#110&#60&#47&#104&#49&#62
4. Sent as literal HTML it doesn't execute... but GTalk accepts it when the HTML is entity-encoded!!!

Source: http://lostmon.blogspot.com/2008/06/gtalk-100105-html-injection-and.html

When? Jun 2008
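Added example (not from the slides or from GTalk) of the defect pattern behind this flaw: a link check that inspects the raw text passes the crafted URL quoted above, because the numeric character references hide the `"><h1>` break-out, while decoding first and then validating rejects it. The function names and the allowed-character rule are my own assumptions.

```python
"""Added example (not from the slides or from GTalk): a link filter that
checks the raw text passes the crafted URL from the slide, because the
numeric character references hide the '"><h1>' break-out; decoding first
and then validating catches it. Function names and the allowed-character
rule are assumptions for illustration."""
import html
import re
from urllib.parse import urlsplit

# The crafted link quoted on the slide (numeric references without ';').
CRAFTED_LINK = ("http://&#34&#62&#60&#104&#49&#62&#76&#111&#115&#116"
                "&#109&#111&#110&#60&#47&#104&#49&#62")

# Characters a link may contain once it is rendered inside an href.
# Quotes, angle brackets and whitespace are deliberately excluded.
_SAFE_URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#@!$&()*+,;=%]+$")


def naive_check(link: str) -> bool:
    """The weak check: looks only at the scheme prefix of the raw text."""
    return link.startswith(("http://", "mailto:"))


def decoded_view(link: str) -> str:
    """What a lenient HTML parser (or the chat window) turns the text into.
    html.unescape accepts numeric references even with the ';' missing."""
    return html.unescape(link)


def canonical_check(link: str) -> bool:
    """Defender's check: canonicalise first, then validate the result."""
    decoded = decoded_view(link)
    if decoded != link:
        return False           # entities have no place in a link literal
    if urlsplit(decoded).scheme not in ("http", "https", "mailto"):
        return False
    return bool(_SAFE_URL_CHARS.match(decoded))


def render_link(link: str) -> str:
    """Markup the chat window would emit. The value is attribute-escaped
    even after validation, so two independent layers guard the href."""
    if not canonical_check(link):
        return "[link removed]"
    escaped = html.escape(link, quote=True)
    return '<a href="%s">%s</a>' % (escaped, escaped)
```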

Page 21: Chrome flaw

1. "...In the browsers world, when you take a horse (Firefox/IE) and a donkey (Safari) and mix them up, you get Google Chrome."
2. The current beta uses an old version of WebKit, 525.13, which is the same WebKit used by the old Safari v3.1. Chrome borrowed local resource files from the Mozilla project, too.
3. Whenever Google Chrome downloads a file, it is displayed as a button, and one click on it will execute it. If the file is an executable (e.g. .EXE, .BAT, etc.), Windows Explorer will show a warning that this file was downloaded from the Internet. In this case, Google Chrome does a good job by setting the Zone.Identifier in the alternate data stream.
4. However, when it downloads a JAR file, Chrome does not set the Zone.Identifier in the alternate data stream, and the system will execute the JAR file with no warning.

Source: http://aviv.raffon.net/2008/09/03/GoogleMule.aspx

When? Aug 2008
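Added example (not from the slides or from Chrome) of the defender-side check implied by items 3 and 4: reading and parsing the Zone.Identifier alternate data stream that Windows Explorer consults before warning about a download; a JAR saved the way the slide describes has no such stream. The function names and the sample stream text are my own assumptions.

```python
"""Added example (not from the slides or from Chrome): inspect the
Zone.Identifier alternate data stream that Windows Explorer uses to decide
whether to warn about a downloaded file. On NTFS the stream is readable as
"<path>:Zone.Identifier"; elsewhere it is simply absent. Function names
and the sample stream content are my own assumptions."""
import os
from typing import Optional

# URL security zones as stored in the stream (Windows URLZONE values).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser writes for an Internet download.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return the ZoneId from the [ZoneTransfer] section, or None if the
    text is not a well-formed mark-of-the-web record."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "zoneid" and value.isdigit():
                return int(value)
    return None


def zone_id_of(path: str) -> Optional[int]:
    """Read the file's Zone.Identifier stream. None means no mark is present,
    which is the state the slide describes for Chrome's JAR downloads."""
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        # Stream absent, or a file system without alternate data streams.
        return None


def describe(path: str) -> str:
    """One-line verdict a download audit script could log per file."""
    zone = zone_id_of(path)
    if zone is None:
        return "no mark-of-the-web: Explorer will run it without a warning"
    return "marked as zone %d (%s)" % (zone, ZONE_NAMES.get(zone, "unknown"))
```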

Page 22: Security tips (technical approach)

1. Securing Systems or Networks: Securing an Internet Name Server; Problems With The FTP PORT Command (or Why You Don't Want Just Any PORT in a Storm)
2. Web Security Issues: Securing Your Web Browser; Understanding Malicious Content Mitigation for Web Developers; Cross-Site Scripting Vulnerabilities
3. Email Abuse: Email Bombing and Spamming; Spoofed/Forged Email
4. Understanding Attacks: Denial of Service Attacks; Managing the Threat of Denial-of-Service Attacks; Trends in Denial of Service Attack Technology
5. Technical Explanation: A Brief Tour of the Simple Network Management Protocol; Using PGP to Verify Digital Signatures

Source: http://www.cert.org/tech_tips/

Page 23: Security tips (end-user approach)

A. General information:
   1. Why is Cyber Security a Problem?
   2. Guidelines for Publishing Information Online
   3. Understanding Internet Service Providers (ISPs)

B. General security:
   1. Choosing and Protecting Passwords
   2. Understanding and Coordinating Virus and Spyware Defense
   3. Debunking Some Common Myths
   4. Good Security Habits
   5. Safeguarding Your Data
   6. Real-World Warnings Keep You Safe Online
   7. Keeping Children Safe Online

C. Safe browsing:
   1. Understanding Your Computer: Web Browsers, Operating Systems and Patches
   2. Shopping Safely Online

D. Software and applications:
   1. Understanding Voice over Internet Protocol (VoIP)
   2. Risks of File-Sharing Technology
   3. Reviewing End-User License Agreements

Source: http://www.us-cert.gov/cas/tips/

Page 24: Security tips (developer approach)

Yahoo! treats the security of our users' personal data very seriously, and we hope that our developers will do the same. Here are some guidelines to help you protect your users' trust in your application.

1. Protect Your Servers
2. Protect Your Network
3. Protect Your Application
4. Protect Against Request Forgeries
5. Protect Against Cross-Site-Scripting

Source: http://developer.yahoo.com/security/

Page 25: Conclusions

1. They have philosophy, technology, process and people, but sometimes things do not work...
2. Their security architecture focuses on automation and scale (they handle data, test their software and monitor for security attacks with a minimum of human intervention).
3. They've learned that when security is done right, working with the community (users, developers, enthusiasts, etc.) helps make the online experience safer for everyone.
4. Before they joined Google, some of their team members also helped build almost everything you have used.
5. They strongly encourage anyone who is interested in researching and reporting security issues to contact them, because when they are properly notified of legitimate issues, they'll investigate and fix potential problems as quickly as possible.

Page 26: References

1. How Google keeps your information secure: http://googleblog.blogspot.com/2008/03/how-google-keeps-your-information.html
2. Google Architecture: http://highscalability.com/google-architecture
3. Work at Google, Who are we?: http://research.google.com/why-google.html
4. Papers Written by Googlers: http://research.google.com/pubs/papers.html
5. Google University Relations: http://research.google.com/university/

Page 27: Index

1. Motivations to do this presentation
2. Google's Security Policies:
   I. philosophy
   II. technology
   III. process
   IV. people
3. Security flaws:
   I. Gmail
   II. Orkut
   III. GTalk
   IV. Chrome
4. Security tips by approach:
   I. technical
   II. end-user
   III. developer
5. Conclusions
6. Index