
Controversial book search engine can be co-branded and embedded on publishers’ sites.

Google is making its controversial engine available to publishers interested in putting it on their Web sites.

This is the first time Google’s Book Search service has been available outside of its main site in the Google.com domain.

This co-branded search program benefits Google because the search engine will now be available more broadly. Meanwhile, publishers benefit by offering an additional search service to their Web site visitors.

Publishers can tailor the index of their search engine so that only books published by them show up in the query results, Google said Friday. As in the main Book Search site, these result pages give users the option to link to online shops that sell the listed books.

Interestingly, one of the publishers that put Book Search on its Web site is The McGraw-Hill Companies. Along with other major publishers, McGraw-Hill is suing Google for copyright infringement over Google’s ongoing project to scan millions of copyrighted books without permission.

Although McGraw-Hill’s position may seem at first contradictory, it stems from the fact that Google’s Book Search service has two main pieces.

One focuses on securing formal partnerships with publishers, obtaining their permission to scan books and giving them control over how much of those books can be displayed by Google for free.

McGraw-Hill is one of about 10,000 publishers participating in this partner program with Google, and together they have made about 1 million titles available for scanning so far, said Tom Turvey, director of Google Book Search partnerships. About 50 publishers have embedded Book Search in their sites already, and many more are in line to do so, Turvey said. McGraw-Hill didn’t immediately reply to a request for comment.

Simultaneously, McGraw-Hill objects to the other portion of the Book Search operation, in which Google partners with major academic libraries to scan large portions of their collections. Those library scanning operations often involve copyrighted books, which Google is digitally copying without obtaining permission from publishers and authors.

 

 

As users store more data online, hackers are finding ways to break into the new service sites. Experts say the problems are deep-seated.

Samy Kamkar was really just trying to impress girls. Instead, he made Web hacking history.

Kamkar created what is considered the first Web 2.0 worm–a virulent bug that no firewall could block, and which ultimately forced MySpace.com to temporarily shut down. The Samy worm (named after Kamkar) was among the more prominent of a new generation of Web attacks that some security experts fear may slow the fast-evolving collaborative model of Internet development known as Web 2.0.

Kamkar was looking for a way to circumvent MySpace’s content-posting restrictions to jazz up his profile when he found a bug that essentially allowed him to control the browser of anyone who visited his MySpace page. “A Chipotle burrito and a few clicks” later, Kamkar says, he created the fastest-spreading Web-based worm of all time.

Within 20 hours, the worm had spread to approximately 1 million MySpace users, forcing them to select Kamkar as their “hero” in their profile page. News Corporation, the site’s owner, had to pull down MySpace to fix the problem, and Kamkar later received three years’ probation in Los Angeles Superior Court.

As a Web 2.0 worm, Samy signaled the start of a shift in Web security concerns. Past worms such as MyDoom and Sobig clobbered systems and caused days of technical problems for system administrators to contend with. Kamkar’s worm didn’t do anything to harm MySpace users’ computers, but it threatened their data online. And though the affected MySpace users couldn’t apply a patch or update their antivirus software to handle the problem, once MySpace fixed the issue on its servers, it was fixed globally.


Just one day after discovering Google’s Firefox toolbar could be exploited in an attack, a similar flaw has been discovered in Google Desktop.

Just one day after a security researcher showed how Google Inc.’s Firefox toolbar could be exploited in an online attack, a similar flaw has been discovered in the Google Desktop.

On Thursday, Google hacker Robert Hansen posted proof of concept details showing how attackers could use Google Desktop to launch software that had already been installed on the victim’s computer.

The attack is hard to pull off and could not necessarily be used to install unauthorized software on the victim’s PC, but it does illustrate the kind of security issues that arise with Web-based applications, said Hansen, the CEO of Web security consultancy Sectheory.com, and a contributor to the Ha.ckers.org Web site.

“When you have third parties writing code that interacts with your browser, it inherently breaks the browser security model,” he said.

To exploit Hansen’s Google Desktop vulnerability, an attacker would first have to launch a successful “man-in-the-middle” attack, somehow placing himself between the victim and Google’s servers. This could be done by tricking the victim into logging onto a malicious wireless network, Hansen said.

Once this was done, the hacker could launch Hansen’s attack by changing the Web pages being delivered to the victim’s PC. By returning Web pages that have been doctored with new JavaScript code, the attacker could trick the victim into clicking on a malicious link, Hansen said. “When they actually click that mouse button, they’re not clicking on the Web page, they’re clicking on a link to Google Desktop that actually runs code,” he said.

The steps Hansen took to pull off the attack are complex because of the security features that Google has built into its software, he added. “What I’ve done is combine a lot of different attacks that Google desperately tries to prevent.”

On Wednesday researcher Christopher Soghoian showed how a man-in-the-middle attack could be used to install malicious software on computers that used a variety of popular Firefox add-ons, including the toolbars from Google, Yahoo Inc., and AOL LLC.

Hansen has posted a video showing how this attack could be used to launch Windows HyperTerminal. But it could be used to launch virtually any application that has already been installed on the PC, he said.

This is not the first bug in Google Desktop. In February, engineers at Watchfire Corp. showed how a flaw in the program’s Advanced Search Feature could be used to gain access to data or even run unauthorized software on a victim’s computer.

Two days after the Watchfire bug was disclosed, Hansen himself showed how attackers could steal information from Google Desktop users using what is called an anti-DNS (Domain Name System) pinning attack.

Google was not immediately available to comment for this story.
