You are here
Top 10 Reasons Google Has Culpability in Gmail Security Breach -- Security is Google Achilles Heel Part XII
Submitted by Scott Cleland on Fri, 2011-06-03 11:01
Google's deep aversion to accountability was in full view in its blog response to the latest gmail security breach, in which Google placed most all of the blame on users and others, while largely trying to absolve Google of its responsibility and accountability in the matter as the world's largest source of private, sensitive and secret information.
Top 10 Reasons Google Has Culpability & Needs More Accountability:
- No other entity has a mission to "organize the world's information and make it universally accessible and useful." This gives Google a unique responsibility to aspire to be the world's leader in information security.
- No other entity actually collects all the world's information, making mirror copies of the entire Internet many times daily involving 5 exabytes of data every two days, the amount of information created from the beginning of time and 2003.
- No other entity stores all of its information in one unified "BigTable" database eschewing the normal security protocol of compartmentalizing information to prevent catastrophic universal data breaches.
- No other entity so plainly and corporately prioritizes speed and efficiency of accessing data over the security, privacy, and other internal controls of data.
- No other Fortune 500 company so officially relies on the crowd sourcing of their non-expert users and others to be their primary line of security defense, rather than taking corporate responsibility for maximizing the security of the information and people entrusted to safekeeping and protection at Google.
- No other entity universalizes its password access to more products and services (more that 500) than Google, a practice Google Security expert Greg Conti describes as a "single point of failure" problem.
- No other entity that we know of has had their entire password security code stolen wholesale by hackers like Google has -- per John Markoff's front page expose in the New York Times. This is relevant given Google's representations to the public that "it is important to stress that our internal systems have not been affected -- these account hijackings were not the result of a security problem with gmail itself."
- No other entity has made more personal profiles (35 million Google Profiles) publicly accessible for easy downloading by hackers to effectively aid and abet spearfishers than Google per a recent study by a University of Amsterdam PHD student Matthijs R. Koot. This is relevant to this latest gmail security breach because it was spear-fishing-driven.
- No other entity has been accused by the U.S. Department of Justice in court documents of publicly misrepresenting that a suite of Google software that is related to gmail was FISMA certified. This is relevant here because Google misled that it was security-compliant with the Federal Information Security Management Act when it was not, which could have led Government employees who used gmail, and were compromised by the latest gmail breach, to believe they were secure in using gmail when they were not.
- And the most disturbing reason of all, Google is the only entity in the world to decide at the highest executive levels to index Julian Assange's Wikileaks stolen cables and make them universally accessible and useful to bad actors, terrorists, crooks and hackers like the ones in the latest gmail breach of senior U.S. Government officials.
- (This is highly relevant in this case because spear fishing depends on learning intimate accurate details of groups and their communications about secret information that would enable a hacker to successfully fraudulently misrepresent themselves to gain officials trust, that would not have happened but for the hackers knowledge of secret Wikileaks documents made available by Google search.)
In sum, not only is Google not taking responsibility and accountability for its users security like one would expect any top brand and purported good corporate citizen to do, Google has made a series of strategic and tactical corporate decisions that have systematically and materially facilitated the success of security breaches like occurred this week with gmail.
- Most troubling of all is the fact that Google's willful disregard for national security secrets, confidential sensitive government communications, and privacy, in deciding at the highest levels to make Julian Assange's Wikileaks stolen cables universally accessible and useful to hackers like the ones that hacked Google's gmail, appears to potentially have aided and abetted our Nation's enemies in compromising our national security.
- At a minimum, appropriate oversight by inspector generals and Congressional Oversight Committees should want to investigate the connection between this latest gmail spear-fishing attack and the stolen government cables released by WikiLeaks and publicly indexed by Google's search engine.
- The purpose of this oversight would be to bring accountability to the situation, and to help prevent future gmail or other data breaches in the future to the best extent possible.
Previous parts of the "Security is Google's Achilles Heel" Series:
- Part I: "Why security is Google's Achilles heel"
- Part II: "Google values security much less than others do"
- Part III: "Google: "Security is part of our DNA" (Do Not Ask)
- Part IV: "Why Security is Google's Achilles Heel"
- Part V: "Google Apps Security Chief is a magician/mentalist"
- Part VI: "Google-China: Implications for Cybersecurity"
- Part VII: "Did Google Over-React to China Cybersecurity Breach?"
- Part IX: "Google's Titanic Security Flaws"
- Part X: : "A Google Android Botnet Problem":
- Part XI: "Google's Deep Aversion to Permission"
For even more information, see the Security section of PrecursorBlog's sister site: www.GoogleMonitor.com; or read the "Security is Google's Achilles Heel chapter of my Book: Search & Destroy Why You Can't Trust Google Inc. at www.SearchAndDestroyBook.com.