Social media security has been a major focus of the Cisco Security blog in the past several months. We believe so strongly in sharing the message of using social media in a secure way that it was also a prominent focus in the 2009 Cisco Annual Security Report. In the 2009 report, we discussed how criminals, like predators in the wild, migrate to where their victims can be found. Recently, that has been on social networking sites and services.
Now, Google has moved to include microblogging and other recent search index updates in their Real Time Search section (“Latest results for…”) of a standard search results page. Just as the existence of community lends trustworthiness to content found on social networks, the association with Google’s search results also lends validity to content.
Real-time search poisoning
That may seem like a reach, but consider how many users click the first link (“I’m feeling lucky”), or at least a link found on the first page of results. For a better sense of this, consult anyone who does search engine optimization or online marketing. These positions are prime real estate in web commerce. Now consider that the Real Time results are de facto front-page results. If an attacker can get someone to wait long enough (or if they can inject their content frequently enough), they can have the “up-to-the-minute” positioning on a very popular search engine.
Real-time search is a logical progression of information availability, but will security suffer for it? Or can Google add value to the popular medium of microblogging? User decision-making will be impaired if information is presented to them faster than they can make risk assessments. This is further complicated because Google is extracting this information from social networks, where there could be a context of social trust that could help users make more informed choices. Outside of this social context, users will be inclined to assign their trust in Google to any content presented in the real-time search results.
Google also has entered the short URL fray with its custom goo.gl domain, currently only available to users of Google Toolbar or FeedBurner. From the perspective of their core strengths in advertising, this only makes sense. Bit.ly, tr.im, and tinyurl all get traffic whenever someone follows their custom shortened links. They know who is going to which shortened sites, and from where. Short URLs make a great deal of sense for SMS services that limit character length, as well as other short-format media like social status updates or mobile device browsing.
Of course, these truncated URLs also carry with them the abstraction between the end-user and the final destination. Combined with the transitive trusts afforded by social networks (or association with Google’s brand image), goo.gl might be a prime target. Google asserts that the same security controls applied to web searches will be used on shortened URLs. If this is effective, it could be an early advantage over other services with fewer resources (or motivators) to secure their shortened URLs. That is not to say that other services do not provide opportunities to learn more about an obfuscated URL. Users can gain information through browser extensions, or by adjusting URLs (by appending + to a bit.ly link, or using preview.tinyurl.com, for example). I mean that goo.gl URLs could have security included in their default state, and other services might follow through with this as well.
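As an added illustration (not code from the original post or from any of the shortener services), here is a small Python helper that applies the two preview tricks mentioned above and expands a short link hop by hop using only the redirect `Location` header, so the final destination is never loaded. The `fetch_head` callback and the `FAKE_RESPONSES` table are constructed stand-ins for real HEAD requests; the goo.gl preview form is not covered because the post does not describe one.

```python
from urllib.parse import urlparse, urlunparse, urljoin

# Preview forms the post mentions: "+" appended to a bit.ly link, and the
# preview.tinyurl.com host for tinyurl links.
PREVIEW_RULES = {
    "bit.ly": lambda p: p._replace(path=p.path + "+"),
    "tinyurl.com": lambda p: p._replace(netloc="preview.tinyurl.com"),
}

def preview_url(short_url):
    """Return the service's preview page for a short URL, or None if unknown."""
    p = urlparse(short_url)
    rule = PREVIEW_RULES.get(p.netloc.lower())
    return urlunparse(rule(p)) if rule else None

def expand(short_url, fetch_head, max_hops=5):
    """Resolve a shortened link by reading only the Location header of each
    hop. fetch_head(url) must return (status_code, headers_dict).
    Returns (final_url, chain_of_urls_visited)."""
    chain = [short_url]
    url = short_url
    for _ in range(max_hops):
        status, headers = fetch_head(url)
        if status not in (301, 302, 303, 307, 308):
            return url, chain            # not a redirect: this is the destination
        loc = headers.get("Location") or headers.get("location")
        if not loc:
            return url, chain            # malformed redirect; stop here
        url = urljoin(url, loc)          # Location may be relative
        if url in chain:
            return url, chain            # redirect loop; stop rather than spin
        chain.append(url)
    raise ValueError("too many redirects: " + " -> ".join(chain))

# Constructed, offline stand-in for HEAD requests (hypothetical URLs).
FAKE_RESPONSES = {
    "http://bit.ly/abc123": (301, {"Location": "http://tinyurl.com/xyz"}),
    "http://tinyurl.com/xyz": (302, {"Location": "/landing"}),
    "http://tinyurl.com/landing": (301, {"Location": "http://example.com/page"}),
    "http://example.com/page": (200, {}),
}

def fake_head(url):
    return FAKE_RESPONSES.get(url, (404, {}))
```

In real use `fetch_head` would issue a HEAD request with automatic redirect-following disabled; the chain it returns is what you would show a user (or log) before anyone visits the destination.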
Google recognized in the past that it could do quite a bit of good by marking suspicious sites as potentially infected or dangerous. Other search providers followed suit. Leveraging that kind of technology to highlight which real-time results and shortened URLs may be unsafe could be costly (e.g., in terms of delay to the front page) but could be yet another positive influence in the heated competition among search providers. Whether Google’s services become leaders in this space, or the search giant’s influence simply drags competitors into increased security, users stand to benefit if Google makes smart security choices.