Google Dashboard Creates Security and Privacy Concerns
The new Google Dashboard addresses concerns that users have regarding just how much Google knows about them. Providing a resource like the Google Dashboard that presents all associated information in one place may actually create more privacy and security issues than it solves though.
Users have a reason to be concerned, or at least curious, about what kind of information is available about them on the Web. Google is like the Big Brother of the Internet--indexing and cataloging virtually everything you do online. Web indexing is like social networking in that its core purpose is in direct conflict with privacy and security. The primary goal is to index everything and provide access to as much information as possible--even if that information is sensitive or personal.
An entire genre of hacking--Google Hacking--has evolved around using Google searches to expose information that probably shouldn't really be public knowledge. If you know the right queries to use you can find usernames and passwords, financial spreadsheets, confidential documents, and more by leveraging the vast database of indexed information stored at Google.
We look to Google as a provider of information and we expect Google to have the answers. Google has established itself as that type of resource and there is a reason that 'did you Google it' is a common response when seeking information. The virtual omniscience of Google also sparks privacy concerns though and has caused some backlash with services like Google Social Search, Google Voice, and Google Maps.
That brings us back to the new Google Dashboard. Here is the thing--any technology or service that makes life easier and more convenient for you also makes it easier and more convenient for attackers. So, Google delivers all of the juicy details it has about you in a one-stop-shopping resources like the Google Dashboard which also provides a juicy one-stop-shopping target for attackers. A compromised Google account can yield a jackpot of sensitive information for attackers.
Ben Rothke, Senior Security Consultant with BT Professional Services notes that "Google Dashboard is akin to putting all of one's eggs in a single basket. The problem is that the average end-user is clueless on how to guard that digital basket. So once that Google account is breached/hacked, the victim has their entire Google experience compromised."
The concept is novel and it has a certain curiosity factor, but most users will never even look at their information in the Google Dashboard. Those that do are unlikely to monitor it frequently or visit regularly to clean up or remove data they don't want out there on the Interwebs.
That leaves Google Dashboard as a buried treasure for attackers. Users may not frequent the site or put the information to use, but you can bet that anyone who acquires a set of compromised Google account credentials will be visiting the Google Dashboard to see what sort of gems can be unearthed.
To be fair, the issues with indexed information and the ability to discover sensitive information using search queries is not unique to Google. The fact that its called Google hacking is sort of an unfortunate homage to the success Google has had in branding itself as the number one search engine. This information can also be found using Bing and other search engines as well though--they just haven't rolled out dashboards to make it easier to compromise as much information as possible on a single site.
Rothke summed it up by stating "It comes down to the proverbial security vs. usability equation. And when it comes to most users employing Google services, that is an equation they can't calculate."
Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He tweets as @PCSecurityNews and provides tips, advice and reviews on information security and unified communications technologies on his site at tonybradley.com .