San Jose, California, USA, January 22, 2007 -- Finjan Inc., the global provider of best-of-breed proactive web security solutions for businesses and organizations, today announced that it reconfirms recent reports that Google has unwittingly exposed private user names and passwords on the Google anti-phishing blacklist, which did not use any access protection. Such sensitive information could potentially have been used to compromise user privacy, and could even have been used for identity theft or financial profit (as users generally have a single “web” password for most of their online accounts).
On January 3, 2007, Finjan’s Malicious Code Research Center (MCRC) researchers discovered that a list of URLs was available and unprotected on Google’s servers and immediately informed Google, which acknowledged receipt of Finjan’s alert about the vulnerability. Finjan believes the information on the servers had been gathered using Google’s anti-phishing browser extension. Google has fixed the problem, and it is assumed that Google has notified all affected users. Recent tests conducted by Finjan confirm that there is no data leakage on the current Google anti-phishing blacklist.
For a snapshot of the data leakage follow this link:
www.finjan.com/objects/pics/google.jpg
“Finjan became aware of the problem after examining a publicly available list of URLs provided from Google’s servers,” said Yuval Ben-Itzhak, Finjan’s Chief Technology Officer. “After examining the data provided in these files, Finjan found that sensitive user information was available on the web with no access protection, including emails, usernames, passwords and session tokens that could be used by hackers to compromise users’ privacy.”
Finjan offers the following advice to minimize the risk of exposing confidential information from similar web applications:
Pointers for home users:
- Avoid sharing your browsing habits with third parties by disabling URL sharing or forwarding, which is usually enabled in your browser’s toolbars.
- Use an adequate password policy for your web accounts. Do not use the same password for all web accounts. Having the same password for several accounts will compromise ALL of them if just one is compromised.
- Make sure that your PC is adequately protected from malicious software such as spyware and adware that can send out private information. Even when an application’s privacy policy looks sensible, remember that it’s enough for it to send a full URL (including parameters) to disclose your email and other private information.
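The last point, that a full URL with its parameters is enough to disclose an email address or other private data, can be checked before any URL list is shared, logged or published. The following is an added example, not Finjan's or Google's code; the parameter names in SENSITIVE_KEYS and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names that commonly carry secrets; extend for your own applications.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "session",
                  "sessionid", "sid", "auth", "login", "username", "user", "email"}
EMAIL_RE = re.compile(r"[^@\s/]+@[^@\s/]+\.[A-Za-z]{2,}")

def audit_url(url):
    """Return (findings, redacted_url) for one URL."""
    parts = urlsplit(url)
    findings = []
    host = parts.hostname or ""          # hostname excludes any user:pass@ prefix
    if parts.port:
        host += f":{parts.port}"
    if parts.username or parts.password:
        findings.append("userinfo")      # credentials embedded as user:pass@host
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"param:{key}")
            value = "REDACTED"
        elif EMAIL_RE.search(value):
            findings.append(f"email-in:{key}")
            value = "REDACTED"
        kept.append((key, value))
    # Fragments can carry tokens too, so they are dropped from the shared form.
    redacted = urlunsplit((parts.scheme, host, parts.path, urlencode(kept), ""))
    return findings, redacted

def audit_list(urls):
    """Map each URL that exposes something to (findings, redacted form)."""
    report = {}
    for u in urls:
        findings, redacted = audit_url(u)
        if findings:
            report[u] = (findings, redacted)
    return report

# Constructed sample entries (example.test hosts, not data from the incident).
SAMPLE = [
    "http://phish.example.test/login.php",
    "http://phish.example.test/verify?email=alice%40example.test&pwd=hunter2",
    "http://bob:s3cret@bank.example.test/account?sid=abc123&lang=en",
    "http://shop.example.test/track?ref=carol@example.test",
]

if __name__ == "__main__":
    for original, (findings, redacted) in audit_list(SAMPLE).items():
        print(findings, redacted)
```

Only the first sample URL passes unchanged; the other three are flagged and have their credentials, session identifier or email address replaced before the list leaves the machine.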
Pointers for corporate users:
- Make sure that you have proactive protection in your web security solution – chasing the attack vectors after the event is always “too little, too late”, particularly if you get hit by a zero hour attack that your security solution does not recognize. Anti-virus and URL Filtering are not enough!
- Make sure that your security solution is updated for handling new technologies and trends. Security products must protect you from the vulnerabilities rather than just attacks and exploits.
- Check your vendor’s research capabilities and their ability to provide up-to-date information which is immediately translated into actionable security measures.
- Deploy a web security solution that protects users from being subjected to information leakage by preventing users from visiting phishing sites in the first place. The solution should also prevent any toolbar or add-on that is installed in the browser from getting to see the URL.
- Examine your egress data policy to make sure that you cover all known and suspicious site access (users trying to access phishing sites).
-- ENDS --
Notes for Editors:
About MCRC
Malicious Code Research Center (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet and email applications as well as other popular applications. MCRC’s goal is to continue to be steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as spyware, Trojans, phishing attacks, worms and viruses. MCRC researchers work with the world’s leading software vendors to help patch their security holes, as well as contribute to the development of next generation defense tools for Finjan’s proactive secure content management solutions. For more information, visit our MCRC subsite.
About Finjan
Finjan is a global provider of best-of-breed web security solutions for businesses and organizations. Our proactive, appliance-based solutions deliver the most effective shield against web-borne threats, freeing enterprises to harness the web for maximum commercial results. Finjan’s web security solutions utilize patented behavior-based technology to proactively repel all types of threats arriving via the web, such as Spyware, Phishing, Trojans and other malicious code, securing businesses against unknown and emerging threats, as well as known malware. Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including IDC, Butler Group, SC Magazine, CRN, PCPro, ITWeek, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential. For more information about Finjan, please visit:
www.finjan.com.
© Copyright 1996-2006. Finjan Inc. and its affiliates and subsidiaries. All rights reserved.
Media Contacts
The Netherlands
Frank Peters
Porter Novelli
Tel +31 (0)20 543 7600
fpeters@porternovelli.nl