February 16, 2010

The Wizard of Buzz

Buzz is just a new wizard in the kingdom of Google. However, it is not hard to foresee through the crystal ball that Dorothy's journey along the yellow brick road will be full of constant attacks from the Witch of malware and her spamming monkeys.

The biggest problem with Google Buzz is privacy. You can read lots of blogs and articles on this already, and this blog does not intend to examine this subject. It's enough to know that with Buzz, it is too easy to follow and read other people's messages. What we intend to explain is how Buzz connects different social networks together, creating a super-network.

What is worrying for us is that it's now much easier to spread spam and malicious messages than before, thanks to this super-network. Google has reacted to these issues quickly and has changed the default settings of its social network. Unfortunately there is no change for existing users, so if you have already subscribed, you still need to tweak the settings for yourself to make it secure - see below for details of how to do this. Google has also promised a new tab for the Gmail settings screen, to give people better control over their existing account.

Picture 1: The blogspot "szilvasyz" is not even mine!

But what was wrong, you might ask? As you can read in this alert, just two days after Buzz became available to the crowd, spammers started to use it for their unwanted mail marketing. I expect our ThreatSeeker™ Network to detect more threats like this in the near future. Were you surprised at how quickly spammers jumped onto this platform? The reason is simple: not only were Buzz users able to build up an audience in an uncontrolled way, but they could also attach other Web sites to their Buzz accounts. In fact, some of these external sources were already attached to users' Buzz accounts by default. This is what Google has realized and corrected - however, people who had already subscribed are still vulnerable.

What does this mean? If you have a Google Reader account, then your public posts and shared items are automatically displayed in Buzz. Similarly, Picasa also shares public photos to Buzz by default. Further, you can manually connect virtually any unrelated public feed to your account. This means whenever you post a message on an application such as Twitter, Flickr, or Blogspot, the same message appears in your Buzz account as well. If this isn't eyebrow-raising enough already, here is the next privacy issue: you can even attach someone else's Twitter or Flickr account to your Buzz. This latter issue opens many security and privacy related questions.

Picture 2: This is a typical scenario of what Google Buzz does in the real world

How can Buzz be made more secure? As mentioned above, Google has already made changes to the default settings. However, existing users are still suffering from these privacy and security issues. To make your Buzz account safer, you need to tweak the settings manually.

When you open your Buzz window, you can see a row of links on the top of the page containing your name, an Edit function, connected sites, and followers. The first thing you need to do is click the Edit link:

Picture 3: Click Edit to set up your profile

On the setup screen, make sure you clear the boxes marked with red in the picture below. The most important one is "Display the list of people I'm following and people following me" - when it is checked, everyone can see who you are following. In the early Buzz defaults, someone could even track down your mailing partners, as Buzz was automatically following your most frequent mail buddies. Also, it is recommended that you never put personal information on social networking sites (and in general on any sites), as that information could be used for social engineering.

Picture 4: Clear these boxes

The next step is to click the connected sites link, to see which sites are sharing information with your Buzz account. You can see that the dialog box is similar to the one in Picture 1. Make sure you remove sites you do not want to share with Buzz buddies. For example, my Picasa and Google Reader were connected automatically with the early default settings, so I had to remove the connections manually. To do this, click on Edit, then Remove site.

Picture 5: Remove unwanted connections

The final step is to review all the people following you and those you follow already. Just click the Followers link at the top of the Buzz page, and click Unfollow next to whoever you do not wish to follow any more. You can also block people, preventing them from following you. Take your time and check that you are happy with everyone on your list.

Picture 6: Unfollow and block people in your Buzz list

Google Buzz has just shown us how these social networks are getting connected together and how they are likely to get closer and closer in the near future. They are a quickly expanding open platform for spamming, phishing, and fraud, all brought to you automatically.

Every corner of the social network might look inviting, and at first it sounds like a good idea to connect them all together. However, the great Buzz has only one piece of advice for Dorothy: click your heels three times and repeat "There's no place like home."

Security Researcher: Tamas Rudnai
