Google Inc (NASDAQ:GOOG) has denied that the search giant's corporate email servers are vulnerable to a security flaw that would allow any reasonably smart hacker to impersonate the company's leadership or any of its employees.

The security flaw was first reported earlier this year by mathematician-turned-security researcher Zachary Harris.

Last week Kim Zetter wrote a front-page article on Wired.com about the flaw, which sent tremors through Google's corporate customers over what it meant for the security of their mail.

Forbes reported that Google spokeswoman Andrea Freund said this was not the case.

Google validates its email with a system called DomainKeys Identified Mail (DKIM), which authenticates a message as coming from Google rather than from a spammer.

According to Forbes: DKIM lets an organization digitally sign each message by using public key cryptography to generate domain keys that are unique to a particular domain, such as Google.com. The keys are then added to the Domain Name System (DNS) records for that domain.

What Harris discovered was that Gmail was using a weak 512-bit signing key, compared with the industry standard of 1024 bits, to create its digital signatures.

Forbes said Harris was able to crack Google's code in less than 72 hours and create a spoofed email that he sent to Larry Page.

Google Apps allows customers to generate their own domain key. Customers who follow the step-by-step instructions get 1024-bit domain keys. However, those who do not follow these instructions do not get that protection.
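As an added example (not from the article, Google or Forbes), the check a domain owner would run on the DKIM TXT record published for their own selector: decode the `p=` public key, read the RSA modulus out of the DER structure and compare its size with the 1024-bit figure the article cites. The two sample records are constructed here from synthetic moduli; fetching a real record from DNS is assumed to happen separately.

```python
import base64

# Added example (not from the article): decode a DKIM TXT record's p= tag, walk
# the DER SubjectPublicKeyInfo and report the RSA modulus size, so 512-bit keys
# can be flagged. The sample records are constructed from synthetic moduli.

def _der(tag, body):  # minimal DER TLV encoder, used only to build the samples
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def _der_int(v):  # INTEGER; the extra byte keeps a leading zero when the high bit is set
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def rsa_spki(modulus, exponent=65537):  # the encoding DKIM's p= tag carries
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """SPKI -> BIT STRING -> RSAPublicKey -> modulus; return its bit length."""
    _, outer, _ = _read_tlv(spki, 0)
    _, _alg, pos = _read_tlv(outer, 0)  # AlgorithmIdentifier, skipped
    tag, bits, _ = _read_tlv(outer, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_pub, _ = _read_tlv(bits, 1)  # offset 1 skips the unused-bits byte
    _, modulus, _ = _read_tlv(rsa_pub, 0)
    return int.from_bytes(modulus, "big").bit_length()

def dkim_key_bits(txt_record):
    """RSA key size in bits of a DKIM TXT record such as 'v=DKIM1; k=rsa; p=...'."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa records are handled")
    return rsa_modulus_bits(base64.b64decode("".join(tags["p"].split())))

def dkim_key_is_weak(txt_record, minimum_bits=1024):
    """True when the selector's key is below the size the article calls the standard."""
    return dkim_key_bits(txt_record) < minimum_bits

# Constructed sample records: synthetic moduli with the top bit set, not real keys.
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 511) | 1)).decode()
STRONG_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 1023) | 1)).decode()
```

Run `dkim_key_is_weak()` over the TXT record of each selector a domain publishes; a `True` result means the key should be replaced with one of at least 1024 bits.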