Monday, October 29, 2012

Google Inc (NASDAQ:GOOG) mail’s corporate customers vulnerable to spam attacks

Google Inc (NASDAQ:GOOG) has denied that the search giant's corporate email servers are vulnerable to a security risk that allows any reasonably smart hacker to impersonate the company's leadership or any of its employees.

The security flaw was first reported earlier this year by mathematician-turned-security researcher Zachary Harris.

Last week Kim Zetter wrote an article on the front page of Wired.com about the security flaw, which has sent tremors through Google's corporate customers over what it means for the security of their mail.

Forbes said that a spokeswoman for Google, Andrea Freund, said that this was not the case.

Google validates its emails by using a system called DomainKeys Identified Mail (DKIM), which authenticates Google as the sender of the mail rather than a spammer.

According to Forbes: DKIM lets an organization digitally sign each message by using public key cryptography to generate domain keys that are unique to a particular domain, like Google.com. The keys are then added to the Domain Name System (DNS) records for that domain.

What Harris discovered was that Gmail was using a very weak 512-bit key, compared to the industry standard of 1024 bits, to create its digital signatures.

Forbes said Harris was able to crack Google’s code in less than 72 hours and create a spoof email that he sent to Larry Page.

Google Apps allows customers to generate their own domain key. Customers who follow the step-by-step instructions get 1024-bit domain keys. However, those who do not follow these instructions do not get that protection.
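A check a domain administrator could run against their own DKIM record to see which key size it actually carries, as an added example that is not from the article, Google or Forbes. It assumes the standard record layout (`v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo>`); the function names are hypothetical and the sample records are constructed with placeholder moduli, not real keys.

```python
import base64

MIN_BITS = 1024  # the "industry standard" figure quoted in the article
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, body, _ = read_tlv(spki)                # outer SEQUENCE
    _, _, pos = read_tlv(body)                 # AlgorithmIdentifier, skipped
    tag, bitstring, _ = read_tlv(body, pos)    # BIT STRING holding RSAPublicKey
    if tag != 0x03:
        raise ValueError("p= is not a SubjectPublicKeyInfo")
    _, rsa_key, _ = read_tlv(bitstring[1:])    # skip the unused-bits byte
    _, modulus, _ = read_tlv(rsa_key)          # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt):
    """Return (modulus_bits, meets_minimum) for a DKIM key TXT record."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("k", "rsa").strip() != "rsa":
        raise ValueError("not an RSA key record")
    bits = rsa_modulus_bits(base64.b64decode("".join(tags["p"].split())))
    return bits, bits >= MIN_BITS

def der(tag, body):
    """Encode one DER element (only used to build the sample records)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record with a placeholder modulus of the given size (not a usable key)."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    print([audit_dkim_record(sample_record(s)) for s in (512, 1024, 2048)])
```

To audit a live domain, pass the TXT value published at `<selector>._domainkey.<domain>` to `audit_dkim_record`.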
