INFO SECURITY: Google’ing your way into trouble

Google is wonderful.  They allow you to have access to a myriad of free things that make your life simpler.  It makes it easy to share data to your contacts, set up appointments, chat with them online, get the daily news, make money with adds, purchase items through web sites, and a metric crap ton of other things.

But, did you know that Google will track you like a malicious stalker?

Oh yes, it does.

Let’s take a look at what all it does and tracks…

(To follow along on your own computer, head on over to the Google Accounts page and click on View data stored with this account link under the Personal settings/Dashboard – https://www.google.com/accounts/ManageAccount).

AdSense

- A free program that enables website publishers of all sizes to display relevant ads on Google and earn money.  You can place ads within Content, on mobile devices, through searches and in feeds.  The ads are targeted and it will give you access to a network of advertisers.

- This could be dangerous, but it does help you make money.

AppEngine

- This portion of Google allows you to build and host web apps on the systems that power the Google apps.  There’s no need to worry about hardware patches, backups, etc.  But, it’s in their hands and do you really trust what they’re doing with that data?  Not to mention, do you really want proprietary information on their servers?

Checkout

- This allows you to keep your credit cards online and use the Google Checkout service to ‘check out’ when paying on some sites.  Could be dangerous if someone is able to crack into their database…

iGoogle

- This is a simple start page that contains multiple ‘dashboard’ items. This is very configurable, fairly safe unless you’re using a public computer and forget to log out.

News

- Simple top headlines recommended for you based on what you view regularly

Page Creator

- This has been replaced with Sites

Subscribed Links

- This will give you the custom search results that you want to add to your search pages.  Could be useful, could be harmful, depending on what you’ve got set up.

Wave

- This will hold contacts, discussions, meetings, documents, brainstorms, tasks, conversations, etc that you have with people within your Google contact list.  This can be VERY damaging.  Are you sure you know exactly ‘who’ your contacts are?

AdWords

- This will let you advertise through Google for whatever you’re looking to get out there.  It keeps a hold of your billing information, adds, budgets, etc.

Blogger

- The Google version of a free user blog interface, it’s not bad for first timers or people who really don’t want to think about a lot of customization and just want to throw something up there.

Docs

- This will hold notes, document, spreadsheets and just about any other file that you can think of.  It’s good for journaling, accessible just about anywhere, able to share files with friends, relatives, co-workers, etc.  You can set who can see what, but be careful; the wrong document shared to the wrong person could lead to a BAD situation.  You don’t necessarily want the Mullah of BadPlaceCountry to have the plans to secret away his top military intel guy, do you?

Groups

- Similar to Yahoo Groups, it contains a lot of different information based on what you post, read, etc.  Good place to get information and a good place for a little social engineering or data mining.

Maps

- This can be VERY damaging if you’re not careful.  It contains all of your ‘specially saved’ maps that you have created over the years including your ‘my saved places’. It also has a list of public directions/places that you may have created.

Notebook

- This was actually supposed to disappear months ago with the live version of Docs, but it still lingers. It’s a basic note keeper.  Not bad overall, but still be careful of what is stored in there as it could have negative consequences if you have sharing set wrong.

Picasa Web Albums

- Exactly what it states, it’s a web gallery for pictures.  Be careful with what you post and what settings you make on it, it could be very bad if something you put up there get’s into the public gallery section by mistake. Do you really want that picture of you in a thong with the goat, stripper and gallon of jello in Los Lobos getting out to your contacts?

Talk

- Basically it’s chat from Google.  You’ll need to download an app for it if you don’t want to be in a browser window, but it will give you chat on both the PC and Mac, within GMail, iGoogle, orkut, etc.  Similar to AOL IM, Yahoo IM, MSN IM, etc.  It does keep a track of your contacts as well as chat history if you don’t have things set right.

History

- This is where things get a little scary.  It tracks ALL of your web, images, news, products, sponsored links, video, maps, blogs, books, trends, bookmarks, etc that you access while you’re logged into your Google Account.  I noticed items in there dating back to 2007.  WOW, I’ve been remiss to clear that out.  I have since rectified that mistake and will be more careful with it in the future.  If the data within this search engine were ever to get into someone else’s hands instead of just your own, it could be VERY damaging. A good thing to keep clear especially if you use a public computer and/or are married, dating or just have someone that likes to snoop your accounts if you live with someone and they have access to your computer.

Alerts

- You can monitor just about anything on the web.  Again, could be damaging, OR could help you do that bit of ciber stalking that you’ve always wanted help with.  It’s also a good way of keeping tabs on what information is out there concerning you.

Calendar

- It’s a calendar, it’s sync-able with multiple other services, easy to use and easy to goof up and make things public.  Watch and be careful with this one.  The wrong invite to the wrong person could spell disaster.  Do you really want your target to know that you’re going to make a ‘house call’ when they’re ‘supposed to be on vacation’?

GMail

- It’s a mail program, you can get your Buzz items in it, other e-mail accounts, etc.  Not too much is needed to be said about this, we all know the dangers involved.  (If not, I’ll be doing a post on the dangers of e-mail later).

Health

- INVASION OF PRIVACY ALERT

- This can lead to some severe issues.  You can track drug interactions, age, sex, height, conditions, medications, allergies, procedures, test results, immunizations, insurance, files, images, just about anything medical related is available here if you put it up there.  This can be a HUGE security risk.

I suggest not using it unless you really don’t mind if this information get’s out of the hands of Google.  If you’re not careful, it could lead to everyone in your contact list knowing about that embarrassing rash you picked up in Vegas last weekend on leave…

Mobile

- It’s the mobile version of Google.  Ties in with all the other services that I’ve listed here, it’s just as dangerous as the rest if you’re not careful.

Reader

- Simple Google News/RSS feed reader.  You can share things out and can really strangle yourself if you’re not careful.  Watch what you ‘like’ and ‘share’ on there.  EVERYONE can see your likes and shares, so, if you don’t want them to know that you like that animal porn video you just watched, be warned.

Voice

- This is Google’s version of VOIP.  It can receive voice mails, text messages, record calls, very dangerous if you’re not careful.  You can go from VOIP to landlines and back. Treat this as you would your cell/sat phone or home phone.

YouTube

- Keeps a track of the videos that you’ve watched, what you share, etc.

And there you have it.  The services Google has that tracks your information and data.  I’d suggest heading out to the Google Account page and making sure that you’re covered as well as verifying that whenever you leave a computer, ALL accounts are logged out.  Never leave the browser save your passwords or logins and don’t forget;

Just because you’re paranoid doesn’t mean they’re not out to get you…

—————————————————————————————

~Norm W.
Information Security Correspondent

Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.

Be Sociable, Share!

14 thoughts on “INFO SECURITY: Google’ing your way into trouble”

  1. As always, GREAT article!!

    BubbaM.

      (Quote This Comment)

  2. I never understood why people google stuff when logged in their google account – every search you make is cataloged… forever

    Great Article Norm!

    ~James G

      (Quote This Comment)

  3. Every search you make is logged forever anyway, and traceable to you if you have a static IP.

    Remember: half of the information they have is what you provide willingly.

      (Quote This Comment)

  4. I have too many Google accounts to keep track of I think. I even made a new “site” with a bunch of crap in it. Its like crack!

      (Quote This Comment)

  5. Great one again norm. I have a love hate with google as well as apple. But all you say is the truth and stuff that I adhere to daily. This is all stuff that most people don’t pay any mind to and can with the right attitude and time take the initiative and attempt to keep their private things private. And it is kind of sad that we have to do this. But It comes with technology.

    Thanks again norm

      (Quote This Comment)

  6. So if I don’t have a google account then what?

      (Quote This Comment)

  7. 1. Privacy is an illusion.
    2. Google has long forsaken their motto Don’t Be Evil.

    The only method to truly remain free of tracking is to not use the internet, but for most of us that isn’t an option any more. Pretty soon corporations will know that James G ate lunch at La Hacienda and start showing him ads for Immodium.

    So if I don’t have a google account then what?

    Well, then they use tracking cookies and keep all the same information under a randomly assigned identifier. Why would they care if you are known to the system as PartyDude47 or a53e98e4-0197-4513-be6d-49836e406aaa? It doesn’t have the same long term benefits, but it gets the job done.

      (Quote This Comment)

  8. man I’m just glad to find this web site….you boys are way beyond me….but i do use an i.p and mac address hider when on line.

      (Quote This Comment)

    1. I’ve done that but the actual address still shows up in the history.

        (Quote This Comment)

  9. The cookies you can delete from time to time, in that case Google creates a new ID for you but it confuses the whole thing a bit (assuming you don’t have a static ip but most people don’t). Never understood the whole fetish about putting your private stuff into the net. I’ve avoided FB and I don’t think I’ll get into creating an account at Google.

    I always thought their company logo was: Do Little Evil.

      (Quote This Comment)

  10. First off all, I want to apologize for not responding sooner, I’ve been off grid for a few days and didn’t have good access. Sorry about that.

    So if I don’t have a google account then what?  

    They utilize tracking cookies on your system (and associate it with IP address, MAC address etc). Associating with IP and MAC is a non-confirmed association, but it’s most likely being done. Not having a Google account only makes it more irritating when they’re trying to target with ads, etc. Other companies out there do the same thing, it’s just that Google is more open with their users about what they’ve got on you. Which is one of the reasons that I like Google over say AOL or Microsoft.

    Again, yes, they all do it, but Google is open with what they collect.

    To help prevent this, you can use a ‘private browsing’ feature or an anonymizer site to get around it. But in the long run, even anonymizer sites need to keep records and worst case scenario, (say you threaten the POTUS), they’d be able to track you down to the point of knowing exactly where you were, what computer you were using, etc and find you. it takes a LOT of work to do that, but it’s still possible even using an anonymous account.

    man I’m just glad to find this web site….you boys are way beyond me….but i do use an i.p and mac address hider when on line.  

    Again, it’s a good step towards staying safe online and will hind most people that are doing it in a passive state, but for someone who really wants the information, it’s out there.

    The cookies you can delete from time to time, in that case Google creates a new ID for you but it confuses the whole thing a bit (assuming you don’t have a static ip but most people don’t). Never understood the whole fetish about putting your private stuff into the net. I’ve avoided FB and I don’t think I’ll get into creating an account at Google.
    I always thought their company logo was: Do Little Evil.  

    The company logo actually is Do No Evil, but then what exactly is the definition of do no evil in Google terms?

    Google’s Corporate Policy is a pretty interesting read. Check the corresponding forum posting – “Companion Post: Google’ing your way into trouble” for additional links and information.

    Also, according to John Battelle’s book on Google, The Search, the phrase “Don’t be evil” was not coined by Sergey Brin or Larry Page, but rather by Paul Buchheit, the engineer behind Gmail.

    I appreciate again the comments you guys provide. I’m glad you’re getting something out of it.

      (Quote This Comment)

  11. Great article. I have always know Google to be that friend that will love you and help you out but you can never really trust him.

      (Quote This Comment)

  12. Great article. I have always know Google to be that friend that will love you and help you out but you can never really trust him.  

    I’ve always fallen back on the old saying:
    Trust No One, Deny Everything…

      (Quote This Comment)

  13. Not to mention that pages remain logged and cached even after you remove them from the web. Try to go off the grid and you are still there.

      (Quote This Comment)

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Upload Files

You can include images or files in your comment by selecting them below. Once you select a file, it will be uploaded and a link to it added to your comment. You can upload as many images or files as you like and they will all be added to your comment.