Google Chromebooks OS Could Pave Way For Data Loss: Experts7:54 PM EST Thu. May. 12, 2011
Security experts are eyeing Google's new Chromebooks notebook with caution, maintaining that a cloud-based OS could create gaping security holes that would leave users' data vulnerable to a cyber attack.
Google announced the impending release of its own notebook, dubbed Google Chromebooks, Wednesday during its Google IO Conference in San Francisco. The search giant's own low-end notebook will be manufactured by Samsung and Acer, utilizing 2 GB of RAM and 16 GB of SSD storage, and will come equipped with the Chrome OS, the first commercially available consumer operating system relying on cloud technology.
The cloud technology enables users to reinstall and reauthenticate their credentials to the cloud, allowing them to completely restore their information and regain a smooth computing experience should the Chrome operating system crash or become infected with malicious code.
Meanwhile, Google touts that one of Chromebooks' biggest differentiators is its sandbox technology, which enables users to lose or break their notebook, without fear of losing their data.
Google claims its Chromebooks employs "defense in depth," relying upon multiple layers of protection, which include automatic security updates and sandbox technology. At its core, sandboxing isolates Web sites and applications and runs them in a restricted environment, which eliminates the potential to compromise a user's entire system if exposed to malware.
"So if you visit an infected page, it can’t affect the other tabs or apps on your computer, or anything else on your machine. The threat is contained," Google said on its Web site. "So while it's still important to take precautions to protect your data, Chromebooks let you breathe just a little bit easier."
The marketing around security might be a hook for Google's enterprise ambitions. The search giant disclosed during its Google IO conference plans to offer a monthly subscription service for enterprise and education sectors, which incorporates a Web-based management console, automatic updates, warranty, support, and hardware lifecycle upgrades.
However, the release follows shortly after researchers at France-based Vupen Securityfound a way to break into Google's Chrome browser, including its sandbox technology, which would enable potential hackers to launch malicious attacks on unsuspecting users by luring them to an infected Web site that would install malware onto their systems.
While Vupen released demos of the exploit, it has yet to publicly release the exploit code to Google, or anyone else, with the exception of its government customers.
Meanwhile, security experts contend that the cloud-based architecture makes Google's Chrome OS a likely target for future attacks, especially in light of the recent exploit, by galvanizing other hackers to follow suit.
Costin Raiu, senior malware researcher for Kaspersky Lab, said in a blog post Thursday that hackers would likely figure out a way to access users' data stored in the cloud, making the Chrome OS more vulnerable to attack , despite more sophisticated endpoint security protections.
Malware Targeting Cloud Could Leave Chrome OS Vulnerable
"Obviously, with all your data being available into the cloud, in one place, available 24/7 through a fast Internet link, this will be a goldmine for cyberciminals," Raiu said. "All that is necessary here is to get a hold of the authentication token required to access the cloud account; this is actually already happening with malware that has become 'steal everything' in the past years. Although the end points are now more secure, the situation is that the data is in a more risky place, and it will be much easier to silently steal it."
Raiu said that current attacks focus on infecting a user's machine with malware that silently logs keystrokes or lifts information stored on the system. However, with an OS that utilizes the cloud, hackers have only to figure out a user's credentials to access a myriad of personally identifying and financial data.
"Who needs to steal banking accounts, when you have Google Checkout? Or, who needs to monitor passwords, when they're all nicely stored into the Google Dashboard?" he said.
Meanwhile, at least one security solution provider says that in light of the recent Amazon and Sony breaches, it's only a matter of time before Google's cloud-based Chromebooks are hacked or otherwise leak users' private information.
Roy Miehe, CEO of Campbell, Calif.-based AAAntivirus, said that Google's other applications have either been hacked or compromised users' information because the company in general falls short at building in security redundancy in its platforms, which has previously led to Android and Gmail breaches ultimately sets the stage for future data loss.
"Everything that Google touches and/or does has a single point of failure," Miehe said. "They're controlling so much that if their servers go down like the rest of their products do, what do their users do? Isn't that a single point of failure?"
While Miehe applauded Google's attempts to provide Microsoft with competition on the OS front, he said that Google probably wasn't the best player to do that based on their history of large-scale data breaches.
"They're spreading themselves into this one here is going to be detrimental to the public. Not necessarily bad, but they don't have redundancy," he said. "With that many engineers, how do you monitor who's going to release code and who's not?"