Archive for January, 2009

Serious problems with Google search

Saturday, January 31st, 2009

The search engine giant Google is currently suffering from what appears to be a self-inflicted denial of service. Every search page is returning a warning that the link may be harmful to your system. The warning refers you to a Google page which should explain why, but attempts to get to that page fail with a server timeout, presumably because millions of people are trying the same thing.

The warning appears to come from Stopbadware.org. That domain was registered by Google, and the DNS administrator’s phone number leads you to the Harvard School of Law. Presumably this is an organization attempting to assist in the control of criminals using search engine results to seed crimeware.

The problem appears to have started sometime in the morning on January 31st, EST.

Update 10:30am

The problem first appeared to us at approximately 9:30am, and as of 10:30am, appears to be resolved. At least the warnings are no longer appearing.

Update 10:45am

Further checking reveals that Google is properly warning against search results that do appear to contain crimeware, so everything appears to be functioning as it should right now.

What is an “effective” control?

Monday, January 12th, 2009

An interesting question went out to one of my favorite mailing lists a few days ago (SecurityMetrics.org) regarding a definition for “effectiveness”. It’s one of those words that we in the security profession use constantly, but there seem to be differing opinions on what qualities a control (or group of controls) must have in order to be ‘effective’. For instance, does it need to be foolproof? Prevent at least 90% of attacks? Provide more value than it costs? Satisfy its purchasers? Make auditors happy? Something else?

After thinking it over a bit, I offered up the following definition to the group:

“If it does what it’s supposed to, to the degree it’s supposed to, it’s effective (no matter how much risk, or what % of attacks, etc it reduces). If it does that for a cost that is low relative to its effectiveness, it’s efficient. At the point where the cost of increasing effectiveness exceeds the incremental benefit of doing so, it’s optimal.”

I know this isn’t a new question nor do I feel I’ve offered up some novel, ultra-insightful definition. I’d simply like to know what other folks out there think. Agree / Disagree? Have something better?

What are we on the lookout for?

Wednesday, January 7th, 2009

A number of organizations take the end of the year as an opportunity to publish predictions about what will happen in the security space during the subsequent year. The RISK Team engages in that exercise every Thursday as part of our weekly Risk call, during which we analyze emerging threats and vulnerabilities. So instead of generating a new list, we’ll share one that was refined over the course of 50 weekly meetings. In addition, we’ll share our predictions from the prior five years.
