|Are you Feeling Lucky? : 2008 : Frequency-X Blog : Blog : Home|
Are you Feeling Lucky?
Given the proliferation of sites infected with malicious drive-by download attack code, it’s about time to retire Google’s “I’m Feeling Lucky” search button, isn’t it?
Over the last couple of months we’ve been observing weekly defacements numbering in the hundreds of thousands. The specific vectors change every few weeks. For a short while it was through IIS-ASP-SQL vulnerabilities, the next it was through Search Engine Optimization (SEO) injection attacks, and today it’s being reported that more than half a million sites have been infected through a simple SQL injection vector.
Several years ago I commented on the potential dangers related to the way people used search engines for accessing their online banking portals – i.e. the URLs and site names were so hard to remember that banking customers were simply typing “mybank online” or similar into their favorite search engine and clicking the first or second link on the results page – kind of like an alternative DNS infrastructure. At the time I pointed out that even simple SEO attacks (or page rank escalation) could be advantageous to phishers.
Now, since just about any popular Web site appears to have an equal probability of containing an embedded drive-by download link, the risk is greater than ever in blindly following links between sites. It’s for this reason I think it may be a good idea for Google to consider retiring the “I’m Feeling Lucky” button.
Sure, we’ve all played with the “I’m Feeling Lucky” button on slow and boring days. But in today’s drive-by download world I’ve got the feeling that “luck” is probably a depreciating commodity as far as the Web is concerned.
As Clint Eastwood once said in Dirty Harry, "you've got to ask yourself one question: Do I feel lucky? Well, do ya, punk?"