Danger, thy name is Jessica Biel!

No, we’re not turning Search Engine Land into a celebrity gossip blog … we’re talking about the risks of searching online for certain celebrities. And, according to a McAfee report issued today, Jessica Biel is the most dangerous celebrity on the web, passing last year’s master of search disaster, Brad Pitt.

McAfee explains the risks involved in being a search engine-using fan of Jessica Biel:

“Fans searching for “Jessica Biel” or “Jessica Biel downloads,” “Jessica Biel wallpaper,” “Jessica Biel screen savers,” “Jessica Biel photos” and “Jessica Biel videos” have a one in five chance of landing at a Web site that’s tested positive for online threats, such as spyware, adware, spam, phishing, viruses and other malware.”

Here’s the full top ten, according to McAfee’s study:

1. Jessica Biel
2. Beyoncé
3. Jennifer Aniston
4. Tom Brady
5. Jessica Simpson
6. Gisele Bundchen
7. Miley Cyrus
8. Megan Fox & Angelina Jolie (tie)
9. Ashley Tisdale
10. Brad Pitt

This the third consecutive year McAfee has surveyed the danger associated with using celebrity names when searching online. It’s similar to, but more specific than McAfee’s report a couple months ago that detailed the web’s riskiest search terms overall.

(Jessica Biel image provided by McAfee.)

A report (PDF) by LegitScript and KnujOn claims that of the prescription drug and online pharmacy search ads on Bing (i.e. adCenter), Microsoft’s search engine, 89.7% led to “rogue” Internet pharmacies. By “rogue” they mean Internet pharmacies that fall into the categories of:

1. Those that facilitate the sale of prescription drugs, including controlled substances, without requiring a valid prescription.
2. Those that sell drugs from sources that are not licensed as a pharmacy in any US jurisdiction.
3. Those that illegally source unregulated, unapproved prescription drugs from outside of the United States.
4. Those that are otherwise deceptive or misleading.

This study was done over the June or July 2009 months and only examined Bing’s search ads, not the organic listings. Microsoft currently has not commented on this report.

LegitScript is an Internet pharmacy verification organization identified by the National Association of Boards of Pharmacy (NABP).

Ars Technica reports Google has informed the Federal Communications Commission (FCC) that they have been working on a new filtering system for videos, comments and communication on YouTube. It is believed that Google is working on these changes in order to make YouTube more kid or family friendly, by complying more with the FCC regulations for TV viewing.

Google wrote to the FCC:

Google Inc. (“Google”), by its attorneys, files these comments in response to the Notice of Inquiry (“NOI”) issued by the Federal Communications Commission (“FCC” or “Commission”) initiating a proceeding as required by the Child Safe Viewing Act of 2007 (“CSVA”) to examine the existence and availability of advanced blocking technologies compatible with various communication devices and platforms for programming parents deem indecent, violent or otherwise objectionable.2 As we explain, Google is committed to empowering and educating parents so that they can create a positive and safe online experience for their children.

A number of initiatives designed to give users and families greater control to moderate their YouTube experience, including the ability to filter video comments they find inappropriate.

Previously, YouTube had to create sophisticated software to protect copyright over music and videos. That software has been doing a pretty good job identifying videos or music on YouTube and quickly removing such video.

In other YouTube news, YouTube has been testing a super seekrit channel design.

Yet another privacy complaint has been filed against Google with the FTC, this time by the Electronic Privacy Information Center over Google’s cloud computing services and related privacy and data security issues. While Google is the named party, the company is basically the stand-in for “the cloud” as a whole. (If you want to read the complaint, you can download it here [.pdf].)

Here’s the thrust of the complaint:

EPIC hereby petitions the Federal Trade Commission to open an investigation into Google’s Cloud Computing Services, to determine the adequacy of the privacy and security safeguards, to assess the representations made by the firm regarding these services, to determine whether the firm has engaged in unfair and/or deceptive trade practices, and to take any such measures as are necessary, including to enjoin Google from offering such services until safeguards are verifiably established. Such action by the Commission is necessary to ensure the safety and security of information submitted to Google by American consumers, American businesses, and American federal agencies.

The three services mentioned in particular are Gmail, Picasa and Google Docs. EPIC successfully filed a similar action against Microsoft’s Passport service and won fines and concessions.

The complaint asserts that Google represents to the public that its online services are secure but, EPIC argues, there are known flaws and Google disclaims any responsibility for privacy or security breaches. It claims that Google’s data security practices are inadequate as they stand, and so on.

Privacy has re-emerged as a serious issue and big consumer concern on a number of fronts.

Without saying anything about the merits of the complaint and whether the EPIC claims are accurate, the issues raised are important as we move into the cloud-computing era very rapidly. Mobile access to Internet content and services will further accelerate this trend.

Update: I spoke briefly to a Google spokesperson yesterday and he had this to offer on the record:

“We have received a copy of the complaint but have not yet reviewed it in detail. Many providers of cloud computing services, including Google, have extensive policies, procedures and technologies in place to ensure the highest levels of data protection.  Indeed, cloud computing can be more secure than storing information on your own hard drive.  We are highly aware of how important our users’ data is to them and take our responsibility very seriously.”

It also struck me after I wrote the item above that there’s something perhaps unnecessarily “vindictive” in EPIC’s complaint that singles out Google. The issues raised are serious but pertain not only to Google but to Microsoft, Yahoo, Facebook and others. So it’s curious that the complaint was only filed against Google. In addition the language of “deception” is quite aggressive.

Everyone has an interest in ensuring better privacy and data security and EPIC is doing something helpful in raising the issues. But there are probably ways to address them at an industry level that are somewhat less “litigious.”

On the heels of the tragic terrorist attacks in Mumbai last month, legal advocates in India are asking the country’s High Court to demand that Google blur sensitive locations on Google Earth.

The Times reports that the Indian petition says Google Earth “aids terrorists in plotting attacks” and offers “absolutely no control to prevent misuse or limit access” of the service, particularly access to photos of sensitive locations such as the Bhabha Atomic Research Centre.

In the wake of the attacks, there were many reports that the terrorists used high-tech tools — including GPS — to plan, execute, and monitor the attacks. The only gunman captured alive has reportedly told police that the terrorists used satellite imagery to learn about the city of Mumbai.

Security concerns over Google Earth go back years. In 2005, Australian officials asked Google to remove the Lucas Heights nuclear reactor from Google Earth. Just last month, USA Today wrote about governments that are concerned about easy access to satellite photos on Google Earth and from other sources.

(And it’s not just Google Earth: Earlier this year, the Pentagon banned Google StreetView cars from taking photos on U.S. military bases.)

No word on if/when the Indian High Court may respond to the petition.

Blogspot.com cited as the No. 1 host for malware from News.com reports Google’s Blogger accounts “for nearly 2 percent of all malware hosts.” Sophos, an antivirus vendor, published a report showing the state of malware injections and attacks throughout the web.

Specifically, hackers can set up “malicious blogs” on the Blogger service, plus they can inject dangerous web links and content into Blogger blogs.

The Google web search team takes malware attacks seriously. They have reviews in webmaster tools and they label malicious web sites in web search results. So isn’t it ironic that Google hosts the number one problem of malware on the Internet?

Yesterday, I said that we had reports of spam on Google Sites, as well as spam on Google Groups. But this report shows that Google’s Blogger is worse than both of those.

A Google spokesperson gave News.com a statement:

Google takes the security of our users very seriously, and we work hard to protect them from malware. Using Blogger, or any Google product, to serve or host malware is a violation of our product policies. We actively work to detect and remove sites that serve malware from our network.

Google Is A Malware Site (Says Yahoo) from TechCrunch reports a funny bug at Yahoo that accidentally made it look like Google’s home page had Malware on it, based on the Yahoo SearchScan feature that was recently launched.

A search for Astalavista at Yahoo returned what appeared to be a Google.com result in the 10th position. But in reality, Yahoo somehow mixed up the astalavista.ms URL with a Google.com URL, and since astalavista.ms had signs of Malware on it, it appeared that Google.com had malware on it.

Here is a screen capture of what the search results originally looked like, when Yahoo labeled the astalavista.ms result and a google.com result:

But now, the same result is labeled correctly and looks like this:

Amit Bhawani commented at TechCrunch, explaining that if you clicked through to the detailed warning, it showed the warning was for astalavista.ms and not for google.com.

It now appears that Yahoo fixed the issue with the search result showing google.com instead of astalavista.ms. Yahoo has been known to mix up the display URL in the search results in some cases, specifically in the past. But I have been hearing some recent noise in the search forums that there are more signs of these Yahoo issues.

Yahoo Search has begun a partnership with McAfee, Inc. to provide SearchScan, which uses McAfee’s SiteAdvisor technology to flag URLs it deems "risky" in the search results. Results are flagged with the type of danger below the title. This new feature is primarily aimed at preventing spyware and other malicious software from being downloaded on searchers’ computers, as well as at preventing searchers from falling victim to sites that employ spammy email tactics.

The Yahoo Search Blog provides more information. Below, more details on what types of pages are flagged and how site owners can dispute incorrect flagging.

The types of behavior that causes a page to be deemed risky include:

• Download triggered upon page visit (these types of pages are removed from the search results entirely)
• User-initiated download includes spyware or other malicious sofware
• Site engages in spammy email tactics, such as flooding inboxes with mail

SearchScan is on to alert by default, but searchers can turn it off (or specify that flagged sites shouldn’t display at all) in their Yahoo preferences.

Why has Yahoo implemented this feature?
The press release being released tomorrow morning quotes a Decipher Inc Online Security & Web Search consumer survey from March of 2008 and says, "After children’s safety, 65 percent of Americans online are more worried about clicking unsecured search listings than the threat of neighborhood crime, getting ones [sic] wallet stolen or email scams." That’s an interesting claim, as I don’t know that 65% of online Americans know what an "unsecured search listing" is, but the point remains a valid one. Search engines present the web as a whole, and as the web include lots of malicious activity, search engines end up serving up malicious suggestions. This partnership is an attempt to serve up "safe" results without engaging in web censorship.

Google’s approach
Google has taken a similar tactic with a partnership with StopBadware.org. Any sites flagged by StopBadware.org include a message below the search result and Google directs searchers who click on these results to a page that provides more information and enables them to either continue to the page or go back to the search results.

If a site is flagged in Google’s search results, Google alerts the site owner via email and a Google Webmaster Tools message. Google also provides a dispute and resolution process in the cases where the site owner doesn’t agree with the label or makes changes to the site to abide by the StopBadware.org guidelines. In addition, the site owner can obtain more information from the page that Google directs searchers to for flagged pages in the search results.

The dispute and resolution process is actually forwarded to StopBadware.org and site owners can follow the process there.

Yahoo’s dispute process
Yahoo has a dispute process for site owners as well. When you hover over an alert in the Yahoo search results, an information box appears that includes a site owner link.

That links leads to the SearchScan form, which seems to be for both site owners and searchers. When I talked to Yahoo about this process a month ago, they said that, like with Google’s process, they forward the information to McAfee to resolve. I’ve asked them if they also provide proactive alerts to site owners and they said that if site owners are concerned that their pages may be missing from the search results due to SearchScan, they can turn off SearchScan and check the results:

If your site shows up in that experience, but not in the SearchScan On mode, (all other options such as SafeSearch remaining same) then you can believe that it is due to exploit rating on your site.

Note, to make this work, you should ensure that you keep all other elements of the search experience constant between the test with SearchScan off and on. That is

a) make sure you don’t change any other preferences

b) make sure you don’t change the computer you are searching from in case source IP or other changes affect the query routing

c) make sure you use the same Y! search destination – .com, co.uk etc. because sometimes there are regional rules which cause filtering (for example, france has stricter rules around nazi memorabilia sites etc.)

d) check multiple times across a couple of days. This is important because sometimes there is some localized maintenance going on which might temporarily affect what you see.

As part of the agreement, McAfee will distribute Yahoo Search to its user base. Distribution is arguably more important to gaining search market share than user interface improvements, and this distribution deal may provide clues to Yahoo’s strategy. (Two different hotels I’ve stayed at in the last month have featured a Yahoo search box on the wifi landing page — more signs that Yahoo is working hard at increasing distribution.)

Google mappers banned from U.S. bases from the LA Times reports the US Pentagon has banned Google StreetView photographers from accessing military bases. The ban came after StreetView photographs of Fort Sam Houston in San Antonio were found on Google Maps.

Reportedly, Fort Sam Houston gave Google access to the base after a promise not to take photos. An anonymous person told the LA Times, “Unfortunately, Google didn’t follow the rules.” Google spokesman Larry Yu said, “against our policy, we did mistakenly access the base.”

Gary Ross, spokesman for the U.S. Northern Command, said:

The Street View provides clear imagery of control points, barriers, headquarters and security facilities that pose a risk to our force-protection efforts.

So now, Google is banned from U.S. military bases.

Hackers turn Google into vulnerability scanner from Techworld reports a group of hackers named Cult of the Dead Cow (CDC) launched a search tool powered by Google to help see if your sites are vulnerable to a hacking attempt. The tool is named Goolag, and by typing in a domain name it may return site vulnerabilities.

Techworld reports the tool makes “it easy for unskilled users to track down vulnerabilities and sensitive information on specific Web sites or broad Web domains.” The tool uses the Google Custom Search engine and has a detailed specification on how it works.

“It’s no big secret that the Web is the platform,” said cDc spokesmodel Oxblood Ruffin. “And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We’ve seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I’d be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious.”