Saturday, June 6, 2009

The Security of Bing

This week Bing made its big debut. If you haven't yet heard of Bing, Microsoft has a 100 million dollar advertising campaign that should correct your ignorance pretty soon.

Bing hasn't yet hit prime-time. When I Googled the word Bing (ahhh...the irony) the first page of results still contained links to a surf board shop, a columnist for Fortune, and various complaints from the latter about brand name infringement. That's going to change real fast (like by the time you are reading this), but it goes to show that Bing has a long way to go before it even begins to chip away at Google's dominance of search.

Bing has generally received good reviews - it seems to basically work (no repeat of the initial Vista disaster here) and is a refreshing alternative to Google. But surprisingly there hasn't been much talk about the security of Bing (except for a storm of criticism about the display of inappropriate material in search snippets).

Or maybe not so surprisingly. Most people think of cybercrime in terms of hackers and ID thieves. Search engines just search for stuff that's already out there. But the truth is that the vast majority of criminal and quasi-criminal activity on the web involves gaming the search engine system in one way or another. A lot of crime that just happens to use a computer gets incorrectly labelled cybercrime. But search engine crime (if I may coin a new phrase) is truly cybercrime. 

How does search engine crime work? Take the term "hotels New York". Every week thousands of people book millions of dollars of hotel rooms by Googling those three words. Since people only pay attention to the very first search engine results (and almost never click beyond the first page of search results), moving just one spot up the list of results can result in a huge increase in revenue. The difference between being number 8 and number 7 in the Google results for any hotel-related word has a very real and measurable price attached to it.

Enter the cybercriminals. Botnets are harnessed to create spam links to sites to raise their profile. Browsers are hijacked to redirect unsuspecting users. Content is culled from one site to another to produce hits in unrelated searches. Spam links are created dynamically on the basis of user input. There are literally thousands of ways of gaming the search engine system. Some are outright criminal, while others are just very shysterish SEO (search engine optimization) techniques.

Of course not all search terms have equal cachet. Take the term CISO (Chief Information Security Officer). A reader who stumbled on my blog by googling the term "CISO" pointed out to me that my recent post on whether companies really need a CISO is now the 5th highest search result for the term "CISO" on Google. Now while this blog has a healthy readership and has built up some decent Google juice over time, what this high ranking really goes to show is that there aren't all too many people talking about CISOs or competing for this term in search engines. Which kind of reinforces the point the post was trying to make in the first place...

But I digress. Let's get back to Bing security. My guess is the majority of all malware, viruses, etc. are aimed at gaming Google search results. Now while most of these techniques work to some extent at gaming Yahoo and other search engines, the fraudsters are aiming to maximize Google rankings above all else.

How well has Google done in making its search engine fraud and spam proof? Google has done pretty well with controlling Gmail spam (despite recent glitches). But today Google search results are a mess - malware-related sites are frequently misidentified and many common search terms point to malware. Just a bit of Googling - I mean binging around - makes it seem like Bing suffers a bit less from this problem. One reason is that Bing appears to provide fewer search results than an equivalent Google search. And the other more important factor is that cybercriminals have not yet honed their skills on gaming Bing.

Early indications are that Bing uses much the same malware filtering as other search engines. The web analytics market is already scrambling to understand the implications of Bing. Features like the (annoyingly slow) rollover function undoubtedly have serious implications in terms of both security and user behaviour. How these will be exploited by cybercriminals will have a major influence on the face of cybercrime in the coming months.

2 comments:

  1. One awesome part of bing.com is if you have users who like spending time watching videos at work, like whole television episodes. You can do that with bing's videos section. Yay!

    And depending on your web filter product, it may be annoying to block parts of a domain.

  2. I wouldn't be surprised if MS offers better ways to control the video feature (they've already turned it off or limited it in some countries). They've been taking a lot of flak on this issue.
