
Microsoft Local Impact Map

Tuesday, October 12th, 2010


Securing websites


This paper discusses some of the common ways in which web servers are attacked and details various techniques by which they, and by extension the websites they host, can be protected.

1. Introduction

For systems like servers that are designed to be ‘always on’, security is an important issue. Web servers are the backbone of the internet: they provide the core services and functionality of the billions of websites around the world and, as a result, hold personal data about many of the people who visit them. Ensuring that servers are secure from outside attack is a prime concern for any organisation that relies on them.

In the last few years attacks against web servers have increased substantially. As the map below shows, it is immaterial where in the world you base a web server: malicious code respects no boundaries. The threat is not only international but now comes from organised criminal gangs looking to harvest passwords, financial details and other information, rather than from teenage hackers looking to cause mischief. In most cases an attack occurs unobtrusively, with servers and websites seeded with malware designed to infect as many visitors as possible.

Web servers are particularly vulnerable because they are ‘open’ by nature: users are encouraged to send information to them and receive information from them. The HTTPD (HTTP server daemon), the database software and the code behind a website can each be modified by a criminal so that their original function is altered.

However, that is not to say that web servers cannot be protected. They can, but it requires an integrated approach from website administrators, programmers and designers alike, with areas such as anti-virus software, the operating system (OS) and access permissions kept under constant review.

This paper will explore many of the common areas that lead to a compromised web server and the ways of preventing them.

2. Secure foundations

The first step in designing, building or operating a secure website is ensuring that the server that hosts it is as safe as possible.

A web server is made up of layers that provide multiple avenues of attack, as the diagram below shows. Remember, each block is a possible target.

The foundation of any server is the OS, and the secret to keeping it secure is simple: apply the latest security patches promptly. Doing so could not be easier, as Microsoft [1], together with most Linux distributions, lets organisations apply patches automatically or with a single click. Do check afterwards that the patched version is actually the one running; a patch that is downloaded but still waiting for a service restart or reboot protects nothing.

However, remember that attackers automate their attempts too, with malware designed to jump from server to server until it finds one that is unpatched. This is why it is important to ensure that your patches are up to date and installed properly: any server running old patches will eventually become a victim.

You also need to update every software component that runs on the web server. Anything non-essential, such as DNS servers and remote administration tools like VNC or Remote Desktop, should be disabled or removed. If remote administration is essential, do not expose it to the whole internet unnecessarily, and never use default passwords or anything that can be easily guessed [14]. The same applies to user accounts, switches and routers.

The next area to address is anti-virus software. This is a must for any web server, whether it is running Windows or Unix, and, combined with a properly configured firewall, is one of the strongest defences against a breach. When a web server is targeted the attacker will try to upload hacking tools or malware immediately, so as to take advantage of the breach before it is fixed. Without a good anti-virus package, such a breach can go unnoticed for a significant amount of time.

When it comes to defence, a multi-layered approach is best. In the frontline are the firewall and the OS, while in the trenches is the anti-virus, ready to rush in and fill any gaps that present themselves.

In summary:

• Do not install software components you do not need. Every component is a risk: the more there are, the greater the risk.

• Keep your OS and applications patched with the latest security updates.

• Use anti-virus, enable automatic updates and regularly check that these are installed correctly.

Some of these tasks might appear onerous, but do not forget that just a single security hole is enough for an attacker. The potential risks include stolen data and bandwidth, server IP blacklisting, the negative impact on an organisation’s reputation and the possibility that your website could become unstable.

The next most important piece of software is the HTTPD itself; the two most popular are IIS and Apache.

2.1 Internet Information Services (IIS)

IIS ships with Microsoft Windows and is a popular, commonly used web server, as it requires very little configuration.

When implementing it, however, it is worth remembering the following:

• Disable default services such as FTP and SMTP unless you need them. Disable directory browsing unless it is required, as it lets visitors list the files present in any directory that has no index page.

• Disable any FrontPage Server Extensions that are not being used.

You should also keep IIS fully updated. Because it is serviced as part of Windows, enabling Automatic Updates in the Windows Control Panel covers it.

2.2 Apache HTTP Server

Apache is a highly configurable and well-maintained open source web server. It requires a more detailed configuration to deploy successfully, but provides greater control over a web server. Most Apache servers run on Linux/BSD, but it can also run on Windows.

Because configuring Apache is complex, there is not space in this paper to detail the entire procedure. However, the following tips [2,3,4] are worth bearing in mind:

• Deny access to the filesystem by default and only grant access to the directories the site actually needs (in Apache 2.4 this means Require all denied on the root directory, overridden for the document root; in 2.2 the equivalent is Order deny,allow with Deny from all).

• Log all web requests, as the logs are what lets you identify suspicious activity.

• Subscribe to the Apache Server Announcement mailing list, which carries release, patch and security-fix notices.

Websites that require more complex functionality augment their HTTPD with a server-side interpreter, loaded either as a server module or via CGI (Common Gateway Interface). Two of the most popular are PHP and ASP.

2.3 PHP and MySQL

PHP is one of the most common server-side scripting languages. It has a very large functional code base, simple syntax, adaptable code and, most importantly, interacts with a large number of database systems. MySQL is one of the most popular databases to use in conjunction with PHP, as it is fast, feature-rich and easy to configure and use.

PHP has often been accused of being lax about security, as over the years many exploitable bugs have been found in it. However, it has matured steadily, and most problems can be avoided by configuring the installation correctly and writing the code securely.

Here are some configuration tips (writing secure code is covered in a later section) that relate to the variables in the “php.ini” file:

• Set ‘register_globals’ off

• Set ‘safe_mode’ on

• Set ‘open_basedir’ to the base directory of the website

• Set ‘display_errors’ off

• Set ‘log_errors’ on

• Set ‘allow_url_fopen’ off

For more information on these configuration directives and why they are important, please see [6,7,10]. Note that ‘register_globals’ and ‘safe_mode’ were deprecated in PHP 5.3 and removed in PHP 5.4, so on current releases they cannot be set at all; rely on ‘open_basedir’, filesystem permissions and secure code instead. ‘allow_url_include’ should be off alongside ‘allow_url_fopen’, since it is the directive that lets include() and require() pull code from a remote URL.

When MySQL is installed it creates a default ‘test’ database, anonymous accounts and a ‘root’ account with no password. Root has full access to every database on the server, which is why it is important to:

• Change the root password immediately.

• Create a new MySQL user and give it the bare minimum privileges.

• Remove the test database and the anonymous/test users. The mysql_secure_installation script that ships with MySQL walks through all of these steps interactively.

2.4 Active Server Pages (ASP)

ASP is a Microsoft add-on that is supported by IIS, though there is also an Apache implementation. ASP is integrated in IIS and so usually requires little or no configuration.

2.5 Security

Anti-virus is generally the final line of defence against an attack which is why web servers, particularly those dealing with dynamically generated content, should have on-access scanning enabled at all times. As the chart below shows, no web server is safe from malware. No matter how secure you think your web server is, there is always a chance that it will get hacked. On-access scanning significantly reduces the chance of malicious code running on the system as it can scan in both ‘on read’ and ‘on write’ modes, and can then deliver an immediate notification as soon as any piece of malware tries to store itself on the server.

On-access scanning can affect the throughput of the server slightly, but the added security benefits far outweigh any performance cost. Areas of the system such as the HTTPD log folder can be excluded from the scan, which further reduces the impact.

Attacks against web servers can be generally categorised into two main types: local and global.

• Local attacks usually attempt to steal information or take control of a specific web server.

• Global attacks are generally targeted towards multiple websites and aim to infect anyone visiting them.

Although Linux and BSD are regarded in some quarters as more secure than Windows, they are certainly not exempt from organised crime. They can, and should, have anti-virus software installed. Even if malware cannot execute on the host server because anti-virus blocks it or because it targets another OS, it can still be served to visitors as ordinary page content: attackers upload it embedded in PHP or ASP pages, and the OS of the web server then becomes irrelevant.

It is also possible for servers to become infected across a local network. The Fujacks family of worms, for example, infect HTML, PHP and ASP files over shared drives and network shares.

3. External Web Hosting

Most organisations do not have the hardware or the reliable bandwidth to host their own web server and so use external providers. Three alternatives suit small and large organisations alike:

• Shared dedicated hosting.

• Virtual dedicated hosting.

• Dedicated hosting.

3.1 Shared dedicated hosting

This is possibly the most used, and most abused, form of web hosting: one server hosts many websites. It is one of the cheapest options and consequently one of the most dangerous, as a single compromised customer can be enough to infect everybody else using the server.

An excellent real-life example of the problems inherent with shared hosting can be found in the following SophosLabs Blog posting:

http://www.sophos.com/security/blog/2007/06/172.html

3.2 Virtual dedicated hosting

Virtual dedicated servers, sometimes referred to as elastic servers, are created by using virtualization software to run a number of separate, self-contained virtual servers on one physical machine. This is appropriate for any growing organisation, as each customer has their own OS and server software.

3.3 Dedicated hosting

Dedicated servers are exclusively reserved for one user. There are typically two forms available: managed and unmanaged.

• Managed servers have staff to take care of duties such as managing local security issues and troubleshooting.

• Unmanaged servers are unmonitored and slightly cheaper to operate, as any assistance would have to be bought in.

Of the three options presented here, virtual dedicated hosting seems to be the most efficient, being generally cheaper than dedicated hosting but retaining the latter’s flexibility and security.

4. Design yourself safer

No matter what you do and no matter how small your website, it will be attacked. Design is intrinsic to security as it can reduce the damage caused by viruses, spyware and other malware.

Try putting yourself in the attacker’s shoes and use common sense to plug glaring holes. Some website mistakes are made so commonly – by beginners and old hands alike – that it is worth going over them here.

4.1 Cookies

One of the main problems encountered when designing a web application is that every request for a new page is handled independently of the previous one. Asking a web application to ‘remember’ a visitor is therefore harder than it is in a conventional application.

There are two kinds of cookie that web applications use to remember visitors, and both are supported by most browsers: persistent cookies and session cookies.

• A persistent cookie is a small piece of data that the server asks the browser to store on the user’s computer. It can contain virtually anything, but usually has a name, an expiry date and an arbitrary value such as “Count=100” or “Member=false”. Because it has an expiry date it is written to disk and stays there until it expires or is deleted.

• A session cookie is the same mechanism without an expiry date: the browser keeps it in memory and discards it when the browser is closed. Web applications commonly use a session cookie to carry only a random session identifier, with the associated data kept in memory or a database on the server.

The difference between the two is therefore where the data lives and for how long. What they have in common is that both can be tampered with, and a session identifier that is stolen or guessed hands the attacker the whole session.

Developers often trust the data they retrieve from cookies simply because they wrote the code that set it, so it must be good, right? Wrong. An attacker can trivially modify a cookie (and in some cases live session data) to fool a website into granting access to a restricted page.

When designing your system never trust user input, whether it arrives directly from visitors or indirectly through cookies. Limit the amount of data stored in cookies, especially data that should not be public. A good rule is to treat anything stored on an end-user machine as suspect.
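The following Python example is added here to illustrate the point; it is not code from the original paper. It contrasts a site that believes whatever a “Member=…” cookie says with one that appends an HMAC tag that only the server can compute, so an edited cookie is rejected. The secret value and the cookie name are assumptions for the illustration.

```python
import base64
import hashlib
import hmac

# Assumed server-side secret: load it from configuration in practice,
# and never send it to the browser.
SECRET = b"replace-with-a-long-random-secret"


def naive_is_member(cookie: str) -> bool:
    """What the vulnerable site does: trusts the cookie text as-is."""
    return "Member=true" in cookie


def sign_cookie(value: str, secret: bytes = SECRET) -> str:
    """Append a URL-safe base64 HMAC-SHA256 tag so any edit can be detected."""
    tag = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")


def verify_cookie(cookie: str, secret: bytes = SECRET):
    """Return the cookie value if its tag is valid, otherwise None."""
    value, sep, tag = cookie.rpartition(".")  # the tag never contains "."
    if not sep:
        return None
    expected = sign_cookie(value, secret).rpartition(".")[2]
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8", "replace")):
        return None
    return value


def signed_is_member(cookie: str) -> bool:
    """What the hardened site does: only honours a value with a valid tag."""
    value = verify_cookie(cookie)
    return value is not None and value == "Member=true"


if __name__ == "__main__":
    issued = sign_cookie("Member=false")
    forged = issued.replace("Member=false", "Member=true")
    print("naive  :", naive_is_member(forged))   # True: the forgery is accepted
    print("signed :", signed_is_member(forged))  # False: the tag no longer matches
```

Signing stops modification but not reading or replay: do not put secrets in the cookie, set it with the Secure and HttpOnly flags, and keep anything sensitive server-side, referenced by a random session identifier.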

MySpace.com was targeted by a Trojan (JS/SpaceStalk-A) early this year, which stole information stored in cookies and transmitted it to a remote server. This information could theoretically contain confidential information such as login names, internet preferences and passwords.

4.2 Authentication

If your website contains areas that are only intended for certain customers or registered users, you need a way for visitors to identify themselves before they gain access[8].

There are a number of ways to authenticate users. The two schemes built into HTTP are basic authentication and digest authentication, and either should be considered together with HTTPS.

• Basic authentication sends the username and password in every request, merely Base64-encoded, so anyone who can see the traffic can read them. Even if the restricted content is not especially secret this is best avoided on a plain HTTP connection, since a user might use the same password on many sites. A Sophos poll showed that 41% of users use the same password for all online activity, whether it is a banking site or a local community forum [15]. Try to protect your users against this mistake by using a more secure authentication method.

• Digest authentication, which all popular servers and browsers support, never sends the password itself: the browser sends a hash of the username, password and a server-supplied nonce, and the server recomputes the hash to check it. This keeps the password out of the request (the username still travels in the clear), which creates a better impression on the user and reduces the chance of your server being abused. It relies on MD5 and protects nothing but the password, so it is no substitute for HTTPS.

• HTTPS encrypts all data transferred between the browser and the server, not just the username and password. You should use HTTPS (which relies on SSL/TLS) whenever you are asking users to provide private or personal data such as their address, credit card or banking details, and for any login form.

When choosing an authentication system, it is good practice to choose the best available. Anything less will worry security-conscious customers and possibly expose them to unnecessary risks.
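As an added example (not part of the original paper), the Python below builds the two HTTP headers described above so the difference is visible: the Basic header decodes straight back to the password, while the Digest exchange carries only MD5 hashes that the server recomputes from its stored copy of the password. Usernames, realm, nonce and password values are made up for the illustration; the Digest computation follows RFC 2617 with qop=auth.

```python
import base64
import hashlib
import hmac
import secrets


def basic_header(username: str, password: str) -> str:
    """What a browser sends for Basic auth: 'user:pass', merely Base64-encoded."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header: str):
    """Anyone who can read the request can recover the credentials."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        return None
    username, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return username, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response: only hashes travel, never the password."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, realm, password, method, uri, nonce, nc="00000001", cnonce=None):
    """Client side: the Authorization header the browser would send."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header: str) -> dict:
    """Minimal parser for the comma-separated key=value pairs built above."""
    fields = {}
    for item in header.partition(" ")[2].split(", "):
        key, _, val = item.partition("=")
        fields[key] = val.strip('"')
    return fields


def server_verify_digest(header, method, stored_password, expected_nonce) -> bool:
    """Server side: recompute from the stored password and compare."""
    f = parse_digest(header)
    if f.get("nonce") != expected_nonce:      # stale or replayed nonce
        return False
    expected = digest_response(f["username"], f["realm"], stored_password,
                               method, f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


if __name__ == "__main__":
    print(decode_basic(basic_header("alice", "Circle Of Life")))
    nonce = secrets.token_hex(16)  # issued by the server in its 401 challenge
    h = digest_header("alice", "example.com", "Circle Of Life", "GET", "/members/", nonce)
    print("password in header:", "Circle Of Life" in h)
    print("server accepts:", server_verify_digest(h, "GET", "Circle Of Life", nonce))
```

Note what Digest does not do: the username, URI and all content are still readable on the wire, and a captured response can be replayed for as long as the server accepts that nonce, which is why the paper’s advice to use HTTPS stands regardless of the scheme.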

4.3 Components, libraries and add-ons

Many web developers do not have time to reinvent the wheel. When asked to add a feature that is common elsewhere the simplest approach is to source a package that already contains the necessary component and customise it. Such outsourcing occurs primarily with complex, feature-rich micro-applications such as blogs, forums and content management systems (CMS).

The reasons for using pre-built, customisable systems are obvious: they save time and money.

Like all pieces of software, however, add-ons can contain flaws and so it is wise to keep an eye on any packages that are in use and update them regularly. The popularity of some of these packages can sometimes instil a misleading sense of trust among the public and many of the popular products have been found to be exploitable, even when apparently installed and configured correctly.

Popular server-side applications that have had problems in the past with critical, exploitable bugs include:

• WordPress (blogging software).

• phpBB (forum software).

• CMS Made Simple (CMS Software).

• PHPNuke (CMS Software).

• bBlog (blogging software).

Many of the above (and similar) add-ons are widely used, which makes them very attractive targets for hackers as they greatly increase the number of possible victims. Since most OS and HTTPD software can be automatically updated many developers ‘set and forget’ certain features, but neglect to update the various add-ons: a dangerous mistake.

Again, the golden rule here is as before, if you do not need it, get rid of it! If your hosting provider supplies such features by default, turn them off. If you are unable to disable them, then you should think about finding a new provider.

4.4 Log Files

Server logs are a very important resource when managing a website. Most HTTP servers can be configured to save access logs as well as error logs, and this should be enabled at all times, as the logs are essential when reviewing an incident.

They should also be reviewed regularly, as they provide a better understanding of the threats that websites face. Log files record, in detail, every successful or attempted access to a site, and so give an insight into any potential breach.
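To make the review concrete, here is an added Python example (not from the original paper) that parses lines in Apache’s default “combined” access-log format and flags requests carrying the kinds of payload discussed later in this paper, plus requests for an FTP client log file. The log lines are constructed for the example, not real traffic, and the signature patterns are deliberately simple.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic); the last four are suspicious.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2010:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Oct/2010:10:00:02 +0100] "GET /images/logo.png HTTP/1.1" 200 812 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2010:10:05:11 +0100] "GET /users.php?firstname=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "sqlmap/1.0"
198.51.100.7 - - [12/Oct/2010:10:05:12 +0100] "GET /users.php?firstname=%27;%20DROP%20TABLE%20users;%20%23 HTTP/1.1" 500 230 "-" "sqlmap/1.0"
198.51.100.9 - - [12/Oct/2010:10:07:40 +0100] "GET /profile.php?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2010:10:08:02 +0100] "GET /WS_FTP.LOG HTTP/1.1" 200 4421 "-" "Mozilla/5.0"
"""

# Each rule is applied to the percent-decoded path and query string.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*'?", re.I)),
    ("sqli-stacked", re.compile(r";\s*(drop|delete|update|insert)\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("leaked-ftp-log", re.compile(r"/WS_FTP\.LOG$", re.I)),
]


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Names of every rule matching the request; decode %xx escapes first."""
    target = unquote(entry["path"])
    return [name for name, pat in RULES if pat.search(target)]


def scan(log_text: str) -> list:
    """(ip, status, raw path, rule hits) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["status"], entry["path"], hits))
    return findings


if __name__ == "__main__":
    for ip, status, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {status} {hits} {path}")
```

Real payloads are encoded and varied to dodge patterns like these, so treat the rules as a starting point: the things worth reviewing by hand are 500 responses following a quote character, unusual user agents, and successful (200) responses for files that should never be served at all.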

5. Breaking the code

Writing secure code is not always as easy as it sounds. It not only takes a skilled programmer, but also one that is knowledgeable about specific security issues [9]. There are whole books dedicated to writing secure code so I will only cover the basics here[13].

• Never rely on global variables (keep ‘register_globals’ off): with it enabled, any variable in your script can be pre-set by a crafted GET or POST request.

• Turn off on-screen error reporting and log to a file instead; detailed error messages help attackers reproduce a problem and then exploit it to expose further vulnerabilities.

• Do not trust any user data. Pass it to the database through prepared statements or, failing that, through the database’s own escaping function, and validate its format as well.

5.2 SQL injection

SQL injection can be used to attack websites that interact with databases. It occurs when unfiltered, user-supplied input is used in an SQL query.

SQL queries can be used to query a database, insert data into a database or modify/delete data from a database. A lot of modern websites use scripting and SQL to generate page content dynamically. User input is frequently used in SQL queries, and this can be dangerous, as an attacker can try to embed additional SQL within the input data. Without careful attention, this malicious SQL may be executed successfully on the server.

Take the following PHP code:

<?php
// Deliberately vulnerable: the POST value is pasted straight into the query text.
$firstname = $_POST["firstname"];
mysql_query("SELECT * FROM users WHERE first_name='$firstname'");

After submitting your first name to the web form, the SQL query will return a list of users that have your first name. If I put my name “Chris” in the form, the SQL query would be:

"SELECT * FROM users WHERE first_name='Chris'"

This is a valid statement and will work as you would expect, but what would happen if instead of my first name I put in something like "'; DROP TABLE users; #"? The statement would then read:

"SELECT * FROM users WHERE first_name=''; DROP TABLE users; #'"

The semi-colon allows multiple commands to be run, one after the other. Suddenly the simple statement is now a complex three part statement:

SELECT * FROM users WHERE first_name=’’;

DROP TABLE users;

#'

The original statement is now useless, and can be ignored. The second statement instructs the database to drop (delete) the entire table and the third uses the ‘#’ character which tells MySQL to ignore the rest of the line.

The above is particularly dangerous and can be used to display sensitive data, update fields or delete/remove information. Some database servers can even be used to execute system commands via SQL.

Fortunately this type of vulnerability is easily avoided by keeping user input separate from the SQL. The best defence is a prepared statement (mysqli or PDO in PHP), which sends the query text and the data to the server separately so the data is never parsed as SQL. The older approach is to escape every value before it is placed in the query with ‘mysql_real_escape_string’; note that this only protects values inside quoted string literals, does nothing for numeric or identifier positions, and belongs to the legacy mysql extension that was removed in PHP 7. One caveat on the example above: ‘mysql_query’ only ever sends a single statement, so the stacked DROP would be rejected there, but that is no protection, since a payload such as ' OR '1'='1 rewrites the WHERE clause within one statement, and other interfaces (mysqli_multi_query, or other database servers) do permit stacked statements.
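The following Python example, added here and not taken from the paper, reproduces the vulnerable query against an in-memory SQLite table so the effect can be run and observed, then shows the prepared-statement version handling the same input harmlessly. SQLite is a stand-in for MySQL (its line comment is -- rather than #), the table contents are constructed, and executescript() is used only to model a driver that accepts several statements at once.

```python
import sqlite3

# Payloads from the discussion above. SQLite comments start with "--",
# where MySQL accepts "#"; the mechanism is the same.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_STACKED = "'; DROP TABLE users; --"


def fresh_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the MySQL one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT)")
    conn.executemany("INSERT INTO users (first_name) VALUES (?)",
                     [("Chris",), ("Alice",), ("Bob",)])
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str = "users") -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


def find_vulnerable(conn: sqlite3.Connection, firstname: str) -> list:
    """Same mistake as the PHP snippet: user data spliced into the SQL text."""
    sql = f"SELECT * FROM users WHERE first_name='{firstname}'"
    return conn.execute(sql).fetchall()


def find_vulnerable_stacked(conn: sqlite3.Connection, firstname: str) -> None:
    """Same string-building, through an API that runs several statements
    (as mysqli_multi_query would); executescript() models such a driver."""
    sql = f"SELECT * FROM users WHERE first_name='{firstname}'"
    conn.executescript(sql)


def find_safe(conn: sqlite3.Connection, firstname: str) -> list:
    """Prepared statement: the value is bound as data and never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE first_name = ?",
                        (firstname,)).fetchall()


if __name__ == "__main__":
    conn = fresh_db()
    print(find_vulnerable(conn, "Chris"))             # [(1, 'Chris')]
    print(find_vulnerable(conn, PAYLOAD_TAUTOLOGY))   # every row leaks
    print(find_safe(conn, PAYLOAD_TAUTOLOGY))         # []
    find_vulnerable_stacked(conn, PAYLOAD_STACKED)
    print(table_exists(conn))                         # False: the table is gone
```

Calling find_vulnerable() with the stacked payload raises an error, because SQLite’s execute(), like PHP’s mysql_query(), accepts one statement at a time; the tautology payload needs no second statement and works through either. The PHP equivalent of find_safe() is a mysqli or PDO prepared statement with a bound parameter.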

5.3 XSS (cross-site scripting)

This type of attack focuses on websites that display user-supplied data. Rather than attempting to control the database with malicious input, the attacker aims to have malicious content rendered, and executed, in other visitors’ browsers.

Many sites store the username of every visitor in a database so that they can display it when that user logs in. It is simple for an attacker to create an account and place malicious code in the username field instead of a name, typically JavaScript that loads content from another website. The database stores what it thinks is a username but is in fact code, and whenever the site displays that username at the top of a page the code runs in the visitor’s browser. Since the code could, depending on the circumstances, do just about anything, this is a very real concern and one often overlooked by developers. In recent history many high-profile websites have been the victim of XSS attacks, including MySpace, Facebook and Google Mail.

Take the following PHP code:

<?php
// Deliberately vulnerable: the POST value is echoed into the page unescaped.
$firstname = $_POST["firstname"];
echo "Your name is: $firstname";

After submitting your first name to the web form, the website will display the message on the page. If I put my name “Chris” in the form, the message would say: “Your name is: Chris”.

What if I decided to use "<script>alert("You just got hacked!");</script>" instead of my name? The page would then contain that script verbatim, and every browser that loaded it would run it, with the privileges of your site.

Unfortunately, XSS attacks can sometimes be hard to defend against as they rely on the correct filtering of input and output and then the validation of every single field that can be modified by a user. This includes data retrieved from GET and POST requests, as well as queries that have been returned from the database.

If you use PHP there are a number of packages that can help you filter output easily, an example being CodeIgniter [5]. Alternatively, the native PHP function ‘htmlspecialchars’ escapes output for an HTML context; call it with ENT_QUOTES and the page’s character set so that both kinds of quote are converted, which matters when the value lands inside an attribute. Escaping is context-specific: a value placed inside a JavaScript string, a URL or a style block needs a different encoder.
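The Python below is an added example, not part of the original paper, mirroring the PHP echo above with its hardened form, and adding the attribute case that shows why escaping quotes (ENT_QUOTES in PHP, quote=True here) matters. The payloads are constructed for the illustration; html.escape() is the standard-library counterpart of htmlspecialchars().

```python
import html

# Constructed payloads: one for an HTML body context, one that tries to break
# out of a quoted attribute and attach an event handler.
PAYLOAD_BODY = '<script>alert("You just got hacked!");</script>'
PAYLOAD_ATTR = '" onfocus="alert(1)" autofocus="'


def render_vulnerable(firstname: str) -> str:
    """Mirrors the PHP echo: user data dropped straight into the page."""
    return f"<p>Your name is: {firstname}</p>"


def render_safe(firstname: str) -> str:
    """Escape for an HTML body context (the htmlspecialchars equivalent)."""
    return f"<p>Your name is: {html.escape(firstname, quote=True)}</p>"


def attr_vulnerable(value: str) -> str:
    """A form that re-displays the submitted value inside an attribute."""
    return f'<input name="firstname" value="{value}">'


def attr_safe(value: str) -> str:
    """quote=True also neutralises " and ', so the attacker cannot close the
    attribute and start a new one (without it the handler survives)."""
    return f'<input name="firstname" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_BODY))  # raw <script> tag reaches the browser
    print(render_safe(PAYLOAD_BODY))        # &lt;script&gt;... shown as text
    print(attr_vulnerable(PAYLOAD_ATTR))    # value="" onfocus="alert(1)" ...
    print(attr_safe(PAYLOAD_ATTR))          # quotes become &quot;
```

Escape at the point of output, for the context the value is going into, rather than trying to strip “bad” characters on input; stored data such as the username example above is only safe if every page that displays it escapes it.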

6. A study of how easy it is

While researching this paper I decided to see how easy it would be to find examples of data leakage, and so searched Google for the default log filename of a common FTP client, WS_FTP.LOG. I found thousands of websites that were publicly serving (and had unknowingly allowed to be indexed) this seemingly unimportant log file. Each one was a perfect example of data leakage.

Here is one such (censored) log:

99.07.16 08:34 A x:xxxxxxxxxxxxxxxxxxxxWS_FTP.LOG <-- <Site name> /export/home/<username>/xxxxxx/xxxxxx WS_FTP.LOG

99.07.16 08:53 A x:xxxxxxxxxxxxxxxxxxxxhome.html --> <hostname> /xx/www/xxxxxx-xxx/xxxxhome.html

From this I learned a number of interesting things:

• The <site name> gave me the name of the website.

• The <username> provided the login name on the Linux/BSD style server.

• The <host name> supplied the server’s hostname.

This tells me the following about the host:

• The name of the web server (and, after a DNS lookup, its IP address).

• The remote path it was copied into.

• The local path it was copied from.
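As an added example (not from the original paper), the Python below parses lines laid out like the censored log above and collects exactly the items listed: hosts, the login name read off the remote home directory, and the local and remote paths. The sample lines, hosts, paths and username are constructed for the illustration, and the line layout is assumed from the censored excerpt rather than from a WS_FTP specification.

```python
import re

# Constructed sample lines in the layout of the censored log above:
# date time mode local-path direction host remote-dir remote-file
SAMPLE_WS_FTP_LOG = """\
99.07.16 08:34 A C:\\Sites\\example\\WS_FTP.LOG <-- ftp.example.com /export/home/webadmin/public_html WS_FTP.LOG
99.07.16 08:53 A C:\\Sites\\example\\home.html --> www.example.com /export/home/webadmin/public_html home.html
99.07.16 09:02 B C:\\Sites\\example\\cgi-bin\\admin.cgi --> www.example.com /export/home/webadmin/public_html/cgi-bin admin.cgi
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}) (?P<mode>[AB]) "
    r"(?P<local>.+?) (?P<dir><--|-->) (?P<host>\S+) (?P<remote_dir>\S+) (?P<remote_file>\S+)$"
)

# Home-directory conventions from which a login name can be read off.
USER_RE = re.compile(r"^/(?:export/)?home/(?P<user>[^/]+)/")


def parse_entry(line: str):
    """Return the fields of one transfer record, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["direction"] = "download" if e["dir"] == "<--" else "upload"
    e["remote_path"] = e["remote_dir"].rstrip("/") + "/" + e["remote_file"]
    return e


def summarise_leakage(log_text: str) -> dict:
    """Collect what an attacker learns: hosts, login names, local and remote paths."""
    out = {"hosts": set(), "users": set(), "local_paths": set(), "remote_paths": set()}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        out["hosts"].add(e["host"])
        out["local_paths"].add(e["local"])
        out["remote_paths"].add(e["remote_path"])
        um = USER_RE.match(e["remote_dir"])
        if um:
            out["users"].add(um.group("user"))
    return out


if __name__ == "__main__":
    for key, values in summarise_leakage(SAMPLE_WS_FTP_LOG).items():
        print(f"{key}: {sorted(values)}")
```

The same parser run over your own document root is a quick check for this kind of leak: any file that yields records was never meant to be web-accessible, and the remote paths it lists show how far an attacker could map your layout from it.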

This kind of information is gold dust to a criminal: knowing the hostname and username, he or she can attempt to log in as that user and from there work towards administrator access. Alternatively they could simply look up the web hosting company’s phone number or email address and attempt to obtain the password by social engineering.

The latter is often easier than attacking the server itself as many web hosting companies undertake minimal security checks before handing out security credentials. This may be because they are often contacted by individual web contractors who are building a site on behalf of a third-party, and so are quite used to getting calls asking for account credentials or password resets.

I myself have done this several times – legitimately of course – and only one of the four different companies I asked required the original business to provide express permission.

Yes, it really is as easy as that.

About the Author

This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.


Google: The search party is over

Yes, the company is still growing at rates that would be the envy of the rest of the Fortune 500. But its core business is slowing, its stock is down, its Android mobile platform generates scant revenue, and competition (hello, Facebook) is fierce. Can Google find its footing in this brave new world?

Stroll across the Googleplex in Mountain View, Calif., and you are confronted by a world that sparkles a bit more than whatever slightly dreary one you just left. Massive stone busts of ocean explorers like Jacques Cousteau fix their gaze on the cobbled paths that flow into the main Google buildings. At sunny tables outside, Google employees -- the coolest, most confident techies you'll meet -- eat their free food and chat animatedly about who-knows-what arcane computer algorithms, or the latest must-do pastime of the young and affluent Silicon Valley set, like kite-boarding or indoor skydiving.

It looks a lot like the midday break at some elite college campus. But almost 12 years after it was launched by precocious Stanford grad students Larry Page and Sergey Brin, Google and its founders are grappling with a very grownup set of problems. Google's core business, online search, is slowing. That is partly due to Google's own success; it's hard to keep posting record growth rates when you dominate a business so thoroughly -- Google sites lead the U.S. market with 64% of all searches conducted. But more crucially, the web has changed significantly since Google became a verb. There is (at long last) fresh competition from Microsoft's Bing, and also a new wave of sites and services that offer alternatives for consumers' time and attention -- and the advertisers that follow them.

The Googlers certainly know this, but in classic Innovator's Dilemma fashion, the company seems unsure about how to move beyond the core search business that has brought it such massive success. Google has placed expensive bets on acquisitions, chief among them its $1.6 billion purchase of YouTube, a $3.1 billion wager on ad network DoubleClick, and more recently its $750 million purchase of mobile advertising platform AdMob. But none of those deals have yet significantly diversified Google's $23-billion-a-year revenue stream: Google's main focus continues to be driving people back to the search box and the ad dollars that Google collects for helping marketers reach highly targeted consumers. Even Google's most successful new product, the Android operating system for smartphones, generates scant revenue for the company: Google gives the licenses free to mobile-phone operators to facilitate, you guessed it, searches and use of other Google services on mobile phones. And while it lets its whip-smart engineers dedicate a portion of their workdays to dreaming up the coolest products for the web, all that Googley experimentation hasn't had a huge impact on the bottom line.

That was fine when the search business was expanding at 30% or 40% a year, and Google's revenue was growing at twice that. Long-term projections for growth in the search business are more in the 15% to 17% range. Yet analysts estimate that 91% of Google's revenue still comes from the AdWords and AdSense business model that Google built around Page and Brin's breakthrough PageRank algorithm. Even more telling, an estimated 99% of its profit does too. This year's projected earnings growth of 18% is a third of what Google averaged over the past five years. A lot of companies would kill for that growth, but for technology companies, and Google in particular, those numbers don't impress. Google is rounding a corner that all the fruit smoothies at its Silicon Valley campus make it hard to pull back from. This year Google (GOOG) has joined the ranks of just about every great technology company before it, including IBM (IBM), eBay (EBAY), Cisco (CSCO), Microsoft (MSFT), and Oracle (ORCL). Google, against its will, and defying its massive cash hoard, is transitioning from a growth company to -- and there is no kind way to put it -- a cash cow. That ranks right up there with being a former supermodel, but it is a taint Google can't seem to shake right now, at least not on Wall Street. It's a big part of the reason that Google shares are down 21% since Jan. 4, underperforming the Nasdaq (up 1%).

Up against the ever-changing web

Some investors also worry about Google's ability to keep pace with consumers' evolving use of the web. Say you want to buy running shoes to train for a marathon. Five years ago you would have simply Googled it, looked at the list of results, weighed your options, and made the purchase, perhaps by clicking on one of the sponsored links that accompanied your search. Today you might still do that, but increasingly you might pose the question "What running shoes should I buy?" to your friends on Facebook, or maybe write "Who knows about training for marathons?" on Twitter. By the time shopping service Groupon sends you (and 25 of your friends) an offer for the perfect shoes and registration for a race, you'll probably just pounce on it.

And what if you don't even have a question to pose? What if you just need help? Consider the case of American graduate student James Buck. Egyptian police detained Buck for taking photographs of a protest in a city outside Cairo. Using his cellphone and his Twitter account, Buck broadcast a single word, "arrested." Buck's network alerted officials at the University of California at Berkeley, who ultimately got the U.S. State Department and a local lawyer involved. Buck was out of jail in 24 hours. Try that with a keyword search.

This is the phenomenon Google is up against. In the decade-plus since Page and Brin came up with PageRank, the web and the way we use it have changed dramatically. As Buck's example shows, the web experience is increasingly mobile and social. We take it everywhere, and are connected almost all the time. Google needs to find real success in this new world -- or invent the next major evolution of the web. It isn't easy to create new multibillion-dollar businesses, but the rewards are great for the companies that do: Consider former Google ally Apple (AAPL), which has dominated add-on businesses (music players, retail) that are more profitable than the one that brought it prominence (computers). Apple is just killing it, and it is now the most valuable technology company in the world, with a market cap of $236 billion vs. Google's $156 billion. Thus far Google has been tight-lipped about plans for a world beyond search. Marissa Mayer, head of search at Google, says the company doesn't provide financial guidance, but contends that Google doesn't need a huge second act; a collection of smaller businesses will suffice. The original search business will always dwarf any subsequent new units. And Page, Brin, and Google CEO Eric Schmidt simply haven't articulated a vision for Google's future. "That is what is scaring investors," says Sameet Sinha, a senior analyst with JMP Securities in San Francisco. "There is no clear path toward what Google is doing, or wants to do."


There are good reasons why companies, and tech companies in particular, want to maintain the mantle of Growth Enterprise. For starters, Wall Street values you differently. A growth company stock commands a premium price/earnings multiple based on its future potential that, in turn, helps it lure employees with stock options. Just as important, being a growth company affords employees and founders (and even shareholders) a huge psychological boost: You're driving the economy, you're changing the world. Facebook and Twitter are packed with engineers who've left formerly hot tech companies. As soon as early adopters smell a whiff of last year's technology, they are on to something new.

That particular odor has never attached itself to Google since it launched in 1998, crushing all comers. You may recall AltaVista, Infoseek, Lycos, and HotBot. Google's edge was better technology (see "smart engineers," above), so it must be somewhat worrisome in Mountain View that Bing is gaining in popularity -- Microsoft sites had about a 12.7% share of searches in June, according to comScore, up from 12.1% in May -- partly due to its interface and other features. Indeed, Google has dispatched Ben Ling, a former YouTube wizard, to help improve the quality of its mainstay business.

"Google is not the hot company anymore," says Marc Benioff, CEO of Salesforce.com (CRM). "Their stock has been mostly flat for five or six years now. How can you claim to be a leader with equity performance like that? That's starting to look like Microsoft or Yahoo (YHOO). They have to get into some other place, and quickly."

Microsoft is an apt comparison, except the software company found a second engine of growth to supplement its Windows computer operating system business eight years after MS-DOS hit the market. That business would become Office, the world's most profitable application software, which today accounts for roughly 40% of Microsoft's earnings. Of course, Microsoft has been struggling since to find its next big winner. Its server business chugs along. Its gaming console, Xbox, could still be an engine of growth, but it hasn't moved the needle yet. Once Office saturated the workplace and then some, Microsoft lost its growth-company status.

So what is Google's best shot? It won't be international growth. Google dominates search in developed countries, and it will be a long slog in other parts of the world, such as Russia and China. (In China, where Google recently renewed its license despite strained relations with the government, Google's 30% share trails China's homegrown search king, Baidu (BIDU).) Google has plenty of real estate on the web to which it can attach more advertising, such as Google Maps and Google Images. And indeed, during the recession Google boosted its ad revenues by opening up inventory on its sites to marketers. But those are incremental gains, not a big new source of revenue.

Searching for Google's next big thing

The company's recent acquisitions and product launches fall into four main avenues of business: the mobile Internet (Android, AdMob), display advertising (splashier, graphics-heavy ads with DoubleClick), YouTube and video, and applications. A fifth area, social networking, is likely to be a big push for Google and holds the most potential. The company is widely rumored to be pursuing a "Google Me" project to do battle with Facebook.

Google does not report specific financials of businesses outside of search, but Sandeep Aggarwal, an Internet and software analyst with Caris & Co., estimates that mobile, display, YouTube, and apps generated about $1.5 billion in revenue in 2009, and this year should bring in about $2.1 billion in sales. On a bottom-line basis, that translates to about $1.44 in earnings per share this year. That's peanuts today -- Google is expected to earn $27 per share in 2010 -- but those are areas that are already outpacing traditional search in their rates of growth.

Amazingly, Google's biggest and most promising opportunity to date, its successful Android operating platform for mobile phones, doesn't produce much revenue or profit for Google -- by design. The company in 2007 made the technology available to all comers in a bid to make the web more accessible on smartphones and in turn to encourage consumers to do more Google searches on their mobile devices. The strategy worked. Encouraged by this easy access to Android, handset makers began churning out multimedia phones, and the Android platform has been a consumer success: Google says some 160,000 new Android devices are activated each day, and device makers from Motorola (MOT) to HTC have all released popular phones on the Android platform. But Google doesn't make gobs of money on those devices. (Google dabbled in phones but discontinued its Nexus One after only six months.) Apple, on the other hand, also stoked the smartphone market with its iOS, but with very different financial results: Last year the company posted an estimated $15 billion in iPhone sales, a benefit of making the hardware and the software.

So where will Google's next $20 billion come from? It may not come from one blockbuster new business but rather from a handful of smaller opportunities. Google insiders are optimistic about YouTube, which accounts for 10% of all the time spent online worldwide, according to comScore. (The only greater time-suck on the web is Facebook, at 17%. We'll get back to social networking.) Four years after buying the money-losing video site for $1.6 billion, Google seems to have figured out a way to eke out operating profits by selling video and display ads against a growing pool of professionally produced programming, including infomercials and other content created by marketers. Likewise, Google's $3.1 billion acquisition of DoubleClick, the ad exchange that's been folded into Google's display network, will help expand Google's ability to place multimedia and display ads on websites, including its own properties: It essentially hopes to do for online display what it has done with text ads. But few analysts see those businesses, in the short term at least, becoming Google's next huge follow-on business -- its Office equivalent, to use the Microsoft analogy.

Could its Office equivalent be, well, an Office equivalent? It's a long shot, but one of the more profitable efforts at Google, and one that doesn't have a thing to do with advertising, is its nascent business-software operation, Google Apps. For an annual licensing fee of $50 per head, Google provides corporate customers with Gmail, collaboration tools, and other services that are delivered via the Internet. Some companies have started ditching traditional software vendors (including Microsoft) for Google Apps' cheapness and flexibility (adding or dropping an account takes just a few clicks). In June, Google announced that more than 2 million businesses were using Google Apps for Enterprise. That sounds like a big number, but analysts peg revenue from Apps this year at about $350 million, or just $175 per business. Nikesh Arora, Google's president of global sales operations and business development, told analysts at a technology conference in June that he expects the number of Apps customers to double in the next few years.

The net effect of all these efforts? Analyst Aggarwal pegs revenue from Google's nonsearch businesses at $5 billion to $8 billion in 2013. For any other company, that might be enough, but Aggarwal estimates that the company's search revenue will be about $40 billion three years down the road. In that context, nonsearch revenue still isn't enough to make a huge difference in how Google is valued. For the foreseeable future Google will remain a search company.

The real shift going on within the Internet

Mike McCue has had a front-row seat watching the web grow up, and as far as he is concerned, the search box is all about the past. McCue was an early Netscape guy, and he recently launched tablet software company Flipboard, which takes all your Facebook updates, your Twitter feeds, all the news sites you like and subscribe to, and in a very elegant way publishes a constantly updated magazine of text, photos, and video. "There is no need to do a search," McCue says. "We almost view it as a bug if we have the user search for something."

At Google, where every problem is waiting to be solved by some form of search query, that is tantamount to blasphemy. But Flipboard sums up the shift going on within the Internet, one that is arguably the biggest change to the web and the way we use it since Google came on the scene. Your network simply provides you with answers, stories to read, bargains to buy -- and you often don't even need to ask a question.

In this new phase of the web, one of the largest threats to Google and its core search business is the expanding Facebook footprint around the world. That is not only because social networks (work-oriented ones like LinkedIn fall into the same category) offer consumers a substitute for search, but also because they offer advertisers a substitute as well. In display advertising, for example, Facebook has a 16% share of the roughly $9 billion market, according to comScore (Google sites have 2.4% of the market), and advertisers say they're looking for more ways to plug into Facebook.

"Facebook has got Google in its sights," says Debra Aho Williamson, a senior analyst with eMarketer. "Advertisers get the best of both worlds -- a mass audience but also the ability to target more than anyone else. Who are the advertisers? In a lot of cases, they're Google's advertisers."

Most alarming to Google is that much of this new social and real-time world is closed off to Google's core search business, and its index of the world's information. Facebook, LinkedIn, and Twitter are essentially "closed" platforms. "It's a growing chink in their armor," says a former Googler now working at a popular social network. "They know that. The question is, What can they do about it?"

Google's Mayer believes the answer lies in delivering better-quality -- almost intuitive -- search results. Mayer calls this implicit or passive search. It's the sort of thing that makes connections between, say, a friend who is an amateur expert on travel in Australia and your upcoming trip Down Under. A keyword search could not only flag hotels and tourist hot spots but also find blog posts, e-mails, messages, and even pose questions to your friend about where to go shopping or dining in Sydney -- without bothering the rest of your network. "Who you are, your context, what you are doing, who your friends are -- if all of that comes in as the search input," she says, "what is the right output?" (The key word in her quote? "Friends.")

Mayer won't say what Google is building (perhaps the rumored "Google Me" service?), but clearly she is pushing the company in a more social direction, which means changing users' perceptions of Google. "You need to create a place where it's okay to be social," Mayer says. Google doesn't have that yet, and in fact, its efforts so far have been widely panned: Remember Google Buzz, which drew the ire of consumers for automatically sharing Gmail users' lists of friends? If would-be rivals are worried, they aren't letting on. "Google is smart to figure out how to make its stuff social," says Chris Cox, head of product at Facebook.

But critics question whether Google can make the leap. "They are just not that good at it," says Tom Coates, until recently the head of product at Yahoo's defunct Brickhouse lab. "Google is very good at building these utility-type products -- search, e-mail, and messaging. They are sort of like the power company of the Internet. But what they lack is a sense of how people share and collaborate."

Coates's point is that you don't have friends on Google, you have contacts and tasks. These services reflect an engineering culture that's all about utility, but one that makes it hard for the company to create something that's friendly and social. But if Google can change its utilitarian ways, the company stands a real chance of tapping into that next growth engine. Imagine if it added that social layer to its core search business and to Android, and blew it out on YouTube, giving people a reason to hang out on Google sites for long periods. Advertisers would come flocking. If it can get that right, as the former Googler now working in social media sees it, "Google would be unstoppable." Just like it used to be.


About the Author

www.go-shop.com.au is everyone's one-stop shop for Toshiba laptop batteries, Dell laptop batteries, Fujitsu laptop batteries, Canon camera batteries, MAKITA 24V Battery, Dewalt power tools batteries, HP laptop ac adapters and Olympus battery chargers. High Quality and Superb Service, Season Promotion, 35% discount! Follow me on Twitter.

Our Advantages: High Quality + Low Price + 100% Guarantee + Fast Shipping!

All our batteries, laptop adapters and battery chargers are shipped from Alexandria, NSW 2015.
