This weekend news came that a Gmail archive service called G-Archiver, which backs up all of your Gmail emails to your hard drive, was actually the front for a scam - hard coded into the application was a “feature” that sent every user’s email address and password to the creator’s own email account, giving him access to all of their Gmail messages.
These users should have known better than to type their email credentials into a third party service, so sympathy levels are at a minimum. But there is a much bigger problem to consider. Gmail is the entry point into a vast array of Google office services - including Google Docs and Google Apps. Those services allow users to share documents with others. If one user’s email credentials become compromised, all of those sensitive documents become available to the bad guys, too. So if a single user’s credentials become known, the business they work for is at risk.
That has led a number of experts to conclude that Google Apps can never be a real threat to Microsoft Exchange and Sharepoint. All of the sensitive business information of a company, if stored on Google’s servers, is just a password guess, or in this case what is effectively a phishing scam, away.
I’ve spoken with Google employees about this issue in the past, and they point out that Google Apps allows authentication mechanisms that require more than just a password. In the Google Apps Security Policy, they state: “Google Apps integrates with standard web SSO systems using the SAML 2.0 standard. This allows integration with custom sign-on and/or advanced authentication (SecureID). Solutions can be custom made or Google Partner supplied.”
Of course many companies won’t use SecureID for authentication, and they’ll still be at risk. Over time, hopefully, even smaller companies will require it.
In the meantime, something else about Google’s security policy caught my eye. They’ll turn over data to third parties when required to by law (including search warrants, court orders, or subpoenas). Google says they will “attempt to notify users before turning over their data whenever possible and legally permissible.” That may not be good enough for many companies, who would choose to fight an information transfer in court before they turn it over. If it was on their own servers they would be able to do that. But Google, certainly, won’t be going to court to fight on your behalf. Users should consider themselves lucky just to be notified that the information was released. Caveat Emptor.











This shows that Google needs to have stronger security features for google apps access. Moreover, these features should be compulsory and not just an opt-in thing.
I might be asking a naive question, but wouldn’t the documents in Sharepoint or Exchange Server also be at risk once a user’s login credentials are compromised since even these products offer single sign-on?
Using Google’s Office Productivity SAS tools should be done as a convenience not as a business solution.
Instead of using Google’s word processor - you can use WordPad that comes free on Windows - and if you are really on a budget, you can use open source software or pay a few hundred dollars for WordPerfect instead of office.
When you are buying used computers - sometimes the older versions of office software are already installed.
You would seriously have to wonder about the survivability of any business that would be so frugal that they would resort to Web software as their only alternative.
Also, if you delete your info from Google DOCS - how long is it before they are deleted off Google’s databases?
If you are worried about it being subpoenaed - perhaps you should store it with private webhosting or email hosting account under a private username
turning over data to third parties is a given I think, phone companies, search engines, even encryption systems, operating systems, the entire web/network has a back door… subpoenas are only if a cover is needed, after the fact
there is no privacy, is a good way to think, unless of course you can buy a government
Michael you make a great point. A large portion of enterprise users are not using Google services simply because of how easy it is to “hack” your way into the systems. Everything is exposed and is simply a password guess away. In order to gain enterprise momentum, they will need to offer some kind of internal authentication service or device for corporations that removes this kind of threat. The Google box could be a perfect place for such a solution. By authenticating to this device or service, enterprise users would be safe by giving the administrators control over what users could install to work with their accounts.
I wonder if all of MAHALO’S company work is in Google docs….
;P
I don’t think that sympathy levels should be at a minimum. You enter your gmail details to any desktop mail program and this service was similar. People should check out the program homepage and not just download from download sites.
With cheap hardware (when did you last see a lean pc?) and open office/star office there is no real need for companies to use google office. I can only see a reason to use online office as a strategy if you have a big mobile workforce although I don’t think they need office tools much.
I love that thing when someone thinks he is smart enough to say what shall be mandatory to others. I mean, leaving others without choice is such a political thing… And yes, there shall be tax on stupidity.
PayPal, eBay, and eTrade are distributing electronic dongles that produce a random six-digit code every half minute. I’d like to use something like this for Google.
Pretty smart! I’ve long thought that if had a criminal bent, I would do just what this guy did. Set up a legit looking service and then drink at the fountain of info and ID theft.
This is why I won’t use SaaS or similar apps for anything important.
I also only allow apps that I trust 100% to check for updates over the net automatically. If I install an app on my PC and it tries to get out to the net, my firewall pops up a warning. I want to know what it is trying to do before I allow it permission.
Recently the domain name of a French site (WebRankInfo) has been stolen due to a gmail flaw (no more precision about the flaw). The site admin used its gmail address as contact name for the domain registration. The hacker just set a filter to forward the mail (that made me realize that Google does not even ask the password to set up the forward filter!!) and thus transfer the domain name to godaddy.
Our google account has much more information that we expect, especially if we turned on the web/search history feature. Now imagine your search history available to anyone on the web… or your health record?
A fast and easy solution is to use (better: require!) the use of so called “form fillers” for login, so one can be 100% sure that you are logged into the REAL website. Good examples are Roboform (shareware) or iMacros for Firefox, which is even free: http://www.iopus.com/imacros/firefox/
If logging in wasn’t hard enough already.
any talk about keeping data private from the government is just nonsensical - the Patriot Act (which is now law) means that the Federales can get all your data (and probably now have it) at any time they want, no warrant necessary, and the company is not even allowed to let you know they spied on you.
if you want to rail against the patriot act, fine - but anything less is hardly civilized.
Three words: two factor authentication
Sigh…
SAML is only half the solution. SAML does not properly cover the authorization part. Even if SAML is implemented, you would essentially give everything over if authenticated.
On a separate note, the Google Search Appliance (google in a box) does use SAML for their third party auth as an option. What is not common knowledge is that this auth mechanism is completely serial. So for secure search results, you would have to call the SSO for EACH result to be authn/authz. Insane, I tell you.
Long time ago I have sent google a feature request which would allow to use google account credentials on other’s computers and internet cafes without a chance to compromise account (btw, AdWords is also a part of google account). So, the feature I required is to allow users to generate a bunch of “for one-time use only” passwords.
I wrote a script a while ago called Popbak that downloads and archives my gmail account to text files since I never found a decent email archiver (glad I didn’t try g-archiver!). Seems like some people might find it useful so I went ahead and threw it online. The script is written in Python so you don’t have to worry about any hidden stuff. Anyway, you can find it here: Popbak.
It’s interesting that Google still has a search result for GArchiver, and doesn’t even have the MALWARE/Badware page when you click it.
Look below
http://www.google.com/search?q=G-Archiver
So I take it that no one here would recommend using the “Friend Finder”-type functionality that most social sites use now? Only a few posts above this one is a favorable review of socialthing…which requires putting in your username and password for a number of sites.
bboing has an excellent point: any email software requires putting in your username and password, so why should we think people who used G-Archiver don’t deserve sympathy? Yes, the web still has a lot of security concerns, and this is a reminder that a lot of people may have gotten a little lax about handing out their Google credentials, but…”should have known better”? It’s an easy mistake.
And, no, I did not use G-Archiver
I don’t like gmail, hotmail is the best. I think many vulnerabilities in gmail will be found in future.
Huge systems always have huge holes.
It is in my opinion that Google is heading towards a path that you would never have to give out your password to anyone. I say this based on the data APIs that they have steadily been releasing for almost every product they offer. Here is a blog entry about their latest data API that allows developers to access google contacts.
http://googledataapis.blogspot.....anded.html
They even mention in the first paragraph of this entry that giving out your password to your email account is not preferable and that this is one main reason they created this API.
Mike, the iffy Google wording on data handout is likely due to cases such as with the Patriot Act, where Google (or any company) could have been required to handover information without being able to tell people if this is happening. Ask came under fire for its AskEraser service having similar wording, that it might not tell you the service is switched off if a legal request forces that. In general, I find it hard to fault companies from saying they have to follow the law. The issue is more with the lawmakers.
Google should just invest in a ‘folder’ sidebar so we can all store old mail on their servers.
The other stuff should wait
Mutimba
this statement confuses me based on coverage of other services on TC: “These users should have known better than to type their email credentials into a third party service, so sympathy levels are at a minimum.”
I don’t disagree, but what about Mint and the other community-driven finance site? they were well-covered here and are based on providing all your most valuable credentials.
in general, I’m paranoid even about indispensable FF extensions (Firebug, Better Gmail); not fully understanding what’s permissible for them to see, and swallowing hard before clicking the ‘unsigned’ extensions - the security and trust mechanisms are there, why aren’t they used?
and how are people / users supposed to know how to behave if they get mixed messages even from trusted sources like TC?
It seems consumers are back tracking. A few years ago people were hesitant to provide email addresses, passwords, or personal information to third-parties. Recently, I think people have become more and more comfortable doing so. It just goes to show, there is still evil on the internet preying on unsuspecting victims in even the most obvious ways.
I have been telling people - especially startup entrepreneurs - that the Gmail model and everything associated with it - is deeply flawed and poses an unacceptable level of risk to confidential information.
Nonetheless it never fails to shock me how many entrepreneurs use Gmail and totally dismiss the risk.
When someone hands you free email with huge storage capacity and other cool bells and whistles, do you just unquestioningly jump for it without thoroughly considering all the potential security ramifications?
I think we’re only seeing the tip of the iceberg here.
@ #9
I agree. We need a Google dongle.
Another payPerPost sponsored by your ethic friends from M$
How low has arrington gone
Despite TechCrunch’s long-standing insistence that googles docs is going to really start hurting Office/sharepoint any darn minute now MS has curiously said that its users aren’t demanding a similar solution. I believe them and this issue is why.
Not just because a sharepoint (or similar solution) admin has far more control over what’s happening with users and documents but because no company actually thinking anything through wants all their information on someone else’s servers. Especially with no viable way to back that information up. Incredibly there is no google-way to download (ie backup) multiple google docs at once. You are left with mysterious third party apps and greasemonkey scripts. Yet somehow google apps is touted as serious competition to Sap or sharepoint! Hilarious. The delusions rampant in the valley never fail to amaze.
Scam vulnerability? How about last week someone “captured” my Gmail account and wrote to my Top 20 contacts with a plea for money via Western Union to keep me out of jail. When my contacts wrote back in alarm, the creep replied in real time from my Gmail account, still posing as me. I was locked out with no way to stop the process or assess the damage. All Google did was reset my password. No apologies, no further instructions, no info on where or how to report the incident to law enforcement if there is such a thing. Must have been quite an easy hack. I don’t use the account for anything sensitive, but still, you’d be amazed at your vulnerability when people have 100% access to read and manipulate all your traffic.
This is nonsense. Most MS domains use a single sign on. If people are using any similar utility for any of their work mail or any other function it will be compromised. If that’s unlikely, it’s certain that many, many users enter their credentials over unsecured WiFi connections into Exchange web access. And if their laptops are used to being part of the domain, every thirty seconds or so they broadcast all sorts of information about the machine and the domain no matter what network they’re on. There’s nothing necessarily safer about the MS or other solutions.
Also, if a company is *just* using Google Docs to save money they’re idiots. OpenOffice is much more feature rich. Google Docs is useful, though, for its accessibility and simplicity and ease of collaboration with people not on your domain.
Interesting to hear this report. If you’re as big as Gmail, you’re bound to have these security issues. They are inevitable.
“These users should have known better than to type their email credentials into a third party service, so sympathy levels are at a minimum.”
Disagree on two counts:
Reason One: Any desktop application that interacts with a web service requires either API access or pagescraping, both of which require authentication of some sort. Flickr has a great system where you logon via the browser, and a token representing that session gets passed off to the third party app, so it never sees your login/pass info. I think faces.com uses that system too. But not very many do.
Reason Two: It’s a slippery slope. A program could just as easily skim your harddrive for a “passwords.txt” file, or passwords saved in the browser, and email that to the programmer. You might as well be saying “These users should have known better than to run a third party application, so sympathy levels are at a minimum.”
I’m not saying users should ignore security, but there are some common sense steps available. Download.com will test applications before publishing them and put a “adware/spyware free” badge on the download page. Look for that. A good firewall will tell you if an application you’re in is attempting to send email. If it tries, shut it down (Not sure if that applies in this case: G-Archiver might just fire off emails via the API and duck that. Still, a useful measure in general). If you use a product like this and then find out news like this, for crap’s sake change your password. It’s not too late, he probably has a few dozen he hasn’t checked yet floating in his inbox.
Notice I’m not saying “If you don’t know how to sniff network packets and check for your password manually, you’re too dumb to be using your computer” or anything ridiculous like that. I’m talking about what normal users can do here.
The question now is, Gmail has one email account that’s obviously being used for illegal activity. What’re they going to do about it?
Hi Mike - I would disagree with the sympathy levels at a minimum comment.
The internet became what it is today because of the participation of non-technical, semi-computer literate users.
I feel influential commentators like you should pressure companies in power to take this type of thing seriously even if technically speaking - it’s rather easy for them to wash their hands off it.
And Facebook and LinkedIn also ask for account details to other services. So the implication of what you say isn’t without ambiguity for the average user.
I feel chastising users with a “told you so” response is not warranted. We need solutions.
Aditya
“These users should have known better than to type their email credentials into a third party service”
You mean like Facebook which asks for that info to “find your friends”. I believe several other social services do this as well. Services that TechCrunch seems all too happy to trust.
I take it as even asking for that info makes the company suspect or in other words Facebook is NOT trustworthy.
All of these companies use Strong Authentication to protect their own data. You can’t even touch their corporate networks without tokens or smartcards.
Well, my data is just as important to me, and I should have the ability to protect it with the same tools.
Let me protect my data the same way you protect your own.
Passwords are a joke. My security is NOT.
http://blog.vidoop.com/archives/26
“But Google, certainly, won’t be going to court to fight on your behalf.”
Google has gone to court before to defend our users’ data: http://www.mattcutts.com/blog/.....-subpoena/ talks about when the DOJ sent subpoenas to 30+ companies and only Google went to court to fight the subpoena.
Mike -
You write: “These users should have known better than to type their email credentials into a third party service, so sympathy levels are at a minimum.”
What does that say about Mint . . . which requires you to provide all your bank info to them?
G
The thing I find astounding is just how many folks don’t seem to understand that if you don’t own your data, you simply don’t own your data.
I do not store sensitive information into The Cloud for precisely the same reason I don’t keep my medical and financial information in a locker at the bus station (and even if I did, it would be heavily encrypted by me using a key that only I had access to).
Sure, I’ll use Google Docs for something like Aunt Sally’s ice cube recipe, but for stuff that I do Not want global access to, it goes a fully secure, air-gapped system.
I swear some people must have grown up wearing their lunch money pinned to their shirts or something.
Common Arrington, let’s hear a reply about Mint. There’s no doubt in my mind you intentionally left it out of your post.
“These users should have known better than to type their email credentials into a third party service, so sympathy levels are at a minimum.”
You mean like you do at Mint.com and Wesabe.com?????
@SSO
iMacros - which is very comfy for automating FF processes, no doubt - archives its data in the clear (correct me if I’m wrong).
If a program is not encrypted it’s best not to use it for passwords and logins.
Re: Roboform is born as a form filler but it does have a sound security foundation. Of course, as a PassPack founder, I prefer an online solution — but yes, Roboform is valid.
I’m concerned that Google Checkout seems to be protected by the same password as all the other Google services. Since Google encourages users to stay logged in to receive the benefits of a personalized search page (iGoogle), browser synchronization, etc., not having a separate password to protect Google Checkout seems dangerous to me. Ideally I’d like to see users be able to specify different passwords for each service and possibly use secondary authentication methods such as SecureID.
The obvious workaround requires maintaining 2 Google accounts, one for sensitive information like documents, email, and Checkout’s financial information and the other for other personalized but non-sensitive information.
Unfortunately a lot of people could fall for that. Recently, we got a weird email from a third party “Security Metrics” saying that our merchant account “First Data” and Citibank required us to use their service to be PCI compliant. There was not a lot of information about what exactly PCI compliance is, who was requiring it (just said all the major ccards needs this) and asked us to go online, submit our DNS information and get tested. We ignored it. What kind of security company would send out a security notification via email only?? They sent us a “fail” message and said that our online charge capability could be cut off. The email said “Go to the site for instructions” and linked to their generic home page. We ignored them again, but did send an email to FirstData asking if this was legit.
Got another email from Security Metrics saying we had to be compliant and were in danger of losing merchant ability, so went to the to set up an account, asked us for a bunch of data, then we stopped during the procedure because we had to pay a fee (for what? it was totally unclear).
Finally got a call from the merchant account First Data via Citibank that we do need to do this. Security Metrics was completely arrogant and acted as though we were the only company to possibly question why we should just accept an email telling us to go to a site and enter all our merchant data so they could test compliance of our site.
Thinking it through - if I have your gmail address and your password, I have all your mail. But if your company uses Exchange/Lotus/other, I would need your email address, your password, and the address of your VPN server or email web gateway and some inkling of the protocol used (especially if it’s a VPN). So, the comments noting that many businesses use single sign-on and are just as vulnerable - not quite true. It wouldn’t be hard for a real techie to find out these extra pieces of information, but they do represent extra speedbumps. (Please don’t use the old ‘security by obscurity’ objection. All authentication-based security works by obscurity, one way or another!) A more advanced admin team might do certificate based auth, adding another speedbump. Or RSA tokens …
The point being that security is a series of speedbumps - some relatively minor, some major. The question is whether the owner of the data has considered its value and emplaced the correct number and type of speedbumps around that data.
Also I was glad to note the several comments which take Michael to task for assigning low levels of sympathy to people who used G-archiver. Very little of the ‘security wisdom’ handed out to normal users includes any way to determine how trustable any given app is. In fact few users seem to have ever heard any suggestion that they should consider this question at all.
I was glad to be reminded that if someone subpoenas your data - it’s Google who gets the subpoena, not you. That’s a good thing for IT architects to remember when outsourcing any of their infrastructure.
Well FREE is never free, you pay for it somehow and in the long run! When are people going to get this? Soon.
The “Google -Riech” will not be happy with you disclosing this sensitive information. NO BAD PRESS about the “STATE” off to work camp for you.