Let’s assume, for argument’s sake, that Google does abide by its own code of conduct and isn’t evil. They’re still amassing a staggering amount of data about nearly every Internet user. Now, with more and more companies “Going Google,” Google has access to data that it wouldn’t in the past. Now, they aren’t just indexing your website, blogs, or even chats and emails. Now they’re indexing your corporate documents – you know, the sensitive things you’re “not supposed to send via email?”

While I am quite confident in Google’s security capabilities, no one is perfect. And like my aikido instructor used to say, there’s always someone stronger, or quicker than you. Last week, Google met its security match when their servers were hacked.

While I won’t delve into the economic and political issues which revolve around this hack (see footnotes for plenty of reference links), there are plenty of lessons we can take away from this:

• By most accounts, Google’s servers were hacked by good, old-fashioned social engineering:
  

  “Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees…”

  This means that the attackers were not hammering through firewalls or reprogramming routers – they had people click links on what they thought were legitimate emails and exploited security flaws in common desktop software to gain access.

• Users accounts which were hacked were most likely running with administrative privileges over their desktop systems.
• If Google can be hacked, anyone can. By extension, if your data is with Google, you can be hacked as well.
• Trusting Google does not just mean “trusting that Google won’t do anything evil with my data.” It also means “trusting Google will never make a mistake which accidentally opens my data up to anyone else.”
• Substitute the word “Google” with any popular online service or enterprise firm that has a lot of (your) data (e.g. Facebook, Salesforce, Amazon). This is not a problem just with Google.

References:

• Researchers identify command servers behind Google attack
• Adobe Reader vuln hit with unusually advanced attack • The Register
• IE zero-day used in Chinese cyber assault on 34 firms • The Register
• Google may exit China after ‘highly targeted’ attack • The Register
• Google May Pull Out of China After Cyber Attack
• NY Times Article on Google/China Hack
• Official Google Blog: A new approach to China
• China Defends Internet Censorship
• Ballmer doesn’t get why Google is upset about attacks | Googling Google | ZDNet.com
• US will complain to China about Google hacking • The Register
• SANS Internet Storm Center Diary



All of your email in one inbox

As for new features, the first thing I noticed was the option to display all of your accounts’ inboxes in one location, just as recent versions of Apple’s Mail have. For instance, if you have a work email address and a home email address, and you check them both with the same email client, you can now view all new messages in a single inbox. I’m sure that fans of GTD will applaud this move. As for me, I wasn’t totally sold on this feature, but after experimenting with it for a day or so, I started to like it. If the goal is to be notified of new email from various sources, this definitely meets it. However, if you like keeping things separated (for example, not getting distracted with personal emails while at work, or bothered with work while at home), this isn’t necessarily for you.

Tabbed emails

While setting up Thunderbird, you are presented with the option to synchronize IMAP accounts onto your local hard drive. This is a great feature if you travel and don’t have an Internet connection, but still want to be able to read your email while offline. I did note that it took a very long time to synchronize my Gmail account, which has gigabytes of saved email on it, but that’s to be expected. I was able to use Thunderbird while the sync was going on, so it did not bother me.

The first thing I noticed was that the user interface has been simplified, with some of the button clutter removed. Also, by default messages open in new tabs, as opposed to new windows. While I am very used to this method of presenting information in web browsers (as Firefox has had this feature for years), I haven’t quite gotten used to it in email. However, I’m starting to like it more as I use it.

Thunderbird 3's new search

Thunderbird’s new search engine is immediately noticeable the first time you search your inbox for something. The results are presented in a new fashion, but more importantly, Thunderbird indexes all of your messages for faster search results, and you don’t have to search folder by folder for messages, as it will go through all of them for you. While I use Gmail for most of my email, I still like using Thunderbird as the client. However I frequently have found myself going back to the Gmail web interface when I need to search for a lost message. Hopefully this will no longer be necessary with Thunderbird’s new search capabilities.

Also, taking another page from the Gmail book, Thunderbird now lets you archive your email by pressing ‘A’ while reading any message. While I generally file all of my emails away (in folders in Thunderbird or with a label, then archiving in Gmail) sometimes I don’t have a particular folder or label to apply to an email. I know I don’t want to delete it, but I also don’t want to stick it in a file. I just want it gone… until I want it back again. That’s what archiving is for. This is another feature I’ve found myself logging in to the Gmail interface for. Unfortunately, Thunderbird’s archive feature is different from Gmail’s, so when I archive an email in Thunderbird, I still need to sign in to Gmail’s web interface to archive it there. However, if I never used the Gmail interface, this would not be an issue.

It is worth noting that I did have some stability problems with the beta and release candidates in late November, however they all seem to have been sorted out and the release version is rock-solid on Mac OS X and Linux. I have not yet tested the Windows versions, but I have high hopes. This is a noteworthy improvement to Thunderbird which I am grateful to have. In short, if you do not require connectivity to a Microsoft Exchange server (for calendar, contacts, and other non-email data) I recommend you try Thunderbird 3.

Oh, did I mention that it’s free?

“Between March 19 and March 28 the spyware sent more than 1,000 screen captures … via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well…”

This incident goes a long way to show that the biggest threat can often come from inside. Yes, while the boyfriend was the root cause, had the hospital employee not been allowed to access her personal email from work, her system would not have been infected in the first place.

In a separate news article, Panda Security reports that a hacker site is offering to crack Facebook accounts for the low low price of $100. Setting aside the question of whether the site is a “legitimate” hacking site (who’s to say they won’t just take your $100 and walk away?), I found it interesting that a Facebook account is now worth 3 times the street price of a social security or bank account number, which my sources say are going for $20-35 a piece.

We first chose the Astaro Security Gateway for a client who needed a reliable web content filter, and an email spam filter. They had previously used various patchwork solutions which were not meeting their needs. The Astaro product did everything they required, replacing their aging firewall, providing secure remote access, a web content filter to keep users from accessing websites they shouldn’t, and blocking junk email. When I asked the director how he liked it, as compared to their previous solution, he said he was “Very, very, very satisfied.” That’s the kind of feedback we like.

Usually when we put a UTM in place, clients have one security device in place, but not others. The nice thing is that the Astaro combines multiple services into a single unit. While this does place all of the proverbial eggs in one basket and can lead to a single point of failure for network traffic and security, for small businesses on a tight budget, it does provide an affordable way to get services you might not normally have in place.

The first line of defense offered by the Astaro is its firewall. The ASG can act as your network’s router and firewall, whether your Internet connection is a T1 line, DSL modem, or Cable modem. The device provided by your ISP plugs directly into the ASG, which then connects to the rest of your network.

By default, the Astaro Security Gateway is a “default deny” firewall. This is to say that initially, unless you tell it otherwise, it allows no traffic in or out of your network, which is the most secure, best practice configuration for a firewall. This prevents not only unwanted intrusions from outside sources, but also unwanted extrusions from your system. Whether it’s people running instant messaging or voice chat clients, the hobbyist who’s running his own web server on your company network, or the latest malware which has turned your desktop into a spam sending zombie, the ASG won’t allow it out unless you say so.

If you have remote workers who require access to your system from the road, home, or remote branch office, the Astaro supports just about every type of virtual private network (VPN) out there. Popular choices such as PPTP, L2TP, IPSec, and SSL are all available, and the clients work with Windows, Macintosh, and Linux stations.

The ASG also includes a powerful, flexible web content filter, which can be used to protect your network from malicious websites, as well as to keep users from websites that they should not be using the company network for.

Astaro also includes email security features, including two anti-virus scanners and a powerful anti-spam and anti-phishing filter to keep your inbox free of the needless clutter that comes from these annoyances and threats. Email encryption can also be configured so that if servers you communicate support this feature, your messages can’t be read by anyone in between if intercepted.

Finally, Astaro offers a free trial of their Astaro Security Gateway product, so you can evaluate it without commitment. They even pay the shipping.

Note: Paradigm Consulting Co. is an Astaro reseller. Please contact us if you are interested and we can arrange a demo for you and your network.

1. Greeting cards are a waste of time and resources. I can think of no reason that these are required in a business setting, as they just waste time and other resources.
2. In order to send an electronic greeting card, you normally are asked for the recipient’s email address, and possibly your own. By supplying this information to XYZ greeting card site, you’ve just opened up an avenue for junk email (spam) to yourself and the recipient.
3. Fake electronic greeting cards are a prime vector for email attacks and the spreading of malware. By getting people to click on a link that claims to be a greeting card, the user is likely to want the program to run, not knowing what it really is. I’ve personally had clients ask, repeatedly, that I install Adobe Flash Player on their systems so they could open a greeting card, despite my repeated protests. Sure enough, a few weeks later, their system was infected by malware as a result.

In summary, stop sending electronic greeting cards. If you absolutely must open one that you’ve received, then you can… wait… No, scratch that. There’s no reason for them.

I highly recommend that your company’s acceptable use policy prohibits the sending or viewing of electronic greeting cards, and that your content filtering system be tuned to prohibit these sites whenever possible.

Drawbacks

The major drawback of these is that they present a single point of failure on your network. If a hardware UTM device gets compromised or simply fails, your system can either be exposed or your Internet access can be down. Also, if you already have these all of these devices/services in place on your network, a UTM may not gain you much.

Advantages

As previously stated, UTMs can offer a lower initial and ongoing cost of ownership than several separate devices. Consider the following elements of your network:

• Internet router
• Firewall
• Intrusion detection/prevention system
• VPN server
• E-mail anti-virus scanner
• Junk E-mail (spam) filter
• Web content filter
• Web proxy server

Now, take these devices or services and combine them into a single device which does all of these services for one (relatively) low(er) price. To a small business, this is pretty appealing, especially if these services were not present in the first place. For example, most of our smaller clients have no intrusion detection/prevention system in place. Many do not have any sort of website content filtering or centralized e-mail anti-virus or junk e-mail filter.

Additionally, small businesses frequently have only one main “server” on their network, and they can easily be overburdened by having too many tasks placed on them. We have seen software email anti-virus and junk e-mail scanners bring servers to a grinding halt. Offloading these processes to a separate device can improve performance and reliability of the main server.

A UTM also offers a single location to manage all of these services. This can be beneficial to less-experienced administrators, who are easily confused by having multiple different interfaces with different appearances and conventions. In other words, it is easier to manage because the interfaces and terminology tend to be consistent whether you are managing the firewall, email filter, or web proxy.

A UTM can kill many “birds” with a single stone, and is something every small business should consider for their network, especially if any of the above services are currently not present.

If you have only one Internet address that you share with other servers and desktops, any one of these devices can damage your reputation if they are compromised.  For example, let’s say Jane’s PC contracts a virus that causes it to send out junk e-mail.  Since she uses the same gateway as the mail server, your mail server’s (public) Internet address will be blacklisted, which is to say, millions of computers across the Internet will refuse to accept email from it as long as it remains on the list.

How can you prevent this from happening?  There are several actions that can (and should) be taken:

1. Install and maintain an effective antivirus / anti-malware product, such as AVG, McAfee, Symantec, etc., across all of your servers and desktops, to help prevent their compromise.
2. Ensure that your Internet gateway is configured to block outbound email traffic (port 25) from your network, except the computers you know require it.
3. Consider allocating a separate public IP address dedicated to your e-mail server, so rogue machines on your network will not affect the production server.
4. Consider hosting your email with a commercial service provider.
5. Configure a reverse DNS and SPF record for your mail server’s IP address.  These are essential in preventing others from spoofing your mail server IP and using / damaging its reputation.