I applaud this move toward security and productivity. I don’t think it will be a easy task for Google, but I believe it will be worth the effort in the long run.

Does your company need to consider switching away from Windows?

We’ve heard the same thing before. In 2007, when Facebook introduced Beacon, there was a an outcry from the Facebook community. Facebook responded with the governance council, then, a couple of years later, introduced new and better privacy controls. The default setting for these? Everything was open to everyone. Who do they think they are fooling? Apparently about 400,000,000 of us Facebook users, that’s who.

Once again, due to a large public outcry, this time by a number of web-celebs who threatened to, or actually did, deactivate their Facebook accounts, Zuckerberg and company again responded, and promised to fix the issue. I can’t help but think this is like a bad relationship with a partner (Facebook) who, despite repeated promises, just can’t seem to keep promises or stop taking advantage of the other (you).

As always, assume that anything and everything you post to Facebook is public. Period. Forget “privacy settings” which give you a false sense of security. They can be changed at any time. Your personal information can be shared by Facebook (and other online services) any time they feel like it. They’ve done it before, and I’m convinced they’ll do it again.

While these sites had no intention (or maybe even knowledge) of this, it goes to underscore a point that, while you may trust Google, Yahoo!, Fox, Facebook, eBay, etc., as trustworthy sites, the bulk of the content that these sites serve up is not coming from them – it’s coming from third parties, such as ad networks, which you don’t necessarily trust, or even know.

To protect yourself from this sort of attack, I recommend the following:

• Limit unnecessary web surfing, especially at work and doubly so for machines and networks which handle sensitive information. If you don’t go to the site in the first place, you can’t get infected.
• Make sure you are using a recent “alternative” browser, such as Firefox or Chrome. While this is no guarantee of safety, Internet Explorer is still the main target for browser-based attacks. Using an alternative platform may lower this risk by lowering your profile.
• Run extensions such as Adblock Plus and NoScript. These disable active programming on websites by default. Note: This does mean more work for you, as the bulk of websites you hit will not work until you enable the scripting components on the pages. However, you are much, much safer from this type of attack.
• Keep your operating system and all other software on your computer patched and up to date. Many of these sorts of attacks rely on flaws in software installed on your computer. If the flaws are patched, then you are less vulnerable to the attack.
• Know what your anti-malware program and operating system alerts look like. Many of these “drive by downloads” rely on tricking the user into installing malware by popping up fake notices telling them that their system is infected, and needs to be scanned. What they are really doing is tricking the user into running the malware in the first place! Don’t be fooled! Learn what your software really is likely to say in the event of malware detection, and how to respond appropriately. If you have any questions, contact your IT staff before taking any action, including clicking on links or closing windows.
• As always, drop those admin rights.

In order to continue to improve our products and deliver more sophisticated features and performance… we will be phasing out support for Microsoft Internet Explorer 6.0 as well as other older browsers that are not supported by their own manufacturers.

It’s about time, and not just for those reasons.

Internet Explorer is arguably the most insecure web browser in current use today. It’s very old, in Internet terms, and really needs to be replaced. If you are still using Internet Explorer, you need to upgrade to IE 7 or IE 8, or switch to another browser like Mozilla Firefox (currently at version 3.6), Google Chrome, Opera, or Safari.

If you are one of those unfortunate folks who are required to use Internet Explorer 6 for a legacy web application, contact your vendor immediately and tell them that they need to change their application to support newer browsers. There is no excuse for continuing to use Internet Explorer when Microsoft itself has recommended that people discontinue its use.

The advice is to have a PC dedicated to online banking. If you weigh the convenience and cost savings of having access to online banking, versus time spent on the phone or traveling to and from a bank to conduct your business, the expense of a PC dedicated to this task, to continue to enable online banking, will likely be recouped within a matter of weeks, if not days.

The three arguments I’ve heard against this are:

• We don’t have enough money in the bank for anyone to want to hack it. (Or, “no one is interested in us because we’re too small.“)
  Then it sounds like you have everything to lose! Isn’t it more important to protect what assets you have, regardless of size?
• We’re protected by our bank’s security.
  No, you’re not. Bank websites get hacked frequently. Don’t believe me? Just do a Google search on the subject. Furthermore, the banks are not required to refund your money! You do not have the same protections as you do with credit cards on bank accounts. Finally, it’s not usually the bank that gets hacked – it’s your computer.
• We can’t afford the expense.
  The cost of a lightweight PC dedicated to this task is most likely lower than most of my clients’ electric bill, heating bill, or liability insurance for one month. You can afford the cost. But can you afford getting hacked and having your assets drained?

This is the same advice we gave on this blog last year. It’s sound. It’s simple. It’s cheap. Get a new netbook for a couple hundred dollars and use that for online banking. Is this not worth the risk of your business losing tens of thousands of dollars from its bank account? Please, if you do online banking at home or at work, at the very least, practice it from a non-Windows computer not running Internet Explorer. Better yet, prove me wrong and get a cheap PC and dedicate it to your online banking needs. Never go to any website other than your bank’s with it. Another alternative would be to boot from a live CD of your favorite Linux distribution, such as my favorite, Ubuntu.

References:

• http://lastwatchdog.com/american-bankers-associations-small-business-warning/
• http://itknowledgeexchange.techtarget.com/security-corner/aba-recommends-using-dedicated-pc-for-online-banking/
• http://news.softpedia.com/news/Small-Businesses-Should-Conduct-Online-Banking-from-Dedicated-Computers-131086.shtml
• http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=1#sID200
• http://content.usatoday.com/communities/technologylive/post/2010/01/online-banki
  ng-precaution-for-small-and-mid-sized-businesses-draws-attention-/1
• http://www.upi.com/Top_News/US/2010/01/01/Businesses-warned-about-online-banking
  /UPI-81761262329630/

Let’s assume, for argument’s sake, that Google does abide by its own code of conduct and isn’t evil. They’re still amassing a staggering amount of data about nearly every Internet user. Now, with more and more companies “Going Google,” Google has access to data that it wouldn’t in the past. Now, they aren’t just indexing your website, blogs, or even chats and emails. Now they’re indexing your corporate documents – you know, the sensitive things you’re “not supposed to send via email?”

While I am quite confident in Google’s security capabilities, no one is perfect. And like my aikido instructor used to say, there’s always someone stronger, or quicker than you. Last week, Google met its security match when their servers were hacked.

While I won’t delve into the economic and political issues which revolve around this hack (see footnotes for plenty of reference links), there are plenty of lessons we can take away from this:

• By most accounts, Google’s servers were hacked by good, old-fashioned social engineering:
  

  “Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees…”

  This means that the attackers were not hammering through firewalls or reprogramming routers – they had people click links on what they thought were legitimate emails and exploited security flaws in common desktop software to gain access.

• Users accounts which were hacked were most likely running with administrative privileges over their desktop systems.
• If Google can be hacked, anyone can. By extension, if your data is with Google, you can be hacked as well.
• Trusting Google does not just mean “trusting that Google won’t do anything evil with my data.” It also means “trusting Google will never make a mistake which accidentally opens my data up to anyone else.”
• Substitute the word “Google” with any popular online service or enterprise firm that has a lot of (your) data (e.g. Facebook, Salesforce, Amazon). This is not a problem just with Google.

References:

• Researchers identify command servers behind Google attack
• Adobe Reader vuln hit with unusually advanced attack • The Register
• IE zero-day used in Chinese cyber assault on 34 firms • The Register
• Google may exit China after ‘highly targeted’ attack • The Register
• Google May Pull Out of China After Cyber Attack
• NY Times Article on Google/China Hack
• Official Google Blog: A new approach to China
• China Defends Internet Censorship
• Ballmer doesn’t get why Google is upset about attacks | Googling Google | ZDNet.com
• US will complain to China about Google hacking • The Register
• SANS Internet Storm Center Diary



While the content is good, it is rather elementary, so if you are already familiar with Facebook, you’ll probably be better served by something else. I bought the book to see what sort of insight it would give for business applications, but I found the chapter on this topic to be short and not very enlightening. Also, I found the topics of privacy and security to be a bit lacking. The best advice they have is to not post anything that you wouldn’t want your grandma to see, because it may come back to haunt you. However, they also recommend you install lots of applications, without stressing that installing Facebook apps (of dubious nature) is a quick and easy way to get your account hacked.

While it was published nearly two years ago, the majority of the book is still up to date and current. However, some things have changed recently, especially with respect to default privacy settings, covered in the privacy chapter.

Also, the book is a little expensive, given its size. However, if you are just getting into social networking and Facebook, it does provide a good overall view of the service to newcomers.

If you have not yet looked at one of these other browsers, I strongly recommend you do. If you are wedded to Internet Explorer, then you should at least be on version 7, if not 8. Also, several of our clients have been told that they must use Internet Explorer for an application that they use which requires it. What’s shocking is that several of my clients have vendors who insist that they continue to use IE 6! This, despite the fact that it’s easily the least secure mainstream browser still available today. If you are unlucky enough to be in this group, I strongly recommend you put pressure on your vendors who are requiring IE 6, and tell them to support current versions, or better yet, make their application less browser-specific so that it works with other platforms like Firefox, Chrome, Opera, and Safari.