Google Addreses Security Issues

Thom — Tue, 04 May 2010 18:29:49 +0000

The joy and pain of Google Apps and other services is the single sign-on system. While it’s great to be able to access online your email, document repository, analytics and other services by only logging on once, it can also open yourself up to a world of information theft if your password is compromised. Combine that with browsers that store passwords, malware and phishing scams, and you’ve got a recipe for disaster if you are not careful.Recently, this single sign-on system came under attack by many security experts. Each of the experts points back to the December cyber-attack on Google and other companies. Shortly after announcing the attacks on January 12th, Google dropped supporting IE6, which is believed to be part of the reason for the attack. Writers at eWeek have their own theories on the security of Google’s single-sign on and how safe it may or may not be.

Google Fights Back

As of Monday, Google has a solution to locking down Google Apps accounts. When you sign into Google, a cookie is stored on your computer. A cookie is a small text file that gets sent back to the site who issued it every time you click on it. In this case, the cookie tells Google that you are signed in and not to ask you to sign in again.

Google has always allowed domain administrators to change passwords. Google is now empowering enterprise users who have implemented Google Apps on their domains to expire any user’s cookies in real-time. This means your domain’s administrators can – essentially – automatically log out users who have logged in. Why is this cool? Here’s a scenario:

Someone steals your password (or worse yet, your mobile phone with a saved password)
They log in as you, change your password, locking you out of your own account.
Having your administrator reset the password won’t kick the person out; it merely prevents them from logging in again. (Presuming they ever log out).
By expiring the cookie, the identity thief is forced to log back in again – but this time, they won’t have the password because the administrator changed it.

It’s a start. It certainly brings more credence to Google Apps for a real Enterprise solution. Time will tell to see how this plays out with the security bloggers.

Facebook Has Abandoned Their Users’ Privacy

Thom — Tue, 27 Apr 2010 03:54:10 +0000

There can be no other logical conclusion. Facebook wants your data and doesn’t care how they share it.

Last week Facebook rolled out more changes, usurping users’ privacy settings in the process. It seems that Facebook still wants to hold on to its opt-out policy and doesn’t really care to tell its users they were opted in. So what settings matter to you; it’s only Facebook, right? Wrong! Facebook is now granting personal information to any Web site that cares to add a Like button. You thought spam and phishing sites were bad before?

Why is Facebook doing this to its user base? Well, it’s for the “greater good” of the Internet, of course.

What’s New & How to Opt-Out

For starters, the Like button has now become the conduit for giving up all your privacy. You’re going to start seeing it outside of Facebook on other Web sites and blogs. If you click it, you’ll be authorizing that site to access your profile information.

Because of this, Facebook has created a new privacy setting for what they call “instant personalization.” And opting out of this is your first step. However, if your friends visit and like the site, they’ll know you visited the site, too.

A screen capture of the new Instant Personalization opt-out setting

Applications work the same way. Make sure you look at “Applications and Websites” and check each individual application you’ve ever used and make sure you note what information is shared with each application. As a great rule of thumb, make sure you remove any applications you no longer use. Remember that some apps can also be blocked directly from the app’s page.

Facebook has established partnerships with three sites. These partners also have unfettered access to your data. The three partners are: Pandora, Yelp and Docs.com (Microsoft’s new online office suite). You must specifically block these applications.

Update: The Electronic Frontier Foundation has a great write-up on how to opt out of Facebook’s Instant Personalization with video.

Why Does Facebook Not Care About You?

Facebook calls it being social. Standing up before the audience at F8 developer conference, Facebook CEO Mark Zuckerberg seems to think he’s doing a service to the entire World-Wide Web. To me, this seems to be a “for the greater good” type of offering.

Frankly, it seems to be all about the money, really. I think Molly Wood summed up Facebook’s strategy best:

Let’s be clear: I hold few illusions that Facebook’s business strategy has ever been about anything other than building up a huge user base and then selling ads to those users. And obviously, the more targeted the ads, the easier it is to get people interested in them. But as the opportunities for data mining and targeting grow, Facebook faces a growing problem: how to get the data, if the users won’t share it.

So How Far Has Facebook Gone?

Pretty far, actually. Enter Graph API (application programming interface). Facebook now provides this API to allow for easy feeds of all aspects of any Facebook user’s information. Many users are reporting their events are exposed, and with them, their information. This livejournal blog documents how “Ping” was able to expose events to anyone on the Internet. You can try for yourself to see which or your information are exposed.