Tag Archives: Google

Security Threats Are Changing, So Are The Strategies

Security threats are changing. They are becoming more persistent, virulent and debilitating. But the strategies to control and counter these threats are also changing and evolving.

Two APTs that created ripples in recent years are the RSA SecurID Hack and Operation Aurora. Unfortunately, both of these were state-sponsored threats and cannot be classified with the normal types of threats that organisations face in the course of computing over the Internet. The RSA SecurID Hack is an APT that was released in 2011. This attack compromised systems that used RSA SecurID two-factor authentication tokens to generate one-time passwords.

Operation Aurora was an APT that stole sensitive intellectual property, along with source code, from computing giants such as Google and Adobe. The attack was very sophisticated, coordinated and orchestrated. The attackers had immense technical skill and an ability to take advantage of the weaknesses of the target organisation. Nor were the attacks short-term efforts aimed at capitalising on temporary windows of opportunity. They were threats that exploited vulnerabilities that the organisations themselves had not yet identified, and they were designed to unfold over a period of time (spanning years) using multiple vectors and combining a number of security breaches.

As a result, traditional methods of securing an organisation's data stores fail in the face of an APT. Alternative strategies will have to be discovered and implemented. The security strategy will have to be more proactive and capable of detecting and preventing an APT even while the perpetrators are still conducting reconnaissance of the organisation for weaknesses.

Organisations and cloud services may have to institute layered security. The layering will have to begin at the perimeter. Shared accounts will have to be managed effectively: encrypting and securing passwords, creating complex passwords that are difficult to break, restricting access to administrative accounts, and preventing password sharing through automatic login.

The next security layer should include server hardening. Server hosts should be protected with firewalls and with definitions of high-risk applications to be excluded. Sessions should be recorded and examined, and unusual activities should be instantly highlighted for deeper investigation. Analytical tools should be made available to evaluate and examine these activities and to track the time, date, source IP and user ID of each login. Phishing protection, anti-virus installation and employee education should follow.

In short, “defense in depth” security concepts should be implemented.
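The session-review layer described above (record logins, track time, date, source IP and user ID, and highlight unusual activity) can be illustrated with a small detection routine. The following is an added example written for this page, not code from the original post or from any product it mentions. The log format, the set of privileged accounts, the business-hours window and the failure threshold are all assumptions, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample session log (not from any real system). One line per
# login attempt in an assumed "timestamp user= src= result=" format.
SAMPLE_LOG = """\
2014-09-01 09:12:05 user=alice src=10.0.1.15 result=success
2014-09-01 09:40:22 user=svc-backup src=10.0.2.8 result=success
2014-09-01 13:05:41 user=admin src=10.0.1.15 result=success
2014-09-02 02:17:09 user=admin src=198.51.100.7 result=success
2014-09-02 08:59:30 user=bob src=10.0.1.22 result=failure
2014-09-02 09:00:01 user=bob src=10.0.1.22 result=failure
2014-09-02 09:00:33 user=bob src=10.0.1.22 result=failure
2014-09-02 09:01:10 user=bob src=10.0.1.22 result=success
"""

LINE_RE = re.compile(r"^(\S+ \S+) user=(\S+) src=(\S+) result=(\S+)$")
PRIVILEGED_ACCOUNTS = {"admin", "svc-backup"}   # assumed shared/admin accounts
BUSINESS_HOURS = range(8, 19)                   # assumed 08:00-18:59 local time
FAILURE_THRESHOLD = 3                           # assumed: flag success after 3+ failures


def parse(log_text):
    """Turn raw log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "src": src,
            "result": result,
        })
    return events


def find_unusual_logins(events):
    """Return (reason, event) pairs for logins that merit deeper investigation.

    Three simple rules, evaluated in time order:
      1. a successful login that follows FAILURE_THRESHOLD or more failures
      2. a privileged account logging in outside business hours
      3. a privileged account logging in from a source IP not seen for it before
         (the first successful login for each account builds the baseline)
    """
    seen_sources = defaultdict(set)   # user -> source IPs from earlier successes
    failures = defaultdict(int)       # user -> consecutive failures so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, src = ev["user"], ev["src"]
        if ev["result"] != "success":
            failures[user] += 1
            continue
        if failures[user] >= FAILURE_THRESHOLD:
            alerts.append(("success after %d failures" % failures[user], ev))
        failures[user] = 0
        if user in PRIVILEGED_ACCOUNTS:
            if ev["time"].hour not in BUSINESS_HOURS:
                alerts.append(("privileged login outside business hours", ev))
            if seen_sources[user] and src not in seen_sources[user]:
                alerts.append(("privileged login from new source IP", ev))
        seen_sources[user].add(src)
    return alerts


def report(log_text=SAMPLE_LOG):
    """Summarise alerts as (reason, user, source IP) tuples."""
    return [(reason, ev["user"], ev["src"])
            for reason, ev in find_unusual_logins(parse(log_text))]


if __name__ == "__main__":
    for reason, user, src in report():
        print("%-40s user=%s src=%s" % (reason, user, src))
```

On the constructed sample the routine flags the 02:17 login to the admin account twice (outside hours and from a previously unseen address) and the login to bob's account that succeeded after three failures; alice's and svc-backup's ordinary logins produce nothing. The baseline-from-first-login rule is the weakest part: in practice the known source addresses for privileged accounts would come from an inventory rather than from the log itself.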

Why Are Companies and IT Professionals Reluctant to Use the Cloud?

For a variety of reasons, many professionals today are reluctant to use the cloud. In fact, a recent IDG survey of 153 IT professionals revealed that most of them are reluctant to use the cloud to store data, and that only 13 percent of organisations store their files in the cloud. The good news is that, as time goes on, more users will become less reluctant to use the cloud and will realise why it is beneficial for them to access this cutting-edge technology. But what are the underlying reasons why more companies and professionals are not using the cloud?

Perhaps part of the reluctance stems from the fact that, as with any new technology, there is a fear of the unknown. This fear of the unknown and of using a new technology breeds mistrust. There could be a fear of losing data, or of not feeling confident that transferring files to the cloud will keep that data safe.

The reluctance cannot stem from the cost of switching over to the cloud. Switching to the cloud is a cost-effective way of doing business that does not require a major capital investment. It allows businesses to store their data and access it instantaneously.

Nor could it be due to a lack of flexibility. The cloud allows IT users and businesses a great deal of flexibility, particularly frequent business travellers. For example, with just a handheld device such as a smartphone and access to files in the cloud, employees can be anywhere in the world accessing the data they need for a meeting, briefing, seminar or workshop. The cloud frees them from carrying files with them, or even from taking a laptop or tablet. Accessing data on a smartphone allows business travellers to communicate and collaborate with their colleagues wherever they happen to be travelling.

So, whatever the reluctance may stem from, there is a need to tout the benefits of the cloud to those who do not yet see them. Perhaps it is simply a matter of a lack of awareness. Many end users might be using cloud technology without even being aware that they are using it (Google Docs and the Kindle Cloud Reader are prime examples). Perhaps it is just a matter of informing them of what cloud technology is all about and how it is already being used for a myriad of purposes. Once they are aware, the fear of the unknown may dissipate.

Whatever the case may be, the reluctance of some IT professionals, organisations and end users will most likely dissipate over time as they overcome their resistance to this new technology. The benefits of using the cloud far outweigh the disadvantages, and as awareness of this fact grows, so will the number of cloud users. The cloud therefore has a bright future.

Versioning for Cloud Computing — Part II

Versioning, as mentioned in the previous part of this article, Versioning for Cloud Computing - Part I, is the process of assigning numbers, with or without date stamps, to identify versions of a document or piece of data. Versioning at the backup level may create identities for backup versions that are stored on the server. At the file level, each file may be assigned a version number to distinguish it from other versions of the file after modifications have been made. A few storage providers treat a set of backups, documents, files or folders as objects and perform object versioning.

File versioning is the most commonly used versioning system in cloud computing. The first version of the file (available in the seeded backup or a subsequent full backup) is generally given the first number (in accordance with the numbering system adopted), and every new version of the file is compared with the original version or the full backup version and numbered sequentially. The comparison process additionally enables the storage provider to initiate incremental backup processes, so that only the modified sections of the file are backed up and unchanged portions of the file link back to the original file. This saves on bandwidth and backup time. If time stamps are available and management has pre-set archival policies on the system via the agent interface, the files will be archived automatically.

Some vendors like Google use object versioning systems. Objects are stored in buckets. All modifications to the object are part of the bucket, including archived versions of the object. Objects can be restored to an earlier state, overwritten, deleted or modified as required. The object properties allow users to identify the different versions of the object. The properties are numeric.

Versioning can be switched off or on for both file and object versioning systems. Switching versioning off does not remove the identifying characteristics of files or objects already stored under the versioning system. In file versioning, original versions of the file can be restored without disturbing the current version of the file. In object versioning, restoring an earlier version of the file will overwrite the current version.
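The mechanics described over the last few paragraphs (sequential version numbers, comparison against the stored copy so that only modified sections are uploaded, the two restore behaviours, and switching versioning off without losing existing version identities) are easier to see in code. The following is an added example written for this page; it is not the code of any storage provider named in the article, and it deliberately simplifies. It assumes fixed-size chunking with SHA-256 content hashes as the "comparison process", a deliberately tiny chunk size so the constructed sample shows chunk reuse, and an in-memory dictionary standing in for the backup server.

```python
import hashlib

CHUNK_SIZE = 4  # assumed: tiny so the constructed sample below shows partial reuse


def split_chunks(data: bytes):
    """Fixed-size chunking (an assumption; real providers use smarter schemes)."""
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]


class VersionedStore:
    """Toy versioned store modelling the behaviour the article describes.

    mode="file"   : restoring an earlier version leaves the current one intact
                    and records the restored content as the next version.
    mode="object" : restoring an earlier generation overwrites the current one.
    """

    def __init__(self, mode="file"):
        if mode not in ("file", "object"):
            raise ValueError("mode must be 'file' or 'object'")
        self.mode = mode
        self.versioning_enabled = True
        self.chunks = {}          # sha256 hex -> chunk bytes (stands in for the server)
        self.history = {}         # name -> list of {"version": n, "chunks": [hashes]}
        self.bytes_uploaded = 0   # bytes actually transferred to the store

    def _store_chunks(self, data):
        """Compare each chunk with what is already stored; upload only new ones."""
        refs = []
        for c in split_chunks(data):
            h = hashlib.sha256(c).hexdigest()
            if h not in self.chunks:
                self.chunks[h] = c
                self.bytes_uploaded += len(c)
            refs.append(h)               # unchanged chunks just link back by hash
        return refs

    def save(self, name, data):
        """Store a new version and return its sequential version number."""
        refs = self._store_chunks(data)
        history = self.history.setdefault(name, [])
        if history and not self.versioning_enabled:
            # Versioning switched off: the current version is replaced, but the
            # version numbers already assigned are left untouched.
            history[-1]["chunks"] = refs
            return history[-1]["version"]
        number = len(history) + 1        # first version gets 1, then 2, 3, ...
        history.append({"version": number, "chunks": refs})
        return number

    def read(self, name, version=None):
        """Reassemble a version (latest by default) from its chunk references."""
        history = self.history[name]
        rec = history[-1] if version is None else history[version - 1]
        return b"".join(self.chunks[h] for h in rec["chunks"])

    def versions(self, name):
        return [rec["version"] for rec in self.history.get(name, [])]

    def restore(self, name, version):
        """Bring back an earlier version using the semantics of this store's mode."""
        if self.mode == "file":
            return self.save(name, self.read(name, version))
        current = self.history[name][-1]
        current["chunks"] = list(self.history[name][version - 1]["chunks"])
        return current["version"]


def demo_file_versioning():
    """Constructed walk-through: three 4-byte chunks, then only the middle one changes."""
    store = VersionedStore(mode="file")
    v1 = store.save("report.txt", b"AAAABBBBCCCC")
    v2 = store.save("report.txt", b"AAAAXXXXCCCC")   # only XXXX is uploaded
    uploaded_after_two_saves = store.bytes_uploaded   # 12 + 4, not 24
    v3 = store.restore("report.txt", v1)              # v2 is kept; v3 has v1's content
    return v1, v2, v3, uploaded_after_two_saves, store.read("report.txt", v2), store.read("report.txt")


def demo_object_versioning():
    store = VersionedStore(mode="object")
    store.save("blob", b"AAAABBBBCCCC")
    store.save("blob", b"AAAAXXXXCCCC")
    restored_version = store.restore("blob", 1)       # overwrites generation 2
    return restored_version, store.versions("blob"), store.read("blob")


if __name__ == "__main__":
    print(demo_file_versioning())
    print(demo_object_versioning())
```

The bandwidth saving the article mentions shows up in `bytes_uploaded`: the second save of a 12-byte file transfers only the 4 bytes that changed, and restoring an old version transfers nothing at all because every chunk is already present. Real providers use variable-size, content-defined chunking and much larger chunks; the fixed 4-byte chunks here exist only to keep the sample readable.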

Versioning for the cloud is becoming more and more sophisticated as cloud vendors strive to differentiate themselves from the competition. This is especially true of cloud service vendors who want to offer their customers state-of-the-art collaboration tools and support for mobile and remote computing.

Google and Apple Introduce Encryption by Default

Google has revealed that its next mobile operating system, Android L, will encrypt users' data by default. Apple has also confirmed that devices running its latest operating system, iOS 8, will encrypt data by default.

These measures are to make it more difficult for thieves or law enforcement agencies to obtain the data.

This isn't the first time that Google and Apple have offered encryption for mobile devices, but previously it was optional and had to be enabled. As a result, many users were unaware that they could encrypt their data, or had never enabled it.

A spokesman for Google stated, “For over three years, Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement. As part of our next Android release, encryption will be enabled by default out of the box, so you won’t even have to think about turning it on.”

It is thought that the step to encrypt data by default is more to do with data privacy than with protection, as US firms will not have to hand data over to law enforcement agencies. Because the data is stored in encrypted form and Google and Apple have no knowledge of the encryption keys, it is unreadable to them.

Google and Apple are already part of an alliance group called Reform Government Surveillance which has been set up in an attempt to persuade the US government to drastically change its surveillance programmes.

It is now very important that any confidential or sensitive data is stored in a secure state, as the threat from cyber-thieves is increasing. They are developing more sophisticated methods of attack as the value of obtaining confidential data rises.

Did you know about the data encryption feature? Have you enabled the encryption?

Gmail Addresses and Passwords Posted Online

Millions of Gmail addresses have been posted onto a Russian website along with a set of passwords for the accounts.

The total number of Gmail addresses and passwords posted online approached the five million mark, but there are serious doubts as to whether the passwords are correct.

Security experts believe that the passwords are not correct: they are either old ones obtained through phishing attacks, or passwords that were used on other sites in conjunction with Gmail addresses.

Reddit users have confirmed that they found their Gmail addresses in the list, but that the passwords provided had never been used with their Gmail accounts.

Reddit user InternetOfficer stated, “The password that I generally use for other services is shown in this list and not my Gmail password. This proves that the hackers hacked into some other service where Gmail address (or other email addresses) are used and got the password of that service not Gmail password.”

Google has stated that it has seen no evidence that its systems were successfully hacked, but did confirm that some users have been asked to change their passwords.

In a security blog post, Google stated, "We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We've protected the affected accounts and have required those users to reset their passwords."

As cybercriminals develop more sophisticated methods of attack, it is vital that security measures are in place and regularly updated. It is recommended that strong, different passwords are used for different accounts, so that obtaining one password cannot give access to multiple accounts.

Twitter Offer Bug Bounty Rewards

Twitter has become the latest company to offer computer experts financial rewards for discovering vulnerabilities in its systems. This is known as a bug bounty.

Twitter has confirmed that there is a minimum reward of $140 (£85), but that no limit has been set on the maximum reward available.

Twitter released a statement confirming the bug bounty. The statement read, “There is no maximum reward. Reward amounts may vary depending upon the severity of the vulnerability reported. Twitter will determine in its discretion whether a reward should be granted and the amount of the reward.”

Twitter concluded, “This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.”

The bug bounty actually started in June through a company called HackerOne, but at that stage no financial rewards were available. This was reflected in the uptake: only 44 bugs were reported, a number that is now expected to increase.

To be considered for a financial reward, the person reporting the vulnerability must be the first to have reported it and must not disclose the vulnerability until it has been resolved.

Twitter is not the first company to set up a bug bounty; the approach has been used successfully by other market-leading companies such as Microsoft and Google. A bug bounty helps companies reduce the number of security flaws they have, and can also prove very profitable for the individuals who discover them.

One example of this occurred when a security expert earned $100,000 from Microsoft through its bounty program.
