Would the SONY Hack Work on a Google Drive Based Business?

Your Information IS your business, Keep It Safe

Google Drive & Docs

A modern business of ANY size is largely the sum of its data and documents. Keeping them safe and private is crucial for the survival of your business. Are you safe if you use Google services?

Security in the Post Sony Hack World

The Sony Pictures hack has shone the spotlight on the security issues posed by Internet-connected systems, particularly those using Windows desktops. Sony, it will probably be revealed, got hacked via a spear-phishing attack. Spear phishing is aiming a carefully crafted attack at an individual, using personal information to make the attack seem like an email or document they expect, know, or want. Once the target has allowed it into the network, lax security procedures and poor passwords gave the attackers access to everything. However they got in, poor security procedures will ultimately be revealed to be the main culprit.

Sony Hack

Passwords were stored in unencrypted files named “passwords”. Thousands of email messages stored in Microsoft Outlook .PST data files were copied. Massive numbers of documents were just copied off the Sony servers and out to the web. It is obvious that security was lax, but the reason all this was copied is basically that it was all sitting on Sony servers, and the passwords were weak or available to the hackers.

This was a failure of the classic server-client network on a huge scale.

Security in the Google Cloud World

Google Drive Logo

On the other hand, a business that keeps its workers on Chromebooks and stores data in the cloud is going to be in a better position to defend its data.

The documents, spreadsheets and mail are all stored on Google’s secure and backed up servers. Access is via individual user passwords. Documents can be private, shared with individuals, shared with domains (everyone in the business) or publicly.

There is one huge security advantage to this. Instead of documents being emailed around the company as attachments, they can be shared from Drive, so that all that is sent in the email is a link. A document attached to an email can be forwarded, copied and stolen. The document link will only work for someone logged into Google Drive as the recipient of the document. Anyone else that gets the link will not be able to access the document. This is a huge step up from emailing documents.

An Example of the Dangers of Sending Documents

Some time ago, I worked for a very large organization that used Microsoft Office. Everyone used Outlook for email. People inside the company sent contracts, proposals, memos and other documents as Word documents attached to emails.

In one large department, instead of saving documents on the corporate servers, they began to go back to Outlook to find the last version of the document and worked on that. Then they sent it or saved it back to Outlook. Corporate data was not being saved on the file servers. Outlook .PST files grew to huge sizes.

Then, one Sunday night, the mail server for that department ran out of disk space. It tried to alert the Sysadmin, but there was no space on the server to process the email. The whole system collapsed at 2:35 AM and no-one knew anything was wrong until they arrived for work on Monday.

The lack of disk space had also prevented backups from running properly. Tape backups had failed weeks before, but no-one had checked the logs. It took two weeks to get the mail system running, and many users had lost hundreds of documents and revisions of documents. Some lost their entire email history, address book and calendar. For weeks, email flew around the organization begging for recent versions of contracts, proposals and other documents to be sent back to the originators. The fallout went on for a year or more.

As the Sysadmin for my department, I began monitoring the size of Outlook data files, and began delivering scathing warnings if they began to grow too large.

It was a lesson I never forgot.

And the Winner Is…

If Sony had been using Google cloud storage, how might this have played out?

E-mail would have been protected by storage in Google’s cloud. Google mail is accessible by web browser. The connection to Gmail is by a secure HTTPS connection. This would have made intercepting e-mail difficult to impossible. Attachments would have been replaced by links, and not accessible to the hackers without the relevant passwords. Email would have remained secure as long as passwords remained secure.

I have mentioned secure passwords a few times. A cloud based solution needs good password security. Sony obviously were using bad passwords and poor password procedures.

For Google Docs (the business version of Drive), user policy is controlled centrally by the Administrator, which allows policies like good passwords and two factor authentication to be enforced.

Lastpass

A corporate account with Lastpass would have saved a lot of grief. Lastpass creates and stores secure passwords. Instead of using “Monkey” or “123456” everywhere, Lastpass will generate a real, unique and secure password for every site and then store it for you. Every time you visit that site while logged into Lastpass, it will paste the password and username into the browser for you.

And even better, it is really secure, really cheap, and uses two factor authentication.

Singing the Praises of Two Factor Authentication  

Two factor authentication simply means you need something other than the password. The password is easily stolen, but a second form of identification means the password is not enough.

The second factor or token can be one of those key-ring devices that shows a number every thirty seconds, a fingerprint, a retinal scan, or a USB dongle that has to be plugged into your computer before you can log in.

Every teller at my bank has to swipe a card and type a password before they can use a terminal. That card is their second factor.

The simplest one for most of us is an app for our phone or tablet. I use Google Authenticator. I have registered my Google Mail account, and when I login, I have 30 seconds to type in the six digit number displayed on my phone or tablet. I also have a sheet of six emergency codes. I keep that paper very safe, and have never had to use it. I always have a phone or tablet in range when I sit down at the computer.
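The six digit, 30 second codes described above follow the TOTP standard (RFC 6238), which Google Authenticator implements. The sketch below is an added example, not code from this post or from Google: it shows how the phone and the server derive the same code from a shared secret, and how a server can tolerate clock drift while refusing a replayed code. The `TotpVerifier` class and its drift setting are illustrative assumptions, and the secret is the published RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # each code is valid for one 30 second step
DIGITS = 6         # the six digit number shown by the app


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float) -> str:
    """RFC 6238: HOTP where the counter is the number of steps since the epoch."""
    return hotp(key, int(at) // STEP_SECONDS)


def decode_secret(b32: str) -> bytes:
    """Enrolment secrets are base32, often displayed in spaced groups."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check (hypothetical helper): allows drift, blocks replay."""

    def __init__(self, key: bytes, drift_steps: int = 1):
        self.key = key
        self.drift_steps = drift_steps
        self.last_used_counter = -1  # highest step already accepted

    def verify(self, submitted: str, at: float) -> bool:
        current = int(at) // STEP_SECONDS
        matched = None
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter < 0:
                continue
            expected = hotp(self.key, counter)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                matched = counter
        if matched is None or matched <= self.last_used_counter:
            return False  # wrong code, or a code that was already used
        self.last_used_counter = matched
        return True


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), not a real account.
    key = decode_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("code for the current 30 second step:", totp(key, time.time()))
```

The replay check is why a code read over someone's shoulder stops working as soon as the legitimate login has used it.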

The Cloud IS Secure

As we can see from this, using a cloud service like Google Docs is no less secure than storing everything on a local server.

Is it absolute security? No. No-one is even sure such a thing exists. It is all relative.

If the FBI, NSA, ASIO or GCHQ want your data, they will get it. But Google is working hard to make this process more difficult for them, and is making great strides.

This is a low friction, low cost option to provide secure storage and sharing of your data with high reliability, and no cost for a big IT team to keep it working.

REALLY Secure Information in the Cloud  

Some things really are secrets, rather than just private. There are ways to put the absolutely most secret things in the cloud too. They just require a little work to get them there.

More on that later – Enjoy!

Beware the “Awesome Screenshot” Extension for Chrome, Firefox, Safari

Awesome Screenshot Page

This seemingly innocent plugin that allows the capture and annotation of screenshots has been caught with its hand in the till, according to mig5.net. I caught onto this story courtesy of the Chrome Story Blog.

Awesome Screenshot Access

Basically the Awesome Screenshot plugin spies on all the web sites and pages you visit, sends the data back to servers for storage, and at a later date a web-crawler identifying itself as “niki-bot” begins scanning those pages. The purpose is not clear, but the terms of service for “Awesome Screenshot” state:

When users access the software, certain non-personally and personally identifiable information (the “User Information”) may be collected, stored and used for business and marketing purposes, such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users.

Awesome Screenshot Logo

My advice would be to run, do not walk, to your computer and remove the Awesome Screenshot plugin immediately!

Thank you to the sites mentioned above for doing the detective work on this one!
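An extension can only report the pages you visit if its manifest asks for access to them, so the installed manifests are the place to check. The script below is an added example, not taken from this post or from the sites credited above: it flags Chrome extensions that request access to every site or to browsing-related APIs. The sample manifests are constructed for illustration and are not the real extension's manifest, and the profile path in the last lines is an assumption for Chrome on Linux.

```python
import json
from pathlib import Path

# Match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome extension APIs that expose URLs, history or traffic.
SENSITIVE_APIS = {"tabs", "history", "webRequest", "webNavigation", "cookies"}
URL_APIS = {"tabs", "history", "webNavigation"}


def audit_manifest(manifest: dict) -> dict:
    """Summarise what one extension manifest allows it to see."""
    declared = list(manifest.get("permissions", []))
    declared += list(manifest.get("host_permissions", []))  # Manifest V3
    declared = [p for p in declared if isinstance(p, str)]
    hosts = {p for p in declared if p in BROAD_HOSTS}
    # Content scripts injected into every page can also read those pages.
    for script in manifest.get("content_scripts", []):
        hosts.update(m for m in script.get("matches", []) if m in BROAD_HOSTS)
    apis = {p for p in declared if p in SENSITIVE_APIS}
    return {
        "name": manifest.get("name", "?"),
        "all_sites": sorted(hosts),
        "apis": sorted(apis),
        "can_observe_browsing": bool(hosts) or bool(apis & URL_APIS),
    }


def audit_profile(extensions_dir: Path) -> list:
    """Chrome unpacks extensions as <Extensions>/<id>/<version>/manifest.json."""
    results = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        report = audit_manifest(manifest)
        report["id"] = path.parent.parent.name
        results.append(report)
    return results


# Constructed sample manifests, used only to show the two outcomes.
SAMPLE_BROAD = {
    "name": "Constructed Capture Tool",
    "manifest_version": 2,
    "permissions": ["tabs", "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
                         "js": ["content.js"]}],
}
SAMPLE_NARROW = {
    "name": "Constructed Notes Helper",
    "manifest_version": 3,
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://notes.example/*"],
}

if __name__ == "__main__":
    # Assumed location of the default Chrome profile on Linux.
    profile = Path.home() / ".config/google-chrome/Default/Extensions"
    for report in audit_profile(profile):
        if report["can_observe_browsing"]:
            print(report["id"], report["name"], report["all_sites"], report["apis"])
```

A flagged extension is not necessarily malicious, since many legitimate tools need page access; the list tells you which ones to read the privacy terms for.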

 

Sinking the Chromebook Myth – It Does Work Offline!

Samsung Chromebook
The Samsung Chromebook

There is endless carping by ill-informed or ignorant pundits talking about Chromebooks being “bricks without WiFi”. It is time to look at that with fresh eyes.

I am shocked to discover I have not written about the offline capabilities of the Chromebook. I have written a lot in comments on other Blogs, and lost track of the fact that I have not discussed it here.

The 31 Day Chromebook Challenge – Day 30

My 31 Day Chromebook Challenge is drawing to a close. And it is time to speak out about the Chrome OS. Most of this article was written in the passenger seat of my car, definitely offline. And with no problems at all.

I am writing this on the Samsung Chromebook. I am offline, typing in Write Space using a fairly large font. I like the ability to set up Write Space with colours, fonts and page width. I am writing in less than perfect viewing conditions, and it is perfectly readable and comfortable.

I am listening to music saved to the downloads folder through my headphones, writing until a 25 minute countdown timer tells me to take a break, and I have access to lots of notes in Google Keep and saved from Feedly into Pocket.

So, here is the executive summary for you impatient types:

Offline, with the default Chromebook installation I can:

  • Manage Files – Move, copy, delete and more with the file manager
  • Read and edit e-mail, and send when connected with Gmail offline
  • Edit all types of documents with Google Docs
  • Create, read and search notes in Keep.
  • Set reminders and alarms in Keep
  • View my Calendar in Google Calendar
  • Use Calculator – A simple calculator, but it works offline
  • Audio & Video player – Part of the Files app. Most music and video files just play. Even from External drives and devices
  • Display a presentation in Full Screen mode and use the HDMI port to send it to a projector
  • Take photos using the (front facing) camera app.

With apps from the Play Store I can:

The Things I CANNOT do:

  • Capture or edit audio or video (offline)
  • Open a zip file
  • Open an encrypted volume
  • Access Dropbox folders and files (offline)
  • Use Evernote (offline)

All in all, I can do a hell of a lot with a Chromebook. And I have close to 9 hours of battery life in lecture note taking mode, with WiFi off and screen brightness lowered.

And I have six or more hours plus in full working mode.

I intend to write a lot more about ChromeOS and Chrome apps in the future. I also have some words about the Microsoft Scroogled Toadies and their severely slanted views.

Enjoy! – Phil Stephens

 

 

Chromebook Challenge Day 3 – Remote Support – A Problem Overcome

Chromebook
Image by Zoinno

The Chromebook challenge began badly. On the second day I had to provide some technical support for a friend in another state. Unfortunately she is barely coherent, technically, despite having a degree in another field. As a result I soon had to fall back on accessing her machine remotely to make some configuration changes to her wireless router.

I know remote management of another computer is possible on a Chromebook using Chrome Remote Desktop.

This requires the installation of Chrome and the Remote Desktop plugin, on the client or host machine, and this was more than I thought we could manage, so I booted a Windows laptop up for this situation.

There is another solution, the new Google Hangouts Remote Desktop. This is an add-on, easily accessed in Hangouts, even while a hangout is in progress. Unfortunately either the Samsung Chromebook or my bandwidth was not adequate, and the remote connection was painfully slow, and audio was reduced to a Cylon snarl. I gave up fairly quickly.

The Chrome Remote Desktop option, however, is improving, and works very well. There is now an option to install the Remote Desktop software on a PC in Permanent Access Mode so that you can connect to it even before it is logged in. (Chrome Support shows how here: https://support.google.com/chrome/answer/1649523?hl=en )

Chrome remote login

I installed this service on a Windows 7 Netbook and logged in easily as soon as it booted up. 

Logging into Windows 7 Remotely

If you are required to do remote support, I strongly recommend installing this service and applying a STRONG PIN to protect the host computer. Once done, you can log in at any point from any computer with a Chrome browser. That obviously includes a Chromebook.

Another problem solved!

The Chromebook Challenge Day Two – Write Space

Samsung Chromebook
The Samsung Chromebook

Well, here I am on day two of the 31 day Chromebook challenge. It has not been without problems, one of them causing me to use a Windows PC to do a remote support call. I now know how to do that from ChromeOS and will write about it when I can do some more research.

The first question I asked when I started using a Chromebook a couple of months ago was what will I use as a text editor? The obvious choice would seem to be Google Docs or a Google Drive Document. Drive (for now, I will call them Google Docs) has formatting, spell-check and word-count, all things important to a writer. And despite the “without WiFi it is a brick” whining of the Microsoft Scroogled campaign’s lapdogs, it works perfectly offline, accessing and editing all your documents, as long as you have allowed them to sync with Google before going offline.

But I have one problem with Google Docs as a general purpose text editor. A Google document can be quite hard to view in field conditions. I spend a lot of my day on buses and in the sun, with my Samsung Chromebook Series 3 on my lap. A big, clear screen is vital.

I am currently using Write Space, a full-screen text editor. Write Space is basic. A handful of basic key-strokes, a status bar at the bottom of the screen with Words, Lines and Characters typed.

Write Space
Write Space, Configured the way I like it!

There is no menu, and no save option. Everything I type is saved locally. It has no file save option. Text just gets saved to the local Chrome storage, and is kept. To use it elsewhere, it must be cut and pasted to a Doc file, Keep, or a text file.

I am using Write Space because of the simplicity of the screen and the ability to re-configure it. If you go to the Chrome > plugins > settings menu you can change the page width, font size and colour. Save the settings, and Write Space instantly updates its look and feel.

I am writing in a large, pale blue font on a dark blue background on a page that is 800 pixels wide. It is large, easy on the eyes and very responsive. It is visible in low light. I can read the large font easily when using the computer on my lap. It is a little reminiscent of the WordPerfect screen of the eighties, and easy on the eyes.

There is a spell-checker that works well, even when offline. The usual short cuts work, including the undo function.

When I hit the full-screen key (the equivalent of F11 in a Windows Chrome browser) I have a full, uncluttered and simple screen that allows me to work without distraction.

It is hard to get any simpler, and hard to think of more than a few hundred words to say about an editor that just works. I have never lost a word, and occasionally I copy everything into Keep so it will sync across every device I use.

All in all, I recommend Write Space as a simple and reliable text editor.

Enjoy!

User Account Control Settings – Windows

User Account Control (UAC) settings in Windows Vista and Windows 7 seem like an annoyance rather than a benefit to Windows users. There are many web sites telling users how to turn UAC off. However, the UAC warning is a vital tool in maintaining the security of your computer. It ensures that you know when a program is attempting to make changes. If you are trying to install a program, you expect the warning. But if you see a message like this when you are visiting a web site or reading e-mail, it is a warning that something is being done without you requesting it.

Simply cancelling the request will keep your computer safe.

To maximise your safety, increase the level of notification from UAC to the maximum.

How to Raise UAC to the highest setting

1) Click on the Start button or hit the Windows key.

2) Type UAC in the “search programs and files” box

3) Click on the “Change User Account Control Settings” option (it should be the first choice)

4) Push the Slider up to the highest setting

5) Click OK, and you are done.

This will ensure nothing makes changes to your computer without notifying you. And remember, ALWAYS read those notifications before clicking on them. A malicious program, once installed, can be an expensive mistake.

What Else Can I Do?

There is lots more, and we will post about them here, but with these three things, and common sense, you will enjoy a safe and secure Windows computer.

 

Don’t Make This Social Media Marketing Mistake

Social Media Marketing – DON’T Send Your Customers to Mark Zuckerberg

More and More, I see marketing campaigns sending customers to Social Media web sites.

Don’t do that! Really. Stop it now! The visitor is interested enough in you or your product to read a web page, blog post or tweet and look for more information. Instead of sending them to your web page, you are directing them to a site you do not and cannot control.

Bloggers are doing the same with Follow us on Twitter and Find us on Facebook buttons. A visitor has come to your site, hopefully to read your content and perhaps buy your products, and you then send them to Facebook. Mark Zuckerberg thanks you. Your customer has now become his. In the Internet age we all have the attention span of goldfish. Once your prospect hits Facebook they may follow you, but they may never actually engage you. It may be days or months before they return to your web site.

Don’t Send People to a Place You Do Not Control

“Ahh”, you say, “but we have built a GREAT site on Facebook and are getting thousands of Likes”. Perhaps you are, but what real engagement are you getting, and how much control do you have?

Many businesses have used a standard Facebook account and use it as a business page. A Group has some advantages, but today Facebook is pushing everyone towards Fan Pages. Many businesses have fallen foul of Facebook’s ever changing rules and had their site taken down. See the account by Ars Technica. Some have had the page taken over by hackers or ex-employees who have changed passwords and locked the business out of its own site. And many people will use comments on a popular Fan Page as a platform for their own purposes.

Facebook Changes Again

At the end of March 2012 Facebook is changing the rules about pages again. Fan pages, or Facebook pages, are now being brought into line with the normal user page. The look is changing. Here is the Facebook page of one business before:

This is how the Easy Lunchbox page looked on Facebook

 

And After:

 

easy lunchbox facebook page now

Some businesses have spent $50,000 (and perhaps more) getting pages like this designed. Now much of that work will be thrown away.

 

McDonalds Australia. A Big Marketing Campaign pointing to Facebook

McDonalds Australia have been running an advertising campaign featuring their Facebook page. Their web site (it doesn’t work for me most of the time, I have Flash disabled) also has a link to this page. I tried clicking on the link to Facebook and got a rather disturbing pop-up.

Eventually I accepted the caution and went to the McDonalds Facebook page. The advertising campaign seems to have worked. They have 285,580 persons who like their page. There was a reward for liking the site. Of those, 277,965 have actually visited the site, but only 13,933 are Talking About the page.

This page will, of course change within the next week or so…

Be prepared for Damage Control

A quick browse through the comments on various posts indicates that many of the comments are less than flattering.

Comment on McDonalds Facebook Page
More less than flattering comments

 

I wonder if I commented on the violent bout of food poisoning that almost put me in hospital after eating a McDonalds, would it be deleted? Would it help their marketing?

Deleting comments because they do not meet your approval is a dangerous move. People do not like to be censored.

Keep your traffic at Home, Mark Zuckerberg has enough. Remember, Facebook is not there to help your marketing effort. Their goal is to get your customers engaged, gather information and target someone else’s advertising at them.

A far better use for the precious seconds of their time someone has given you would be to direct them to your own web site. Preferably a custom landing page that has been designed to call them to action. Sign up for a newsletter, subscribe to a feed or make a purchase.

Use Facebook and Twitter for Inbound Marketing

Facebook and Twitter have a very real place in marketing, but it is in the other direction. Don’t send people there. Use Tweets or posts to encourage people who find you on those sites to follow you because you point them to interesting content. If that content is on your web site, so much the better. The main thing is to give them something worth reading, commenting on or re-tweeting. Then they will bring their friends to you.

So when that Social Marketing Guru comes knocking, say “No, thank you, I would like to send my potential clients where I can control the message.”