We Want Protection, Google!

Summary: With Google’s customer data now a prime target for sophisticated cyber attacks, do we now need some peace of mind in the form of free security software and services from the company in order to protect us?

With Google's customer data now a prime target for sophisticated cyber attacks, do we now need some peace of mind in the form of free anti-malware software and services from the company in order to protect us?

The fallout from Google's recent Chinese cyber-attacks, which may cause the company to cut its ties with the communist nation, raises a number of questions as to what sort of data protection and security the company should provide to its huge customer base of GMail and Google Office applications.

I don't know about how everyone else is feeling, but as a GMail and Google Apps user I'm starting to get that creepy feeling that the front door of my house is wide open and the bad guys are waiting to walk in and grab all of my stuff while I'm away.

Back in early December of last year, I appealed to Google to provide its customers with an online-based backup service, which I tentatively called Google Backup. Last week, it appears that Google got the message, by now providing enhanced capabilities to Google Docs in which any form of data, up to 250MB per file, can be stored.

For regular consumers, additional storage above the free amount can be purchased for approximately 25 cents per gigabyte per year. While online cloud-based backup appears to be only part of the much more expensive Google Apps Premier Edition and available through partner services like Memeo and Syncplicity, the "Google Drive" that everyone has been clamoring for has for the most part surfaced.

Now that Google Docs will be seen as a major online storage platform for consumers and corporations, that makes it a very high value target, and we can expect that the Chinese cyber-attacks are only the beginning of a trend in which data hosted in the cloud will be under constant attack by interested parties.

Whether these attacks came from a group connected to the Chinese government or simply a rogue criminal organization is unimportant from the perspective of Google's customers. The bottom line is that if we're going to use these online storage services from Google, we want protection, and we want it now.

According to multiple sources, the Chinese GMail attacks used a Zero Day exploit in the Windows Internet Explorer browser as part of their toolset and techniques used to penetrate Google's security. Our own Windows maven, Ed Bott, suggests that it's time for IE6 to die in IT environments and for personal use. I agree with Ed but I'm going to take that a few steps further.

Recently Google turned HTTPS on by default for all connections to GMail and its apps sites. This is a good start, but it's not enough.

For starters, IE 6 should be blacklisted from being used as a web browser on any of the Google sites. It should be persona non grata, verboten. This policy should be adopted like, um, yesterday.

If Google detects incoming connections from IE6, the offending end-user should get an immediate message along the lines of "In order to provide our customers a secure and safe experience we no longer support the version of the web browser you are currently using. Please use one of the following web browsers instead, yadda yadda" and provide the relevant links to download Chrome, Firefox, IE 8, Safari and Opera.
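A sketch of the server-side check such a policy implies, added here as an illustration and not taken from Google or from the original article: it classifies a request by its User-Agent header and returns the upgrade notice for genuine IE 6 only. The `gate` hook, the 403 status and the sample strings are assumptions made for the example.

```python
import re

# Browsers the article suggests linking to (names only; download URLs omitted).
ALTERNATIVES = ["Chrome", "Firefox", "IE 8", "Safari", "Opera"]

NOTICE = ("In order to provide our customers a secure and safe experience we no "
          "longer support the version of the web browser you are currently using. "
          "Please use one of the following web browsers instead: "
          + ", ".join(ALTERNATIVES))

# The first "MSIE x.y" token is the browser's own version; later ones can be
# leftovers from an upgraded install embedded in the comment section.
_MSIE = re.compile(r"\bMSIE (\d+)\.(\d+)")


def is_ie6(user_agent):
    """Return True only when the User-Agent identifies genuine IE 6."""
    if not user_agent:
        return False
    # Opera of that era could identify as MSIE 6.0 while appending "Opera".
    if "Opera" in user_agent:
        return False
    # The Trident token is only sent by IE 8 and later, even in compatibility view.
    if "Trident/" in user_agent:
        return False
    match = _MSIE.search(user_agent)
    return bool(match) and int(match.group(1)) == 6


def gate(headers):
    """Hypothetical front-end hook: returns (status, body) for a request."""
    # Header names are case-insensitive on the wire; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if is_ie6(lowered.get("user-agent", "")):
        return 403, NOTICE
    return 200, "OK"


# Constructed sample User-Agent strings in the formats those browsers used.
SAMPLES = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "ie8_upgraded": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; "
                    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))",
    "opera_as_ie": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko Firefox/3.5",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(name, gate({"User-Agent": ua})[0])
```

The User-Agent header is supplied by the client, so a check like this steers ordinary users toward a supported browser but cannot be relied on as an access control.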

Next, Google needs to ensure that its customers are practicing safe browsing and are securing their systems, because your security is only as good as your weakest link. For this, I suggest that Google start going on a shopping spree and buy up a whole bunch of PC and Internet security firms, particularly ones that develop multi-platform antivirus, antimalware and firewall solutions, and then offer that stack to all of its customers.

Companies like Kaspersky Lab and ESET might be good candidates for multi-platform antivirus solutions for Google's coffers, since their software runs on Windows, Linux, Mac and other Unixes, and would be easy to bake into Android and Chrome OS. There are a number of other firms and/or Open Source projects that would be good buys/plays which would form the other portions of the "Google Security" stack.

Every Google customer should have to go through a comprehensive multi-point inspection depending on the platform they are running to certify that their PC/Mac/Linux/Smartphone system is protected for using Google sites. This would include firewall port settings, ensuring that they have an antivirus with current definitions installed, and that the system is properly protected against spyware.

Obviously, in the case of Windows, free antivirus, antimalware/antispyware and firewall for all Google customers will be a necessity. Most corporate customers would be already covered in that most large corporations have standard antivirus, firewall and antimalware compliance policies set, and the Google multi-point audit utility would catch anything else that needed to be locked down.

The largest issue would be with small businesses and home users that don't properly update or secure their systems. For these customers, a Google Security Suite that includes everything they need to protect their systems and run safely on Google's sites -- provided for free -- would be a godsend.

Do Google Apps customers need a free Google Security stack? Talk Back and Let Me Know.

Topics: Cloud, Browser, Collaboration, Data Management, Google, Hardware, Security, Storage

About

Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.

Talkback

153 comments
  • I don't think installing more junk will do

    If a user can't keep up with the current AV/AM, then why do you think they'd keep up with Google's?

    I've also been spreading the word about Microsoft's Security Essentials, there is your solution. Requires no user interaction whatsoever, unless called upon to clean up an intruder.

    Honestly, I still think users need an education before being put behind a keyboard. Know what to do, what not to do, and how to keep yourself safe online would be more beneficial than throwing software onto a system and leaving the user to their own device.

    That said, this isn't good for Google who, a few short months from now, will be releasing ChromeOS. If Google is this easily hacked into, why should I use it? It forces me to store my data on Google's Cloud for the whole world (Not just China) to see....
    The one and only, Cylon Centurion
    • Blame game

      Ah, so it's user's fault for being too ignorant to use a windows pc, or
      is it in fact Google's platform that has been hacked? Which is it?

      Or, pray tell, is it actually Microsoft who simply can't make a reliable
      platform?

      People should exercise consumer power a lot more vigorously and
      choose among the alternative platforms. This is the only real solution,
      not more software for a broken windows. Now that billions of dollars
      and IP may be lost as a consequence should a lot of eyes be opened,
      but I'll not hold my breath.

      [i]"No one ever went broke underestimating the intelligence of the
      American people" -- H. L. Mencken[/i]
      Mikael_z
      • Actually it is both user and corporate fault...

        ...for continuing to use IE 6 (users for not upgrading, corporations for requiring IE 6 because of their inhouse apps that haven't been updated to work with later versions of IE).

        Microsoft already has mitigations in place for this issue and yet the many businesses in the corporate world continue to live in the past.

        Lastly for the people who think that everyday external users logging into Google's sites using IE 6 to do their Google Apps are the cause of Google's woes in this regard, then they really need to lay off the crack.

        Every day external user IE6 won't gain admin access to Google's servers. This was an internal screwup. Someone INSIDE Google (with full access to the corporate network) used IE 6 on their corporate network, that's the ONLY way that IE 6 could have been part of the problem.

        Looks to me like if Google's internal users are using IE 6, it's because Google didn't do good internal security. I mean think about it, how long have other versions of IE been available? How long has DEP been available on Windows?
        PollyProteus
      • No. It's the user's fault for believing that ...

        ... Google can provide them something for nothing.

        All data is vulnerable. The bigger the target, the more vulnerable it is. A Google server is more vulnerable than a PC sitting on your dining room table.

        There is a very short list of things that the consumer can do to protect his/her PC from 99% of threats. This short list includes a number of tools which are either free with Windows, free off the web, free from your ISP, or ship free (or for a small charge) with a new PC.

        Even the most elaborate commercial products are available for consumers for between $50 and $100.

        For Google (and, to be fair, most any corporate entity) there is a long list of things they MUST DO to protect their customers' data as well as their own. Failure to do so places the entire entity (and all of their customers) at GRAVE RISK.

        Caveat Emptor.
        M Wagner
    • Microsoft's Security Essentials...

      So you want MS, with their unsafe code, to guard against malware... how brilliant. Don't you think that MS Security Essentials is also full of holes? Whatever you're smoking, I want some...
      prof123
      • Give it a try

        You tell me it seems to be a hit. I have yet to see any holes, and don't have regrets spreading the word about it.

        If you'd understand where it came from you'd realize the strengths of the program.

        And it's not just me saying this:

        http://www.neowin.net/news/facebook-users-get-6-months-of-free-mcafee
        The one and only, Cylon Centurion
        • Are you kidding?

          In order to install this, you have to have Windoze Genuine Advantage Validation tool on your machine.

          I had a hell of a time getting that M$ spyware off.

          No need to be 100% pwned.
          Wintel BSOD
          • Is that all you've got?

            Please. Gods forbid big bad companies keep track of their software! When you think of something that'll contribute to the conversation, let me know. Otherwise, quit talking to me.
            The one and only, Cylon Centurion
          • It's an open forum, Nicholas

            [i]Please. Gods forbid big bad companies keep track of their software![/i]

            It's my machine. I bought it. I paid for it. I have a receipt and a valid key. That all M$ needs to know.

            [i]When you think of something that'll contribute to the conversation, let me know. Otherwise, quit talking to me.[/i]

            Soon as you stop making slavering sales pitches for M$. Don't you know you're supposed to be in school? ;)
            Wintel BSOD
    • If Google can't keep its own network safe...

      ...why would I even consider putting my data on their servers (outside of the tons of data google already collects).
      Google got hacked because they had a machine running outdated software (old browser running on a very old OS) hooked up to their corporate network with enough access to do damage.
      Why Google why?
      FutureGuy
    • google network hacked due to IE6 vulns

      I thought the google network(s) and other networks
      were effectively broken into because of IE6
      vulnerabilities and not necessarily because
      Google's network was any more or less secure than
      any other well maintained network.

      Am I missing a different story somewhere that
      talks about Google's network being insecure and
      everything not being the fault of IE6?

      Well, in MS's defense, they have been pushing
      really hard to get people to stop using IE6. When
      people don't listen, networks suffer.
      jimnorcal
      • Google's network didn't have anything to do with this.

        It was the result of an unknown exploit with IE6 and Windows XP that allowed the hackers to gain access to the network.

        But my statement is Google, why should I bother looking into ChromeOS, which by default, forces my data to be synced with your servers - servers that are as hackable as any other - when it can be hacked, destroyed, or read? You promoted all this nice looking client side security, but nothing on the other end is keeping my data secure.
        The one and only, Cylon Centurion
      • garbage

        [i]Well, in MS's defense, they have been pushing
        really hard to get people to stop using IE6. When
        people don't listen, networks suffer.[/i]

        No they haven't. Stop making excuses for them.

        If they [b]really cared[/b], they would have ended support for it a long time ago. As it is, support won't end for it until 2014

        http://en.wikipedia.org/wiki/IE6
        Wintel BSOD
        • Well that is how things work....

          They are continuing support to maintain corporate systems and it has been done in the past by every software vendor in the world who is trying to generate some kind of profits. It is a huge loser for a software company to continue to support products beyond the current release. MS really would love to walk from that legacy stuff, but their clients won't allow them to. I have seen this many times from them, and in reality, it is about the only viable action they can take without risking their customer base. They are not intent on hitting themselves with a hammer as you imply in the tone of your post.
          Woned B. Fooldagan
          • There comes a time...

            ...when you eventually have to move on. IE6 has been out for almost 10 years now. If the software developers haven't made their money back by now in development costs, then they should get the hell out of the business.

            M$ won't "risk" their customer base? With 90% of the desktop market, where would their customers go?

            They are a captive audience, suffering from a bad case of vendor lock-in. Pwned, bought & paid for.
            Wintel BSOD
          • Something here does Not Add Up

            Your generalizations sound plausible at first, but upon closer inspection, are flawed.

            No, they are NOT obligated to keep maintaining old software. Every major software company makes a commitment to maintain and provide support for software versions only to a certain point. For Sprint PictureMail, for example, it was two major revision numbers: once they released 5.1, they no longer supported 2.whatever.

            I don't know the specifics of the agreement with Microsoft and corporate customers, but it would have been pretty stupid for them to agree to support IE6 when they are already two major revision numbers up, to IE8.

            Besides: even with such an agreement, sometimes the best way to support/maintain the software IS to insist the customer upgrade.

            Such is certainly the case here. That is what MSFT should have done. It is not too late for them to wise up.
            mejohnsn
  • RE: We Want Protection, Google!

    Google Protection = oxymoron

    They have no interest in protecting your data. They mine it and sell it, protection would go against everything they stand for.

    [i]I don't know about how everyone else is feeling, but as a GMail and Google Apps user I'm starting to get that creepy feeling that the front door of my house is wide open and the bad guys are waiting to walk in and grab all of my stuff while I'm away.[/i]

    uh... what took you so long to realize this? The rest of us already knew that Google's lack of security was a huge factor in not using their services. Add on to the fact that their employees would rather sit around play with office toys than secure your data is a big reason I no longer use anything from Google. When they start getting serious about being a business then I'll look into them and see if their services are on par with the alternatives. Until that happens it's a Google-free zone for me.
    Loverock Davidson
    • Hi

      [i]They have no interest in protecting your data. They mine it and sell it, protection would go against everything they stand for.[/i]

      If they want to mine it and sell it, then all the more reason they would want to protect it from unauthorized access.

      If data becomes available to any entity other than Google, then Google--all of a sudden--CANNOT command a high price for this information...

      For example, if I have information "x" to mine and sell, I want to make sure some random hacker doesn't get access to "x"...because then this random hacker will sell "x"...becoming my competitor.

      So, sadly, your argument fails in that regard.
      purag66
    • It's like hiring a fox to guard hen houses

      The last one I'd turn to is Google as far as data protection goes. I'm sure they allow CIA / FBI to read my gmail content at will.
      LBiege
      • Do you really think there's anything

        that you could put online without the NSA knowing about it?
        T1Oracle