Google: Gmail Scam Signals Much Bigger Security Issue

This weekend news came that a Gmail archive service called G-Archiver, which backs up all of your Gmail emails to your hard drive, was actually the front for a scam - hard coded into the application was a “feature” that sent every user’s email address and password to the creator’s own email account, giving him access to all of their Gmail messages.

These users should have known better than to type their email credentials into a third party service, so sympathy levels are at a minimum. But there is a much bigger problem to consider. Gmail is the entry point into a vast array of Google office services - including Google Docs and Google Apps. Those services allow users to share documents with others. If one user’s email credential become compromised, all of those sensitive documents become available to the bad guys, too. So if a single user’s credentials become known, the business they work for is at risk.

That has led a number of experts to conclude that Google Apps can never be a real threat to Microsoft Exchange and Sharepoint. All of the sensitive business information of a company, if stored on Google’s servers, is just a password guess, or in this case what is effectively a phishing scam, away.

I’ve spoken with Google employees about this issue in the past, and they point out that Google Apps allows authentication mechanisms that require more than just a password. In the Google Apps Security Policy, they state: “Google Apps integrates with standard web SSO systems using the SAML 2.0 standard. This allows integration with custom sign-on and/or advanced authentication (SecureID). Solutions can be custom made or Google Partner supplied.”

Of course many companies won’t use SecureID for authentication, and they’ll still be at risk. Over time, hopefully, even smaller companies will require it.

In the meantime, something else about Google’s security policy caught my eye. They’ll turn over data to third parties when required to by law (including search warrants, court orders, or subpoenas.) Google says they will “attempt to notify users before turning over their data whenever possible and legally permissible.” That may not be good enough for many companies, who would choose to fight an information transfer in court before they turn it over. If it was on their own servers they would be able to do that. But Google, certainly, won’t be going to court to fight on your behalf.

Users should consider themselves luck just to be notified that the information was released. Caveat Emptor.

Comments

[Tom B]

There are legitimate site that ask for one's E-mail password-- some blog sites, for example. It is'nt always easy for the user to protect himself.