Tag Archives: Google

If you like it, Google might put a ring on it


A recent Google Labs research paper explored ideas for alternative sign-in methods and more secure authentication techniques. As anyone who has used Gmail over the last few months will know, Google are desperate to introduce secondary forms of verifying your identity; namely submitting your mobile number so that the Mountain View-based internet giant can generate a one-time password. A current pilot study being run out of the Googleplex explores the idea of the mobile device being (rather than generating) the password: this is the ‘passdevice’.

Google are desperate to get user security right. They have a large existing user base across their search, messaging, mapping, and video services, and are firmly established as a market leader in consumer email. It isn’t just email though; your Google credentials are the same across the entirety of their platform and product range. What we are dealing with here, then, is a cross-platform online identity. With the increasing monetisation of services such as Wallet and the Play Store, there is also a direct loss impact to be felt should account security be compromised. There is a direct financial incentive, in terms of profit rather than just loss prevention, as Google tries to assure us that it is the homogeneous web ecosystem… although let’s face it, no one is believing those Google+ user figures!

Search, Gmail, YouTube, Android OS, Play Store, Zagat, Maps, Motorola, Blogger, Drive, AdWords, AdMob, Analytics. Google offer a lot of free services, and constantly push the envelope in research (Goggles), only to scrap offerings that aren’t ‘working’ (read: not easily monetised) – Google Wave anyone? So there’s no questioning the value that they bring to the digital age, and the standing they have as one of the world’s most powerful (if not necessarily trusted – “don’t be evil”) brands. Is it that unreasonable then that they might ask something in return, something beyond $10-11bn/year profit and full knowledge of your online habits?

You see, Google are thinking along the same lines as Beyoncé here: if you like their services so much then you might as well let them put a ring on it. An authentication ring. Which all sounds very nice, until you start thinking that Web 2.0 giants like Facebook and Twitter, and arch-rivals Apple, might like the idea – free advertising and the kind of brand commitment that wearing a real-world ‘device’ entails. The whole initiative would take some time to roll out too, not just in terms of manufacturing and getting rings on fingers, but also in terms of devices and platforms that can read the token. Mobile phones are refreshed every 18-24 months, meaning that side of the industry wouldn’t take too long to catch up, but what about PCs – would a reader be connected via USB, retro-fitted, or built in during manufacture? And then there’s Apple, who haven’t exactly been playing ball with supporting their Californian neighbours’ products and services – considering the market share Apple still have in Western markets like the US and UK (and remarkably in Japan), Tim Cook (Apple CEO) may be the biggest roadblock on the ring’s route to market.

In principle there are pros and cons from a security and usability perspective with ‘ring-thentication’ – to name a few… Will it be resilient? Waterproof? Easily blocked and replaced if lost or stolen? Will remote and/or security updates be possible? There are still questions to be answered, but what the research paper does do is finally try to take on the challenge of user inertia towards security and passwords. It’s so simple a solution that the user won’t have to do anything beyond making the initial decision to put the thing on.

An eye on data, governments increase Google requests for information

The internet is, without question, a vital part of most people’s existence, from people working in forensics, to those involved in ethical hacking, to cyber security professionals who keep on top of threats and/or the latest security measures against such activities.

And Google is, perhaps, the dominant player in this virtual arena, at least from a purely search point of view – the dominant search engine by a long shot. That’s putting it lightly; it is, in any case, a master in other areas, like statistical analysis (Google Analytics), social media and, relevant to this post, the art of data collection.

The American multinational corporation, which was founded by Larry Page and Sergey Brin, recently released its biannual transparency report, which it does, and I quote, to “ensure that we maximise transparency around the flow of information related to our tools and services”.

The most fascinating thing about this report is that government requests – from the UK to the US to China and all the rest – for Google to pass on data are increasing. With regards to the UK, the tech organisation reported a massive 71 per cent rise in content removal requests from the British government and its police force. The reason given for removing such information is national security: a bid to preserve information security.

A Home Office spokesman explained the government’s action as a response to online extremists or hate content, which it takes “very seriously”.

“Where unlawful content is hosted in the United Kingdom, the police have the power to seek its removal and where hosted overseas, we work closely with our international partners to effect its removal,” the spokesman said.

In response, Google said that it had fully or partially complied with 82 per cent of these requests.

It’s an intriguing insight into the ‘hidden backroom’ conversations going on all the time between Google and various governments, in what is a very sensitive area. We value information security and risk management as much as any other organisation, but we have to be careful that such actions don’t filter into unjustified censorship.

That’s why Google’s transparency report is such a good thing – it lets the world see what’s going on and what governments are doing. Accountability, transparency and, of course, maintaining high levels of information security with sensitive and private data is inherently important after all.

What are you and your organisation doing about Android security?

At the RANT Forum (Acumin’s monthly information security networking event), attendees often complain that they are playing catch-up to cybercriminals. It is the bad guys that define the market; they are at the cutting edge as they try to find vulnerabilities, attack vectors, and exploits that will allow them to break into a network. It is difficult enough for the CISO and Info Sec Manager to ensure that they are recognising and mitigating the appropriate risks, let alone trying to factor in emerging threats such as zero-days and second-guess the nature of the next generation of hack attempts.

This idea of playing catch-up in IT security also extends into new technology areas; the corporate line often requires some maturity before implementation of new products. This has not necessarily been the case with smartphones. By smartphones I refer here not to the old-school PDA-type devices we enjoyed at the turn of the millennium – my guilty pleasure on that one is here! Rather, I mean the competing trinity of iPhone, Android, and Blackberry… sorry WinMo7, you are underappreciated indeed!

There must be few technologies that have been so rapidly integrated into the corporate environment, let alone ones driven by users. Early adopters used to spend hours going blue in the face trying to explain why gadgets like the Psion Series 3 were the ‘next big thing’; with the emergence of shiny and gimmicky apps, the ‘wow factor’ of the modern smartphone has spread like wildfire (not the HTC Wildfire, which would spread slowly due to an underclocked and underspec’d CPU!).

So, when the CEO (or his/her designated errand runner) knocks on the door of the info sec team, it is a brave IT Security Manager who will cautiously lean out from behind the firewall cluster and inform them that the proper security controls haven’t been developed and implemented yet to let the boss’s new toy run riot on the network. So what do you do?

We find the information security industry, both in terms of vendors and internal security teams, looking to develop protective measures for what is essentially a pocket computer (a proper one with RAM and CPU to match the claim, as opposed to this.) With such rapid technical innovation in terms of hardware and software, it is difficult to keep abreast of emerging threats and how to counteract them.

Android probably stands as more of a challenge than the iPhone here – its users are typically more technical and are allowed greater freedom by the OS to chop and change. This means that control becomes difficult, especially with the wide number of devices and various incarnations of the operating system. The iPhone, with its proprietary nature, is an easier beast to tame. So if you’re looking to find out more about the threat landscape on Android, as well as some of the potential vulnerabilities and counter-actions you can take as both a personal and business user, take a look at the Acumin white paper on Android Security.

– Ryan Farmer

rfarmer@acumin.co.uk