Posts

Google Apps and Student Privacy

student-privacyAs you have probably heard,  there is a Federal lawsuit against Google in California that accuses Google of mining student data for commercial purposes. We have received a few questions and should expect we will have more.

Here is what we know so far.

  • Google Apps for Education remains certified as FERPA compliant. Federal regulators have not seen any issue to warrant reconsideration, revocation, or further investigation at this time.
  • Yes, Google scans all email before it reaches its inbox.  The scanning addresses several issues, including spam and virus protection, archiving, spell checking, and priority inbox, as well as automated identification of keywords.
  • Auto identification of keywords is for ad display.  Unless explicitly turned on by a school district, ads are not displayed and this functionality is disabled.  We have never turned on this service for a school, and to the best of our knowledge, no school has turned on ads themselves.
  • No humans read emails or other Google contents.  The scanning is automated, by computer algorithm.
  • Google does not sell the information it gathers — that is not how Ads work. When an advertiser selects keywords, Google’s system matches keywords from ads with keywords from users.  Advertisers do not know the identity of those who see ads.
  • The lawsuit alleges that Google could use a “profile” learned from email scanning to advertise and market to students using other Google services. Emphasis is on “could”.  While Google could do this, they do not, as to do so would invalidate Google’s FERPA compliance and would destroy the trust of thousands of schools and districts.   Also note that SaaS providers offering SIS and LMS services also have information that could be sold or used for marketing.   Like Google, these providers hold the information as confidential.
  • The judge in the case denied the request for class action status. This indicates that there is likely insufficient cause to expect a broad application of fault or liability. While we are not lawyers, appears to be an early indication regarding the merits of the case.

We will continue to monitor the case for developments and publish relevant information as it becomes available.  If you have any questions, please feel free to contact us.

A New Approach to Protection

Security Key
One of the challenges in today’s world is that malware can come from anywhere.  Traditionally, viruses and other malware travelled by disk or thumb drive.  As our desktop protections improved, malware appeared in infected files attached to emails, or spam.  Today, malware is more likely to come from a web site you visit — even legitimate sites have been hacked — than anywhere else.

Additionally, malware targets every platform.  Once thought immune to viruses, MACs face some of the same risks as PCs.  Our smartphones and tablets, running iOS and Android, are also under attack with malware built specifically for those platforms and the information they often hold and access.

The problem with protecting all devices, is that we have historically needed a solution for each platform.  For those with laptops, smartphones, and/or tablets, as many as three solutions may be needed — each with purchase and subscription costs as well as administrative time and costs.  Additionally, historical malware protection focuses on infected files and malicious code on each device … even though the web is the greatest source of danger.

Looking forward, we need a better way!

Instead of working to protect devices and data, let’s focus on protecting the users.  Let’s offer protection through a single system across all devices.  Let’s offer protection that not only looks for traditional viruses and malware, but prevents malicious code and activities from hacked web sites.  Let’s deploy a solution that works with they way our users work — on smartphones and tablets, as well as PCs and MACs.  And, let’s do this without breaking the bank.

Does such a solution exist?

YES!  And, we are launching it soon.  Fill in the form, below, for pre-launch information and pricing.

Google Apps for Education Security and Privacy

Secure Cloud
Recently, there has been much media discussion in light of litigation regarding data privacy in Google Apps for Education.  Here are the important facts about student accounts and Google Apps for Education.

First and foremost, Ads in Gmail are turned off by default for Google Apps for Education and Cumulus Global advises every school and district we work with not to change this setting at any point in time.

Gmail for consumers and Google Apps users runs on the same infrastructure, which helps Google deliver high performance, reliability and security to all users. However, Google Apps offers additional securityadministrative and archiving controls for education, business, and government customers.

Gmail scans and indexes email for multiple purposes, including spell check, virus and spam protection, features like Priority Inbox and auto-detection of calendar events, relevant search results and advertising.  This scanning is done on all incoming emails, is 100% automated and cannot be turned off.

When ads in Gmail are turned off for Google Apps for Education, automated scanning that is done in Gmail is not used to target ads to Education users, whether inside Gmail or in other Google products (e.g. YouTube, Google Search, etc.).

Google does not scan information stored in Google Drive or Docs (or Sheets, Slides, Drawings, Forms) to target ads to Apps for Education customers.

Google does not share personal information with companies, organizations or individuals outside of Google unless one of the circumstances outlined in the Google Privacy Policy applies.

The data schools and students put into Google systems is theirs, and Google believes it should stay that way. If an education department, school or university decides to no longer use Google, it easy for them to take their data away with them.

Google Apps for Education offers schools a number of additional controls and security features. These include a 99.9% uptime guarantee, 24/7 customer support, greater storage capacity and the ability for school administrators to turn certain features or services on or off. As with all our accounts, we keep our users secure by filtering out spam and looking out for viruses and malware.

If you have any questions or concerns regarding Google Apps for Education security and privacy, please contact us.  We are happy to answer questions and provide additional information.

Cloud File Sync & Sharing: Risks and Solutions (Part 3)

Secure Cloud
This blog post is the third in a series on the data risks and solutions available for file sync and sharing services.

In the first two posts in this series, we focused on some of the risks and basic concepts for file sync and sharing services.  In this post, we focus on ways to mitigate risks.

Provide Employees with an Approved File Sharing Service. As we have noted in our prior posts, if you do not provide an approved service, employees will sign up for and use one of their own.  The difference?  With an approved services, you have access to your employees’ data and clear ownership of the information.  You can also monitor and manage for adoption, usage, and (if desired) adherence to policies.

Have a Clear Policy. Let employees know that personal and company data and systems are to remain separate, and why.  Provide a list of approved file sharing and sync services, as well as a clear an concise statement which other services may not be used (i.e., all others) and why.  The policy should include consequences for violations, along with a means for approved exceptions.

Block or Blacklist Unauthorized Tools. For many organizations without decent web filtering services in place, this recommendation will be difficult to implement.

Audit Workstations for Unauthorized Use.  Beyond application monitoring, when you scan workstations for application inventories, look to see if sync service agents have been installed.

With a moderate planning effort and reasonable monitoring and enforcement efforts, businesses can take advantage of the conveniences that file sharing and sync services offer, without exposing data to unnecessary risk and loss.

 

How to Spot Phishing Emails

Secure Cloud
“Phishing” is the process through which criminals attempt to steal you from you by getting you to respond to an email that appears to be legitimate.  Here is what to look for to avoid the trap.

URL Mismatch: Hover the mouse over any URLs in the email message and see if the destination URL matches what is in the message.  If not, you have a mismatch and you won’t land where you expect.

Misleading Domain Name:  If the link has an awkward domain name that does not end in a domain you know and trust, be afraid.  Scam artists will use domains like apple.otherdomain.com, hoping you think the link is related to Apple.

Poor Spelling or Grammar:  Companies that send emails to customers proofread them for proper English.  While mistakes happen, if the message reads “we please to lower your car payment”, it is likely trash.

Asks for Personal Information:  If any message — from your bank or your best friend — is asking for personal information like account numbers, credit card numbers, or the answers to your security questions, you are being phished.  Banks and companies you deal with already have this information, there is no need to ask.

Seems Too Good to Be True:  If it seems to good to be true, it probably is.  Enough said.

You Did Not Initiate the Action:  If the email tells you won a contest that you did not enter, or is responding to a call that you did not make, hit the delete button.  Most of these scams will ask for money to pay for award fees or taxes on a prize you did not win.

Wild Threats:  Banks, and even companies trying to collect past due accounts, will not make threats with unrealistic or wild consequences if you do not respond in a certain way. Legitimate collection notices will ask for payment or for you to contact them, they will not ask for account or personal information and threaten to seize assets or contact the police if you fail to respond to the email.  Legitimate companies will also provide a means to call.

Email from The Government:  In the US, the IRS, FBI, and other agencies do not initiate communications via email, they will send you a letter (or a subpoena if it’s really serious).  Be extra suspicious if the message contains a threat or dire consequence.

Not Quite Right:  If the message does not look right — if your gut is suspicious — you are probably right.  Delete the message.

 

Microsoft Acknowledges Security Best Practice Failures


It was an easy post to miss in the run up to the Thanksgiving holiday.  On November 25, we posted the results of an Electronic Frontier Foundation (EFF) survey detailing how Microsoft fails to meet 4 out of 5 security best practices for its cloud service data centers and its customers’ data (Google and Dropbox were the only vendors surveyed that meet all 5 criteria).

This week, Microsoft acknowledged that not all customer data is encrypted in their data centers — at rest, or in transit within and between data centers.  In a ZDNet article dated December 5th, Chris Dunkett reports that Microsoft will not fully protect stored user data until the end 2014.

The article also quotes Brad Smith, Microsoft general counsel and executive vice president, legal and corporate affairs, stating that Microsoft will work “…with other companies across the industry to ensure that data traveling between services — from one email provider to another, for instance — is protected.”  Microsoft is acknowledging that they currently do not run STARTTLS services, and industry security best practice.

While Microsoft is actively positions itself as the “enterprise knowledgeable” competitor to a “consumer-centric” Google, pointing out how Microsoft runs its own large data centers. Once again, however, Microsoft fails to realize that the methods and practices used to run their own data centers do not translate to multi-tenant data centers hosting customer data.

 

Why Security is About Humans, Not Technology


This warning and advice was posted this week by our local police department.  While this scam is targeting people at home, this type of scam could easily impact employees with laptops and could target workers at the office.  The scam depends on anticipated human behaviors; education and training of your team is the best defense.

The Westborough Police Department has received complaints by residents who received calls from someone claiming to be with Microsoft tech support and that the company detected a virus on the victim’s computer. The caller indicated he could help the resident remove the virus if he was allowed remote access to the computer. To ensure that no one falls prey to this scam, we would like to provide the following information from the Center for Internet Security at www.CISecurity.org.

The Threat: An individual, claiming to work for a well-known software, technology, or research company cold calls victims at random in an attempt to convince them that their computer is at risk of attack or infected with viruses, and that only the caller can remediate the problem. Victims who comply with the caller’s requests are highly likely to compromise their computer systems, as well as experience monetary loss. Victims may receive the calls at work or home, and on mobile telephones or landlines.

While there are variations of the scam, most follow a similar script.

  • Introduction: A caller claims to work on behalf of a well-known software, technology, or research company and informs the victim that their computer is sending out error messages, attacking another computer, or exhibiting behaviors indicative of viruses. The caller claims that only they can repair the problem for the victim or that the problem can be fixed with a software upgrade.
  • Gaining Trust: The caller will attempt to gain the victim’s trust. The caller may do so by instructing the victim to access the Windows Event Viewer, which displays standard messages about the computer’s operations, including general warning and error messages that are normal for the computer. The caller states these warnings and error messages are proof of malicious activity. The caller may use technical terms to confuse the victim or gain credibility. Callers are often forceful and attempt to create a sense of fear or urgency.
  • “Fixing” the Problem: The caller will offer to fix the problem by installing an update, or requesting remote access to the victim’s computer. The “updates” and remote access programs are actually malware.
  • Charging for Services: The caller may request the victim’s credit card information, or direct the victim to a website to enter their credit card number and personal information, in order to charge the victim for services rendered or for the software package provided.

In most cases, the main motive for conducting this scam is monetary gain, which could be achieved through two possible means:

  • Financial fraud: The caller may request monetary reimbursement for services rendered or for the software installation. If the victim provides credit card or financial information, the caller can charge the incorrect amount or make additional unauthorized charges.
  • Malware: It is highly likely malware will be installed if the victim provides the caller with remote access to the computer or installs unknown programs. Malware can be used to collect sensitive information such as usernames and passwords, which could lead to compromised financial institution accounts or additional malware being installed.

Individuals receiving a call that matches the description of any of these tech support scam calls, or those who previously participated in a similar call, should be aware of several security guidelines.

If you receive a call:

  • Do not rely on caller identification (Caller ID) to authenticate a caller. Criminals can spoof phone numbers so they appear to be coming from another location or entity.
  • Never provide passwords or bank account information over the phone; legitimate organizations will never call and ask for a password.
  • Be aware that software updates do not require the computer monitor to be off; legitimate organizations will never request the computer monitor be turned off during an update and will not call home users to notify them about an update.

If you receive an unsolicited phone call from a technology company, hang up and report the incident to either your local police department and/or Information Technology (IT) team.

If you previously received a call:

  • If you provided password information, change the password for that account. Never use the same password for multiple accounts.
  • Use a credible antivirus program, and enable automatic installation of software patches. If malware may have been downloaded, run an anti-virus scan on the computer.
  • If you provided credit card information and the caller charged the account, call the credit card provider and request to reverse those charges. Check financial statements for other unauthorized charges.

Courtesy of the Grafton, MA and Westborough, MA Police Departments

Cloud File Sync & Sharing: Risks and Solutions (Part 2)

Secure Cloud This blog post is the second in a series on the data risks and solutions available for file sync and sharing services.

Your employees are using file sharing services. Ignoring reality or denying its existence will not change the fact that today’s tech users want to easily share files, and that they will circumvent IT if needed.

Understand the Technology.  Many organizations are using file sync services to share and backup files.  A poor understanding of how file sync services, however, can result in data corruption and loss.

Sync Basics. Most sync services keep a copy of your files on your local machine and in cloud storage, with synchronization happening for files saved in specific directories on your local machine.  In other words, you open and work on files locally.  When you save them in a sync folder (or folder tree), the file will be synchronized with the version in the cloud.  Files may also be used and saved using more traditional upload and download techniques. If you share a file with another person, they will download, or sync, a copy of the file to their local desktop.  This means that if you both are editing a document at the same time, you are both working locally on different copies of the file.  While some sync services offer basic file locking, most will allow the conflict to occur.  Data may be easily lost as each person syncs and overwrites the changes of the other. Better sync services offer multiple level or permissions, allowing you to restrict access to view versus edit.  Some services will also prevent downloading and printing.

Sync versus Backup. File sync is NOT backup.  If you overwrite or delete a file, those changes are synced to the server and to other users.  While some sync services offer version control with a limited ability to retrieve prior versions, most sync services quickly propagate errors and deletions. As such, sync is not a reliable technology for data restores.

When to Sync? Sync and sharing services can be part of a robust business continuity strategy. With near-real time updates, a local or remote service outage does not mean loss of access to files, or loss of operating data. Sync and sharing services are also useful for sharing files with outside parties, provided your users understand the limitations of the service. If you allow the use of sync and share services, however, make sure your team is using a company-owned and managed account and a business grade service.  We will discuss why this is so critical in our next installment.

Previous Post in the Series

Cloud File Sync & Sharing: Risks and Solutions (Part 1)

Secure Cloud
This blog post is the first in a series on the data risks and solutions available for file sync and sharing services.

Your employees are using file sharing services. Ignoring reality or denying its existence will not change the fact that today’s tech users want to easily share files, and that they will circumvent IT if needed.

Failing to provide a secure, reliable service, puts your data — and your business — at risk.

Case Study 1: Inside Sales Disappear

An inside sales representative at a B2B industrial supply company was signing on new customers.  While the contract were all boilerplate, the rep use a personal Dropbox account to share them with customers for signature and to store them once signed.  After failing to be promoted, the rep quit the firm.  The company had no copies and no access to dozens of customer agreements.

Case Study 2: Order Management Gone Wrong

A customer service rep was using a personal file sharing service to send/receive credit card authorization forms with customers and, unintentionally, his family.  The company became aware of the problem (and PCI violation) when a customer called to inquire about an attempted electronics purchase the day after they had provided the form.  The rep’s teenage son had attempted to make an online purchase with “credit card number in Dad’s account.”

Case Study 3: No Backup = No Restore

A CEO recently contacted his IT department, asking that  they restore several critical files needed for a business meeting the next day, as he could no longer find them.  After searching several iterations of backups and audit logs, they informed the CEO that the IT team could not find any indication that the files had ever existed. The CEO had created the documents locally on his PC, then placed them in a personal file sharing service so that he could access them while traveling.  Without any protection, restoring the deleted files was impossible.

While these examples may seem extreme, if your employees are using personal, unsecured file sharing services, they may already be happening to you.

Back in September, we posted about the increasing problem of rogue cloud services.  Over the course of this series, we will look specifically at cloud-based file sharing services, their risks, and solutions that protect your data, your reputation, and your business.

Google Meets Security Best-Practices; Most Cloud Providers Fail

Recently, the Electronic Frontier Foundation (EFF) released a survey of how well common cloud providers meet the EFF’s 5 security best practices.

Google Apps and Dropbox are the only two vendors to meet all five standards.  Microsoft, most notably, fails to meet or confirm four of the five standards, as follows.

Encrypt Websites with HTTPS

Both Microsoft and Google support the use of HTTPS to encrypt data between the user’s computer and the web site/service.  As a best practice, Cumulus Global forces HTTPS for all Google services.

Enable HTTP Strict Transport Security (HSTS)

HSTS uses secure communications to prevent certain attacks if a network pretends that the site visited has asked to communicate insecurely.  Google enables HSTS; Microsoft does not.

Encrypt Data Center Links

To prevent somebody with physical access from attacking, this practice encrypts data between a company’s own cloud servers and their data centers.  Google follows this practice; Microsoft does not.

Implement STARTTLS for Email Transfer

STARTTLS encrypts communications between email servers when both servers support the service.  Google uses STARTTTLS and provides users with the ability to utilized Policy-based TLS as well.  Microsoft’s Outlook.com service is non-compliant with this best practice.

Use Forward Secrecy for Encryption Keys

This best practice ensures that should a hacker gain access to a provider’s secret key, they cannot read previously encrypted communications.  Google follows this best practice; EFF was unable to confirm that Microsoft is compliant.

For more information, see the full Gizmodo article here.