Seriously serious, a freebie from Google

AccomNews Sunday, April 3, 2016

0 4 minutes read

If you’re like me, and a billion or so others, you use Google services like Google Docs, Gmail, and Google search every day. You’re probably also concerned about your Google security, but not so concerned that you do anything about it. Well, Google wants to make you a sweet deal to encourage to check your security settings. Google will give you an additional 2GBs of free Google Drive storage just for checking.

That’s it. There’s no catch. Just spend about two minutes double-checking your Google security settings, which you should have been doing anyway, and you get free storage. What’s not to like?

First, you’ll log into your Google account. Next, you’re asked to check on your recovery information. If you haven’t added a phone number to your Google account, it will ask you to add one.

This is not the same thing as adding Google two-step verification to your account. You should add two-factor authentication to your account for better security but Google isn’t asking you do that this time. Google just wants to make sure that if you’re locked out of your account, you can use your phone number to recover access if you’ve been hacked.

This section of the security check-up will also ask you for a secondary email account and a security hint. If you already have all the above in place, Google simply asks that you recheck that they’re still current and correct.

Next, the security check-up asks you if you recognize all the devices you’ve been using with your Google account. I found no surprises. But, if you spot a device you don’t recognise or one of your gadgets appears to be being used somewhere you’ve never been, Google provides instructions on how to double check your account’s security.

After that, Google will ask you if you want to disable access to less secure apps. Google has been pushing to make the net more secure in general. Recently, Google announced that its Chrome web browser will start marking all HTTP sites, which don’t use HTTPS encryption as unsafe.

Now, Google is giving you the option of blocking access to apps that do not support the security standards. These include:
• The Mail app on your iPhone or iPad with iOS 6 or below
• The Mail app on your Windows phone preceding the 8.1 release
• Some Desktop mail clients like Microsoft Outlook and Mozilla Thunderbird

If you’re still using such apps with Google services, you can elect to keep using them. You’d be foolish for doing so, but that’s your call.

Finally, Google asks you to review the apps, websites, and devices connected to your Google account. If you don’t recognise one or more of them, or no longer use them you can remove their access to your Google account. Typically, these are online services, such as Nextdoor.com, Pinterest, or Sandvine, where you use your Google account as your service ID.

That’s all there is to it. Once you’re done, you get 2GB of free Google storage permanently. I think for an investment of about five-minutes for 2GB of free storage, it’s worth finding the time.

And still on the security trail, Google Chrome gets ready to mark all HTTP sites as ‘bad’.

Google’s push for all websites to be HTTPS has so far been all carrot. But the company is now using its big stick: a large red cross through every website that doesn’t offer an encrypted connection.

A year after Google’s chromium security team proposed marking all HTTP sites which are non-secure, the company is preparing to implement the policy in Chrome. As the company highlighted in its proposal in 2014, HTTP sites provide no data security to users, so why don’t browsers warn users of this fact, say, by displaying a red cross over a padlock next to the URL instead of the status quo, which is no warning at all?

Google called on Apple, Microsoft, and Mozilla to reverse the situation gradually, so that one day the only unmarked sites are those that have enabled the more secure protocol, HTTPS.

With HTTPS, the connection to users is encrypted and the site’s digital certificate has been verified by a third-party certificate authority. The new marking in Chrome is designed to be the stick to the carrots Google has dangled to encourage wider adoption of HTTPS.

Google argues that properly secured connections can frustrate surveillance attacks on the web. In 2014, it began using HTTPS as a positive ranking signal and in December adjusted its indexing system to crawl for HTTPS equivalents of HTTP pages and prioritise them where they’re available.

However, until this week it hadn’t announced any progress on its proposal. At the Usenix Enigma 2016 security conference, Google offered a snapshot of the future, showing what The New York Times website would like when Google implements the feature in Chrome.

Chrome users can look at how the markings would work by typing chrome://flags/ in the URL bar and enabling the experimental feature ‘mark non-secure origins as non-secure’.

It is not clear when Google will introduce the new marking system by default in Chrome. And as the company prepares to begin marking HTTP as bad, it has also released new tools to help developers deploy HTTPS.

On Tuesday, Google announced Security Panel, a new developer tool in Chrome that will help them identify common issues preventing sites from attaining the green padlock that represents a properly secured connection.
The tool will check the validity of a digital certificate and whether the site is using a secure protocol, cipher suite, and key exchange.

It will also help pinpoint the source of mixed content issues, such as a non-secure image on an otherwise secured page, which today in Chrome will trigger a grey padlock with a yellow triangle.

Security has become a critical issue for everybody. As we have seen, smaller systems are now at risk, such as automobiles, water distribution systems and traffic light control systems, which have buffer overflows, SQL injection flaws and other coding problems that can be exploited. Attackers can infiltrate the devices and gain command and control of the infrastructure.

Make sure your operation does not become compromised.