Posts Tagged ‘Gmail’


Lazy identity thieves have just got an early Christmas present – Google Dashboard

November 6, 2009

Google have launched ‘Dashboard’ to address privacy concerns.  It lets you see the data Google holds on you. The idea is that you can then manage your data and, more importantly, see exactly what Google holds.

I’m not a huge user of Google services other than the web search, and I try not to be logged in when using that.  But I do use Gmail for one-off registrations and so on, and I have tried a number of their services out of curiosity.

So it was interesting to log in and visit my dashboard.  I saw:

  • long forgotten docs,
  • emails (including spam),
  • a couple of calendar appointments from three years ago,
  • old web searches (I used to work for an agency that dealt with people worried about kids viewing porn, so there were some interesting ‘research’ searches there),
  • chat histories,
  • tasks,
  • gadgets I created,
  • contacts and more.

It was quite an education, but once the dust settled it was not particularly surprising and probably not that useful to a malicious user.

But it did strike me that if I were a more dedicated member of the Google fan club then Dashboard would hold a hell of a lot of quite sensitive information, made more so by the fact that it is displayed on a single web page.

Building a full identity on someone might be quite a laborious task, but it’s just been made a damn sight easier, so long as you have a person’s Google account credentials.  And as we know these are two-a-penny if you know where to look.

Lazy identity thieves have just got an early Christmas present.

Overall I think it’s a good move by Google and a great way to educate users on just how much of their information is out there.  But if there has ever been a good reason to immediately change your Google password to a really strong one, often, then this is it.

[Screenshot: Google Dashboard - you is here]


VeriSign Phishing Awareness Site Starts Well then Misses Point

October 14, 2009

A tweet from @Allen L. Kelly pointed me to a nice bit of phishing education from VeriSign.  www.phish-no-phish.com runs you through a challenging quiz where you are presented with two ‘identical’ screenshots and have to identify which is the phishing site.

Some of the sites were very difficult to differentiate, and I even got one wrong because I was perhaps in too much of a hurry and didn’t spot a couple of minor spelling mistakes.  This, though, would reflect real life for most people, so it was an excellent way of demonstrating just how careful you need to be.

I got about half way through and was considering posting a link to the site on the corporate intranet as an awareness exercise for staff.

Then I was hit by the sales pitch.

After the fifth question a screen appeared explaining how Extended Validation (EV) SSL triggers modern web browsers to display a green address bar when a genuine site is viewed.  Fair enough, I thought. Users should be taught about this technology as it can help them identify genuine sites.

I was invited to continue the quiz to “see how easy it is to choose the correct site. Just choose the site that displays the green address bar.”

And yes it was easy after that. No more needing to look for dodgy addresses, missing padlocks or poor spelling and grammar.  As the tips pointed out:

The green address bar is a surefire way to identify the genuine Web site.

When you see the green address bar, there’s no need to scan for typos and misspellings.

Criminals can’t fake the green address bar.

Cool! No more need to take care, just watch for the green address bar and any site that doesn’t display it must be fake! And I know I can trust any site with a green address bar because criminals can’t fake it – yet.

You’ll have to indulge me here, for while I believe technical solutions can help, I don’t believe they solve the problem.  As Mr Schneier says:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

It’s a shame the VeriSign site lets itself down on this point. I know they’re trying to sell a technology solution, but there should be a stronger emphasis on EV SSL being only part of an overall solution.  After all, it’s not going to help users who are taken to a fake site from an email link – unless of course they’ve bought into the technology so completely that they only trust sites with green address bars. This is, after all, how the final five questions in the quiz run. You just click on the sites with green address bars.

But then you’d be missing out on all the fun on Facebook, Twitter, Gmail (which uses an ordinary Thawte certificate, so you get a blue address bar rather than a green one) etc.
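To make concrete what the green bar actually tests, here is a toy model of the decision a browser of the time made before colouring the address bar. This is an added example, not code from the original post or from VeriSign. Everything in it is constructed: the issuer names, hostnames, organisation names and the CA-specific EV policy OID are made up, and the trust store is a two-entry dictionary standing in for the hard-coded list a real browser ships. The DER encoding and decoding of the CertificatePolicies extension is real, since that is where the EV marker lives in an X.509 certificate. The third certificate assumes a look-alike operator who obtained a genuine EV certificate for a differently named company, which is the case the colour alone cannot catch: the bar goes green, and only the organisation name the browser prints beside it tells the two apart.

```python
# Toy model of how a browser decides to colour the address bar, to show what the
# green bar does and does not tell the user.  Added example, not code from the
# original post or from VeriSign.  All issuer names, hostnames, organisation
# names and the EV policy OID below are constructed for illustration.

def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]   # first two arcs are combined
    out = bytearray()
    for v in subids:
        chunk = [v & 0x7F]
        v >>= 7
        while v:                                   # base-128, high bit = more follows
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):
    """Inverse of encode_oid, applied to the OID content octets."""
    subids, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(v)
            v = 0
    first = subids[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + subids[1:])

def encode_certificate_policies(oids):
    """CertificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }."""
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_certificate_policies(der):
    """Return the policy OIDs carried in a DER CertificatePolicies value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)
        otag, oid_body, _ = _read_tlv(info, 0)    # policyIdentifier comes first
        if otag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids

# Constructed trust store: a browser ships a hard-coded list of roots and, per
# root, the policy OID(s) it has agreed to treat as EV.  The OID is made up.
TRUSTED_ROOTS = {"Example Secure CA", "Example EV Root CA"}
EV_POLICY_OIDS = {"Example EV Root CA": {"1.3.6.1.4.1.99999.1.1"}}

def address_bar(cert, host):
    """Return (colour, organisation): red for an untrusted issuer or hostname
    mismatch, blue for a valid non-EV certificate, green when the leaf carries
    an EV policy OID the browser recognises for that issuer."""
    if cert["issuer"] not in TRUSTED_ROOTS or host not in cert["hosts"]:
        return "red", None
    policies = decode_certificate_policies(cert["policies_der"])
    if any(p in EV_POLICY_OIDS.get(cert["issuer"], ()) for p in policies):
        return "green", cert["organisation"]
    return "blue", None

# Three constructed certificates: the genuine bank, a look-alike with an ordinary
# certificate, and a look-alike whose operator registered a company and bought EV
# for it.  The last one also gets a green bar; only the printed name differs.
GENUINE = {"issuer": "Example EV Root CA", "hosts": {"www.examplebank.example"},
           "organisation": "Example Bank plc",
           "policies_der": encode_certificate_policies(["1.3.6.1.4.1.99999.1.1"])}
LOOKALIKE_DV = {"issuer": "Example Secure CA", "hosts": {"examplebank-login.example"},
                "organisation": None,
                "policies_der": encode_certificate_policies(["1.3.6.1.4.1.99999.2.1"])}
LOOKALIKE_EV = {"issuer": "Example EV Root CA", "hosts": {"example-bank.example"},
                "organisation": "Exmple Bank Services Ltd",
                "policies_der": encode_certificate_policies(["1.3.6.1.4.1.99999.1.1"])}

if __name__ == "__main__":
    for name, cert, host in [("genuine", GENUINE, "www.examplebank.example"),
                             ("look-alike, DV", LOOKALIKE_DV, "examplebank-login.example"),
                             ("look-alike, EV", LOOKALIKE_EV, "example-bank.example")]:
        print(f"{name:16} -> {address_bar(cert, host)}")
```

The check is a chain of trust plus a policy OID lookup; nothing in it knows which site the user set out to visit. That is why the tips in the quiz are only half right: the green bar rules out a cheap fake, but the organisation name beside it still has to be read, and a site reached from an email link with no green bar at all still needs the old checks for dodgy addresses and spelling.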
