
Scammers Taking Advantage of Google

Some 500 million people use Gmail and Google Drive. I’m one of them.

Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they’re also ideal tools for hacking into your computing device.

Bad guys on the cutting edge have discovered this. And their success so far indicates that attacks manipulating Google’s productivity platform, and similarly exploiting other popular cloud-based business tools, are destined to progress.

This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.

Intelligence about the latest iteration of hacking comes courtesy of security startup Elastica.

Flying under the radar

Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading corrupted PowerPoint presentations stored on Google Drive. Scammers were thus able to slip the malicious PowerPoint file past malware detection filters.


Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled that was hosted on Google’s own servers. Because the bad guys’ website was hosted on Google servers, it was deemed trustworthy, making it easier for them to trick visitors into divulging account logons.

Any hacker can tell you that once you get someone to download a corrupted file, or get them to navigate to a website you control, the rest is comparatively easy. At that point, the target is a half-step away from being owned.

Keys to the (data) kingdom

“In the cloud environment, the username and password become all-powerful; almost all these applications use some sort of username and password as a way to get in,” says Eric Andrews, Elastica’s marketing vice president. “Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody’s username and password.”

These fresh hacking opportunities are being presented not just by Google but by each and every one of the most popular cloud-based email, productivity, file-sharing and customer-relationship tools.

“Office365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility,” Andrews says. “But there is this kind of lurking concern. You don’t really know if your company’s data is safe. You don’t know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions.”

Gmail more widely used

In abusing Google’s services, cyber criminals are taking advantage of the fact that Gmail has become a de-facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.

No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer, or even an administrative message from Google. A trust exists. And this creates a perfect environment for spoofing.

Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.

In a case recently dissected by Elastica, the bad guys sent phishing emails out to victims who they guessed would have an interest in controversies surrounding Tibet’s Dalai Lama. The enticement: click a link to a corrupted PowerPoint presentation hosted on Google Drive.

Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:

“There are no attachments in the email. Basically, it’s just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won’t be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system.”

Gmail and Google Drive are powerful, flexible, reliable, easy-to-use and free. Yet, it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply adapting infection techniques that proved highly effective in the desktop environment to the new opportunities presenting themselves in the cloud environment.

These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted. And as long as the trust remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engineering trickery remains easier than it really ought to be.

“Attackers don’t have to invest too much time or money in gaining credentials or compromising servers to attack people,” Sood says. “They simply create one Gmail account and then, basically, abuse the Google publishing functionality.”
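The pattern Elastica describes above, a throwaway Gmail sender plus a direct link to a document hosted on Google Drive rather than an attachment, is something a mail gateway can score before anyone clicks. The Python below is an added example, not code from Elastica or from this post: it parses raw messages with the standard library, looks for the two signals (free-webmail sender, cloud-hosted file download link), and holds a message for review only when both are present, since either alone is routine in legitimate mail. The domain lists, the two sample messages and the placeholder file ids are constructed for the example.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Free webmail domains the post describes as throwaway sender accounts.
FREE_WEBMAIL = {"gmail.com", "googlemail.com"}

# Cloud hosting domains whose reputation lends unearned trust to a link
# (constructed list for the example; extend it to what your tenant uses).
CLOUD_HOSTS = {
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Docs",
    "sites.google.com": "Google Sites",
    "dropbox.com": "Dropbox",
}

# Document types the described lure delivers through a shared link.
RISKY_EXTENSIONS = (".ppt", ".pptx", ".pps", ".ppsx", ".zip", ".exe")

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")

def sender_domain(msg):
    """Lower-cased domain of the From: address ('' when there is none)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def extract_urls(msg):
    """Every http(s) URL found in the text and HTML parts of a message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls

def cloud_host(url):
    """The CLOUD_HOSTS entry a URL belongs to, or None."""
    host = (urlparse(url).hostname or "").lower()
    for known in CLOUD_HOSTS:
        if host == known or host.endswith("." + known):
            return known
    return None

def looks_like_file_delivery(url):
    """True when a cloud link points straight at a downloadable document."""
    parsed = urlparse(url)
    if parsed.path.lower().endswith(RISKY_EXTENSIONS):
        return True
    # Google Drive's direct-download form: /uc?export=download&id=<file id>
    return parse_qs(parsed.query).get("export") == ["download"]

def triage(raw_message):
    """Score one raw RFC 822 message: returns (verdict, findings)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    free_sender = sender_domain(msg) in FREE_WEBMAIL
    if free_sender:
        findings.append(f"sender on free webmail: {sender_domain(msg)}")
    delivers_file = False
    for url in extract_urls(msg):
        known = cloud_host(url)
        if known is None:
            continue
        if looks_like_file_delivery(url):
            delivers_file = True
            findings.append(f"{CLOUD_HOSTS[known]} link delivers a file: {url}")
        else:
            findings.append(f"link hosted on {CLOUD_HOSTS[known]}: {url}")
    # A Gmail sender and a Drive link are each routine in legitimate mail (the
    # post calls Gmail a de-facto backup mailbox), so only the combination of a
    # free-webmail sender and a cloud-hosted file download earns a hold.
    if free_sender and delivers_file:
        return "hold-for-review", findings
    return ("annotate" if findings else "pass"), findings

# Constructed sample messages modelled on the lure the post describes.
LURE = """\
From: "Tibet Watch" <tibet.watch.news@gmail.com>
To: analyst@example.org
Subject: Presentation on the Dalai Lama controversy
Content-Type: text/plain; charset="utf-8"

The slides are here: https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID
"""

INTERNAL = """\
From: Jane Colleague <jane@example.org>
To: analyst@example.org
Subject: Q3 notes
Content-Type: text/plain; charset="utf-8"

Draft is in the shared folder: https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/edit
"""
```

Run `triage(LURE)` and `triage(INTERNAL)`: the sample lure comes back as `hold-for-review` with both findings listed, while the colleague's Docs link is only annotated. Keeping the two signals separate, and acting only on their combination, is what stops the rule from blocking the everyday Gmail-to-Drive traffic the post says is now normal.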

8 Steps to Beat All 8 CPCU Exams

Now that we got you excited based on earlier articles such as this one, and you’re ready to start CPCU today, here’s some guidance on how to actually get it done and survive the tests. This article is lovingly dedicated to “those poor souls studying for the CPCU designation.”

Please keep in mind that doing CPCU is very much like trying to eat an elephant; there’s only one way to do it, one bite at a time.

I asked my friend and all-around Wonder Woman, Carly Burnham, to share the strategies she used in completing the designation. I met Carly in 2011 when she was at a turning point in her career. She felt stuck in her position as a call center sales agent and wasn’t sure of the next step. She wasn’t even sure whether insurance was an industry she could make a career in. She had an interest in underwriting but had no idea how to get there. We met through the Gen Y Associate Resource Group at Nationwide Insurance.


I could clearly see she was bright and hard-working and was looking for a challenge, so I asked her if she had heard about the CPCU. Over coffee, I told her all about why CPCU is awesome and convinced her to go for it. To make things even more interesting, I challenged her to do it in a year, while working full time and finishing a part-time MBA program. To my surprise, she took me up on it. Even more impressively, she met the goal and finished all eight tests in just short of 12 months.

When I talked to Carly about this article, she shared the following thought with me, “The CPCU is usually done as a self-study program, and if you haven’t tackled online courses or some other self study program, it can be challenging to know where to start. I was lucky to have your mentorship, and, looking back, I’d say these eight strategies were really what helped me meet the audacious goal that we set.”

  1. Set Your Own Timetable

Decide up front when you are going to finish your CPCU. If you don’t choose an end date, you could stretch the entire process out for YEARS. On average, people take at least two years to finish, but many insurance professionals have been working on their CPCU for longer than that. Decide when you want to be done and commit to the deadline. If you are trying to finish to advance your career, focus on finishing before you begin to apply for new roles. If you want to finish in time to attend the annual meeting in a certain city, set your end date as the last month that you can qualify for that meeting. Having an end date and an understanding of your motivation will help you push through challenges along the way.


  2. Find an Accountability Partner

Your accountability partner may be a current CPCU or someone who is also pursuing the designation. He or she should be someone with whom you can share the reason for your pursuit of the CPCU. If he or she understands your motivation, it will be easier to push you to stay the course and finish by your goal date.


  3. Create a Spreadsheet on Google Drive to Share With Your Accountability Partner

On this spreadsheet, you will want to map out the dates that you will take each exam to achieve your goal date. Once you have mapped out exam dates, you can work backward using the chapter summaries at theinstitutes.org to identify when you will read each chapter of the text for the exam and when you will take your practice exams.

  4. Devote Certain Hours of Your Day to Studying

When studying, consistency is key. If you focus best at the beginning of the day, set aside an hour or two in the morning and commit to showing up the same place each day to read the chapters that you laid out in your spreadsheet for this day. Choose the time that works best for you, but aim to make it a routine, so that you don’t have to decide every day that you are going to stay at the office an extra hour or go to the coffee shop before work starts. If it’s part of your daily rituals, you won’t have to use willpower to get your studying done.

  5. Read the Entire Book

First, read The Institutes’ guide to preparing for their exams. As they mentioned, there is no single way to prepare. But I found that reading the entire book first helped me establish a base level of knowledge. Next, I would take a practice exam, as a sort of pre-test. The practice exam would let me know which chapters I was weak on. With this information, I could pinpoint the best way to spend my time. If I needed to, I could re-read chapters and test on those individual chapters until I felt comfortable moving on to the next chapter.

  6. Use the Mobile App

The Institutes have created a mobile app called Smart QuizMe for Apple and Android phones. Using this in any spare time you have will also help you feel confident with the information and the style of questions on the practice exams. You can set the app to run through certain chapters or the whole book depending on what you want to focus on. Because it’s on your phone, you can use it even if you only have five or 10 free minutes. The questions on the app tend to be clustered, so question 100, 101, 102 and 103 might be the same question with only one word changed. This really teaches you how changing a small part of a question can result in a different answer. The app is particularly helpful for the most detail-oriented tests, especially 520. One word of warning: Don’t depend entirely on the app without doing the online practice exams; you could easily fool yourself into thinking you’re ready when there are significant parts you haven’t yet mastered.


  7. Pass the Practice Exams a Few Times

Leave at least four and preferably a full seven days before the real test to take the online practice exams. Passing the exams will give you the confidence you need to take the exam without feeling rushed or unsure of your answers. The practice exams are very similar to, and sometimes harder than, the actual exams. You will also have the opportunity to research any questions you missed and make sure you understand the concept before test day. Nothing beats going into the real test feeling confident, and nothing gets you more confident than the online practice exams. The practice exams are the key to the kingdom!

  8. Get the Proper Support

Make sure your family, close friends and other support systems fully understand that the CPCU is a BIG DEAL and that you will require lots of support while you get through it. Make sure they know this isn’t just another license or minor designation but a serious commitment that only 4% of people in our industry have gotten through.

To help my family understand, I explained that I was pursuing something akin to a master’s degree in insurance, and I was doing it in a year, while working 40 hours a week — most people outside the industry will need the designation explained in a similar way to fully understand the commitment you’ve made. Also, join the CPCU Candidates Facebook Group; they’ll provide you with tons of encouragement and answer your questions. Most importantly, you won’t feel like you’re the only person in the world putting yourself through the challenge of CPCU.

One Bonus Tip:

Know ahead of time that 540 – Finance and Accounting for Insurance Professionals is a special beast of a test (see artist’s rendering below). To ensure proper preparation for this one, allow yourself 50% more time than usual; so if you have given yourself two months for 500, 520 and 530, give yourself three months for 540. Buy a financial calculator (preferably the Texas Instruments BA-II Plus) and learn how to use it. The book won’t teach you how to use it, so you have to get help from someone who knows how to use it – if you have a hard time finding someone, there are decent tutorials on YouTube or at Atomic Learning. Use the calculator for all the practice tests, and then don’t forget to bring it on exam day!

I am passionate about spreading the word about the CPCU, and I was glad to have met Carly at that turning point in her career. Her commitment has paid off, and she has recently become a commercial lines underwriter at Erie Insurance; she’s loving the new job, and she’s fully committed to the industry. She credits her designation with helping her get the interview but says it goes even further than that: “The knowledge that I gained in earning my CPCU gave me the confidence to pursue a true career in the industry, and I now use the knowledge every day in my role as an underwriter. This designation gives you a broad understanding of the industry, but it also gives you practical, technical information that is essential to being a successful insurance professional.”

If you’ve had similar experiences, share them in the comments. If you have questions about the pursuit of your CPCU, message me. There are really no excuses left. Let’s get going and get your CPCU. You will never regret it.

Good job making it to the end of our longest post yet; as a reward, here is another image for the awesome metaphor of eating an elephant one bite at a time.


3 Ways to Protect Sensitive Messages

“Delete this email if you are not the intended recipient.”

That and similar language theoretically sounds imposing but essentially does nothing to protect sensitive data from any nefarious actors who view it (though they may get a good chuckle before reading the email).

Yet almost 90% of attorneys surveyed by LexisNexis for a study it published in May 2014 on law firm security acknowledged using email to communicate with clients and privileged third parties. The vast majority of attorneys surveyed also acknowledged the increasingly important role of various file sharing services and the inherent risk that someone other than a client or privileged third party could gain access to shared documents. Yet only 22% use encrypted email, and 13% use secure file sharing sites, while 77% of firms rely on the effectively worthless “confidentiality statements” within the body of emails.

Technology Basics

To explain the right approach, I need to start with some technology basics.

How does email actually work?

By its nature, email is not a terribly secure way to share information. When you send an email, it goes through a powerful, centralized computer called a server on its way to a corresponding email server associated with the recipient’s computer or mobile device. The email passes through any number of servers along the way, like a flat stone skipping across a pond. If that email isn’t encrypted, anyone with access to any one of those servers can read it.

What is encryption?

Encryption is the use of an algorithm to scramble normal data into an indecipherable mishmash of letters, numbers and symbols (referred to as “ciphertext”). An encryption key (essentially a long string of characters) is used to scramble the text, pictures, videos, etc. into the ciphertext. Depending on how the encryption is set up, either the same key (symmetrical encryption) or a different key (asymmetrical encryption) is used to decrypt the data back into its original state (called “plaintext”). Under most privacy and data breach notification laws, encrypted data is considered secure and typically doesn’t have to be reported as a data breach if it’s lost or stolen (so long as the decryption key isn’t taken, as well).

Three Methods to Secure Email

1) Encrypted email. Properly encrypted email messages should be converted to ciphertext before leaving the sender’s computer or mobile device and stay encrypted until they are delivered to the recipient (remaining indecipherable as they pass through each server along the way). This approach is referred to as end-to-end encryption.

Until fairly recently, email encryption has been a somewhat technical and cumbersome process, often requiring both sender and recipient to use matching encryption programs and carefully manage their own encryption keys. Now, there are plenty of encrypted email offerings from larger commercial companies, as well as a number of new and interesting email encryption services that have become available in the wake of disclosures made by Edward Snowden.

When choosing one, be mindful of where the service you use is located (including where the servers handling the emails on the system actually are). Snowden used a well-regarded U.S.-based encrypted email provider called Lavabit. Not long after Snowden’s revelations came to light, federal law enforcement forced Lavabit to secretly turn over the encryption keys safeguarding its users’ private communications. Lavabit’s founder tried to resist but was overwhelmed in federal court. As a result, he shut down the service. Another well-regarded service called Silent Mail followed suit shortly thereafter as it felt it could no longer ensure its customers’ privacy. Both have since relocated to Switzerland and are planning to introduce a new encrypted email service called Dark Mail.

Larger companies offering encrypted email services typically control the encryption keys and will decrypt data before turning it over in response to a warrant or subpoena (including one coupled with a gag order). In addition, email service providers can legally read any email using their systems under Title II of the Electronic Communications Privacy Act, referred to as the Stored Communications Act. Moreover, emails remaining on a third-party server for more than 180 days are considered abandoned. Any American law enforcement agency can gain access to them with a simple subpoena.

Accordingly, if you choose to use a service based in the U.S. or another jurisdiction with similar privacy protections, be mindful of who controls the encryption keys.

2) Secure cloud storage. Another way to securely communicate or share files with a client or privileged third party is to place communication and files in encrypted cloud storage and allow the client or third party to have password-protected access to them. Rather than a direct email with possible attachments, the client or third party would receive a link to the securely stored data. The cloud service you select should be designed for security. Before you ask: Dropbox and Google Drive would not be suitable options. There are a number of services offering well-protected cloud storage, and it’s important to do your due diligence before selecting one. If it all seems a bit much to figure out, two services I would recommend looking into are Cubby and Porticor.

3) Secure Web portal. A third approach is to place communications and files in a secure portion of your firm’s network that selected clients and privileged third parties can access. As with the secure cloud storage option, the email sent to the client or third party would have a link back to the secure Web portal’s log-in page. An advantage to this approach is that the communications and files do not actually leave your computer network and should be easier to protect.
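To make the definitions above concrete (symmetric encryption with a shared key, a message that stays ciphertext through every relay versus one each server can read, and the question of who holds the key), here is an added Python example that is not part of the original post. It builds a small authenticated symmetric cipher from the standard library’s HMAC-SHA256, then models the “skipping stone” delivery path: hop-by-hop protection leaves a readable copy on every server, end-to-end encryption leaves only ciphertext the relays cannot open, and a provider that controls the key can read it regardless. The server names, the message text and the key handling are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Symmetric encryption from the standard library: HMAC-SHA256 in counter mode
# supplies the keystream and a second HMAC authenticates nonce + ciphertext
# (encrypt-then-MAC). Chosen so the example runs offline; production mail
# systems use a vetted AEAD such as AES-GCM instead.

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag for a bytes plaintext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key, blob):
    """Inverse of encrypt(); raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))

# The delivery path: every server on the way keeps a copy of what it handled,
# which is what an insider, an intruder or a subpoena would obtain.
class MailServer:
    def __init__(self, name):
        self.name = name
        self.link_key = secrets.token_bytes(32)   # stand-in for this hop's TLS key
        self.stored = []                          # ("plaintext" | "ciphertext", bytes)

def send_hop_by_hop(message, servers):
    """Transport-only protection: each hop decrypts, stores, re-encrypts."""
    plaintext = message.encode()
    for server in servers:
        on_the_wire = encrypt(server.link_key, plaintext)   # safe in transit...
        plaintext = decrypt(server.link_key, on_the_wire)   # ...readable on arrival
        server.stored.append(("plaintext", plaintext))
    return plaintext.decode()

def send_end_to_end(message, shared_key, servers):
    """End-to-end: ciphertext under a key only sender and recipient hold."""
    blob = encrypt(shared_key, message.encode())
    for server in servers:
        server.stored.append(("ciphertext", blob))          # all a relay ever sees
    return decrypt(shared_key, blob).decode()

def what_server_can_read(server, keys_it_holds):
    """Messages recoverable from a server's store with the keys it has."""
    readable = []
    for kind, data in server.stored:
        if kind == "plaintext":
            readable.append(data.decode())
            continue
        for key in keys_it_holds:
            try:
                readable.append(decrypt(key, data).decode())
                break
            except ValueError:
                continue
    return readable

def demo(note="Privileged: settlement range is 200k-250k."):
    """What the transit relay can read under each delivery model."""
    servers = [MailServer("sender-smtp"), MailServer("transit-relay"),
               MailServer("recipient-imap")]
    relay = servers[1]
    send_hop_by_hop(note, servers)
    hop_view = what_server_can_read(relay, [])                 # plaintext, no key needed
    relay.stored.clear()
    shared = secrets.token_bytes(32)                           # held by the two parties only
    send_end_to_end(note, shared, servers)
    e2e_view = what_server_can_read(relay, [relay.link_key])   # its own key is useless
    provider_view = what_server_can_read(relay, [shared])      # a provider holding the key
    return hop_view, e2e_view, provider_view

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the note for the hop-by-hop path, an empty list for the end-to-end path, and the note again once the relay is handed the shared key. That last case is the point about providers that hold customers’ keys: the ciphertext is exactly as strong as before, but the party that can be compelled to decrypt is no longer only the sender and recipient.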

An additional consideration: A government snoop or competent hacker doesn’t necessarily have to target a message while it’s encrypted. A message that is protected by strong encryption when it’s sent or held in secure cloud storage can still be intercepted and read once it has been opened or accessed using a mobile device or computer that has been compromised. The same holds true for intercepting a message before it’s encrypted initially. What steps can you take to protect yourself? The software on any computer or other device that can potentially access confidential data should be kept as up-to-date as possible. Devices should be protected against possible data loss if they are lost or stolen. And all firm personnel should have regular security awareness training with respect to social engineering and other threats.

At the end of the day, there is no single silver bullet to provide perfect security. But there are genuinely helpful steps that you can take to better protect your electronic communications and keep your sensitive data confidential.