I’m not saying that email is taking a bad rap these days, but there are many people out there who believe that email’s days as the reigning king of workplace communication are numbered.

With more companies opening up the doors to social media communication, text messaging and instant messaging, email is no longer the only method used to send electronic messages out to co-workers and customers. Continue reading Making Email Pleasant Again

For personal email, I use Gmail. Sure, I run an Exchange server at home, but my ISP is not exactly providing an SLA for business class connectivity on my home account, and I’ve had that Gmail address since the days of the early invite only mode, so there’s a lot of things connected to it. It was while I was checking out the notice of upcoming improvements to their advertising model that I stumbled across something called the Gmail Security Checklist.

This checklist sets 5 steps, with a percentage progress bar, and walks the user through tasks they should take to help secure access to their email. With more and more services using email as the way to communicate information, including statements and password resets, having your email secured is a critical, but for the layperson, daunting task. Gmail makes this as simple as possible, presenting checkboxes to mark tasks complete, links to relevant pages with more information, and using language that a non-technical user can understand and providing guidance along the way. I only wish they put it at the front of the Gmail login page, and then as a banner at the top of the Gmail interface, for it was not something most would stumble upon.

Continue reading 5 Points to the Gmail Security Checklist

A flawed storage software update over at Google triggered an unexpected bug over the weekend.  This resulted in data corruption that affected tens of thousands of Gmail accounts, with some users missing old messages or finding their account emptied of all emails, while others have been left unable to log into their mailboxes.

Google was quick to point out that affected users account for a mere 0.02% of its user base even as it launched into the task of restoring affected accounts. At the time of writing this article however, the problems with Gmail have been persisting for some users into the fourth day with no definite timeframe for a final resolution.

Confident of its cloud architecture and sophisticated software systems, Google has recent modified its SLA (Service Level Agreement) to remove provision for planned downtime.  Beyond being an obvious slap in the face for one of the largest email providers in the world, what are some lessons that email administrators can learn from this debacle?

Continue reading The Big Gmail Crash and the Lesson for Email Administrators

Google two weeks ago announced that it has changed its SLA (Service Level Agreement) for paid versions of its Google Apps suite of products, removing provisions for planned downtime.  The goal, says Google Enterprise product management director Matt Glotzbach, is to deliver service that’s as reliable as telephone dial tone.

Understandably some observers see this as a war of “nines,” since the move pits the strengths of its cloud-based architecture against conventional on-premise deployments.  Detractors might also argue that Google hasn’t always been completely honest where its definition of uptime is concerned, since outages lasting below 10 minutes were simply ignored in the past.  Of course, the recent changes in Google’ SLA now counts intermittent downtime towards the total used to determine the credit customers are entitled to.

Regardless, email administrators are probably left a little worried, understandable since Google’s self-sufficient Gmail email service is part of Google Apps, and which relegates the administrator to simple tasks such as creating user accounts and assigning passwords.  While I’ve previously written about Some Reasons for an On-Premise Deployment of Exchange Server, I wanted to specifically write about why Microsoft Exchange is unlikely to go away anytime soon.

Continue reading Why Email Administrators need not worry about Google’s new SLA

The BBC reported today that Google is the latest in several cloud-based email systems that have been subject to a widespread phishing attack. The British news agency reported seeing two lists with over 30,000 names and passwords, which have been posted online. Google has since discovered a third list.

The cracked email passwords aren’t just from Google’s popular Gmail system though, the list also includes names of Microsoft Hotmail users, along with Yahoo, AOL, and other providers.  The first reports of the scam appeared when Pastebin, a legitimate web site used by programmers to share code, was used to post 10,000 Hotmail addresses.

Are there even more lists out there? Probably. The Neowin blog first reported the hack on Hotmail accounts, noting on October 1 that the lists detail 10,000 accounts with email addresses starting with “A” and “B”. Although only three lists have been detected so far, the alphabetical nature of the lists would imply that there are more floating around to account for the rest of the alphabet.

Bloggers, commentators and security folks are recommending that if you use Hotmail or Gmail, that you change your password immediately. Even better—stop using Hotmail or Gmail and stay away from free cloud-based email services altogether.

For their part, Google issued a forced password reset to all affected accounts, and Microsoft indicated that they too are taking steps to help customers regain control of their accounts.

Email operations and email archiving needs to have safe and secure protocols in place, especially if the corporation is under the purview of a privacy-related piece of legislation, such as HIPAA or Sarbanes-Oxley. Generally, the best way to ensure that those privacy protocols are put in place is to avoid cloud-based email and storage services.

Google continues to try to get a seat at the enterprise with Gmail, and this week, some of the industry’s heavy-hitters took Google to the task over the issue. An open letter to Google’s CEO Eric Schmidt says the company is putting users at risk unnecessarily, and that encryption should be enabled by default on their web-based apps, including Gmail.

Currently, SSL is used only during login, after which, all browsing is unencrypted, unless the user takes an active step to return to the https protocol. Unless that step is taken, which most users will not do, the user is vulnerable to attack and theft. In most cases then, Gmail is run in the clear–which is completely unsuitable for corporate use.

Google released a synchronization tool this week that allows Microsoft Outlook to front-end Gmail. The synchronization tool, which is available to users of Google Apps Premier, lets users keep their Outlook client and retain the familiar interface, while still using Gmail on the back end, and opening up the possibility of scrapping Exchange altogether. Cool piece of technology? Definitely. Good idea for the enterprise? That’s the million-dollar question, and the answer isn’t quite so clear.

On the surface, it seems like a useful piece of technology, but for corporate email, it may not be conducive to a secure environment. I’ve often noted that cloud-based email, especially the free varieties, are inherently insecure, and make it far too easy to bypass corporate email security policies. Deploying a tool to blend Outlook/Exchange and Gmail would tend to legitimize use of free public webmail systems in a corporate environment, at least in the eyes of users.

Google is of course, trying to take market share away from Microsoft and position the Apps Sync as a game-changer. However, security concerns and compliance issues will keep a lot of enterprises from going the Google route, if for no other reason, than to maintain control over where the emails and attachments are archived. Store and archive email in the cloud? Still not good enough–and compliance and privacy issues relating to cloud email storage are enormous.

Bottom line, Gmail is fine and quite useful for personal use and personal email accounts, but still needs to be kept separate from the corporate environment.

This week, a Vietnamese security company reported discovery of a new worm, named W32.Gaptcha.Worm, which breaks Google’s CAPTCHA, and then automatically creates multiple random Gmail accounts which are then used for distributing spam.

The attack sends the new Gmail accounts out to hackers, who use them until Gmail blocks the IP address of the infected machine. According to the report, if your computer becomes infected, you will see Internet Explorer launch itself, and then the Gmail account registration process takes place, with the worm automatically filling in random names and numbers to manufacture a bogus user. The worm is able to circumvent Google’s CAPTCHA system by sending the CAPTCHA image to a remote server, where it is broken. Gmail will later block your computer, preventing you from signing up for any new legitimate Gmail accounts.

The blog entry that highlights the discovery doesn’t specify however, just how the CAPTCHA is broken once it has been sent to the remote server. It is believed that some spammers actually use low-tech means, sometimes even employing low-cost laborers in third world countries to decode CAPTCHAs by the thousand, by hand.

The company discovered the worm in a honeypot trap.