Google+ runs out of disk space, spams users with notifications

Google PlusSome early adopters of Google+ have found themselves bombarded with multiple notification messages in their email, due to a bug in the social networking's code after the site - astonishingly - ran out of disk space.

Vic Gundotra, Senior Vice-President of Social for Google, posted an apology (appropriately enough) on his Google+ account to those users affected, painting the social network as having been a victim of its own success.

Google spam apology

Please accept our apologies for the spam we caused this afternoon.

For about 80 minutes we ran out of disk space on the service that keeps track of notifications. Hence our system continued to try sending notifications. Over, and over again. Yikes.

We didn't expect to hit these high thresholds so quickly, but we should have.

Thank you for helping us during this field trial, and once again, we are very sorry for the spam.

It's pretty embarrassing for Google+ to suffer from such a bug - you can hardly imagine how the site could conceivably "run out of disk space", even if it is still technically undergoing trials.

High profile sufferers included Rory Cellan-Jones, BBC News's technology correspondent, an influential reporter who would hardly be high on your list of people you want to slate the social network.

Follow @ruskin147Rory Cellan-Jones@ruskin147
Rory Cellan-Jones
Getting zillions of Google+ emails, including duplicates which is apparently a bug. Already dubious about its usefulness...

Of course, accidental spam like this is better than being hit by spam containing Viagra adverts, phishing messages and malicious links - but it's still a nuisance and precisely the kind of irritating bug that is likely to upset users.

If you are on Google+, and want to keep informed about the latest security news, consider adding me to one of your circles.

Follow @gcluley

How to stop your Gmail account being hacked

GmailAs has been widely reported, high profile users of Gmail - including US government officials, reporters and political activists - have had their email accounts hacked.

This wasn't a sophisticated attack against Google's systems, but rather a cleverly-crafted HTML email which pointed to a Gmail phishing page.

Victims would believe that they had been sent an attachment, click on the link, and be greeted by what appeared to be Gmail's login screen. Before you knew it, your Gmail username and password could be in the hands of unauthorised parties.

So, what steps should you take to reduce the chances of your Gmail account being hacked?

  1. Set up Two step verification
  2. Check if your Gmail messages are being forwarded without your permission
  3. Where is your Gmail account being accessed from?
  4. Choose a unique, hard-to-crack password
  5. Secure your computer
  6. Why are you using Gmail anyway?

1. Set up Two step verification

The hackers who broke into high profile Gmail accounts grabbed usernames and passwords. So, an obvious thing to do would be to make Gmail require an extra piece of information before allowing anybody to access your account.

Google provides a facility called "two step verification" to Gmail users, which provides that extra layer of security. It requires you to be able to access your mobile phone when you sign into your email account - as they will be sending you a magic "verification" number via SMS.

The advantage of this approach - which is similar to that done by many online banks - is that even if cybercriminals manage to steal your username and password, they won't know what your magic number is because they don't have your phone.

Google has made two step verification easy to set up.

Setting up 2 step verification

Once you're set up, the next time you try to log into Gmail you'll be asked for your magic number after entering your username and password. Your mobile phone should receive an SMS text message from Google containing your verification number.

Mobile phone receives verification number

Let's just hope the bad guys don't have access to your mobile phone too..

Here's a video from Google where they explain two step verification in greater detail:

You can also learn more about two step verification on Google's website.

By the way, note that two step verification doesn't mean that your Gmail can't ever be snooped on by remote hackers. They could, for instance, install spyware onto your computer which could monitor everything that appears on your screen. But it's certainly a good additional level of security for your Gmail account, and one which will make life much more difficult for any cybercriminal who might be targeting you.

2. Check if your Gmail messages are being forwarded without your permission

Gmail gives you the ability to forward your emails to another email address. There are situations where this might be handy, of course, but it can also be used by hackers to secretly read the messages you receive.

Go into your Gmail account settings, and select the "Forwarding and POP/IMAP" tab.

If your emails are being forwarded to another address, then you will see something like the following:

Gmail forwarding

That's fine if you authorised for your emails to be forwarded to that email address, but a bad thing if you didn't.

If your messages are not being forwarded you will see a screen more like this:

Gmail forwarding

Hackers want to break into your account not just to see what email you've received up until their break-in. Ideally, they would like to have ongoing access to your email, even if you change your password or enable two step verification. That's why it's so important to check that no-one has sneakily asked for all of your email to be forwarded to them.

3. Where is your Gmail account being accessed from?

At the bottom of each webpage on Gmail, you'll see some small print which describes your last account activity. This is available to help you spy if someone has been accessing your account at unusual times of day (for instance, when you haven't been using your computer) or from a different location.

Last account activity

Clicking on the "Details" option will take you to a webpage describing the type of access and the IP address of the computer which logged your email account. Although some of this data may appear nerdy, it can be a helpful heads-up - especially if you spot a computer from another country has been accessing your email.

IP addresses of computers accessing Gmail account

4. Choose a unique, hard-to-crack password

As we've explained before, you should never use the same username and password on multiple websites. It's like having a skeleton key which opens every door - if they grab your password in one place they can try it in many other places.

Also, you should ensure that your password is not a dictionary word, and is suitably complex that it's hard to break with a dictionary attack.

Here's a video which explains how to choose a strong password, which is easy to remember but still hard to crack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Don't delay, be sensible and make your passwords more secure today

And once you've chosen a safer password - keep it safe! That means, don't share it with anyone else and be very careful that you're typing it into the real Gmail login screen, not a phishing site.

5. Secure your computer

Secure PCIt should go without saying, but this list would be unfinished without it. You need to properly secure your computer with up-to-date anti-virus software, security patches and so forth. If you don't, you're risking hackers planting malicious code on your computer which could spy upon you and, of course, your email.

You always want to be certain that your computer is in a decent state of health before you log into a sensitive online account, such as your email or bank account. That's one of the reasons why I would always be very nervous about using a computer in a cybercafe or hotel lobby. You simply don't know what state the computer is in, and who might have been using it before.

6. Why are you using Gmail anyway?

Okay, I don't really mean that. But I do mean, why are you storing sensitive information in your Gmail account?

The news headlines claim that senior US political and military officials were being targeted by the hackers. Surely if they had confidential or sensitive data they shouldn't have that in their webmail account? Shouldn't that be on secure government and military systems instead?

Always think about the data you might be putting on your web email account - because if it's only protected by a username and password that may actually be less security than your regular work email system provides.


35 million Google profiles were *already* exposed on the internet

Google Profile logoDo you have a Google Profile? Did you find yourself getting cobbywobbles when you read the headlines in the security press?

Here's just a handful of the many headlines that have appeared in the last few days:

"35 Million Google Profiles Captured In Database", Information Week

"35m Google Profiles dumped into private database?", The Register

"Entire Google Profile database acquired by a user", ARN

Matthijs R. Koot, a PhD student at the University of Amsterdam, was able to create a database of 35 million Google Profiles, scooping up real names, email addresses, biographical information, Twitter feeds, links to Picasa photos, etc.

Sound scary to you? If so, maybe you're one of those people who has populated your Google Profile with a large amount of private information that you wouldn't like to fall into the hands of ne'er-do-wells.

At first glance the headlines might appear worrying. But there's one important thing you need to know.

All of this information was already available to anyone on the internet.

Some Google Profiles

You may remember that last year security researcher Ron Bowes conducted a similar experiment with Facebook, creating a database of 100 million Facebook users who had left their profiles open for anybody to view.

Koot has done something similar - but with Google Profiles. He wrote a relatively simple script (which he published on the net for others to try out) that harvests Google Profile data - and in the process, revealed that many users were potentially being careless with their personal information.

Part of Koot's script

So, Koot hasn't actually exposed any new information. He's just written a script to collect together data which was already out there.

Google Profile allows you to choose the nature of the url to your profile. You can either have a random-looking number, or the username they use for Google Gmail.

For instance, Matthijs R. Koot has the option of using:

https://profiles.google.com/115572197788225218471

or

https://profiles.google.com/mrkoot

Google Profile URL

However, Google Profile users are explicitly warned that if they choose to customise their URL with their GMail username, they will be making their email address publicly discoverable.

Koot says that he conducted the test to expose how careless people were being with Google Profile, and in particular that they were exposing their email addresses.

He discovered that approximately 40% of the 35 million Google Profiles he accessed exposed the owner's username and hence their @gmail.com address. That's 15 million exposed email addresses.

There's an obvious potential for spear phishing and malware campaigns when you have access to such a hoard of legitimate email addresses. Especially when they can be combined with other personal information shared on your Google Profile.

Google Profile users can adjust their settings to not allow their profiles to be indexed by search engines. But that's not really fixing the main problem.

Google Profile search visibility

Wouldn't it be better to choose not to post personal information in the first place?

One problem, of course, is that you may not actually realise that you already have a Google Profile.

After all, Google freely admits that "if you've been writing reviews on Google Maps, posting buzz on Google Buzz, creating articles on Google Knol, sharing Google Reader items, or adding books to your Google Book Search library, you may already have a profile."

Google Profile help screen

Maybe now is the time to check if you have a Google Profile, and - if you do - that you're comfortable with the information you're sharing through it.

Ultimately, though, remember the golden rule. If you don't want a piece of information to fall into the hands of hackers/your boss/your mother-in-law then maybe it's best not to post it on the internet in the first place.


What Google and Mastercard’s new mobile payment system could mean for iOS users

Last week saw a major new product announcement from Google: the new "Google Wallet" will allow people with compatible mobile phones to use them to pay for goods and services in shops with a simple wave of their hand. This follows a number of in/out/in/out/shake it all about rumors that this "NFC" stuff might be included in the next iPhone. So what is NFC and why should you care? Sit back, grab a cup of coffee, and I'll explain.

Continue reading What Google and Mastercard's new mobile payment system could mean for iOS users

What Google and Mastercard's new mobile payment system could mean for iOS users originally appeared on TUAW on Mon, 30 May 2011 11:00:00 EST. Please see our terms for use of feeds.

Source | Permalink | Email this | Comments

Security hole could affect 99% of Android smartphones

Android smartphoneAccording to German researchers, 99% of Android devices might be at risk from a vulnerability which could allow unauthorised parties to snoop on your Google Calendar and Contacts information.

The discovery by the University of Ulm researchers brings to light a serious privacy issue, and underlines the difficulty that many Android smartphone owners appear to face keeping their operating systems up-to-date.

According to the paper by Bastian Könings, Jens Nickels, and Florian Schaub, entitled "Catching AuthTokens in the Wild: The Insecurity of Google's ClientLogin Protocol", in Android 2.3.3 and earlier the Calendar and Contacts apps transmit information "in the clear" via HTTP, and retrieve an authentication token (authToken) from Google.

That means that there's the potential for cybercriminals to eavesdrop on WiFi traffic and steal the authToken that your smartphone has just generated.

Wireshark sniffing an authToken

As authTokens can be used for several days for subsequent requests, hackers can exploit them to access what should be private services and data - such as your web-based calendar. Furthermore, it turns out that the generated authTokens are not linked to a particular phone, so they can be easily used to impersonate a handset.

Yuck!

The scenario is a real problem if you use an unencrypted WiFi hotspot (such as those commonly available in hotel lobbies, airports or at the coffee shop on the corner of your street), as someone could snoop on your authToken and abuse it.

According to the researchers, Google has fixed the problem in Android 2.3.4. But there's the rub. Just how many people are still running older versions of the Android OS?

Android OS platform usage

Approximately 99% of Android users are vulnerable, as they haven't updated to at least version 2.3.4 (codenamed "Gingerbread").

GingerbreadUnfortunately it's not always possible to easily upgrade the version of Android running on your phone as you are very dependent on your mobile phone manufacturer and carrier providing the update to you over the air.

There is a huge range of Android smartphones out there, and whereas Apple can issue a single iOS update to patch iPhones and iPads, things aren't so simple for Google's users. This fragmentation inevitably leaves Android devices open to security problems.

Fortunately, Google seems to be aware of this pain, and says it will work more closely with manufacturers and carriers to ensure users can receive the latest Android updates in the future.

But what should you do if you're a concerned Android owner?

My recommendation would be to upgrade to the latest version of Android if at all possible.

Furthermore, do not use open WiFi networks as your communications may not be properly protected. If you're worried about this latest security issue you might be wise to connect to the internet via 3G from their smartphone rather than using unencrypted public WiFi connections.

Using 3G may eat into your data plan, but it's far less likely that your communications are being snooped upon.

Update: Good news. Google has started rolling-out a fix for this vulnerability.