
Google 'Gchat' security and Internet application security best practices

Users in the enterprise may unknowingly be exposed to 'Gchat' security risks. Expert Michael Cobb discusses Internet application security best practices that can help protect enterprise users.

I recently discovered that when using Gmail, users are automatically connected to the Gchat application. My concern is that people will often post personal information thinking they are safe because they think only trusted friends can see their information. However, that is not the case; if you send an email to multiple parties, or your email is forwarded with a @gmail tag attached, you are automatically entered into someone's Gchat address book where unknowingly they could see your personal information. Besides encouraging best practices regarding posting personal information, how else can users protect themselves from being unknowingly added to a third-party application?
The problem of signing up a service and then being added to other related services or being deluged by emails from other "relevant or related" vendors seems to be getting worse, mainly because many commercial application service vendors are trying to win market share. Many of them make it difficult to avoid enrollment in their other services, such as Google Inc.'s Gmail and Google Chat (Gchat). Unfortunately, it is left to the individual to look out for his or her own Internet application security.

Generally speaking, there are two elements to combating unwanted applications: careful selection of the applications you use, and careful control over what you use them for. Before signing up for an online service or installing the latest app, users must stop and consider whether they will really benefit from using it. Some, like Gmail, provide obvious benefits, but others aren't valuable (at least not during the course of one's workday or when conducting business) once the initial period of curiosity has passed. Before signing up for or installing any application, everyone should carefully read the vendor's terms and conditions and privacy policy.

These are typically long, tedious documents written to deter users from reading to the end, but often buried deep within them are details of what may happen with data you provide or other services for which you may be automatically registered. Reading them will help you make a more informed choice as to whether to proceed. For example, many Android Market applications have sent users' private information and location data to remote advertising servers without users being aware of what was being sent or to whom.

Like any third-party service, be sure to carry out a risk assessment before allowing Gchat to be used within the enterprise. Not only is the address book a concern, but if you need full end-to-end encryption, you will need to deploy an SSH server or some form of encryption plugin for your chat client. Google's Privacy Policy must also be reviewed to ensure it doesn't contravene your own policies. Your own acceptable usage policy is of course essential.

When gauging the security of a free Internet application, it's worth searching customer and research reviews on the Internet to see if existing users are complaining about privacy, security, or a lack of control over their data. Also, check what the experts say about the relative safety of an application before endorsing it; vulnerabilities have been exploited in online applications to spread malware, and aid phishing attacks and spam.

Unfortunately, even if users take all these precautions and configure their privacy and security settings to high, you may still find that they end up enrolled in another service that can access their data. This is why it's important to follow best practices regarding posting personal information. Microblogging sites are designed to enable content and comments to be published quickly and easily, but pause and think before hitting the submit button.

Personal information can be harvested and used for phishing or targeted malware attacks. So if it's not something you'd be willing to shout out loud in Times Square, then don't post it. Information such as date of birth and home address is commonly used in identity verification and so can be used by criminals for the purpose of identity theft or social engineering attacks. Also, many of the answers to common security questions, such as a favorite pet's name or the name of one's first school, can be found on people's online profiles. I would also think twice about using location-based social networks, as the publication of location data has been linked to subsequent burglaries. The only way to help your users truly protect their privacy is to not allow use of these services in the enterprise, as generally you have limited ability to control how your corporate data is used.
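The "pause and think before hitting the submit button" advice above can be turned into an automated check. The following is an added example, not code from the article or from Google: a small Python screen that an outbound chat or microblog hook (or a browser-side helper) could run over a draft message to flag the kinds of details the article names as harvesting targets, namely dates of birth, home addresses, phone numbers and outright statements of common security-question answers. The patterns, category names and sample messages are all assumptions constructed for the example; they are heuristics for illustration, not a complete PII detector.

```python
import re
from typing import Dict, List

# Hypothetical pre-submission screen (added example, not from the article).
# Each category holds a deliberately simple regular expression for one kind
# of personal detail the article says is harvested for identity theft or
# social engineering. Real deployments would tune these to their locale.
PII_PATTERNS = {
    # dd/mm/yyyy or mm/dd/yyyy, with / or - separators, years 1900-2099
    "date_of_birth": re.compile(
        r"\b\d{1,2}[/-]\d{1,2}[/-](?:19|20)\d{2}\b"),
    # North American style phone numbers, e.g. 555-123-4567 or (555) 123-4567
    "phone_number": re.compile(
        r"(?<!\d)\(?\d{3}\)?[ -]?\d{3}[ -]\d{4}(?!\d)"),
    # house number, one to three capitalised words, then a street type
    "street_address": re.compile(
        r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:Street|St|Avenue|Ave|Road|Rd|Lane|Ln|Drive|Dr)\b\.?"),
    # security-question answers stated outright: pet's name, first school
    "security_answer": re.compile(
        r"\bmy\s+(?:first\s+)?(?:pet|dog|cat)(?:'s)?\s+name\s+(?:is|was)\s+\w+"
        r"|\bmy\s+first\s+school\s+(?:is|was)\s+\w+",
        re.IGNORECASE),
}


def screen_message(text: str) -> Dict[str, List[str]]:
    """Return {category: [matched snippets]} for every category found in text.

    An empty dict means nothing in the draft tripped a pattern.
    """
    findings: Dict[str, List[str]] = {}
    for category, pattern in PII_PATTERNS.items():
        hits = [match.group(0) for match in pattern.finditer(text)]
        if hits:
            findings[category] = hits
    return findings


def should_block(text: str) -> bool:
    """True when the draft should be held back for the user to reconsider."""
    return bool(screen_message(text))


def redact(text: str) -> str:
    """Replace each flagged snippet with a bracketed category marker.

    Useful where policy allows the message through but not the detail itself.
    """
    for category, pattern in PII_PATTERNS.items():
        text = pattern.sub("[" + category.upper() + "]", text)
    return text


# Constructed sample drafts (not real messages) to exercise the screen.
SAMPLE_MESSAGES = [
    "Happy birthday to me! Born 12/05/1984, party at 221 Baker Street "
    "tonight, call 555-123-4567",
    "My dog's name is Rufus and my first school was Greenfield",
    "Anyone know a good lunch place near the office?",
]

if __name__ == "__main__":
    for draft in SAMPLE_MESSAGES:
        print("DRAFT :", draft)
        print("FLAGS :", screen_message(draft))
        print("ACTION:", "hold for review" if should_block(draft) else "allow")
        print("REDACT:", redact(draft))
        print()
```

The screen reports every category it matched rather than stopping at the first hit, so the user sees the full list of details they are about to publish; `redact` is kept separate from `should_block` so a deployment can choose between holding the message and stripping the details, which are different policy decisions.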

This was last published in February 2011

