Teaching Others About Digital Security and Privacy
Mickler & Associates, Inc. wants to help community leaders and small businesses use technology securely. We will offer consulting, training, seminars, and content on improving your digital privacy and security.
Nearly everything we do is digital: our banking and commerce; our interactivity and socialization; our education and information exchange; our entertainment; our politics and our dissent. So much of our lives has an electronic footprint.
Therefore, it's in the interest of everyone to better manage the risks of digital media. In the spirit of teaching others how to do something rather than simply doing it for them, Mickler & Associates, Inc. is joining forces with the Electronic Frontier Foundation (EFF) to help train, educate, and show others how to manage their data securely and confidentially.
The Electronic Frontier Alliance (EFA) is a network of grassroots groups taking action in their own local communities to promote digital rights.
As an EFA member organization, we believe that technology should support the intellectual freedom at the heart of a democratic society. In the digital age, that entails advancing:
Free Expression
People should be able to speak their minds to whoever will listen.
Security
Technology should be trustworthy and answer to its users.
Privacy
Technology should allow private and anonymous speech, and allow users to set their own parameters about what to share with whom.
Creativity
Technology should promote progress by allowing people to build on the ideas, creations, and inventions of others.
Access to Knowledge
Curiosity should be rewarded, not stifled.
We uphold these principles by fighting for transparency and freedom in culture, code, and law. Locally, Mickler & Associates, Inc. will be promoting these ideals by:
Holding online and on-ground seminars about digital security and privacy.
Creating training videos and other digital assets that could be shared and disseminated.
Commercial and non-commercial training.
Private consultations and service engagements.
Corporate events.
Offering up training for students and to community activists.
Donating our time and experience to non-profits.
Want to know more, or, how we could lend a hand to you or your local organization? Contact us. We can chit-chat about the possibilities and see where Mickler & Associates, Inc. could add value. Thanks.
R
Gmail Encryption and Confidentiality
Google encrypts your mail and data all the time. Here's a run-down on how they do it.
How does Google secure your data and ensure its confidentiality?
1. The Google Cloud Platform encrypts data at rest on their servers. That means that your stuff, while it sits idle on the cloud platform, is wrapped in encryption. This is done without your intervention. The Google Cloud Platform even allows users to declare their own cryptographic keys if desired for extra layers of security.
2. Google Data is distributed and wrapped in key-chunks throughout their data centers. That means your stuff is broken into pieces - so not all of your eggs are in one basket. Your data is spread among data centers to provide extra redundancy, security, and disaster recovery, and encrypted using Google's Key Management Service. This is also done without your intervention.
3. Data is encrypted at the storage level using AES128 or AES256 encryption. This is a bit nuanced, but let's say that Google's physical hardware is also set to use encryption.
4. Google uses Perfect Forward Secrecy (PFS) with its APIs. Data that travels between their services is encrypted. It also uses Keyczar to implement encryption of your data between all of their products.
5. Google employs TLS/SSL security in transit. While your data is on the move between their servers and your device it is encrypted.
6. Gmail's web interface forces all client connections to use HTTPS (RSA/SSL) encryption and has done so since 2014. While you're using Gmail on the web, your session is secure.
7. Gmail has client-side controls within the web interface to notify the user of security failures or questions. While you're using Gmail, it informs the user if there are questionable aspects of the sender that could put you at risk.
8. Google is actively attempting to deprecate legacy mail clients that use older forms of email challenge/verification. Google refers to these mail solutions as "less secure clients" and the user must flip a switch for them to be used. This often forces the user to upgrade their mail client software to versions that support more modern and secure access tokens.
Now, all of this is well and good but it's not the end of the conversation. Your data may be encrypted at rest and in transit with Google, but is it confidential?
1. If you own a non-commercial Gmail account, you have no promise of confidentiality. That is because the service is offered in exchange for Google being able to read your email and market services to you. This aspect of Gmail would fail all best practice confidentiality requirements, as Google expressly says in its EULA that the data is theirs and can be used to "token and stem" - a big-data practice of creating logical relationships between ideas - so as to market to you. That's why it's free.
2. If you own a commercial Gmail account - if you pay for G-Suite - you are a commercial subscriber to the Google Cloud Platform. The EULA there says that Google does not read your data and Google considers it a private, sealed container. It's your data.
3. Caveat: both the non-commercial and commercial aspects of the Google Cloud Platform are subject to US Law and Regulation. That is, if Google receives a warrant to access data under your account, they will work with federal officials to retrieve that data and surrender it to authorities. This aspect of Google's operations - for some - presents a hazard that has folks turning to Proton Mail, for example: a free encrypted mail service that is presumed outside US jurisdiction, or, Signal, from Open Whisper Systems, an encrypted messaging platform.
Okay, but I use a thick mail client like Apple Mail or MsOutlook or Thunderbird. What about the security of my client software, o/s, or hardware platform?
This isn't recommended. Using a thick mail client makes you responsible for the care-taking of your data and some aspects of filtration (spam filters, AV filters, keyword and black list filters, etc.). That's true even when using G-Suite, which centralizes some of this management.
Still, if you don't use the web for accessing email and insist on using a thick mail client:
1. Once the data is delivered to a software mail client (e.g., Apple Mail, MsOutlook, Eudora, etc.), it is up to the client to secure the messages. Example: if your Windows laptop was stolen, the data stored in MsOutlook's PST file is an open container - it is not encrypted unless you encrypt it - and is therefore vulnerable. You must take steps to encrypt that data.
2. The platform must provide encryption. At the o/s and hardware level, there are tools to encrypt the contents of your drive. You must take steps to encrypt the drive system (enable FileVault 2 on a Mac, or, BitLocker on a PC).
3. You may not think the o/s level encryption is good enough, so you may be convinced to implement your own hardware level encryption. That's something you'd have to do, too.
4. Some iOS platforms are secured through hardware-level encryption; some are not. Generally, receiving mail to Apple Mail on an iPhone 6 or iPhone 7 is secure. Android phones must be specifically configured to provide o/s layer security; each vendor has their own policy on hardware level encryption, and that's variable based on product.
Best Practice:
Are you concerned about the best way to keep your data secure on Gmail/G-Suite?
1. Follow my list of advice on how to Avoid Gmail Hacks.
2. Don't use a thick mail client. Stick to using the web interface.
3. Avoid using Microsoft Windows computing platforms. Using a ChromeBox, Linux machine, or Apple product is far superior in terms of o/s security.
4. Use the latest iOS and Apple devices for the best security possible.
5. Avoid using unaltered Android platforms. Have a professional help you configure Android to be secure; and/or purchase specific OEM products like Google's Pixel or the Blackphone from Silent Circle to make it secure.
6. If you're concerned about HIPAA, only the G-Suite product can offer a Business Associate Agreement (BAA) for protecting that data, and there are specific restrictions over Google's service offerings. Not all data on the Google Cloud Platform is considered compliant. Careful.
7. If you're concerned about FERPA or COPPA, G-Suite for Education is compliant there. PCI-DSS 3.0 compliance is also a feature of the Google Cloud Platform.
And finally, how do you know that Google is actually doing what they're promising? Like, how can you trust Google?
Don't take my word for it: Google is audited annually to specific information system standards. Independent agencies routinely compare what Google says to what Google does. Still, Google isn't perfect - in 2015, the EFF rated Google poorly on being transparent with publishing government requests and data access. We hope that Google will make progress there.
There we go. A reasonable accounting of how well your data is secured and confidentiality managed on the Google (G-Suite) Cloud Platform. Questions?
R
How to Avoid Gmail Hacks
Don't be a statistic. If you use Gmail / Google Apps / G-Suite, take a few minutes to review some of these security precautions to protect your account from being hacked.
On March 19, 2016, Mr. John Podesta - Hillary Clinton's Campaign Chairman - received an email advising him that his Gmail account had been compromised.
The email looked like an official communication from Google. It even had a link available in the email to change his password. It was not. It was intentionally crafted to make Mr. Podesta believe that it was an official alert from Google.
And when Mr. Podesta clicked on the link, he was brought to a website designed to look like Google's password rotation site. What Mr. Podesta didn't realize was that the site wasn't Google's - he received a phish - and he inadvertently gave his account's password away to Ukrainian hackers.
The rest is history. Mr. Podesta's email was siphoned and uploaded to Wikileaks, a data breach that - in part - is alleged to have been used by the Russian government to exert influence on a United States election cycle.
Update 2017.05.31: Google announces new tools and features in Gmail to help prevent phishing attacks.
Update 2017.06.05: A good article on how to identify and avoid common phishing scams by Dave Albaugh
Okay, so maybe your concerns don't involve the Presidency of the United States but the confidentiality of your affairs is still important to you. You don't want your Gmail or Google Apps (G-Suite) email to be hacked. So what can you do?
1. Question Authority.
When it comes to the security of your Google account (really, any online account you may own), never act on impulse.
Emails like the one Mr. Podesta received are designed to get you to stop thinking and just take action - the intent is to disconnect your logical mind with an overriding emotion, like fear, and to get you to click on a hyperlink found within the email. Don't fall for it.
There is a similar attack going around concerning Google Drive. You may receive an email that says somebody (you may or may not know) has shared a file with you on their Google Drive. If you click on the link to access the file, you're brought to a login screen similar to Google's that captures your email address and password; your credential is then used to access your account and make changes to your email settings.
2. Use the Tools Yourself.
If you suspect that your account may have been compromised, Google has a tool that you can use to rotate your password and investigate the matter on your own. It's found at www.google.com/accounts.
Open a browser and go there yourself. Rotate (change) your Google password on your own. And by the way, don't be a wuss: now's not the time to go convenient on your Google password. Woman-up and do what needs to be done: change your password to something unique and strong.
In the case of Google Drive, access Google Drive directly on the web and go to the Shared With Me section of Drive. If somebody shared a file with you, it'll actually appear in this list. Check for it there.
3. Protect Yourself - Security Self-Service.
Take a few minutes to evaluate the Google Accounts site.
Do you need to recover a hacked Gmail account? You can do so yourself.
Are there devices and applications connected to your account? Don't recognize them? Just disconnect them. Clean this up. Only allow current devices and applications that you actually use to access this account.
Do you have a recovery cell phone number? If you do, is it your cell phone? If you don't have a recovery cell phone number, add it now.
Have you enabled two-factor authentication? Two-factor authentication requires not only what you know (your password) but what you have (your cell phone) in order for you to log in to your account. If two-factor authentication is enabled, the hacker can't sign in as your account unless they have your cell phone, which is highly unlikely.
Have you set your security alert settings? Get notified directly on a more secure channel when something is suspicious about your account - like, get a text message from Google to your recovery cell phone. That way, you won't need to fall for the phish.
Do you notice strange computers or devices acting on your account? This information is also available from the Gmail Security Details link in the bottom-right-corner of your Gmail screen.
Force a sign-off from all active sessions. That will force anyone who wants to use your account to re-authenticate: they'll have to know your new password to sign-in again.
Is your Gmail account being filtered? One of the ways these exploits work is to set up a filter in your Gmail account that deletes any inbound mail sent to you, so it'll look like you're not receiving email. Check your Gmail Filters. If you see a filter that says any mail addressed to your email account should be deleted, remove that filter.
Is your account accessible by less secure apps? This setting should only be enabled (flipped on) if you're using a legacy (old) email program to retrieve your email. It's a less secure setting to receive your email, and some hacks try to flip this setting on so it's easier to get at your email. If you're not sure, turn it off.
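The filter check described above can be scripted when you look after many accounts. This added example (not part of the original article) audits a filter list in the shape returned by the Gmail API's users.settings.filters.list call; it goes one step beyond the article by also flagging filters that forward mail to another address. The sample data, addresses and function name are constructed for illustration.

```python
import json

# Constructed sample in the shape of a users.settings.filters.list response:
# each filter has "criteria" and an "action" with addLabelIds / removeLabelIds / forward.
SAMPLE_FILTERS = json.loads("""
{"filter": [
  {"id": "f1", "criteria": {"from": "newsletter@shop.example"},
   "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
  {"id": "f2", "criteria": {"to": "me@example.com"},
   "action": {"addLabelIds": ["TRASH"]}},
  {"id": "f3", "criteria": {"query": "password OR security"},
   "action": {"forward": "drop@mailbox.example", "removeLabelIds": ["INBOX"]}}
]}
""")

def audit_filters(filters, own_addresses):
    """Return (filter id, reasons) for filters that delete or forward mail."""
    own = {a.lower() for a in own_addresses}
    findings = []
    for f in filters:
        criteria = f.get("criteria", {})
        action = f.get("action", {})
        reasons = []
        # Adding the TRASH system label is how a filter deletes a message.
        trashes = "TRASH" in action.get("addLabelIds", [])
        # "Broad" means it matches everything sent to the owner, or has no criteria.
        broad = criteria.get("to", "").lower() in own or not criteria
        if trashes and broad:
            reasons.append("deletes all mail addressed to you")
        elif trashes:
            reasons.append("deletes matching mail")
        if action.get("forward"):
            reasons.append("forwards mail to " + action["forward"])
        if reasons:
            findings.append((f.get("id"), reasons))
    return findings

if __name__ == "__main__":
    for fid, reasons in audit_filters(SAMPLE_FILTERS["filter"], ["me@example.com"]):
        print(fid, "; ".join(reasons))
```

Any flagged filter you did not create yourself should be removed in Gmail's filter settings, as described above.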
4. Don't Just Give Away Access to Your Google Account.
Over time, you may have indiscriminately given access to your account to other applications. When dealing with a compromise situation, turn off all access to your account by removing those applications from your Connected Applications list; you can always add them back later.
Second, think harder about that. When asked about connecting applications and granting them authority to look at your account, you're going to receive a screen that looks like this from Google.
Think very hard: is this something you really want? Do you know or trust the vendor (Twilio in this case)? Is this actually a good idea? Think critically: are you about to share critical account information with someone you don't know?
5. Ask for Help.
If you have a question about a suspicious email that you received, talk to your IT folks and/or a trusted IT professional before clicking on it. If you're on the Google Accounts site and need clarification about what it's telling you, ask someone. If you're being challenged to provide authentication for account access and you're not sure why, please ask a trusted professional.
Remember that Google Apps / G-Suite / Gmail isn't an insecure platform. It isn't Gmail that's hacked - it's the human that's hacked. In all of these cases, what's being exploited here are human weaknesses.
Humans will react emotionally to phishing emails instead of acting rationally.
Humans will create weak passwords because it's more convenient than using stronger passwords.
Humans may not enable two-factor authentication because they don't know it's there, or, it's an inconvenience they'd rather not bother with.
Humans may not review what devices and applications are accessing their accounts because they don't know how to perform this check, or, they don't want to be bothered by it.
Humans will allow any application access to their account because it's convenient to do so.
Convenience is the enemy of security. If you're genuinely interested in protecting yourself, your family, your company, your clients, your patients - everyone - from security compromises and breaches, then take action. Follow some of these best practices. Stop making security convenient. Think before you click. Ask for help.
R