Maintain Your Privacy on Google with a Dash of Paranoia

Risk 3: Hackers attacking Google

Even if you trust Google as much as you trust your mother, the sheer amount of data the company amasses about your life is daunting -- even more so when you consider what could happen if someone outside of Google managed to get access to Google's servers.

Sound far-fetched? Google's internal networks were breached in December 2009 in a widespread attack known as "Operation Aurora" that resulted in the theft of some Google source code and some (but not all) personal details of at least one Chinese human-rights activist, including his account creation data and e-mail subject lines.

Google may have some of the best minds in the world working to secure its systems, but it's also a big target -- and a potentially big prize -- for hackers. "Companies like Google are under attack because they have so much data about you," says Bill Morrow, CEO of CSIdentity, an Austin-based provider of identity theft protection services. "Instead of getting a little snippet of your life's digital footprint, [attackers] could get your entire profile."

Defcon 2

Use common sense. "If it's absolutely critical intellectual property, don't use [online] services," says Mark Kadrich, CEO of The Security Consortium, a San Jose-based security services provider and research firm.

The same goes for personal information. No system is 100% perfect. If you simply could not recover from a piece of information getting out into the world, then no online service can offer you the level of security you need.

While Google's mechanisms are strong enough to protect against common threats, a determined attacker such as a corporate competitor or a government agent who gains access to your account on Google could conceivably access everything you've entrusted to the company -- including data you didn't even know you were leaving behind.

"You have both very sensitive and less sensitive data under the same log-in credential," says Vatsal Sonecha, vice president of business development and product management at security vendor TriCipher Inc. "An attacker who gets into your account has the keys to the kingdom."

It's up to you to make the distinction between what information can be trusted to Google and what can't.

Defcon 1

Encrypt your e-mail. If you use an e-mail client like Outlook or Thunderbird to access your Gmail account, you can use a product like PGP Corp.'s PGP Desktop Home or its open-source cousin GnuPG to encrypt all of your outgoing e-mail. Or you can use the FireGPG Firefox extension to add encryption to Gmail's Web interface.

Businesses can use tools such as PGP Desktop Corporate on the desktop or one of PGP's server-based products to encrypt all outgoing e-mail at the network level.

You'll have to insist that others send you only encrypted e-mail, though, or all your incoming e-mail will still be in plain text. Unfortunately, there are no equivalent encryption tools for other Google services -- some, like Google Health, encrypt your data, but not all do.

Risk 4: Hackers guessing your log-in

While hacking into Google might be difficult, hacking into your particular Google account probably isn't. Most people use simple, easy-to-remember passwords -- often the same one on dozens of sites -- which means a hacker with some basic information about you could easily crack your account.

If you use a single English-language word as a password, a hacker who knows just your e-mail address can crack your account in a few seconds by using common cracking tools that simply try every word in the dictionary.

And on Google, your password accesses everything, from your medical records on Google Health to your credit card numbers on Google Checkout.

Defcon 2

Use a password management program like KeePass or RoboForm to generate and remember strong passwords (such as W2J@Y*YHzqrkd) that are almost impossible to guess. And change your password regularly -- once a month or more.
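The two points above, that a single dictionary word falls in seconds while a random string like W2J@Y*YHzqrkd does not, and that a generator rather than memory should produce passwords, can be made concrete with a small checker. The code below is an added example and is not from the article or from any of the products it names; the six-word list is a constructed stand-in for a real cracking wordlist, and the dictionary size (200,000 entries) and guess rate (one billion per second) are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for a cracking wordlist; real ones hold hundreds of
# thousands of entries, so the size assumed below is what matters for the estimate.
DICTIONARY_WORDS = {"password", "sunshine", "letmein", "dragon", "monkey", "welcome"}
ASSUMED_DICTIONARY_SIZE = 200_000      # assumption: entries in a typical English wordlist
ASSUMED_GUESSES_PER_SECOND = 1e9       # assumption: offline guessing rate against a stolen hash


def character_pool_size(password: str) -> int:
    """Size of the alphabet an attacker must search if the password is random."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)   # 32 printable ASCII symbols
    return pool


def estimate_guesses(password: str) -> float:
    """Worst-case number of guesses needed, under the cheaper of two attacker models.

    A dictionary word costs at most one pass over the wordlist, however long it is.
    Anything else is modelled as a uniformly random string over its character pool.
    (A real checker would also strip trailing digits and undo l33t substitutions.)
    """
    if password.lower() in DICTIONARY_WORDS:
        return float(ASSUMED_DICTIONARY_SIZE)
    return float(character_pool_size(password) ** len(password))


def entropy_bits(password: str) -> float:
    """log2 of the guess count: the usual 'bits of strength' figure."""
    return math.log2(estimate_guesses(password))


def seconds_to_crack(password: str) -> float:
    return estimate_guesses(password) / ASSUMED_GUESSES_PER_SECOND


def is_acceptable(password: str, min_bits: float = 60.0) -> bool:
    """Policy check a sign-up form could apply: reject dictionary words and short strings."""
    return entropy_bits(password) >= min_bits


def generate_password(length: int = 13) -> str:
    """Draw a password from all printable ASCII with a CSPRNG, as a manager would.

    Retries the rare draw that lands in a narrow pool (e.g. digits only).
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_acceptable(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("sunshine", "W2J@Y*YHzqrkd", generate_password()):
        print(f"{pw!r:18} {entropy_bits(pw):6.1f} bits  ~{seconds_to_crack(pw):.3g} s  "
              f"{'ok' if is_acceptable(pw) else 'REJECT'}")
```

Running it shows the gap the article describes: "sunshine" is about 18 bits and falls in a fraction of a millisecond at the assumed rate, while the 13-character mixed string is about 85 bits, which at the same rate is on the order of 10^16 seconds. The generator never relies on the user remembering anything, which is the point of handing the job to KeePass or RoboForm.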
