<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:iweb="http://www.apple.com/iweb" version="2.0">
  <channel>
    <title>I code, play ‘n’ secure</title>
    <link>http://www.gundeepbindra.com/blog/Blog/Blog/Blog.html</link>
    <description>The views of one man on security, privacy and anything else that catches his attention. The views expressed on this blog do not reflect anyone other than myself and the posts that made great reading and were informative to me.</description>
    <generator>iWeb 3.0.4</generator>
    <image>
      <url>http://www.gundeepbindra.com/blog/Blog/Blog/Blog_files/GeekTool.jpg</url>
      <title>I code, play ‘n’ secure</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Blog.html</link>
    </image>
    <item>
      <title>The Theory of Everything</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/22_The_Theory_of_Everything.html</link>
      <guid isPermaLink="false">8812cc0d-0e0d-4341-870e-9bf4b39e53ed</guid>
      <pubDate>Sun, 22 Jan 2012 15:28:53 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/22_The_Theory_of_Everything_files/brain-300x271.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object522_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:134px;&quot;/&gt;&lt;/a&gt;This post is about my views about the theory of everything in science. After stating what I mean by the title and the problems associated with it, I shall talk about three disciplines/concepts that are seemingly independent, but as I shall try to reason, are tripartite secrets to understanding the greatest mysteries of our universe. &lt;br/&gt;&lt;br/&gt;If you’re looking for something lighter, and a significantly shorter answer to a similar question.&lt;br/&gt;&lt;br/&gt;“…if we discover a complete theory, it should in time be understandable by everyone, not just by a few scientists. Then we shall all, philosophers, scientists and just ordinary people, be able to take part in the discussion of the question of why it is that we and the universe exist. If we find the answer to that, it would be the ultimate triumph of human reason — for then we should know the mind of God.”&lt;br/&gt;&lt;br/&gt;- Stephen Hawking (A Brief History of Time)&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;Wait, What Theory?&lt;br/&gt;&lt;br/&gt;The “Theory of Everything” is a label given to the persistent ongoing effort in the scientific community to come up with a theory of physics which would explain and account for everything in the observable universe. &lt;br/&gt;&lt;br/&gt;For example, if you have an infinitely large table with billiard balls that follow Newton’s laws of motion, you can compute and predict everything about their future and also explain their present and past behavior. To cut the long story short, everything in the universe is made of particles* which interact with each other based on forces. 
There are only four fundamental forces. If you can explain how all four behave, you can theoretically predict and explain everything about our universe. As a matter of fact, physicists have unified 3 of the fundamental forces and only one does not fit into their picture (wiki: GUT) – the force of gravity. Seemingly, we are very close to the ultimate theory of everything in science.&lt;br/&gt;&lt;br/&gt;So, What’s the Problem?&lt;br/&gt;&lt;br/&gt;The idea itself sounds very fascinating at first. Practically, however, we might not be able to predict everything even if we have such a theory. But what really strikes Prof. Hawking is that once we complete this quest, it would complete the jigsaw puzzle of physics. And then, we can move on to asking greater questions, from “how” we and the universe exist, to “why” we and the universe exist. However, over time and countless realizations, my opinion about all this has swiftly changed. Even if I believe that such a complete theory of physics actually exists, we are certainly not anywhere close to discovering it yet.&lt;br/&gt;&lt;br/&gt;The primary reason why I think so expresses concern about the very basic approach through which science works. Scientific theories can only be judged in retrospect, when better theories have been discovered (the “all swans are white” argument). Philosophical criticism aside, I would like to elaborate upon a fundamental flaw in science. The scientific method is all about observation. A scientific hypothesis cannot be tested as a theory until an experiment is carried out. An experiment is an act of measurement. A measurement is done by an observer. Thus the role of the observer, the experimenter, the guy who watches things go by and takes a note, is critical. Strangely and ironically so, the quantum family of theories, which come closest to the ultimate, final theory of everything, place a ridiculously interesting amount of importance on the very act of measurement. 
It is the very act of measurement or observation in these theories which gives rise to reality. The importance of the observer can be elegantly illustrated through Schrodinger’s cat paradox where the cat is both dead and alive at the same time, until the observer sees it.&lt;br/&gt;&lt;br/&gt;There is a certain problem with coming up with the theory of everything. It has to be about everything. And as clearly indicated by the latest set of theories, we have long ignored the importance of a certain missing piece of the puzzle. To illustrate my point, here are the three disciplines which I will talk about:&lt;br/&gt;&lt;br/&gt;Cognition and The Theory of Everything&lt;br/&gt;&lt;br/&gt;The theory of everything is about a complete representation of how reality actually works. But what is reality? Our definitions of reality are synonymous with what we perceive through our senses. When you hold a cup of tea in your hand, you do not really think about whether it is actually there or not. Of course there is good evolutionary reason why it is so. If you were a deer and saw a lion approach you, doubting what you perceived as reality would not really help you much. Evolution does not favor philosophers, in general. We shall question the association and analogy between what we see and what is real in another post. But either way, it is you who is looking at your computer, moving your eye across this sentence trying to make any sense of it. You do exist. It would be unfair to exclude YOU from the theory of everything. Eventually, you sense this world. Shouldn’t YOU be of greater importance in it?&lt;br/&gt;&lt;br/&gt;The paradoxes inscribed within quantum theory indicate that there is more to the observer (YOU) than what meets the eye. Every system in quantum mechanics is a bubble of possibilities which pops to one result, only when observed. While instrumentalists would disagree with my next argument, as a realist I can’t help but visualize reality. 
The implication – reality does not exist how we know it until someone observes it. In a way, does it not indicate that our brain does not experience reality, but somehow creates it? Coming to think of it, it is us who have observed this world all this while. While the Earth may not be the center of the solar system or the known universe, the human brain might just be so.&lt;br/&gt;&lt;br/&gt;Artificial Consciousness&lt;br/&gt;&lt;br/&gt;Exploring the mysteries of the human brain brings us to the second topic. I could have named this section ‘Artificial Intelligence’, but that term has acquired a slightly different meaning over the years. What is conscious and what is not? Is a robot conscious? What about a worm or a cat? What about the baby born last month? My only point here is, we can never really understand the world around us until we have understood our own minds. Eventually, it is our brain which interfaces with reality and tells us everything we know about it. A theory of everything which misses out on a theory of consciousness is clearly incomplete.&lt;br/&gt;&lt;br/&gt;We should not be interested in the different complex structures in the brain and how they account for consciousness. I am talking about a different paradigm here. A different approach, where you do not study how the brain works in the outside physical world. Instead, you account for how the brain experiences, or in effect, creates the outside physical world through sensory observation. Why? Because that is what truly happens. While it may not be intuitive reasoning at first, think of it this way – Does the world behind you exist while you’re not looking at it? Is there any way to find out? To fetch answers to questions which cannot be tested by experiment is beyond the scope of science. But who said science was the ultimate tool to acquire knowledge anyways?&lt;br/&gt;&lt;br/&gt;There are quite a few problems with understanding consciousness. Does our mind work on algorithms? 
What about free will, where does that fit in? Now there is a line of reasoning which goes on to show how consciousness cannot arise purely based on algorithms, as we know of them. What about intuition? If you think of it, it is amazing how the human brain, even with all its complexity, can have intuition – a leap of reason, faith or knowledge which is apparently not a result of any algorithms as such.&lt;br/&gt;&lt;br/&gt;I believe that the real test of a theory of consciousness is to create artificial consciousness. I am not sure whether a simple Turing test would suffice for this, but it does seem inadequate. So is our mind simply an extremely complex computer running a complex bit of software?&lt;br/&gt;&lt;br/&gt;Quantum Computers&lt;br/&gt;&lt;br/&gt;Our knowledge in the field of computing is extremely limited. We currently employ bits (0/1) at the core of our computers. Dealing with concurrency related issues is a major challenge while representing algorithms. Coming to think of it, the Turing machine itself is a deterministic, single-threaded machine. Can such algorithms ever account for, represent and eventually take the place of the human mind?&lt;br/&gt;&lt;br/&gt;The suggestion that our mind is a quantum computer is not new. Obviously, to state that it is ‘just’ a quantum computer would be an oversimplification. But all the clues point us towards this line of thought. Free will – a result of, or another name for, the popping of wave functions inside the natural quantum computer? All in all, we will need another theory of computation to account for the human mind.&lt;br/&gt;&lt;br/&gt;Conclusion&lt;br/&gt;&lt;br/&gt;This is more of a start, than an end. If space-time permits, I shall follow up with more posts, specific to the topics I touched upon. For the time being, I shall leave the reader with the following metaphysical imagery:&lt;br/&gt;&lt;br/&gt;“There is a pool of ‘consciousness’ – the fluid. Pipes of it are drawn out from that pool. 
A lump of consciousness within itself can share information. But since these many pipes are drawn out from the pool, the lumps get separated and cannot interact with each other. These pipes eventually end into the same pool. The constraints that these lumps are put through while they work their way across the pipe, result in experience.”&lt;br/&gt;&lt;br/&gt;Do I not sound like a certain Indian book, part of a greater epic tale?&lt;br/&gt;Or do I sound like a certain Indian prince, who attained his wisdom under a Bodhi tree?&lt;br/&gt;Can you see the analogy here? Eventually, it is all about analogies.&lt;br/&gt;&lt;br/&gt;“Space-time is like some simple and familiar system which is both intuitively understandable and precisely analogous, and if I were Richard Feynman I’d be able to come up with it.” -xkcd.com</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/22_The_Theory_of_Everything_files/brain-300x271.jpg" length="33341" type="image/jpeg"/>
    </item>
    <item>
      <title>Symantec backtracks, admits own network hacked</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/18_Symantec_backtracks,_admits_own_network_hacked.html</link>
      <guid isPermaLink="false">88edc897-0019-4793-8183-eb412514849a</guid>
      <pubDate>Wed, 18 Jan 2012 02:07:40 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/18_Symantec_backtracks,_admits_own_network_hacked_files/b440a5cc1a849076aba.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object013_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;Symantec today backed away from earlier statements regarding the theft of source code of some of its flagship security products, now admitting that its own network was compromised.&lt;br/&gt;&lt;br/&gt;In a statement provided to the Reuters news service, the security software giant acknowledged that hackers had broken into its network when they stole source code of some of the company's software.&lt;br/&gt;&lt;br/&gt;Previously, Symantec had denied that its own network had been breached, and instead pointed fingers at an unnamed &amp;quot;third party entity&amp;quot; as the attack's victim. Evidence posted by a hacker nicknamed &amp;quot;Yama Tough&amp;quot; -- a self-proclaimed member of a gang calling itself &amp;quot;Lords of Dharmaraja&amp;quot; -- indicated that the information was obtained from a server operated by the Indian government.&lt;br/&gt;&lt;br/&gt;Two weeks ago, Symantec spokesman Cris Paden said that the hacker made off with source code of Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, enterprise products between five and six years old.&lt;br/&gt;&lt;br/&gt;At the time, Paden downplayed the seriousness of the theft.&lt;br/&gt;&lt;br/&gt;Today, however, Paden said that source code of Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere, had been stolen.&lt;br/&gt;&lt;br/&gt;Some of those -- Norton Internet Security and Norton Utilities -- are among Symantec's most prominent consumer-grade products.&lt;br/&gt;&lt;br/&gt;Symantec missed one bullet, however.&lt;br/&gt;&lt;br/&gt;Last Saturday, Yama 
Tough promised to release more than a gigabyte of the source code for Norton Antivirus -- the hacker did not specify which version -- but he said the group has since reconsidered.&lt;br/&gt;&lt;br/&gt;&amp;quot;We've decided not to release code to the public until we get full of it,&amp;quot; Yama Tough wrote on Twitter Monday. &amp;quot;1st we'll own evrthn we can by 0din' the sym code &amp;amp; pour mayhem.&amp;quot;&lt;br/&gt;&lt;br/&gt;In the message, &amp;quot;0din'&amp;quot; likely stands for &amp;quot;zero-daying,&amp;quot; meaning attacks launched against unpatched vulnerabilities.&lt;br/&gt;&lt;br/&gt;Also on Monday, Yama Tough claimed that he had some or all of the source code for pcAnywhere, a multi-platform remote access suite that Symantec sells.&lt;br/&gt;&lt;br/&gt;&amp;quot;PCAnywhere code is being released to blackhat community for 0d expltin!,&amp;quot; said Yama Tough, again on Twitter.&lt;br/&gt;&lt;br/&gt;Paden confirmed Yama Tough's claim when he told Reuters that pcAnywhere users face &amp;quot;a slightly increased security risk&amp;quot; because of the hacker's activities.&lt;br/&gt;&lt;br/&gt;&amp;quot;Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information,&amp;quot; Paden said.</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/18_Symantec_backtracks,_admits_own_network_hacked_files/b440a5cc1a849076aba.jpg" length="16157" type="image/jpeg"/>
    </item>
    <item>
      <title>Hackers threaten Symantec with full source code release</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/17_Hackers_threaten_Symantec_with_full_source_code_release.html</link>
      <guid isPermaLink="false">28b17c1c-d775-4e06-ad63-9577bfc835ca</guid>
      <pubDate>Tue, 17 Jan 2012 02:04:30 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/17_Hackers_threaten_Symantec_with_full_source_code_release_files/Symantec.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object011_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;The hacking collective that spent recent days revealing fragments of the source code to Symantec's Norton AntiVirus (NAV) has threatened to release code for the whole program.&lt;br/&gt;&lt;br/&gt;Using the group's Twitter feed, 'Yama Tough' said the release would happen this Tuesday (17 January) with the message &amp;quot;this comming (sic) tuesday behold the full Norton Antivirus 1,7Gb src, the rest will follow....&amp;quot;&lt;br/&gt;&lt;br/&gt;For some days remarks on the feed have linked the code release to a lawsuit filed by US resident James Gross against Symantec last week which alleges that Symantec used scareware techniques to persuade users to buy full version of its antivirus products.&lt;br/&gt;&lt;br/&gt;&amp;quot;Today we are going to release Norton Utilities src to accompany Symantec lawsuit =) Stay tuned for release,&amp;quot; Yama Tough announced on Friday without making clear why the release would in any way aid Gross's case.&lt;br/&gt;&lt;br/&gt;The group also said the post would include code for the company's Norton Utilities software.&lt;br/&gt;&lt;br/&gt;Symantec earlier confirmed that the group - which also uses the name 'The Lords of Dharmaraja' - has been leaking genuine code without confirming that it was stolen, as the group claims, from servers belonging to the Indian military.&lt;br/&gt;&lt;br/&gt;The company said leaked documentation and code dated back as far as 
1999, some of which related to Endpoint Protection 11.0 and Antivirus 10.2, and would have no impact on its current products.&lt;br/&gt;&lt;br/&gt;For the time being, whatever is posted on Tuesday will probably be less of a real security compromise than simply serve to spell out the vulnerability of data and source code stored by security vendors on third-party servers. It is unlikely to have any bearing on the scareware lawsuit against Symantec.</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/17_Hackers_threaten_Symantec_with_full_source_code_release_files/Symantec.jpg" length="17883" type="image/jpeg"/>
    </item>
    <item>
      <title>Five Principles To Improve Your Security Monitoring</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/14_Five_Principles_To_Improve_Your_Security_Monitoring.html</link>
      <guid isPermaLink="false">a8738c5a-ecb8-444c-a839-ff9568aaf1f2</guid>
      <pubDate>Sat, 14 Jan 2012 02:01:30 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/14_Five_Principles_To_Improve_Your_Security_Monitoring_files/main_mia_24hour.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object009_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:235px; height:132px;&quot;/&gt;&lt;/a&gt;Following a year full of breaches, companies need to focus more on monitoring their systems for signs that attackers are already inside, security experts say.&lt;br/&gt;To better defend against and detect attacks, companies need to take stock of their networks, find out where critical information resides, and use that knowledge to secure and monitor their critical assets, says Mike Lloyd, chief technology officer with RedSeal Networks. A recent study sponsored by the network monitoring firm found that seven out of 10 security practitioners believed their networks were at risk because of improperly configured devices, and more than half of respondents lacked the knowledge to create metrics to measure security.&lt;br/&gt;&lt;br/&gt;&amp;quot;I often end up talking about Sun Tsu early on: Don't worry about the enemy so much as ... worry about the terrain and know about yourself,&amp;quot; Lloyd says. &amp;quot;These two same principles occur in IT: Know the network, and know the end points in the network.&amp;quot;&lt;br/&gt;&lt;br/&gt;In 2012, companies should put a bit more Eastern philosophy into their security practice.&lt;br/&gt;&lt;br/&gt;1. Know yourself.&lt;br/&gt;Companies need to take stock of their systems and networks for two reasons. The first is to find sources of information that they can monitor. 
Firms should go beyond monitoring just firewall logs, network data, and employee usage patterns, and move to analyzing access logs, domain name requests, and any geolocation data.&lt;br/&gt;&lt;br/&gt;Getting that information is not always easy because the security team might not manage the asset in question, says Eddie Schwartz, chief security officer for RSA.&lt;br/&gt;&lt;br/&gt;&amp;quot;You look at some organizations, and they have roadblocks in place,&amp;quot; he says. &amp;quot;They can't get the information from the Windows team or from the firewall team, when any data that is relevant to solving the security problem should be part of their assets.&amp;quot;&lt;br/&gt;&lt;br/&gt;Find the sources of data and get management on-board to get the data you need to monitor the security of the network, Schwartz says.&lt;br/&gt;&lt;br/&gt;2. Know the terrain.&lt;br/&gt;Using various logs and traffic data, the next step is to find every way in and out of the network, as well as every endpoint.&lt;br/&gt;&lt;br/&gt;Sounds easy? It's not, says RedSeal's Lloyd. Half of all security practitioners do not know, or have no way of knowing, what resources can be accessed from outside the network, according to RedSeal's recent study.&lt;br/&gt;&lt;br/&gt;&amp;quot;Many companies will say, 'We didn't know how much we didn't know until we analyzed our network,'&amp;quot; he says. &amp;quot;Gathering data about the network is not a simple task, and most organizations don't know about every device on their network.&amp;quot;&lt;br/&gt;&lt;br/&gt;Taking an effective stock of the devices, as well as connection patterns among the assets, allows companies to know from where an attack might come and to detect odd usage patterns, as well.&lt;br/&gt;&lt;br/&gt;3. 
Know where to defend.&lt;br/&gt;After finding sources of information to monitor and the layout of the network, companies need to inform their monitoring and defenses by knowing the business function of the assets, Lloyd says.&lt;br/&gt;&lt;br/&gt;When incident responders see an attack, they need to know where the attacker could go and what data could be in danger.&lt;br/&gt;&lt;br/&gt;&amp;quot;A vulnerability scanner could have a lot of value to the network, for example,&amp;quot; he says, &amp;quot;because an attacker in control of that asset will know the weak points of the network.&amp;quot;&lt;br/&gt;&lt;br/&gt;4. Know the enemy.&lt;br/&gt;Industry experts disagree on the importance of global threat intelligence to a company's monitoring plans.&lt;br/&gt;&lt;br/&gt;RedSeal, which focuses more on helping companies understand and secure the network, puts less emphasis on keeping tabs on attackers. RSA, which has about two-dozen threat feeds, is focusing on intelligence-based security as a significant evolution for large companies.&lt;br/&gt;&lt;br/&gt;&amp;quot;Security has to be more agile; it has to be more intelligence-based,&amp;quot; says Art Coviello, executive chairman for RSA. &amp;quot;It is not whether, or if, you are going to be attacked or breached. It is how you are going to be able to respond.&amp;quot;&lt;br/&gt;&lt;br/&gt;For companies that believe attackers will specifically target their systems, keeping track of the threats can be key.&lt;br/&gt;&lt;br/&gt;5. Measure security, not work.&lt;br/&gt;Some companies measure the wrong things, and that can set them up for failure, Lloyd says.&lt;br/&gt;&lt;br/&gt;Using the number of updates applied, antivirus definitions updated or other measures of work does not make a company more secure. 
Instead, it puts the security team on a treadmill, where they have to run faster every quarter to meet expectations, he says.&lt;br/&gt;&lt;br/&gt;&amp;quot;Security is the absence of something, and that is hard to measure,&amp;quot; Lloyd warns. &amp;quot;So what you have to measure is posture -- how far you are ahead of the next threat.&amp;quot;&lt;br/&gt;&lt;br/&gt;Instead, companies should measure metrics that improve security, such as the number of vulnerabilities remediated. &amp;quot;The trick then is to make it quantifiable and repeatable,&amp;quot; he says.</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/14_Five_Principles_To_Improve_Your_Security_Monitoring_files/main_mia_24hour.jpg" length="40372" type="image/jpeg"/>
    </item>
    <item>
      <title>Facebook Chat-based Phishing Attack Impersonates Facebook Security</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/13_Facebook_Chat-based_Phishing_Attack_Impersonates_Facebook_Security.html</link>
      <guid isPermaLink="false">16b564bb-a264-4fb7-a9c7-324e644a1791</guid>
      <pubDate>Fri, 13 Jan 2012 01:59:16 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/13_Facebook_Chat-based_Phishing_Attack_Impersonates_Facebook_Security_files/newart_facebook_logo_180-5208229.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object007_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:195px; height:132px;&quot;/&gt;&lt;/a&gt;A new phishing attack that's spreading through Facebook chat modifies hijacked accounts in order to impersonate the social network's security team.&lt;br/&gt;&lt;br/&gt;Facebook claims that changing the profile name can take up to 24 hours and is subject to confirmation. However, in Jacoby's tests the change occurred almost instantly and required only the password. This was also confirmed by a victim whose profile name was modified within 5 minutes of their account being compromised, he said.&lt;br/&gt;&lt;br/&gt;After the victim's profile name and picture get changed, the attackers send out a chat message to all of their contacts informing them that their accounts will be suspended unless they re-confirm their information.&lt;br/&gt;&lt;br/&gt;The rogue messages appear to be signed by &amp;quot;The Facebook Team&amp;quot; and contain a link to a phishing page hosted on an external domain. The Web page mimics Facebook's design and asks for name, email, password, security question, country, birth date and other information needed to hijack the account.&lt;br/&gt;&lt;br/&gt;However, the attack doesn't stop there. According to Jacoby, a second form asks users for their credit card details and billing address. 
This is somewhat unusual for Facebook phishing attacks, the majority of which target only social networking account information.&lt;br/&gt;&lt;br/&gt;&amp;quot;These scams are just getting more popular and we really recommend not giving out personal information, especially not email, password and credit card information over social media,&amp;quot; Jacoby said.</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/13_Facebook_Chat-based_Phishing_Attack_Impersonates_Facebook_Security_files/newart_facebook_logo_180-5208229.jpg" length="6617" type="image/jpeg"/>
    </item>
    <item>
      <title>Hey, Google: Here's What Fragmentation Means</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/11_Hey,_Google__Heres_What_Fragmentation_Means.html</link>
      <guid isPermaLink="false">558db209-854f-4236-8da3-ccfe7fee6789</guid>
      <pubDate>Wed, 11 Jan 2012 01:56:22 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/11_Hey,_Google__Heres_What_Fragmentation_Means_files/316591-android-4-0-ice-cream-sandwich.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object005_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;This back-and-forth about Android fragmentation is getting a little ridiculous.&lt;br/&gt;I'll cut a swath through the recent articles out there and recommend two. Although I disagree with his view on fragmentation, Eric Schmidt's recent take at CES 2012 on Android's place in the universe is interesting, and recommended reading. It's also worth balancing against MG Siegler's piece on what he believes went wrong with Android. MG Siegler is a known iPhone partisan, but his explanation is compelling.&lt;br/&gt;I don't believe there's a blanket &amp;quot;this one is wrong and this one is right&amp;quot; choice with either of these stories. There are too many shades of gray. But here's what's clear: the way the Android ecosystem works ensures fragmentation, even if there are good intentions on all sides. Instead of denying it, it's much more helpful to work on mitigating it.&lt;br/&gt;Schmidt can call it differentiation instead of fragmentation if he wants, as he did at CES this week, but the result is still OS and app incompatibilities across different Android devices. By allowing vendors to &amp;quot;innovate&amp;quot; on top of the Android code base, Google is relying on phone vendors and carriers to develop bug-free UI layers and other software, maintain it all while simultaneously working on new phones, and continue to support older phones with new OS upgrades along with the new ones. All of that requires a lot of extra development time. 
It also exponentially increases QA with third-party apps.&lt;br/&gt;That wouldn't be a problem in a world of unlimited resources, but we don't live in that world. Phone vendors will tend to allocate developer resources toward creating software for brand new devices that bring in more revenue, while leaving older platforms out in the cold and not fixing bugs in new phones in a timely manner. That's how fragmentation happens. It's not intentional, but given the way the system works, it's unavoidable. Google's dream of one open Android OS and many phone vendors with distinguishing software and bug-free products doesn't work out so neatly in reality.&lt;br/&gt;This is also why the Google Android Update Alliance, originally announced at Google I/O in May 2011 to address the inconsistency and uncertainty of Android OS updates, was doomed to fail (and fail it did).&lt;br/&gt;Let me give an example. In a conversation about this on Google+, John Bergquist, an app developer for both Soma Games and Code-Monkeys, commented that even on iOS devices—which as a rule get OS updates for as long as the hardware allows—customers with first and second-generation iPhones sometimes have trouble running his company's apps. &amp;quot;We chose to develop for Android via the Kindle Fire only for now, because whether [Schmidt] believes or not, the market is fragmented,&amp;quot; Bergquist said.&lt;br/&gt;Sadly, that's a smart strategy, even though it limits the company's potential customer base. Otherwise, smaller independent development studios like Bergquist's will code themselves into oblivion tracking down bugs instead of selling product. &amp;quot;I love the innovative side of Android and despise the fallout,&amp;quot; Bergquist said.&lt;br/&gt;So why let companies modify Android in the first place? 
Phone vendors want to add value and differentiate their devices, because otherwise, everyone is selling the same exact phone: a touch screen slab with a big screen that runs stock Ice Cream Sandwich. That's why these UI layers exist in the first place. Carriers also add tons of bloatware to promote their own services, as well as give smaller app developers a chance at the big time by granting them a prized spot in the stock device menu.&lt;br/&gt;Android phone enthusiasts have always hated this, and we call it out in the reviews. But this isn't the real problem, since the vast majority of Android phone buyers pay little to no attention to such things. What they do notice is that they buy a new phone, download a cool game or an app they can't wait to start using, and then find that the app doesn't run. Or that it runs, but it's buggy, looks awful, or quits after a minute for no apparent reason.&lt;br/&gt;Once in a while, the custom modifications work out: witness the sharply targeted Amazon Kindle Fire. Most of the time, though, they lead to devices that may work well out of the box but act weird with various third-party apps. And it means OS updates will lag, because the next Android version won't automatically play nicely with all the stuff the phone vendor and carrier added, so they can't just make the OS update available automatically.&lt;br/&gt;Schmidt's solution—that &amp;quot;if you don't like it, you can buy the phone from someone else&amp;quot;—doesn't work when you're locked in a two-year contract, when there are over 300,000 apps in Android Market to test, and when a phone vendor goes back on its promise to provide an OS upgrade. How could you possibly know beforehand what's going to happen?&lt;br/&gt;Android has plenty of virtues, and it's turned out to be an awesome competitor to the iPhone. Even with fragmentation, we regularly recommend Android phones because of so many other reasons. 
But fragmentation remains an issue with each new OS revision—regardless of what Google executives say.&lt;br/&gt;</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/11_Hey,_Google__Heres_What_Fragmentation_Means_files/316591-android-4-0-ice-cream-sandwich.jpg" length="22456" type="image/jpeg"/>
    </item>
    <item>
      <title>Been Hacked? Five Steps For Online Safety</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/8_Been_Hacked_Five_Steps_For_Online_Safety.html</link>
      <guid isPermaLink="false">87561115-ad1c-49c5-961d-5d54dfcfcf1c</guid>
      <pubDate>Sun, 8 Jan 2012 01:52:57 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/8_Been_Hacked_Five_Steps_For_Online_Safety_files/71716fc5016f71983c70c1792b300f89.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object002_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;You are sure it could never happen to you. You are careful with your passwords, you don’t fall for get-rich-quick scams and you are too smart to be conned. Well, even smart people have bad things happen to them and getting your email or social media account hacked is one of those bad things.&lt;br/&gt;&lt;br/&gt;Email accounts are taken over by criminals for several reasons, including to get to your personal information and online accounts, to send out fraudulent emails and to use your identity to possibly convince others to give money or personal information. &lt;br/&gt;&lt;br/&gt;Here are some steps to take if you believe your account has been hacked:&lt;br/&gt;&lt;br/&gt;• Report the hack. As soon as you detect that your email account or social media profile has been compromised, report it to the email provider or social media site. Facebook, Twitter, Gmail, Hotmail, Yahoo and other webmail services have methods of resetting your account’s password. If you are completely locked out of your account, you will have to contact their security team and seek assistance. If it is a Gmail account, here is a very thorough look at steps you should take in navigating the process.&lt;br/&gt;&lt;br/&gt;• Assess the damage. After you have re-accessed your account and reset the password, be sure to see what damage is evident from your files. Delete offending tweets or wall posts. 
Check to see what personal or financial information might have been available to the intruders from within your mail folders and notify the banking institutions that the account was hacked.&lt;br/&gt;&lt;br/&gt;• Lockdown. Run a complete virus scan on any computer or device that was compromised. Change the passwords on any of your accounts. Use secure passwords that are not shared across accounts. You can have an easy, less-secure password for news sites perhaps, but for any account that is linked to your financial life or that could be co-opted to damage your personal reputation, a secure, unique password is a must.&lt;br/&gt;&lt;br/&gt;• Alert and apologize. Let your contacts know that your email has been compromised. Apologize to your friends if the hacker sent out inappropriate or offensive content.&lt;br/&gt;&lt;br/&gt;• Be vigilant. You may want to enlist a credit monitoring service if you believe your financial information was compromised. At the very least, be sure to carefully review your accounts, including phone bills or other non-banking sites which can be billed for products or services (iTunes for example).&lt;br/&gt;&lt;br/&gt;Hopefully, you will never be a victim of hacking. Just the thought of the potential damage that could be caused by a hack should be enough to get people to make their accounts and passwords more secure, because we all know that an ounce of prevention is worth a pound of cure.</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/8_Been_Hacked_Five_Steps_For_Online_Safety_files/71716fc5016f71983c70c1792b300f89.jpg" length="13176" type="image/jpeg"/>
    </item>
    <item>
      <title>Facebook Brings Back the Hack</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/5_Facebook_Brings_Back_the_Hack.html</link>
      <guid isPermaLink="false">6b4b8310-dd17-4b05-9023-9e14f1e1047d</guid>
      <pubDate>Thu, 5 Jan 2012 01:54:50 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/5_Facebook_Brings_Back_the_Hack_files/375417_10150496951757200_9445547199_8671684_216495532_a.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object003_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;Hacking is core to how we build at Facebook. Whether we’re building a prototype for a major product like Timeline at a Hackathon, creating a smarter search algorithm, or tearing down walls at our new headquarters, we’re always hacking to find better ways to solve problems.&lt;br/&gt;&lt;br/&gt;Today we’re announcing open registration for Facebook’s second annual Hacker Cup. Programmers from around the world will be judged on accuracy and speed as they race to solve algorithmic problems to advance through up to five rounds of programming challenges. This is your chance to compete against the world’s best programmers for awesome prizes and the title of World Champion.&lt;br/&gt;&lt;br/&gt;What: An annual algorithmic programming contest open to engineers from around the world.&lt;br/&gt;Where: Three online rounds with the finals at Facebook's headquarters in California.&lt;br/&gt;When: Registration opens January 4, 2012 with the three online rounds occurring throughout January 2012. World finals to follow.&lt;br/&gt;Finals: We'll pay to fly and accommodate the top 25 hackers from the third online round out to our campus.&lt;br/&gt;Prizes: Of course! $5,000 USD and title as world champion to the top hacker, $2,000 for second place, $1,000 for third, and $100 for fourth through 25th. Awesome t-shirts for the top 100 hackers coming out of the second online round.&lt;br/&gt;&lt;br/&gt;Details&lt;br/&gt;The competition commences with a 72-hour Qualification Round on January 20, 2012 at 4:00 PM PT and ends on January 23, 2012 at 4:00 PM PT. 
All registered competitors will be presented with three problems. Every competitor who correctly solves at least one problem will advance to Online Round 1.&lt;br/&gt;&lt;br/&gt;Online Round 1 will last 24 hours from January 28, 2012 at 10:00 AM PT and end on January 29, 2012 at 10:00 AM PT. To advance to Online Round 2, participants must solve at least one problem correctly. If more than 500 people solve at least one problem correctly, then the top 500 participants will advance, as well as everyone else who answered the same number of questions correctly as the 500th-place contestant.&lt;br/&gt;&lt;br/&gt;Online Round 2 will last three hours from February 4, 2012 at 1:00 PM PT and end February 4, 2012 at 4:00 PM PT. The competitors will have three hours to solve the presented problem sets. The top-scoring 100 participants from Online Round 2 will receive an official Hacker Cup t-shirt. The top-scoring 100 competitors from Online Round 2 will be notified via email that they have advanced to Online Round 3.&lt;br/&gt;&lt;br/&gt;Online Round 3 will last three hours from February 11, 2012 at 1:00 PM PT and end February 11, 2012 at 4:00 PM PT. The 100 competitors will have three hours to solve the presented problem sets. The top-scoring 25 competitors from Online Round 3 will be notified via email that they have advanced to the final round at Facebook.&lt;br/&gt;&lt;br/&gt;Facebook will fly the top-scoring 25 competitors to Menlo Park, California, for the final round of competition on March 17, 2012, where they'll receive some great cash prizes and other awesome goodies. Out of these 25 finalists, one champion will emerge and be immortalized on the Hacker Cup trophy. Finalists will be responsible for obtaining their own entry visa before arrival in the USA; however, Facebook will reimburse the finalist for any visa application fee and up to $100 USD in travel expenses incurred in obtaining the visa. 
Facebook will not reimburse any fees or expenses related to obtaining a passport.&lt;br/&gt;&lt;br/&gt;Want to get ahead of the competition? Try your hand at the problems from last year's qualification round here and keep an eye on the Hacker Cup Page for more details and announcements as the January 20th qualification round approaches.&lt;br/&gt;&lt;br/&gt;Happy hacking!&lt;br/&gt;</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/5_Facebook_Brings_Back_the_Hack_files/375417_10150496951757200_9445547199_8671684_216495532_a.jpg" length="6445" type="image/jpeg"/>
    </item>
    <item>
      <title>4 big moves Google should make in 2012</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/3_4_big_moves_Google_should_make_in_2012.html</link>
      <guid isPermaLink="false">72341b8d-7aee-49a4-a9fe-70711b77ebda</guid>
      <pubDate>Tue, 3 Jan 2012 01:50:25 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/3_4_big_moves_Google_should_make_in_2012_files/110901060107-google-s-larry-page-story-top.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object001_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;In peeking ahead to predict what 2012 holds for Google, it's informative to look back at the eventful year it had. While one can't help but see the big product introductions -- a social network, a mobile-payment system, a music store -- it's the deletions that are much more interesting.&lt;br/&gt;Google got rid of a host of unwieldy and barely used products and features in 2011. While Google regularly does &amp;quot;spring cleaning&amp;quot; to trim its vast portfolio, the projects scrapped this year were many, and most were originally intended to be major focuses of the company.&lt;br/&gt;Just look at this partial list of the services killed or folded into larger projects: Buzz. Knol. Checkout. PowerMeter. Health. Wave. Even the company's well-meaning initiative to save the world from coal-fired power plants got tossed.&lt;br/&gt;The mass culling is indicative of the style of Google's new CEO, Larry Page. Of course, Page was Google's first CEO, too, stepping aside for a decade to let Eric Schmidt run the show while Page and fellow company co-founder Sergey Brin could craft the company's web services.&lt;br/&gt;Google experimented a lot during that decade, and now that Page is back in the driver's seat, he appears to have gotten that out of his system.&lt;br/&gt;Page is leading Google with unprecedented focus. From the major moves the company has made in the nine short months since Page got the top job, it's clearer than ever which technologies Google is really serious about. 
After all, the ones it's more lukewarm toward have probably gotten the ax.&lt;br/&gt;Being serious isn't the same as success, of course, but it's an essential first step. Google may be aggressively plowing ahead in the areas of social networking, mobile payments and mobile devices, but so are many other heavy hitters. There are sure to be some collisions in 2012. Let's take a look at some key ones.&lt;br/&gt;Google+ comes into its own&lt;br/&gt;Probably the most head-turning Google product launch in 2011 was the debut of Google+. Google's very own social network borrows elements from Twitter and Facebook, but is its own animal. The launch saw virtually instant adoption by pretty much anyone and everyone who considered themselves tech- or media-savvy. And that's been its greatest weakness.&lt;br/&gt;Google+ has had favorable growth and many positive reviews, but it's still relatively unknown among &amp;quot;real&amp;quot; people. And those that do know it have the distinct impression that it's the social network for hard-core nerds. That's something Google has to change if it wants people to use its service instead of competitors, and going mainstream has to be a primary goal in the new year.&lt;br/&gt;It can do so by leveraging its differentiators (like the useful multiple-person videoconferencing Hangouts), but most of all it has to find its voice -- its one-sentence description that doesn't have the words &amp;quot;like Facebook&amp;quot; in it.&lt;br/&gt;This task is largely up to its users, since they're the ones using the service, deciding which features they like and how they use it. They're already starting to, with many Plusers treating the site like a centralized, supercharged blogging service.&lt;br/&gt;Even as Google+ grows, though, it's doubtful that it'll ever be able to rise as high as Facebook, which is expected to hit a cool billion users this year. 
But as long as the service starts to become known as &amp;quot;the place where you...&amp;quot; something, maybe Barney Stinson, the digital-savvy womanizer on &amp;quot;How I Met Your Mother&amp;quot; will be regularly referencing it by the end of 2012.&lt;br/&gt;Android puts its house in order&lt;br/&gt;The most sticking criticism of Android is its fragmentation problem -- that there are so many devices running it, often with completely different specs, that it's impossible to know with any certainty whether or not your device will ever get any updates that Google releases.&lt;br/&gt;That may not have hurt the platform's market share, but it's no doubt given a good chunk of potential customers pause.&lt;br/&gt;Google's acquisition of Motorola is a big step toward, if not putting this fragmentation business to rest, at least turning the tide a little. You can bet the farm that every Motorola device released under the new Google regime will have a clear upgrade path. Although Google's other partners are wary of potential favoritism to Motorola, this actually works in Google's favor, too, since now they'll be strongly motivated to get in line with Google's plans, lest customers opt for the perceived reliability of the Moto/Google name.&lt;br/&gt;At the same time, the recent Android malware scares have given the platform a black eye. While Google has been very effective at addressing viruses and trojans in various evildoing apps as they've appeared, it needs to deploy a more proactive strategy to attack the issue head-on. Could an acquisition of, say, mobile-security company Lookout be next? 
It couldn't hurt.&lt;br/&gt;Ceding tablet territory while building content&lt;br/&gt;It's something of an embarrassment to Google that the most popular Android tablet ever launched is the Amazon Kindle Fire, which doesn't even run Google's tablet-optimized operating system.&lt;br/&gt;Amazon, by creating highly customized software that runs on top of Android and points users to the company's digital services, essentially carved out its own platform by hijacking Google's. Since Android is an open system, there's not much Google can do about it.&lt;br/&gt;At this point, it doesn't really want to just yet. Tablets so far are essentially media-consumption devices -- good for watching TV and movies, reading books and playing games. As colossal as the company is in many areas (see below), right now Google is far from a big player in offering actual content. Google Books and Google TV are anemic services, if not outright flops. Google Music, though promising, is brand new and has no mind share.&lt;br/&gt;So it makes sense that consumers reacted to &amp;quot;proper&amp;quot; Android tablets with disdain. After all, Google never opened up version 3.0 &amp;quot;Honeycomb,&amp;quot; so anyone with actual content to offer (i.e. Amazon and Barnes &amp;amp; Noble) had no interest in using it. The devices on offer were virtually identical overpriced touchscreens whose only noteworthy commonality was that they weren't iPads.&lt;br/&gt;Even though Google's just gotten into the hardware business by purchasing Motorola, I can't see it focusing much on tablets just yet.&lt;br/&gt;Sure, the successors to the Xoom are on their way, and they'll even move into the hands of a few customers, but Google must first focus on bumping up the quality and reputation of its content offerings before any &amp;quot;Xoom Nexus&amp;quot; has a shot at gobbling up market share from Apple and Amazon. 
Original videos on YouTube are a great first step -- there will be many more in 2012.&lt;br/&gt;GDrive cements domination of the cloud&lt;br/&gt;This is kind of a no-brainer, but Google will continue its blot-out-the-sun dominance in its primary services: search, email and cloud services in general.&lt;br/&gt;Bing, the only credible challenger to Google's search business, is rising, but very slowly, and that's with Microsoft shoveling mountains of money into the service. And even though Yahoo and Hotmail now offer much better services than they did a couple of years ago, Gmail still has the (deserved) reputation of being the best and coolest of the lot.&lt;br/&gt;Google's been in the cloud business for a long time, of course, but when it finally unveils its expected Dropbox competitor, nicknamed GDrive, it's hard to see it not becoming an instant hit.&lt;br/&gt;Google is already synonymous with storing stuff online, and with Google+ it's shown it can deftly merge disparate services to create a new and seamless experience. Standing against Google's huge storage capabilities and cloud expertise could be too much for any other player in the space.&lt;br/&gt;Overall: Going with what works&lt;br/&gt;Larry Page appears to have instilled Google with a new sense of focus, quickly striking while the iron's hot on promising products like Google+ and Android, putting stagnant ones like Buzz out of their misery, and nurturing potential late-starters like Google Wallet.&lt;br/&gt;Some games, after all, are long, and we won't know for a while whether the company's bets on technologies such as mobile payments or solar panels will ever pay off. As soon as Page sees a winner, though, he clearly knows how to put the overwhelming force of the entire Google empire behind it.&lt;br/&gt;Before 2012 is out, he'll no doubt have done it several times.</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2012/1/3_4_big_moves_Google_should_make_in_2012_files/110901060107-google-s-larry-page-story-top.jpg" length="31633" type="image/jpeg"/>
    </item>
    <item>
      <title>Microsoft on disabling wireless cards</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/27_Microsoft_on_disabling_wireless_cards.html</link>
      <guid isPermaLink="false">4c84094a-be20-45f6-b6d3-5b816165c861</guid>
      <pubDate>Tue, 27 Dec 2011 17:25:22 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/27_Microsoft_on_disabling_wireless_cards_files/7logo.png&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object552_1.png&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:147px;&quot;/&gt;&lt;/a&gt;I think it is important to disable wireless cards in laptops when a wired connection is present. Microsoft doesn’t. Steve Riley wrote about this back in October 2008. I blogged about that then. Now in a post signed by David Pracht but posted under MichaelPlatts’ userid, the Microsoft Enterprise Networking Team argues that it is no big deal to be connected to the internal corporate network in a wired fashion while you are connected to EVILROGUE hotspot in the parking lot. They say this because Windows 7 has “strong host” routing. Also you could disable the ability to connect to unapproved wireless. They don’t really spell out how “strong host” routing helps.&lt;br/&gt;&lt;br/&gt;Disabling the ability to connect to unapproved wireless is not something I see happening in most organizations. “To improve mobility, here is your laptop. To improve security, you may not connect this to any wireless network except the one here at work. And maybe Starbucks”. Sounds like a recent Dilbert strip.&lt;br/&gt;&lt;br/&gt;There is no valid reason for users to have multihomed computers. While personal firewalls when configured correctly should prevent intrusion by a parking lot pentest access point, why take the risk? It looks like you have a bad security posture.&lt;br/&gt;&lt;br/&gt;Actually the Microsoft article left me wondering what happens if my wired connection is 100 Mb, but the wireless is 802.11n and is identified as having 300 Mb. If both interfaces have default gateways, does the wireless connection then “win”? As I understand that article, fastest speed wins.
Worth testing.&lt;br/&gt;</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/27_Microsoft_on_disabling_wireless_cards_files/7logo.png" length="348211" type="image/png"/>
    </item>
    <item>
      <title>Insurance Against Cyber Attacks Expected to Boom</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/24_Insurance_Against_Cyber_Attacks_Expected_to_Boom.html</link>
      <guid isPermaLink="false">9740ec3d-92b8-4b99-9ae0-a2a0321cdaa0</guid>
      <pubDate>Sat, 24 Dec 2011 17:06:17 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/24_Insurance_Against_Cyber_Attacks_Expected_to_Boom_files/bitpix-sony-hq1-articleInline.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object546_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;Sony is still awaiting the final tally for losses related to its data breaches earlier this year. At last count, it had 100 million compromised customer accounts, and Sony anticipated the debacle would cost $200 million. With 58 class-action suits in the works, that may be wishful thinking.&lt;br/&gt;&lt;br/&gt;But what about Sony’s insurance coverage?&lt;br/&gt;&lt;br/&gt;In a lawsuit filed in July, Sony’s insurer, the Zurich American Insurance Company, said the company did not have a cyber insurance policy. It said Sony’s policy only covered tangible losses like property damage, not cyber incidents.&lt;br/&gt;&lt;br/&gt;Jim Kennedy, a Sony spokesman, said that Sony has coverage for “significant portions” of the losses from the data breaches. “Sony’s coverage includes multiple cyber insurance policies for operations around the world, traditional general liability policies, and property insurance policies that contain express provisions covering damage or disruption to electronic data,” Mr. Kennedy said in a statement. “Sony has already received payments from some of its insurers, and is actively pursuing claims for additional payments.”&lt;br/&gt;&lt;br/&gt;But despite high-profile cyber attacks at Sony, Google, Epsilon, RSA and others this year, only a third of companies surveyed by Advisen, a research group, say they have purchased a cyber insurance policy.&lt;br/&gt;&lt;br/&gt;“That’s cyber insurance in a nutshell,” said Jacob Olcott, a principal with Good Harbor Consulting’s cybersecurity team. 
“Everybody needs it, and most companies don’t realize they don’t have it until it’s too late.”&lt;br/&gt;&lt;br/&gt;Experts say that more companies will buy policies in the coming year because of new Securities and Exchange Commission requirements. Last October, the S.E.C. issued a new guidance requiring that companies disclose “material” cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a “description of relevant insurance coverage.”&lt;br/&gt;&lt;br/&gt;That one S.E.C. bullet point could be a boon to the cyber insurance industry.&lt;br/&gt;&lt;br/&gt;Cyber insurance has been around since the Clinton administration, but most companies tended to “self insure” against cyber attacks, says Robert Ackerman, a venture capitalist at Allegis Capital who specializes in cybersecurity.&lt;br/&gt;&lt;br/&gt;“Companies don’t want to talk about cyber attacks,” Mr. Ackerman says. “All of a sudden, breaches are now going to be more visible and people are going to have to start estimating their costs.”&lt;br/&gt;&lt;br/&gt;There are no statistics on the size of the cyber insurance industry, but Peter Foster, a senior vice president at Willis North America, an insurance broker, estimates there may be $750 million worth of premiums placed. With the recent S.E.C. measure and the frequency and severity of cyber attacks growing, Mr. Foster predicts that figure could grow by 50 percent over the next 12 to 18 months.&lt;br/&gt;&lt;br/&gt;The average cost of a data breach hit $7.2 million last year and cost companies $214 per compromised data record, according to the Ponemon Institute. And that’s just for a data breach. 
If a company’s intellectual property is stolen, it could decimate an organization.&lt;br/&gt;&lt;br/&gt;“It is now possible to suck all the information out of a company,” said Scott Borg, chief executive of the nonprofit United States Cyber Consequences Unit.&lt;br/&gt;&lt;br/&gt;A comprehensive cyber insurance policy should cover intellectual property theft, said Emily Freeman, a cyber insurance broker at Lockton. Most policies, Ms. Freeman said, cover the “twin risks of privacy and security,” which include the cost of lost business, notification costs, credit-monitoring services, public relations and legal and investigation expenses. It may also cover class-action lawsuits, regulatory investigations, civil fines and even extortion demands.&lt;br/&gt;&lt;br/&gt;“There’s no one size fits all. It depends on the size of the company and their exposure,” Ms. Freeman said. “I’ve seen companies buy a million dollars of this coverage with a small deductible. Others have bought $100 million of coverage for a rainy day — the kind of rainy day you might have to disclose to the S.E.C.”&lt;br/&gt;&lt;br/&gt;Correction: An earlier version of this post, citing a lawsuit by the Zurich American Insurance Company, stated that Sony was not insured against losses related to data breaches. The post should have included Sony’s response to the lawsuit. Sony says significant portions of its losses are covered.&lt;br/&gt;</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/24_Insurance_Against_Cyber_Attacks_Expected_to_Boom_files/bitpix-sony-hq1-articleInline.jpg" length="17565" type="image/jpeg"/>
    </item>
    <item>
      <title>LOIC (Low Orbit Ion Cannon) – DOS attacking tool</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/20_LOIC_%28Low_Orbit_Ion_Cannon%29_DOS_attacking_tool.html</link>
      <guid isPermaLink="false">336f4ff3-08e1-4328-9490-d0a5cb2008e1</guid>
      <pubDate>Tue, 20 Dec 2011 16:48:00 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/20_LOIC_%28Low_Orbit_Ion_Cannon%29_DOS_attacking_tool_files/122011_2124_LOICLowOrbi1.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object544_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;The DOS (denial of service) attack is one of the more powerful hacks, capable of completely taking a server down. In this way, the server will not be able to handle the requests of valid users. With a DOS attack, many computer systems connected to the internet will try to flood a server with false requests, leading to a service disruption. There are many ways in which an attacker can enact this attack on a server system over the network or the internet. Some hackers try this attack with their own coded tools while others use previously available tools.&lt;br/&gt;&lt;br/&gt;LOIC (Low Orbit Ion Cannon) is one of the most powerful DOS attacking tools freely available. If you follow news related to hacking and security issues, you doubtless have been hearing about this tool for the past several months. It has become widely used, including in some highly publicized attacks against the PayPal, Mastercard and Visa servers a few months back. This tool was also the weapon of choice of the (in)famous hacker group Anonymous, who have claimed responsibility for many high-profile hacking attacks, among them hacks against Sony, the FBI and other US security agencies. The group not only used this tool, but also requested that others download it and join Anonymous attacks via IRC.&lt;br/&gt;&lt;br/&gt;In this brief article, I will give an overview and operational model of the tool. There are 2 versions of the tool: the first is the binary version, which is the original LOIC tool. The other is web-based LOIC or JS LOIC.&lt;br/&gt;&lt;br/&gt;@Infosec Resources</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/20_LOIC_%28Low_Orbit_Ion_Cannon%29_DOS_attacking_tool_files/122011_2124_LOICLowOrbi1.jpg" length="79476" type="image/jpeg"/>
    </item>
    <item>
      <title>India Asks Google, Facebook to Screen User Content</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/5_India_Asks_Google,_Facebook_to_Screen_User_Content.html</link>
      <guid isPermaLink="false">58d450a9-042f-42da-a145-749a6fbfd64b</guid>
      <pubDate>Mon, 5 Dec 2011 18:23:45 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/5_India_Asks_Google,_Facebook_to_Screen_User_Content_files/5-sibal-indiaink-articleInline-v2.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object581_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:203px;&quot;/&gt;&lt;/a&gt;The Indian government has asked Internet companies and social media sites like Facebook to prescreen user content from India and to remove disparaging, inflammatory or defamatory content before it goes online, three executives in the information technology industry say.&lt;br/&gt;&lt;br/&gt;Top officials from the Indian units of Google, Microsoft, Yahoo and Facebook are meeting with Kapil Sibal, India’s acting telecommunications minister, on Monday afternoon to discuss the issue, say two executives of Internet companies. The executives asked not to be identified because they are not authorized to speak to the media on the issue.&lt;br/&gt;&lt;br/&gt;Mr. Sibal’s office confirmed that he would meet with Internet service providers Monday but did not provide more information about the content of the meeting.&lt;br/&gt;&lt;br/&gt;About six weeks ago, Mr. Sibal called legal representatives from the top Internet service providers and Facebook into his New Delhi office, said one of the executives who was briefed on the meeting.&lt;br/&gt;&lt;br/&gt;At the meeting, Mr. Sibal showed attendees a Facebook page that maligned the Congress Party’s president, Sonia Gandhi.  “This is unacceptable,” he told attendees, the executive said, and he asked them to find a way to monitor what is posted on their sites.&lt;br/&gt;&lt;br/&gt;In the second meeting with the same executives in late November, Mr. Sibal told them that he expected them to use human beings to screen content, not technology, the executive said.&lt;br/&gt;&lt;br/&gt;The three executives said Mr. 
Sibal has told these companies that he expects them to set up a proactive prescreening system, with staffers looking for objectionable content and deleting it before it is posted.&lt;br/&gt;&lt;br/&gt;The executives said representatives from these companies will tell Mr. Sibal at the meeting on Monday that his demand is impossible, given the volume of user-generated content coming from India, and that they cannot be responsible for determining what is and isn’t defamatory or disparaging.&lt;br/&gt;&lt;br/&gt;“If there’s a law and there’s a court order, we can follow up on it,” said an executive from one of the companies attending the meeting. But these companies can’t be in the business of deciding what is and isn’t legal to post, he said.&lt;br/&gt;&lt;br/&gt;Yahoo, Facebook and Microsoft did not respond immediately to calls for comment, and a Google spokeswoman said the company had no comment on the issue. Facebook said earlier this year it has more than 25 million users in India. Google has over 100 million Internet users in India.&lt;br/&gt;&lt;br/&gt;The demand is the Indian government’s latest attempt to monitor and control electronic information. In April, the ministry issued rules demanding Internet service providers delete information posted on Web sites that officials or private citizens deemed disparaging or harassing. Last year, the government battled with Blackberry’s manufacturer, Research In Motion, threatening to shut the company’s service off in India if it did not allow government officials greater access to users’ messages.&lt;br/&gt;&lt;br/&gt;The Indian government also plans to set up its own unit to monitor information posted on Web sites and social media sites, executives said, which will report to Gulshan Rai, the director general of India’s cyber-security monitor.&lt;br/&gt;&lt;br/&gt;A man who answered the phone in Mr. 
Rai’s office said he did not talk to the press and hung up when a reporter asked for a press contact.&lt;br/&gt;&lt;br/&gt;Some Indian cities like Mumbai have already set up special units to monitor Internet sites like Facebook and Orkut, the social networking site operated by Google, for content considered disparaging or obscene. India has made nearly 70 requests to Google to remove content between January and June of this year, one of the highest request rates of any country though less than the United States’s 92 and Brazil’s 224, according to Google’s transparency report.&lt;br/&gt;</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/12/5_India_Asks_Google,_Facebook_to_Screen_User_Content_files/5-sibal-indiaink-articleInline-v2.jpg" length="16662" type="image/jpeg"/>
    </item>
    <item>
      <title>Protecting data for the long term with forward secrecy</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/11/22_Protecting_data_for_the_long_term_with_forward_secrecy.html</link>
      <guid isPermaLink="false">73d3f630-4ac4-4ae6-bec5-946fb8fcdd5d</guid>
      <pubDate>Tue, 22 Nov 2011 17:36:33 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/11/22_Protecting_data_for_the_long_term_with_forward_secrecy_files/ecdhe.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object556_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;Last year we introduced HTTPS by default for Gmail and encrypted search. We’re pleased to see that other major communications sites are following suit and deploying HTTPS in one form or another. We are now pushing forward by enabling forward secrecy by default.&lt;br/&gt;&lt;br/&gt;Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years’ time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.&lt;br/&gt;&lt;br/&gt;Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.&lt;br/&gt;&lt;br/&gt;Forward secret HTTPS is now live for Gmail and many other Google HTTPS services(*), like SSL Search, Docs and Google+. We have also released the work that we did on the open source OpenSSL library that made this possible. You can check whether you have forward secret connections in Chrome by clicking on the green padlock in the address bar of HTTPS sites. 
Google’s forward secret connections will have a key exchange mechanism of ECDHE_RSA.&lt;br/&gt;&lt;br/&gt;We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision.&lt;br/&gt;&lt;br/&gt;(* Chrome, Firefox (all platforms) and Internet Explorer (Vista or later) support forward secrecy using elliptic curve Diffie-Hellman. Initially, only Chrome and Firefox will use it by default with Google services because IE doesn’t support the combination of ECDHE and RC4. We hope to support IE in the future.)&lt;br/&gt;</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/11/22_Protecting_data_for_the_long_term_with_forward_secrecy_files/ecdhe.jpg" length="35594" type="image/jpeg"/>
    </item>
    <item>
      <title>Best Practices for Verifying and Cleaning up a Compromised Site</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/22_Best_Practices_for_Verifying_and_Cleaning_up_a_Compromised_Site.html</link>
      <guid isPermaLink="false">09b1094f-527d-49ec-878d-326c860b0f1b</guid>
      <pubDate>Sat, 22 Oct 2011 18:08:03 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/22_Best_Practices_for_Verifying_and_Cleaning_up_a_Compromised_Site_files/How-to-Clean-up-Malware-from-the-Hacked-or-Infected-Website.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object584_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:184px; height:132px;&quot;/&gt;&lt;/a&gt;As part of Cyber Security Awareness Month, Google's Anti-Malware Team is publishing a series of educational blog posts inspired by questions we've received from users. October is a great time to brush up on cyber security tips and ensure you're taking the necessary steps to protect your computer, website, and personal information. For general cyber security tips, check out our online security educational series or visit &lt;a href=&quot;http://www.staysafeonline.org/&quot;&gt;http://www.staysafeonline.org/&lt;/a&gt;. To learn more about malware detection and site cleanup, visit the Webmaster Tools Help Center and Forum.&lt;br/&gt;&lt;br/&gt;In our last post in this series, we explained Google's malware scanning process and how malware warning reviews work. It's not always clear to webmasters how to go about cleaning up their sites once they've been compromised, so this time we thought we'd share some best practices.&lt;br/&gt;&lt;br/&gt;1) Verify Your Site with Google Webmaster Tools&lt;br/&gt;&lt;br/&gt;If you have added and verified your site's ownership with Google Webmaster Tools, you can view a partial list of URLs where our system has detected suspicious content on your site, as well as samples of the malicious code. Once you've thoroughly cleaned up your site and addressed the vulnerability that allowed it to be compromised, it's easy to request a review through Webmaster Tools. We recognize that some site owners may want to use these tools even if they haven't already signed up with Webmaster Tools. 
For that reason, we enable you to verify ownership of your sites at any time, even if our systems have listed them as potentially dangerous.&lt;br/&gt;&lt;br/&gt;2) If Your Site Has Been Compromised, Perform a Comprehensive Cleanup&lt;br/&gt;&lt;br/&gt;If any part of your site has been compromised, thoroughly check all pages on the site for harmful code or content — not just the example pages listed in Webmaster Tools. Be sure to identify and address the underlying vulnerability that led to the compromise, or else reinfection is likely to occur.&lt;br/&gt;&lt;br/&gt;Remember to Check Your Web Server Configuration&lt;br/&gt;&lt;br/&gt;In addition to checking the contents of your site's pages and web server source code, remember to check that your web server configuration has not been modified by any intruders. If your web server has been compromised, your site's error pages can be modified to include custom HTML that actually redirects visitors to malicious sites.&lt;br/&gt;&lt;br/&gt;Deleted &amp;amp; Error Pages: Dark Corners of Your Website Where Malware May Be Lurking&lt;br/&gt;&lt;br/&gt;When a page is deleted from a site, the web server returns an error code (usually 404: Not Found) when requests to the &amp;quot;deleted&amp;quot; URLs are made. In addition to the error code in the HTTP header, the web server may send a custom error page or &amp;quot;Not Found&amp;quot; page, usually intended to help users find what they are looking for. If your site is infected, its error page can contain arbitrary HTML that exposes your visitors to malware. You can search our Webmaster Forum for information about how others are dealing with similar problems. 
The recently-launched malware samples feature in Google Webmaster Tools could also come in handy.&lt;br/&gt;&lt;br/&gt;3) If You Switch Hosting Providers, Disable Access to the Old Version of Your Site&lt;br/&gt;&lt;br/&gt;When a site is moved to a different hosting provider, the DNS records are updated such that the domain name points to a new IP address. In some cases, DNS caching can cause your domain name to continue resolving to the old IP address for some visitors even after the site has moved. For this reason, we recommend instructing your former hosting provider to stop serving any content for your site. This may cause some visitors to experience server errors for a few hours, but can protect them from visiting a potentially dangerous web server.&lt;br/&gt;</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/22_Best_Practices_for_Verifying_and_Cleaning_up_a_Compromised_Site_files/How-to-Clean-up-Malware-from-the-Hacked-or-Infected-Website.jpg" length="29657" type="image/jpeg"/>
    </item>
    <item>
      <title>Data is not information</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/20_Data_is_not_information.html</link>
      <guid isPermaLink="false">bbf19d24-f6ef-4105-9c93-b513f2ed056e</guid>
      <pubDate>Thu, 20 Oct 2011 16:38:24 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/20_Data_is_not_information_files/data.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object540_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:178px; height:132px;&quot;/&gt;&lt;/a&gt;But just collecting data isn’t enough. You need to use the data to draw conclusions about what’s happening in your environment. That requires indexing the data, supplementing and enriching it with additional context, alerting on the data, and then searching through the data to pursue an investigation. This is all technically demanding. Just capturing the full network packet stream requires a purpose-built data store, which does some black magic to digest and index network traffic at sufficient speed to provide usable, actionable information to shorten the exploit window.&lt;br/&gt;&lt;br/&gt;To get an idea of the magnitude of this challenge, note that many SIEM platforms struggle to handle 10,000-15,000 events per second. We are talking here about capturing 10-100 Gbps of honest-to-goodness network traffic – not 100 KB log records. Don’t try this on your SIEM or log aggregation device.&lt;br/&gt;&lt;br/&gt;@Securosis Blog</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/20_Data_is_not_information_files/data.jpg" length="43544" type="image/jpeg"/>
    </item>
    <item>
      <title>The Network Doesn’t Lie</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/20_The_Network_Doesnt_Lie.html</link>
      <guid isPermaLink="false">55845208-a776-4993-a790-3d6d176a24da</guid>
      <pubDate>Thu, 20 Oct 2011 16:36:07 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/20_The_Network_Doesnt_Lie_files/lie.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object541_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;For the purposes of this discussion, let’s assume time starts at the moment an attacker gains a foothold in your network. That could be by compromising a device (through whatever means) already on the network, or by having a compromised device connect to the internal network. At that point the attacker is in the house, so the clock is ticking. What do they do next? An attacker will try to move through your environment to achieve their ultimate goal, whether that be compromising a specific data store or adding to their bot army, or whatever.&lt;br/&gt;&lt;br/&gt;There are about a zillion specific things the attacker could do, and 99% of them depend on the network in some way. They can’t find another target(s) without using the network to locate it. They can’t attack the target without trying to connect to it, right? Furthermore, even if they are able to compromise the ultimate target, the attackers must then exfiltrate the data. So they will try to use the network to move the data.&lt;br/&gt;&lt;br/&gt;They need the network, pure and simple. Which means they will leave tracks, but only if you are looking. This is why we favor (as described in React Faster and Better) capturing as much of the full network packet data as possible. Attackers could compromise network devices and delete log records. They could generate all sorts of meaningless traffic to confuse network behavioral analysis.&lt;br/&gt;&lt;br/&gt;But they can’t alter the packet stream as it’s captured, which becomes the linchpin of the data you’ll collect to perform this advanced network security analysis.&lt;br/&gt;&lt;br/&gt;@Securosis Blog</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/20_The_Network_Doesnt_Lie_files/lie.jpg" length="20415" type="image/jpeg"/>
    </item>
    <item>
      <title>Logs are not enough</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/20_Logs_are_not_enough.html</link>
      <guid isPermaLink="false">05b0d773-254d-424c-9613-00a43fdaf0a6</guid>
      <pubDate>Thu, 20 Oct 2011 15:40:59 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/20_Logs_are_not_enough_files/slide12.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object542_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;Back when I was in the SIEM space, it was clear that event logs are a great basis for compliance reporting, because they effectively substantiate implemented controls. As long as the logs are not tampered with, at least. But when you are working to isolate a security issue, the logs tell you what happened, but lack the depth to truly understand how it happened. Isolating a security attack using log data requires having logs from all points in the path between attacker and target. If you aren’t capturing information from the application servers, databases, and applications themselves, visibility is severely impaired.&lt;br/&gt;&lt;br/&gt;Contrast that against the ability to literally replay an attack from a full network packet capture. You could follow along as the attacker broke your stuff. See the path they took to traverse your network, the exploits they used to compromise devices, the data they exfiltrated, and how they covered their tracks by tampering with the logs. Of course this assumes you are capturing the right network traffic along the attacker’s path, and it might not be feasible to capture all traffic all the time. But still, if you look to implement a full network packet capture sandwich (as we described in the React Faster and Better series), incident responders have much more information to work with. We’ll discuss how to deploy the technology to address some of these issues later in this series. Given that you need additional data to do your job, where should you look?&lt;br/&gt;&lt;br/&gt;@Securosis Blog</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/20_Logs_are_not_enough_files/slide12.jpg" length="159619" type="image/jpeg"/>
    </item>
    <item>
      <title>Phishing URLs and XML Notifications</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/16_Phishing_URLs_and_XML_Notifications.html</link>
      <guid isPermaLink="false">8c2da41c-a4d9-4771-a74b-395331bb5706</guid>
      <pubDate>Sun, 16 Oct 2011 17:56:45 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/16_Phishing_URLs_and_XML_Notifications_files/twitterwatch_out.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object583_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;Recently, we announced Safe Browsing Alerts for Network Administrators. Today we’re adding phishing URLs to the notification messages. This means that in addition to being alerted to compromised URLs found on networks, you’ll be alerted to phishing URLs as well.&lt;br/&gt;&lt;br/&gt;We’d also like to point out the XML notification feature. By default, we send notification messages in a simple email message. However, we realize that some of you may want to process these notifications by a script, so we’ve added the ability to receive messages in XML format. Click on an AS in your list to modify preferences, such as enabling the XML notification feature. If you decide to use XML email messages, you should familiarize yourself with the XML Schema.&lt;br/&gt;</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/16_Phishing_URLs_and_XML_Notifications_files/twitterwatch_out.jpg" length="69283" type="image/jpeg"/>
    </item>
    <item>
      <title>Protecting your data in the cloud</title>
      <link>http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/16_Protecting_your_data_in_the_cloud.html</link>
      <guid isPermaLink="false">b67e7f62-fe4f-44b8-9a59-a160fc791f1b</guid>
      <pubDate>Sun, 16 Oct 2011 17:54:28 +0530</pubDate>
      <description>&lt;a href=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/16_Protecting_your_data_in_the_cloud_files/5805157697_9410085190.jpg&quot;&gt;&lt;img src=&quot;http://www.gundeepbindra.com/blog/Blog/Blog/Media/object570_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:176px; height:132px;&quot;/&gt;&lt;/a&gt;Like many people, you probably store a lot of important information in your Google Account. I personally check my Gmail account every day (sometimes several times a day) and rely on having access to my mail and contacts wherever I go. Aside from Gmail, my Google Account is tied to lots of other services that help me manage my life and interests: photos, documents, blogs, calendars, and more. That is to say, my Google Account is very valuable to me.&lt;br/&gt;&lt;br/&gt;Unfortunately, a Google Account is also valuable in the eyes of spammers and other people looking to do harm. It’s not so much about your specific account, but rather the fact that your friends and family see your Google Account as trustworthy. A perfect example is the “Mugged in London” phishing scam that aims to trick your contacts into wiring money — ostensibly to help you out. If your account is compromised and used to send these messages, your well-meaning friends may find themselves out a chunk of change. If you have sensitive information in your account, it may also be at risk of improper access.&lt;br/&gt;&lt;br/&gt;As part of National Cyber Security Awareness month, we want to let you know what you can do to better protect your Google Account.&lt;br/&gt;&lt;br/&gt;Stay one step ahead of the bad guys&lt;br/&gt;&lt;br/&gt;Account hijackers prey on the bad habits of the average Internet user. 
Understanding common hijacking techniques and using better security practices will help you stay one step ahead of them.&lt;br/&gt;&lt;br/&gt;The most common ways hijackers can get access to your Google password are:&lt;br/&gt;&lt;br/&gt;Password re-use: You sign up for an account on a third-party site with your Google username and password. If that site is hacked and your sign-in information is discovered, the hijacker has easy access to your Google Account.&lt;br/&gt;Malware: You use a computer with infected software that is designed to steal your passwords as you type (“keylogging”) or grab them from your browser’s cache data.&lt;br/&gt;Phishing: You respond to a website, email, or phone call that claims to come from a legitimate organization and asks for your username and password.&lt;br/&gt;Brute force: You use a password that’s easy to guess, like your first or last name plus your birth date (“Laura1968”), or you provide an answer to a secret question that’s common and therefore easy to guess, like “pizza” for “What is your favorite food?”&lt;br/&gt;&lt;br/&gt;As you can see, hijackers have many tactics for stealing your password, and it’s important to be aware of all of them.&lt;br/&gt;&lt;br/&gt;Take control of your account security across the web &lt;br/&gt;&lt;br/&gt;Online accounts that share passwords are like a line of dominoes: When one falls, it doesn’t take much for the others to fall, too. This is why you should choose unique passwords for important accounts like Gmail (your Google Account), your bank, commerce sites, and social networking sites. We’re also working on technology that adds another layer of protection beyond your password to make your Google Account significantly more secure.&lt;br/&gt;&lt;br/&gt;Choosing a unique password is not enough to secure your Google Account against every possible threat. That’s why we’ve created an easy-to-use checklist to help you secure your computer, browser, Gmail, and Google Account. 
We encourage you to go through the entire checklist, but want to highlight these tips:&lt;br/&gt;&lt;br/&gt;Never re-use passwords for your important accounts like online banking, email, social networking, and commerce.&lt;br/&gt;Change your password periodically, and be sure to do so for important accounts whenever you suspect one of them may have been at risk. Don’t just change your password by a few letters or numbers (“Aquarius5” to “Aquarius6”); change the combination of letters and numbers to something unique each time.&lt;br/&gt;&lt;br/&gt;Never respond to messages, non-Google websites, or phone calls asking for your Google username or password; a legitimate organization will not ask you for this type of information. Report these messages to us so we can take action. If you responded and can no longer access your account, visit our account recovery page.&lt;br/&gt;&lt;br/&gt;We hope you’ll take action to ensure your security across the web, not just on Google. Run regular virus scans, don’t re-use your passwords, and keep your software and account recovery information up to date. These simple yet powerful steps can make a difference when it really counts.&lt;br/&gt;</description>
      <enclosure url="http://www.gundeepbindra.com/blog/Blog/Blog/Entries/2011/10/16_Protecting_your_data_in_the_cloud_files/5805157697_9410085190.jpg" length="31366" type="image/jpeg"/>
    </item>
  </channel>
</rss>

