Fantastic news from the Hover blog:
We’ve partnered up with Google to cut down 10+ of the steps needed for the domain registration portion of the signup process to just three steps. Now, you can not only verify, but also transfer your email in just a couple of clicks. The best part – you’re no longer required to leave the Google App to complete domain registration!
via Hover integrates with Google Apps | Hover Blog.
This is quite nice and very handy, although you’d only need it during initial setup.
However, if you’re an Apps re-seller and set up domains and accounts for people frequently, it will save a lot of time.
Excellent – this could be quite valuable in certain organizations.
Objectionable Content and Content Compliance email security settings are now available directly in the Google Apps Control Panel. These new settings will allow admins to filter messages based on word lists or predefined sets of words, phrases, text patterns, or numerical patterns.
via Google Apps update alerts: Email security for Google Apps: Objectionable Content and Content Compliance features now available.
We’ve released two security enhancements to Gmail that help protect you from phishing attempts.
- Going forward, email address will be visible next to the display name for senders that aren’t in your Contacts list.
- We now scan messages and alert you if the sender may have spoofed a Gmail address.
Good – issue #1 there has irritated me for a long time.
via Google Apps update alerts: Protect your account with new security features in Gmail.
If you use Google Apps and have Linux machines you access via SSH, this is a handy method to add two-factor authentication to your environment:
When Google introduced two-factor authentication for the Google and Google Apps accounts, they also created a pluggable authentication module (PAM) for Linux. This is great news for people running Linux servers who want to protect their remotely-accessible SSH accounts with two-factor authentication. For free.
via Two-factor SSH authentication via Google secures Linux logins | TechRepublic.
Thank you Google, on behalf of my employees who get married and change their names.
The ability to rename a user’s email address is now available in the administrator control panel.
How to access what’s new:
Go to ‘Organizations and users’ > Select the check box next to a user > Click ‘Rename user’ under the ‘More actions’ dropdown
via Google Apps update alerts: Need to change a username? Ability to rename a user’s email address is now available.
Excellent new feature, and easy to use!
We recently released the ability to recover a deleted site in Google Sites. If an owner of a site accidentally deletes a site, it will be immediately removed from view but they may recover it by visiting its URL within 30 days. Once 30 days have elapsed however, it will not be possible to recover the site under any circumstances and it will be permanently deleted.
via Google Apps update alerts: Accidentally delete a site? Owners can now recover a deleted site in Google Sites.
A new minimum password length has now been introduced to Google Apps domains. If administrators manage user passwords using the Control Panel, the new minimum is 8 characters instead of 6.
If domains are using a Single Sign-On system, then the administrator is responsible for this authentication system so are not affected.
If admins are using a password-sync solution, then please ensure that the system is sending hashed passwords to Google. If it’s sending hashed passwords then users are not affected by this new requirement.
If the password-sync solution is sending plain-text passwords, then this is not recommended and the domain will be affected by this change.
And if you’re sending your internal users’ plain-text passwords out across the Internet, you need help.
via Google Apps update alerts: New minimum password length requirement for Google Apps.
Google Cloud Connect for Microsoft Office is now available to download for all Google Apps domains. With this plugin, you can now share, backup and simultaneously edit Microsoft Word, PowerPoint®, and Excel® documents with co-workers without the need for sending attachments back and forth.
via Google Apps update alerts: Teach your old docs new tricks with Google Cloud Connect for Microsoft Office.
It’s been very interesting watching the HBGary vs Anonymous event unravel in such a public way, with such well-known hacker methodology used to compromise the systems of security specialists. Anonymous uses SQL injection on HBGary’s public CMS to find a few usernames and passwords, and with a non-privileged user account they were able to compromise an otherwise fairly secure Linux system that was behind on its patches:
The only way they can have some fun is to elevate privileges through exploiting a privilege escalation vulnerability. These crop up from time to time and generally exploit flaws in the operating system kernel or its system libraries to trick it into giving the user more access to the system than should be allowed. By a stroke of luck, the HBGary system was vulnerable to just such a flaw. The error was published in October last year, conveniently with a full, working exploit. By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.
Exploitation of this flaw gave the Anonymous attackers full access to HBGary’s system. It was then that they discovered many gigabytes of backups and research data, which they duly purged from the system.
Aaron’s password yielded even more fruit. HBGary used Google Apps for its e-mail services, and for both Aaron and Ted, the password cracking provided access to their mail. But Aaron was no mere user of Google Apps: his account was also the administrator of the company’s mail. With his higher access, he could reset the passwords of any mailbox and hence gain access to all the company’s mail—not just his own. It’s this capability that yielded access to Greg Hoglund’s mail.
PCI DSS requires that patches be installed monthly. In addition, could Google Apps’ two-factor authentication have helped prevent that portion of the attack?
So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren’t patched. And an astonishing willingness to hand out credentials over e-mail, even when the person asking for them should have realized something was up.
It’s not enough to know security if you don’t actually implement it.
via Anonymous speaks: the inside story of the HBGary hack.
2-Step verification is now available for Google Apps (free) edition. When enabled by an administrator, it requires two means of identification to sign in to a Google Apps account. A mobile phone is the main requirement to use the second form of identification. It doesn’t require any special tokens or devices. After entering a password, a verification code is sent to the user’s mobile phone via SMS, voice calls, or generated on an application they can install on their Android, BlackBerry or iPhone device.
This makes it much more likely that it is the user accessing the data: even if someone has stolen the password, they’ll need more than that to access the account. Users can also indicate when they’re using a computer they trust and don’t want to be asked for a verification code from that machine in the future.
via Google Apps update alerts: 2-Step authentication now available to Google Apps (free) edition.