Special: Dragon*Con session – Webmail Security

This special episode of the Gmail Podcast is a recording of a webmail security presentation I did at DragonCon in Atlanta Georgia on September 3, 2011. I co-presented for the EFF track with my Technorama co-host Kreg Steppe. It’s a little longer than my usual Gmail Podcast. And at times it starts to become a Google support forum, but thanks to Kreg’s facilitation, he gets things back on track. This episode contains many topics discussed on previous episodes of the Gmail Podcast, along with some new information, put together in one package. If you’re looking for better ways to reduce your risk email attacks, then you won’t want to miss this episode.

Podcast: Play in new window | Download

Auto Advance

In this episode, I cover

• A way to advance to the next conversation without going back to the index,
• A recommendation from a fellow podcaster whose Gmail account was hacked
• A quick note about an update to the iPhone interface.

First up, long time listeners will know that I’m a fan of the Gmail keyboard shortcuts. They have been a huge time saver for keeping my inbox organized when using the desktop browser interface. I also understand that not everyone uses the keyboard shortcuts and there are some features that are not available from standard screen interface.

One of those is the ability to archive a message and advance forward or backward in your conversations without going to the index. Keyboard junkies already know about the right and left square bracket keys (“[” and “]”) to do this. Unfortunately, there was no way for those who prefer the mouse to do the same thing. Once again, Google has heard the cries of their Gmail audience and created a labs feature called Auto-Advance that lets you determine if you want Gmail to advance to the next or previous conversation, OR return to the index after you archive, delete, or mute a conversation.

Like other Labs features, click on Settings in the upper right, then click the Labs tab. Look for the feature labeled “Auto-Advance” and click Enable, scroll to the bottom and click “Save”. This turns the feature on, but doesn’t change the behavior until you go to the General Settings and tell it to advance to the next or previous conversation. If you’re the kind of person who likes to start with your newest mail first, change the setting to go to the previous conversation. If you read your older messages first, then set tell Gmail to go to the next newer conversation. If you decide this option isn’t for you, either change it to the setting “Go back to the threadlist” or disable the labs feature.

Whether your a keyboard shortcut junkie or prefer the mouse, the Auto-Advance feature should make it easier to keep your inbox clean without having to go back to the index every time you archive, delete, or mute a conversation. I activated the feature shortly after I heard about it and love it.

Next, I received the following message from Dennis Gray over at the 101 Uses for Baby Wipes podcast:

Apologies to all for the strange e-mail you received from my account.  Google advised me that my Gmail account had been accessed from China, and once I received that notice I locked the account for a few days and changed the password.

If you’ve ever been curious about what the warning looks like, I have attached a snapshot of the warning. (Which I have included in the show notes on the Gmail Podcast website) Sad thing is, the warning doesn’t show up in mobile Safari browsers, which are now my primary web access tools.  The warning also does not appear in the mail app for iPad.

It does show up in Firefox, though, and that is how I captured the warning, saved for posterity in the attached .PNG file.

Once again, my apologies for the spam, and the ‘radio silence’ that followed.

The key take away from this is the recommendation to change your password once in a while, say every six months, and use a secure password with mixed case, numbers, and throw in a symbol to keep those hackers off your mail account. Remember, you can change your password from Settings> Accounts and Import or go to google.com/accounts. If you’re not good at remembering passwords, I recommend using a password tool like 1Password at agilewebsolutions.com or KeePass at keepass.info.

Finally, a quick note for your iPhone Gmail users. You probably already noticed, but the floating toolbar is no more. When you select one or more conversations from the index, the option to archive, delete, and more is at the bottom rather than floating at the top. It’s a subtle change, but a nice one in my opinion. What’s neat is that they are willing to share the JavaScript and HTML techniques used to do this with other developers. Watch for that on code.google.com/mobile. Thanks Google!

Podcast: Play in new window | Download

Tags: archiving, iphone, password, Security

Gmail News: October 2010

I’ve come across several new stories and features regarding Gmail that just didn’t seem to fit in any other podcast so I’ll cover them here. Today I’ll be covering:

• Buzz on the sidebar
• A security checklist
• Watch out for a phishing scam
• Calendar notifications in Gmail

To start, Gmail has a new feature being rolled out that puts the latest Google Buzz comments from the mail sender on your sidebar. When you open a conversation, look on the left and if the person writes Buzz comments, you will see them there. If you don’t see the option, it could be that the person either doesn’t use Buzz, or that you need to turn this feature on. You can find it under Settings on the Buzz tab just below Your External Apps. If you don’t see the option there, it could be that it hasn’t been released to you yet. Keep watching. Like most features, this is being released in a phased approach.

Gmail is currently Google’s biggest application to date. While Buzz has a few million users, it hasn’t lived up to Google’s expectations and still falls far short of being a Twitter of Facebook killer. Google hopes that by making Buzz messages more prominent in the Gmail interface, it will drive more people to use the feature.

Next up, I came across a security checklist on Gmail’s help site with 18 steps to help make your computer more secure. The checklist includes everything from keeping the latest software and patches installed to changing your password periodically. I’ll include a link in the show notes so you can make sure you do your part to prevent problems and unwanted access to your computer. I went through it and found a couple things that I could probably do a little better. Thanks Google!

On a security note, listener Norb sent along a phishing scam that you might want to look out for. Phishing (with a ph) is a way in which people send fake email messages to try and gain your access information. A typical one would be from someone impersonating PayPal with a link to their site that looks like PayPal to try and get you to login with your account information and bam – they’ve got your PayPal login and password. Bad idea. How do you protect yourself? Watch for key clues.

One key way is to watch for grammatical errors. Things like “we have determine that your account is at risk. Please login to confirm account information.” Another way is to check the links before clicking

Once you become aware that most services like your bank, eBay, and so on don’t send out messages that say “You’ve won”, or “You need to validate your access”, you can  just delete these, or better yet, use the Gmail option to report phishing so it can learn and block these messages so other people don’t receive similar messages.

The message that Norb sent me appears to be sent from Google Service and goes like this:

Our science & technology team has recently launched Google web software to protect and secure all Gmail Accounts. This system also enhanced efficient networking and fully supported browser. You need to upgrade to a fully supported browser by filling out the details below for validation purpose and to confirm your details on the new webmaster Central system.   Account Name:      Pass word: Country:  Date of Birth:   Note: Your Account will be disabled permanently if you failed to provide the details below within 72hours. Gmail will not be heard responsible for your negligence. The Google web Service.
Sent from my Verizon Wireless BlackBerry

Again, the first giveaway is the grammar. Don’t be taken in by threats of your account being deactivated. Just report it as phishing and go on with the rest of your day.

Finally, I wanted to pass on a neat feature that I hadn’t noticed until recently. If you’re a Google Calendar user like me, then you may have noticed that Gmail will put a short alert message in the lower right corner of the screen when an appointment alarm goes off. If you’ve got a browser window open with Google Calendar running, it will fire an alert there and change your browser focus to that window. However, if you only running Gmail, then you’ll get a little alert in the lower right with the name of the event, the calendar it is from, and two links; one to view the appointment in your calendar and the other to close the short alert message. This is far less annoying than Google calendar hijacking your browser and forcing you to look at the appointment in the middle of typing something!

Podcast: Play in new window | Download

Two Factor Follow Up

George Starcher joins me to share his real life experience with Google’s new security feature.

Brought to you by GotoAssist. Try it free for 30 days.

In the previous episode of the Gmail Podcast, I mentioned that Google has a two factor authentication available to keep your login information more secure than just using a password. Shortly after I released that, I got an email from my friend and fellow Friends In Tech member, George Starcher to discuss his first week of experience after working with the new security method in his day job.

Podcast: Play in new window | Download

Protect Yourself

This episode is sponsored by GotoAssist Express. Try it free for 30 days.

It’s time to take a look at maintaining your Gmail security. It’s no secret that the Internet can be a dangerous place. Fortunately, you don’t have to be an IT security geek to protect your Gmail account. With a few simple, common sense steps, and a little familiarity of some key Gmail features, you can protect yourself from people trying to gain access to your account.

You know the story. You get an email from a friend of yours who is reported to be stranded overseas and needs a couple hundred dollars to get home. This is one of the common messages and, of course, completely false. Your friend’s email account has been compromised, he’s got no idea until it’s too late, and your name happened to be in the address book along with who knows how many others who got a similar message. Remember, they wouldn’t be doing it if it didn’t work at least some of the time.

How do you prevent yourself from the same fate as your friend? (Not the ‘getting stuck overseas part’). The first step is understanding how your account could be breached. One way is forgetting logout on a public computer (a hotel kiosk for example.) Another way would be if someone had installed keylogging software on the computer you used. While undetectable to you, there are steps you can take to mitigate the risk.

First, select a strong password. Use a combination of letters, numbers, and throw in a symbol here or there. Use uppercase and lower case letters. Don’t use dictionary words or common names. Make it meaningful to you. For example: iat#1gmn! would be short for (I am the number 1 Gmail ninja). Also, change your password periodically. Yes, I know this is a pain, but when you think about it, even if someone has captured your password from a keylogger, it won’t be any good once you change your password. You can change your password under Settings> Accounts and Import> Change Account Settings or go to http://www.google.com/accounts

Second, remember to sign out when you’re done. It sounds simple, but it’s easy to forget.

Third, monitor any open sessions and understand what they mean. At the bottom of the main conversation index, there’s a line that says “Last account activity” and a link at the end to display the details. If you, or someone else, is logged on from another computer, it will tell you there. I often see one or two other computers logged in because I forget to logout on my home computer then access Gmail from work. By clicking on the Details link Gmail displays the location and IP addresses of the other sessions, a button to terminate the other sessions immediately, and a history of recent activity. It’s a good idea to become familiar with your home and work IP addresses so you can spot others that you don’t recognize. Remember to periodically scroll to the bottom of the screen and see how many other seessions are going. If it’s one or more, have a look at the details to be safe.

Finally, Gmail has created a feature that removes some of the burden of monitoring your activity. If Google sees activity on your account from two different countries within a few hours, you will see a warning message at the top of the screen in red which starts out “Warning, We believe your account was last accessed from…” You can turn this setting off from the same Activity history details mentioned earlier, but I don’t recommend it. Hopefully you’ll never see this message. While it’s nice to know Gmail is helping with some of the security, it doesn’t relieve you from doing some of the measures mentioned earlier.

Podcast: Play in new window | Download

Tags: password, Security, session, sign out

Selected Offline Messages and Password Tips

Try gotoassist express free for 30 days by going to gotoassist.com/techpodcast

Back in January 2009, Gmail came out with a labs feature to let you access your Gmail without an Internet connection. The mail was synchronized when you were connected and then you could access it when you were offline. For frequent travelers, this is a terrific feature. You can learn more about it by listenging to the Gmail Podcast episode simply titled Offline from March 1, 2009.

The downside of the standard offline mode is that it took a very long time to download the messages or in some cases, all the messages you wanted were not there due to the way the software chooses which messages to download. You might find yourself with plenty of messages from a year ago that have little value, but not all your inbox was synced.

Gmail Offline now lets you choose which items to download and how far back to get them. This not only saves download time, but also ensures you have relevant information at your fingertips. For example, my Gmail archive is currently around 30,000 messages. It would take a couple hours to download all those messages, and according to the heuristics, I might not get all of the the ones I want.

To setup selected offline messages, you’ll need to enable the “Offline” labs feature from the Labs tab on the Settings screen. Once that is done, you can use the “Offline” tab from the Settings screen. The “Download Options” section of that screen is where you configure how far back you want to sync your conversations and from which labels. The old method would have defaulted to all conversations from all labels. I setup mine to only go back a month and then fine tune it to first, ignore most labels, then chose some like Inbox that I want all conversations, and finally chose a few fairly active labels where I only need the past month. Once I saved those options, I was able to sync my data in a few minutes and take it on the road.

This feature really makes Gmail Offline a lot more convenient, but you will need to remember to check the settings from time to time to ensure you add labels as they are needed and remove those that are not.

Here’s today’s quick tip – Be sure to change your Gmail password at least a couple times a year. There are people on the Internet who make a career out of trying to steal passwords. Some guidelines to follow when choosing a new Gmail password:

• Make it unique. Don’t make it the same as your other Internet accounts. If someone compromises your Gmail account, they could have access to lots of other information on the Internet. If you have lots of different passwords to remember, I recommend a password vault program like KeePass available from keepass.info. I use because I have over 100 different passwords to remember at home and work.
• Use a combination of upper case and lower case letters, numbers, and symbols. One common trick is to replace letters with symbols. For example, replace S with a dollar sign, or T with a 7.
• Don’t use simple words found in the dictionary like “house”, “automobile”, and definitely not “password”.
• Don’t use personal information that is easy to find such as your street name, dog’s name, and so on.
• Putting two or more words together with symbols is a good idea. Something like “dino+eggs”, of course replacing some of those letters with numbers or other symbols would make it a much stronger password.
• Finally, make you password something you are likely to remember. “dino+eggs” would be great if you are a paleontologist, but not necessarily if you are a stock trader.

You can change your password by going to google.com/accounts, or if you are starting from Gmail, go to settings, click on the “Accounts and import” tab, then look near the bottom for a link labeled “Google Account Settings”.

Podcast: Play in new window | Download

Gmail Backup

Welcome the Gmail Podcast, a collection short hints, tips, and tricks to help you get more from your Gmail account. I’m your host, Chuck Tomasi.

Try GotoAssist free for 30 days at gotoassist.com/podcast

This past week I came across a really neat application called “Gmail Backup”. The name says it all. All you do is download and install the tool, provide your Gmail credentials, point it at a folder on your system, and click the Backup button. It takes care of the rest. And best of all, it’s free.

There’s a Windows command line and GUI vesion, a command line and GUI Linux version, and a Mac command line version only. I have heard rumors that a GUI version for the Mac is in the works so stay tuned to the Gmail Podcast for more information. Running from the command line actually makes sense if you want to schedule regular backups from a script. See the documentation on their website at www.gmail-backup.com.

Regardless of your platform, you will need Gmail IMAP enabled. You’ll find this in the settings under the “Forwarding and POP/IMAP” tab. For Linux users, you will need the wxPython (http://wxpython.org) packages installed. It also requires the ctypes module; which should be included in the Python 2.5 distribution. For earlier versions of Python you can find the package in the repositories of your distribution.

I downloaded and installed the Windows XP version and was up and running fairly quickly. I created a new folder under “My Documents” called “My Gmail Backup”. Feel free to put the folder where you like or create multiple fodlers if you plan on backing up multiple accounts. You can even do this after you start the application. Currently my mailbox is using approximately 1.6GB of storage on Gmail and it took a little over an hour to backup the first 600MB before I stopped. I had to relocate which would have interrupted my Internet connection. When I started it back up again, Gmail Backup recognized how much work it had done, took a few minutes to scan past the 9700 messages already backed up and resumed where it left off.

Other parameters availble in the application allow you to set a “Before date” to backup all messages before a given date, and all message since a given date. On first invokation, both dates are the same so it backs up all messages. As it retrieves the messages, they are stored in individual “eml” files in your backup directory. The ELM files can be opened by Microsoft Outlook, Outlook Express, Internet Explorer, IncrediMail, Thunderbird, and for Mac users, Entourage, and of course Apple’s Mail program. EML files are nice because not only do they preserve the times, sender, and other standard information, they also contain any file attachments that were on the files on Gmail. And yes, Gmail Backup also remembers your labels that you applied to the messages. They are saved in a mapping file called “labels.txt”, although you may run in to problems if your labels contain non-alphanumeric characters (a-z and 0-9).

And what would a backup program be without a restore feature? Gmail Backup allows you to re-upload all or part of your backup. If you’ve got multiple Gmail accounts or host your own domain from Gmail, you can backup messages from one account, and restore them to another account simply by providing the right credentials.

Again, I recommend visiting the website for full documentation, FAQs, and active forums at www.gmail-backup.com

For what it’s worth, there are other ways to backup your Gmail account, including Thunderbird (which has a limitation of 64,000 messages), Fetchmail (a little more technically involved and requires Cygwin to be installed), or Getmail (for you Linux users). I just found Gmail Backup to be quick and easy to use.

Here’s today’s quick tip… If you receive an email with a subject something like “Warning code: VX2G99AAJ”, just report it as spam, a phishing attempt, or delete it. The message body says it’s from “The Gmail Team”, however the message header says something quite differently. This is just an attempt to get your user information. Don’t even bother opening the message.
That’s all for this time… Comments, suggestions, or questions can be sent to gpodcast@gmail.com or check the website for full information and archives of all previous Gmail tips at chuckchat.com/gmail. I have no affiliation with Google other than as a satisfied Gmail user. Thanks to you for listening, and don’t forget to write.

Podcast: Play in new window | Download

Password Reset by SMS

This show is sponsored by GotoAssist.com – Try it FREE for 30 days!

Let’s face it, sooner or later we all forget a password. There are just so many of them to keep track of. Gmail has made this a little easier by allowing you to recover your password via text message.

Begin by going to http://www.google.com/accounts. Under the personal settings, you should see a section labeled “Security”. Click on the link that says “Change password recovery options”. You’ll need to provide your Google Account credentials one more time to verify your account.

Once that is done, you can add email addresses to send a reset link, or set a mobile phone number to send a password reset code via text message. To this, click on the link under the section “SMS” labeled “Add a mobile phone number”. Choose your country and enter the mobile number you wish to send the text message to and make sure to check the checkbox labeled “Use this phone number for password recovery via text message”. Finally, click the “Save” button at the bottom.

Now if you lose or forget your password, click on the link labeled “Can’t access your account?” in the login box of any Google application. On the right, look for the article labeled “I forgot my password” and click it. This link is also available on the bottom of the page. You will then be taken to the password recovery page where you first need to provide your username. In my case, I entered chuck.tomasi and clicked Submit. You’ll need to enter the text in the captcha page, one of those graphics with squiggly letters. I’ll admit, sometimes these are a little hard to read and I often have to enter more than one.

Once you’ve passed that test, you will be given several options to reset your password based on the account options you chose. If you set an alternate email address, you will receive an email to initiate the password reset process. If you setup the SMS option, you’ll get a text message with a recovery code.

Here’s today’s quick tip. Fight phishing with new labs feature. If you are unfamiliar with the term, Phishing, with a “ph” is a term used for nefarious email that tries to lure you to a website that impersonates another in order to get secure information from you. The most notable of these are eBay and PayPal. For example, some Internet villain will send you a message that looks like it is from PayPal and take you to a site that looks like PayPal, only to get your login and password and exploit your real account. This Labs feature in Gmail verifies that an email that says it’s from eBay or PayPal actually is from one of those sources – making it more trustworthy. To use this, go to the Labs tab in Settings, turn on the feature called “Authentication Icon for verified senders”. Now when you see an email from one of these sources, a little gold key appears next to the sender’s name in the message. This currently only works for eBay and PayPal, but I’m sure Google will be extending this functionality in the future.

Finally, Google has promoted their first labs feature to a full fledged feature. Tasks is now a permanent fixture on the main page for all Gmail users. This labs feature was so successful that everyone is now able to use it by clicking the Tasks link on the left. While there is still no syncing with other systems, I expect more functionality in Tasks in the future. After all, they already implemented my suggestion to move tasks between different tasks lists. Thank you Google!

Podcast: Play in new window | Download