
A Word of Caution About Google Calendar

I've been playing around with Google Calendar, a beta service from the search-engine giant that lets users store -- and share -- calendar data online. It's a great Web-based tool, but in experimenting with it I found that far too many people are using Google Calendar without fully understanding how to protect their personal information.

Since security is what this blog is all about, I plugged "password" into a search of Google Calendar's public events, and within the first few pages of results found a username and password for a credit report account at TransUnion. The credentials belonged to Douglas Kerr, a network administrator for a software company in Charlotte, N.C. Kerr said he'd been experimenting with Google Calendar for a few weeks, but had no idea that he'd imported that record into the application.

"During an experiment to learn how to sync a personal calendar across the Internet to that Google calendar and back, I unknowingly synced sensitive information to it," Kerr said. "I use Linux exclusively at home, which makes a task such as this more challenging than normal, and that is the only excuse I have for making such a silly mistake."



Been looking for help with that bug in your YouTube API project? Thanks to this Google Calendar user, you can get the access you need. (post.com)

Kerr wasn't alone among technically proficient people who wound up posting private information on Google Calendar. Searching events for "passcode" produced hundreds of entries featuring toll-free conference lines and numeric codes used by various companies and their employees. My favorite was an entry entitled "United Airlines Morning ISD Event Call," which employees apparently use every morning "to report on issues that concern the Windows Engineering group." (This particular calendar item has since been deleted.)

Some Google Calendar users posted vacation dates and jury duty -- just the kind of information that might be useful to a crook hoping to drop by your house while you're away. Some of the posts I saw along these lines included handy Google maps showing where the person lived. How convenient.



Angry that Apple only picked one wireless provider for its new iPhone? Dial in and let them know. (post.com)

Maybe you can't afford an iPhone, but here's your chance to at least be on the phone with Apple, by tuning in to their weekly Monday 2 PST conference calls.

Searching for "poker game" turned up a number of friendly neighborhood house games -- again -- complete with maps to the host's home. Those might be of interest to local law enforcement, or even local thieves who'd like nothing more than to crash the party and steal the pot.



Poker, anyone? The Minnesota organizer better hope the cops aren't searching Google Calendar. (post.com)

A search for "routine maintenance" produced some eyebrow-raisers. If you wanted to break into a company, what better way than to impersonate the repair guy? Worse yet, if a crook knows exactly when the repair guy is supposed to show up, he can call ahead and move up the appointment.

I especially liked this Google Calendar entry (screenshot to left), which lists the times and dates that engineers are expected to come by and apply software patches to database computers on the company's network.



This listing tells us when a big software upgrade will occur at a North Carolina location. (post.com)

By default, Google does not share your calendar entries with the rest of the Internet unless you actively choose to make your calendar public. The examples above generally arise from people who have chosen to share their calendars but neglected to make certain events private, or to select a certain few individuals who are permitted to have access to the entries.
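An added example, not part of the original post: a short Python check you can run over an iCalendar (.ics) export before syncing it to a shared calendar. It lists events that mention the kinds of terms searched for above and are not marked private. The term list, function names and sample data are assumptions made for illustration, and whether a given calendar service honors the CLASS property on import is also an assumption.

```python
import re

# Terms from the searches described above, plus the vacation and jury-duty cases.
SENSITIVE = re.compile(r"password|passcode|routine maintenance|vacation|jury duty", re.I)

def unfold(ics_text):
    """Undo iCalendar line folding: a line starting with space/tab continues the previous."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def parse_events(ics_text):
    """Return one dict of property name -> value per VEVENT."""
    events, current = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            # Drop parameters such as ;LANGUAGE=en (simplification: assumes no
            # quoted colon inside a parameter value).
            current[name.split(";", 1)[0].upper()] = value
    return events

def audit(ics_text):
    """List (title, matched terms) for events that are not marked private."""
    findings = []
    for ev in parse_events(ics_text):
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
        hits = sorted({m.group(0).lower() for m in SENSITIVE.finditer(text)})
        # An event with no CLASS property defaults to PUBLIC in iCalendar.
        if hits and ev.get("CLASS", "PUBLIC").upper() == "PUBLIC":
            findings.append((ev.get("SUMMARY", "(no title)"), hits))
    return findings

# Constructed sample export; every value is made up.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0",
    "BEGIN:VEVENT", "SUMMARY:Credit report login",
    "DESCRIPTION:user example-user pass", " word example-only",  # folded line
    "END:VEVENT",
    "BEGIN:VEVENT", "SUMMARY:Morning ops call", "CLASS:PRIVATE",
    "DESCRIPTION:Dial-in passcode 000000", "END:VEVENT",
    "BEGIN:VEVENT", "SUMMARY;LANGUAGE=en:Team lunch", "END:VEVENT",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    for title, hits in audit(SAMPLE):
        print(f"review before sharing: {title!r} mentions {hits}")
```

The folded DESCRIPTION line in the sample splits "password" across two physical lines, which is why the text is unfolded before matching.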

By Brian Krebs | July 6, 2007; 6:00 AM ET | Fraud, From the Bunker, Safety Tips

Comments




Other than the user error that is possible with that program and many other products in today's world, I believe Google Calendar is an outstanding program, head and shoulders above any other calendaring program. Considering it's free also, makes Google Calendar a ridiculously good deal.

Posted by: Lee Wifflestin | July 6, 2007 7:37 AM

Congrats to Brian for exposing yet another breach of personal data for the unwary (mentally challenged) who put their data willy-nilly on Web sites.

I had to Refuse about 40 cookies from WashPost to post via a browser where I do not have a password registered for the Post. Ridiculous!

I use Google Search, but would never sign up for G-mail, G. Calendar, or any other service that puts (and/or leaves) so much personal information on the Web or remote servers. Don't most people have a desktop calendar and sync it to their PDA or have an encrypted remote access program to read their own computer files?

I also don't use Google or Yahoo toolbars, etc. They all seem too intrusive.

I won't use any of the free online data storage sites, either. External USB HDs are so cheap now that it makes no sense to put your data on the Web. It is tough enough keeping your data secure on your own computer. Putting any of it on the Web is asking for trouble. It seems that there are too many hackers who are smarter than the people who offer online storage and posting.

Posted by: Robin Geigerstat | July 6, 2007 11:44 AM

like pregnant I thought how it would be if anybody would give the webmasters of an untrustworthy side at the first glance his special password instead of using just a placeholder or an unbeatable one. The unbeatable one is for security check at the first row servers! Thinking while every webmaster has idea about the behaviour of password-users in generally and software to read, apart of the stored ones and he also knows that computer can't forget easily. Only by force, strong force.
tagesclaus

Posted by: tagesclaus | July 6, 2007 12:41 PM

To serve as a personal example for Robin's question: no, I don't have a desktop calendar that I sync to a pda. i'm tired of having desktop applications period, ones that require constant backing up of data, reinstallation of applications, and general hassles every time i switch computers or have a hard drive fail. the first few times it happens in your life you get over it, but i've found that it happens about once a year or so, and after a couple decades, i really, really love the model of having my data in the "cloud" where it's always available even if i'm borrowing a computer. i'll definitely be careful to make sure my private data is, in fact, marked private, but i'm not concerned about companies like google or yahoo revealing my data deliberately (they have too much at stake) and i don't have anything i'm worried about the government knowing (or that the gov't couldn't get just as easily from my desktop).

Posted by: william | July 6, 2007 1:05 PM

Great post, Brian. You're right that a lot of people are bringing technologies like this into work without understanding the implications. I found a few more examples here giving me a way to dial into conference calls with a few companies that should have known better.

-Bob

Posted by: Robert McMillan | July 6, 2007 1:40 PM

That's nothing--I found a weekly conference call for the SITE institute (siteinstitute.org) - open antiterrorism!

Posted by: Alan | July 6, 2007 2:49 PM

As a response to William:

Sir, your constant need to upgrade and/or re-install only indicates your unfortunate ignorance of how to maintain a computer on the Internet.

If you use an inferior anti-virus program, don't use a couple of anti-spyware programs and don't do regular disk maintenance, you will have troubles.

Modern automobile drivers are like this. They refuse to learn anything about the tool they literally depend upon to traverse this land past how to turn the key.

No disrespect intended, but this is a fool's folly.

Posted by: Dan | July 8, 2007 2:56 AM

@Dan,
This isn't about not knowing how a computer works or how to maintain it. Hard drives have mechanical parts, and they can fail for even the most tech savvy of us. The tech savvy know to keep backups and that's what separates us out, but hard drives can fail on anyone.

That said, I personally use Google Calendar all the time and I wouldn't trade it for any desktop calendar app. I love not worrying about backing it up, I love being able to access it on any computer anywhere in the world, and all in all I trust Google with my data. The main lesson learned with this article is to be careful with what information you share. The share feature is a very useful feature, but some people like to turn it on by default and then forget to turn it off for events that should stay private. You just have to remember to use common sense for any online app.

Posted by: Martin | July 8, 2007 3:27 AM

I've been using Google Calendar for almost a year now and find it very useful. It's not perfect, but my quibbles are very minor. I don't see any threat here, though - you can put together as many calendars as you like (all viewable simultaneously thanks to color-coding), and decide when you set them up how and if they are shared. I have a personal one and several set up for use of everyone in the office - company events, staff vacation notices, and project schedules/events. Works like a charm.

Posted by: Allen | July 9, 2007 10:00 AM

You'll love Google calendar well and good because you don't see the need nor the means to back up your appointments--until Google sends you a message that they have lost all your appointments. Then what recourse will you have?

Posted by: Bote | July 9, 2007 11:07 AM



©  The Washington Post Company