8/7/2009
04:31 PM

'Going Google' Worries Los Angeles Police

The LAPD isn't convinced that Google Apps is secure enough for its data. But Google says that its competitors are eager to see the deal delayed or derailed.

Echoing the concerns raised by the World Privacy Forum about the City of Los Angeles' proposed plan to start using Google Apps for messaging and collaboration, a group representing the city's police officers wants to make sure sufficient safeguards are in place to protect confidential information before the multi-million dollar contract gets approved.

The LAPD Protective League said on Thursday that it is very concerned about having its records stored on computers outside the city.

"Our concerns are well-founded and understandable, given that government and corporate computer network breaches have become more prevalent over the past several years," said Sgt. Paul M. Weber, president of the League, in a blog post. "Just recently, Twitter acknowledged that hackers were able to access confidential information stored with Google."

Google's systems were not hacked in that incident, however. The hacker obtained the password of a Twitter employee by abusing the password recovery process at a different online service. Because the Twitter employee used that same password for Google Apps, the hacker was able to log in to the employee's Google Apps account.

If the employee had used different passwords for different services, or if Twitter had used two-factor authentication, as it now does, the hacker would not have gained access to Google Apps.

The $7.25 million contract under consideration in Los Angeles is expected to cost $8.31 million over five years and to save the city $6.25 million over the same period in license fees. Such fees presently go to Microsoft and Novell, the city's current providers of productivity software and e-mail.

Those figures assume that 30,000 workers will transition to Google Apps. If the LAPD opts out, only about 17,000 city employees would transition to Google Apps.

Google has been pushing hard to encourage businesses to switch to Google Apps. The company on Monday launched a billboard ad campaign to trumpet the benefits of "going Google."

Matt Glotzbach, director of product management for Google's enterprise group, says that any government agency or company moving to new systems should be careful and address security concerns. However, he notes that city officials believe Google Apps will be an improvement over existing computer security.

Indeed, Los Angeles' Information Technology Agency has said that the level of security for the city's data will be higher under the proposed contract than it is at present.

"There's a lot of misinformation out there and our competitors who did not get selected may have had a part in spreading this misinformation," Glotzbach said.

Glotzbach acknowledged the LAPD's legitimate security concerns but said the department's sensitive data is expected to remain in the many Microsoft Access databases that the department will continue to maintain. He said that the city's information policies won't change just because Google is providing e-mail and online applications.

"One of the big pieces of misinformation is that the LAPD is going to take all of their data and put it into Google and that's just not the case," he said.

Some 15 bids were submitted to Los Angeles to replace its e-mail system. Those not selected appear to be unhappy at the prospect of losing millions of dollars in business to Google. In a July 20 letter, Novell client executive Brian Hervey said that his company wants to continue providing e-mail service to the city and offered a 10% discount on the annual maintenance fee.

Glotzbach said that by moving to Google Apps, Los Angeles stands to save an estimated $13.8 million over five years and to free up six IT employees who'd otherwise be tending e-mail servers.
