Keep Your Gmail Secure
Safeguarding Your Email
Buried in email? Looking for creative ways to organize, sort, and/or safeguard your emails? Come along as we take a quick look at some of our favorite email apps, organization tools, and solutions to common problems.
A Quick Survey
Meet the Problem
"Jennifer," said her superintendent. "Turn on the news." It was 5:30pm and Jennifer was just getting home from an after-school event.
As she watched the news broadcast play on the television, her heart dropped into her stomach. "What do we do, Peg?" she asked her superintendent.
"Let's plan to meet tomorrow morning after Cabinet to discuss what our next steps are. While I am meeting with Cabinet, take a moment to discuss this with Jeannine (the tech director). Come up with our next steps and we'll figure this out."
Today's Topics
- Obstacles to Overcome
- Encryption Tools
  - File and Folder
  - Text Encryption
  - PGP/GPG
- Protecting Gmail Communications
1 - Obstacles to Overcome
Recent attacks have left school districts reeling from data breaches, many of them traceable to unawareness and a lack of consistent procedures for safeguarding sensitive data.
Just as attackers use encryption to deny you access to the data on a ransomware-infected machine, educators and students can use encryption to deny unauthorized parties access to their data. Well-tested encryption tools are freely available. Are you using them?
Let's explore some obstacles
Obstacle #1 - Not a Priority?
For many districts, safeguarding sensitive data isn't a priority. Some tips for making it one:
- Conduct a benchmark assessment of current practices
- Get executive leadership to form a stakeholder committee
- Develop policies and procedures for safeguarding sensitive data
  - Review paper processes
  - Review digital processes
  - Compare them to what other districts do
- Develop an incident response team
- Provide professional learning
Obstacle #2 - Enterprise Level?
Establish procedures for handling sensitive data in your classroom and/or office. Ensure that files containing personally identifiable information (PII), and any file that holds usernames and passwords for the services you use, are encrypted at rest and whenever they leave your control.
Did you know that under many state breach-notification laws, a lost or stolen file that was properly encrypted is not a reportable breach? This is the practical payoff of data encryption, and it can spare the district unnecessary litigation and expense. It is known as an encryption safe harbor. The safe harbor has a condition: it applies only when the encryption key (or password) was not also compromised, so a password sent in the same email as the file, or a laptop stolen with its password on a sticky note, gets no protection.
Texas, for example, defines a breach of sensitive personal information only in terms of data items that are not encrypted, and treats encrypted data as breached if the attacker also obtained the key needed to decrypt it (Source: Data Breach Charts, BakerHostetler).
When Will I Use This in the Real World?
This is a question you will get. Keep your response simple, and make encryption a requirement for handling sensitive data rather than an option.
Avoid the embarrassment and the high cost of identity-theft protection for students and staff. Texas's safe harbor law protects organizations that encrypt data should that data be lost or stolen, provided the key was not lost with it.
Avoid sending unencrypted confidential information via email or as email attachments. A phishing attack can compromise one user's account and spread quickly to everyone on an email group (a.k.a. distribution list). Unencrypted data sitting in a compromised mailbox is a treasure trove for the attacker and leads to costly issues. An encrypted attachment on a stolen smartphone, tablet or laptop is no big deal; an unencrypted attachment or file on a stolen device puts the district at risk of liability and lawsuits.
Avoid saving unencrypted files to portable devices (e.g. laptops, tablets) and storage media (e.g. USB flash drives, pendrives, external hard drives).
Always encrypt sensitive data before sending it to a third-party solution provider. Agree up front, over the phone, how you will encrypt the data and choose a strong password; share that password out of band (by phone or an end-to-end encrypted messenger), never in the same email as the file. If the data is exchanged through a server, encrypt it FIRST, before placing it on the server, and then transfer it over SFTP, so the server only ever holds ciphertext. An alternative is to grant the provider Virtual Private Network (VPN) access to one specific device; this can be easier because you can set up a network share (a mapped drive) for exchanging files quickly. Scope that access to the one host and share it needs, and keep the files encrypted anyway: it is better to encrypt than to leave unencrypted files at rest on an intranet server.
NEVER place unencrypted sensitive files on an internet-facing server or in cloud storage.
2 - Encryption Tools
In the individual exercises, you will explore how to encrypt both text and files using AES-256. There are various ways to accomplish this. Find the way that works best in your environment and apply it consistently.
With password-based tools, the password is the key: AES-256 is only as strong as the password you choose. Generate passwords with a password manager or another secure generator, and share them only over an end-to-end encrypted channel (e.g. Signal), never in the same email as the encrypted file.
Text Encryption
You can use a variety of text encryption solutions. These are ideal for text/email messages you might send on your smartphone, as well as via a computer.
Tool #1: Paranoia Text Encryption
iOS | Android | Windows | Mac | Web version
Tool #2: Browser-based Text Encryption
Activity - Encrypt and Decrypt Text
Part 1 - Decrypt Text
To practice decryption, open the Paranoia Text Encryption Online tool (in the web browser on your device, including a smartphone), paste in the text that appears below, and decrypt it with the password kQgWbQhc58wc. Send the decrypted result to "mguhlin@tcea.org" via email. Obviously, a real password would never be shared on a web page for anyone to read; it is shared here for demonstration purposes only.
==Begin Encrypted Text Below (only copy encrypted content, not anything with == in front of it)
fIqoBFlGIJibGhbYnHhdKkrpjQs2a]DKvDuxGOIEosjfgk)bHvqKB693PuPdSGCbtT9rS]KB3PFNo0MVKm95B)yF06rj)]KrLJnPfpogU1yIT]DgCzbsw8PlqxSZ]ndqcefwocfLOX9)q3tDSWtNg9WPw85yMyI47H6t8y1)LESw3P3roKKx3)3QscDPifOOTPhwOzmMkvl5ZgzvkzIbX8gQrcXrXJR2O9r5axA63]L6Ja9L6UeVt1Q810oZlDkLD2RIu0RS6ilV8aIR)TIrs66MxYYOqgh2HQ1UgSuI33EMuV8jGENDYxjxGA)5K]g6YJekzBGr5iWGYymUTP)UQvRIU2TSfmkIYzpAIozEMcBsrZ9KBzfchP1LdkB7oOH6ZSnFIrDskFwgx31AjCGeOEjy8bhkvF9gx2UkCDr28rMfR6DIPUGX7vjZY5fuDR])blioTUqE1I66ltMkJ9lMHTjntNQhu1rED232iV727yBPuNHJWu1qfNDgQLNsxngWIuxu7Y2Wt3jH1ql3IpePG3w1sjicGwmfzsj]1lW)1MoXzkFuLI8fC5556Q8FSG6R44XS)Sy5z5Xq412u6XPPU4M3HanQrIb1SGGTcjf1QDStWTREzQQKeT9G5blz499O8YxWqq9Q4Q1poQYFqDXYBPZjV9i93AiP9W4JStyShTU)ezjqBWpQmEy4UVCPD7yR]QLBcSUZT7OshQ)Ow6lxZm)lU6A!
==End Encrypted Text Below (only copy encrypted content above)
Part 2 - Encrypt Text
To encrypt text, type your own message in the Paranoia Text Encryption Online tool and then send the encrypted text to "mguhlin@tcea.org" with subject line of "Encrypted Text." Use the password - T5ecaJiMepSU - to encrypt. Or, if you prefer, use a different password.
File Encryption
Encrypting files with AES-256 can be done with a variety of free tools, including:
7-Zip for Windows - A zip/7z compression program that combines multiple files into one. It works with a wide variety of files. Think of it as putting a folder of files into ONE file that is compressed for space and encrypted for security. When you set the password, choose the 7z format with the AES-256 method and tick "Encrypt file names"; the legacy ZipCrypto option offered for plain .zip archives is weak and should not be used for sensitive data.
Keka for Mac - The Mac counterpart to 7-Zip; it creates password-protected 7z archives in the same way.
Paranoia Works' Secure Space Encryptor (SSE) - In my view the best cross-platform encryption tool available. It works on the most platforms (e.g. Android, Mac, Windows, Linux), and one of its features is that it can take a folder of files and encrypt them all into ONE file.
FileLock.org - A browser-based solution that works well for Chromebooks. Encrypt individual files via your web browser.
Protecting Confidential Email Attachments
“I’m working with a few schools. They only wish to send password protected files. The files will go outside their organization,” says John M., a Google Certified Trainer*.
“From a Windows machine, that’s fine. But we’ve moved to a Chromebooks-only environment. How do you add a password to exported files, like DOCx or PDF, that get sent via email?”
One web-based tool you can use is FileLock.org. It works in a similar way to PTE (Paranoia Text Encryption) and Fourmilab's browser-based tools: you open the website, select a file on your Chromebook (e.g. a DOCX you've downloaded from a Google Doc), enter a password, and encrypt it.
Then attach the encrypted file to your Gmail message and pass the password to the recipient by a separate channel (phone or an end-to-end encrypted messenger), never in the same message.
Protecting Gmail Communications
Set Up 2-Step Authentication
One of the most critical things you can do is turn on two-factor authentication (Google calls it 2-Step Verification) for any and all accounts you have online. If a service offers it, use it. The Google Authenticator app (from the Apple or Google app store) generates time-based codes for any service that supports the standard, not just Google, so one app can manage all of them.
Ways to Prove Who You Are
There are several ways to "authenticate" yourself to Google. I use more than one for my Google Workspace for Education account; my primary method is the Authenticator app on my iPhone.
This is one of the easiest ways to authenticate. Other options include physical security keys you can buy and keep on a keychain; they are the stronger choice, because a security key only answers the real Google login page, so a phishing site cannot collect and replay it the way it can an app code. Since I always have my phone with me, the app is what I use.
Confidential Mode
When composing an email message in Gmail, you can enable CONFIDENTIAL MODE.
But it's not THAT confidential. Confidential mode lets you set an expiration date, revoke access later, and block the recipient from forwarding, copying, printing or downloading the message (a screenshot still works). Optionally, the recipient must enter an SMS passcode sent to their mobile phone before they can open it.
The message is not end-to-end encrypted: it still lives on Google's servers and, in a Google Workspace for Education domain, it remains viewable to your Google Admins. It works fine when you are OK with Google Admins reviewing your communications; for anything more sensitive, encrypt the content before you send it.
Encrypting Your Communications
Privacy
Protect Yourself Against Click-Tracking Tools
Can you see who's watching you open your email? Many marketing and sales messages carry a tracking pixel: a tiny remote image with a unique URL that is fetched when you open the message, telling the sender when (and how often) you read it. Gmail fetches images through Google's proxy, which hides your IP address and location but still registers the open. Tracker-blocking extensions mark tracked messages with an EYE icon in your inbox before you open them.
- Ugly Email - Works similarly to PixelBlock. "Ugly Email is a Gmail extension that allows you to see if the email is being tracked before opening it. It seamlessly integrates with Gmail."
Click-Tracking Tools
- GetNotify.com - Add .getnotify.com to the end of the email addresses you're writing to (e.g. mreynolds@gmail.com.getnotify.com) and this will track emails sent. You'll need to get a free account. Has a different approach, but works! And, no cost!
- MxHero - This was my favorite for a long time, but the time came to pay for it, and I wasn't willing to do that. "Features include open and URL click tracking, attachment tracking, self-destructing emails, email read receipts and the ability to schedule an email for later."
- Boomerang Read Receipts for Gmail - Just like the other services, you can take advantage of a free feature.
- Bananatag - Another click-tracker. "It's free for 5 messages a day, but $5 a month gives you unlimited tracking," via Lifehacker.
- Yesware Email Tracking - A Chrome add-on; includes a free two-month trial, with limited features afterwards at no cost, or full features at great cost otherwise! (smile)
- MailTrack for Chrome - This is another alternative. It didn't work all that well for me, but I had several others going at the same time.
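As an added example (not the page's code, nor that of Ugly Email or any of the trackers listed), here is the kind of check a tracker-blocking extension performs: a Go function that scans an HTML email body for remote images that are invisible (1x1 or hidden by CSS) or served from a watch-listed host. The sample message, its hostnames and the watch-list are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Suspect is one <img> that looks like a read receipt.
type Suspect struct {
	URL    string
	Reason string
}

var (
	imgTagRe = regexp.MustCompile(`(?is)<img\b[^>]*>`)
	attrRe   = regexp.MustCompile(`(?is)([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))`)
	hiddenRe = regexp.MustCompile(`(?i)display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:[^.\d]|$)`)
)

// knownTrackers is a constructed watch-list of beacon hosts (assumption for the
// example); a real extension ships a curated list of tracker domains.
var knownTrackers = map[string]bool{
	"track.example-mailtrack.test": true,
}

// attrs extracts name="value" pairs from one tag, lower-casing the names.
func attrs(tag string) map[string]string {
	out := map[string]string{}
	for _, m := range attrRe.FindAllStringSubmatch(tag, -1) {
		out[strings.ToLower(m[1])] = m[2] + m[3] + m[4] // only one alternate is non-empty
	}
	return out
}

// tinyDim reports whether a width/height attribute is 0 or 1 (px).
func tinyDim(s string) bool {
	n, err := strconv.Atoi(strings.TrimSuffix(strings.TrimSpace(s), "px"))
	return err == nil && n <= 1
}

// FindTrackingPixels returns remote images that are invisible or from a known
// tracker. Only http(s) sources matter: the fetch itself is the "read receipt".
func FindTrackingPixels(html string) []Suspect {
	var found []Suspect
	for _, tag := range imgTagRe.FindAllString(html, -1) {
		a := attrs(tag)
		src := a["src"]
		u, err := url.Parse(src)
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
			continue // data: and cid: images are local and cannot phone home
		}
		switch {
		case knownTrackers[strings.ToLower(u.Hostname())]:
			found = append(found, Suspect{URL: src, Reason: "known tracker host"})
		case tinyDim(a["width"]) && tinyDim(a["height"]):
			found = append(found, Suspect{URL: src, Reason: "1x1 pixel"})
		case hiddenRe.MatchString(a["style"]):
			found = append(found, Suspect{URL: src, Reason: "hidden by CSS"})
		}
	}
	return found
}

// sampleEmail is a constructed message, not a real one.
const sampleEmail = `<html><body>
<p>Hi Jennifer, the agenda for tomorrow's Cabinet meeting is attached.</p>
<img src="https://www.example.test/logo.png" width="200" height="60" alt="District logo">
<img src="https://beacon.example-sender.test/open?id=8f1c2d4e-7b0a&amp;u=jennifer" width="1" height="1" alt="">
<img src='https://cdn.example.test/spacer.gif' style="display:none" alt="">
<IMG SRC="https://track.example-mailtrack.test/p/abc123.gif" WIDTH="1" HEIGHT="1">
<img src="cid:attachment001" width="1" height="1">
</body></html>`

func main() {
	for _, s := range FindTrackingPixels(sampleEmail) {
		fmt.Printf("%-19s %s\n", s.Reason+":", s.URL)
	}
}
```

The logo is left alone because it is visible, and the cid: image because it is an attachment that never contacts a server. The beacon URL carries a per-recipient token (id and u), which is what lets the sender tie the open to you specifically; blocking remote images in Gmail's settings defeats all three variants at once.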
How Do I Secure an Entire Google Workspace for Education Domain?
"My district uses Google Forms to collect parent and student data. This includes names, birth dates, phone numbers, and emails. Should I be worried? I know Google says it’s the school’s responsibility. Do you see any issues with security regarding sensitive data?"
--Christi
Option #1 - Cloud Encryption Tools (client-based)
The easiest solution (which isn't that easy) is to avoid placing sensitive, personally identifiable information online in a shared folder whose access list you don't control. If you must place sensitive data in the cloud, encrypt the file first. Once the recipient has retrieved the file, remove it. At no time should an unencrypted file be placed in cloud storage or emailed as an attachment.
Two solutions districts can use for encrypting data stored in the cloud are Cryptomator (open source; the desktop app is free and the mobile apps are paid) and Boxcryptor (commercial; it has since been acquired by Dropbox and is no longer sold to new customers, so check availability before committing).
A free option is Secure Space Encryptor (SSE) from Paranoia Works. It's free, open source, and works on Mac/Win/Linux/Android. It also offers text encryption for iPad.
These tools let you encrypt files and folders. Point the encrypted output at a "sync to cloud" folder (e.g. Dropbox, Google Drive for desktop (formerly Backup & Sync), or OneDrive) and keep the unencrypted originals outside it; then only ciphertext ever leaves the device.
Option 2 – Invest in a Solution that Scans Your Google Workspace Domain
These are data loss prevention (DLP) products. They scan your cloud storage provider (e.g. Google Workspace for Education or Office 365) for sensitive data such as Social Security numbers, birth dates and credentials, and let you set rules that block or flag placement of such data in shared locations, so that violations are prevented or caught quickly.
You will want to explore these solutions through an official request for proposals (RFP) process aligned to your particular district’s processes and procedures.
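As an added example (not the page's code, nor any vendor's), here is a minimal version of what such a scanner does, in Go: parse a Google Forms-style CSV export like the one Christi describes, classify cells that look like SSNs, dates of birth, phone numbers and email addresses, and apply a placement rule that blocks a file containing an SSN and flags other PII for review. The export, the detection patterns and the rule are all constructed for the example.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one sensitive value located in a spreadsheet export.
type Finding struct {
	Line   int    // 1-based line in the file; line 1 is the header row
	Header string // column name from the header row
	Kind   string // ssn, dob, date, phone or email
}

// Pattern detectors, constructed for this example. A commercial DLP scanner has
// many more, plus checksums, dictionaries and proximity rules.
var (
	ssnRe   = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	phoneRe = regexp.MustCompile(`(?:\(\d{3}\)\s*|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b`)
	emailRe = regexp.MustCompile(`(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b`)
	dateRe  = regexp.MustCompile(`\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b`)
	dobHdr  = regexp.MustCompile(`(?i)birth|\bdob\b`)
)

// validSSN drops numbers the SSA never issues (area 000, 666 or 9xx, group 00,
// serial 0000), which removes most false positives from the bare 3-2-4 pattern.
func validSSN(area, group, serial string) bool {
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

// classify labels one cell; the column header decides whether a date is a DOB.
func classify(header, cell string) []string {
	var kinds []string
	if m := ssnRe.FindStringSubmatch(cell); m != nil && validSSN(m[1], m[2], m[3]) {
		kinds = append(kinds, "ssn")
	}
	if phoneRe.MatchString(cell) {
		kinds = append(kinds, "phone")
	}
	if emailRe.MatchString(cell) {
		kinds = append(kinds, "email")
	}
	if dateRe.MatchString(cell) {
		if dobHdr.MatchString(header) {
			kinds = append(kinds, "dob")
		} else {
			kinds = append(kinds, "date") // e.g. the form's submission timestamp
		}
	}
	return kinds
}

// Scan parses a CSV export and reports every sensitive cell.
func Scan(csvText string) ([]Finding, error) {
	records, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil || len(records) == 0 {
		return nil, err
	}
	headers := records[0]
	var out []Finding
	for i, rec := range records[1:] {
		for col, cell := range rec {
			hdr := ""
			if col < len(headers) {
				hdr = headers[col]
			}
			for _, k := range classify(hdr, cell) {
				out = append(out, Finding{Line: i + 2, Header: hdr, Kind: k})
			}
		}
	}
	return out, nil
}

// Evaluate is the placement rule: an SSN in a shared file is a hard violation;
// any other PII means the file must be reviewed (encrypted or removed).
func Evaluate(findings []Finding) string {
	verdict := "ok"
	for _, f := range findings {
		switch f.Kind {
		case "ssn":
			return "block"
		case "dob", "phone", "email":
			verdict = "review"
		}
	}
	return verdict
}

// sampleExport is a constructed Google Forms-style export; every value is fictitious.
const sampleExport = `Timestamp,Student Name,Date of Birth,Parent Phone,Parent Email,Notes
2024-08-12 09:14:02,Jane Doe,4/12/2010,(512) 555-0142,parent1@example.test,
2024-08-12 09:20:55,John Roe,2011-02-03,512-555-0199,parent2@example.test,SSN 123-45-6789 for the lunch form
`

func main() {
	findings, err := Scan(sampleExport)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("line %d  %-14s %s\n", f.Line, f.Header, f.Kind)
	}
	fmt.Println("verdict:", Evaluate(findings))
}
```

Two things this shows that a pattern list alone does not: context matters (the same date regex fires on the submission timestamp and on the Date of Birth column, and only the header tells them apart), and the free-text Notes column is where the worst data tends to land, since nothing in the form design stopped a parent from typing an SSN there.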
Did You KnowBe4?
A big part of protecting data is avoiding situations, like phishing expeditions, that are designed to capture your username and password. Some school districts are turning to services such as KnowBe4, which provide simulated phishing and security-awareness training. For example, a simulated spear-phishing campaign is launched against employees with the organization's permission.
The simulated attack is sent without notifying employees first. One district, for example, "sent out a baseline test to 4,390 staff and 924 clicked on it." The district later reported that it suffered a real attack, not one simulated by KnowBe4, and only one person was compromised. From 924 to one is quite an improvement.