Solved

Security of Google Talk

Posted on 2006-10-30
Last Modified: 2008-02-01
One of my clients would like to use email (specifically webmail) for interoffice communication in a dental office (also occasionally want to be able to view outside the office).  The office has approx 30 associates who would use this method of communication.  Email is of course slow and insecure so I am considering Google Talk (IM).  I would like to know:

1) how secure/insecure is this?

2) Is there a way that I can control passwords for all of the users?

3) what port does G Talk use and is it always open (listening?) and is that a security risk?

Is there a better way to achieve the same result?

Bill

Question by:billrush2
12 Comments
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 17836500
I'm thinking that the real question is not how secure or well built it is, but how the jury will react when they find out that the dentists were sending their patients' private information to a free service they didn't have a contract with guaranteeing a specific level of security.
0
 

Author Comment

by:billrush2
ID: 17836791
Unfortunately - very true!
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 100 total points
ID: 17837331
The packets are secure from the client to the server via them being encrypted via TLS (SSL's replacement) and from the server to the other client.
GTalk is based on the Jabber protocol http://www.google.com/talk/about.html#privacy

Google Desktop might have something that you're looking for, but I'm not sure
http://desktop.google.com/enterprise/about.html#admin
But I don't think there is centralized management for Gtalk... you might use your own Jabber server internally, there are tools for that.

IM typically is a 3rd party service. You sign in to Gtalk, AIM, MSN, and you're online talking to that service's servers, those servers then send your messages to other online buddies/contacts, and since each client initiated the contact to the IM's servers, you're not listening for anything other than contact from those servers.
1.2.3.4 on port 45698 connects to (IM server) 9.8.7.6 on port 443... no one can contact 1.2.3.4 on port 45698 unless their IP is 9.8.7.6... it's called an established session
or a stateful session: http://en.wikipedia.org/wiki/Stateful_firewall
-rich
0
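The established-session behaviour described in the answer above, as an added example that is not part of the original post: a toy connection tracker in Python using the post's two addresses. The class and function names, the 203.0.113.50 address and port 3389 are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Toy connection tracker: outbound traffic creates state, inbound must match it."""

    def __init__(self, inside_ips):
        self.inside = set(inside_ips)
        self.sessions = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def filter(self, pkt):
        if pkt.src_ip in self.inside:
            # Outbound: remember the full 4-tuple so replies can be recognised.
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW outbound"
        # Inbound: allowed only if it is the mirror image of a tracked session.
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_key in self.sessions:
            return "ALLOW established"
        return "DROP unsolicited"

    def close(self, inside_ip, inside_port, remote_ip, remote_port):
        # Session teardown (or timeout) removes the state entry.
        self.sessions.discard((inside_ip, inside_port, remote_ip, remote_port))


def demo():
    fw = StatefulFirewall(inside_ips={"1.2.3.4"})
    verdicts = [
        fw.filter(Packet("1.2.3.4", 45698, "9.8.7.6", 443)),       # client signs in
        fw.filter(Packet("9.8.7.6", 443, "1.2.3.4", 45698)),       # IM server replies
        fw.filter(Packet("203.0.113.50", 443, "1.2.3.4", 45698)),  # other host, same port
        fw.filter(Packet("9.8.7.6", 443, "1.2.3.4", 3389)),        # IM server, other port
    ]
    fw.close("1.2.3.4", 45698, "9.8.7.6", 443)
    # After the client signs out, even the IM server can no longer reach that port.
    verdicts.append(fw.filter(Packet("9.8.7.6", 443, "1.2.3.4", 45698)))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The client port is reachable only by the exact remote address and port it contacted, and only while the session entry exists.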
 
LVL 2

Assisted Solution

by:Tayger
Tayger earned 75 total points
ID: 17837385
Email is of course slow and insecure so I am considering Google Talk (IM).

=> You can use PGP encryption that is a very strong security, but of course not as fast as in-time talk.
http://eu.pgpstore.com/ (I'm sure there are also free PGP programs around)

1) how secure/insecure is this?
=> Atm Google Talk is beta. Unless it's stable I wouldn't recommend it if security is an issue. All over: no system is unbreakable.
Google's business is storing and analyzing data. So they store certain user data (how you configure Google Talk, how long you were talking per session, timepoint of using GT, stored contacts in GT, frequency and size of sent files, communication partner)
All over I didn't find anything they are storing/checking what is spoken over GT.
Sent data are encrypted like in most IM tools.

2) Is there a way that I can control passwords for all of the users?
=> No, Google talk is a single user program.

3) what port does G Talk use and is it always open (listening?) and is that a security risk?
=> As long as GT is open and set to "Online" it's listening to GT server. Any program with an open port to the Internet is vulnerable as soon as an exploit is known. IM programs are in general very secure against exploits (you don't hear a lot of IM exploits).
GT uses default port 5223. If it's not working Google recommends port 443. Hacker programs will probably dock on those ports. So it's recommendable to change the port to any other ID.

Is there a better way to achieve the same result?
=> Google Talk is not better or worse than other IM tools. I have no security issue but I'm happy with Skype. Of course they all have some unique features others won't have.
There are also providers you can find in Internet offering so called "meeting rooms" but they cost every time you use them and its only good for time based meetings.

As long as the dentist have a PC with unprotected customer data on it online, they will not be less with a proved IM tool.

Oh, I just saw that PGP also offers IM encryption. You got more info on the link above.

Hope I could help
Tayger
0
 

Author Comment

by:billrush2
ID: 17837436
So is the use of G Talk less secure than communicating via unsecured email?  Sounds like they are equivalent.  Is this accurate?

Bill

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17837625
No... Gtalk is encrypted, mail by default isnt...
-rich
0
 
LVL 2

Expert Comment

by:Tayger
ID: 17837640
Hmmm, you're mixing two types of communication tools. But due to both sending data over Internet I agree with you.

Tayger
0
 
LVL 2

Expert Comment

by:Tayger
ID: 17837680
Richrumble, you're right. I was thinking from the point that both wouldn't be encrypted.
0
 

Assisted Solution

by:FarFromHome
FarFromHome earned 75 total points
ID: 17862701
Are the employees of this dental office going to use gTalk to relay protected health information over the network? If so then you can't recommend that solution to your client. When you are dealing with HIPAA you have to be vigilant about the protection of the patient information. These are the issues I see with doing this.

1. Everyone has to create a google mail account. There is no mass password tool to facilitate this. You are at the mercy of your users using simple passwords.
2. Google by default turns on chat history. This means that patient information will be stored on google servers and is forever searchable by you.
3. Being that your data has now been stored by google you have lost control of the data. If an employee quits or is terminated they have permanent access to this information.

Just think of the ramifications of a disgruntled employee having access to this data once they've been terminated. They could then start an investigation into your clients HIPAA practices. With $10k per day fines per area of non-compliance that could really add up when they have blatant proof of your non-compliance.

If inner-office communication is a priority then I would recommend running a Wildfire server. This is based off of Jabber which is the same protocol that gTalk uses. You can use encryption which would be preferable. Best of all the data stays within your network!!

http://www.jivesoftware.org/
0
 
LVL 2

Expert Comment

by:Tayger
ID: 17868942
FarFromHome, some points I have to correct:

It's not true that entered text is stored on Google's side. They store data like session time, set config, etc. but - so far - not typed text.  You can YOURSELF activate chat history on the local PC if you want to. Information you entered/set on GMail/over email will be used for internal (Google) analysis but NO ONE except Google can search that personal stuff.

Here is Google's licence agreement: http://www.google.com/talk/privacy.html

Google committed to the terms of SafeHarbor: http://www.export.gov/safeharbor/index.html

Just to make some things clear.
0
 

Expert Comment

by:FarFromHome
ID: 17869095
Do you even have a Google Talk account? It does in fact store your chat conversations on their servers. I just created another Gmail account and by default they save chat history. You can also search your chat history from your Gmail account. It is stored on Google's servers and you can search it from any computer in the world. Try it out before you comment on it next time...
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17869293
By default, chats are not logged. Tayger is correct, you have to enable the setting. Further, you can go off-record if you wish.
Your chat history will appear here if you choose to save your chats. You can change this in Settings
http://www.google.com/talk/chathistory.html
http://mail.google.com/support/bin/answer.py?ctx=%67mail&hl=en&answer=29290
http://mail.google.com/support/bin/answer.py?answer=29291 (off the record chats...)
-rich

0
