Tag Archives: safety and security

Building a safer internet, one secure domain at a time

Do you lock your doors when you're not home or when you’re sleeping at night? Your home protects everything and everyone that lies within it—whether that’s your family, pets or belongings—and a door is the most direct way for a criminal to access your home. Locking your door is the simplest thing you can do to keep safe. Similarly, when you’re browsing the web, there’s one key thing that helps keep you and your information safe and “locked” up.


HTTPS is a certificate that works just like the lock on your front door at home. By “locking” your connection to a website, it helps prevent interception or alteration of content on the site you’re visiting. We want every website to have a lock on it. That’s why Google Registry created safe.page: so you can understand the most direct steps you can take to keep yourself and others safe while browsing the internet.

Visit safe.page to learn how to read a URL (to avoid phishing attacks) and the importance of a secure connection (especially when sharing sensitive info like credit cards and passwords).

Build safely, get rewarded

That’s not all we’re doing to support HTTPS. We're also teaming up with WordPress to make it easy for anyone to build a secure website. They make building secure websites a snap by automatically installing SSL certificates at no cost for domains they host. If HTTPS is locking your online information safely, an SSL certificate acts like the actual lock on the door.


If you’ve been thinking of building a website, now’s a good time to get started: We're running a contest for the best sites created through April 30, 2019. Nine winners will be selected based on their website’s user experience, user interface, originality, design and content clarity. Winners will receive a Pixel 3 phone or equivalent prize and the opportunity to be featured on one of Google Registry's websites (get.page, get.app and get.dev). Entering the competition is simple:

  1. Register your .page, .app or .dev domain. All three extensions are secure by default (registered domains only work with an SSL certificate). You can register your domain through your preferred registrar.
  2. Build your website. You can get started building your site on WordPress.com and save 25 percent using the promo code SAFE_A24F at checkout. (The offer is valid until April 30, 2019.) Websites created in other ways on .app, .page and .dev are also eligible for the contest.
  3. Learn more about the contest rules here, including eligibility restrictions, prize details and entry deadlines. Submit your website to the contest at safe.page.

That’s it! Regardless of whether you create your own secure website, we encourage everyone to visit safe.page to learn the fundamentals of keeping your information safe. Good luck and thanks for doing your part to build a safer internet!

Fighting disinformation across our products

Providing useful and trusted information at the scale that the Internet has reached is enormously complex and an important responsibility. Adding to that complexity, over the last several years we’ve seen organized campaigns use online platforms to deliberately spread false or misleading information.

We have twenty years of experience in these information challenges and it's what we strive to do better than anyone else. So while we have more work to do, we’ve been working hard to combat this challenge for many years.

Today at the Munich Security Conference, we presented a white paper that gives more detail about our work to tackle the intentional spread of misinformation—across Google Search, Google News, YouTube and our advertising systems. We have a significant effort dedicated to this work throughout the company, based on three foundational pillars:

  • Improve our products so they continue to make quality count;
  • Counteract malicious actors seeking to spread disinformation;
  • Give people context about the information they see.

The white paper also explains how we work beyond our products to support a healthy journalistic ecosystem, partner with civil society and researchers, and stay one step ahead of future risks.

We hope this paper and increased transparency can lead to more dialogue about what we and others can do better on these issues. We're committed to acting responsibly and thoroughly as we tackle this important challenge.

Working with security researchers to make the web safer for everyone

What do a 19-year-old researcher from Uruguay, a restaurant owner from Cluj, Romania and a Cambridge professor have in common? They’re all security researchers—a global community of professionals, academics, students and hobbyists who are essential to the safety of our products and the web as a whole. We’re grateful to be a part of this community and support their work in a bunch of ways, including the Vulnerability Reward Program and our 2018 Privacy and Security academic research awards.

Vulnerability Reward Program: Year in Review

Whether it’s been written by a PhD or a hobbyist, software inevitably has bugs that make it behave in unexpected ways. The important thing is that bugs are identified and patched as quickly as possible. Back in 2010, we started the Vulnerability Reward Program to get help from the security research community in identifying and reporting bugs in Google apps and software. The goal of the program is simple: encourage researchers to report issues so that we can fix them quickly and keep users’ data secure. We also provide financial rewards for bug reporters, ranging from $100 to $200,000, based on the risk level of their discovery. 

Since 2015, we’ve taken a look back at what VRP researchers have done to help make Google users safer. Here’s 2018, by the numbers:

[Infographic: VRP 2018 by the numbers]

Thanks to researchers from all around the world, we’ve been able to patch all different types of bugs. Ezequiel Pereira, a 19-year-old researcher from Uruguay, uncovered a Remote Code Execution (RCE) bug that allowed him to gain remote access to our Google Cloud Platform console. Tomasz Bojarski from Poland discovered a bug related to Cross-site scripting (XSS), a type of security bug that can allow an attacker to change the behavior or appearance of a website, steal private data or perform actions on behalf of someone else. Tomasz was last year’s top bug hunter and used his reward money to open a lodge and restaurant. After Dzmitry Lukyanenka, a researcher from Minsk, Belarus, lost his job, he began bug-hunting full-time and became part of our VRP grants program, which provides financial support for prolific bug-hunters over time.

Security and Privacy Research awards

We’ve also worked closely with leading security and privacy experts in academia, collaborating when we can provide the technology needed to carry out specific research projects. Academic breakthroughs help improve data privacy and security for years to come. Last year, we announced the Security and Privacy research awards, a new effort to recognize academics who have made major contributions to the field. Awards winners are selected by a committee of senior security and privacy researchers at Google.

Today, we’re revealing the 2018 winners—and on their behalf, we’re making a financial contribution to their universities totaling more than half a million dollars:

Whether they’re finding bugs today or making breakthroughs that will protect the web years into the future, the security research community is making everyone’s information safer online. We’ll continue to do our part to support it.

Encryption for everyone: How Adiantum will keep more devices secure

Editor's note: February 5 was Safer Internet Day, but we’ll be talking about it all week with a collection of posts from teams from across Google.


Encryption is incredibly important. It underpins our digital security. Encryption encodes data so that it can only be read by individuals with a key. With encryption, you are in complete control of this key, and you can store sensitive information such as personal data securely.

But encryption isn’t always practical, since it would slow some computers, smartphones and other devices to the point of being unusable. That changes with Adiantum, which we are introducing today in the spirit of Safer Internet Day.

Adiantum is a new form of encryption that we built specifically to run on phones and smart devices that don’t have the specialized hardware to use current methods to encrypt locally stored data efficiently. Adiantum is designed to run efficiently without that specialized hardware. This will make the next generation of devices more secure than their predecessors, and allow the next billion people coming online for the first time to do so safely. Adiantum will help secure our connected world by allowing everything from smart watches to internet-connected medical devices to encrypt sensitive data. (For more details about the ins and outs of Adiantum, check out the security blog.)

Our hope is that Adiantum will democratize encryption for all devices. Just like you wouldn’t buy a phone without text messaging, there will be no excuse for compromising security for the sake of device performance. Everyone should have privacy and security, regardless of their phone’s price tag.

Source: Android


How a data hack led Heather Adkins to her career

Editor’s note: Two-factor authentication, not using my pet’s name for a password, surfing the web on a secure browser—I do what I can to keep my data safe online. But thanks to the work of Heather Adkins—Google’s Director of Information Security—and her team, I don’t have to worry about my account getting hacked on a daily basis. I caught up with her for this latest She Word to learn about her career path in information security, her love for medieval history, her advice on how we can all protect ourselves online and more.

How do you explain your job at a dinner party?

I keep the hackers out of Google.

How did you get into the information security field?

In college, I had a job at a small ISP (internet service provider) and we got hacked. When most people get hacked for the first time, there’s helplessness, fear and panic—you feel like you’re having your house burgled. Instead, I felt a sense of curiosity: How did the hackers possibly manage that? What do they know that I don’t?

I knew that’s what I wanted to do for the rest of my life: get hacked—or at least study the techniques hackers use, and find ways to defend against it. My career found me, and I can’t imagine doing anything else.

There are high-stakes and stressful situations when you’re investigating potential security threats. How do you stay focused and calm?

One of the most important things is to make it a team effort. This responsibility doesn’t fall on any one person’s shoulders; it falls on a set of people who can support each other. It helps to distribute the stress—without a team, it would be too much.

My team has a heavy focus on trying to maintain work-life balance. Since our work is 24/7, we use a “follow the sun” model, moving responsibility of a project along with offices’ daytime working hours. This gives people a sense of closure at the end of their day, knowing that their work isn’t going to get dropped.

You’ve been at Google for 16 years—how many different roles have you had? How have you seen online security change during that time?

I’m one of the founding members of the security team. It’s changed so much—there was no Gmail when I joined Google! As the company has grown over time, so has our responsibility as a security team. But a lot of fundamental things are the same: Google was really committed to security before I got here. And the passion of people who work in security hasn’t changed—they love technology and they care about keeping people safe online.

What’s one thing everyone should do right now to better protect themselves online?

Two-factor authentication, where it’s offered, and use a security key if you’re a Google user.


What’s one habit that makes you successful?

I like to read lots of different things. When I started in the industry, I would get up and read Bugtraq (an electronic mailing list covering issues about computer security). When I wake up today, however, I want to know what the trade relationship is between the U.S. and other countries. The security industry is as much driven by geopolitical trends as anything. I find inspiration for solutions in all kinds of places; I’m reading books about quantum physics and civilizations at the moment.

What are you passionate about outside of work?

I study medieval history as a hobby. We know very little about this period of time in history because nobody kept what we would consider to be good records. It’s similar to what interests me when it comes to working on a system compromise—it’s a desire to put the picture back together, and figure out what happened.

Who has been a strong female influence in your life?

There are numerous luminaries I admire like Admiral Grace Hopper but they loom large at a distance (I’ve never met them). In my professional life, there haven't been many—I knew maybe five women in the field when I joined. In my personal life, my mom has been my biggest influence.

What advice do you have for women starting out in their careers?

Build resiliency in yourself. Finding a way to be resilient through tough times and come out the other side—having grown a little—means that you’re going to be able to go farther. To do that, you have to make sure you have joy elsewhere in your life to offset the difficult moments. It’s an engineering job: you have to be able to engineer your own happiness. You can get through anything in life if you can do that.

Protecting your data, no matter where you go on the web

Editor’s note: Today is Safer Internet Day, but we’ll be talking about it all week with a collection of posts from teams from across Google.

We’re always working to make sure your data is protected, whether you’re using Google products or checking out your favorite websites and apps.

Today, we’re introducing two new updates that will help keep your data secure, beyond just Google’s sites and apps: Password Checkup, a Chrome extension that helps protect your accounts from third party data breaches, and a new feature called Cross Account Protection.

Password Checkup

We help keep your Google Account safe by proactively detecting and responding to security threats. For example, we already automatically reset the password on your Google Account if it may have been exposed in a third party data breach—a security measure that reduces the risk of your account getting hacked by a factor of ten.

But we want to provide you with the same data breach protections for your accounts, beyond just Google apps and sites. This is where the new Password Checkup Chrome extension can help. If we detect that a username and password on a site you use is one of over 4 billion credentials that we know have been compromised, the extension will trigger an automatic warning and suggest that you change your password.


We built Password Checkup so that no one, including Google, can learn your account details. To do this, we developed privacy-protecting techniques with the help of cryptography researchers at both Google and Stanford University. For a more technical description of these innovations, check out our security blog post.

This is our first version of Password Checkup, and we’ll be refining it in the coming months. You can take advantage of these new protections right away by installing the extension.

Cross Account Protection

In the rare case that an attacker is able to find a way into your Google Account, we’ve built useful tools to help you quickly get back to safety. Unfortunately, these protections haven’t extended to the apps that you sign into with Google Sign In.

Cross Account Protection helps address this challenge. When apps and sites have implemented it, we’re able to send information about security events—like an account hijacking, for instance—to them so they can protect you, too.

We’ve designed the security events to be extremely limited to protect your privacy:

  • We only share the fact that the security event happened.
  • We only share basic information about the event, like whether your account was hijacked, or if we forced you to log back in because of suspicious activity.
  • We only share information with apps where you have logged in with Google.

We created Cross Account Protection by working closely with other major technology companies, like Adobe, and the standards community at the Internet Engineering Task Force (IETF) and OpenID Foundation to make this easy for all apps to implement.


For app developers using Firebase or Google Cloud Identity for Customers & Partners, Cross Account Protection is included by default. We’re getting this effort off the ground now, and developers can get started today to improve security for everyone.

With technologies like Password Checkup and Cross Account Protection, we're continuing to improve the security of our users across the internet, not just on Google. We'll never stop improving our defenses to keep you safe online.

Five things you can do right now to stay safer online

Editor’s note: Today is Safer Internet Day, but we’ll be talking about it all week with a collection of posts from teams from across Google.


When you’re online, you shouldn’t need to worry about the security of your information. That’s why we work to build security into our products, so the information in your Google account is automatically protected. We also share our best practices and security tools with other organizations, to help make the internet safer for everyone.

Even still, there are some simple things that you can do to make your information even more secure. Recent U.S. data from a survey we conducted with Harris Poll confirms that many people may not be familiar with these basics. 

This Safer Internet Day, take a moment to strengthen your online security by following these five tips:

1. Set up a recovery phone number or email address, and keep it updated.

The majority of people surveyed said they have either a secondary email address (87 percent) or mobile device (73 percent) set for account recovery and security purposes—and that’s great.


For many web services, your Google Account included, having a recovery method can help alert you if there’s suspicious activity on your account or if you need to block someone from using your account without permission. And of course, adding recovery information to your account can help you get back in more quickly if you ever lose access or can't sign in.


To set up recovery information, visit your Google Account’s Security section and scroll down to “Ways we can verify it's you.”


2. Use unique passwords for your accounts.

65 percent of respondents in our poll said they reuse the same password for multiple accounts, which can increase your security risk. It’s like using the same key to lock your home, car and office—if someone gains access to one, all of them could be compromised.  

Create a unique password for each account to eliminate this risk. Make sure that each password is hard to guess and better yet, at least eight characters long. It can be hard to keep track of many different passwords—60 percent of people report having too many passwords to remember. To help, consider using a password manager (like the one built into your Chrome browser) to help you create, safeguard and keep track of all your passwords. If that is too difficult, you can even write your passwords down on a piece of paper (but keep it in a safe place!), since hijackers are most likely to be online, rather than physically near you.


3. Keep your software up to date.

To help protect your online activity, make sure you’re always running the latest version of software on all your devices. The Harris Poll results show that, while 79 percent of respondents said they understood the importance of updating their software, one third of people said they still don’t regularly update their applications, or aren’t sure if they do or not.


If you’re using the below operating systems, here’s where you can look to learn how to check & update the software on your devices:

Some software, like Chrome, will automatically update so you never need to worry about doing it yourself. For other services that send notifications when it’s time to update, don’t click “remind me later”— take the time to install the update right away.


4. Go a step further by setting up two-factor authentication.

Setting up two-factor authentication (2FA)—also known as 2-Step Verification—significantly decreases the chance of someone gaining unauthorized access to your account. For the majority of people, Google’s automatic and risk-based sign-in protections are more than enough, but everyone should know that 2FA is an extra option. However, one in three survey respondents (31 percent) said they do not use 2FA, or don’t know if they are using it or not.


2FA requires you to take a second step each time you sign in to your account on top of your username and password. Examples of second verification steps include: an SMS text message, a six-digit code generated by an app, a prompt that you receive on a trusted device or the use of a physical security key.


Set up two-factor authentication for your Google Account by visiting g.co/2sv and clicking “Get Started.”


5. Take the Google Security Checkup.

The Security Checkup gives you personalized and actionable security recommendations that help you strengthen the security of your Google Account, and it only takes two minutes to complete.

Taking the Security Checkup doesn’t just help make you safer while using Google. The Checkup also includes personalized tips to keep you safer across the web, like helping you set up a screen lock on your mobile phone and advising you to remove risky third-party sites and apps that have access to your account.

Find more online security tips like these by visiting our Safety Center; you can also visit your Google Account’s Security section to find all the settings and tools mentioned in this post. Check out this infographic for more insights from our Online Security Survey.


Teaming up with partners to make the internet safer for kids

Editor’s note: Tomorrow is Safer Internet Day, and we’ll be talking about it all week with a collection of posts from teams around Google.

A year and a half ago, we launched the Be Internet Awesome program to help kids be safe, confident explorers of the online world. We built a little something for everyone: a curriculum for teachers, resources for parents and an adventure-packed online game for kids. And we couldn’t have done it without help from partners like the Family Online Safety Institute (FOSI), National PTA, the David's Legacy Foundation, and Disney’s Wreck It Ralph film “Ralph Breaks the Internet.”

This year’s Safer Internet Day theme is "Together for a better internet." That's something we can really get behind—joining forces with other organizations to help make the internet safer for everyone, especially younger kids. We’re kicking off a week of announcements, starting in San Antonio with the Be Internet Awesome adventure, a bilingual interactive space designed with hands-on activities to help kids and families learn the fundamental lessons of online safety and citizenship.


There are also a bunch of new updates to the Be Internet Awesome program, including:

  • A partnership with the David’s Legacy Foundation to create a program empowering teens to mentor and teach younger kids that it’s cool to be kind online (launching later this year)
  • The launch of Be Internet Awesome in France tomorrow as “Les Super-héros du Net”
  • Teaming up with the Walt Disney Animation Studios film Ralph Breaks the Internet (recently nominated for an Academy Award©) to encourage more families to practice online safety and digital citizenship with Wreck It Ralph
  • A Be Internet Awesome guide and set of tips designed specifically to help parents foster a conversation with their kids about using the Internet safely

Working with the community to help kids stay safe online

Today in San Antonio, we hosted a panel with our partners to discuss our latest research, conducted with 2,000 parents and 1,000 teachers in the US, to better understand how they view internet safety for kids. We’re sharing the results today—here are a few themes from the panel that stood out:

Cyberbullying is a rising concern in schools

This year, cyberbullying rose to the number one online safety concern for teachers (up from number four last year). Maurine Molak, co-founder of the David’s Legacy foundation, said the first step to reducing cyberbullying is to help kids understand that if you wouldn’t say something in real life, you shouldn’t say it online. Through her work raising awareness and support for anti-cyberbullying legislation, she has observed that teens are often the most influential teachers, because younger kids look up to them.

The online safety conversation needs to start early

Our survey found that parents, on average, said that online safety education should begin when their kids are eight years old. Erin McCowey, who joined us from FOSI, noted that it might be a good idea to start even earlier. While the average kid gets a mobile phone by age eight, the average age for getting a tablet is age six. That’s why FOSI recommends that parents talk to their kids about online safety early and often in their seven steps to good digital parenting.

Teachers and parents need to work together

83 percent of teachers feel they need more resources to teach online safety in the classroom. And in addition to feeling ill-equipped, 87 percent wish parents were more involved when it comes to keeping their kids safe online. Leslie Boggs, President-Elect of National PTA, discussed their PTA Connected program, which encourages conversations about online safety between parents and teachers. As part of that effort, Google and the National PTA partnered earlier this year to facilitate 200 online safety workshops nationwide, providing grants and kits to help parents teach one another about these topics.

A week of online safety goodness

Check in tomorrow as we’ll be sharing a set of security tips that can help you and your whole family stay safer online, and stay tuned throughout the week as we’ll be sharing more about what we do to keep everyone safe online.

Expediting changes to Google+

In October, we announced that we’d be sunsetting the consumer version of Google+ and its APIs because of the significant challenges involved in maintaining a successful product that meets consumers’ expectations, as well as the platform’s low usage.

We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API. We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.

With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019. While we recognize there are implications for developers, we want to ensure the protection of our users.

Details about the bug and our investigation

Our testing revealed that a Google+ API was not operating as intended. We fixed the bug promptly and began an investigation into the issue.

Our investigation into the impact of the bug is ongoing, but here is what we have learned so far:

  • We have confirmed that the bug impacted approximately 52.5 million users in connection with a Google+ API.
  • With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.
  • In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.
  • The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.
  • No third party compromised our systems, and we have no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.

We have begun the process of notifying consumer users and enterprise customers that were impacted by this bug. Our investigation is ongoing as to any potential impact to other Google+ APIs.

Next steps for Consumer Google+

We will sunset all Google+ APIs in the next 90 days. Developers can expect to hear more from us on this topic in the coming days, and can stay informed by continuing to check the Google+ developer page.

We have also decided to accelerate sunsetting consumer Google+, bringing it forward from August 2019 to April 2019. We want to give users ample opportunity to transition off of consumer Google+, and over the coming months, we will continue to provide users with additional information, including ways they can safely and securely download and migrate their data.

A note for our enterprise customers

We are in the process of notifying any enterprise customers that were impacted by this bug. A list of impacted users in those domains is being sent to system administrators, and we will reach out again if any additional impacted users or issues are discovered.

G Suite administrators are always in control of their users’ apps. This ensures that G Suite users can give access only to apps that have been vetted and are trusted by their organization. In addition, we want to reiterate that we will continue to invest in Google+ for enterprise. More details were announced in October.

We understand that our ability to build reliable products that protect your data drives user trust. We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone.