Tag Archives: Safety & Security

Improve your nonprofit’s account security with 2-step verification

While online accounts allow nonprofits to easily communicate with partners, volunteers and donors across the world, this shared network can also leave your account vulnerable to intruders. As your nonprofit continues to grow its online presence, it’s crucial to keep confidential information (e.g., finances or donor’s information) safe. While passwords have historically been the sole guardian for online account access, research from Google has shown that many passwords and security questions can easily be guessed. That's why we strongly recommend that all nonprofits using GSuite for Nonprofits, or Google products like Gmail, use 2-Step Verification (2SV) as an additional protection on their account(s). 

Account hijacking—a process through which an online account is stolen or hijacked by a hacker—constitutes a serious threat to your nonprofit’s operations. Typically, account hijackings are carried out by phishing attempts or hackers who guess weak passwords. Because of this, it’s especially important for your nonprofit to maintain strong and unique account passwords to keep sensitive data safe.

But 2SV goes beyond just a strong password. It's an effective security feature that combines "something you know" (e.g., a password) and "something you have" (e.g., a text, a prompt, or a Security Key) to protect your accounts. Think of this like withdrawing money from an ATM/cash machine: You need both your PIN and your debit card.

Google Authentication app.png
Our free Google Authenticator app is available for Android and iOS devices, which generates a code for you each time you want to sign in to your account.

Now that you know what 2SV is, head over to our Help Page to start improving your nonprofit’s online security now. (Quick tip: Remember to keep your account settings up to date and configure backup options to use if your phone is ever lost or stolen). Stay safe, nonprofits!  

To see if your nonprofit is eligible to participate, review the Google for Nonprofits eligibility guidelines. Google for Nonprofits offers organizations like yours access to Google tools like Gmail, Google Calendar, Google Drive, Google Ad Grants, YouTube for Nonprofits and more at no charge. These tools can help you reach new donors and volunteers, work more efficiently, and tell your nonprofit’s story. Learn more and enroll here.

Improve your nonprofit’s account security with 2-step verification

While online accounts allow nonprofits to easily communicate with partners, volunteers and donors across the world, this shared network can also leave your account vulnerable to intruders. As your nonprofit continues to grow its online presence, it’s crucial to keep confidential information (e.g., finances or donor’s information) safe. While passwords have historically been the sole guardian for online account access, research from Google has shown that many passwords and security questions can easily be guessed. That's why we strongly recommend that all nonprofits using GSuite for Nonprofits, or Google products like Gmail, use 2-Step Verification (2SV) as an additional protection on their account(s). 

Account hijacking—a process through which an online account is stolen or hijacked by a hacker—constitutes a serious threat to your nonprofit’s operations. Typically, account hijackings are carried out by phishing attempts or hackers who guess weak passwords. Because of this, it’s especially important for your nonprofit to maintain strong and unique account passwords to keep sensitive data safe.

But 2SV goes beyond just a strong password. It's an effective security feature that combines "something you know" (e.g., a password) and "something you have" (e.g., a text, a prompt, or a Security Key) to protect your accounts. Think of this like withdrawing money from an ATM/cash machine: You need both your PIN and your debit card.

Google Authentication app.png
Our free Google Authenticator app is available for Android and iOS devices, which generates a code for you each time you want to sign in to your account.

Now that you know what 2SV is, head over to our Help Page to start improving your nonprofit’s online security now. (Quick tip: Remember to keep your account settings up to date and configure backup options to use if your phone is ever lost or stolen). Stay safe, nonprofits!  

To see if your nonprofit is eligible to participate, review the Google for Nonprofits eligibility guidelines. Google for Nonprofits offers organizations like yours access to Google tools like Gmail, Google Calendar, Google Drive, Google Ad Grants, YouTube for Nonprofits and more at no charge. These tools can help you reach new donors and volunteers, work more efficiently, and tell your nonprofit’s story. Learn more and enroll here.

Shielding you from Potentially Harmful Applications

Earlier this month, we shared an overview of the ways we keep you safe, on Google and on the web, more broadly. Today, we wanted to specifically focus on one element of Android security—Potentially Harmful Applications—highlighting fraudsters’ common tactics, and how we shield you from these threats.

PHA_SecurityIllustration.png

Potentially Harmful Applications,” or PHAs, are Android applications that could harm you or your device, or do something unintended with the data on your device. Some examples of PHA badness include:

  • Backdoors: Apps that let hackers control your device, giving them unauthorized access to your data.
  • Billing fraud: Apps that charge you in an intentionally misleading way, like premium SMS scams or call scams.
  • Spyware: Apps that collect personal information from your device without consent
  • Hostile Downloads: Apps that download harmful programs, often through bundling with another program
  • Trojan Apps: Apps that appear benign (e.g., a game that claims only to be a game) but actually perform undesirable actions.
PHA_illustration.png

As we described in the Safer Internet post, we have a variety of automated systems that help keep you safe on Android, starting with Verify Apps—one of our key defenses against PHAs.

Verify Apps is a cloud-based service that proactively checks every application prior to install to determine if the application is potentially harmful, and subsequently rechecks devices regularly to help ensure they’re safe. Verify Apps checks more than 6 billion installed applications and scans around 400 million devices per day. If Verify Apps detects a PHA before you install it or on your device if, it will prompt you to remove the app immediately.

Testapp.png

Sometimes, Verify Apps will remove an application without requiring you to confirm the removal. This is an action we’ll take very rarely, but if a PHA is purely harmful, has no possible benefit to users, or is  impossible for you to remove on your own, we’ll zap it automatically. Ongoing protection from Verify Apps has ensured that in 2015, over 99 percent of all Android devices were free of known PHAs.

Verify Apps is just one of many protections we’ve instituted on Android to keep billions of people and devices safe. Just as PHAs are constantly evolving their tactics, we’re constantly improving our protections. We’ll continue to take action when we have the slightest suspicion that something might not be right. And we’re committed to educating and protecting people from current and future security threats—on mobile and online in general.

Be sure to check if Verify Apps is enabled on your Android device, and stay clear from harmful apps by only installing from a trusted source.

Shielding you from Potentially Harmful Applications

Earlier this month, we shared an overview of the ways we keep you safe, on Google and on the web, more broadly. Today, we wanted to specifically focus on one element of Android security—Potentially Harmful Applications—highlighting fraudsters’ common tactics, and how we shield you from these threats.

PHA_SecurityIllustration.png

Potentially Harmful Applications,” or PHAs, are Android applications that could harm you or your device, or do something unintended with the data on your device. Some examples of PHA badness include:

  • Backdoors: Apps that let hackers control your device, giving them unauthorized access to your data.
  • Billing fraud: Apps that charge you in an intentionally misleading way, like premium SMS scams or call scams.
  • Spyware: Apps that collect personal information from your device without consent
  • Hostile Downloads: Apps that download harmful programs, often through bundling with another program
  • Trojan Apps: Apps that appear benign (e.g., a game that claims only to be a game) but actually perform undesirable actions.
PHA_illustration.png

As we described in the Safer Internet post, we have a variety of automated systems that help keep you safe on Android, starting with Verify Apps—one of our key defenses against PHAs.

Verify Apps is a cloud-based service that proactively checks every application prior to install to determine if the application is potentially harmful, and subsequently rechecks devices regularly to help ensure they’re safe. Verify Apps checks more than 6 billion installed applications and scans around 400 million devices per day. If Verify Apps detects a PHA before you install it or on your device if, it will prompt you to remove the app immediately.

Testapp.png

Sometimes, Verify Apps will remove an application without requiring you to confirm the removal. This is an action we’ll take very rarely, but if a PHA is purely harmful, has no possible benefit to users, or is  impossible for you to remove on your own, we’ll zap it automatically. Ongoing protection from Verify Apps has ensured that in 2015, over 99 percent of all Android devices were free of known PHAs.

Verify Apps is just one of many protections we’ve instituted on Android to keep billions of people and devices safe. Just as PHAs are constantly evolving their tactics, we’re constantly improving our protections. We’ll continue to take action when we have the slightest suspicion that something might not be right. And we’re committed to educating and protecting people from current and future security threats—on mobile and online in general.

Be sure to check if Verify Apps is enabled on your Android device, and stay clear from harmful apps by only installing from a trusted source.

Shielding you from Potentially Harmful Applications

Earlier this month, we shared an overview of the ways we keep you safe, on Google and on the web, more broadly. Today, we wanted to specifically focus on one element of Android security—Potentially Harmful Applications—highlighting fraudsters’ common tactics, and how we shield you from these threats.

PHA_SecurityIllustration.png

Potentially Harmful Applications,” or PHAs, are Android applications that could harm you or your device, or do something unintended with the data on your device. Some examples of PHA badness include:

  • Backdoors: Apps that let hackers control your device, giving them unauthorized access to your data.
  • Billing fraud: Apps that charge you in an intentionally misleading way, like premium SMS scams or call scams.
  • Spyware: Apps that collect personal information from your device without consent
  • Hostile Downloads: Apps that download harmful programs, often through bundling with another program
  • Trojan Apps: Apps that appear benign (e.g., a game that claims only to be a game) but actually perform undesirable actions.
PHA_illustration.png

As we described in the Safer Internet post, we have a variety of automated systems that help keep you safe on Android, starting with Verify Apps—one of our key defenses against PHAs.

Verify Apps is a cloud-based service that proactively checks every application prior to install to determine if the application is potentially harmful, and subsequently rechecks devices regularly to help ensure they’re safe. Verify Apps checks more than 6 billion installed applications and scans around 400 million devices per day. If Verify Apps detects a PHA before you install it or on your device if, it will prompt you to remove the app immediately.

Testapp.png

Sometimes, Verify Apps will remove an application without requiring you to confirm the removal. This is an action we’ll take very rarely, but if a PHA is purely harmful, has no possible benefit to users, or is  impossible for you to remove on your own, we’ll zap it automatically. Ongoing protection from Verify Apps has ensured that in 2015, over 99 percent of all Android devices were free of known PHAs.

Verify Apps is just one of many protections we’ve instituted on Android to keep billions of people and devices safe. Just as PHAs are constantly evolving their tactics, we’re constantly improving our protections. We’ll continue to take action when we have the slightest suspicion that something might not be right. And we’re committed to educating and protecting people from current and future security threats—on mobile and online in general.

Be sure to check if Verify Apps is enabled on your Android device, and stay clear from harmful apps by only installing from a trusted source.

Google Wifi: Secure at every point

Today is Safer Internet Day, and we hope you’ve taken a few minutes to find out what you can do to stay safe online. But there’s one thing you probably haven’t thought about: the safety of your home network. When we created Google Wifi, we built it from the ground up to be focused on security, with multiple layers of protection. Here’s how it works:

Secure to the core

Google Wifi won’t even boot up unless it can verify that it’s using official Google Wifi software. We call this “Verified boot,” and it means Google Wifi is extremely difficult to attack or compromise. In addition, if you want to change any settings on Google Wifi, you have to use the Google Wifi mobile app which uses the same world-class cloud-based security as other Google services like Gmail. This system ensures that no changes are made to your network unless they come from the authenticated app.

Always updating

In the past year, there have been widespread cases of botnets—similar to viruses on computers—being detected in cameras, routers and other devices. These botnets can steal your private data information or even take down large portions of the internet by flooding servers with tons of data. In the past, to protect yourself against this malicious software, you’d have to somehow discover that there was a vulnerability in your router, then worry about when and where to get updated software to protect against it. Luckily, Google Wifi continually works to protect you against threats, including botnets, with automatic, behind-the-scene security updates, so you’re always one step ahead of vulnerabilities. These software updates are seamless and pushed from the cloud to your home. It’s so simple, you probably don’t even know it’s happening.

Safety mesh

Google Wifi provides fast, reliable Wi-Fi to every corner of your home using mesh technology, a system where multiple Wifi points work together to create a blanket of coverage. To establish control and security, the multiple Wifi points produce security keys—long and complex machine-generated passwords—that are shared between all the Wifi points in your network. These security keys establish encrypted communication between all points and devices on your network, and as an added security measure, these keys never leave your personal network.  

If there is an event that warrants changing of the mesh keys—for example, if you remove a Wifi point—the system will automatically renegotiate them. This ensures that your network only includes known and trusted Wifi points, and prevents your data from being sent across a compromised network that a hacker could access.

Put Wifi to the test

Google Wifi is part of Google’s Vulnerability Reward Program, which started in 2010 and provides rewards ranging from $100 to $20,000 to people who identify bugs in Google's apps and report them to us so we can fix them. With many contributors working on cutting-edge solutions to keep Google’s platforms secure, you can rest easier. And so far, no vulnerabilities in Google Wifi have been identified under this program. 💪

As security challenges continue to evolve, our team of dedicated engineers will keep working to improve the security of Google Wifi and your home network—so you can enjoy great Wi-Fi at home without worrying. Stay safe out there!

Google Wifi: Secure at every point

Today is Safer Internet Day, and we hope you’ve taken a few minutes to find out what you can do to stay safe online. But there’s one thing you probably haven’t thought about: the safety of your home network. When we created Google Wifi, we built it from the ground up to be focused on security, with multiple layers of protection. Here’s how it works:

Secure to the core

Google Wifi won’t even boot up unless it can verify that it’s using official Google Wifi software. We call this “Verified boot,” and it means Google Wifi is extremely difficult to attack or compromise. In addition, if you want to change any settings on Google Wifi, you have to use the Google Wifi mobile app which uses the same world-class cloud-based security as other Google services like Gmail. This system ensures that no changes are made to your network unless they come from the authenticated app.

Always updating

In the past year, there have been widespread cases of botnets—similar to viruses on computers—being detected in cameras, routers and other devices. These botnets can steal your private data information or even take down large portions of the internet by flooding servers with tons of data. In the past, to protect yourself against this malicious software, you’d have to somehow discover that there was a vulnerability in your router, then worry about when and where to get updated software to protect against it. Luckily, Google Wifi continually works to protect you against threats, including botnets, with automatic, behind-the-scene security updates, so you’re always one step ahead of vulnerabilities. These software updates are seamless and pushed from the cloud to your home. It’s so simple, you probably don’t even know it’s happening.

Safety mesh

Google Wifi provides fast, reliable Wi-Fi to every corner of your home using mesh technology, a system where multiple Wifi points work together to create a blanket of coverage. To establish control and security, the multiple Wifi points produce security keys—long and complex machine-generated passwords—that are shared between all the Wifi points in your network. These security keys establish encrypted communication between all points and devices on your network, and as an added security measure, these keys never leave your personal network.  

If there is an event that warrants changing of the mesh keys—for example, if you remove a Wifi point—the system will automatically renegotiate them. This ensures that your network only includes known and trusted Wifi points, and prevents your data from being sent across a compromised network that a hacker could access.

Put Wifi to the test

Google Wifi is part of Google’s Vulnerability Reward Program, which started in 2010 and provides rewards ranging from $100 to $20,000 to people who identify bugs in Google's apps and report them to us so we can fix them. With many contributors working on cutting-edge solutions to keep Google’s platforms secure, you can rest easier. And so far, no vulnerabilities in Google Wifi have been identified under this program. 💪

As security challenges continue to evolve, our team of dedicated engineers will keep working to improve the security of Google Wifi and your home network—so you can enjoy great Wi-Fi at home without worrying. Stay safe out there!

The geeky detective-work that protects you online, automatically

Using a strong password without recycling it on different accounts, exchanging personal information only on encrypted sites, keeping your software up to date: these tried-and-true tips have never been more important for staying safe online. But this Safer Internet Day, we wanted to give some insight into how our systems help keep you safe, automatically—on Google and beyond. No switches to flip or buttons to click, these protections always have your back.

Outsmarting phishing to protect your Google Account

Sometimes, email may look like it came from someone you trust, but it might be a wolf in sheep’s clothing. This spammy message is trying to phish you—trick you into giving away your personal information—and then hijack your account.
Phishing Quiz Final_Page_14.png
Spam emails take advantage of your trust in friends or businesses to try to infect your computer or steal your username and password

Luckily, we’ve built lots of smart armor into Gmail to automatically zap scammy messages before you ever see them. Our systems anonymously examine thousands of signals across all of Gmail—where a message originated, to whom it’s addressed, how often the sender has contacted the recipient in the past—to determine which messages are safe, and which ones aren’t. We then filter the vast majority of this nasty stuff out; the average Gmail inbox contains less than 0.1 percent spam.

Still, across the internet, the bad guys can be pretty clever. For example, a fraudster could steal your username and password because you accidentally shared them on an especially deceptive scam site. But, even if attackers have your credentials, our systems are still able to block them and keep your account safe, something we did hundreds of millions of times in 2016. That's because we aren’t just making sure you’ve typed the right password. We also look for subtler signals to confirm the sign-in doesn’t look funky: Are you using the same device that you usually use? Are you in a familiar location, or somewhere far away that you haven’t been to before? We want to make sure the sign-in attempt doesn’t resemble other concerning sign-in patterns that may be on our radar at any given time.

The secret sauce is the systems that detect these subtler signals—clues—billions and billions of times every day to help paint the picture of a safe log-in. Think of these like Sherlock Holmes’ magnifying glass...if it were powered by a few data centers. The clues scammers may not even know they’re leaving behind help us inspect each new log-in attempt and compare it with the picture of a safe log-in that our systems have painted based on billions and billions of other log-ins. If something looks fishy, we’ll require more verifications designed to thwart bad guys, send notifications to your phone, or email you so you can quickly act on anything that looks unfamiliar.

On the web, on Android: we've got you covered

safe_browsing_phone_2.png
A Safe Browsing warning: red means stop!

We use similar security tools to help make the web and a huge variety of Android apps and devices safer too.

For example, have you ever clicked a link and seen a red warning, like this? That’s Safe Browsing at work, strongly suggesting you should avoid visiting a site because it probably contains “badness,” like malware or a phishing trap. Similar to the way we crawl the web to deliver search results, Safe Browsing crawls for bad stuff that might be harmful to you or your device. It’s always hard at work: We show tens of millions of Safe Browsing warnings every week on more than 2 billion devices, across a variety of web browsers.

For our Android users, we developed an “app analyzer” that builds on Safe Browsing’s technology to specifically hunt for dangerous Android apps, wherever they may be, and warn you before you install one. If an app doesn’t pass the app analyzer test, it won’t be allowed in Google Play. An additional protection, Verify Apps, runs directly on Android devices, proactively checking more than 6 billion apps and 400 million devices every day. It checks in when you install an app, returns frequently to make sure everything looks safe, and if something is amiss, can remove the app from afar.

Detecting the obvious badness—sites well-known for phishing scams, ransomware that locks your device until you pay a fraudster—is relatively easy. But the stealthier badness is only detectable by measuring billions of signals across sites and apps. If this sounds similar to the way we approach spam protections on Gmail or suspicious logins into Google, that’s because it is! The ability to understand badness on a large scale enables us to find the clues bad guys don’t even know they were leaving behind.

We have a responsibility to keep you safe on Google, and help make the web more secure as well. We’re constantly improving our automatic protections, but we want to give you the controls to adjust your security settings as well. With that in mind, celebrate Safer Internet Day by taking our two-minute Security Checkup to protect your account and adjust your security settings. You can also learn more about other ways to keep your Google Account secure at privacy.google.com.

The geeky detective-work that protects you online, automatically

Using a strong password without recycling it on different accounts, exchanging personal information only on encrypted sites, keeping your software up to date: these tried-and-true tips have never been more important for staying safe online. But this Safer Internet Day, we wanted to give some insight into how our systems help keep you safe, automatically—on Google and beyond. No switches to flip or buttons to click, these protections always have your back.

Outsmarting phishing to protect your Google Account

Sometimes, email may look like it came from someone you trust, but it might be a wolf in sheep’s clothing. This spammy message is trying to phish you—trick you into giving away your personal information—and then hijack your account.
Phishing Quiz Final_Page_14.png
Spam emails take advantage of your trust in friends or businesses to try to infect your computer or steal your username and password

Luckily, we’ve built lots of smart armor into Gmail to automatically zap scammy messages before you ever see them. Our systems anonymously examine thousands of signals across all of Gmail—where a message originated, to whom it’s addressed, how often the sender has contacted the recipient in the past—to determine which messages are safe, and which ones aren’t. We then filter the vast majority of this nasty stuff out; the average Gmail inbox contains less than 0.1 percent spam.

Still, across the internet, the bad guys can be pretty clever. For example, a fraudster could steal your username and password because you accidentally shared them on an especially deceptive scam site. But, even if attackers have your credentials, our systems are still able to block them and keep your account safe, something we did hundreds of millions of times in 2016. That's because we aren’t just making sure you’ve typed the right password. We also look for subtler signals to confirm the sign-in doesn’t look funky: Are you using the same device that you usually use? Are you in a familiar location, or somewhere far away that you haven’t been to before? We want to make sure the sign-in attempt doesn’t resemble other concerning sign-in patterns that may be on our radar at any given time.

The secret sauce is the systems that detect these subtler signals—clues—billions and billions of times every day to help paint the picture of a safe log-in. Think of these like Sherlock Holmes’ magnifying glass...if it were powered by a few data centers. The clues scammers may not even know they’re leaving behind help us inspect each new log-in attempt and compare it with the picture of a safe log-in that our systems have painted based on billions and billions of other log-ins. If something looks fishy, we’ll require more verifications designed to thwart bad guys, send notifications to your phone, or email you so you can quickly act on anything that looks unfamiliar.

On the web, on Android: we've got you covered

safe_browsing_phone_2.png
A Safe Browsing warning: red means stop!

We use similar security tools to help make the web and a huge variety of Android apps and devices safer too.

For example, have you ever clicked a link and seen a red warning, like this? That’s Safe Browsing at work, strongly suggesting you should avoid visiting a site because it probably contains “badness,” like malware or a phishing trap. Similar to the way we crawl the web to deliver search results, Safe Browsing crawls for bad stuff that might be harmful to you or your device. It’s always hard at work: We show tens of millions of Safe Browsing warnings every week on more than 2 billion devices, across a variety of web browsers.

For our Android users, we developed an “app analyzer” that builds on Safe Browsing’s technology to specifically hunt for dangerous Android apps, wherever they may be, and warn you before you install one. If an app doesn’t pass the app analyzer test, it won’t be allowed in Google Play. An additional protection, Verify Apps, runs directly on Android devices, proactively checking more than 6 billion apps and 400 million devices every day. It checks in when you install an app, returns frequently to make sure everything looks safe, and if something is amiss, can remove the app from afar.

Detecting the obvious badness—sites well-known for phishing scams, ransomware that locks your device until you pay a fraudster—is relatively easy. But the stealthier badness is only detectable by measuring billions of signals across sites and apps. If this sounds similar to the way we approach spam protections on Gmail or suspicious logins into Google, that’s because it is! The ability to understand badness on a large scale enables us to find the clues bad guys don’t even know they were leaving behind.

We have a responsibility to keep you safe on Google, and help make the web more secure as well. We’re constantly improving our automatic protections, but we want to give you the controls to adjust your security settings as well. With that in mind, celebrate Safer Internet Day by taking our two-minute Security Checkup to protect your account and adjust your security settings. You can also learn more about other ways to keep your Google Account secure at privacy.google.com.

Resounding support for updating electronic privacy laws

Today, the House of Representatives passed the Email Privacy Act (H.R. 387) by voice vote.  This is the second year in a row that the House of Representatives has resoundingly passed this bill, which is a testament to its widespread support across the political spectrum.

The Email Privacy Act updates the Electronic Communications Privacy Act (ECPA) to require the government to obtain a warrant before it can compel companies like Google to disclose the content of users’ communications.  Since 2010, Google has has testified before Congress four times in support of this reform, which will protect all users, and we are proud of our efforts.  We are particularly grateful to the House of Representatives leadership and to Representatives Yoder (R-Kan.), Polis (D-Colo.), Goodlatte (R-Va.), and Conyers (D-Mich.) for securing passage of this bill so early in the 115th Congress.

This Act will fix a constitutional flaw in ECPA, which currently purports to allow the government to compel a provider to disclose email contents in some cases without a warrant, in violation of the Fourth Amendment.  The Email Privacy Act ensures that the content of our emails are protected in the same way that the Fourth Amendment protects the items we store in our homes. 

This is consistent with the practice around the country already and what the Constitution requires; the Sixth Circuit Court of Appeals concluded in 2010 that ECPA is unconstitutional to the extent it permits the government to compel a service provider to disclose to the government a user’s electronic communications content without a warrant.  Today’s vote demonstrates that this conviction is widely shared.

The Senate now has a historic opportunity to shepherd this landmark reform toward enactment.  While there are disagreements about other aspects of surveillance reform, there is no disagreement that emails and electronic content deserve Fourth Amendment protections.  We urge the Senate to advance this common sense measure, which will begin the process of updating ECPA for the Internet age.