USB Keystroke Injection Protection

USB keystroke injection attacks have been an issue for a long time: they are a real problem and cheap to mount, due to the availability and price of keystroke injection tools. These attacks send keystrokes immensely fast, in the blink of a human eye, while being effectively invisible to the victim. Initially proposed to ease system administrator tasks, the technology was picked up by attackers, who learned to use it for their own purposes and compromise user systems. Here is an attack example, with a more or less benign payload:



To make the life of an attacker harder, we propose a tool that measures the timing of incoming keystrokes and determines if it is an attack based on predefined heuristics (without a user being involved in the decision). In contrast to the successful “attack” shown above, the following shows the same payload but with the tool installed on the system:


Choosing the RUN mode

The tool offers two different modes of operation: MONITOR and HARDENING. When running it in monitoring mode it won’t block a device that was classified as malicious, but will write a log line with information about the device to syslog. If it is run in hardening mode, it will immediately block a device that was classified as malicious/attacking. Out of the box, the tool is shipped in HARDENING mode.

Investigation

If the tool is running in monitoring mode, it logs information to syslog. For a one-time inspection, this log can be read with journalctl:
journalctl -u ukip.service
If it is rolled out to more machines in a network, it makes sense to collect each syslog at a centralized place for investigation.

Choosing the heuristics

A challenge when running the tool is the proper selection of the two main heuristic variables, KEYSTROKE_WINDOW and ABNORMAL_TYPING, which control the behaviour of the tool and its detection capabilities.

KEYSTROKE_WINDOW is the number of keystrokes the tool looks at to determine whether it’s dealing with an attack or not. The lower the number, the higher the false positive rate: if the number is 2, the tool only looks at 1 interarrival time (the time between 2 keystrokes) to determine if it's an attack. Since users sometimes hit two keys almost at the same time, this leads to the aforementioned false positives. Based on internal observations, 5 is an effective value, but it should be adjusted based on the specific user’s experiences and typing behavior.

ABNORMAL_TYPING specifies what interarrival time should be classified as malicious. A higher number produces more false positives (normal typing speed will be classified as malicious), while a lower number produces more false negatives (even very fast typing attacks will be classified as benign). That said, the preset of 50000 after initial installation is a safe default, but it should be changed to a number reflecting the typing speed of the user using the tool. Finding the proper speed can be achieved in two ways: 1) using one of the various online tools to measure typing speed, or 2) running the tool in monitoring mode for a few days (or even weeks) and gradually lowering the false positive rate until it’s gone.
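The trade-off between the two variables can be reproduced offline. The following Python sketch is an added example, not UKIP's own code: the decision rule (flag once every interarrival time in a full window is at or below the threshold), the microsecond unit and the sample timings are assumptions made for illustration.

```python
from collections import deque

KEYSTROKE_WINDOW = 5     # value the page reports as effective
ABNORMAL_TYPING = 50000  # the page's preset; unit assumed to be microseconds


def to_timestamps(gaps, start=0):
    """Turn a list of interarrival times into absolute keystroke timestamps."""
    stamps = [start]
    for gap in gaps:
        stamps.append(stamps[-1] + gap)
    return stamps


def detect(timestamps, window=KEYSTROKE_WINDOW, threshold=ABNORMAL_TYPING):
    """Return the index of the keystroke that trips the heuristic, or None.

    Assumed rule: the device is flagged as soon as `window` consecutive
    keystrokes have been seen whose interarrival times are all at or
    below `threshold`.
    """
    if window < 2:
        raise ValueError("a window needs at least 2 keystrokes (1 interarrival time)")
    recent = deque(maxlen=window)  # sliding window of the newest timestamps
    for index, stamp in enumerate(timestamps):
        recent.append(stamp)
        if len(recent) < window:
            continue  # not enough keystrokes yet to decide
        seq = list(recent)
        gaps = [later - earlier for earlier, later in zip(seq, seq[1:])]
        if all(gap <= threshold for gap in gaps):
            return index
    return None


def sweep(benign, injected, windows, thresholds):
    """Map (window, threshold) -> (false_positive, attack_detected).

    `benign` plays the role of keystrokes recorded while the tool runs in
    monitoring mode; `injected` is a reference trace of machine-speed input.
    """
    results = {}
    for window in windows:
        for threshold in thresholds:
            results[(window, threshold)] = (
                detect(benign, window, threshold) is not None,
                detect(injected, window, threshold) is not None,
            )
    return results


# Constructed sample data (not measurements): a person typing with one
# near-simultaneous key pair and one fast three-key roll, and a device
# emitting a keystroke every 2000 time units.
HUMAN = to_timestamps(
    [180000, 140000, 30000, 210000, 160000, 45000, 40000, 190000, 150000, 175000]
)
INJECTED = to_timestamps([2000] * 20)


if __name__ == "__main__":
    table = sweep(HUMAN, INJECTED, (2, 3, 5), (1000, 50000, 200000))
    for (window, threshold), (false_positive, detected) in sorted(table.items()):
        print(
            f"window={window} threshold={threshold:>6} "
            f"false_positive={false_positive} attack_detected={detected}"
        )
```

Run against a real monitoring-mode capture, the same sweep shows which settings stop flagging the legitimate user while still catching machine-speed input.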

Getting it up and running

The README on GitHub contains a step-by-step guide to prepare the tool, set it up and run it as a systemd daemon that is enabled on reboot. Over time it may be necessary to revise the variables for the tool by adjusting the values at the top of /usr/sbin/ukip and restarting the daemon:
sudo systemctl restart ukip.service

A note on silver bullets

The tool is not a silver bullet against USB-based attacks or keystroke injection attacks, since an attacker with access to a user’s machine (required for USB-based keystroke injection attacks) can do worse things if the machine is left unlocked. The tool is meant to provide another layer of protection and to defend a user sitting in front of their unlocked machine by letting them see the attack happening. They are able to see the attack either because the keystrokes are delayed enough to circumvent the tool’s logic, or because they are fast enough to be detected by it, in which case the tool blocks the device by unbinding its driver and logs information to syslog.

Keystroke injection attacks are difficult to detect and prevent since they’re delivered over USB (the most widely used computer peripheral connector) and require a Human Interface Device Driver (available on likely every operating system for mouse and keyboard input). The proposed tool raises the bar, making it more difficult for the attacker while removing the user from the decision about whether a device is malicious or benign, apart from the refinement of the heuristic variables mentioned above. The tool can be complemented with other Linux tools, such as fine-grained udev rules or open source projects like USBGuard, to make successful attacks more challenging. The latter lets users define policies and allow/block specific USB devices or block USB devices while the screen is locked. That feature is especially useful, since an attacker could plug in a device while the user is away from their keyboard and launch an attack once they are back. With USBGuard in place, the device would need to be replugged when the system is unlocked to work correctly.

By Sebastian Neuner, Google Information Security Engineering Team

How Google does certificate lifecycle management


Over the last few years, we’ve seen the use of Transport Layer Security (TLS) on the web increase to more than 96% of all traffic seen by a Chrome browser on Chrome OS. That’s an increase of over 35% in just four years, as reported in our Google Transparency Report. Whether you’re a web developer, a business, or a netizen, this is a collective achievement that’s making the Internet a safer place for everyone.

Percentage of pages loaded over HTTPS in Chrome by platform (Google Transparency Report)

The way TLS is deployed has also changed. The maximum certificate validity for public certificates has gone from 5 years to 2 years (CA/Browser Forum), and that will drop to 1 year in the near future. To reduce the number of outages caused by manual certificate enrollments, the Internet Engineering Task Force (IETF) has standardized Automatic Certificate Management Environment (ACME). ACME enables Certificate Authorities (CAs) to offer TLS certificates for the public web in an automated and interoperable way. 

As we round off this exciting tour of recent TLS history, we’d be remiss if we didn’t mention Let’s Encrypt - the first publicly trusted non-profit CA. Their focus on automation and TLS by default has been foundational to this massive increase in TLS usage. In fact, Let’s Encrypt just issued their billionth (!) certificate. Google has been an active supporter of Let’s Encrypt because we believe the work they do to make TLS accessible is important for the security and resilience of the Internet's infrastructure. Keep rocking, Let’s Encrypt!

Simplifying certificate lifecycle management for Google’s users

These are important strides we are making collectively in the security community. At the same time, these efforts mean we are moving to shorter-lived keys to improve security, which in turn requires more frequent certificate renewals. Further, infrastructure deployments are getting more heterogeneous. Web traffic is served from multiple datacenters, often from different providers. This makes it hard to manually keep tabs on which certificates need renewing and to ensure new certificates are deployed correctly. So what is the way forward?

With the adoption numbers cited above, it’s clear that TLS, Web PKI, and certificate lifecycle management are foundational to every product we and our customers build and deploy. This is why we have been expending significant effort to enable TLS by default for our products and services, while also automating certificate renewals to make certificate lifecycle management more reliable, globally scalable, and trustworthy for our customers. Our goal is simple: We want to ensure TLS just works out of the box regardless of which Google service you use.

In support of that goal, we have enabled automatic management of TLS certificates for Google services using an internal-only ACME service, Google Trust Services. This applies to our own products and services, as well as for our customers across Alphabet and Google Cloud. As a result, our users no longer need to worry about things like certificate expiration, because we automatically refresh the certificates for our customers. Some implementation highlights include:

  • All Blogger blogs, Google Sites, and Google My Business sites now get HTTPS by default for their custom domains.
  • Google Cloud customers get the benefits of Managed TLS on their domains. So:
    • Developers building with Firebase, Cloud Run, and AppEngine automatically get HTTPS for their applications.
    • When deploying applications with Google Kubernetes Engine or behind Google Cloud Load Balancing (GCLB), certificate management is taken care of if customers choose to use Google-managed certificates. This also makes TLS use with these products easy and reliable.

Performance, scalability, and reliability are foundational requirements for Google services. We have established our own publicly trusted CA, Google Trust Services, to ensure we can meet those criteria for our products and services. At the same time, we believe in user choice. So even as we make it easier for you to use Google Trust Services, we have also made it possible across Google’s products and services to use Let’s Encrypt. This choice can be made easily through the creation of a CAA record indicating your preference.

While everyone appreciates TLS working out of the box, we also know power users have specialized needs. This is why we have provided rich capabilities in Google Cloud Load Balancing to let customers control policies around TLS termination. 

In addition, through our work on Certificate Transparency in collaboration with other organizations, we have made it easier for our customers to protect their and their customers’ brands by monitoring the WebPKI ecosystem for certificates issued for their domains or those that look similar to their domains, so they can take proactive measures to stop any abuse before it becomes an issue. For example, Facebook used Certificate Transparency Logs to catch a number of phishing websites that tried to impersonate their services. 

We recognize how important security, privacy, and reliability are to you and have been investing across our product portfolio to ensure that when it comes to TLS, you have the tools you need to deploy with confidence. Going forward, we look forward to a continued partnership to make the Internet a safer place together.

Project Stringer provides video coverage for U.S. elections

Whether on TVs, phones, or social media feeds, many Americans are getting their news through videos. And with a national election dominating the U.S. news, many local publishers are struggling to meet the demand for engaging, on-the-ground political videos. Enter Project Stringer.

The Google News Initiative partnered with Stringr—a video marketplace that allows publishers to source, edit and publish custom footage—to distribute daily video content about the 2020 elections to local newsrooms across the country. Initial participating publishers include The Boston Globe, FOX Television Stations, News Press & Gazette, Lee Enterprises, The Weather Group and Local Now, and Flood Communications with plans to expand to more newsrooms.

Every day, Stringr produces and distributes short video content from the campaign trails. Since the project launched in September 2019, more than 150 video packages and 3,000 raw video clips have been distributed to news publishers reaching more than 75 percent of U.S. households.

Video packages range from candidate profiles and debate recaps to deep explainers about campaign and policy issues. Stringr employs its network of 100,000 freelance videographers, or “stringers,” to capture election moments—from stump speeches to meet-and-greets—around the country.

For many local newsrooms, the availability of these videos may mean the difference between covering a political story or not. The 2020 election cycle has challenged the budgets of many U.S. newsrooms given the sheer number of candidates, debates, and events. But these newsrooms remain steadfast in their mission to provide high-quality, comprehensive coverage of the election. Mike Flood, founder of News Channel Nebraska, said the Project Stringer videos have helped his independent network source video and cover a nation from Nebraska, to the benefit of his viewers. 

Project Stringer has helped newsrooms keep track of ongoing campaigns and gather information about the candidates’ whereabouts. For instance, The Boston Globe built a candidate database that incorporates Stringr video clips from speeches and appearances. The tool helps journalists quickly access transcribed footage from these events, making the reporting process a lot easier. 

Matt Karolian, General Manager at Boston.com, said access to these videos has also provided a business benefit, allowing publishers like him to show more ads across more content—something that is important when running a news organization in the year 2020 when the industry faces so many financial challenges. He said that without being able to lean on this technology, an organization of their size would not be able to cover the campaign in such a meaningful way for their audience.


Join us for the digital Google for Games Developer Summit

Posted by the Google for Games Team

Last month, Game Developers Conference (GDC) organizers made the difficult decision to postpone the conference. We understand this decision, as we have to prioritize the health and safety of our community. GDC is one of our most anticipated times of the year to connect with the gaming industry. Though we won’t be bringing the news in-person this year, we’re hosting the Google for Games Developer Summit, a free, digital-only experience where developers can watch the announcements and session content that was planned for GDC.

Google for Games Developer Summit

The Developer Summit kicks off on March 23rd at 9:00AM PT with our broadcasted keynote. Immediately following, we’ll be releasing a full lineup of developer sessions with over 10 hours of content to help take your games to the next level.

Here are some types of sessions to expect:

  • Success stories from industry leaders on how they’ve conquered game testing, built backend infrastructure, and launched great games across all platforms.
  • New announcements like Android development and profiling tools that can help deploy large APKs to devices faster, fine tune graphic performance, and analyze device memory more effectively.
  • Updates on products like Game Servers (currently in alpha)—a fully managed offering of Agones, letting developers easily deploy and manage containerized game servers around the globe.

Sign up to stay informed at g.co/gamedevsummit.

Support for the game developer community

We recognize every developer is impacted differently by this situation. We’re coordinating with the GDC Relief Fund to sponsor and assist developers who’ve invested in this moment to further grow their games.

We also understand many developers were looking forward to sharing their content with peers. To help with this, developers can use YouTube to stream events from small to large using tools like Live Streaming and Premieres.

We can’t wait to share what we have in store for gaming. Discover the solutions our teams have been building to support the success of this community for years to come.


Source: Google Ads


Preventing App engagement campaigns for prohibited apps

Starting on April 1, 2020, the Google Ads API will prevent the creation of new App engagement campaigns for apps in prohibited categories.

The Google Ads API currently allows you to create App engagement campaigns for any category of app. But if an app from a prohibited category is chosen, those campaigns are prohibited from serving ads. This can lead to confusion among advertisers.

Enabling the API to validate that such campaigns are indeed eligible to serve before their creation will allow developers to take corrective action early on and also ensure client accounts are able to serve their intended ads.

Change details
App engagement campaigns are identified in the API as campaign objects with the following properties. Once this change goes into effect, API calls to create campaigns of the above type will fail if the campaign’s app_campaign_setting.app_id references an app in a prohibited category.

Versions v3 and later of the API will throw a SENSITIVE_CATEGORY_APP error. Earlier versions of the API will throw a more generic UNKNOWN error, since the error code is not published in those versions. These errors may surface from the following services and operations.

API Version | Service | Operation | Error
v3+ | CampaignService | create | CampaignError.SENSITIVE_CATEGORY_APP
v1, v2 | CampaignService | create | CampaignError.UNKNOWN

For instances of error code CampaignError.UNKNOWN, the GoogleAdsError’s details.unpublished_error_code field will indicate, “CampaignError.SENSITIVE_CATEGORY_APP”.

Implementation and support
If you create App engagement campaigns with the Google Ads API, please add error handling for apps in prohibited categories. In order to leverage the new SENSITIVE_CATEGORY_APP error, please upgrade to v3 of the Google Ads API first where possible.

If you’re unable to upgrade versions before the change goes into effect, please check for error code CampaignError.UNKNOWN upon campaign creation, and verify that the error’s details.unpublished_error_code string matches the error name documented in the previous section, to indicate a prohibited category may be in use.

For more details on implementing support for App campaigns, see our App Campaigns developer guide. And as always, if you have any questions about this change, don’t hesitate to reach out to us on the Google Ads API developer forum.

How three women are changing the game—literally

It’s Women’s History Month and we wanted to take a moment to highlight some of the incredible work that women are doing in the tech and gaming industry. From creating innovative new video games to teaching the next generation of coders, women are doing incredible things in these traditionally male-dominated fields.

The three women below inspire us every day with the work they are doing in our Google Fiber cities. They remind us why we do what we do — connect people to the things that matter to them. Find out what drives them in their own words (and if you want to learn even more about these superstars, follow us on Twitter and Facebook).



Elizabeth Schulte
Salt Lake City, Utah

Elizabeth is an interactive designer and digital media mentor at Spy Hop Productions. She teaches teens how to create video games.


Having women on a game creation team adds a more robust perspective. If every member of the team looks the same and acts the same, you’re going to get the same old answers. But by diversifying teams, we can get fresh perspectives to the questions asked and maybe even get new solutions to old problems. Females are half the population; we should represent a similar number in games creation.

To help support their girls’ interests in STEM, I’d give parents this advice: See teens where they are. Give them the tools to be successful. Celebrate the positive steps that they make. Let them fail in a safe environment; let them try to fix problems on their own first. Nudge them toward the solution; everything is an opportunity to learn.


Daisy Magnus-Aryitey
Durham, North Carolina

Daisy is a software engineer and the Director of Programs at Code the Dream. She wrote her very first line of code as a student with the organization. Now, she’s working to show other women that they belong in tech, too.


I don’t think being a woman necessarily made it more difficult to break into the field, but it does make it hard to advance in the field — to move into a leadership role. As a woman, and especially as a woman of color, you definitely have to be a vocal advocate for yourself.

I think the best way to show girls that they belong in STEM fields is to show them women who are in tech. It’s not enough to simply say that this is a field for everyone, and it’s not enough to celebrate a small number of women in tech that are based in New York City or the Bay Area. We need girls to see women in their own cities and communities who are working as software engineers.


Athena
Austin, Texas

Athena is a live streamer — meaning she plays video games with people watching her online, specifically on Twitch, for a living. She started gaming at 7 years old, and had no idea that it would turn into her career.


As a game-streaming woman, I did encounter a number of challenges early on. Initially, the major criticism was that my success was not attributed to hard work and providing entertaining content, but solely due to my gender. Over time, that criticism faded somewhat as my Rocket League community grew.

The impact I am able to have on the lives of the people in my community is my favorite part of what I do. If I can make one person smile or laugh or forget a tough time they are going through, even if only for a couple minutes, it’s all worth it.


Grow with Google takes digital skills training to the Illawarra community

Grow with Google has headed out on the road again for 2020, taking our specialist digital skills training program to the Illawarra region of New South Wales for the first time.

More than 250 Illawarra locals joined special training workshops at Shellharbour Civic Centre where they learned tips and tools from Google’s own digital experts to help them grow their businesses, careers and education.

Caption: Google Australia’s Richard Flanagan with Stephen Jones MP and Mayor Marianne Saliba 

We were joined by Shadow Assistant Treasurer and Member for Whitlam, Stephen Jones MP, and City of Shellharbour Mayor, Marianne Saliba - who officially opened the event.

The Grow with Google program - which features in person training and online resources - is designed to help address the digital skills gap in Australia.

 Caption: Local Illawarra businesses picked up online tips and tricks 

At today’s small business workshop, Illawarra businesses learned how to have a strong presence online to attract new customers and gain better insights into what their customers wanted - and individuals at all stages of the digital journey picked up new skills.

We know that digital tools and skills can open up new opportunities for communities and businesses across the Illawarra. But many people are unsure what to do or where to begin, so we created Grow with Google to help bridge this gap.

One Illawarra business that is using digital tools to help grow their business is catering and fine foods company Culinarius. Business owner Rebecca Armstrong said they’ve focused on updating their online profile, responding to customer reviews, and learning insights from their web traffic.

Since 2014, Google has trained more than half a million people across Australia through online and in-person digital skills training, as well as curriculum integrated through school and partner programs.

We look forward to taking Grow with Google to every state and territory in 2020.

Posted by Richard Flanagan, Head of Small Business Marketing

Preparing students to learn from home with Chromebooks

As educators and IT administrators prepare for potential school closures due to COVID-19, we’re offering free access to advanced Hangouts Meet features, as well as resources and tips for teaching classes remotely.

School admins can quickly and securely prepare their school's Chromebooks to go home with students. Educators and IT administrators can also use our new resource hub to find materials, resources and training—and we'll continue adding to this as additional resources become available. 


Sending Chromebooks home for distance learning

Chromebooks are remotely managed through the Google Admin console, making it simple for schools and IT administrators to deploy and manage thousands of devices. There’s no need to manually install software or login to a device to apply settings—admins simply flip a switch online and every device updates its applications and settings automatically. These same capabilities make it just as easy to turn school-based Chromebooks into take-home devices for students to continue learning in times of need. For example:

  • Admins can restrict device access to managed student accounts or set “Off Hours” when students can sign in with their personal accounts.

  • Admins can use URL blacklists to set content restrictions and ensure that students are held to the same responsible-use policies off-campus as they are inside their classrooms.

For more information, please see our Help Center article on how to prepare Chromebooks for e-learning days at home.


Using Chromebooks from home 

Even if students don’t have WiFi access, they can access their Google Drive, and edit and save files offline. And they can take photos, record videos and screencasts while offline on Chromebooks.

Sharing information with families

Some parents and guardians might not be familiar with Chromebooks and how they differ from other computers. Admins might consider sending an email home to parents to explain how these devices work and how to assist students at home with our Guardian's Guide to Chromebooks. It’s important to share information with families about how to manage their child’s Chromebooks, including activity controls and which sites to allow. Schools might also consider sharing their distance learning plans with families so they might know how to support the transition.

More resources for distance learning

As families support students learning at home, we’re here to help. You can find resources on our distance learning hub and watch our webinar on distance learning strategies. We’re inspired by the ideas and resources educational leaders are sharing with each other. To continue the conversation and share your own ideas, join us on Google Educator Groups, Twitter and Facebook.

Experience the new Google Groups, launching in beta

What’s changing 

Later this year, we’ll replace the current Google Groups interface with a new experience. Starting today, you can sign up to try the new experience in beta, giving your organization early access to the new UI and a head start on the migration from classic Groups. Use this form to apply for the beta.

Before applying, please carefully consider the “Additional details” below. Some features that currently exist in Groups will not be available in the beta. If your organization uses those features often, you may want to wait to try new Groups.

Who’s impacted 

Admins and end users

Why you’d use it 

The new Groups experience features a modern, fresh look and controls that are streamlined, intuitive, and consistent with other G Suite tools like Gmail. Participation in the beta will allow you to check out the new interface as soon as possible, provide feedback to Google, and prepare your users for future migration.

It’s important to note that we’re continuing to improve on the new Groups experience and some features that currently exist in classic Groups will not be available in the beta.

Specifically, users in the new Groups beta won’t have access to the following features:
  • Collaborative inboxes
  • Tags and categories
  • Mobile browser experience for new Groups
  • Welcome messages above group conversations
  • Accessing moderated messages
For the complete list of features that will not be available in beta, see our Help Center.


Users will still be able to access features not available in the beta at any time by reverting back to classic Groups. To do so, you can click on the gear at the top right of the page and select “Visit classic Google Groups.” When opted into beta, users can switch between the beta version of Groups and Classic Groups as often as needed. If you feel this will be confusing or disruptive, however, you may not want to apply for the beta.


Reverting back to Classic groups from the New Groups beta

Reverting back to the New Groups beta from Classic Groups

Visit our Help Center for more information on the features available in the new Groups beta.

Additional details

We’ll roll out the new Groups experience in three stages:

  • Beta with the option to revert: If you apply for and are accepted into the beta, your users will be automatically transitioned to the new Groups experience with the option to revert back to the classic Groups UI at any time.
  • General availability (GA) with option to revert: Following the beta, we’ll introduce the new Groups experience to all G Suite customers. We’ll announce the specific date for this GA phase on the G Suite Updates blog at least two weeks in advance, and admins will have the option to control user access to the UI in the Admin console at that time. If an admin doesn’t take action, their users will see the new Groups experience when they visit groups.google.com. Users will have the option to revert back to classic Groups at any time.
  • Mandatory transition to new Groups: Later this year, all users will be migrated to new Groups, and they’ll no longer have the option to revert to classic Groups. Admins will not be able to prevent users from accessing the new Groups UI. We’ll announce the specific date for this transition on the G Suite Updates blog at least one month in advance.

Getting started

Admins:  
  • Complete this form to apply for the beta. You must be a super admin to qualify.
  • If you’re accepted into the beta, you’ll receive an email shortly before your domain is whitelisted. Once your domain is whitelisted, all users in your domain and subdomains will be migrated to the new Groups experience, but they’ll have the option to revert back to classic at any time. Once accepted into the beta, you can use this email template to communicate these changes to your users.
  • Please note that it may take several weeks for your domain to be whitelisted into the beta.
End users:  
  • If your organization is accepted into the beta, you’ll automatically be transitioned to the new UI. You can revert back to classic Groups at any time.

Availability

  • Available to all G Suite customers

Resources