Tag Archives: Safety & Security

How fact checkers and Google.org are fighting misinformation

Misinformation can have dramatic consequences for people’s lives, affecting their ability to find reliable information on everything from elections to vaccinations, and the pandemic has only exacerbated the problem, since accurate information can save lives. To help fight the rise in misinformation, Full Fact, a nonprofit that provides tools and resources to fact checkers, turned to Google.org for help. Today, ahead of International Fact Checking Day, we’re sharing the impact of this work.

Every day, millions of claims, like where to vote and COVID-19 vaccination rates, are made across a multitude of platforms and media. It was becoming increasingly difficult for fact checkers to identify the most important claims to investigate.

“We’re not just fighting an epidemic; we’re fighting an infodemic. Fake news spreads faster and more easily than this virus and is just as dangerous.”
Tedros Adhanom, Director General of the World Health Organization

Last year, Google.org provided Full Fact with $2 million and seven Googlers from the Google.org Fellowship, a pro-bono program that matches teams of Googlers with nonprofits for up to six months to work full-time on technical projects. The Fellows helped Full Fact build AI tools that help fact checkers detect claims made by key politicians, then group them by topic and match them with similar claims from across press, social networks and even radio using speech-to-text technology. Over the past year, Full Fact boosted the number of claims they could process by 1000x, detecting and clustering over 100,000 claims per day — that’s more than 36.5 million claims per year!

The AI-powered tools let fact checkers work more efficiently, so that they can spend more time actually checking and debunking claims rather than identifying which claims to check. Using a BERT-based machine learning model, the technology now works across four languages (English, French, Portuguese and Spanish). Full Fact’s work has also expanded to South Africa, Nigeria and Kenya with their partner Africa Check, and to Argentina with Chequeado. In total in 2020, Full Fact’s fact checks appeared 237 million times across the internet.


Graphic showing the following impact statistics: 1000x increase in detected claims, fact checks appeared 237 million times in search results, the technology works across 4 languages, and 50K claims were detected per day in the UK election.


If you’re interested in learning more about how you can use Google to fact check and spot misinformation, check out some of our tips and tricks. Right now more than ever we need to empower citizens to find reliable authoritative information, and we're excited about the impact that Full Fact and its partners have had in making the internet a safer place for everyone. 

Today, we #ShareTheMicInCyber

We know diverse security teams are more innovative, produce better products and enhance an organization's ability to defend against cyber threats. 

This is part of why Googler Camille Stewart cofounded #ShareTheMicInCyber, an initiative that pairs Black security practitioners with prominent allies who lend their social media platforms to the practitioners for a day. The goal is to break down barriers, engage the security community and promote sustained action to eradicate systemic racism.

Today, cybersecurity and privacy practitioners across Google and industry are elevating the voices and expertise of Black women who specialize in cybersecurity and privacy as part of #ShareTheMicInCyber’s Women’s History Month campaign. 

I’m honored to #ShareTheMicInCyber with a few of the Black women security and privacy practitioners I work alongside every day at Google.

Camille Stewart

Camille Stewart, Head of Security Policy, Google Play + Android

“I work in this space to empower people in and through technology by translating and solving the complex challenges that lie at the intersection of technology, security, society and the law. 

Security is core to everything we do here. As creators of technology, we work to be intentional about how we build and educate users on safety and security. To do this effectively, we must be more intentional about diversity. More often than not, I am the only woman and only person of color in meetings where decisions are being made. To make truly inclusive technology and combat abuse, we need a diverse workforce.

I believe technical and policy mitigations to cybersecurity challenges will never reach their full potential until systemic racism is addressed and diverse voices are reflected among our ranks at all levels. That’s why I co-founded #ShareTheMicInCyber.”

Brooke Pearson

Brooke Pearson, Program Manager for Chrome Privacy Sandbox 

“I work in security and privacy to protect people and their personal information. It’s that simple.

At Google, we’re tackling some of the world's biggest security and privacy problems, and every day my work impacts billions of people around the world. Most days, that's pretty daunting, but it's also humbling and inspiring.

If we want to encourage people to engage in more secure behavior, we have to make it easy to understand, easy to act on and inclusive. 

I’m proud to work for a company that promotes active allyship and has stepped forward in such a prominent way to support Black women security and privacy professionals through the #ShareTheMicInCyber campaign.”

Michee Smith

Michee Smith, Product Manager, Privacy, Safety & Security

“Protecting user data is core to our mission. We build privacy into everything we do, which is why I am so passionate about my job. I work on products that make it easier for users to understand and control what happens with their data. My interest in this work was sparked when I learned how nuanced and technical these topics are, and how much they impact people.

For me, relationships and representation in tech really matter. Oftentimes, people of color don’t see people who look like us in these roles and on stages. There’s a sense of gratitude, belonging and relief to see someone who looks like you. I want to show up to help others imagine themselves in similar roles — that’s why I’m a huge fan of #ShareTheMicInCyber. This initiative is lifting people and communities up and creating an echo chamber that can be heard beyond cyber to the technology industry as a whole.”

Esther Ndegwa

Esther Ndegwa, Program Manager Security, Privacy, Safety & Security

“My passion for security lies in the challenges the industry faces — especially with regard to the evolving expectations and requirements we face to protect data wherever it is. 

The right place to start is to ensure we define our principles through policy.

To get security right requires diverse thinking, drawn from different backgrounds and perspectives. I often encourage minority professionals in technology, who are starting off their career, to explore opportunities in security. 

For me, nothing resonates more than hearing someone tell their story and #ShareTheMicInCyber has created a much needed platform for amplifying those stories. While there is still work to be done to make the security industry more diverse, I believe that having conversations like these makes a big difference.”


I encourage you to follow, share, and retweet #ShareTheMicInCyber on Twitter and LinkedIn, today, March 19. By strengthening our commitment to racial equity and inclusion we can build safer and more secure products for everyone.

If you are interested in participating or learning more about #ShareTheMicInCyber, you can visit the site.

Our efforts to fight child sexual abuse online

Across Google and YouTube, we are always working to protect our users from harmful content, especially the kind of horrific, illegal content referred to as child sexual abuse material (CSAM). Since our earliest days, we’ve been committed to fighting online child sexual exploitation and abuse both on our platforms and in the broader online ecosystem. We have invested in the teams, tools, and resources to deter, remove, and report this kind of content, and to help other companies do so. But we know this issue cannot be solved by any one company alone, and we’re committed to tackling it with others in our industry and partners who are dedicated to protecting children around the world. Today, we’re sharing more information about our work, including new efforts to combat this abuse, and how we’re supporting organizations that are committed to protecting kids online.

How we identify and remove CSAM

We identify and report CSAM with a combination of specialized, trained teams of people and cutting-edge technology. We use both hash-matching software like CSAI Match (a technology developed by YouTube engineers to identify re-uploads of previously identified child sexual abuse in videos) and machine learning classifiers that can identify never-before-seen CSAM imagery. These tools allow us to proactively scan our platforms for potential CSAM and identify potentially abusive content so that it can be removed and reported — and the corresponding accounts disabled — as quickly as possible. A crucial part of our efforts to tackle this kind of abuse is working with the National Center for Missing and Exploited Children (NCMEC), the U.S.-based reporting center for CSAM. NCMEC tracks reports from platforms and individuals and then sends those reports to law enforcement agencies around the world.

New insights into our work to fight CSAM

We recently launched a new transparency report on Google’s Efforts to Combat Online Child Sexual Abuse Material, where we detail the number of reports we made to NCMEC in the first and second half of 2020. The report also provides data around our efforts on YouTube, how we detect and remove CSAM results from Google Search, and how many accounts are disabled for CSAM violations across our services. We also include information on the number of “hashes” of newly identified CSAM we share with NCMEC. These hashes (unique digital fingerprints) help other platforms identify CSAM automatically at scale. Contributing to the NCMEC hash database is one of the most important ways we, and others in the industry, can help in the effort to combat CSAM because it helps reduce the recirculation of this material and the associated re-victimization of children who have been abused.

Working to combat CSAM across the internet

Because CSAM is an issue that spans beyond any one platform, in 2018 we developed and launched the Content Safety API. Using AI classifiers we built for our own products, the API helps organizations classify and prioritize the content most likely to be CSAM for review. Today, the API is being used by NGOs like SaferNet Brazil and companies including Facebook and Yubo. Along with CSAI Match, these tools are offered free of charge to qualifying organizations and companies. In 2020, the Content Safety API was used by our partners to classify more than 2 billion images, helping them identify the small fraction of violative content faster and with more precision. We encourage organizations that are interested to apply to use CSAI Match or the Content Safety API.


For many years, we’ve had dedicated teams working to prevent access to CSAM on google.com by de-indexing and reporting illegal sites and filtering autocompletes for search terms associated with CSAM. Last summer, we redesigned and expanded a feature we’ve been running since 2013 where users who enter CSAM-related queries are shown a prominent message that CSAM is illegal and instructions on how to report this content to their local authorities. We also provide information about local resources to connect users with NGOs that support children or families who may have been victims of abuse. We’re already seeing an impact from these efforts: hundreds of thousands of users each month are clicking through to the reporting hotlines we surface, including the Internet Watch Foundation in the UK, the Canadian Center for Child Protection and Te Protejo in Colombia. And, crucially, we’ve seen when these warning boxes are shown, we’re less likely to see follow-up searches seeking similar material. We will be expanding this feature over the course of this year. 

Supporting organizations to fight CSAM globally

The scale and complexity of fighting CSAM online means we must take a global and multi-stakeholder approach. That’s why we’re working together across industry and with leading child safety organizations like the WeProtect Global Alliance, Thorn and the Global Partnership to End Violence Against Children. And we continue to work to empower and support organizations that are creating real and lasting change for children. For example, we’ve funded a three-year Google Fellow at NCMEC to modernize and integrate their systems. We’ve also extended our Ad Grants program to qualifying child protection nonprofits during the pandemic, providing funding and campaign help for organizations like the INHOPE hotline network and ECPAT International. Since 2003, we’ve given almost $90 million in Ad Grants to global child protection organizations. We also supported the Five Country Ministerial Forum Voluntary Principles to Counter Child Sexual Exploitation and Abuse and collaborated across industry to produce a practical guide for companies considering applying these principles. This builds on our work on Project Protect as part of the Technology Coalition.


Working together, we can make meaningful progress in the global fight against CSAM.

Your Android is now even safer — and 5 other new features

It wasn't all that long ago that we introduced Android users to features like Emoji Kitchen and auto-narrated audiobooks. But we like to stay busy, so today we're highlighting six of the latest Google updates that will make Android phones more secure and convenient — for everyone.

1. Keep your accounts safe with Password Checkup on Android

Password Checkup notification screen


On Android, you can save passwords to your Google account, making it quicker and easier to sign into your apps and services using Autofill. Your login credentials are one of your first lines of defense against intruders, so we’ve integrated Password Checkup into devices running Android 9 and above. This feature lets you know if the password you used has been previously exposed and what to do about it.


Now when you enter a password into an app on your phone using Autofill with Google, we’ll check those credentials against a list of known compromised passwords — that is, passwords that have potentially already been stolen and posted on the web. If your credentials show up on one of these lists, we’ll alert you and guide you to check your password and change it. 
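The check described above, where a saved credential is compared against a list of known compromised passwords without handing the password itself to the server, can be illustrated with a k-anonymity-style range lookup. This is an added example, not Google's Password Checkup protocol (which layers blinding on top of the hash lookup); the client sends only a short hash prefix, the server returns every breached-hash suffix in that bucket, and the final comparison happens on the client. The breach list and passwords below are constructed for the demo.

```python
"""k-anonymity-style compromised-password lookup (added example).

Client side: hash the password, send only a short prefix of the hash.
Server side: return all breached-hash suffixes sharing that prefix.
Client side: compare locally, so the server never sees the full hash.
The breached password list here is constructed, not real breach data.
"""
import hashlib

# Length of the hash prefix (in hex chars) the client reveals to the server.
# 4 hex chars = 16 bits, so every real-world bucket holds many unrelated
# hashes and the prefix alone identifies no single password (assumption: a
# large breach corpus; the constructed list below is tiny).
PREFIX_HEX = 4

# Constructed sample of "known compromised" passwords.
CONSTRUCTED_BREACHED = [
    "password123", "qwerty", "letmein", "123456", "iloveyou", "welcome1",
]


def hash_password(password: str) -> str:
    """Unsalted SHA-256 hex digest; the breach index is keyed on the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class BreachIndex:
    """Server side: breached hashes bucketed by prefix, suffixes stored only."""

    def __init__(self, breached_passwords):
        self.buckets = {}
        for pw in breached_passwords:
            h = hash_password(pw)
            self.buckets.setdefault(h[:PREFIX_HEX], set()).add(h[PREFIX_HEX:])

    def lookup_prefix(self, prefix: str) -> list:
        """The only query the server answers: all suffixes for one prefix."""
        if len(prefix) != PREFIX_HEX:
            raise ValueError("prefix must be exactly %d hex chars" % PREFIX_HEX)
        return sorted(self.buckets.get(prefix, ()))


def is_compromised(password: str, index: BreachIndex) -> bool:
    """Client side: reveal the prefix, compare the suffix locally."""
    h = hash_password(password)
    prefix, suffix = h[:PREFIX_HEX], h[PREFIX_HEX:]
    bucket = index.lookup_prefix(prefix)   # what actually crosses the wire
    return suffix in bucket


def what_server_learns(password: str) -> str:
    """The prefix is all the server sees of the checked password."""
    return hash_password(password)[:PREFIX_HEX]


if __name__ == "__main__":
    index = BreachIndex(CONSTRUCTED_BREACHED)
    for pw in ["password123", "correct-horse-battery-staple"]:
        print(pw, "-> server sees", what_server_learns(pw),
              "-> compromised:", is_compromised(pw, index))
```

The design choice to note is that the server's `lookup_prefix` is the only query it answers, and it is given a prefix rather than a hash, so an honest-but-curious server learns at most which bucket the checked password falls in.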


Learn more on our support page about changing unsafe passwords. And you can find additional information about how this product works in this blog post.


We’re passionate about building defense into every detail on Android, from downloading apps to browsing the web to choosing where and when you share your data. Learn more about how Android keeps you safe.

2. Use schedule send in Messages to write a text now and send it later

Schedule a text to send it at your chosen date and time


Over half a billion people across the world use Messages to seamlessly and safely connect with family, friends and others every month. To continue improving the way you communicate and help you stay in touch, we’re starting to roll out schedule send in Messages for phones running Android 7 and newer.


Having loved ones in another time zone or on a different schedule can sometimes make it difficult to send a text at an appropriate time. With schedule send, you can compose a message ahead of time when it’s convenient for you, and schedule it to send at the right moment. Just write your message as you normally would, then hold and press the send button to select a date and time to deliver your message. Download Messages or update to the latest version to schedule your next text.

3. No need to look at your screen, with TalkBack

Start and stop media with Talkback gestures


For those who are blind or have trouble seeing the display, the new version of TalkBack, Android’s screen reader, is now available. Using spoken feedback and gestures, TalkBack makes Android even more accessible and opens up a full phone experience without needing to look at your screen. We worked closely with the blind and low vision communities on this revamp of TalkBack to incorporate the most popularly requested features including: more intuitive gestures, a unified menu, a new reading control menu and more. Get TalkBack today by downloading or updating your Android accessibility apps in the Google Play Store.

4. Get more done hands-free with Google Assistant

Use Google Assistant to send a text, even when your phone is locked


We want to give you more ways to use your phone hands-free — so you can do things like use your voice to make calls, set timers or alarms and play music. Now, the latest updates to Google Assistant make it easier to get things done on your phone without needing to be right next to it.


Assistant now works better even when your phone is locked or across the room, with new cards that can be read at a glance. Just say “Hey Google, set an alarm” or “Hey Google, play pop music on Spotify.” To get the most out of Assistant when your phone is locked, simply turn on Lock Screen Personal Results in Assistant settings and say “Hey Google” to send text messages and make calls.

5. Come to the dark side with dark theme in Google Maps 

San Francisco on Google Maps dark theme


These days, we’re all experiencing a bit of screen fatigue. With dark theme in Google Maps soon expanding to all Android users globally, you can give your eyes a much-needed break and save on battery life. Simply head to your Settings, tap on Theme and then on “Always in Dark Theme” to lower the lights when you’re navigating, exploring, or getting things done with Maps. Change your mind? Just tap on “Always in Light Theme” to switch it back.

6. A better drive with Android Auto

Stay entertained with voice-activated games on your display with Android Auto


Android Auto’s new features help you enjoy the drive more. With custom wallpapers, you can now select from a variety of car-inspired backgrounds to personalize your car display. For longer drives, you and your passengers can stay entertained with voice-activated games like trivia and “Jeopardy!” Just say, “Hey Google, play a game” to get started. 


We’ve also launched shortcuts on the launch screen. These provide convenient access to your contacts and even allow you to use Assistant to complete tasks like checking the weather or remotely adjusting the thermostat by simply tapping on the icon on your car display, just as you would on your phone. For cars with wider screens, you can do more with a split-screen that features a real-time view of Google Maps and media controls. And if you have family and friends coming along for the ride, you can now set a privacy screen to control when Android Auto appears on your car display. 


These Android Auto features will be available in the coming days on phones running Android 6.0 or above, and when connected to your compatible car.

Source: Android


Build security into your next website

Posted by Ben Fried, VP, CIO & Chief Domains Enthusiast

If you wanted to send a secret message by mail, would you rather send it in an envelope, or on a postcard? If you send it on a postcard, anyone who saw the postcard on its way to the recipient could read the message, or even make changes to what’s written.

Encryption on a website functions like an envelope, protecting information passed between your website and its visitors so it can’t be snooped on or changed. It’s what keeps your visitors safe from bad actors who may try to alter your site’s content, misdirect traffic, spy on open Wi-Fi networks, and inject malware or tracking. You achieve encryption on a website by installing an SSL (Secure Sockets Layer) certificate. This certificate ensures that the data passed between a web server and a browser remains private.

To kick off National Cyber Security Awareness Month, we’re highlighting something that many website owners don’t realize—a single page that isn’t encrypted could potentially be used to gain access to the rest of the website. To avoid this, you need encryption on your entire website, not just for pages that are collecting credit card numbers or log-in info. Even unencrypted landing pages that redirect to an HTTPS page can pose risks. A single unprotected page can become a backdoor for bad actors to snoop on the rest of the site. How do you ensure your entire website is encrypted?

Use a top-level domain that is HSTS preloaded.

The HSTS preload list tells modern browsers which websites to only load over an encrypted connection. The fastest way to get on this list is to use a top-level domain that’s already on the HSTS preload list, such as .app, .dev, or .page. Any website on those extensions gets the security benefits of HSTS preloading from day one, so all you need to do is install your SSL certificate.

Add your website to the HSTS preload list yourself.

Websites can be individually added to the HSTS preload list by the website owner at hstspreload.org. Keep in mind this can be a slow process because the list is manually built into the browser. That means updates to the list are made as new browser releases come out, which can take months to occur for all browsers.
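Whichever route you take, the header your site sends still has to meet the preload submission requirements before hstspreload.org will accept it. The following is an added example (not code from the post or from hstspreload.org) that parses a Strict-Transport-Security header and reports which of the header-level requirements it misses; the requirements it checks are the ones published at hstspreload.org: a max-age of at least one year (31536000 seconds), an includeSubDomains directive and a preload directive. The header values are constructed; the HTTP-to-HTTPS redirect and certificate checks that preloading also requires are outside what a header check can see.

```python
"""Check a Strict-Transport-Security header against the HSTS preload
submission requirements (max-age >= 1 year, includeSubDomains, preload).
Added example; the sample header values are constructed, not captured
from any real site.
"""

ONE_YEAR = 31536000  # seconds; minimum max-age for preload submission


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into {directive: value}.

    Directive names are case-insensitive and may appear only once
    (RFC 6797); values may be quoted. Raises ValueError on a duplicate.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = value
    return directives


def preload_problems(header: str) -> list:
    """Return the reasons a header would fail the preload header checks.

    An empty list means every check implemented here passes.
    """
    problems = []
    try:
        directives = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]

    if "max-age" not in directives:
        problems.append("missing max-age")
    else:
        try:
            max_age = int(directives["max-age"])
        except ValueError:
            problems.append("max-age is not an integer")
        else:
            if max_age < ONE_YEAR:
                problems.append(
                    "max-age %d is below one year (%d)" % (max_age, ONE_YEAR))

    if "includesubdomains" not in directives:
        problems.append("missing includeSubDomains")
    if "preload" not in directives:
        problems.append("missing preload")
    return problems


# Constructed header values illustrating a passing header and common gaps.
SAMPLES = {
    "strong": "max-age=63072000; includeSubDomains; preload",
    "weak": "max-age=300",
    "no_subdomains": "max-age=31536000; preload",
    "quoted": 'max-age="31536000"; includeSubDomains; preload',
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print("%-14s %s" % (name, preload_problems(value) or "OK"))
```

A header that passes these checks is necessary but not sufficient: the site must also serve it over HTTPS on the bare domain and redirect plain HTTP to HTTPS, which you verify against the live site rather than the header string.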

More people are creating websites than ever before, with 48 percent of the U.S. population planning to create one. To help make building your secure website a bit easier, we’ve teamed up with some of our registrar partners, who are offering a discount on .dev, .app, and .page domains plus free SSL certificates during the month of October. We’re also kicking off a video series where existing creators will share their tips for launching a website. You can check them out at safe.page/buildsecurely.

Stephanie Duchesneau, Domains Security Expert, explains the importance of website encryption and the benefits of HSTS-preloading.

Working together to improve user security

Posted by Adam Dawes

We're always looking for ways to improve user security both on Google and on your applications. That's why we've long invested in Google Sign In, so that users can extend all the security protections of their Google Account to your app.

Historically, there has been a critical shortcoming of all single sign-in solutions. In the rare case that a user's Google Account falls prey to an attacker, the attacker can also gain and maintain access to your app via Google Sign In. That's why we're super excited to open a new feature of Google Sign In, Cross Account Protection (CAP), to developers.

CAP is a simple protocol that enables two apps to send and receive security notifications about a common user. It supports a standardized set of events including: account hijacked, account disabled, when Google terminates all the user's sessions, and when we lock an account to force the user to change their password. We also have a signal if we detect that an account could be causing abuse on your system.

CAP is built on several newly created Internet Standards, Risk and Incident Sharing and Coordination (RISC) and Security Events, that we developed with the community at the OpenID Foundation and IETF. This means that you should only have to build one implementation to be able to receive signals from multiple identity providers.

Google is now ready to send security events to your app for any user who has previously logged in using Google Sign In. If you've already integrated Google Sign In into your service, you can start receiving signals in just three easy steps:

  1. Enable the RISC API and create a Service Account on the project/s where you set up Google Sign In. If you have clients set up in different projects for your web, Android and iOS apps, you'll have to repeat this for each project.
  2. Build a RISC Receiver. This means opening a REST API on your service where Google will be able to POST security event tokens. When you receive these events, you'll need to validate they come from Google and then act on them. This may mean terminating your user's existing sessions, disabling the account, finding an alternate login mechanism or looking for other suspicious activity with the user's account.
  3. Use the Service Account to configure Google's pubsub with the location of your API. You should then start receiving signals, and you can start testing and then roll out this important new protection.
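The receiver in step 2 boils down to three things: verify that the posted token really came from the identity provider, validate its claims, and map each event type to an action on your side. The following is an added example of that receiver logic, not Google's reference code or the CAP developer docs. It follows the Security Event Token format (RFC 8417) and uses the event type URIs from the OpenID RISC profile. To run offline it constructs its own token and signs it with HMAC-SHA256; that is an assumption of the demo only, since Google signs these tokens with RS256 and a real receiver verifies them against Google's published public keys. The issuer, audience, key and user id values are placeholders.

```python
"""Minimal RISC receiver: verify a Security Event Token (RFC 8417) and
dispatch on its event type. Added example, not Google's reference code.

ASSUMPTION: the demo token is HMAC-SHA256 signed so the script runs
offline. A production receiver verifies Google's RS256 signature against
Google's published keys instead.
"""
import base64
import hashlib
import hmac
import json
import time

RISC = "https://schemas.openid.net/secevent/risc/event-type/"
EXPECTED_ISSUER = "https://accounts.google.com"                    # assumed
EXPECTED_AUDIENCE = "PLACEHOLDER-client-id.apps.googleusercontent.com"
DEMO_KEY = b"constructed-demo-secret"                              # demo only
CLOCK_SKEW = 300  # seconds of tolerated clock skew on iat

# What this app does for each event type it understands.
ACTIONS = {
    RISC + "sessions-revoked": "terminate all sessions for the user",
    RISC + "account-disabled": "disable the local account",
    RISC + "account-credential-change-required": "force a credential reset",
    RISC + "verification": "log the verification ping",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set(claims: dict, key: bytes) -> str:
    """Build a compact SET; used only to construct the demo token."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = b64url(json.dumps(header).encode()) + "." + \
        b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_set(token: str, key: bytes, now: float = None) -> dict:
    """Check signature and required claims; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected = hmac.new(key, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token not addressed to this client")
    for required in ("jti", "iat", "events"):
        if required not in claims:
            raise ValueError("missing claim: " + required)
    now = time.time() if now is None else now
    if claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    if not isinstance(claims["events"], dict):
        raise ValueError("events must be an object")
    return claims


def handle_set(token: str, key: bytes, seen_jti: set, now: float = None) -> list:
    """Verify a posted token, de-duplicate by jti, return actions to take."""
    claims = verify_set(token, key, now)
    if claims["jti"] in seen_jti:
        return ["duplicate delivery ignored"]
    seen_jti.add(claims["jti"])
    actions = []
    for event_type, payload in claims["events"].items():
        subject = payload.get("subject", {}).get("sub", "?")
        action = ACTIONS.get(event_type, "log unknown event type")
        actions.append("%s (subject=%s)" % (action, subject))
    return actions


def make_demo_token(event_type=RISC + "sessions-revoked",
                    jti="constructed-jti-1") -> str:
    """Constructed token with one event for a placeholder user."""
    claims = {
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
        "iat": int(time.time()), "jti": jti,
        "events": {event_type: {"subject": {
            "subject_type": "iss-sub", "iss": EXPECTED_ISSUER,
            "sub": "PLACEHOLDER-user-id"}}},
    }
    return sign_set(claims, DEMO_KEY)


if __name__ == "__main__":
    seen = set()
    token = make_demo_token()
    print(handle_set(token, DEMO_KEY, seen))   # first delivery: act on it
    print(handle_set(token, DEMO_KEY, seen))   # redelivery: ignored by jti
```

Two points carry over to a real deployment unchanged: the `jti` set is what makes redelivery from pubsub idempotent, and an unknown event type is logged rather than rejected, so a new signal added by the provider does not cause your endpoint to start failing requests.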

If you already use Google Sign In, please get started by checking out our developer docs. If you don't use Google Sign In, CAP is another great reason to do so to improve the security of your users. Developers using Firebase Authentication or Google Cloud Identity for Customers & Partners have CAP configured automatically - there's nothing you need to do. You can also post questions on Stack Overflow with the #SecEvents tag.

Optimistic dissatisfaction with the status quo of security

This article is a condensed version of a keynote speech Parisa gave at Black Hat Conference on July 8, 2018.

As a kid, I used to spend hours at the arcade playing whack-a-mole. With a toy mallet in hand, I’d smash as many plastic moles as possible. But the more moles I whacked, the faster they popped up out of their holes.

I haven’t played this arcade game in years, but there have been times when my career in computer security felt like a reality version of whack-a-mole. Computer security issues are emerging at a quickening pace, and everyone’s energy is spent knocking out the same problems over and over and over.

We have to stop taking a whack-a-mole approach to security. Instead, we need to focus our energy on tackling the root causes of bad security, strategically investing in long-arc defense projects, and building out our coalitions beyond security experts.

Tackle the root cause

As the world becomes more dependent on safe and reliable technology, we can no longer be satisfied with isolated security fixes. Instead, we need to identify and tackle the underlying causes of bad security—whether they’re structural, organizational or technical.

Project Zero, a team that formed at Google in 2014, aims to advance the understanding of offensive security and improve defensive strategies. Over the past four years, the team has reported more than 1,400 vulnerabilities in a variety of targets, including operating systems, browsers, antivirus software, password managers, hardware and other popular software. But what's more impressive than that number is the impact we’re seeing across industry in terms of tackling the root causes of bad security.

In the case of Project Zero, the team recognized that vendor response times for fixing critical security reports varied hugely, and it often didn’t tip in favor of the people using the technology. Unfortunately, software vendors don’t always have incentives aligned that prioritize security. To address that underlying problem, Project Zero introduced a consistent 90-day disclosure policy that removed the historical, time-consuming negotiation between security researchers and vendors.

Initially, this deadline-driven approach was controversial. It caused short-term pain for organizations that needed to make structural changes. But sticking to this approach resulted in vendors investing more in solving root problems that, for whatever reason, weren’t previously addressed. Since the introduction of the deadline-driven disclosure policy, one large vendor doubled the number of security updates released each year, and another vendor improved response time by 40 percent. When it came to the controversial deadline, 98 percent of the security issues Project Zero reported have been fixed within 90 days, up from 25 percent.

Through all of this, Project Zero worked in the open to advance the public’s understanding of exploitation techniques. Ultimately, the team recognized that one individual security researcher isn’t likely to change the behavior of a large vendor, but a larger public response can. The team sought out opportunities for collaboration with other vendors, and people came together, both inside and outside the walls of Google, to analyze and build defenses against exploits discovered in the wild.

Solving the root problems—especially in today’s distraction-driven environments—isn’t always the fastest or easiest route to take, but it builds a foundation for a more secure future.

Celebrate milestones to make progress on strategic projects

To make real security change, we need to commit to long-arc defense efforts, no matter how complex they may be or how long they take to complete. Maintaining momentum for these projects requires strategically picking milestones, communicating them repeatedly and celebrating progress along the way.

In 2014, the Chrome team set out on a mission to drive the adoption of HTTPS on the open web. We wanted the web to be secure by default, instead of opt-in secure. We also wanted to address confusion in our existing network security indicators; users weren’t perceiving the risk of HTTP connections given our lack of a warning. We knew this project would take many years to complete because of the complexity of the web ecosystem and the associated risk of making big changes to browser security warnings.

It's important to remember that nobody owns the web. It’s an open ecosystem of multiple players, each with different incentives and constraints—so projects of this magnitude require wrangling a lot of moving parts. To avoid creating warning fatigue and confusion about the web, we set strategic milestones over a long period and share them publicly.

My job as a manager was to make sure my team believed change was possible and that they stayed optimistic over the entire course of the project. We shared a comprehensive step-by-step strategy and published the plan on our developer wiki for feedback. Our milestone-based plan started out simple and increasingly upped the pressure over time. Internally, we found fun and inexpensive ways to keep team morale high. We kicked off a brainstorming day with a poetry slam—finger snapping included! We made celebratory HTTPS cakes, pies and cookies. We also had a team chat to share updates, challenges and a lot of GIFs.

Image: HTTPS cake

Building momentum externally was equally important. When sites made the switch to the more secure HTTPS, we celebrated with the broader community—usually via Twitter. And we published a transparency report that shed light on top sites and their HTTPS status. Hooray for openness!

Since our official announcement of these changes, HTTPS usage has made incredible progress. The web is ultimately more secure today because of a loose coalition of people who were able to stay committed to seeing a long, ambitious project all the way through. Which brings me to my third point...

Build a coalition

As we proactively invest in ambitious defense projects where the benefits aren’t immediately clear, we need to build a strong coalition of champions and supporters.

In 2012, the Chrome team started its Site Isolation effort, a project that mitigated the risk of cross-site data theft on the web. The project turned out to be the largest architecture change and code refactor in the history of Chrome! This was no small task considering Chrome is 10 years old, has more than 10 million lines of C++ code and has hundreds of engineers committing hundreds of changes each day from around the world. The core Site Isolation team was made up of only around 10 people, so building a strong coalition of support for the project outside of the team was critical for its success.

Originally, we thought this project would take a year to complete. Turns out we were off by more than a factor of five! Estimation mistakes like this tend to put a bullseye on a project’s back from upper management—and with good reason. Luckily, the team regularly articulated progress to me and the reasons why it was more work than first anticipated. They also demonstrated positive impact in terms of overall Chrome code health, which benefited other parts of Chrome. That gave me additional cover to defend the project and communicate its value to senior stakeholders over the years.

Aside from management, the team needed allies from partner teams. If other Chrome team members weren’t motivated to help or didn’t respond quickly to questions, emails and code reviews, then this 10-person project could have dragged on forever. The team kept a positive attitude and went out of their way to help others, even if it didn't relate directly to their own project. Ultimately, they conducted themselves as good citizens to build a community of support—a good lesson for all of us. We might be able to find the problems and technical solutions on our own, but we rely on everyone working on technology to help clear the path to a safer future.

We’ll keep finding complex problems to solve as technology evolves, but I’m optimistic that we can continue to keep people safe. It just requires a little bit of change. We need to take a different approach to computer security that doesn’t feel like playing whack-a-mole. So let’s band together—inside and outside of our organizations—and commit to ambitious projects that solve the root problems. And let’s not forget to celebrate our wins along the way!

Source: Google Chrome


Protect your online accounts with Titan Security Keys

Phishing—when an attacker tries to trick you into giving them your credentials—is a common threat to all online users. Google's automated defenses securely block the overwhelming majority of sign-in attempts even if an attacker has your username or password, but we always recommend you enable two-step verification (2SV) to further protect your online accounts.

There are many forms of 2SV—from text (SMS) message codes, to the Google Authenticator app, to hardware second factors like security keys. And while any second factor will greatly improve the security of your account, for those who want the strongest account protection, we’ve long advocated the use of security keys for 2SV.

Today, we’re making it easier to get a security key by making Google’s own Titan Security Keys available on the Google Store.

Titan Security Key

Titan Security Keys have extra “special sauce” from Google—firmware that’s embedded in a hardware chip within the key that helps to verify that the key hasn’t been tampered with. We’ve gone into more detail about how this works on the Google Cloud blog.

Titan Security Keys work with popular browsers (including Chrome) and a growing ecosystem of services (including Gmail, Facebook, Twitter, Dropbox and more) that support FIDO standards.
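Why a FIDO security key resists the phishing described above while a relayable code does not, as an added example (not Google's code and not the FIDO protocol itself: HMAC-SHA256 stands in for the real per-origin signature, and the origins, class names and user name are constructed):

```python
"""Toy model of why a security key resists phishing. Added example, not Google's
code and not the FIDO protocol itself: real keys use per-origin public-key
credentials and signatures; HMAC-SHA256 stands in for the signature here so the
block needs only the standard library. Origins and names are constructed."""
import hashlib
import hmac
import os

REAL_ORIGIN = "https://accounts.example"        # constructed relying party
PHISH_ORIGIN = "https://accounts-example.test"  # constructed look-alike site


class SecurityKey:
    """The hardware token: the browser tells it which origin it is actually
    connected to, so every credential and signature is bound to that origin."""

    def __init__(self):
        self.master = os.urandom(32)  # secret that never leaves the key

    def credential(self, origin):
        # Stand-in for the per-origin key pair a real key creates at registration.
        return hmac.new(self.master, origin.encode(), hashlib.sha256).digest()

    def sign(self, origin, challenge):
        msg = origin.encode() + challenge
        return hmac.new(self.credential(origin), msg, hashlib.sha256).digest()


class RelyingParty:
    """The real site: keeps the credential enrolled for its own origin and
    recomputes the expected signature over (its origin, its challenge)."""

    def __init__(self, origin):
        self.origin, self.enrolled = origin, {}

    def enroll(self, user, key):
        self.enrolled[user] = key.credential(self.origin)

    def verify(self, user, challenge, signature):
        msg = self.origin.encode() + challenge
        expected = hmac.new(self.enrolled[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login_via(rp, key, user, browser_origin):
    """One sign-in. browser_origin is the page the user is really on: a phishing
    page can relay the real challenge but cannot change what the browser reports."""
    challenge = os.urandom(32)  # issued by the real site, relayed if phished
    return rp.verify(user, challenge, key.sign(browser_origin, challenge))
```

A sign-in from the genuine origin verifies; the same challenge relayed through a look-alike page does not, because the key signed for the origin the browser actually reported. A one-time code typed into the look-alike page would have no such binding and could simply be forwarded.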

Getting started

It’s easy to get started with Titan Security Keys. Kits of two keys (one USB and one Bluetooth) are now available to U.S. customers on the Google Store and will be coming soon to additional regions.

To set them up with your Google Account, sign in and navigate to the 2-Step Verification page (see detailed instructions on our help center). Titan Security Keys are also compatible with the Advanced Protection Program, Google's strongest security for users at high risk. And Google Cloud admins can enable security key enforcement in G Suite, Cloud Identity, and Google Cloud Platform to ensure that users use security keys for their accounts.

For more information, visit our website or read our detailed post on Google Cloud.

An update on state-sponsored activity

We’ve invested in robust systems to detect phishing and hacking attempts, identify influence operations launched by foreign governments, and protect political campaigns from digital attacks through our Protect Your Election program.

Our Threat Analysis Group, working with our partners at Jigsaw and Google’s Trust & Safety team, identifies bad actors, disables their accounts, warns our users about them, and shares intelligence with other companies and law enforcement officials.

This week, there has been a lot of news about attempted state-sponsored hacking and influence campaigns. We wanted to provide an update on some of our ongoing work in this area:

  • State-sponsored phishing attacks
  • Technical attribution of a recently-reported influence campaign from Iran
  • Detection and termination of activity on Google properties

State-sponsored phishing attacks

Phishing—attempts to trick users into providing a password that an attacker can use to sign into an account—remains a threat to all email users. Our improving technology has enabled us to significantly decrease the volume of phishing emails that get through to our users. Automated protections, account security (like security keys), and specialized warnings give Gmail users industry-leading security. As part of our security efforts, for the past eight years, we’ve displayed prominent warnings to Gmail users who are at risk of phishing by potentially state-sponsored actors (even though in most cases the specific phishing attempt never reaches the user’s inbox).

In recent months, we’ve detected and blocked attempts by state-sponsored actors in various countries to target political campaigns, journalists, activists, and academics located around the world. When we’ve seen these types of attacks, we’ve notified users as well as law enforcement.

On Monday morning, we issued our most recent series of notifications to Gmail users who were subject to suspicious emails from a wide range of countries. We posted about these sorts of warnings here—if you received this type of warning, please read the blog post and take action immediately.

Iran and FireEye

To complement the work of our internal teams, we engage FireEye, a leading cybersecurity group, and other top security consultants, to provide us with intelligence. For the last two months, Google and Jigsaw have worked closely with FireEye on the influence operation linked to Iran that FireEye identified this week. We’re grateful to FireEye for identifying some suspicious Google accounts (three email accounts, three YouTube channels, and three Google+ accounts), which we swiftly disabled. FireEye’s full report has just been published today. It’s worth reading.

In addition to the intelligence we received from FireEye, our teams have investigated a broader range of suspicious actors linked to Iran who have engaged in this effort. We’ve updated U.S. lawmakers and law enforcement about the results of our investigation, including its relation to political content in the United States. We wanted to provide a summary of what we told them.

Connections to IRIB: forensic evidence

Our technical research has identified evidence that these actors are associated with the IRIB, the Islamic Republic of Iran Broadcasting.

We can’t go into all the technical details without giving away information that would be helpful to others seeking to abuse our platforms, but we have observed the following:

  • Technical data associated with these actors is strongly linked to the official IRIB IP address space.
  • Domain ownership information about these actors is strongly linked to IRIB account information.
  • Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB, indicating common ownership and control.

These facts, taken together with other technical signals and analysis, indicate that this effort was carried out as part of the overall operations of the IRIB organization, since at least January 2017. This finding is consistent with internet activity we’ve warned about in recent years from Iran.

Detecting and terminating activity on Google properties

Actors engaged in this type of influence operation violate our policies, and we swiftly remove such content from our services and terminate these actors’ accounts. Additionally, we use a number of robust methods, including IP blocking, to prevent individuals or entities in Iran from opening advertising accounts.

We identified and terminated a number of accounts linked to the IRIB organization that disguised their connection to this effort, including while sharing English-language political content in the U.S.:

  • 39 YouTube channels that had 13,466 total US views on relevant videos
  • 6 blogs on Blogger
  • 13 Google+ accounts

Our investigations on these topics are ongoing and we will continue to share our findings with law enforcement and other relevant government entities in the U.S. and elsewhere, as well as with others in the industry.

The state-sponsored phishing attacks, and the actors associated with the IRIB that we’ve described above, are clearly not the only state-sponsored actors at work on the Internet. For example, last year we disclosed information about actors linked to the Internet Research Agency (IRA). Since then, we have continued to monitor our systems, and broadened the range of IRA-related actors against whom we’ve taken action. Specifically, we’ve detected and removed 42 YouTube channels, which had 58 English-language political videos (these videos had a total of fewer than 1,800 U.S. views). We’ve also identified and terminated the account associated with one blog on Blogger.

We continue to actively monitor our systems, take prompt action, share intelligence, and remain vigilant about these and other threats.

A milestone for Chrome security: marking HTTP as “not secure”

Security has been one of Chrome’s core principles since the beginning—we’re constantly working to keep you safe as you browse the web. Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as “not secure”. This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets. Starting today, we’re rolling out these changes to all Chrome users.


Starting in the latest version of Chrome (68), you’ll see a new “not secure” notification when visiting HTTP pages.

More encrypted connections, more security

When you load a website over plain HTTP, your connection to the site is not encrypted. This means anyone on the network can look at any information going back and forth, or even modify the contents of the site before it gets to you. With HTTPS, your connection to the site is encrypted, so eavesdroppers are locked out, and information (like passwords or credit card info) will be private when sent to the site.

Chrome’s “not secure” warning helps you understand when the connection to the site you're on isn’t secure and, at the same time, motivates the site's owner to improve the security of their site. Since our announcement nearly two years ago, HTTPS usage has made incredible progress. We’ve found in our Transparency Report that:

  • 76 percent of Chrome traffic on Android is now protected, up from 42 percent
  • 85 percent of Chrome traffic on ChromeOS is now protected, up from 67 percent
  • 83 of the top 100 sites on the web use HTTPS by default, up from 37

We knew that rolling out the warning to all HTTP pages would take some time, so we started by only marking pages without encryption that collect passwords and credit card info. Then we began showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.

Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure. We will roll this out over time, starting by removing the “Secure” wording in September 2018. And in October 2018, we’ll start showing a red “not secure” warning when users enter data on HTTP pages.


In October’s version of Chrome (70), you’ll see a red “not secure” notification when you enter data on an HTTP page.

Making encryption easy

If you’re a site owner looking to migrate (or build!) your site on HTTPS, we’ve helped make the process as simple and inexpensive as possible. Improvements include managed HTTPS for Google App Engine, required and automatic HTTPS on all .app domains, and free and automated certificates through Let’s Encrypt (Chrome is a Platinum sponsor). And if you’re in the process of migrating to HTTPS, look out for messages coming from Search Console with further information and guidance.

So when you’re shopping for concert tickets or online banking, rest assured: you’ll be warned if a site is not protecting your data with HTTPS. And we’ll continue to improve Chrome’s security, to make sure you’re using the most secure browser out there.