Google's new Gmail security: If you're a high-value target, you'll use physical keys

The Advanced Protection Program will use Google's USB Security key in place of two-step verification.

Google will soon be offering an Advanced Protection Program to lock down the Gmail accounts of high-value targets.

According to Bloomberg, the new Gmail service will block third-party apps from accessing user data and introduces a replacement for two-factor authentication based on Google's USB Security Key.

Google will begin offering the Advanced Protection Program next month, which will be marketed to "corporate executives, politicians and others with heightened security concerns".

The service appears to be aimed at raising defenses against sophisticated phishing attacks of the type that led to the Gmail hack of Hillary Clinton's 2016 campaign chairman, John Podesta, and the breach of the Democratic National Convention's (DNC) databases.

Bloomberg notes that the service builds on USB Security Key, for which Google introduced software in 2014. Security Key is a physical USB key used in place of a code required for two-step verification.

It's more secure because an attacker needs physical possession of the key to access an account they have credentials for. The USB key also cryptographically verifies the user is on a legitimate Google site and not a phishing site.

G Suite admins can force their users to require the USB key for login. The Advanced Protection Program will require two keys to use the service, according to Bloomberg.

Gmail accounts in the Advanced Protection Program will also prevent third-party apps from accessing data, Bloomberg notes. This measure appears to be aimed at preventing third-party apps from using OAuth to access Google apps.

Security firm Trend Micro reported last year that the group responsible for credential phishing attacks against the DNC and others were abusing OAuth to target email accounts.

The attackers created apps with names like Google Defender, then signed up for OAuth with Google, before sending phishing emails designed to trick victims into authorizing the rogue app to access an email account.

Google tightened OAuth registration processes earlier this year after a fake Docs app phishing attack impacted a large number of Gmail users.

Previous and related coverage

No more fiddling around on smartphones to use addresses, phone numbers, and contact information.

With great power comes great responsibility. If you click into this article, be sure to pay attention to the warnings.

Comments

Post a Comment

Popular posts from this blog

3 ways employees can risk your firm’s cybersecurity (and what to do about it)

Leveraging The program convenes world-class thought leaders from Brown’s top-ranked Department of Computer Science and Watson Institute for International and Public Affairs, as well as accomplished practitioners driving advances in cybersecurity. EMCS graduates earn a Master’s degree from Brown University and join Brown’s powerful global alumni network. EMCS forges visionary leaders ready to deploy successful strategies for cybersecurity that address: Technologies such as big data, cloud, mobile, Internet of ThingsSocial trends including social networks, globalized workforceHuman factorsEconomic tradeoffs and risk managementPolicy and privacyEffective leadership
Read more

Scientists Discover Unlikely Source Of Electricity

"The impact of this discovery in the field of biological piezoelectricity will be huge ..."By  Tracy Mastaler on October 6, 2017 at 8:35am Scientists have  discovered  a way to produce electricity from human tears and saliva, which could — if harvested effectively — become a new fuel for implanted medical devices. The  finding  came when researchers in Ireland from the University of Limerick’s Bernal Institute applied pressure to lysozyme, a protein found in both tears and saliva. The team’s groundbreaking report was published in the October 2, 2017, issue of the scientific journal  Applied Physics Letters . Researchers made the discovery after applying pressure to a film of lysozyme crystals squeezed between two glass slides. The team was able to detect and measure the production of piezoelectricity, a form of energy in which an electric charge accumulates in response to pressure. Although piezoelectricity has been known and understood for years, the process has be
Read more

H]ardOCP: Google Is Hurting Themselves with Their Poor Support of Windows

Image
Google’s lack of support for Windows  is likely a strategic move, but some say they should just give in and start building native apps for it: by not offering good support on the most productive platform in the world, Google is having reduced engagement from many potential users. Windows users are less engaged with Google services than mobile users, and a large part of that is due to Google not making any effort. Despite their efforts the desktop is not going away anytime soon, and with Chromebooks still comprising less than 1% of web usage, Google is hurting not just users but themselves by not supporting Windows better. It also leaves the door open for Microsoft to get it right and steal users away from Google services, as it is making every effort to be cross-platform.
Read more