searchtwitterarrow rightmail strokearrow leftmail solidfacebooklinkedinplusangle upmagazine plus
Help Net Security - Daily information security news with a focus on enterprise security.
  • News
  • Features
  • Expert analysis
  • Reviews
  • Events
  • Whitepapers
  • Industry news
  • Newsletters
  • (IN)SECURE Magazine

Related topics

  • Activists targeted with barrage of creative phishing attempts

Featured news

  • Retail and hospitality sector fixing software flaws at a faster rate than others
  • Organizations struggle to maintain application security across platforms
  • Financial institutions must prepare for increased risk of financial crime
  • 3GPP standards enrich LTE and 5G with network architecture enhancements
  • Bugs in Signal, other video chat apps allowed attackers to listen in on users
Zeljka Zorz
Zeljka Zorz, Managing Editor, Help Net Security
October 18, 2017
Share

Google offers Advanced Protection for high-risk users of its services

High-risk Google users – journalists, human rights and civil society activists, but also campaign staffers and people in abusive relationships – can now take advantage of Google’s Advanced Protection Program to keep their account safe from extremely targeted attacks.

google offers advanced protection

What is Advanced Protection?

“Advanced Protection provides Google’s strongest security, designed for those who are at an elevated risk of attack and are willing to trade off a bit of convenience for more protection of their personal Google Accounts,” says Dario Salice, Advanced Protection Product Manager.

Anyone with a consumer/personal Google Account can enroll in the program. They will need a physical security key – a small USB or wireless device that will provide additional user verification during the login process – and Google Chrome, as it’s the only browser that currently supports the U2F standard for security keys.

“We expect other browsers to incorporate this soon,” Salice noted.

Apart from the added anti-phishing protection introduced by the use of secure keys, the program also:

  • Limits full access to users’ Gmail and Drive to specific apps, and
  • Adds extra steps to the account recovery process (as hackers often try to impersonate targets and pretend they have been locked out of the target account.)

The drawbacks of the program

The program comes with some drawbacks.

As mentioned before, users can currently only use Chrome to sign-in to Google’s online services. Secondly, only Google-developed apps will be able to get full access to the users’ Google services, as others apps lack support for security keys. This might be a particular problem for iOS users who are used to Apple Mail, Contacts, and Calendar apps.

Finally, users should be aware that, should they lose access to their accounts and their security key, it could take them days to gain access to the account again due to the added verification requirements.

Google says that new security measures will continually be added to the program to counter emerging threats.

Industry reactions

“Google’s roll out of Advanced Protection comes as no surprise to me following the staggering number of high-profile hacking campaigns that have targeted Gmail in the recent years. It’s certainly a promising step in the right direction as the industry continues to battle with new phishing tactics,” says Richard Parris, CEO at British digital identity outfit Intercede.

“Despite this, one thing that stands out to me is that in the eternal battle between digital security and a painless user experience, Google’s new advanced program falls short on the convenience front. Being the patience-poor and fickle creatures that we are, unfortunately if a security measure compromises the end user experience it will almost certainly never be fully embraced by the mainstream.

“What’s needed is a level of security that is both secure and convenient to the end user and this can be done. There are highly secure, cost-effective and convenient solutions already available and these should be made an industry standard. Striking the right balance is the cornerstone to security success.”

While welcoming the option, Charl Van Der Walt, Chief Security Strategy Officer at cybersecurity consultancy SecureData, says that a very significant number of successful breaches are still achieved via a compromised desktop, mostly via a malicious document attachment.

“Undoubtedly Google will become far better at detecting and blocking such attachments, thereby better mitigating an additional threat vector not covered by these ‘advanced’ new controls. High profile users, however, should be aware that unauthorised access to their computer is as much a threat to email confidentiality as unauthorised access to Google itself and these new controls will do little to change this.”

His advice to them is to think hard about the platforms they use to access email and how they open attachments.

“Simple, limited-use platforms like a Chromebook or a tablet are generally safer to work from, but using a Yubikey with a tablet can be tricky, especially on iOS devices. This seems a pity, and looks to be a trade-off,” he noted.

“Something else to consider is that although preventing unauthorised remote access to email is part of the equation, there needs to be jurisdictional consideration also. Google itself might have access to email and contact data, and that given Google is a US company, the US government may be able to obtain access. This, however, is a ‘political’ consideration rather than a technical one,” he concluded.

More about
  • account hijacking
  • account protection
  • Gmail
  • Google
  • Intercede
  • phishing
  • SecureData
Share this
healthcare

Bolstering healthcare IT against growing security threats

  • Retail and hospitality sector fixing software flaws at a faster rate than others
  • Ransomware provides the perfect cover
Bugs in Signal, other video chat apps allowed attackers to listen in on users

What's new

bug

Retail and hospitality sector fixing software flaws at a faster rate than others

cloud

Organizations struggle to maintain application security across platforms

healthcare

Bolstering healthcare IT against growing security threats

money

Financial institutions must prepare for increased risk of financial crime

Don't miss

healthcare

Bolstering healthcare IT against growing security threats

bug

Retail and hospitality sector fixing software flaws at a faster rate than others

eavesdropping

Bugs in Signal, other video chat apps allowed attackers to listen in on users

ransomware

Ransomware provides the perfect cover

money

Financial institutions can strengthen cybersecurity with SWIFT’s CSCF v2021

Help Net Security - Daily information security news with a focus on enterprise security.
Follow us
  • Features
  • News
  • Expert Analysis
  • Reviews
  • Events
  • Whitepapers
  • Industry news
  • Newsletters
  • Twitter

In case you’ve missed it

  • How do I select a fraud detection solution for my business?
  • Securing the connected home: A joint task for homeowners and their ISP
  • Cybersecurity sales: Do you have what it takes to succeed?
  • How do I select a data control solution for my business?

(IN)SECURE Magazine ISSUE 67 (November 2020)

  • Hardware security: Emerging attacks and protection mechanisms
  • Justifying your 2021 cybersecurity budget
  • Cooking up secure code: A foolproof recipe for open source
  • Mapping the motives of insider threats
Read online
© Copyright 1998-2021 by Help Net Security
Read our privacy policy | About us | Advertise