Entries Tagged 'Security'

Android and Security

We frequently get asked about how we defend Android users from malware and other threats. As the Android platform continues its tremendous growth, people wonder how we can maintain a trustworthy experience with Android Market while preserving the openness that remains a hallmark of our overall approach. We’ve been working on lots of defenses, and they have already made a real and measurable difference for our users’ security. Read more about how we defend against malware in Android Market on the Google Mobile Blog here.

Landing another blow against email phishing

Posted by Adam Dawes, Product Manager

Email phishing, in which someone tries to trick you into revealing personal information by sending fake emails that look legitimate, remains one of the biggest online threats. One of the most popular methods that scammers employ is something called domain spoofing. With this technique, someone sends a message that seems legitimate when you look at the “From” line even though it’s actually a fake. Email phishing is costing regular people and companies millions of dollars each year, if not more, and in response, Google and other companies have been talking about how we can move beyond the solutions we’ve developed individually over the years to make a real difference for the whole email industry.

Industry groups come and go, and it’s not always easy to tell at the beginning which ones are actually going to generate good solutions. When the right contributors come together to solve real problems, though, real things happen. That’s why we’re particularly optimistic about today’s announcement of DMARC.org, a passionate collection of companies focused on significantly cutting down on email phishing and other malicious mail.

Building upon the work of previous mail authentication standards like SPF and DKIM, DMARC is responding to domain spoofing and other phishing methods by creating a standard protocol by which we’ll be able to measure and enforce the authenticity of emails. With DMARC, large email senders can ensure that the email they send is being recognized by mail providers like Gmail as legitimate, as well as set policies so that mail providers can reject messages that try to spoof the senders’ addresses.

We’ve been active in the leadership of the DMARC group for almost two years, and now that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing. Our recent data indicates that roughly 15% of non-spam messages in Gmail are already coming from domains protected by DMARC, which means Gmail users like you don’t need to worry about spoofed messages from these senders. The phishing potential plummets when the system just works, and that’s what DMARC provides.

If you’re a large email sender and you want to try out the DMARC specification, you can learn more at the DMARC website. Even if you’re not ready to take on the challenge of authenticating all your outbound mail just yet, there’s no reason to not sign up to start receiving reports of mail that fraudulently claims to originate from your address. With further adoption of DMARC, we can all look forward to a more trustworthy overall experience with email.
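The policy mechanism described above, as an added illustration (this is not Google's or DMARC.org's code): a receiver looks up the sender domain's DMARC TXT record, checks whether the SPF or DKIM result is aligned with the "From" domain, and otherwise applies the published `p=` policy. The `org_domain` helper is a simplification (last two labels) where real DMARC uses the Public Suffix List, the `pct=` sampling tag is parsed but not applied, and all record and message values are constructed sample data.

```python
"""Toy DMARC evaluation: parse a published record, test SPF/DKIM alignment
against the header From domain, and return the disposition a receiver would apply.
Added example, not part of the original post; simplified as noted in comments."""


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict, filling in DMARC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    tags.setdefault("adkim", "r")   # DKIM alignment mode, relaxed by default
    tags.setdefault("aspf", "r")    # SPF alignment mode, relaxed by default
    tags.setdefault("pct", "100")   # sampling percentage (parsed, not applied here)
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption: real implementations consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed mode needs the same organizational domain."""
    if auth_domain is None:
        return False
    header_domain, auth_domain = header_domain.lower(), auth_domain.lower()
    if mode == "s":
        return header_domain == auth_domain
    return org_domain(header_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).

    spf_domain is the domain SPF was checked against (MAIL FROM / HELO);
    dkim_domain is the d= value of a verified DKIM signature.
    A message passes DMARC if either an aligned SPF pass or an aligned DKIM pass exists;
    otherwise the sender's published policy (none / quarantine / reject) applies."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]


def demo():
    """Constructed sample messages against a constructed example.com record."""
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    return [
        # Spoof: From claims example.com, but SPF only passed for an unrelated domain.
        evaluate(record, "example.com", "pass", "phisher.example.net", "none", None),
        # Legitimate: SPF passed for a subdomain, which relaxed alignment accepts.
        evaluate(record, "example.com", "pass", "bounce.example.com", "none", None),
    ]


if __name__ == "__main__":
    for passed, disposition in demo():
        print(f"dmarc_pass={passed} disposition={disposition}")
```

The second sample in `demo()` is why the post can say that a domain "protected by DMARC" need not authenticate every message path identically: either an aligned SPF pass or an aligned DKIM pass is sufficient, and the published policy is consulted only when both fail.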

Keeping our environmental management and workplace safety standards high

(Cross-posted from the Official Google Blog and the Google Green Blog.)

For the last year, our data center team has been working on a project to bring our facilities to even higher standards for environmental management and workforce safety. Recently we got the good news that our work paid off.

All of our U.S. owned and operated data centers have received ISO 14001 and OHSAS 18001 certification. We’re the first major Internet services company to gain external certification for those high standards at all of our U.S. data centers.

In a nutshell, both standards are built around a very simple concept: Say what you’re going to do, then do what you say—and then keep improving. The standards say what key elements are required, but not how to do it—that part’s up to us. So we set some challenging goals for ourselves, and we asked our auditors to confirm that we’ve followed through on them.

Here’s an example of the kind of improvements we’ve implemented: Like most data centers, ours have emergency backup generators on hand to keep things up and running in case of a power outage. To reduce the environmental impact of these generators, we’ve done two things: first, we minimized the amount of run time and need for maintenance of those generators. Second, we worked with the oil and generator manufacturers to extend the lifetime between oil changes. So far we’ve managed to reduce our oil consumption in those generators by 67 percent.

A second example: each of our servers in the data center has a battery on board to eliminate any interruptions to our power supply. To ensure the safety of the environment and our workers, we devised a system to make sure we handle, package, ship and recycle every single battery properly.

These are just two elements of what ultimately adds up to a comprehensive system of policies that our data center teams follow in their day-to-day operations. We do this because we want to be the gold standard in environmental and workforce safety, and because we care about the communities where we live and work. This is one more reason you can feel confident that when you’re using our products, you’re making an environmentally responsible choice.

Our data centers in the following U.S. locations have received this dual certification. We plan to pursue certification in our European data centers as well.

  • The Dalles, Ore.
  • Council Bluffs, Iowa
  • Mayes County, Okla.
  • Lenoir, N.C.
  • Monck’s Corner, S.C.
  • Douglas County, Ga.

Adding business class management features to Gmail

Posted by Adam Dawes, Gmail Product Manager

Last year, we started integrating Postini’s business-class email security and management capabilities into Gmail and today we’re excited to be rolling out the latest round of integrated features. Google Apps administrators can now take advantage of improved email compliance footers, approved/blocked sender lists and file attachment policies. These capabilities help our customers address compliance requirements and effectively manage email traffic. Previously, Google Apps customers used Google Message Security, powered by Postini, to provide these capabilities.

With this new release, we’ve improved these features and designed them specifically to meet the needs of our Apps customers. Admins will manage the features natively in the Google Apps control panel (localized in 28 languages), leverage our granular policy framework to customize settings for different types of users, and join multiple rules together to address very targeted use cases.

These new features are available globally for Google Apps for Business, Google Apps for Government and Google Apps for Education editions.

Dominie Liang, IT Director at New Media Group in Hong Kong, was able to use the new features to quickly address his company’s compliance requirements:

“Our legal team wanted us to add a compliance note to all of our outbound email. Thanks to Google’s new email feature set, we could easily add the rich text format disclaimer with Chinese characters to the email footer, and solved the issue within a minute.”

George Krieger, Technical Services Manager, Mazda Raceway Laguna Seca, adds:

“The new message footers in Gmail have made it easy for us to standardize our email signatures and more effectively promote our race schedules. And I love the ability to delegate control of these to our Media department so they can change them when they want without having to call me. This is a major improvement for us.”

With the addition of these features to Gmail, there is no longer a need to use Google Message Security (GMS) with Google Apps so we will no longer offer GMS to Google Apps customers. We’ll work with those customers currently using GMS to migrate their settings to these new features. For more information on these features and how customers can migrate to them please refer to this Google Apps Help Center article and the Transition Guide.

Tech tips that are Good to Know

(Cross-posted from the Official Google Blog)

Does this person sound familiar? He can’t be bothered to type a password into his phone every time he wants to play a game of Angry Birds. When he does need a password, maybe for his email or bank website, he chooses one that’s easy to remember like his sister’s name—and he uses the same one for each website he visits. For him, cookies come from the bakery, IP addresses are the locations of Intellectual Property and a correct Google search result is basically magic.

Most of us know someone like this. Technology can be confusing, and the industry often fails to explain clearly enough why digital literacy matters. So today in the U.S. we’re kicking off Good to Know, our biggest-ever consumer education campaign focused on making the web a safer, more comfortable place. Our ad campaign offers privacy and security tips: Use 2-step verification! Remember to lock your computer when you step away! Make sure your connection to a website is secure! It also explains some of the building blocks of the web like cookies and IP addresses. Keep an eye out for the ads in newspapers and magazines, online and in New York and Washington, D.C. subway stations.

The campaign and Good to Know website build on our commitment to keeping people safe online. We’ve created resources like privacy videos, the Google Security Center, the Family Safety Center and Teach Parents Tech to help you develop strong privacy and security habits. We design for privacy, building tools like Google Dashboard, Me on the Web, the Ads Preferences Manager and Google+ Circles—with more on the way.

We encourage you to take a few minutes to check out the Good to Know site, watch some of the videos, and be on the lookout for ads in your favorite newspaper or website. We hope you’ll learn something new about how to protect yourself online—tips that are always good to know!

Expanding Safe Browsing Alerts to include malware distribution domains

For the past year, we’ve been sending notifications to network administrators registered through the Safe Browsing Alerts for Network Administrators service when our automated tools find phishing URLs or compromised sites that lead to malware on their networks. These notifications provide administrators with important information to help them improve the security of their networks.

Today we’re adding distribution domains to the set of information we share. These are domains that are responsible for launching exploits and serving malware. Unlike compromised sites, which are often run by innocent webmasters, distribution domains are set up with the primary purpose of serving malicious content.

If you’re a network administrator and haven’t yet registered your AS, you can do so here.

Reminder: Safe Browsing version 1 API turning down December 1

In May we announced that we are ending support for the Safe Browsing protocol version 1 on December 1 in order to focus our resources on the new version 2 API and the lookup service. These new APIs provide simpler and more efficient access to the same data, and they use significantly less bandwidth. If you haven’t yet migrated off of the version 1 API, we encourage you to do so as soon as possible. Our earlier post contains links to documentation for the new protocol version and other resources to help you make the transition smoothly.

After December 1, we will remove all data from the version 1 API list to ensure that any remaining clients do not have false positives in their database. After January 1, 2012, we will turn off the version 1 service completely, and all requests will return a 404 error.

Thanks for your cooperation, and enjoy using the next generation of Safe Browsing.

Protecting data for the long term with forward secrecy

Last year we introduced HTTPS by default for Gmail and encrypted search. We’re pleased to see that other major communications sites are following suit and deploying HTTPS in one form or another. We are now pushing forward by enabling forward secrecy by default.

Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.

Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.

Forward secret HTTPS is now live for Gmail and many other Google HTTPS services(*), like SSL Search, Docs and Google+. We have also released the work that we did on the open source OpenSSL library that made this possible. You can check whether you have forward secret connections in Chrome by clicking on the green padlock in the address bar of HTTPS sites. Google’s forward secret connections will have a key exchange mechanism of ECDHE_RSA.

We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision.


(* Chrome, Firefox (all platforms) and Internet Explorer (Vista or later) support forward secrecy using elliptic curve Diffie-Hellman. Initially, only Chrome and Firefox will use it by default with Google services because IE doesn’t support the combination of ECDHE and RC4. We hope to support IE in the future.)
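The retrospective-decryption risk described in this post, as an added toy model (not Google's code and not the OpenSSL work mentioned above). A passive recorder stores the handshake values from a connection and later obtains the server's long-term private key. When the server reuses that long-term key in the key exchange, the recorded session secret is recoverable; when the server uses a fresh per-connection key and discards it, the stolen long-term key yields nothing. The Diffie-Hellman group here is a constructed toy (a 127-bit Mersenne prime, far too small for real use), and the long-term key's real job in ECDHE_RSA, signing the ephemeral parameters, is not simulated.

```python
"""Toy demonstration of forward secrecy: static versus ephemeral Diffie-Hellman.
Added example, not part of the original post. The group is deliberately tiny and unsafe."""
import secrets

# Constructed toy group: P = 2**127 - 1 is prime, but a real deployment uses
# 2048-bit+ MODP groups or elliptic curves such as those behind ECDHE.
P = 2 ** 127 - 1
G = 3


def dh_keypair():
    """Random private exponent and matching public value g^priv mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


class Server:
    """A server with one persistent key; `ephemeral` decides how it negotiates sessions."""

    def __init__(self, ephemeral):
        self.ephemeral = ephemeral
        self.long_term_priv, self.long_term_pub = dh_keypair()

    def handshake(self, client_pub):
        """Return (value sent on the wire, session secret).

        Static mode reuses the long-term key for every connection (the non-forward-secret
        configuration). Ephemeral mode generates a fresh key, uses it once, and lets it go
        out of scope, so it is never in persistent storage."""
        if self.ephemeral:
            priv, pub = dh_keypair()
        else:
            priv, pub = self.long_term_priv, self.long_term_pub
        secret = pow(client_pub, priv, P)
        return pub, secret


def retrospective_decrypt(transcript, stolen_long_term_priv):
    """What an adversary can compute years later from a recorded transcript plus the
    server's long-term private key: the only unknown they can fill in is that key."""
    client_pub, _server_pub = transcript
    return pow(client_pub, stolen_long_term_priv, P)


def session_compromised(ephemeral):
    """Run one connection, record it, then leak the long-term key.
    Returns True if the adversary recovers the real session secret."""
    server = Server(ephemeral)
    client_priv, client_pub = dh_keypair()
    server_pub, server_secret = server.handshake(client_pub)
    client_secret = pow(server_pub, client_priv, P)
    assert client_secret == server_secret  # both sides agree, as in any DH exchange

    recorded = (client_pub, server_pub)            # captured on the wire today
    guess = retrospective_decrypt(recorded, server.long_term_priv)  # key broken later
    return guess == server_secret


if __name__ == "__main__":
    print("static key exchange compromised:", session_compromised(ephemeral=False))
    print("ephemeral key exchange compromised:", session_compromised(ephemeral=True))
```

The point the model makes concrete is the sentence "not even the server operator will be able to retroactively decrypt HTTPS sessions": in the ephemeral branch the per-connection exponent exists only inside `handshake`, so there is nothing on disk for an adversary to break or for an operator to hand over.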

Google Apps helps reduce the risk of data breaches

Editor’s note: This is the final post in a series that explores the top ten reasons why customers trust Google with their business data. A complete top ten list can be found here.

It’s important for all businesses regardless of size or industry to assess the risk of potential data breaches and take steps to prevent them, especially in the area of information technology. The use of laptops, smartphones, tablets and other mobile devices is increasing as users demand anytime, anywhere access to email and documents. This can increase the risk of a data breach if you’re using traditional applications which store a local copy of the data on the device and the device gets lost or stolen.

Google Apps can help reduce the risk of a data breach by limiting the data that is stored on your devices. When you check email or work on a document in a browser with Google Apps, the data is stored in our data centers, not on your device. That means that if your device gets lost or stolen, there is lower overall risk of a data breach. Similarly, if you collaborate with others in Google Docs, you don’t need to send them a copy of the document. You can enable and disable access to the document with a simple set of sharing controls and your collaborators access it from their browser. The document does not need to be stored locally on their device for them to collaborate on it.

For those times when you want to access Google Apps but you don’t have an Internet connection, we recently released an offline capability for Gmail and for Google Docs. The offline capability does involve some local data storage on devices. The amount of stored data is likely to be smaller as only a limited amount of documents and email are synchronized to the device for offline access. If you decide that this local data storage poses a risk, you can easily disable offline access.

For additional security and data protection information, including a video tour of a Google data center, you can visit our Google Apps security page.