Google has implemented additional cyber-protections for users that are at particularly high risk of targeted online attacks, such as campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.
The Advanced Protection Program is a continually updated suite of services that focuses on three core defenses:
Phishing: Advanced Protection requires the use of security keys (small USB or wireless devices) to sign into an account. They use public-key cryptography and digital signatures to prove to Google that it’s really the account holders. Anyone trying to log in who doesn’t have the security key is automatically blocked, even if the person has the password.
Accidental Sharing: Sometimes people inadvertently grant malicious applications access to their Google data. Advanced Protection prevents this by automatically limiting full access to Gmail and Drive to specific apps. For now, these will only be Google apps, but Google expects to expand these in the future, it said.
Fraudulent Account Access: Another common way hackers try to access accounts is by impersonating the account holder and pretending they have been locked out. For Advanced Protection users, extra steps will be put in place to prevent this during the account recovery process, including additional reviews and requests for more details about why the person has lost access to his or her account.
“We've been testing Advanced Protection for the last several weeks and learning from people like Andrew Ford Lyons, a technologist at Internews, an international nonprofit organization that has supported the development of thousands of media outlets worldwide,” said Dario Salice, Advanced Protection product manager at Google, in a blog.
“Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries," said Lyons. "For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step.”
Anyone with a personal Google Account who is using Chrome (other browsers will be added) can enroll in Advanced Protection.
Charl Van Der Walt, chief security strategy officer at SecureData, applauded the move but did have a caveat: A significant number of successful breaches are still achieved via a compromised desktop, mostly via a malicious document attachment—and these new controls will do little to change this.
“Instead, [high-risk] users should think hard about the platforms they use to access email and how they open attachments,” he said via email. “Simple, limited-use platforms like a Chromebook or a tablet are generally safer to work from, but using a Yubikey with a tablet can be tricky, especially on iOS devices. This seems a pity, and looks to be a trade-off.”
He also brought up the data privacy disconnect that exists between the US and other parts of the world.
“Something else to consider is that although preventing unauthorized remote access to email is part of the equation, there needs to be jurisdictional consideration also,” he added. “Google itself might have access to email and contact data, and that given Google is a US company, the US government may be able to obtain access. This, however, is a ‘political’ consideration rather than a technical one.”