Category Archives: Security Tips

New Research: Some Tough Questions for ‘Security Questions’

Posted by Elie Bursztein, Anti-Abuse Research Lead and Ilan Caron, Software Engineer

What was your first pet’s name?
What is your favorite food?
What is your mother’s maiden name?

What do these seemingly random questions have in common? They’re all familiar examples of ‘security questions’. Chances are you’ve had to answer one of these before; many online services use them to help users recover access to accounts if they forget their passwords, or as an additional layer of security to protect against suspicious logins.

New Research: The Ad Injection Economy

Posted by Kurt Thomas, Spam & Abuse Research

In March, we outlined the problems with unwanted ad injectors, a common symptom of unwanted software. Ad injectors are programs that insert new ads, or replace existing ones, into the pages you visit while browsing the web. We’ve received more than 100,000 user complaints about them in Chrome since the beginning of 2015—more than any other issue. Unwanted ad injectors are not only annoying, they can pose serious security risks to users as well.

Today, we’re releasing the results of a study performed with the University of California, Berkeley and Santa Barbara that examines the ad injector ecosystem, in-depth, for the first time. We’ve summarized our key findings below, as well as Google’s broader efforts to protect users from unwanted software. The full report, which you can read here, will be presented later this month at the IEEE Symposium on Security & Privacy.

Protect your Google Account with Password Alert

Would you enter your email address and password on this page?

This looks like a fairly standard login page, but it’s not. It’s what we call a “phishing” page, a site run by people looking to receive and steal your password. If you type your password here, attackers could steal it and gain access to your Google Account—and you may not even know it. This is a common and dangerous trap: the most effective phishing attacks can succeed 45 percent of the time, nearly 2 percent of messages to Gmail are designed to trick people into giving up their passwords, and various services across the web send millions upon millions of phishing emails, every day.

A Javascript-based DDoS Attack as seen by Safe Browsing

Posted by Niels Provos, Distinguished Engineer, Security Team

To protect users from malicious content, Safe Browsing’s infrastructure analyzes web pages with web browsers running in virtual machines. This allows us to determine if a page contains malicious content, such as Javascript meant to exploit user machines. While machine learning algorithms select which web pages to inspect, we analyze millions of web pages every day and achieve good coverage of the web in general.

Ads Take a Step Towards “HTTPS Everywhere”

Posted by Neal Mohan, VP Product Management, Display and Video Ads, and Jerry Dischler, VP Product Management, AdWords

Since 2008 we’ve been working to make sure all of our services use strong HTTPS encryption by default. That means people using products like Search, Gmail, YouTube, and Drive will automatically have an encrypted connection to Google. In addition to providing a secure connection on our own products, we’ve been big proponents of the idea of “HTTPS Everywhere,” encouraging webmasters to prevent and fix security breaches on their sites, and using HTTPS as a signal in our search ranking algorithm.