The IT Nerd

Google announced a new security feature that will allow all US Gmail users to be able to use Google’s dark web report to discover if their email address has been found on the dark web and also take action with guidance provided by Google, such as turning on two-step authentication.

Originally only available to Google One plans, all Gmail accounts will now be regularly reminded to check if their email has been linked to any data breaches that ended up on nefarious cybercrime forums.

“And if any matching info is found on the dark web, we’ll notify you and provide guidance on how you might protect that information,” said Google One Director of Product Management Esteban Kozak.

Google also announced that it upgraded the Safe Browsing service on Chrome and Android to catch and block 25% more phishing attempts, and that Google added a new spam view in Google Drive.

Roy Akerman, Co-Founder & CEO, Rezonate had this to say:

   “Google’s extension of its dark web report beyond Google One plans is a step in the right direction and part of Google’s responsibility in the ecosystem. This will reduce compromised accounts and further fraudulent attempts against businesses who’s corporate’s credentials were compromised. However, we seen with Google One existing customers, they may be aware their information is available in the dark web, yet no action is taken. Knowing is not enough, action must be taken to understand the potential risk and account changes must be put in place.”

I’ve always argued that if you give users the tools to protect themselves, and more importantly educate them on how to use those tools, that will help users to become more secure. Google has got the part right these tools existing mostly right as this needs to go beyond US users. But I hope Google really pushes to promote this so as to make sure that as many people as possible know these tools exist and how to use them. Because a single announcement won’t do.

 With this year’s Google I/O keynote wrapped up, I wanted to do a post with some helpful resources that will help you keep track of everything Google announced today. 

I’ll start with Google’s latest blog post for more details on the updates that were announced at I/O this year.  Some of the biggest announcements include:

• Powerful new enterprise AI tools, including Duet AI for Google Cloud, a  generative AI-powered collaborator built for developers, and new foundation models and capabilities that make it easier for organizations to build with generative AI. There’s also a blog post with more info.
• Exciting Google Workspace features that leverage generative AI to boost your productivity, including features that help you quickly generative images from text and reply to emails based on content in the thread, as well as our newest Project Starline prototype, which now has a simpler design to easily fit into more homes and offices
• The introduction of PaLM 2 – Google’s next generation language model which will power nearly 20 new products and features
• Google unveiled details about new members of the Pixel family: Pixel Tablet and Pixel 7a and Pixel Fold 
• Google introduced Search Labs, a new way for you to sign up and test new products and ideas they are exploring
• Immersive View for routes in Maps to help you visualize every segment of your journey
• They shared details around features to be included in Android 14
• Multiple safety updates including Safe Browsing API and upcoming unknown tracker alerts

Is there something on this list that you’re interested in? If so, leave a comment below and share your thoughts.

Yesterday, Google announced that users can now sign into their Google account using passkeys instead of passwords or 2-step Verification. The move is part of the company’s efforts towards passwordless authentication and to further protect users from threats like phishing.

“This signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are actually trying to sign in to Google and not some intermediary phishing site,” Google’s Arnar Birgisson and Diana K Smetters said.

 Passkeys will be linked to each device where they’ve been added to the account allowing devices to be unlocked locally using a PIN or screen lock biometrics. Passkeys will be securely backed up and synced to the cloud and work across all major web browsers and platforms.
 
For now, passkeys will be an additional Google sign-in option ensuring that users have a fallback method and can log in using a password.

Roy Akerman, Co-Founder & CEO, Rezonate had this to say:

   “Only last year Google shared its intent to end passwords realizing that identity threats are a top priority, and right before password national day it takes a major step towards that goal. Google is not alone on this mission joining FIDO alliance, Apple, and Microsoft which are on the same path. As adoption increases, we will see a decrease in less secured 2FA (two factor authentication) options available. Passkeys are proven to resist online attacks such as phishing compared to the common SMS OTP (one time password) yet security teams should carefully review usage and attempts as attackers will try to bypass and be ahead of the game.”

I am a big fan of passkeys as this will solve a lot of problems in terms of online security that consumers have. Thus making them a lot safer as a result. Hopefully other companies jump onto the passkeys bandwagon as that will make users more safe in more places.

Cyber attacks increased globally by nearly 40 per cent last year, but despite the pressing need to address this threat, research shows that there are currently more than 25,000 unfilled cybersecurity jobs in Canada.This highlights the need for more experienced cyber security professionals in Canada, 

Today, Google Canada announced the launch of the Google Cybersecurity Certificate as the newest addition to the Google Career Certificates program, which provides job seekers with paths to careers in data analytics, IT support, project management and more. The course can be completed online and prepares learners for entry-level careers in cybersecurity in less than six months with no prior experience required.

To help create new opportunities and bring more diverse talent to the cybersecurity sector, Google is working with non-profit partners Canada Learning Code and ComIT to build bespoke training programs and grant 1,500 scholarships to learners in their networks who identify as women, newcomers and underrepresented Canadians.  

About Google Cybersecurity Career Certificates

The Cybersecurity Certificate builds on the success of Google’s Career Certificate Programs in Canada, which offer job seekers affordable pathways to careers in data analytics, IT support, business intelligence and more.

76% of Canadian graduates from Google Career Certificate Programs report positive outcomes, including securing new jobs, higher pay or promotions within six months of completion.

Google Career Certificates were developed by Google employees as part of Grow with Google, a global initiative designed to create economic opportunities. 

Certificate programs are available in Cybersecurity, Data Analytics, Project Management, UX Design, IT Support and more.

Google’s latest blog post has more details. 

Today, Google Canada announced the opening of applications for their Inaugural North American Google for Startups Accelerator: Cloud program. The program incorporates key learnings from the pilot Cloud accelerator in Canada, and is expanding to startups in both U.S. and Canada. 

Around the world, cloud technology is helping businesses and governments accelerate their digital transformations, scale their operations, and innovate in new areas. In fact, last year more than 300 Canadian companies used cloud to develop artificial intelligence (AI) and machine learning (ML) technologies that raised a total of $1.46B in venture capital funding.* 

With the growth of AI/ML ecosystems across North America, and increased adoption rates for cloud technologies, we’re seeing new opportunities emerge for startups across multiple verticals. At Google we’re supporting startups as they seize these opportunities through our equity-free accelerator. 

More information about the 2023 North American Google for Startups Accelerator: Cloud is available here. Applications for the 10-week accelerator  are now open to startups until May 30. The program kicks off in July.  

Yesterday at RSA, Google announced their new Cloud Security AI Workbench, a cybersecurity suite powered by an AI model coined Sec-PaLM that specializes in intelligent security LLM (Large Language Model).

Cloud Security AI Workbench will span a few new AI-powered tools (both owned by Google):

• Mandiant’s Threat Intelligence AI – finds, summarizes and acts on security threats 
• VirusTotal – helps subscribers analyze and explain the behavior of malicious scripts

Google says that it plans to release the rest of the offerings to “trusted testers” soon, but in general, Sec-PaLM will assist customers in searching for and interpreting security events and interacting with the results conversationally. Also, users of Google’s Security Command Center AI will get explanations of attack exposures, assets effected, suggested mitigations and risk summaries, compliance and privacy findings.

Google’s play in the generative AI cybersecurity race comes just after Microsoft’s March release of competitor Security Copilot.

Jeffrey Sims, Principal Security Engineer, HYAS had this to say:

   “Google has also been a large contributor to the open source LLM space with their fine-tuned model series called Flan (Fine-tuned LAnguage Net). These models range in parameter size (capability) and allow for commercial applications. 

   “In addition to Google’s offering, we’ll see many technologically advanced organizations leveraging these open source models which will allow for deep customization and creative use cases, working in tandem with AI Workbench’s “partner plug-in integrations,” mentioned above. The rate of innovation based on creative systems like this will radically accelerate the security space in the years to come. “

It will be interesting to see how Google’s offering competes against from companies like Orca Security and ARMO who are doing similar things. And it will be interesting to see who else jumps into this space.  

In Google’s April 2023 Threat Horizons Report, security researchers in its Threat Analysis Group revealed that APT41 has been abusing the open-source GC2 red teaming tool in malware attacks.

The threat campaign interacts only with Google’s domains making it harder to detect, and it consists of an agent that is deployed on compromised devices, which then connects back to a Google Sheets URL to receive commands to execute.

These commands cause the deployed agents to download and install additional payloads from Google Drive or exfiltrate stolen data to the cloud storage service.

APT41’s use of GC2 is another indicator of a trend of threat actors using well intentioned, legitimate red teaming tools and RMM platforms as part of their attacks.

Matt Mullins, Senior Security Researcher, Cybrary provided this comment:

   “APT41’s use of GC2 is a shift into using more novel and off-the-shelf modern open-source projects. While most of the APT pool still relies on certain tried-and-true approaches (such as using PowerShell and macros), this change up of tactics shows a willingness to change approaches with the time. The GC2 program isn’t anything revolutionary to the Red Team community as the utilization of covert channels as a non-standard C2 is something that good Red Teams have been organically developing for years now. 

   “The tool, which uses Google’s trusted domains and applications, allows for the masquerading of legitimacy. This approach exposes an Achilles heel to using major providers like Google and Microsoft-enterprises essentially have to whitelist all domains and subdomains associated with these companies. By doing so, any service that can be abused is a free hall pass for attackers. I have personally used this on my own operations before and can say that it leaves even the best defenders blind to C2 communications.

   “The application also uses Go, which is a Google language (for extra insult), and in a similar vein it is a known compiled language to Red Teams. Go provides nice cross-compatibility with less robust detection maturity in most organizations. All of this makes for a great initial malware payload!

   “Times are changing and so are APT groups. As we see more research and development done by Red Teams, we will see more advanced vectors and approaches like this. Defenders need to make sure they have validated their detections, their detections are robust, and that we have security at all layers (instead of depending on one product or tool to save us). Above all else, having a good Red Team will help your Blue Team train up to defend against advanced threats like this! Investing into a good offensive security program for ANY organization will pay exponentially in the long run.”

Christopher Peacock, Principal Detection Engineer, SCYTHE followed up with this comment:

   “In this day and age, free and open-source hacking software is just that, hacking software. Any interesting capability posted publicly to GitHub will inevitably be used maliciously regardless of the projects’ intentions, licensing, or disclaimer.”

Clearly threat actors are becoming more and more dangerous by using tools to create even more novel and dangerous attacks. That means that those of us who are tasked with defending against these attacks need to work harder than ever to make sure that these attacks never succeed.

In 2020, Chrome announced the deprecation of third party cookies; and as the deadline approaches, Google ads platforms have been experimenting with serving interest based ads with privacy-preserving signals (including the Privacy Sandbox’s Topics API) instead of third party cookies.

The results showed that when using IBA solutions with privacy-preserving signals, Google Ads advertising spend on IBA decreased by between 2 and 7% compared to third-party-cookie-based results. For conversions per dollar [proxy for return on investment] the decrease was 1-3%. It also showed that click through rates (CTR) remained within 90% of the status quo. 

It’s worth noting that the results were derived from a combination of privacy-preserving signals such as contextual information, the Topics API from the Privacy Sandbox and first-party identifiers such as Publisher Provided IDs.

You can read the blog post here.

Google is reporting that weak passwords accounted for almost half of security breaches affecting Google Cloud customers. Google is seeing nation state actors finding success exploiting “weak identity verification practices” according to Chris Porter, head of threat intelligence for Google Cloud “The percentage that’s a software issue or a zero-day, you know, it’s not zero, but it goes down and down and down. That’s a trend we generally expect to continue,” Porter said.
 
Google reports that compromise of API’s to gain permissions into a company systems is the second most common avenue of attack on their cloud systems and accounted for nearly one fifth of all reported incidents. They point out that ransomware attacks in the cloud, threatening to release stolen data, have become common events.

I have three comments on this. The first is from Willy Leichter, VP, Cyware:
    
   “This report seems depressingly familiar, that our oldest security problems – poor password practices and leaked API credentials, lead to the majority of attacks. But we must move beyond our typical response – trying to train and cajole end-users to be more careful. We need to assume that users will be careless, design better defense-in-depth, and leverage the explosion of AI tools to detect poor security practices, and advanced attacks that will always find weak points to exploit.”

The next is from Roy Akerman, Co-Founder & CEO, Rezonate:

   “This confirms the same exact information we have seen for the past decade. Identity was and remains the biggest risk, and the true “zero-day”, organization must address with priority. Current identity security approaches are fragmented across many tools and teams and does not fit today’s reality of a constantly changing infrastructure. Identity security hasn’t evolved for the past decade for the purpose of detecting identity exploitation. We were too busy managing and allowing access vs monitoring and detecting unauthorized access behaviors and a true end-to-end view across all stages of the identity lifecycle.”

The final comment is from George McGregor, VP, Approov:

   “The combination of weak passwords and careless API key management is a dangerous cocktail which opens up APIs as an attack surface for hackers. Better discipline in general is of course important, but developers should also put in place runtime solutions to prevent stolen keys being exploited. This can be done effectively by using app and device attestation combined with secret management solutions which allow keys to be rotated immediately if compromised or changed.”

This is depressing and hopefully this report from Google serves as a wake up call to do better on the security front. Because we live in a time where not doing better will end badly more often than not.