Archive for Google

Google Canada announces inaugural North American Google for Startups Accelerator: Cloud

Posted in Commentary on April 26, 2023 by itnerd

Today, Google Canada announced the opening of applications for its inaugural North American Google for Startups Accelerator: Cloud program. The program incorporates key learnings from the pilot Cloud accelerator in Canada, and is expanding to startups in both the U.S. and Canada.

Around the world, cloud technology is helping businesses and governments accelerate their digital transformations, scale their operations, and innovate in new areas. In fact, last year more than 300 Canadian companies used cloud to develop artificial intelligence (AI) and machine learning (ML) technologies that raised a total of $1.46B in venture capital funding.* 

With the growth of AI/ML ecosystems across North America, and increased adoption rates for cloud technologies, we’re seeing new opportunities emerge for startups across multiple verticals. At Google we’re supporting startups as they seize these opportunities through our equity-free accelerator. 

More information about the 2023 North American Google for Startups Accelerator: Cloud is available here. Applications for the 10-week accelerator are now open to startups until May 30. The program kicks off in July.

Google Announces Sec-PaLM Which Is An AI Workbench For Security

Posted in Commentary on April 25, 2023 by itnerd

Yesterday at RSA, Google announced its new Cloud Security AI Workbench, a cybersecurity suite powered by Sec-PaLM, a large language model (LLM) specialized for security.

Cloud Security AI Workbench will span a few new AI-powered tools (both owned by Google):

  • Mandiant’s Threat Intelligence AI – finds, summarizes and acts on security threats 
  • VirusTotal – helps subscribers analyze and explain the behavior of malicious scripts

Google says that it plans to release the rest of the offerings to “trusted testers” soon, but in general, Sec-PaLM will assist customers in searching for and interpreting security events and interacting with the results conversationally. Also, users of Google’s Security Command Center AI will get explanations of attack exposures, assets affected, suggested mitigations and risk summaries, compliance and privacy findings.

Google’s play in the generative AI cybersecurity race comes just after Microsoft’s March release of competitor Security Copilot.

Jeffrey Sims, Principal Security Engineer, HYAS had this to say:

   “Google has also been a large contributor to the open source LLM space with their fine-tuned model series called Flan (Fine-tuned LAnguage Net). These models range in parameter size (capability) and allow for commercial applications. 

   “In addition to Google’s offering, we’ll see many technologically advanced organizations leveraging these open source models which will allow for deep customization and creative use cases, working in tandem with AI Workbench’s “partner plug-in integrations,” mentioned above. The rate of innovation based on creative systems like this will radically accelerate the security space in the years to come.”

It will be interesting to see how Google’s offering competes against offerings from companies like Orca Security and ARMO who are doing similar things. And it will be interesting to see who else jumps into this space.

Yikes! Open Source Red Team Tool Used By Hackers In Malware Attacks

Posted in Commentary on April 19, 2023 by itnerd

In Google’s April 2023 Threat Horizons Report, security researchers in its Threat Analysis Group revealed that APT41 has been abusing the open-source GC2 red teaming tool in malware attacks.

The threat campaign interacts only with Google’s domains making it harder to detect, and it consists of an agent that is deployed on compromised devices, which then connects back to a Google Sheets URL to receive commands to execute.

These commands cause the deployed agents to download and install additional payloads from Google Drive or exfiltrate stolen data to the cloud storage service.

APT41’s use of GC2 is another indicator of a trend of threat actors using well-intentioned, legitimate red teaming tools and RMM platforms as part of their attacks.
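
Because the traffic described above goes only to Google's domains, a detection has to look at which process is calling the Sheets API and how regularly, rather than at the destination. The following is an added example, not code from the Threat Horizons Report or from this post; the log format, hostnames, process names and thresholds are assumptions, and the sample log is constructed.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed hostnames for the Google Sheets and Drive APIs; adjust to your proxy logs.
SHEETS_HOSTS = {"sheets.googleapis.com"}
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}
# Assumption: processes this organisation expects to talk to Google Workspace.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample (time,host,process,destination); not real telemetry.
SAMPLE_LOG = """\
2023-04-19T09:00:00,ws-014,chrome.exe,sheets.googleapis.com
2023-04-19T09:00:05,ws-022,updater.exe,sheets.googleapis.com
2023-04-19T09:00:10,ws-040,sync-tool.exe,sheets.googleapis.com
2023-04-19T09:00:40,ws-014,chrome.exe,drive.google.com
2023-04-19T09:01:05,ws-022,updater.exe,sheets.googleapis.com
2023-04-19T09:02:07,ws-022,updater.exe,sheets.googleapis.com
2023-04-19T09:02:30,ws-022,updater.exe,www.googleapis.com
2023-04-19T09:03:06,ws-022,updater.exe,sheets.googleapis.com
2023-04-19T09:04:05,ws-022,updater.exe,sheets.googleapis.com
2023-04-19T09:05:00,ws-040,sync-tool.exe,sheets.googleapis.com
2023-04-19T09:30:00,ws-040,sync-tool.exe,sheets.googleapis.com
2023-04-19T10:15:00,ws-040,sync-tool.exe,sheets.googleapis.com
"""


def parse_log(text):
    """Parse 'time,host,process,destination' lines into dicts."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, host, proc, dest = row
        rows.append({"time": datetime.fromisoformat(ts), "host": host,
                     "process": proc.lower(), "dest": dest.lower()})
    return rows


def find_sheets_beacons(rows, min_hits=4, max_jitter=0.2):
    """Flag unexpected processes that poll the Sheets API at a steady interval."""
    sheets_times = defaultdict(list)
    drive_seen = set()
    for r in rows:
        key = (r["host"], r["process"])
        if r["dest"] in SHEETS_HOSTS:
            sheets_times[key].append(r["time"])
        elif r["dest"] in DRIVE_HOSTS:
            drive_seen.add(key)

    findings = []
    for (host, proc), times in sorted(sheets_times.items()):
        if proc in EXPECTED_PROCESSES or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation: near 0 means machine-like, regular polling.
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if jitter <= max_jitter:
            findings.append({"host": host, "process": proc, "hits": len(times),
                             "mean_gap_s": round(mean_gap, 1),
                             "jitter": round(jitter, 3),
                             "touched_drive": (host, proc) in drive_seen})
    return findings


if __name__ == "__main__":
    for finding in find_sheets_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

An agent that randomises its polling interval will exceed the jitter threshold, so the process allowlist check is worth alerting on by itself in environments where the expected set is small.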

Matt Mullins, Senior Security Researcher, Cybrary provided this comment:

   “APT41’s use of GC2 is a shift into using more novel and off-the-shelf modern open-source projects. While most of the APT pool still relies on certain tried-and-true approaches (such as using PowerShell and macros), this change up of tactics shows a willingness to change approaches with the time. The GC2 program isn’t anything revolutionary to the Red Team community as the utilization of covert channels as a non-standard C2 is something that good Red Teams have been organically developing for years now. 

   “The tool, which uses Google’s trusted domains and applications, allows for the masquerading of legitimacy. This approach exposes an Achilles heel to using major providers like Google and Microsoft – enterprises essentially have to whitelist all domains and subdomains associated with these companies. By doing so, any service that can be abused is a free hall pass for attackers. I have personally used this on my own operations before and can say that it leaves even the best defenders blind to C2 communications.

   “The application also uses Go, which is a Google language (for extra insult), and in a similar vein it is a known compiled language to Red Teams. Go provides nice cross-compatibility with less robust detection maturity in most organizations. All of this makes for a great initial malware payload!

   “Times are changing and so are APT groups. As we see more research and development done by Red Teams, we will see more advanced vectors and approaches like this. Defenders need to make sure they have validated their detections, their detections are robust, and that we have security at all layers (instead of depending on one product or tool to save us). Above all else, having a good Red Team will help your Blue Team train up to defend against advanced threats like this! Investing into a good offensive security program for ANY organization will pay exponentially in the long run.”

Christopher Peacock, Principal Detection Engineer, SCYTHE followed up with this comment:

   “In this day and age, free and open-source hacking software is just that, hacking software. Any interesting capability posted publicly to GitHub will inevitably be used maliciously regardless of the projects’ intentions, licensing, or disclaimer.”

Clearly threat actors are becoming more and more dangerous by using tools to create even more novel and dangerous attacks. That means that those of us who are tasked with defending against these attacks need to work harder than ever to make sure that these attacks never succeed.

Google Has Published The Results From Google Ads’ Interest-Based Advertising Testing

Posted in Commentary on April 18, 2023 by itnerd

In 2020, Chrome announced the deprecation of third party cookies; and as the deadline approaches, Google ads platforms have been experimenting with serving interest based ads with privacy-preserving signals (including the Privacy Sandbox’s Topics API) instead of third party cookies.

The results showed that when using IBA solutions with privacy-preserving signals, Google Ads advertising spend on IBA decreased by between 2 and 7% compared to third-party-cookie-based results. For conversions per dollar [proxy for return on investment] the decrease was 1-3%. It also showed that click through rates (CTR) remained within 90% of the status quo. 

It’s worth noting that the results were derived from a combination of privacy-preserving signals such as contextual information, the Topics API from the Privacy Sandbox and first-party identifiers such as Publisher Provided IDs.

You can read the blog post here.

Google Report Highlights Weak Passwords Account For Almost Half Of Security Breaches…. Yikes!

Posted in Commentary on April 15, 2023 by itnerd

Google is reporting that weak passwords accounted for almost half of security breaches affecting Google Cloud customers. Google is seeing nation-state actors finding success exploiting “weak identity verification practices,” according to Chris Porter, head of threat intelligence for Google Cloud. “The percentage that’s a software issue or a zero-day, you know, it’s not zero, but it goes down and down and down. That’s a trend we generally expect to continue,” Porter said.
 
Google reports that compromise of APIs to gain permissions into a company’s systems is the second most common avenue of attack on their cloud systems and accounted for nearly one fifth of all reported incidents. They point out that ransomware attacks in the cloud, threatening to release stolen data, have become common events.

I have three comments on this. The first is from Willy Leichter, VP, Cyware:
    
   “This report seems depressingly familiar, that our oldest security problems – poor password practices and leaked API credentials, lead to the majority of attacks. But we must move beyond our typical response – trying to train and cajole end-users to be more careful. We need to assume that users will be careless, design better defense-in-depth, and leverage the explosion of AI tools to detect poor security practices, and advanced attacks that will always find weak points to exploit.”


The next is from Roy Akerman, Co-Founder & CEO, Rezonate:

   “This confirms the same exact information we have seen for the past decade. Identity was and remains the biggest risk, and the true “zero-day”, organizations must address with priority. Current identity security approaches are fragmented across many tools and teams and do not fit today’s reality of a constantly changing infrastructure. Identity security hasn’t evolved for the past decade for the purpose of detecting identity exploitation. We were too busy managing and allowing access vs monitoring and detecting unauthorized access behaviors and a true end-to-end view across all stages of the identity lifecycle.”


The final comment is from George McGregor, VP, Approov:

   “The combination of weak passwords and careless API key management is a dangerous cocktail which opens up APIs as an attack surface for hackers. Better discipline in general is of course important, but developers should also put in place runtime solutions to prevent stolen keys being exploited. This can be done effectively by using app and device attestation combined with secret management solutions which allow keys to be rotated immediately if compromised or changed.”

This is depressing and hopefully this report from Google serves as a wake up call to do better on the security front. Because we live in a time where not doing better will end badly more often than not.

Google Joins Apple In Requiring Apps To Allow Android Users Data Deletion Options

Posted in Commentary on April 7, 2023 by itnerd

Google has announced a new Play Store data deletion policy that, starting in early 2024, will require Android developers to give users the ability to delete their accounts and in-app data both within the app and online.
 
Every store listing will display links in the “Data deletion” area where developers will provide an in-app account deletion experience as well as a web-based option so users do not have to re-install the app. Developers will be required to delete the data associated with a deleted account. Finally, users are also given more options, such as the ability to delete specific data while keeping their account. Google acknowledged that some developers may be legally required to retain certain data.
 
Developers may request an extension, but non-compliant apps will no longer be able to publish new apps or release app updates and may face removal from Google Play.
 
This announcement follows Apple’s move requiring developers of apps with an account creation option to also provide the users with a way to delete their accounts from within the apps starting June 2022.

Ted Miracco, CEO of Approov had this comment:

   “It is important for companies like Google and Apple to prioritize user privacy and security, and this new policy is a step in the right direction. The new Play Store data deletion policy is a positive development from a mobile security perspective and can help reduce the risk of data breaches by giving users more control over their personal data. In the event of a data breach, the ability to delete specific data and account information can be critical in preventing further damage and protecting sensitive information. With this new policy, users will have more control over their data and will be able to delete it in a more efficient and effective way, which can help reduce the risks associated with a data breach. App developers still need to do more to secure their apps and make sure they cannot be tampered with, and consumers should only install apps from legitimate app marketplaces.”

I like this as my data belongs to me. Thus I should have control over whom I share it with including if I no longer want to share it with a third party. Good on Google for doing the right thing for a change.

GM Will Dump Apple CarPlay For Google In EV Vehicles Simply To Make A Few Extra Bucks

Posted in Commentary on March 31, 2023 by itnerd

I have to admit that I was trying to find a non-cynical way of speaking to this story from Reuters. But I can’t, so I am going to call it out for what it is. Let’s start with this:

General Motors plans to phase out widely-used Apple CarPlay and Android Auto technologies that allow drivers to bypass a vehicle’s infotainment systems, shifting instead to built-in infotainment systems developed with Google for future electric vehicles.

Apple CarPlay and Android Auto systems allow users to mirror their smartphone screens in a vehicle’s dashboard display.

GM’s decision to stop offering those systems in future electric vehicles, starting with the 2024 Chevrolet Blazer, could help the automaker capture more data on how consumers drive and charge EVs.

GM is designing the on-board navigation and infotainment systems for future EVs in partnership with Alphabet Inc’s Google.

This decision doesn’t seem to affect gas powered vehicles. But GM has committed to not making gas powered vehicles in 2035. So read into that what you will.

The question is why would GM go this route. Here’s why:

Buyers of GM EVs with the new systems will get access to Google Maps and Google Assistant, a voice command system, at no extra cost for eight years, GM said. GM said the future infotainment systems will offer applications such as Spotify’s music service, Audible and other services that many drivers now access via smartphones.

“We do believe there are subscription revenue opportunities for us,” Kummer said. GM Chief Executive Mary Barra is aiming for $20 billion to $25 billion in annual revenue from subscriptions by 2030.

That’s right, it’s all about the Benjamins. I am guessing that GM traded having CarPlay in their cars to get Google to help GM to do something that would result in a recurring revenue stream. Because recurring revenue is what all the cool kids want these days.

The thing is GM is going to regret this.

Android Auto and Apple CarPlay are must haves when buying a new car. In my mind, deleting Apple CarPlay is going to make a lot of Apple fans simply say “There’s no Apple CarPlay in this EV? Over to the competition I will go.” But the flip side to that is that they might be counting on being like Tesla where they don’t use Apple CarPlay and Android Auto, but their cars still sell. Though many Tesla owners who want CarPlay have used a hack to get it. Ditto for Android Auto. That implies that these are features that at least some Tesla owners want. Despite what Elon Musk may think.

Don’t be surprised if GM reverses course if their EV sales aren’t what they think they should be relative to the market, and when they dive into why, this decision to dump Apple CarPlay comes up as a factor. It may take a few years to get there. But I am sure that they will regret this decision.

Google releases 2023 Ads Safety Report and Search Updates

Posted in Commentary on March 29, 2023 by itnerd

Today, Google released the 2023 edition of their annual Ads Safety Report, which takes a deeper look at how Google created a safer experience for users in the ad ecosystem in the past year. Google also launched a brand new transparency tool called the Ads Transparency Center, which will be a fully searchable repository of global ads we serve from verified advertisers. 

Here’s a link to the full report, as well as blog posts about the Ads Safety Report and new Ads Transparency Center for more information, along with some highlights below:

Key Insights from the 2023 Ads Safety Report:

  • Google blocked or removed over 5.2 billion ads for violating Google’s policies. That’s more than 9,000 ads per minute.
  • Google restricted over 4.3 billion ads. 
  • Google blocked over 17 million ads related to the war in Ukraine under our sensitive event policy.
  • Google suspended more than 6.7 million advertiser accounts for egregious policy violations.
  • Google removed ads from over 1.5 billion pages last year. 
  • Google added or updated 29 policies for both advertisers and publishers in 2022. 

New fact-checking tools on Google Search

With International Fact Checking Day (April 2) approaching, it’s an important time to consider information literacy and misinformation online. Everyone should be empowered with the tools they need to find information they can trust. That’s why we’re highlighting tools and features available on Search to help people evaluate the information they come across online. You can read more details about the new Search features in this blog post.

  • About this page is a new Search results page experience. Now when you search for a URL on Google.ca, About this page will appear below the top navigational results on the Search page. It provides quick, important context about the webpage you searched for, to help you evaluate the credibility of the page.
  • About this result will now be available for all Canadians. Through the feature, you can quickly find more context about the sources and topics you’re searching for. This includes information like a description of the source (if available), when the site was first indexed, and whether your connection to a site is secure. You’ll see information about some of the factors used to connect a result to the query, and whether a result is personalized for you.
  • Fact Checking Fund (GNI): back in November, Google and YouTube announced a $13.2M grant to the International Fact Checking Network to provide indirect funds to 135 fact-checking organizations across 65 countries covering 80 languages. The fund will be opening very soon, building on our previous work to address misinformation, and is Google and YouTube’s single largest grant in fact-checking.

Google Cloud unveils new AI integration with Shopify

Posted in Commentary on March 23, 2023 by itnerd

Today, Google Cloud and Shopify announced a first of its kind integration, bringing Google’s leading search, browse and AI capabilities to Shopify retailers using Commerce Components, Shopify’s enterprise retail solution. 

This integration will help create a more seamless, intuitive online shopping experience, increasing customer retention for retailers and keeping Canadians engaged through the purchase journey. New data from Google Cloud found that over 50 per cent of Canadian shoppers are not completing their online purchase journeys because they cannot find what they are looking for, amounting to losses of more than $106B each year for online retailers in Canada.

Google Cloud surveyed Canadians on their shopping experiences, finding: 

  • Despite the rise of online shopping, Canadians are not having a seamless experience. 9 in 10 Canadian consumers (89%) say they are more likely to make repeat visits to retail websites that are easy to navigate and browse, and a majority of Canadian shoppers (80%) report hurdles in their product discovery experience when searching online. 
  • Canadians are abandoning their online cart if they can’t find an item. After an unsuccessful search experience using the search function or search box on a retail website, more than half of consumers in Canada (51%) say they typically abandon their entire cart and go elsewhere if there’s at least one item they can’t find on a website.
  • With so much choice, a bad experience online can put brand loyalty in flux. More than 3 in 4 consumers (76%) say they are less loyal to a brand when it’s hard to find what they want on their website. 

This new integration will help to address these challenges, with AI-powered functionalities that deliver better and more personalized results. 

You can read the full press release as well as this blog post for more information. 

Google Blocks Chinese App Pinduoduo Over Security Concerns

Posted in Commentary on March 21, 2023 by itnerd

Google has suspended the Chinese shopping app Pinduoduo after versions of the app distributed outside the Play Store were found to contain malware, and the current version is “not compliant with Google’s Policy”. With approximately 900 million users, Pinduoduo is one of China’s most popular e-commerce platforms.

“Off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” Ed Fernandez, a Google spokesperson said. 

Google Play Protect scans for malicious apps installed on Android phones and will recommend that users uninstall them. Play Protect currently prevents users from installing the Pinduoduo app.

Furthermore, a Pinduoduo spokesperson said in a statement to CNN, “We are communicating with Google for more information. We have been told that there are several other apps that have been suspended as well.” 

In a later statement Pinduoduo said it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google.”

It reiterated that “there are several apps that have been suspended from Google Play at the same time.”

Google Play has yet to confirm other suspended apps and has asked users with off-store (that is, sideloaded) versions to uninstall them.

Ted Miracco, CEO, Approov had this to say:

   “Mobile attestation is the process involved in verifying that the app was signed by a trusted party and has not been modified since it was signed. If mobile app developers use Google Play Integrity for the attestation process involved, they leave substantial end-users out of the process as both Huawei and Xiaomi smartphones typically do not have access to Google Play attestation capabilities and many Samsung devices support app attestation through their own Samsung Knox (a mobile security platform that provides security features, including app attestation).

   “It is incumbent on developers to ensure that only genuine apps can access the APIs, otherwise they are opening up their users to the possibilities of malware or credentials being stolen from the app. Attestation across all mobile platforms is both necessary to protect APIs and to ensure the safety of the end users.”

I didn’t see a mention of the Apple versions of this app in the CNN story. I am guessing that’s because it’s much harder (but not impossible) to slip such code into apps on Apple’s App Store. And apps on that platform need to be signed. Plus side loading isn’t a thing on iOS. Some clarification on that would be handy. But if that’s the case, then as stated above, Google needs to move towards that sort of model as that will keep people safer.