A newly expanded Google Safety Center is now live in the UK, two weeks after the company began rolling it out around the world in an attempt to focus attention on top security issues.
According to Google, the site, which is intended to provide the most locally relevant information in more than 65 languages, now offers updated resources and more material to educate users about current security practices and thinking, relevant issues, privacy controls and online protections.
The site is aimed at informing users about what Google does to keep personal information private and safe, and at giving them control by linking to privacy controls and encouraging people to use security tools such as password managers, rather than focusing on guidance on how to create strong passwords.
“Helping people manage their privacy and security is integral to everything we do,” said Mark Risher, director of product management at Google security.
Over the years, he said, Google has created many tools, such as Google Account, which gives users access to all the settings for safeguarding personal data and privacy; Privacy Checkup, which lets users review and adjust what data Google uses to personalise experiences; and My Activity, which helps users review and delete the activity data connected to their account.
“As technology continues to change the way we live, work and play, our commitment to keeping users safe and secure online only grows. This site is the latest example of how we live up to our responsibility to protect users,” said Risher.
He denied allegations in the media that Google has made changes to its Chrome browser so that users are automatically logged into their Google accounts, with the aim of collecting browsing data.
“This issue was misunderstood by a number of people, but there were also valid concerns that we have already responded to,” he told Computer Weekly.
“Our goal was to make it more transparent or clearer to users when they are signed into Google as they move around the web, because we wanted to help with any concerns people might have in a shared device scenario by putting the users’ profile picture in the Chrome user interface.
“But we did not make any changes to the information that is getting sent to Google and we specifically retained the explicit step before any information gets uploaded to the Google Cloud.
“The problem is that people did not fully understand this, and unfortunately we are in a place – as a company and as an industry – where a lot of people are suspicious and sceptical, and consequently assumed the worst and thought that Google was automatically uploading data, which is something we never would do.”
As a result, Google has announced that it will soon be introducing further changes aimed at making it even clearer what is happening, so that users understand where their information is going and have very explicit control over it.
“We want users to know exactly what they are getting and to be clear about the benefits they are receiving. We have nothing to hide. We want people to know and understand what data we have, how they can access it and how they can manage their privacy settings,” he said.
Turning to security trends, Risher said Google is seeing a shift from generic, broad-based attacks to things that are much more targeted, where attackers know a lot about the individuals they are going after.
“In the consumer space, they are targeting individuals with high net worth, while in the enterprise, they are targeting high-value businesses and individuals within those organisations that have power and influence,” said Risher.
“As a result, these attacks typically take longer to craft because attackers need to understand who the target is and what needs to be done to make phishing emails more credible, especially when masquerading as CEOs writing to the finance department or as finance department employees writing to CEOs,” he said.
However, Risher said many users still do not understand that the majority of successful cyber attacks are conducted by exploiting known vulnerabilities that have been patched by the relevant hardware and software suppliers.
“By failing to ensure that they are applying existing security updates to all their hardware and software, they are exposing themselves unnecessarily to potentially devastating cyber threats,” he said.
In terms of future product development in the light of the growing popularity of business email compromise (BEC) attacks, Risher said Google is continually working on new explicit and implicit defences, improved user interfaces and user education.
“From an explicit standpoint, BEC has long been a focus of the application of machine learning on our side because it enables us to look at a very broad range of signals and features to do very rapid and accurate classification of email messages.
“We complement that with changes to the user interface, such as displaying warning banners to anyone who receives a message from a sender whose address is a near duplicate of another address in your contact list, to guard against instances where an email appears to come from a contact, but the address differs only by one character, which is commonly overlooked by recipients,” he said.
Google also uses outbound warnings to users that emails they are sending may not be going where they think because attackers are using email addresses that appear very much like a regular correspondent’s email address, but with subtle differences.
“Both are user interface changes to help prevent users from being tricked in these ways,” said Risher.
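The near-duplicate address check behind the inbound and outbound warnings described above can be illustrated with a small edit-distance filter. This is an added example, not Google's own code; the contact list, sample senders and threshold are constructed for illustration.

```python
"""Flag addresses that are a near-duplicate of a known contact.

Used the same way for an inbound sender (warn the recipient) and an outbound
recipient (warn the sender). Contact list and samples are constructed data.
"""
from typing import Optional


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling single row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a char from a
                           cur[j - 1] + 1,             # insert a char into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(addr: str) -> str:
    """Case and whitespace differences are not meaningful in an address."""
    return addr.strip().lower()


def lookalike_contact(sender: str, contacts: list, max_distance: int = 1) -> Optional[str]:
    """Return the contact the address mimics, or None if no banner is needed.

    An address is flagged only when it is NOT an exact match for any contact
    but lies within `max_distance` edits of one, e.g. a single swapped,
    added or dropped character in the local part or the domain.
    """
    s = normalise(sender)
    known = [normalise(c) for c in contacts]
    if s in known:
        return None  # genuine contact, nothing to warn about
    best, best_d = None, max_distance + 1
    for c in known:
        d = edit_distance(s, c)
        if d < best_d:
            best, best_d = c, d
    return best


# Constructed sample data (assumed, not from the article).
CONTACTS = ["ceo@example.com", "finance@example.com"]
SAMPLE_SENDERS = ["ceo@example.com", "ceo@exampie.com", "ceo@example.co", "newsletter@vendor.net"]


def scan(senders: list, contacts: list) -> dict:
    """Map each flagged address to the contact it resembles."""
    return {s: m for s in senders if (m := lookalike_contact(s, contacts))}
```

A pure edit-distance rule also flags legitimately distinct mailboxes at the same domain (for example two addresses that differ only in one letter of the local part), so a production filter would weigh whether the domain itself matches before showing a banner.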
In addition, Google is continually introducing preventive technologies, such as the recently launched “Titan” security key, which is a phishing-resistant two-factor authentication (2FA) device that is initially aimed at helping to protect high-value users such as IT admins, journalists, elected officials, business leaders and celebrities.
“After Google rolled out security key enforcement for its own employees, we have had zero cases of password phishing, and that is truly a game changer because we are definitely a targeted company. Having this technology that has reduced this particular attack vector to zero is something we are really proud of,” said Risher. “Authentication is an important focus area as the world increasingly moves to cloud-based services.”
Another concerning trend, he said, is attackers using data from past breaches to add credibility to phishing or scam emails. “Recipients are likely to believe an email from an attacker is from their bank if the message includes the last four digits of their credit card, but this is data the attackers are getting from other data breaches and adding to their phishing messages,” he added.
Looking to the future, Risher said Google is looking for ways to provide 2FA devices that are lower in cost, easier to use and interoperable with other technologies without requiring special hardware ports, in an effort to get this protection into the hands of more users.
“The current [Titan] product works really well, but it is perhaps unrealistic to expect everybody around the world will be willing and able to buy such devices, so we are looking to find simpler, more streamlined alternatives to get it into the hands of the majority, not just high-risk individuals,” he said.