Security Blog
The latest news and insights from Google on security and safety on the Internet
New Built-In Gmail Protections to Combat Malware in Attachments
May 31, 2017
Posted by Sri Somanchi, Product Manager, Gmail anti-spam
Today we announced
new security features for Gmail customers
, including early phishing detection using machine learning, click-time warnings for malicious links, and unintended external reply warnings. In addition, we have also updated our defenses against malicious attachments.
Let’s take a deeper look at the new defenses against malicious attachments. We now correlate spam signals with attachment and sender heuristics, to predict messages containing new and unseen malware variants. These protections enable Gmail to better protect our users from zero-day threats, ransomware and polymorphic malware.
In addition, we
block
use of file types that carry a high potential for security risks including executable and javascript files.
Machine learning has helped Gmail achieve more than 99% accuracy in spam detection, and with these new protections, we’re able to reduce your exposure to threats by confidently rejecting hundreds of millions of additional messages every day.
Constantly improving our automatic protections
These new changes are just the latest in our ongoing work to improve our protections as we work to keep ahead of evolving threats. For many years, scammers have tried to use dodgy email attachments to sneak past our spam filters, and we’ve long blocked this potential abuse in a variety of
ways
, including:
Rejecting the message and notifying the sender if we detect a virus in an email.
Preventing you from sending a message with an infected attachment.
Preventing you from downloading attachments if we detect a virus.
While the bad guys never rest, neither do we.
These protections were made possible due to extensive contribution from Vijay Eranti & Timothy Schumacher (Gmail anti-spam) & Harish Gudelly (Google anti-virus) & Lucio Tudisco (G Suite anti-abuse)
OSS-Fuzz: Five months later, and rewarding projects
May 8, 2017
Posted by Oliver Chang, Abhishek Arya (Security Engineers, Chrome Security), Kostya Serebryany (Software Engineer, Dynamic Tools), and Josh Armour (Security Program Manager)
Five months ago, we
announced
OSS-Fuzz
, Google’s effort to help make open source software more secure and stable. Since then, our robot army has been working hard at
fuzzing
, processing 10 trillion test inputs a day. Thanks to the efforts of the open source community who have integrated a total of
47
projects, we’ve found over
1,000
bugs (
264
of which are potential security vulnerabilities).
Breakdown of the types of bugs we’re finding
Notable results
OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects:
10
in FreeType2,
17
in FFmpeg,
33
in LibreOffice,
8
in SQLite 3,
10
in GnuTLS,
25
in PCRE2,
9
in gRPC, and
7
in Wireshark. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801). (Some of the bugs are still view-restricted so links may show smaller numbers.)
Once a project is integrated into OSS-Fuzz, the continuous and automated nature of OSS-Fuzz means that we often catch these issues just hours after the regression is introduced into the upstream repository, so that the chances of users being affected is reduced.
Fuzzing not only finds memory safety related bugs, it can also find correctness or logic bugs. One example is a carry propagating bug in OpenSSL (
CVE-2017-3732
).
Finally, OSS-Fuzz has reported over 300
timeout and out-of-memory failures
(~75% of which got fixed). Not every project treats these as bugs, but fixing them enables OSS-Fuzz to find more interesting bugs.
Announcing rewards for open source projects
We believe that user and internet security as a whole can benefit greatly if more open source projects include fuzzing in their development process. To this end, we’d like to encourage more projects to participate and adopt the
ideal integration
guidelines that we’ve established.
Combined with fixing all the issues that are found, this is often a significant amount of work for developers who may be working on an open source project in their spare time. To support these projects, we are expanding our existing
Patch Rewards
program to include rewards for the integration of
fuzz targets
into OSS-Fuzz.
To qualify for these rewards, a project needs to have a large user base and/or be critical to global IT infrastructure. Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration (the final amount is at our discretion). You have the option of donating these rewards to charity instead, and Google will double the amount.
To qualify for the ideal integration reward, projects must show that:
Fuzz targets are checked into their upstream repository and integrated in the build system with
sanitizer
support (up to $5,000).
Fuzz targets are
efficient
and provide good code coverage (>80%) (up to $5,000).
Fuzz targets are part of the official upstream development and regression testing process, i.e. they are maintained, run against old known crashers and the periodically updated
corpora
(up to $5,000).
The last $5,000 is a “
l33t
” bonus that we may reward at our discretion for projects that we feel have gone the extra mile or done something really awesome.
We’ve already started to contact the first round of projects that are eligible for the initial reward. If you are the maintainer or point of contact for one of these projects, you may also
reach out
to us in order to apply for our ideal integration rewards.
The future
We’d like to thank the existing contributors who integrated their projects and fixed countless bugs. We hope to see more projects integrated into OSS-Fuzz, and greater adoption of fuzzing as standard practice when developing software.
Protecting You Against Phishing
May 5, 2017
Posted by Mark Risher, Director, Counter Abuse Technology
As many email users know, phishing attacks—or emails that impersonate a trusted source to trick users into sharing information—are a pervasive problem. If you use Gmail, you can rest assured that every day, millions of phishing emails are blocked from ever reaching your inbox.
This week, we defended against an email
phishing campaign
that tricked some of our users into inadvertently granting access to their contact information, with the intent to spread more phishing emails. We took quick action to revoke all access granted to the attacker as well as steps to reduce and prevent harm from future variants of this type of attack.
Here’s some background to help you understand how the campaign worked, how we addressed it, and how you can better protect yourself against attacks.
How the campaign worked and how we addressed it
Victims of this attack received an email that appeared to be an invite to a Google Doc from one of their contacts. When users clicked the link in the attacker’s email, it directed them to the attacker’s application, which requested access to the user’s account under the false pretense of gaining access to the Google Doc. If the user authorized access to the application (through a mechanism called OAuth), it used the user's contact list to send the same message to more people.
Upon detecting this issue, we immediately responded with a combination of automatic and manual actions that ended this campaign within an hour. We removed fake pages and applications, and pushed user-protection updates through Safe Browsing, Gmail, Google Cloud Platform, and other counter-abuse systems. Fewer than 0.1% of our users were affected by this attack, and we have taken steps to re-secure affected accounts.
We protect our users from phishing attacks in a number of ways, including:
Using machine learning-based detection of spam and phishing messages, which has contributed to 99.9% accuracy in spam detection.
Providing
Safe Browsing
warnings about dangerous links, within Gmail and across more than 2 billion browsers.
Preventing suspicious account sign-ins through dynamic, risk-based challenges.
Scanning email attachments for malware and other dangerous payloads.
In addition, we’re taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users.
How users can protect themselves
We’re committed to keeping your Google Account safe, and have layers of defense in place to guard against sophisticated attacks of all types, from anti-hijacking systems detecting unusual behavior, to machine learning models that block malicious content, to protection measures in Chrome and through Safe Browsing that guard against visiting suspicious sites. In addition, here are a few ways users can further protect themselves:
Take the
Google Security Checkup
, paying particular attention to any applications or devices you no longer use, as well as any unrecognized devices.
Pay attention to
warnings and alerts
that appear in Gmail and other products.
Report
suspicious emails
and
other content
to Google.
How G Suite admins can protect their users
We’ve separately notified G Suite customers whose users were tricked into granting OAuth access. While no further admin or user action is required for this incident, if you are a G Suite admin, consider the following best practices to generally improve security:
Review and verify current
OAuth API access by third-parties
.
Run
OAuth Token audit log reports
to catch future inadvertent scope grants and set up automated email alerts in the Admin console using the
custom alerts feature
, or script it with the
Reports API
.
Turn on 2-step verification for your organization and use
security keys
.
Follow the
security checklist
if you feel that an account may be compromised.
Help prevent abuse of your brand in phishing attacks by publishing a
DMARC
policy for your organization.
Use
and enforce rules for
S/MIME encryption
.
Here is a list of more
tips and tools
to help you stay secure on the web.
Labels
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2023
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2022
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2021
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2020
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2019
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2018
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2017
Dec
Nov
Oct
Sep
Jul
Jun
May
Apr
Mar
Feb
Jan
2016
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Aug
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
2010
Nov
Oct
Sep
Aug
Jul
May
Apr
Mar
2009
Nov
Oct
Aug
Jul
Jun
Mar
2008
Dec
Nov
Oct
Aug
Jul
May
Feb
2007
Nov
Oct
Sep
Jul
Jun
May
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.