
Google G Suite updates aim to improve phishing protection

News roundup: Google updates G Suite with stronger authentication. Plus, WordPress secretly patches vulnerabilities, malware is likely to infect entire OSes, and more.

Google is taking a stronger stance against phishing attacks and other security threats with its launch of some new features in G Suite.

Among its new phishing protection capabilities, G Suite enhanced its existing two-step verification process, which previously gave users the option to use Security Key, a physical USB device used as the second factor in authentication. With the new features, administrators can enforce two-step verification with Security Key only, with no other option, restricting login to users who have a Security Key. In addition, Security Key now plugs directly into a computer or pairs with a mobile device via Bluetooth or Near Field Communication (NFC), where previously a code was received in a text message.

"[Two-step verification] with only a Security Key offers the highest level of protection from phishing," explain Google product managers Christiaan Brand and Guemmy Kim in a blog post. "Instead of entering a unique code as a second factor at sign-in, Security Keys send us cryptographic proof that users are on a legitimate Google site and that they have their Security Keys with them. Since most hijackers are remote, their efforts are thwarted because they cannot get physical possession of the Security Key."

On top of getting rid of text code verification, Security Key also now uses Bluetooth Low Energy to make pairing with a mobile device more secure. The feature works on both Android and iOS devices.

The Google G Suite update doesn't end with Security Key enforcement. The company also added data loss prevention for Google Drive, as well as Secure/Multipurpose Internet Mail Extensions for Gmail.

The phishing protection improvements from Google follow the discovery of a Gmail phishing campaign that can bypass two-factor authentication (2FA) in limited real-time scenarios. The scheme uses emails that contain a PDF that can be previewed in Gmail, but the file redirects to a malicious URL. The URL shows the user what seems to be a legitimate Google login screen. The user then enters his login information, which the attacker uses in real time to log in. In limited, unconfirmed cases, the attack includes a 2FA code.
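The difference between a typed code and the origin-bound proof Brand and Kim describe can be modelled in a few lines. This is an added example, not code from Google or the original article: HMAC stands in for the public-key signature a real Security Key produces, and the class, function names and the `sign-in.example` origin are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://accounts.google.com"  # origin the server expects

class SecurityKey:
    """Toy authenticator; HMAC replaces the signature a real key makes."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def register(self):
        # A real key hands out a public key; this toy shares its HMAC secret.
        return self._secret

    def sign(self, client_data: bytes) -> bytes:
        return hmac.new(self._secret, client_data, hashlib.sha256).digest()

def browser_sign(key, challenge, page_origin):
    """The browser, not the page, records the origin the user is really on."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    return client_data, key.sign(client_data)

def server_verify(registered, issued_challenge, client_data, signature):
    expected = hmac.new(registered, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "bad signature"
    data = json.loads(client_data)
    if not hmac.compare_digest(data["challenge"], issued_challenge):
        return "stale or foreign challenge"
    if data["origin"] != LEGIT_ORIGIN:
        return "origin mismatch"
    return "ok"

def demo():
    key = SecurityKey()
    registered = key.register()
    challenge = secrets.token_hex(16)
    # 1. User signs in on the genuine site.
    genuine = server_verify(registered, challenge, *browser_sign(key, challenge, LEGIT_ORIGIN))
    # 2. User is on a look-alike page (constructed origin) that relays the challenge.
    relayed_data, relayed_sig = browser_sign(key, challenge, "https://sign-in.example")
    relayed = server_verify(registered, challenge, relayed_data, relayed_sig)
    # 3. The origin field is rewritten in transit; the signature no longer covers it.
    forged = json.dumps({"challenge": challenge, "origin": LEGIT_ORIGIN}, sort_keys=True).encode()
    tampered = server_verify(registered, challenge, forged, relayed_sig)
    return genuine, relayed, tampered

if __name__ == "__main__":
    print(demo())
```

A text-message code carries no record of where it was typed, so the server cannot tell a relayed code from a genuine one; the signed origin is what lets it reject cases 2 and 3.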

The Google G Suite release may not be the last we hear on authentication and phishing protections from Google.

"In the coming months," write Brand and Kim, "we'll build on these protections and offer users the opportunity to further protect their personal Google Accounts."

In other news

  • Mobile security company Zimperium will now buy N-day exploits that target any mobile OS version that isn't current. While most exploit buyers only want zero-days, Zimperium focuses on remote, local N-day exploits -- which are vulnerabilities that are known to the company that developed the flawed product -- that have likely already been patched. It plans to release the exploits it buys to the Zimperium Handset Alliance, which includes over 30 mobile carriers and handset vendors, such as Samsung and BlackBerry. The Zimperium Handset Alliance will have between one and three months before Zimperium releases the exploit to the public. "We would like to encourage security researchers to provide proofs for exploitation of known vulnerabilities and at the same time, getting paid for previous work," explains a Zimperium blog post. "Multiple [Zimperium Handset Alliance] partners explained to us that without proof of exploitability, it's hard to convince the security teams to allocate resources needed for a complete patch cycle, even for known issues. We hope this program will encourage more researchers to look into monthly security updates, and promote better patching."
  • WordPress secretly patched a vulnerability that hadn't been disclosed to the public. The vulnerability, found in WordPress versions 4.7 and 4.7.1, was an unauthenticated privilege escalation vulnerability in a REST API endpoint. WordPress patched the flaw in a security release on Jan. 26 along with three others, but did so without informing the public until Feb. 1. "We believe transparency is in the public's best interest," wrote WordPress's Aaron Campbell in an update. "It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites." Security researcher Marc-Alexandre Montpas of Sucuri notified WordPress of the vulnerability on Jan. 20 and WordPress put together the fix quickly. However, the content management system company didn't disclose the vulnerability or the fix so that it could test the patch before hackers got wind of the flaw and took advantage of it.
  • In its annual report, "State of Malware Report 2017," security vendor Malwarebytes warned that ransomware continues to evolve and could soon infect a computer so drastically that the user could lose access to the entire operating system. "We may see more variants that modify the infected computer's Master Boot Record, which is a key part of a system's ability to boot into its operating system," the report states. "Once modified, the system will boot into a lock screen set up by the malware, demanding payment not only to decrypt files but also to restore access to the main operating system." However, the Malwarebytes report also states that new families in the ransomware field are unlikely. "We are unlikely to see many, if any, new advanced ransomware families enter the market with the sophistication and mass penetration of Cerber and Locky." Cerber is a ransomware that's known for generating nearly $200,000 per month for cybercriminals.
  • A study from certificate management company Venafi found that 79% of businesses suffered at least one certificate-related outage in 2016. The study also found that 38% suffered more than six outages related to certificates last year, and 64% of respondents said their organizations could not respond to a certificate security incident quickly enough. The rise in IP-enabled IoT devices means there are more certificates on enterprises' networks than ever before, and that contributes to the high number of certificate security incidents, Venafi said. Also contributing to the poor certificate security in organizations, according to the study, is that 65% of them don't centrally manage keys and certificates, and of those that do, 65% rely on their certificate authorities for security. Companies such as Google are already taking steps to improve certificate security by creating their own root certificate authority.
