How to Use Google’s Advanced Protection Program to Secure Your Account from Phishing « Null Byte :: WonderHowTo

It’s easy to have your password stolen. Important people like executives, government workers, journalists, and activists face sophisticated phishing attacks designed to compromise their online accounts, often targeting Google account credentials. To reduce this risk, Google created the Advanced Protection Program, which uses U2F security keys to control account access and make stolen passwords worthless.

The purpose of your password is to authenticate any device requesting access to your online account data, in the hope of keeping out unauthorized users. This only works if you have a strong password and never share, reuse, or accidentally enter that password into the wrong place. Stealing the password for an online account is the most obvious way of breaking in, and those in the business of breaking into accounts have turned this single point of failure into a science.

Phishing & Whaling Mean Passwords Aren’t Enough

Passwords are stolen for many reasons, and those behind phishing attacks have motives that vary significantly in scope.

Criminals will often attack an organization or person for personal financial gain, using the compromised account to steal financial or blackmail data from a business. While this kind of attack is the most obvious, executives and other important people also must worry about an evolution of this attack called “whaling,” where their accounts are targeted because of the user’s influence in a company.

Hijacking social credit and trust is a major concern in whaling attacks, and the success of this tactic has piqued the interest of state-sponsored attackers. Stealing the password of an account owned by an important person in a company has many advantages for criminals.

An attacker who compromises the account of an executive can request changes internally to make the organization as a whole easier to attack, request that payments be made, or target another business the executive works with by sending fake invoices or other documents full of malware.

APTs Are Changing Phishing to a Weapon of War

In 2016, the power of Russian cyberwarfare was unleashed against members of the Democratic National Party. Russian intelligence-linked advanced persistent threat (APT) groups began aggressively spearphishing the accounts of important members of the Clinton election committee. APTs are called persistent because they have the state-backed resources to probe high-priority targets endlessly for vulnerabilities, making their eventual success nearly guaranteed. It only took one mistake for the DNC to be infiltrated by this group.

Advanced Protection from Phishing for Google Accounts

With many organizations using Google products like Drive and Gmail for work, Google credentials are a high-priority target for hackers. To combat this, Google designed a program for those at risk of phishing attacks or interested in preventing them altogether. At the Enigma 2018 conference, Google presented Advanced Protection, their solution to state-sponsored or well-resourced APT attacks targeting Google credentials. Advanced Protection has actually been around since Oct. 2017, but many still aren’t aware this program exists.

Advanced Protection removes the weak link from the kind of two-factor authentication most people are familiar with. SMS messages and push notifications are not a barrier for a skilled attacker attempting to compromise an account, so Google turned to the Universal 2nd Factor (U2F) authentication standard implemented by physical security keys to create a system that is more secure.

Image by Kody/Null Byte

Multi-factor authentication uses a combination of challenges to make sure a device is allowed to access the account. A password represents one of three commonly used factors of authentication: a secret you know. The other factors can include something you are, like a fingerprint or facial scan to unlock a phone, or something you have, like a physical key. A USB security key is used to add an extra layer of security to your account, meaning an attacker would need to physically steal your key in order to get in.

This is critical because even tricking you into using this physical key won’t give an attacker access, since the response the key produces changes each time and is generated in reply to a challenge from the site you are actually signed in to. Simply having your password doesn’t get them anywhere, provided it’s not a password you reuse with any other accounts. While this sounds great, there are some tradeoffs for the security Google’s Advanced Protection gives users unwilling to trust their account data’s security to one password.

The Inconvenience of Security — U2F for Beginners

The most serious tradeoff is the inability to give account access permission to third-party apps, including Apple’s. You’ll need to use Google’s own apps, and the Chrome browser, to access your data or any signed-in services. Make sure you can live with that before turning this feature on. Other types of 2FA can’t be used, so you’ll need to make sure you have a U2F token any time you need to add a new device (or connect via a VPN).

When using U2F physical security tokens, which cost somewhere between $15 and $30, it’s good to think of them as keys. If you only have one and you lose it, you’ll need to go through the hassle of proving your identity to get back in, and it won’t be like just requesting a password reset. You must have at least two in order to enable Advanced Protection, and this is to protect you from yourself.

For Android devices and any other device with a USB port, you can use a Feitian or Yubikey USB security key. These keys are sturdy, and the Yubikey supports other helpful features like secure one-time password generation just by tapping on the gold disk. Additionally, you can quickly use them with Android over NFC, allowing you to authenticate any desktop, laptop, or Android device with NFC.

Setting Up Advanced Protection

It’s important to note that Google Advanced Protection is rolling out for Gmail accounts, but if you try to enroll an organization account (one with a custom domain rather than an @gmail.com domain), you’ll see the following message.

If you’re a Google domain administrator, or you want to talk to yours about adding U2F security keys to protect your organization, you can learn more about enforcing similar protections on Google’s information page.

If you have an individual account and you want to protect it against phishing with Advanced Protection, then make sure you can live with the tradeoffs, and let’s get started!

Step 1: Purchase 2 Universal Two-Factor Security Keys

Navigating to Google’s Advanced Protection setup page, you’ll be greeted with the following message prompting you to purchase at least two U2F keys.

You probably have more than one key to your house, so make sure you have more than one key to access your important data. I recommend the Yubikey NEO from personal experience and from reading reviews about it surviving incidents that destroyed regular keys. It features a USB and NFC interface. Google recommends the Yubico FIDO security key.

If you only use Android, you can purchase a pair of these, or the cheaper $16 Feitian security key. These aren’t as compatible with other services as the Yubikey, but purchasing one as a cheap backup is a good idea.

Image by Kody/Null Byte

If you have an iOS device you’ll need to authenticate, or you want to be able to do so via Bluetooth, you’ll need a Bluetooth security token like the Feitian MultiPass FIDO security key (which Google also recommends). In addition to pairing these via Bluetooth, they can be plugged directly into any device with a USB port via a little micro-USB port on the bottom to charge or authenticate a device with the click of a button.

Step 2: Register Your Security Keys

After selecting “I Have 2 Security Keys” from the Advanced Protection setup page, you’ll need to sign in again to verify your identity (or sign in if you’re not currently logged into Google), and then you’ll be greeted with the registration screen.

To register one of your keys, click the “Add Security Key” button. Click through the first prompt about making sure you have your key but that it’s not connected to your computer yet; then, when you see the next prompt, connect your security key by plugging it into a USB port on your computer.

Tap the gold disk on your USB key or, if you’re connecting a Bluetooth U2F device via USB cable, tap the button on the dongle to register the key. You should see the result in the picture below, inviting you to name your key so you can remember it. Do so and click on “Done.”

The setup menu should now show your registered key. Repeat this process by clicking the second “Add Security Key” link to complete the key registration process with your second key.

Once both of the checkboxes are green, you’re ready to confirm and activate Advanced Protection in the final step, so hit “Continue” and keep going.

Step 3: Activate Advanced Protection

Clicking on “Continue” leads us to the final warning screen before enabling Advanced Protection. Thoroughly read the warning before accepting, because you’ll have to live with these changes.

Once ready, click “Turn On” to proceed. A popup explaining that you will be signed out of all devices will appear. This means that you’ll need to re-authenticate on every device that you aren’t currently using.

After selecting “Turn On” on this last popup, you should see a confirmation screen like the one below.

Some Limitations on Locking Things Down

Even though Google Advanced Protection is designed to give you the most power to protect your account, it still has some quirks. One issue I found was that I was unable to remove a Samsung Galaxy S6 device I was no longer using from being listed as having access to my account. Normally, when you select an entry from your recently used device list, there will be an option to “Remove” said device. In this case, however, there was simply no option to do so.

This raised the issue of being unable to revoke access to a suspicious device if someone were able to briefly use your key to add their own. I reached out to the project manager for Google Advanced Protection to ask about revoking access to devices, and he mentioned that any device that has accessed your account will stay on this list for 28 days, to prevent an account hijacker from covering their tracks.

To revoke access from any device that doesn’t allow you to do so remotely, you can change the password to your Advanced Protected account. The device continuing to appear on your account from that point on is somewhat misleading, but the act of changing your password should lock out all devices and force them to re-authenticate with a U2F token.

Use 2FA Wherever You Can for a Brighter Future

If you’re using a password without a second factor of authentication to secure your accounts, you need to be aware that you are one targeted phishing email away from giving a stranger access to all of your online data. This may not have been the case back when you made your account, but it certainly is now, and it’s time to get out ahead of that reality rather than letting it run you over. Companies big and small are regularly breached by phishing tactics, and good security hygiene is an essential part of bridging the tech divide to avoid being an easy target.

Cover photo and screenshots by Kody/Null Byte
