Google has announced it is distributing free physical security keys to more than 10,000 journalists, human rights activists, and other individuals at high risk of being targeted by nation-state-backed hackers.
The tech giant has partnered with several human rights and pro-democracy organizations to distribute the keys to at-risk individuals under its Advanced Protection Program (APP).
By providing an additional authentication layer when users sign in to online accounts, the keys help to thwart malicious attempts to surveil victims and access their personal data.
Securing elections
Among other avenues, Google is distributing its Titan Security Keys and educational materials via training courses delivered by the International Foundation for Electoral Systems (IFES), which provides support for elections in new and emerging democracies.
In February 2020, Google announced a collaboration with Defending Digital Campaigns – which helps to defend political parties and campaigns against cyber-attacks – in order to distribute hardware keys to more than 180 federal political campaigns in the US.
Google plans to complete bipartisan cybersecurity training in all 50 US states by the time of the 2022 midterm elections.
UN chapters and organizations worldwide that support at-risk female journalists, activists, politicians, and business executives are also receiving consultations and online security workshops from the company.
“We’re excited to be working with these leading organizations to protect high risk user groups and learn more about the needs of at-risk users and organizations,” says Google.
“These collaborations help us make the world’s most advanced security even stronger, more inclusive and easier to use – helping everyone stay safer with Google.”
Heightened security
APP bolsters security protections beyond the defenses built into Google services such as Gmail and Google Drive, for instance by scanning downloads for malware more stringently.
Only Google apps and verified third-party apps are permitted to access Google account data such as contacts, location, calendar or Drive files.
Google recommends enrolling a phone-based key as a primary authentication mechanism, together with a FIDO-compliant physical key (USB-, Bluetooth- or NFC-based) as a backup.
While anyone can enrol with APP, it has been “specifically designed for individuals and organizations at higher risk of targeted online attacks, such as elected officials, political campaigns, human rights activists and journalists”, said Google in a blog post.
No silver bullet
Ilia Kolochenko, founder of web security firm ImmuniWeb, hailed Google’s announcement, saying it should “inspire other IT giants” to provide similar support to vulnerable groups.
But the initiative is no silver bullet, he warned, given sophisticated threat actors can still bypass two-factor authentication (2FA), leaving unencrypted data vulnerable.
“Moreover, the data oftentimes resides in several locations, for example, journalists frequently receive valuable reports and hints from whistleblowers who will now likely become the new target of cybercriminals,” he added.
The scheme would also be helpless to protect users living under authoritarian regimes if refusal to unlock their devices landed them in jail, said Kolochenko.
“Nonetheless,” he added, “the ongoing efforts undertaken by Google are certainly better than non-feasance and will definitely prevent some cyber-attacks.”
Source: https://portswigger.net/daily-swig/google-distributing-10-000-security-keys-to-journalists-elected-officials-human-rights-activists