Posted by Diana Smetters, Software Engineer

This summer we’re posting regularly with privacy and security tips. Knowing how to stay safe and secure online is important, which is why we created our Good to Know site with advice and tips for safe and savvy Internet use. -Ed.

Strong passwords help protect your accounts and information on the web. But forgetting your password is like losing your keys—you can end up locked out of your own home. It gets worse if your password gets compromised or stolen. Sometimes the thief will change your password so you can't get back into your own account—kind of like someone stealing your keys and then changing the lock.

If you've lost your Google password, you need a way to get back into your Google Account—and back to all of your stuff in Gmail, Maps, Google+ and YouTube. To help you, Google needs to be able to tell that you’re the rightful account owner even if you don't have the right password. There are a few easy steps you can take right now to make it easy for you—and no one else—to get into your Google Account if you forget or don’t know the password.

1. Add a recovery email address. By registering an alternate email address with your Google Account settings, you’re giving Google another way to reach you. If you forget your password, Google can send a link to that recovery email address so you can reset your password. Google can also use that email address to let you know if we detect something suspicious happening with your account.

Setting up your recovery options can help you get back in if you get locked out of your Google Account

2. Add a phone number to your Google Account. Your mobile phone is the best way to regain access to your account if you forget your password. It's like the "fast lane" for account recovery: we text a code to the phone number you've registered with us, and you're back in business in no time. Your phone is more secure and reliable than other means of recovering your account. Methods like “secret” questions (asking your mother’s maiden name or city where you were born) may have answers that are easy to remember, but they are also possible for bad guys to uncover. And we’ve consistently seen that people who register a recovery phone are faster and more successful at getting their accounts back than those recovering their accounts via email.

You can also get a text message if Google detects that something suspicious is going on with your account. Giving a recovery phone number to Google won’t result in you being signed up for marketing lists or getting more calls from telemarketers.

3. Keep your recovery options up to date. It’s a good idea to check your recovery options every so often. For example, if you change your phone number after setting up your recovery options, take just a minute to update your recovery settings to match. We'll remind you of your current settings every so often to make it easier for you to keep them up to date.

That’s it! You can either update your recovery options next time you’re prompted, or you can take two minutes to do it right now on our Account recovery options page. For more advice on how to protect yourself and your family online, visit our Good to Know site, or check out some of the other posts in our series on staying safe and secure.

Posted:


This summer we’re posting regularly with privacy and security tips. Knowing how to stay safe and secure online is important, which is why we created our Good to Know site with advice and tips for safe and savvy Internet use. -Ed.

With summer vacation in full swing, you’re likely out and about, using your smartphone or tablet to get answers on the go or check out the latest cool apps and games. But you don’t have to leave safety at home! In this post, we’re sharing a few tips and tools that you can easily set up if you’re on an Android phone or tablet to keep your device—and the contents inside—safe and secure, including a new service that makes it easy to locate a misplaced device.

1. Lock your device screen. Whether you’re on a phone or a tablet, it’s easy to set up a screen lock. This is important to do in case your device gets left in the back of a car, or you’re worried about someone picking up your phone and scrolling through your stuff. You can lock your device with a pin, password, pattern (or even your face!) by going to Settings > Personal > Security > Screen Lock.


2. Protect your phone from suspicious apps. We automatically scan Google Play to block and remove harmful apps. That makes Google Play the safest place to get Android apps. But Google Play can also help protect you even for apps you get elsewhere, like the web or a third-party app store. The first time you start to install an app from an unknown source, a message will pop up asking if you’d like Google to scan the file to make sure it’s not harmful. Tap “OK” to let Google help protect you from harmful apps.

3. Locate, ring and wipe a misplaced device. Have you ever lost your phone in between the couch cushions or left it in a restaurant? Later this month, you will be able to use a new service called Android Device Manager, which can quickly ring your phone at maximum volume so you can find it (even if it’s been silenced), or locate it on a map in real time. If your phone can’t be recovered, or has been stolen, you can quickly and securely erase all of the data on your device to keep your data from ending up in the wrong hands. The Android Device Manager will be available for devices running Android 2.2 and above, as part of Google Play. You can read the full announcement on the Android blog.


For more advice on how to protect yourself and your family online, visit our Good to Know site, and stay tuned for more posts in our security series.

Posted:


This summer we’re posting regularly with privacy and security tips. Knowing how to stay safe and secure online is important, which is why we created our Good to Know site with advice and tips for safe and savvy Internet use. -Ed.

Summer is here, and with kids out of school it is a great time for families to explore the web together—from learning what makes fireflies glow to playing online games together. But while there is a lot of entertaining, educational content online, there are also materials I’d rather not see when I’m surfing the web with my family. Google has built a number of tools that parents can use to help keep content they would rather not see from popping up on the family computer. It takes less than five minutes to turn them on, so follow the steps below to help make your search results more family-friendly this summer.

1. Turn on SafeSearch in Google Search
Turning on SafeSearch is an easy way to help you hide images, search results and videos intended just for adults. It’s especially helpful if you’re concerned about the content that might pop up on your family computer, and it’s easy to turn on. Just visit the Google Search Settings page, go to the "SafeSearch filters" section, and check the box to filter mature content from Google Search result pages. These preferences will apply for any searches done using that browser on your computer. If you have multiple browsers on your family computer, you might want to turn SafeSearch on for each one.

You can turn SafeSearch on or off from the Search Settings page

2. Save and lock your preferences
Once you’ve set your preferences, make sure to click the Save button at the bottom of the page. And if you're signed in to your Google Account, you can also lock the SafeSearch filter so others can’t change your preferences—just click “Lock SafeSearch.” Now the setting is protected with your Google Account password. While no filter is 100 percent perfect, with SafeSearch on you can feel more confident browsing the web with your family.

3. Turn on YouTube Safety Mode
YouTube Safety Mode helps you and your family avoid videos that might be OK with our Community Guidelines, but you might not want popping up on your family computer. Turning on Safety Mode in YouTube takes just one step. Scroll down to the bottom of any YouTube page and click on the button that says “Safety” at the bottom of the page—now you can choose your preferences for Safety Mode.


Click the button that says “Safety” at the bottom of any YouTube page, and then choose your preferences

4. Lock your Safety Mode preferences
Just like with SafeSearch, you can also log in with your Google Account and lock YouTube Safety Mode on each one of your computer’s browsers. It will filter videos with mature content, so they won’t show up in video search results, related videos, playlists, shows or films. YouTube Safety Mode will also help hide objectionable comments.

5. Turn on SafeSearch on mobile
SafeSearch is available on your phone or other mobile device, as well as the web. You can turn on SafeSearch for Google on your mobile device by opening your phone’s browser and visiting google.com/preferences. Scroll to the SafeSearch Filters section to select what level of filtering you would like to enable. Be sure to tap “Save Preferences” after you’ve made your selection.

To enable SafeSearch on YouTube’s mobile app, first open your settings, then press “Search.” From there, select “SafeSearch Filtering” and select moderate or strict filtering.

Helping your family have a positive and safe experience with Google is important to you, and it’s important to us, too. That’s why we’ve partnered with parents and experts on free and easy to use tools and resources to help your family stay safe and secure when browsing online. If you’re interested in even more of our tools and tips, please see our Good to Know site, and stay tuned for more security tips throughout the summer.

(Cross-posted from the Official Google Blog)

Posted:
 

This post is part of a regular series of privacy and security tips to help you and your family stay safe and secure online. Privacy and security are important topics—they matter to us, and they matter to you. Building on our Good to Know site with advice for safe and savvy Internet use, we hope this information helps you understand the choices and control that you have over your online information. -Ed. 

More than a quarter of Internet users worldwide use WiFi at home to connect to the web, but many aren't sure how to protect their home network, or why it is important to do so. The best way to think of your home WiFi network is to think of it like your front door: you want a strong lock on both to ensure your safety and security. 

When data is in transit over an unsecured WiFi network, the information you’re sending or receiving could be intercepted by someone nearby. Your neighbors might also be able to use the network for their own Internet activities, which might slow down your connection. Securing your network can help keep your information safe when you’re connecting wirelessly, and can also help protect the devices that are connected to your network. 

If you’re interested in improving your home WiFi security, the steps below can help make your home network safer. 

1. Check to see what kind of home WiFi security you already have. Do your friends need to enter a password to get on your network when they visit your house for the first time and ask to use your WiFi? If they don’t, your network isn’t as secure as it could be. Even if they do need to enter a password, there are a few different methods of securing your network, and some are better than others. Check what kind of security you have for your network at home by looking at your WiFi settings. Your network will likely either be unsecured, or secured with WEP, WPA or WPA2. WEP is the oldest wireless security protocol, and it’s pretty weak. WPA is better than WEP, but WPA2 is best. 

2. Change your network security settings to WPA2. Your wireless router is the machine that creates the WiFi network. If you don’t have your home network secured with WPA2, you’ll need to access your router’s settings page to make the change. You can check your router’s user manual to figure out how to access this page, or look for instructions online for your specific router. Any device with a WiFi trademark sold since 2006 is required to support WPA2. If you have a router that was made before then, we suggest upgrading to a new router that does offer WPA2. It’s safer and can be much faster.

3. Create a strong password for your WiFi network. To secure your network with WPA2, you’ll need to create a password. It’s important that you choose a unique password, with a long mix of numbers, letters and symbols so others can’t easily guess it. If you’re in a private space such as your home, it’s OK to write this password down so you can remember it, and keep it somewhere safe so you don’t lose it. You might also need it handy in case your friends come to visit and want to connect to the Internet via your network. Just like you wouldn’t give a stranger a key to your house, you should only give your WiFi password to people you trust. 

4. Secure your router too, so nobody can change your settings. Your router needs its own password, separate from the password you use to secure your network. Routers come without a password, or if they do have one, it’s a simple default password that many online criminals may already know. If you don’t reset your router password, criminals anywhere in the world have an easy way to launch an attack on your network, the data shared on it and the computers connected to your network. For many routers, you can reset the password from the router settings page. Keep this password to yourself, and make it different from the one you use to connect to the WiFi network (as described in step 3). If you make these passwords the same, then anyone who has the password to connect to your network will also be able to change your wireless router settings. 

5. If you need help, look up the instructions. If you’ve misplaced your router’s manual, type the model number of your base station or router into a search engine—in many cases the info is available online. Otherwise, contact the company that manufactured the router or your Internet Service Provider for assistance.

Please check out the video below to learn more about the simple but important steps you can take to improve the security of your Internet browsing.

 

For more advice on how to protect yourself and your family online, visit our Good to Know site, and stay tuned for more posts in our security series.

Posted by Lucas Ballard, Software Engineer

Two of the biggest threats online are malicious software (known as malware) that can take control of your computer, and phishing scams that try to trick you into sharing passwords or other private information.

So in 2006 we started a Safe Browsing program to find and flag suspect websites. This means that when you are surfing the web, we can now warn you when a site is unsafe. We're currently flagging up to 10,000 sites a day--and because we share this technology with other browsers there are about 1 billion users we can help keep safe.

But we're always looking for new ways to protect users' security. So today we're launching a new section on our Transparency Report that will shed more light on the sources of malware and phishing attacks.  You can now learn how many people see Safe Browsing warnings each week, where malicious sites are hosted around the world, how quickly websites become reinfected after their owners clean malware from their sites, and other tidbits we’ve surfaced.



Sharing this information also aligns well with our Transparency Report, which already gives information about government requests for user data, government requests to remove content, and current disruptions to our services.

To learn more, explore the new Safe Browsing information on this page. Webmasters and network administrators can find recommendations for dealing with malware infections, including resources like Google Webmaster Tools and Safe Browsing Alerts for Network Administrators.

Posted:


Cross-posted from the Google Online Security Blog

For almost three weeks, we have detected and disrupted multiple email-based phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users. These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region. The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday.


Our Chrome browser previously helped detect what appears to be the same group using SSL certificates to conduct attacks that targeted users within Iran. In this case, the phishing technique we detected is more routine: users receive an email containing a link to a web page that purports to provide a way to perform account maintenance. If the user clicks the link, they see a fake Google sign-in page that will steal their username and password.

Protecting our users’ accounts is one of our top priorities, so we notify targets of state-sponsored attacks and other suspicious activity, and we take other appropriate actions to limit the impact of these attacks on our users. Especially if you are in Iran, we encourage you to take extra steps to protect your account. Watching out for phishing, using a modern browser like Chrome and enabling 2-step verification can make you significantly more secure against these and many other types of attacks. Also, before typing your Google password, always verify that the URL in the address bar of your browser begins with https://accounts.google.com/. If the website's address does not match this text, please don’t enter your Google password.
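Why the exact form of that address matters, as an added example that is not part of the original post: it compares a prefix check without the trailing slash, the page's prefix with the slash, and a parsed-URL check. The sample URLs are constructed and use the reserved example.net domain; the function names are hypothetical.

```javascript
// Added example, not code from Google or the original post.
// It compares three ways of checking a sign-in URL against the address the
// post tells users to look for: https://accounts.google.com/

const PAGE_PREFIX = "https://accounts.google.com/"; // as written in the post
const SLOPPY_PREFIX = "https://accounts.google.com"; // same text, slash dropped

// Prefix match without the trailing slash: what a hurried reader (or a
// careless filter) effectively does.
function sloppyPrefixCheck(raw) {
  return raw.startsWith(SLOPPY_PREFIX);
}

// Prefix match exactly as the post states it, including the slash.
function pagePrefixCheck(raw) {
  return raw.startsWith(PAGE_PREFIX);
}

// Structured check: parse the URL and compare its components instead of
// comparing characters. Returns { ok, reason }.
function parsedCheck(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme is not https" };
  }
  if (url.username !== "" || url.password !== "") {
    // Text before '@' is userinfo, not the host the browser connects to.
    return { ok: false, reason: "userinfo present before '@'" };
  }
  if (url.hostname !== "accounts.google.com") {
    return { ok: false, reason: "host is " + url.hostname };
  }
  if (url.port !== "") {
    return { ok: false, reason: "non-default port " + url.port };
  }
  return { ok: true, reason: "origin matches" };
}

// Constructed sample URLs (assumptions for illustration only).
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.example.net/ServiceLogin", // extra labels after .com
  "https://accounts.google.com@login.example.net/",       // real host follows '@'
  "http://accounts.google.com/ServiceLogin",              // no TLS
  "https://accounts.google.com:8443/",                    // unexpected port
];

// Run all three checks over a list of URLs and collect the verdicts.
function audit(urls) {
  return urls.map((raw) => {
    const parsed = parsedCheck(raw);
    return {
      url: raw,
      sloppy: sloppyPrefixCheck(raw),
      page: pagePrefixCheck(raw),
      parsed: parsed.ok,
      reason: parsed.reason,
    };
  });
}

for (const row of audit(SAMPLES)) {
  console.log(
    `${row.url}\n  no-slash prefix: ${row.sloppy}  page prefix: ${row.page}` +
      `  parsed: ${row.parsed} (${row.reason})`
  );
}
```

The slash after the host name is what ends the host; without it, the same characters can be followed by more host labels, an `@`, or a port.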


Posted by Jenny Backus, Public Policy Team

Every day in this country, someone’s mother, grandfather, or older neighbor is a victim of identity theft. Whether the identity thieves attack through a confusing telemarketing scam, a misleading piece of mail, or over the Internet, seniors and their families are increasingly at risk of long-term financial and emotional damage that can take years to undo.


In order to address this issue, the Federal Trade Commission and a coalition of public and private partners like the National Consumers League’s Fraud.org are working together to protect seniors from identity theft. Google will also be recognizing Older Americans Month this May by offering tips for seniors to help them stay safe and secure online.


The FTC’s report of 2012 consumer complaint data recently showed that complaints about identity theft from older Americans are increasing at a faster rate than for any other age group. In fact, identity theft complaints from those over 70 increased by almost 70% since 2010, while complaints from 60 to 70 year olds increased by 53% in the same period.  

Google’s Good to Know site is designed to help educate consumers of all ages about online threats and tools they can use to protect themselves, including information on how to protect themselves from identity theft.

Here are five tips from our security experts:

  • Don’t reply if you see a suspicious email, instant message or webpage asking for your personal or financial information. Identity thieves can steal your information and then use it to withdraw money from your bank account.
  • Never enter your password if you’ve arrived at a site by following a link in an email or chat that you don’t trust.
  • If you see a message from someone you know that doesn’t seem like them, their account might have been compromised by a cyber criminal who is trying to get money or information from you. Think before responding!
  • Don’t send your password via email, and don’t share your password with others. Legitimate sites won’t ask you to send them your passwords via email, so don’t respond if you get requests for your passwords to online sites.
  • Report any suspicious emails and scams. Many email providers, including Gmail, provide an easy way for you to report fishy emails and scams, and it can help our teams stop similar mail from being sent to you and others.

Seniors around the country can also learn more by attending or viewing by webcast the FTC’s workshop today on protecting seniors from identity theft. With speakers from some of the most trusted consumer groups, local, state and government leaders, and lead experts on fraud prevention, the FTC workshop will focus on forms of ID theft that are particularly significant for seniors, from the risks that seniors face in nursing homes to the identity theft concerns that arise when they file their taxes or seek government assistance, which is increasingly happening online.

Stopping bad actors who target seniors and preventing the rise of identity theft is a shared mission for all of us. Google is committed to making the Internet safer, and protecting our users of all ages.

Posted by Andreas Tuerk, Product Manager

Not many of us like thinking about death — especially our own. But making plans for what happens after you’re gone is really important for the people you leave behind. So today, we’re launching a new feature that makes it easy to tell Google what you want done with your digital assets when you die or can no longer use your account.

The feature is called Inactive Account Manager — not a great name, we know — and you’ll find it on your Google Account settings page. You can tell us what to do with your Gmail messages and data from several other Google services if your account becomes inactive for any reason.

For example, you can choose to have your data deleted — after three, six, nine or 12 months of inactivity. Or you can select trusted contacts to receive data from some or all of the following services: +1s; Blogger; Contacts and Circles; Drive; Gmail; Google+ Profiles, Pages and Streams; Picasa Web Albums; Google Voice and YouTube. Before our systems take any action, we’ll first warn you by sending a text message to your cellphone and email to the secondary address you’ve provided.

We hope that this new feature will enable you to plan your digital afterlife — in a way that protects your privacy and security — and make life easier for your loved ones after you’re gone.

 

Posted:


(Cross-posted from the Google Chromium Blog)

Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes. That’s why we’ve continued to engage with the security research community to help us find and fix vulnerabilities. Recently, HP’s Zero Day Initiative (ZDI) announced details for the annual Pwn2Own competition, to be held at the CanSecWest security conference taking place March 6-8 in Vancouver, BC. This year we’ve teamed up with ZDI by working together on the Pwn2Own rules and by underwriting a portion of the winnings for all targets. The new rules are designed to enable a contest that significantly improves Internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards.

Today we’re announcing our third Pwnium competition—Pwnium 3. Google Chrome is already featured in the Pwn2Own competition this year, so Pwnium 3 will have a new focus: Chrome OS.

We’ll issue Pwnium 3 rewards for Chrome OS at the following levels, up to a total of $3.14159 million USD:
  • $110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page. 
  • $150,000: compromise with device persistence -- guest to guest with interim reboot, delivered via a web page. 
We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems.

The attack must be demonstrated against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack. For those without access to a physical device, note that the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine.

Standard Pwnium rules apply: the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used. Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete or unreliable exploits.

Pwnium 3 will take place on-site at the CanSecWest conference on March 7.

Posted:


In this post, we've collected some highlights from the past five years of our Safe Browsing efforts, aimed at keeping people safe online. See the Security Blog for the full details and more visuals. -Ed.

Five years ago, we launched Safe Browsing, an initiative designed to keep people safe from malicious content online. Our primary goal was to safeguard Google's search results against malware (software capable of taking control of your computer) and phishing (fraudulent websites that entice users to give up their personal information). We also wanted to help educate webmasters on how to protect their own sites.

Malware and phishing are still big problems online, but our Safe Browsing team has labored continuously to adapt to the rising challenges of new threats. We've also developed an infrastructure that automatically detects harmful content around the globe.

Here’s a look at the highlights from our efforts over the past five years:
  • We protect 600 million users through built-in protection for Chrome, Firefox and Safari, where we show several million security warnings every day to Internet users. When we detect malware or phishing, we trigger a red warning screen that discourages clicking through to the website. Our free and public Safe Browsing API allows other organizations to keep their users safe by using the data we’ve compiled.
  • We find about 9,500 new malicious websites every day and show warnings to protect users. These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing. Our detection techniques are highly accurate—we have had only a handful of false positives.
  • Approximately 12-14 million Google Search queries per day warn users about current malware threats, and we provide malware warnings for about 300 thousand downloads per day through our download protection service for Chrome.
  • We send thousands of notifications daily to webmasters. When webmasters sign up for Webmaster Tools we give them the option to receive warning notices if we find something malicious on their site.
Malware and phishing aren’t completely solvable problems because threats continue to evolve, but our technologies and processes do, too.

Phishing and malware trends
Online commerce sites are still favorite phishing targets because phishers are motivated by money. Some tried-and-true phishing methods are still used, but attacks are also getting more creative and sophisticated. Attacks are faster, with phishers sometimes remaining online for less than an hour to try to avoid detection. They’re also more geographically dispersed and are getting more targeted.


Malware authors often compromise legitimate sites to deliver content from a malicious attack site or to redirect to an attack site. These attack sites will often deliver "drive-by downloads" to visitors, which launch and run malware programs on their computers without their knowledge. To try to avoid detection, these attack sites adopt several techniques, such as rapidly changing their Internet location with free web hosting services and auto-generated domain names. Although less common than drive-by downloads, we’re also seeing more malware authors bypassing software vulnerabilities altogether and instead employing methods to try to trick users into installing malicious software—for example, fake anti-virus software.

How you can help prevent malware and phishing
Our system is designed to protect users at high volumes, but people still need to take steps to keep their computers safe. Ignoring a malware problem is never a good idea—if one of our warnings pops up, you should never click through to the suspicious site. Webmasters can help protect their visitors by signing up for malware warnings at Google Webmaster Tools. These warnings are free and will help us inform them if we find suspicious code on their sites. Finally, everyone can help make our system better. You can opt in to send additional data to our team that helps us expand the coverage of Safe Browsing.


Looking forward
Some of our recent work to counter new forms of abuse includes:
It’s a good feeling to know that we’re making the web more secure and directly protecting people from harm—whether they’re our users or not. We continue to invest heavily in the Safe Browsing team so we can defend against current and future security threats.

(Cross-posted on the Official Google Blog)

Posted:


As more of our life happens online, Internet skills are crucial to living responsibly. So what are the skills needed to navigate today’s Internet society? To answer this question and help adapt to digital society, parents and educators are working together to find new ways to teach themselves, their families, and their communities about important topics like identity protection, online security, and digital citizenship.

Today, on Safer Internet Day, we are proud to partner with Common Sense Media, ConnectSafely and the National Consumers League on launching a new digital literacy portal called ThinkB4U. ThinkB4U combines “choose-your-own-adventure” style videos with expert advice from leading online safety NGOs and the Federal Trade Commission’s OnGuard Online resources.

ThinkB4U is just one example of how seriously we take the challenge of increasing safety on the web. Here are a few examples of Google’s involvement across the globe, along with inspiring efforts from our partners, NGOs, government stakeholders, and researchers from Asia-Pacific to Europe:

Awareness Campaigns
  • Australia: The Google Australia team is raising awareness of Google and YouTube safety tools by placing advertisements in newspapers and online.
  • Russia: In collaboration with Net Literacy we are meeting with over 200 Russian journalism students to engage them in a broader discussion on digital literacy, and what they can personally do in their schools and local communities. Additionally, we are hosting a series of international expert panels at the Safer Internet Forum.
Research and Technical Solutions
  • UK: We are funding research by Young and Well Cooperative Research Centre (YAW-CRC) on how parents can practice online safety (part 1 and part 2).
  • France: We are supporting great work by e-Enfance on the Net Ecoute Chrome extension, which allows for quick access to online discussions with a helpline counselor.
  • Italy: Italian child advocacy organization Telefono Azzurro has decided to share a Google Search Appliance that we had previously donated with all of the members of Missing Children Europe (MCE)—the federation of national NGOs responsible for the European 116.000 phone hotline. We hope the use of our GSA will help streamline processes among the members of MCE in combating child exploitation and recovering missing children throughout Europe.
Events
  • Israel: Following our successful launch of the Web-Rangers program, Israel’s Ministry of Education has invited these talented online safety ambassadors to present their projects all across Israel and on YouTube.
  • Hong Kong: We are working with Weborganic, an organization tasked by the government to bridge the digital divide in schools, on an online safety exhibition for participating students and teachers.
  • Indonesia: We are organizing a series of trainings for NGOs, youth and community leaders, educators, and officials in the Ministry of Communications.
  • Germany: Wieland Holfelder, Google Engineering Director, is keynoting a session on safe Internet use at the Safer Internet Event in Germany, organized by Bitkom and the Ministry of Consumer Protection (BMELV).
  • Portugal: We’re launching the Google Family Safety Center in Portugal with an event in Lisbon, chaired by the President of the National Commission for Children's Protection and Young at Risk, Mr. Armando Leandro.
There is still much to be done to achieve high levels of digital literacy for everyone. We hope that these projects and events will boost advocacy for online safety education, the importance of which is invaluable in a deeply connected world.

Check out the EU Public Policy Blog for more Safer Internet Day information!

Posted:


We are strong believers in the importance of abuse reporting tools that identify harmful and illegal content online. That’s why we are proud to say we recently helped The National Center for Missing & Exploited Children (NCMEC) launch a newly redesigned CyberTipline — the national reporting mechanism for cases of child sexual exploitation — to better protect all Internet users.

NCMEC receives a staggering amount of information. Since the CyberTipline’s inception over a decade ago, it has handled more than 1.25 million reports of child sexual exploitation. The National Center is at the forefront of efforts to protect society’s most vulnerable individuals by providing tools and resources for reporting abuse and working with law enforcement on child sexual exploitation investigations.

We are proud to have assisted NCMEC in building a more user-friendly and seamless reporting system for both the public and electronic service providers. In the spirit of our continued partnership with NCMEC, we hope that these improvements will help to better facilitate CyberTipline reporting and encourage more Internet users to join the fight against child sexual exploitation.

More details about the new CyberTipline are available on the NCMEC website here.

Posted:


(Cross-posted from the Official Google Blog)

The Internet brings remarkable benefits to society. Unfortunately, some people use it for harm and their own gain at the expense of others. We believe in the power of the web and information, and we work every day to detect potential abuse of our services and ward off attacks.

As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or “malware.” As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results:

This particular malware causes infected computers to send traffic to Google through a small number of intermediary servers called “proxies.” We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.

We hope to use the knowledge we’ve gathered to assist as many people as possible. In case our notice doesn’t reach everyone directly, you can run a system scan on your computer yourself by following the steps in our Help Center article.

Updated July 20, 2011: We've seen a few common questions we thought we'd address here:

  • The malware appears to have gotten onto users' computers from one of roughly a hundred variants of fake antivirus, or "fake AV" software that has been in circulation for a while. We aren't aware of a common name for the malware.
  • We believe a couple million machines are affected by this malware.
  • We've heard from a number of you that you're thinking about the potential for an attacker to copy our notice and attempt to point users to a dangerous site instead. It's a good security practice to be cautious about the links you click, so the spirit of those comments is spot-on. We thought about this, too, which is why the notice appears only at the top of our search results page. Falsifying the message on this page would require prior compromise of that computer, so the notice is not a risk to additional users.
  • In the meantime, we've been able to successfully warn hundreds of thousands of users that their computer is infected. These are people who otherwise may never have known.

Posted:


From encrypted search to security alerts in Gmail, we’re always looking at new ways to make your online experience more secure.

Building on that tradition, starting today we’re offering an advanced sign-in security feature for Google Accounts called 2-step verification.

Most of us are familiar with 1-step verification, which requires a username and password to sign in. 2-step verification adds an extra layer of security to your Google Account by requiring two factors for authentication: your username and password, plus a unique code generated by your mobile phone.

It's an extra step, but it's one that significantly improves the security of your Google Account. Now, if someone steals or guesses your password, the potential hijacker still can’t sign in to your account because he doesn’t have your phone.

We first rolled out 2-step verification for our Google Apps customers last year, and now we’re excited to bring the same advanced protection to all our users. To learn how to set up 2-step verification on your account, check out the Official Google Blog.

Posted:


We’re always developing new ways to make your online experience more secure. For example, earlier this year we worked through several technical obstacles to become the only major webmail provider to offer session-wide SSL encryption by default.

Even with the protection that SSL provides, users may become exposed to phishing and malware attacks elsewhere on the web that attempt to steal and misuse their personal information. To help address this problem, we’re rolling out a notification system for suspicious account activity associated with your Gmail account — notifications that will provide you with greater control by helping to identify potential security issues.

You can learn more about how this alert works and how you can better manage the activity on your account on the Official Gmail Blog.


Posted:


(Cross-posted from the Google Online Security Blog)

A group of privacy and security experts sent a letter today urging Google to strengthen its leadership role in web application security, and we wanted to offer some of our thoughts on the subject.

We've long advocated for — and demonstrated — a focus on strong security in web applications. We run our own business on Google Apps, and we strive to provide a high level of security to our users. We currently let people access a number of our applications — including Gmail, Google Docs, and Google Calendar, among others — via HTTPS, a protocol that establishes a secure connection between your browser and our servers.

Let's take a closer look at how this works in the case of Gmail. We know that tens of millions of Gmail users rely on it to manage their lives every day, and we have offered HTTPS access as an option in Gmail from the day we launched.
If you choose to use HTTPS in Gmail, our systems are designed to maintain it throughout the email session — not just at login — so everything you do can be passed through a more secure connection. Last summer we made it even easier by letting Gmail users opt in to always use HTTPS every time they log in (no need to type or bookmark the "https").

Free, always-on HTTPS is pretty unusual in the email business, particularly for a free email service, but we see it as another way to make the web safer and more useful. It's something we'd like to see all major webmail services provide.

In fact, we're currently looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.

We know HTTPS is a good experience for many power users who've already turned it on as their default setting. And in this case, the additional cost of offering HTTPS isn't holding us back. But we want to more completely understand the impact on people's experience, analyze the data, and make sure there are no negative effects. Ideally we'd like this to be on by default for all connections, and we're investigating the trade-offs, since there are some downsides to HTTPS — in some cases it makes certain actions slower.

We're planning a trial in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their email. Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS?

Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users. We're also considering how to make this work best for other apps including Google Docs and Google Calendar (we offer free HTTPS for those apps as well).

Stay tuned, but we wanted to share our thinking on this, and to let you know we're always looking at ways to make the web more secure and more useful.

Update @ 1:00pm: We've had some more time to go through the report. There's a factual inaccuracy we wanted to point out: a cookie from Docs or Calendar doesn't give access to a Gmail session. The master authentication cookie is always sent over HTTPS — whether or not the user specified HTTPS-only for their Gmail account. But we can all agree on the benefits of HTTPS, and we're glad that the report recognizes our leadership role in this area. As the report itself points out, "Users of Microsoft Hotmail, Yahoo Mail, Facebook and MySpace are also vulnerable to [data theft and account hijacking]. Worst of all — these firms do not offer their customers any form of protection. Google at least offers its tech savvy customers a strong degree of protection from snooping attacks." We take security very seriously, and we're proud of our record of providing security for free web apps.
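
The difference between HTTPS at login only and HTTPS for the whole session, and the point that an authentication cookie should only ever travel over HTTPS, can be checked from a site's `Set-Cookie` headers. This is an added example, not code from Google or the original post; the cookie names, header values and helper names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie values (not real Google cookies). The first site
# protects only its login page; the second marks its session cookie Secure
# so the browser never attaches it to an unencrypted request.
LOGIN_ONLY = [
    "SESSION=abc123; Path=/; HttpOnly",
    "PREFS=lang-en; Path=/",
]
SESSION_WIDE = [
    "SESSION=abc123; Path=/; Secure; HttpOnly",
    "PREFS=lang-en; Path=/",
]


def parse_set_cookie(header):
    """Return (name, morsel) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return name, morsel


def sent_over_plain_http(set_cookie_headers):
    """Names of cookies a browser would attach to an http:// request."""
    exposed = []
    for header in set_cookie_headers:
        name, morsel = parse_set_cookie(header)
        # A cookie without the Secure attribute is sent on any scheme,
        # so a network eavesdropper can read it from an http:// request.
        if not morsel["secure"]:
            exposed.append(name)
    return exposed


def audit(set_cookie_headers, auth_cookie_names):
    """Authentication cookies that can leak on an unencrypted request."""
    exposed = set(sent_over_plain_http(set_cookie_headers))
    return sorted(exposed & set(auth_cookie_names))


if __name__ == "__main__":
    for label, headers in (("login-only", LOGIN_ONLY), ("session-wide", SESSION_WIDE)):
        print(label, "exposed auth cookies:", audit(headers, ["SESSION"]))
```

A non-empty result from `audit` means the session can be hijacked by anyone who observes a single plain-HTTP request, even if the password itself was submitted over HTTPS.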