When companies take advantage of cloud services, they get more secure systems as a result. Many countries, however, have proposed laws requiring that companies keep the data of that country’s users within national borders. This idea, known as “data localization,” purports to keep citizen users safer and out of the hands of spying governments and hackers. The report found that forced data localization actually undermines many of the benefits that come from cloud services:
Cloud services provide much better resiliency and redundancy than local services in the face of disasters of all sizes, from small transformer explosions that affect 30,000 users up to superstorms the size of Thaiphoon Haiyan that can interrupt entire countries. If data has to stay in one place by law, that redundancy is lost.
Security expertise is in short supply and tends to congregate in large organizations and sharing what expertise there is is better for everyone as a whole. E.g. - There are currently over a million unfilled security positions open worldwide and all of the GCHQ-led cybersecurity programs together will graduate just 66 PhD's per year starting in 2017. Small companies that are forced to host their own data will find it hard to compete to hire qualified security engineers.
If policymakers are thinking about the perceived benefits of datalocalization, they should carefully examine this study and take into account the cybersecurity of their country’s enterprises.You can check out the full studies on Leviathan’s blog.
Our Chrome browser previously helped detect what appears to be the same group using SSL certificates to conduct attacks that targeted users within Iran. In this case, the phishing technique we detected is more routine: users receive an email containing a link to a web page that purports to provide a way to perform account maintenance. If the user clicks the link, they see a fake Google sign-in page that will steal their username and password.
Protecting our users’ accounts is one of our top priorities, so we notify targets of state-sponsored attacks and other suspicious activity, and we take other appropriate actions to limit the impact of these attacks on our users. Especially if you are in Iran, we encourage you to take extra steps to protect your account. Watching out for phishing, using a modern browser like Chrome and enabling 2-step verification can make you significantly more secure against these and many other types of attacks. Also, before typing your Google password, always verify that the URL in the address bar of your browser begins with https://accounts.google.com/. If the website's address does not match this text, please don’t enter your Google password.
Malware authors often compromise legitimate sites to deliver content from a malicious attack site or to redirect to an attack site. These attack sites will often deliver "drive-by downloads" to visitors, which launch and run malware programs on their computers without their knowledge. To try to avoid detection, these attack sites adopt several techniques, such as rapidly changing their Internet location with free web hosting services and auto-generated domain names. Although less common than drive-by downloads, we’re also seeing more malware authors bypassing software vulnerabilities altogether and instead employing methods to try to trick users into installing malicious software—for example, fake anti-virus software.
How you can help prevent malware and phishing
Our system is designed to protect users at high volumes, but people still need to take steps to keep their computers safe. Ignoring a malware problem is never a good idea—if one of our warnings pop up, you should never click through to the suspicious site. Webmasters can help protect their visitors by signing up for malware warnings at Google Webmaster Tools. These warnings are free and will help us inform them if we find suspicious code on their sites. Finally, everyone can help make our system better. You can opt-in to send additional data to our team that helps us expand the coverage of Safe Browsing.
Looking forward
Some of our recent work to counter new forms of abuse includes:
It’s a good feeling to know that we’re making the web more secure and directly protecting people from harm—whether they’re our users or not. We continue to invest heavily in the Safe Browsing team so we can defend against current and future security threats.
