Lessons learned while PROTECTING GMAIL
Elie Bursztein, Nicolas Lidzborski, & Vijay Eranti
THE GMAIL SECURITY AND ANTI-ABUSE TEAM
2004 to 2016
LESSONS WE'VE LEARNED WHILE protecting Gmail users for over a decade
5 MAIN THREATS TO GMAIL
Malware
Account Hijacking
Phishing
Web Attacks (XSS)
Spam
900 MILLION+ USERS, hundreds of billions of messages per week
We launched login challenges in 2011
NEVER STOP IMPROVING YOUR DEFENSES
Phishers updated their kits to ask for the challenge answers
http://goo.gl/xMctOL
THERE IS NO SILVER BULLET
99.9% accuracy detecting spammy email*
91.7% large linear ML classifier
+4.7% rule-based system
+3.5% deep learning
? next gen
* incremental coverage measurement
http://goo.gl/0jgK96
TUNE YOUR CLASSIFIER to match your product need
False Negative (spam classified as good): less than 0.1%
False Positive (good classified as spam): less than 0.05%
https://goo.gl/0jgK96
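How a false-positive budget like the one above turns into a concrete operating point, as an added example in Python (not code from the talk or from Gmail): given classifier scores and ground-truth labels, pick the most aggressive threshold whose false-positive rate stays under the product target and report the false-negative rate that choice costs. The scores generated in demo() are constructed, and the targets passed in are assumptions for the example.

```python
"""Choosing a spam classifier's operating point from product targets.

Added example, not code from the Gmail talk. Given per-message scores from
a classifier and ground-truth labels, pick the lowest score threshold whose
false-positive rate (good mail classified as spam) stays under the target,
then report the false-negative rate (spam classified as good) that results.
The dataset generated in demo() is constructed and deliberately noisy.
"""
import random


def confusion(scores, labels, threshold):
    """Counts at a threshold where score >= threshold means 'spam'.

    Returns (false_positives, false_negatives, n_good, n_spam)."""
    fp = fn = n_good = n_spam = 0
    for score, is_spam in zip(scores, labels):
        if is_spam:
            n_spam += 1
            if score < threshold:
                fn += 1          # spam let through to the inbox
        else:
            n_good += 1
            if score >= threshold:
                fp += 1          # good mail sent to the spam folder
    return fp, fn, n_good, n_spam


def rates(scores, labels, threshold):
    """(false_positive_rate, false_negative_rate) at a threshold."""
    fp, fn, n_good, n_spam = confusion(scores, labels, threshold)
    return fp / n_good, fn / n_spam


def choose_threshold(scores, labels, max_fpr):
    """Lowest threshold (catches the most spam) whose FPR is <= max_fpr.

    Candidates are the distinct observed scores in ascending order, plus a
    value above every score so that 'flag nothing' always qualifies."""
    candidates = sorted(set(scores)) + [max(scores) + 1.0]
    for threshold in candidates:
        fpr, fnr = rates(scores, labels, threshold)
        if fpr <= max_fpr:
            return threshold, fpr, fnr
    raise AssertionError("unreachable: the last candidate has FPR 0")


def demo(n_good=20000, n_spam=20000, max_fpr=0.0005, seed=7):
    """Constructed scores: good mail clusters low, spam clusters high, with a
    small tail of good mail that looks spammy (the expensive mistakes)."""
    rng = random.Random(seed)
    good = [min(1.0, max(0.0, rng.gauss(0.2, 0.12))) for _ in range(n_good)]
    spam = [min(1.0, max(0.0, rng.gauss(0.8, 0.15))) for _ in range(n_spam)]
    scores = good + spam
    labels = [False] * n_good + [True] * n_spam
    threshold, fpr, fnr = choose_threshold(scores, labels, max_fpr)
    return {"threshold": threshold, "fpr": fpr, "fnr": fnr}


if __name__ == "__main__":
    result = demo()
    print(f"threshold={result['threshold']:.3f} "
          f"FPR={result['fpr']:.4%} FNR={result['fnr']:.4%}")
```

The point of the sweep is that the threshold is a product decision, not a model property: the same scores give a different threshold for a 0.05% budget than for a 1% one, and the false-negative rate is whatever is left over once the budget is spent.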
IMPLEMENT CATCH-UP MECHANISMS
EMPOWER USERS to take action through meaningful UI
https://goo.gl/gqk6Bn & https://goo.gl/sL5VWC
USE OVERWHELMING FORCE: deploy many countermeasures at once
EMAIL ATTACHMENT
ATTACKS COME IN BURSTS: plan for it
DON'T PROCESS TWICE
Whitelisting and blacklisting allow up to 50% reduction in computation
Attachment defense layer: Caching
BE SECURE BY DESIGN
Gmail does not allow executable attachments (EXE)
Attachment defense layers: Caching, Policy
USE ENSEMBLE LEARNING: multiple anti-viruses are combined
[Chart: F1 score (0.6 to 1.0) against number of anti-virus engines (2 to 14). Series: Union, Majority Voting, Threshold = 3, Threshold = 5, Logit_wo_family, RF_wo_family, Bayes_wo_family, Logit_with_family, RF_with_family, Bayes_with_family]
Attachment defense layers: Caching, Policy, Multiple Engines
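The three simplest combiners from the chart (union, majority voting, fixed threshold) compared by F1 on a small constructed verdict matrix, as an added Python example that is not the Gmail pipeline's code. The seven engines, the eleven attachments and their ground truth are made up to show the trade-off; the learned combiners (logit, random forest, Bayes) from the chart are not modelled here.

```python
"""Combining verdicts from several anti-virus engines.

Added example, not the Gmail pipeline's code. Each engine answers True
(malicious) or False (clean) for an attachment; three ways to merge the
answers are compared by F1 score against constructed ground truth. The
verdicts below are made up: the union catches the most but inherits every
engine's false positives, majority voting is conservative, and a fixed
threshold sits in between.
"""


def union(verdicts):
    """Flag if any engine flags (highest recall, most false positives)."""
    return any(verdicts)


def majority(verdicts):
    """Flag if more than half of the engines flag."""
    return 2 * sum(verdicts) > len(verdicts)


def at_least(k):
    """Flag if at least k engines flag ('Threshold = k' on the chart)."""
    def combine(verdicts):
        return sum(verdicts) >= k
    combine.__name__ = f"at_least_{k}"
    return combine


def f1(predictions, truth):
    """F1 = 2TP / (2TP + FP + FN); 0.0 when nothing is detected."""
    tp = sum(1 for p, t in zip(predictions, truth) if p and t)
    fp = sum(1 for p, t in zip(predictions, truth) if p and not t)
    fn = sum(1 for p, t in zip(predictions, truth) if t and not p)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0


def evaluate(samples, combiner):
    """F1 of a combiner over (verdicts, is_malicious) pairs."""
    predictions = [combiner(verdicts) for verdicts, _ in samples]
    truth = [is_malicious for _, is_malicious in samples]
    return f1(predictions, truth)


def rank(samples, combiners):
    """Combiners sorted best-first by F1, as (name, f1) tuples."""
    scored = [(c.__name__, evaluate(samples, c)) for c in combiners]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed: 7 engines, 11 attachments. Engines 1-3 are 'noisy' and
# sometimes agree on a clean file; one malicious file evades every engine
# (the case the deck leaves to dynamic execution).
SAMPLES = [
    ((1, 1, 1, 1, 1, 1, 1), True),
    ((1, 1, 1, 1, 0, 0, 0), True),
    ((1, 1, 1, 0, 0, 0, 0), True),
    ((1, 0, 0, 0, 0, 0, 0), True),
    ((0, 0, 0, 0, 0, 0, 0), True),   # missed by all engines
    ((0, 0, 0, 0, 0, 0, 0), False),
    ((1, 0, 0, 0, 0, 0, 0), False),
    ((1, 1, 0, 0, 0, 0, 0), False),
    ((1, 1, 1, 0, 0, 0, 0), False),  # three noisy engines agree
    ((0, 0, 0, 0, 0, 0, 0), False),
    ((1, 0, 0, 0, 0, 0, 0), False),
]

COMBINERS = [union, majority, at_least(2), at_least(3)]

if __name__ == "__main__":
    for name, score in rank(SAMPLES, COMBINERS):
        print(f"{name:12s} F1={score:.3f}")
```

On this constructed set the threshold of three engines wins (F1 2/3), the union is next (8/13), and majority voting is last (4/7) because it needs four of seven engines and misses the moderately detected samples; which combiner wins on real traffic depends on how correlated the engines' mistakes are, which is exactly what the chart measures.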
USE DYNAMIC EXECUTION to catch undetected malware (very rare)
Attachment defense layers: Caching, Policy, Multiple Engines, Dynamic Execution
IMPLEMENT EMERGENCY BLOCKING SYSTEMS
Unpredictable attacks and bugs happen. Get as ready as possible for them.
Attachment defense layers: Caching, Policy, Multiple Engines, Dynamic Execution, Fast Rules
ENCRYPT EVERYTHING in transit and at rest
OUTBOUND: 82% of messages from Gmail to other providers are encrypted*
INBOUND: 62% of messages from other providers to Gmail are encrypted*
* Gmail always tries to encrypt email communication. Encryption failures are due to other providers not supporting encryption.
https://goo.gl/iv2tIa
Closure Templates strict autoescaping vs. manual and unsafe escaping
https://goo.gl/1tLf3w
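What "strict autoescaping" buys over manual escaping, shown with an added Python example that is not Closure Templates and not Gmail code: a tiny renderer picks the escaper from the context each value lands in (HTML text, attribute, URL attribute, JavaScript string), so the developer cannot pick the wrong one or forget; render_unsafe() is the manual alternative with the escaping forgotten. The {context:name} placeholder syntax, the template, the safe-scheme list and the "about:invalid" replacement are all assumptions made for this example.

```python
"""Contextual autoescaping versus manual escaping.

Added example, not Closure Templates and not Gmail code. A tiny template
renderer chooses the escaper from the context each value lands in, written
as {context:name} placeholders: HTML text, HTML attribute, URL attribute, or
a JavaScript string literal inside a script block. render_unsafe() shows the
manual alternative where the developer forgot to escape. Template, values
and the safe-scheme list are constructed for this example.
"""
import html
import json
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto"}
PLACEHOLDER = re.compile(r"\{(html|attr|url|js):(\w+)\}")


def esc_html(value):
    """HTML text and quoted attribute contexts: escape <, >, &, \", '."""
    return html.escape(str(value), quote=True)


def esc_url(value):
    """URL attribute context: allow only safe schemes, then attribute-escape.

    Tabs and newlines are dropped first because browsers ignore them inside
    a scheme, so a split-up 'javascript:' must not slip past the check."""
    cleaned = "".join(ch for ch in str(value) if ch not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "about:invalid"          # placeholder chosen for this example
    return html.escape(cleaned, quote=True)


def esc_js(value):
    """JavaScript string literal inside <script>: JSON-encode, then break
    any '</' so the literal cannot close the script element early."""
    return json.dumps(str(value)).replace("</", "<\\/")


ESCAPERS = {"html": esc_html, "attr": esc_html, "url": esc_url, "js": esc_js}


def render(template, **values):
    """Autoescaping: the placeholder's context picks the escaper."""
    return PLACEHOLDER.sub(
        lambda m: ESCAPERS[m.group(1)](values[m.group(2)]), template)


def render_unsafe(template, **values):
    """Manual escaping left to the caller, who forgot: raw substitution."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(2)]), template)


TEMPLATE = ('<a href="{url:link}" title="{attr:title}">{html:subject}</a>'
            '<script>var subject = {js:subject};</script>')

# Constructed untrusted input in the shape of the payload shown on the slide.
UNTRUSTED = {
    "link": "javascript:alert(1)",
    "title": '" onmouseover="alert(1)',
    "subject": '<img src=x onerror=alert(1)>',
}

if __name__ == "__main__":
    print("autoescaped:", render(TEMPLATE, **UNTRUSTED))
    print("unsafe:     ", render_unsafe(TEMPLATE, **UNTRUSTED))
```

The design choice worth copying is that the context is part of the template, not of the call site: a reviewer can see from the placeholder alone which escaper applies, and a value that moves from a text node into an href is re-escaped correctly without anyone touching the code that produced it.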
BE METRICS DRIVEN
[Chart: number of exploitable XSS affecting Gmail webmail fixed per quarter (Q1 to Q4), 2008 to 2015; y-axis 0 to 5]
PREVENT BUGS THROUGH GOOD SOFTWARE DESIGN
CSP blocks a lot of bad stuff; CSP helped us identify potential XSS
CSP violations for Google Inbox just before launch
[Pie chart of violations by directive: script-src and frame-src (45.7% / 54.3%)]
Smart labels potential XSS: `<! <img src="><img src=x onerror=alert(1)// ">`
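How CSP reports turn into the kind of finding above, as an added Python example (not Google's tooling): browsers POST a JSON "csp-report" document to the policy's report endpoint, and this script groups such reports by violated directive, as the pie chart does, and flags the script-src ones that point at inline code or an unknown host for human review. The five reports, the allow-listed hosts and the document URIs are constructed.

```python
"""Triaging CSP violation reports to spot potential XSS.

Added example, not Google's tooling. When a browser blocks something a
Content-Security-Policy forbids, it can POST a JSON 'csp-report' document
to the policy's report endpoint. This groups such reports by violated
directive (the split the slide's pie chart shows) and flags script-src
violations that look like injected content rather than a forgotten
third-party include. The reports and the allow-list are constructed.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Hosts the (constructed) policy legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"mail.example.com", "static.example.com"}

# Constructed reports in the shape browsers send to report-uri endpoints.
REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://mail.example.com/inbox",
        "violated-directive": "script-src",
        "blocked-uri": "inline",
        "script-sample": "alert(1)"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://mail.example.com/inbox",
        "violated-directive": "frame-src",
        "blocked-uri": "https://ads.example.net/frame"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://mail.example.com/settings",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://static.example.com/app.js?v=2"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://mail.example.com/inbox",
        "violated-directive": "script-src",
        "blocked-uri": "https://cdn.unknown-host.test/w.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://mail.example.com/inbox",
        "violated-directive": "style-src",
        "blocked-uri": "inline"}}),
]


def parse_report(raw):
    """Normalise one report. Older browsers append the source list to the
    directive name ("script-src 'self'"), so keep only the first token."""
    body = json.loads(raw)["csp-report"]
    tokens = (body.get("violated-directive") or "").split()
    return {
        "document": body.get("document-uri", ""),
        "directive": tokens[0] if tokens else "unknown",
        "blocked": body.get("blocked-uri", ""),
        "sample": body.get("script-sample", ""),
    }


def looks_like_xss(report):
    """script-src violations from inline code, eval, or an unknown host are
    the ones worth a human look; everything else is a policy gap."""
    if not report["directive"].startswith("script-src"):
        return False
    if report["blocked"] in ("inline", "eval"):
        return True
    host = urlsplit(report["blocked"]).hostname
    return host is not None and host not in ALLOWED_SCRIPT_HOSTS


def triage(raw_reports):
    """Return (share of reports per directive, list of suspicious reports)."""
    parsed = [parse_report(r) for r in raw_reports]
    counts = Counter(r["directive"] for r in parsed)
    share = {d: n / len(parsed) for d, n in counts.items()}
    suspicious = [r for r in parsed if looks_like_xss(r)]
    return share, suspicious


if __name__ == "__main__":
    share, suspicious = triage(REPORTS)
    for directive, fraction in sorted(share.items()):
        print(f"{directive:12s} {fraction:6.1%}")
    for r in suspicious:
        print("review:", r["document"], r["directive"], r["blocked"], r["sample"])
```

A real report stream also carries browser-extension noise and reports from users' proxies, so the directive split is the first cut and the allow-list check the second; the script-sample field, where the browser provides it, is what lets a reviewer tell an injected event handler from a legitimate inline script that the policy simply forgot.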
IMPLEMENT DEFENSE IN DEPTH
CSP
Linear Classifiers
Deep Learning
Security audits
Encryption
Static Analyzers
DDOS prevention
Antivirus
Dynamic Execution
Fuzzing
Auto-escaping
PAY FOR BUGS: it's worth it
[Chart: number of bugs (0 to 50) and amount awarded ($0 to $25000) per year, 2010 to 2015]
KEY CHALLENGES IN 2016
Dynamic rendering: CSS, JavaScript, e.g. media queries
Hacked sites: good sites used in phishing attacks
Email security standards: yet to be fully adopted
Advanced phishing attacks, e.g. spear phishing
KEY TAKEAWAYS
Combine detection technologies in each layer: there is no silver bullet, so diversification is key to lasting security.
Defense in depth: add multiple layers of security because sooner or later an attacker will break one.
Have a strong team that keeps running: it takes all your efforts to keep the product clean. No rest for the brave.
Thank you!