What we can learn from Google’s fight with phishing

Source: https://schd.ws/hosted_files/bsidessf2018/19/Bsides%20SF%202018%20-%20You%20want%20to%20step%20outside_%20What%20we%20can%20learn%20from%20Google%E2%80%99s%20fight%20with%20phishing%20-%20Neal%20Mueller.pdf


Protecting resources behind an authenticating proxy

Today, we’re putting our core web services behind the protections provided by U2F and Google’s account takeover and anomaly detection systems. This provides not only phishing resistance through the authentication proxy, but also authorization through IAM roles assigned to the user’s Google account.


  • Google account
  • U2F Yubikey enrolled and enforced for the users/groups that will be accessing the application.
  • An hour or so.
  • A global cloud that has been operating at billions of rps for decades. (Beyond the scope of this article.)


Targeted Attacks Against Corporate Inboxes – a Gmail Perspective RSA …

Millions of companies entrust Gmail to handle their emails. In this RSA 2017 talk, we will discuss the nuances surrounding company-specific attacks and highlight the defenses we put in place to counter those threats. The insights shared will inform those looking to tackle the complex security challenges posed by email within their own organizations.

Source: https://www.slideshare.net/elie-bursztein/targeted-attacks-against-corporate-inboxes-a-gmail-perspective-rsa-2017