How security engineers at Google have been protecting politicians during election season

  • In the past few years there’s been a rise in targeted hijacking toward the online accounts of politicians and other high-profile figures.
  • In response Google launched its Advanced Protection Program last October and works with politicians and campaigns to protect them from spear phishing, or when hijackers attack a specific person or organisation.
  • Guemmy Kim, a product manager on Google’s Account Security Team, also offers tips for people to secure their accounts.

Two years ago, hackers aligned with the interests of the Russian government created chaos within Hillary Clinton’s election campaign when they hacked and stole the emails of Clinton campaign chairman John Podesta.

Attacks like that aren’t going to stop anytime soon. In the past few years, the public has seen an increase in targeted hijacking – usually toward politicians, activists, business leaders, cryptocurrency users, and journalists. So last October, Google launched the Advanced Protection Program to protect these people who are most at risk.

The program, which Google offers to users free, is the highest form of personal-account security the company offers. This managed security program deals with phishing, malware, hijacking, and cryptographic techniques.

Guemmy Kim, product manager of Google’s Account Security Team, told Business Insider about some of the recent trends her team has encountered in the months leading up Tuesday’s US midterm elections, and shared her advice for staying safe.

Politically motivated “hijackers” will often ramp up attacks agains politicians and their campaign staffers in the months leading up to a big election such as Tuesday’s, Kim said. But, she noted, there are many misconceptions of what kind of people hijackers are.

“There’s this notion of a hijacker being some guy in a dark room typing at night,” Kim said. “Hijacking activities actually follow a regular schedule. These are sophisticated hackers targeting politicians.”

Read more: Google drops out of contention for a $US10 billion defence contract because it could conflict with its corporate values

That’s important to know because these hackers usually target politicians during business hours, when it’s more realistic and easier to trick people, rather than in the middle of the night.

Don’t expect to find obvious typos

Hijackers often personalise attacks for high-profile people. Using techniques like spear phishing, they may imitate a politician and send emails to the campaign subscribers. They might also try to embarrass a candidate or spearhead an attack that undermines the candidate’s credibility, like looking through emails for embarrassing information or posting personal pictures.

And the emails sent to victims look very professional – these aren’t the typo-filled junk emails people usually see in their spam inboxes.

Guemmy Kim, Google
Guemmy Kim is a product manager on Google’s Account Security team. Google

“Security is always evolving,” Kim said. “We constantly monitor what’s happening on the landscape. Our goal is to evolve that program to keep you constantly and automatically protected.”

The Advanced Protection Program requires that users have two security keys, which are devices that use two-factor authentication to protect from phishing. It protects personal email accounts, which can be a gateway to other accounts.

The program can also protect users using OAuth, or Open Authorization, which allows a user to use an account for third-party services like Facebook without exposing the account’s password. Otherwise, politicians may be tricked into granting access to email and contact data to malicious apps.

“Campaign apps often use third-party services,” Joe Hall, chief technologist of the Center for Democracy and Technology, told Business Insider. “They can share people’s information with marketers. That’s more of a privacy problem.”

Never let your guard down

To stay secure, Kim recommends that users at least sign up for two-factor authentication. In addition, they should create unique passwords and make sure they’re not reusing them.

She also recommends a Chrome extension called Password Alert, which detects when users enter their Google password into any websites other than the Google’s login page.

Although Election Day is in full swing, the 2020 election is just around the corner, and politicians are already thinking about their upcoming campaigns. Still, attackers are always evolving, and the team must make sure it stays ahead of that curve.

“People were really vigilant in 2016 after high-profile attacking,” Kim said. “Some talk about helping politicians with security. I kind of want to emphasise that we can’t let that guard down. People have to keep vigilant.”