Today’s topics include a U.S. government report warning about a lack of security tool use, and Google claiming its Pixel 2 encryption prevents even privileged attacks.
In a 51-page report to the president publicly released May 30, the U.S. Department of Commerce and the Department of Homeland Security detailed the status of botnet threats and provided direction on how to improve resiliency.
Among the key findings in the report is that existing tools to help improve defenses “are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.”
The report also determined that market incentives for product manufacturers are not aligned with the goal of reducing automated threats, as the goal of many vendors is to minimize cost and time to market, rather than to build in security.
Google is claiming that the encryption capability available with its Pixel 2 smartphones is highly resistant to attacks on the hardware, software, operating system and firmware. Central to that security is “insider attack resistance” that ensures even highly privileged users with administrative access to a Pixel 2 device cannot overcome the encryption on it without the owner’s cooperation and without destroying all data on the device first.
The insider attack resistance capability is designed to thwart an attacker from using rogue firmware to access the keys needed to decrypt data on a device, since Google by default encrypts all user data on the Pixel 2.
The encryption keys are stored in a separate tamper-resistant hardware module on the device, which can only be overcome by attacking and breaking the digital signature verification process or gaining access to the digital signing keys.