
  • Posts Tagged: google


    10 Feb 11

    Google Adds 1-Time Passwords to Gmail, Apps

    Stolen or easily-guessed passwords have long been the weakest link in security, leaving many Webmail accounts subject to hijacking by identity thieves, spammers and extortionists. To combat this threat on its platform, Google is announcing that starting today, users of Google’s Gmail service and other applications will have the option to beef up the security around these accounts by adding one-time pass codes sent to their mobile or land line phones.

    For several months, Google has been offering this option to business customers and to “hundreds of thousands” of regular users who lost control over their accounts due to password theft, said Nishit Shah, product manager for Google Security. Today, Google will begin rolling this feature out to all users, although it may not be available to all users immediately, Shah said.

    “It’s an extra step, but it’s one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone,” Shah wrote in a blog post published today. “A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a ‘Remember verification for this computer for 30 days’ option, and you won’t need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.”

    I set up the 2-step verification process for my Gmail account, and found the process to be quick and painless, if a little involved. I chose to set it up to call my Skype line and read the code aloud, and the call came in three seconds after I hit the submit button. The setup wizard then gave me 10 backup codes to use in cases when for whatever reason I don’t have access to my Skype account. Another setup page offered the ability to add a secondary backup phone to send the code via SMS/text message, or automated voice message.



    4 Jan 11

    Microsoft Warns of Image Problem

    Microsoft today warned Windows users about a previously unknown security vulnerability that could allow attackers to install malware simply by getting users to view a malicious image in a Web browser or document.

    Microsoft said in a security advisory that the problem stems from a bug in the Windows Graphics Rendering Engine on Vista, Server 2003, and Windows XP. The software giant said that it is working on a patch for the flaw, but that it isn’t aware of any active attacks exploiting the security hole…yet.

    According to the CVE listing cited in the advisory, the vulnerability was discovered by a pair of security researchers who presented their findings at a security conference in Korea late last year.



    17 Dec 10

    Google Debuts “This Site May Be Compromised” Warning

    Google has added a new security feature to its search engine that promises to increase the number of Web page results that are flagged as potentially having been compromised by hackers.

    The move is an expansion of a program Google has had in place for years, which appends a “This site may harm your computer” link in search results for sites that Google has determined are hosting malicious software. The new notation – a warning that reads “This site may be compromised” – is designed to include pages that may not be malicious but which indicate that the site might not be completely under the control of the legitimate site owner — such as when spammers inject invisible links or redirects to pharmacy Web sites.

    Google also will be singling out sites that have had pages quietly added by phishers. While spam usually is routed through hacked personal computers, phishing Web pages most often are added to hacked, legitimate sites: The Anti-Phishing Working Group, an industry consortium, estimates that between 75 and 80 percent of phishing sites are legitimate sites that have been hacked and seeded with phishing kits designed to mimic established e-commerce and banking sites.

    It will be interesting to see if Google can speed up the process of re-vetting sites that were flagged as compromised, once they have been cleaned up by the site owners. In years past, many people who have had their sites flagged by Google for malware infections have complained that the search results warnings persist for weeks after sites have been scrubbed.

    Denis Sinegubko, founder and developer at Unmask Parasites, said Google has a lot of room for improvement on this front.

    “They know about it, and probably work internally on the improvements but they don’t disclose such info,” Sinegubko said. “This process is tricky. In some cases it may be very fast. But in others it may take unreasonably long. It uses the same form for reconsideration requests, but [Google says] it should be faster…less than two weeks for normal reconsideration requests.”



    18 Nov 10

    Why Counting Flaws is Flawed

    Once or twice each year, some security company trots out a “study” that counts the number of vulnerabilities that were found and fixed in widely used software products over a given period and then pronounces the worst offenders in a Top 10 list that is supposed to tell us something useful about the relative security of these programs. And nearly without fail, the security press parrots this information as if it were newsworthy.

    The reality is that these types of vulnerability count reports — like the one issued this week by application whitelisting firm Bit9 — seek to measure a complex, multi-faceted problem from a single dimension. It’s a bit like trying to gauge the relative quality of different Swiss cheese brands by comparing the number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous — and even humorous — conclusions.

    The Bit9 report is more notable for what it fails to measure than for what it does, which is precious little: The applications included in its 2010 “Dirty Dozen” Top Vulnerable Applications list had to:

    • Be legitimate, non-malicious applications;
    • Have at least one critical vulnerability that was reported between Jan. 1, 2010 and Oct. 21, 2010; and
    • Be assigned a severity rating of high (between 7 and 10 on a 10-point scale in which 10 is the most severe).

    The report did not seek to answer any of the questions that help inform how concerned we should be about these vulnerabilities, such as:

    • Was the vulnerability discovered in-house — or was the vendor first alerted to the flaw by external researchers (or attackers)?
    • How long after being initially notified or discovering the flaw did it take each vendor to fix the problem?
    • Which products had the broadest window of vulnerability, from notification to patch?
    • How many of the vulnerabilities were exploitable using code that was publicly available at the time the vendor patched the problem?
    • How many of the vulnerabilities were being actively exploited at the time the vendor issued a patch?
    • Which vendors make use of auto-update capabilities? For those vendors that include auto-update capabilities, how long does it take “n” percentage of customers to be updated to the latest, patched version?



    1 Nov 10

    Google Extends Security Bug Bounty to Gmail, YouTube, Blogger

    Google on Monday said it was expanding a program to pay security researchers who discreetly report software flaws in the company’s products. The move appears aimed at engendering goodwill within the hacker community while encouraging more researchers to keep their findings private until the holes can be fixed.

    Earlier this year, Google launched a program to reward researchers who directly report any security holes found in the company’s Chrome open-source browser project. With its announcement today, Google is broadening the program to include bugs reported for its Web properties, including Gmail, YouTube, Blogger and others (the company says its desktop and mobile apps – Android, Picasa, Google Desktop, etc. – are not included in the expanded bounty program).

    The program is unlikely to attract those who are looking to get rich selling security vulnerabilities, as there are several less reputable places online where critical bugs in important online applications can fetch far higher prices. But the expanded bounty may just win over researchers who might otherwise post their research online, effectively alerting Google to the problem at the same time as the cyber criminal community.

    “We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page,” Google’s security team wrote on the company’s security blog. “As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.”

    The standard reward for bugs will continue to be public recognition and $500, although the search giant said bugs that are particularly severe or clever could earn rewards of up to $3,133.7 (this is leet speak for “elite”).

    Google said it won’t pay for bugs that involve overtly malicious attacks, such as social engineering and physical attacks or so-called “black hat search engine optimization” techniques – and that it wouldn’t count less serious flaws such as denial-of-service bugs, or flaws in technologies recently acquired by Google.

    Other companies have established bug bounty programs. For example, Mozilla, the organization behind the Firefox Web browser, for years paid researchers $500 for bugs, but recently upped the amount to $3,000.

    Charlie Miller, a security researcher who has reported a large number of bugs in a variety of applications and programs, was initially critical of such a tiny bounty from one of the world’s wealthiest and most powerful businesses. But reached via e-mail Monday evening, Miller said that while he’d always like to see more money being paid to bug researchers, the relatively few companies that offer bug bounties also deserve recognition.

    “With so many companies (MS, Adobe, Apple, Oracle) not paying anything, I’m very happy to see any money going out for these types of programs,” Miller wrote. “It motivates and rewards researchers. The security of the products (or websites) that the average person uses goes up. Also, it provides vendors with a level of control they otherwise lack. If a researcher reports a bug and then decides they think the process is not working well, they’ll think twice about dropping it on full disclosure if they know they’ll lose their finder’s fee.”


    28 Sep 10

    Fake LinkedIn Invite Leads to ZeuS Trojan

    A major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a kitchen sink of browser exploits in a bid to install the password-stealing ZeuS Trojan.

    The spam campaign began Monday morning, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations accounted for as much as 24 percent of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and then sent on to Google.com.

    On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS.

    This attack will no doubt fool a large number of people. Dan Tynan, a reporter for IT World, said he was tricked into clicking the link and possibly infecting his system.

    It’s a good idea to avoid clicking social networking site invites that arrive by e-mail, especially if you don’t recognize the name of the person who’s inviting you. Instead, consider just browsing to the social networking site and handling any invites there. Also, this attack is a good reminder that it pays to stay up-to-date on the latest security patches.

    What interests me most about this scam is that it shows that criminals wielding ZeuS are now using employment-oriented online services both to infect new PCs and to “cash out” these same victims, thanks to money mules recruited at job search sites like Monster.com and Careerbuilder.com.

    I asked Cisco to supply more information about the domains used in this attack. Some of that information is included at the summary listed here (please take care with the domains on this list — they all should be considered hostile).


    20 Sep 10

    Google Adds 2-Factor Security to Gmail, Apps

    Google said today that it will begin offering users greater security protections for signing in to Gmail and other Google Apps offerings. This “two-step verification” process — which requires participating users to input a user ID, password and six-digit code sent to their mobile phones — effectively means Google will be offering more secure authentication than many U.S. financial institutions currently provide for their online banking customers.

    The search giant will be making the technology available to its enterprise (paying) customers immediately, and it will be free to consumers within the next few months. Users who choose to take advantage of the technology can have the codes sent via text message or a special Google mobile app. All devices that are successfully authenticated can then be set to not require the two-step process for the next 30 days.

    Travis McCoy, product manager of Google Security, said the company was looking for a way to prevent Google account takeovers made possible by weak or stolen passwords.

    “We wanted to look and see what single area could we work on that would have the greatest impact on user security,” McCoy said. “We found user names and passwords often end up being the weak link in the chain in terms of how accounts are being compromised.”



    15 Jun 10

    Unpatched Windows XP Flaw Being Exploited

    A security vulnerability in Microsoft Windows XP systems that was first disclosed a week ago is now being actively exploited by malicious Web sites to foist malware on vulnerable PCs, according to reports.

    Last week, Google researcher Tavis Ormandy disclosed the details of a flaw in the Microsoft Help & Support Center on Windows XP and Server 2003 systems that he showed could be used to remotely compromise affected systems. Today, experts at security firm Sophos reported that they’re seeing the first malicious and/or hacked sites beginning to exploit the bug.

    If you use Windows XP and have not yet taken Microsoft up on its suggestion to disable the vulnerable Help & Support Center component, please consider taking a moment to do that today. Until Microsoft issues an official fix for this flaw, the workaround they suggest is an easy and apparently painless one. The instructions are available at this link.

    Update, June 17, 9:20 a.m. PST: Updated post to include link to Microsoft “FixIt” tool.


    14 Jun 10

    Security Alert for Windows XP Users

    Microsoft is warning Windows XP and Server 2003 users that exploit code has been posted online showing attackers how to break into these operating systems remotely via a newly-discovered security flaw.

    The vulnerability has to do with a weakness in how Windows Help and Support Center processes links. Both Windows XP and Server 2003 retrieve help and support information from a fixed set of Web pages that are included on a whitelist maintained by Windows. But Google security researcher Tavis Ormandy last week showed the world that it was possible to add URLs to that whitelist.

    Microsoft said an attacker could exploit this flaw by tricking a user into clicking a specially crafted link. Any files fetched by that link would be granted the same privileges as the affected system’s current user, which could spell big problems for XP users browsing the Web in the operating system’s default configuration — using the all-powerful “administrator” account.

    “Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely,” Microsoft said in a statement released last week.



    27 Apr 10

    Fake Anti-virus Peddlers Outmaneuvering Legitimate AV

    Purveyors of fake anti-virus or “scareware” programs have aggressively stepped up their game to evade detection by legitimate anti-virus programs, according to new data from Google.

    In a report being released today, Google said that between January 2009 and the end of January 2010, its malware detection infrastructure found some 11,000 malicious or hacked Web pages that attempted to foist fake anti-virus on visitors. The search giant discovered that as 2009 wore on, scareware peddlers dramatically increased both the number of unique strains of malware designed to install fake anti-virus as well as the frequency with which they deployed hacked or malicious sites set up to force the software on visitors.

    Fake anti-virus attacks use misleading pop-ups and videos to scare users into thinking their computers are infected and offer a free download to scan for malware. The bogus scanning programs then claim to find oodles of infected files, and victims who fall for the ruse often are compelled to register the fake anti-virus software for a fee in order to make the incessant malware warnings disappear. Worse still, fake anti-virus programs frequently are bundled with other malware. What’s more, victims end up handing their credit or debit card information over to the people most likely to defraud them.

    Google found that miscreants spreading fake anti-virus have over the last six months taken aggressive steps to evade the two most prevalent countermeasures against scareware: The daily updates shipped by the legitimate anti-virus makers designed to detect scareware installers; and programs like Google’s which scan millions of Web pages for malicious software and flag search results that lead to malware.

    Google’s automated system scanned each potentially malicious page in real time using a number of licensed anti-virus engines, and all of the files were rescanned at the end of the study. Beginning in June 2009, Google charted a massive increase in the number of unique fake anti-virus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate anti-virus programs to detect them. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent.

    “We found that if you have anti-virus protection installed on your computer but the [malware detection] signatures for it are out-of-date by just a couple of days, this can drastically reduce the detection rates,” said Niels Provos, principal software engineer for Google’s infrastructure group. “It turns out that the closer you get to now, the commercial anti-virus programs were doing a much worse job at detecting pages that were hosting fake anti-virus payloads.”
