Posts Tagged ‘Google’
Friday, August 29, 2014 @ 02:08 PM gHale
Thinking about security while creating software is a must that more designers need to consider these days, because not going that route is a recipe for disaster. Just ask Target.
That is why security researchers from Cigital, Google, Twitter, HP, McAfee, EMC, RSA, Harvard University, George Washington University, Athens University of Economics and Business, the Sadosky Foundation, and the University of Washington joined up with the IEEE Center for Secure Design and published a report looking at 10 of the most common software security design flaws.
The IEEE Computer Society Center for Secure Design participants are: Iván Arce, Sadosky Foundation; Neil Daswani, Twitter; Jim DelGrosso, Cigital; Danny Dhillon, RSA; Christoph Kern, Google; Tadayoshi Kohno, University of Washington; Carl Landwehr, George Washington University; Gary McGraw, Cigital; Brook Schoenfield, McAfee, Part of Intel Security Group; Margo Seltzer, Harvard University; Diomidis Spinellis, Athens University of Economics and Business; Izar Tarandach, EMC; and Jacob West, HP.
The organizations came up with a top 10 list during a workshop session this spring, where each brought examples of design flaws it had experienced.
So far the security industry has targeted finding and eradicating security vulnerabilities. But design flaws, such as using encryption incorrectly or not validating data properly, can also be exploited by attackers or lead to security bugs. As a matter of fact, these issues could be more difficult to eradicate because they are built in. That is one reason why software designers need to think about security as they create the software.
Target’s data breach ended up being a design flaw leading to a hack.
The report recommends how to prevent each of the 10 most common software security design flaws:
1. Earn or give, but never assume, trust.
2. Use an authentication mechanism that cannot be bypassed or tampered with.
3. Authorize after you authenticate.
4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
5. Define an approach that ensures all data are explicitly validated.
6. Use cryptography correctly.
7. Identify sensitive data and how you should handle it.
8. Always consider the users.
9. Understand how integrating external components changes your attack surface.
10. Be flexible when considering future changes to objects and actors.
Friday, August 15, 2014 @ 03:08 PM gHale
Google rolled out version 36 of the Chrome browser for Windows, Mac and Linux, including a set of security fixes, along with the latest revision of Flash Player.
Twelve vulnerabilities were fixed in this release, with some found by external security researchers, who earned cash for their efforts through Google’s bug bounty program.
For a use-after-free security flaw (CVE-2014-3165) in web sockets, Google paid $2,000 to researcher Collin Payne; additional information about this flaw is not available right now.
From another external researcher, the Google team received details about a security glitch that could lead to information disclosure in SPDY. Identified as CVE-2014-3166, the discovery goes to Antoine Delignat-Lavaud, second year PhD student in team Prosecco at Inria Paris.
In order to prevent the information leakage, Chrome developers decided to disable SPDY and QUIC session pooling in the latest revision of the web browser.
SPDY is a network protocol designed to increase page load speed and security by manipulating HTTP traffic.
For the user, disabling it translates into slower page loads on websites using this protocol, but the latency is not significant enough to affect browsing.
Additional input came from the internal security team, who discovered an undisclosed number of glitches through internal audits or code fuzzing operations.
Build 36.0.1985.143 of the web browser also updates the Adobe Flash Player plug-in to the recently released version 22.214.171.124.
Adobe patched seven critical vulnerabilities, most of them memory leaks that could be exploited to bypass memory protection mechanisms (address randomization).
Thursday, May 15, 2014 @ 01:05 PM gHale
Bad guys are looking to steal Google account passwords via a new and well-written phishing attack that is hard to catch with traditional heuristic detection, researchers said.
The way Google Chrome displays data: URIs (Uniform Resource Identifiers) makes Chrome users most vulnerable; however, the phishing attack also targets Mozilla Firefox users, said researchers at security provider Bitdefender.
“With access to users’ Google accounts, hackers can buy apps on Google Play, hijack Google+ accounts and access confidential Google Drive documents,” said Catalin Cosoi, chief security strategist at Bitdefender. “The scam starts with an email allegedly sent by Google, with “Mail Notice” or “New Lockout Notice” as a subject.”
“This is a reminder that your email account will be locked out in 24 hours,” the email said. “Due to not being able to increase your Email storage Quota. Go to the INSTANT INCREASE to increase your Email storage automatically.”
When they click the INSTANT INCREASE link, users are redirected to a Google login web page that imitates the authentic one and asks for their credentials.
“What is interesting about this phishing attack is that users end up having the ‘data:’ in their browser’s address bar, which indicates the use of a data URI scheme,” Cosoi said.
The data URI scheme allows scammers to include data in-line in web pages as if they were external resources. The scheme uses Base64 encoding to represent file contents, in this case supplying the content of the fake web page in an encoded string within the data URI.
As Google Chrome doesn’t show the whole string, regular users have a hard time figuring out they are the target of a phishing attack and may give their data to cyber-criminals.
Scammers usually pose as services that contact people by email for announcements or notifications. Google, Facebook, eBay, phone services and financial institutions are among phishers’ favorite disguises to invade inboxes worldwide.
Tuesday, May 6, 2014 @ 07:05 AM gHale
Google fixed a cross-site scripting (XSS) vulnerability in its Google Search Appliance (GSA), a device that enables organizations to index and search through web content, databases, and content management systems.
The device is vulnerable to reflected XSS attacks when the dynamic navigation feature is enabled, according to an advisory published by the Computer Emergency Response Team’s Coordination Center (CERT/CC). The appliance combines Dell hardware with Google software.
Google fixed the vulnerability with the release of versions 7.2.0.G.114 and 7.0.14.G.216. Customers can download the updates from Google’s Enterprise Support Portal.
As a workaround, users can disable the dynamic navigation feature. Instructions on how to do so are available on the GSA support page.
Will Dormann, a vulnerability analyst with the CERT/CC, reported the existence of the issue to Google on March 20.
Thursday, April 10, 2014 @ 04:04 PM gHale
Google released stable versions of its Chrome browser with 31 security fixes, ChromeOS and other development versions of its products.
Google’s latest Chrome Web browser Version 34 is now rolling out, as well as a new ChromeOS Version 34 for all Chrome devices, as the company continues its regularly scheduled updates for its Chrome line of browsers and related applications.
The latest stable channel update of the Chrome browser, Version 34 is now available for Windows, Mac, and Linux, said Daniel Xie of the Google Chrome team.
The new version includes bug fixes and improvements, such as easier importing of supervised users onto new computers, several new apps and extension APIs, a different look for the Windows 8 Metro mode and many changes to improve stability and performance, Xie said. Version 34 also has 31 security fixes, including at least nine that are high priority and three that are medium priority.
The latest Chrome 34 also now includes the ability to remember and fill password fields even when the autocomplete function is off, Xie said. This is to encourage the use of the Chrome password manager so users can have more complex passwords.
Also released is the latest Stable Version 34 of ChromeOS for all Chrome devices, said Matthew Yuan of the Google Chrome team.
The new version, known officially as Version 34.0.1847.118, includes bug fixes, security updates and feature enhancements, he said. Chrome devices will be receiving the update automatically. Among the fixes and features are a new “side dock,” which allows users to dock small windows and panels to screen edges, and a default “on” status for Google Drive offline backup after a user’s first log-in, Yuan said.
The new versions of Chrome and ChromeOS follow the March release of the previous Version 33 releases of each of those products.
Chrome for Android has also received an update to Version 34, giving Android devices the latest edition of their customized browser.
Chrome 34 for Android, officially Version 34.0.1847.114, is distributed through Google Play and contains crash fixes and performance improvements, including battery usage optimizations, wrote Kersey.
Google is also rolling out an update for its Chromecast TV dongle devices.
The Build 16664 update includes bug fixes and stability improvements, as well as the new ability for the Chromecast audio volume level to be retained across sessions. It also includes improved IPv6 support and improved Domain Name System (DNS) robustness.
Thursday, March 13, 2014 @ 07:03 PM gHale
Google updated the stable channel of its web browser to address seven security holes, which means Chrome 33.0.1750.149 is available for download.
Of the 7 vulnerabilities, three stand out. CVE-2014-1700 is a use-after-free issue in speech identified by Chamal de Silva. The researcher earned $4,000 for his findings.
The second flaw, CVE-2014-1701, reported by aidanhs, is a UXSS vulnerability, which brought in $3,000.
Collin Payne earned $1,000 for finding a use-after-free in the web database (CVE-2014-1702).
All those vulnerabilities were labeled as being high risk.
Google’s internal security team has also contributed to making Chrome more secure. They’ve identified a potential sandbox escape caused by a use-after-free in web sockets (CVE-2014-1703), and various vulnerabilities in V8 (CVE-2014-1704).
Users should update their browser as soon as possible to secure their computers against cyberattacks that might leverage these flaws. The latest version of Chrome contains a Flash Player update to version 126.96.36.199.