Category Archives: Google

Google’s New Ad Policy Overlooks A Bigger Threat

Google has announced that advertisers on its platforms will have to verify their identities and their businesses. They will have 30 days to comply. 

On its face, this seems like common sense and a good idea. The Internet has been rife with fraudulent Covid-19 schemes targeting stimulus checks, selling snake-oil cures and price gouging on hard-to-acquire products. The reality is less clear-cut.

Where’s The Data?

The first issue here is Google’s track record when it comes to data mining and privacy. The company is the most successful, and also one of the most appetitive compilers of personal information in digital media. 

While it’s fairly common knowledge that Google’s Chrome browser is no stranger to controversy when it comes to tracking users and collecting data, there is more worrisome activity that gets far less attention. The company aggregates data from its phones, tablets, home media devices, personal assistants, website searches, analytics platform, and even offline credit card transactions. To say that it already has access to data about businesses and individuals would be an understatement and only serves to underscore what’s wrong with this latest initiative. 

There has been plenty of opportunity for Google to put its vast stores of data to use in identifying bad actors on its platforms with far greater sophistication than anything that could be gleaned from digital copies of personal and employee identification numbers or business incorporation documents. It already has everything it needs to determine whether someone is in the U.S. or Uzbekistan.

Occam’s Razor points to two explanations. First, Google is doing what it does best: collecting more information. Second, Google is doing what it does best: using information to solve an information problem. Either way, it’s not a very memorable solution.

Ignoring the Realities of Business Identity Theft

It seems naive to take the position that the submission of digital copies of documents can provide a reliable way to establish the identity of a particular business. In an era where Social Security numbers and tax IDs can be bought by the millions on the dark web and computers are capable of rendering real-time deepfakes on video conference calls, faking a document or credentials is child’s play for any scammer worth his or her Bitcoin.

For starters, this easily flouted protocol engenders a false sense of security for internet users who assume Google’s verification process works. If this sounds cynical, remember that Facebook tried something like this following the widespread manipulation of its platform during the 2016 election. It failed.

This practice also puts a target on businesses. At a minimum, it will require the widespread transmission of digital copies of potentially sensitive business documents, which opens the door to scammers trying to intercept that data. Business identity theft is a very real threat, and access to a business’s credentials can leave it vulnerable to data breaches, fraud, cyberattacks, and worse. At a maximum, it could actually boost the market for illicit or compromised information on businesses as a means of supplying fake credentials to Google. 

We’ve seen time and again that scammers are creative and extremely persistent when it comes to gaining access to sensitive data, and we can only assume any ill-considered move to protect data will be viewed as a growth opportunity for cybercriminals.

Security Theater

The term “security theater” gained popularity after the implementation of TSA security measures in the wake of the 9/11 attacks, and it seems applicable here. 

Google’s new policies seem like marketing more than security. While they are likely to make customers and businesses that use its online advertising platform feel safer, they could easily have the opposite effect.

A company with Google’s reach, resources, and oftentimes incredibly granular data isn’t likely to be made any more secure by collecting and gathering digital documents from its clients. It might, however, be putting businesses at greater risk of fraud and data compromise. 

The post Google’s New Ad Policy Overlooks A Bigger Threat appeared first on Adam Levin.

Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check

Google has released version 83 of its popular Chrome web browser, which includes new security and privacy features and fixes for security issues.

Chrome 83: New and improved security and privacy features

The enhanced Safe Browsing mode will allow users to get more personalized protection against malicious sites. “Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users,” Google explained. “Turning on Enhanced Safe Browsing will …

The post Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check appeared first on Help Net Security.

Google WordPress Site Kit plugin grants attacker Search Console Access

Experts found a critical bug in Google’s official WordPress plugin ‘Site Kit’ that could allow hackers to gain owner access to targeted sites’ Google Search Console.

The Site Kit WordPress plugin makes it easy to set up and configure key Google products (i.e. Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimize, and AdSense), giving users authoritative and up-to-date advice on how to succeed on the web. It has over 300,000 active installations.

Experts from Wordfence found a critical bug in the ‘Site Kit’ plugin that could be exploited by authenticated attackers to gain owner access to targeted sites’ Google Search Console.

“This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.” reads the analysis published by Wordfence.


The vulnerability is caused by the disclosure of the proxySetupURL in the HTML source code of admin pages. That URL is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.

“In order to establish the first connection with Site Kit and Google Search Console, the plugin generates a proxySetupURL that is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.” continues the analysis.

“Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed as part of the HTML source code of admin pages to any authenticated user accessing the /wp-admin dashboard.”

Experts also noticed a second issue: the verification request used to confirm a site’s ownership was a registered admin action that did not check the capabilities of the user issuing the request, so any authenticated WordPress user could trigger it.

By chaining the two vulnerabilities, an attacker could gain ownership of the site’s Google Search Console, allowing them to modify sitemaps, remove pages from Google search engine result pages (SERPs), or facilitate black hat SEO campaigns.
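As an added illustration of the two hook patterns described above (hypothetical plugin code written for this page, not Site Kit’s own source), the following shows how a WordPress plugin gates both the data it passes to admin-dashboard scripts and an admin_action_* handler behind capability and nonce checks. The hook names and current_user_can(), wp_localize_script(), check_admin_referer() and wp_safe_redirect() are real WordPress APIs; the example-connector slug, option names, action name, proxy host and helper function are assumptions.

```php
<?php
// Hypothetical plugin code added for illustration; not Site Kit's source.
// WordPress hook and function names are real; everything prefixed
// "example_connector" and the proxy host are assumptions for this example.

// Builds the one-time setup URL that sends an administrator to the
// external OAuth/verification proxy (the proxy host is a placeholder).
function example_connector_build_setup_url() {
    $token = wp_generate_password( 32, false ); // random, non-guessable token
    update_option( 'example_connector_setup_token', $token, false );
    return add_query_arg( array(
        'site'  => rawurlencode( home_url() ),
        'token' => $token,
    ), 'https://proxy.example.invalid/setup' );
}

// Pattern 1: data passed to admin scripts. Without the capability check,
// wp_localize_script() would inline the setup URL into the page source of
// every logged-in user who can reach /wp-admin, subscribers included.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // non-administrators never receive the URL
    }
    // Only emit it on the plugin's own settings screen (hypothetical slug).
    if ( 'toplevel_page_example-connector' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-connector-setup',
        plugins_url( 'js/setup.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-connector-setup', 'exampleConnector', array(
        'proxySetupURL' => example_connector_build_setup_url(),
        'nonce'         => wp_create_nonce( 'example_connector_verify' ),
    ) );
} );

// Pattern 2: an admin_action_* handler. WordPress runs it for any
// authenticated user who requests admin.php?action=example_connector_verify,
// so the handler itself must enforce the capability and nonce checks.
add_action( 'admin_action_example_connector_verify', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to verify this site.', 403 );
    }
    check_admin_referer( 'example_connector_verify' ); // dies on a bad/missing nonce
    $stored = get_option( 'example_connector_setup_token', '' );
    $given  = isset( $_GET['token'] ) ? sanitize_text_field( wp_unslash( $_GET['token'] ) ) : '';
    if ( '' === $stored || ! hash_equals( $stored, $given ) ) {
        wp_die( 'Verification token mismatch.', 400 );
    }
    delete_option( 'example_connector_setup_token' ); // single use
    update_option( 'example_connector_verified', 1 );
    wp_safe_redirect( admin_url( 'admin.php?page=example-connector&verified=1' ) );
    exit;
} );
```

The first capability check is what was missing on the admin_enqueue_scripts path; the second, together with the nonce, is what the verification action lacked. A quick way to confirm a plugin on your own site gets this right is to log in as a subscriber-level test user, view the source of the /wp-admin dashboard, and search for the setup URL: it should not appear.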

“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” continues Wordfence.

“An owner in Google Search Console can do things like request that URLs be removed from the Google Search engine, view competitive performance data, modify sitemaps, and more. Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results. More specifically, it could be used to aid a competitor who wants to hurt the ranking and reputation of a site to better improve their own reputation and ranking.”

The good news is that Google sends an email alert when a new Google Search Console owner has been added, allowing admins to remove an unknown owner.

As an extra precaution, admins can also reset the WordPress Site Kit connection, after which all previously connected Google services will have to be reconnected.

Wordfence discovered the privilege escalation issue on April 21 and reported it to Google on April 22.

Google addressed the vulnerability on May 7 with the release of Site Kit 1.8.0.

At the time of writing over 200,000 website owners have updated their Site Kit plugins, but over 100,000 sites are still vulnerable.

Pierluigi Paganini

(SecurityAffairs – Site Kit, hacking)

The post Google WordPress Site Kit plugin grants attacker Search Console Access appeared first on Security Affairs.

Work From Home For Rest Of Year? Some Tech Companies Say “Yes” – Forbes

Love it or hate it, the work from home trend will continue as countries battle against COVID-19. In fact, many prominent tech companies say their employees will be working from home for the rest of the year.  Here’s what you need to know – and what it might mean for you: Google: While employees who…

The Guardian view on an NHS coronavirus app: it must do no harm | Editorial

Smartphones can be used to digitally trace Covid-19. But not if the public don’t download an app over privacy fears – or find it won’t work on their device

The idea of the NHS tracing app is to enable smartphones to track users and tell them whether they interacted with someone who had Covid-19. Yet this will work only if large proportions of the population download the app. No matter how smart a solution may appear, mass consent is required. That will not be easy. Ministers and officials have failed to address the trade-offs between health and privacy by being ambiguous about the app’s safeguards.

Instead of offering cast-iron guarantees about the length of time for which data would be held; who can access it; and the level of anonymity afforded, we have had opacity and obfuscation. It is true that we are dealing with uncertainties. But without absolute clarity about privacy the public is unlikely to take up the app with the appropriate gusto.

Continue reading...

Malware in Google Apps

Interesting story of malware hidden in Google Apps. This particular campaign is tied to the government of Vietnam.

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky's researchers say, PhantomLance's hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. "In this case, the attackers used Google Play as a trusted source," says Kaspersky researcher Alexey Firsh. "You can deliver a link to this app, and the victim will trust it because it's Google Play."

[...]

The first hints of PhantomLance's campaign focusing on Google Play came to light in July of last year. That's when Russian security firm Dr. Web found a sample of spyware in Google's app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky's researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps were fairly basic, Firsh says that they both could have expanded. "What's important is the ability to download new malicious payloads," he says. "It could extend its features significantly."

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even Github repositories for spoofed developers to make the apps appear legitimate and hide their tracks.

Getting Started With Basic Google Searches

Hello and welcome. My name is John Strand and in this video, we’re going to be talking about some very basic Google searches. Now we’ve got to take a couple of steps back and talk about what Google actually does. Google goes through and it indexes all the different texts and images and things they […]

The post Getting Started With Basic Google Searches appeared first on Black Hills Information Security.

Cyber Security Roundup for May 2020

A roundup of UK-focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2020.

As widely reported, UK foreign exchange firm Travelex's business operations were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that the REvil group were behind the attack and had stolen 5Gbs of customer personal data, and then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to an inflation of future cyber-extortion demands in my opinion.

Cognizant, a large US digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware. Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack not only encrypts the victim's files but steals sensitive data from the IT systems as well, enabling the bad guys to threaten to publish the stolen data unless the organisation coughs up to their cyber-extortion demands. The bad guys are very much rinsing and repeating lucrative attacks.

Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads. The blog covers ransomware payloads said to be straining security operations, especially in health care; Microsoft warned security teams to look for the signs of credential theft and lateral movement that herald attacks.

Researchers continue to be busy exposing large sensitive datasets within misconfigured cloud services. In April researchers reported 14 million Ring user details exposed in a misconfigured open AWS database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.

Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. The gaming giant said that from April, its users' accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware exactly how the intrusion occurred, saying it “seems to have been made by impersonating login to Nintendo Network ID”. “If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account,” Nintendo said. In response, the company has abolished users' ability to log into their Nintendo account via NNID, passwords for both NNID and Nintendo accounts are being reset, and the company is recommending multi-factor authentication be set up for each account.

The account breaches weren't the only cyber issue affecting Nintendo in April: it was reported that a bot, dubbed 'Bird Bot', was used by a reseller to buy up Nintendo Switches before customers could make their purchase from Nintendo. The reseller profited at consumers' expense: by buying up all available Switches directly from Nintendo, it could sell them on at higher prices, making a quick and tidy profit thanks to the current high demand for Switches and lack of supply.

April was a busy month for security updates. Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams for a flaw found by researchers at CyberArk. Patch Tuesday was a quiet one for Adobe, though they released fixes for 21 critical vulnerabilities in Illustrator and Bridge at the end of the month. Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!

Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in its physical and virtual XG Firewall units was exploited. “The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,” Sophos said.

There were security-critical patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. There was a bunch of VMware patches, including one for a vulnerability scoring CVSS 10 (the highest possible) in vCenter, a critical one in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep ahead of patching their vulnerabilities.

Stay safe, stay home and watch for the scams.


Our personal health history is too valuable to be harvested by the tech giants | Eerke Boiten

Action to prevent deeper access to our private lives and data is more essential than ever

Health data paints a rich picture of our lives. Even if you remove your name, date of birth and NHS number to “anonymise” yourself, a full health history will reveal your age, gender, the places where you have lived, your family relationships and aspects of your lifestyle.

Used in combination with other available information, this may be enough to verify that this medical history relates to you personally and to target you online. Consequently, whenever the NHS shares health data, even if it is anonymised, we need to have confidence in who it goes to and what they can do with it.

When data about us influences a credit rating or a hiring decision, we are unlikely ever to find out


Google software glitch sent some users’ videos to strangers

Bug affected users of Google Takeout exporting from Google Photos in late November

Google has said a software bug resulted in some users’ personal videos being emailed to strangers.

The flaw affected users of Google Photos who requested to export their data in late November. For four days the export tool wrongly added videos to unrelated users’ archives.


Will we just accept our loss of privacy, or has the techlash already begun? | Alan Rusbridger

Not so long ago we searched Google. Now we seem quite happy to let Google search us

Probably too late to ask, but was the past year the moment we lost our technological innocence? The Alexa in the corner of the kitchen monitoring your every word? The location-betraying device in your pocket? The dozen trackers on that web page you just opened? The thought that a 5G network could, in some hazily understood way, be hardwired back to Beijing? The spooky use of live facial recognition on CCTV cameras across London.

With privacy there have been so many landmarks in the past 12 months. The $5bn Federal Trade Commission fine on Facebook to settle the Cambridge Analytica scandal? The accidental exposure of a mind-blowing 1.2 billion people’s details from two data enrichment companies? Up to 50m medical records spilled?

We gleefully carry surveillance machines in our pockets and install them in our homes
