Category Archives: Google

Gmail “From field” bug makes phishing attacks easier for hackers

By Waqas

Gmail, as we know, is a popular and commonly preferred email platform around the world. That’s why any news about a bug in this platform is bound to create chaos among users. And, that’s exactly the case this time. Software developer Tim Cotten has discovered a bug Gmail’s ‘From:’ header structure that can allow the […]

This is a post from HackRead.com Read the original post: Gmail “From field” bug makes phishing attacks easier for hackers

Google Maps Has Introduced So Many New Features and Design Changes in Recent Months That Getting Directions On It is Becoming an Increasingly Challenging Task

Earlier this week, Google announced it is bringing business messaging to Maps, the latest in a myriad of features it has introduced to its mapping platform in recent months. A business that wants to participate will need to use Google's "My Business" verification system and its associated app to send and receive messages. While that could prove useful to a number of businesses and customers, it has raised a concern as well. From a report: But that leads me to my third feeling: what the heck is going on with Google Maps? It is becoming overburdened with so many features and design changes that it's becoming harder and harder to just get directions in it. There's Group Planning, there's a social-esque "follow" button for local businesses, you can share your ETA, there's a redesigned "Explore" section, and there's almost no way to get the damn thing to show you a cross street near your destination without three full minutes of desperate pinching and zooming and re-zooming. It's becoming bloated, is what I'm saying. It's Google's equivalent of Big Blue, as Facebook nicknames its flagship app that does a thousand things across countless strange nooks and crannies. It's as though Google wants to kill off Yelp once and for all, but can't let anybody notice how hard it's trying to do that so it just slow rolls those things into Google Maps instead.

Read more of this story at Slashdot.

How Google Photos Became a Perfect Jukebox for Our Memories

Google Photos, introduced in 2015, has become one of the most emotionally resonant pieces of technology today. It is also shaping our narratives along the way, writes The New York Times' Farhad Manjoo. From a story: Google's computers can recognize faces, even as they age over time. Photos also seems to understand the tone and emotional valence of human interaction, things like smiles, giggles, frowns, tantrums, dances of joy and even snippets of dialogue like "happy birthday!" or "good job!" The resulting montage, synced to a swelling Hollywood score, mixed obvious highlights -- birthdays, school plays -- with dozens of ordinary moments of childhood bliss. [...] This is what I mean about a sucker punch: Who expects software to make them cry? Images on Instagram and Snapchat may move you regularly, but Google Photos is not social media; it is personal media, a service begun three years ago primarily as a database to house our growing collections of private snaps -- and a service run mostly by machines, not by other humans posting and Liking stuff. And yet Google Photos has become one of the most emotionally resonant pieces of technology I regularly use. It is remarkable not just for how useful it is -- for how it has erased any headache in storing and searching through the tsunami of images we all produce. More than that, Photos is remarkable for what it portends about how we may one day understand ourselves through photography.

Read more of this story at Slashdot.

Google Went Down After Facing BGP Mishap

On Monday, numerous Internet users in the USA faced trouble after Google went down for over an hour. Upon scratching

Google Went Down After Facing BGP Mishap on Latest Hacking News.

Nigerian ISP Hijacks Google Traffic, Sends It Through Russia and China

A small Nigerian Internet service provider (ISP) hijacked traffic meant for Google data centers on Monday, re-routing local traffic through China and Russia and making some hosted services temporarily unavailable for users.

The post Nigerian ISP Hijacks Google Traffic, Sends It Through Russia and China appeared first on The Security Ledger.

Related Stories

Android Ecosystem Security Transparency Report is a wary first step

Reading through Google’s first quarterly Android Ecosystem Security Transparency Report feels like a mix of missed opportunities and déjà vu all over again.

Much of what is in the new Android ecosystem security report is data that has been part of Google’s annual Android Security Year in Review report, including the rates of potentially harmful applications (PHAs) on devices with and without sideloaded apps — spoiler alert: sideloading is much riskier — and rates of PHAs by geographical region. Surprisingly, the rates in Russia are lower than in the U.S.

The only other data in the Android ecosystem security report shows the percentage of devices with at least one PHA installed based on Android version. This is new data shows that the newer the version of Android, the less likely it is a device will have a PHA installed.

However, this also hints at the data Google didn’t include in the report, like how well specific hardware partners have done in updating devices to those newer versions of Android. Considering that Android 7.x Nougat is the most common version of the OS in the wild at 28.2% and the latest version 9.0 Pie hasn’t even cracked the 0.1% marker to be included in Google’s platform numbers, the smart money says OEM updating stats wouldn’t be too impressive.

There’s also the matter of Android security updates and the data around which hardware partners are best at pushing them out. Dave Kleidermacher, head of Android security and privacy, said at the Google I/O developer conference in May 2018 that the company was tracking which partners were best at pushing security updates and that it was considering adding hardware support details to future Android Ecosystem Security Transparency Reports. More recently, Google added stipulations to its OEM contracts mandating at least four security updates per year on Android devices.

It’s unclear why Google ultimately didn’t include this data in the report on Android ecosystem security, but Google has been hesitant to call out hardware partners for slow updates in the past. In addition to new requirements in Android partner contracts regarding security updates, there have been rules stating hardware partners need to update any device to the latest version of Android released in the first 18 months after a device launch. However, it has always been unclear what the punishment would be for breaking those rules. Presumably, it would be a ban on access to Google Play services, the Play Store and Google Apps, but there have never been reports of those penalties being enforced.

Google has taken steps to make Android updates easier, including Project Treble in Android 8.0 Oreo, which effectively decoupled the Android system from any software differentiation added by a hardware partner. But, since Android 7.x is still the most common version in the wild, it doesn’t appear as though that work has yielded much fruit yet.

Adding OS and security update stats to the Android Ecosystem Security Transparency Report could go a long way towards shaming OEMs into being better and giving consumers more information with which to make purchasing decisions, but time will tell if Google ever goes so far as to name OEMs specifically.

The post Android Ecosystem Security Transparency Report is a wary first step appeared first on Security Bytes.

Google sets Android security updates rules but enforcement is unclear

The vendor requirements for Android are a strange and mysterious thing but a new leak claims Google has added language to force manufacturers to push more regular Android security updates.

According to The Verge, Google’s latest contract will require OEMs to supply Android security updates for two years and provide at least four updates within the first year of a device’s release. Vendors will also have to release patches within 90 days of Google identifying a vulnerability.

Mandating more consistent Android security updates is certainly a good thing, but it remains unclear what penalties Google would levy against manufacturers that fail to provide the updates or if Google would follow through on any punitive actions.

It has been known for years that Google sets certain rules for manufacturers who want to include the Play Store, Play services and Google apps on Android devices, but because enforcement has been unclear the rules have sometimes been seen as mere suggestions.

For example, Google has had a requirement in place since the spring of 2011 mandating manufacturers to upgrade devices to the latest version of the Android OS released within 18 months of a device’s launch. However, because of the logistics issues of providing those OS updates, Google has rarely been known to enforce that requirement.

This can be seen in the Android OS distribution numbers, which are a complete mess. Currently, according to Google, the most popular version of Android on devices in the wild is Android 6.0 Marshmallow (21.6%), followed by Android 7.0 (19%), Android 5.1 (14.7%), Android 8.0 (13.4%) and Android 7.1 (10.3%). And not even showing up on Google’s numbers because it hasn’t hit the 0.1% threshold for inclusion is Android 9.0 released in August.

Theoretically, the ultimate enforcement of the Android requirements would be Google barring a manufacturer from releasing a device that includes Google apps and services, but there have been no reports of that ever happening. Plus, the European Union’s recent crackdown on Android give an indication that Google does wield control over the Android ecosystem — and was found to be abusing that power.

The ruling in the EU will allow major OEMs to release forked versions of Android without Google apps and services (something they were previously barred from doing by Google’s contract). It will also force Google to bundle the Play Store, services and most Google apps into a paid licensing bundle, while offering — but not requiring — the Chrome browser and Search as a free bundle. Although early rumors suggest Google might offset the cost of the apps bundle by paying OEMs to use Chrome and Google Search, effectively making it all free and sidestepping any actual change.

These changes only apply to Android devices released in the EU, but it should lead to more devices on the market running Android but featuring third-party apps and services. This could mean some real competition for Google from less popular Android forks such as Amazon’s Fire OS or Xiaomi’s MIUI.

It’s still unknown if the new rules regarding Android security updates are for the U.S. only or if they will be part of contracts in other regions. But, an unintended consequence of the EU rules might be to strengthen Google’s claim that the most secure Android devices are those with the Play Store and Play services.

Google has long leaned on its strong record of keeping malware out of the Play Store and off of user devices, if Play services are installed. Google consistently shows that the highest rates of malware come from sideloading apps in regions where the Play Store and Play services are less common — Russia and China – and where third-party sources are more popular.

Assuming the requirements for Android security updates do apply in other regions around the globe, it might be fair to also assume they’d be tied to the Google apps and services bundle (at least in the EU) because otherwise Google would have no way to put teeth behind the rules. So, not only would Google have its stats regarding how much malware is taken care of in the Play Store and on user devices by Play services, it might also have more stats showing those devices are more consistently updated and patched.

The Play Store, services and Google apps are an enticing carrot to dangle in front of vendors when requiring things like Android security updates, and there is reason to believe manufacturers would be willing to comply in order to get those apps and services, even if the penalties are unclear.

More competition will be coming to the Android ecosystem in the EU, and it’s not unreasonable to think that competition could spread to the U.S., especially if Google is scared to face similar actions by the U.S. government (as unlikely as that may seem).  And the less power Google apps and services have in the market, the  less force there will be behind any Google requirements for security updates.

 

The post Google sets Android security updates rules but enforcement is unclear appeared first on Security Bytes.

Safer Internet Day: 4 Things You Might Not Realise Your Webfilter Can Do

Since it's Safer Internet Day today, I thought i'd use it as an excuse to write a blog post. Regular readers will know I don't usually need an excuse, but I always feel better if I do.

Yesterday, I was talking to our Content Filter team about a post on the popular Edugeek forum, where someone asked "is it possible to block adult content in BBC iPlayer?". Well, with the right web filter, the answer is "yes", but how many people think to even ask the question? Certainly we hadn't thought much about formalising the answer. So I'm going to put together a list of things your web filter should be capable of, but you might not have realised...


1. Blocking adult content on "TV catch up" services like iPlayer. With use of the service soaring, it's important that any use in education is complemented with the right safeguards. We don't need students in class seeing things their parents wouldn't want them watching at home. There's a new section of the Smoothwall blocklist now which will deal with anything on iPlayer that the BBC deem unsuitable for minors.

2. Making Facebook and Twitter "Read Only". These social networks are great fun, and it can be useful to relax the rules a bit to prevent students swarming for 4G. A read-only approach can help reduce the incidence of cyber-bullying and keep users more focused.

3. Stripping the comments out of YouTube. YouTube is a wonderful resource, and the majority of video is pretty safe (use Youtube for Schools if you want to tie that down further — your filter can help you there too). The comments on videos, however, are often at best puerile and at worst downright offensive. Strip out the junk, and leave the learning tool - win win!

4. Busting Google searches back down to HTTP and forcing SafeSearch. Everybody appreciates a secure service, but when Google moved their search engine to HTTPS secure traffic by default, they alienated the education community. With SSL traffic it is much harder to vet search terms, log accesses in detain, and importantly force SafeSearch. Google give you DNS trickery to force the site back into plain HTTP - but that's a pain to implement, especially on a Windows DNS server. Use your web filter to rewrite the requests, and have the best of both.

Analyzing [Buy Cialis] Search Results

A few days ago I was updating the spammy word highlighting functionality in Unmask Parasites results and needed to test the changes on real websites. To find hacked websites with spammy content I would normally google for [viagra] or [cialis], which are arguably the most targeted keywords used in black hat SEO hacks. However after the Google’s June update in how they rank web pages for spammy queries, I didn’t have much expectation of seeing hacked sites on the first page of search results for my usual [buy cialis] query and was ready to check a few more pages.

Indeed, for queries like [payday loans] I can see quite relevant results on the first three pages. All sites are specialized and don’t look like doorways on hacked sites. That’s really good. For [viagra] I found only one result on the first page pointing to a doorway on a hacked site. Still good.

However, when I entered a really spammy combination [buy viagra], the search results were less than optimal — 5 out of 10 led to hacked sites. And at least 2 out of the rest 5 specialized sites were promoted using hidden links on hacked sites. Not good. And the worst results (although ideal for testing my update) were for the [buy cialis] query — 100% of results on the first page (10 out of 10) led to doorways on hacked sites or simply spammy web pages. Not a single result from websites that really have anything to do with cialis.

buy cialis results

Results analysis

Here is the breakdown of the first 10 results (links go to real time Unmask Parasites reports for these pages and at the moment of writing they all reveal spammy content. However this may change over time):

  1. www.epmonthly .com/advertise/ — doorway on a hacked site
  2. werenotsorry .com/ — strange spammy site with a rubbish content like this “The car buy cialis in your car is the ultimate well source of electrical amazing power in your car.
  3. incose .org/dom/ — doorway on a hacked site.
  4. www.deercrash .org/buy/cialis/online/ — doorway on a hacked site
  5. jon-odell .com/?p=54 — doorway on a hacked site
  6. www.goodgrief .org .au/Cialis/ — doorway on a hacked site
  7. www.asm .wisc .edu/buy-cialis — doorway on a hacked site
  8. www.mhfa .com .au/cms/finance-home/ — doorway on a hacked site
  9. www .plowtoplate .org/library/51.html — doorway on a hacked site
  10. john-leung .com/?p=16 — doorway on a hacked site

Over the course of the past week the results slightly fluctuated and sometimes I saw the following links on the first SERP.

Out of 18 links that I encountered on the first page for [buy cialis] 15 point to doorways on hacked sites, 1 to a site with unreadable machine-generated text (still not sure whether it’s some SEO experiment or a backdoor with a tricky search traffic processing procedure) and 2 specialized sites relevant to the query but with quite bad backlink profiles. Overall 0% of results that follow Google’s quality guidelines.

So the Google’s update for spammy queries doesn’t seem to work as it should at least for some über spammy queries. It’s sad. And the reason why I’m sad is not that I worry about people who use such queries on Google to buy some counterfeit drugs. My major concern is this situation justifies the huge number of sites (many thousands) that cyber-criminals hack in order to put a few of their doorways to the top for relevant queries on Google.

Behind the scenes

The above 15 hacked sites that I found on the first Google’s SERP are actually only a tip of the iceberg. Each of them is being linked to from many thousands (if not millions) pages from similarly hacked sites. Here you can see a sample list of sites that link to the above 15 (you might need a specialized tool like Unmask Parasites to see hidden and cloaked links there).

Many of the hacked web pages link to more than one doorway page, which maximizes changes that one of them will be finally chosen by Google to be displayed on the first page for one of the many targeted keywords. And at the same time this helps to have a pool of alternative doorways in case some of them will be removed by webmasters or penalized by Google. As a result, the networks of doorways, landing pages and link pages can be very massive. Here you can see a list with just a small part of spammy links (338 unique domains) that can be found on hacked web pages.

.gov, .edu and .org

Among those hacked sites you can find sites of many reputable organizations, which most likely greatly help to rank well on Google. There are many compromised sites of professional associations, universities and even governmental sites, for example (as of August 19th, 2013):

Volume of spammy backlinks

If you take some of the top results and check their backlink profiles (I used Majestic SEO Site Explorer), you’ll see how many domains can be compromised (or spammed) just in one black hat SEO campaign. And we know that there are many ongoing competing campaigns just for “cialis” search traffic, so you can imaging the overall impact.

backlink profile

On the above screenshot you can see that thousands of domains linking to “www .epmonthly .com/advertise/” using various “cialis” keywords.

The situation with “www. epmonthly .com/advertise/” is quite interesting. If you google for [“www.epmonthly .com/advertise/”] you’ll see more than a million results pointing to web pages where spammers used automated tools to post spammy links (including this one) in comments, profiles , etc. but failed to verify whether those sites accept the HTML code they were posting (still many sites, while escaping the HTML code, automatically make all URLs clickable, so those spammers finally achive their goal) .

Typical black hat SEO tricks

In addition to annoying but pretty harmless comment spamming, forum spamming and creating fake user profiles, black hats massively hack websites with established reputation and turn them into their SEO assets.

The most common use for a hacked site is injecting links pointing to promoted resources (it can be a final landing page, or a doorway, or an intermediary site with links). Here is what such web pages may look like in Unmask Parasites reports:

spammy keyword highlighting

To hide such links from site owners, hackers make them hidden. For example, they can place them in an off-screen <div>

<div style="position:absolute; left:-8745px;">...spammy links here...</div>

Or put them in a normal <div> and add a JavaScript to make this <div> invisible when a browser loads the page

<div id='hideMe'> ... spammy links here.... </div>
<script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script>

The JavaScript can be encrypted.

e v a l(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('2.1(\'0\').5.4="3";',6,6,'bestlinks|getElementById|document|none|display|style'.split('|'),0,{}))

which translates to

document.getElementById('bestlinks').style.display="none";

where “bestlinks” is the id of the <div> with spammy links.

Sometimes, encrypted JavaScript can be coupled with dynamic HTML generation of the link container. After decryption it looks like this:

document.w ri t e('<style><!-- .read {display:none} --></style><address class="read">');
...spammy links here...
document.wri te('</address>');

Of course, it’s only a client-side representation of the problem. On the server side, it’s rarely this straightforward. Most times it involves obfuscated (usually PHP) code in sneaky places (e.g. themes, plugins, DB, etc.)

Doorways

Sites that rely on black hat SEO techniques get penalized by Google soon enough so the can’t expect much search traffic directly from search engines. Instead they try to promote many disposable doorways on other reputable sites that would redirect search traffic to them.

The typical approach is to hack a website and use cloaking tricks (generating a specialized version with spammy keywords specifically for search engines while leaving the original content for normal visitors) to make search engines think that its pages are relevant for those spammy queries. E.g. check the title of the “www.epmonthly .com/advertise/” when you visit it in a browser (“Advertise“) and when you check it in Unmask Parasites or in Google’s Cache (“Buy Cialis (Tadalafil) Online – OVERNIGHT Shipping“). Then they add some functionality to distinguish visitors coming from search engines and redirect them to third party sites that pay hackers for such traffic.

The redirects may be implemented as .htaccess rules, client-side JavaScript code, or server-side PHP code.

Sometimes, instead of using cloaking, hackers simply create a whole spammy section in a subdirectory of a legitimate site, or a standalone doorway page. Example from our cialis search results: www .asm .wisc .edu/buy-cialis .

To Webmasters

It might be tricky to determine whether your site fell victim to a black hat SEO hack since hackers do their best to hide evidence from site owners and regular visitors. At the same time antivirus tools won’t help you here since links and redirects (in case they can actually see them) are not considered harmful. Nonetheless, a thoughtful webmaster is always equipped with proper tools and tricks (click here for details) to determine such issues. They range from specialized Google search queries and and reports in Webmaster Tools to log analysis and server-side integrity control.

In addition to the tricks that I described here, you can try to simply load your site with JavaScript turned off. Sometimes this is all it takes to find hidden links whose visibility is controlled by a script.

Fighting black hat SEO hacks

Of course, site owners are responsible for what happens with their sites, should protect them and clean them up in case of hacks. Doorways on hacked sites would never appear in search results if all webmasters would quickly mitigate such issues.

But let’s take a look at this from a different perspective. The main goal of all black hat SEO hacks is to put their doorways to the top on Google for relevant keywords and get a targeted search traffic. And 80% (or even more) massive campaigns target a very narrow set of keywords and their modification. If Google actively monitor the first pages of search results for such keywords and penalize doorways, this could significantly reduce efficacy of such campaigns leaving very few incentive to hack website to put spammy links there. And you don’t have to monitor every possible keyword combination. In my experience, most of them will finally point to the same doorways.

I can see Google moving in this direction. The description of the above mentioned ranking algorithm update is very promising. However, as the [buy cialis] query with 0% of relevant search results on the first page shows — a lot should be improved.

P.S Just before posting this article, I checked results for [buy cialis] once more and … surprise!.. found a link to a Wikipedia article about Tadalafil at the 4th position. Wow! Now we have 1 result that doesn’t seem to have anything to do with hacked sites.

Related posts