Blog

Posted by Kees Cook, Software Engineer, Google Open Source Security TeamTo borrow from an excellent analogy between the modern computer ecosystem and the US automotive industry of the 1960s, the Linux kernel runs well: when driving down the highway, you're not sprayed in the face with oil and gasoline, and you quickly get where you want to go. However, in the face of failure, the car may end up on fire, flying off a cliff.As we approach its 30th Anniversary, Linux still remains the largest collaborative development project in the history of computing. The huge community surrounding Linux allows it to do amazing things and run smoothly. What's still missing, though, is sufficient focus to make sure that Linux fails well too. There's a strong link between code robustness and…

Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database. Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another. One might even say passwords are the fossil fuels powering most IT modernization: They’re ubiquitous because they are cheap and easy to use, but that means they also come with significant trade-offs — such as polluting the Internet with weaponized data…

Posted by Jan Keller, Technical Program Manager, Google VRP A little over 10 years ago, we launched our Vulnerability Rewards Program (VRP). Our goal was to establish a channel for security researchers to report bugs to Google and offer an efficient way for us to thank them for helping make Google, our users, and the Internet a safer place. To recap our progress on these goals, here is a snapshot of what VRP has accomplished with the community over the past 10 years:Total bugs rewarded: 11,055Number of rewarded researchers: 2,022Representing 84 different countriesTotal rewards: $29,357,516To celebrate our anniversary and ensure the next 10 years are just as (or even more) successful and collaborative, we are excited to announce the launch of our new platform, bughunters.google.com.This new site brings all of our…

Joseph “PlugwalkJoe” O’Connor, in a photo from a paid press release on Sept. 02, 2020, pitching him as a trustworthy cryptocurrency expert and advisor. One day after last summer’s mass-hack of Twitter, KrebsOnSecurity wrote that 22-year-old British citizen Joseph “PlugwalkJoe” O’Connor appeared to have been involved in the incident. When the U.S. Justice Department last week announced O’Connor’s arrest and indictment, his alleged role in the Twitter compromise was well covered in the media. But most of the coverage seems to have overlooked the far more sinister criminal charges in the indictment, which involve an underground scene wherein young men turn to extortion, sextortion, SIM swapping, death threats and physical attacks — all in a frenzied effort to seize control over social media accounts. Skim the government’s indictment and you…

A 18-year-old Tennessee man who helped set in motion a fraudulent distress call to police that lead to the death of a 60-year-old grandfather in 2020 was sentenced to 60 months in prison today. 60-year-old Mark Herring died of a heart attack after police surrounded his home in response to a swatting attack. Shane Sonderman, of Lauderdale County, Tenn. admitted to conspiring with a group of criminals that’s been “swatting” and harassing people for months in a bid to coerce targets into giving up their valuable Twitter and Instagram usernames. At Sonderman’s sentencing hearing today, prosecutors told the court the defendant and his co-conspirators would text and call targets and their families, posting their personal information online and sending them pizzas and other deliveries of food as a harassment technique.…

Peter Levashov, appearing via Zoom at his sentencing hearing today. A federal judge in Connecticut today handed down a sentence of time served to spam kingpin Peter “Severa” Levashov, a prolific purveyor of malicious and junk email, and the creator of malware strains that infected millions of Microsoft computers globally. Levashov has been in federal custody since his extradition to the United States and guilty plea in 2018, and was facing up to 12 more years in prison. Instead, he will go free under three years of supervised release and a possible fine. A native of St. Petersburg, Russia, the 40-year-old Levashov operated under the hacker handle “Severa.” Over the course of his 15-year cybercriminal career, Severa would emerge as a pivotal figure in the cybercrime underground, serving as the primary…

Posted by Sarah Morales, Community Outreach Manager, Security It’s no secret that lack of diversity in corporate America is a well-documented problem and improvements have been slow. To help improve female representation in the cybersecurity industry, Google teamed up with Women in Cybersecurity (WiCyS) and SANS Institute a year ago to establish the Security Training Scholarship Program. The multi-stage security training program set participants on a path to launch and advance their careers in cybersecurity through skills development, introducing them to fundamental cybersecurity concepts with interactive challenges like Capture the Flag (CTF) and the SANS CyberStart Game, which introduces topics such as Linux, web attacks, programming, forensics, and more. Mentors and peers guide the participants through each stage of the program and top qualifiers then graduate and receive access to the…

Posted by Charlie Reis​ and Alex Moshchuk, Chrome Security TeamChrome's Site Isolation is an essential security defense that makes it harder for malicious web sites to steal data from other web sites. On Windows, Mac, Linux, and Chrome OS, Site Isolation protects all web sites from each other, and also ensures they do not share processes with extensions, which are more highly privileged than web sites. As of Chrome 92, we will start extending this capability so that extensions can no longer share processes with each other. This provides an extra line of defense against malicious extensions, without removing any existing extension capabilities. Meanwhile, Site Isolation on Android currently focuses on protecting only high-value sites, to keep performance overheads low. Today, we are announcing two Site Isolation improvements that will…

Browse the comments on virtually any story about a ransomware attack and you will almost surely encounter the view that the victim organization could have avoided paying their extortionists if only they’d had proper data backups. But the ugly truth is there are many non-obvious reasons why victims end up paying even when they have done nearly everything right from a data backup perspective. This story isn’t about what organizations do in response to cybercriminals holding their data for hostage, which has become something of a best practice among most of the top ransomware crime groups today. Rather, it’s about why victims still pay for a key needed to decrypt their systems even when they have the means to restore everything from backups on their own. Experts say the biggest…

Posted by Ryan Hurst, Production Security TeamThe way we design and build software is continually evolving. Just as we now think of security as something we build into software from the start, we are also increasingly looking for new ways to minimize trust in that software. One of the ways we can do that is by designing software so that you can get cryptographic certainty of what the software has done.In this post, we'll introduce the concept of verifiable data structures that help us get this cryptographic certainty. We'll describe some existing and new applications of verifiable data structures, and provide some additional resources we have created to help you use them in your own applications. A verifiable data structure is a class of data structure that lets people efficiently…