Blog

Announcing a unified vulnerability schema for open source (Google Online Security Blog)

Sécurité
Posted by Oliver Chang, Google Open Source Security team and Russ Cox, Go team In recent months, Google has launched several efforts to strengthen open-source security on multiple fronts. One important focus is improving how we identify and respond to known security vulnerabilities without doing extensive manual work. It is essential to have a precise common data format to triage and remediate security vulnerabilities, particularly when communicating about risks to affected dependencies—it enables easier automation and empowers consumers of open-source software to know when they are impacted and make security fixes as soon as possible.We released the Open Source Vulnerabilities (OSV) database in February with the goal of automating and improving vulnerability triage for developers and users of open source software. This initial effort was bootstrapped with a dataset of a…
Read More

How Cyber Sleuths Cracked an ATM Shimmer Gang (Krebs on Security)

Sécurité
In 2015, police departments worldwide started finding ATMs compromised with advanced new “shimming” devices made to steal data from chip card transactions. Authorities in the United States and abroad had seized many of these shimmers, but for years couldn’t decrypt the data on the devices. This is a story of ingenuity and happenstance, and how one former Secret Service agent helped crack a code that revealed the contours of a global organized crime ring. Jeffrey Dant was a special agent at the U.S. Secret Service for 12 years until 2015. After that, Dant served as the global lead for the fraud fusion center at Citi, one of the largest financial institutions in the United States. Not long after joining Citi, Dant heard from industry colleagues at a bank in Mexico…
Read More

How Cyber Safe is Your Drinking Water Supply? (Krebs on Security)

Sécurité
Amid multiple recent reports of hackers breaking into and tampering with drinking water treatment systems comes a new industry survey with some sobering findings: A majority of the 52,000 separate drinking water systems in the United States still haven’t inventoried some or any of their information technology systems — a basic first step in protecting networks from cyberattacks. The Water Information Sharing and Analysis Center (WaterISAC) — an industry group that tries to facilitate information sharing and the adoption of best practices among utilities in the water sector — surveyed roughly 600 employees of water and wastewater treatment facilities nationwide, and found 37.9 percent of utilities have identified all IT-networked assets, with an additional 21.7 percent working toward that goal. The ISAC found when it comes to IT systems tied…
Read More

Get ready for the 2021 Google CTF (Google Online Security Blog)

Sécurité
Posted by Kristoffer Janke, Information Security EngineerAre you ready for no sleep, no chill and a lot of hacking? Our annual Google CTF is back!The competition kicks off on Saturday July 17 00:00:01 AM UTC and runs through Sunday July 18 23:59:59 UTC. Teams can register at http://goo.gle/ctf. Just like last year, the top 16 teams will qualify for our Hackceler8 speed run and the chance to take home a total of $30,301.70 in prize money.As we reminisce on last years event, we’d be remiss if we didn’t recognize our 2020 winning teams: Plaid Parliament of PwningI Use BingpastenThe Flat Network SocietyWe are eager to see if they can defend their leet status. For those interested, we have published all 2020 Hackceler8 videos for your viewing pleasure here.Whether you’re a…
Read More

First American Financial Pays Farcical $500K Fine (Krebs on Security)

Sécurité
In May 2019, KrebsOnSecurity broke the news that the website of mortgage settlement giant First American Financial Corp. [NYSE:FAF] was leaking more than 800 million documents — many containing sensitive financial data — related to real estate transactions dating back 16 years. This week, the U.S. Securities and Exchange Commission settled its investigation into the matter after the Fortune 500 company agreed to pay a paltry penalty of less than $500,000. First American Financial Corp. If you bought or sold a property in the last two decades or so, chances are decent that you also gave loads of personal and financial documents to First American. According to data from the American Land Title Association, First American is the second largest mortgage title and settlement company in the United States, handling…
Read More

Introducing SLSA, an End-to-End Framework for Supply Chain Integrity (Google Online Security Blog)

Sécurité
Posted Kim Lewandowski, Google Open Source Security Team & Mark Lodato, Binary Authorization for Borg Team Supply chain integrity attacks—unauthorized modifications to software packages—have been on the rise in the past two years, and are proving to be common and reliable attack vectors that affect all consumers of software. The software development and deployment supply chain is quite complicated, with numerous threats along the source ➞ build ➞ publish workflow. While point solutions do exist for some specific vulnerabilities, there is no comprehensive end-to-end framework that both defines how to mitigate threats across the software supply chain, and provides reasonable security guarantees. There is an urgent need for a solution in the face of the eye-opening, multi-billion dollar attacks in recent months (e.g. SolarWinds, Codecov), some of which could have been…
Read More

Ukrainian Police Nab Six Tied to CLOP Ransomware (Krebs on Security)

Sécurité
Authorities in Ukraine this week charged six people alleged to be part of the CLOP ransomware group, a cybercriminal gang said to have extorted more than half a billion dollars from victims. Some of CLOP’s victims this year alone include Stanford University Medical School, the University of California, and University of Maryland. A still shot from a video showing Ukrainian police seizing a Tesla, one of many high-end vehicles seized in this week’s raids on the Clop gang. According to a statement and videos released today, the Ukrainian Cyber Police charged six defendants with various computer crimes linked to the CLOP gang, and conducted 21 searches throughout the Kyiv region. First debuting in early 2019, CLOP is one of several ransomware groups that hack into organizations, launch ransomware that encrypts files and…
Read More

How Does One Get Hired by a Top Cybercrime Gang? (Krebs on Security)

Sécurité
The U.S. Department of Justice (DOJ) last week announced the arrest of a 55-year-old Latvian woman who’s alleged to have worked as a programmer for Trickbot, a malware-as-a-service platform responsible for infecting millions of computers and seeding many of those systems with ransomware. Just how did a self-employed web site designer and mother of two come to work for one of the world’s most rapacious cybercriminal groups and then leave such an obvious trail of clues indicating her involvement with the gang? This post explores answers to those questions, as well as some of the ways Trickbot and other organized cybercrime gangs gradually recruit, groom and trust new programmers. Alla Witte’s personal website — allawitte[.]nl — circa October 2018. The indictment released by the DOJ (PDF) is heavily redacted, and…
Read More

Microsoft Patches Six Zero-Day Security Holes (Krebs on Security)

Sécurité
Microsoft today released another round of security updates for Windows operating systems and supported software, including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks. June’s Patch Tuesday addresses just 49 security holes — about half the normal number of vulnerabilities lately. But what this month lacks in volume it makes up for in urgency: Microsoft warns that bad guys are leveraging a half-dozen of those weaknesses to break into computers in targeted attacks. Among the zero-days are: –CVE-2021-33742, a remote code execution bug in a Windows HTML component. –CVE-2021-31955, an information disclosure bug in the Windows Kernel –CVE-2021-31956, an elevation of privilege flaw in Windows NTFS –CVE-2021-33739, an elevation of privilege flaw in the Microsoft Desktop Window Manager –CVE-2021-31201, an elevation of privilege flaw…
Read More

Rust/C++ interop in the Android Platform (Google Online Security Blog)

Sécurité
Posted by Joel Galenson and Matthew Maurer, Android Team One of the main challenges of evaluating Rust for use within the Android platform was ensuring we could provide sufficient interoperability with our existing codebase. If Rust is to meet its goals of improving security, stability, and quality Android-wide, we need to be able to use Rust anywhere in the codebase that native code is required. To accomplish this, we need to provide the majority of functionality platform developers use. As we discussed previously, we have too much C++ to consider ignoring it, rewriting all of it is infeasible, and rewriting older code would likely be counterproductive as the bugs in that code have largely been fixed. This means interoperability is the most practical way forward.Before introducing Rust into the Android…
Read More