Blog

Announcing the Android Ready SE Alliance (Google Online Security Blog)

Sécurité
Posted by Sudhi Herle and Jason Wong, Android Team When the Pixel 3 launched in 2018, it had a new tamper-resistant hardware enclave called Titan M. In addition to being a root-of-trust for Pixel software and firmware, it also enabled tamper-resistant key storage for Android Apps using StrongBox. StrongBox is an implementation of the Keymaster HAL that resides in a hardware security module. It is an important security enhancement for Android devices and paved the way for us to consider features that were previously not possible. StrongBox and tamper-resistant hardware are becoming important requirements for emerging user features, including: Digital keys (car, home, office) Mobile Driver’s License (mDL), National ID, ePassports eMoney solutions (for example, Wallet) All these features need to run on tamper-resistant hardware to protect the integrity of…
Read More

Phish Leads to Breach at Calif. State Controller (Krebs on Security)

Sécurité
A phishing attack last week gave attackers access to email and files at the California State Controller’s Office (SCO), an agency responsible for handling more than $100 billion in public funds each year. The phishers had access for more than 24 hours, and sources tell KrebsOnSecurity the intruders used that time to steal Social Security numbers and sensitive files on thousands of state workers, and to send targeted phishing messages to at least 9,000 other workers and their contacts. A notice of breach posted by the California State Controller’s Office. In a “Notice of Data Breach” message posted on Saturday, Mar. 20, the Controller’s Office said that for more than 24 hours starting on the afternoon of March 18 attackers had access to the email records of an employee in…
Read More

RedTorch Formed from Ashes of Norse Corp. (Krebs on Security)

Sécurité
Remember Norse Corp., the company behind the interactive “pew-pew” cyber attack map shown in the image below? Norse imploded rather suddenly in 2016 following a series of managerial missteps and funding debacles. Now, the founders of Norse have launched a new company with a somewhat different vision: RedTorch, which for the past two years has marketed a mix of services to high end celebrity clients, including spying and anti-spying tools and services. A snapshot of Norse’s semi-live attack map, circa Jan. 2016. Norse’s attack map was everywhere for several years, and even became a common sight in the “brains” of corporate security operations centers worldwide. Even if the data that fueled the maps was not particularly useful, the images never failed to enthrall visitors viewing them on room-sized screens. “In…
Read More

Announcing the winners of the 2020 GCP VRP Prize (Google Online Security Blog)

Sécurité
Posted by Harshvardhan Sharma, Information Security Engineer, Google We first announced the GCP VRP Prize in 2019 to encourage security researchers to focus on the security of Google Cloud Platform (GCP), in turn helping us make GCP more secure for our users, customers, and the internet at large. In the first iteration of the prize, we awarded $100,000 to the winning write-up about a security vulnerability in GCP. We also announced that we would reward the top 6 submissions in 2020 and increased the total prize money to $313,337.2020 turned out to be an amazing year for the Google Vulnerability Reward Program. We received many high-quality vulnerability reports from our talented and prolific vulnerability researchers. Vulnerability reports received year-over-yearThis trend was reflected in the submissions we received for the GCP VRP…
Read More

Fintech Giant Fiserv Used Unclaimed Domain (Krebs on Security)

Sécurité
If you sell Web-based software for a living and ship code that references an unregistered domain name, you are asking for trouble. But when the same mistake is made by a Fortune 500 company, the results can range from costly to disastrous. Here’s the story of one such goof committed by Fiserv [NASDAQ:FISV], a $6 billion firm that provides online banking software and other technology solutions to thousands of financial institutions. In November 2020, KrebsOnSecurity heard from security researcher Abraham Vegh, who noticed something odd while inspecting an email from his financial institution. Vegh could see the message from his bank referenced a curious domain: defaultinstitution.com. A quick search of WHOIS registration records showed the domain was unregistered. Wondering whether he might receive email communications to that address if he…
Read More

Can We Stop Pretending SMS Is Secure Now? (Krebs on Security)

Sécurité
SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of people (many of them low-paid mobile store employees) who can be tricked or bribed into swapping control over a mobile phone number to someone else. Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept text messages intended for other mobile users. Security researcher “Lucky225” worked with Vice.com’s Joseph Cox to intercept Cox’s incoming text messages with his permission. Lucky225 showed how anyone could do the same after creating an account at a service called Sakari, a company that helps celebrities and businesses do SMS marketing and mass messaging. The “how they did it” was sickeningly simple. It cost just $16, and there…
Read More

Google, HTTPS, and device compatibility (Google Online Security Blog)

Sécurité
Posted by Ryan Hurst, Product Management, Google Trust ServicesEncryption is a fundamental building block when you’re on a mission to organize the world’s information and make it universally accessible with strong security and privacy. This is why a little over four years ago we created Google Trust Services—our publicly trusted Certificate Authority (CA).The road to becoming a publicly trusted certificate authority is a long one - especially if the certificates you issue will be used by some of the most visited sites on the internet. When we started on this journey, our goal was that within five years our root certificates would be embedded in enough devices that we could do a single transition to our long-term root certificates. There are still a large number of active used devices that…
Read More

WeLeakInfo Leaked Customer Payment Info (Krebs on Security)

Sécurité
A little over a year ago, the FBI and law enforcement partners overseas seized WeLeakInfo[.]com, a wildly popular service that sold access to more than 12 billion usernames and passwords stolen from thousands of hacked websites. In an ironic turn of events, a lapsed domain registration tied to WeLeakInfo let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card. For several years, WeLeakInfo was the largest of several services selling access to hacked passwords. Prosecutors said it had indexed, searchable information from more than 10,000 data breaches containing over 12 billion indexed records — including names, email addresses, usernames, phone numbers, and passwords for online accounts. For a small fee, you could enter an email address and see every password…
Read More

A Spectre proof-of-concept for a Spectre-proof web (Google Online Security Blog)

Sécurité
Posted by Stephen Röttger and Artur Janc, Information Security EngineersThree years ago, Spectre changed the way we think about security boundaries on the web. It quickly became clear that flaws in modern processors undermined the guarantees that web browsers could make about preventing data leaks between applications. As a result, web browser vendors have been continuously collaborating on approaches intended to harden the platform at scale. Nevertheless, this class of attacks still remains a concern and requires web developers to deploy application-level mitigations.In this post, we will share the results of Google Security Team's research on the exploitability of Spectre against web users, and present a fast, versatile proof-of-concept (PoC) written in JavaScript which can leak information from the browser's memory. We've confirmed that this proof-of-concept, or its variants, function…
Read More

#ShareTheMicInCyber: Brooke Pearson (Google Online Security Blog)

Sécurité
Posted by Parisa Tabriz, Head of Chrome Product, Engineering and UX In an effort to showcase the breadth and depth of Black+ contributions to security and privacy fields, we’ve launched a profile series that aims to elevate and celebrate the Black+ voices in security and privacy we have here at Google.Brooke Pearson manages the Privacy Sandbox program at Google, and her team's mission is to, “Create a thriving web ecosystem that is respectful of users and private by default.” Brooke lives this mission and it is what makes her an invaluable asset to the Chrome team and Google. In addition to her work advancing the fields of security and privacy, she is a fierce advocate for women in the workplace and for elevating the voices of her fellow Black+ practitioners in security…
Read More