• https://www.schneier.com »

Meta has threatened to pull WhatsApp out of India if the courts try to force it to break its end-to-end encryption.
https://www.schneier.com/blog/archives/2024/04/whatsapp-in-india.html

• https://www.schneier.com »

During the Cold War, the US Navy tried to make a secret code out of whale song. The basic plan was to develop coded messages from recordings of whales, dolphins, sea lions, and seals. The submarine would broadcast the noises and a computer—the Combo Signal Recognizer (CSR)—would detect the specific patterns and decode them on the other end. In theory, this idea was relatively simple. As work progressed, the Navy found a number of complicated problems to overcome, the bulk of which centered on the authenticity of the code itself. The message structure couldn’t just substitute the moaning of a whale or a crying seal for As and Bs or even whole words. In addition, the sounds Navy technicians recorded between 1959 and 1965 all had natural background noise. With the technology available, it would have been hard to scrub that out. Repeated blasts of the same sounds with identical extra noise would stand out to even untrained sonar operators...
https://www.schneier.com/blog/archives/2024/04/whale-song-code.html

• https://www.schneier.com »

A cruise ship is searching for the colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here.
https://www.schneier.com/blog/archives/2024/04/friday-squid-blogging-searching-for-the-colossal-squid.html

• https://www.schneier.com »

Kashmir Hill has a really good article on how GM tricked its drivers into letting it spy on them—and then sold that data to insurance companies.
https://www.schneier.com/blog/archives/2024/04/long-article-on-gm-spying-on-its-cars-drivers.html

• https://www.schneier.com »

The web has become so interwoven with everyday life that it is easy to forget what an extraordinary accomplishment and treasure it is. In just a few decades, much of human knowledge has been collectively written up and made available to anyone with an internet connection. But all of this is coming to an end. The advent of AI threatens to destroy the complex online ecosystem that allows writers, artists, and other creators to reach human audiences. To understand why, you must understand publishing. Its core task is to connect writers to an audience. Publishers work as gatekeepers, filtering candidates and then amplifying the chosen ones. Hoping to be selected, writers shape their work in various ways. This article might be written very differently in an academic publication, for example, and publishing it here entailed pitching an editor, revising multiple drafts for style and focus, and so on...
https://www.schneier.com/blog/archives/2024/04/the-rise-of-large.html

• http://security.googleblog.com »

Posted Kaleigh Rosenblat, Chrome Enterprise Senior Staff Software Engineer, Security Lead Generative AI has emerged as a powerful and popular tool to automate content creation and simple tasks. From customized content creation to source code generation, it can increase both our productivity and creative potential. Businesses want to leverage the power of LLMs, like Gemini, but many may have security concerns and want more control around how employees make sure of these new tools. For example, companies may want to ensure that various forms of sensitive data, such as Personally Identifiable Information (PII), financial records and internal intellectual property, is not to be shared publicly on Generative AI platforms. Security leaders face the challenge of finding the right balance — enabling employees to leverage AI to boost efficiency, while also safeguarding corporate data. In this blog post, we'll explore reporting and enforcement policies that enterprise security teams can implement within Chrome Enterprise Premium for data loss prevention (DLP).1. View login events* to understand usage of Generative AI services within the organization. With Chrome Enterprise's Reporting Connector, security and IT teams can see when a user successfully signs into a specific domain, including Generative AI websites. Security Operations teams can further leverage this telemetry to detect anomalies and threats by streaming the data into Chronicle or other third-party SIEMs at no additional cost.2. Enable URL Filtering to warn users about sensitive data policies and let them decide whether or not they want to navigate to the URL, or to block users from navigating to certain groups of sites altogether.For example, with Chrome Enterprise URL Filtering, IT admins can create rules that warn developers not to submit source code to specific Generative AI apps or tools, or block them.3. Warn, block or monitor sensitive data actions within Generative AI websites with dynamic content-based rules for actions like paste, file uploads/downloads, and print. Chrome Enterprise DLP rules give IT admins granular control over browser activities, such as entering financial information in Gen AI websites. Admins can customize DLP rules to restrict the type and amount of data entered into these websites from managed browsers.For most organizations, safely leveraging Generative AI requires a certain amount of control. As enterprises work through their policies and processes involving GenAI, Chrome Enterprise Premium empowers them to strike the balance that works best. Hear directly from security leaders at Snap on their use of DLP for Gen AI in this recording here.Learn more about how Chrome Enterprise can secure businesses just like yours here.*Available at no additional cost in Chrome Enterprise Core
http://security.googleblog.com/2024/04/prevent-generative-ai-data-leaks-with.html

• http://security.googleblog.com »

Posted by Dave Kleidermacher, VP Engineering, Android Security and Privacy Keeping people safe and their data secure and private is a top priority for Android. That is why we took our time when designing the new Find My Device, which uses a crowdsourced device-locating network to help you find your lost or misplaced devices and belongings quickly – even when they’re offline. We gave careful consideration to the potential user security and privacy challenges that come with device finding services. During development, it was important for us to ensure the new Find My Device was secure by default and private by design. To build a private, crowdsourced device-locating network, we first conducted user research and gathered feedback from privacy and advocacy groups. Next, we developed multi-layered protections across three main areas: data safeguards, safety-first protections, and user controls. This approach provides defense-in-depth for Find My Device users. How location crowdsourcing works on the Find My Device network The Find My Device network locates devices by harnessing the Bluetooth proximity of surrounding Android devices. Imagine you drop your keys at a cafe. The keys themselves have no location capabilities, but they may have a Bluetooth tag attached. Nearby Android devices participating in the Find My Device network report the location of the Bluetooth tag. When the owner realizes they have lost their keys and logs into the Find My Device mobile app, they will be able to see the aggregated location contributed by nearby Android devices and locate their keys. Find My Device network protections Let’s dive into key details of the multi-layered protections for the Find My Device network: Data Safeguards: We’ve implemented protections that help ensure the privacy of everyone participating in the network and the crowdsourced location data that powers it. Location data is end-to-end encrypted. When Android devices participating in the network report the location of a Bluetooth tag, the location is end-to-end encrypted using a key that is only accessible to the Bluetooth tag owner and anyone the owner has shared the tag with in the Find My Device app. Only the Bluetooth tag owner (and those they’ve chosen to share access with) can decrypt and view the tag’s location. With end-to-end encrypted location data, Google cannot decrypt, see, or otherwise use the location data. Private, crowdsourced location reports. These end-to-end encrypted locations are contributed to the Find My Device network in a manner that does not allow Google to identify the owners of the nearby Android devices that provided the location data. And when the Find My Device network shows the location and timestamp to the Bluetooth tag’s owner to help them find their belongings, no other information about the nearby Android devices that contributed the data is included. Minimizing network data. End-to-end encrypted location data is minimally buffered and frequently overwritten. In addition, if the network can help find a Bluetooth tag using the owner’s nearby devices (e.g., if their own phone detects the tag), the network will discard crowdsourced reports for the tag. Safety-first Protections: The Find My Device network protects against risks such as use of an unknown Bluetooth tag to stalk or identify another user, including: Aggregation by default. This is a first-of-its-kind safety protection that makes unwanted tracking to a private location, like your home, more difficult. By default, the Find My Device network requires multiple nearby Android devices to detect a tag before reporting its location to the tag's owner. Our research found that the Find My Device network is most valuable in public settings like cafes and airports, where there are likely many devices nearby. By implementing aggregation before showing a tag’s location to its owner, the network can take advantage of its biggest strength – over a billion Android devices that can participate. This helps tag owners find their lost devices in these busier locations while prioritizing safety from unwanted tracking near private locations. In less busy areas, last known location and Nest finding are reliable ways to locate items. At home protection. If a user has chosen to save their home address in their Google Account, their Android device will also ensure that it does not contribute crowdsourced location reports to the Find My Device network when it is near the user’s home. This provides additional protection on top of aggregation by default against unwanted tracking near private locations. Rate limiting and throttling. The Find My Device network limits the number of times that a nearby Android device can contribute a location report for a particular Bluetooth tag. The network also throttles how frequently the owner of a Bluetooth tag can request an updated location for the tag. We've found that lost items are typically left behind in stationary spots. For example, you lose your keys at the cafe, and they stay at the table where you had your morning coffee. Meanwhile, a malicious user is often trying to engage in real-time tracking of a person. By applying rate limiting and throttling to reduce how often the location of a device is updated, the network continues to be helpful for finding items, like your lost checked baggage on a trip, while helping mitigate the risk of real-time tracking. Unknown tracker alerts. The Find My Device network is also compliant with the integration version of the joint industry standard for unwanted tracking. Being compliant with the integration version of the standard means that both Android and iOS users will receive unknown tracker alerts if the on-device algorithm detects that someone may be using a Find My Device network-compatible tag to track them without their knowledge, proactively alerting the user through a notification on their phone. User Controls: Android users always have full control over which of their devices participate in the Find My Device network and how those devices participate. Users can either stick with the default and contribute to aggregated location reporting, opt into contributing non-aggregated locations, or turn the network off altogether. Find My Device also provides the ability to secure or erase data from a lost device. In addition to careful security architectural design, the new Find My Device network has undergone internal Android red team testing. The Find My Device network has also been added to the Android security vulnerability rewards program to take advantage of Android’s global ecosystem of security researchers. We’re also engaging with select researchers through our private grant program to encourage more targeted research. Prioritizing user safety on Find My Device Together, these multi-layered user protections help mitigate potential risks to user privacy and safety while allowing users to effectively locate and recover lost devices. As bad actors continue to look for new ways to exploit users, our work to help keep users safe on Android is never over. We have an unwavering commitment to continue to improve user protections on Find My Device and prioritize user safety. For more information about Find My Device on Android, please visit our help center. You can read the Find My Device Network Accessory specification here.
http://security.googleblog.com/2024/04/find-my-device-network-security-privacy-protections.html

• http://security.googleblog.com »

Tianhao Chi and Puneet Sood, Google Public DNSThe Domain Name System (DNS) is a fundamental protocol used on the Internet to translate human-readable domain names (e.g., www.example.com) into numeric IP addresses (e.g., 192.0.2.1) so that devices and servers can find and communicate with each other. When a user enters a domain name in their browser, the DNS resolver (e.g. Google Public DNS) locates the authoritative DNS nameservers for the requested name, and queries one or more of them to obtain the IP address(es) to return to the browser.When DNS was launched in the early 1980s as a trusted, content-neutral infrastructure, security was not yet a pressing concern, however, as the Internet grew DNS became vulnerable to various attacks. In this post, we will look at DNS cache poisoning attacks and how Google Public DNS addresses the risks associated with them.DNS Cache Poisoning AttacksDNS lookups in most applications are forwarded to a caching resolver (which could be local or an open resolver like. Google Public DNS). The path from a client to the resolver is usually on a local network or can be protected using encrypted transports like DoH, DoT. The resolver queries authoritative DNS servers to obtain answers for user queries. This communication primarily occurs over UDP, an insecure connectionless protocol, in which messages can be easily spoofed including the source IP address. The content of DNS queries may be sufficiently predictable that even an off-path attacker can, with enough effort, forge responses that appear to be from the queried authoritative server. This response will be cached if it matches the necessary fields and arrives before the authentic response. This type of attack is called a cache poisoning attack, which can cause great harm once successful. According to RFC 5452, the probability of success is very high without protection. Forged DNS responses can lead to denial of service, or may even compromise application security. For an excellent introduction to cache poisoning attacks, please see “An Illustrated Guide to the Kaminsky DNS Vulnerability”.Cache poisoning mitigations in Google Public DNSImproving DNS security has been a goal of Google Public DNS since our launch in 2009. We take a multi-pronged approach to protect users against DNS cache-poisoning attacks. There is no silver bullet or countermeasure that entirely solves the problem, but in combination they make successful attacks substantially more difficult.RFC 5452 And DNS CookiesWe have implemented the basic countermeasures outlined in RFC 5452 namely randomizing query source ports and query IDs. But these measures alone are not sufficient (see page 8 of our OARC 38 presentation).We have therefore also implemented support for RFC 7873 (DNS Cookies) which can make spoofing impractical if it’s supported by the authoritative server. Measurements indicate that the DNS Cookies do not provide sufficient coverage, even though around 40% of nameservers by IP support DNS Cookies, these account for less than 10% of overall query volume. In addition, many non-compliant nameservers return incorrect or ambiguous responses for queries with DNS Cookies, which creates further deployment obstacles. For now, we’ve enabled DNS Cookies through manual configuration, primarily for selected TLD zones.Case Randomization (0x20)The query name case randomization mechanism, originally proposed in a March 2008 draft “Use of Bit 0x20 in DNS Labels to Improve Transaction Identity”, however, is highly effective, because all but a small minority of nameservers are compatible with query name case randomization. We have been performing case randomization of query names since 2009 to a small set of chosen nameservers that handle only a minority of our query volume. In 2022 we started work on enabling case randomization by default, which when used, the query name in the question section is randomized and the DNS server’s response is expected to match the case-randomized query name exactly in the request. For example, if “ExaMplE.CoM” is the name sent in the request, the name in the question section of the response must also be “ExaMplE.CoM” rather than, e.g., “example.com.” Responses that fail to preserve the case of the query name may be dropped as potential cache poisoning attacks (and retried over TCP).We are happy to announce that we’ve already enabled and deployed this feature globally by default. It covers over 90% of our UDP traffic to nameservers, significantly reducing the risk of cache poisoning attacks.Meanwhile, we maintain an exception list and implement fallback mechanisms to prevent potential issues with non-conformant nameservers. However we strongly recommend that nameserver implementations preserve the query case in the response.DNS-over-TLSIn addition to case randomization, we’ve deployed DNS-over-TLS to authoritative nameservers (ADoT), following procedures described in RFC 9539 (Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS). Real world measurements show that ADoT has a higher success rate and comparable latency to UDP. And ADoT is in use for around 6% of egress traffic. At the cost of some CPU and memory, we get both security and privacy for nameserver queries without DNS compliance issues.SummaryGoogle Public DNS takes security of our users seriously. Through multiple countermeasures to cache poisoning attacks, we aim to provide a more secure and reliable DNS resolution service, enhancing the overall Internet experience for users worldwide. With the measures described above we are able to provide protection against passive attacks for over 90% of authoritative queries. To enhance DNS security, we recommend that DNS server operators support one or more of the  security mechanisms described here. We are also working with the DNS community to improve DNS security. Please see our presentations at DNS-OARC 38 and 40 for more technical details.
http://security.googleblog.com/2024/03/google-public-dnss-approach-to-fight.html

• http://security.googleblog.com »

Posted by Eugene Rodionov and Ivan Lozano, Android Team With steady improvements to Android userspace and kernel security, we have noticed an increasing interest from security researchers directed towards lower level firmware. This area has traditionally received less scrutiny, but is critical to device security. We have previously discussed how we have been prioritizing firmware security, and how to apply mitigations in a firmware environment to mitigate unknown vulnerabilities. In this post we will show how the Kernel Address Sanitizer (KASan) can be used to proactively discover vulnerabilities earlier in the development lifecycle. Despite the narrow application implied by its name, KASan is applicable to a wide-range of firmware targets. Using KASan enabled builds during testing and/or fuzzing can help catch memory corruption vulnerabilities and stability issues before they land on user devices. We've already used KASan in some firmware targets to proactively find and fix 40+ memory safety bugs and vulnerabilities, including some of critical severity. Along with this blog post we are releasing a small project which demonstrates an implementation of KASan for bare-metal targets leveraging the QEMU system emulator. Readers can refer to this implementation for technical details while following the blog post. Address Sanitizer (ASan) overview Address sanitizer is a compiler-based instrumentation tool used to identify invalid memory access operations during runtime. It is capable of detecting the following classes of temporal and spatial memory safety bugs: out-of-bounds memory access use-after-free double/invalid free use-after-return ASan relies on the compiler to instrument code with dynamic checks for virtual addresses used in load/store operations. A separate runtime library defines the instrumentation hooks for the heap memory and error reporting. For most user-space targets (such as aarch64-linux-android) ASan can be enabled as simply as using the -fsanitize=address compiler option for Clang due to existing support of this target both in the toolchain and in the libclang_rt runtime. However, the situation is rather different for bare-metal code which is frequently built with the none system targets, such as arm-none-eabi. Unlike traditional user-space programs, bare-metal code running inside an embedded system often doesn’t have a common runtime implementation. As such, LLVM can’t provide a default runtime for these environments. To provide custom implementations for the necessary runtime routines, the Clang toolchain exposes an interface for address sanitization through the -fsanitize=kernel-address compiler option. The KASan runtime routines implemented in the Linux kernel serve as a great example of how to define a KASan runtime for targets which aren’t supported by default with -fsanitize=address. We'll demonstrate how to use the version of address sanitizer originally built for the kernel on other bare-metal targets. KASan 101 Let’s take a look at the KASan major building blocks from a high-level perspective (a thorough explanation of how ASan works under-the-hood is provided in this whitepaper). The main idea behind KASan is that every memory access operation, such as load/store instructions and memory copy functions (for example, memmove and memcpy), are instrumented with code which performs verification of the destination/source memory regions. KASan only allows the memory access operations which use valid memory regions. When KASan detects memory access to a memory region which is invalid (that is, the memory has been already freed or access is out-of-bounds) then it reports this violation to the system. The state of memory regions covered by KASan is maintained in a dedicated area called shadow memory. Every byte in the shadow memory corresponds to a single fixed-size memory region covered by KASan (typically 8-bytes) and encodes its state: whether the corresponding memory region has been allocated or freed and how many bytes in the memory region are accessible. Therefore, to enable KASan for a bare-metal target we would need to implement the instrumentation routines which verify validity of memory regions in memory access operations and report KASan violations to the system. In addition we would also need to implement shadow memory management to track the state of memory regions which we want to be covered with KASan. Enabling KASan for bare-metal firmware KASan shadow memory The very first step in enabling KASan for firmware is to reserve a sufficient amount of DRAM for shadow memory. This is a memory region where each byte is used by KASan to track the state of an 8-byte region. This means accommodating the shadow memory requires a dedicated memory region equal to 1/8th the size of the address space covered by KASan. KASan maps every 8-byte aligned address from the DRAM region into the shadow memory using the following formula: shadow_address = (target_address >> 3 ) + shadow_memory_base where target_address is the address of a 8-byte memory region which we want to cover with KASan and shadow_memory_base is the base address of the shadow memory area. Implement a KASan runtime Once we have the shadow memory tracking the state of every single 8-byte memory region of DRAM we need to implement the necessary runtime routines which KASan instrumentation depends on. For reference, a comprehensive list of runtime routines needed for KASan can be found in the linux/mm/kasan/kasan.h Linux kernel header. However, it might not be necessary to implement all of them and in the following text we focus on the ones which were needed to enable KASan for our target firmware as an example. Memory access check The routines __asan_loadXX_noabort, __asan_storeXX_noabort perform verification of memory access at runtime. The symbol XX denotes size of memory access and goes as a power of 2 starting from 1 up to 16. The toolchain instruments every memory load and store operations with these functions so that they are invoked before the memory access operation happens. These routines take as input a pointer to the target memory region to check it against the shadow memory. If the region state provided by shadow memory doesn’t reveal a violation, then these functions return to the caller. But if any violations (for example, the memory region is accessed after it has been deallocated or there is an out-of-bounds access) are revealed, then these functions report the KASan violation by: Generating a call-stack. Capturing context around the memory regions. Logging the error. Aborting/crashing the system (optional) Shadow memory management The routine __asan_set_shadow_YY is used to poison shadow memory for a given address. This routine is used by the toolchain instrumentation to update the state of memory regions. For example, the KASan runtime would use this function to mark memory for local variables on the stack as accessible/poisoned in the epilogue/prologue of the function respectively. This routine takes as input a target memory address and sets the corresponding byte in shadow memory to the value of YY. Here is an example of some YY values for shadow memory to encode state of 8-byte memory regions: 0x00 -- the entire 8-byte region is accessible 0x01-0x07 -- only the first bytes in the memory region are accessible 0xf1 -- not accessible: stack left red zone 0xf2 -- not accessible: stack mid red zone 0xf3 -- not accessible: stack right red zone 0xfa -- not accessible: globals red zone 0xff -- not accessible Covering global variables The routines __asan_register_globals, __asan_unregister_globals are used to poison/unpoison memory for global variables. The KASan runtime calls these functions while processing global constructors/destructors. For instance, the routine __asan_register_globals is invoked for every global variable. It takes as an argument a pointer to a data structure which describes the target global variable: the structure provides the starting address of the variable, its size not including the red zone and size of the global variable with the red zone. The red zone is extra padding the compiler inserts after the variable to increase the likelihood of detecting an out-of-bounds memory access. Red zones ensure there is extra space between adjacent global variables. It is the responsibility of __asan_register_globals routine to mark the corresponding shadow memory as accessible for the variable and as poisoned for the red zone. As the readers could infer from its name, the routine __asan_unregister_globals is invoked while processing global destructors and is intended to poison shadow memory for the target global variable. As a result, any memory access to such a global will cause a KASan violation. Memory copy functions The KASan compiler instrumentation routines __asan_loadXX_noabort, __asan_storeXX_noabort discussed above are used to verify individual memory load and store operations such as, reading or writing an array element or dereferencing a pointer. However, these routines don't cover memory access in bulk-memory copy functions such as memcpy, memmove, and memset. In many cases these functions are provided by the runtime library or implemented in assembly to optimize for performance. Therefore, in order to be able to catch invalid memory access in these functions, we would need to provide sanitized versions of memcpy, memmove, and memset functions in our KASan implementation which would verify memory buffers to be valid memory regions. Avoiding false positives for noreturn functions Another routine required by KASan is __asan_handle_no_return, to perform cleanup before a noreturn function and avoid false positives on the stack. KASan adds red zones around stack variables at the start of each function, and removes them at the end. If a function does not return normally (for example, in case of longjmp-like functions and exception handling), red zones must be removed explicitly with __asan_handle_no_return. Hook heap memory allocation routines Bare-metal code in the vast majority of cases provides its own heap implementation. It is our responsibility to implement an instrumented version of heap memory allocation and freeing routines which enable KASan to detect memory corruption bugs on the heap. Essentially, we would need to instrument the memory allocator with the code which unpoisons KASan shadow memory corresponding to the allocated memory buffer. Additionally, we may want to insert an extra poisoned red zone memory (which accessing would then generate a KASan violation) to the end of the allocated buffer to increase the likelihood of catching out-of-bounds memory reads/writes. Similarly, in the memory deallocation routine (such as free) we would need to poison the shadow memory corresponding to the free buffer so that any subsequent access (such as, use-after-free) would generate a KASan violation. We can go even further by placing the freed memory buffer into a quarantine instead of immediately returning the free memory back to the allocator. This way, the freed memory buffer is suspended in quarantine for some time and will have its KASan shadow bytes poisoned for a longer period of time, increasing the probability of catching a use-after-free access to this buffer. Enable KASan for heap, stack and global variables With all the necessary building blocks implemented we are ready to enable KASan for our bare-metal code by applying the following compiler options while building the target with the LLVM toolchain. The -fsanitize=kernel-address Clang option instructs the compiler to instrument memory load/store operations with the KASan verification routines. We use the -asan-mapping-offset LLVM option to indicate where we want our shadow memory to be located. For instance, let’s assume that we would like to cover address range 0x40000000 - 0x4fffffff and we want to keep shadow memory at address 0x4A700000. So, we would use -mllvm -asan-mapping-offset=0x42700000 as 0x40000000 >> 3 + 0x42700000 == 0x4A700000. To cover globals and stack variables with KASan we would need to pass additional options to the compiler: -mllvm -asan-stack=1 -mllvm -asan-globals=1. It’s worth mentioning that instrumenting both globals and stack variables will likely result in an increase in size of the corresponding memory which might need to be accounted for in the linker script. Finally, to prevent significant increase in size of the code section due to KASan instrumentation we instruct the compiler to always outline KASan checks using the -mllvm -asan-instrumentation-with-call-threshold=0 option. Otherwise, the compiler might inline __asan_loadXX_noabort, __asan_storeXX_noabort routines for load/store operations resulting in bloating the generated object code. LLVM has traditionally only supported sanitizers with runtimes for specific targets with predefined runtimes, however we have upstreamed LLVM sanitizer support for bare-metal targets under the assumption that the runtime can be defined for the particular target. You’ll need the latest version of Clang to benefit from this. Conclusion Following these steps we managed to enable KASan for a firmware target and use it in pre-production test builds. This led to early discovery of memory corruption issues that were easily remediated due to the actionable reports produced by KASan. These builds can be used with fuzzers to detect edge case bugs that normal testing fails to trigger, yet which can have significant security implications. Our work with KASan is just one example of the multiple techniques the Android team is exploring to further secure bare-metal firmware in the Android Platform. Ideally we want to avoid introducing memory safety vulnerabilities in the first place so we are working to address this problem through adoption of memory-safe Rust in bare-metal environments. The Android team has developed Rust training which covers bare-metal Rust extensively. We highly encourage others to explore Rust (or other memory-safe languages) as an alternative to C/C++ in their firmware. If you have any questions, please reach out – we’re here to help! Acknowledgements: Thank you to Roger Piqueras Jover for contributions to this post, and to Evgenii Stepanov for upstreaming LLVM support for bare-metal sanitizers. Special thanks also to our colleagues who contribute and support our firmware security efforts: Sami Tolvanen, Stephan Somogyi, Stephan Chen, Dominik Maier, Xuan Xing, Farzan Karimi, Pirama Arumuga Nainar, Stephen Hines.
http://security.googleblog.com/2024/03/address-sanitizer-for-bare-metal.html

• http://security.googleblog.com »

Posted by Jasika Bawa, Xinghui Lu, Google Chrome Security & Jonathan Li, Alex Wozniak, Google Safe Browsing For more than 15 years, Google Safe Browsing has been protecting users from phishing, malware, unwanted software and more, by identifying and warning users about potentially abusive sites on more than 5 billion devices around the world. As attackers grow more sophisticated, we've seen the need for protections that can adapt as quickly as the threats they defend against. That’s why we're excited to announce a new version of Safe Browsing that will provide real-time, privacy-preserving URL protection for people using the Standard protection mode of Safe Browsing in Chrome. Current landscape Chrome automatically protects you by flagging potentially dangerous sites and files, hand in hand with Safe Browsing which discovers thousands of unsafe sites every day and adds them to its lists of harmful sites and files. So far, for privacy and performance reasons, Chrome has first checked sites you visit against a locally-stored list of known unsafe sites which is updated every 30 to 60 minutes – this is done using hash-based checks. Hash-based check overview But unsafe sites have adapted — today, the majority of them exist for less than 10 minutes, meaning that by the time the locally-stored list of known unsafe sites is updated, many have slipped through and had the chance to do damage if users happened to visit them during this window of opportunity. Further, Safe Browsing’s list of harmful websites continues to grow at a rapid pace. Not all devices have the resources necessary to maintain this growing list, nor are they always able to receive and apply updates to the list at the frequency necessary to benefit from full protection. Safe Browsing’s Enhanced protection mode already stays ahead of such threats with technologies such as real-time list checks and AI-based classification of malicious URLs and web pages. We built this mode as an opt-in to give users the choice of sharing more security-related data in order to get stronger security. This mode has shown that checking lists in real time brings significant value, so we decided to bring that to the default Standard protection mode through a new API – one that doesn't share the URLs of sites you visit with Google. Introducing real-time, privacy-preserving Safe Browsing How it works In order to transition to real-time protection, checks now need to be performed against a list that is maintained on the Safe Browsing server. The server-side list can include unsafe sites as soon as they are discovered, so it is able to capture sites that switch quickly. It can also grow as large as needed because the Safe Browsing server is not constrained in the same way that user devices are. Behind the scenes, here's what is happening in Chrome: When you visit a site, Chrome first checks its cache to see if the address (URL) of the site is already known to be safe (see the “Staying speedy and reliable” section for details). If the visited URL is not in the cache, it may be unsafe, so a real-time check is necessary. Chrome obfuscates the URL by following the URL hashing guidance to convert the URL into 32-byte full hashes. Chrome truncates the full hashes into 4-byte long hash prefixes. Chrome encrypts the hash prefixes and sends them to a privacy server (see the “Keeping your data private” section for details). The privacy server removes potential user identifiers and forwards the encrypted hash prefixes to the Safe Browsing server via a TLS connection that mixes requests with many other Chrome users. The Safe Browsing server decrypts the hash prefixes and matches them against the server-side database, returning full hashes of all unsafe URLs that match one of the hash prefixes sent by Chrome. After receiving the unsafe full hashes, Chrome checks them against the full hashes of the visited URL. If any match is found, Chrome will show a warning. Keeping your data private In order to preserve user privacy, we have partnered with Fastly, an edge cloud platform that provides content delivery, edge compute, security, and observability services, to operate an Oblivious HTTP (OHTTP) privacy server between Chrome and Safe Browsing – you can learn more about Fastly's commitment to user privacy on their Customer Trust page. With OHTTP, Safe Browsing does not see your IP address, and your Safe Browsing checks are mixed amongst those sent by other Chrome users. This means Safe Browsing cannot correlate the URL checks you send as you browse the web. Before hash prefixes leave your device, Chrome encrypts them using a public key from Safe Browsing. These encrypted hash prefixes are then sent to the privacy server. Since the privacy server doesn’t know the private key, it cannot decrypt the hash prefixes, which offers privacy from the privacy server itself. The privacy server then removes potential user identifiers such as your IP address and forwards the encrypted hash prefixes to the Safe Browsing server. The privacy server is operated independently by Fastly, meaning that Google doesn’t have access to potential user identifiers (including IP address and User Agent) from the original request. Once the Safe Browsing server receives the encrypted hash prefixes from the privacy server, it decrypts the hash prefixes with its private key and then continues to check the server-side list. Ultimately, Safe Browsing sees the hash prefixes of your URL but not your IP address, and the privacy server sees your IP address but not the hash prefixes. No single party has access to both your identity and the hash prefixes. As such, your browsing activity remains private. Real-time check overview Staying speedy and reliable Compared with the hash-based check, the real-time check requires sending a request to a server, which adds additional latency. We have employed a few techniques to make sure your browsing experience continues to be smooth and responsive. First, before performing the real-time check, Chrome checks against a global and local cache on your device to avoid unnecessary delay. The global cache is a list of hashes of known-safe URLs that is served by Safe Browsing. Chrome fetches it in the background. If any full hash of the URL is found in the global cache, Chrome will consider it less risky and perform a hash-based check instead. The local cache, on the other hand, is a list of full hashes that are saved from previous Safe Browsing checks. If there is a match in the local cache, and the cache has not yet expired, Chrome will not send a real-time request to the Safe Browsing server. Both caches are stored in memory, so it is much faster to check them than sending a real-time request over the network. In addition, Chrome follows a fallback mechanism in case of unsuccessful or slow requests. If the real-time request fails consecutively, Chrome will enter a back-off mode and downgrade the checks to hash-based checks for a certain period. We are also in the process of introducing an asynchronous mechanism, which will allow the site to load while the real-time check is in progress. This will improve the user experience, as the real-time check won’t block page load. What real-time, privacy-preserving URL protection means for you Chrome users With the latest release of Chrome for desktop, Android, and iOS, we’re upgrading the Standard protection mode of Safe Browsing so it will now check sites using Safe Browsing’s real-time protection protocol, without sharing your browsing history with Google. You don't need to take any action to benefit from this improved functionality. If you want more protection, we still encourage you to turn on the Enhanced protection mode of Safe Browsing. You might wonder why you need enhanced protection when you'll be getting real-time URL protection in Standard protection – this is because in Standard protection mode, the real-time feature can only protect you from sites that Safe Browsing has already confirmed to be unsafe. On the other hand, Enhanced protection mode is able to use additional information together with advanced machine learning models to protect you from sites that Safe Browsing may not yet have confirmed to be unsafe, for example because the site was only very recently created or is cloaking its true behavior to Safe Browsing’s detection systems. Enhanced protection also continues to offer protection beyond real-time URL checks, for example by providing deep scans for suspicious files and extra protection from suspicious Chrome extensions. Enterprises The real-time feature of the Standard protection mode of Safe Browsing is on by default for Chrome. If needed, it may be configured using the policy SafeBrowsingProxiedRealTimeChecksAllowed. It is also worth noting that in order for this feature to work in Chrome, enterprises may need to explicitly allow traffic to the Fastly privacy server. If the server is not reachable, Chrome will downgrade the checks to hash-based checks. Developers While Chrome is the first surface where these protections are available, we plan to make them available to eligible developers for non-commercial use cases via the Safe Browsing API. Using the API, developers and privacy server operators can partner to better protect their products’ users from fast-moving malicious actors in a privacy-preserving manner. To learn more, keep an eye out for our upcoming developer documentation to be published on the Google for Developers site.
http://security.googleblog.com/2024/03/blog-post.html

• http://security.googleblog.com »

Posted by Sarah Jacobus, Vulnerability Rewards Team Last year, we again witnessed the power of community-driven security efforts as researchers from around the world contributed to help us identify and address thousands of vulnerabilities in our products and services. Working with our dedicated bug hunter community, we awarded $10 million to our 600+ researchers based in 68 countries. New Resources and Improvements Just like every year, 2023 brought a series of changes and improvements to our vulnerability reward programs: Through our new Bonus Awards program, we now periodically offer time-limited, extra rewards for reports to specific VRP targets. We expanded our exploit reward program to Chrome and Cloud through the launch of v8CTF, a CTF focused on V8, the JavaScript engine that powers Chrome. We launched Mobile VRP which focuses on first-party Android applications. Our new Bughunters blog shared ways in which we make the internet, as a whole, safer, and what that journey entails. Take a look at our ever-growing repository of posts! To further our engagement with top security researchers, we also hosted our yearly security conference ESCAL8 in Tokyo. It included live hacking events and competitions, student training with our init.g workshops, and talks from researchers and Googlers. Stay tuned for details on ESCAL8 2024. As in past years, we are sharing our 2023 Year in Review statistics across all of our programs. We would like to give a special thank you to all of our dedicated researchers for their continued work with our programs - we look forward to more collaboration in the future! Android and Google Devices In 2023, the Android VRP achieved significant milestones, reflecting our dedication to securing the Android ecosystem. We awarded over $3.4 million in rewards to researchers who uncovered remarkable vulnerabilities within Android and increased our maximum reward amount to $15,000 for critical vulnerabilities. We also saw a sharpened focus on higher severity issues as a result of our changes to incentivize report quality and increasing rewards for high and critical severity issues. Expanding our program’s scope, Wear OS has been added to the program to further incentivize research in new wearable technology to ensure users’ safety. Working closely with top researchers at the ESCAL8 conference, we also hosted a live hacking event for Wear OS and Android Automotive OS which resulted in $70,000 rewarded to researchers for finding over 20 critical vulnerabilities! We would also like to spotlight the hardwear.io security conferences. Hardwear.io gave us a platform to engage with top hardware security researchers who uncovered over 50 vulnerabilities in Nest, Fitbit, and Wearables, and received a total of $116,000 last year! The Google Play Security Reward Program continued to foster security research across popular Android apps on Google Play. A huge thank you to the researchers who made our program such a success. A special shout out to Zinuo Han (@ele7enxxh) of OPPO Amber Security Lab and Yu-Cheng Lin (林禹成) (@AndroBugs) for your hard work and continuing to be some of the top researchers contributing to Android VRPs! Chrome 2023 was a year of changes and experimentation for the Chrome VRP. In Chrome Milestone 116, MiraclePtr was launched across all Chrome platforms. This resulted in raising the difficulty of discovery of fully exploitable non-renderer UAFs in Chrome and resulted in lower reward amounts for MiraclePtr-protected UAFs, as highly mitigated security bugs. While code and issues protected by MiraclePtr are expected to be resilient to the exploitation of non-renderer UAFs, the Chrome VRP launched the MiraclePtr Bypass Reward to incentivize research toward discovering potential bypasses of this protection. The Chrome VRP also launched the Full Chain Exploit Bonus, offering triple the standard full reward amount for the first Chrome full-chain exploit reported and double the standard full reward amount for any follow-up reports. While both of these large incentives have gone unclaimed, we are leaving the door open in 2024 for any researchers looking to take on these challenges. In 2023, Chrome VRP also introduced increased rewards for V8 bugs in older channels of Chrome, with an additional bonus for bugs existing before M105. This resulted in a few very impactful reports of long-existing V8 bugs, including one report of a V8 JIT optimization bug in Chrome since at least M91, which resulted in a $30,000 reward for that researcher. All of this resulted in $2.1M in rewards to security researchers for 359 unique reports of Chrome Browser security bugs. We were also able to meet some of our top researchers from previous years who were invited to participate in bugSWAT as part of Google’s ESCAL8 event in Tokyo in October. We capped off the year by publicly announcing our 2023 Top 20 Chrome VRP reporters who received a bonus reward for their contributions. Thank you to the Chrome VRP security researcher community for your contributions and efforts to help us make Chrome more secure for everyone! Generative AI Last year, we also ran a bugSWAT live-hacking event targeting LLM products. Apart from fun, sun, and a lot to do, we also got 35 reports, totaling more than $87,000 - and discovered issues like Johann, Joseph, and Kai’s “Hacking Google Bard - From Prompt Injection to Data Exfiltration” and Roni, Justin, and Joseph’s “We Hacked Google A.I. for $50,000”. To help AI-focused bughunters know what’s in scope and what’s not, we recently published our criteria for bugs in AI products. This criteria aims to facilitate testing for traditional security vulnerabilities as well as risks specific to AI systems, and is one way that we are implementing the voluntary AI commitments that Google made at the White House in July. Looking Forward We remain committed to fostering collaboration, innovation, and transparency with the security community. Our ongoing mission is to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen the security posture of Google’s products and services. We look forward to continuing to drive greater advancements in the world of cybersecurity. A huge thank you to our bug hunter community for helping to make Google products and platforms more safe and secure for our users around the world! Thank you to Adam Bacchus, Dirk Göhmann, Eduardo Vela, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Tony Mendez.
http://security.googleblog.com/2024/03/vulnerability-reward-program-2023-year.html

• http://security.googleblog.com »

Alex Rebert, Software Engineer, Christoph Kern, Principal Engineer, Security FoundationsGoogle’s Project Zero reports that memory safety vulnerabilities—security defects caused by subtle coding errors related to how a program accesses memory—have been "the standard for attacking software for the last few decades and it’s still how attackers are having success". Their analysis shows two thirds of 0-day exploits detected in the wild used memory corruption vulnerabilities. Despite substantial investments to improve memory-unsafe languages, those vulnerabilities continue to top the most commonly exploited vulnerability classes.In this post, we share our perspective on memory safety in a comprehensive whitepaper. This paper delves into the data, challenges of tackling memory unsafety, and discusses possible approaches for achieving memory safety and their tradeoffs. We'll also highlight our commitments towards implementing several of the solutions outlined in the whitepaper, most recently with a $1,000,000 grant to the Rust Foundation, thereby advancing the development of a robust memory-safe ecosystem. Why we’re publishing this now2022 marked the 50th anniversary of memory safety vulnerabilities. Since then, memory safety risks have grown more obvious. Like others', Google's internal vulnerability data and research show that memory safety bugs are widespread and one of the leading causes of vulnerabilities in memory-unsafe codebases. Those vulnerabilities endanger end users, our industry, and the broader society. We're encouraged to see governments also taking this issue seriously, as with the U.S. Office of the National Cyber Director publication of a paper on the topic last week.By sharing our insights and experiences, we hope to inspire the broader community and industry to adopt memory-safe practices and technologies, ultimately making technology safer. Our perspectiveAt Google, we have decades of experience addressing, at scale, large classes of vulnerabilities that were once similarly prevalent as memory safety issues. Our approach, which we call “Safe Coding”, treats vulnerability-prone coding constructs  themselves as hazards (i.e., independently of, and in addition to, the vulnerability they might cause), and is centered around ensuring developers do not encounter such hazards during regular coding practice.Based on this experience, we expect that high assurance memory safety can only be achieved via a Secure-by-Design approach centered around comprehensive adoption of languages with rigorous memory safety guarantees. As a consequence, we are considering a gradual transition towards memory-safe languages like Java, Go, and Rust.Over the past decades, in addition to large Java and Go memory-safe codebases, Google has developed and accumulated hundreds of millions of lines of C++ code that is in active use and under active, ongoing development. This very large existing codebase results in significant challenges for a transition to memory safety: We see no realistic path for an evolution of C++ into a language with rigorous memory safety guarantees that include temporal safety. A large-scale rewrite of all existing C++ code into a different, memory-safe language appears very difficult and will likely remain impractical. We consider it important to complement a transition to memory safe languages for new code and particularly at-risk components with safety improvements for existing C++ code, to the extent practicable. We believe that substantial improvements can be achieved through an incremental transition to a partially-memory-safe C++ language subset, augmented with hardware security features when available. For instance, see our work improving spatial safety in GCP's networking stack. Our investments in memory-safe languagesWe are actively investing in many of the solutions outlined in our whitepaper and in our response to the US Federal Government’s RFI on Open Source Software Security. Android has written several components in Rust over the last few years, leading to compelling security improvements. In Android’s Ultra-wideband (UWB) module, this has improved the security of the module while also reducing the memory usage and inter-procedural calls.  Chrome has started shipping some features in Rust; in one case, Chrome was able to move its QR code generator out of a sandbox by adopting a new memory-safe library written in Rust, leading to both better security and better performance. Google recently announced a $1,000,000 grant to the Rust foundation to enhance interoperability with C++ code. This will facilitate incremental adoption of Rust in existing memory-unsafe code bases, which will be key to enabling even more new development to occur in a memory-safe language. Relatedly, we are also working on addressing cross-language attacks that can occur when mixing Rust and C++ in the same binary. Google is investing in building the memory-safe open-source ecosystem through ISRG Prossimo and OpenSSF’s Alpha-Omega project. Back in 2021, we funded efforts to bring Rust to the Linux Kernel, which is now enabling us to write memory-safe drivers. This funding is also going towards providing alternatives or upgrades to key open-source libraries in a memory-safe language, such as providing a memory safe TLS implementation. We know that memory safe languages will not address every security bug, but just as our efforts to eliminate XSS attacks through tooling showed, removing large classes of exploits both directly benefits consumers of software and allows us to move our focus to addressing further classes of security vulnerabilities. To access the full whitepaper and learn more about Google's perspective on memory safety, visit https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/
http://security.googleblog.com/2024/03/secure-by-design-googles-perspective-on.html

• http://security.googleblog.com »

Posted by Eugene Liderman, Director of Mobile Security Strategy, Google From its founding, Android has been guided by principles of openness, transparency, safety, and choice. Android gives you the freedom to choose which device best fits your needs, while also providing the flexibility to download apps from a variety of sources, including preloaded app stores such as the Google Play Store or the Galaxy Store; third-party app stores; and direct downloads from the Internet.Keeping users safe in an open ecosystem takes sophisticated defenses. That’s why Android provides multiple layers of protections, powered by AI and backed by a large dedicated security & privacy team, to help to protect our users from security threats while continually making the platform more resilient. We also provide our users with numerous built-in protections like Google Play Protect, the world’s most widely deployed threat detection service, which actively scans over 125 billion apps on devices every day to monitor for harmful behavior. That said, our data shows that a disproportionate amount of bad actors take advantage of select APIs and distribution channels in this open ecosystem. Elevating app security in an open ecosystem While users have the flexibility to download apps from many sources, the safety of an app can vary depending on the download source. Google Play, for example, carries out rigorous operational reviews to ensure app safety, including proper high-risk API use and permissions handling. Other app stores may also follow established policies and procedures that help reduce risks to users and their data. These protections often include requirements for developers to declare which permissions their apps use and how developers plan to use app data. Conversely, standalone app distribution sources like web browsers, messaging apps or file managers – which we commonly refer to as Internet-sideloading – do not offer the same rigorous requirements and operational reviews. Our data demonstrates that users who download from these sources today face unusually high security risks due to these missing protections. We recently launched enhanced Google Play Protect real-time scanning to help better protect users against novel malicious Internet-sideloaded apps. This enhancement is designed to address malicious apps that leverage various methods, such as AI, to avoid detection. This feature, now deployed on Android devices with Google Play Services in India, Thailand, Singapore and Brazil, has already made a significant impact on user safety. As a result of the real-time scanning enhancement, Play Protect has identified 515,000 new malicious apps and issued more than 3.1 million warnings or blocks of those apps. Play Protect is constantly improving its detection capabilities with each identified app, allowing us to strengthen our protections for the entire Android ecosystem. A new pilot to combat financial fraud Cybercriminals continue to invest in advanced financial fraud scams, costing consumers more than $1 trillion in losses. According to the 2023 Global State of Scams Report by the Global Anti-Scam Alliance, 78 percent of mobile users surveyed experienced at least one scam in the last year. Of those surveyed, 45 percent said they’re experiencing more scams in the last 12 months. The Global Scam Report also found that scams were most often initiated by sending scam links via various messaging platforms to get users to install malicious apps and very often paired with a phone call posing to be from a valid entity. Scammers frequently employ social engineering tactics to deceive mobile users. Using urgent pretenses that often involve a risk to a user’s finances or an opportunity for quick wealth, cybercriminals convince users to disable security safeguards and ignore proactive warnings for potential malware, scams, and phishing. We’ve seen a large percentage of users ignore, or are tricked into dismissing, these proactive Android platform warnings and proceed with installing malicious apps. This can lead to users ultimately disclosing their security codes, passwords, financial information and/or transferring funds unknowingly to a fraudster. To help better protect Android users from these financial fraud attacks, we are piloting enhanced fraud protection with Google Play Protect. As part of a continued strategic partnership with the Cyber Security Agency of Singapore (CSA), we will launch this first pilot in Singapore in the coming weeks to help keep Android users safe from mobile financial fraud. This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps or file managers). This enhancement will inspect the permissions the app declared in real-time and specifically look for four permission requests: RECEIVE_SMS, READ_SMS, BIND_Notifications, and Accessibility. These permissions are frequently abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on screen content. Based on our analysis of major fraud malware families that exploit these sensitive permissions, we found that over 95 percent of installations came from Internet-sideloading sources. During the upcoming pilot, when a user in Singapore attempts to install an application from an Internet-sideloading source and any of these four permissions are declared, Play Protect will automatically block the installation with an explanation to the user. Collaborating to combat mobile fraud This enhanced fraud protection has undergone testing by the Singapore government and will be rolling out to Android devices with Google Play services. “The fight against online scams is a dynamic one. As cybercriminals refine their methods, we must collaborate and innovate to stay ahead, “ said Mr Chua Kuan Seah, Deputy Chief Executive of CSA. “Through such partnerships with technology players like Google, we are constantly improving our anti-scam defenses to protect Singaporeans online and safeguard their digital assets.” Together with CSA, we will be closely monitoring the results of the pilot program to assess its impact and make adjustments as needed. We will also support CSA by continuing to assist with malware detection and analysis, sharing malware insights and techniques, and creating user and developer education resources. How developers can prepareFor developers distributing apps that may be affected by this pilot, please take the time to review the device permissions your app is requesting and ensure you’re following developer best practices. Your app should only request permissions that the app needs to complete an action and ensure it does not violate the Mobile Unwanted Software principles. Always ensure that your app does not engage in behavior that could be considered potentially harmful or malware. If you find that your app is affected by the app protection pilot you can refer to our updated developer guidance for Play Protect warnings for tips on how to help fix potential issues with your app and instructions for filing an appeal if needed. Check out the video below to learn more.Our commitment to protecting Android users We believe industry collaboration is essential to protect users from mobile security threats and fraud. Piloting these new protections will help us stay ahead of new attacks and evolve our solutions to defeat scammers and their expanding fraud attempt. We have an unwavering commitment to protecting our users around the world and look forward to continuing to partner with governments, ecosystem partners and other stakeholders to improve user protections.
http://security.googleblog.com/2024/02/piloting-new-ways-to-protect-Android-users-from financial-fraud.html

• http://security.googleblog.com »

Posted by Lars Bergstrom – Director, Android Platform Tools & Libraries and Chair of the Rust Foundation Board Back in 2021, we announced that Google was joining the Rust Foundation. At the time, Rust was already in wide use across Android and other Google products. Our announcement emphasized our commitment to improving the security reviews of Rust code and its interoperability with C++ code. Rust is one of the strongest tools we have to address memory safety security issues. Since that announcement, industry leaders and government agencies have echoed our sentiment. We are delighted to announce that Google has provided a grant of $1 million to the Rust Foundation to support efforts that will improve the ability of Rust code to interoperate with existing legacy C++ codebases. We’re also furthering our existing commitment to the open-source Rust community by aggregating and publishing audits for Rust crates that we use in open-source Google projects. These contributions, along with our previous interoperability contributions, have us excited about the future of Rust. “Based on historical vulnerability density statistics, Rust has proactively prevented hundreds of vulnerabilities from impacting the Android ecosystem. This investment aims to expand the adoption of Rust across various components of the platform.” – Dave Kleidermacher, Google Vice President of Engineering, Android Security & Privacy While Google has seen the most significant growth in the use of Rust in Android, we’re continuing to grow its use across more applications, including clients and server hardware. “While Rust may not be suitable for all product applications, prioritizing seamless interoperability with C++ will accelerate wider community adoption, thereby aligning with the industry goals of improving memory safety.” – Royal Hansen, Google Vice President of Safety & Security The Rust tooling and ecosystem already support interoperability with Android and with continued investment in tools like cxx, autocxx, bindgen, cbindgen, diplomat, and crubit, we are seeing regular improvements in the state of Rust interoperability with C++. As these improvements have continued, we’ve seen a reduction in the barriers to adoption and accelerated adoption of Rust. While that progress across the many tools continues, it is often only expanded incrementally to support the particular needs of a given project or company. In order to accelerate both Rust adoption at Google as well as more broadly across the industry, we are eager to invest in and collaborate on any needed ABI changes, tooling and build system support, wrapper libraries, or other areas identified. We are excited to support this work through the Rust Foundation’s Interop Initiative and in collaboration with the Rust project to ensure that any additions made are suitable and address the challenges of Rust adoption that projects using C++ face. Improving memory safety across the software industry is one of the key technology challenges of our time, and we invite others across the community and industry to join us in working together to secure the open source ecosystem for everyone. Learn more about the Rust Foundation’s Interop Initiative by reading their recent announcement.
http://security.googleblog.com/2024/02/improving-interoperability-between-rust-and-c.html

• http://security.googleblog.com »

Royal Hansen, Vice President of Privacy, Safety and Security EngineeringThis week, the United Nations convened member states to continue its years-long negotiations on the UN Cybercrime Treaty, titled “Countering the Use of Information and Communications Technologies for Criminal Purposes.” As more aspects of our lives intersect with the digital sphere, law enforcement around the world has increasingly turned to electronic evidence to investigate and disrupt criminal activity. Google takes the threat of cybercrime very seriously, and dedicates significant resources to combating it. When governments send Google legal orders to disclose user data in connection with their investigations, we carefully review those orders to make sure they satisfy applicable laws, international norms, and Google’s policies. We also regularly report the number of these orders in our Transparency Report. To ensure that transnational legal demands are issued consistent with rule of law, we have long called for an international framework for digital evidence that includes robust due process protections, respects human rights (including the right to free expression), and aligns with existing international norms. This is particularly important in the case of transnational criminal investigations, where the legal protections  in one jurisdiction may not align with those in others. Such safeguards aren’t just important to ensuring free expression and human rights, they are also critical to protecting web security. Too often, as we know well from helping stand up the Security Researcher Legal Defense Fund, individuals working to advance cybersecurity for the public good end up facing criminal charges. The Cybercrime Treaty should not criminalize the work of legitimate cybersecurity researchers and penetration testers, which is designed to protect individual systems and  the web as a whole.  UN Member States have an opportunity to strengthen global cybersecurity by adopting a treaty that encourages the criminalization of the most egregious and systemic activities — on which all parties can agree — while adopting a framework for sharing digital evidence that is transparent, grounded in the rule of law, based on pre-existing international frameworks like the Universal Declaration on Human Rights, and aligned with principles of necessity and proportionality. At the same time, Member States should avoid attempts to criminalize activities that raise significant freedom of expression issues, or that actually undercut the treaty’s goal of reducing cybercrime. That will require strengthening critical guardrails and protections.  We urge Member States to heed calls from civil society groups to address critical gaps in the Treaty and revise the text to protect users and security professionals — not endanger the security of the web.  
http://security.googleblog.com/2024/02/un-cybercrime-treaty-could-endanger-web.html

• http://security.googleblog.com »

Dongge Liu and Oliver Chang, Google Open Source Security Team, Jan Nowakowski and Jan Keller, Machine Learning for Security TeamThe AI world moves fast, so we’ve been hard at work keeping security apace with recent advancements. One of our approaches, in alignment with Google’s Secure AI Framework (SAIF), is using AI itself to automate and streamline routine and manual security tasks, including fixing security bugs. Last year we wrote about our experiences using LLMs to expand vulnerability testing coverage, and we’re excited to share some updates. Today, we’re releasing our fuzzing framework as a free, open source resource that researchers and developers can use to improve fuzzing’s bug-finding abilities. We’ll also show you how we’re using AI to speed up the bug patching process. By sharing these experiences, we hope to spark new ideas and drive innovation for a stronger ecosystem security.Update: AI-powered vulnerability discoveryLast August, we announced our framework to automate manual aspects of fuzz testing (“fuzzing”) that often hindered open source maintainers from fuzzing their projects effectively. We used LLMs to write project-specific code to boost fuzzing coverage and find more vulnerabilities. Our initial results on a subset of projects in our free OSS-Fuzz service were very promising, with code coverage increased by 30% in one example. Since then, we’ve expanded our experiments to more than 300 OSS-Fuzz C/C++ projects, resulting in significant coverage gains across many of the project codebases. We’ve also improved our prompt generation and build pipelines, which has increased code line coverage by up to 29% in 160 projects. How does that translate to tangible security improvements? So far, the expanded fuzzing coverage offered by LLM-generated improvements allowed OSS-Fuzz to discover two new vulnerabilities in cJSON and libplist, two widely used projects that had already been fuzzed for years. As always, we reported the vulnerabilities to the project maintainers for patching. Without the completely LLM-generated code, these two vulnerabilities could have remained undiscovered and unfixed indefinitely. And more: AI-powered vulnerability fixingFuzzing is fantastic for finding bugs, but for security to improve, those bugs also need to be patched. It’s long been an industry-wide struggle to find the engineering hours needed to patch open bugs at the pace that they are uncovered, and triaging and fixing bugs is a significant manual toll on project maintainers. With continued improvements in using LLMs to find more bugs, we need to keep pace in creating similarly automated solutions to help fix those bugs. We recently announced an experiment doing exactly that: building an automated pipeline that intakes vulnerabilities (such as those caught by fuzzing), and prompts LLMs to generate fixes and test them before selecting the best for human review.This AI-powered patching approach resolved 15% of the targeted bugs, leading to significant time savings for engineers. The potential of this technology should apply to most or all categories throughout the software development process. We’re optimistic that this research marks a promising step towards harnessing AI to help ensure more secure and reliable software.Try it outSince we’ve now open sourced our framework to automate manual aspects of fuzzing, any researcher or developer can experiment with their own prompts to test the effectiveness of fuzz targets generated by LLMs (including Google’s VertexAI or their own fine-tuned models) and measure the results against OSS-Fuzz C/C++ projects. We also hope to encourage research collaborations and to continue seeing other work inspired by our approach, such as Rust fuzz target generation. If you’re interested in using LLMs to patch bugs, be sure to read our paper on building an AI-powered patching pipeline. You’ll find a summary of our own experiences, some unexpected data about LLM’s abilities to patch different types of bugs, and guidance for building pipelines in your own organizations. 
http://security.googleblog.com/2024/01/scaling-security-with-ai-from-detection.html

• http://security.googleblog.com »

Posted by Sherif Hanna, Group Product Manager, Pixel Security Helping Pixel owners upgrade to the easier, safer way to sign in Your phone contains a lot of your personal information, from financial data to photos. Pixel phones are designed to help protect you and your data, and make security and privacy as easy as possible. This is why the Pixel team has been especially excited about passkeys—the easier, safer alternative to passwords. Passkeys are safer because they’re unique to each account, and are more resistant against online attacks such as phishing. They’re easier to use because there’s nothing for you to remember: when it’s time to sign in, using a passkey is as simple as unlocking your device with your face or fingerprint, or your PIN/pattern/password. Google is working to accelerate passkey adoption. We’ve launched support for passkeys on Google platforms such as Android and Chrome, and recently we announced that we’re making passkeys a default option across personal Google Accounts. We’re also working with our partners across the industry to make passkeys available on more websites and apps. Recently, we took things a step further. As part of last December’s Pixel Feature Drop, we introduced a new feature to Google Password Manager: passkey upgrades. With this new feature, Google Password Manager will let you discover which of your accounts support passkeys, and help you upgrade with just a few taps. This new passkey upgrade experience is now available on Pixel phones (starting from Pixel 5a) as well as Pixel Tablet. Google Password manager will incorporate these updates for other platforms in the future. Best of all, today we’re happy to announce that we’ve teamed up with Adobe, Best Buy, DocuSign, eBay, Kayak, Money Forward, Nintendo, PayPal, Uber, Yahoo! Japan—and soon, TikTok as well, to help bring you this easy passkey upgrade experience and usher you into the passwordless future. If you have an account with one of these early launch partners, Google Password Manager on Pixel will helpfully guide you to the exact location on the partner’s website or app where you can upgrade to a passkey. There’s no need to manually hunt for the option in account settings. And because the technology that makes this possible is open, any website or app, as well as any other password manager, can leverage it to help their users upgrade to passkeys for supporting accounts. It’s all part of Google’s commitment to help make signing in easier and safer.
http://security.googleblog.com/2024/01/upgrade-to-passkeys-on-pixel-with-google-password-manager.html

• http://security.googleblog.com »

Posted by Keishi Hattori, Sergei Glazunov, Bartek Nowierski on behalf of the MiraclePtr team Welcome back to our latest update on MiraclePtr, our project to protect against use-after-free vulnerabilities in Google Chrome. If you need a refresher, you can read our previous blog post detailing MiraclePtr and its objectives. More platforms We are thrilled to announce that since our last update, we have successfully enabled MiraclePtr for more platforms and processes: In June 2022, we enabled MiraclePtr for the browser process on Windows and Android. In September 2022, we expanded its coverage to include all processes except renderer processes. In June 2023, we enabled MiraclePtr for ChromeOS, macOS, and Linux. Furthermore, we have changed security guidelines to downgrade MiraclePtr-protected issues by one severity level! Evaluating Security Impact First let’s focus on its security impact. Our analysis is based on two primary information sources: incoming vulnerability reports and crash reports from user devices. Let's take a closer look at each of these sources and how they inform our understanding of MiraclePtr's effectiveness. Bug reports Chrome vulnerability reports come from various sources, such as: Chrome Vulnerability Reward Program participants, our fuzzing infrastructure, internal and external teams investigating security incidents. For the purposes of this analysis, we focus on vulnerabilities that affect platforms where MiraclePtr was enabled at the time the issues were reported. We also exclude bugs that occur inside a sandboxed renderer process. Since the initial launch of MiraclePtr in 2022, we have received 168 use-after-free reports matching our criteria. What does the data tell us? MiraclePtr effectively mitigated 57% of these use-after-free vulnerabilities in privileged processes, exceeding our initial estimate of 50%. Reaching this level of effectiveness, however, required additional work. For instance, we not only rewrote class fields to use MiraclePtr, as discussed in the previous post, but also added MiraclePtr support for bound function arguments, such as Unretained pointers. These pointers have been a significant source of use-after-frees in Chrome, and the additional protection allowed us to mitigate 39 more issues. Moreover, these vulnerability reports enable us to pinpoint areas needing improvement. We're actively working on adding support for select third-party libraries that have been a source of use-after-free bugs, as well as developing a more advanced rewriter tool that can handle transformations like converting std::vector<T*> into std::vector<raw_ptr<T>>. We've also made several smaller fixes, such as extending the lifetime of the task state object to cover several issues in the “this pointer” category. Crash reports Crash reports offer a different perspective on MiraclePtr's effectiveness. As explained in the previous blog post, when an allocation is quarantined, its contents are overwritten with a special bit pattern. If the allocation is used later, the pattern will often be interpreted as an invalid memory address, causing a crash when the process attempts to access memory at that address. Since the dereferenced address remains within a small, predictable memory range, we can distinguish MiraclePtr crashes from other crashes. Although this approach has its limitations — such as not being able to obtain stack traces from allocation and deallocation times like AddressSanitizer does — it has enabled us to detect and fix vulnerabilities. Last year, six critical severity vulnerabilities were identified in the default setup of Chrome Stable, the version most people use. Impressively, five of the six were discovered while investigating MiraclePtr crash reports! One particularly interesting example is CVE-2022-3038. The issue was discovered through MiraclePtr crash reports and fixed in Chrome 105. Several months later, Google's Threat Analysis Group discovered an exploit for that vulnerability used in the wild against clients of a different Chromium-based browser that hadn’t shipped the fix yet. To further enhance our crash analysis capabilities, we've recently launched an experimental feature that allows us to collect additional information for MiraclePtr crashes, including stack traces. This effectively shortens the average crash report investigation time. Performance MiraclePtr enables us to have robust protection against use-after-free bug exploits, but there is a performance cost associated with it. Therefore, we have conducted experiments on each platform where we have shipped MiraclePtr, which we used in our decision-making process. The main cost of MiraclePtr is memory. Specifically, the memory usage of the browser process increased by 5.5-8% on desktop platforms and approximately 2% on Android. Yet, when examining the holistic memory usage across all processes, the impact remains within a moderate 1-3% range to lower percentiles only. The main cause of the additional memory usage is the extra size to allocate the reference count. One might think that adding 4 bytes to each allocation wouldn’t be a big deal. However, there are many small allocations in Chrome, so even the 4B overhead is not negligible. Moreover, PartitionAlloc also uses pre-defined allocation bucket sizes, so this extra 4B pushes certain allocations (particularly power-of-2 sized) into a larger bucket, e.g. 4096B → 5120B. We also considered the performance cost. We verified that there were no regressions to the majority of our top-level performance metrics, including all of the page load metrics, like Largest Contentful Paint, First Contentful Paint and Cumulative Layout Shift. We did find a few regressions, such as a 10% increase in the 99th percentile of the browser process main thread contention metric, a 1.5% regression in First Input Delay on ChromeOS, and a 1.5% regression in tab startup time on Android. The main thread contention metric tries to estimate how often a user input can be delayed and so for example on Windows this was a change from 1.6% to 1.7% at the 99th percentile only. These are all minor regressions. There has been zero change in daily active usage, and we do not anticipate these regressions to have any noticeable impact on users. Conclusion In summary, MiraclePtr has proven to be effective in mitigating use-after-free vulnerabilities and enhancing the overall security of the Chrome browser. While there are performance costs associated with the implementation of MiraclePtr, our analysis suggests that the benefits in terms of security improvements far outweigh these. We are committed to continually refining and expanding the feature to cover more areas. For example we are working to add coverage to third-party libraries used by the GPU process, and we plan to enable BRP on the renderer process. By sharing our findings and experiences, we hope to contribute to the broader conversation surrounding browser security and inspire further innovation in this crucial area.
http://security.googleblog.com/2024/01/miracleptr-protecting-users-from-use.html

• http://security.googleblog.com »

Posted by Ivan Lozano and Roger Piqueras Jover Android’s defense-in-depth strategy applies not only to the Android OS running on the Application Processor (AP) but also the firmware that runs on devices. We particularly prioritize hardening the cellular baseband given its unique combination of running in an elevated privilege and parsing untrusted inputs that are remotely delivered into the device. This post covers how to use two high-value sanitizers which can prevent specific classes of vulnerabilities found within the baseband. They are architecture agnostic, suitable for bare-metal deployment, and should be enabled in existing C/C++ code bases to mitigate unknown vulnerabilities. Beyond security, addressing the issues uncovered by these sanitizers improves code health and overall stability, reducing resources spent addressing bugs in the future. An increasingly popular attack surface As we outlined previously, security research focused on the baseband has highlighted a consistent lack of exploit mitigations in firmware. Baseband Remote Code Execution (RCE) exploits have their own categorization in well-known third-party marketplaces with a relatively low payout. This suggests baseband bugs may potentially be abundant and/or not too complex to find and exploit, and their prominent inclusion in the marketplace demonstrates that they are useful. Baseband security and exploitation has been a recurring theme in security conferences for the last decade. Researchers have also made a dent in this area in well-known exploitation contests. Most recently, this area has become prominent enough that it is common to find practical baseband exploitation trainings in top security conferences. Acknowledging this trend, combined with the severity and apparent abundance of these vulnerabilities, last year we introduced updates to the severity guidelines of Android’s Vulnerability Rewards Program (VRP). For example, we consider vulnerabilities allowing Remote Code Execution (RCE) in the cellular baseband to be of CRITICAL severity. Mitigating Vulnerability Root Causes with Sanitizers Common classes of vulnerabilities can be mitigated through the use of sanitizers provided by Clang-based toolchains. These sanitizers insert runtime checks against common classes of vulnerabilities. GCC-based toolchains may also provide some level of support for these flags as well, but will not be considered further in this post. We encourage you to check your toolchain’s documentation. Two sanitizers included in Undefined Behavior Sanitizer (UBSan) will be our focus – Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan). These have been widely deployed in Android userspace for years following a data-driven approach. These two are well suited for bare-metal environments such as the baseband since they do not require support from the OS or specific architecture features, and so are generally supported for all Clang targets. Integer Overflow Sanitizer (IntSan) IntSan causes signed and unsigned integer overflows to abort execution unless the overflow is made explicit. While unsigned integer overflows are technically defined behavior, it can often lead to unintentional behavior and vulnerabilities – especially when they’re used to index into arrays. As both intentional and unintentional overflows are likely present in most code bases, IntSan may require refactoring and annotating the code base to prevent intentional or benign overflows from trapping (which we consider a false positive for our purposes). Overflows which need to be addressed can be uncovered via testing (see the Deploying Sanitizers section) BoundsSanitizer (BoundSan) BoundSan inserts instrumentation to perform bounds checks around some array accesses. These checks are only added if the compiler cannot prove at compile time that the access will be safe and if the size of the array will be known at runtime, so that it can be checked against. Note that this will not cover all array accesses as the size of the array may not be known at runtime, such as function arguments which are arrays. As long as the code is correctly written C/C++, BoundSan should produce no false positives. Any violations discovered when first enabling BoundSan is at least a bug, if not a vulnerability. Resolving even those which aren’t exploitable can greatly improve stability and code quality. Modernize your toolchains Adopting modern mitigations also means adopting (and maintaining) modern toolchains. The benefits of this go beyond utilizing sanitizers however. Maintaining an old toolchain is not free and entails hidden opportunity costs. Toolchains contain bugs which are addressed in subsequent releases. Newer toolchains bring new performance optimizations, valuable in the highly constrained bare-metal environment that basebands operate in. Security issues can even exist in the generated code of out-of-date compilers. Maintaining a modern up-to-date toolchain for the baseband entails some costs in terms of maintenance, especially at first if the toolchain is particularly old, but over time the benefits, as outlined above, outweigh the costs. Where to apply sanitizers Both BoundSan and IntSan have a measurable performance overhead. Although we were able to significantly reduce this overhead in the past (for example to less than 1% in media codecs), even very small increases in CPU load can have a substantial impact in some environments. Enabling sanitizers over the entire codebase provides the most benefit, but enabling them in security-critical attack surfaces can serve as a first step in an incremental deployment. For example: Functions parsing messages delivered over the air in 2G, 3G, 4G, and 5G (especially functions handling pre-authentication messages that can be injected with a false/malicious base station) Libraries encoding/decoding complex formats (e.g. ASN.1, XML, DNS, etc…) IMS, TCP and IP stacks Messaging functions (SMS, MMS) In the particular case of 2G, the best strategy is to disable the stack altogether by supporting Android’s “2G toggle”. However, 2G is still a necessary mobile access technology in certain parts of the world and some users might need to have this legacy protocol enabled. Deploying Sanitizers Having a clear plan for deployment of sanitizers saves a lot of time and effort. We think of the deployment process as having three stages: Detecting (and fixing) violations Measuring and reducing overhead Soaking in pre-production We also introduce two modes in which sanitizers should be run: diagnostics mode and trapping mode. These will be discussed in the following sections, but briefly: diagnostics mode recovers from violations and provides valuable debug information, while trapping mode actively mitigates vulnerabilities by trapping execution on violations. Detecting (and Fixing) Violations To successfully ship these sanitizers, any benign integer overflows must be made explicit and accidental out-of-bounds accesses must be addressed. These will have to be uncovered through testing. The higher the code coverage your tests provide, the more issues you can uncover at this stage and the easier deployment will be later on. To diagnose violations uncovered in testing, sanitizers can emit calls to runtime handlers with debug information such as the file, line number, and values leading to the violation. Sanitizers can optionally continue execution after a violation has occurred, allowing multiple violations to be discovered in a single test run. We refer to using the sanitizers in this way as running them in “diagnostics mode”. Diagnostics mode is not intended for production as it provides no security benefits and adds high overhead. Diagnostics mode for the sanitizers can be set using the following flags: -fsanitize=signed-integer-overflow,unsigned-integer-overflow,bounds -fsanitize-recover=all Since Clang does not provide a UBSan runtime for bare-metal targets, a runtime will need to be defined and provided at link time: // integer overflow handlers __ubsan_handle_add_overflow(OverflowData *data, ValueHandle lhs, ValueHandle rhs) __ubsan_handle_sub_overflow(OverflowData *data, ValueHandle lhs, ValueHandle rhs) __ubsan_handle_mul_overflow(OverflowData *data, ValueHandle lhs, ValueHandle rhs) __ubsan_handle_divrem_overflow(OverflowData *data, ValueHandle lhs, ValueHandle rhs) __ubsan_handle_negate_overflow(OverflowData *data, ValueHandle old_val) // boundsan handler __ubsan_handle_out_of_bounds_overflow(OverflowData *data, ValueHandle old_val) As an example, see the default Clang implementation; the Linux Kernels implementation may also be illustrative. With the runtime defined, enable the sanitizer over the entire baseband codebase and run all available tests to uncover and address any violations. Vulnerabilities should be patched, and overflows should either be refactored or made explicit through the use of checked arithmetic builtins which do not trigger sanitizer violations. Certain functions which are expected to have intentional overflows (such as cryptographic functions) can be preemptively excluded from sanitization (see next section). Aside from uncovering security vulnerabilities, this stage is highly effective at uncovering code quality and stability bugs that could result in instability on user devices. Once violations have been addressed and tests are no longer uncovering new violations, the next stage can begin. Measuring and Reducing Overhead Once shallow violations have been addressed, benchmarks can be run and the overhead from the sanitizers (performance, code size, memory footprint) can be measured. Measuring overhead must be done using production flags – namely “trapping mode”, where violations cause execution to abort. The diagnostics runtime used in the first stage carries significant overhead and is not indicative of the actual performance sanitizer overhead. Trapping mode can be enabled using the following flags: -fsanitize=signed-integer-overflow,unsigned-integer-overflow,bounds -fsanitize-trap=all Most of the overhead is likely due to a small handful of “hot functions”, for example those with tight long-running loops. Fine-grained per-function performance metrics (similar to what Simpleperf provides for Android), allows comparing metrics before and after sanitizers and provides the easiest means to identify hot functions. These functions can either be refactored or, after manual inspection to verify that they are safe, have sanitization disabled. Sanitizers can be disabled either inline in the source or through the use of ignorelists and the -fsanitize-ignorelist flag. The physical layer code, with its extremely tight performance margins and lower chance of exploitable vulnerabilities, may be a good candidate to disable sanitization wholesale if initial performance seems prohibitive. Soaking in Pre-production With overhead minimized and shallow bugs resolved, the final stage is enabling the sanitizers in trapping mode to mitigate vulnerabilities. We strongly recommend a long period of internal soak in pre-production with test populations to uncover any remaining violations not discovered in testing. The more thorough the test coverage and length of the soak period, the less risk there will be from undiscovered violations. As above, the configuration for trapping mode is as follows: -fsanitize=signed-integer-overflow,unsigned-integer-overflow,bounds -fsanitize-trap=all Having infrastructure in place to collect bug reports which result from any undiscovered violations can help minimize the risk they present. Transitioning to Memory Safe Languages The benefits from deploying sanitizers in your existing code base are tangible, however ultimately they address only the lowest hanging fruit and will not result in a code base free of vulnerabilities. Other classes of memory safety vulnerabilities remain unaddressed by these sanitizers. A longer term solution is to begin transitioning today to memory-safe languages such as Rust. Rust is ready for bare-metal environments such as the baseband, and we are already using it in other bare-metal components in Android. There is no need to rewrite everything in Rust, as Rust provides a strong C FFI support and easily interfaces with existing C codebases. Just writing new code in Rust can rapidly reduce the number of memory safety vulnerabilities. Rewrites should be limited/prioritized only for the most critical components, such as complex parsers handling untrusted data. The Android team has developed a Rust training meant to help experienced developers quickly ramp up Rust fundamentals. An entire day for bare-metal Rust is included, and the course has been translated to a number of different languages. While the Rust compiler may not explicitly support your bare-metal target, because it is a front-end for LLVM, any target supported by LLVM can be supported in Rust through custom target definitions. Raising the Bar As the high-level operating system becomes a more difficult target for attackers to successfully exploit, we expect that lower level components such as the baseband will attract more attention. By using modern toolchains and deploying exploit mitigation technologies, the bar for attacking the baseband can be raised as well. If you have any questions, let us know – we’re here to help!
http://security.googleblog.com/2023/12/hardening-cellular-basebands-in-android.html

• http://security.googleblog.com »

Elie Bursztein, Cybersecurity & AI Research Director, and Marina Zhang, Software EngineerSystems such as Gmail, YouTube and Google Play rely on text classification models to identify harmful content including phishing attacks, inappropriate comments, and scams. These types of texts are harder for machine learning models to classify because bad actors rely on adversarial text manipulations to actively attempt to evade the classifiers. For example, they will use homoglyphs, invisible characters, and keyword stuffing to bypass defenses. To help make text classifiers more robust and efficient, we’ve developed a novel, multilingual text vectorizer called RETVec (Resilient & Efficient Text Vectorizer) that helps models achieve state-of-the-art classification performance and drastically reduces computational cost. Today, we’re sharing how RETVec has been used to help protect Gmail inboxes.Strengthening the Gmail Spam Classifier with RETVecFigure 1. RETVec-based Gmail Spam filter improvements.Over the past year, we battle-tested RETVec extensively inside Google to evaluate its usefulness and found it to be highly effective for security and anti-abuse applications. In particular, replacing the Gmail spam classifier’s previous text vectorizer with RETVec allowed us to improve the spam detection rate over the baseline by 38% and reduce the false positive rate by 19.4%. Additionally, using RETVec reduced the TPU usage of the model by 83%, making the RETVec deployment one of the largest defense upgrades in recent years. RETVec achieves these improvements by sporting a very lightweight word embedding model (~200k parameters), allowing us to reduce the Transformer model’s size at equal or better performance, and having the ability to split the computation between the host and TPU in a network and memory efficient manner.RETVec BenefitsRETVec achieves these improvements by combining a novel, highly-compact character encoder, an augmentation-driven training regime, and the use of metric learning. The architecture details and benchmark evaluations are available in our NeurIPS 2023 paper and we open-source RETVec on Github.Due to its novel architecture, RETVec works out-of-the-box on every language and all UTF-8 characters without the need for text preprocessing, making it the ideal candidate for on-device, web, and large-scale text classification deployments. Models trained with RETVec exhibit faster inference speed due to its compact representation. Having smaller models reduces computational costs and decreases latency, which is critical for large-scale applications and on-device models.Figure 1. RETVec architecture diagram.Models trained with RETVec can be seamlessly converted to TFLite for mobile and edge devices, as a result of a native implementation in TensorFlow Text. For web application model deployment, we provide a TensorflowJS layer implementation that is available on Github and you can check out a demo web page running a RETVec-based model.Figure 2.  Typo resilience of text classification models trained from scratch using different vectorizers.RETVec is a novel open-source text vectorizer that allows you to build more resilient and efficient server-side and on-device text classifiers. The Gmail spam filter uses it to help protect Gmail inboxes against malicious emails.If you would like to use RETVec for your own use cases or research, we created a tutorial to help you get started.This research was conducted by Elie Bursztein, Marina Zhang, Owen Vallis, Xinyu Jia, and Alexey Kurakin. We would like to thank Gengxin Miao, Brunno Attorre, Venkat Sreepati, Lidor Avigad, Dan Givol, Rishabh Seth and Melvin Montenegro and all the Googlers who contributed to the project.
http://security.googleblog.com/2023/11/improving-text-classification.html

• http://security.googleblog.com »

Royal Hansen, Vice President of Privacy, Safety and Security Engineering, GoogleNearly half of third-parties fail to meet two or more of the Minimum Viable Secure Product controls. Why is this a problem? Because "98% of organizations have a relationship with at least one third-party that has experienced a breach in the last 2 years."In this post, we're excited to share the latest improvements to the Minimum Viable Secure Product (MVSP) controls. We'll also shed light on how adoption of MVSP has helped Google improve its security processes, and hope this example will help motivate third-parties to increase their adoption of MVSP controls and thus improve product security across the industry.About MVSPIn October 2021, Google publicly launched MVSP alongside launch partners. Our original goal remains unchanged: to provide a vendor-neutral application security baseline, designed to eliminate overhead, complexity, and confusion in the end-to-end process of onboarding third-party products and services. It covers themes such as procurement, security assessment, and contract negotiation.Improvements since launchAs part of MVSP’s annual control review, and our core philosophy of evolution over revolution, the working group sought input from the broader security community to ensure MVSP maintains a balance between security and achievability.As a result of these discussions, we launched updated controls. Key changes include: expanded guidance around external vulnerability reporting to protect bug hunters, and discouraging additional costs for access to basic security features – inline with CISA’s "Secure-by-Design" principles.In 2022, we developed guidance on build process security based on SLSA, to reflect the importance of supply chain security and integrity.From an organizational perspective, in the two years since launching, we've seen the community around MVSP continue to expand. The working group has grown to over 20 global members, helping to diversify voices and broaden expertise. We've also had the opportunity to present and discuss the program with a number of key groups, including an invitation to present at the United Nations International Computing Centre – Common Secure Conference.Google at the UNICC conference in Valencia, SpainHow Google uses MVSPSince its inception, Google has looked to integrate improvements to our own processes using MVSP as a template. Two years later, we can clearly see the impact through faster procurement processes, streamlined contract negotiations, and improved data-driven decision making.HighlightsAfter implementing MVSP into key areas of Google's third-party life-cycle, we've observed a 68% reduction in the time required for third-parties to complete assessment process.By embedding MVSP into select procurement processes, Google has increased data-driven decision making in earlier phases of the cycle.Aligning our Information Protection Addendum’s safeguards with MVSP has significantly improved our third-party privacy and security risk management processes.You use MVSP to enhance your software or procurement processes by reviewing some common use-cases and adopting them into your third-party risk management and/or contracting workflows .What's next?We're invested in helping the industry manage risk posture through continuous improvement, while increasing the minimum bar for product security across the industry.By making MVSP available to the wider industry, we are helping to create a solid foundation for growing the maturity level of products and services. Google has benefited from driving security and safety improvements through the use of leveled sets of requirements. We expect the same to be true across the wider industry.We've seen success, but there is still work to be done. Based on initial observations, as mentioned above, 48% of third-parties fail to meet two or more of the Minimum Viable Secure Product controls.As an industry, we can't stand still when it comes to product security. Help us raise the minimum bar for application security by adopting MVSP and ensuring we as an industry don’t accept anything less than a strong security baseline that works for the wider industry.AcknowledgementsGoogle and the MVSP working group would like to thank those who have supported and contributed since its inception. If you'd like to get involved or provide feedback, please reach out.Thank you to Chris John Riley, Gabor Acs-Kurucz, Michele Chubirka, Anna Hupa, Dirk Göhmann and Kaan Kivilcim from the Google MVSP Group for their contributions to this post.
http://security.googleblog.com/2023/11/two-years-later-baseline-that-drives-up.html

• http://security.googleblog.com »

Posted by Nataliya Stanetsky, Android Security and Privacy Team The App Defense Alliance (ADA), an industry-leading collaboration launched by Google in 2019 dedicated to ensuring the safety of the app ecosystem, is taking a major step forward. We are proud to announce that the App Defense Alliance is moving under the umbrella of the Linux Foundation, with Meta, Microsoft, and Google as founding steering members. This strategic migration represents a pivotal moment in the Alliance’s journey, signifying a shared commitment by the members to strengthen app security and related standards across ecosystems. This evolution of the App Defense Alliance will enable us to foster more collaborative implementation of industry standards for app security. Uniting for App Security The digital landscape is continually evolving, and so are the threats to user security. With the ever-increasing complexity of mobile apps and the growing importance of data protection, now is the perfect time for this transition. The Linux Foundation is renowned for its dedication to fostering open-source projects that drive innovation, security, and sustainability. By combining forces with additional members under the Linux Foundation, we can adapt and respond more effectively to emerging challenges. The commitment of the newly structured App Defense Alliance’s founding steering members – Meta, Microsoft, and Google – is pivotal in making this transition a reality. With a member community spanning an additional 16 General and Contributor Members, the Alliance will support industry-wide adoption of app security best practices and guidelines, as well as countermeasures against emerging security risks. Continuing the Malware Mitigation Program The App Defense Alliance was formed with the mission of reducing the risk of app-based malware and better protecting Android users. Malware defense remains an important focus for Google and Android, and we will continue to partner closely with the Malware Mitigation Program members – ESET, Lookout, McAfee, Trend Micro, Zimperium – on direct signal sharing. The migration of ADA under the Linux Foundation will enable broader threat intelligence sharing across leading ecosystem partners and researchers. Looking Ahead and Connecting With the ADA We invite you to stay connected with the newly structured App Defense Alliance under the Linux foundation umbrella. Join the conversation to help make apps more secure. Together with the steering committee, alliance partners, and the broader ecosystem, we look forward to building more secure and trustworthy app ecosystems.
http://security.googleblog.com/2023/11/evolving-app-defense-alliance.html

• http://security.googleblog.com »

Posted by Andy Qin, Irene Ang, Kostya Serebryany, Evgenii Stepanov Since 2018, Google has partnered with ARM and collaborated with many ecosystem partners (SoCs vendors, mobile phone OEMs, etc.) to develop Memory Tagging Extension (MTE) technology. We are now happy to share the growing adoption in the ecosystem. MTE is now available on some OEM devices (as noted in a recent blog post by Project Zero) with Android 14 as a developer option, enabling developers to use MTE to discover memory safety issues in their application easily. The security landscape is changing dynamically, new attacks are becoming more complex and costly to mitigate. It’s becoming increasingly important to detect and prevent security vulnerabilities early in the software development cycle and also have the capability to mitigate the security attacks at the first moment of exploitation in production.The biggest contributor to security vulnerabilities are memory safety related defects and Google has invested in a set of technologies to help mitigate memory safety risks. These include but are not limited to: Shifting to memory safe languages such as Rust as a proactive solution to prevent the new memory safety bugs from being introduced in the first place. Tools for detecting memory safety defects in the development stages and production environment, such as widely used sanitizer technologies1 (ASAN, HWASAN, GWP-ASAN, etc.) as well as fuzzing (with sanitizers enabled). Foundational technologies like MTE, which many experts believe is the most promising path forward for improving C/C++ software security and it can be deployed both in development and production at reasonably low cost. MTE is a hardware based capability that can detect unknown memory safety vulnerabilities in testing and/or mitigate them in production. It works by tagging the pointers and memory regions and comparing the tags to identify mismatches (details). In addition to the security benefits, MTE can also help ensure integrity because memory safety bugs remain one of the major contributors to silent data corruption that not only impact customer trust, but also cause lost productivity for software developers. At the moment, MTE is supported on some of the latest chipsets: Focusing on security for Android devices, the MediaTek Dimensity 9300 integrates support for MTE via ARM's latest v9 architecture (which is what Cortex-X4 and Cortex-A720 processors are based on). This feature can be switched on and off in the bootloader by users and developers instead of having it always on or always off. Tensor G3 integrates support for MTE only within the developer mode toggle. Feature can be activated by developers. For both chipsets, this feature can be switched on and off by developers, making it easier to find memory-related bugs during development and after deployment. MTE can help users stay safe while also improving time to market for OEMs.Application developers will be the first to leverage this feature as a way to improve their application security and reliability in the software development lifecycle. MTE can effectively help them to discover hard-to-detect memory safety vulnerabilities (buffer overflows, user-after-free, etc.) with clear & actionable stack trace information in integration testing or pre-production environments. Another benefit of MTE is that the engineering cost of memory-safety testing is drastically reduced because heap bug detection (which is majority of all memory safety bugs) does not require any source or binary changes to leverage MTE, i.e. advanced memory-safety can be achieved with just a simple environment or configuration change.We believe that MTE will play a very important role in detecting and preventing memory safety vulnerabilities and provide a promising path towards improving software security. Notes ASAN = Address Sanitizer; HWASAN = HW based ASAN;GWP-ASAN = sampling based ASAN ↩
http://security.googleblog.com/2023/11/mte-promising-path-forward-for-memory.html

• http://security.googleblog.com »

Posted by Chrome Security team Improving the interoperability of web services is an important and worthy goal. We believe that it should be easier for people to maintain and control their digital identities. And we appreciate that policymakers working on European Union digital certificate legislation, known as eIDAS, are working toward this goal. However, a specific part of the legislation, Article 45, hinders browsers’ ability to enforce certain security requirements on certificates, potentially holding back advances in web security for decades. We and many past and present leaders in the international web community have significant concerns about Article 45's impact on security. We urge lawmakers to heed the calls of scientists and security experts to revise this part of the legislation rather than erode users’ privacy and security on the web.
http://security.googleblog.com/2023/11/qualified-certificates-with-qualified.html

• http://security.googleblog.com »

Posted by Nataliya Stanetsky, Android Security and Privacy Team Keeping Google Play safe for users and developers remains a top priority for Google. As users increasingly prioritize their digital privacy and security, we continue to invest in our Data Safety section and transparency labeling efforts to help users make more informed choices about the apps they use. Research shows that transparent security labeling plays a crucial role in consumer risk perception, building trust, and influencing product purchasing decisions. We believe the same principles apply for labeling and badging in the Google Play store. The transparency of an app’s data security and privacy play a key role in a user’s decision to download, trust, and use an app. Highlighting Independently Security Tested VPN Apps Last year, App Defense Alliance (ADA) introduced MASA (Mobile App Security Assessment), which allows developers to have their apps independently validated against a global security standard. This signals to users that an independent third-party has validated that the developers designed their apps to meet these industry mobile security and privacy minimum best practices and the developers are going the extra mile to identify and mitigate vulnerabilities. This, in turn, makes it harder for attackers to reach users' devices and improves app quality across the ecosystem. Upon completion of the successful validation, Google Play gives developers the option to declare an “Independent security review” badge in its Data Safety section, as shown in the image below. While certification to baseline security standards does not imply that a product is free of vulnerabilities, the badge associated with these validated apps helps users see at-a-glance that a developer has prioritized security and privacy practices and committed to user safety. To help give users a simplified view of which apps have undergone an independent security validation, we’re introducing a new Google Play store banner for specific app types, starting with VPN apps. We’ve launched this banner beginning with VPN apps due to the sensitive and significant amount of user data these apps handle. When a user searches for VPN apps, they will now see a banner at the top of Google Play that educates them about the “Independent security review” badge in the Data Safety Section. Users also have the ability to “Learn More”, which redirects them to the App Validation Directory, a centralized place to view all VPN apps that have been independently security reviewed. Users can also discover additional technical assessment details in the App Validation Directory, helping them to make more informed decisions about what VPN apps to download, use, and trust with their data. VPN providers such as NordVPN, Google One, ExpressVPN, and others have already undergone independent security testing and publicly declared the badge showing their good standing with the MASA program. We encourage and anticipate additional VPN app developers to undergo independent security testing, bringing even more transparency to users. If you are a VPN developer and interested in learning more about this feature, please submit this form. Our Commitment to App Security and Privacy Transparency on Google Play By encouraging independent security testing and displaying security badges for validated apps, we highlight developers who prioritize user safety and data transparency. We also provide developers with app security and privacy best practices – through Play PolicyBytes videos, webinars, blog posts, the Developer Help Community, and other resources – in accordance with our developer policies that help keep Google Play safe. We are continually working on improvements to our app review process, policies, and programs to keep users safe and to help developers navigate our policies with ease. To learn more about how we give developers the tools to succeed while keeping users safe on Google Play, read the Google Safety Center article. Our efforts to prioritize security and privacy transparency on Google Play are aligned with the needs and expectations we’ve heard from both users and developers. We believe that by prioritizing initiatives that bolster user safety and trust, we can foster a thriving app ecosystem where users can make more informed app decisions and developers are encouraged to uphold the highest standards of security and privacy.
http://security.googleblog.com/2023/11/more-ways-for-users-to-identify.html

• https://securityaffairs.com/ »

A Ukrainian national, a member of the REvil group, has been sentenced to more than 13 years in prison for his role in extortion activities. The Ukrainian national, Yaroslav Vasinskyi (24), aka Rabotnik, has been sentenced to more than 13 years in prison and must pay $16 million in restitution for conducting numerous ransomware attacks […]
https://securityaffairs.com/162679/cyber-crime/revil-gang-member-sentenced.html

• https://securityaffairs.com/ »

Government agencies from the US, Canada and the UK warn of Russian threat actors targeting critical infrastructure in North America and Europe The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), United States Department of Agriculture (USDA), Food and Drug […]
https://securityaffairs.com/162672/hacking/pro-russia-hackers-target-critical-infrastructure.html

• https://securityaffairs.com/ »

HPE Aruba Networking addressed four critical remote code execution vulnerabilities impacting its ArubaOS network operating system. HPE Aruba Networking released April 2024 security updates that addressed four critical remote code execution (RCE) vulnerabilities affecting multiple versions of the network operating system ArubaOS. The four vulnerabilities are unauthenticated buffer overflow issues that could be exploited to […]
https://securityaffairs.com/162663/security/hpe-aruba-networking-critical-flaws.html

• https://securityaffairs.com/ »

Threat actors breached the Dropbox Sign production environment and accessed customer email addresses and hashed passwords Cloud storage provider DropBox revealed that threat actors have breached the production infrastructure of the DropBox Sign eSignature service and gained access to customer information and authentication data. Dropbox Sign is a service that allows users to electronically sign […]
https://securityaffairs.com/162654/hacking/dropbox-sign-production-environment-hacked.html

• https://securityaffairs.com/ »

CISA adds GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via Password Reset. The […]
https://securityaffairs.com/162646/security/gitlab-known-exploited-vulnerabilities-catalog.html

• https://news.sophos.com/en-us/ »

To mark Earth Day on April 22, and its theme of Planet vs. Plastics, Sophos employees are being encouraged to use their Sophos Volunteering hours to take part in practical opportunities to join the fight against plastic pollution, as well as take part in a series of wellbeing webinars focused on sustainability and climate anxiety.
https://news.sophos.com/en-us/2024/04/22/earth-day-2024-sophos-supports-this-years-planet-vs-plastics-campaign/

• https://news.sophos.com/en-us/ »

A Sophos X-Ops investigation finds that a wave of crude, cheap ransomware could spell trouble for small businesses and individuals – but also provide insights into threat actor career development and the wider threat landscape
https://news.sophos.com/en-us/2024/04/17/junk-gun-ransomware-peashooters-can-still-pack-a-punch/

• https://news.sophos.com/en-us/ »

Guidance to support financial entities in the EU impacted by the Digital Operational Resilience Act (DORA).
https://news.sophos.com/en-us/2024/04/15/sophos-guidance-on-the-digital-operational-resilience-act-dora/

• https://news.sophos.com/en-us/ »

The largest CVE count in recent history rolls out
https://news.sophos.com/en-us/2024/04/10/a-tumultuous-titanic-patch-tuesday-as-microsoft-makes-some-changes/

• https://news.sophos.com/en-us/ »

Sophos X-Ops discovers a curious backdoored (and signed) executable, masquerading as something else entirely
https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/

• https://medium.com/@d0znpp?sou »

What is XMPP ❓ — Extensible Messaging & Presence ProtocolIntroductionIn the early 2000s, when the idea of chat applications was shaping, XMPP was allowing developers to construct interactive chat applications. Since its genesis, this protocol has come a long way and is now included in the tech stack (or framework) suggested for developing high-end chat apps like WhatsApp.More than two decades later too, this protocol hasn’t lost its sheen and significance in the abundance of the protocol. Why is it so? What makes XMPP time relevant? What are the key markers? Let’s know this protocol a little better.What is XMPP — Extensible Messaging & Presence Protocol?It is an XML-driven protocol utilized typically in open standard communication. To say it concisely, it is a chat protocol that permits the seamless to and fro sending of essential XML components such as data. Besides making IM and real-time ‘talks’ possible, XMPP also finds its applications in contact list maintenance and presence details.The UsageXMPP is most generally used in forthright message interaction between two points, checking the user status, sharing the status details with the server. It also takes care of server status record keeping, subscription management, contact list updates, and blockading certain users.The AttributesIt’s decentralized.It supports the asynchronous exchange of data/information.Transmits tiny pieces of the data instead of forwarding the big chunks directly.It works over TCP.Network configuration and components (hardware/software) has no role to play in the XMPP-based data transmission.It is designed for client-server model.It uses 3 statuses, namely ‘offline’, ‘busy’, or ‘online’, to tell about the status of a user or network.It transfers data back and forth between two end-points.XMPP ArchitectureOn a structural level, XMPP shares great similarities with protocols that work on the application layer. For example, it also concerns uniquely named clients communicating over an associated server. Enforcing the protocol as per both clients, XMPP monitors and handles routing for them.The overhead figure illustrates the XMPP architecture straightforwardly.However, in a complex implementation, multiple XMPP gateways might also exist. In this scenario, the protocol also needs to takes care of the intercommunication for multiple domain routing. So, the gateways act as a translating medium between various protocols and domains that are in the cycle during the information-exchange.Additionally, the XMPP gateway brooks the tasks like commencing and termination of the client-to-server sessios at the intended protocol while including the demanding protocol translation elements.Even with the use of considerable gateways and domains, one can succeed in achieving constant connectivity across all the network points with the help of XMPP.While comprehending the XMPP architecture, understanding a few terms is crucial.For example, you must know about XMPP stanzas. These, simply, are the small XML fragments that are used for starting a communication session. they can be of 3 types:The presence stanza defines the network or user’s present status to others. For example, the user/network is online or offline.Message stanza is a pushing instrument essential for chat messages exchange.IQ stanza is the element that XMPP utilizes for data requests and modification. Just as HTTP has GET and POST, XMPP has IQ stanza.How does XMPP protocol work?The entire processing of XMPP relies upon the client-server architecture that interests message transmission to the server first and then to the clients.To find out which client should receive the message, the XMPP server utilizes the unique ID of the receiver. The unique ID or Jabber ID is very much comparable to an email address with negligible changes.user@domain.com/resource is the format for the Jabber ID.Here, the user directs to the username, domain.com is the domain particulars of the sender, and resource is the device type of message receiver. For example,JohnDoe@technology.testing/terminal.In the example, John Ray is the user name, Technology.testing is the domain name, and terminal is the type of device or resource that is used by John. The resource is an optional part while the previous two are essential.XMPP server employs this Jabber ID for correct message routing over TCP connection. As soon as a communication session is started, an XML stream is shared to the server and client identification is done with the help of Jabber ID.Once the identification is done, the server will receive the request and will initiate another XML stream transmission request. This stream will be sent back to the client from the server’s side. This way, each XML stream becomes bi-directional.XMPP is efficient to generate a large-scale message network known as a federation. With the help of a federation, clients can communicate with multiple XMPP servers at a time.XMPP FeaturesFundamental features that make XMPP stand out from other protocols are as under:Asynchronous Push MessagingWith XMPP, continual and asynchronous message delivery is achievable. With this, we mean message dispatch in a row, not waiting for the receiver or sender reply, and not necessitating the user to be online to accept the message. Messages are shared in the form of XML stanzas that are distinctive information units featuring segments like metadata, message body, and unique ID of the sender & receiver.What makes XMPP distinguishable from other client-server systems is that XMPP doesn’t support polling. Polling is the process where the client prompts the server constantly to review whether or not any recent information is present. As polling is done at regular intervals, there is no instant communication experience for end-users. Also, it ushers in outrageous bandwidth consumption.Rather, XMPP automatically propels the recent message to the server even when the previous request is not processed or received by the server. It happens in the server-to-client side of communication as well. This constructs an instant communication experience for users.Client-Server ArchitectureThis is the core architecture that XMPP follows. In this architecture, XMPP disseminates only a small fraction of XML elements. This portative XML element will first reach to the server and then to the user.The XMPP clients are allocated separate names, just like an email. This unique ID is used to recognize the client and route the message in the right direction. This way, XMPP guarantees that each XMPP client observes a fixed and standard route to couple with the server.Persistent TCP ConnectionsOriginally, XMPP can transmit the data or designate a connection over TCP only. Connection built over here is invariant and doesn’t demand re-establishment whenever a new message is transmitted.This way, XMPP constructs an XML stream supporting free XML data exchange. However, certain cutting-edge XMPP extensions now use TLS and WebSockets as well.Decentralized HostingWith decentralized hosting, we refer to having no central authority controlling the server. Anyone can maintain, run, and even maintain the XMPP servers. Additionally, freedom to set up the servers on either cloud or premise is also granted. On this front also, it’s similar to email. Every email owner can set up emails as per their choices. They have the freedom to set up the login details, password, and other details as per their preferences.GatewaysOne another very distinguishing feature of XMPP is that it offers gateways for numerous chats and messaging protocols. It’s compatible with many protocols and can link to the networks at length.For instance, a given XMPP network can access an SMS domain when a message is supplied to the receiver on the mobile and simultaneously to the SMTP domain to deliver the same message on the receiver’s email. In addition to this, the XMPP network to deliver the message in another form, say IRC, can also use any other particular message protocol, concurrently.XMPP Protocol ExampleXMPP enjoys the reputation of a core element for many communication apps that we use presently. Some of the most famed apps, developed using XMPP, are as mentioned below.WhatApp is built using a proprietary XMPP.The amazing chat capability of Zoom is all because of XMPP.For instant push notification delivery, Apple uses XMPP both in the iPhone and Mac.XMPP is used in the chat functionality of Grindr.For development of highly functional chat apps, XMPP is one of the multiple choices offered. However, it continues to grow as a preferred one for many because of its distinctive features and multiple benefits that it brings on the table.Benefits of XMPPBacked by IETF and embraced by thousands of developers, XMPP has become a mainstream open standard protocol for chat application development.With outstanding markers, XMPP contrived to fill the gap, assembled by stringent protocols, and has affirmed itself as a necessity for peer-to-peer communication and beyond.Below are the fundamental benefits to enjoy after adopting the XMPP protocol.A Reliable Protocol to Back uponThis protocol has been serving the developer community for more than 20 years. Through these years, the protocol has strengthened its infrastructure and gained huge community backing. Presently, multiple XMPP servers are out there, thousands of developers have used it, and it is at the core of many applications.All of this ensures that this protocol is time-tested and has great technical support. If that doesn’t impress you then being free and too straightforward will surely do.Improves Communication Infrastructure for youBeing a highly extensible protocol, it enables end-users to use it in communicating different sorts of media and messages. It won’t ask you whether you’re transmitting audio or a video; XMPP will continue to support in creating an efficacious communication infrastructure.Guarantee of DeliveryWith XMPP, one can be double sure about the message delivery as it uses constant connectivity over TCP. It will hardly miss any XML stanza delivery, no matter how small it is.Support by most of the Standard Programming LanguagesAdoption at a large scale and huge global demand resulted in support for various languages. XMPP libraries are available in many leading languages like Perl, C++, C#, Java, Python, and many more. You name it and the XMPP library is most likely to be compatible with that language. This allowed developers to work in a compatible and preferred ecosystem.DecentralizedXMPP is decentralized and permits multiple implementations. There is a restriction in server and library setup. Everyone can go with it. This grants more freedom and creates space for flexibility.Higher SecurityBoosted security is an added advantage of XMPP. While setting-up distinct XMPP servers, developers can choose encryption, security protocols, and access preferences as per the choice. Security is in full control resulting in fewer cyber-attacks and better peace of mind.Uninterrupted Transmission of DataPerformance can be maintained easily as if one XMPP server is affected or is offline, regardless of the reasons, only corresponding users will be impacted. Rest will continue enjoying uninterrupted communication and data transmission. This has made achieving 100% operational continuity possible.Server-to-Server TransfersServer federation is an optional choice. Because of this, developers have the freedom to close the server-to-server for security reasons while assigning servers a specific task.CompatibilityOne major client-side advantage of XMPP is an abundance of clients. There is no dearth of XMPP clients. Regardless of the device type, you’ll find an XMPP client. It goes an extra mile for Windows and Unix systems by offering a command line. Also, one user can be signed up via different devices resulting in better accessibility.The CruxParamount for constructing applications adept in real-time communication, XMPP (Extensible Messaging & Presence Protocol) is an utterly extendable protocol. Read the above article and find out other particulars about this inventive protocol. We have tried covering it comprehensively.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-xmpp-extensible-messaging-presence-protocol-1365b71bb55e?source=rss-952c3fe8c7c7------2

• https://medium.com/@d0znpp?sou »

IntroductionA conceivable threat to cryptocurrency owners, cryptojacking is an attack using which threat attackers can mine cryptocurrency at the expenditure of the target’s resources and network health. If not managed properly at the premature stage, the consequences of this vulnerability can be too detrimental.If you are not aware of this threat’s existence, let us guide you thoroughly on this. In this article, we will cover what is cryptojacking attacks, what are general methods that attackers use, and a few real-word examples to make you aware about the severely of the matter.Cryptojacking definitionCrpytojacking is a type of cyber-attack and is the process of ill-intended cryptomining. The menace works by embedding a befouled code into the targeted device and eradicating its resources to mine unauthorized cryptocurrency.Cryptocurrency mining implicates solving tricky arithmetic equations, which is a tedious and resource-consuming task. At times, adequate resources are not available for the hackers. Hence, they plan a cryptojacking attack, gain access to targets’ devices and networks, and use them to unravel presented problems.Upon success solving the given equations, hackers are endowed with cryptocurrencies that can be used to trade virtually, buy other cryptocurrencies, or get exchanged with traditional money. The rise of cryptocurrency provoked a surge in cryptojacking.Depending upon the intention of the hacker, the cryptocurrency attained via a cryptojacking attack can either be used for trading or left in the liquidity pool. For a deeper understanding of the cryptojacking concept, knowing two terms, cryptocurrency and cryptomining are crucial.Cryptocurrency DefinitionInvented accidentally in 2009, cryptocurrency is a well-encrypted digital currency having the facility for end-to-end transaction tracking. The use of Blockchain technology, wherein multiple computer programs and processing powers are merged, is making cryptocurrency trading and invention conceivable.The first-ever created cryptocurrency is Bitcoin and it is one of the most high-valued cryptocurrencies. As of now, more than 2,500 cryptocurrency exist. Some other utterly renowned cryptocurrencies are Zcash, Ethereum, and Monero.Cryptomining DefinitionCrytomining refers to the computing process that makes cryptocurrency exchange possible. It usually concerns adding cryptocurrency transactions to the Blockchain ledger and revising the information.Cryptominer is what we call the professionals handling this job. They are likely to be skilled enough to use powerful servers and high-end hardware.Future of CryptojackingAs long as cryptocurrency will have huge market demand, cryptojacking will be trending as it allows the threat actor to mine cryptocurrency without even owning the needed resources. It keeps the attack free from the tension to pay for heft hardware and build a powerful network system.Cryptojacking relies fully upon the the growth of cryptocurrency industry. However, the latter faces the wrath due to this undesired connection. 2 most concerning factors due to this trend are:Strict law enforcement that makes things tougher for the crypto worldBan of CoinhiveThese two factors have caused little damp in cryptojacking. Let us tell you how:Even though cryptocurrency has come a long way, there still exist countries in a good number that do not support cryptocurrency usage. Even if it’s legal in certain regions, many restrictions drive its usage. This is a major reason and inhibition behind the limited acceptance of this digital currencies among people.Coinhive is the largest site for cryptominers. But, the site was shut down in 2019 as its code was badly abused and become a target of a hacker. The event caused limited accessibility of cryptocurrency for a while.How it Works?Performed in multiple stages, cryptojacking is a skilled job. The key steps involved in a successful cryptojacking attack are:The attacker integrated the script for mining in a webpage or an emailThe code is auto-installed as soon as the target clicks on the malicious code.The script program runs in the background stealthily, controlling the targeted device.The desired resources are consumed as per the need of the attacker.Attackers start mining using the targeted devices’ resources.As the primary step of cryptomining, hackers start cracking the complicated algorithms.Once the algorithm is solved, the hacker can earn the cryptocurrency.The entire procedure is about controlling a certain part of the device. This seems very much similar to a ransomware attack. The only difference is the visibility of the attack. While a ransomware is clearly visible, cryptojacking assaults remain hidden and work from behind the screen.This concealing nature of the attack makes it more difficult to identify and fix it in the early stage.Cryptojacking MethodsCryptojacking assaults seize its victim using mainly three methods: file-based, browser-based, and cloud cryptojacking. Each method has a different modus-operandi and a different course of action that can be understood by paying attention to the below-mentioned text.File-Based CryptojackingIt involves downloading and executing a corrupted file. The file features an infected script that spreads its impact throughout the targeted system’s IT ecosystem upon successful downloading. Mostly, emails are used to spread such files or links that are malicious in nature.Targets are lured to download or open the file. As soon as this step is done, the script becomes active and starts mining. It works stealthily without letting the target know about its presence.Browser-Based CryptojackingIt is more of a direct and aggressive attack that impacts the IT ecosystem of the targeted device straightforwardly from the browser.It begins with generating a maliciously programmed script. Once the code is generated correctly by the malicious actor, it’s embedded directly in multiple web pages of separate sites. The script is 100% automatic and doesn’t require any manual handling.As soon as the target visits the infected URL, his device auto-downloads the inserted code and supports hackers in cryptojacking unintentionally.Ads through third-parties and the outdated (or less secure) plugins are the general components that malicious actors use for hiding their scripts in general. Sometime, these attacks act even smartly and embed their malicious code in a JavaScript library. With this, it becomes easier to operate a bigger supply chain attack on the target(s).Cloud CryptojackingThis method is favorite of intruders trying to access your essential resources at a large scale. Using cloud cryptojacking technique, they try accessing the APIs your organization use for accessing organization’s cloud platform and related services.Thereafter, hackers are able to consume the CPU resources without any limitations. This leads to unwanted and excess resource consumption and operational cost for the organization. FYI, this method enables the user to mine at a big level and faster — without much hassles and efforts.‍Real examples of cryptojackingThough not affected many till the date, cryptojacking is a real trouble that affects businesses. It has caused damages beyond one’s understanding. Some of the world’s most notorious cryptojacking attacks are as followed:MicrosoftIn 2019, the prestigious Microsoft store spotted 8 apps involved in cryptomining activities. The problematic part was, resources that were being used in the process were the ones of the users who’ve installed and used the app.Though the apps were removed, a lot of damage was done. Spectacultions were made that though those apps came thorugh separare developers, just one person or organization strategically planned this attack and executed it.The infected apps featured corrupted JavaScript codes and were instructed to mine Monero. As a huge amount of resources was consumed for the job, the targeted devices used to encounter ill-effects like slowed-down performance and reduced2. A European DepartmentIn 2018 itself, there was another victim of cryptojacking. It was the central water control system of Europe. Here also, the cryptomining code was instructed to mine Monero.Threat actors infected the key operating system of the entire water utility network. Technically, it was the very 1st attack of its kind that targeted the industrial landscape for cryptojacking.3. Los Angeles TimesOne of the leading media houses, Los Angeles Times, has been victimized by cryptojacking. The incident happened in 2018 and targeted the report page. Anyone who accessed this page on their mobile or other data-driven device was infected. Unfortunately, this cryptojacking code remained unidentified for a longer time and allowed hackers to mine Monero.4. YouTubeSome of the CoinHive miners were spotted active in multiple YouTube ads.‍Detecting cryptojacking. Quick testIf you want to figure out how to stop cryptojacking, it is essential that you learn to discover it first.A strategically planned cryptojacking attack is potent enough to remain hidden and exhaust the resources extensively. At times, attackers plant the code so dexterously the targets remain unaware of its presence. However, a little bit of diligence and awareness plays a huge role in its early detection.The below-mentioned cryptojacking test methods can be of great help in this regard:Poor performance deliveryAs quoted above, the successful execution of malicious cryptomining code consumes the targeted device’s resources. So, a significant symptom in your device is the a sudden or gradual dip in its productivity. Its performance chart takes a downslope.This unwanted consumption increases the burden on the device and makes it slow. So, it’s obvious to experience slow processing, unexpected shutdown, and failures in opening certain apps or programs. At times, the targeted device may even refuse to open or start as it’s supposed to be.Excessive heatingThe extra resource consumption leads to overburden on the OS of the targeted device and makes it overheat.When it continues for a longer period, the average lifespan of the device decreases. However, this is not the obvious sign of a cryptojacking attack as overheating is the outcome of multiple reasons. Hence, one has to delve deeper and look at other obvious cryptojacking related behaviors.Inspect the CPU usageCPU’s health of the targeted devices will surely deteriorate when it will perform heavy tasks like mining. This is why one must check the CPU health regularly. If one witnesses too much CPU usage while visiting a website having no rich media data on it, a suspicious code snippet could be lying in it background.While doing it on personal computers, one must go to Task Manager (or any equivalent tool) and lookout the mention of excess CPU usages. In an enterprise ecosystem, there should be a dedicated IT team for this task.Keeping an eye on the websiteThreat actors remain highly vigilant and hunt for a website that is vulnerable and offers multiple opportunities to embed a code. Make sure that the website is not featuring any outdated plugin or add-on.Also, if you own a website, it’s crucial to inspect it regularly so that any corrupted code can be spotted in the early stage. The earlier is the detection, the lesser is the damage.Cryptojacking Prevention Tips and TricksCryptojacking is an issue for business because, if not addressed or fixed properly, these attacks can cause damage beyond one’s imagination. However, its dangers can be under-control by diligently following the below-mentioned tips:Use cybersecurity tools that could speedily detect malicious code in your system;Web browsers are the first choice of threat attackers. This is why protecting it is the first defense action. There are a few trustworthy add-ons (e.g., No Coin, AntiMiner, and minerBlock) you may bank upon for this.Be aware of current cryptojacking trends to figure out what all the attackers are capable of currently;Blocking ads from untrusted sources, one can reduce the risks of cryptojacking. For this, you can spend some time and find a reliable ad blocker for your use.Disable JavaScript while visiting a suspicious site or disable auto-downloading in your browser.Use Walarm API Security Platform, also read the important post about API securityOriginally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-cryptojacking-attack-definition-and-prevention-fe800ca2aab8?source=rss-952c3fe8c7c7------2

• https://medium.com/@d0znpp?sou »

APIs are paramount for constructing a steadfast and constant communication bridge that empowers devices to pass-on desired information seamlessly. Hackers adopt many ways to exploit the APIs and corrupt the targeted device. This API exploitation is a potential threat to API security and needs foremost attention while constructing utterly secured application development is the goal.What is API abuse?API abuse refers to the act of wrong-handling of APIs, gaining unsanctioned access, and modifying the key functions so that APIs can be used for adversarial processes like raiding a server or overburdening a server. It’s performed with the help of bots, phishing attacks, or manual insertion of malicious code.Consequences of API abuseA thriving API abuse permits hackers to achieve admin-like access to the targeted API. This access endows hackers to make API work as per their will. Hackers make use of existing API vulnerabilities to rob crucial private or business information while corrupting your websites or applications. In addition, one can take over the entire account or software ecosystem with a viable API abuse attack.API abuse exists in many forms, a few examples are:Injection AttacksThis method requires adding a piece of malicious code script in an API. The attack happened only on API featuring vulnerabilities. Presently, injection attackers are the most notorious abuse for web apps as well as APIs.Currently, SQLi and XSS are the most common types of this attack in use. The code insertion can happen in the API code or in the API message.DDoS AttacksIt is a key type of API abuse wherein the threat actor prevents legitimate access to a particular device or system. Hackers make this happen by encumbering APIs with huge traffic volumes. The traffic is sent with the help of a bot and asymmetrical processes.This type of attack consumes system resources at a huge scale and makes them inaccessible to intended users. The Distributed Denial of Service (DDoS) attack can occur at a slow pace, wherein negligible bandwidth is consumed, or at a fast speed as well. Either way, this type of API abuse tarnishes the reputation of the applications and systems as end-users fail to use them.Data ExposureAPIs are used mainly to let 2 or more endpoints communication and share data whenever required. When API abuse happens, the information warehoused in the APIs is likely to be exposed to ill resources. RESTful APIs are more prone to this hander as they transfer data over HTTP protocol.How to prevent API abuse?The outcomes of API abuse are deadly and hold the power to crush the entire IT ecosystem of the target. Hence, one must always remain aware of every possible solution of the ‘How do you prevent abuse of your public API?’ issue. Here are some tips that actually work:Every API call coming from bots should be monitored and managed through and through. As most API abuse happens with the help of bots, API calls made from bots shouldn’t be entertained casually.API authentication and authorization of the highest grade should be implemented.The API login process must have the backing of 2FA and robust encryption.The entire API path should be watched over carefully to spot any vulnerability in the infancy stage.For effective fault tolerance, one must adopt the cluster API implementation process.All sorts of APIs, public or private, SOAP or REST, and many more should have effective API security measures in place. Tools like Wallarm make this happen as it offers every necessary resource to keep API vulnerabilities at a minimum level and keep API abuse probabilities as low as possible.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-api-abuse-prevention-measures-1c277f4ba85d?source=rss-952c3fe8c7c7------2

• https://medium.com/@d0znpp?sou »

IntroductionHumans live in the 21st century where a large portion of our exchanges are taken care of on the web. Thus, people, businesses and organizations are presented with new online protection dangers. A significant number of these digital dangers will break into your framework and challenge a person’s activities. One of the most hazardous digital dangers in our present reality is this malware type. In this piece, we’ll talk about this malware’s significance, how the digital danger can influence your framework, how to recognize it and how to ensure your frameworks against it.What is Remote Access Trojan?This is a malware program that incorporates a secondary passage for authoritative command on a target PC. These malware are normally stored imperceptibly with a normal program such as games or delivered as an email connection. When the main framework is broken into, the interloper might utilize it to circulate the trojan to other weak PCs and create up a botnet.Since a RAT empowers regulatory control, it makes it workable for the interloper to do pretty much anything on the designated PC, including:Checking client conduct through keyloggers or other spyware.Getting to private data, for example, Mastercard and government backed retirement numbers.Enacting a framework’s webcam and recording video.Taking screen captures.Appropriating infections and other malware.Designing drives.Erasing, downloading or adjusting documents and record frameworks.THE BACK ORIFICE ROOTKIT is one of the most mind-blowing known instances of a RAT. A programmer known as the Cult of the Dead Cow made Back Orifice to uncover the security flaws of Microsoft’s Windows working frameworks.RATs can be hard to recognize on the grounds that they normally don’t appear in arrangements of running projects or assignments. The activities they perform can be like those of authentic projects. Besides, a gatecrasher will regularly deal with the degree of asset use. This way a drop in execution doesn’t prepare the client that something’s wrong.‍How Does A Remote Access Trojan Work?Like different types of malware, Remote Access Trojans are typically connected to what in particular seem, by all accounts, to be genuine documents, like messages or pre-introduced programming. In any case, it has lately been seen that these hazardous danger entertainers are rapidly changing working procedures when their techniques are found and openly uncovered.In any case, what truly makes this malware especially risky is the way that it can mirror dependable remote access applications. You won’t have the foggiest idea about it’s presence whenever they have been introduced as it doesn’t show up in a rundown of dynamic projects or running cycles. Why? It’s more invaluable for attackers to keep out of the spotlight and try not to be gotten. Assuming you’re not going to extreme security lengths, it’s conceivable you could have a Remote Access Trojan on your PC for a significant stretch without it being distinguished.Uniquely in contrast to keylogging, a sort of infection that records the keystrokes on a client’s console without the casualty acknowledging it, or ransomware, which encodes every one of the information on a PC or cell phone, hindering the information proprietor’s admittance to it until a payment is paid; Remote Access Trojans give aggressors complete regulatory command over the tainted framework, as long as they stay unseen.As you can envision, this sort of action can bring about fragile circumstances. For instance, on the off chance that a RAT is matched with a keylogger, it can undoubtedly acquire login data for monetary and individual records. To exacerbate the situation, they can covertly initiate a PC’s camera or mouthpiece, and even access private photographs and archives, or utilize your home organization as an intermediary server, to perpetrate violations secretly.Remote Access Trojan DetectionAs fraudsters develop their strategies to sidestep banks’ security, extortion prevention arrangements should likewise advance to keep pace. Most arrangements can’t identify the presence of RATs since they depend on conventional safety efforts like unique finger impression approval or gadget validation. Since this malware hides by not really trying to hide on the client’s authentic gadget and it is as yet the genuine client who is working the gadget . Therefore, banks need a complex way to deal with security in the event that they are to check RATs and RATs-in-the-Browser effectively.What’s more? Two-factor validation (a robust new guideline PSD2) offers restricted insurance, basically with regards to RATs. For instance, assuming the bank asks the assailant for an OTP (One Time Passcode) while they endeavor a false exchange, they can subtly utilize the genuine client’s suspended meeting to obtain it by means of the actual casualty.Social biometrics is generally perceived similar to the main network safety capacity with the capacity to recognize and in this manner defeat this malware assaults. This is on the grounds that, just as approving the known client gadget, biometrics likewise investigates the client’s conduct and intellectual capacities without meddling with the client experience itself. It can progressively profile the client behind the gadget utilizing advanced AI calculations to distinguish their extraordinary social biometric qualities.Through learning these standards of conduct — identifying peculiarities in their mouse direction, dubious console use or postponement in the gadget controlling the PC — high-tech social biometrics can signal startling changes in conduct that happen mid-meeting — but slight or transitory. These crucial pieces of information could flag a potential Remote Access Trojan penetration or Account Takeover ( ATO) endeavor.‍How To Protect Against Remote Access Trojan?RATs are intended to conceal themselves on contaminated machines, giving mystery admittance to an aggressor. They frequently achieve this by piggybacking pernicious usefulness on an apparently genuine application. For instance, a pilfered computer game or business application might be accessible free of charge since it has been changed to incorporate malware.The covertness of RATs can make them hard to ensure against. A few techniques to distinguish and limit the effect of RATs include:Zero in on Infection Vectors: RATs, similar to any malware, are just a risk on the off chance that they are introduced and executed on an objective PC. By sending against phishing and routinely fixing frameworks can diminish the danger of RATs by making it more hard for them to contaminate a PC in any case.Search for Abnormal Behavior: RATs are trojans that ordinarily take on the appearance of authentic applications and might be made out of vindictive usefulness added to a genuine application. Screen applications for strange conduct, for example, notepad.exe producing network traffic.Screen Network Traffic: RATs empower an aggressor to remotely control a contaminated PC over the organization, sending it orders and getting the outcomes. Search for atypical organization traffic that might be related to these interchanges.Carry out Least Privilege: The rule of least advantage expresses that clients, applications, frameworks, and so forth ought to just have the entrance and consents that they need to take care of their business. Executing and authorizing least advantage can assist with restricting what an assailant can accomplish utilizing a RAT.‍Send Multi-Factor Authentication (MFA): RATs generally endeavor to take usernames and passwords for online records. Sending MFA can assist with limiting the effect of qualification compromises.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-rat-remote-access-trojan-detection-and-removal-ac6786fd9011?source=rss-952c3fe8c7c7------2

• https://medium.com/@d0znpp?sou »

Enterprises using various business apps have a tough time maintaining data’s secrecy and access grants as per user roles throughout the infrastructure landscape. SAML (Security Assertion Markup Language) shows up as a great aid at this front.Let’s see what is it, how it works, what are its advantages, how it differs from SSO, what makes it similar to SSO, and how it helps in API access verification to ensure an astonishing security level.SAML — A Quick OverviewSAML’s main work is to permit IdP (the identity details providers) to share the authentication-concerned credential with the concerned authority. It is the open standard that allows granting unified access for all kinds of apps while making no compromise on data security.A few more things you must know about SAML are:It brings XML into action for completing the customary connection between IdPs and service-givers to communicate reliably.SAML authentication process confirms the end-user’s identity while SAML authorization defines which all resources should be in user’s access.It checks for SPs, IdPs, and end-users if the user is eligible for what it is demanding.It’s an OASIS standard.It ensures safe exchange of information.It supports SSO activation. However, this procedure will require connecting to an external IdP and sharing the XML tokens with it.A Quick Glimpse of Single Sign-on (SSO)Considered among the topmost viable authentication frameworks, SSO merges multiple sign-in screens. This implies, you won’t have to sign-in independently for your app(s). Instead, 1 set of sign-in data for your accounts will work fine for diverse SaaS apps.By doing so, it makes accessing the app faster, simpler, and auditable. It’s a key aspect of IAM strategies of businesses seeking frictionless app access validation and better security implementations.With SSO enabled, one can enjoy:Strong passwords, as there is no need to create multiple passwords sharing similarities. One tough and complex password is enough for everyone.Users do not have to memorize various passwords.Easy MFA deployment that verifies multiple factors, as its activation at 1 point will secure various applications.Quick password re-entry policy enforcement, as administrators have a single point where the policy should be enforced.Seamless internal credential management because the SSO stores user passwords internally and grants the IT team more control over the database.Instant recovery of user password as the IT team has to work on recovering one password.SAML Authentication — The Step-by-Step ProcessLet us tell you the whole procedure in a few steps.First of all, the identiy service hands over the user login related input to the SP. For the seamless of SAML parameters to the SPs, every end-user is bound to login via SSO once.Next, the SP contacts IdPs, asking about the credibility of a request. This process requires giving consent for SAML SSO configuration too. Doing so ensures that the same SAML settings are used for checking the identity and authorizing the user/request.BenefitsBeing a standard format, it grants an open approach to businesses that is free from platform compatibility and vendor implementations.It uses directories in a loose coupling manner, that implies there is no need to store or sync user data to local directories.As it supports SSO, end-users are going to have great experience in accessing applications.SAML lets businesses reuse integrations for registration/sign-in while maintaining the same level of security. It trims the account management cost.The burden of maintaining the user identities is shifted to the IdP when SAML is at work. This frees service-givers from registration and sign-in related hassles.What is SAML Assertion?In simple terms, it is an XML-formatted document that comprises the user authorization status information. This detail is offered by an IdP to a service-giver.Its 3 typesos assertions are:Authentication is all about the validation of user’s credibility, related technique, and session duration tracking details.Assigned takes care of successfully passing SAML tokens to the SP. IdP as well as SP directory use the same attributes to confirm the trustworthiness of request-creator.Finally, assertion of Authorization-decision type explains where or not the user is given access as per his request. Detailed reason behind denied access is also offered if it happens.SAML ExampleThe simplest example of how SAML processes its operations is given below:Let’s consider an end-user, named John, who tries to access a business application for official purposes.John will begin a session with SSO and complete the identity verification part of the procedure.Zoho CRM will request the IdP to share the user details for confirmation.The SaaS tool will access the fetched results to complete the authority verification step.IdP will revert to this request in SAML format. It will feature the digital signatures of John. Based upon the similarities between the identification details provided by John and the IdP, the revert message may feature other details as well.SaaS tool receives the response and grants or denies access, as instructed by the IdP.If access is permitted John is allowed to use his Zoho account.SAML vs SSOSAML helps in user identity verification and in making SSO possible. SSO can exist alone and allows end-users to use various applications with unified login details. SSO can bring the standard SAML protocols into action while performing information trading as it has no specific protocols of its own. Additionally, it can use third-party protocols like OpenID for effective cross-domain user identity check. SAML offers a wide range of protocols.SAML vs oAuth2Owing to similarities between key purposes, SAML 2.0 and oAuth 2.0 are often considered the same. While they both share great similarities, they differ from each other in various aspects.SimilaritiesBoth are required to promote secure application interoperability.Both support easy access management and fast integration.DifferencesoAuth 2.0 pays attention to authorization while SAML prioritizes authenticationSAML is XML based while oAuth 2.0 is utilizes JSONSAML maintains session data through cookies while API calls are used in the case of oAuth for this.API authentication with SAMLWhile the most common use of SAML is supporting user identity verification and enabling SSO, it can be proved highly fruitful for request’s genuinity checking in APIs. User access right verification, to check if the request is genuine, is crucial from the API security front and can be achieved by sending a SAML request that must comprise:SAML prepare authentication API based API auth requestSAML message that can support the SSO process auto-initiated by IdPBy all means, it’s crucial for a SAML request message to be based on an encoded XML document featuring <Response> root element.The request’s body must feature content, ids, and realm. The first two aspects are essentials while the last one is optional.The SAML response includes access_token (a SAML token granting or denying the access), username, expires_in, refresh_token, and realm.The Final WordSAML and Single Sign-On have a close relationship with each other. These are vital for zero-compromise data security. Hope this article helps you learn about these two efficiently.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-saml-authentication-how-does-it-work-221533fd58cc?source=rss-952c3fe8c7c7------2

• https://www.govtech.com/blogs/ »

With global cyber threats and other international tensions growing, what scenarios should state and local governments consider when conducting exercises to test their people, processes and technology?
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/cybersecurity-tabletop-exercises-how-far-should-you-go

• https://www.govtech.com/blogs/ »

Cybersecurity experts from state and local government, as well as top federal agencies, gathered this week to discuss everything from critical infrastructure attacks to concerns about China. Here are some top takeaways.
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/federal-state-local-cyber-leaders-meet-to-discuss-threats

• https://www.govtech.com/blogs/ »

In this interview with white hat hacker Mishaal Khan, we learn about open source intelligence gathering and how to hack humans — or not.
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/how-to-think-like-a-hacker-and-defend-your-data

• https://www.govtech.com/blogs/ »

Many global cyber teams are analyzing cyber defense gaps now that the NIST Cybersecurity Framework 2.0 has been released. How will this guidance move the protection needle?
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/nist-releases-cybersecurity-framework-2-0-whats-next

• https://www.govtech.com/blogs/ »

Major developments regarding implanting chips in human brains have been announced in 2024. Will this procedure become widespread? Are precautions — or even regulations — needed?
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/human-brain-chip-implants-helpful-safe-ethical

• Source »

Until recently, people had little control over how companies used their online data. But, with data privacy now a human... The post How to Delete Your Browser History appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-experts-guide-to-deleting-your-browser-history-for-good/

• Source »

All your online activity creates a trail of data. And that data tells a story. The story of you. The... The post How to Protect Your Personal Data appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/your-data-its-the-story-of-you/

• Source »

Data brokers are companies that collect your information from a variety of sources to sell or license it out to... The post How to Remove Personal Information From Data Broker Sites appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-remove-personal-information-from-data-broker-sites/

• Source »

It’s the romance scam story that plays out like a segment on a true crime show. It starts with a... The post How to Avoid Romance Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-avoid-romance-scams/

• Source »

You consider yourself a responsible person when it comes to taking care of your physical possessions. You’ve never left your wallet in... The post How to Protect Your Smartphone from SIM Swapping appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/what-is-sim-swapping/

• Source »

According to reports from the Federal Trade Commission’s Consumer Sentinel database, text message scams swindled $372 million from Americans in... The post How to Tell If Your Text Message Is Real appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-tell-if-your-text-message-is-real/

• Source »

For years now, the popularity of online dating has been on the rise—and so have the number of online romance... The post How to Spot Dating Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/online-dating-scams-and-how-to-spot-them/

• Source »

We’ve said it several times in our blogs — it’s tough knowing what’s real and what’s fake out there. And... The post How to Spot AI Audio Deepfakes at Election Time appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-spot-ai-audio-deepfakes-at-election-time/

• Source »

Is it real? Is it fake? Deepfake technology has certainly made everything far more complicated online. How do you know... The post How To Teach Your Kids About Deepfakes appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-teach-your-kids-about-deepfakes/

• Source »

Authored by Mohansundaram M and Neil Tyagi A new packed variant of the Redline Stealer trojan was observed in the... The post Redline Stealer: A Novel Approach appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/

• Source »

Imagine receiving a call from a loved one, only to discover it’s not them but a convincing replica created by... The post How to Protect Yourself Against AI Voice Cloning Attacks appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-protect-yourself-against-ai-voice-cloning-attacks/

• Source »

‘Ensure your privacy settings are set to the highest level’ – if you’ve been reading my posts for a bit... The post How Do You Manage Your Social Media Privacy? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-do-you-manage-your-social-media-privacy/

• Source »

In recent news, Roku, a leading streaming platform, reported that over 591,000 user accounts were affected by credential stuffing attacks.... The post How to Protect Your Streaming Accounts: Lessons from Roku’s Data Leak appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-protect-your-streaming-accounts/

• Source »

Some conversations on social media can get … heated. Some can cross the line into harassment. Or worse. Harassment on... The post How to Protect Yourself From Social Media Harassment appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-rising-threat-of-social-media-harassment-heres-how-to-protect-yourself/

• Source »

In a world where digital communication dominates, the art of scamming has evolved into a sophisticated game of deception. A... The post A Finance Journalist Fell Victim to a $50K Vishing Scam – Are You Also at Risk? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/a-finance-journalist-fell-victim-to-a-50k-vishing-scam-are-you-also-at-risk/

• Source »

In today’s digital landscape, distinguishing between legitimate communications and phishing attempts can feel like navigating a labyrinth blindfolded. Phishing is... The post Stay Cyber Savvy: Your 5-Step Guide to Outsmarting Phishing Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/stay-cyber-savvy-your-5-step-guide-to-outsmarting-phishing-scams/

• Source »

While last-minute tax filers stare down the clock, scammers look for easy pickings. Tax scams are in full swing as... The post The Top Tax Scams of 2024 appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-top-tax-scams-of-2024/

• Source »

It’s that time of year again – tax season! Whether you’ve already filed in the hopes of an early refund... The post How to Steer Clear of Tax Season Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-steer-clear-of-tax-season-scams/

• Source »

Four in ten Americans say they use peer-to-peer payment services, like Venmo, PayPal, or Apple Pay, at least once a... The post How to Protect Against New Types of Scams Like QR Phishing appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-protect-against-new-types-of-scams-like-qr-phishing/

• Source »

Scammers are turning a buck on the eclipse. A rash of eclipse scams have appeared online, many involving the sale... The post How to Avoid Solar Eclipse Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-avoid-solar-eclipse-scams/

• Source »

Smartphones have enabled a whole new digital world, where apps are gateways to just about any service imaginable. However, like... The post The Four Rs of Personal Mobile Security appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/the-four-rs-of-personal-mobile-security/

• Source »

Authored by Anuradha and Preksha Introduction PikaBot is a malicious backdoor that has been active since early 2023. Its modular... The post Distinctive Campaign Evolution of Pikabot Malware appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/

• Source »

With the rise of cheap and easy-to-use AI tools, deepfake attacks find themselves likewise on the rise. Startling as that... The post Are You a Victim of a Deepfake Attack? Here’s What to Do Next appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/are-you-a-victim-of-a-deepfake-attack-heres-what-to-do-next/

• Source »

As taxpayers prepare their returns for April 15th, scammers prepare too. They see tax season as high time to run... The post Watch Out For IRS Scams and Avoid Identity Theft appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/tax-season-scams-identity-theft/

• Source »

AT&T, one of the largest telecom giants, recently acknowledged a significant data leak that has affected millions of its customers.... The post AT&T Data Leak: What You Need to Know and How to Protect Yourself appeared first on McAfee Blog.
https://www.mcafee.com/blogs/security-news/att-data-leak-what-you-need-to-know-and-how-to-protect-yourself/

• Source »

Got any ‘rizz’? Did you ‘slay’ that dinner? Is the ‘cozzie livs’ stressing you out? If you do not comprehendo,... The post Teen Slang – What You Need To Know To Understand Your Teen appeared first on McAfee Blog.
https://www.mcafee.com/blogs/family-safety/teen-slang-what-you-need-to-know-to-understand-your-teen/

• Source »

People under 60 are losing it online. And by it, I mean money—thanks to digital identity theft. In its simplest form,... The post How to Protect Your Digital Identity appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/guide-protecting-your-digital-identity/

• Source »

There used to be a time when one roommate split the cost of rent with another by writing a check. Who still owns a checkbook these days? Of... The post Avoid Making Costly Mistakes with Your Mobile Payment Apps appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/avoid-making-costly-mistakes-with-your-mobile-payment-apps/

• Source »

Before you take the fun-looking quiz that popped up in your social media feed, think twice. The person holding the answers may be a hacker. Where... The post Quizzes and Other Identity Theft Schemes to Avoid on Social Media appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/quizzes-and-other-identity-theft-schemes-to-avoid-on-social-media/

• Source »

W-2 phishing scams often involve emails that appear to be from the IRS or another official source, requesting personal information. The goal is to trick the recipient into revealing confidential data, such as social security numbers and financial information, which the perpetrator can then use for fraudulent purposes. The post How to Protect Your Financial Data During Tax Season appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/tax-season-scams/

• Source »

Using a VPN on your smartphone can boost your privacy in a big way, particularly with all the data tracking... The post Why You Need a VPN on Your Smartphone appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/privacy-please-why-a-vpn-on-your-smartphone-may-be-a-smart-move-for-you/

• Source »

What’s the difference between identity fraud and identity theft? Well, it’s subtle, so much so that it’s easy to use... The post How To Tell The Difference Between Identity Fraud and Identity Theft? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/whats-the-difference-between-identity-fraud-and-identity-theft/

• Source »

When it comes to identity theft, trust your gut when something doesn’t feel right. Follow up. What you’re seeing could be a problem. A missing bill or a mysterious charge on... The post How to Detect Signs of Identity Theft appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/top-signs-of-identity-theft/

• Source »

Can thieves steal identities with only a name and address? In short, the answer is “no.” Which is a good... The post Can Thieves Steal Identities With Only a Name and Address? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/can-thieves-steal-identities-with-only-a-name-and-address/

• Source »

How to Spot, and Prevent, the Tax Scams That Target Elders Elder scams cost seniors in the U.S. some $3... The post How to Spot, and Prevent, the Tax Scams That Target Elders appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/how-to-spot-and-prevent-the-tax-scams-that-target-elders/

• Source »

Authored by ZePeng Chen and Wenfeng Yu McAfee Mobile Research Team has observed an active scam malware campaign targeting Android... The post Android Phishing Scam Using Malware-as-a-Service on the Rise in India appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-phishing-scam-using-malware-as-a-service-on-the-rise-in-india/

• Source »

There’s little rest for your hard-working smartphone. If you’re like many professionals today, you use it for work, play, and a mix of personal... The post 7 Tips to Protect Your Smartphone from Getting Hacked appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/7-tips-to-protect-your-smartphone-from-getting-hacked/

• Source »

Doxing can be harmful to one’s reputation and can cost someone their job, their friends, or their privacy. Here are five things you should know about doxing, plus some tips on how to prevent it from happening to you. The post 5 Things About Doxing You Should Know appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/5-things-about-doxing-you-should-know/

• Source »

Hackers used one of the oldest tricks in the book to turn a buck. All at the expense of several... The post 15,000+ Roku Accounts Compromised — Take These Steps to Protect Yourself appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/15000-roku-accounts-compromised-take-these-steps-to-protect-yourself/

• Source »

According to reports from the Federal Trade Commission’s Consumer Sentinel database, text message scams swindled $330 million from Americans in... The post Scam or Not? How to Tell Whether Your Text Message Is Real appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/scam-or-not-how-to-tell-whether-your-text-message-is-real/

• Source »

Who else loves tax season besides accountants? Scammers. It’s high time of year for online risks here in the U.S.... The post How to Stay Safe When Paying Your Taxes to the IRS appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/tax-time-is-prime-time-for-scammers-how-to-stay-safe-when-paying-your-taxes-to-the-irs/

• Source »

“Jessica” cost him one million dollars. In an account to Forbes, one man described how he met “Jessica” online.i Readily,... The post What are Pig Butchering Scams and How Do They Work? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/what-are-pig-butchering-scams-and-how-do-they-work/

• Source »

International Women’s Day 2024’s theme, #InspireInclusion, reminds us that genuine change requires going beyond individual actions. It’s about fostering an... The post How we’re #InspiringInclusion at McAfee for International Women’s Day 2024 appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/how-were-inspiringinclusion-at-mcafee-for-international-womens-day-2024/

• Source »

There are more online users now than ever before, thanks to the availability of network-capable devices and online services. The internet... The post The What, Why, and How of AI and Threat Detection appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-what-why-and-how-of-ai-and-threat-detection/

• Source »

Did you just get word that your personal information may have been caught up in a data breach? If so,... The post How to Protect Yourself From Identity Theft After a Data Breach appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/how-to-protect-yourself-from-identity-theft-after-a-data-breach/

• Source »

Venmo, quick and convenient. A great way to pay back a friend or split the cost of a meal. Yet... The post How to Identify and Protect Yourself From Venmo Scams and Other Cash App Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-identify-and-protect-yourself-from-venmo-scams-and-other-cash-app-scams/

• Source »

Chocolate chip, oatmeal raisin, snickerdoodle: Cybercriminals have a sweet tooth just like you. But their favorite type of cookie is... The post How to Keep Cybercriminals Out of Your Accounts appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/cookie-theft-how-to-keep-cybercriminals-out-of-your-accounts/

• Source »

Who else loves tax season besides accountants? Scammers. It’s high time of year for online risks here in the U.S.... The post How to Protect Yourself Against Tax Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/how-to-protect-yourself-against-tax-scams/

• Source »

Authored by Yashvi Shah and Preksha Saxena McAfee Labs has recently observed a significant surge in the distribution of prominent... The post Rise in Deceptive PDF: The Gateway to Malicious Payloads appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-in-deceptive-pdf-the-gateway-to-malicious-payloads/

• Source »

Over the past year and a half, workers everywhere have gotten used to working from home. They have adopted an... The post Hybrid Workplace Vulnerabilities: 4 Ways to Promote Online Safety appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/hybrid-workplace-vulnerabilities-4-ways-to-promote-online-safety/

• Source »

Authored by: Vignesh Dhatchanamoorthy In the ever-evolving landscape of cybersecurity threats, staying ahead of malicious actors requires a deep understanding... The post GUloader Unmasked: Decrypting the Threat of Malicious SVG Files appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decrypting-the-threat-of-malicious-svg-files/

• Source »

The tables have turned. Now you can use AI to spot and block scam texts before they do you harm. ... The post Get Yourself AI-powered Scam Protection That Spots and Block Scams in Real Time appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mcafee-news/get-yourself-ai-powered-scam-protection-that-spots-and-block-scams-in-real-time/

• Source »

Employee Spotlight: Meet Jovohn! From military beginnings to mobile security champion, meet Jovohn, our passionate Product Marketer and MAHC President.... The post From Military Kid to Product Marketing: My McAfee Journey appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/from-military-kid-to-product-marketing-my-mcafee-journey/

• Source »

Imagine a tool that can transform text into captivating videos, bridging the gap between imagination and reality by creating videos... The post What is Sora and What Does It Mean for Your Personal Internet Security? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/what-is-sora-and-what-does-it-mean-for-your-personal-internet-security/

• Source »

If you’re concerned about your privacy on social media, you have plenty of company. Here’s something else you have —... The post Introducing Social Privacy Manager appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/introducing-social-privacy-manager/

• Source »

This year marks the world’s biggest election year yet. An estimated four billion voters will head to the polls across... The post McAfee Joins Tech Accord to Combat Use of AI in 2024 Elections appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mcafee-news/mcafee-joins-tech-accord-to-combat-use-of-ai-in-2024-elections/

• Source »

“My phone’s been hacked!” Words you probably don’t want to hear or say. Ever. Yes, a smartphone can get hacked... The post Help! I Think My Phone’s Been Hacked appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/help-i-think-my-phones-been-hacked/

• Source »

What is a VPN (virtual private network)? And how can it make your time online more secure—and a little more... The post How a VPN Can Make You More Private and Secure appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/what-is-a-vpn-how-it-can-make-your-time-online-more-private-and-secure/

• Source »

There are plenty of phish in the sea. Millions of bogus phishing emails land in millions of inboxes each day... The post How to Spot Phishing Emails and Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/plenty-of-phish-in-the-sea-your-guide-to-spotting-phishing-emails-and-scams/

• Source »

When you open your laptop or your mobile device, what is the first thing you do? Do you head to your... The post How to Protect Your Online Privacy appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/5-ways-to-protect-your-online-privacy/

• Source »

AI has made the dating scene. In a big way. Nearly one in four Americans say they’ve spiced up their... The post Love Bytes – How AI is shaping Modern Love appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/love-bytes-how-ai-is-shaping-modern-love/

• Source »

Advice and Insights from some of McAfee’s brightest STEM leaders This International Day of Women and Girls in Science, #TeamMcAfee... The post Celebrating International Day of Women and Girls in Science appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/celebrating-international-day-of-women-and-girls-in-science/

• Source »

Two massive data breaches in France have impacted roughly half the nation’s population. The data of an estimated 33 million... The post France Gets Hit with Its Largest Data Breach Ever — What You Need to Know appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/france-gets-hit-with-its-largest-data-breach-ever-what-you-need-to-know/

• Source »

As with any major holiday or special occasion, Valentine’s Day is unfortunately not immune to scammers looking for an opportunity to exploit unsuspecting individuals. In this article, we spotlight some common Valentine’s Day scams, offer tips on how to protect yourself and navigate this romantic day with confidence and caution. The post Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account appeared first on McAfee Blog.
https://www.mcafee.com/blogs/family-safety/valentines-alert-dont-let-scammers-break-your-heart-or-your-bank-account/

• Source »

Social media is part of our social fabric. So much so that over 56% of the global population are social... The post How to Protect Your Social Media Accounts appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/how-to-protect-your-social-media-accounts/

• Source »

Authored by Dexter Shin MoqHao is a well-known Android malware family associated with the Roaming Mantis threat actor group first... The post MoqHao evolution: New variants start automatically right after installation appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-evolution-new-variants-start-automatically-right-after-installation/

• Source »

The explosive growth of Generative AI has sparked many questions and considerations not just within tech circles, but in mainstream... The post Generative AI: Cross the Stream Where it is Shallowest appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/generative-ai-cross-the-stream-where-it-is-shallowest/

• Source »

ChatGPT is, without doubt, the biggest tech story of the year. It’s created debate in schools and universities, made history... The post A Parent’s Guide to ChatGPT appeared first on McAfee Blog.
https://www.mcafee.com/blogs/family-safety/a-parents-guide-to-chatgpt/

• Source »

On Safer Internet Day, we ask an important question: how can you tell what’s real and what’s fake online? There’s... The post Safer Internet Day: Telling What’s Real from What’s Fake Online appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/safer-internet-day-telling-whats-real-from-whats-fake-online/

• Source »

While you can’t delete your personal info from the internet entirely, you can take strong steps to remove it from... The post How to Delete Yourself from the Internet appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/how-to-delete-yourself-from-the-internet/

• Source »

Some scams make a telltale sound—rinnng, rinnng! Yup, the dreaded robocall. But you can beat them at their game. Maybe it’s a call about renewing... The post How to Beat Robocallers at Their Game appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/beat-robocallers-at-their-game/

• Source »

Artificial intelligence (AI) is making its way from high-tech labs and Hollywood plots into the hands of the general population.... The post How to Spot Fake Art and Deepfakes appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/ai-in-the-hands-of-cybercriminals-how-to-spot-fake-art-and-deepfakes/

• Source »

It’s that time of year again: election season! You already know what to expect when you flip on the TV.... The post This Election Season, Be on the Lookout for AI-generated Fake News appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/this-election-season-be-on-the-lookout-for-ai-generated-fake-news/

• Source »

As voters in the recent New Hampshire primary have found, a fake robocall of President Joe Biden has been making... The post Was the Fake Joe Biden Robocall Created with AI? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/was-the-fake-joe-biden-robocall-created-with-ai/

• Source »

Imagine a “Privacy Facts” label on the apps, devices, and websites you use. Like a digital version of the “Nutrition... The post Protect What Matters on Data Privacy Day appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/protect-what-matters-on-data-privacy-day/

• Source »

Security researchers have discovered a massive data breach containing more than 26 billion records — a hacker’s trove of records... The post 26 Billion Records Released in “The mother of all breaches” appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/26-billion-records-released-the-mother-of-all-breaches/

• Source »

Authored by Preksha Saxena and Yashvi Shah McAfee Labs has been tracking a sophisticated VBS campaign characterized by obfuscated Visual... The post From Email to RAT: Deciphering a VB Script-Driven Campaign appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vb-script-driven-campaign/

• Source »

Today, we celebrate the life and legacy of Dr. Martin Luther King Jr. Dr. King diligently dedicated his life to... The post Honoring Martin Luther King Jr.’s Legacy with McAfee’s African Heritage Community appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/honoring-martin-luther-king-jr-s-legacy-with-mcafees-african-heritage-community-2/

• Source »

Taylor Swift wants plenty of good things for her fans — but a free Dutch oven isn’t one of them. ... The post No, Taylor Swift Won’t Send You a Free Dutch Oven — The New AI Cloning Scam appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/no-taylor-swift-wont-send-you-a-free-dutch-oven-the-new-ai-cloning-scam/

• Source »

New year, new tech. That’s what hits the floor at the CES show each January in Las Vegas. Whether it’s... The post New Year, New Tech at CES — The Latest Protection for the Latest Tech appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/new-year-new-tech-at-ces-the-latest-protection-for-the-latest-tech/

• Source »

We’ve seen how AI can create — and how it can transform our lives. What gets talked about less is... The post How to Stay Safe in the Age of AI appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/staying-safe-in-the-age-of-ai/

• Source »

AI and major elections, deepfakes and the Olympics — they all feature prominently in our cybersecurity predictions for 2024. That’s... The post 6 Cybersecurity Predictions for 2024 – Staying Ahead of the Latest Hacks and Attacks appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/6-cybersecurity-predictions-for-2024-staying-ahead-of-the-latest-hacks-and-attacks/

• Source »

Authored by Fernando Ruiz McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows... The post Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-android-xamalicious-actively-infecting-devices/

• Source »

Imagine paying $16,000 to park your car in a lot for a couple of hours. That’s what happened to one... The post How to Protect Yourself from QR Code Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/click-protect-yourself-from-qr-code-scams/

• Source »

Crooks love a good gift card scam. It’s like stealing cash right out of your pocket. That includes Amazon and... The post Gift Card Scams — The Gift That Keeps on Taking appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/gift-card-scams-the-gift-that-keeps-on-taking/

• Source »

Authored by Neil Tyagi and Fernando Ruiz In a digitally evolving world, the convenience of banking through mobile applications has... The post Shielding Against Android Phishing in Indian Banking appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shielding-against-android-phishing-in-indian-banking/

• Source »

‘So, what is the ultimate goal of all of our parenting?’ When I asked this question to a group of... The post How to Raise Responsible Digital Citizens appeared first on McAfee Blog.
https://www.mcafee.com/blogs/family-safety/how-to-raise-responsible-digital-citizens/

• Source »

Inquisitive, curious and fiercely independent. These are the three words that come to mind when I remember my boys as... The post How to Protect Your Kids From Inappropriate Online Content appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/five-ways-to-protect-your-kids-from-inappropriate-online-content/

• Source »

A disturbing story out of western Spain spotlights challenges of technological evolution. Unwitting children and teenagers were victims of users... The post Deepfake Defense: Your 8-Step Shield Against Digital Deceit appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/deepfake-defense-your-8-step-shield-against-digital-deceit/

• Source »

Depending on the day’s most popular headlines, AI is either a panacea or the ultimate harbinger of doom. We could... The post Safer AI: Four Questions Shaping Our Digital Future appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/safer-ai-four-questions-shaping-our-digital-future/

• Source »

You guard the keys to your home closely, right? They have their own special spot in your bag or in... The post What Is Credential Phishing? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/what-is-credential-phishing/

• Source »

In October, a hacker claimed to have hijacked profile information of “millions” of users from the popular genetic testing site... The post User Data from 23andMe Leaked Online – What Users Should Do, and the Rest of Us Too appeared first on McAfee Blog.
https://www.mcafee.com/blogs/security-news/user-data-from-23andme-leaked-online-what-users-should-do-and-the-rest-of-us/

• Source »

If you had to count the number of social media platforms your teen uses, I wonder what the score would... The post Do I Really Need to be on Snapchat to be a Good Digital Parent? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/do-i-really-need-to-be-on-snapchat-to-be-a-good-digital-parent/

• Source »

With the rush of Black Friday and Cyber Monday shopping comes a rush of another kind. Millions of fake delivery... The post Is That Delivery Text Real or Fake? How to Shop and Ship Safely this Season appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/is-that-delivery-text-real-or-fake-how-to-shop-and-ship-safely-this-season/

• Source »

By Lakshya Mathur & Yashvi Shah Phishing attackers aim to deceive individuals into revealing sensitive information for financial gain, credential... The post PDF Phishing: Beyond the Bait appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/pdf-phishing-beyond-the-bait/

• Source »

In the 80’s, train stations and church groups were the key places to meet boys. And despite the fact I... The post How to Help Your Teens Stay Safe When They Start Dating Online appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-help-your-teens-stay-safe-when-they-start-dating-online/

• Source »

Yes, there is a Cyber Grinch. In fact, you’ll find evidence of an entire host of grinches online — the... The post How to Shop Safely This Holiday Season appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/look-out-for-the-cyber-grinch-how-to-shop-safely-this-holiday-season/

• Source »

NetSupport malware variants have been a persistent threat, demonstrating adaptability and evolving infection techniques. In this technical analysis, we delve... The post Beneath the Surface: How Hackers Turn NetSupport Against Users appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/beneath-the-surface-how-hackers-turn-netsupport-against-users/

• Source »

Imagine this. You’re 15, feeling unsure about yourself in the world, possibly even a little lonely. One day, a pretty... The post Sextortion – What Every Parent Needs To Know appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/sextortion-what-every-parent-needs-to-know/

• Source »

November 20 is World Children’s Day, a day that celebrates “international togetherness, awareness among children worldwide, and improving children’s welfare.”... The post How to Protect Kids From Harmful Online Content appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/six-steps-to-protect-kids-from-harmful-online-content/

• Source »

This is the final in a series of three articles covering digital wellness programs in the workplace. Here we explore... The post The Benefits of Protection – How Organizations Gain from Digital Wellness appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-benefits-of-protection-how-organizations-gain-from-digital-wellness/

• Source »

Authored by Dexter Shin Most people have smartphones these days which can be used to easily search for various topics... The post Fake Android and iOS apps steal SMS and contacts in South Korea appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-android-and-ios-apps-steal-sms-and-contacts-in-south-korea/

• Source »

Sick and tired of scam messages? So are the 54% of Americans who said they’d rather get a root canal... The post Scam Texts Are More Painful Than Getting a Root Canal appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/scam-texts-are-more-painful-than-getting-a-root-canal/

• Source »

In workplaces around the world, employees agree — they feel strongly about online protection. Our joint research with Statista puts... The post The Benefits of Protection – Why Employees Place a High Value on Digital Wellness appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-benefits-of-protection-why-employees-place-a-high-value-on-digital-wellness/

• Source »

A simple click of a link can’t cause any trouble, right? Wrong. It doesn’t matter if you quickly close out... The post What Are the Risks of Clicking on Malicious Links? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/what-are-the-risks-of-clicking-on-malicious-links/

• Source »

Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy AsyncRAT, short for “Asynchronous Remote Access Trojan,” is a sophisticated piece of malware... The post Unmasking AsyncRAT New Infection Chain appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/unmasking-asyncrat-new-infection-chain/

• Source »

This is the first in a series of three articles covering digital wellness programs in the workplace. Here we take... The post The Benefits of Protection – The Case for Digital Wellness in the Workplace appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-benefits-of-protection-the-case-for-digital-wellness-in-the-workplace/

• Source »

This time of year, the air gets chillier and a bit cheerier for everyone … including online scammers. Holiday scams... The post ’Tis the Season for Holiday Scams: 5 Common Schemes to Look Out For appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/tis-the-season-for-holiday-scams/

• Source »

AI is on your side. In fact, it’s kept you safer online for some time now. Now that scammers and... The post Advances in Our Use of AI Keep You Even Safer Online appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/advances-in-our-use-of-ai-keep-you-even-safer-online/

• Source »

Hackers love Ryan Gosling. In fact, hackers use his name as bait more than any other celebrity. With that, the... The post McAfee 2023 Hacker Celebrity Hot List – Why Hackers Love Ryan Gosling so Much appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/mcafee-2023-hacker-celebrity-hot-list/

• Source »

Reels of another kind rack up the views online. Stories about Facebook Marketplace scams. Recently, TikTok’er Michel Janse (@michel.c.janse) got... The post How to Look Out For Scams on Facebook Marketplace appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/the-top-facebook-marketplace-scams-to-look-out-for/

• Source »

Amidst the recent heartbreaking events in the Middle East, parents now face the challenge of protecting children from the overwhelming... The post Digital Strategies to Safeguard Your Child from Upsetting and Violent Content Online appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/digital-strategies-to-safeguard-your-child-from-upsetting-and-violent-content-online/

• Source »

Your pain is their gain. That’s how things go in a cryptojacking attack. Cryptomining is the utilization of computers to... The post Cryptojacking – Stop Hackers from Making Money Off You appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/cryptojacking-stop-hackers-from-making-money-off-you/

• Source »

As AI deepfakes and malware understandably grab the headlines, one thing gets easily overlooked—AI also works on your side. It... The post How to Win the Battle Against Deepfakes and Malware appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/artificial-intelligence-and-winning-the-battle-against-deepfakes-and-malware/

• Source »

Maybe you do armloads of shopping on it. Maybe you skip going to the bank because you can tackle the... The post How much do you count on the internet every day? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/cybersecurity-awareness-month/

• Source »

The unfortunate reality of our digital era is that devices are lost, misplaced, or stolen every day. A mobile device without password protection is a gold mine for anyone with malicious intent. The post How to Protect Your Mobile Device From Loss and Theft appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/unprotected-mobile-devices/

• Source »

A common misconception is that a password only needs to be memorable. Whilst this is a helpful trait, it does a disservice to the importance of having a secure series of characters. This guide will walk you through why "123456" is not an acceptable password. The post 123456 Is Not an Acceptable Password appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/password-checklist/

• Source »

Getting a text message is a lot like someone calling out your name. It’s tough to ignore. Delivery notifications, messages... The post Hold onto Your Phone, and Your Wallet – The Top Five Text Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/hold-onto-your-phone-and-your-wallet-the-top-five-text-scams/

• Source »

I have a confession to make – I so wish ChatGPT was around when my kids were younger. I realise... The post Could ChatGPT Be The Best Thing That’s Ever Happened To Your Family? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/could-chatgpt-be-the-best-thing-thats-ever-happened-to-your-family/

• Source »

Let’s be honest, talking to your kids about identity theft isn’t probably top of your list. There’s a long list... The post How to Talk To Your Kids About Identity Theft appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-talk-to-your-kids-about-identity-theft/

• Source »

Authored by Neil Tyagi On 23 August 2023, NIST disclosed a critical RCE vulnerability CVE-2023-38831. It is related to an... The post Exploring Winrar Vulnerability (CVE-2023-38831) appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/exploring-winrar-vulnerability-cve-2023-38831/

• Source »

I’m such a fan of RUOK? Day. Started in 2009, it’s an Australian non-profit suicide prevention that is all about... The post RUOK Day – How to Get Help Online When You’re Not Feeling OK appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/ruok-day-how-to-get-help-online-when-youre-not-feeling-ok/

• Source »

Authored by Yashvi Shah Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the... The post Agent Tesla’s Unique Approach: VBS and Steganography for Delivery and Intrusion appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/

• Source »

How To Manage Your Privacy When Using ChatGPT or Other Generative AI Love it or hate it, generative artificial intelligence... The post ChatGPT’s Impact on Privacy and How to Protect Yourself appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/chatgpts-impact-on-privacy-and-how-to-protect-yourself/

• Source »

As of the writing of this article, the height of the pandemic seems like a distant but still vivid dream.... The post The Future of Work: How Technology & the WFH Landscape Are Making an Impact appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-future-of-work-technology-and-the-wfh-landscape/

• Source »

Your privacy means everything. And your identity too. The launch of McAfee Privacy & Identity Guard will protect them both. ... The post McAfee’s New Privacy & Identity Guard Launches at Staples Stores appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mcafee-news/mcafees-new-privacy-identity-guard-launches-at-staples-stores/

• Source »

The humble USB drive—the workhorse of students, professionals, and everyday computer users. No wonder hackers put USB drives in their... The post USB Drives – Protecting Your Humble Workhorse from Malware and Loss appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/usb-drives-protecting-your-humble-workhorse-from-malware-and-loss/

• Source »

It’s a longstanding question: can your phone really take selfies without your knowledge? The answer is yes, but with a... The post Secret Selfies: Can Phones Take Pictures and Videos of You Without Your Knowledge? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/secret-selfies-can-phones-take-pictures-and-videos-of-you-without-your-knowledge/

• Source »

We reported earlier this year, a fresh rash of online job scams continue to rope in plenty of victims. Now,... The post Online Job Scams – TikTokers Tell Their Stories, with a Warning appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/online-job-scams-tiktokers-tell-their-stories-with-a-warning/

• Source »

Authored by Preksha Saxena McAfee labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email.... The post Peeling Back the Layers of RemcosRat Malware appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/peeling-back-the-layers-of-remcosrat-malware/

• Source »

You can almost feel it in the air. Wi-Fi is everywhere. And if you tap into public Wi-Fi, do it... The post On Public Wi-Fi, a VPN is Your Friend appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/on-public-wi-fi-a-vpn-is-your-friend/

• Source »

Artificial intelligence used to be reserved for the population’s most brilliant scientists and isolated in the world’s top laboratories. Now,... The post 10 Artificial Intelligence Buzzwords You Should Know appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/10-artificial-intelligence-buzzwords-you-should-know/

• Source »

Have you ever lost your suitcase on vacation? You arrive at baggage claim, keeping your eyes peeled for your belongings.... The post A Traveler’s Guide to International Cybersecurity appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/travelers-guide-to-international-cybersecurity/

• Source »

Authored by: Neil Tyagi Scam artists know no bounds—and that also applies to stealing your cryptocurrency. Crypto scams are like... The post Crypto Scam: SpaceX Tokens for Sale appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-scam-spacex-tokens-for-sale/

• Source »

If you’re a LinkedIn user, log in now and strengthen your security. Reports indicate that LinkedIn accounts are under attack.... The post How to Protect Your LinkedIn Account appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-safeguard-your-linkedin-account-and-strengthen-your-security/

• Source »

Instead of getting you out of a jam, tech support scams get you into one. And they can get costly.... The post Be on the Lookout for Scam Tech Support Calls appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/lookout-scam-tech-support-calls/

• Source »

Spotting fake news in your feed has always been tough. Now it just got tougher, thanks to AI. Fake news... The post How to Spot Fake News in Your Social Media Feed appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/spot-fake-news-and-misinformation-in-your-social-media-feed/

• Source »

Vanquishing aliens, building virtual amusement parks, mashing buttons in online battles royale. For some, playing video games is a way... The post 5 Online Gaming Tips to Stay Safe From Cybercriminals appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/5-online-gaming-tips-to-stay-safe-from-hackers/

• Source »

Authored by SangRyol Ryu, McAfee Threat Researcher We live in a world where advertisements are everywhere, and it’s no surprise... The post Invisible Adware: Unveiling Ad Fraud Targeting Android Users appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/invisible-adware-unveiling-ad-fraud-targeting-android-users/

• Source »

What does a hacker want with your social media account? Plenty. Hackers hijack social media accounts for several reasons. They’ll... The post How to Protect Your Social Media Passwords from Hacks and Attacks appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/protect-your-social-media-passwords-from-hacks-and-attacks/

• Source »

Farewell, summer. Hello, back-to-school season! While the chill may not be in the air yet, parents may be feeling the... The post 10 Back-to-School Tech Tips for Kids, Teens and College Students appeared first on McAfee Blog.
https://www.mcafee.com/blogs/family-safety/10-back-to-school-tech-tips-for-kids-teens-and-college-students/

• Source »

Authored by: Lakshya Mathur and Yashvi Shah As the Back-to-School season approaches, scammers are taking advantage of the opportunity to... The post The Season of Back to School Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-season-of-back-to-school-scams/

• Source »

Are we in the Wild West? Scrolling through your social media feed and breaking news sites, all the mentions of... The post The Wild West of AI: Do Any AI Laws Exist? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-wild-west-of-ai-do-any-ai-laws-exist/

• Source »

The first of August marks the celebration of World Wide Web Day – a day dedicated to the global network... The post World Wide Web Day: How to Protect Your Family Online appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/world-wide-web-day-how-to-protect-your-family-online/

• Source »

It’s not all funny limericks, bizarre portraits, and hilarious viral skits. ChatGPT, Bard, DALL-E, Craiyon, Voice.ai, and a whole host... The post AI in the Wild: Malicious Applications of Mainstream AI Tools appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/ai-in-the-wild-malicious-applications-of-mainstream-ai-tools/

• https://www.nist.gov/ »

This post is part of a series on privacy-preserving federated learning. The series is a collaboration between NIST and the UK government’s Responsible Technology Adoption Unit (RTA), previously known as the Centre for Data Ethics and Innovation. Learn more and read all the posts published to date at NIST’s Privacy Engineering Collaboration Space or RTA’s blog . Our first post in the series introduced the concept of federated learning and described how it’s different from traditional centralized learning - in federated learning, the data is distributed among participating organizations, and
https://www.nist.gov/blogs/cybersecurity-insights/data-distribution-privacy-preserving-federated-learning

• https://www.nist.gov/ »

NIST CSF 2.0 QUICK LINKS | Explore our Full Suite of Resources: CSF 2.0 Quick Start Guides CSF 2.0 Profiles CSF 2.0 Informative References Cybersecurity & Privacy Reference Tool (CPRT) CSF 2.0 Reference Tool CSF 2.0 Website ( Homepage ) Official NIST News Announcement The NIST Cybersecurity Framework (CSF) development process all started with Executive Order (EO)13636 over a decade ago, which called for building a set of approaches ( a framework ) for reducing risks to critical infrastructure. Through this EO, NIST was tasked with developing a "Cybersecurity Framework." We knew that, to do
https://www.nist.gov/blogs/cybersecurity-insights/travel-update-nist-csf-20-herealong-many-helpful-resources

• https://www.nist.gov/ »

What is National Entrepreneurship (NatlEshipWeek) Week? Celebrated February 10-17, 2024, “NatlEshipWeek is a congressionally chartered week dedicated to empowering entrepreneurship across the United States. The annual initiative was relaunched in 2017 as NatlEshipWeek to bring together a network of partners from Maui to Miami to educate, engage, and build equitable access to America's Entrepreneurship Ecosystem.” Follow along online with #NatlEshipWeek. You can learn more about the initiative here: https://www.natleshipweek.org/about . Supporting Entrepreneurship is at the Heart of NIST’s
https://www.nist.gov/blogs/cybersecurity-insights/nist-celebrates-national-entrepreneurship-week

• https://www.nist.gov/ »

With the new year under way, NIST is continuing to engage with our international partners to enhance cybersecurity. Here are some updates on our international work from the end of 2023 into the beginning of 2024: Conversations have continued with our partners throughout the world on the update to the NIST Cybersecurity Framework (CSF) 2.0 . The current Draft CSF 2.0 has been shared in a public comment period that ended in November 2023. Stay tuned for the final version to be published soon! NIST international engagement continues through our support to the Department of State and the
https://www.nist.gov/blogs/cybersecurity-insights/nists-international-cybersecurity-and-privacy-engagement-update

• https://www.nist.gov/ »

It’s been four years since the release of The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0. Since then, many organizations have found it highly valuable for building or improving their privacy programs. We’ve also been able to add a variety of resources to support its implementation. We’re proud of how much has been accomplished in just a few short years, but we’re not resting on our laurels. As another, more famous, Dylan once said, “the times they are a-changin’.” For example, the past year has seen the release of the NIST AI Risk
https://www.nist.gov/blogs/cybersecurity-insights/new-year-new-initiatives-nist-privacy-framework

• https://www.nist.gov/ »

This post is part of a series on privacy-preserving federated learning. The series is a collaboration between NIST and the UK government’s Centre for Data Ethics and Innovation. Learn more and read all the posts published to date at NIST’s Privacy Engineering Collaboration Space or the CDEI blog . Our first post in the series introduced the concept of federated learning—an approach for training AI models on distributed data by sharing model updates instead of training data. At first glance, federated learning seems to be a perfect fit for privacy since it completely avoids sharing data
https://www.nist.gov/blogs/cybersecurity-insights/privacy-attacks-federated-learning

• https://www.nist.gov/ »

Words like “metaverse” and “augmented reality” may conjure up thoughts of friends in headsets wielding virtual sabers or folks roaming the streets at night in search of PokéStops. Virtual, augmented, and mixed reality technologies (“immersive technologies”) have entered the popular conscience thanks in part to the success of games, but their applications go well beyond new experiences in entertainment. They are already being utilized to increase access to education , improve manufacturing , bolster accessibility , and train workforces in healthcare and retail. Immersive technologies have the
https://www.nist.gov/blogs/cybersecurity-insights/journey-immersive-frontier-preliminary-nist-research-cybersecurity-and

• https://www.nist.gov/ »

In August 2023 the Digital Identity Guidelines team hosted a two-day workshop to provide a public update on the status of revision 4. As part of that session, we committed to providing further information on the status of each volume going forward. In fulfillment of this commitment, we wanted to offer a quick update on where we stand. Our goal remains to have the next version of each volume out by the Spring of 2024. With our gratitude for the robust and substantive engagement we received during the comment period, at this time we would like to announce that all four volumes of Special
https://www.nist.gov/blogs/cybersecurity-insights/note-progressnists-digital-identity-guidelines

• https://www.nist.gov/ »

This post is the first in a series on privacy-preserving federated learning. The series is a collaboration between CDEI and NIST. Advances in machine learning and AI, fueled by large-scale data availability and high-performance computing, have had a significant impact across the world in the past two decades. Machine learning techniques shape what information we see online, influence critical business decisions, and aid scientific discovery, which is driving advances in healthcare, climate modelling, and more. Training Models: Conventional vs Federated Learning The standard way to train
https://www.nist.gov/blogs/cybersecurity-insights/uk-us-blog-series-privacy-preserving-federated-learning-introduction

• https://www.nist.gov/ »

5G will eventually impact every single industry—from healthcare to financial to even agriculture and transportation...and its impact is only increasing over time. Despite its benefits, it comes with privacy and security risks. An increasing number of interconnected devices increases the attack surface. In addition, there are also increased supply chain vulnerabilities and network visibility issues (companies may have issues identifying attacks since there may be a lot of new web traffic from mobile devices and/or more sophistication when it comes to attacks). The goal of the NCCoE 5G
https://www.nist.gov/blogs/cybersecurity-insights/nccoe-5g-cybersecurity-connecting-dots-between-it-and-teleco

• https://www.nist.gov/ »

Our Cybersecurity Awareness Month may have come to a close at the end of October — but the importance of enhancing cybersecurity and engaging with our international partners to enhance cybersecurity is at the forefront of our minds all year long. Here are some updates on our international work: Conversations have continued with our partners throughout the world on the update to the NIST Cybersecurity Framework (CSF) 2.0 , and NIST hosted its final workshop on September 19 and 20 with in-person and hybrid attendance featuring international participation (via both speakers and panelists). While
https://www.nist.gov/blogs/cybersecurity-insights/nists-international-cybersecurity-and-privacy-engagement-update-trade

• https://www.nist.gov/ »

During this week’s blog series, we sat down with two of our NIST experts from the Visualization and Usability Group at NIST — Shanée Dawkins and Jody Jacobs — who discussed the importance of recognizing and reporting phishing . This blog wraps up our Cybersecurity Awareness Month 2023 blog series…but we of course plan to continue to share, collaborate, learn, and spread the word all year long. 1. This week’s Cybersecurity Awareness Month theme is ‘recognize and report phishing.’ How does your work/specialty area at NIST tie into this behavior? We work in the Information Technology Lab, but our
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2023-blog-series-recognizing-and

• https://www.nist.gov/ »

It’s week three in our Cybersecurity Awareness Month blog series! This week, we interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software. This week’s Cybersecurity Awareness Month theme is ‘updating software.’ How does your work/specialty area at NIST tie into this behavior? NIST’s Applied Cybersecurity Division’s core mission is to explore, measure, and evaluate both the cybersecurity guidance NIST provides as well as industry best practices. One of our current projects involves putting the practices described
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2023-blog-series-updating-software

• https://www.nist.gov/ »

Today’s blog is the second one in our 2023 Cybersecurity Awareness Month series and examines different factors associated with using strong passwords and a password manager. We interviewed NIST’s Yee-Yin Choong and Meghan Anderson to get their unique thoughts and insights. This week’s Cybersecurity Awareness Month theme is ‘ using strong passwords and a password manager .’ How does your work/specialty area at NIST tie into this behavior? Yee-Yin: At NIST, I’ve been conducting research on human factors and the usability aspects of human-technology interactions. One research area is human
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2023-blog-series-using-strong-passwords

• https://www.nist.gov/ »

October is always an exciting time for us as we celebrate Cybersecurity Awareness Month and some of NIST’s greatest accomplishments, resources, guidance, and latest news in the cybersecurity space. This year is a big one because 2023 marks the 20 th anniversary of this important initiative —and we will celebrate in various ways every day throughout the month. What is NIST Up to in October? We’ll be using our NIST Cybersecurity Awareness Month website to share information about our events, resources, blogs, and how to stay involved. We will be using our NISTcyber X account as a vehicle to
https://www.nist.gov/blogs/cybersecurity-insights/kicking-nists-cybersecurity-awareness-month-celebration-our

• https://www.nist.gov/ »

The Human-Centered Cybersecurity program (formerly Usable Cybersecurity) is part of the Visualization and Usability Group at NIST. It was created in 2008, but we’ve known for quite some time that we needed to rename our program to better represent the broader scope of work we provide for the cybersecurity practitioner and IT professional communities. We made the decision to update the name to Human-Centered Cybersecurity to better reflect our new (but long-time practiced) mission statement, “ championing the human in cybersecurity.” With our new name, we hope to highlight that usability still
https://www.nist.gov/blogs/cybersecurity-insights/nist-unveils-newly-named-human-centered-cybersecurity-program

• https://www.nist.gov/ »

With a mention in the new National Cyber Workforce and Education Strategy and even a dedicated state law , K–12 cybersecurity education clearly has the eye of policymakers. However, despite public attention and new opportunities for high school students to pursue cybersecurity coursework, high schools often struggle to provide students with a clear understanding of what cybersecurity careers actually look like. Hands-on learning experiences, like those we’ve had at our schools and during our internship with NICE at NIST, can help bring cybersecurity education and career pathways into focus for
https://www.nist.gov/blogs/cybersecurity-insights/hands-learning-experiences-encourage-cybersecurity-career-discovery

• https://www.nist.gov/ »

Background: NIST Special Publication (SP) 800-66 Healthcare organizations face many challenges from cybersecurity threats. This can have serious impacts on the security of patient data, the quality of patient care, and even the organization’s financial status. Healthcare organizations also must comply with regulatory requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, which focuses on safeguarding the electronic protected health information (ePHI) held or maintained by HIPAA covered entities and business associates (collectively,
https://www.nist.gov/blogs/cybersecurity-insights/nists-planned-updates-implementing-hipaa-security-rule-cybersecurity

• https://www.nist.gov/ »

International engagement is an integral part of many ongoing NIST efforts, including the Journey to the Cybersecurity Framework (CSF 2.0) update , our update to the digital identity guidelines, and increasing awareness of the NIST Privacy Framework and IoT cybersecurity work. In the update to NIST CSF 2.0, NIST continues to work with the international community. At NIST’s February 2023 virtual workshop on the CSF 2.0 update, participants from Italian and New Zealand governments and Mexican industry spoke on panels. In addition, participants joined from several countries. We are continuing to
https://www.nist.gov/blogs/cybersecurity-insights/international-engagement-brussels-and-beyond

• https://www.nist.gov/ »

NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development (SSDF) practices, highlighted by the NIST IR 8259 series—such as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST SSDF (NIST SP 800-218) describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide
https://www.nist.gov/blogs/cybersecurity-insights/ssdf-and-iot-cybersecurity-guidance-building-blocks-iot-product

• https://www.nist.gov/ »

RSA Conference week is always a whirlwind. NIST was there front and center last month, and we learned a lot, shared a lot, and made a big announcement during the festivities… We were excited to announce that NIST’s DRAFT Identity and Access Management Roadmap was released for public comment on Friday, April 14 th and that the comment period will be extended to June 16 th. What is the Roadmap? The Roadmap provides a consolidated view of NIST’s planned identity efforts over the coming years and serves as a vehicle to communicate our priorities. It provides guiding principles, strategic
https://www.nist.gov/blogs/cybersecurity-insights/mapping-out-our-destination-responsible-innovation-nist-identity

• https://www.nist.gov/ »

Did you know that 99.9% of businesses in America are small businesses? [1] Small businesses are a major source of innovation for our country—but they’re often faced with limited resources and budgets. Many of them need cybersecurity solutions, guidance, and training so they can cost-effectively address and manage their cybersecurity risks. Hmmm…where can you find guidance like this all in one place? Voila! The Small Business Cybersecurity Corner ! This website was created by NIST in 2019 in response to the NIST Small Business Cybersecurity Act, which directed us to “disseminate clear and
https://www.nist.gov/blogs/cybersecurity-insights/small-business-big-priority-nist-expands-outreach-small-business

• https://www.nist.gov/ »

Who needs to know ‘What,’ ‘When,’ and ‘How’ to tell them The Challenge There are many challenges to providing and maintaining cybersecurity in today’s connected world. While product developers increasingly consider security as they design and build products, they may not always communicate critical cybersecurity information about their connected products. Information gaps present a challenge to stakeholders—especially customers—who have limited insight into the security processes, functions and features that protect connected products, components, and services. Effective communication is the
https://www.nist.gov/blogs/cybersecurity-insights/importance-transparency-fueling-trust-and-security-through

• https://www.nist.gov/ »

If you own a computer, watch the news, or spend virtually any time online these days you have probably heard the term “phishing.” Never in a positive context…and possibly because you have been a victim yourself. Phishing refers to a variety of attacks that are intended to convince you to forfeit sensitive data to an imposter. These attacks can take a number of different forms; from spear-phishing (which targets a specific individual within an organization), to whaling (which goes one step further and targets senior executives or leaders). Furthermore, phishing attacks take place over multiple
https://www.nist.gov/blogs/cybersecurity-insights/phishing-resistance-protecting-keys-your-kingdom

• https://www.nist.gov/ »

Perhaps you’ve been hearing about data analytics, which is being promoted as a way for even small businesses to analyze communications with customers, enhance customer experience, save money, and ultimately improve your brand. However, data analytics can have big privacy implications. You may think of managing privacy risk as protecting sensitive customer information, such as credit cards. As the Venn diagram to the right demonstrates, data security is certainly one aspect of privacy risk, but privacy risks can also arise by means unrelated to cybersecurity incidents. People can experience
https://www.nist.gov/blogs/cybersecurity-insights/data-analytics-small-businesses-how-manage-privacy-risks

• https://www.nist.gov/ »

NIST has continued to collaborate into the fall season with partners throughout the world on the Cybersecurity Framework 2.0 update. International engagement and alignment with international standards are important themes for the 2.0 update and will drive changes to ensure global relevance. As part of this ongoing international engagement, NIST welcomed visitors to the NCCoE and NIST headquarters to discuss various cybersecurity topics and explore areas for mutual collaboration. In the past few weeks, NIST met with visitors from Italy, Singapore, New Zealand, Germany, and Brazil at the NCCoE
https://www.nist.gov/blogs/cybersecurity-insights/international-engagement-blog-singapore-international-cyber-week

• https://www.nist.gov/ »

There is a growing movement toward increasing the use of competency and skills-based education and hiring practices in both the public and private sectors. For example, the Executive Order on Modernizing and Reforming the Assessment and Hiring of Federal Job Candidates calls upon the Federal Government to “ensure that the individuals most capable of performing the roles and responsibilities required of a specific position are those hired for that position”—resulting in “merit-based reforms that will replace degree-based hiring with skills- and competency-based hiring.” Similarly, the
https://www.nist.gov/blogs/cybersecurity-insights/why-employers-should-embrace-competency-based-learning-cybersecurity

• https://www.nist.gov/ »

This blog will officially wrap up our 2022 Cybersecurity Awareness Month blog series — today we have a special interview from Marian Merritt, deputy director, lead for industry engagement for the National Initiative for Cybersecurity Education (NICE)! Marian will be discussing the importance of recognizing and reporting phishing incidents in detail. A phishing attack is an attempt to fool an individual into sharing private information or taking an action that gives criminals access to your accounts, your computer, login credentials or even your network. This week’s Cybersecurity Awareness
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2022-recognizing-reporting-phishing

• https://www.nist.gov/ »

Hi, our names are Aubrie, Kyle, and Lindsey! We participated in internships at the National Initiative for Cybersecurity Education (NICE) Program Office this past year. This is a career pivot for Aubrie, meaning this is her introduction to cybersecurity from another career; she is earning her master’s with a concentration in cybersecurity. Kyle was an undergraduate intern majoring in Computer Engineering. He is almost finished with his education and will soon be transitioning into the workforce. Lindsey is a high school member of the program. The three of us come from different academic and
https://www.nist.gov/blogs/cybersecurity-insights/student-insights-cybersecurity-careers

• https://www.nist.gov/ »

Cybersecurity Awareness Month is flying by, and today’s blog identifies different security vulnerabilities that can be exposed if you are unable to keep up with your software updates. We interviewed NIST’s Michael Ogata, a computer scientist in the Applied Cybersecurity Division, and he walked us through different strategies to minimize your cybersecurity risks. Michael also was able to provide cyber tips to improve online safety. This week’s Cybersecurity Awareness Month theme is updating software. How does your work/specialty area at NIST tie into this behavior? Today, mobile applications
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2022-updating-software

• https://www.nist.gov/ »

The key behavior that we are highlighting this week for Cybersecurity Awareness Month is using strong passwords and a password manager. In today’s blog we interviewed NIST’s Connie LaSalle, a senior technology policy advisor, and she offers four specific ways to mitigate your cybersecurity risks online while discussing the importance of adopting strong passwords. Take a look at her responses to our questions below… This week’s Cybersecurity Awareness Month theme is using strong passwords and a password manager. How does your work/specialty area at NIST tie into this behavior? As a senior
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2022-using-strong-passwords-and-password

• https://www.nist.gov/ »

In celebration of Cybersecurity Awareness Month, NIST will be publishing a dedicated blog series throughout October; we will be sharing blogs each week that will match up to four key behaviors identified by the National Cybersecurity Alliance (NCA). Today’s interview-style blog features two NIST experts —Bill Newhouse and Ryan Galluzzo—discussing different reasons to enable multi-factor authentication (a mechanism to verify an individual’s identity by requiring them to provide more information than just a username and password). Here are the questions they both were asked, along with their
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2022-enabling-multi-factor-authentication

• https://www.nist.gov/ »

The subject of international alignment and alignment with international resources continues to be an important focus for NIST, particularly with the process for the Cybersecurity Framework (CSF) 2.0 update. This was an important area for many of our stakeholders, as described in the summary of analysis of the Request for Information (RFI) from February. NIST hosted its first virtual workshop on the journey to the CSF 2.0 update process in August. During the workshop, NIST described the importance of international alignment as well as the feedback we heard on continuing our international
https://www.nist.gov/blogs/cybersecurity-insights/nist-international-engagement-updates-csf-20-update-workshop-and-more

• https://www.nist.gov/ »

Today’s blog will jumpstart NIST’s celebration of Cybersecurity Awareness Month 2022! We have a lot in store for October and are looking forward to sharing our work, progress, events, and news with you. This year’s theme is "See Yourself In Cyber" and will cover four key behaviors: Enabling multi-factor authentication Using strong passwords and a password manager Updating software Recognizing and reporting phishing As a repeat Cybersecurity Awareness Month Champion, NIST is dedicated to promoting a safer online environment and helping others learn and understand the complex world of
https://www.nist.gov/blogs/cybersecurity-insights/final-countdown-cybersecurity-awareness-month-2022-its-easy-stay-safe

• https://www.nist.gov/ »

In providing a foundation for cybersecurity advancements over the years, NIST has taken the global context into account when determining priorities and approaches. Our participation in Standards Developing Organizations (SDOs) has expanded steadily, and we encourage international participation in the development of our own programs and resources. As we celebrate the 50 th anniversary of cybersecurity at NIST, it is more important than ever that we work with our partners around the world. NIST’s growing impact on the international stage is reflected in the many translations of our signature
https://www.nist.gov/blogs/cybersecurity-insights/nists-expanding-international-engagement-cybersecurity

• https://be4sec.com »

Dutch semiconductor manufacturer Nexperia has suffered a significant data breach, exposing sensitive information, including intellectual property. The company’s servers were compromised, prompting Nexperia to take them offline and launch a full-scale investigation. The extent of the damage remains unclear, and Nexperia hasn’t confirmed whether the attackers demanded ransom. However, the
https://be4sec.com/2024/04/26/dutch-chipmaker-nexperia-hit-by-data-breach/

• https://be4sec.com »

A concerted effort by global law enforcement agencies has successfully dismantled LabHost, a notorious online platform specializing in phishing kits. Since its inception in 2021, LabHost accrued over $1 million in profits by providing cybercriminals with the tools to impersonate trusted websites and steal sensitive user data. The coordinated operation
https://be4sec.com/2024/04/23/international-crackdown-labhost-phishing-as-a-service-platform-busted/

• https://be4sec.com »

Meta, the company formerly known as Facebook, is taking a proactive step to limit the spread of misinformation during India’s upcoming elections. Their AI arm, Meta AI, is blocking certain election-related keywords and redirecting users to the Indian Election Commission’s website. This decision comes amid growing concerns that AI could
https://be4sec.com/2024/04/22/meta-ai-restricts-election-related-responses-in-india-to-combat-misinformation/

• https://be4sec.com »

A severe vulnerability (CVE-2024-31497) has been discovered in PuTTY, a widely used SSH and Telnet client. This flaw could allow attackers to steal users’ NIST P-521 private keys, potentially granting them unauthorized access to servers protected by those keys. Vulnerability Details The vulnerability lies in PuTTY’s generation of electronic signatures
https://be4sec.com/2024/04/18/critical-putty-flaw-exposes-users-ssh-keys-cve-2024-31497/

• https://be4sec.com »

In today’s world, where information spreads at lightning speed, it’s easy to fall into the trap of misinformation. Amidst the noise, Google Fact Checking Tools aim to empower you with the ability to distinguish reliable sources from those perpetuating false claims. What are Google Fact Checking Tools? Google offers a
https://be4sec.com/2024/04/16/a-guide-to-google-fact-checking-tools/