Bruce Schneier
2024-05-03T21:05:57ZSquid-shaped purses for sale. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here.
https://www.schneier.com/blog/archives/2024/05/friday-squid-blogging-squid-purses.html
I have spoken at several TED conferences over the years. TEDxPSU 2010: “Reconceptualizing Security” TEDxCambridge 2013: “The Battle for Power on the Internet” TEDMed 2016: “Who Controls Your Medical Data?” I’m putting this here because I want all three links in one place.
https://www.schneier.com/blog/archives/2024/05/my-ted-talks.html
The Polish Embassy has posted a series of short interview segments with Marian Rejewski, the first person to crack the Enigma. Details from his biography.
https://www.schneier.com/blog/archives/2024/05/rare-interviews-with-enigma-cryptanalyst-marian-rejewski.html
The UK is the first country to ban default passwords on IoT devices. On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted. The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for. The UK may be the first country, but as far as I know, California is the first jurisdiction. It ...
https://www.schneier.com/blog/archives/2024/05/the-uk-bans-default-passwords.html
Scammers tricked a company into believing they were dealing with a BBC presenter. They faked her voice, and accepted money intended for her.
https://www.schneier.com/blog/archives/2024/05/ai-voice-scam.html
Meta has threatened to pull WhatsApp out of India if the courts try to force it to break its end-to-end encryption.
https://www.schneier.com/blog/archives/2024/04/whatsapp-in-india.html
During the Cold War, the US Navy tried to make a secret code out of whale song. The basic plan was to develop coded messages from recordings of whales, dolphins, sea lions, and seals. The submarine would broadcast the noises and a computer—the Combo Signal Recognizer (CSR)—would detect the specific patterns and decode them on the other end. In theory, this idea was relatively simple. As work progressed, the Navy found a number of complicated problems to overcome, the bulk of which centered on the authenticity of the code itself. The message structure couldn’t just substitute the moaning of a whale or a crying seal for As and Bs or even whole words. In addition, the sounds Navy technicians recorded between 1959 and 1965 all had natural background noise. With the technology available, it would have been hard to scrub that out. Repeated blasts of the same sounds with identical extra noise would stand out to even untrained sonar operators...
https://www.schneier.com/blog/archives/2024/04/whale-song-code.html
A cruise ship is searching for the colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here.
https://www.schneier.com/blog/archives/2024/04/friday-squid-blogging-searching-for-the-colossal-squid.html
Kashmir Hill has a really good article on how GM tricked its drivers into letting it spy on them—and then sold that data to insurance companies.
https://www.schneier.com/blog/archives/2024/04/long-article-on-gm-spying-on-its-cars-drivers.html
The web has become so interwoven with everyday life that it is easy to forget what an extraordinary accomplishment and treasure it is. In just a few decades, much of human knowledge has been collectively written up and made available to anyone with an internet connection. But all of this is coming to an end. The advent of AI threatens to destroy the complex online ecosystem that allows writers, artists, and other creators to reach human audiences. To understand why, you must understand publishing. Its core task is to connect writers to an audience. Publishers work as gatekeepers, filtering candidates and then amplifying the chosen ones. Hoping to be selected, writers shape their work in various ways. This article might be written very differently in an academic publication, for example, and publishing it here entailed pitching an editor, revising multiple drafts for style and focus, and so on...
https://www.schneier.com/blog/archives/2024/04/the-rise-of-large.html
Security.googleblog.com
2024-05-02T07:59:00.001-04:00Sriram Karra and Christiaan Brand, Google product managersLast year, Google launched passkey support for Google Accounts. Passkeys are a new industry standard that give users an easy, highly secure way to sign-in to apps and websites. Today, we announced that passkeys have been used to authenticate users more than 1 billion times across over 400 million Google Accounts.As more users encounter passkeys, we’re often asked questions about how they relate to security keys, how Google Workspace administrators can configure passkeys for the user accounts that they manage, and how they relate to the Advanced Protection Program (APP). This post will seek to clarify these topics.Passkeys and security keysPasskeys are an evolution of security keys, meaning users get the same security benefits, but with a much simplified experience. Passkeys can be used in the Google Account sign-in process in many of the same ways that security keys have been used in the past — in fact, you can now choose to store your passkey on your security key. This provides users with three key benefits:Stronger security. Users typically authenticate with passkeys by entering their device’s screen lock PIN, or using a biometric authentication method, like a fingerprint or a face scan. By storing the passkey on a security key, users can ensure that passkeys are only available when the security key is plugged into their device, creating a stronger security posture.Flexible portability. Today, users rely on password managers to make passkeys available across all of their devices. Security keys provide an alternate way to use your passkeys across your devices: by bringing your security keys with you.Simpler sign-in. Passkeys can act as a first- and second-factor, simultaneously. By creating a passkey on your security key, you can skip entering your password. This replaces your remotely stored password with the PIN you used to unlock your security key, which improves user security. (If you prefer to continue using your password in addition to using a passkey, you can turn off “Skip password when possible” in your Google Account security settings.)Passkeys bring strong and phishing-resistant authentication technology to a wider user base, and we’re excited to offer this new way for passkeys to meet more user needs.Google Workspace admins have additional controls and choiceGoogle Workspace accounts have a domain level “Allow users to skip passwords at sign-in by using passkeys” setting which is off by default, and overrides the corresponding user-level configuration. This retains the need for a user’s password in addition to presenting a passkey. Admins can also change that setting and allow users to sign-in with just a passkey.When the domain-level setting is off, end users will still see a “use a security key” button on their “passkeys and security keys” page, which will attempt to enroll any security key for use as a second factor only. This action will not require the user to set up a PIN for their security key during registration. This is designed to give enterprise customers who have deployed legacy security keys additional time to make the change to passkeys, with or without a password.Passkeys for Advanced Protection Program (APP) usersSince the introduction of passkeys in 2023, users enrolled in APP have been able to add any passkey to their account and use it to sign in. However users are still required to present two security keys when enrolling into the program. We will be updating the enrollment process soon to enable a user with any passkey to enroll in APP. By allowing any passkey to be used (rather than only hardware security keys) we expect to reach more high risk users who need advanced protection, while maintaining phishing-resistant authentication.
http://security.googleblog.com/2024/05/passkeys-on-your-phone-computer-and-security-keys.html
Posted by Will Harris, Chrome Security Team Chromium's sandboxed process model defends well from malicious web content, but there are limits to how well the application can protect itself from malware already on the computer. Cookies and other credentials remain a high value target for attackers, and we are trying to tackle this ongoing threat in multiple ways, including working on web standards like DBSC that will help disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value. Where it is not possible to prevent the theft of credentials and cookies by malware, the next best thing is making the attack more observable by antivirus, endpoint detection agents, or enterprise administrators with basic log analysis tools. This blog describes one set of signals for use by system administrators or endpoint detection agents that should reliably flag any access to the browser’s protected data from another application on the system. By increasing the likelihood of an attack being detected, this changes the calculus for those attackers who might have a strong desire to remain stealthy, and might cause them to rethink carrying out these types of attacks against our users. Background Chromium based browsers on Windows use the DPAPI (Data Protection API) to secure local secrets such as cookies, password etc. against theft. DPAPI protection is based on a key derived from the user's login credential and is designed to protect against unauthorized access to secrets from other users on the system, or when the system is powered off. Because the DPAPI secret is bound to the logged in user, it cannot protect against local malware attacks — malware executing as the user or at a higher privilege level can just call the same APIs as the browser to obtain the DPAPI secret. Since 2013, Chromium has been applying the CRYPTPROTECT_AUDIT flag to DPAPI calls to request that an audit log be generated when decryption occurs, as well as tagging the data as being owned by the browser. Because all of Chromium's encrypted data storage is backed by a DPAPI-secured key, any application that wishes to decrypt this data, including malware, should always reliably generate a clearly observable event log, which can be used to detect these types of attacks. There are three main steps involved in taking advantage of this log: Enable logging on the computer running Google Chrome, or any other Chromium based browser. Export the event logs to your backend system. Create detection logic to detect theft. This blog will also show how the logging works in practice by testing it against a python password stealer. Step 1: Enable logging on the system DPAPI events are logged into two places in the system. Firstly, there is the 4693 event that can be logged into the Security Log. This event can be enabled by turning on "Audit DPAPI Activity" and the steps to do this are described here, the policy itself sits deep within Security Settings -> Advanced Audit Policy Configuration -> Detailed Tracking. Here is what the 4693 event looks like: <Event xmlns&equals"http&colon&sol&solschemas&periodmicrosoft&periodcom&solwin&sol2004&sol08&solevents&solevent">&NewLine <System>&NewLine <Provider Name&equals"Microsoft-Windows-Security-Auditing" Guid&equals"&lcub&period&period&period&rcub" &sol>&NewLine <EventID>4693<&solEventID>&NewLine <Version>0<&solVersion>&NewLine <Level>0<&solLevel>&NewLine <Task>13314<&solTask>&NewLine <Opcode>0<&solOpcode>&NewLine <Keywords>0x8020000000000000<&solKeywords>&NewLine <TimeCreated SystemTime&equals"2015-08-22T06&colon25&colon14&period589407700Z" &sol>&NewLine <EventRecordID>175809<&solEventRecordID>&NewLine <Correlation &sol>&NewLine <Execution ProcessID&equals"520" ThreadID&equals"1340" &sol>&NewLine <Channel>Security<&solChannel>&NewLine <Computer>DC01&periodcontoso&periodlocal<&solComputer>&NewLine <Security &sol>&NewLine <&solSystem>&NewLine <EventData>&NewLine <Data Name&equals"SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104<&solData>&NewLine <Data Name&equals"SubjectUserName">dadmin<&solData>&NewLine <Data Name&equals"SubjectDomainName">CONTOSO<&solData>&NewLine <Data Name&equals"SubjectLogonId">0x30d7c<&solData>&NewLine <Data Name&equals"MasterKeyId">0445c766-75f0-4de7-82ad-d9d97aad59f6<&solData>&NewLine <Data Name&equals"RecoveryReason">0x5c005c<&solData>&NewLine <Data Name&equals"RecoveryServer">DC01&periodcontoso&periodlocal<&solData>&NewLine <Data Name&equals"RecoveryKeyId" &sol>&NewLine <Data Name&equals"FailureId">0x380000<&solData>&NewLine <&solEventData>&NewLine<&solEvent> The issue with the 4693 event is that while it is generated if there is DPAPI activity on the system, it unfortunately does not contain information about which process was performing the DPAPI activity, nor does it contain information about which particular secret is being accessed. This is because the Execution ProcessID field in the event will always be the process id of lsass.exe because it is this process that manages the encryption keys for the system, and there is no entry for the description of the data. It was for this reason that, in recent versions of Windows a new event type was added to help identify the process making the DPAPI call directly. This event was added to the Microsoft-Windows-Crypto-DPAPI stream which manifests in the Event Log in the Applications and Services Logs > Microsoft > Windows > Crypto-DPAPI part of the Event Viewer tree. The new event is called DPAPIDefInformationEvent and has id 16385, but unfortunately is only emitted to the Debug channel and by default this is not persisted to an Event Log, unless Debug channel logging is enabled. This can be accomplished by enabling it directly in powershell: &dollarlog &equals &grave&NewLine New-Object System&periodDiagnostics&periodEventing&periodReader&periodEventLogConfiguration &grave&NewLine Microsoft-Windows-Crypto-DPAPI&solDebug&NewLine&dollarlog&periodIsEnabled &equals &dollarTrue&NewLine&dollarlog&periodSaveChanges&lpar&rpar&NewLine Once this log is enabled then you should start to see 16385 events generated, and these will contain the real process ids of applications performing DPAPI operations. Note that 16385 events are emitted by the operating system even for data not flagged with CRYPTPROTECT_AUDIT, but to identify the data as owned by the browser, the data description is essential. 16385 events are described later. You will also want to enable Audit Process Creation in order to be able to know a current mapping of process ids to process names — more details on that later. You might want to also consider enabling logging of full command lines. Step 2: Collect the events The events you want to collect are: From Security log: 4688: "A new process was created." From Microsoft-Windows-Crypto-DPAPI/Debug log: (enabled above) 16385: "DPAPIDefInformationEvent" These should be collected from all workstations, and persisted into your enterprise logging system for analysis. Step 3: Write detection logic to detect theft. With these two events is it now possible to detect when an unauthorized application calls into DPAPI to try and decrypt browser secrets. The general approach is to generate a map of process ids to active processes using the 4688 events, then every time a 16385 event is generated, it is possible to identify the currently running process, and alert if the process does not match an authorized application such as Google Chrome. You might find your enterprise logging software can already keep track of which process ids map to which process names, so feel free to just use that existing functionality. Let's dive deeper into the events. A 4688 event looks like this - e.g. here is Chrome browser launching from explorer: <Event xmlns&equals"http&colon&sol&solschemas&periodmicrosoft&periodcom&solwin&sol2004&sol08&solevents&solevent">&NewLine <System>&NewLine <Provider Name&equals"Microsoft-Windows-Security-Auditing" Guid&equals"&lcub...&rcub" &sol>&NewLine <EventID>4688<&solEventID>&NewLine <Version>2<&solVersion>&NewLine <Level>0<&solLevel>&NewLine <Task>13312<&solTask>&NewLine <Opcode>0<&solOpcode>&NewLine <Keywords>0x8020000000000000<&solKeywords>&NewLine <TimeCreated SystemTime&equals"2024-03-28T20&colon06&colon41&period9254105Z" &sol>&NewLine <EventRecordID>78258343<&solEventRecordID>&NewLine <Correlation &sol>&NewLine <Execution ProcessID&equals"4" ThreadID&equals"54256" &sol>&NewLine <Channel>Security<&solChannel>&NewLine <Computer>WIN-GG82ULGC9GO&periodcontoso&periodlocal<&solComputer>&NewLine <Security &sol>&NewLine <&solSystem>&NewLine <EventData>&NewLine <Data Name&equals"SubjectUserSid">S-1-5-18<&solData>&NewLine <Data Name&equals"SubjectUserName">WIN-GG82ULGC9GO&dollar<&solData>&NewLine <Data Name&equals"SubjectDomainName">CONTOSO<&solData>&NewLine <Data Name&equals"SubjectLogonId">0xe8c85cc<&solData>&NewLine <Data Name&equals"NewProcessId">0x17eac<&solData>&NewLine <Data Name&equals"NewProcessName">C&colon&bsolProgram Files&bsolGoogle&bsolChrome&bsolApplication&bsolchrome&periodexe<&solData>&NewLine <Data Name&equals"TokenElevationType">&percnt&percnt1938<&solData>&NewLine <Data Name&equals"ProcessId">0x16d8<&solData>&NewLine <Data Name&equals"CommandLine">"C&colon&bsolProgram Files&bsolGoogle&bsolChrome&bsolApplication&bsolchrome&periodexe" <&solData>&NewLine <Data Name&equals"TargetUserSid">S-1-0-0<&solData>&NewLine <Data Name&equals"TargetUserName">-<&solData>&NewLine <Data Name&equals"TargetDomainName">-<&solData>&NewLine <Data Name&equals"TargetLogonId">0x0<&solData>&NewLine <Data Name&equals"ParentProcessName">C&colon&bsolWindows&bsolexplorer&periodexe<&solData>&NewLine <Data Name&equals"MandatoryLabel">S-1-16-8192<&solData>&NewLine <&solEventData>&NewLine<&solEvent>&NewLine The important part here is the NewProcessId, in hex 0x17eac which is 97964. A 16385 event looks like this: <Event xmlns&equals"http&colon&sol&solschemas&periodmicrosoft&periodcom&solwin&sol2004&sol08&solevents&solevent">&NewLine <System>&NewLine <Provider Name&equals"Microsoft-Windows-Crypto-DPAPI" Guid&equals"&lcub...&rcub" &sol>&NewLine <EventID>16385<&solEventID>&NewLine <Version>0<&solVersion>&NewLine <Level>4<&solLevel>&NewLine <Task>64<&solTask>&NewLine <Opcode>0<&solOpcode>&NewLine <Keywords>0x2000000000000040<&solKeywords>&NewLine <TimeCreated SystemTime&equals"2024-03-28T20&colon06&colon42&period1772585Z" &sol>&NewLine <EventRecordID>826993<&solEventRecordID>&NewLine <Correlation ActivityID&equals"&lcub777bf68d-7757-0028-b5f6-7b775777da01&rcub" &sol>&NewLine <Execution ProcessID&equals"1392" ThreadID&equals"57108" &sol>&NewLine <Channel>Microsoft-Windows-Crypto-DPAPI&solDebug<&solChannel>&NewLine <Computer>WIN-GG82ULGC9GO&periodcontoso&periodlocal<&solComputer>&NewLine <Security UserID&equals"S-1-5-18" &sol>&NewLine <&solSystem>&NewLine <EventData>&NewLine <Data Name&equals"OperationType">SPCryptUnprotect<&solData>&NewLine <Data Name&equals"DataDescription">Google Chrome<&solData>&NewLine <Data Name&equals"MasterKeyGUID">&lcub4df0861b-07ea-49f4-9a09-1d66fd1131c3&rcub<&solData>&NewLine <Data Name&equals"Flags">0<&solData>&NewLine <Data Name&equals"ProtectionFlags">16<&solData>&NewLine <Data Name&equals"ReturnValue">0<&solData>&NewLine <Data Name&equals"CallerProcessStartKey">32651097299526713<&solData>&NewLine <Data Name&equals"CallerProcessID">97964<&solData>&NewLine <Data Name&equals"CallerProcessCreationTime">133561300019253302<&solData>&NewLine <Data Name&equals"PlainTextDataSize">32<&solData>&NewLine <&solEventData>&NewLine<&solEvent>&NewLine The important parts here are the OperationType, the DataDescription and the CallerProcessID. For DPAPI decrypts, the OperationType will be SPCryptUnprotect. Each Chromium based browser will tag its data with the product name, e.g. Google Chrome, or Microsoft Edge depending on the owner of the data. This will always appear in the DataDescription field, so it is possible to distinguish browser data from other DPAPI secured data. Finally, the CallerProcessID will map to the process performing the decryption. In this case, it is 97964 which matches the process ID seen in the 4688 event above, showing that this was likely Google Chrome decrypting its own data! Bear in mind that since these logs only contain the path to the executable, for a full assurance that this is actually Chrome (and not malware pretending to be Chrome, or malware injecting into Chrome), additional protections such as removing administrator access, and application allowlisting could also be used to give a higher assurance of this signal. In recent versions of Chrome or Edge, you might also see logs of decryptions happening in the elevation_service.exe process, which is another legitimate part of the browser's data storage. To detect unauthorized DPAPI access, you will want to generate a running map of all processes using 4688 events, then look for 16385 events that have a CallerProcessID that does not match a valid caller – Let's try that now. Testing with a python password stealer We can test that this works with a public script to decrypt passwords taken from a public blog. It generates two events, as expected: Here is the 16385 event, showing that a process is decrypting the "Google Chrome" key. <Event xmlns&equals"http&colon&sol&solschemas&periodmicrosoft&periodcom&solwin&sol2004&sol08&solevents&solevent">&NewLine <System>&NewLine < &period&period&period >&NewLine <EventID>16385<&solEventID>&NewLine < &period&period&period >&NewLine <TimeCreated SystemTime&equals"2024-03-28T20&colon28&colon13&period7891561Z" &sol>&NewLine < &period&period&period >&NewLine <&solSystem>&NewLine <EventData>&NewLine <Data Name&equals"OperationType">SPCryptUnprotect<&solData>&NewLine <Data Name&equals"DataDescription">Google Chrome<&solData>&NewLine < &period&period&period >&NewLine <Data Name&equals"CallerProcessID">68768<&solData>&NewLine <Data Name&equals"CallerProcessCreationTime">133561312936527018<&solData>&NewLine <Data Name&equals"PlainTextDataSize">32<&solData>&NewLine <&solEventData>&NewLine<&solEvent> Since the data description being decrypted was "Google Chrome" we know this is an attempt to read Chrome secrets, but to determine the process behind 68768 (0x10ca0), we need to correlate this with a 4688 event. Here is the corresponding 4688 event from the Security Log (a process start for python3.exe) with the matching process id: <Event xmlns&equals"http&colon&sol&solschemas&periodmicrosoft&periodcom&solwin&sol2004&sol08&solevents&solevent">&NewLine <System>&NewLine < &period&period&period >&NewLine <EventID>4688<&solEventID>&NewLine < &period&period&period >&NewLine <TimeCreated SystemTime&equals"2024-03-28T20&colon28&colon13&period6527871Z" &sol>&NewLine < &period&period&period >&NewLine <&solSystem>&NewLine <EventData>&NewLine < &period&period&period >&NewLine <Data Name&equals"NewProcessId">0x10ca0<&solData>&NewLine <Data Name&equals"NewProcessName">C&colon&bsolpython3&bsolbin&bsolpython3&periodexe<&solData>&NewLine <Data Name&equals"TokenElevationType">&percnt&percnt1938<&solData>&NewLine <Data Name&equals"ProcessId">0xca58<&solData>&NewLine <Data Name&equals"CommandLine">"c&colon&bsolpython3&bsolbin&bsolpython3&periodexe" steal&lowbarpasswords&periodpy<&solData>&NewLine < &period&period&period >&NewLine <Data Name&equals"ParentProcessName">C&colon&bsolWindows&bsolSystem32&bsolcmd&periodexe<&solData>&NewLine <&solEventData>&NewLine<&solEvent> In this case, the process id matches the python3 executable running a potentially malicious script, so we know this is likely very suspicious behavior, and should trigger an alert immediately! Bear in mind process ids on Windows are not unique so you will want to make sure you use the 4688 event with the timestamp closest, but earlier than, the 16385 event. Summary This blog has described a technique for strong detection of cookie and credential theft. We hope that all defenders find this post useful. Thanks to Microsoft for adding the DPAPIDefInformationEvent log type, without which this would not be possible.
http://security.googleblog.com/2024/04/detecting-browser-data-theft-using.html
Posted by Steve Kafka and Khawaja Shams (Android Security and Privacy Team), and Mohet Saxena (Play Trust and Safety) A safe and trusted Google Play experience is our top priority. We leverage our SAFE (see below) principles to provide the framework to create that experience for both users and developers. Here's what these principles mean in practice: (S)afeguard our Users. Help them discover quality apps that they can trust. (A)dvocate for Developer Protection. Build platform safeguards to enable developers to focus on growth. (F)oster Responsible Innovation. Thoughtfully unlock value for all without compromising on user safety. (E)volve Platform Defenses. Stay ahead of emerging threats by evolving our policies, tools and technology. With those principles in mind, we’ve made recent improvements and introduced new measures to continue to keep Google Play’s users safe, even as the threat landscape continues to evolve. In 2023, we prevented 2.28 million policy-violating apps from being published on Google Play1 in part thanks to our investment in new and improved security features, policy updates, and advanced machine learning and app review processes. We have also strengthened our developer onboarding and review processes, requiring more identity information when developers first establish their Play accounts. Together with investments in our review tooling and processes, we identified bad actors and fraud rings more effectively and banned 333K bad accounts from Play for violations like confirmed malware and repeated severe policy violations. Additionally, almost 200K app submissions were rejected or remediated to ensure proper use of sensitive permissions such as background location or SMS access. To help safeguard user privacy at scale, we partnered with SDK providers to limit sensitive data access and sharing, enhancing the privacy posture for over 31 SDKs impacting 790K+ apps. We also significantly expanded the Google Play SDK Index, which now covers the SDKs used in almost 6 million apps across the Android ecosystem. This valuable resource helps developers make better SDK choices, boosts app quality and minimizes integration risks. Protecting the Android Ecosystem Building on our success with the App Defense Alliance (ADA), we partnered with Microsoft and Meta as steering committee members in the newly restructured ADA under the Joint Development Foundation, part of the Linux Foundation family. The Alliance will support industry-wide adoption of app security best practices and guidelines, as well as countermeasures against emerging security risks. Additionally, we announced new Play Store transparency labeling to highlight VPN apps that have completed an independent security review through App Defense Alliance’s Mobile App Security Assessment (MASA). When a user searches for VPN apps, they will now see a banner at the top of Google Play that educates them about the “Independent security review” badge in the Data safety section. This helps users see at-a-glance that a developer has prioritized security and privacy best practices and is committed to user safety. To better protect our customers who install apps outside of the Play Store, we made Google Play Protect’s security capabilities even more powerful with real-time scanning at the code-level to combat novel malicious apps. Our security protections and machine learning algorithms learn from each app submitted to Google for review and we look at thousands of signals and compare app behavior. This new capability has already detected over 5 million new, malicious off-Play apps, which helps protect Android users worldwide. More Stringent Developer Requirements and Guidelines Last year we updated Play policies around Generative AI apps, disruptive notifications, and expanded privacy protections. We also are raising the bar for new personal developer accounts by requiring new testing requirements before developers can make their app available on Google Play. By testing their apps, getting feedback and ensuring everything is ready before they launch, developers are able to bring more high quality content to Play users. In order to increase trust and transparency, we’ve introduced expanded developer verification requirements, including D-U-N-S numbers for organizations and a new “About the developer” section. To give users more control over their personal data, apps that enable account creation now need to provide an option to initiate account and data deletion from within the app and online. This web requirement is especially important so that a user can request account and data deletion without having to reinstall an app. To simplify the user experience, we have also incorporated this as a feature within the Data safety section of the Play Store. With each iteration of the Android operating system (including its robust set of APIs), a myriad of enhancements are introduced, aiming to elevate the user experience, bolster security protocols, and optimize the overall performance of the Android platform. To further safeguard our customers, approximately 1.5 million applications that do not target the most recent APIs are no longer available in the Play Store to new users who have updated their devices to the latest Android version. Looking Ahead Protecting users and developers on Google Play is paramount and ever-evolving. We're launching new security initiatives in 2024, including removing apps from Play that are not transparent about their privacy practices. We also recently filed a lawsuit in federal court against two fraudsters who made multiple misrepresentations to upload fraudulent investment and crypto exchange apps on Play to scam users. This lawsuit is a critical step in holding these bad actors accountable and sending a clear message that we will aggressively pursue those who seek to take advantage of our users. We're constantly working on new ways to protect your experience on Google Play and across the entire Android ecosystem, and we look forward to sharing more. Notes In accordance with the EU's Digital Services Act (DSA) reporting requirements, Google Play now calculates policy violations based on developer communications sent. ↩
http://security.googleblog.com/2024/04/how-we-fought-bad-apps-and-bad-actors-in-2023.html
Lambert Rosique and Jan Keller, Security Workflow Automation, and Diana Kramer, Alexandra Bowen and Andrew Cho, Privacy and Security Incident ResponseIntroductionAs security professionals, we're constantly looking for ways to reduce risk and improve our workflow's efficiency. We've made great strides in using AI to identify malicious content, block threats, and discover and fix vulnerabilities. We also published the Secure AI Framework (SAIF), a conceptual framework for secure AI systems to ensure we are deploying AI in a responsible manner. Today we are highlighting another way we use generative AI to help the defenders gain the advantage: Leveraging LLMs (Large Language Model) to speed-up our security and privacy incidents workflows.Incident management is a team sport. We have to summarize security and privacy incidents for different audiences including executives, leads, and partner teams. This can be a tedious and time-consuming process that heavily depends on the target group and the complexity of the incident. We estimate that writing a thorough summary can take nearly an hour and more complex communications can take multiple hours. But we hypothesized that we could use generative AI to digest information much faster, freeing up our incident responders to focus on other more critical tasks - and it proved true. Using generative AI we could write summaries 51% faster while also improving the quality of them. Our incident response approachWhen suspecting a potential data incident, for example,we follow a rigorous process to manage it. From the identification of the problem, the coordination of experts and tools, to its resolution and then closure. At Google, when an incident is reported, our Detection & Response teams work to restore normal service as quickly as possible, while meeting both regulatory and contractual compliance requirements. They do this by following the five main steps in the Google incident response program:Identification: Monitoring security events to detect and report on potential data incidents using advanced detection tools, signals, and alert mechanisms to provide early indication of potential incidents.Coordination: Triaging the reports by gathering facts and assessing the severity of the incident based on factors such as potential harm to customers, nature of the incident, type of data that might be affected, and the impact of the incident on customers. A communication plan with appropriate leads is then determined.Resolution: Gathering key facts about the incident such as root cause and impact, and integrating additional resources as needed to implement necessary fixes as part of remediation.Closure: After the remediation efforts conclude, and after a data incident is resolved, reviewing the incident and response to identify key areas for improvement.Continuous improvement: Is crucial for the development and maintenance of incident response programs. Teams work to improve the program based on lessons learned, ensuring that necessary teams, training, processes, resources, and tools are maintained.Google’s Incident Response Process diagram flowLeveraging generative AI Our detection and response processes are critical in protecting our billions of global users from the growing threat landscape, which is why we’re continuously looking for ways to improve them with the latest technologies and techniques. The growth of generative AI has brought with it incredible potential in this area, and we were eager to explore how it could help us improve parts of the incident response process. We started by leveraging LLMs to not only pioneer modern approaches to incident response, but also to ensure that our processes are efficient and effective at scale. Managing incidents can be a complex process and an additional factor is effective internal communication to leads, executives and stakeholders on the threats and status of incidents. Effective communication is critical as it properly informs executives so that they can take any necessary actions, as well as to meet regulatory requirements. Leveraging LLMs for this type of communication can save significant time for the incident commanders while improving quality at the same time.Humans vs. LLMsGiven that LLMs have summarization capabilities, we wanted to explore if they are able to generate summaries on par, or as well as humans can. We ran an experiment that took 50 human-written summaries from native and non-native English speakers, and 50 LLM-written ones with our finest (and final) prompt, and presented them to security teams without revealing the author.We learned that the LLM-written summaries covered all of the key points, they were rated 10% higher than their human-written equivalents, and cut the time necessary to draft a summary in half. Comparison of human vs LLM content completenessComparison of human vs LLM writing stylesManaging risks and protecting privacyLeveraging generative AI is not without risks. In order to mitigate the risks around potential hallucinations and errors, any LLM generated draft must be reviewed by a human. But not all risks are from the LLM - human misinterpretation of a fact or statement generated by the LLM can also happen. That is why it’s important to ensure there is human accountability, as well as to monitor quality and feedback over time. Given that our incidents can contain a mixture of confidential, sensitive, and privileged data, we had to ensure we built an infrastructure that does not store any data. Every component of this pipeline - from the user interface to the LLM to output processing - has logging turned off. And, the LLM itself does not use any input or output for re-training. Instead, we use metrics and indicators to ensure it is working properly. Input processingThe type of data we process during incidents can be messy and often unstructured: Free-form text, logs, images, links, impact stats, timelines, and code snippets. We needed to structure all of that data so the LLM “knew” which part of the information serves what purpose. For that, we first replaced long and noisy sections of codes/logs by self-closing tags (<Code Section/> and <Logs/>) both to keep the structure while saving tokens for more important facts and to reduce risk of hallucinations.During prompt engineering, we refined this approach and added additional tags such as <Title>, <Actions Taken>, <Impact>, <Mitigation History>, <Comment> so the input’s structure becomes closely mirrored to our incident communication templates. The use of self-explanatory tags allowed us to convey implicit information to the model and provide us with aliases in the prompt for the guidelines or tasks, for example by stating “Summarize the <Security Incident>”.Sample {incident} inputPrompt engineeringOnce we added structure to the input, it was time to engineer the prompt. We started simple by exploring how LLMs can view and summarize all of the current incident facts with a short task:Caption: First prompt versionLimits of this prompt:The summary was too long, especially for executives trying to understand the risk and impact of the incidentSome important facts were not covered, such as the incident’s impact and its mitigationThe writing was inconsistent and not following our best practices such as “passive voice”, “tense”, “terminology” or “format”Some irrelevant incident data was being integrated into the summary from email threadsThe model struggled to understand what the most relevant and up-to-date information wasFor version 2, we tried a more elaborate prompt that would address the problems above: We told the model to be concise and we explained what a well-written summary should be: About the main incident response steps (coordination and resolution).Second prompt versionLimits of this prompt:The summaries still did not always succinctly and accurately address the incident in the format we were expectingAt times, the model lost sight of the task or did not take all the guidelines into accountThe model still struggled to stick to the latest updatesWe noticed a tendency to draw conclusions on hypotheses with some minor hallucinationsFor the final prompt, we inserted 2 human-crafted summary examples and introduced a <Good Summary> tag to highlight high quality summaries but also to tell the model to immediately start with the summary without first repeating the task at hand (as LLMs usually do).Final promptThis produced outstanding summaries, in the structure we wanted, with all key points covered, and almost without any hallucinations.Workflow integrationIn integrating the prompt into our workflow, we wanted to ensure it was complementing the work of our teams, vs. solely writing communications. We designed the tooling in a way that the UI had a ‘Generate Summary’ button, which would pre-populate a text field with the summary that the LLM proposed. A human user can then either accept the summary and have it added to the incident, do manual changes to the summary and accept it, or discard the draft and start again. UI showing the ‘generate draft’ button and LLM proposed summary around a fake incident Quantitative winsOur newly-built tool produced well-written and accurate summaries, resulting in 51% time saved, per incident summary drafted by an LLM, versus a human.Time savings using LLM-generated summaries (sample size: 300)The only edge cases we have seen were around hallucinations when the input size was small in relation to the prompt size. In these cases, the LLM made up most of the summary and key points were incorrect. We fixed this programmatically: If the input size is smaller than 200 tokens, we won’t call the LLM for a summary and let the humans write it. Evolving to more complex use cases: Executive updatesGiven these results, we explored other ways to apply and build upon the summarization success and apply it to more complex communications. We improved upon the initial summary prompt and ran an experiment to draft executive communications on behalf of the Incident Commander (IC). The goal of this experiment was to ensure executives and stakeholders quickly understand the incident facts, as well as allow ICs to relay important information around incidents. These communications are complex because they go beyond just a summary - they include different sections (such as summary, root cause, impact, and mitigation), follow a specific structure and format, as well as adhere to writing best practices (such as neutral tone, active voice instead of passive voice, minimize acronyms).This experiment showed that generative AI can evolve beyond high level summarization and help draft complex communications. Moreover, LLM-generated drafts, reduced time ICs spent writing executive summaries by 53% of time, while delivering at least on-par content quality in terms of factual accuracy and adherence to writing best practices. What’s nextWe're constantly exploring new ways to use generative AI to protect our users more efficiently and look forward to tapping into its potential as cyber defenders. For example, we are exploring using generative AI as an enabler of ambitious memory safety projects like teaching an LLM to rewrite C++ code to memory-safe Rust, as well as more incremental improvements to everyday security workflows, such as getting generative AI to read design documents and issue security recommendations based on their content.
http://security.googleblog.com/2024/04/accelerating-incident-response-using.html
Posted by Yoshi Yamaguchi, Santiago Díaz, Maud Nalpas, Eiji Kitamura, DevRel team The Reporting API is an emerging web standard that provides a generic reporting mechanism for issues occurring on the browsers visiting your production website. The reports you receive detail issues such as security violations or soon-to-be-deprecated APIs, from users’ browsers from all over the world. Collecting reports is often as simple as specifying an endpoint URL in the HTTP header; the browser will automatically start forwarding reports covering the issues you are interested in to those endpoints. However, processing and analyzing these reports is not that simple. For example, you may receive a massive number of reports on your endpoint, and it is possible that not all of them will be helpful in identifying the underlying problem. In such circumstances, distilling and fixing issues can be quite a challenge. In this blog post, we'll share how the Google security team uses the Reporting API to detect potential issues and identify the actual problems causing them. We'll also introduce an open source solution, so you can easily replicate Google's approach to processing reports and acting on them. How does the Reporting API work? Some errors only occur in production, on users’ browsers to which you have no access. You won't see these errors locally or during development because there could be unexpected conditions real users, real networks, and real devices are in. With the Reporting API, you directly leverage the browser to monitor these errors: the browser catches these errors for you, generates an error report, and sends this report to an endpoint you've specified. How reports are generated and sent. Errors you can monitor with the Reporting API include: Security violations: Content-Security-Policy (CSP), Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP) Deprecated and soon-to-be-deprecated API calls Browser interventions Permissions policy And more For a full list of error types you can monitor, see use cases and report types. The Reporting API is activated and configured using HTTP response headers: you need to declare the endpoint(s) you want the browser to send reports to, and which error types you want to monitor. The browser then sends reports to your endpoint in POST requests whose payload is a list of reports. Example setup:# Example setup to receive CSP violations reports, Document-Policy violations reports, and Deprecation reports Reporting-Endpoints: main-endpoint="https://reports.example/main", default="https://reports.example/default"# CSP violations and Document-Policy violations will be sent to `main-endpoint`Content-Security-Policy: script-src 'self'; object-src 'none'; report-to main-endpoint;Document-Policy: document-write=?0; report-to=main-endpoint;# Deprecation reports are generated automatically and don't need an explicit endpoint; they're always sent to the `default` endpoint Note: Some policies support "report-only" mode. This means the policy sends a report, but doesn't actually enforce the restriction. This can help you gauge if the policy is working effectively. Chrome users whose browsers generate reports can see them in DevTools in the Application panel: Example of viewing reports in the Application panel of DevTools. You can generate various violations and see how they are received on a server in the reporting endpoint demo: Example violation reports The Reporting API is supported by Chrome, and partially by Safari as of March 2024. For details, see the browser support table. Google's approach Google benefits from being able to uplift security at scale. Web platform mitigations like Content Security Policy, Trusted Types, Fetch Metadata, and the Cross-Origin Opener Policy help us engineer away entire classes of vulnerabilities across hundreds of Google products and thousands of individual services, as described in this blogpost. One of the engineering challenges of deploying security policies at scale is identifying code locations that are incompatible with new restrictions and that would break if those restrictions were enforced. There is a common 4-step process to solve this problem: Roll out policies in report-only mode (CSP report-only mode example). This instructs browsers to execute client-side code as usual, but gather information on any events where the policy would be violated if it were enforced. This information is packaged in violation reports that are sent to a reporting endpoint. The violation reports must be triaged to link them to locations in code that are incompatible with the policy. For example, some code bases may be incompatible with security policies because they use a dangerous API or use patterns that mix user data and code. The identified code locations are refactored to make them compatible, for example by using safe versions of dangerous APIs or changing the way user input is mixed with code. These refactorings uplift the security posture of the code base by helping reduce the usage of dangerous coding patterns. When all code locations have been identified and refactored, the policy can be removed from report-only mode and fully enforced. Note that in a typical roll out, we iterate steps 1 through 3 to ensure that we have triaged all violation reports. With the Reporting API, we have the ability to run this cycle using a unified reporting endpoint and a single schema for several security features. This allows us to gather reports for a variety of features across different browsers, code paths, and types of users in a centralized way. Note: A violation report is generated when an entity is attempting an action that one of your policies forbids. For example, you've set CSP on one of your pages, but the page is trying to load a script that's not allowed by your CSP. Most reports generated via the Reporting API are violation reports, but not all — other types include deprecation reports and crash reports. For details, see Use cases and report types. Unfortunately, it is common for noise to creep into streams of violation reports, which can make finding incompatible code locations difficult. For example, many browser extensions, malware, antivirus software, and devtools users inject third-party code into the DOM or use forbidden APIs. If the injected code is incompatible with the policy, this can lead to violation reports that cannot be linked to our code base and are therefore not actionable. This makes triaging reports difficult and makes it hard to be confident that all code locations have been addressed before enforcing new policies. Over the years, Google has developed a number of techniques to collect, digest, and summarize violation reports into root causes. Here is a summary of the most useful techniques we believe developers can use to filter out noise in reported violations: Focus on root causes It is often the case that a piece of code that is incompatible with the policy executes several times throughout the lifetime of a browser tab. Each time this happens, a new violation report is created and queued to be sent to the reporting endpoint. This can quickly lead to a large volume of individual reports, many of which contain redundant information. Because of this, grouping violation reports into clusters enables developers to abstract away individual violations and think in terms of root causes. Root causes are simpler to understand and can speed up the process of identifying useful refactorings. Let's take a look at an example to understand how violations may be grouped. For instance, a report-only CSP that forbids the use of inline JavaScript event handlers is deployed. Violation reports are created on every instance of those handlers and have the following fields set: The blockedURL field is set to inline, which describes the type of violation. The scriptSample field is set to the first few bytes of the contents of the event handler in the field. The documentURL field is set to the URL of the current browser tab. Most of the time, these three fields uniquely identify the inline handlers in a given URL, even if the values of other fields differ. This is common when there are tokens, timestamps, or other random values across page loads. Depending on your application or framework, the values of these fields can differ in subtle ways, so being able to do fuzzy matches on reporting values can go a long way in grouping violations into actionable clusters. In some cases, we can group violations whose URL fields have known prefixes, for example all violations with URLs that start with chrome-extension, moz-extension, or safari-extension can be grouped together to set root causes in browser extensions aside from those in our codebase with a high degree of confidence. Developing your own grouping strategies helps you stay focused on root causes and can significantly reduce the number of violation reports you need to triage. In general, it should always be possible to select fields that uniquely identify interesting types of violations and use those fields to prioritize the most important root causes. Leverage ambient information Another way of distinguishing non-actionable from actionable violation reports is ambient information. This is data that is contained in requests to our reporting endpoint, but that is not included in the violation reports themselves. Ambient information can hint at sources of noise in a client's set up that can help with triage: User Agent or User Agent client hints: User agents are a great tell-tale sign of non-actionable violations. For example, crawlers, bots, and some mobile applications use custom user agents whose behavior differs from well-supported browser engines and that can trigger unique violations. In other cases, some violations may only trigger in a specific browser or be caused by changes in nightly builds or newer versions of browsers. Without user agent information, these violations would be significantly more difficult to investigate. Trusted users: Browsers will attach any available cookies to requests made to a reporting endpoint by the Reporting API, if the endpoint is same-site with the document where the violation occurs. Capturing cookies is useful for identifying the type of user that caused a violation. Often, the most actionable violations come from trusted users that are not likely to have invasive extensions or malware, like company employees or website administrators. If you are not able to capture authentication information through your reporting endpoint, consider rolling out report-only policies to trusted users first. Doing so allows you to build a baseline of actionable violations before rolling out your policies to the general public. Number of unique users: As a general principle, users of typical features or code paths should generate roughly the same violations. This allows us to flag violations seen by a small number of users as potentially suspicious, since they suggest that a user's particular setup might be at fault, rather than our application code. One way of 'counting users' is to keep note of the number of unique IP addresses that reported a violation. Approximate counting algorithms are simple to use and can help gather this information without tracking specific IP addresses. For example, the HyperLogLog algorithm requires just a few bytes to approximate the number of unique elements in a set with a high degree of confidence. Map violations to source code (advanced) Some types of violations have a source_file field or equivalent. This field represents the JavaScript file that triggered the violation and is usually accompanied by a line and column number. These three bits of data are a high-quality signal that can point directly to lines of code that need to be refactored. Nevertheless, it is often the case that source files fetched by browsers are compiled or minimized and don't map directly to your code base. In this case, we recommend you use JavaScript source maps to map line and column numbers between deployed and authored files. This allows you to translate directly from violation reports to lines of source code, yielding highly actionable report groups and root causes. Establish your own solution The Reporting API sends browser-side events, such as security violations, deprecated API calls, and browser interventions, to the specified endpoint on a per-event basis. However, as explained in the previous section, to distill the real issues out of those reports, you need a data processing system on your end. Fortunately, there are plenty of options in the industry to set up the required architecture, including open source products. The fundamental pieces of the required system are the following: API endpoint: A web server that accepts HTTP requests and handles reports in a JSON format Storage: A storage server that stores received reports and reports processed by the pipeline Data pipeline: A pipeline that filters out noise and extracts and aggregates required metadata into constellations Data visualizer: A tool that provides insights on the processed reports Solutions for each of the components listed above are made available by public cloud platforms, SaaS services, and as open source software. See the Alternative solutions section for details, and the following section outlining a sample application. Sample application: Reporting API Processor To help you understand how to receive reports from browsers and how to handle these received reports, we created a small sample application that demonstrates the following processes that are required for distilling web application security issues from reports sent by browsers: Report ingestion to the storage Noise reduction and data aggregation Processed report data visualization Although this sample is relying on Google Cloud, you can replace each of the components with your preferred technologies. An overview of the sample application is illustrated in the following diagram: Components described as green boxes are components that you need to implement by yourself. Forwarder is a simple web server that receives reports in the JSON format and converts them to the schema for Bigtable. Beam-collector is a simple Apache Beam pipeline that filters noisy reports, aggregates relevant reports into the shape of constellations, and saves them as CSV files. These two components are the key parts to make better use of reports from the Reporting API. Try it yourself Because this is a runnable sample application, you are able to deploy all components to a Google Cloud project and see how it works by yourself. The detailed prerequisites and the instructions to set up the sample system are documented in the README.md file. Alternative solutions Aside from the open source solution we shared, there are a number of tools available to assist in your usage of the Reporting API. Some of them include: Report-collecting services like report-uri and uriports. Application error monitoring platforms like Sentry, Datadog, etc. Besides pricing, consider the following points when selecting alternatives: Are you comfortable sharing any of your application's URLs with a third-party report collector? Even if the browser strips sensitive information from these URLs, sensitive information may get leaked this way. If this sounds too risky for your application, operate your own reporting endpoint. Does this collector support all report types you need? For example, not all reporting endpoint solutions support COOP/COEP violation reports. Summary In this article, we explained how web developers can collect client-side issues by using the Reporting API, and the challenges of distilling the real problems out of the collected reports. We also introduced how Google solves those challenges by filtering and processing reports, and shared an open source project that you can use to replicate a similar solution. We hope this information will motivate more developers to take advantage of the Reporting API and, in consequence, make their website more secure and sustainable. Learning resources Monitor your web application with the Reporting API | Capabilities | Chrome for Developers A Recipe for Scaling Security – Google Bug Hunters
http://security.googleblog.com/2024/04/uncovering-potential-threats-to-your.html
Posted Kaleigh Rosenblat, Chrome Enterprise Senior Staff Software Engineer, Security Lead Generative AI has emerged as a powerful and popular tool to automate content creation and simple tasks. From customized content creation to source code generation, it can increase both our productivity and creative potential. Businesses want to leverage the power of LLMs, like Gemini, but many may have security concerns and want more control around how employees make sure of these new tools. For example, companies may want to ensure that various forms of sensitive data, such as Personally Identifiable Information (PII), financial records and internal intellectual property, is not to be shared publicly on Generative AI platforms. Security leaders face the challenge of finding the right balance — enabling employees to leverage AI to boost efficiency, while also safeguarding corporate data. In this blog post, we'll explore reporting and enforcement policies that enterprise security teams can implement within Chrome Enterprise Premium for data loss prevention (DLP).1. View login events* to understand usage of Generative AI services within the organization. With Chrome Enterprise's Reporting Connector, security and IT teams can see when a user successfully signs into a specific domain, including Generative AI websites. Security Operations teams can further leverage this telemetry to detect anomalies and threats by streaming the data into Chronicle or other third-party SIEMs at no additional cost.2. Enable URL Filtering to warn users about sensitive data policies and let them decide whether or not they want to navigate to the URL, or to block users from navigating to certain groups of sites altogether.For example, with Chrome Enterprise URL Filtering, IT admins can create rules that warn developers not to submit source code to specific Generative AI apps or tools, or block them.3. Warn, block or monitor sensitive data actions within Generative AI websites with dynamic content-based rules for actions like paste, file uploads/downloads, and print. Chrome Enterprise DLP rules give IT admins granular control over browser activities, such as entering financial information in Gen AI websites. Admins can customize DLP rules to restrict the type and amount of data entered into these websites from managed browsers.For most organizations, safely leveraging Generative AI requires a certain amount of control. As enterprises work through their policies and processes involving GenAI, Chrome Enterprise Premium empowers them to strike the balance that works best. Hear directly from security leaders at Snap on their use of DLP for Gen AI in this recording here.Learn more about how Chrome Enterprise can secure businesses just like yours here.*Available at no additional cost in Chrome Enterprise Core
http://security.googleblog.com/2024/04/prevent-generative-ai-data-leaks-with.html
Posted by Dave Kleidermacher, VP Engineering, Android Security and Privacy Keeping people safe and their data secure and private is a top priority for Android. That is why we took our time when designing the new Find My Device, which uses a crowdsourced device-locating network to help you find your lost or misplaced devices and belongings quickly – even when they’re offline. We gave careful consideration to the potential user security and privacy challenges that come with device finding services. During development, it was important for us to ensure the new Find My Device was secure by default and private by design. To build a private, crowdsourced device-locating network, we first conducted user research and gathered feedback from privacy and advocacy groups. Next, we developed multi-layered protections across three main areas: data safeguards, safety-first protections, and user controls. This approach provides defense-in-depth for Find My Device users. How location crowdsourcing works on the Find My Device network The Find My Device network locates devices by harnessing the Bluetooth proximity of surrounding Android devices. Imagine you drop your keys at a cafe. The keys themselves have no location capabilities, but they may have a Bluetooth tag attached. Nearby Android devices participating in the Find My Device network report the location of the Bluetooth tag. When the owner realizes they have lost their keys and logs into the Find My Device mobile app, they will be able to see the aggregated location contributed by nearby Android devices and locate their keys. Find My Device network protections Let’s dive into key details of the multi-layered protections for the Find My Device network: Data Safeguards: We’ve implemented protections that help ensure the privacy of everyone participating in the network and the crowdsourced location data that powers it. Location data is end-to-end encrypted. When Android devices participating in the network report the location of a Bluetooth tag, the location is end-to-end encrypted using a key that is only accessible to the Bluetooth tag owner and anyone the owner has shared the tag with in the Find My Device app. Only the Bluetooth tag owner (and those they’ve chosen to share access with) can decrypt and view the tag’s location. With end-to-end encrypted location data, Google cannot decrypt, see, or otherwise use the location data. Private, crowdsourced location reports. These end-to-end encrypted locations are contributed to the Find My Device network in a manner that does not allow Google to identify the owners of the nearby Android devices that provided the location data. And when the Find My Device network shows the location and timestamp to the Bluetooth tag’s owner to help them find their belongings, no other information about the nearby Android devices that contributed the data is included. Minimizing network data. End-to-end encrypted location data is minimally buffered and frequently overwritten. In addition, if the network can help find a Bluetooth tag using the owner’s nearby devices (e.g., if their own phone detects the tag), the network will discard crowdsourced reports for the tag. Safety-first Protections: The Find My Device network protects against risks such as use of an unknown Bluetooth tag to stalk or identify another user, including: Aggregation by default. This is a first-of-its-kind safety protection that makes unwanted tracking to a private location, like your home, more difficult. By default, the Find My Device network requires multiple nearby Android devices to detect a tag before reporting its location to the tag's owner. Our research found that the Find My Device network is most valuable in public settings like cafes and airports, where there are likely many devices nearby. By implementing aggregation before showing a tag’s location to its owner, the network can take advantage of its biggest strength – over a billion Android devices that can participate. This helps tag owners find their lost devices in these busier locations while prioritizing safety from unwanted tracking near private locations. In less busy areas, last known location and Nest finding are reliable ways to locate items. At home protection. If a user has chosen to save their home address in their Google Account, their Android device will also ensure that it does not contribute crowdsourced location reports to the Find My Device network when it is near the user’s home. This provides additional protection on top of aggregation by default against unwanted tracking near private locations. Rate limiting and throttling. The Find My Device network limits the number of times that a nearby Android device can contribute a location report for a particular Bluetooth tag. The network also throttles how frequently the owner of a Bluetooth tag can request an updated location for the tag. We've found that lost items are typically left behind in stationary spots. For example, you lose your keys at the cafe, and they stay at the table where you had your morning coffee. Meanwhile, a malicious user is often trying to engage in real-time tracking of a person. By applying rate limiting and throttling to reduce how often the location of a device is updated, the network continues to be helpful for finding items, like your lost checked baggage on a trip, while helping mitigate the risk of real-time tracking. Unknown tracker alerts. The Find My Device network is also compliant with the integration version of the joint industry standard for unwanted tracking. Being compliant with the integration version of the standard means that both Android and iOS users will receive unknown tracker alerts if the on-device algorithm detects that someone may be using a Find My Device network-compatible tag to track them without their knowledge, proactively alerting the user through a notification on their phone. User Controls: Android users always have full control over which of their devices participate in the Find My Device network and how those devices participate. Users can either stick with the default and contribute to aggregated location reporting, opt into contributing non-aggregated locations, or turn the network off altogether. Find My Device also provides the ability to secure or erase data from a lost device. In addition to careful security architectural design, the new Find My Device network has undergone internal Android red team testing. The Find My Device network has also been added to the Android security vulnerability rewards program to take advantage of Android’s global ecosystem of security researchers. We’re also engaging with select researchers through our private grant program to encourage more targeted research. Prioritizing user safety on Find My Device Together, these multi-layered user protections help mitigate potential risks to user privacy and safety while allowing users to effectively locate and recover lost devices. As bad actors continue to look for new ways to exploit users, our work to help keep users safe on Android is never over. We have an unwavering commitment to continue to improve user protections on Find My Device and prioritize user safety. For more information about Find My Device on Android, please visit our help center. You can read the Find My Device Network Accessory specification here.
http://security.googleblog.com/2024/04/find-my-device-network-security-privacy-protections.html
Tianhao Chi and Puneet Sood, Google Public DNSThe Domain Name System (DNS) is a fundamental protocol used on the Internet to translate human-readable domain names (e.g., www.example.com) into numeric IP addresses (e.g., 192.0.2.1) so that devices and servers can find and communicate with each other. When a user enters a domain name in their browser, the DNS resolver (e.g. Google Public DNS) locates the authoritative DNS nameservers for the requested name, and queries one or more of them to obtain the IP address(es) to return to the browser.When DNS was launched in the early 1980s as a trusted, content-neutral infrastructure, security was not yet a pressing concern, however, as the Internet grew DNS became vulnerable to various attacks. In this post, we will look at DNS cache poisoning attacks and how Google Public DNS addresses the risks associated with them.DNS Cache Poisoning AttacksDNS lookups in most applications are forwarded to a caching resolver (which could be local or an open resolver like. Google Public DNS). The path from a client to the resolver is usually on a local network or can be protected using encrypted transports like DoH, DoT. The resolver queries authoritative DNS servers to obtain answers for user queries. This communication primarily occurs over UDP, an insecure connectionless protocol, in which messages can be easily spoofed including the source IP address. The content of DNS queries may be sufficiently predictable that even an off-path attacker can, with enough effort, forge responses that appear to be from the queried authoritative server. This response will be cached if it matches the necessary fields and arrives before the authentic response. This type of attack is called a cache poisoning attack, which can cause great harm once successful. According to RFC 5452, the probability of success is very high without protection. Forged DNS responses can lead to denial of service, or may even compromise application security. For an excellent introduction to cache poisoning attacks, please see “An Illustrated Guide to the Kaminsky DNS Vulnerability”.Cache poisoning mitigations in Google Public DNSImproving DNS security has been a goal of Google Public DNS since our launch in 2009. We take a multi-pronged approach to protect users against DNS cache-poisoning attacks. There is no silver bullet or countermeasure that entirely solves the problem, but in combination they make successful attacks substantially more difficult.RFC 5452 And DNS CookiesWe have implemented the basic countermeasures outlined in RFC 5452 namely randomizing query source ports and query IDs. But these measures alone are not sufficient (see page 8 of our OARC 38 presentation).We have therefore also implemented support for RFC 7873 (DNS Cookies) which can make spoofing impractical if it’s supported by the authoritative server. Measurements indicate that the DNS Cookies do not provide sufficient coverage, even though around 40% of nameservers by IP support DNS Cookies, these account for less than 10% of overall query volume. In addition, many non-compliant nameservers return incorrect or ambiguous responses for queries with DNS Cookies, which creates further deployment obstacles. For now, we’ve enabled DNS Cookies through manual configuration, primarily for selected TLD zones.Case Randomization (0x20)The query name case randomization mechanism, originally proposed in a March 2008 draft “Use of Bit 0x20 in DNS Labels to Improve Transaction Identity”, however, is highly effective, because all but a small minority of nameservers are compatible with query name case randomization. We have been performing case randomization of query names since 2009 to a small set of chosen nameservers that handle only a minority of our query volume. In 2022 we started work on enabling case randomization by default, which when used, the query name in the question section is randomized and the DNS server’s response is expected to match the case-randomized query name exactly in the request. For example, if “ExaMplE.CoM” is the name sent in the request, the name in the question section of the response must also be “ExaMplE.CoM” rather than, e.g., “example.com.” Responses that fail to preserve the case of the query name may be dropped as potential cache poisoning attacks (and retried over TCP).We are happy to announce that we’ve already enabled and deployed this feature globally by default. It covers over 90% of our UDP traffic to nameservers, significantly reducing the risk of cache poisoning attacks.Meanwhile, we maintain an exception list and implement fallback mechanisms to prevent potential issues with non-conformant nameservers. However we strongly recommend that nameserver implementations preserve the query case in the response.DNS-over-TLSIn addition to case randomization, we’ve deployed DNS-over-TLS to authoritative nameservers (ADoT), following procedures described in RFC 9539 (Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS). Real world measurements show that ADoT has a higher success rate and comparable latency to UDP. And ADoT is in use for around 6% of egress traffic. At the cost of some CPU and memory, we get both security and privacy for nameserver queries without DNS compliance issues.SummaryGoogle Public DNS takes security of our users seriously. Through multiple countermeasures to cache poisoning attacks, we aim to provide a more secure and reliable DNS resolution service, enhancing the overall Internet experience for users worldwide. With the measures described above we are able to provide protection against passive attacks for over 90% of authoritative queries. To enhance DNS security, we recommend that DNS server operators support one or more of the security mechanisms described here. We are also working with the DNS community to improve DNS security. Please see our presentations at DNS-OARC 38 and 40 for more technical details.
http://security.googleblog.com/2024/03/google-public-dnss-approach-to-fight.html
Posted by Eugene Rodionov and Ivan Lozano, Android Team With steady improvements to Android userspace and kernel security, we have noticed an increasing interest from security researchers directed towards lower level firmware. This area has traditionally received less scrutiny, but is critical to device security. We have previously discussed how we have been prioritizing firmware security, and how to apply mitigations in a firmware environment to mitigate unknown vulnerabilities. In this post we will show how the Kernel Address Sanitizer (KASan) can be used to proactively discover vulnerabilities earlier in the development lifecycle. Despite the narrow application implied by its name, KASan is applicable to a wide-range of firmware targets. Using KASan enabled builds during testing and/or fuzzing can help catch memory corruption vulnerabilities and stability issues before they land on user devices. We've already used KASan in some firmware targets to proactively find and fix 40+ memory safety bugs and vulnerabilities, including some of critical severity. Along with this blog post we are releasing a small project which demonstrates an implementation of KASan for bare-metal targets leveraging the QEMU system emulator. Readers can refer to this implementation for technical details while following the blog post. Address Sanitizer (ASan) overview Address sanitizer is a compiler-based instrumentation tool used to identify invalid memory access operations during runtime. It is capable of detecting the following classes of temporal and spatial memory safety bugs: out-of-bounds memory access use-after-free double/invalid free use-after-return ASan relies on the compiler to instrument code with dynamic checks for virtual addresses used in load/store operations. A separate runtime library defines the instrumentation hooks for the heap memory and error reporting. For most user-space targets (such as aarch64-linux-android) ASan can be enabled as simply as using the -fsanitize=address compiler option for Clang due to existing support of this target both in the toolchain and in the libclang_rt runtime. However, the situation is rather different for bare-metal code which is frequently built with the none system targets, such as arm-none-eabi. Unlike traditional user-space programs, bare-metal code running inside an embedded system often doesn’t have a common runtime implementation. As such, LLVM can’t provide a default runtime for these environments. To provide custom implementations for the necessary runtime routines, the Clang toolchain exposes an interface for address sanitization through the -fsanitize=kernel-address compiler option. The KASan runtime routines implemented in the Linux kernel serve as a great example of how to define a KASan runtime for targets which aren’t supported by default with -fsanitize=address. We'll demonstrate how to use the version of address sanitizer originally built for the kernel on other bare-metal targets. KASan 101 Let’s take a look at the KASan major building blocks from a high-level perspective (a thorough explanation of how ASan works under-the-hood is provided in this whitepaper). The main idea behind KASan is that every memory access operation, such as load/store instructions and memory copy functions (for example, memmove and memcpy), are instrumented with code which performs verification of the destination/source memory regions. KASan only allows the memory access operations which use valid memory regions. When KASan detects memory access to a memory region which is invalid (that is, the memory has been already freed or access is out-of-bounds) then it reports this violation to the system. The state of memory regions covered by KASan is maintained in a dedicated area called shadow memory. Every byte in the shadow memory corresponds to a single fixed-size memory region covered by KASan (typically 8-bytes) and encodes its state: whether the corresponding memory region has been allocated or freed and how many bytes in the memory region are accessible. Therefore, to enable KASan for a bare-metal target we would need to implement the instrumentation routines which verify validity of memory regions in memory access operations and report KASan violations to the system. In addition we would also need to implement shadow memory management to track the state of memory regions which we want to be covered with KASan. Enabling KASan for bare-metal firmware KASan shadow memory The very first step in enabling KASan for firmware is to reserve a sufficient amount of DRAM for shadow memory. This is a memory region where each byte is used by KASan to track the state of an 8-byte region. This means accommodating the shadow memory requires a dedicated memory region equal to 1/8th the size of the address space covered by KASan. KASan maps every 8-byte aligned address from the DRAM region into the shadow memory using the following formula: shadow_address = (target_address >> 3 ) + shadow_memory_base where target_address is the address of a 8-byte memory region which we want to cover with KASan and shadow_memory_base is the base address of the shadow memory area. Implement a KASan runtime Once we have the shadow memory tracking the state of every single 8-byte memory region of DRAM we need to implement the necessary runtime routines which KASan instrumentation depends on. For reference, a comprehensive list of runtime routines needed for KASan can be found in the linux/mm/kasan/kasan.h Linux kernel header. However, it might not be necessary to implement all of them and in the following text we focus on the ones which were needed to enable KASan for our target firmware as an example. Memory access check The routines __asan_loadXX_noabort, __asan_storeXX_noabort perform verification of memory access at runtime. The symbol XX denotes size of memory access and goes as a power of 2 starting from 1 up to 16. The toolchain instruments every memory load and store operations with these functions so that they are invoked before the memory access operation happens. These routines take as input a pointer to the target memory region to check it against the shadow memory. If the region state provided by shadow memory doesn’t reveal a violation, then these functions return to the caller. But if any violations (for example, the memory region is accessed after it has been deallocated or there is an out-of-bounds access) are revealed, then these functions report the KASan violation by: Generating a call-stack. Capturing context around the memory regions. Logging the error. Aborting/crashing the system (optional) Shadow memory management The routine __asan_set_shadow_YY is used to poison shadow memory for a given address. This routine is used by the toolchain instrumentation to update the state of memory regions. For example, the KASan runtime would use this function to mark memory for local variables on the stack as accessible/poisoned in the epilogue/prologue of the function respectively. This routine takes as input a target memory address and sets the corresponding byte in shadow memory to the value of YY. Here is an example of some YY values for shadow memory to encode state of 8-byte memory regions: 0x00 -- the entire 8-byte region is accessible 0x01-0x07 -- only the first bytes in the memory region are accessible 0xf1 -- not accessible: stack left red zone 0xf2 -- not accessible: stack mid red zone 0xf3 -- not accessible: stack right red zone 0xfa -- not accessible: globals red zone 0xff -- not accessible Covering global variables The routines __asan_register_globals, __asan_unregister_globals are used to poison/unpoison memory for global variables. The KASan runtime calls these functions while processing global constructors/destructors. For instance, the routine __asan_register_globals is invoked for every global variable. It takes as an argument a pointer to a data structure which describes the target global variable: the structure provides the starting address of the variable, its size not including the red zone and size of the global variable with the red zone. The red zone is extra padding the compiler inserts after the variable to increase the likelihood of detecting an out-of-bounds memory access. Red zones ensure there is extra space between adjacent global variables. It is the responsibility of __asan_register_globals routine to mark the corresponding shadow memory as accessible for the variable and as poisoned for the red zone. As the readers could infer from its name, the routine __asan_unregister_globals is invoked while processing global destructors and is intended to poison shadow memory for the target global variable. As a result, any memory access to such a global will cause a KASan violation. Memory copy functions The KASan compiler instrumentation routines __asan_loadXX_noabort, __asan_storeXX_noabort discussed above are used to verify individual memory load and store operations such as, reading or writing an array element or dereferencing a pointer. However, these routines don't cover memory access in bulk-memory copy functions such as memcpy, memmove, and memset. In many cases these functions are provided by the runtime library or implemented in assembly to optimize for performance. Therefore, in order to be able to catch invalid memory access in these functions, we would need to provide sanitized versions of memcpy, memmove, and memset functions in our KASan implementation which would verify memory buffers to be valid memory regions. Avoiding false positives for noreturn functions Another routine required by KASan is __asan_handle_no_return, to perform cleanup before a noreturn function and avoid false positives on the stack. KASan adds red zones around stack variables at the start of each function, and removes them at the end. If a function does not return normally (for example, in case of longjmp-like functions and exception handling), red zones must be removed explicitly with __asan_handle_no_return. Hook heap memory allocation routines Bare-metal code in the vast majority of cases provides its own heap implementation. It is our responsibility to implement an instrumented version of heap memory allocation and freeing routines which enable KASan to detect memory corruption bugs on the heap. Essentially, we would need to instrument the memory allocator with the code which unpoisons KASan shadow memory corresponding to the allocated memory buffer. Additionally, we may want to insert an extra poisoned red zone memory (which accessing would then generate a KASan violation) to the end of the allocated buffer to increase the likelihood of catching out-of-bounds memory reads/writes. Similarly, in the memory deallocation routine (such as free) we would need to poison the shadow memory corresponding to the free buffer so that any subsequent access (such as, use-after-free) would generate a KASan violation. We can go even further by placing the freed memory buffer into a quarantine instead of immediately returning the free memory back to the allocator. This way, the freed memory buffer is suspended in quarantine for some time and will have its KASan shadow bytes poisoned for a longer period of time, increasing the probability of catching a use-after-free access to this buffer. Enable KASan for heap, stack and global variables With all the necessary building blocks implemented we are ready to enable KASan for our bare-metal code by applying the following compiler options while building the target with the LLVM toolchain. The -fsanitize=kernel-address Clang option instructs the compiler to instrument memory load/store operations with the KASan verification routines. We use the -asan-mapping-offset LLVM option to indicate where we want our shadow memory to be located. For instance, let’s assume that we would like to cover address range 0x40000000 - 0x4fffffff and we want to keep shadow memory at address 0x4A700000. So, we would use -mllvm -asan-mapping-offset=0x42700000 as 0x40000000 >> 3 + 0x42700000 == 0x4A700000. To cover globals and stack variables with KASan we would need to pass additional options to the compiler: -mllvm -asan-stack=1 -mllvm -asan-globals=1. It’s worth mentioning that instrumenting both globals and stack variables will likely result in an increase in size of the corresponding memory which might need to be accounted for in the linker script. Finally, to prevent significant increase in size of the code section due to KASan instrumentation we instruct the compiler to always outline KASan checks using the -mllvm -asan-instrumentation-with-call-threshold=0 option. Otherwise, the compiler might inline __asan_loadXX_noabort, __asan_storeXX_noabort routines for load/store operations resulting in bloating the generated object code. LLVM has traditionally only supported sanitizers with runtimes for specific targets with predefined runtimes, however we have upstreamed LLVM sanitizer support for bare-metal targets under the assumption that the runtime can be defined for the particular target. You’ll need the latest version of Clang to benefit from this. Conclusion Following these steps we managed to enable KASan for a firmware target and use it in pre-production test builds. This led to early discovery of memory corruption issues that were easily remediated due to the actionable reports produced by KASan. These builds can be used with fuzzers to detect edge case bugs that normal testing fails to trigger, yet which can have significant security implications. Our work with KASan is just one example of the multiple techniques the Android team is exploring to further secure bare-metal firmware in the Android Platform. Ideally we want to avoid introducing memory safety vulnerabilities in the first place so we are working to address this problem through adoption of memory-safe Rust in bare-metal environments. The Android team has developed Rust training which covers bare-metal Rust extensively. We highly encourage others to explore Rust (or other memory-safe languages) as an alternative to C/C++ in their firmware. If you have any questions, please reach out – we’re here to help! Acknowledgements: Thank you to Roger Piqueras Jover for contributions to this post, and to Evgenii Stepanov for upstreaming LLVM support for bare-metal sanitizers. Special thanks also to our colleagues who contribute and support our firmware security efforts: Sami Tolvanen, Stephan Somogyi, Stephan Chen, Dominik Maier, Xuan Xing, Farzan Karimi, Pirama Arumuga Nainar, Stephen Hines.
http://security.googleblog.com/2024/03/address-sanitizer-for-bare-metal.html
Posted by Jasika Bawa, Xinghui Lu, Google Chrome Security & Jonathan Li, Alex Wozniak, Google Safe Browsing For more than 15 years, Google Safe Browsing has been protecting users from phishing, malware, unwanted software and more, by identifying and warning users about potentially abusive sites on more than 5 billion devices around the world. As attackers grow more sophisticated, we've seen the need for protections that can adapt as quickly as the threats they defend against. That’s why we're excited to announce a new version of Safe Browsing that will provide real-time, privacy-preserving URL protection for people using the Standard protection mode of Safe Browsing in Chrome. Current landscape Chrome automatically protects you by flagging potentially dangerous sites and files, hand in hand with Safe Browsing which discovers thousands of unsafe sites every day and adds them to its lists of harmful sites and files. So far, for privacy and performance reasons, Chrome has first checked sites you visit against a locally-stored list of known unsafe sites which is updated every 30 to 60 minutes – this is done using hash-based checks. Hash-based check overview But unsafe sites have adapted — today, the majority of them exist for less than 10 minutes, meaning that by the time the locally-stored list of known unsafe sites is updated, many have slipped through and had the chance to do damage if users happened to visit them during this window of opportunity. Further, Safe Browsing’s list of harmful websites continues to grow at a rapid pace. Not all devices have the resources necessary to maintain this growing list, nor are they always able to receive and apply updates to the list at the frequency necessary to benefit from full protection. Safe Browsing’s Enhanced protection mode already stays ahead of such threats with technologies such as real-time list checks and AI-based classification of malicious URLs and web pages. We built this mode as an opt-in to give users the choice of sharing more security-related data in order to get stronger security. This mode has shown that checking lists in real time brings significant value, so we decided to bring that to the default Standard protection mode through a new API – one that doesn't share the URLs of sites you visit with Google. Introducing real-time, privacy-preserving Safe Browsing How it works In order to transition to real-time protection, checks now need to be performed against a list that is maintained on the Safe Browsing server. The server-side list can include unsafe sites as soon as they are discovered, so it is able to capture sites that switch quickly. It can also grow as large as needed because the Safe Browsing server is not constrained in the same way that user devices are. Behind the scenes, here's what is happening in Chrome: When you visit a site, Chrome first checks its cache to see if the address (URL) of the site is already known to be safe (see the “Staying speedy and reliable” section for details). If the visited URL is not in the cache, it may be unsafe, so a real-time check is necessary. Chrome obfuscates the URL by following the URL hashing guidance to convert the URL into 32-byte full hashes. Chrome truncates the full hashes into 4-byte long hash prefixes. Chrome encrypts the hash prefixes and sends them to a privacy server (see the “Keeping your data private” section for details). The privacy server removes potential user identifiers and forwards the encrypted hash prefixes to the Safe Browsing server via a TLS connection that mixes requests with many other Chrome users. The Safe Browsing server decrypts the hash prefixes and matches them against the server-side database, returning full hashes of all unsafe URLs that match one of the hash prefixes sent by Chrome. After receiving the unsafe full hashes, Chrome checks them against the full hashes of the visited URL. If any match is found, Chrome will show a warning. Keeping your data private In order to preserve user privacy, we have partnered with Fastly, an edge cloud platform that provides content delivery, edge compute, security, and observability services, to operate an Oblivious HTTP (OHTTP) privacy server between Chrome and Safe Browsing – you can learn more about Fastly's commitment to user privacy on their Customer Trust page. With OHTTP, Safe Browsing does not see your IP address, and your Safe Browsing checks are mixed amongst those sent by other Chrome users. This means Safe Browsing cannot correlate the URL checks you send as you browse the web. Before hash prefixes leave your device, Chrome encrypts them using a public key from Safe Browsing. These encrypted hash prefixes are then sent to the privacy server. Since the privacy server doesn’t know the private key, it cannot decrypt the hash prefixes, which offers privacy from the privacy server itself. The privacy server then removes potential user identifiers such as your IP address and forwards the encrypted hash prefixes to the Safe Browsing server. The privacy server is operated independently by Fastly, meaning that Google doesn’t have access to potential user identifiers (including IP address and User Agent) from the original request. Once the Safe Browsing server receives the encrypted hash prefixes from the privacy server, it decrypts the hash prefixes with its private key and then continues to check the server-side list. Ultimately, Safe Browsing sees the hash prefixes of your URL but not your IP address, and the privacy server sees your IP address but not the hash prefixes. No single party has access to both your identity and the hash prefixes. As such, your browsing activity remains private. Real-time check overview Staying speedy and reliable Compared with the hash-based check, the real-time check requires sending a request to a server, which adds additional latency. We have employed a few techniques to make sure your browsing experience continues to be smooth and responsive. First, before performing the real-time check, Chrome checks against a global and local cache on your device to avoid unnecessary delay. The global cache is a list of hashes of known-safe URLs that is served by Safe Browsing. Chrome fetches it in the background. If any full hash of the URL is found in the global cache, Chrome will consider it less risky and perform a hash-based check instead. The local cache, on the other hand, is a list of full hashes that are saved from previous Safe Browsing checks. If there is a match in the local cache, and the cache has not yet expired, Chrome will not send a real-time request to the Safe Browsing server. Both caches are stored in memory, so it is much faster to check them than sending a real-time request over the network. In addition, Chrome follows a fallback mechanism in case of unsuccessful or slow requests. If the real-time request fails consecutively, Chrome will enter a back-off mode and downgrade the checks to hash-based checks for a certain period. We are also in the process of introducing an asynchronous mechanism, which will allow the site to load while the real-time check is in progress. This will improve the user experience, as the real-time check won’t block page load. What real-time, privacy-preserving URL protection means for you Chrome users With the latest release of Chrome for desktop, Android, and iOS, we’re upgrading the Standard protection mode of Safe Browsing so it will now check sites using Safe Browsing’s real-time protection protocol, without sharing your browsing history with Google. You don't need to take any action to benefit from this improved functionality. If you want more protection, we still encourage you to turn on the Enhanced protection mode of Safe Browsing. You might wonder why you need enhanced protection when you'll be getting real-time URL protection in Standard protection – this is because in Standard protection mode, the real-time feature can only protect you from sites that Safe Browsing has already confirmed to be unsafe. On the other hand, Enhanced protection mode is able to use additional information together with advanced machine learning models to protect you from sites that Safe Browsing may not yet have confirmed to be unsafe, for example because the site was only very recently created or is cloaking its true behavior to Safe Browsing’s detection systems. Enhanced protection also continues to offer protection beyond real-time URL checks, for example by providing deep scans for suspicious files and extra protection from suspicious Chrome extensions. Enterprises The real-time feature of the Standard protection mode of Safe Browsing is on by default for Chrome. If needed, it may be configured using the policy SafeBrowsingProxiedRealTimeChecksAllowed. It is also worth noting that in order for this feature to work in Chrome, enterprises may need to explicitly allow traffic to the Fastly privacy server. If the server is not reachable, Chrome will downgrade the checks to hash-based checks. Developers While Chrome is the first surface where these protections are available, we plan to make them available to eligible developers for non-commercial use cases via the Safe Browsing API. Using the API, developers and privacy server operators can partner to better protect their products’ users from fast-moving malicious actors in a privacy-preserving manner. To learn more, keep an eye out for our upcoming developer documentation to be published on the Google for Developers site.
http://security.googleblog.com/2024/03/blog-post.html
Posted by Sarah Jacobus, Vulnerability Rewards Team Last year, we again witnessed the power of community-driven security efforts as researchers from around the world contributed to help us identify and address thousands of vulnerabilities in our products and services. Working with our dedicated bug hunter community, we awarded $10 million to our 600+ researchers based in 68 countries. New Resources and Improvements Just like every year, 2023 brought a series of changes and improvements to our vulnerability reward programs: Through our new Bonus Awards program, we now periodically offer time-limited, extra rewards for reports to specific VRP targets. We expanded our exploit reward program to Chrome and Cloud through the launch of v8CTF, a CTF focused on V8, the JavaScript engine that powers Chrome. We launched Mobile VRP which focuses on first-party Android applications. Our new Bughunters blog shared ways in which we make the internet, as a whole, safer, and what that journey entails. Take a look at our ever-growing repository of posts! To further our engagement with top security researchers, we also hosted our yearly security conference ESCAL8 in Tokyo. It included live hacking events and competitions, student training with our init.g workshops, and talks from researchers and Googlers. Stay tuned for details on ESCAL8 2024. As in past years, we are sharing our 2023 Year in Review statistics across all of our programs. We would like to give a special thank you to all of our dedicated researchers for their continued work with our programs - we look forward to more collaboration in the future! Android and Google Devices In 2023, the Android VRP achieved significant milestones, reflecting our dedication to securing the Android ecosystem. We awarded over $3.4 million in rewards to researchers who uncovered remarkable vulnerabilities within Android and increased our maximum reward amount to $15,000 for critical vulnerabilities. We also saw a sharpened focus on higher severity issues as a result of our changes to incentivize report quality and increasing rewards for high and critical severity issues. Expanding our program’s scope, Wear OS has been added to the program to further incentivize research in new wearable technology to ensure users’ safety. Working closely with top researchers at the ESCAL8 conference, we also hosted a live hacking event for Wear OS and Android Automotive OS which resulted in $70,000 rewarded to researchers for finding over 20 critical vulnerabilities! We would also like to spotlight the hardwear.io security conferences. Hardwear.io gave us a platform to engage with top hardware security researchers who uncovered over 50 vulnerabilities in Nest, Fitbit, and Wearables, and received a total of $116,000 last year! The Google Play Security Reward Program continued to foster security research across popular Android apps on Google Play. A huge thank you to the researchers who made our program such a success. A special shout out to Zinuo Han (@ele7enxxh) of OPPO Amber Security Lab and Yu-Cheng Lin (林禹成) (@AndroBugs) for your hard work and continuing to be some of the top researchers contributing to Android VRPs! Chrome 2023 was a year of changes and experimentation for the Chrome VRP. In Chrome Milestone 116, MiraclePtr was launched across all Chrome platforms. This resulted in raising the difficulty of discovery of fully exploitable non-renderer UAFs in Chrome and resulted in lower reward amounts for MiraclePtr-protected UAFs, as highly mitigated security bugs. While code and issues protected by MiraclePtr are expected to be resilient to the exploitation of non-renderer UAFs, the Chrome VRP launched the MiraclePtr Bypass Reward to incentivize research toward discovering potential bypasses of this protection. The Chrome VRP also launched the Full Chain Exploit Bonus, offering triple the standard full reward amount for the first Chrome full-chain exploit reported and double the standard full reward amount for any follow-up reports. While both of these large incentives have gone unclaimed, we are leaving the door open in 2024 for any researchers looking to take on these challenges. In 2023, Chrome VRP also introduced increased rewards for V8 bugs in older channels of Chrome, with an additional bonus for bugs existing before M105. This resulted in a few very impactful reports of long-existing V8 bugs, including one report of a V8 JIT optimization bug in Chrome since at least M91, which resulted in a $30,000 reward for that researcher. All of this resulted in $2.1M in rewards to security researchers for 359 unique reports of Chrome Browser security bugs. We were also able to meet some of our top researchers from previous years who were invited to participate in bugSWAT as part of Google’s ESCAL8 event in Tokyo in October. We capped off the year by publicly announcing our 2023 Top 20 Chrome VRP reporters who received a bonus reward for their contributions. Thank you to the Chrome VRP security researcher community for your contributions and efforts to help us make Chrome more secure for everyone! Generative AI Last year, we also ran a bugSWAT live-hacking event targeting LLM products. Apart from fun, sun, and a lot to do, we also got 35 reports, totaling more than $87,000 - and discovered issues like Johann, Joseph, and Kai’s “Hacking Google Bard - From Prompt Injection to Data Exfiltration” and Roni, Justin, and Joseph’s “We Hacked Google A.I. for $50,000”. To help AI-focused bughunters know what’s in scope and what’s not, we recently published our criteria for bugs in AI products. This criteria aims to facilitate testing for traditional security vulnerabilities as well as risks specific to AI systems, and is one way that we are implementing the voluntary AI commitments that Google made at the White House in July. Looking Forward We remain committed to fostering collaboration, innovation, and transparency with the security community. Our ongoing mission is to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen the security posture of Google’s products and services. We look forward to continuing to drive greater advancements in the world of cybersecurity. A huge thank you to our bug hunter community for helping to make Google products and platforms more safe and secure for our users around the world! Thank you to Adam Bacchus, Dirk Göhmann, Eduardo Vela, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Tony Mendez.
http://security.googleblog.com/2024/03/vulnerability-reward-program-2023-year.html
Alex Rebert, Software Engineer, Christoph Kern, Principal Engineer, Security FoundationsGoogle’s Project Zero reports that memory safety vulnerabilities—security defects caused by subtle coding errors related to how a program accesses memory—have been "the standard for attacking software for the last few decades and it’s still how attackers are having success". Their analysis shows two thirds of 0-day exploits detected in the wild used memory corruption vulnerabilities. Despite substantial investments to improve memory-unsafe languages, those vulnerabilities continue to top the most commonly exploited vulnerability classes.In this post, we share our perspective on memory safety in a comprehensive whitepaper. This paper delves into the data, challenges of tackling memory unsafety, and discusses possible approaches for achieving memory safety and their tradeoffs. We'll also highlight our commitments towards implementing several of the solutions outlined in the whitepaper, most recently with a $1,000,000 grant to the Rust Foundation, thereby advancing the development of a robust memory-safe ecosystem. Why we’re publishing this now2022 marked the 50th anniversary of memory safety vulnerabilities. Since then, memory safety risks have grown more obvious. Like others', Google's internal vulnerability data and research show that memory safety bugs are widespread and one of the leading causes of vulnerabilities in memory-unsafe codebases. Those vulnerabilities endanger end users, our industry, and the broader society. We're encouraged to see governments also taking this issue seriously, as with the U.S. Office of the National Cyber Director publication of a paper on the topic last week.By sharing our insights and experiences, we hope to inspire the broader community and industry to adopt memory-safe practices and technologies, ultimately making technology safer. Our perspectiveAt Google, we have decades of experience addressing, at scale, large classes of vulnerabilities that were once similarly prevalent as memory safety issues. Our approach, which we call “Safe Coding”, treats vulnerability-prone coding constructs themselves as hazards (i.e., independently of, and in addition to, the vulnerability they might cause), and is centered around ensuring developers do not encounter such hazards during regular coding practice.Based on this experience, we expect that high assurance memory safety can only be achieved via a Secure-by-Design approach centered around comprehensive adoption of languages with rigorous memory safety guarantees. As a consequence, we are considering a gradual transition towards memory-safe languages like Java, Go, and Rust.Over the past decades, in addition to large Java and Go memory-safe codebases, Google has developed and accumulated hundreds of millions of lines of C++ code that is in active use and under active, ongoing development. This very large existing codebase results in significant challenges for a transition to memory safety: We see no realistic path for an evolution of C++ into a language with rigorous memory safety guarantees that include temporal safety. A large-scale rewrite of all existing C++ code into a different, memory-safe language appears very difficult and will likely remain impractical. We consider it important to complement a transition to memory safe languages for new code and particularly at-risk components with safety improvements for existing C++ code, to the extent practicable. We believe that substantial improvements can be achieved through an incremental transition to a partially-memory-safe C++ language subset, augmented with hardware security features when available. For instance, see our work improving spatial safety in GCP's networking stack. Our investments in memory-safe languagesWe are actively investing in many of the solutions outlined in our whitepaper and in our response to the US Federal Government’s RFI on Open Source Software Security. Android has written several components in Rust over the last few years, leading to compelling security improvements. In Android’s Ultra-wideband (UWB) module, this has improved the security of the module while also reducing the memory usage and inter-procedural calls. Chrome has started shipping some features in Rust; in one case, Chrome was able to move its QR code generator out of a sandbox by adopting a new memory-safe library written in Rust, leading to both better security and better performance. Google recently announced a $1,000,000 grant to the Rust foundation to enhance interoperability with C++ code. This will facilitate incremental adoption of Rust in existing memory-unsafe code bases, which will be key to enabling even more new development to occur in a memory-safe language. Relatedly, we are also working on addressing cross-language attacks that can occur when mixing Rust and C++ in the same binary. Google is investing in building the memory-safe open-source ecosystem through ISRG Prossimo and OpenSSF’s Alpha-Omega project. Back in 2021, we funded efforts to bring Rust to the Linux Kernel, which is now enabling us to write memory-safe drivers. This funding is also going towards providing alternatives or upgrades to key open-source libraries in a memory-safe language, such as providing a memory safe TLS implementation. We know that memory safe languages will not address every security bug, but just as our efforts to eliminate XSS attacks through tooling showed, removing large classes of exploits both directly benefits consumers of software and allows us to move our focus to addressing further classes of security vulnerabilities. To access the full whitepaper and learn more about Google's perspective on memory safety, visit https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/
http://security.googleblog.com/2024/03/secure-by-design-googles-perspective-on.html
Posted by Eugene Liderman, Director of Mobile Security Strategy, Google From its founding, Android has been guided by principles of openness, transparency, safety, and choice. Android gives you the freedom to choose which device best fits your needs, while also providing the flexibility to download apps from a variety of sources, including preloaded app stores such as the Google Play Store or the Galaxy Store; third-party app stores; and direct downloads from the Internet.Keeping users safe in an open ecosystem takes sophisticated defenses. That’s why Android provides multiple layers of protections, powered by AI and backed by a large dedicated security & privacy team, to help to protect our users from security threats while continually making the platform more resilient. We also provide our users with numerous built-in protections like Google Play Protect, the world’s most widely deployed threat detection service, which actively scans over 125 billion apps on devices every day to monitor for harmful behavior. That said, our data shows that a disproportionate amount of bad actors take advantage of select APIs and distribution channels in this open ecosystem. Elevating app security in an open ecosystem While users have the flexibility to download apps from many sources, the safety of an app can vary depending on the download source. Google Play, for example, carries out rigorous operational reviews to ensure app safety, including proper high-risk API use and permissions handling. Other app stores may also follow established policies and procedures that help reduce risks to users and their data. These protections often include requirements for developers to declare which permissions their apps use and how developers plan to use app data. Conversely, standalone app distribution sources like web browsers, messaging apps or file managers – which we commonly refer to as Internet-sideloading – do not offer the same rigorous requirements and operational reviews. Our data demonstrates that users who download from these sources today face unusually high security risks due to these missing protections. We recently launched enhanced Google Play Protect real-time scanning to help better protect users against novel malicious Internet-sideloaded apps. This enhancement is designed to address malicious apps that leverage various methods, such as AI, to avoid detection. This feature, now deployed on Android devices with Google Play Services in India, Thailand, Singapore and Brazil, has already made a significant impact on user safety. As a result of the real-time scanning enhancement, Play Protect has identified 515,000 new malicious apps and issued more than 3.1 million warnings or blocks of those apps. Play Protect is constantly improving its detection capabilities with each identified app, allowing us to strengthen our protections for the entire Android ecosystem. A new pilot to combat financial fraud Cybercriminals continue to invest in advanced financial fraud scams, costing consumers more than $1 trillion in losses. According to the 2023 Global State of Scams Report by the Global Anti-Scam Alliance, 78 percent of mobile users surveyed experienced at least one scam in the last year. Of those surveyed, 45 percent said they’re experiencing more scams in the last 12 months. The Global Scam Report also found that scams were most often initiated by sending scam links via various messaging platforms to get users to install malicious apps and very often paired with a phone call posing to be from a valid entity. Scammers frequently employ social engineering tactics to deceive mobile users. Using urgent pretenses that often involve a risk to a user’s finances or an opportunity for quick wealth, cybercriminals convince users to disable security safeguards and ignore proactive warnings for potential malware, scams, and phishing. We’ve seen a large percentage of users ignore, or are tricked into dismissing, these proactive Android platform warnings and proceed with installing malicious apps. This can lead to users ultimately disclosing their security codes, passwords, financial information and/or transferring funds unknowingly to a fraudster. To help better protect Android users from these financial fraud attacks, we are piloting enhanced fraud protection with Google Play Protect. As part of a continued strategic partnership with the Cyber Security Agency of Singapore (CSA), we will launch this first pilot in Singapore in the coming weeks to help keep Android users safe from mobile financial fraud. This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps or file managers). This enhancement will inspect the permissions the app declared in real-time and specifically look for four permission requests: RECEIVE_SMS, READ_SMS, BIND_Notifications, and Accessibility. These permissions are frequently abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on screen content. Based on our analysis of major fraud malware families that exploit these sensitive permissions, we found that over 95 percent of installations came from Internet-sideloading sources. During the upcoming pilot, when a user in Singapore attempts to install an application from an Internet-sideloading source and any of these four permissions are declared, Play Protect will automatically block the installation with an explanation to the user. Collaborating to combat mobile fraud This enhanced fraud protection has undergone testing by the Singapore government and will be rolling out to Android devices with Google Play services. “The fight against online scams is a dynamic one. As cybercriminals refine their methods, we must collaborate and innovate to stay ahead, “ said Mr Chua Kuan Seah, Deputy Chief Executive of CSA. “Through such partnerships with technology players like Google, we are constantly improving our anti-scam defenses to protect Singaporeans online and safeguard their digital assets.” Together with CSA, we will be closely monitoring the results of the pilot program to assess its impact and make adjustments as needed. We will also support CSA by continuing to assist with malware detection and analysis, sharing malware insights and techniques, and creating user and developer education resources. How developers can prepareFor developers distributing apps that may be affected by this pilot, please take the time to review the device permissions your app is requesting and ensure you’re following developer best practices. Your app should only request permissions that the app needs to complete an action and ensure it does not violate the Mobile Unwanted Software principles. Always ensure that your app does not engage in behavior that could be considered potentially harmful or malware. If you find that your app is affected by the app protection pilot you can refer to our updated developer guidance for Play Protect warnings for tips on how to help fix potential issues with your app and instructions for filing an appeal if needed. Check out the video below to learn more.Our commitment to protecting Android users We believe industry collaboration is essential to protect users from mobile security threats and fraud. Piloting these new protections will help us stay ahead of new attacks and evolve our solutions to defeat scammers and their expanding fraud attempt. We have an unwavering commitment to protecting our users around the world and look forward to continuing to partner with governments, ecosystem partners and other stakeholders to improve user protections.
http://security.googleblog.com/2024/02/piloting-new-ways-to-protect-Android-users-from financial-fraud.html
Posted by Lars Bergstrom – Director, Android Platform Tools & Libraries and Chair of the Rust Foundation Board Back in 2021, we announced that Google was joining the Rust Foundation. At the time, Rust was already in wide use across Android and other Google products. Our announcement emphasized our commitment to improving the security reviews of Rust code and its interoperability with C++ code. Rust is one of the strongest tools we have to address memory safety security issues. Since that announcement, industry leaders and government agencies have echoed our sentiment. We are delighted to announce that Google has provided a grant of $1 million to the Rust Foundation to support efforts that will improve the ability of Rust code to interoperate with existing legacy C++ codebases. We’re also furthering our existing commitment to the open-source Rust community by aggregating and publishing audits for Rust crates that we use in open-source Google projects. These contributions, along with our previous interoperability contributions, have us excited about the future of Rust. “Based on historical vulnerability density statistics, Rust has proactively prevented hundreds of vulnerabilities from impacting the Android ecosystem. This investment aims to expand the adoption of Rust across various components of the platform.” – Dave Kleidermacher, Google Vice President of Engineering, Android Security & Privacy While Google has seen the most significant growth in the use of Rust in Android, we’re continuing to grow its use across more applications, including clients and server hardware. “While Rust may not be suitable for all product applications, prioritizing seamless interoperability with C++ will accelerate wider community adoption, thereby aligning with the industry goals of improving memory safety.” – Royal Hansen, Google Vice President of Safety & Security The Rust tooling and ecosystem already support interoperability with Android and with continued investment in tools like cxx, autocxx, bindgen, cbindgen, diplomat, and crubit, we are seeing regular improvements in the state of Rust interoperability with C++. As these improvements have continued, we’ve seen a reduction in the barriers to adoption and accelerated adoption of Rust. While that progress across the many tools continues, it is often only expanded incrementally to support the particular needs of a given project or company. In order to accelerate both Rust adoption at Google as well as more broadly across the industry, we are eager to invest in and collaborate on any needed ABI changes, tooling and build system support, wrapper libraries, or other areas identified. We are excited to support this work through the Rust Foundation’s Interop Initiative and in collaboration with the Rust project to ensure that any additions made are suitable and address the challenges of Rust adoption that projects using C++ face. Improving memory safety across the software industry is one of the key technology challenges of our time, and we invite others across the community and industry to join us in working together to secure the open source ecosystem for everyone. Learn more about the Rust Foundation’s Interop Initiative by reading their recent announcement.
http://security.googleblog.com/2024/02/improving-interoperability-between-rust-and-c.html
Royal Hansen, Vice President of Privacy, Safety and Security EngineeringThis week, the United Nations convened member states to continue its years-long negotiations on the UN Cybercrime Treaty, titled “Countering the Use of Information and Communications Technologies for Criminal Purposes.” As more aspects of our lives intersect with the digital sphere, law enforcement around the world has increasingly turned to electronic evidence to investigate and disrupt criminal activity. Google takes the threat of cybercrime very seriously, and dedicates significant resources to combating it. When governments send Google legal orders to disclose user data in connection with their investigations, we carefully review those orders to make sure they satisfy applicable laws, international norms, and Google’s policies. We also regularly report the number of these orders in our Transparency Report. To ensure that transnational legal demands are issued consistent with rule of law, we have long called for an international framework for digital evidence that includes robust due process protections, respects human rights (including the right to free expression), and aligns with existing international norms. This is particularly important in the case of transnational criminal investigations, where the legal protections in one jurisdiction may not align with those in others. Such safeguards aren’t just important to ensuring free expression and human rights, they are also critical to protecting web security. Too often, as we know well from helping stand up the Security Researcher Legal Defense Fund, individuals working to advance cybersecurity for the public good end up facing criminal charges. The Cybercrime Treaty should not criminalize the work of legitimate cybersecurity researchers and penetration testers, which is designed to protect individual systems and the web as a whole. UN Member States have an opportunity to strengthen global cybersecurity by adopting a treaty that encourages the criminalization of the most egregious and systemic activities — on which all parties can agree — while adopting a framework for sharing digital evidence that is transparent, grounded in the rule of law, based on pre-existing international frameworks like the Universal Declaration on Human Rights, and aligned with principles of necessity and proportionality. At the same time, Member States should avoid attempts to criminalize activities that raise significant freedom of expression issues, or that actually undercut the treaty’s goal of reducing cybercrime. That will require strengthening critical guardrails and protections. We urge Member States to heed calls from civil society groups to address critical gaps in the Treaty and revise the text to protect users and security professionals — not endanger the security of the web.
http://security.googleblog.com/2024/02/un-cybercrime-treaty-could-endanger-web.html
Dongge Liu and Oliver Chang, Google Open Source Security Team, Jan Nowakowski and Jan Keller, Machine Learning for Security TeamThe AI world moves fast, so we’ve been hard at work keeping security apace with recent advancements. One of our approaches, in alignment with Google’s Secure AI Framework (SAIF), is using AI itself to automate and streamline routine and manual security tasks, including fixing security bugs. Last year we wrote about our experiences using LLMs to expand vulnerability testing coverage, and we’re excited to share some updates. Today, we’re releasing our fuzzing framework as a free, open source resource that researchers and developers can use to improve fuzzing’s bug-finding abilities. We’ll also show you how we’re using AI to speed up the bug patching process. By sharing these experiences, we hope to spark new ideas and drive innovation for a stronger ecosystem security.Update: AI-powered vulnerability discoveryLast August, we announced our framework to automate manual aspects of fuzz testing (“fuzzing”) that often hindered open source maintainers from fuzzing their projects effectively. We used LLMs to write project-specific code to boost fuzzing coverage and find more vulnerabilities. Our initial results on a subset of projects in our free OSS-Fuzz service were very promising, with code coverage increased by 30% in one example. Since then, we’ve expanded our experiments to more than 300 OSS-Fuzz C/C++ projects, resulting in significant coverage gains across many of the project codebases. We’ve also improved our prompt generation and build pipelines, which has increased code line coverage by up to 29% in 160 projects. How does that translate to tangible security improvements? So far, the expanded fuzzing coverage offered by LLM-generated improvements allowed OSS-Fuzz to discover two new vulnerabilities in cJSON and libplist, two widely used projects that had already been fuzzed for years. As always, we reported the vulnerabilities to the project maintainers for patching. Without the completely LLM-generated code, these two vulnerabilities could have remained undiscovered and unfixed indefinitely. And more: AI-powered vulnerability fixingFuzzing is fantastic for finding bugs, but for security to improve, those bugs also need to be patched. It’s long been an industry-wide struggle to find the engineering hours needed to patch open bugs at the pace that they are uncovered, and triaging and fixing bugs is a significant manual toll on project maintainers. With continued improvements in using LLMs to find more bugs, we need to keep pace in creating similarly automated solutions to help fix those bugs. We recently announced an experiment doing exactly that: building an automated pipeline that intakes vulnerabilities (such as those caught by fuzzing), and prompts LLMs to generate fixes and test them before selecting the best for human review.This AI-powered patching approach resolved 15% of the targeted bugs, leading to significant time savings for engineers. The potential of this technology should apply to most or all categories throughout the software development process. We’re optimistic that this research marks a promising step towards harnessing AI to help ensure more secure and reliable software.Try it outSince we’ve now open sourced our framework to automate manual aspects of fuzzing, any researcher or developer can experiment with their own prompts to test the effectiveness of fuzz targets generated by LLMs (including Google’s VertexAI or their own fine-tuned models) and measure the results against OSS-Fuzz C/C++ projects. We also hope to encourage research collaborations and to continue seeing other work inspired by our approach, such as Rust fuzz target generation. If you’re interested in using LLMs to patch bugs, be sure to read our paper on building an AI-powered patching pipeline. You’ll find a summary of our own experiences, some unexpected data about LLM’s abilities to patch different types of bugs, and guidance for building pipelines in your own organizations.
http://security.googleblog.com/2024/01/scaling-security-with-ai-from-detection.html
Posted by Sherif Hanna, Group Product Manager, Pixel Security Helping Pixel owners upgrade to the easier, safer way to sign in Your phone contains a lot of your personal information, from financial data to photos. Pixel phones are designed to help protect you and your data, and make security and privacy as easy as possible. This is why the Pixel team has been especially excited about passkeys—the easier, safer alternative to passwords. Passkeys are safer because they’re unique to each account, and are more resistant against online attacks such as phishing. They’re easier to use because there’s nothing for you to remember: when it’s time to sign in, using a passkey is as simple as unlocking your device with your face or fingerprint, or your PIN/pattern/password. Google is working to accelerate passkey adoption. We’ve launched support for passkeys on Google platforms such as Android and Chrome, and recently we announced that we’re making passkeys a default option across personal Google Accounts. We’re also working with our partners across the industry to make passkeys available on more websites and apps. Recently, we took things a step further. As part of last December’s Pixel Feature Drop, we introduced a new feature to Google Password Manager: passkey upgrades. With this new feature, Google Password Manager will let you discover which of your accounts support passkeys, and help you upgrade with just a few taps. This new passkey upgrade experience is now available on Pixel phones (starting from Pixel 5a) as well as Pixel Tablet. Google Password manager will incorporate these updates for other platforms in the future. Best of all, today we’re happy to announce that we’ve teamed up with Adobe, Best Buy, DocuSign, eBay, Kayak, Money Forward, Nintendo, PayPal, Uber, Yahoo! Japan—and soon, TikTok as well, to help bring you this easy passkey upgrade experience and usher you into the passwordless future. If you have an account with one of these early launch partners, Google Password Manager on Pixel will helpfully guide you to the exact location on the partner’s website or app where you can upgrade to a passkey. There’s no need to manually hunt for the option in account settings. And because the technology that makes this possible is open, any website or app, as well as any other password manager, can leverage it to help their users upgrade to passkeys for supporting accounts. It’s all part of Google’s commitment to help make signing in easier and safer.
http://security.googleblog.com/2024/01/upgrade-to-passkeys-on-pixel-with-google-password-manager.html
Posted by Keishi Hattori, Sergei Glazunov, Bartek Nowierski on behalf of the MiraclePtr team Welcome back to our latest update on MiraclePtr, our project to protect against use-after-free vulnerabilities in Google Chrome. If you need a refresher, you can read our previous blog post detailing MiraclePtr and its objectives. More platforms We are thrilled to announce that since our last update, we have successfully enabled MiraclePtr for more platforms and processes: In June 2022, we enabled MiraclePtr for the browser process on Windows and Android. In September 2022, we expanded its coverage to include all processes except renderer processes. In June 2023, we enabled MiraclePtr for ChromeOS, macOS, and Linux. Furthermore, we have changed security guidelines to downgrade MiraclePtr-protected issues by one severity level! Evaluating Security Impact First let’s focus on its security impact. Our analysis is based on two primary information sources: incoming vulnerability reports and crash reports from user devices. Let's take a closer look at each of these sources and how they inform our understanding of MiraclePtr's effectiveness. Bug reports Chrome vulnerability reports come from various sources, such as: Chrome Vulnerability Reward Program participants, our fuzzing infrastructure, internal and external teams investigating security incidents. For the purposes of this analysis, we focus on vulnerabilities that affect platforms where MiraclePtr was enabled at the time the issues were reported. We also exclude bugs that occur inside a sandboxed renderer process. Since the initial launch of MiraclePtr in 2022, we have received 168 use-after-free reports matching our criteria. What does the data tell us? MiraclePtr effectively mitigated 57% of these use-after-free vulnerabilities in privileged processes, exceeding our initial estimate of 50%. Reaching this level of effectiveness, however, required additional work. For instance, we not only rewrote class fields to use MiraclePtr, as discussed in the previous post, but also added MiraclePtr support for bound function arguments, such as Unretained pointers. These pointers have been a significant source of use-after-frees in Chrome, and the additional protection allowed us to mitigate 39 more issues. Moreover, these vulnerability reports enable us to pinpoint areas needing improvement. We're actively working on adding support for select third-party libraries that have been a source of use-after-free bugs, as well as developing a more advanced rewriter tool that can handle transformations like converting std::vector<T*> into std::vector<raw_ptr<T>>. We've also made several smaller fixes, such as extending the lifetime of the task state object to cover several issues in the “this pointer” category. Crash reports Crash reports offer a different perspective on MiraclePtr's effectiveness. As explained in the previous blog post, when an allocation is quarantined, its contents are overwritten with a special bit pattern. If the allocation is used later, the pattern will often be interpreted as an invalid memory address, causing a crash when the process attempts to access memory at that address. Since the dereferenced address remains within a small, predictable memory range, we can distinguish MiraclePtr crashes from other crashes. Although this approach has its limitations — such as not being able to obtain stack traces from allocation and deallocation times like AddressSanitizer does — it has enabled us to detect and fix vulnerabilities. Last year, six critical severity vulnerabilities were identified in the default setup of Chrome Stable, the version most people use. Impressively, five of the six were discovered while investigating MiraclePtr crash reports! One particularly interesting example is CVE-2022-3038. The issue was discovered through MiraclePtr crash reports and fixed in Chrome 105. Several months later, Google's Threat Analysis Group discovered an exploit for that vulnerability used in the wild against clients of a different Chromium-based browser that hadn’t shipped the fix yet. To further enhance our crash analysis capabilities, we've recently launched an experimental feature that allows us to collect additional information for MiraclePtr crashes, including stack traces. This effectively shortens the average crash report investigation time. Performance MiraclePtr enables us to have robust protection against use-after-free bug exploits, but there is a performance cost associated with it. Therefore, we have conducted experiments on each platform where we have shipped MiraclePtr, which we used in our decision-making process. The main cost of MiraclePtr is memory. Specifically, the memory usage of the browser process increased by 5.5-8% on desktop platforms and approximately 2% on Android. Yet, when examining the holistic memory usage across all processes, the impact remains within a moderate 1-3% range to lower percentiles only. The main cause of the additional memory usage is the extra size to allocate the reference count. One might think that adding 4 bytes to each allocation wouldn’t be a big deal. However, there are many small allocations in Chrome, so even the 4B overhead is not negligible. Moreover, PartitionAlloc also uses pre-defined allocation bucket sizes, so this extra 4B pushes certain allocations (particularly power-of-2 sized) into a larger bucket, e.g. 4096B → 5120B. We also considered the performance cost. We verified that there were no regressions to the majority of our top-level performance metrics, including all of the page load metrics, like Largest Contentful Paint, First Contentful Paint and Cumulative Layout Shift. We did find a few regressions, such as a 10% increase in the 99th percentile of the browser process main thread contention metric, a 1.5% regression in First Input Delay on ChromeOS, and a 1.5% regression in tab startup time on Android. The main thread contention metric tries to estimate how often a user input can be delayed and so for example on Windows this was a change from 1.6% to 1.7% at the 99th percentile only. These are all minor regressions. There has been zero change in daily active usage, and we do not anticipate these regressions to have any noticeable impact on users. Conclusion In summary, MiraclePtr has proven to be effective in mitigating use-after-free vulnerabilities and enhancing the overall security of the Chrome browser. While there are performance costs associated with the implementation of MiraclePtr, our analysis suggests that the benefits in terms of security improvements far outweigh these. We are committed to continually refining and expanding the feature to cover more areas. For example we are working to add coverage to third-party libraries used by the GPU process, and we plan to enable BRP on the renderer process. By sharing our findings and experiences, we hope to contribute to the broader conversation surrounding browser security and inspire further innovation in this crucial area.
http://security.googleblog.com/2024/01/miracleptr-protecting-users-from-use.html
Posted by Ivan Lozano and Roger Piqueras Jover Android’s defense-in-depth strategy applies not only to the Android OS running on the Application Processor (AP) but also the firmware that runs on devices. We particularly prioritize hardening the cellular baseband given its unique combination of running in an elevated privilege and parsing untrusted inputs that are remotely delivered into the device. This post covers how to use two high-value sanitizers which can prevent specific classes of vulnerabilities found within the baseband. They are architecture agnostic, suitable for bare-metal deployment, and should be enabled in existing C/C++ code bases to mitigate unknown vulnerabilities. Beyond security, addressing the issues uncovered by these sanitizers improves code health and overall stability, reducing resources spent addressing bugs in the future. An increasingly popular attack surface As we outlined previously, security research focused on the baseband has highlighted a consistent lack of exploit mitigations in firmware. Baseband Remote Code Execution (RCE) exploits have their own categorization in well-known third-party marketplaces with a relatively low payout. This suggests baseband bugs may potentially be abundant and/or not too complex to find and exploit, and their prominent inclusion in the marketplace demonstrates that they are useful. Baseband security and exploitation has been a recurring theme in security conferences for the last decade. Researchers have also made a dent in this area in well-known exploitation contests. Most recently, this area has become prominent enough that it is common to find practical baseband exploitation trainings in top security conferences. Acknowledging this trend, combined with the severity and apparent abundance of these vulnerabilities, last year we introduced updates to the severity guidelines of Android’s Vulnerability Rewards Program (VRP). For example, we consider vulnerabilities allowing Remote Code Execution (RCE) in the cellular baseband to be of CRITICAL severity. Mitigating Vulnerability Root Causes with Sanitizers Common classes of vulnerabilities can be mitigated through the use of sanitizers provided by Clang-based toolchains. These sanitizers insert runtime checks against common classes of vulnerabilities. GCC-based toolchains may also provide some level of support for these flags as well, but will not be considered further in this post. We encourage you to check your toolchain’s documentation. Two sanitizers included in Undefined Behavior Sanitizer (UBSan) will be our focus – Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan). These have been widely deployed in Android userspace for years following a data-driven approach. These two are well suited for bare-metal environments such as the baseband since they do not require support from the OS or specific architecture features, and so are generally supported for all Clang targets. Integer Overflow Sanitizer (IntSan) IntSan causes signed and unsigned integer overflows to abort execution unless the overflow is made explicit. While unsigned integer overflows are technically defined behavior, it can often lead to unintentional behavior and vulnerabilities – especially when they’re used to index into arrays. As both intentional and unintentional overflows are likely present in most code bases, IntSan may require refactoring and annotating the code base to prevent intentional or benign overflows from trapping (which we consider a false positive for our purposes). Overflows which need to be addressed can be uncovered via testing (see the Deploying Sanitizers section) BoundsSanitizer (BoundSan) BoundSan inserts instrumentation to perform bounds checks around some array accesses. These checks are only added if the compiler cannot prove at compile time that the access will be safe and if the size of the array will be known at runtime, so that it can be checked against. Note that this will not cover all array accesses as the size of the array may not be known at runtime, such as function arguments which are arrays. As long as the code is correctly written C/C++, BoundSan should produce no false positives. Any violations discovered when first enabling BoundSan is at least a bug, if not a vulnerability. Resolving even those which aren’t exploitable can greatly improve stability and code quality. Modernize your toolchains Adopting modern mitigations also means adopting (and maintaining) modern toolchains. The benefits of this go beyond utilizing sanitizers however. Maintaining an old toolchain is not free and entails hidden opportunity costs. Toolchains contain bugs which are addressed in subsequent releases. Newer toolchains bring new performance optimizations, valuable in the highly constrained bare-metal environment that basebands operate in. Security issues can even exist in the generated code of out-of-date compilers. Maintaining a modern up-to-date toolchain for the baseband entails some costs in terms of maintenance, especially at first if the toolchain is particularly old, but over time the benefits, as outlined above, outweigh the costs. Where to apply sanitizers Both BoundSan and IntSan have a measurable performance overhead. Although we were able to significantly reduce this overhead in the past (for example to less than 1% in media codecs), even very small increases in CPU load can have a substantial impact in some environments. Enabling sanitizers over the entire codebase provides the most benefit, but enabling them in security-critical attack surfaces can serve as a first step in an incremental deployment. For example: Functions parsing messages delivered over the air in 2G, 3G, 4G, and 5G (especially functions handling pre-authentication messages that can be injected with a false/malicious base station) Libraries encoding/decoding complex formats (e.g. ASN.1, XML, DNS, etc…) IMS, TCP and IP stacks Messaging functions (SMS, MMS) In the particular case of 2G, the best strategy is to disable the stack altogether by supporting Android’s “2G toggle”. However, 2G is still a necessary mobile access technology in certain parts of the world and some users might need to have this legacy protocol enabled. Deploying Sanitizers Having a clear plan for deployment of sanitizers saves a lot of time and effort. We think of the deployment process as having three stages: Detecting (and fixing) violations Measuring and reducing overhead Soaking in pre-production We also introduce two modes in which sanitizers should be run: diagnostics mode and trapping mode. These will be discussed in the following sections, but briefly: diagnostics mode recovers from violations and provides valuable debug information, while trapping mode actively mitigates vulnerabilities by trapping execution on violations. Detecting (and Fixing) Violations To successfully ship these sanitizers, any benign integer overflows must be made explicit and accidental out-of-bounds accesses must be addressed. These will have to be uncovered through testing. The higher the code coverage your tests provide, the more issues you can uncover at this stage and the easier deployment will be later on. To diagnose violations uncovered in testing, sanitizers can emit calls to runtime handlers with debug information such as the file, line number, and values leading to the violation. Sanitizers can optionally continue execution after a violation has occurred, allowing multiple violations to be discovered in a single test run. We refer to using the sanitizers in this way as running them in “diagnostics mode”. Diagnostics mode is not intended for production as it provides no security benefits and adds high overhead. Diagnostics mode for the sanitizers can be set using the following flags: -fsanitize=signed-integer-overflow,unsigned-integer-overflow,bounds -fsanitize-recover=all Since Clang does not provide a UBSan runtime for bare-metal targets, a runtime will need to be defined and provided at link time: // integer overflow handlers __ubsan_handle_add_overflow(OverflowData *data, ValueHandle lhs, ValueHandle rhs) __ubsan_handle_sub_overflow(OverflowData *data, ValueHandle lhs, ValueHandle rhs) __ubsan_handle_mul_overflow(OverflowData *data, ValueHandle lhs, ValueHandle rhs) __ubsan_handle_divrem_overflow(OverflowData *data, ValueHandle lhs, ValueHandle rhs) __ubsan_handle_negate_overflow(OverflowData *data, ValueHandle old_val) // boundsan handler __ubsan_handle_out_of_bounds_overflow(OverflowData *data, ValueHandle old_val) As an example, see the default Clang implementation; the Linux Kernels implementation may also be illustrative. With the runtime defined, enable the sanitizer over the entire baseband codebase and run all available tests to uncover and address any violations. Vulnerabilities should be patched, and overflows should either be refactored or made explicit through the use of checked arithmetic builtins which do not trigger sanitizer violations. Certain functions which are expected to have intentional overflows (such as cryptographic functions) can be preemptively excluded from sanitization (see next section). Aside from uncovering security vulnerabilities, this stage is highly effective at uncovering code quality and stability bugs that could result in instability on user devices. Once violations have been addressed and tests are no longer uncovering new violations, the next stage can begin. Measuring and Reducing Overhead Once shallow violations have been addressed, benchmarks can be run and the overhead from the sanitizers (performance, code size, memory footprint) can be measured. Measuring overhead must be done using production flags – namely “trapping mode”, where violations cause execution to abort. The diagnostics runtime used in the first stage carries significant overhead and is not indicative of the actual performance sanitizer overhead. Trapping mode can be enabled using the following flags: -fsanitize=signed-integer-overflow,unsigned-integer-overflow,bounds -fsanitize-trap=all Most of the overhead is likely due to a small handful of “hot functions”, for example those with tight long-running loops. Fine-grained per-function performance metrics (similar to what Simpleperf provides for Android), allows comparing metrics before and after sanitizers and provides the easiest means to identify hot functions. These functions can either be refactored or, after manual inspection to verify that they are safe, have sanitization disabled. Sanitizers can be disabled either inline in the source or through the use of ignorelists and the -fsanitize-ignorelist flag. The physical layer code, with its extremely tight performance margins and lower chance of exploitable vulnerabilities, may be a good candidate to disable sanitization wholesale if initial performance seems prohibitive. Soaking in Pre-production With overhead minimized and shallow bugs resolved, the final stage is enabling the sanitizers in trapping mode to mitigate vulnerabilities. We strongly recommend a long period of internal soak in pre-production with test populations to uncover any remaining violations not discovered in testing. The more thorough the test coverage and length of the soak period, the less risk there will be from undiscovered violations. As above, the configuration for trapping mode is as follows: -fsanitize=signed-integer-overflow,unsigned-integer-overflow,bounds -fsanitize-trap=all Having infrastructure in place to collect bug reports which result from any undiscovered violations can help minimize the risk they present. Transitioning to Memory Safe Languages The benefits from deploying sanitizers in your existing code base are tangible, however ultimately they address only the lowest hanging fruit and will not result in a code base free of vulnerabilities. Other classes of memory safety vulnerabilities remain unaddressed by these sanitizers. A longer term solution is to begin transitioning today to memory-safe languages such as Rust. Rust is ready for bare-metal environments such as the baseband, and we are already using it in other bare-metal components in Android. There is no need to rewrite everything in Rust, as Rust provides a strong C FFI support and easily interfaces with existing C codebases. Just writing new code in Rust can rapidly reduce the number of memory safety vulnerabilities. Rewrites should be limited/prioritized only for the most critical components, such as complex parsers handling untrusted data. The Android team has developed a Rust training meant to help experienced developers quickly ramp up Rust fundamentals. An entire day for bare-metal Rust is included, and the course has been translated to a number of different languages. While the Rust compiler may not explicitly support your bare-metal target, because it is a front-end for LLVM, any target supported by LLVM can be supported in Rust through custom target definitions. Raising the Bar As the high-level operating system becomes a more difficult target for attackers to successfully exploit, we expect that lower level components such as the baseband will attract more attention. By using modern toolchains and deploying exploit mitigation technologies, the bar for attacking the baseband can be raised as well. If you have any questions, let us know – we’re here to help!
http://security.googleblog.com/2023/12/hardening-cellular-basebands-in-android.html
Elie Bursztein, Cybersecurity & AI Research Director, and Marina Zhang, Software EngineerSystems such as Gmail, YouTube and Google Play rely on text classification models to identify harmful content including phishing attacks, inappropriate comments, and scams. These types of texts are harder for machine learning models to classify because bad actors rely on adversarial text manipulations to actively attempt to evade the classifiers. For example, they will use homoglyphs, invisible characters, and keyword stuffing to bypass defenses. To help make text classifiers more robust and efficient, we’ve developed a novel, multilingual text vectorizer called RETVec (Resilient & Efficient Text Vectorizer) that helps models achieve state-of-the-art classification performance and drastically reduces computational cost. Today, we’re sharing how RETVec has been used to help protect Gmail inboxes.Strengthening the Gmail Spam Classifier with RETVecFigure 1. RETVec-based Gmail Spam filter improvements.Over the past year, we battle-tested RETVec extensively inside Google to evaluate its usefulness and found it to be highly effective for security and anti-abuse applications. In particular, replacing the Gmail spam classifier’s previous text vectorizer with RETVec allowed us to improve the spam detection rate over the baseline by 38% and reduce the false positive rate by 19.4%. Additionally, using RETVec reduced the TPU usage of the model by 83%, making the RETVec deployment one of the largest defense upgrades in recent years. RETVec achieves these improvements by sporting a very lightweight word embedding model (~200k parameters), allowing us to reduce the Transformer model’s size at equal or better performance, and having the ability to split the computation between the host and TPU in a network and memory efficient manner.RETVec BenefitsRETVec achieves these improvements by combining a novel, highly-compact character encoder, an augmentation-driven training regime, and the use of metric learning. The architecture details and benchmark evaluations are available in our NeurIPS 2023 paper and we open-source RETVec on Github.Due to its novel architecture, RETVec works out-of-the-box on every language and all UTF-8 characters without the need for text preprocessing, making it the ideal candidate for on-device, web, and large-scale text classification deployments. Models trained with RETVec exhibit faster inference speed due to its compact representation. Having smaller models reduces computational costs and decreases latency, which is critical for large-scale applications and on-device models.Figure 1. RETVec architecture diagram.Models trained with RETVec can be seamlessly converted to TFLite for mobile and edge devices, as a result of a native implementation in TensorFlow Text. For web application model deployment, we provide a TensorflowJS layer implementation that is available on Github and you can check out a demo web page running a RETVec-based model.Figure 2. Typo resilience of text classification models trained from scratch using different vectorizers.RETVec is a novel open-source text vectorizer that allows you to build more resilient and efficient server-side and on-device text classifiers. The Gmail spam filter uses it to help protect Gmail inboxes against malicious emails.If you would like to use RETVec for your own use cases or research, we created a tutorial to help you get started.This research was conducted by Elie Bursztein, Marina Zhang, Owen Vallis, Xinyu Jia, and Alexey Kurakin. We would like to thank Gengxin Miao, Brunno Attorre, Venkat Sreepati, Lidor Avigad, Dan Givol, Rishabh Seth and Melvin Montenegro and all the Googlers who contributed to the project.
http://security.googleblog.com/2023/11/improving-text-classification.html
Royal Hansen, Vice President of Privacy, Safety and Security Engineering, GoogleNearly half of third-parties fail to meet two or more of the Minimum Viable Secure Product controls. Why is this a problem? Because "98% of organizations have a relationship with at least one third-party that has experienced a breach in the last 2 years."In this post, we're excited to share the latest improvements to the Minimum Viable Secure Product (MVSP) controls. We'll also shed light on how adoption of MVSP has helped Google improve its security processes, and hope this example will help motivate third-parties to increase their adoption of MVSP controls and thus improve product security across the industry.About MVSPIn October 2021, Google publicly launched MVSP alongside launch partners. Our original goal remains unchanged: to provide a vendor-neutral application security baseline, designed to eliminate overhead, complexity, and confusion in the end-to-end process of onboarding third-party products and services. It covers themes such as procurement, security assessment, and contract negotiation.Improvements since launchAs part of MVSP’s annual control review, and our core philosophy of evolution over revolution, the working group sought input from the broader security community to ensure MVSP maintains a balance between security and achievability.As a result of these discussions, we launched updated controls. Key changes include: expanded guidance around external vulnerability reporting to protect bug hunters, and discouraging additional costs for access to basic security features – inline with CISA’s "Secure-by-Design" principles.In 2022, we developed guidance on build process security based on SLSA, to reflect the importance of supply chain security and integrity.From an organizational perspective, in the two years since launching, we've seen the community around MVSP continue to expand. The working group has grown to over 20 global members, helping to diversify voices and broaden expertise. We've also had the opportunity to present and discuss the program with a number of key groups, including an invitation to present at the United Nations International Computing Centre – Common Secure Conference.Google at the UNICC conference in Valencia, SpainHow Google uses MVSPSince its inception, Google has looked to integrate improvements to our own processes using MVSP as a template. Two years later, we can clearly see the impact through faster procurement processes, streamlined contract negotiations, and improved data-driven decision making.HighlightsAfter implementing MVSP into key areas of Google's third-party life-cycle, we've observed a 68% reduction in the time required for third-parties to complete assessment process.By embedding MVSP into select procurement processes, Google has increased data-driven decision making in earlier phases of the cycle.Aligning our Information Protection Addendum’s safeguards with MVSP has significantly improved our third-party privacy and security risk management processes.You use MVSP to enhance your software or procurement processes by reviewing some common use-cases and adopting them into your third-party risk management and/or contracting workflows .What's next?We're invested in helping the industry manage risk posture through continuous improvement, while increasing the minimum bar for product security across the industry.By making MVSP available to the wider industry, we are helping to create a solid foundation for growing the maturity level of products and services. Google has benefited from driving security and safety improvements through the use of leveled sets of requirements. We expect the same to be true across the wider industry.We've seen success, but there is still work to be done. Based on initial observations, as mentioned above, 48% of third-parties fail to meet two or more of the Minimum Viable Secure Product controls.As an industry, we can't stand still when it comes to product security. Help us raise the minimum bar for application security by adopting MVSP and ensuring we as an industry don’t accept anything less than a strong security baseline that works for the wider industry.AcknowledgementsGoogle and the MVSP working group would like to thank those who have supported and contributed since its inception. If you'd like to get involved or provide feedback, please reach out.Thank you to Chris John Riley, Gabor Acs-Kurucz, Michele Chubirka, Anna Hupa, Dirk Göhmann and Kaan Kivilcim from the Google MVSP Group for their contributions to this post.
http://security.googleblog.com/2023/11/two-years-later-baseline-that-drives-up.html
Posted by Nataliya Stanetsky, Android Security and Privacy Team The App Defense Alliance (ADA), an industry-leading collaboration launched by Google in 2019 dedicated to ensuring the safety of the app ecosystem, is taking a major step forward. We are proud to announce that the App Defense Alliance is moving under the umbrella of the Linux Foundation, with Meta, Microsoft, and Google as founding steering members. This strategic migration represents a pivotal moment in the Alliance’s journey, signifying a shared commitment by the members to strengthen app security and related standards across ecosystems. This evolution of the App Defense Alliance will enable us to foster more collaborative implementation of industry standards for app security. Uniting for App Security The digital landscape is continually evolving, and so are the threats to user security. With the ever-increasing complexity of mobile apps and the growing importance of data protection, now is the perfect time for this transition. The Linux Foundation is renowned for its dedication to fostering open-source projects that drive innovation, security, and sustainability. By combining forces with additional members under the Linux Foundation, we can adapt and respond more effectively to emerging challenges. The commitment of the newly structured App Defense Alliance’s founding steering members – Meta, Microsoft, and Google – is pivotal in making this transition a reality. With a member community spanning an additional 16 General and Contributor Members, the Alliance will support industry-wide adoption of app security best practices and guidelines, as well as countermeasures against emerging security risks. Continuing the Malware Mitigation Program The App Defense Alliance was formed with the mission of reducing the risk of app-based malware and better protecting Android users. Malware defense remains an important focus for Google and Android, and we will continue to partner closely with the Malware Mitigation Program members – ESET, Lookout, McAfee, Trend Micro, Zimperium – on direct signal sharing. The migration of ADA under the Linux Foundation will enable broader threat intelligence sharing across leading ecosystem partners and researchers. Looking Ahead and Connecting With the ADA We invite you to stay connected with the newly structured App Defense Alliance under the Linux foundation umbrella. Join the conversation to help make apps more secure. Together with the steering committee, alliance partners, and the broader ecosystem, we look forward to building more secure and trustworthy app ecosystems.
http://security.googleblog.com/2023/11/evolving-app-defense-alliance.html
Posted by Andy Qin, Irene Ang, Kostya Serebryany, Evgenii Stepanov Since 2018, Google has partnered with ARM and collaborated with many ecosystem partners (SoCs vendors, mobile phone OEMs, etc.) to develop Memory Tagging Extension (MTE) technology. We are now happy to share the growing adoption in the ecosystem. MTE is now available on some OEM devices (as noted in a recent blog post by Project Zero) with Android 14 as a developer option, enabling developers to use MTE to discover memory safety issues in their application easily. The security landscape is changing dynamically, new attacks are becoming more complex and costly to mitigate. It’s becoming increasingly important to detect and prevent security vulnerabilities early in the software development cycle and also have the capability to mitigate the security attacks at the first moment of exploitation in production.The biggest contributor to security vulnerabilities are memory safety related defects and Google has invested in a set of technologies to help mitigate memory safety risks. These include but are not limited to: Shifting to memory safe languages such as Rust as a proactive solution to prevent the new memory safety bugs from being introduced in the first place. Tools for detecting memory safety defects in the development stages and production environment, such as widely used sanitizer technologies1 (ASAN, HWASAN, GWP-ASAN, etc.) as well as fuzzing (with sanitizers enabled). Foundational technologies like MTE, which many experts believe is the most promising path forward for improving C/C++ software security and it can be deployed both in development and production at reasonably low cost. MTE is a hardware based capability that can detect unknown memory safety vulnerabilities in testing and/or mitigate them in production. It works by tagging the pointers and memory regions and comparing the tags to identify mismatches (details). In addition to the security benefits, MTE can also help ensure integrity because memory safety bugs remain one of the major contributors to silent data corruption that not only impact customer trust, but also cause lost productivity for software developers. At the moment, MTE is supported on some of the latest chipsets: Focusing on security for Android devices, the MediaTek Dimensity 9300 integrates support for MTE via ARM's latest v9 architecture (which is what Cortex-X4 and Cortex-A720 processors are based on). This feature can be switched on and off in the bootloader by users and developers instead of having it always on or always off. Tensor G3 integrates support for MTE only within the developer mode toggle. Feature can be activated by developers. For both chipsets, this feature can be switched on and off by developers, making it easier to find memory-related bugs during development and after deployment. MTE can help users stay safe while also improving time to market for OEMs.Application developers will be the first to leverage this feature as a way to improve their application security and reliability in the software development lifecycle. MTE can effectively help them to discover hard-to-detect memory safety vulnerabilities (buffer overflows, user-after-free, etc.) with clear & actionable stack trace information in integration testing or pre-production environments. Another benefit of MTE is that the engineering cost of memory-safety testing is drastically reduced because heap bug detection (which is majority of all memory safety bugs) does not require any source or binary changes to leverage MTE, i.e. advanced memory-safety can be achieved with just a simple environment or configuration change.We believe that MTE will play a very important role in detecting and preventing memory safety vulnerabilities and provide a promising path towards improving software security. Notes ASAN = Address Sanitizer; HWASAN = HW based ASAN;GWP-ASAN = sampling based ASAN ↩
http://security.googleblog.com/2023/11/mte-promising-path-forward-for-memory.html
Posted by Chrome Security team Improving the interoperability of web services is an important and worthy goal. We believe that it should be easier for people to maintain and control their digital identities. And we appreciate that policymakers working on European Union digital certificate legislation, known as eIDAS, are working toward this goal. However, a specific part of the legislation, Article 45, hinders browsers’ ability to enforce certain security requirements on certificates, potentially holding back advances in web security for decades. We and many past and present leaders in the international web community have significant concerns about Article 45's impact on security. We urge lawmakers to heed the calls of scientists and security experts to revise this part of the legislation rather than erode users’ privacy and security on the web.
http://security.googleblog.com/2023/11/qualified-certificates-with-qualified.html
Posted by Nataliya Stanetsky, Android Security and Privacy Team Keeping Google Play safe for users and developers remains a top priority for Google. As users increasingly prioritize their digital privacy and security, we continue to invest in our Data Safety section and transparency labeling efforts to help users make more informed choices about the apps they use. Research shows that transparent security labeling plays a crucial role in consumer risk perception, building trust, and influencing product purchasing decisions. We believe the same principles apply for labeling and badging in the Google Play store. The transparency of an app’s data security and privacy play a key role in a user’s decision to download, trust, and use an app. Highlighting Independently Security Tested VPN Apps Last year, App Defense Alliance (ADA) introduced MASA (Mobile App Security Assessment), which allows developers to have their apps independently validated against a global security standard. This signals to users that an independent third-party has validated that the developers designed their apps to meet these industry mobile security and privacy minimum best practices and the developers are going the extra mile to identify and mitigate vulnerabilities. This, in turn, makes it harder for attackers to reach users' devices and improves app quality across the ecosystem. Upon completion of the successful validation, Google Play gives developers the option to declare an “Independent security review” badge in its Data Safety section, as shown in the image below. While certification to baseline security standards does not imply that a product is free of vulnerabilities, the badge associated with these validated apps helps users see at-a-glance that a developer has prioritized security and privacy practices and committed to user safety. To help give users a simplified view of which apps have undergone an independent security validation, we’re introducing a new Google Play store banner for specific app types, starting with VPN apps. We’ve launched this banner beginning with VPN apps due to the sensitive and significant amount of user data these apps handle. When a user searches for VPN apps, they will now see a banner at the top of Google Play that educates them about the “Independent security review” badge in the Data Safety Section. Users also have the ability to “Learn More”, which redirects them to the App Validation Directory, a centralized place to view all VPN apps that have been independently security reviewed. Users can also discover additional technical assessment details in the App Validation Directory, helping them to make more informed decisions about what VPN apps to download, use, and trust with their data. VPN providers such as NordVPN, Google One, ExpressVPN, and others have already undergone independent security testing and publicly declared the badge showing their good standing with the MASA program. We encourage and anticipate additional VPN app developers to undergo independent security testing, bringing even more transparency to users. If you are a VPN developer and interested in learning more about this feature, please submit this form. Our Commitment to App Security and Privacy Transparency on Google Play By encouraging independent security testing and displaying security badges for validated apps, we highlight developers who prioritize user safety and data transparency. We also provide developers with app security and privacy best practices – through Play PolicyBytes videos, webinars, blog posts, the Developer Help Community, and other resources – in accordance with our developer policies that help keep Google Play safe. We are continually working on improvements to our app review process, policies, and programs to keep users safe and to help developers navigate our policies with ease. To learn more about how we give developers the tools to succeed while keeping users safe on Google Play, read the Google Safety Center article. Our efforts to prioritize security and privacy transparency on Google Play are aligned with the needs and expectations we’ve heard from both users and developers. We believe that by prioritizing initiatives that bolster user safety and trust, we can foster a thriving app ecosystem where users can make more informed app decisions and developers are encouraged to uphold the highest standards of security and privacy.
http://security.googleblog.com/2023/11/more-ways-for-users-to-identify.html
Security Affairs
Sat, 04 May 2024 15:38:01 +0000The Blackbasta extortion group claimed responsibility for the attack that in April severely impacted the operations of Synlab Italia. Since April 18, Synlab Italia, a major provider of medical diagnosis services, has been experiencing disruptions due to a cyber attack. The company initially cited technical issues as the cause leading to “temporary interruption of access […]
https://securityaffairs.com/162741/security/blackbasta-gang-claimed-responsibility-for-synlab-italia-attack.html
LockBit ransomware operators have published sensitive data allegedly stolen from the Simone Veil hospital in Cannes. In April, a cyber attack hit the Hospital Simone Veil in Cannes (CHC-SV), impacting medical procedures and forcing personnel to return to pen and paper. Non-urgent surgical procedures and consultations scheduled at the time of the attack were postponed. The French […]
https://securityaffairs.com/162721/cyber-crime/lockbit-published-simone-veil-hospital-data.html
The Ubiquiti EdgeRouter botnet is still used by Russia-linked group APT28 and cybercriminals organizations. Trend Micro researchers reported that the EdgeRouter botnet, called Moobot, used by the APT28 group is still active and is also used by cyber criminal organizations. In January, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and […]
https://securityaffairs.com/162706/apt/moobot-botnet-is-still-active.html
Microsoft devised an attack technique, dubbed ‘Dirty Stream,’ impacting widely used Android applications, billions of installations are at risk. Microsoft is warning Android users about a new attack technique, named Dirty Stream, that can allow threat actors to take control of apps and steal sensitive data. The IT giant describes Dirty Stream as an attack pattern, […]
https://securityaffairs.com/162699/hacking/dirty-stream-android-installs-risk.html
Zloader continues to evolve, its authors added an anti-analysis feature that was originally present in the Zeus banking trojan. Zloader (aka Terdot, DELoader, or Silent Night) is a modular trojan based on the leaked ZeuS source code. After a hiatus of almost two years, Zloader reappeared with new obfuscation techniques, domain generation algorithm (DGA), and […]
https://securityaffairs.com/162688/cyber-crime/zloader-malware-anti-analysis-feature.html
A Ukrainian national, a member of the REvil group, has been sentenced to more than 13 years in prison for his role in extortion activities. The Ukrainian national, Yaroslav Vasinskyi (24), aka Rabotnik, has been sentenced to more than 13 years in prison and must pay $16 million in restitution for conducting numerous ransomware attacks […]
https://securityaffairs.com/162679/cyber-crime/revil-gang-member-sentenced.html
Government agencies from the US, Canada and the UK warn of Russian threat actors targeting critical infrastructure in North America and Europe The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), United States Department of Agriculture (USDA), Food and Drug […]
https://securityaffairs.com/162672/hacking/pro-russia-hackers-target-critical-infrastructure.html
HPE Aruba Networking addressed four critical remote code execution vulnerabilities impacting its ArubaOS network operating system. HPE Aruba Networking released April 2024 security updates that addressed four critical remote code execution (RCE) vulnerabilities affecting multiple versions of the network operating system ArubaOS. The four vulnerabilities are unauthenticated buffer overflow issues that could be exploited to […]
https://securityaffairs.com/162663/security/hpe-aruba-networking-critical-flaws.html
Threat actors breached the Dropbox Sign production environment and accessed customer email addresses and hashed passwords Cloud storage provider DropBox revealed that threat actors have breached the production infrastructure of the DropBox Sign eSignature service and gained access to customer information and authentication data. Dropbox Sign is a service that allows users to electronically sign […]
https://securityaffairs.com/162654/hacking/dropbox-sign-production-environment-hacked.html
CISA adds GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via Password Reset. The […]
https://securityaffairs.com/162646/security/gitlab-known-exploited-vulnerabilities-catalog.html
news.sophos.com
Tue, 30 Apr 2024 16:28:37 +0000The IDC MarketScape evaluates the capabilities and business strategies of managed detection and response service providers worldwide.
https://news.sophos.com/en-us/2024/04/30/sophos-named-a-leader-in-the-2024-idc-marketscape-for-worldwide-managed-detection-and-response-mdr/
Our fifth annual report reveals how ransomware experiences have changed over the last year, plus brand-new insights into the business impact of an attack.
https://news.sophos.com/en-us/2024/04/30/the-state-of-ransomware-2024/
Sophos continues to deliver the strongest endpoint protection in the industry.
https://news.sophos.com/en-us/2024/04/29/sophos-endpoint-adaptive-attack-protection-gets-even-better/
New pop-up art display honors Autism Awareness Month at Sophos UK.
https://news.sophos.com/en-us/2024/04/26/showcasing-artwork-by-max-for-autism-awareness-month/
Command-and-control wares try to sneak onto systems disguised as various vendors; payloads vary, but Sophos customers are protected
https://news.sophos.com/en-us/2024/04/26/malware-campaign-abuses-legit-defender-binaries/
To mark Earth Day on April 22, and its theme of Planet vs. Plastics, Sophos employees are being encouraged to use their Sophos Volunteering hours to take part in practical opportunities to join the fight against plastic pollution, as well as take part in a series of wellbeing webinars focused on sustainability and climate anxiety.
https://news.sophos.com/en-us/2024/04/22/earth-day-2024-sophos-supports-this-years-planet-vs-plastics-campaign/
A Sophos X-Ops investigation finds that a wave of crude, cheap ransomware could spell trouble for small businesses and individuals – but also provide insights into threat actor career development and the wider threat landscape
https://news.sophos.com/en-us/2024/04/17/junk-gun-ransomware-peashooters-can-still-pack-a-punch/
Guidance to support financial entities in the EU impacted by the Digital Operational Resilience Act (DORA).
https://news.sophos.com/en-us/2024/04/15/sophos-guidance-on-the-digital-operational-resilience-act-dora/
The largest CVE count in recent history rolls out
https://news.sophos.com/en-us/2024/04/10/a-tumultuous-titanic-patch-tuesday-as-microsoft-makes-some-changes/
Sophos X-Ops discovers a curious backdoored (and signed) executable, masquerading as something else entirely
https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/
Ivan Novikov
Sun, 14 May 2023 06:55:29 GMTIn today’s fast-paced digital world, remote work has become the new normal. With the rise of video conferencing platforms like Zoom and Microsoft Teams, we have adapted to an all-remote culture where communication is largely virtual. One aspect of this culture that has become increasingly important is the visibility of participants’ hands during video calls. Hands have become an integral part of the modern video call etiquette, as they serve as a clear indicator of a person’s attention and presence.Take, for instance, the common scenario of employees multitasking during virtual meetings. Cameras may not always focus on a person’s eyes, making it hard to gauge their level of engagement. However, hands offer a candid snapshot of their activity. When hands are visible, it demonstrates that participants are focused on the conversation and not clicking around on their screens.This practice has proven to be particularly useful during interviews. As employers increasingly rely on video calls to screen candidates, ensuring that the interviewee’s hands are visible helps determine whether they are genuinely knowledgeable or simply googling answers on the fly.The prevalence of hands as a de-facto standard in modern video conferencing is no coincidence. It’s a universal signal that is easy for our colleagues to read and appreciate. When your hands are on display, you are subtly conveying your involvement and commitment to the conversation.In a recent virtual team-building exercise, for example, a project manager noticed how one of her team members always kept their hands visible during calls. She appreciated this gesture, as it demonstrated the team member’s attentiveness and dedication to the task at hand. This seemingly small action strengthened the sense of trust and collaboration within the team.Another example comes from a sales professional who closed a significant deal during a video call. He made sure to keep his hands in view throughout the negotiation, which helped build trust with his client. This simple act contributed to a successful outcome for both parties.So, hands have become an essential component of modern video call etiquette, reflecting our dedication and engagement in an all-remote culture. By keeping our hands visible, we send a powerful message to our colleagues, employers, and clients that we are present, attentive, and invested in the conversation. So, the next time you hop on a video call, remember to keep your hands in sight — it’s a small gesture that speaks volumes. Do you agree? Please comment.
https://d0znpp.medium.com/the-hand-y-etiquette-of-modern-all-remote-culture-46976b4ad025?source=rss-952c3fe8c7c7------2
Threat modeling is a method for upgrading the security of an application, system, or business process by distinguishing objections and weaknesses, just as carrying out countermeasures to stay away from or alleviate the impacts of structure dangers.Threat modeling supports recognizing the security prerequisites of a system or association — whatever is basic, touchy, or contains significant information. It’s a nitty-gritty and efficient strategy for recognizing possible dangers and shortcomings with the goal that the danger to IT assets is kept up with to a base. It likewise helps IT chiefs in grasping the effect of dangers, surveying their importance, and executing shields.Threat modeling processDanger displaying’s comprehensive person comes from the way that it includes more than essentially software engineers. You’ll require input from the accompanying partners to make a successful danger model.Define safety requirementsYou should initially conclude what you need to accomplish with this movement prior to utilizing danger displaying devices and systems. Objectives are generally made in view of the accompanying measures:Privacy is important to shield information from unapproved revelation.The ability to keep away from unapproved information changes is known as respectability.Regardless of whether the framework is under attack, the ability to offer basic administrations isn’t imperiled.Make a rundown of your accessibility and execution administration level arrangements (SLAs). How proprietary advantages and licensed innovation treat need to ensure? The main inquiry now is how long and cash you need to contribute to danger demonstrating.Identify the likely threatsThis stage involves ordering a rundown of the multitude of parts that make up your framework. An all around reported framework of your whole application can help with the accelerating of the system. This should be visible being used cases, information streams, information blueprints, and sending charts. There are two sorts of representations you can make.Information stream graph: It portrays how your information ought to go through your framework. At the functional level, it shows where information enters and leaves every part, just as information stores, cycles, connections, and trust limits.Stream diagram of the cycle: It shows how clients collaborate with each other and progress through different use cases. It’s at the level of the application. PFDs center around client and outsider collaborations with your framework, though DFDs center around the way that your framework works inside. You can use it is possible that one or both simultaneously.It’s an ideal opportunity to continue on to danger evaluation since you’ve distinguished the main players and resources in your application.Threat AssessmentYou made the charts to fathom your framework in the past stage. To get a handle on the genuine perils, you’ll have to concentrate on these designs in this stage. Now, you should decide the various techniques where your resources can be compromised, just as the personality of any expected assailants. This can be cultivated in an assortment of ways. In the accompanying part, we’ll go through the six most normal danger evaluation demonstrating procedures.Mitigating ThreatsYou’ll wind up with an expert rundown or library of dangers connected with every resource and its activities, just as a rundown of imminent aggressor profiles, whenever you’ve completed the process of recognizing dangers. You should now figure out which of these perils your application is presented to. Consider the model introduced in the principal part of this article. You’ll see that the danger was ‘beast power secret word hacking,’ while the framework weakness was ‘utilizing MD5 techniques to store passwords.’ After you’ve recognized your weaknesses, you’ll have to evaluate the dangers associated with every one. You can address the weaknesses in the accompanying ways in view of the danger examination:Nothing ought to be done (too generally safe or too hard to even consider conveying the related intimidation)Eliminate the usefulness that is connected to it.Diminish the convenience of the component or turn it off.Acquire new code, foundation, or plan upgrades.You’ll likewise monitor weaknesses that will be settled in ongoing releasesConfirmation of threat mitigationYou check assuming that all weaknesses have been settled during approval. Have each of the risks been killed? Is it conceivable to have a rundown of the leftover dangers? From that point onward, you should settle on the following measures to deal with the dangers that have been distinguished, just as the date for the following danger displaying cycle. Remember that danger displaying is a ceaseless cycle. It should be done at customary stretches or at specific stages during the improvement of the application.Why is it important to do this?Any program or framework should be worked to be impervious to assaults. Notwithstanding, deciding the security norms needed to achieve this may be troublesome. Engineers and clients think and act uniquely in contrast to assailants.Danger displaying is an essential way to deal with distinguishing dangers that aren’t typically assessed or found through code surveys or different kinds of reviews. It empowers a task group to conclude the security controls an application need, just as how to execute viable countermeasures against possible dangers and handle issues rapidly. This system brings about extensively safer applications, and assets are appropriately used by focusing on anticipated dangers.Danger models are a significant perspective in the production of a viable security framework. Engineers can install security into an undertaking during the turn of events and upkeep stages when danger demonstrating is essential for the DevOps cycle. This takes out continuous oversights including neglecting to really take a look at input, having helpless validation, not taking care of mistakes appropriately, and not encoding information.What are the popular threat modeling techniques?Stride threat modelSTRIDE has been applied to both digital just and digital actual frameworks with incredible achievement. STRIDE is not generally kept up with by Microsoft, despite the fact that it is as yet utilized as a feature of the Microsoft Security Development Lifecycle (SDL) with the Threat Modeling Tool. Microsoft fostered a comparable system called DREAD (harm potential, reproducibility, exploitability, impacted clients, discoverability), which is likewise a memory aide (harm potential, reproducibility, exploitability, impacted clients, discoverability) however adopts an alternate strategy to assess dangers.STRIDEPASTA threat modelingIn 2012, the Process for Attack Simulation and Threat Analysis (PASTA) was set up as a danger driven danger demonstrating worldview. It is a seven-venture, assault driven technique that considers business sway examination and consistence prerequisites while connecting specialized necessities with business targets.LINDDUNThe LINDDUN structure (linkability, recognizability, nonrepudiation, perceptibility, exposure of data, ignorance, rebelliousness) is an information security system. LINDDUN is a six-venture framework for assessing protection that follows an orderly methodology.The framework DFD, which depicts the information streams, information stores, cycles, and outer elements of the framework, is the initial phase in LINDDUN. Clients of LINDDUN recognize the pertinence of a danger to the framework and produce danger trees by emphasizing over every single model component and breaking down them from the danger classifications’ point of view.Attack TreesOn digital-only frameworks, digital actual frameworks, and simply actual frameworks, utilizing assault trees to reproduce dangers is one of the most seasoned and most widely utilized systems. At first utilized as an independent technique, assault trees have now been combined with different strategies and systems.Assault trees are tree-like representations that depict assaults on a framework. The assault’s motivation is to go to the tree root, and the leaves are courses to arrive. Every objective is portrayed just like own tree. Because of the framework danger investigation, a bunch of assault trees is created.TRIKE threat modelTrike is a security reviewing framework that utilizes danger displaying as a strategy. It looks at danger displaying from both a danger the executives and a cautious point of view.Trike, in the same way as other different methodologies, starts by characterizing a framework. By listing and appreciating the framework’s entertainers, resources, anticipated activities, and rules, the investigator makes a prerequisite model. This stage assembles an entertainer resource activity framework, with resources in the sections and entertainers in the lines.Every grid cell is isolated into four pieces, one for every CRUD activity (making, perusing, refreshing, and erasing).OCTAVEThe OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) procedure is a danger based system for assessing and planning network safety techniques. The SEI’s CERT Division made it in 2003, and it was refreshed in 2005. OCTAVE is a danger evaluation strategy that spotlights on hierarchical rather than mechanical dangers. The three principle parts are functional danger, security rules, and innovation.Make resource based danger profiles. (This is an assessment of the organization.)Decide the foundation’s weakness. (This is a glance at the information framework.)Set up a security methodology and plan. (Dangers to the association’s vital resources and direction are perceived.)VASTThreatModeler, a mechanized danger displaying stage, is the establishment for the Visual, Agile, and Simple Threat (VAST) Modeling procedure. Its adaptability and convenience empower it to be executed across the full foundation of enormous organizations to produce noteworthy and reliable outcomes for some partners.Huge requires the formation of two kinds of models: application danger models and functional danger models, to represent contrasts in tasks and worries among improvement and foundation groups. Process-stream charts are utilized in application danger models to portray the engineering perspective. DFDs are utilized to foster functional danger models according to the assailant’s point of view. This approach permits VAST to be incorporated into the turn of events and DevOps lifecycles of the association.Persona non GrataPersona non Grata (PnG) is a game with regards to human aggressors’ inspirations and capacities. It marks clients as models who could manhandle the framework, constraining investigators to think about the framework from an accidental utilize point of view. Figure 5 shows a few models.PnG can support the perception of dangers according to the foe’s viewpoint, which is valuable in the beginning stages of danger displaying. The intention is to acquaint a specialized master with a potential framework assailant so the aggressor’s capacities, inspirations, and objectives might be analyzed. This study helps the master in understanding the framework’s shortcomings according to the assailant’s point of view. PnG is appropriate to the Agile procedure, which utilizes personas.hTMMIn 2018, the SEI established the Hybrid Threat Modeling Method (hTMM). SQUARE, Security Cards, and PnG exercises are all important for it. No bogus up-sides, no ignored dangers, a predictable result paying little heed to who is doing the danger modelling, and expense adequacy are among the technique’s expected traits.The strategy’s principle steps are as per the following:Figure out which framework will be danger demonstrated.Apply Safety Cards as per engineer advice.PnGs that are probably not going to happen ought to be taken out (i.e., there are no sensible assault vectors).Make a synopsis of the discoveries with the assistance of the device.Keep on utilizing a conventional course of hazard evaluation.qTMMThis crossbreed approach agreeably incorporates assault trees, STRIDE, and CVSS. It endeavors to address a couple of key dangers displaying hardships for digital actual frameworks with complex interdependencies between their constituents.For every one of STRIDE’s five danger classes, the Quantitative Threat Modeling Method (Quantitative TMM) begins by creating part assault trees. This movement exhibits the connections between assault sorts and low-level part credits. The CVSS strategy is then used to compute scores for the tree’s parts.Benefits of Threat ModelingDanger displaying can assist with legitimizing security endeavors by offering a reasonable view all through a product project when done viably. An organization can utilize the danger demonstrating strategy to record known application security concerns and settle on informed choices regarding how to deal with them. Leaders may somehow or another make rushed ends in light of next to zero proof.Overall, a very much recorded danger model gives affirmations that are valuable in clarifying and guarding the security stance of an application or PC framework. Danger demonstrating is the best procedure to do the accompanying when the advancement organization is worried about security:Find issues from the get-go in the product advancement life cycle (SDLC)- even before any coding happens.Distinguish configuration gives that standard testing and code audits could miss.Analyze new sorts of assault that you probably won’t have considered previously.Assisting with focusing on testing and code audit can assist you with taking advantage of your testing financial plan.Decide the security necessities.Forestall exorbitant post-arrangement recoding by settling issues before programming is delivered.Think about risks other than ordinary attacks, like security weaknesses explicit to your application.Keep systems in front of the inner and outside aggressors who might be a danger to your applications.To sort out what parts aggressors will target, feature resources, danger specialists, and controls.To find potential assailants in association with the framework engineering, model the situation of danger specialists, intentions, abilities, and capacities.Threat modeling toolsDanger demonstrating is a troublesome undertaking. There are a limitless number of expected dangers. Regardless of whether the task is little, it’s a good idea to utilize a danger displaying apparatus to set aside time and cash.Danger demonstrating devices make the cycle more organized and reproducible by diminishing its intricacy. This eliminates the assets needed to assemble a danger model starting from the earliest stage and keep up with it over the long haul. A decent danger displaying apparatus permits clients to see, plan, plan for, and anticipate different dangers. Coming up next are probably the main characteristics to search for in an apparatus: danger insight stream to guarantee the most up to date distinguished dangers are assessed; danger dashboard with proposed relief arrangements; alleviation dashboard that interfaces with an issue tracker like Jira; and reports for consistence and partners.Coming up next are the absolute most frequently utilized danger demonstrating instruments:CAIRIS.A free programming stage that actions the assault surface and approves plans for realized security defects and potential GDPR consistence issues utilizing insight about expected assaults.IriusRisk.A theoretical model danger demonstrating apparatus with versatile inquiries that lead the client through the application’s specialized plan, arranged elements, and security setting.Microsoft Threat Modeling Tool.The Microsoft Threat Modeling Tool is a program that assists you with demonstrating dangers. This free apparatus is planned for the individuals who aren’t security trained professionals. As a feature of Microsoft’s Security Development Lifecycle, it gives assistance on creating and breaking down danger models. It utilizes standard documentation to portray framework parts, information streams, and security zones, conveying it easy to distinguish intimidation types in view of the product’s construction.Danger Dragon by OWASP.This open source application is accessible as an on the web or work area application. It monitors possible dangers, decides moderation methodologies, and showcases danger model parts and danger surfaces to clients.SD Elements.This Security Compass apparatus accumulates and arranges framework information relying upon weaknesses, bringing about review prepared reports.Threagile.This is a free and open source coordinated advancement climate that incorporates danger demonstrating in the application codebase. It very well may be utilized as an order line application, a Docker holder, or a REST server.ThreatModeler.Danger demonstrating is robotized locally, cloud security, and application security versions. Dangers are recognized, anticipated, and characterized, utilizing prebuilt engineering layouts to assist with coordination.EndThe danger demonstrating interaction should be revamped at whatever point the application, IT framework, or danger climate changes, no matter what whatever instrument is used. As new dangers arise, this keeps up with the danger model current.Danger investigation takes time and exertion. It’s anything but an agenda work out, however it’s smarter to reveal and fix a weakness before programmers do, and danger demonstrating procedure is the best way to deal with make it happen.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-threat-modeling-definition-methods-example-d0dbc0b1f7f3?source=rss-952c3fe8c7c7------2
IntroductionWebsite/application owners have tons of aspects to look into. However, ensuring end-to-end security ranks top as it is the most crucial factor that an end-user watches out for. Additionally, improved security bags higher ranking, and better SEO.SSL certificate is one of the many approaches permitting website/application owners to meet all the security-related requirements. What does it mean and what value does it bring to the table?Let’s figure all of it together.What is SSL and Where is it used?SSL standard is a successor of TLS. Technically, Secure Sockets Layers (SSL) works to safeguard the browser-server computing information exchange through encrypting and decrypting it. While it’s commonly used in securing communication taking place via IM, emails, and VoIP, securing HTTPS is what holds the highest value among its functions.To attain high-end communication security, the protocol introduces authentication, privacy, and data integrity practices on HTTPS-based information transmission channels.While understanding SSL, knowing the dissimilarity between SSL and TLS is crucial as these two share great similarities. For example — at SSL, you will connect using a port (e.g., 443) through a handshake, called ‘explicit’. On contrary, TLS uses a protocol to do the handshake, called ‘implicit’.TLS, responsible for taking care of the security on the transport layer, was developed in 1999. It replaced SSL very soon, but due to its popularity, the term ‘SSL’ is many times used as a replacement for the term ‘SSL’ by people.The SSL Certificate — A Quick OverviewThis certificate acts as digital evidence of the deployment of SSL for the application or a URL. Stored on your server, it is formatted as a data file containing details on what an application/website is using to operate. CA (Certificate Authority) is responsible for issuing it.It is crucial for products/services using SSL protocol as it has the ability to shield the ecosystem for its end-users.Data included in it is enlisted below:Identity markers;Site or app’s public key;Domain name associated with it;Linked subdomain details;CA’s digital signatures;Details of issuing date and validity period.As private key details are secret not to be shared with anyone, their details are not included in it.To confirm that a website has it, pay attention to certain markers:HTTPS in the URL in place of customary HTTP.The closed padlock sign before URL. (Padlock is red or open when it is absent)Why is SSL Certificate Essential and Who needs it?User data safely against dangers in the cyber world must be the first priority of site or app owners. At the same time, they should ensure authorizing the access to users correctly to the site. These two factors are crucial to win the users’ trust and increase popularity.By receiving and installing a relevant SSL TLS certificate, a website/application can prove its authenticity at the below-mentioned verticals. It brings reliability at both these, and many more fronts.Improved encryptionOne can enjoy levelled-up encryption and protecton with SSL certificate’s deployment as it facilitates the private-public key pairing. Web-browsers and other clients can easily get the public key to enjoying robust and well-encrypted connections.Better authenticationUsers visiting the SSL-certified websites are assured of using authorized resources and ecosystem, as the SSS-TLS speaks for your trustworthiness. It also plays a crucial role in preventing domain spoofing and other cyber vulnerabilities.Helps you Get HTTPS web address More EasilyWith SSL, moving to HTTPS from HTTP is easy. Shifting to HTTPS means offering highly encrypted and safe connectivity to the end-users.Dependable user data securityWebsites collecting sensitive user data can promise better security as SSL encryption keeps unauthorized access at bay. The list of such websites includes the ones needing bank information, medical records, payment method data, legal contracts, etc.How does it works?The core feature of SSL is to make communications, happening between two end-points, so secure that no unauthorized resource can interpret it or use it. It makes it happen by implementing encryption algorithms on the in-transit data. The encryption introduction makes data out of the reach of threat actors, as the data in transit becomes unreadable for them.The certification moves forward following the ‘SSL handshake’ methodology. On its completion, your website gets HTTPS as its URL-prefix alongside a cerificate. Steps are:An SSL-secure link is enabled between the browser/server and server.The connecting browser/server requests the identity-validation data from web server.Once SSL certificate’s duplicate image is forwarded as an answer.This revet forms the basis of decision-making, on whether to trust the web server or not.If the browser/server decides finalizes that the server in questoin is trustworthy, a digital acknowledgment (confirmation) is sent back. This marks the beginning of an encrypted plus SSL-backed session.Types of SSL certificatesThe type of authority-validation, security level, information shared, and othe such aspects divides these certificates in multiple classes. The list includes:Type #1: Organization ValidationCreated for confirming the business’s details and helping them to create a trustworthy reputation, this classification is based on a manual vetting technique. Its seekers will upload the CSR to CA, CA will contact the seeker, and will cross-check the details.Typically, the data to be crosschecked is the company’s name and address as its components.Key DetailsIt offers a moderate degree of validationIt takes a few days to activate it after applying to receive itThe authentication process involves humansAttracts substantial cost as it involves significant resourcesType #2: Domain ValidationThe most fundamental classification, this certificate concerned with affirming the domain’s ownership by the concerned business, individual, or organization. To make this happen, its seekers should alter the domain DNS records. Or, they can simply send an email to the involved CA. This is a fully automated process.Speaking of cost, obtaining a Domain Validation SSL certificate is least pocket-pinching and is often a preferred pick for blogging sites, single-page sites, small-business websites, and portfolio sites. With it, your all the online entities can own HTTPS websites quickly and at subsided cost.Key DetailsIt will be granted within a few minutesLeast expenses as no human interface are requiredType #3: Extended ValidationThe most extensive SSL certificate among its existing varieties, Extended Validation involves doing a detailed inspection of the certificate seeker. Any website that involves collecting sensitive customer data like credit card credentials, online transaction passwords, and so on should obtain it.Though it expands and is complex, it constructs a favorably trusted image of the company. CSR made for validation-extension will be comprehensively checked by the CA wherein the elements like whether or not organization exists are legally registered and are available on provided address.As so many details will be verified, obtaining Extended Validation certificate is both costly and time-consuming. But, once obtained, it leverages the market worth and presence of the website in no time. So, its demand iis high in scenarios like global enterprise, online stores, financial or banking bodies, and websites related to news agencies.Key DetailsStrict-level validationTakes many weeks to be awardedHigh costing as needed too much human involvementType #4: Single DomainAs the name denotes, this classification of the certificate refers to verifying the details of one particular domain. No other subdomains can utilize the Single Domain SSL certificate to verify their existence.However, all the pages, uploaded on the main/primary domain, will be backed by the same certificate.Key DetailsLimited utilityUseful for blogs and single page websitesType #5: Multi-domainThis variation of the SSL certificate verifies many domains with just 1 certificate. However, it also does not cover subdomains.Key DetailsRequired for the organization or people owning various domains with distinct extensionsUp to 100 domains can be verifiedType #6: Wildcard SSL CertificatesIt is efficient at securing your base/primary domain, along with all the linked sub-domains. Websites having this certificate will feature an ‘*’ mark in their name.Websites, using various sub-domains, should obtain a Wildcard SSL certificate to keep the overheads under control while keeping the hassles of obtaining different certificates for separate sub-domains.Key DetailsWorks for Unlimited domainsAny subdomain type is supportedHow to get an SSL Certificate?As cited above, the proven source to acquire it is Certificate Authority, a systematized body accountable for maintaining the security, transparency, and security of the internet that we all use presently. Each year, it approves millions of SSL certificates following the respective process.Interested people have to contact CA and follow a standard procedure to be SSL certified. The primary step is deciding the SSL certificate type for your requirement.Once that’s sorted, the next-to-follow steps are as given under:Begin with setting the server and matching the WHOIS credentials with what is offered to the CA. It generally refers to details such as domain name, company name, address, address, and so on. These details should be matched.Up next is creating a CSR or Certificate Signing Request on a server with the help of a web hosting company that you’ve hired. Unless you’re highly skilled, you shouldn’t try your hand at this.The properly devised CSR should be proffered to CA for verification of the provided details.CA will cross-check the details and will grant the certificate upon successful process.Install SSL certificate and configure it on the website(s) you have got it for.While the process appears straightforward on the surface, particular factors are highly influential.Certificate’s price will vary with its type;Based upon the type and provider, receiving SSL can be anything from a one-minute job (e.g., for domain validation only) to a week-long affair (e.g., for an extended one).The Final WordSSL certificate is the resource that a website/application requires to be extra secure for users. Without it, a website is nothing but a hub of online dangers. Now that you have learned about its significance and utility for the owner individual or organization, ensure confirming about your site’s reliability. For this, check SSL certificate status of your sites and in case it is missing, follow our guide to get it smoothly.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-an-ssl-certificate-meaning-and-types-4596b124c3f0?source=rss-952c3fe8c7c7------2
Organizations aspiring for all-around resource security against the damage-causing cyber vulnerabilities must upgrade their knowledge and get acquainted with all the existing types. CSRF is what is covered sizably in the post.What is CSRF Attack?A counterpart of XSS, CSRF is one of the multiples concerning cyber vulnerabilities wherein the authorized users are compelled to perpetrate something unaccepted or unauthorized action on the website that has authenticated them. By using two-factor login, password, and other means, a website authenticates the end-user and permits them access to the services/facilities of the website/application. This way, trust is built between end-user and websites.Threat actors use this trust factor to gain unauthorized access to the website by exploiting it via a CSRF attack. CSRF has many synonyms including Hostile Linking, Sea Surf, Session Riding, One-click attack, and so on.The attention-worthy markers of CSRF attack areas cited below -It is easy to carry out on websites/web applications that skip validating if action is with or without the user’s consent.While XSS concerns breach of user’s privacy by a website, CSRF relates to the circumstance where the user exploits the website. One must gather more information in XSS v/s CSRF for distinguishing between these vulnerabilities at a deeper level.It doesn’t interest using JavaScript or any other sort of code for successful execution.Single-page applications are likely to have a higher chance of being a CSRF victim as they store the CSRF token as cookies, which are favorite of the threat actors.What is a CSRF token?Crucial to keeping the occurrence possibility of CSRF attack as low as possible, CSRF token is a secure, and unique per-session token that is created at random. Challenge and synchronizer tokens are among the most common examples.CSRF token must be integrated inside the hidden/invisible components of HTML forms that are used for server-side functionalities and are shared with the end user’s browser. Its volume must be huge so that threat actors can’t make sense out of it.The CSRF-enabled websites and web apps will generate exclusive CSRF tokens for individual HTTP requests or login sessions.Correct validation of CSRF tokens will discourage CSRF attacks. However, certain factors are impacting the CSRF token validation.Validation is highly influenced by the type of request. For instance, some websites will completely validate HTTP post requests while rejecting the GET ones.Availability of the tokens also affects the validations. For example, if no token at an instance of time, the request is ignored.How does CSRF work?Carrying out a CSRF attack requires fulfilling 3 conditions.A privileged action happening on the website, such as, an action causing altering user-focused data.The target site, during the user identity validation, must use at least 1 HTTP request while session cookies also are enabled.No part of user request is hidden or non-readable for the attacker.Once all these three conditions are fulfilled, one is ready to execute the CSRF attack.CSRF is highly diverse when it comes to tricking the user to initiate a forgery request. Before understanding these ways, let’s know how to create the ill-intended request with the help of an example.ExampleSay John needs to transfer $500 to Jena via the money.com website.Now, the money.com website is not backed by robust CSRF protections and a threat attacker, Leo, uses this opportunity to receive the money that John is trying to transfer.To make this happen, attacker, Leo, will move ahead as:Creating a manipulated script or URLLuring John to use the corrected URL/script via social engineeringNow, let’s understand the working of CSRF attack under different scenarios:When website accepts GET requestsIn that case, the money transfer request, made by John, will look like:GET http ://money.com/transfer.do?acct=JENA&amount=500 HTTP/1.1Leo, the threat actor, will exploit this via John. Firstly, he will create a manipulated URL to direct John-initiated money transfer to his bank account.He will access the transfer command of John and replace Jena’s name with his. He can also alter the transfer value. The exploited command will look like:http ://money.com/transfer.do?acct=LEO&amount=5000In the exploited URL, Leo replaced the original transfer value with $5,000.Here, social engineering gambits like email featuring HTML content or placing the abused URL in front of the verified page fools John to load the exploited URL. As the altered page/URL/script looks very similar to the original URL/script/page, it’s easy to get fooled.When websites accept POST requestsIf the website obtains only POST requests then the John’s command will look like this:POST http ://money.com/transfer.do HTTP/1.1acct=JENA&amount=500Now, such request is delivered with FORM tags:<form action="http://money.com/transfer.do" method="POST"><input type="hidden" name="acct" value="Leo"/><input type="hidden" name="amount" value="5000"/><input type="submit" value="Check my pictures"/</form>Use of FORM tag enforces clicking on submit button for completing the request submission. Or, the request can be presented automatically with the usefulness of JavaScript.When a website is using other HTTP methodsOther than GET and POST, other HTTP request modes like PUT and DELETE are also used frequently. PUT-based HTTP requests will feature JavaScript in the manipulated page/URL. As advance browsers that we all are using presently enforce the same-origin policy, CSRF attacks on PUT and DELETE requests are not usually witnessed.How to detect cross site request forgery?Regardless of the type of vulnerability, early detection is the key to keeping the damage under control.The most practicable makers that help in the timely detection of CSRF are:Websites allowing session management through GET requests. Third-parties can get easy access to such sites. So, they are more prone to CSRF attacks. Make sure your site is not among them.Web Proxies are very helpful in CSRF detection. As it keeps track of HTTP requests’ journey from beginning to end, you can replay requests without initiating an interaction with the client-side interface of the app.How to Prevent CSRF Attack?When not dealt first-handedly, CSRF attacks can lead to data threats, money stealing, change of login details, and even losing control over crucial applications. Hence, along with the early detection, doable CSRF prevention strategies should also be deployed.CSRF-token-based preventionThe primary approach to defend a CSRF attack is to figure out whether or not the HTTP request is created legitimately i.e. using the user interface of the app only. CSRF tokens can be utilized by website owners or administrators for it.The app security team should figure out the attack-prone part of server-side functions and introduce the CSRF token in the HTML form of that vulnerable operational part.Make sure that the intended HTML form is not a component of session cookies. Also, utilize a cryptographically secured random number generator for token-creation.Utilizing the SameSite Cookie AttributeIt is generally used for supporting CSRF attack prevention methodology greatly. Sharing a lot in common with Secure Flag and HTTPOnly, it equips the browser adequately for handling the cookies as well as cross-site requests at once.Its acceptable values are as enlisted:A ‘Strict’ value will stop cookies transfer by browsing.‘Lax’ is the default value that maintains security for web solutions when they wish to allow user-access requests composed of external links. Presently, most browsers have this feature as an added line of defense against CSRF attacks while using the CSRF token alongside.The value ‘none’ is used you want to use cookies for accessing cross-site URLs.Utilizing user interaction for CSRF protectionIt is the easiest way to implement a CSRF prevention strategy. It involves the use of re-authentication, one-time token creation, and CAPTCHA deployment. All these techniques increase user interaction and leave less scope for threat attacks to barge in. Also, it enhances the user experience.Controlling Login CSRFMany developers fail to understand the fact that CSRF can exist in the login forms and cause damage. This is why it’s mostly ignored. One can prevent CSRF from impacting the login forms by generating pre-sessions for each user and introducing CSRF tokens in those sessions. It makes the early authentication safe. But, ensure that this pre-session should be destroyed once the real session is initiated. Ignoring this will give invitation to the session-fixation attack.Double submit cookiesThis method is commonly used as a CSRF defense strategy. It involves storing the similar token values in a cookie rather than a server session. Doing so encourages the cookie-like CSRF token forwarding while associating a hidden field/value with it. Upon receiving a request, the server needs to figure out whether the CSRF value, stored in hidden fields and cookies, matches.How to prevent CSRF attack in Javascript?Security experts willing to prevent JavaScript from CSRF attack can use custom request header as it banks upon the SOP or Same Origin Policy approach in order to safeguard the JavaScript part of the app. This header can only be implied on the origin of JavaScript. However, JavaScript is not allowed to create custom headers by default by the browser.This approach brings dual benefits like there is no need to do any changes in the UI and don’t ask for presenting the server-side state.Is it necessary to protect API from CSRF attacks?CRSF attacks are on an all-time rise and there are no exceptions.As API usage has increased and is crucial for web and mobile application development, it has become a prominent target for CSRF attacks. When an API is a victim of a CSRF attack, the whole digital solution or app is put on the stack.For robust API security, it’s crucial to protect API against CSRF attacks. CSRF attacks targeting the APIs can be prevented easily.API requests made to the content-type application or JSON should be restricted. With this, the possibilities of CSRF attacks are less. API requests, done via content type, are more secure.API access token should be presented on the request header. Also, APIs should neglect the cookies-based CSRF tokens.JavaScript-based single-page applications should be constructed only to use cookies for storage. Such applications should also complete the authentication token transfer to API as header and shouldn’t accept the requests missing the header.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-cross-site-request-forgery-csrf-example-and-methods-of-protection-59623ccd51b1?source=rss-952c3fe8c7c7------2
Server side template injection — SSTI vulnerability ⚠️IntroductionThere is hardly any software development or other linked elements that haven’t fallen into the trap of cyber vulnerabilities. Templates, used for HTML code management on the server-side, are amongst them. The attack targeting the server-side templates is known as SSTI (abbreviated). Let’s explore every aspect of it in detail.What is Server Side Template Injection?Most web app owners prefer using Twig, Mustache, and FreeMarker like template engines for the seamless embedding of dynamic & rich data in HTML parts of of e-mails or webpages. When the user input is introduced to the template unsafely or with the presence of malicious elements, an SSTI attack takes place.SSTI is the insertion of the malicious elements into the famous template engines via built-in templates that are used on the server-side. Here, the main aim of this act by the actor is to get a hold of server-side operations.The easy way to understand the process of SSTI is by explaining it via real-world examples. Now consider the scenario; you’re using a marketing app for sending customer emails in build and use Twig template system to address the email receivers by name.If the name is added in the template without granting any modification abilities to the receivers then things will be smooth. As soon as receiver-end customization of the emails is permitted, the sender starts losing the hold over the template content.Threat actors can use the user-end customization facility as an opportunity and perform an SSTI attack by figuring out the template-generation engine used in customization and altering the featured payload as per their preferences.Not always SSTI attacks are planned; at times, it occurs unknowingly when the user-side input contracts with the template directly. This situation creates an opportunity for the threat actors to introduce template engine distorting commands and operate servers as per their will. In each case, the outcomes of an SSTI attack are destructive mostly.How Do Server-Side Templates Work?Developers often use these templates to create a pre-populated web page featuring customized end-user data directed to the server. The use of these templates reduces the browser-to-server commute during the server-side request processing.As server-side templates offer great flexibility and shortcuts to the pre-embedded user inputs, it’s often mistaken with XXS or cross-site scripting.Template-creation engines are the most preferred resources to create dynamic HTML for web frameworks. On a structural level, a template features the static portion of the intended HTML user output and specific rules explaining the dynamic content insertion process.Despite adopting best practices, template systems are not well-guarded and are prone to get into the hands of threat actors or ill-intended template creators.Web applications granting the freedom of supplying or introducing user-created templates are likely to become a target of SSTI attacks. Suppose, an author edits data for a variable in this context. It will trigger the engine to use template files for adding dynamic components on the web app.Furthermore, the engine automatically starts generating HTML output responses as soon as an HTTP request takes place.To check, you may use an HTTP POST request:For example:POST /endpoint-detail HTTP/1.1Host: example.comparameter=test_dataHere are a few ways to test this vulnerability. We will use different parameter values for this purpose here.You may send a polyglot value, e.g. ${{<%[%’”}}%\., which is a particular pattern used in general for such tests. After the engine displays an error message, you may diagnose the URL in the alert text and figure out the right syntax to try for the template engine.When the error message do not reveal engine details, use the known syntax that are useful for various template engines, e.g.:=${7*3}=<%= 7*3 %>={{7*3}}Next, read the debug output (e.g., for Django). Different template engines will have slightly different ways of doing so.POST /endpoint-detail HTTP/1.1Host: example.comparameter={% debug %}This request will fetch you a list of readable objects, available for debugging. From here, objects like ‘settings’ might be accessible too. So, try reading the secret key and see if you could succeed:POST /endpoint-detail HTTP/1.1Host: example.comparameter={{settings.SECRET_KEY}}The impact of Server Side Template InjectionJust like any other cyber vulnerability, the SSTI impairs the target. For instance, its introduction makes the website prone to multiple attacks.The affected template engine type and the way an application utilizes it are two aspects determining the consequence of the SSTI attack.Mostly, the result is highly devastating for the target such as:Remote code execution.Unauthorized admin-like access enabled for back-end servers;Introduction of random files and corruption into your server-side systems;Numerous cyberattacks on the inner infrastructure.All these actions can cause havoc beyond one’s imagination. In very rare cases, SSTI remains less bothersome.How to Detect SSTI?The above-mentioned consequences of SSTI are a sign for developers and defenders to become foresighted and identify the injection in the early stage. However, that is not as easy as it sounds as SSTIs are complicated to understand, seems very similar to XSS attacks, and often remain unseeable. Hence, one has to make extra efforts for the earlier and precise detection of SSTI.As this is the case with any other attacks, the beginning detection step is to find its presence. The most viable way for this to happen is fuzzing out the template via familiarizing generally-used expressions with special character sequences.If the tester isn’t able to execute the character sequence, it implies the presence of SSTI.Additionally, one can look for the existence of web pages featuring extensions like .stm, .shtml, and .shtm. Websites having pages with these extensions are likely to be impacted by the SSTI attack.However, not all these approaches are enough to do 100% precise SSTI detection, because there exists 2 contexts for its presence: plain text and code text.Here is a detailed explanation of the most common approaches for detecting SSTI in both the contexts separately:PlaintextIn this detection method, XSS input-like plain text is used to check for presence of the vulnerability. To verify whether or not this is a favorable situation for SSTI, you may also use mathematical expressions in your parameter.To check a site, http://example.com/?username=${7*7} URL can help in SSTI detection. Here, you need to replace ‘example.com’ with the name of the site. If the URL search result features any mathematical value, it shows the presence of SSTI vulnerability.2. Code contextIt concerns constructing a payload that can procure error or blank responses present on the server. Also, it can be done by ensuring zero-probability for the XSS vulnerability. You may try injecting arbitrary HTML in the value to do so.When XSS is absent, the first approach, constructing a payload, should be used in this SSTI detection method.How to Identify SSTI?Upon successful detection of SSTI injection, emphasis must be upon recognizing the template engine that has been influenced.There are varied templating languages, but most of them use alike syntax. These syntaxes are created in a way that they won’t contradict with used HTML elements. This makes probing payload creation for impacted template engine testing an easy task.Submitting invalid syntax is also a viable way to identify SSTI compromise. Your submission will enforce error messages from server-side systems to give out crucial particulars.In most cases, this works. Testers looking for alternative ways must manually test the numerous payloads and analyze their interception procedure through the template-creator engines. To narrow down your options, you may try eliminating syntax patterns as per your trials during the process.Also, injecting arbitrary arithmetical operations as per the syntax followed by assorted template engines is a very common approach.The above-mentioned logic tree can be followed for accurate identification. While aiming at precise SSTI identification, keep in mind that similar payloads can deliver efficacious responses in multiple languages like Twig or Jinja2. So, testers should always accumulate multiple successful responses to reach a substantial conclusion.Server Side Template Injection Attack PreventionAfter comprehending the consequence of an SSTI attack, it’s not intelligent to disregard it and not to learn about the preventive ways. Ditching the use of a template engine is not a consider-worthy alternative as it supports modification at multiple fronts while not causing any disruptions to the code flow.Hence, developers and security experts must look out for other ways to keep the applications and websites away from the reach of SSTI’s reach. Here are some expert-approved SSTI prevention strategies to enforce.Limited ‘Edit’ AccessIn any case, templates shouldn’t be available for modification and alteration to anyone else, except developers and admins. Templates that are open to all are easy targets for hackers. Hence, it’s wise to execute the access rules on the templates and keep their accessibility restricted. However, this is not an achievable goal all time.2. A Quick ScrutinySanitization is another viable technique to keep the possibilities of SSTI attacks on the lower side. It refers to cross checking all the intended content for the presence of destructive elements beforehand. Most importantly, this prior scrutiny should be performed on the user transmitted data. One can make it happen by using regex and creating a list of verified expressions. Keep in mind that this solution doesn’t warrant 100% protection.3. SandboxingFor better protection from SSTI, sandboxing is a better option than sanitization. It’s a preventive approach involving creating a secure and close ecosystem for the user. The close environment is free from dangerous features and modules while restricted access to other data when any vulnerability is figured out. Though its efficacy is commendable, its implementation is a tough task. Also, it’s easy to bypass it by using oversights or misconfiguration.4. Go for Logicless TemplatesYou can use logic-less templates to prevent SSTI attacks. Logic-less engine templates are the templates used to detach code interpretation and visual rendering. Mustache is a common example of a logic-less template. As a logic-less template uses mil control flow statements, all sort of control is data-driven by default and makes application logic integration possible. This reduces the possibility of remote code execution.5. Utilize a Docker ContainerIf none of the above solutions work then defenders must admit that the remote code execution is inevitable and should try to trim its impact by implementing customized sandboxing by executing the template engine in a completely locked Docker container.The final wordEnsuring end-to-end system security demands a detailed understanding of the wide range of vulnerabilities. SSTI (Server Side Template Injection) is one such vulnerability. Hope that reading this article would have helped you understand its seriousness and made you aware about the need for cybersecurity for organizational digital assets.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/server-side-template-injection-ssti-vulnerability-%EF%B8%8F-8209660a3036?source=rss-952c3fe8c7c7------2
What is XMPP ❓ — Extensible Messaging & Presence ProtocolIntroductionIn the early 2000s, when the idea of chat applications was shaping, XMPP was allowing developers to construct interactive chat applications. Since its genesis, this protocol has come a long way and is now included in the tech stack (or framework) suggested for developing high-end chat apps like WhatsApp.More than two decades later too, this protocol hasn’t lost its sheen and significance in the abundance of the protocol. Why is it so? What makes XMPP time relevant? What are the key markers? Let’s know this protocol a little better.What is XMPP — Extensible Messaging & Presence Protocol?It is an XML-driven protocol utilized typically in open standard communication. To say it concisely, it is a chat protocol that permits the seamless to and fro sending of essential XML components such as data. Besides making IM and real-time ‘talks’ possible, XMPP also finds its applications in contact list maintenance and presence details.The UsageXMPP is most generally used in forthright message interaction between two points, checking the user status, sharing the status details with the server. It also takes care of server status record keeping, subscription management, contact list updates, and blockading certain users.The AttributesIt’s decentralized.It supports the asynchronous exchange of data/information.Transmits tiny pieces of the data instead of forwarding the big chunks directly.It works over TCP.Network configuration and components (hardware/software) has no role to play in the XMPP-based data transmission.It is designed for client-server model.It uses 3 statuses, namely ‘offline’, ‘busy’, or ‘online’, to tell about the status of a user or network.It transfers data back and forth between two end-points.XMPP ArchitectureOn a structural level, XMPP shares great similarities with protocols that work on the application layer. For example, it also concerns uniquely named clients communicating over an associated server. Enforcing the protocol as per both clients, XMPP monitors and handles routing for them.The overhead figure illustrates the XMPP architecture straightforwardly.However, in a complex implementation, multiple XMPP gateways might also exist. In this scenario, the protocol also needs to takes care of the intercommunication for multiple domain routing. So, the gateways act as a translating medium between various protocols and domains that are in the cycle during the information-exchange.Additionally, the XMPP gateway brooks the tasks like commencing and termination of the client-to-server sessios at the intended protocol while including the demanding protocol translation elements.Even with the use of considerable gateways and domains, one can succeed in achieving constant connectivity across all the network points with the help of XMPP.While comprehending the XMPP architecture, understanding a few terms is crucial.For example, you must know about XMPP stanzas. These, simply, are the small XML fragments that are used for starting a communication session. they can be of 3 types:The presence stanza defines the network or user’s present status to others. For example, the user/network is online or offline.Message stanza is a pushing instrument essential for chat messages exchange.IQ stanza is the element that XMPP utilizes for data requests and modification. Just as HTTP has GET and POST, XMPP has IQ stanza.How does XMPP protocol work?The entire processing of XMPP relies upon the client-server architecture that interests message transmission to the server first and then to the clients.To find out which client should receive the message, the XMPP server utilizes the unique ID of the receiver. The unique ID or Jabber ID is very much comparable to an email address with negligible changes.user@domain.com/resource is the format for the Jabber ID.Here, the user directs to the username, domain.com is the domain particulars of the sender, and resource is the device type of message receiver. For example,JohnDoe@technology.testing/terminal.In the example, John Ray is the user name, Technology.testing is the domain name, and terminal is the type of device or resource that is used by John. The resource is an optional part while the previous two are essential.XMPP server employs this Jabber ID for correct message routing over TCP connection. As soon as a communication session is started, an XML stream is shared to the server and client identification is done with the help of Jabber ID.Once the identification is done, the server will receive the request and will initiate another XML stream transmission request. This stream will be sent back to the client from the server’s side. This way, each XML stream becomes bi-directional.XMPP is efficient to generate a large-scale message network known as a federation. With the help of a federation, clients can communicate with multiple XMPP servers at a time.XMPP FeaturesFundamental features that make XMPP stand out from other protocols are as under:Asynchronous Push MessagingWith XMPP, continual and asynchronous message delivery is achievable. With this, we mean message dispatch in a row, not waiting for the receiver or sender reply, and not necessitating the user to be online to accept the message. Messages are shared in the form of XML stanzas that are distinctive information units featuring segments like metadata, message body, and unique ID of the sender & receiver.What makes XMPP distinguishable from other client-server systems is that XMPP doesn’t support polling. Polling is the process where the client prompts the server constantly to review whether or not any recent information is present. As polling is done at regular intervals, there is no instant communication experience for end-users. Also, it ushers in outrageous bandwidth consumption.Rather, XMPP automatically propels the recent message to the server even when the previous request is not processed or received by the server. It happens in the server-to-client side of communication as well. This constructs an instant communication experience for users.Client-Server ArchitectureThis is the core architecture that XMPP follows. In this architecture, XMPP disseminates only a small fraction of XML elements. This portative XML element will first reach to the server and then to the user.The XMPP clients are allocated separate names, just like an email. This unique ID is used to recognize the client and route the message in the right direction. This way, XMPP guarantees that each XMPP client observes a fixed and standard route to couple with the server.Persistent TCP ConnectionsOriginally, XMPP can transmit the data or designate a connection over TCP only. Connection built over here is invariant and doesn’t demand re-establishment whenever a new message is transmitted.This way, XMPP constructs an XML stream supporting free XML data exchange. However, certain cutting-edge XMPP extensions now use TLS and WebSockets as well.Decentralized HostingWith decentralized hosting, we refer to having no central authority controlling the server. Anyone can maintain, run, and even maintain the XMPP servers. Additionally, freedom to set up the servers on either cloud or premise is also granted. On this front also, it’s similar to email. Every email owner can set up emails as per their choices. They have the freedom to set up the login details, password, and other details as per their preferences.GatewaysOne another very distinguishing feature of XMPP is that it offers gateways for numerous chats and messaging protocols. It’s compatible with many protocols and can link to the networks at length.For instance, a given XMPP network can access an SMS domain when a message is supplied to the receiver on the mobile and simultaneously to the SMTP domain to deliver the same message on the receiver’s email. In addition to this, the XMPP network to deliver the message in another form, say IRC, can also use any other particular message protocol, concurrently.XMPP Protocol ExampleXMPP enjoys the reputation of a core element for many communication apps that we use presently. Some of the most famed apps, developed using XMPP, are as mentioned below.WhatApp is built using a proprietary XMPP.The amazing chat capability of Zoom is all because of XMPP.For instant push notification delivery, Apple uses XMPP both in the iPhone and Mac.XMPP is used in the chat functionality of Grindr.For development of highly functional chat apps, XMPP is one of the multiple choices offered. However, it continues to grow as a preferred one for many because of its distinctive features and multiple benefits that it brings on the table.Benefits of XMPPBacked by IETF and embraced by thousands of developers, XMPP has become a mainstream open standard protocol for chat application development.With outstanding markers, XMPP contrived to fill the gap, assembled by stringent protocols, and has affirmed itself as a necessity for peer-to-peer communication and beyond.Below are the fundamental benefits to enjoy after adopting the XMPP protocol.A Reliable Protocol to Back uponThis protocol has been serving the developer community for more than 20 years. Through these years, the protocol has strengthened its infrastructure and gained huge community backing. Presently, multiple XMPP servers are out there, thousands of developers have used it, and it is at the core of many applications.All of this ensures that this protocol is time-tested and has great technical support. If that doesn’t impress you then being free and too straightforward will surely do.Improves Communication Infrastructure for youBeing a highly extensible protocol, it enables end-users to use it in communicating different sorts of media and messages. It won’t ask you whether you’re transmitting audio or a video; XMPP will continue to support in creating an efficacious communication infrastructure.Guarantee of DeliveryWith XMPP, one can be double sure about the message delivery as it uses constant connectivity over TCP. It will hardly miss any XML stanza delivery, no matter how small it is.Support by most of the Standard Programming LanguagesAdoption at a large scale and huge global demand resulted in support for various languages. XMPP libraries are available in many leading languages like Perl, C++, C#, Java, Python, and many more. You name it and the XMPP library is most likely to be compatible with that language. This allowed developers to work in a compatible and preferred ecosystem.DecentralizedXMPP is decentralized and permits multiple implementations. There is a restriction in server and library setup. Everyone can go with it. This grants more freedom and creates space for flexibility.Higher SecurityBoosted security is an added advantage of XMPP. While setting-up distinct XMPP servers, developers can choose encryption, security protocols, and access preferences as per the choice. Security is in full control resulting in fewer cyber-attacks and better peace of mind.Uninterrupted Transmission of DataPerformance can be maintained easily as if one XMPP server is affected or is offline, regardless of the reasons, only corresponding users will be impacted. Rest will continue enjoying uninterrupted communication and data transmission. This has made achieving 100% operational continuity possible.Server-to-Server TransfersServer federation is an optional choice. Because of this, developers have the freedom to close the server-to-server for security reasons while assigning servers a specific task.CompatibilityOne major client-side advantage of XMPP is an abundance of clients. There is no dearth of XMPP clients. Regardless of the device type, you’ll find an XMPP client. It goes an extra mile for Windows and Unix systems by offering a command line. Also, one user can be signed up via different devices resulting in better accessibility.The CruxParamount for constructing applications adept in real-time communication, XMPP (Extensible Messaging & Presence Protocol) is an utterly extendable protocol. Read the above article and find out other particulars about this inventive protocol. We have tried covering it comprehensively.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-xmpp-extensible-messaging-presence-protocol-1365b71bb55e?source=rss-952c3fe8c7c7------2
IntroductionA conceivable threat to cryptocurrency owners, cryptojacking is an attack using which threat attackers can mine cryptocurrency at the expenditure of the target’s resources and network health. If not managed properly at the premature stage, the consequences of this vulnerability can be too detrimental.If you are not aware of this threat’s existence, let us guide you thoroughly on this. In this article, we will cover what is cryptojacking attacks, what are general methods that attackers use, and a few real-word examples to make you aware about the severely of the matter.Cryptojacking definitionCrpytojacking is a type of cyber-attack and is the process of ill-intended cryptomining. The menace works by embedding a befouled code into the targeted device and eradicating its resources to mine unauthorized cryptocurrency.Cryptocurrency mining implicates solving tricky arithmetic equations, which is a tedious and resource-consuming task. At times, adequate resources are not available for the hackers. Hence, they plan a cryptojacking attack, gain access to targets’ devices and networks, and use them to unravel presented problems.Upon success solving the given equations, hackers are endowed with cryptocurrencies that can be used to trade virtually, buy other cryptocurrencies, or get exchanged with traditional money. The rise of cryptocurrency provoked a surge in cryptojacking.Depending upon the intention of the hacker, the cryptocurrency attained via a cryptojacking attack can either be used for trading or left in the liquidity pool. For a deeper understanding of the cryptojacking concept, knowing two terms, cryptocurrency and cryptomining are crucial.Cryptocurrency DefinitionInvented accidentally in 2009, cryptocurrency is a well-encrypted digital currency having the facility for end-to-end transaction tracking. The use of Blockchain technology, wherein multiple computer programs and processing powers are merged, is making cryptocurrency trading and invention conceivable.The first-ever created cryptocurrency is Bitcoin and it is one of the most high-valued cryptocurrencies. As of now, more than 2,500 cryptocurrency exist. Some other utterly renowned cryptocurrencies are Zcash, Ethereum, and Monero.Cryptomining DefinitionCrytomining refers to the computing process that makes cryptocurrency exchange possible. It usually concerns adding cryptocurrency transactions to the Blockchain ledger and revising the information.Cryptominer is what we call the professionals handling this job. They are likely to be skilled enough to use powerful servers and high-end hardware.Future of CryptojackingAs long as cryptocurrency will have huge market demand, cryptojacking will be trending as it allows the threat actor to mine cryptocurrency without even owning the needed resources. It keeps the attack free from the tension to pay for heft hardware and build a powerful network system.Cryptojacking relies fully upon the the growth of cryptocurrency industry. However, the latter faces the wrath due to this undesired connection. 2 most concerning factors due to this trend are:Strict law enforcement that makes things tougher for the crypto worldBan of CoinhiveThese two factors have caused little damp in cryptojacking. Let us tell you how:Even though cryptocurrency has come a long way, there still exist countries in a good number that do not support cryptocurrency usage. Even if it’s legal in certain regions, many restrictions drive its usage. This is a major reason and inhibition behind the limited acceptance of this digital currencies among people.Coinhive is the largest site for cryptominers. But, the site was shut down in 2019 as its code was badly abused and become a target of a hacker. The event caused limited accessibility of cryptocurrency for a while.How it Works?Performed in multiple stages, cryptojacking is a skilled job. The key steps involved in a successful cryptojacking attack are:The attacker integrated the script for mining in a webpage or an emailThe code is auto-installed as soon as the target clicks on the malicious code.The script program runs in the background stealthily, controlling the targeted device.The desired resources are consumed as per the need of the attacker.Attackers start mining using the targeted devices’ resources.As the primary step of cryptomining, hackers start cracking the complicated algorithms.Once the algorithm is solved, the hacker can earn the cryptocurrency.The entire procedure is about controlling a certain part of the device. This seems very much similar to a ransomware attack. The only difference is the visibility of the attack. While a ransomware is clearly visible, cryptojacking assaults remain hidden and work from behind the screen.This concealing nature of the attack makes it more difficult to identify and fix it in the early stage.Cryptojacking MethodsCryptojacking assaults seize its victim using mainly three methods: file-based, browser-based, and cloud cryptojacking. Each method has a different modus-operandi and a different course of action that can be understood by paying attention to the below-mentioned text.File-Based CryptojackingIt involves downloading and executing a corrupted file. The file features an infected script that spreads its impact throughout the targeted system’s IT ecosystem upon successful downloading. Mostly, emails are used to spread such files or links that are malicious in nature.Targets are lured to download or open the file. As soon as this step is done, the script becomes active and starts mining. It works stealthily without letting the target know about its presence.Browser-Based CryptojackingIt is more of a direct and aggressive attack that impacts the IT ecosystem of the targeted device straightforwardly from the browser.It begins with generating a maliciously programmed script. Once the code is generated correctly by the malicious actor, it’s embedded directly in multiple web pages of separate sites. The script is 100% automatic and doesn’t require any manual handling.As soon as the target visits the infected URL, his device auto-downloads the inserted code and supports hackers in cryptojacking unintentionally.Ads through third-parties and the outdated (or less secure) plugins are the general components that malicious actors use for hiding their scripts in general. Sometime, these attacks act even smartly and embed their malicious code in a JavaScript library. With this, it becomes easier to operate a bigger supply chain attack on the target(s).Cloud CryptojackingThis method is favorite of intruders trying to access your essential resources at a large scale. Using cloud cryptojacking technique, they try accessing the APIs your organization use for accessing organization’s cloud platform and related services.Thereafter, hackers are able to consume the CPU resources without any limitations. This leads to unwanted and excess resource consumption and operational cost for the organization. FYI, this method enables the user to mine at a big level and faster — without much hassles and efforts.Real examples of cryptojackingThough not affected many till the date, cryptojacking is a real trouble that affects businesses. It has caused damages beyond one’s understanding. Some of the world’s most notorious cryptojacking attacks are as followed:MicrosoftIn 2019, the prestigious Microsoft store spotted 8 apps involved in cryptomining activities. The problematic part was, resources that were being used in the process were the ones of the users who’ve installed and used the app.Though the apps were removed, a lot of damage was done. Spectacultions were made that though those apps came thorugh separare developers, just one person or organization strategically planned this attack and executed it.The infected apps featured corrupted JavaScript codes and were instructed to mine Monero. As a huge amount of resources was consumed for the job, the targeted devices used to encounter ill-effects like slowed-down performance and reduced2. A European DepartmentIn 2018 itself, there was another victim of cryptojacking. It was the central water control system of Europe. Here also, the cryptomining code was instructed to mine Monero.Threat actors infected the key operating system of the entire water utility network. Technically, it was the very 1st attack of its kind that targeted the industrial landscape for cryptojacking.3. Los Angeles TimesOne of the leading media houses, Los Angeles Times, has been victimized by cryptojacking. The incident happened in 2018 and targeted the report page. Anyone who accessed this page on their mobile or other data-driven device was infected. Unfortunately, this cryptojacking code remained unidentified for a longer time and allowed hackers to mine Monero.4. YouTubeSome of the CoinHive miners were spotted active in multiple YouTube ads.Detecting cryptojacking. Quick testIf you want to figure out how to stop cryptojacking, it is essential that you learn to discover it first.A strategically planned cryptojacking attack is potent enough to remain hidden and exhaust the resources extensively. At times, attackers plant the code so dexterously the targets remain unaware of its presence. However, a little bit of diligence and awareness plays a huge role in its early detection.The below-mentioned cryptojacking test methods can be of great help in this regard:Poor performance deliveryAs quoted above, the successful execution of malicious cryptomining code consumes the targeted device’s resources. So, a significant symptom in your device is the a sudden or gradual dip in its productivity. Its performance chart takes a downslope.This unwanted consumption increases the burden on the device and makes it slow. So, it’s obvious to experience slow processing, unexpected shutdown, and failures in opening certain apps or programs. At times, the targeted device may even refuse to open or start as it’s supposed to be.Excessive heatingThe extra resource consumption leads to overburden on the OS of the targeted device and makes it overheat.When it continues for a longer period, the average lifespan of the device decreases. However, this is not the obvious sign of a cryptojacking attack as overheating is the outcome of multiple reasons. Hence, one has to delve deeper and look at other obvious cryptojacking related behaviors.Inspect the CPU usageCPU’s health of the targeted devices will surely deteriorate when it will perform heavy tasks like mining. This is why one must check the CPU health regularly. If one witnesses too much CPU usage while visiting a website having no rich media data on it, a suspicious code snippet could be lying in it background.While doing it on personal computers, one must go to Task Manager (or any equivalent tool) and lookout the mention of excess CPU usages. In an enterprise ecosystem, there should be a dedicated IT team for this task.Keeping an eye on the websiteThreat actors remain highly vigilant and hunt for a website that is vulnerable and offers multiple opportunities to embed a code. Make sure that the website is not featuring any outdated plugin or add-on.Also, if you own a website, it’s crucial to inspect it regularly so that any corrupted code can be spotted in the early stage. The earlier is the detection, the lesser is the damage.Cryptojacking Prevention Tips and TricksCryptojacking is an issue for business because, if not addressed or fixed properly, these attacks can cause damage beyond one’s imagination. However, its dangers can be under-control by diligently following the below-mentioned tips:Use cybersecurity tools that could speedily detect malicious code in your system;Web browsers are the first choice of threat attackers. This is why protecting it is the first defense action. There are a few trustworthy add-ons (e.g., No Coin, AntiMiner, and minerBlock) you may bank upon for this.Be aware of current cryptojacking trends to figure out what all the attackers are capable of currently;Blocking ads from untrusted sources, one can reduce the risks of cryptojacking. For this, you can spend some time and find a reliable ad blocker for your use.Disable JavaScript while visiting a suspicious site or disable auto-downloading in your browser.Use Walarm API Security Platform, also read the important post about API securityOriginally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-cryptojacking-attack-definition-and-prevention-fe800ca2aab8?source=rss-952c3fe8c7c7------2
APIs are paramount for constructing a steadfast and constant communication bridge that empowers devices to pass-on desired information seamlessly. Hackers adopt many ways to exploit the APIs and corrupt the targeted device. This API exploitation is a potential threat to API security and needs foremost attention while constructing utterly secured application development is the goal.What is API abuse?API abuse refers to the act of wrong-handling of APIs, gaining unsanctioned access, and modifying the key functions so that APIs can be used for adversarial processes like raiding a server or overburdening a server. It’s performed with the help of bots, phishing attacks, or manual insertion of malicious code.Consequences of API abuseA thriving API abuse permits hackers to achieve admin-like access to the targeted API. This access endows hackers to make API work as per their will. Hackers make use of existing API vulnerabilities to rob crucial private or business information while corrupting your websites or applications. In addition, one can take over the entire account or software ecosystem with a viable API abuse attack.API abuse exists in many forms, a few examples are:Injection AttacksThis method requires adding a piece of malicious code script in an API. The attack happened only on API featuring vulnerabilities. Presently, injection attackers are the most notorious abuse for web apps as well as APIs.Currently, SQLi and XSS are the most common types of this attack in use. The code insertion can happen in the API code or in the API message.DDoS AttacksIt is a key type of API abuse wherein the threat actor prevents legitimate access to a particular device or system. Hackers make this happen by encumbering APIs with huge traffic volumes. The traffic is sent with the help of a bot and asymmetrical processes.This type of attack consumes system resources at a huge scale and makes them inaccessible to intended users. The Distributed Denial of Service (DDoS) attack can occur at a slow pace, wherein negligible bandwidth is consumed, or at a fast speed as well. Either way, this type of API abuse tarnishes the reputation of the applications and systems as end-users fail to use them.Data ExposureAPIs are used mainly to let 2 or more endpoints communication and share data whenever required. When API abuse happens, the information warehoused in the APIs is likely to be exposed to ill resources. RESTful APIs are more prone to this hander as they transfer data over HTTP protocol.How to prevent API abuse?The outcomes of API abuse are deadly and hold the power to crush the entire IT ecosystem of the target. Hence, one must always remain aware of every possible solution of the ‘How do you prevent abuse of your public API?’ issue. Here are some tips that actually work:Every API call coming from bots should be monitored and managed through and through. As most API abuse happens with the help of bots, API calls made from bots shouldn’t be entertained casually.API authentication and authorization of the highest grade should be implemented.The API login process must have the backing of 2FA and robust encryption.The entire API path should be watched over carefully to spot any vulnerability in the infancy stage.For effective fault tolerance, one must adopt the cluster API implementation process.All sorts of APIs, public or private, SOAP or REST, and many more should have effective API security measures in place. Tools like Wallarm make this happen as it offers every necessary resource to keep API vulnerabilities at a minimum level and keep API abuse probabilities as low as possible.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-api-abuse-prevention-measures-1c277f4ba85d?source=rss-952c3fe8c7c7------2
IntroductionHumans live in the 21st century where a large portion of our exchanges are taken care of on the web. Thus, people, businesses and organizations are presented with new online protection dangers. A significant number of these digital dangers will break into your framework and challenge a person’s activities. One of the most hazardous digital dangers in our present reality is this malware type. In this piece, we’ll talk about this malware’s significance, how the digital danger can influence your framework, how to recognize it and how to ensure your frameworks against it.What is Remote Access Trojan?This is a malware program that incorporates a secondary passage for authoritative command on a target PC. These malware are normally stored imperceptibly with a normal program such as games or delivered as an email connection. When the main framework is broken into, the interloper might utilize it to circulate the trojan to other weak PCs and create up a botnet.Since a RAT empowers regulatory control, it makes it workable for the interloper to do pretty much anything on the designated PC, including:Checking client conduct through keyloggers or other spyware.Getting to private data, for example, Mastercard and government backed retirement numbers.Enacting a framework’s webcam and recording video.Taking screen captures.Appropriating infections and other malware.Designing drives.Erasing, downloading or adjusting documents and record frameworks.THE BACK ORIFICE ROOTKIT is one of the most mind-blowing known instances of a RAT. A programmer known as the Cult of the Dead Cow made Back Orifice to uncover the security flaws of Microsoft’s Windows working frameworks.RATs can be hard to recognize on the grounds that they normally don’t appear in arrangements of running projects or assignments. The activities they perform can be like those of authentic projects. Besides, a gatecrasher will regularly deal with the degree of asset use. This way a drop in execution doesn’t prepare the client that something’s wrong.How Does A Remote Access Trojan Work?Like different types of malware, Remote Access Trojans are typically connected to what in particular seem, by all accounts, to be genuine documents, like messages or pre-introduced programming. In any case, it has lately been seen that these hazardous danger entertainers are rapidly changing working procedures when their techniques are found and openly uncovered.In any case, what truly makes this malware especially risky is the way that it can mirror dependable remote access applications. You won’t have the foggiest idea about it’s presence whenever they have been introduced as it doesn’t show up in a rundown of dynamic projects or running cycles. Why? It’s more invaluable for attackers to keep out of the spotlight and try not to be gotten. Assuming you’re not going to extreme security lengths, it’s conceivable you could have a Remote Access Trojan on your PC for a significant stretch without it being distinguished.Uniquely in contrast to keylogging, a sort of infection that records the keystrokes on a client’s console without the casualty acknowledging it, or ransomware, which encodes every one of the information on a PC or cell phone, hindering the information proprietor’s admittance to it until a payment is paid; Remote Access Trojans give aggressors complete regulatory command over the tainted framework, as long as they stay unseen.As you can envision, this sort of action can bring about fragile circumstances. For instance, on the off chance that a RAT is matched with a keylogger, it can undoubtedly acquire login data for monetary and individual records. To exacerbate the situation, they can covertly initiate a PC’s camera or mouthpiece, and even access private photographs and archives, or utilize your home organization as an intermediary server, to perpetrate violations secretly.Remote Access Trojan DetectionAs fraudsters develop their strategies to sidestep banks’ security, extortion prevention arrangements should likewise advance to keep pace. Most arrangements can’t identify the presence of RATs since they depend on conventional safety efforts like unique finger impression approval or gadget validation. Since this malware hides by not really trying to hide on the client’s authentic gadget and it is as yet the genuine client who is working the gadget . Therefore, banks need a complex way to deal with security in the event that they are to check RATs and RATs-in-the-Browser effectively.What’s more? Two-factor validation (a robust new guideline PSD2) offers restricted insurance, basically with regards to RATs. For instance, assuming the bank asks the assailant for an OTP (One Time Passcode) while they endeavor a false exchange, they can subtly utilize the genuine client’s suspended meeting to obtain it by means of the actual casualty.Social biometrics is generally perceived similar to the main network safety capacity with the capacity to recognize and in this manner defeat this malware assaults. This is on the grounds that, just as approving the known client gadget, biometrics likewise investigates the client’s conduct and intellectual capacities without meddling with the client experience itself. It can progressively profile the client behind the gadget utilizing advanced AI calculations to distinguish their extraordinary social biometric qualities.Through learning these standards of conduct — identifying peculiarities in their mouse direction, dubious console use or postponement in the gadget controlling the PC — high-tech social biometrics can signal startling changes in conduct that happen mid-meeting — but slight or transitory. These crucial pieces of information could flag a potential Remote Access Trojan penetration or Account Takeover ( ATO) endeavor.How To Protect Against Remote Access Trojan?RATs are intended to conceal themselves on contaminated machines, giving mystery admittance to an aggressor. They frequently achieve this by piggybacking pernicious usefulness on an apparently genuine application. For instance, a pilfered computer game or business application might be accessible free of charge since it has been changed to incorporate malware.The covertness of RATs can make them hard to ensure against. A few techniques to distinguish and limit the effect of RATs include:Zero in on Infection Vectors: RATs, similar to any malware, are just a risk on the off chance that they are introduced and executed on an objective PC. By sending against phishing and routinely fixing frameworks can diminish the danger of RATs by making it more hard for them to contaminate a PC in any case.Search for Abnormal Behavior: RATs are trojans that ordinarily take on the appearance of authentic applications and might be made out of vindictive usefulness added to a genuine application. Screen applications for strange conduct, for example, notepad.exe producing network traffic.Screen Network Traffic: RATs empower an aggressor to remotely control a contaminated PC over the organization, sending it orders and getting the outcomes. Search for atypical organization traffic that might be related to these interchanges.Carry out Least Privilege: The rule of least advantage expresses that clients, applications, frameworks, and so forth ought to just have the entrance and consents that they need to take care of their business. Executing and authorizing least advantage can assist with restricting what an assailant can accomplish utilizing a RAT.Send Multi-Factor Authentication (MFA): RATs generally endeavor to take usernames and passwords for online records. Sending MFA can assist with limiting the effect of qualification compromises.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-rat-remote-access-trojan-detection-and-removal-ac6786fd9011?source=rss-952c3fe8c7c7------2
Enterprises using various business apps have a tough time maintaining data’s secrecy and access grants as per user roles throughout the infrastructure landscape. SAML (Security Assertion Markup Language) shows up as a great aid at this front.Let’s see what is it, how it works, what are its advantages, how it differs from SSO, what makes it similar to SSO, and how it helps in API access verification to ensure an astonishing security level.SAML — A Quick OverviewSAML’s main work is to permit IdP (the identity details providers) to share the authentication-concerned credential with the concerned authority. It is the open standard that allows granting unified access for all kinds of apps while making no compromise on data security.A few more things you must know about SAML are:It brings XML into action for completing the customary connection between IdPs and service-givers to communicate reliably.SAML authentication process confirms the end-user’s identity while SAML authorization defines which all resources should be in user’s access.It checks for SPs, IdPs, and end-users if the user is eligible for what it is demanding.It’s an OASIS standard.It ensures safe exchange of information.It supports SSO activation. However, this procedure will require connecting to an external IdP and sharing the XML tokens with it.A Quick Glimpse of Single Sign-on (SSO)Considered among the topmost viable authentication frameworks, SSO merges multiple sign-in screens. This implies, you won’t have to sign-in independently for your app(s). Instead, 1 set of sign-in data for your accounts will work fine for diverse SaaS apps.By doing so, it makes accessing the app faster, simpler, and auditable. It’s a key aspect of IAM strategies of businesses seeking frictionless app access validation and better security implementations.With SSO enabled, one can enjoy:Strong passwords, as there is no need to create multiple passwords sharing similarities. One tough and complex password is enough for everyone.Users do not have to memorize various passwords.Easy MFA deployment that verifies multiple factors, as its activation at 1 point will secure various applications.Quick password re-entry policy enforcement, as administrators have a single point where the policy should be enforced.Seamless internal credential management because the SSO stores user passwords internally and grants the IT team more control over the database.Instant recovery of user password as the IT team has to work on recovering one password.SAML Authentication — The Step-by-Step ProcessLet us tell you the whole procedure in a few steps.First of all, the identiy service hands over the user login related input to the SP. For the seamless of SAML parameters to the SPs, every end-user is bound to login via SSO once.Next, the SP contacts IdPs, asking about the credibility of a request. This process requires giving consent for SAML SSO configuration too. Doing so ensures that the same SAML settings are used for checking the identity and authorizing the user/request.BenefitsBeing a standard format, it grants an open approach to businesses that is free from platform compatibility and vendor implementations.It uses directories in a loose coupling manner, that implies there is no need to store or sync user data to local directories.As it supports SSO, end-users are going to have great experience in accessing applications.SAML lets businesses reuse integrations for registration/sign-in while maintaining the same level of security. It trims the account management cost.The burden of maintaining the user identities is shifted to the IdP when SAML is at work. This frees service-givers from registration and sign-in related hassles.What is SAML Assertion?In simple terms, it is an XML-formatted document that comprises the user authorization status information. This detail is offered by an IdP to a service-giver.Its 3 typesos assertions are:Authentication is all about the validation of user’s credibility, related technique, and session duration tracking details.Assigned takes care of successfully passing SAML tokens to the SP. IdP as well as SP directory use the same attributes to confirm the trustworthiness of request-creator.Finally, assertion of Authorization-decision type explains where or not the user is given access as per his request. Detailed reason behind denied access is also offered if it happens.SAML ExampleThe simplest example of how SAML processes its operations is given below:Let’s consider an end-user, named John, who tries to access a business application for official purposes.John will begin a session with SSO and complete the identity verification part of the procedure.Zoho CRM will request the IdP to share the user details for confirmation.The SaaS tool will access the fetched results to complete the authority verification step.IdP will revert to this request in SAML format. It will feature the digital signatures of John. Based upon the similarities between the identification details provided by John and the IdP, the revert message may feature other details as well.SaaS tool receives the response and grants or denies access, as instructed by the IdP.If access is permitted John is allowed to use his Zoho account.SAML vs SSOSAML helps in user identity verification and in making SSO possible. SSO can exist alone and allows end-users to use various applications with unified login details. SSO can bring the standard SAML protocols into action while performing information trading as it has no specific protocols of its own. Additionally, it can use third-party protocols like OpenID for effective cross-domain user identity check. SAML offers a wide range of protocols.SAML vs oAuth2Owing to similarities between key purposes, SAML 2.0 and oAuth 2.0 are often considered the same. While they both share great similarities, they differ from each other in various aspects.SimilaritiesBoth are required to promote secure application interoperability.Both support easy access management and fast integration.DifferencesoAuth 2.0 pays attention to authorization while SAML prioritizes authenticationSAML is XML based while oAuth 2.0 is utilizes JSONSAML maintains session data through cookies while API calls are used in the case of oAuth for this.API authentication with SAMLWhile the most common use of SAML is supporting user identity verification and enabling SSO, it can be proved highly fruitful for request’s genuinity checking in APIs. User access right verification, to check if the request is genuine, is crucial from the API security front and can be achieved by sending a SAML request that must comprise:SAML prepare authentication API based API auth requestSAML message that can support the SSO process auto-initiated by IdPBy all means, it’s crucial for a SAML request message to be based on an encoded XML document featuring <Response> root element.The request’s body must feature content, ids, and realm. The first two aspects are essentials while the last one is optional.The SAML response includes access_token (a SAML token granting or denying the access), username, expires_in, refresh_token, and realm.The Final WordSAML and Single Sign-On have a close relationship with each other. These are vital for zero-compromise data security. Hope this article helps you learn about these two efficiently.Originally published at https://www.wallarm.com.
https://d0znpp.medium.com/what-is-saml-authentication-how-does-it-work-221533fd58cc?source=rss-952c3fe8c7c7------2
Govtech.com
Sun, 05 May 2024 09:52:07 GMTThe NASCIO Midyear Conference this past week highlighted the good, the bad and the scary of generative AI, as well as the vital importance of the data that states are using to feed large language models.
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/genai-continues-to-dominate-cio-and-ciso-conversations
Where next for the most popular app in the world? President Biden signed a bill that could lead to a nationwide TikTok ban, but will it actually happen? What are the implications?
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/what-would-a-tiktok-ban-mean
A new book by Alan Shark offers an excellent guide and an AI road map for state and local governments. He answers basic questions that public-sector leaders are asking in 2024.
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/review-artificial-intelligence-a-primer-for-state-and-local-governments
Iowa’s Caitlin Clark clearly propelled NCAA women’s basketball viewership. But what do past numbers teach us about future expectations — in both basketball and cyber metrics?
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/deciphering-metrics-from-ncaa-womens-basketball-to-cyber-trends
Almost everyone has heard of ChatGPT. But Jeff Brown, CISO for the state of Connecticut, shares his concerns on some of the other “dark side” apps that have emerged with generative AI.
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/conn-ciso-raises-security-concerns-over-badgpt-fraudgpt
With global cyber threats and other international tensions growing, what scenarios should state and local governments consider when conducting exercises to test their people, processes and technology?
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/cybersecurity-tabletop-exercises-how-far-should-you-go
Cybersecurity experts from state and local government, as well as top federal agencies, gathered this week to discuss everything from critical infrastructure attacks to concerns about China. Here are some top takeaways.
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/federal-state-local-cyber-leaders-meet-to-discuss-threats
In this interview with white hat hacker Mishaal Khan, we learn about open source intelligence gathering and how to hack humans — or not.
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/how-to-think-like-a-hacker-and-defend-your-data
Many global cyber teams are analyzing cyber defense gaps now that the NIST Cybersecurity Framework 2.0 has been released. How will this guidance move the protection needle?
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/nist-releases-cybersecurity-framework-2-0-whats-next
Major developments regarding implanting chips in human brains have been announced in 2024. Will this procedure become widespread? Are precautions — or even regulations — needed?
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/human-brain-chip-implants-helpful-safe-ethical
McAfee blogs
Fri, 03 May 2024 12:05:37 +0000In today’s digital age, we know the importance of online privacy and security. However, with an increasing number of websites requiring passwords, it becomes tough to remember them all. This is where a password manager comes into play. The post Why Do I Need a Password Manager? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/why-do-i-need-a-password-manager/
In our digital age, a computer is not just a tool; it’s a gateway to a world of possibilities, entertainment,... The post McAfee Dominates AV-Comparatives PC Performance Test appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mcafee-news/mcafee-dominates-av-comparatives-pc-performance-test/
More and more transactions occur over the internet rather than at a teller’s window, and nearly every account has a username, password, and PIN associated with it. Whether you use online banking regularly or sparingly, you can protect yourself from being the victim of fraud by following a few straightforward steps. The post How to Protect Yourself from Bank Fraud appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/online-banking-simple-steps-to-protect-yourself-from-bank-fraud/
A data broker is an organization that makes money by collecting your personal information, analyzing it, and licensing it out to... The post What Is a Data Broker? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/what-is-a-data-broker/
Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena McAfee Labs has recently uncovered a novel infection chain associated with... The post The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen/
Until recently, people had little control over how companies used their online data. But, with data privacy now a human... The post How to Delete Your Browser History appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-experts-guide-to-deleting-your-browser-history-for-good/
All your online activity creates a trail of data. And that data tells a story. The story of you. The... The post How to Protect Your Personal Data appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/your-data-its-the-story-of-you/
Data brokers are companies that collect your information from a variety of sources to sell or license it out to... The post How to Remove Personal Information From Data Broker Sites appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-remove-personal-information-from-data-broker-sites/
It’s the romance scam story that plays out like a segment on a true crime show. It starts with a... The post How to Avoid Romance Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-avoid-romance-scams/
You consider yourself a responsible person when it comes to taking care of your physical possessions. You’ve never left your wallet in... The post How to Protect Your Smartphone from SIM Swapping appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/what-is-sim-swapping/
According to reports from the Federal Trade Commission’s Consumer Sentinel database, text message scams swindled $372 million from Americans in... The post How to Tell If Your Text Message Is Real appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-tell-if-your-text-message-is-real/
For years now, the popularity of online dating has been on the rise—and so have the number of online romance... The post How to Spot Dating Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/online-dating-scams-and-how-to-spot-them/
We’ve said it several times in our blogs — it’s tough knowing what’s real and what’s fake out there. And... The post How to Spot AI Audio Deepfakes at Election Time appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-spot-ai-audio-deepfakes-at-election-time/
Is it real? Is it fake? Deepfake technology has certainly made everything far more complicated online. How do you know... The post How To Teach Your Kids About Deepfakes appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-teach-your-kids-about-deepfakes/
Authored by Mohansundaram M and Neil Tyagi A new packed variant of the Redline Stealer trojan was observed in the... The post Redline Stealer: A Novel Approach appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/
Imagine receiving a call from a loved one, only to discover it’s not them but a convincing replica created by... The post How to Protect Yourself Against AI Voice Cloning Attacks appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-protect-yourself-against-ai-voice-cloning-attacks/
‘Ensure your privacy settings are set to the highest level’ – if you’ve been reading my posts for a bit... The post How Do You Manage Your Social Media Privacy? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-do-you-manage-your-social-media-privacy/
In recent news, Roku, a leading streaming platform, reported that over 591,000 user accounts were affected by credential stuffing attacks.... The post How to Protect Your Streaming Accounts: Lessons from Roku’s Data Leak appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-protect-your-streaming-accounts/
Some conversations on social media can get … heated. Some can cross the line into harassment. Or worse. Harassment on... The post How to Protect Yourself From Social Media Harassment appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-rising-threat-of-social-media-harassment-heres-how-to-protect-yourself/
In a world where digital communication dominates, the art of scamming has evolved into a sophisticated game of deception. A... The post A Finance Journalist Fell Victim to a $50K Vishing Scam – Are You Also at Risk? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/a-finance-journalist-fell-victim-to-a-50k-vishing-scam-are-you-also-at-risk/
In today’s digital landscape, distinguishing between legitimate communications and phishing attempts can feel like navigating a labyrinth blindfolded. Phishing is... The post Stay Cyber Savvy: Your 5-Step Guide to Outsmarting Phishing Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/stay-cyber-savvy-your-5-step-guide-to-outsmarting-phishing-scams/
While last-minute tax filers stare down the clock, scammers look for easy pickings. Tax scams are in full swing as... The post The Top Tax Scams of 2024 appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-top-tax-scams-of-2024/
It’s that time of year again – tax season! Whether you’ve already filed in the hopes of an early refund... The post How to Steer Clear of Tax Season Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-steer-clear-of-tax-season-scams/
Four in ten Americans say they use peer-to-peer payment services, like Venmo, PayPal, or Apple Pay, at least once a... The post How to Protect Against New Types of Scams Like QR Phishing appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/how-to-protect-against-new-types-of-scams-like-qr-phishing/
Scammers are turning a buck on the eclipse. A rash of eclipse scams have appeared online, many involving the sale... The post How to Avoid Solar Eclipse Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-avoid-solar-eclipse-scams/
Smartphones have enabled a whole new digital world, where apps are gateways to just about any service imaginable. However, like... The post The Four Rs of Personal Mobile Security appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/the-four-rs-of-personal-mobile-security/
Authored by Anuradha and Preksha Introduction PikaBot is a malicious backdoor that has been active since early 2023. Its modular... The post Distinctive Campaign Evolution of Pikabot Malware appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/
With the rise of cheap and easy-to-use AI tools, deepfake attacks find themselves likewise on the rise. Startling as that... The post Are You a Victim of a Deepfake Attack? Here’s What to Do Next appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/are-you-a-victim-of-a-deepfake-attack-heres-what-to-do-next/
As taxpayers prepare their returns for April 15th, scammers prepare too. They see tax season as high time to run... The post Watch Out For IRS Scams and Avoid Identity Theft appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/tax-season-scams-identity-theft/
AT&T, one of the largest telecom giants, recently acknowledged a significant data leak that has affected millions of its customers.... The post AT&T Data Leak: What You Need to Know and How to Protect Yourself appeared first on McAfee Blog.
https://www.mcafee.com/blogs/security-news/att-data-leak-what-you-need-to-know-and-how-to-protect-yourself/
Got any ‘rizz’? Did you ‘slay’ that dinner? Is the ‘cozzie livs’ stressing you out? If you do not comprehendo,... The post Teen Slang – What You Need To Know To Understand Your Teen appeared first on McAfee Blog.
https://www.mcafee.com/blogs/family-safety/teen-slang-what-you-need-to-know-to-understand-your-teen/
People under 60 are losing it online. And by it, I mean money—thanks to digital identity theft. In its simplest form,... The post How to Protect Your Digital Identity appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/guide-protecting-your-digital-identity/
There used to be a time when one roommate split the cost of rent with another by writing a check. Who still owns a checkbook these days? Of... The post Avoid Making Costly Mistakes with Your Mobile Payment Apps appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/avoid-making-costly-mistakes-with-your-mobile-payment-apps/
Before you take the fun-looking quiz that popped up in your social media feed, think twice. The person holding the answers may be a hacker. Where... The post Quizzes and Other Identity Theft Schemes to Avoid on Social Media appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/quizzes-and-other-identity-theft-schemes-to-avoid-on-social-media/
W-2 phishing scams often involve emails that appear to be from the IRS or another official source, requesting personal information. The goal is to trick the recipient into revealing confidential data, such as social security numbers and financial information, which the perpetrator can then use for fraudulent purposes. The post How to Protect Your Financial Data During Tax Season appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/tax-season-scams/
Using a VPN on your smartphone can boost your privacy in a big way, particularly with all the data tracking... The post Why You Need a VPN on Your Smartphone appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/privacy-please-why-a-vpn-on-your-smartphone-may-be-a-smart-move-for-you/
What’s the difference between identity fraud and identity theft? Well, it’s subtle, so much so that it’s easy to use... The post How To Tell The Difference Between Identity Fraud and Identity Theft? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/whats-the-difference-between-identity-fraud-and-identity-theft/
When it comes to identity theft, trust your gut when something doesn’t feel right. Follow up. What you’re seeing could be a problem. A missing bill or a mysterious charge on... The post How to Detect Signs of Identity Theft appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/top-signs-of-identity-theft/
Can thieves steal identities with only a name and address? In short, the answer is “no.” Which is a good... The post Can Thieves Steal Identities With Only a Name and Address? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/can-thieves-steal-identities-with-only-a-name-and-address/
How to Spot, and Prevent, the Tax Scams That Target Elders Elder scams cost seniors in the U.S. some $3... The post How to Spot, and Prevent, the Tax Scams That Target Elders appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/how-to-spot-and-prevent-the-tax-scams-that-target-elders/
Authored by ZePeng Chen and Wenfeng Yu McAfee Mobile Research Team has observed an active scam malware campaign targeting Android... The post Android Phishing Scam Using Malware-as-a-Service on the Rise in India appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-phishing-scam-using-malware-as-a-service-on-the-rise-in-india/
There’s little rest for your hard-working smartphone. If you’re like many professionals today, you use it for work, play, and a mix of personal... The post 7 Tips to Protect Your Smartphone from Getting Hacked appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/7-tips-to-protect-your-smartphone-from-getting-hacked/
Doxing can be harmful to one’s reputation and can cost someone their job, their friends, or their privacy. Here are five things you should know about doxing, plus some tips on how to prevent it from happening to you. The post 5 Things About Doxing You Should Know appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/5-things-about-doxing-you-should-know/
Hackers used one of the oldest tricks in the book to turn a buck. All at the expense of several... The post 15,000+ Roku Accounts Compromised — Take These Steps to Protect Yourself appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/15000-roku-accounts-compromised-take-these-steps-to-protect-yourself/
According to reports from the Federal Trade Commission’s Consumer Sentinel database, text message scams swindled $330 million from Americans in... The post Scam or Not? How to Tell Whether Your Text Message Is Real appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/scam-or-not-how-to-tell-whether-your-text-message-is-real/
Who else loves tax season besides accountants? Scammers. It’s high time of year for online risks here in the U.S.... The post How to Stay Safe When Paying Your Taxes to the IRS appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/tax-time-is-prime-time-for-scammers-how-to-stay-safe-when-paying-your-taxes-to-the-irs/
“Jessica” cost him one million dollars. In an account to Forbes, one man described how he met “Jessica” online.i Readily,... The post What are Pig Butchering Scams and How Do They Work? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/what-are-pig-butchering-scams-and-how-do-they-work/
International Women’s Day 2024’s theme, #InspireInclusion, reminds us that genuine change requires going beyond individual actions. It’s about fostering an... The post How we’re #InspiringInclusion at McAfee for International Women’s Day 2024 appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/how-were-inspiringinclusion-at-mcafee-for-international-womens-day-2024/
There are more online users now than ever before, thanks to the availability of network-capable devices and online services. The internet... The post The What, Why, and How of AI and Threat Detection appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-what-why-and-how-of-ai-and-threat-detection/
Did you just get word that your personal information may have been caught up in a data breach? If so,... The post How to Protect Yourself From Identity Theft After a Data Breach appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/how-to-protect-yourself-from-identity-theft-after-a-data-breach/
Venmo, quick and convenient. A great way to pay back a friend or split the cost of a meal. Yet... The post How to Identify and Protect Yourself From Venmo Scams and Other Cash App Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-identify-and-protect-yourself-from-venmo-scams-and-other-cash-app-scams/
Chocolate chip, oatmeal raisin, snickerdoodle: Cybercriminals have a sweet tooth just like you. But their favorite type of cookie is... The post How to Keep Cybercriminals Out of Your Accounts appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/cookie-theft-how-to-keep-cybercriminals-out-of-your-accounts/
Who else loves tax season besides accountants? Scammers. It’s high time of year for online risks here in the U.S.... The post How to Protect Yourself Against Tax Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/how-to-protect-yourself-against-tax-scams/
Authored by Yashvi Shah and Preksha Saxena McAfee Labs has recently observed a significant surge in the distribution of prominent... The post Rise in Deceptive PDF: The Gateway to Malicious Payloads appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-in-deceptive-pdf-the-gateway-to-malicious-payloads/
Over the past year and a half, workers everywhere have gotten used to working from home. They have adopted an... The post Hybrid Workplace Vulnerabilities: 4 Ways to Promote Online Safety appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/hybrid-workplace-vulnerabilities-4-ways-to-promote-online-safety/
Authored by: Vignesh Dhatchanamoorthy In the ever-evolving landscape of cybersecurity threats, staying ahead of malicious actors requires a deep understanding... The post GUloader Unmasked: Decrypting the Threat of Malicious SVG Files appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decrypting-the-threat-of-malicious-svg-files/
The tables have turned. Now you can use AI to spot and block scam texts before they do you harm. ... The post Get Yourself AI-powered Scam Protection That Spots and Block Scams in Real Time appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mcafee-news/get-yourself-ai-powered-scam-protection-that-spots-and-block-scams-in-real-time/
Employee Spotlight: Meet Jovohn! From military beginnings to mobile security champion, meet Jovohn, our passionate Product Marketer and MAHC President.... The post From Military Kid to Product Marketing: My McAfee Journey appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/from-military-kid-to-product-marketing-my-mcafee-journey/
Imagine a tool that can transform text into captivating videos, bridging the gap between imagination and reality by creating videos... The post What is Sora and What Does It Mean for Your Personal Internet Security? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/what-is-sora-and-what-does-it-mean-for-your-personal-internet-security/
If you’re concerned about your privacy on social media, you have plenty of company. Here’s something else you have —... The post Introducing Social Privacy Manager appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/introducing-social-privacy-manager/
This year marks the world’s biggest election year yet. An estimated four billion voters will head to the polls across... The post McAfee Joins Tech Accord to Combat Use of AI in 2024 Elections appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mcafee-news/mcafee-joins-tech-accord-to-combat-use-of-ai-in-2024-elections/
“My phone’s been hacked!” Words you probably don’t want to hear or say. Ever. Yes, a smartphone can get hacked... The post Help! I Think My Phone’s Been Hacked appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/help-i-think-my-phones-been-hacked/
What is a VPN (virtual private network)? And how can it make your time online more secure—and a little more... The post How a VPN Can Make You More Private and Secure appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/what-is-a-vpn-how-it-can-make-your-time-online-more-private-and-secure/
There are plenty of phish in the sea. Millions of bogus phishing emails land in millions of inboxes each day... The post How to Spot Phishing Emails and Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/plenty-of-phish-in-the-sea-your-guide-to-spotting-phishing-emails-and-scams/
When you open your laptop or your mobile device, what is the first thing you do? Do you head to your... The post How to Protect Your Online Privacy appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/5-ways-to-protect-your-online-privacy/
AI has made the dating scene. In a big way. Nearly one in four Americans say they’ve spiced up their... The post Love Bytes – How AI is shaping Modern Love appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/love-bytes-how-ai-is-shaping-modern-love/
Advice and Insights from some of McAfee’s brightest STEM leaders This International Day of Women and Girls in Science, #TeamMcAfee... The post Celebrating International Day of Women and Girls in Science appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/celebrating-international-day-of-women-and-girls-in-science/
Two massive data breaches in France have impacted roughly half the nation’s population. The data of an estimated 33 million... The post France Gets Hit with Its Largest Data Breach Ever — What You Need to Know appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/france-gets-hit-with-its-largest-data-breach-ever-what-you-need-to-know/
As with any major holiday or special occasion, Valentine’s Day is unfortunately not immune to scammers looking for an opportunity to exploit unsuspecting individuals. In this article, we spotlight some common Valentine’s Day scams, offer tips on how to protect yourself and navigate this romantic day with confidence and caution. The post Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account appeared first on McAfee Blog.
https://www.mcafee.com/blogs/family-safety/valentines-alert-dont-let-scammers-break-your-heart-or-your-bank-account/
Social media is part of our social fabric. So much so that over 56% of the global population are social... The post How to Protect Your Social Media Accounts appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/how-to-protect-your-social-media-accounts/
Authored by Dexter Shin MoqHao is a well-known Android malware family associated with the Roaming Mantis threat actor group first... The post MoqHao evolution: New variants start automatically right after installation appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-evolution-new-variants-start-automatically-right-after-installation/
The explosive growth of Generative AI has sparked many questions and considerations not just within tech circles, but in mainstream... The post Generative AI: Cross the Stream Where it is Shallowest appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/generative-ai-cross-the-stream-where-it-is-shallowest/
ChatGPT is, without doubt, the biggest tech story of the year. It’s created debate in schools and universities, made history... The post A Parent’s Guide to ChatGPT appeared first on McAfee Blog.
https://www.mcafee.com/blogs/family-safety/a-parents-guide-to-chatgpt/
On Safer Internet Day, we ask an important question: how can you tell what’s real and what’s fake online? There’s... The post Safer Internet Day: Telling What’s Real from What’s Fake Online appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/safer-internet-day-telling-whats-real-from-whats-fake-online/
While you can’t delete your personal info from the internet entirely, you can take strong steps to remove it from... The post How to Delete Yourself from the Internet appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/how-to-delete-yourself-from-the-internet/
Some scams make a telltale sound—rinnng, rinnng! Yup, the dreaded robocall. But you can beat them at their game. Maybe it’s a call about renewing... The post How to Beat Robocallers at Their Game appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/beat-robocallers-at-their-game/
Artificial intelligence (AI) is making its way from high-tech labs and Hollywood plots into the hands of the general population.... The post How to Spot Fake Art and Deepfakes appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/ai-in-the-hands-of-cybercriminals-how-to-spot-fake-art-and-deepfakes/
It’s that time of year again: election season! You already know what to expect when you flip on the TV.... The post This Election Season, Be on the Lookout for AI-generated Fake News appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/this-election-season-be-on-the-lookout-for-ai-generated-fake-news/
As voters in the recent New Hampshire primary have found, a fake robocall of President Joe Biden has been making... The post Was the Fake Joe Biden Robocall Created with AI? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/was-the-fake-joe-biden-robocall-created-with-ai/
Imagine a “Privacy Facts” label on the apps, devices, and websites you use. Like a digital version of the “Nutrition... The post Protect What Matters on Data Privacy Day appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/protect-what-matters-on-data-privacy-day/
Security researchers have discovered a massive data breach containing more than 26 billion records — a hacker’s trove of records... The post 26 Billion Records Released in “The mother of all breaches” appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/26-billion-records-released-the-mother-of-all-breaches/
Authored by Preksha Saxena and Yashvi Shah McAfee Labs has been tracking a sophisticated VBS campaign characterized by obfuscated Visual... The post From Email to RAT: Deciphering a VB Script-Driven Campaign appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vb-script-driven-campaign/
Today, we celebrate the life and legacy of Dr. Martin Luther King Jr. Dr. King diligently dedicated his life to... The post Honoring Martin Luther King Jr.’s Legacy with McAfee’s African Heritage Community appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/honoring-martin-luther-king-jr-s-legacy-with-mcafees-african-heritage-community-2/
Taylor Swift wants plenty of good things for her fans — but a free Dutch oven isn’t one of them. ... The post No, Taylor Swift Won’t Send You a Free Dutch Oven — The New AI Cloning Scam appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/no-taylor-swift-wont-send-you-a-free-dutch-oven-the-new-ai-cloning-scam/
New year, new tech. That’s what hits the floor at the CES show each January in Las Vegas. Whether it’s... The post New Year, New Tech at CES — The Latest Protection for the Latest Tech appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/new-year-new-tech-at-ces-the-latest-protection-for-the-latest-tech/
We’ve seen how AI can create — and how it can transform our lives. What gets talked about less is... The post How to Stay Safe in the Age of AI appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/staying-safe-in-the-age-of-ai/
AI and major elections, deepfakes and the Olympics — they all feature prominently in our cybersecurity predictions for 2024. That’s... The post 6 Cybersecurity Predictions for 2024 – Staying Ahead of the Latest Hacks and Attacks appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/6-cybersecurity-predictions-for-2024-staying-ahead-of-the-latest-hacks-and-attacks/
Authored by Fernando Ruiz McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows... The post Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-android-xamalicious-actively-infecting-devices/
Imagine paying $16,000 to park your car in a lot for a couple of hours. That’s what happened to one... The post How to Protect Yourself from QR Code Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/click-protect-yourself-from-qr-code-scams/
Crooks love a good gift card scam. It’s like stealing cash right out of your pocket. That includes Amazon and... The post Gift Card Scams — The Gift That Keeps on Taking appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/gift-card-scams-the-gift-that-keeps-on-taking/
Authored by Neil Tyagi and Fernando Ruiz In a digitally evolving world, the convenience of banking through mobile applications has... The post Shielding Against Android Phishing in Indian Banking appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shielding-against-android-phishing-in-indian-banking/
‘So, what is the ultimate goal of all of our parenting?’ When I asked this question to a group of... The post How to Raise Responsible Digital Citizens appeared first on McAfee Blog.
https://www.mcafee.com/blogs/family-safety/how-to-raise-responsible-digital-citizens/
Inquisitive, curious and fiercely independent. These are the three words that come to mind when I remember my boys as... The post How to Protect Your Kids From Inappropriate Online Content appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/five-ways-to-protect-your-kids-from-inappropriate-online-content/
A disturbing story out of western Spain spotlights challenges of technological evolution. Unwitting children and teenagers were victims of users... The post Deepfake Defense: Your 8-Step Shield Against Digital Deceit appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/deepfake-defense-your-8-step-shield-against-digital-deceit/
Depending on the day’s most popular headlines, AI is either a panacea or the ultimate harbinger of doom. We could... The post Safer AI: Four Questions Shaping Our Digital Future appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/safer-ai-four-questions-shaping-our-digital-future/
You guard the keys to your home closely, right? They have their own special spot in your bag or in... The post What Is Credential Phishing? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/what-is-credential-phishing/
In October, a hacker claimed to have hijacked profile information of “millions” of users from the popular genetic testing site... The post User Data from 23andMe Leaked Online – What Users Should Do, and the Rest of Us Too appeared first on McAfee Blog.
https://www.mcafee.com/blogs/security-news/user-data-from-23andme-leaked-online-what-users-should-do-and-the-rest-of-us/
If you had to count the number of social media platforms your teen uses, I wonder what the score would... The post Do I Really Need to be on Snapchat to be a Good Digital Parent? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/do-i-really-need-to-be-on-snapchat-to-be-a-good-digital-parent/
With the rush of Black Friday and Cyber Monday shopping comes a rush of another kind. Millions of fake delivery... The post Is That Delivery Text Real or Fake? How to Shop and Ship Safely this Season appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/is-that-delivery-text-real-or-fake-how-to-shop-and-ship-safely-this-season/
By Lakshya Mathur & Yashvi Shah Phishing attackers aim to deceive individuals into revealing sensitive information for financial gain, credential... The post PDF Phishing: Beyond the Bait appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/pdf-phishing-beyond-the-bait/
In the 80’s, train stations and church groups were the key places to meet boys. And despite the fact I... The post How to Help Your Teens Stay Safe When They Start Dating Online appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-help-your-teens-stay-safe-when-they-start-dating-online/
Yes, there is a Cyber Grinch. In fact, you’ll find evidence of an entire host of grinches online — the... The post How to Shop Safely This Holiday Season appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/look-out-for-the-cyber-grinch-how-to-shop-safely-this-holiday-season/
NetSupport malware variants have been a persistent threat, demonstrating adaptability and evolving infection techniques. In this technical analysis, we delve... The post Beneath the Surface: How Hackers Turn NetSupport Against Users appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/beneath-the-surface-how-hackers-turn-netsupport-against-users/
Imagine this. You’re 15, feeling unsure about yourself in the world, possibly even a little lonely. One day, a pretty... The post Sextortion – What Every Parent Needs To Know appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/sextortion-what-every-parent-needs-to-know/
November 20 is World Children’s Day, a day that celebrates “international togetherness, awareness among children worldwide, and improving children’s welfare.”... The post How to Protect Kids From Harmful Online Content appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/six-steps-to-protect-kids-from-harmful-online-content/
This is the final in a series of three articles covering digital wellness programs in the workplace. Here we explore... The post The Benefits of Protection – How Organizations Gain from Digital Wellness appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-benefits-of-protection-how-organizations-gain-from-digital-wellness/
Authored by Dexter Shin Most people have smartphones these days which can be used to easily search for various topics... The post Fake Android and iOS apps steal SMS and contacts in South Korea appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-android-and-ios-apps-steal-sms-and-contacts-in-south-korea/
Sick and tired of scam messages? So are the 54% of Americans who said they’d rather get a root canal... The post Scam Texts Are More Painful Than Getting a Root Canal appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/scam-texts-are-more-painful-than-getting-a-root-canal/
In workplaces around the world, employees agree — they feel strongly about online protection. Our joint research with Statista puts... The post The Benefits of Protection – Why Employees Place a High Value on Digital Wellness appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-benefits-of-protection-why-employees-place-a-high-value-on-digital-wellness/
A simple click of a link can’t cause any trouble, right? Wrong. It doesn’t matter if you quickly close out... The post What Are the Risks of Clicking on Malicious Links? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/what-are-the-risks-of-clicking-on-malicious-links/
Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy AsyncRAT, short for “Asynchronous Remote Access Trojan,” is a sophisticated piece of malware... The post Unmasking AsyncRAT New Infection Chain appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/unmasking-asyncrat-new-infection-chain/
This is the first in a series of three articles covering digital wellness programs in the workplace. Here we take... The post The Benefits of Protection – The Case for Digital Wellness in the Workplace appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-benefits-of-protection-the-case-for-digital-wellness-in-the-workplace/
This time of year, the air gets chillier and a bit cheerier for everyone … including online scammers. Holiday scams... The post ’Tis the Season for Holiday Scams: 5 Common Schemes to Look Out For appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/tis-the-season-for-holiday-scams/
AI is on your side. In fact, it’s kept you safer online for some time now. Now that scammers and... The post Advances in Our Use of AI Keep You Even Safer Online appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/advances-in-our-use-of-ai-keep-you-even-safer-online/
Hackers love Ryan Gosling. In fact, hackers use his name as bait more than any other celebrity. With that, the... The post McAfee 2023 Hacker Celebrity Hot List – Why Hackers Love Ryan Gosling so Much appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/mcafee-2023-hacker-celebrity-hot-list/
Reels of another kind rack up the views online. Stories about Facebook Marketplace scams. Recently, TikTok’er Michel Janse (@michel.c.janse) got... The post How to Look Out For Scams on Facebook Marketplace appeared first on McAfee Blog.
https://www.mcafee.com/blogs/tips-tricks/the-top-facebook-marketplace-scams-to-look-out-for/
Amidst the recent heartbreaking events in the Middle East, parents now face the challenge of protecting children from the overwhelming... The post Digital Strategies to Safeguard Your Child from Upsetting and Violent Content Online appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/digital-strategies-to-safeguard-your-child-from-upsetting-and-violent-content-online/
Your pain is their gain. That’s how things go in a cryptojacking attack. Cryptomining is the utilization of computers to... The post Cryptojacking – Stop Hackers from Making Money Off You appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/cryptojacking-stop-hackers-from-making-money-off-you/
As AI deepfakes and malware understandably grab the headlines, one thing gets easily overlooked—AI also works on your side. It... The post How to Win the Battle Against Deepfakes and Malware appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/artificial-intelligence-and-winning-the-battle-against-deepfakes-and-malware/
Maybe you do armloads of shopping on it. Maybe you skip going to the bank because you can tackle the... The post How much do you count on the internet every day? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/cybersecurity-awareness-month/
The unfortunate reality of our digital era is that devices are lost, misplaced, or stolen every day. A mobile device without password protection is a gold mine for anyone with malicious intent. The post How to Protect Your Mobile Device From Loss and Theft appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mobile-security/unprotected-mobile-devices/
A common misconception is that a password only needs to be memorable. Whilst this is a helpful trait, it does a disservice to the importance of having a secure series of characters. This guide will walk you through why "123456" is not an acceptable password. The post 123456 Is Not an Acceptable Password appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/password-checklist/
Getting a text message is a lot like someone calling out your name. It’s tough to ignore. Delivery notifications, messages... The post Hold onto Your Phone, and Your Wallet – The Top Five Text Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/hold-onto-your-phone-and-your-wallet-the-top-five-text-scams/
I have a confession to make – I so wish ChatGPT was around when my kids were younger. I realise... The post Could ChatGPT Be The Best Thing That’s Ever Happened To Your Family? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/could-chatgpt-be-the-best-thing-thats-ever-happened-to-your-family/
Let’s be honest, talking to your kids about identity theft isn’t probably top of your list. There’s a long list... The post How to Talk To Your Kids About Identity Theft appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-talk-to-your-kids-about-identity-theft/
Authored by Neil Tyagi On 23 August 2023, NIST disclosed a critical RCE vulnerability CVE-2023-38831. It is related to an... The post Exploring Winrar Vulnerability (CVE-2023-38831) appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/exploring-winrar-vulnerability-cve-2023-38831/
I’m such a fan of RUOK? Day. Started in 2009, it’s an Australian non-profit suicide prevention that is all about... The post RUOK Day – How to Get Help Online When You’re Not Feeling OK appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/ruok-day-how-to-get-help-online-when-youre-not-feeling-ok/
Authored by Yashvi Shah Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the... The post Agent Tesla’s Unique Approach: VBS and Steganography for Delivery and Intrusion appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
How To Manage Your Privacy When Using ChatGPT or Other Generative AI Love it or hate it, generative artificial intelligence... The post ChatGPT’s Impact on Privacy and How to Protect Yourself appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/chatgpts-impact-on-privacy-and-how-to-protect-yourself/
As of the writing of this article, the height of the pandemic seems like a distant but still vivid dream.... The post The Future of Work: How Technology & the WFH Landscape Are Making an Impact appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-future-of-work-technology-and-the-wfh-landscape/
Your privacy means everything. And your identity too. The launch of McAfee Privacy & Identity Guard will protect them both. ... The post McAfee’s New Privacy & Identity Guard Launches at Staples Stores appeared first on McAfee Blog.
https://www.mcafee.com/blogs/mcafee-news/mcafees-new-privacy-identity-guard-launches-at-staples-stores/
The humble USB drive—the workhorse of students, professionals, and everyday computer users. No wonder hackers put USB drives in their... The post USB Drives – Protecting Your Humble Workhorse from Malware and Loss appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/usb-drives-protecting-your-humble-workhorse-from-malware-and-loss/
It’s a longstanding question: can your phone really take selfies without your knowledge? The answer is yes, but with a... The post Secret Selfies: Can Phones Take Pictures and Videos of You Without Your Knowledge? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/secret-selfies-can-phones-take-pictures-and-videos-of-you-without-your-knowledge/
We reported earlier this year, a fresh rash of online job scams continue to rope in plenty of victims. Now,... The post Online Job Scams – TikTokers Tell Their Stories, with a Warning appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/online-job-scams-tiktokers-tell-their-stories-with-a-warning/
Authored by Preksha Saxena McAfee labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email.... The post Peeling Back the Layers of RemcosRat Malware appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/peeling-back-the-layers-of-remcosrat-malware/
You can almost feel it in the air. Wi-Fi is everywhere. And if you tap into public Wi-Fi, do it... The post On Public Wi-Fi, a VPN is Your Friend appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/on-public-wi-fi-a-vpn-is-your-friend/
Artificial intelligence used to be reserved for the population’s most brilliant scientists and isolated in the world’s top laboratories. Now,... The post 10 Artificial Intelligence Buzzwords You Should Know appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/10-artificial-intelligence-buzzwords-you-should-know/
Have you ever lost your suitcase on vacation? You arrive at baggage claim, keeping your eyes peeled for your belongings.... The post A Traveler’s Guide to International Cybersecurity appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/travelers-guide-to-international-cybersecurity/
Authored by: Neil Tyagi Scam artists know no bounds—and that also applies to stealing your cryptocurrency. Crypto scams are like... The post Crypto Scam: SpaceX Tokens for Sale appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-scam-spacex-tokens-for-sale/
If you’re a LinkedIn user, log in now and strengthen your security. Reports indicate that LinkedIn accounts are under attack.... The post How to Protect Your LinkedIn Account appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/how-to-safeguard-your-linkedin-account-and-strengthen-your-security/
Instead of getting you out of a jam, tech support scams get you into one. And they can get costly.... The post Be on the Lookout for Scam Tech Support Calls appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/lookout-scam-tech-support-calls/
Spotting fake news in your feed has always been tough. Now it just got tougher, thanks to AI. Fake news... The post How to Spot Fake News in Your Social Media Feed appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/spot-fake-news-and-misinformation-in-your-social-media-feed/
Vanquishing aliens, building virtual amusement parks, mashing buttons in online battles royale. For some, playing video games is a way... The post 5 Online Gaming Tips to Stay Safe From Cybercriminals appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/5-online-gaming-tips-to-stay-safe-from-hackers/
Authored by SangRyol Ryu, McAfee Threat Researcher We live in a world where advertisements are everywhere, and it’s no surprise... The post Invisible Adware: Unveiling Ad Fraud Targeting Android Users appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/invisible-adware-unveiling-ad-fraud-targeting-android-users/
What does a hacker want with your social media account? Plenty. Hackers hijack social media accounts for several reasons. They’ll... The post How to Protect Your Social Media Passwords from Hacks and Attacks appeared first on McAfee Blog.
https://www.mcafee.com/blogs/privacy-identity-protection/protect-your-social-media-passwords-from-hacks-and-attacks/
Farewell, summer. Hello, back-to-school season! While the chill may not be in the air yet, parents may be feeling the... The post 10 Back-to-School Tech Tips for Kids, Teens and College Students appeared first on McAfee Blog.
https://www.mcafee.com/blogs/family-safety/10-back-to-school-tech-tips-for-kids-teens-and-college-students/
Authored by: Lakshya Mathur and Yashvi Shah As the Back-to-School season approaches, scammers are taking advantage of the opportunity to... The post The Season of Back to School Scams appeared first on McAfee Blog.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-season-of-back-to-school-scams/
Are we in the Wild West? Scrolling through your social media feed and breaking news sites, all the mentions of... The post The Wild West of AI: Do Any AI Laws Exist? appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/the-wild-west-of-ai-do-any-ai-laws-exist/
The first of August marks the celebration of World Wide Web Day – a day dedicated to the global network... The post World Wide Web Day: How to Protect Your Family Online appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/world-wide-web-day-how-to-protect-your-family-online/
It’s not all funny limericks, bizarre portraits, and hilarious viral skits. ChatGPT, Bard, DALL-E, Craiyon, Voice.ai, and a whole host... The post AI in the Wild: Malicious Applications of Mainstream AI Tools appeared first on McAfee Blog.
https://www.mcafee.com/blogs/internet-security/ai-in-the-wild-malicious-applications-of-mainstream-ai-tools/
https://www.nist.gov/blogs/cybersecurity-insights/rss.xml
Thu, 02 May 2024 12:00:00 +0000The problem The previous post in our series discussed techniques for providing input privacy in PPFL systems where data is horizontally partitioned. This blog will focus on techniques for providing input privacy when data is vertically partitioned . As described in our third post , vertical partitioning is where the training data is divided across parties such that each party holds different columns of the data. In contrast to horizontally partitioned data, training a model on vertically partitioned data is more challenging as it is generally not possible to train separate models on different
https://www.nist.gov/blogs/cybersecurity-insights/protecting-model-updates-privacy-preserving-federated-learning-part-two
The U.S. Small Business Administration is celebrating National Small Business Week from April 28 - May 4, 2024. This week recognizes and celebrates the small business community’s significant contributions to the nation. Organizations across the country participate by hosting in-person and virtual events, recognizing small business leaders and change-makers, and highlighting resources that help the small business community more easily and efficiently start and scale their businesses. To add to the festivities, this NIST Cybersecurity Insights blog showcases the NIST Cybersecurity Framework 2.0
https://www.nist.gov/blogs/cybersecurity-insights/take-tour-nist-cybersecurity-framework-20-small-business-quick-start
We all need supplements sometimes. Whether it’s a little extra vitamin C during flu season or some vitamin D during the dark days of Winter. When used correctly, supplements help our body adjust to the changing conditions around us. Similarly, we are applying this same concept for the first time to our NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. Today, we published a supplement that provides interim guidance for agencies seeking to make use of ‘syncable authenticators’ ( for example, passkeys) in both enterprise-facing and public-facing use cases
https://www.nist.gov/blogs/cybersecurity-insights/giving-nist-digital-identity-guidelines-boost-supplement-incorporating
In our second post we described attacks on models and the concepts of input privacy and output privacy. ln our last post, we described horizontal and vertical partitioning of data in privacy-preserving federated learning (PPFL) systems. In this post, we explore the problem of providing input privacy in PPFL systems for the horizontally-partitioned setting. Models, training, and aggregation To explore techniques for input privacy in PPFL, we first have to be more precise about the training process. In horizontally-partitioned federated learning, a common approach is to ask each participant to
https://www.nist.gov/blogs/cybersecurity-insights/protecting-model-updates-privacy-preserving-federated-learning
Last November, I was pleased to chair the most recent meeting of the Interagency International Cybersecurity Standardization Working Group (IICSWG) – a group NIST created in 2016. Our charge, from the Cybersecurity Enhancement Act of 2014, was to build a coordination mechanism for government agencies to discuss international cybersecurity standardization issues, consistent with agencies’ responsibilities under OMB Circular A-119. Since then, IICSWG has grown as a forum to discuss cybersecurity and privacy standardization topics, examine the overall cybersecurity standardization landscape (
https://www.nist.gov/blogs/cybersecurity-insights/updates-nists-interagency-international-cybersecurity-standardization
This post is part of a series on privacy-preserving federated learning. The series is a collaboration between NIST and the UK government’s Responsible Technology Adoption Unit (RTA), previously known as the Centre for Data Ethics and Innovation. Learn more and read all the posts published to date at NIST’s Privacy Engineering Collaboration Space or RTA’s blog . Our first post in the series introduced the concept of federated learning and described how it’s different from traditional centralized learning - in federated learning, the data is distributed among participating organizations, and
https://www.nist.gov/blogs/cybersecurity-insights/data-distribution-privacy-preserving-federated-learning
NIST CSF 2.0 QUICK LINKS | Explore our Full Suite of Resources: CSF 2.0 Quick Start Guides CSF 2.0 Profiles CSF 2.0 Informative References Cybersecurity & Privacy Reference Tool (CPRT) CSF 2.0 Reference Tool CSF 2.0 Website ( Homepage ) Official NIST News Announcement The NIST Cybersecurity Framework (CSF) development process all started with Executive Order (EO)13636 over a decade ago, which called for building a set of approaches ( a framework ) for reducing risks to critical infrastructure. Through this EO, NIST was tasked with developing a "Cybersecurity Framework." We knew that, to do
https://www.nist.gov/blogs/cybersecurity-insights/travel-update-nist-csf-20-herealong-many-helpful-resources
What is National Entrepreneurship (NatlEshipWeek) Week? Celebrated February 10-17, 2024, “NatlEshipWeek is a congressionally chartered week dedicated to empowering entrepreneurship across the United States. The annual initiative was relaunched in 2017 as NatlEshipWeek to bring together a network of partners from Maui to Miami to educate, engage, and build equitable access to America's Entrepreneurship Ecosystem.” Follow along online with #NatlEshipWeek. You can learn more about the initiative here: https://www.natleshipweek.org/about . Supporting Entrepreneurship is at the Heart of NIST’s
https://www.nist.gov/blogs/cybersecurity-insights/nist-celebrates-national-entrepreneurship-week
With the new year under way, NIST is continuing to engage with our international partners to enhance cybersecurity. Here are some updates on our international work from the end of 2023 into the beginning of 2024: Conversations have continued with our partners throughout the world on the update to the NIST Cybersecurity Framework (CSF) 2.0 . The current Draft CSF 2.0 has been shared in a public comment period that ended in November 2023. Stay tuned for the final version to be published soon! NIST international engagement continues through our support to the Department of State and the
https://www.nist.gov/blogs/cybersecurity-insights/nists-international-cybersecurity-and-privacy-engagement-update
It’s been four years since the release of The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0. Since then, many organizations have found it highly valuable for building or improving their privacy programs. We’ve also been able to add a variety of resources to support its implementation. We’re proud of how much has been accomplished in just a few short years, but we’re not resting on our laurels. As another, more famous, Dylan once said, “the times they are a-changin’.” For example, the past year has seen the release of the NIST AI Risk
https://www.nist.gov/blogs/cybersecurity-insights/new-year-new-initiatives-nist-privacy-framework
This post is part of a series on privacy-preserving federated learning. The series is a collaboration between NIST and the UK government’s Centre for Data Ethics and Innovation. Learn more and read all the posts published to date at NIST’s Privacy Engineering Collaboration Space or the CDEI blog . Our first post in the series introduced the concept of federated learning—an approach for training AI models on distributed data by sharing model updates instead of training data. At first glance, federated learning seems to be a perfect fit for privacy since it completely avoids sharing data
https://www.nist.gov/blogs/cybersecurity-insights/privacy-attacks-federated-learning
Words like “metaverse” and “augmented reality” may conjure up thoughts of friends in headsets wielding virtual sabers or folks roaming the streets at night in search of PokéStops. Virtual, augmented, and mixed reality technologies (“immersive technologies”) have entered the popular conscience thanks in part to the success of games, but their applications go well beyond new experiences in entertainment. They are already being utilized to increase access to education , improve manufacturing , bolster accessibility , and train workforces in healthcare and retail. Immersive technologies have the
https://www.nist.gov/blogs/cybersecurity-insights/journey-immersive-frontier-preliminary-nist-research-cybersecurity-and
In August 2023 the Digital Identity Guidelines team hosted a two-day workshop to provide a public update on the status of revision 4. As part of that session, we committed to providing further information on the status of each volume going forward. In fulfillment of this commitment, we wanted to offer a quick update on where we stand. Our goal remains to have the next version of each volume out by the Spring of 2024. With our gratitude for the robust and substantive engagement we received during the comment period, at this time we would like to announce that all four volumes of Special
https://www.nist.gov/blogs/cybersecurity-insights/note-progressnists-digital-identity-guidelines
This post is the first in a series on privacy-preserving federated learning. The series is a collaboration between CDEI and NIST. Advances in machine learning and AI, fueled by large-scale data availability and high-performance computing, have had a significant impact across the world in the past two decades. Machine learning techniques shape what information we see online, influence critical business decisions, and aid scientific discovery, which is driving advances in healthcare, climate modelling, and more. Training Models: Conventional vs Federated Learning The standard way to train
https://www.nist.gov/blogs/cybersecurity-insights/uk-us-blog-series-privacy-preserving-federated-learning-introduction
5G will eventually impact every single industry—from healthcare to financial to even agriculture and transportation...and its impact is only increasing over time. Despite its benefits, it comes with privacy and security risks. An increasing number of interconnected devices increases the attack surface. In addition, there are also increased supply chain vulnerabilities and network visibility issues (companies may have issues identifying attacks since there may be a lot of new web traffic from mobile devices and/or more sophistication when it comes to attacks). The goal of the NCCoE 5G
https://www.nist.gov/blogs/cybersecurity-insights/nccoe-5g-cybersecurity-connecting-dots-between-it-and-teleco
Our Cybersecurity Awareness Month may have come to a close at the end of October — but the importance of enhancing cybersecurity and engaging with our international partners to enhance cybersecurity is at the forefront of our minds all year long. Here are some updates on our international work: Conversations have continued with our partners throughout the world on the update to the NIST Cybersecurity Framework (CSF) 2.0 , and NIST hosted its final workshop on September 19 and 20 with in-person and hybrid attendance featuring international participation (via both speakers and panelists). While
https://www.nist.gov/blogs/cybersecurity-insights/nists-international-cybersecurity-and-privacy-engagement-update-trade
During this week’s blog series, we sat down with two of our NIST experts from the Visualization and Usability Group at NIST — Shanée Dawkins and Jody Jacobs — who discussed the importance of recognizing and reporting phishing . This blog wraps up our Cybersecurity Awareness Month 2023 blog series…but we of course plan to continue to share, collaborate, learn, and spread the word all year long. 1. This week’s Cybersecurity Awareness Month theme is ‘recognize and report phishing.’ How does your work/specialty area at NIST tie into this behavior? We work in the Information Technology Lab, but our
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2023-blog-series-recognizing-and
It’s week three in our Cybersecurity Awareness Month blog series! This week, we interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software. This week’s Cybersecurity Awareness Month theme is ‘updating software.’ How does your work/specialty area at NIST tie into this behavior? NIST’s Applied Cybersecurity Division’s core mission is to explore, measure, and evaluate both the cybersecurity guidance NIST provides as well as industry best practices. One of our current projects involves putting the practices described
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2023-blog-series-updating-software
Today’s blog is the second one in our 2023 Cybersecurity Awareness Month series and examines different factors associated with using strong passwords and a password manager. We interviewed NIST’s Yee-Yin Choong and Meghan Anderson to get their unique thoughts and insights. This week’s Cybersecurity Awareness Month theme is ‘ using strong passwords and a password manager .’ How does your work/specialty area at NIST tie into this behavior? Yee-Yin: At NIST, I’ve been conducting research on human factors and the usability aspects of human-technology interactions. One research area is human
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2023-blog-series-using-strong-passwords
October is always an exciting time for us as we celebrate Cybersecurity Awareness Month and some of NIST’s greatest accomplishments, resources, guidance, and latest news in the cybersecurity space. This year is a big one because 2023 marks the 20 th anniversary of this important initiative —and we will celebrate in various ways every day throughout the month. What is NIST Up to in October? We’ll be using our NIST Cybersecurity Awareness Month website to share information about our events, resources, blogs, and how to stay involved. We will be using our NISTcyber X account as a vehicle to
https://www.nist.gov/blogs/cybersecurity-insights/kicking-nists-cybersecurity-awareness-month-celebration-our
The Human-Centered Cybersecurity program (formerly Usable Cybersecurity) is part of the Visualization and Usability Group at NIST. It was created in 2008, but we’ve known for quite some time that we needed to rename our program to better represent the broader scope of work we provide for the cybersecurity practitioner and IT professional communities. We made the decision to update the name to Human-Centered Cybersecurity to better reflect our new (but long-time practiced) mission statement, “ championing the human in cybersecurity.” With our new name, we hope to highlight that usability still
https://www.nist.gov/blogs/cybersecurity-insights/nist-unveils-newly-named-human-centered-cybersecurity-program
With a mention in the new National Cyber Workforce and Education Strategy and even a dedicated state law , K–12 cybersecurity education clearly has the eye of policymakers. However, despite public attention and new opportunities for high school students to pursue cybersecurity coursework, high schools often struggle to provide students with a clear understanding of what cybersecurity careers actually look like. Hands-on learning experiences, like those we’ve had at our schools and during our internship with NICE at NIST, can help bring cybersecurity education and career pathways into focus for
https://www.nist.gov/blogs/cybersecurity-insights/hands-learning-experiences-encourage-cybersecurity-career-discovery
Background: NIST Special Publication (SP) 800-66 Healthcare organizations face many challenges from cybersecurity threats. This can have serious impacts on the security of patient data, the quality of patient care, and even the organization’s financial status. Healthcare organizations also must comply with regulatory requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, which focuses on safeguarding the electronic protected health information (ePHI) held or maintained by HIPAA covered entities and business associates (collectively,
https://www.nist.gov/blogs/cybersecurity-insights/nists-planned-updates-implementing-hipaa-security-rule-cybersecurity
International engagement is an integral part of many ongoing NIST efforts, including the Journey to the Cybersecurity Framework (CSF 2.0) update , our update to the digital identity guidelines, and increasing awareness of the NIST Privacy Framework and IoT cybersecurity work. In the update to NIST CSF 2.0, NIST continues to work with the international community. At NIST’s February 2023 virtual workshop on the CSF 2.0 update, participants from Italian and New Zealand governments and Mexican industry spoke on panels. In addition, participants joined from several countries. We are continuing to
https://www.nist.gov/blogs/cybersecurity-insights/international-engagement-brussels-and-beyond
NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development (SSDF) practices, highlighted by the NIST IR 8259 series—such as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST SSDF (NIST SP 800-218) describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide
https://www.nist.gov/blogs/cybersecurity-insights/ssdf-and-iot-cybersecurity-guidance-building-blocks-iot-product
RSA Conference week is always a whirlwind. NIST was there front and center last month, and we learned a lot, shared a lot, and made a big announcement during the festivities… We were excited to announce that NIST’s DRAFT Identity and Access Management Roadmap was released for public comment on Friday, April 14 th and that the comment period will be extended to June 16 th. What is the Roadmap? The Roadmap provides a consolidated view of NIST’s planned identity efforts over the coming years and serves as a vehicle to communicate our priorities. It provides guiding principles, strategic
https://www.nist.gov/blogs/cybersecurity-insights/mapping-out-our-destination-responsible-innovation-nist-identity
Did you know that 99.9% of businesses in America are small businesses? [1] Small businesses are a major source of innovation for our country—but they’re often faced with limited resources and budgets. Many of them need cybersecurity solutions, guidance, and training so they can cost-effectively address and manage their cybersecurity risks. Hmmm…where can you find guidance like this all in one place? Voila! The Small Business Cybersecurity Corner ! This website was created by NIST in 2019 in response to the NIST Small Business Cybersecurity Act, which directed us to “disseminate clear and
https://www.nist.gov/blogs/cybersecurity-insights/small-business-big-priority-nist-expands-outreach-small-business
Who needs to know ‘What,’ ‘When,’ and ‘How’ to tell them The Challenge There are many challenges to providing and maintaining cybersecurity in today’s connected world. While product developers increasingly consider security as they design and build products, they may not always communicate critical cybersecurity information about their connected products. Information gaps present a challenge to stakeholders—especially customers—who have limited insight into the security processes, functions and features that protect connected products, components, and services. Effective communication is the
https://www.nist.gov/blogs/cybersecurity-insights/importance-transparency-fueling-trust-and-security-through
If you own a computer, watch the news, or spend virtually any time online these days you have probably heard the term “phishing.” Never in a positive context…and possibly because you have been a victim yourself. Phishing refers to a variety of attacks that are intended to convince you to forfeit sensitive data to an imposter. These attacks can take a number of different forms; from spear-phishing (which targets a specific individual within an organization), to whaling (which goes one step further and targets senior executives or leaders). Furthermore, phishing attacks take place over multiple
https://www.nist.gov/blogs/cybersecurity-insights/phishing-resistance-protecting-keys-your-kingdom
Perhaps you’ve been hearing about data analytics, which is being promoted as a way for even small businesses to analyze communications with customers, enhance customer experience, save money, and ultimately improve your brand. However, data analytics can have big privacy implications. You may think of managing privacy risk as protecting sensitive customer information, such as credit cards. As the Venn diagram to the right demonstrates, data security is certainly one aspect of privacy risk, but privacy risks can also arise by means unrelated to cybersecurity incidents. People can experience
https://www.nist.gov/blogs/cybersecurity-insights/data-analytics-small-businesses-how-manage-privacy-risks
NIST has continued to collaborate into the fall season with partners throughout the world on the Cybersecurity Framework 2.0 update. International engagement and alignment with international standards are important themes for the 2.0 update and will drive changes to ensure global relevance. As part of this ongoing international engagement, NIST welcomed visitors to the NCCoE and NIST headquarters to discuss various cybersecurity topics and explore areas for mutual collaboration. In the past few weeks, NIST met with visitors from Italy, Singapore, New Zealand, Germany, and Brazil at the NCCoE
https://www.nist.gov/blogs/cybersecurity-insights/international-engagement-blog-singapore-international-cyber-week
There is a growing movement toward increasing the use of competency and skills-based education and hiring practices in both the public and private sectors. For example, the Executive Order on Modernizing and Reforming the Assessment and Hiring of Federal Job Candidates calls upon the Federal Government to “ensure that the individuals most capable of performing the roles and responsibilities required of a specific position are those hired for that position”—resulting in “merit-based reforms that will replace degree-based hiring with skills- and competency-based hiring.” Similarly, the
https://www.nist.gov/blogs/cybersecurity-insights/why-employers-should-embrace-competency-based-learning-cybersecurity
This blog will officially wrap up our 2022 Cybersecurity Awareness Month blog series — today we have a special interview from Marian Merritt, deputy director, lead for industry engagement for the National Initiative for Cybersecurity Education (NICE)! Marian will be discussing the importance of recognizing and reporting phishing incidents in detail. A phishing attack is an attempt to fool an individual into sharing private information or taking an action that gives criminals access to your accounts, your computer, login credentials or even your network. This week’s Cybersecurity Awareness
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2022-recognizing-reporting-phishing
Hi, our names are Aubrie, Kyle, and Lindsey! We participated in internships at the National Initiative for Cybersecurity Education (NICE) Program Office this past year. This is a career pivot for Aubrie, meaning this is her introduction to cybersecurity from another career; she is earning her master’s with a concentration in cybersecurity. Kyle was an undergraduate intern majoring in Computer Engineering. He is almost finished with his education and will soon be transitioning into the workforce. Lindsey is a high school member of the program. The three of us come from different academic and
https://www.nist.gov/blogs/cybersecurity-insights/student-insights-cybersecurity-careers
Cybersecurity Awareness Month is flying by, and today’s blog identifies different security vulnerabilities that can be exposed if you are unable to keep up with your software updates. We interviewed NIST’s Michael Ogata, a computer scientist in the Applied Cybersecurity Division, and he walked us through different strategies to minimize your cybersecurity risks. Michael also was able to provide cyber tips to improve online safety. This week’s Cybersecurity Awareness Month theme is updating software. How does your work/specialty area at NIST tie into this behavior? Today, mobile applications
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2022-updating-software
The key behavior that we are highlighting this week for Cybersecurity Awareness Month is using strong passwords and a password manager. In today’s blog we interviewed NIST’s Connie LaSalle, a senior technology policy advisor, and she offers four specific ways to mitigate your cybersecurity risks online while discussing the importance of adopting strong passwords. Take a look at her responses to our questions below… This week’s Cybersecurity Awareness Month theme is using strong passwords and a password manager. How does your work/specialty area at NIST tie into this behavior? As a senior
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2022-using-strong-passwords-and-password
In celebration of Cybersecurity Awareness Month, NIST will be publishing a dedicated blog series throughout October; we will be sharing blogs each week that will match up to four key behaviors identified by the National Cybersecurity Alliance (NCA). Today’s interview-style blog features two NIST experts —Bill Newhouse and Ryan Galluzzo—discussing different reasons to enable multi-factor authentication (a mechanism to verify an individual’s identity by requiring them to provide more information than just a username and password). Here are the questions they both were asked, along with their
https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2022-enabling-multi-factor-authentication
The subject of international alignment and alignment with international resources continues to be an important focus for NIST, particularly with the process for the Cybersecurity Framework (CSF) 2.0 update. This was an important area for many of our stakeholders, as described in the summary of analysis of the Request for Information (RFI) from February. NIST hosted its first virtual workshop on the journey to the CSF 2.0 update process in August. During the workshop, NIST described the importance of international alignment as well as the feedback we heard on continuing our international
https://www.nist.gov/blogs/cybersecurity-insights/nist-international-engagement-updates-csf-20-update-workshop-and-more
Today’s blog will jumpstart NIST’s celebration of Cybersecurity Awareness Month 2022! We have a lot in store for October and are looking forward to sharing our work, progress, events, and news with you. This year’s theme is "See Yourself In Cyber" and will cover four key behaviors: Enabling multi-factor authentication Using strong passwords and a password manager Updating software Recognizing and reporting phishing As a repeat Cybersecurity Awareness Month Champion, NIST is dedicated to promoting a safer online environment and helping others learn and understand the complex world of
https://www.nist.gov/blogs/cybersecurity-insights/final-countdown-cybersecurity-awareness-month-2022-its-easy-stay-safe
In providing a foundation for cybersecurity advancements over the years, NIST has taken the global context into account when determining priorities and approaches. Our participation in Standards Developing Organizations (SDOs) has expanded steadily, and we encourage international participation in the development of our own programs and resources. As we celebrate the 50 th anniversary of cybersecurity at NIST, it is more important than ever that we work with our partners around the world. NIST’s growing impact on the international stage is reflected in the many translations of our signature
https://www.nist.gov/blogs/cybersecurity-insights/nists-expanding-international-engagement-cybersecurity
Be4Sec
Sat, 04 May 2024 07:44:09 +0000Dropbox, a popular cloud storage and collaboration platform, recently disclosed a security breach impacting its eSignature service,Dropbox Sign. On May 2, 2024, the company revealed that hackers successfully infiltrated the platform, gaining access to sensitive customer information. The stolen data includes customer emails, usernames, phone numbers, and hashed passwords. Additionally,
https://be4sec.com/2024/05/04/box-opened-customer-data-compromised/
The concept of living inside a computer-generated world, much like Neo in The Matrix, has long intrigued minds across science and philosophy. Now, a controversial concept called the Second Law of Infodynamics proposes evidence that the very fabric of our reality might be digital. Dr. Melvin Vopson of the University
https://be4sec.com/2024/04/29/is-our-universe-a-computer-simulation/
International Business Machines (IBM) has announced its intention to acquire HashiCorp, a cloud infrastructure automation company, in a deal valued at $6.4 billion. This strategic move aims to expand IBM’s cloud-based software offerings and capitalize on the surging demand driven by artificial intelligence (AI). The deal comes as IBM experiences
https://be4sec.com/2024/04/27/ibm-to-acquire-hashicorp-to-expand-cloud-software/
In a major move within the cybersecurity sector, KnowBe4, a leading security awareness training platform, has announced the acquisition of Egress, a prominent cloud email security provider. This strategic partnership blends two powerful forces in the battle against cyber threats. Who are KnowBe4 and Egress? Partnership Potential The integration of
https://be4sec.com/2024/04/27/strengthening-cybersecurity-defenses-and-human-risk-management/
A recent cyberattack on a wastewater treatment plant in Tipton, Indiana, has been claimed by the Cyber Army of Russia Reborn (CARR), a Russian-speaking hacker group. The incident spotlights the ongoing vulnerability of critical infrastructure in smaller communities, even as the plant itself reportedly experienced minimal disruption. CARR has previously
https://be4sec.com/2024/04/26/russian-hackers-target-indiana-water-plant/
Dutch semiconductor manufacturer Nexperia has suffered a significant data breach, exposing sensitive information, including intellectual property. The company’s servers were compromised, prompting Nexperia to take them offline and launch a full-scale investigation. The extent of the damage remains unclear, and Nexperia hasn’t confirmed whether the attackers demanded ransom. However, the
https://be4sec.com/2024/04/26/dutch-chipmaker-nexperia-hit-by-data-breach/
A concerted effort by global law enforcement agencies has successfully dismantled LabHost, a notorious online platform specializing in phishing kits. Since its inception in 2021, LabHost accrued over $1 million in profits by providing cybercriminals with the tools to impersonate trusted websites and steal sensitive user data. The coordinated operation
https://be4sec.com/2024/04/23/international-crackdown-labhost-phishing-as-a-service-platform-busted/
Meta, the company formerly known as Facebook, is taking a proactive step to limit the spread of misinformation during India’s upcoming elections. Their AI arm, Meta AI, is blocking certain election-related keywords and redirecting users to the Indian Election Commission’s website. This decision comes amid growing concerns that AI could
https://be4sec.com/2024/04/22/meta-ai-restricts-election-related-responses-in-india-to-combat-misinformation/
A severe vulnerability (CVE-2024-31497) has been discovered in PuTTY, a widely used SSH and Telnet client. This flaw could allow attackers to steal users’ NIST P-521 private keys, potentially granting them unauthorized access to servers protected by those keys. Vulnerability Details The vulnerability lies in PuTTY’s generation of electronic signatures
https://be4sec.com/2024/04/18/critical-putty-flaw-exposes-users-ssh-keys-cve-2024-31497/
In today’s world, where information spreads at lightning speed, it’s easy to fall into the trap of misinformation. Amidst the noise, Google Fact Checking Tools aim to empower you with the ability to distinguish reliable sources from those perpetuating false claims. What are Google Fact Checking Tools? Google offers a
https://be4sec.com/2024/04/16/a-guide-to-google-fact-checking-tools/