
$100 Million Pledged by Google to Groups that Manage Open-Source Projects


Google recently announced a $100 million donation to organizations that manage open-source security priorities and assist with vulnerability fixes, and it has now revealed eight of the projects it will fund. The Linux Foundation recently stated that it will directly support people working on open-source project security; Google, Microsoft, the Open Source Security Foundation, and the Linux Foundation Public Health Foundation have all endorsed the effort. When problems are discovered, the Linux Foundation coordinates fixes.

The foundation and its partners will use the Open Source Technology Improvement Fund's (OSTIF) security assessments to hunt for previously discovered problems. Two Linux kernel security audits are among these initiatives.

The Open Source Technology Improvement Fund is a non-profit corporation committed to improving the security of open-source software. OSTIF makes it simple for projects to dramatically improve security by enabling security audits and reviews. 

"Google's support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open-source ecosystem," said Kaylin Trychon, a security comms manager on the Google Open Source Security team.

OSTIF selected 25 essential projects for MAP, which were then prioritized to determine the eight that will get Google funding. Trychon explains that the eight chosen projects, which include libraries, frameworks, and applications, were chosen because enhancing their security will have the most influence on the open-source ecosystem. 

The eight projects include Git, the prominent version control software, Lodash, a JavaScript utility library, and Laravel, a PHP web application framework, along with five Java-related projects. Git, the "de facto" version control software created by Linux kernel founder Linus Torvalds, which forms the backbone of platforms like GitHub and GitLab, is perhaps the largest of the eight audit projects Google is sponsoring.

Well-known systems and tools used by developers, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat's Ansible, and Google's Guava Java framework, are among the projects with funding pending support. 

Google made a $10 billion commitment to boosting zero-trust programmes, securing software supply chains, and enhancing open-source security following a meeting between US President Joe Biden and leading US tech corporations last month.

Google Docs Scam Still Pose a Risk


A phishing attack known as the "Google Docs worm" proliferated over the internet in May 2017. It impersonated Google Docs and requested full access to Gmail accounts' emails and contact lists via specially crafted web apps. The scam worked so well because the requests appeared to come from people the target knew. If they granted permission, the software would send the identical fake email to the victim's contacts, spreading the worm further. It affected over a million accounts before Google contained the situation.

However, a new study suggests that the company's solutions are insufficient. Another Google Docs phishing fraud might strike at any time. 

According to independent security researcher Matthew Bryant, Google Workspace phishing and scams draw most of their effectiveness from abusing legitimate features and services. Targets are prone to fall for the attacks because they trust Google's services. To a great extent, the strategy puts the activity outside the reach of antivirus tools or other security scanners, since it is web-based and rides on a legitimate platform.

In research presented at the Defcon security conference this month, Bryant described techniques attackers could use to get past Google's upgraded Workspace protections. Recent scams used a similar general approach of modifying genuine Google Workspace notifications and features to make phishing links or pages look more legitimate and enticing to targets.

All of these problems, according to Bryant, arise from Workspace's conceptual design. The same qualities that make the platform versatile, adaptive, and sharing-friendly also make it vulnerable to misuse. The risks are significant, with over 2.6 billion Google Workspace users. 

“The design has issues in the first place, and that leads to all of these security problems, which can’t just be fixed—most of them are not magical one-off fixes. Google has made an effort, but these risks come from specific design decisions. A fundamental improvement would involve the painful process of potentially re-architecting this stuff,” he added. 

Following the 2017 incident, Google strengthened the rules for applications that interact with Google Workspace, particularly those that request sensitive data such as emails or contacts. These "Apps Script" apps can be used by individuals, although Google mainly provides them so that corporate users can modify and enhance Workspace's features. With the additional restrictions in place, if an app has more than 100 users, the developer must submit it to Google for a thorough assessment before it can be released. Meanwhile, if people try to launch an app that hasn't been approved and has fewer than 100 users, Workspace displays a prominent warning page.

Even with those safeguards in place, Bryant discovered a gap. Such small applications can run without warnings if a user receives one attached to a document shared by someone in their own Google Workspace organization. The idea is that users trust their coworkers enough that strict warnings and notifications are unnecessary. Design decisions of this kind, however, leave potential attack points.


Bryant discovered that by sharing a link to a Google Doc with one of these applications attached and changing the word "edit" at the end of the URL to "copy," the user who opens the link is shown a "Copy document" prompt. The user can simply close the tab, but if they believe the document is genuine and click to create a copy, they become the creator and owner of that copy. They are also recorded as the "developer" of the app, which is still attached to the document. When the app then asks for permission to run and access their Google account data, the victim sees their own email address in the prompt and receives no warnings.

Although not all of an app's elements would copy over with the document, Bryant found a way around this as well. An attacker can embed the missing elements in Google Workspace's version of a task-automation "macro," which is very similar to the Microsoft Office macros that are frequently exploited.

Finally, an attacker might persuade someone inside a company to take ownership of and provide access to a malicious app, seeking access to other people's Google accounts inside the same company without notice. 

A Google spokesperson told WIRED, "We’re appreciative of the researcher’s work in identifying and reporting these risks. We are actively making further product improvements based on this research.” 

None of these flaws, according to Bryant, are exclusive to Google Workspace. He also adds that the possibility of future Google Docs phishing attacks shouldn't be a cause for alarm. The classic advice applies: users should only open files they expect, and if unsure why they are receiving a specific document, they should verify with the claimed sender.

On the other hand, the findings highlight the difficulty of preventing misuse on omnipresent platforms designed for flexibility and simplicity. Even something seemingly harmless like Google Docs may rapidly become a launchpad for an attack, possibly affecting billions of people.

New DNS Flaw Enables 'Nation-State Level Spying' on Companies


Researchers have discovered a new category of DNS vulnerabilities affecting major DNS-as-a-Service (DNSaaS) providers, which could allow attackers to access sensitive data from corporate networks.

DNSaaS providers (also referred to as managed DNS providers) rent DNS to other businesses that don't want to maintain and secure yet more network infrastructure on their own.

These DNS vulnerabilities, disclosed by cloud security firm Wiz researchers Shir Tamari and Ami Luttwak at the Black Hat security conference, grant threat actors nation-state-level intelligence-harvesting capabilities through a simple domain registration.

As described, they simply created a domain and used it to hijack a DNSaaS provider's nameserver (in this instance, Amazon Route 53), allowing them to eavesdrop on dynamic DNS traffic flowing from Route 53 customers' networks.

The Wiz researchers stated, "We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google."

"The dynamic DNS traffic we 'wiretapped' came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies." 

The data they acquired this way included employee and computer names and locations, as well as highly sensitive details about organizations' infrastructure, such as Internet-exposed network equipment.

In one instance, the researchers used network data from 40,000 corporate endpoints to trace the office locations of one of the world's major services companies. The information gathered in this manner would make it much simpler for threat actors to compromise an organization's network since it would offer them a bird's eye perspective of what's going on within corporations and governments and provide them with "nation-state level surveillance capacity." 

The researchers have found no indication that the DNS flaw they identified has ever been exploited in the wild, but they warn that anyone who knew of the vulnerabilities and had the skills to exploit them could have been gathering data undetected for over a decade.

"The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration. Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable," they added at Black Hat. 

Patched by some, likely to affect others: 

Although two major DNS providers (Google and Amazon) have already patched these DNS vulnerabilities, others are likely still vulnerable, potentially exposing millions of devices to attacks.

Moreover, it is unclear who is responsible for fixing this serious DNS flaw. Microsoft had previously told Wiz that it does not consider this a vulnerability, rather than altering the dynamic DNS mechanism that permits Windows endpoints to leak internal network traffic to rogue DNS servers.

Microsoft described the flaw as "a known misconfiguration that occurs when an organization works with external DNS resolvers."

To minimize DNS conflicts and network difficulties, Redmond recommends utilizing distinct DNS names and zones for internal and external hosts and provides extensive guidance on how to correctly handle DNS dynamic updates in Windows. 

Managed DNS providers can mitigate nameserver hijacking by adhering to the RFC's "reserved names" specification and by checking and confirming domain ownership and validity before allowing their customers to register such names. Companies renting DNS servers can also modify the default Start-of-Authority (SOA) record to stop internal network traffic from leaking via dynamic DNS updates.

CISA Partners with Leading Technology Providers for New Cybersecurity Initiative


As part of a new campaign aimed at improving the country's cyber defences, the US government has announced partnerships with Amazon, Microsoft, Google, and other major corporations. According to CISA Director Jen Easterly, the Joint Cyber Defense Collaborative, or JCDC, would strive to take a proactive approach to cyber defense in the wake of multiple high-profile breaches that damaged the federal government and the general public. 

The JCDC would initially focus on battling ransomware and other cyberattacks against cloud computing providers, according to a Wall Street Journal report, in order to avoid situations like the recent Kaseya supply-chain ransomware incident that occurred earlier this summer. 

“The industry partners that have agreed to work side-by-side with CISA and our interagency teammates share the same commitment to defending our country’s national critical functions from cyber intrusions, and the imagination to spark new solutions,” Easterly said in the statement. 

CISA will be able to integrate unique cyber capabilities across numerous federal departments, state and local governments, and private sector firms to achieve shared objectives due to the establishment of the JCDC. The new programme will also enable the public and commercial sectors to share information, coordinate defensive cyber operations, and participate in joint exercises to improve cyber defense operations in the United States. 

Aside from AWS, Microsoft, and Google Cloud, the JCDC will collaborate with AT&T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks, and Verizon. Meanwhile, the Department of Defense (DoD), US Cyber Command, the National Security Agency (NSA), the Department of Justice (DoJ), the FBI, and the Office of the Director of National Intelligence are among the government's partners.

Rep. Jim Langevin, D-RI, a member of the Cyberspace Solarium Commission and a senior member of the House Committee on Homeland Security, said the JCDC is “exactly the kind of aggressive, forward-thinking we need to combat the ever-growing cyber threats that face our nation.” In a statement, Langevin said the JCDC “brings together our [Cyberspace Solarium Commission] recommendations about planning, intelligence fusion and cybersecurity operations in a visionary way.”

According to a Langevin aide, the Joint Cyber Defense Collaborative will house the Joint Planning Office, which Congress has authorised, as well as the Joint Collaborative Environment, if passed this year as politicians like Langevin hope.

Security Researcher Discovers Serious Flaw in Chromium, Bags $15,000 Reward


A recently patched vulnerability in the Chromium project enabled malicious parties to inject code into embedded web pages, even though those resources were isolated from the parent website.

Chromium is an open-source browser project that aims to make the web a safer, faster, and more stable experience for everyone. The project site provides design documents, architecture overviews, and testing information to help users learn to build and work with the Chromium source code.

The security researcher who initially discovered the vulnerability presented a proof of concept that illustrates an attacker-controlled website abusing the vulnerability to manipulate the information of an embedded website, despite the fact that the target and destinations are on different servers. 

As illustrated in a recent post on the Chromium website, the vulnerability may be leveraged even if the web browser "site isolation" feature is turned on. Site isolation is a security feature that divides each website into its own process to increase security. 

According to the researcher, the inter-process communication between isolated processes contained a race condition, a flaw in systems that must carry out a task in several steps: if the system is vulnerable for a brief window between those steps, an attacker can exploit that window to make harmful changes. Among other things, this flaw could allow intruders to insert malicious code into embedded sites or steal personal information from users.

The vulnerability was discovered in late March and resolved before the end of April. The security researcher received $15,000 from Google's Vulnerability Rewards Program for his finding. The vulnerability has been demonstrated as a “site isolation break because of double fetch of shared buffer”. 

“We always appreciate working with the research community through our Vulnerability Rewards Program, and thanks to this report we were able to patch the issue in Chrome 90,” a Google spokesman told The Daily Swig.

Chrome 92 Update by Google Patches 10 High Severity Vulnerabilities


Chrome 92 (92.0.4515.131), the Google security update issued for Windows, Mac, and Linux, has patched at least 10 vulnerabilities. Chrome 92 is an update that speeds up the browser's phishing-detection calculations, extends the scope of its site isolation technologies, and adds a few new 'Chrome Actions' to the repertoire.

The search giant established in California has awarded over $133,000 in rewards to users who identified some 35 vulnerabilities addressed in Chrome 92. At least 9 of the flaws were categorized under high severity, the current highest threat level from Google. 

Researchers Leecraso and Guang Gong of the 360 Alpha Lab team at Chinese cybersecurity company Qihoo 360 earned $20,000 for finding a high-severity vulnerability identified as CVE-2021-30590. Google described the issue as a buffer overflow in Bookmarks.

Leecraso told SecurityWeek that CVE-2021-30590 is a sandbox escape issue that could be "exploited with an extension or a compromised renderer." An attacker can exploit the flaw to remotely execute code outside of Chrome's sandbox. The vulnerability can be leveraged to break out of the browser's sandbox because it is an out-of-bounds write, and exploitation would only require the user to install the extension.

Google Chrome Sandbox is a development and test environment for developers of Google Chrome-based applications. The sandbox environment provides test and staging infrastructure without the code under test modifying existing code and databases.

Two vulnerabilities uncovered by researcher David Erceg have also been rated high severity. CVE-2021-30592, described as an out-of-bounds write in Google's Tab Groups, earned him $10,000, while CVE-2021-30593, described as an out-of-bounds read in Tab Strips, earned him a $5,000 bug reward.

“CVE-2021-30592 would require a malicious extension to be installed,” Erceg told SecurityWeek. “As for CVE-2021-30593,” he added, “it would be easier to trigger with an extension, though a web page could trigger the behavior under some more restricted circumstances. The impact is similar to CVE-2021-30592, in that an attacker could potentially escape the sandbox if they could set up memory in the appropriate way before the out-of-bounds read occurs. This issue could also be exploited on its own, but it does require some more specific interaction from the user.” 

CVE-2021-30591, a use-after-free flaw in the File System API, is another high-severity vulnerability for which Google paid $20,000. It was reportedly discovered by researcher SorryMybad of Kunlun Lab.

It is worth noting that Google pays up to $20,000 for Chrome sandbox escape vulnerabilities submitted in a high-quality report. If researchers additionally provide a functioning exploit, they can receive up to $30,000 for such flaws.

Users should upgrade Chrome as soon as possible, given that the web browser appears to be increasingly targeted for malicious activity. It is worth noting that this year, Google has fixed over half a dozen zero-day vulnerabilities that were being actively exploited.

Google Took Down Luring Ads Posing as Brave Browser


Malicious advertising lured internet visitors to a bogus Brave website. Instead of the Brave browser, the fraudulent site delivered a variant of the ArechClient (SectopRAT) malware. Google put an end to the scam by removing the fraudulent advertisement.

Users looking to install the Brave browser were shown a cleverly disguised advertisement that sent them to a malicious website, where malware was planted on their computers.

This rogue website was hosted at brav.com, in which one letter of "Brave" is replaced with a small Lithuanian character (with a dot on top) in place of the standard Latin letter. Brave is a free and open-source web browser built on Chromium by Brave Software, Inc.

Brave is a privacy-focused browser, known for blocking online ads and website tracking in its default settings. Users who visited the site, which was engineered to resemble the genuine Brave portal, downloaded an ISO file claiming to contain the Brave installer.

Instead of the Brave browser installer, the ISO file contained a variant of the ArechClient malware (SectopRAT), security researcher Bart Blaze told The Record after analyzing the malicious file. The malware's main purpose is to steal data from browsers and cryptocurrency wallets, Blaze said.

It also contains many anti-VM and anti-emulator checks to hinder investigators and security products from identifying its malicious capabilities.

It is advisable to change web account passwords and transfer cryptocurrency assets to new addresses for anybody who inadvertently downloaded this spyware. Nevertheless, Google has claimed that the fraudulent ad had been deleted. 

Attacks of this kind are referred to as IDN homograph attacks, in which threat actors register domains using internationalized characters that look similar to letters of the Latin alphabet.

Attacks like the one against Brave have been conducted for over a decade, since internationalized glyphs were permitted in domain names, and browsers have responded to those non-standard characters with Punycode.

For instance, when the page is loaded in a modern browser, the fraudulent domain brav.com is displayed as xn--brav-epa.com, but visitors who do not pay attention to the address bar would most likely still download the malicious payload.
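To show the Punycode mapping above from the defender's side, here is an added Python example (not from the article, Brave, or Google): it converts between the Unicode and xn-- forms with Python's built-in idna codec and flags labels that mix scripts or reduce to a watched brand name. The confusables table is an assumed, tiny subset of Unicode's UTS #39 list, and the Cyrillic test hostname is constructed; the Unicode form of the article's xn--brav-epa.com is whatever the codec decodes it to.

```python
import unicodedata

# Illustrative subset of Unicode confusables (UTS #39), assumed for this
# example; the real table is far larger. Maps Cyrillic lookalikes to Latin.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def to_ace(hostname):
    """Unicode hostname -> ASCII-compatible (xn--) form, as the address bar shows it."""
    return hostname.encode("idna").decode("ascii")


def from_ace(hostname):
    """xn-- hostname -> Unicode form; plain ASCII names pass through unchanged."""
    return hostname.encode("ascii").decode("idna")


def skeleton(label):
    """Crude lookalike skeleton: drop accents/diacritics, then map known confusables."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def scripts_in(label):
    """Script names (taken from Unicode character names) of the letters in a label."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        if ch.isascii():
            scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def assess(hostname, brands):
    """Flag a hostname (Unicode or xn-- form) that mixes scripts or mimics a brand label."""
    unicode_form = from_ace(hostname) if hostname.isascii() else hostname
    findings = []
    for label in unicode_form.lower().split(".")[:-1]:  # skip the TLD
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append("mixed scripts %s in %r" % (sorted(scripts), label))
        sk = skeleton(label)
        if sk in brands and sk != label:
            findings.append("%r looks like brand %r" % (label, sk))
    return {
        "unicode": unicode_form,
        "ace": to_ace(unicode_form),
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # The third host is a constructed Cyrillic lookalike, not one from the article.
    for host in ("brave.com", "xn--brav-epa.com", "brav\u0435.com"):
        print(assess(host, {"brave"}))
```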

Google Play Protect Fails Malware Detection Test by AV-TEST


Google's built-in malware defense has failed yet again in a rigorous real-world security test conducted by the antivirus lab AV-TEST. Between January 2021 and June 2021, Google Play Protect ranked lowest among all 15 Android security apps examined.

The test of 15 security apps on Android devices found that Google's system detected only two-thirds of 20,000 harmful apps. Unlike Google Play Protect, applications from firms such as Bitdefender, McAfee, NortonLifeLock, and Trend Micro achieved detection rates as high as 100%.

At Google I/O in May 2017, Google unveiled its Android mobile threat protection, which continuously scans more than 100 billion apps every day. Google Play Protect has since been deployed on billions of devices and today provides integrated malware protection for more than 2.5 billion Android apps.

In 2017 Google rolled out Google Play Protect, which helped reduce the number of malware cases on Android in 2018. Nevertheless, recent studies have shown that although Google Play Protect is installed by default, a range of malware applications can still reach consumers.

Google Play Protect features device capabilities that help maintain security for devices and data. These on-device services include cloud-based elements that enable Google to upgrade its performance consistently. 

Although every program that is installed and opened on the smartphone is continually scanned, "the endurance test revealed that this service does not provide particularly good security: every other security app offers better protection than Google Play Protect."

In the test sessions, the security apps had to detect more than 3,000 new malware samples as well as 3,000 existing samples, each about one month old. AV-TEST reports that only five programs – Bitdefender, G DATA, McAfee, NortonLifeLock, and Trend Micro – identified malware with 100% accuracy in real time.

In real-time testing Google Play Protect detected only 68.8% of harmful apps, and 76.6% in the reference-set testing. Even Ikarus, the lowest-rated third-party security app, scored better than Google Play Protect.

Google also did not do well on false positives in malicious-application detection: it flagged 70 applications as unsafe out of approximately 10,000 harmless applications used for the random test.

The best way to stay safe is to install one of the best-rated third-party security apps on the Android device. Relying solely on Google Play Protect is not a prudent option, as this exhaustive AV-TEST test demonstrates.

Google Plans to Ban 'Sugar Dating' Apps From September


Google is set to remove "Sugar Dating" applications from the Play Store in order to make the Android app download market a safer place. From September 1, "Sugar Dating" apps will no longer be available on the Play Store, according to the company.

Google is targeting applications that promote financial compensation in relationships, as there is a slew of "Sugar Daddy" type dating apps available. Google's "inappropriate content policy" has been modified, and additional limits will be imposed on sexual content, "especially forbidding compensated sexual relationships" (i.e., sugar dating).

A relationship in which a man provides money or possessions to someone younger than him in exchange for favors is referred to as a "Sugar Daddy" relationship. Previously, this didn't appear to be an issue for Google, but many platforms are rapidly attempting to establish an atmosphere more in touch with today's awareness culture.

But considering that certain traditional dating apps and social networks are also used for paid relationships, the question is how big an impact the change will have on them. Ultimately, this update is primarily intended to safeguard young people from privacy and safety risks while using applications.

Google is taking these steps at a time when Trump's Fosta-Sesta law from 2018 is being increasingly utilized to target sites that encourage prostitution and online sex work. This legislation makes it simpler to penalize websites that aid in sex trafficking. Operators of sites that allow sex workers to communicate with clients, for example, may face a 25-year jail sentence. 

Although the law has hardly ever been enforced to date and could act as a deterrent, a 2020 report by a group of sex workers called Hacking/Hustling found that the law has had a "detrimental effect on online workers' economic stability, safety, access to the community, and clinical outcomes," as pressure on online platforms leads to the removal of tools such workers use to stay safe.

Google's update also seeks to enhance children's safety, particularly their privacy. Advertisers will no longer be able to obtain advertising IDs from a child-oriented application. These IDs are essentially browsing data that advertisers use to tailor their ad campaigns to reach their target market and improve sales. Google, like other digital giants, appears to be moving in the direction of more effectively safeguarding young people on its platforms and other networks.

Furthermore, Google's Store Listing and Promotion policy will be updated on September 29, 2021, to ban spam text and images in app titles, icons, and developer names.

Facebook says Iranian Hackers Targeted U.S. Military Personnel


On Thursday, Facebook announced that it had shut down approximately 200 accounts operated by a group of hackers in Iran as part of a cyber-spying operation that focused primarily on US military officials and others working in defense and aerospace firms. 

The group, termed 'Tortoiseshell' by security experts, utilized fraudulent online identities to interact with targets, establish confidence over time (often months), and lead them to other sites where they were duped into clicking malicious links that infected their devices with spying software, according to Facebook. 

In a blog post, Facebook's investigative team stated, "This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who's behind it." 

According to Facebook, the group created fake identities on numerous social media sites to look more legitimate, frequently impersonating recruiters or staff of aerospace and defense firms. LinkedIn, which is owned by Microsoft, announced the removal of several accounts, while Twitter said it was "actively investigating" the data in Facebook's report.

According to Facebook, the malware was distributed via email, chat, and collaboration platforms, including as malicious Microsoft Excel spreadsheets. In a statement, a Microsoft spokesman said the company was aware of and tracking this actor, and that it takes action when harmful behavior is detected.

Google stated it had discovered and prevented phishing on Gmail as well as provided user warnings. Slack, a workplace messaging service, claimed it has taken action against hackers who exploited the platform for social engineering and had shut down any Workspaces that broke its rules. 

According to Facebook, the hackers utilized customized domains to entice their targets, including phony defense recruitment websites and internet infrastructure that spoofed a real job search website for the US Department of Labor. 

In a campaign that began in mid-2020, Facebook claimed the hackers mostly targeted users in the United States, as well as some in the United Kingdom and Europe. It did not name the firms whose employees were targeted, but its chief of cyber espionage, Mike Dvilyanski, said the "fewer than 200 individuals" who were targeted were being alerted. 

The campaign appeared to demonstrate an extension of the group's operations, which had previously been claimed to focus mostly on the Middle East's I.T. and other businesses, according to Facebook. A section of the malware employed by the organization was developed by Mahak Rayan Afraz (MRA), a Tehran-based IT firm with links to the Islamic Revolutionary Guard Corps, as per the inquiry. 

Mahak Rayan Afraz's contact information was not readily available to Reuters, and former employees of the firm did not respond to LinkedIn messages sent to them. A request for comment from Iran's mission to the United Nations in New York was not immediately answered. The allegations that MRA is involved in Iranian state cyber espionage are not new. MRA was one of numerous contractors suspected of assisting the IRGC's elite Quds Force, according to cybersecurity firm Recorded Future.

Iranian spies, like other espionage services, have long been alleged to farm out their missions to a variety of domestic contractors. Facebook stated the fraudulent domains had been blocked from being shared, while Google said the domains had been added to its "blocklist."

Microsoft Adds DNS-over-HTTPS to Windows 11


DNS-over-HTTPS is a privacy feature in Windows 11 that allows users to evade censorship and monitoring of their Internet activity by performing encrypted DNS lookups. Before connecting to a website or other host on the Internet, your computer must first query a domain name system (DNS) server for the IP address associated with the hostname.

The protocol aims to improve user privacy and security by encrypting the traffic between the DoH client and the DoH-based DNS resolver using HTTPS, which prevents eavesdropping and man-in-the-middle modification of DNS data. Google and the Mozilla Foundation began testing DNS over HTTPS in March 2018. For users in the United States, Firefox switched to DNS over HTTPS by default in February 2020.

The IETF published RFC 8484 (October 2018) as a proposed standard for DoH. It uses HTTP/2 and HTTPS, and it carries wire-format DNS data, the same format returned in existing UDP responses, in an HTTPS payload with the MIME type application/dns-message. If HTTP/2 is implemented, the server may also send items it predicts the client will find valuable in advance via HTTP/2 server push. 

As some governments and ISPs block access to websites by monitoring a user's DNS traffic, DoH helps users avoid censorship, reduces spoofing attacks, and increases privacy, because DNS requests become more difficult to track. Microsoft has re-enabled the DoH capability in Windows 11, and users who currently use DNS servers from Cloudflare, Google, or Quad9 can begin testing it again. 

According to Microsoft, it would be preferable if the DoH server for a configured DNS server could be identified automatically; however, this would pose a privacy concern. "It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could be established, we would have to first send a plain-text DNS query to bootstrap it," says Tommy Jensen, a Program Manager on the Windows Core Networking team, in a new blog post. 

"This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates." Using Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR), which Microsoft has submitted to the IETF ADD WG, Microsoft aims to learn about new DoH server configurations from a DNS server in the future.

Security Bug Detected in Google’s Android App

A vulnerability in Google's eponymous Android app, which has over five billion downloads to date, could have enabled an attacker to stealthily steal personal information from a victim's device. 

In a blog post, Sergey Toshin, founder of the mobile app security group Oversecured, noted that the issue lies in the way the Google app relies on code that is not packaged with the app directly. Several Android apps, notably the Google app, reduce their download size and storage footprint by depending on code libraries already installed on the Android device. 

However, the shortcoming in Google's code allowed a malicious application to inherit the permissions of the Google app, giving it almost complete access to a user's data. 

The Google app could also be made to load the code library from a malicious app on the very same device rather than from its legitimate source. The resulting access covers Google user accounts, search history, e-mails, text messages, contacts, and call history, as well as triggering the microphone and camera and reading the user's location. 

Toshin added that the malicious application needs to be launched only once for the attack to start, and the attack is carried out without the user's knowledge or cooperation. He also noted that uninstalling the malicious app does not remove the malicious components from the Google app. 

A Google spokesperson said the company addressed the issue last month and that there was no evidence the flaw had been exploited by attackers. Android's built-in malware scanner, Google Play Protect, blocks the installation of harmful apps. However, no safety feature is absolute, and malicious apps are already circulating. 

Toshin stated that the vulnerability in Google's app is similar to a bug identified in TikTok earlier this year that would allow an attacker to hijack a TikTok user's session tokens and use them to take control of the account. 

Oversecured has identified several other similar vulnerabilities, including in the Google Play app for Android and, more recently, in pre-installed apps on Samsung phones.

Tim Cook Claims Android has 47 Times the Amount of Malware as iOS

During a live chat, Apple CEO Tim Cook stated that Android has more malware than iOS and that "sideloading" mobile software is not in the "best interests of users." Sideloading apps means manually downloading and installing software from the Internet rather than from an app store. Apple's security and privacy would be ruined if it were compelled to allow side-loading of programmes, as Android does, he stated on June 16 while speaking remotely at the VivaTech 2021 conference in Paris, France. 

When asked about the planned European law known as the Digital Markets Act (DMA), which aims to prevent big digital corporations from abusing their market position, Cook stated that Apple opposes it because it would require the company to allow consumers to install apps from outside the App Store. Cook also stated that Android has "47 times more malware" than Apple because iOS is designed around a single app store. 

Explaining the reason, Cook added, "It's because we've designed iOS in such a way that there's one app store and all of the apps are reviewed prior to going on the store. And so that keeps a lot of this malware stuff out of our ecosystem, and customers have told us very continuously how much they value that, and so we're going to be standing up for the user in the discussions." 

Cook further claimed that the DMA's present language, which will compel side-loading on the iPhone, will "destroy the security" of the smartphone and many of the App Store's privacy measures. 

DMA targets firms with a huge user base, such as Apple, Google, and Amazon, and encourages them to open up their platforms to competitors. The proposed rule also intends to provide a more level playing field for businesses and individuals who rely on large "gatekeeper" online platforms to sell their goods and services in a single market. 

“We've been focusing on privacy for over a decade,” Cook stated when asked about Apple's commitment to privacy. “We see it as a basic human right. A fundamental human right. And we've been focused on privacy for decades. Steve used to say privacy was stating in plain language what people are signing up for and getting their permission. And that permission should be asked repeatedly. We've always tried to live up to that.”

Google Meet's Server Down Globally, Twitter Flooded With Complaints

Since worldwide lockdowns and restrictions on workplaces, schools and universities were imposed, people have faced several problems. However, this did not stop them from working, which has only been possible through technology and social media platforms. 

We all hold various meetings on Google Meet and similar applications owing to their reliability, but on 5th June in India, Twitter saw many users struggling with server issues. More than 1,000 people reported problems joining their meeting links via Google Meet. 

Users who were facing problems started reporting their issues on many social media platforms, including Twitter, asking Google to fix the glitch as soon as possible. Users had been facing server problems since 7 AM, early in the morning. Many students who were supposed to attend classes over the service also reported complaints. Meanwhile, several other users reported issues with the audio service. 

Following the event, many users were found writing about the server issues on Downdetector, an online platform that provides people with real-time information about the status of various websites and services. 

Many users are still facing problems and awaiting fixes. No official statement has been published regarding the outage so far. Interestingly, only a few days earlier Google Meet had introduced a new user interface (UI) for its web version. 

Here are some of the complaints that users reported: 

"Meet is not working specially for people in North India. I am getting disconnected and can't hear audio and see the presentation," wrote a user on Downdetector. 

"Meet not working properly, disconnecting automatically and also no audio. Don't fix it's great. Thanks ?? no class today," another user said. 

Several users also took to Twitter to complain. "@GoogleIndia .Google meet not working, it's meeting Left Every time problem getting today after some updates from Microsoft Windows," tweeted a user.

Research Reveals More Than 2000 Chrome Extensions Disabled Security Headers

Tens of thousands of Google Chrome extensions available from the official Chrome Web Store manipulate security headers on major websites, exposing visitors to web attacks. 

Although security headers are little known, they are a vital part of today's web ecosystem. HTTP security headers are a key component of website security: when implemented, they protect users against the kinds of attacks most likely to occur on the website, including XSS, code injection, clickjacking and similar attacks. 

In many cases, according to the research team, the Chrome extensions that deactivated CSP and other security headers did so “to introduce additional seemingly benign functionalities on the visited web page,” and did not appear nefarious in purpose. Paradoxically, Chrome's extension framework pushes extensions to do this in the name of security: an extension's content script can access the page's DOM, but cannot interact with the page's own scripts, so extensions that want to inject script into the page relax the headers instead. 

When a user visits a website, the browser requests the page from a server. While the site itself is delivered as HTML, JavaScript, and CSS code, website owners can direct the browser to handle the provided material in various ways by adding parameters in the HTTP response headers. 

While not all websites use security headers, many of today's leading web services incorporate them to protect their customers, as they face more web-based attacks than ordinary sites because of their larger size. 

Even when website operators configure their security headers, there is no guarantee those headers still exist by the time the response reaches the client side, where they can be detected and stripped by a man-in-the-middle attacker, by malware running on the operating system, or by browser extensions. 

Researchers at the CISPA Helmholtz Center stated that their study was the first attempt to evaluate how many Chrome extensions tamper with security headers. 

The research team studied 186,434 Chrome extensions that were available last year on the official Chrome Web Store, using a custom infrastructure they developed specifically for the research. 

Their analysis found that 2,485 extensions intercepted and altered at least one security header used by today's Top 100 most popular websites. The study focused on the four most prevalent security headers: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options. 

While 2,485 extensions disabled at least one of the headers, 553 of them disabled all four security headers studied. 

CSP, a security header created to let site owners control which web resources a page may load inside the browser and a standard defense against XSS and data injection attacks, was the security header most widely disabled.
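As an added example (not code from the CISPA study or the original post), the following Python check compares the four headers the study examined as sent by the server with what actually reached the page, and reports each one as removed, weakened or intact. Both header sets are constructed; in practice the observed set would come from the browser side, for instance via the extension's own network logging or a DevTools export.

```python
# The four response headers the CISPA study focused on, lowercased because
# HTTP header names are case-insensitive.
SECURITY_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
)

def normalize(headers: dict) -> dict:
    """Lowercase names and trim values so server and observed sets compare cleanly."""
    return {k.lower(): v.strip() for k, v in headers.items()}

def csp_directives(csp: str) -> dict:
    """Parse 'name src src; name src' into {directive: set(sources)}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = set(tokens[1:])
    return out

def csp_weakened(server_csp: str, observed_csp: str) -> bool:
    """True when a directive disappeared or gained sources (e.g. 'unsafe-inline')."""
    server, observed = csp_directives(server_csp), csp_directives(observed_csp)
    for name, sources in server.items():
        if name not in observed or not observed[name] <= sources:
            return True
    return False

def audit_headers(server: dict, observed: dict) -> dict:
    """Return {header: 'removed' | 'weakened' | 'ok'} for each studied header
    the server sent. Headers the server never set are not reported."""
    s, o = normalize(server), normalize(observed)
    report = {}
    for h in SECURITY_HEADERS:
        if h not in s:
            continue
        if h not in o:
            report[h] = "removed"
        elif h == "content-security-policy":
            report[h] = "weakened" if csp_weakened(s[h], o[h]) else "ok"
        else:
            report[h] = "ok" if s[h].lower() == o[h].lower() else "weakened"
    return report

# Constructed sample: what the server sent ...
SERVER_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
# ... and what reached the page after an extension rewrote the response (constructed):
# X-Frame-Options is gone and script-src now allows inline script.
OBSERVED_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for header, verdict in audit_headers(SERVER_HEADERS, OBSERVED_HEADERS).items():
        print(f"{header}: {verdict}")
```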

Cyber Attackers Hijacked Google and Microsoft Services for Malicious Phishing Emails

Over recent months, the cybersecurity industry has seen a huge increase in malicious actors exploiting Microsoft's and Google's networks to host and deliver threats through Office 365 and Azure. 

Threat actors have quickly followed businesses' move to cloud services during the pandemic, concealing themselves behind the ubiquitous, trusted services of Microsoft and Google to make their email phishing scams appear legitimate; and it works. 

In particular, during the first three months of 2021, researchers found that 7 million malicious e-mails were sent from Microsoft 365 and 45 million from Google's network. The Proofpoint team said that cyber-criminals had been able to send phishing e-mails and host attacks using Office 365, Azure, OneDrive, SharePoint, G Suite, and Firebase. 

“The malicious message volume from these trusted cloud services exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders,” the report, issued on Wednesday, explained. “This authenticity perception is essential, as email recently regained its status as the top vector for ransomware; and threat actors increasingly leverage the supply chain and partner ecosystem to compromise accounts, steal credentials and siphon funds.” 

Proofpoint estimated that 95% of organizations had been targeted with cloud account attacks, that more than half of those attacks succeeded, and that more than 30% of the organizations were compromised. 

Once attackers have access to passwords, they can easily move in and out of several services and send out further, more persuasive phishing emails. 

Proofpoint offered many examples of campaigns hosted on Microsoft and Google services that tried to trick users into giving up their details. 

In March, attackers used Gmail to host another operation that sent a fake benefits message with a Microsoft Excel attachment, which delivered The Trick banking Trojan to steal credentials whenever macros were enabled. 

Another Gmail-hosted attack in February sought to persuade users to enter their passwords to open zipped MS Word documents; upon opening, Xorist ransomware was delivered. 

The use of Gmail and Microsoft services by attackers to give their emails a patina of credibility is part of a broader trend: threat actors are crafting increasingly persuasive lures. 

“Our research demonstrates that attackers are using both Microsoft and Google infrastructure to disseminate malicious messages and target people, as they leverage popular cloud-collaboration tools,” the Proofpoint report added. “When coupled with heightened ransomware, supply chain, and cloud account compromise, advanced people-centric email protection must remain a top priority for security leaders.”

Google and Mozilla Develop an API for HTML Sanitization

Google, Mozilla, and Cure53 engineers have collaborated to create an application programming interface (API) that offers a comprehensive solution to HTML sanitization. The API will be used in upcoming versions of the Mozilla Firefox and Google Chrome web browsers. 

HTML sanitization is the process of reviewing an HTML document and creating a new HTML document that only contains the "secure" and desired tags. By sanitizing any HTML code submitted by a user, HTML sanitization can be used to defend against attacks like cross-site scripting (XSS).

Sanitization is usually carried out using either a whitelist (allowlist) or a blacklist (blocklist) strategy. It can be refined further with rules that define which operations should be performed on the matched tags. 

When rendering user-generated content or working with templates, web applications often need to handle dynamic HTML content in the browser. Client-side HTML processing frequently introduces security flaws, which malicious actors exploit to stage XSS attacks, steal user data, or execute web actions on the user's behalf. 

“Historically, the web has been confronted with XSS issues ever since the inception of JavaScript,” Frederik Braun, security engineer at Mozilla, said. “The web has an increase in browser capabilities with new APIs and can thus be added to the attacker’s toolbox.” 

To protect against XSS attacks, many developers use open-source JavaScript libraries such as DOMPurify. DOMPurify takes an HTML string as input and sanitizes it by removing potentially dangerous parts or escaping them. 

“The issue with parsing HTML is that it is a living standard and thus a quickly moving target,” Braun said. “To ensure that the HTML sanitizer works correctly on new input, it needs to keep up with this standard. The failure to do so can be catastrophic and lead to sanitizer bypasses.” 

The HTML Sanitizer API incorporates XSS security directly into the browser. The API's sanitizer class can be instantiated and used without the need to import external libraries. 

“This moves the responsibility for correct parsing into a piece of software that is already getting frequent security updates and has proven successful in doing it timely,” Braun said. According to Bentkowski, browsers already have built-in sanitizers for clipboard info, so repurposing the code to extend native sanitization capabilities makes perfect sense.

Modem Vulnerability Attacks Android Phones, Steals Data and Records Calls

Google and Android manufacturers always aim to keep their hardware and software security robust. However, a vulnerability in Qualcomm SoCs recently revealed by Check Point Research is quite frightening. The vulnerability can allow a harmful application to patch the software on Qualcomm MSM modem chips, which gives the actor access to call logs and chat history and can even let it record conversations. Check Point Research's breakdown of the vulnerability is quite technical. "QMI is present on approximately 30% of all mobile phones in the world but little is known about its role as a possible attack vector," the report says. 

In simple terms, Check Point found flaws in the QMI (Qualcomm Modem Interface) software layer of the modem and in its debugger service connections that allow an attacker to patch the modem software dynamically and bypass its general security mechanisms. Ordinary third-party applications do not have access to QMI; however, if other critical flaws in Android are exploited first, the attack can succeed. The researchers who found the vulnerabilities believe that harmful apps could secretly listen to your calls and record them, unlock a SIM card, and even steal call logs and messages. 

Experts believe that the vulnerable QMI software found during the investigation may be present in around 40% of smartphones, from brands such as Google, LG, Xiaomi, OnePlus and Samsung. The experts explained the basic methods used in the attack, but the technical details were left out of the report to prevent malicious actors from learning how to exploit the vulnerabilities. Currently, there is no evidence that the attack is being used in the wild. 

Check Point Research says "we discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor. An attacker can use such a vulnerability to inject malicious code into the modem from Android. It gives the attacker access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations. A hacker can exploit the vulnerability to unlock the SIM, thereby overcoming the limitations of the service providers imposed on the mobile device."

App Census Study Reveals that Android Devices Leak User Data Stored in Contact Tracing Applications

According to security experts, hundreds of third-party applications on Android devices have access to confidential information collected by contact-tracing apps built on the Google and Apple API. Earlier this year, the Department of Homeland Security provided about $200,000 to App Census, a U.S. start-up that specializes in data protection practices in Android applications, to test and validate the reliability of contact-tracing apps. 

The company's researchers observed that Android phones record the core contact-tracing data from applications that use Google and Apple's Exposure Notifications System (ENS) in the device's system logs, the same place from which applications usually collect usage analytics and crash report data. 

Google and Apple jointly launched ENS last year to help medical authorities around the globe develop contact-tracing apps consistent with the data protection requirements underlying the Android and iOS ecosystems. The API built by Apple and Google allows governments to build decentralized, Bluetooth-based contact-tracing software. 

Devices running the app broadcast confidential, regularly changing identifiers, known as RPIs, over Bluetooth in such a way that nearby phones that also run the app can "hear" them. 

App Census's findings reveal that the two tech giants' privacy pledge has certain deficiencies. Both transmitted and heard RPIs can indeed be found in the system logs of Android phones, and for heard RPIs the device even records the associated Bluetooth MAC address. Because RPIs and Bluetooth MAC addresses are unique, even though they are anonymized, App Census found many ways these logged datasets could be combined and computed over to conduct privacy attacks.

"Of course, the information has to be logged somewhere to do the contact-tracing, but that should be internally in the ENS," Gaetan Leurent, a researcher at the French National Institute for Research in Digital Science and Technology (INRIA), stated. "It is unsettling that this information was stored in the system log. There is no good reason to put it there." 

With access to device logs from multiple users, the RPIs could be combined with other datasets to determine whether users had tested positive for COVID-19, whether they had been in contact with an infectious individual, or whether two people had met each other. The contact-tracing process is meant to preserve privacy, and precisely this type of data should never be exposed; the protection that should form the foundation of the protocol is therefore defeated. 

A Google spokesperson told: "We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code." 

The spokesperson added that these Bluetooth identifiers neither disclose a user's location nor provide any other identifying details, and that Google is not aware of them having been used in any manner. According to Google, the rollout of the update to Android devices began several weeks ago and is due to be completed in the coming days. Previous publications by the researchers have shown that, irrespective of implementation, the use of digital technology for contact tracing necessarily presents a risk to privacy.

BGP Leak Causes 13x Spike in Misdirected Traffic

An enormous BGP routing leak that occurred on 16th April 2021 disrupted connectivity for many major organizations and sites around the world. Although the leak originated in Vodafone's autonomous system (AS55410) in India, it affected U.S. organizations, including Google, according to sources. 

BGP, or Border Gateway Protocol, is what makes the modern-day Internet work. It is akin to a "postal system" for the web that handles the routing of traffic from one (autonomous) system of networks to another. The Internet is a network of networks: if, for instance, a client in one country wants to reach a site in another, there must be a system in place that knows which paths to take while directing the client across the different networked systems. That is the purpose of BGP: to route web traffic efficiently over different paths and systems between source and destination so that the Internet functions.

On 16th April 2021, Cisco's BGPMon detected a discrepancy in Internet routing, possibly indicating BGP hijacking activity: "Prefix 24.152.117.0/24, is normally announced by AS270497 RUTE MARIA DA CUNHA, BR." "But beginning at 2021-04-16 15:07:01, the same prefix (24.152.117.0/24) was also announced by ASN 55410," stated BGPMon's announcement. 

Doug Madory, director of Internet analysis at Kentik, further confirmed these findings, stating that autonomous system ASN 55410 was seeing a 13-fold spike in inbound traffic directed to it. That autonomous system (AS55410) belongs to Vodafone India Limited.

“We have done a complete analysis of the reported matter and have not observed any issue in routing security at our end. A wrong advertising of the routing table publishing made by one of our Enterprise customers had led to this incident. This was responded to immediately and rectified,” a Vodafone Idea Ltd spokesperson said.

"This incident only affected traffic for about 10 minutes, but during that time there were likely countless internet connection problems for users around the world." "Anyone trying to reach web resources configured with the IP addresses in the routes that were leaked would have had their traffic misdirected to AS55410 in India and then dropped," Doug Madory from Kentik told BleepingComputer in an email interview.
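As an added example (not BGPMon's or Kentik's code), here is a small Python origin-validation check of the kind that produces alerts like the one quoted above. A table of expected origin ASNs per prefix, a simplified stand-in for a ROA or IRR view and an assumption of this example, is compared against a constructed stream of route observations; the only real values are the prefix and ASNs quoted in the post, while the peer ASNs 64496 and 64497 are documentation placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Announcement:
    prefix: str
    as_path: tuple     # as seen from a collector; the last element is the origin AS
    seen_at: str

# Expected origin per prefix (assumed; a simplified stand-in for a ROA/IRR table).
# The single entry is the prefix/ASN pair from BGPMon's alert above.
EXPECTED_ORIGIN = {
    "24.152.117.0/24": 270497,
}

def find_covering(prefix: str) -> Optional[str]:
    """Return the longest known prefix that equals or covers `prefix`, if any,
    so a leaked more-specific is still checked against its parent."""
    net = ipaddress.ip_network(prefix, strict=False)
    best = None
    for known in EXPECTED_ORIGIN:
        k = ipaddress.ip_network(known)
        if net.version == k.version and net.subnet_of(k):
            if best is None or k.prefixlen > ipaddress.ip_network(best).prefixlen:
                best = known
    return best

def classify(a: Announcement) -> str:
    """'valid' when the origin AS matches the expected one, 'origin-mismatch'
    when another AS originates the prefix (or a more-specific of it), and
    'unknown' when there is no expectation recorded for the prefix."""
    covering = find_covering(a.prefix)
    if covering is None:
        return "unknown"
    if a.as_path[-1] != EXPECTED_ORIGIN[covering]:
        return "origin-mismatch"
    return "valid"

def alerts(stream: List[Announcement]) -> List[str]:
    """One alert line per suspicious announcement, in the style of the BGPMon notice."""
    out = []
    for a in stream:
        if classify(a) == "origin-mismatch":
            expected = EXPECTED_ORIGIN[find_covering(a.prefix)]
            out.append(f"{a.seen_at}: prefix {a.prefix} announced by AS{a.as_path[-1]}, "
                       f"normally announced by AS{expected}")
    return out

# Constructed observations: the legitimate route, then the leaked one.
# 64496/64497 are RFC 5398 documentation ASNs standing in for upstream peers.
SAMPLE_STREAM = [
    Announcement("24.152.117.0/24", (64496, 270497), "2021-04-16 15:00:00"),
    Announcement("24.152.117.0/24", (64497, 55410), "2021-04-16 15:07:01"),
]

if __name__ == "__main__":
    for line in alerts(SAMPLE_STREAM):
        print(line)
```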