Tag Archives: Chrome OS security
True to his word, security researcher Matt Johansen this week demonstrated the security holes in Google’s Chrome OS that have been the subject of so much discussion. Apparently, his demonstration…basically involved what he already showed us all last month. Just a touch anticlimactic, don’t you think? The way Johansen talked, I thought he might have a few new demonstrations for the lot of us.
The whole presentation wasn’t a retreading of old ground, though- while he did repeat a lot of what he said when he demoed the Scratchpad exploit, he also had a few new things to say about applications, extensions, and security on Google’s Chrome Operating System. For those of you who haven’t already discerned the nature of these statements, I’ll give you a hint- they aren’t good.
Google’s been marketing its Chrome OS as more secure than traditional PCs. And they’re right, in a sense- It is a lot more secure than your standard, run of the mill operating platform. That doesn’t mean that Chromebooks- and their users- are completely invulnerable. I’ve cautioned before against making such assumptions, and stories like this only drive home what I’ve been saying. Whitehat Security researcher Matt Johansen doesn’t believe for a second that the Chrome OS is safe or secure- and he claims he’s found evidence to prove it.
Google’s been marketing its Chrome OS as more secure than traditional PCs. And they’re right, in a sense- It is a lot more secure than your standard, run of the mill operating platform. That doesn’t mean that Chromebooks- and their users- are completely invulnerable. I’ve cautioned before against making such assumptions, and stories like this only drive home what I’ve been saying. Whitehat Security researcher Matt Johansen doesn’t believe for a second that the Chrome OS is safe or secure. At the end of last month, he claimed to have found evidence to prove it.
In a piece he published on Reuters, Johansen discovered and demonstrated a vulnerability in Google’s operating system that could be used to gain total control of a Gmail account. CNet got in touch with Google after hearing about Johansen’s claims, and a Google spokeswoman confirmed that what the researcher reported was patched months ago, at the same time questioning why Chrome should be labeled as vulnerable simply because it uses extensions. She felt it wasn’t a particularly fair analysis- after all, all modern browsers run extensions. “If anything,” she told CNet, “this is more about Chrome the browser and what we do to protect extensions running in Chrome. All modern browsers run extensions, and all major computer lines support browsers. These kinds of web attacks are also valid on other browsers and devices, as even extension reviews are not foolproof.”
While Johansen acknowledged that Google had patched the vulnerabilities he directly demonstrated, he still wasn’t satisfied. Why? Evidently, he still knew something Google didn’t know, claiming that applications constituted a considerable- and rather crippling- vulnerability in Google’s cloud-based operating system. “I can get at your online banking or your Facebook profile or your e-mail as it’s being loaded in the browser,” Johansen said to Reuters. “If I can exploit some kind of web application to access the data, then I couldn’t care less what is on the hard drive.” Naturally, a lot of folks- myself included- thought his failure to back up his claims with solid proof rather suspicious. We wanted him to put his money where his mouth was.
As the old adage goes, “Be careful what you wish for”- because he just did.
Very much needed: both Citrix and VMware are gearing up to provide VM solutions for Chrome OS.
Former Google CEO Eric Schmidt is confident in Chrome OS being successful due to the number of users adopting the browser.
Microsoft is probably starting to get concerned about Chrome OS, even though they’re not talking much.
The director of security at Trend Micro sees some concerns regarding Chrome OS’s security model.
Some think that this idea of Chrome OS on smartphones as a “shell” might just work.
While it’s useful to be able to open up the Cr-48 quickly and get to whatever it is you need to do, there may be circumstances where you might want to password protect the device in sleep mode. This can easily be done by heading into your options menu, clicking the Personal Stuff menu item on the left and checking off “Require password to wake from sleep”.
That way, no one can mess with your Chromebook. While the Cr-48 is safe and secure if you power it off all the time, I’ve noticed that I hardly ever take the time to do that. If you plan on taking the device to work or some other public place, it might do you well to enable this so no one can mess with the various accounts that you are logged in to.
Of course, if you’ve set the Cr-48 not to sleep when the lid is closed, this tip isn’t going to do you any good.
At last year’s Pwn2Own competition at CanSecWest, Chrome stood as one platform that did not get hacked. That may change this year with another year of researchers being able to spend time with it, but Google wants to give out a little motivation to make sure that Chrome is secure.
The company will be awarding $20,000 to anyone who is able to hack the browser on the Cr-48. This would require finding a hole that allows privilege escalation from inside the sandbox. It can be combined with some other type of vulnerability, but there must be a break in the sandbox to get the award.
Prizes are given out for hacking other browsers, which include the top four: IE, Firefox, Chrome and Safari. Last year three of the four were hacked as well as the iPhone.
The awards are as follows: $15,000 for a hack of any of the above browsers. Google will offer the $20,000 on day 1 of the contest for a hack using Google code; the organizers will pony up $10,000 on day 2 for non-Google code, and Google will offer $10,000 for the bug.
Pwn2Own 2011 is being held March 9-11 in Vancouver, BC. Read more details here on ZDI’s blog.
Yesterday, the Free Software Foundation’s Richard Stallman went off about Chrome OS, calling it “careless computing” because with Google’s prototype operating system users store their data in the cloud. He then went on to say that because you cannot install native applications on a Chrome device, it is “rigged up to impede and discourage installing applications”.
Well, he’s right on one point here. The purpose is to impede and discourage installing native apps. But I’m not sure that it is specifically “rigged” to do so.
Let’s keep in mind that Google has adamantly said that Chrome OS is based on webapps. I do not understand why this is “rigged”.
Google’s Chrome team is very confident that Chrome OS will be the most secure consumer operating system on the market. That may be true, since the platform offers security features that you simply don’t see on other operating systems. According to Google’s own update on Chrome OS, their sense is that “even at this early stage, we feel there is no consumer or business operating system that is more secure.”
They’re feeling pretty confident, I take it.
It goes without saying that Chrome is my regular browser (over 70% of visitors here would agree with that). So when I see malware based on hyping Chrome, that’s a bad sign, even though more people using the browser is good. Recently I came across some Chrome-influenced malware myself while searching through Google Images.
Networkworld recently wrote a story about this, but I had not yet seen it personally until now. I think this is going to become a common occurrence, unfortunately.
A couple of things stand out, but first here are some images.
At the USENIX security conference held in Washington, DC last week, a group of researchers presented a new sandbox framework for lightweight operating systems called Capsicum. Developed by the University of Cambridge with a grant from Google, Capsicum will help to better protect Unix-derived systems as well as Chrome browser and Chrome OS.
Essentially, what this provides is a better framework for developers because they don’t have to spend so much time with security delegation in their own web applications.
“Privilege separation is a pattern that has been adopted for applications such as OpenSSH, Apple’s SecurityServer, and, more recently, Google’s Chromium web browser. Compartmentalisation is enforced using various access control techniques, but only with significant programmer effort.”
“Capsicum addresses these problems by introducing new (and complementary) security primitives to support compartmentalisation: capability mode and capabilities”.
The UNIX-compliant FreeBSD 9 will integrate Capsicum when it is released. Capsicum features are even expected to hit the Chromium browser at some point for testing; at USENIX the researchers showed off a version of Chromium with the framework installed.
Seeing that the research was supported by Google and will be included in operating systems, it’s safe to say that Capsicum will also be a part of Chrome, further reducing the amount of coding developers have to do in order to allow webapps to be secure. Instead, Chrome will be able to handle all of the different requests that come to it via the web, and act accordingly.
In yesterday’s Technologizer post about Google Apps getting FISMA certification, Harry McCracken was at the press event for the government-clearing certification allowing the Google enterprise suite to be used for sensitive data. McCracken asked CEO Eric Schmidt about a version of Chrome OS that is FISMA certified.
“That’s like a ‘yes, absolutely,’” Schmidt said. “Let’s ship it first…All the apps we’re talking about will run incredibly well and incredibly securely on Chrome OS.”
That’s good to hear. But I think it goes without saying that apps should all run securely in Chrome OS, and they should be secure in whatever environment they are run in. While FISMA apparently doesn’t allow for classified information, it does allow for sensitive material. I would say that anything I deem private data would be “sensitive” as well, don’t you?
July 4 in the United States is a time for the celebration of independence, one of relaxation and removal from the pressures of work.
The problem with that from America’s standpoint is the fact that the rest of the world realizes there are few resources available during that time to withstand an attack by hackers.
So when reports are coming out that YouTube has been hacked with annoying pop-ups, apparently fueled by a <script> tag put in front of comment posts, this poses a deep problem. It appears that Google has put out a complete fix, but when the trouble first started, commenting on YouTube had to be disabled for over an hour.
Google’s done a good job here at fixing this problem, but the reality is that the “right time right place” mentality of hackers does not bode well for overall platform security. What would happen if malicious folks decided to wreak havoc on the Chrome browser on Christmas day? What about the potential implications if this could be used against Chrome OS, which could cause even more headaches as a complete computing platform?
We’re only trying to prod the point here. If YouTube is a target, as well as reportedly Apple’s iTunes, then there are those out there willing to go up against some of the biggest names in the business despite what rigorous security procedures they may have implemented. Let’s not forget who the biggest players in attempting to bring cloud computing to the masses are: Google and Apple, both of which are being attacked at a point of known vulnerability.