Tag Archives: security

Google Ups the Reward For Chromium Security Fixes

Posted on 20. Jul, 2010 by . 2 Comments

For the past six months, those who have been able to find a flaw in Chromium were awarded cash prizes for doing so. Now that this program has been ongoing for some time, the Chromium team has decided to increase the amount given out for the most critical of flaws found, moving from $1,337 to $3,133.70. Most awards will remain at the $500 level, depending on the published severity guidelines.

The Chromium project has led to Chrome being one of the most secure browsers on the market. The annual conference where researchers try to compromise browsers and other computer platforms, Pwn2Own, had no takers for the Chrome browser this year. It could be because Chrome is still the newcomer on the market. Nevertheless, all of the other major browsers ended up getting hacked at Pwn2Own.

It’s unknown whether or not the decision from the Chromium team relates to Mozilla recently raising their Security Bug Bounty Program award up from $500 to $3,000. With that being said, moving the amount just above Mozilla’s while keeping the cachet of the original award may mean something when thinking about Firefox versus Chrome: actions speak louder than words.

thechromesource Daily: Links for 6/4/10

Posted on 04. Jun, 2010 by . 0 Comments

Google denies ties between patent application and Wi-Fi snooping.

WebSocket protocol updated to be more suitable for real time and dynamic web applications.

New white paper outlines security practices, policies, and technology supporting Google Apps.

Author provides a graphic display of “what Google knows” and asks: Too much?

Google Goggles headed for iPhone “soon” says Google project manager.

thechromesource Daily: Links for 5/23/10

Posted on 23. May, 2010 by . 0 Comments

In response to the Chrome Web App Store, Mozilla has announced on its blog an initiative for an Open Web App Store.

Here is the FTC’s official statement on their decision to let the Google-AdMob deal go ahead.

GNU founder and open source maven Richard Stallman talks to Mashable about how open Google really is these days.

PCWorld looks at how Google’s search engine results have helped hackers get their software on unsuspecting users’ computers.

Amazon has been quietly successful in the cloud computing market, but should they now be concerned about Google?

Inside Google? Really? Seems More Like Outside

Posted on 22. May, 2010 by . 1 Comments

Consumer Watchdog, a non-profit organization whose mission is to fight on behalf of “American consumers and taxpayers”, has launched a blog called Inside Google where they intend to keep in check some of the privacy issues that the search engine giant has been encountering recently. From a few of the articles that I have read on the site, Inside Google clearly believes that the folks at Google need to be more open about the way they do business, and one of the issues highlighted is the way their search algorithm is calculated to bring back query results.

This is especially true when looking at the post fuming about the fact that the term “Inside Google” doesn’t come up on the first few pages of a Google Search, yet does when querying Bing. The opposite end of this is perhaps Microsoft should be asked if they are trumping up the Inside Google site while Google is giving it a representative ranking since the Inside Google site is very new; the domain was only registered three months ago and currently has no PageRank.

Plus, there is no update on this post since it was written to point out that searching the term Inside Google appears in the first page of Google Search, at least when I queried it today. Even when done in Incognito Mode or another browser with cleared history. Looks like the “lack of transparency” tag placed on these posts doesn’t apply to Inside Google.

I know that I have not always written rosy things about Google, and they still rank me well, probably because their engine is based on a specific system to return the best results for a query, not by humans directly manipulating search results.  Here are some examples of things I’ve written:

Concerned About Privacy? Scroogle Scrapes Your Searches
Do You Know Why Google Wants to Trade Energy?
Maybe Google Knows Too Much, GoogleSharing Can Help
Google Invests in Recorded Future

Inside Google is based on the foundation that because Google has seventy percent of the United States market of online search it should be investigated because it is a monopoly. But there are other competitors in the search market. In reality if Bing, Yahoo or Ask were actually better search engines than Google, I would use them. But they are not. Hence the reasoning behind the fact that I use Google Search as I’m sure others who read this post would agree.

If serious privacy or security issues arose that Google was not willing to face or to make amends for, I would be all for going after them, as would a great deal of others. In that regard perhaps Inside Google is on the right track with what they are doing but some of these articles posted on the site seem, well, a bit angst driven for some reason. Is there a motive to why Inside Google feels like they’ve been left on the outside? Possibly because its journalists were formerly a part of the once dominant print media industry?

Reports of Trojan as a Chrome Extension Emerge

Posted on 20. Apr, 2010 by . 1 Comments

There is a reason why Google has set up their own extension site, where they make sure that they do a security review of each “plug-in” that is submitted for their browser to check potential security problems. As more people use Chrome browser, the threat of malicious software increases. Think of the problems that Internet Explorer has had to deal with in the past. Because of those headaches, Google has tried really hard to start initiatives to thwart security issues in their own browser ecosystem before it gets too big.

The easiest way to obtain access to Chrome? One is through Flash, but Google has decided to add that as an integrated feature. Another way is through extensions. That’s why it’s a big deal when the Romanian antivirus company BitDefender reports that an extension now exists that has intentions on exploiting a user’s system, typical of a trojan virus.

The Malware City blog by BitDefender describes the situation whereby a user gets an email to download a Chrome extension that has not-so-good intentions. The user is led to a site that looks the same as the official Google extension site, but the URL is not the same, something akin to phishing. They also talk about the fact that some of the more savvy users will know that an extension will come as an install file with a .crx extension, as opposed to this malicious extension that has an .exe extension.

Herein lies the problem with extensions. Everyone must realize that the only place to install an extension is from Google’s official extension site. At the beginning of 2010, McAfee released a report that reiterated this point: the problem is that now the Chrome platform is reaching a stage of major adoption – starting with the browser. Fortunately Google has set up an extension site where we know we can get added functions to our browser without the worry that they will totally screw up our system.

What Does Your Browser Say About You? Find Out With BrowserSpy

Posted on 13. Apr, 2010 by . 2 Comments

Your browser is very telling. And I don’t mean just what type of browser you use, but also your screen resolution, what version of Adobe Reader you have installed, whether you have Java installed and if so what version, what CPU you are running and CSS information that can show what sites you usually frequent:

All thanks to BrowserSpy. With this little website you can see just how much of your PC’s information is leaking all over the internet like a water balloon with a slight tear in it. Many people don’t realize this, and that’s why BrowserSpy’s founder, Henrik Gemal, set out to start a site that offers this information to the world. He keeps it updated, and keeps adding things that he finds which you may not know are available just by surfing the web.

Concerned about your privacy on the web? Chrome has options that allow you to turn off JavaScript and go into what’s known as Incognito Mode, and there are also variations of Chromium open source builds that are built with privacy in mind. When I went to the BrowserSpy site with one such browser, known as Comodo Dragon, a few things were left undetected as I went through the list of tests on the left hand side of the site – but not everything.

At the same time, using Chrome with no privacy settings turned on, BrowserSpy pinpointed my IP address to somewhere north of Wichita, Kansas on a Google Map. Which is highly incorrect. Maybe they don’t know that much about me.

Chrome the Only Major Browser Not Hacked at Pwn2Own

Posted on 28. Mar, 2010 by . 10 Comments

While news has been sparse since Day 1 of Pwn2Own, word is that Chrome was the only major browser to make it through the entire competition unscathed. That means it even got through the vaunted Windows XP Day 3, where many expected that Chrome would be exploited by using some of XP’s inherent holes. Not to mention that, service packs notwithstanding, XP is nine years old.

Major browsers such as IE8, Safari and Firefox were hacked within minutes of the start.

Pwn2Own, by the way, is a contest that awards “researchers” cash prizes for successfully hacking computer platforms – prizes in the range of $10,000 to $15,000 plus the computer that they are hacked on.

OK, so Chrome made it through. But let’s think about this. Chrome has only been out since 2008, and there still aren’t that many users who have adopted it yet. W3schools, a web developer site, cites an 11.6% rate of users who visit their site as running Chrome for February 2010. And that is a site for early adopters of web technology! The real number for the entire web population is probably closer to five percent. That may be one of the reasons that researchers have yet to find vulnerabilities in it: they hack what they know, which are the other browsers out there.

Of course, there is also the idea that the other browsers on the market are simply weaker than Chrome which is also a possibility. There was some stir in the days leading up to the contest that Google quickly patched up a slew of security flaws in what was seen as a pre-emptive move. But when you are actually awarding outside experts with cash when they see a flaw in Chrome, it’s probably easier to patch up things that may be hard to see when they are right in front of you.

Anyone else ever had that problem before?

First $1,337 Prize Given Out by Chromium Team

Posted on 19. Mar, 2010 by . 0 Comments

As mentioned previously, the Chromium team is giving out cash awards to researchers who are able to find vulnerabilities in the browser’s software. While most awards given out are in the $500 range, there is another tier for those who are able to find a very serious flaw. Finally, someone has won the top award, getting $1,337 from Google for finding what must be a serious exploit. Although we cannot see what the flaw is because not all browsers have been updated, I’m sure Sergey Glazunov, who won the award, is happy to be receiving some recognition since most of the time these folks don’t get the appreciation that they deserve.

This is coming at a good time, and there is no doubt that the recent rash of updates to Chrome’s stable build has to do with the upcoming Pwn2Own contest which pits hackers against browsers and operating systems in a contest to see who can compromise a system the fastest. Charlie Miller, one of the past winners, has gone on record to say that he thinks Google Chrome is one of the most secure browsers along with Windows 7 being the most secure operating system.

Although it appears that smartphone operating systems will be a big focus of the year’s Pwn2Own, it will still be interesting to see which browsers are the most secure. Computerworld is predicting that Chrome will last the longest which is a promising sign and shows how much effort has been put into a browser that has only been around since 2008.

Video: Managing Cookies in Chrome Browser

Posted on 07. Mar, 2010 by . 1 Comments

I came across this Google video today and found it useful. Cookies are an important element in the overall web browsing experience as they allow you to have settings saved on your favorite websites by storing some of your preferences. Plus, this video actually shows you how to create exceptions for cookies on particular sites if you were inclined to do so. To get a broad sense about cookies and how to manage them in Chrome browser, check out this clip:

It’s done pretty quickly in the example provided here, but you can get to your cookies settings by going to the Options menu and then from the Under the Hood Tab you can select the Content Settings button at the top.

There used to be a lot of concern over cookies and what kind of information is actually stored, but the reality is that since sites are no longer static pages having cookies is helpful. Cookies are almost necessary now so that you can avoid performing repetitive tasks on the web. There still are some privacy concerns, but most websites that are reputable have strong privacy policies and are in business to provide the end user with a good web experience.

Google has some pretty strongly worded privacy statements as well; however, I think some of that is a direct response to the media’s reaction in regards to how much they actually know about internet users. Paying attention to their actions as opposed to their words is a key factor in this realm. Here’s to hoping that they remain committed to doing the right thing as they continue to become ever more omnipresent.

Paper: Browser Extensions Have Potential Security Implications

Posted on 09. Feb, 2010 by . 2 Comments

In a comprehensive paper that was recently published, researchers at Berkeley’s Department of Electrical Engineering and Computer Science studied the possible security impact that extensions could have on a browser’s vulnerability to exploit and/or attack a computer. It was found that of twenty-five popular Firefox Extensions, all of them had the highest level of security privileges in the browser. That’s all that would theoretically be needed to attack a machine, which could potentially result in a compromised situation.

The paper also goes on to explain that the majority of extensions don’t need to have these types of privileges in order to execute what a developer is trying to accomplish, but that the Firefox API is currently built to allow for powerful networked software development – even for extensions.

The group who wrote this paper has even worked with Google in order to better implement their own extensions directory. They proposed to Google a method whereby keys are used to help identify an extension. Developers must sign an agreement with Google to ensure that privileges for an extension do not have capabilities that allow for potential security problems before they can be listed at the official directory.

When installing extensions from the Google directory, which was launched last December, I had noticed a few times that the URL for the location of the download was a bit unique:

This is by design, however. It’s a public key that has been set that identifies the extension with the website. The best part about this is that for the purposes of version updating, the key is identified with the extension and thus the URL that is located on the Google extension directory. This is in addition to scripts running separately from outside web sources and some other interesting features that offer a robust technical standard for these additional features of Chrome browser that independent developers are working on.

While Firefox offers a rating system that works to protect users, as well as a developmental system called Jetpack that offers narrow interfaces, I really got the impression that there was a lot of thought that was put into the extension system for Chrome. While trying to expose vulnerabilities through extensions doesn’t appear to be something that is deliberate by those who create them, there is potential for there to be problems down the line.

It’s also important to consider that if you plan on using extensions, you should probably use an official directory depending on the browser that you use. That means getting them from Mozilla.org for Firefox or the official Google extensions site for Chrome. I could not find an extension/add-in directory for Internet Explorer from Microsoft.

Firefox, Internet Explorer and Chrome are discussed in the paper in depth. Now that there is so much more that you can do with a browser, with the speed of JavaScript performance increasing at such a huge rate over the past few years, it has to be considered that browsers need to become increasingly secure as they become more than just where you surf the web but also where you run applications. So it’s worth a read if you have time, and you can check out the abstract from here.

Maybe Google Knows Too Much, GoogleSharing Can Help

Posted on 20. Jan, 2010 by . 4 Comments

I’ve previously written about the security implications that come with using Google’s services. However, this is especially problematic when you consider that if the trend of cloud computing and thin application technology is to continue, eventually a good portion of information about you will be stored on Google’s own servers. There is a wide array of issues associated with that – from Google using your tendencies to make more money, to possible ramifications that could occur if Google’s data were to be compromised in a more serious manner than the recent Chinese attacks that targeted activists from that country.

That’s why when I came across GoogleSharing, I was intrigued. To be honest, at first I thought that this was something that came from Google. The look of the site would certainly indicate that, complete with privacy quotes on the left hand side from CEO Eric Schmidt. But the reality is that it’s an independently developed experimental (for now) plugin for Firefox that allows users to search with Google independently. I say search because this plugin currently does not anonymize for use of Google’s Mail, Checkout, Health, Sites, Docs, and Reader applications.

Installation of GoogleSharing was done in a snap. Within Firefox you will see some text in the lower right hand side that indicates whether or not GoogleSharing is enabled. Right clicking on this area will also allow you to open an options menu to change the anonymous proxy settings if you wanted to. The add-in basically uses a proxy that is located at proxy.googlesharing.net that does a number of things to essentially confuse the engine that captures Google queries for search, as well as analytics.

One of the ways, among others that are detailed on the GoogleSharing site, is that this works to submit to Google cookies that are “fresh”. This means that they are blank slates that don’t contain any of the usual information that would normally be saved during a browsing session that Google is then able to parse through its intricate data collection architecture. However, there is no way to use some of these services, such as Gmail and Google Checkout, in a manner that is anonymous, and therefore everything that you do on these services is saved and could potentially be used as a profile that could sell you things such as ads in the future.

Not to say that is how Google is using our search information, but who really knows other than those who are insiders? And do you think there would be a plugin like this available for Chrome browser?

McAfee Reports Chrome OS as 2010 Security Threat

Posted on 30. Dec, 2009 by . 3 Comments

In a ten page report that was released Tuesday, McAfee outlined its predictions for computer security trends in 2010. Along with Twitter as well as Adobe’s Flash and Reader programs, McAfee is reporting that Chrome OS is going to be one of the top computer security issues that will have vulnerabilities in 2010.

In their 2010 Threat Predictions Report McAfee states, “HTML 5 will blur the line between desktop and online applications. This, along with the release of Google Chrome OS, will create another opportunity for malware writers to prey on users.”

Google Wave is also singled out in the report, warning that the eXtensible Messaging and Presence Protocol (XMPP) is vulnerable to attacks.

We’ve previously written about HTML-5, and it’s going to be a pretty impressive advancement in terms of web technology and how the browser will be able to interpret code. However, it’s hard to say whether Chrome OS alone will be the single weak point in the emergence of HTML 5. Since there has been a lot of news about Chromium as of late, identifying it as a threat now keeps developers, network administrators and security professionals on their toes about potential attacks that could occur.

This is new territory for Google, as in the near future their hardware/software products are going to be integrated into the computer infrastructure that we users interact with every day, and that is an appealing target for hackers.

The report does offer a positive outlook on the ability of law enforcement to stop cybercrime.