
AVIEN resource updates: July 15th 2018

Updates to Anti-Social Media 

(1) ESET: Facebook fined over data privacy scandal

You’re probably already aware of the gentle tap on the wrist administered by the UK’s Information Commissioner’s Office (ICO), but this does actually indicate why the penalty was so much less than you might have expected (in theory, up to 4% of the company’s total income).

(2) An article from The Next Web: Experts warn DeepFakes could influence 2020 US election – “Fake AI-generated videos featuring political figures could be all the rage during the next election cycle, and that’s bad news for democracy.”

(3) Graham Cluley: Facebook doesn’t want to eradicate fake news. If it did they’d kick out InfoWars – “Social networks giving sick conspiracy theorists a platform to spread hate.” Graham points out that InfoWars misinformation is also an issue on YouTube.

Updates to Meltdown/Spectre and other chip-related resources

John Leyden for The Register: Google’s ghost busters: We can scare off Spectre haunting Chrome tabs – “Site Isolation keeps pages fully separate on Windows, Mac, Linux, Chrome OS … Rather than solely defending against cross-site scripting attacks, the technology is now positioned as a necessary defence against infamous data-leaking Spectre CPU vulnerabilities, as a blog post by Google explained this week…”

Updates to Chain Mail Check

Brian Krebs: Sextortion Scam Uses Recipient’s Hacked Passwords

The scammer claims to have made a video of the intended victim watching porn, and threatens to send it to their friends unless payment is made. Not particularly novel: the twist with this one is that it “references a real password previously tied to the recipient’s email address.” Krebs suggests that the scammer is using a script to extract passwords and usernames from a known data breach at least ten years old.

The giveaway is that very few people are likely to be using the same password now – and it’s unlikely that there are that many people receiving the email who might think that such a video could have been made. Still, it seems that some people have actually paid up, and it’s possible that a more convincing attack might be made sending a more recent password to a given email address, and perhaps using a different type of leverage.

Commentary from Sophos here.

David Harley


Machine learning: science, engineering, or magic fairy dust?

Here’s an interesting article by Tristan Greene for The Next Web: Academic expert says Google and Facebook’s AI researchers aren’t doing science. The expert in question is Simon DeDeo, and he’s an astrophysicist rather than a practitioner in AI. But he’s speaking as a scientist and an academic when he points out – rightly, in my opinion – that “Machine learning is an amazing accomplishment of engineering. But it’s not science. Not even close. It’s just 1990, scaled up. It has given us *literally* no more insight than we had twenty years ago.”

He also remarks that “They said they did social science, but it was nothing of the sort. It was homo economicus spread out over 50 GPUs.” Which reminds me very much of Facebook’s dabbling in psychological manipulation and emotional contagion. Well, I’ve been fairly scathing from time to time about Facebook’s reliance on algorithms that presumably work well enough for its paying customers but may be irritating or even painful to its product: those of us who trade its intrusiveness and willingness to share our data for its social advantages. And I’m not even going to mention Cambridge Analytica.

I will quote one more of DeDeo’s tweets, though: “The real subjectivity is in ML, which spends all its time developing new techniques to optimize a subjectively-chosen goal function on a subjectively-chosen test set.” I could draw a parallel there with the way in which some so-called next-gen security companies still cite their use of machine-learning as if it was their very own magic fairy dust that detects all malware (yeah, right…) while propagating a series of myths about how mainstream products work. (Relying on signatures? Which century are you living in, Help Net? You know better than that, and so does Cylance…)

In fact, as I may have mentioned before, machine learning is used by mainstream companies to sift through the ludicrously high volumes of potentially malicious samples we see on a daily basis to prioritize other analytical techniques. But we – and the black hats behind malware – are all too aware of the risks of relying purely on machine-learning to distinguish between Good and Evil samples. But I don’t think I’ll go further into that yet again at this point.

David Harley

Resource updates 5th July 2018

Updates to Anti-Social Media 

Graham Cluley: Carole Cadwalladr takes us behind the scenes of the Cambridge Analytica investigation – HOW MILLIONS OF FACEBOOK USERS’ PERSONAL DATA WERE USED TO INFLUENCE THE US ELECTION AND BREXIT. “Last week, Carole Cadwalladr won The Orwell Prize for Journalism for her work investigating the impact of big data on the EU Referendum at the US Presidential election.”

John E. Dunn for Sophos: Facebook gave certain companies special access to customer data – “What do Russian internet company Mail.ru, car maker Nissan, music service Spotify, and sports company Nike have in common? They, and 57 other companies, were revealed by Facebook in a US House of Representatives’ Energy and Commerce Committee submission to have been given temporary extensions to access private Friends data API despite the company supposedly changing the policy allowing this in May 2015.”

The Hacker News: Facebook Admits Sharing Users’ Data With 61 Tech Companies

Rhett Jones for Gizmodo: Google Says It Doesn’t Go Through Your Inbox Anymore, But It Lets Other Apps Do It

Updates to Cryptocurrency/Crypto-mining News and Resources

Pierluigi Paganini: Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation – “Crooks leverage an alternative scheme to mine cryptocurrencies, they don’t inject the CoinHive JavaScript miner directly into compromised websites.”

Paul Ducklin for Sophos: Serious Security: How to cut-and-paste your way to Bitcoin riches – “Whether it’s cryptocurrency addresses, payment card details, ID numbers or other snippets of personal information, malware that sneakily changes data in the clipboard as you work online can trick you into paying the wrong people.”

Updates to GDPR page

The Register: United States, you have 2 months to sort Privacy Shield … or data deal is for the bin – Eurocrats – “MEPs call for urgent fix”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

DZone Security Zone: Glimpse Inside IoT-Triggered DDoS Attacks and Securing IT Infrastructures

Tech support scams resource page

SANS Ouch Newsletter: Phone Call Attacks & Scams

Updates to Mac Virus

Andrew Orlowski for The Register: Uh-oh. Boffins say most Android apps can slurp your screen – and you wouldn’t even know it – “Over 89 per cent of apps in the Google Play store make use of an API that requests screen capture or recording – and the user is oblivious as it evades the Android permission framework.” Summary of a paper “…titled Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications (summary and PDF).”

Pierluigi Paganini: A Samsung Texting App bug is sending random photos to contacts – “The problem affected Galaxy S9 and S9+ devices, but we cannot exclude that other devices may have been affected…several users reported the anomalous behavior on Reddit and the company official forums.”

John E. Dunn for Sophos: Samsung phones sending photos to contacts without permission and also Your smartphone can watch you if it wants to, study finds.

Elcomsoft: Apple Warns Users against Jailbreaking iOS Devices: True or False? The question is not whether Apple has issued the warnings – of course it has – but how justified the warnings are. The conclusion seems to be mostly true, “with few caveats and one major exception.” Interesting article, anyway.

David Harley

Social media and privacy

Resource updates 21st March 2018

Additions to the new Anti-Social Media page:

Additions to Meltdown/Spectre – Related Resources

‘AdultSwine’ – Android malware with a dirty mind

The Register: ‘Mummy, what’s felching?’ Tot gets smut served by Android app – Google’s Play Store fails again

Actually, I didn’t know about felching, either, and I wish I hadn’t looked it up.

Based on Check Point’s blog article Malware Displaying Porn Ads Discovered in Game Apps on Google Play. Check Point says that this is a triple-threat attack: it may display ads that are often (very) pornographic, engineer users into installing fake security apps, and/or induce them to register with premium services.

David Harley

Meltdown/Spectre resources

[Content now transferred to the resource page here, which I intend to expand and maintain as time allows.]

Official commentary from Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs and from Google: Today’s CPU vulnerability: what you need to know

Related Resources:

David Harley

The great wall of Google

So, we hear the news that Google ‘really has’ ceased censorship in China. At least, that is the meme currently working its way around the internet. Actually, this is rather disingenuous, and shows a particularly unsavoury side of how the Google PR machine really works.

If you’ve been living on Mars or want some background, here are a couple of links on the story.

http://news.bbc.co.uk/1/hi/world/asia-pacific/8582233.stm

http://www.guardian.co.uk/technology/2010/mar/22/google-china-shut-down-censorships

Of course, a careful read of these articles shows that Google have done nothing more than redirect their front page to their existing Hong Kong search page, and that the censorship (which operates automatically between the mainland of China and…well…everywhere else) is still very much in place.

Users inside China have no greater freedom now, and this is a very different situation from the one that would exist had Google really put its money where its (big) mouth is and uncensored its .cn site search results. Clearly they wouldn’t do that, though, as not only would it be illegal in China, it would very likely have forced them to pull out of the lucrative market they so badly want a piece of – instead of getting a bit of bluster from the Chinese government and maybe a slap on the wrist.

Do a search for, say, ‘Tiananmen Square’ from inside China, and as the Guardian article points out, the internet connection will reset. Lest we forget, this is part of what Google is complicit in covering up. The Chinese government have been almost entirely successful in expunging this monstrous event from the consciousness of those living in their country, and Google (and others) have not only not done anything to stop this, they have actively aided them in their attempts at revisionist history.

This is a security blog, so I’ll get to the point that everyone seems to be missing. This whole story erupted because, allegedly, Google suffered attacks on its Gmail network from inside China. Let’s leave aside for the moment the whole “Buzz” fiasco, which probably did Google far more harm. This is the rather grubby truth that Google is managing to cover up so well with its big talk about not “being evil” and opening up the freedom of the internet (which they so eagerly avoided doing for so long in order to get their hands on those lovely Chinese RMB).

The point is that, rather than looking at what they were doing wrong and securing their network, or finding out what led to the compromises of their network, Google simply threw their toys out of the crib and made up a new story about solidarity and freedom and so on. Do you trust Gmail more now that they’ve engaged the NSA to help them secure it? I didn’t think so.

It’s a shame that so many tech bloggers have focused on the smokescreen political issues and passed up the chance to slam Google for the real issue: that its approach to the privacy and security of its users is, time and time again, a huge disaster. The real problem is that they’ve got the money and the PR machine to cover it up with a different story, and swamp all those dissenting voices to avoid having to have that brief moment of introspection that might actually change things for the better…rather like a certain government, don’t you think?

Andrew Lee
AVIEN CEO

With all the Buzz, some education is in order

So, the not very surprising news is that Google has once again attempted to launch a social networking site – following its spectacularly unsuccessful 2004 launch of Orkut (no, unless you live in Brazil or India, you won’t have heard much about it either).

The new network, called “Buzz”, integrates directly into the Gmail email client. To me this just opens up lots of new ways to exploit the users – although if you are using Gmail to do anything private or confidential, you already need to have a brain check (more so now that the NSA will be ‘helping’ to secure it). It looks like Google want some of the big dollars that Facebook and Twitter make – and of course everything will be searchable and exploitable for ad companies to target.

All the fuss around social networking has really highlighted to me the need for good security education – we’ve moved into a new world, one where children are growing up with social networking, mobile phones and so on as an integral part of life. I can’t imagine how my parents ever managed without being able to contact me by phone, or being able to look up my status on Facebook, but somehow they did. Parents have a different problem today: how to preserve the privacy of their families and children while taking advantage of what these new technologies offer. The sad fact is that in many cases the kids know much more about the technology than the parents, but neither the parents nor the children understand the threats. I’m often called paranoid, but it’s my belief that in some ways you can’t be too careful; our privacy, and therefore our right to a private life for ourselves and our progeny, is daily being eroded by the whim of government and the campaigning of large corporations.

It’s therefore refreshing that the British government has got behind a new campaign to highlight the dangers of the online world, targeting children as young as five. While the campaign understandably focuses on protection from paedophiles, the advice has wider use, though sadly it doesn’t seem to stretch to take in malware issues.

While I’m encouraged that the government is finally doing something, I’d be much happier to see a comprehensive plan in place that focuses on education in schools, where security is taught as a discipline alongside all IT classes. We’re a long way from that, but I (and several others who blog here) will keep tilting at that particular windmill.

Andrew Lee
CEO, AVIEN & CTO K7 Computing

Who owns you?

David recently blogged here (http://avien.net/blog/?p=253) on his concerns over the ways that our personal data is increasingly online and available to everyone who might want it.

On a similar theme, a site called “Web 2.0 Suicide Machine” has recently been sent a cease and desist order by Facebook on the grounds that by “collecting login credentials, the site violates its Statement of Rights and Responsibilities”. This sort of controversy raises the question of who owns an account on a site – not just a social networking site; what about a webmail account? But more on that shortly. It’s a tricky question, and I suspect that the answer is that the information is jointly owned: once you give the information, you enter a contract that allows the recipient to use your info according to their terms and conditions (which could be to publish it all over the place, or just to change your password and never let you back into the account).

It’s only recently that Facebook provided its members with a facility to fully delete (rather than deactivate) their accounts. As someone who spends a lot of time on social networking sites, I’ve often felt the urge to be able to ‘get away from it all’. The idea of being able to commit ‘Web 2.0 suicide’ is in some ways quite appealing, and it does remove the awful problem of trying to delete all that data yourself – and avoids the thorny problem of always being able to get back in and start again. I did actually do this at one point: I entirely deleted my accounts on MySpace and Bebo, removed as much as I could from Orkut (more on Google below) and deactivated (the only option available at the time) my Facebook account. However, after some time, with messages still constantly arriving from Facebook, I succumbed and reactivated my account (although I’m much less obsessive about it, and used the privacy controls to lock it down far more than had been the case before). I’ve never revived the other accounts, basically because I’m too lazy to set them up again. I’m pretty sure that I’d not have come back to Facebook had my account actually been deleted – but Web 2.0 Suicide Machine (and similar services) are in some ways even better: they leave you no option but to start again, because they change your password, and your profile will still exist, only you can’t get to it.

Of course, giving a third party (whether an SN site like Facebook or a service like W2.0SM) your account information is a risk, because you don’t really know what they’re going to do with it: maybe W2.0SM are going to sign you up to all sorts of groups or services on FB, or use your account to click through on site advertising to raise revenue, maybe they’ll harvest your email addresses and send them to spammers, maybe they’re going to use your phone number and address to do all manner of things. I doubt it, but it’s possible, were less ethical people in charge of it. At the very least, if you’re going to use such a service, remove your most critical private information first.

You can read more on this story here: http://news.bbc.co.uk/1/hi/technology/8441080.stm

Sometime last year, I got an invitation to Google Wave (http://wave.google.com) and had a play around with it. It’s interesting in many ways – not all of them obvious. There has been plenty of comment in other places about what Google Wave does, or what it doesn’t do, but I’m not really interested in that. As far as I’m concerned it was pretty much a failure because nobody could really think of a problem that it solved in a better way than existing technologies. But, what does interest me is what that sort of platform offers to Google. In a collaboration system you have multiple people working on topics. They will discuss the topic, and the group will be focused on a single issue (or set of issues). This is a goldmine for a company like Google which makes money from selling advertising. Nearly everything that Google does is ‘free’ to the user, and the cost is that everything you do is tracked and monetized somehow for Google’s advertising clients. The more services Google provides, and the more you sign up to use, the more exposed you are (and therefore the more useful to Google). I have Gmail (and therefore Gmail Chat), Picasa, Google Wave, Google Apps, a Google Books library, a Google Calendar and so on (as mentioned above I also have a Google Orkut account, though relatively denuded of information). Now, all of those things provide information about me and my interests to Google, allowing targeted advertising to be delivered, and useful demographic information to be collected.

Google Wave is a whole different beast, because it doesn’t just connect a few random parts of my life that may or may not be current (for instance, me posting photographs of me with funny hair as a teenager isn’t really that interesting to Google – nor to anyone else, I should think); it connects people who are discussing a topic of mutual interest, in real time. Planning a trip to India? Great: in real time, to your group specifically, Google can target advertising from firms offering travel services in India. Working on a conference in Sydney? Google can target advertising from firms in the area. Even better, your conference is at the Four Points Sheraton? Great, Google can advertise a room discount, the restaurants within walking distance, a limo service, the theaters, cinemas etc. About to go for a coffee break? Google can pop up the location of the nearest StarCostaPacket coffee store and offer a 50c discount good for the next two hours.

It’s clear that corporations are interested in getting the most relevant information to consumers, and what better way than exploiting real-time data on topics currently under discussion? It’s a goldmine, or would be, if only there were a problem that only Google Wave could fix.

Andrew Lee CISSP
AVIEN CEO, CTO K7 Computing Pvt Ltd.