Jun 9 2010

Google pays $2,000 for report of a vulnerability in Chrome

Google has paid out its highest sum yet, $2,000, for the discovery of a vulnerability found in its Chrome browser. The recipient is developer Sergey Glazunov, who found a DOM method-related means of circumventing the same origin policy. Details of the vulnerability are not yet publicly available, but it is likely that it could allow a web page to access content from other web pages. Google classifies the risk as high. Update 5.0.375.70 for Windows, Mac and Linux resolves the problem.

The update also fixes a further 10 vulnerabilities, eight of which are classified critical. Two of the vulnerabilities were discovered by Apple – both Chrome and Apple’s Safari being WebKit-based. An update for Safari which fixed 48 vulnerabilities was released yesterday. One of the vulnerabilities in Chrome affects only the Linux version and enables escape from the sandbox.

As part of its Chromium Security Reward programme, launched earlier this year, Google has been rewarding those reporting security vulnerabilities with $500. In special cases, a committee can decide to increase the amount to a maximum of $1,337, but the maximum is only awarded for vulnerabilities which are particularly critical, or for particularly clever reports on vulnerabilities and their exploitation.

Google is hoping that this will improve the security of its browser and therefore the security of its users. It’s not clear why Google raised the sum to $2,000 in this case.

Source


Jun 5 2010

Google Explains Security Procedures

In an effort to communicate its commitment to the security of its online services, Google on Friday published a paper that delves into its corporate security strategy.

Eran Feigenbaum, director of security for Google’s enterprise group, characterizes the paper as an attempt to be more transparent. It would also be fair to characterize the paper as an attempt to counter the perception that Google’s online services are somehow less secure than traditional on-premises systems, a claim often made by Google’s competitors.

“Feeling comfortable storing data in the cloud involves trusting a cloud services provider and the practices and policies they have in place,” said Feigenbaum in a blog post. “In today’s ultra-connected, Web-capable world, understanding how data will be protected is ultimately more meaningful than knowing it is physically located in one data center or another.”

Google itself put that trust at risk earlier this year when it disclosed that it had suffered “a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”

Part of Google’s response to that incident — said to be made possible as a result of a previously unrecognized flaw in Internet Explorer 6 — has reportedly been phasing out the use of Microsoft’s Windows operating system at the company, a move that may be motivated by marketing concerns in addition to worries about security.

But Google’s work making potential customers feel comfortable in its cloud isn’t done. In March, Yale delayed a planned move to Google Apps for Education over security concerns. When the City of Los Angeles was considering abandoning its Novell e-mail system for Google Apps and Gmail, similar concerns were raised. The deal ultimately went through but such fears remain.

Google’s paper, Security Whitepaper: Google Apps Messaging and Collaboration Products, should help allay those fears. It describes the company’s corporate security policies, organizational and operational security, asset classification and control practices, personnel, physical, and environmental security, access control, systems development and maintenance, and disaster recovery efforts.

It may not be quite as fun as, say, the comic book Google used to introduce its Chrome browser, but it’s likely to help IT decision makers render more informed judgments about Google’s services.

Source


May 27 2010

Gov 2.0: Google Readies Government Cloud

Google has submitted final materials to get its cloud computing services certified for use by federal agencies, and is nearing release of its government-specific cloud, a top Google executive said Wednesday.

While Google Enterprise president Dave Girouard admitted in an interview after his keynote at the Gov 2.0 Expo in Washington, D.C., that the process had taken longer than some may have anticipated — Google announced its government cloud computing plans last September — he said that conversations with potential customers are already underway.

In the federal sector, more than 100 federal agencies are already customers of Google’s other products, including Google Earth, Google Maps, and Google Enterprise Search. Those relationships provide Google, which has been steadily building its federal presence with offices in Washington, D.C., and Reston, Va. under the watch of former Microsoft federal executive Mike Bradshaw, with the contacts necessary to develop business in the federal sector once Google completes its federal certifications and launches its government cloud.

“We have a lot of state and local interest, and, increasingly, with FISMA certification arriving soon, think we have an opportunity with the federal sector,” Girouard said, referring to the security requirements of the Federal Information Security Management Act, which govern federal cybersecurity.

Google is one of the launch vendors for FedRAMP, a forthcoming federal government process that will enable cloud computing vendors to certify their services once for federal use, after which multiple agencies that want to use those services can rely on the same certification. The current process is to do everything agency by agency.

The FedRAMP process could ease one of the primary concerns vendors have had about getting into the federal space: inconsistent security requirements across government. “Expectations about the cloud have to be a little different,” Girouard said. “Although we have tried to make our services as flexible as possible in terms of the ability to set policies, we can’t have different settings for everything for everyone — it would fundamentally break the cloud.”

However, Girouard said that in addressing the federal government’s unique cybersecurity demands, the majority of Google’s work thus far has centered around documenting, clarifying, and explaining Google’s security rather than re-inventing or changing its security posture.

Still, one of the persistent concerns about Google has been its commitment to enterprise security, and the well-publicized recent hacking attempts on Google have done little to ameliorate those concerns. “We are going to be first and best in cloud security,” Girouard said, noting features like forced SSL encryption in the government cloud offerings.

Source


Apr 22 2010

Google hackers duped system administrators to penetrate networks

The hackers who penetrated the computer networks of Google and more than 30 other large companies used an increasingly common means of attack: duping system administrators and other executives who have access to passwords, intellectual property and other information, according to cybersecurity experts familiar with the cases.

“Once you gain access to the directory of user names and passwords, in minutes you can take over a network,” said George Kurtz, worldwide chief technology officer for McAfee, a Silicon Valley computer security firm that has been working with more than half a dozen of the targeted companies.

Kurtz and others said hackers are mounting ever more sophisticated and effective attacks that often begin with a ruse familiar to many computer users — a seemingly innocuous link or attachment that admits malicious software.

The attacks were publicized in January when Google, one of the world’s most advanced tech firms, announced that intruders had penetrated its network and compromised valuable intellectual property. Google asserted that the attacks originated in China; Chinese officials say they are investigating.

The New York Times reported on its Web site Monday that the Google theft included source code for a password system that controls access to almost all of the company’s Web services.

But the cyber-espionage campaign went far beyond Google, targeting companies with apparently strong intrusion-detection systems, including Adobe, Northrop Grumman and Yahoo, industry sources said.

A decade ago “it was the bad guys burrowing in, breaking through a firewall from the outside,” Kurtz said. “Now, in essence, what they’re doing is having good people on the inside unwittingly connect out to a malicious Web site where their machines can be infected.”

Once a hacker can impersonate a system administrator or a senior executive, it becomes difficult to identify the attackers. “Many of these other companies don’t know if source code has been stolen because the hackers have assumed the identities of people whose passwords have been stolen,” Kurtz said.

The hackers’ goal, industry officials and analysts said, is to obtain information that benefits China in strategic industries and in areas where the country seeks an advantage over U.S. firms.

“The bottom line here is if your company has any business dealings with China or has extremely valuable technology or intellectual property, you have a high likelihood of being a target,” said Rob Lee, a director with Mandiant, a security firm that is working with some of the targeted companies.

He said he believes the same group or groups that have targeted Google and the other companies have penetrated “hundreds if not thousands” more firms. They target not only system administrators but anyone with privileged access to a company’s network, he said.

Figuring out whom to target and how is the result of research, said Shawn Carpenter, a principal forensics analyst at the security firm NetWitness whose former job involved trying to hack into government agencies’ Web sites to help them find their weak spots. “One of the first things we do is build up a dossier,” he said. “What conferences has this person spoken at? What people do they know? Are they likely to open up this type of e-mail attachment if I spoof it as coming from a person who has sat on a panel with them?”

The essence of the attack is “exploiting those human tendencies of curiosity and trust,” Carpenter said.

The targeting of personnel is only one aspect of a larger, more sophisticated operation that involves planning the mode of attack, reconnaissance inside a company’s network, deciding what type of data to go after, and harvesting and analyzing the data, experts said.

“There’s a life cycle of activities that occurs, involving many steps, both with human intelligence and electronic intelligence, to ultimately penetrate these organizations,” said Eddie Schwartz, NetWitness’s chief security officer. “When you’re combining all of these techniques, this is the work of a highly organized group or groups that has specific targets in mind.”

Source


Apr 20 2010

Google’s ‘Gaia’ password system was infiltrated during January attacks

Google’s password system that controls access to almost all Google web services was among the losses incurred in January.

An insider told the New York Times that the Gaia program was attacked in a lightning raid taking less than two days last December. The report claimed that the program had been mentioned publicly only once, at a technical conference four years ago, and that the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

The report claimed that intruders did not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions.

Google executives declined on Monday to comment about the new details of the case, saying they had dealt with the security issues raised by the theft of the company’s intellectual property in their initial statement in January.

They also privately said that the company had been far more transparent about the intrusions than any of the more than two dozen other companies that were compromised, the vast majority of which have not acknowledged the attacks.

Google is continuing to use the Gaia system, now known as Single Sign-On. Hours after announcing the intrusions, Google said it would activate a new layer of encryption for the Gmail service. The company also tightened the security of its data centres and further secured the communications links between its services and the computers of its users.

David Harley, director of malware intelligence at ESET, said: “So I certainly wouldn’t assume any connection between the alleged Chinese breach disclosed in January and recent reports of compromised Gmail accounts, but I wouldn’t discount the possibility either. After all, many of the respondents to the thread flagged by Aleksandr Matrosov were adamant that they hadn’t fallen prey to a phishing attack, and earlier reports did suggest attempts to access the accounts of Chinese human rights activists.

“The point of a single sign-on is to access a range of services: the problem with a single sign-on is that if it’s compromised, it becomes a single point of failure. Of course, it’s a long stretch from confidentiality attacks on Chinese dissidents to a South Korean spam server: I can’t help but wonder, though, what interesting weaknesses the original attackers may have found, and how widely the information on those issues may have been disseminated subsequently.”

Source


Mar 19 2010

Google: Meet skipfish, our automated web security scanner

The safety of the Internet is of paramount importance to Google, and helping web developers build secure, reliable web applications is an important part of the equation. To advance this goal, we have released projects such as ratproxy, a passive security assessment tool; and Browser Security Handbook, a comprehensive guide for web developers. We also worked with the community to improve the security of third-party browsers.

Today, we are happy to announce the availability of skipfish – our free, open source, fully automated, active web application security reconnaissance tool. We think this project is interesting for a few reasons:

* High speed: written in pure C, with highly optimized HTTP handling and a minimal CPU footprint, the tool easily achieves 2000 requests per second with responsive targets.

* Ease of use: the tool features heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

* Cutting-edge security logic: we incorporated high quality, low false positive, differential security checks capable of spotting a range of subtle flaws, including blind injection vectors.

As with ratproxy, we feel that skipfish will be a valuable contribution to the information security community, making security assessments significantly more accessible and easier to execute.

Source


Feb 23 2010

U.S. Pinpoints Coder Behind Google Attack

BEIJING (Reuters) – U.S. government analysts believe a Chinese man with government links wrote the key part of a spyware program used in hacker attacks on Google last year, the Financial Times reported on Monday.

The man, a security consultant in his 30s, posted sections of the program to a hacking forum where he described it as something he was “working on,” the paper said, quoting an unidentified researcher working for the U.S. government.

The spyware creator works as a freelancer and did not launch the attack, but Chinese officials had “special access” to his programming, the report said.

“If he wants to do the research he’s good at, he has to toe the line now and again,” the paper quoted the unnamed U.S. government researcher saying.

“He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers’ work.”

The report did not say how analysts knew about the man’s government ties.

The allegations over the spyware are the latest episode in a dispute that has pitted Google and the United States against China, with its wall of Internet controls and legions of hackers.

In January, Google, the internet search giant, threatened to pull back from China and shut its Google.cn Chinese-language portal over complaints of censorship and sophisticated hacking from within China.

Washington has backed those criticisms and urged Beijing to investigate hacking complaints thoroughly and transparently. Beijing has said it opposes hacking.

The Financial Times report also quoted unnamed sources backing a New York Times report that analysts had traced the online attacks to two Chinese educational institutions, the prestigious Shanghai Jiaotong University and the Lanxiang vocational school.

The two establishments have denied the reports. And the allegation that the latter, a high-school level institute that also trains hairdressers, chefs and car mechanics, could take on one of the world’s most powerful Internet firms has been widely mocked in Chinese cyberspace.

“How can these future cooks be such powerful hackers?” a web user from Zhejiang province said on the portal www.163.com.

The use of the school’s IP address could simply mean that hackers had taken over its computers to hide their tracks.

But Lanxiang’s website also claims to have the “biggest” computer laboratory in the world, a boast it says is confirmed by Guinness World Records.

There was less online comment about the well-respected Jiaotong University, which attracts top graduates and has a School of Information Security Engineering.

(Reporting by Emma Graham-Harrison; Editing by Alex Richardson)

Source


Jan 13 2010

Google threatens to leave China after massive cyberattacks

Google today said that a “highly sophisticated and targeted” attack against its network last month originated in China, and tried to access the Gmail accounts of Chinese human rights activists.

In a blog post Tuesday, David Drummond, Google’s chief legal officer, said that the attacks have forced the company to “review the feasibility of our business operations in China.” Google, continued Drummond, is “no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.”

The end result of those discussions, said Drummond, may be that Google shuts down its search engine and closes its offices in the People’s Republic of China.

“This is a bold and a very difficult move on [Google's] part,” said Leslie Harris, the president and CEO of the Center for Democracy & Technology (CDT), a Washington, D.C.-based civil liberties group. “But with the revelations that there have been major cyber attacks aimed at human rights activists, both in China and in the West, it’s hard to see how Google could have remained silent.”

According to Drummond, Google was one of at least 20 large companies that were targeted by massive attacks in December. In Google’s case, the attacks resulted in the theft of some company intellectual property.

More troubling, said Drummond, was that the attacks were aimed at accessing the Gmail accounts of human rights activists in China. Gmail is officially unavailable in the country, but activists and others use anonymous proxies to circumvent that rule.

“We have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists,” said Drummond, who added that with the exception of two accounts, those attacks had been unsuccessful. The message content of those accounts was not compromised, Drummond claimed; instead, only some information, such as subject lines and the date the account was created, was accessed.

Drummond also said Google had discovered that the Gmail accounts of dozens of U.S.- and Europe-based advocates of human rights in China had been “routinely” accessed by unauthorized users.

“We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech,” said Drummond.

Source


Dec 15 2009

Google’s reCAPTCHA busted by new attack

A security researcher has devised a successful attack on a Google-owned system for blocking malicious scripts on web-based email services and other types of sites.

The attack, described in a paper released Saturday, uses a combination of OCR (optical character recognition) techniques and other methods to break reCAPTCHA, a widely used security measure acquired by Google in September. A CAPTCHA, short for Completely Automated Public Turing test to tell Computers and Humans Apart, is designed to block automated scripts from carrying out certain tasks by first requiring users to solve optical puzzles that aren’t easily cracked by computers.

Jonathan Wilkins of iSEC Partners said the method had a total success rate of 17.5 percent against reCAPTCHA. The rate is significant because of the wide use of botnets by spammers and other miscreants. Even a modest-sized network of 10,000 infected machines with a success rate of 0.01 percent would yield 10 successes every second. That could translate into 864,000 new accounts every day, he said.

“Given this, the attacker doesn’t have to rebuild a complete set of solutions, just enough to get this minimal success rate,” Wilkins wrote. A Google spokesman said the data in the report was collected in early 2008 and didn’t reflect enhancements made to reCAPTCHA since then. “Therefore, this study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” the spokesman wrote in an email. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”

Source


Nov 21 2009

Google Closing GrandCentral’s Site December 31st, 2009

I just received this e-mail from Google:

Dear GrandCentral User (username):
We’re writing to let you know that we will be closing down the GrandCentral website as of December 31, 2009.

All GrandCentral accounts were upgraded to Google Voice earlier this year, but since that time, you’ve still been able to log in to your GrandCentral account and listen to old messages there. You will no longer be able to log in to your GrandCentral account after December 31. Because of this, we strongly suggest downloading any messages or contacts that you want to keep in the next 43 days.

We will send you another reminder before closing down the site, but we suggest you take action now to download any information you want to keep.

- The Google Voice Team