Tag Archive for: Google

Google Proposes Method for Stopping Multifactor Runaround

Google recognizes that cookie theft poses a significant challenge for users and is actively working on a solution to mitigate it. They propose a mechanism called Device Bound Session Credentials (DBSC), which aims to tie authentication data to a specific device, rendering stolen cookies ineffective.

Cookies remain a common method for websites to store session information locally, enabling users to stay signed in and retain site preferences. However, malicious software can target cookies, extracting them from a user’s device and transmitting them to remote attackers for potential unauthorized access to user data.

Google’s DBSC initiative involves employing cryptographic keys to associate sessions with individual devices. This process involves generating a unique public/private key pair locally on the device, with the private key securely stored by the operating system, possibly leveraging hardware features like Trusted Platform Module (TPM) for enhanced security.

The DBSC API associates a session with the generated public key and allows the session to be refreshed periodically with cryptographic proof of device binding. This verification occurs separately from regular web traffic and only while the user is actively engaged in the session.

Google emphasizes privacy protection, ensuring that each session is linked to a distinct key and preventing sites from correlating keys across different sessions on the same device. Only the per-session public key is transmitted to the server for proof of key possession.
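The following Go sketch is an added illustration, not Google's code or the DBSC specification: it models the server-side check the mechanism above relies on, with a session bound to a per-session public key, each refresh requiring an ECDSA signature over a fresh server challenge, and a refresh presented without the device-held private key being rejected. Cookie lookup, TPM storage and the real DBSC message formats are omitted, and the names (BoundSession, Refresh, DeviceSign) are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// BoundSession is the server's record for one session: the public key the device registered at sign-in
// and the challenge it must sign at the next refresh. The private key never leaves the device.
type BoundSession struct {
	pub       *ecdsa.PublicKey
	Challenge []byte
}

// Rotate issues a fresh random challenge, so a captured signature cannot be replayed.
func (s *BoundSession) Rotate() []byte {
	s.Challenge = make([]byte, 32)
	rand.Read(s.Challenge)
	return s.Challenge
}

// Refresh renews the session only if sig is a valid ECDSA signature over the current challenge under
// the bound key; a cookie presented without the device key cannot produce one.
func (s *BoundSession) Refresh(sig []byte) (next []byte, ok bool) {
	d := sha256.Sum256(s.Challenge)
	if !ecdsa.VerifyASN1(s.pub, d[:], sig) {
		return nil, false
	}
	return s.Rotate(), true // a real server would also issue a fresh short-lived cookie here
}

// DeviceSign is the browser side: sign the server's challenge with the key held on the device.
func DeviceSign(priv *ecdsa.PrivateKey, challenge []byte) []byte {
	d := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return sig
}

// Demo: the real device refreshes; an attacker holding the stolen cookie but not the key fails;
// replaying the earlier valid signature fails because the challenge has rotated.
func Demo() (legit, stolen, replay bool) {
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated on the device at sign-in
	sess := &BoundSession{pub: &devKey.PublicKey}               // server binds the session to the public key
	sess.Rotate()
	sig := DeviceSign(devKey, sess.Challenge)
	next, legit := sess.Refresh(sig)
	attKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // attacker's own key, not the bound one
	_, stolen = sess.Refresh(DeviceSign(attKey, next))
	_, replay = sess.Refresh(sig)
	return
}

func main() { fmt.Println(Demo()) } // true false false
```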

Initial adoption of DBSC is expected to cover approximately half of desktop users, dependent on hardware capabilities like TPM availability. Google contemplates extending support to software-based keys for broader user coverage and compatibility.

To encourage widespread adoption, Google is collaborating with industry stakeholders, including identity providers and potentially Microsoft for integration into its Edge browser. The project is being developed openly on GitHub with the intention of establishing an open web standard.

DBSC aligns with Google’s strategy of phasing out third-party cookies in Chrome. Early experiments are underway to protect Google Account users in Chrome Beta, with plans to extend the technology to Google Workspace and Google Cloud customers for enhanced account security.

This initiative draws parallels to Intel’s past attempt with Processor Serial Number (PSN) for tracking, which faced backlash and discontinuation due to privacy concerns. However, Google aims to address privacy issues and gain broader industry support for DBSC as a standardized security measure.


Serious New Warning Issued for 1 Billion Google Chrome Users


If you’re one of Chrome’s billion-plus desktop users, there’s a devious threat to your personal data and login credentials that’s now getting worse. Google has plans to fix it, but in the meantime you have just been warned to beware the risks…

Cookies get a bad press—these devilish little tracking files on your PC have a nasty habit of following you around the Internet, reporting back on your activity. Google’s long-delayed killing of such third-party trackers is now underway and long overdue.

But those tracking cookies have helpful little cousins, first-party cookies, that recognize your device as belonging to you, and log you back into accounts and websites as an accreditation shortcut—otherwise you’d spend your day logging in.

All very good—unless they’re stolen of course.


“Many users across the web are victimized by cookie theft malware,” Google warns, “giving attackers access to their web accounts. Operators of Malware-as-a-Service (MaaS) frequently use social engineering to spread cookie theft malware.”

Google’s warning comes as part of a proposed update to its Chrome desktop browser to address this, acknowledging that while “fundamental to the modern web… due to their powerful utility, cookies are also a lucrative target for attackers.”

This is mainly a desktop challenge, and Google’s smart answer is to bind such cookies to the user’s device, rendering them useless if stolen absent access to that original device itself. “We’re prototyping a new web capability called Device Bound Session Credentials (DBSC) that will help keep users more secure against cookie theft… By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.”

Put Google’s new beta update to one side for now—take this as a warning to be aware of the risks and to keep those risks in mind—especially when logging into financial sites or enterprise systems belonging to the…

Source…

Google reports a significant surge in zero-day vulnerabilities in 2023


A new report released today by Google LLC’s Threat Analysis Group and Google-owned Mandiant warns that zero-day exploits have become more common amid a rise in nation-state hackers.

The report, “We’re All in this Together: A Year in Review of Zero-Days Exploited In-the-Wild in 2023,” detailed 97 zero-day vulnerabilities observed by Google in 2023, up from 62 in 2022 but down from 106 in 2021. Zero-day attacks exploit a previously unknown vulnerability in software before developers have had the opportunity to fix it.

Of the 97 zero-days tracked in 2023, 36 targeted enterprise-focused technologies, such as security software and devices, while the remaining 61 affected end-user platforms and products, such as mobile devices, operating systems, browsers and other applications.

Adversary exploitation of enterprise-specific technologies jumped 64% over the previous year, and Google has also seen a general increase in the number of enterprise vendors targeted since 2019. Attackers shifted toward third-party components and libraries in 2023, where zero-day vulnerabilities proved to be a prime attack surface.

Commercial surveillance vendors (CSVs) — companies that develop and sell tools and software designed for monitoring and gathering intelligence, often used by governments — were found to be behind 75% of known zero-day exploits targeting Google products and Android ecosystem devices in 2023. CSVs were also found to be behind 60% of the 37 zero-day vulnerabilities in browsers and mobile devices exploited in 2023.

The report alleges that China was the lead source of government-backed exploitation, claiming that Chinese cyber espionage groups exploited 12 zero-day vulnerabilities in 2023, up from seven in 2022.

Another finding in the report was surprising: The Google researchers found that exploitation associated with financially motivated actors proportionally decreased in 2023, with financially motivated actors found to account for only 10 zero-day exploits last year. Threat group FIN11 was found to be behind three of them.

“Exploiting zero-days is no longer a niche capability,” the report notes. “The proliferation of exploit technology…

Source…

Google Confirms Massive Increase In Zero-Day Vulnerabilities Exploited In Attacks Due To Spyware Vendors


Google has published a new report describing the significant rise in zero-day vulnerabilities exploited in attacks during 2023.

Both its Threat Analysis Group and the company’s subsidiary Mandiant note that the figures continue to grow, and that much of the growth is driven by spyware vendors.

The figures reached 97 zero-days, a rise of more than 50% compared with the previous year’s 62. Despite this increase, the count remains well below the 106 seen in 2021.

Together, the two groups themselves observed 29 of the 97 vulnerabilities. Of the 97, 61 affected end users of products and services such as mobile phones, browsers, and social media apps.

The remainder were used against enterprise technology such as security software and a range of other devices. On the enterprise side, a wide array of vendors and products is under attack, and increasingly specific technologies are being affected.

They also note that, as the years pass, vendors are discovering and patching the bugs used by attackers faster, which means shorter lifespans for the exploits in question.

In 2023, a wide range of threat actors made use of zero-day vulnerabilities (see Figure 10 of the report). Notably, China was highlighted as being behind most of the government-backed attacks, some of which were carried out by espionage groups from the country, a trend that is moving upward.

In 2023, commercial surveillance vendors were the main culprit behind the attacks that kept targeting both Android and Google devices.

They accounted for up to 75% of all zero-day exploitation hitting those platforms. In addition to that, there were vendors

Google also linked close to 60% of the 37 zero-day vulnerabilities in browsers and mobile devices exploited in 2023 to CSVs that sell spyware to government clients.

Way back in February, Google revealed how so many…

Source…