Spam and phishing in 2016

2016 saw a variety of changes in spam flows, with the increase in the number of malicious mass mailings containing ransomware being the most significant.

These programs are readily available on the black market, and in 2017 the volume of malicious spam is unlikely to fall.

Handful of “highly toxic” Wikipedia editors cause 9% of abuse on...

New study of Wikipedia comments reveals most attackers aren’t anonymous.

Chaos and alphabet soup: The verdict on the UK’s cyber security...

An 'inconsistent, dysfunctional and chaotic' approach to cybersecurity is giving the Public Accounts Committee concerns about national security.

Google moves into the Certificate Authority business

Google has launched its own root Certificate Authority (CA), which will allow the company to issue digital certificates for its own products and not have to depend on third-party CAs in its quest to implement HTTPS across everything Google. Thus fa...

Firefox bares teeth, attacks sites that collect personal data

If it wants a password and doesn't use HTTPS, Mozilla will breathe fire

Shoddy sites will have fewer places to hide with Firefox joining Chrome in badging cleartext sites that collect personal information as insecure. Mozilla's labels won't be as prominent as Google's, introduced this year, which places the red-letter label in the address bar.

Firefox will instead tuck its warning in the same spot, behind a crossed-out lock that reads "not secure" when clicked. Firefox product veep Nick Nguyen says the move follows the company's many musings on the benefits of HTTPS.

"Starting today in the latest Firefox, web pages that collect passwords, like an email service or bank, but have not been secured with HTTPS will be more clearly highlighted as potential threats," Nguyen says. "Up until now, Firefox has used a green lock icon in the URL bar to indicate when a website is secure (using HTTPS) and a neutral indicator (no lock icon), otherwise.

"In order to more clearly highlight possible security risks, these pages will now be denoted by a grey lock icon with a red strike-through in the URL bar."

The insecurity stickers will expand in future releases with a floating box, triggered when users click password entry fields on cleartext sites, that reads "logins entered here could be compromised". A further development will expand the struck-out lock icon and slap it on all cleartext sites regardless of whether they collect passwords or credit cards.

"To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don't use HTTPS, to make clear that they are not secure," Firefox staffers Tanvi Vyas and Peter Dolanjski wrote. "As our plans evolve, we will continue to post updates but our hope is that all developers are encouraged by these changes to take the necessary steps to protect users of the Web through HTTPS."

Firefox on insecure sites.

Browser barons are increasingly exercising their power to highlight weak security on web sites.

The push to end cleartext on sensitive sites was greased by the widely supported Let's Encrypt initiative, which offered free SSL certificates to sites and the means to implement them easily. In October, Google announced it would be forcing sites to enforce proper certificate security within a year. The Alphabet subsidiary said it would flag sites with unauthorised certificates and label those that do not subscribe to the initiative as untrusted, a move that will help combat phishing.

Firefox's latest update also brought in audio playback for lossless FLAC fanatics, more efficient video performance, a zoom button, and fixes for security bugs that bypassed ASLR and DEP.

Chrome dev explains how modern browsers make secure UI just about...

The 'LINE OF DEATH' between safe content and untrustworthy stuff is receding every year

Google Chrome engineer Eric Lawrence has described the battle of browser barons against the 'line of death', an ever-diminishing demarcation between trusted content and the no-man's land where phishers dangle their poison. The line, Lawrence (@ericlaw) says, is a conceptual barrier between content that browser developers control, such as areas around the address bar, and untrusted content like browser windows where attackers can serve malicious material.

"If a user trusts pixels above the line of death, the thinking goes, they'll be safe, but if they can be convinced to trust the pixels below the line, they're gonna die," Lawrence says.

But the line is receding because untrusted content now appears above the line in tabs, where attackers can enter their chosen web page title and icon. Chevrons that open small windows displaying extended information on usage of HTTPS, requests for location information, and so on extend below the line and send trusted data into untrusted territory.

Chevrons with trusted data breach the line. Image: Lawrence.

Those subtle intrusions across the line open avenues for phishers; chevron popups can be faked and 'block' and 'allow' buttons turned into malicious clickable links, for example. In 2005, a remote code execution flaw affecting Firefox was dug up which abused favicons, the untrusted icons websites set that appear in tabs and bookmarks.

The line of death deteriorated in 2012 when Microsoft moved Windows 8 Internet Explorer to its full-screen, minimalistic immersive mode. Lawrence, then program lead for Internet Explorer with Microsoft, opposed the move and says it made the line of death indistinguishable from content. "... because it (Internet Explorer) was designed with a philosophy of 'content over chrome', there were no reliable trustworthy pixels," he says. "I begged for a persistent trust badge to adorn the bottom-right of the screen - showing a security origin and a lock - but was overruled."

He says one Microsoft security wonk built a "visually-perfect" PayPal phishing site that duped the browser and threw fake indicators. "It was terrifying stuff, mitigated only by the hope that no one would use the new mode."

The breaching of the line of death is a boon to picture-in-picture phishing attacks, in which attackers create what appear to be fully functional browsers within a browser.
Immaculate reproductions of browsers including the trusted sections above the line of death have been created that fool even eagle-eyed researchers. Microsoft's own security researchers in 2007 would find picture-in-picture attacks to be virtually perfect.

The team of four wrote, in a paper titled An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks [PDF], that the attack vector was so compelling it beat all other phishing techniques, including homograph tricks in which letters of legitimate URLs are replaced with visually similar equivalents from, for example, the Cyrillic alphabet.

Everything is untrusted: The line of death dies in HTML5. Image: Lawrence.

Picture-in-picture attacks also rendered ineffective the then-new extended validation SSL certificate scheme for determining malicious sites.

Extended validation, now mainstream, displays a green address bar padlock for participating and verified sites.

The inconvenient research spooked one large certificate vendor then in talks with Redmond over buddying up for the then-new certificates. The line of death receded further with the advent of HTML5, which brought with it the ability for websites, and phishers, to push browsers into fullscreen mode, wiping any line between trusted and untrusted content. And the line is all but absent on mobile devices, where simplicity and minimalism are king.

"We are seeing a lot more hits on phishing links in mobile because it is so much harder to extract necessary information," Sophos senior technology consultant Sean Richmond tells El Reg. "Expanding the URLs is more difficult and it is harder to get the information users need to make decisions, so security awareness can suffer."

Email apps are similarly breaching the line of death. Outlook's modern versions place a trusted message of "this message is from a trusted sender" within the untrusted email contents window, allowing phishers to replicate the notice. "Security UI is hard," Lawrence says.