Google


#hacking | Google develops Linux tool that tackles USB keystroke injection attacks

Source: National Cyber Security – Produced By Gregory Evans

‘Voight-Kampff test’ provides warnings about thumb drive malfeasance

Google has developed a tool for Linux machines that combats USB keystroke injection attacks by flagging suspicious keystroke speeds and blocking devices classified as malicious.

Keystroke injection attacks can execute malicious commands via a thumb drive connected to a host machine, by running code that mimics keystrokes entered by a human user.

In a post on the Google Open Source blog, Google security engineer Sebastian Neuner explained Google’s tool uses two heuristic variables – KEYSTROKE_WINDOW and ABNORMAL_TYPING – to distinguish between benign and malicious inputs.

Measuring the time between two keystrokes, KEYSTROKE_WINDOW can generate false positives if users hit two keys almost simultaneously, although accuracy rises along with the number of keystrokes logged.

ABNORMAL_TYPING specifies the ‘interarrival time’ – or gap – between keystrokes.

The heuristic works because automated keystroke inputs are typically faster than those of humans, among other factors.

Neuner advises users to recalibrate the default parameters by gauging their own typing speed using online utilities whilst running the Google tool in ‘monitoring’ mode.

Done over several days or even weeks, this should gradually lower the false positive rate until eliminated, he explained.

The process trains the system to recognise the user’s normal typing pattern, thereby helping it reduce the number of false alarms: instances where genuine user input is incorrectly flagged as malign.
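The heuristic and the calibration advice described above, as an added example in Python that is not code from the article or from Google’s tool. It assumes KEYSTROKE_WINDOW counts the consecutive keystrokes being compared and ABNORMAL_TYPING is the interarrival threshold in microseconds; the default values, the device names, the ‘monitor’/‘hardening’ mode names and the timestamps are all constructed for this example.

```python
"""Added example, not code from the article or from Google's tool: a minimal
model of the interarrival-time heuristic the article describes, run over
constructed keystroke timestamps.  What each named parameter means is an
assumption here; the numeric defaults and the mode names are constructed."""

KEYSTROKE_WINDOW = 5      # assumed meaning: number of consecutive keystrokes compared
ABNORMAL_TYPING = 50_000  # assumed meaning: interarrival threshold in microseconds (50 ms)


def interarrival_times(timestamps_us):
    """Gaps between successive keystrokes, in microseconds."""
    return [b - a for a, b in zip(timestamps_us, timestamps_us[1:])]


def is_injection(timestamps_us, window=KEYSTROKE_WINDOW, threshold_us=ABNORMAL_TYPING):
    """True if some run of `window` consecutive keystrokes arrived with every
    gap below `threshold_us`.  One near-simultaneous pair (Shift held with a
    letter) cannot trip a window of 5 on its own; it can trip a window of 2,
    which is the false positive the article warns about."""
    gaps = interarrival_times(timestamps_us)
    need = window - 1                      # a window of N keystrokes has N-1 gaps
    if need < 1 or len(gaps) < need:
        return False
    return any(all(g < threshold_us for g in gaps[i:i + need])
               for i in range(len(gaps) - need + 1))


def classify_devices(events, mode="monitor", **kw):
    """events: iterable of (device_id, timestamp_us) from all keyboards.
    Returns {device_id: action}.  'monitor' only reports, 'hardening' is the
    action a blocking mode would take; both names are this example's own."""
    by_device = {}
    for device, ts in events:
        by_device.setdefault(device, []).append(ts)
    actions = {}
    for device, stamps in by_device.items():
        if is_injection(sorted(stamps), **kw):
            actions[device] = "log-only" if mode == "monitor" else "unbind"
        else:
            actions[device] = "allow"
    return actions


def max_safe_threshold(human_timestamps_us, window=KEYSTROKE_WINDOW):
    """Calibration from monitor-mode samples of the user's own typing.  The
    detector fires when the LARGEST gap in a window is still below the
    threshold, so the largest threshold that would not have flagged this
    sample is the smallest per-window maximum observed."""
    gaps = interarrival_times(human_timestamps_us)
    need = window - 1
    return min(max(gaps[i:i + need]) for i in range(len(gaps) - need + 1))


def cumulative(gaps_us, start=0):
    """Turn a list of gaps into absolute timestamps."""
    out, t = [start], start
    for g in gaps_us:
        t += g
        out.append(t)
    return out


# Constructed sample data (not captured from a real device).
HUMAN_GAPS_US = [180_000, 120_000, 3_000, 95_000, 210_000, 150_000, 130_000, 300_000, 110_000]
HUMAN_TS = cumulative(HUMAN_GAPS_US)          # one 3 ms gap: Shift pressed with a letter
INJECTED_TS = cumulative([12_000] * 20)       # 12 ms per character, roughly 1,000 wpm
EVENTS = [("internal-kbd", t) for t in HUMAN_TS] + [("usb-hid-7", t) for t in INJECTED_TS]

if __name__ == "__main__":
    print("monitor  :", classify_devices(EVENTS, mode="monitor"))
    print("hardening:", classify_devices(EVENTS, mode="hardening"))
    print("largest threshold this user's sample tolerates (us):", max_safe_threshold(HUMAN_TS))
```

Running the block reports which constructed device would be logged or unbound in each mode, and the largest threshold the human sample tolerates (180 ms here); raising ABNORMAL_TYPING past that value makes the human sample trip the detector, which is exactly the calibration loop the article describes.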

Simple, inexpensive, widely available

Keystroke injection tools are relatively inexpensive and widely available online, noted Neuner.

Darren Kitchen, founder of pen test tool developer Hak5, is well placed to comment. He invented keystroke injection in 2008 and pioneered the first tool to simulate attacks: the USB Rubber Ducky, which featured in the iconic hacker TV series Mr. Robot.

“Keystroke injection attacks are popular because they’re simple – the barrier to entry is extremely low,” Kitchen, also founder and host of the popular Hak5 Podcast, told The Daily Swig. “I developed the now de facto language, Ducky Script, so anyone can learn it in a minute or two.”

Keystroke injection attacks are also difficult to detect and prevent, according to Neuner, since they’re delivered via the most widely used computer peripheral connector: the humble USB.

Keystrokes are also sent “in a human eyeblink while being effectively invisible to the victim” sitting at the computer, he said. Kitchen pointed out that the “USB Rubber Ducky can type over 1,000 words per minute with perfect accuracy and never needs a coffee break”.

Kitchen recounts how he developed keystroke injection to “automate my then mundane IT job – fixing printers in the terminal with one-liners”, before realizing that it “violated the inherent trust computers have in humans.

“That’s a flaw that’s hard to fix,” he continued, “because we want computers to trust us, and the way we speak to them (Alexa notwithstanding) is by keystrokes.”

‘Hacking the Gibson’

However, the attack is “only as powerful as the user that logged in”, said Kitchen, adding that he probably wouldn’t be “hacking the Gibson” since his machines are restricted in what the ordinary user can do.

“On the other hand, if you’re in an organization that has ignored security best practices over the past decade, and all of your ordinary users have administrative privileges, then yeah – keystroke injection attacks are a problem (and you probably have many more).”

Neuner, who posted two videos demonstrating an attack against a machine with and without the tool installed, advised against viewing Google’s utility as a comprehensive fix.

“The tool is not a silver bullet against USB-based attacks or keystroke injection attacks, since an attacker with access to a user’s machine (required for USB-based keystroke injection attacks) can do worse things if the machine is left unlocked,” he said.

The security engineer added that Linux tools like fine-grained udev rules or open source projects like USBGuard, through which users can define policies and block specific or all USB devices while the screen is locked, can add further protection.

Matthias Deeg, head of research and development at German pen testing firm SySS GmbH, said it remained to be seen how effective Google’s tool would prove.

“In my opinion, this new tool is interesting and may actually help prevent automated keystroke injection attacks, for instance via bad USB devices,” Deeg, who has researched wireless input devices, including their use for keystroke injection attacks, told The Daily Swig.

“However, we have not yet tested this tool and its implemented heuristics used for detecting automated keystroke injection attacks, and thus cannot say how easily it can be bypassed by tweaking the keystroke injection behavior of the attacker tool. This appears to be a good old cat-and-mouse game.”

A GitHub README for the Google tool includes a step-by-step setup and operation guide. The utility runs as a systemd daemon, which is enabled on reboot.


Source link

The post #hacking | Google develops Linux tool that tackles USB keystroke injection attacks appeared first on National Cyber Security.

View full post on National Cyber Security

#nationalcybersecuritymonth | Facebook, Google and Twitter Rebel Against Pakistan’s Censorship Rules


Mr. Khan rose to power in Pakistan in 2018 partly because of his party’s strong presence on social media, a fact he acknowledges in his speeches. But now that he is in charge, he has shown little patience for online criticism.

Pakistan’s powerful military is also averse to debates on social media platforms, especially on Twitter, which is used by critics to question human rights violations and the military’s involvement in politics.

Over the past two years, Pakistani government requests for Facebook, Google and Twitter to remove content have increased sharply, according to transparency reports published by the companies. Pakistan disclosed in September that it had blocked more than 900,000 web pages for various reasons, including pornography, blasphemy and sentiments against the state and military.

Separately, regulators in Pakistan have proposed requiring online video sites to obtain licenses from the government.

There is a strong case to be made that the government is overstepping its authority with the new rules, said Muhammad Aftab Alam, executive director of the Institute for Research, Advocacy and Development, a Pakistani public policy group.

“This national coordinator is judge, jury, regulator and executioner as well,” he said.

At least two lawsuits challenging the rules have already been brought in Pakistani courts.

“The main objective of the impugned rules seems to be to control the social media through indirect control by the government and ruling party,” read the petition in one case, filed by Raja Ahsan Masood, who asked the court to declare them unconstitutional.

Vindu Goel reported from Mumbai, and Salman Masood from Islamabad, Pakistan. Zia ur-Rehman contributed reporting from Karachi, Pakistan, and Davey Alba from New York.


#infosec | Google Pulls 600 Apps from Play Store


Google has removed almost 600 Android apps from its Play Store for violating its policy on disruptive advertising.

The tech giant has not only removed the titles from the Android marketplace but also banned them from Google AdMob and Ad Manager, meaning their developers will not be able to monetize them on its platforms.

The disruptive ad practices highlighted by Google included “out of context” advertising, which pops up when the user isn’t even logged into a specific app.

“This is an invasive maneuver that results in poor user experiences that often disrupt key device functions and this approach can lead to unintentional ad clicks that waste advertiser spend,” argued Per Bjorke, senior product manager for Ad Traffic Quality.

“For example, imagine being unexpectedly served a full-screen ad when you attempt to make a phone call, unlock your phone, or while using your favorite map app’s turn-by-turn navigation.”

Bjorke explained that Google had developed machine learning functionality to help detect such “out of context” ads, which led to this enforcement action.

“Mobile ad fraud is an industry-wide challenge that can appear in many different forms with a variety of methods, and it has the potential to harm users, advertisers and publishers,” he added.

Google is also getting better at finding and removing apps on its Play Store that contain malware. Last year, it claimed to have increased rejected app submissions by over 55% and app suspensions by more than 66% in 2018.

That doesn’t stop the black hats trying, however: malicious apps still make their way onto the platform and sometimes are downloaded millions of times before being blocked.

In June last year, adware was found in 238 apps on the Play Store, installed by an estimated 440 million Android users.

However, downloading apps from the official marketplace is still the recommended option: last year, Android malware dubbed “Agent Smith” was downloaded over 25 million times from a popular third-party store.



#deepweb | HMS and Huawei app store target Google, Apple: When it all changed


The year 2020 will prove to the world just how ready Huawei is to live in a world without Google on Android. Huawei was blocked last year from working with Google directly, leading it to seek an alternative to GMS (Google Mobile Services), the official license from Google to include Google apps and the Google Play digital content store on Android devices. Here in 2020, Huawei is about to release its first phone with both the Huawei app store and HMS (Huawei Mobile Services), and it won’t be the last.

The launch

Honor President Zhao Ming spoke in an interview with WEMP/ Tencent Deep Web via author Ma Guanxia, confirming the release of the Honor V30 for an event in Barcelona “next week.” That’ll probably be on or after the 24th of February, 2020. At that time, though MWC 2020 was cancelled due to NCoV-2019 (novel coronavirus), local European Huawei/Honor employees will take up the mantle and hold a Huawei conference / press event via the web.

Huawei will reveal the Huawei V30 series smartphone line as well as at least one new Huawei smartwatch and Huawei notebook / laptop computer. This will be the first time a smartphone is released anywhere in the world with HMS, Huawei Mobile Services, the Huawei-made alternative to GMS, Google Mobile Services, on Android OS.

Development and growth

“Our solid hardware capabilities and distributed operating system capabilities, as well as our ability to share future-oriented industry development with the industry, will help the rapid development of the entire Huawei Mobile Services,” said Zhao Ming [roughly translated]. “Because of this,” said Zhao Ming, “[HMS deployment] may exceed many original pre-judgments and expectations.”

Zhao Ming went on to state that at some point in the future, Huawei expects HMS to have one massive set of their own apps that exist within their own app store, or “app gallery” as he put it. “The app gallery will be the third largest application platform,” said Zhao Ming, “after Apple and GMS.”

Ditching Google or not

At the end of January, 2020, Huawei leadership had some differing opinions – or some messaging that ended up a bit lost in translation. A report in Der Standard suggested that a Huawei official* stated they’d no longer be working with Google services.

“Even if the United States trade ban were cancelled, Huawei will no longer return to Google-Diensten (Google services), the company stressed when asked by Der Standard,” wrote Andreas Proschofsky for Der Standard. “The reason for this is simple: After all, one can not rely on the possibility that a new ban will not be enacted soon afterwards. We want to get rid of this dependence on US politics.”

*UPDATE: The official’s name: Fred Wangfei, Huawei Country Manager for Austria.

Huawei Germany went on to make a statement with the publication T3N. “An open Android system and ecosystem are still Huawei’s first choice,” said a Huawei Germany representative. “However, if we are prevented from using it, we will be able to develop our own operating and ecosystem.”

At the same time, journalist Arnoud Wokke of the publication Tweakers spoke with a Huawei Netherlands general manager, who said that Huawei would go back to using Google Services saying, “Google has been a partner for many years and is a priority for us. We believe in choice for consumers in services on their devices.”

After the other statements were made, Proschofsky added the following: “Just as a note for others who read this. There was no wiggle room in what Huawei told me, I asked them several times (as I was rather surprised myself) and they insisted on not going back to Google – even if the US ban falls.”

Clear as mud

One way or the other, events that took place in 2019 between Huawei and the United States government affected the course of the entire mobile smart device industry from this point forward. We’ll get our next big update on how this is all going to play out next week, as Huawei reveals their hand in Barcelona.


#deepweb | Google Just Gave Millions Of Users A Reason To Quit Chrome


Google Chrome’s seamless updates have long been a big part of its appeal. But perhaps not anymore. With the latest version of Chrome already installed on hundreds of millions of computers and smartphones around the world, a significant warning has been issued that you might not like what it has running inside. 

As picked up by The Register, Chrome 80 (check your version by going to Settings > About Chrome) contains a new browser capability called ScrollToTextFragment. This is deep linking technology tied to website text, but multiple sources have revealed it is a potentially invasive privacy nightmare.

To understand why requires a brief guide to how ScrollToTextFragment works. The simple version is it allows Google to index websites and share links down to a single word of text and its position on the page. It does this by creating its own anchors to text (using the format: #:~:text=[prefix-,]textStart[,textEnd][,-suffix]) and it doesn’t require the permission of the web page author to do so. Google gives the harmless example: 

“[https://en.wikipedia.org/wiki/Cat#:~:text=On islands, birds can contribute as much as 60% of a cat’s diet] This loads the page for Cat, highlights the specified text, and scrolls directly to it.”
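How a text fragment like the one just quoted is resolved, as an added Python example that is not code from the article, from Google or from the Chromium project. It is a simplified model of the directive format given above (case-insensitive substring matching, no word-boundary rules, only the first text= directive honoured); the page text and the second URL are constructed for this example, and the first URL is the Wikipedia example with its comma and percent sign percent-encoded.

```python
"""Added example, not code from the article, Google or the Chromium project:
parses a ScrollToTextFragment directive of the form
#:~:text=[prefix-,]textStart[,textEnd][,-suffix] and resolves it against page
text.  Simplified relative to the real specification: case-insensitive
substring matching, no word-boundary rules, first text= directive only."""
from typing import Optional
from urllib.parse import unquote, urlsplit


def parse_text_directive(url: str) -> Optional[dict]:
    """Return {'prefix', 'start', 'end', 'suffix'} for the first text= directive
    after ':~:' in the URL fragment, or None if there is none."""
    fragment = urlsplit(url).fragment
    if ":~:" not in fragment:
        return None
    for directive in fragment.split(":~:", 1)[1].split("&"):
        if not directive.startswith("text="):
            continue
        # Split on ',' BEFORE percent-decoding: a literal comma in the text must
        # travel as %2C, otherwise it would be read as a field separator.
        parts = [unquote(p) for p in directive[len("text="):].split(",")]
        prefix = suffix = None
        if parts[0].endswith("-"):
            prefix = parts.pop(0)[:-1]
        if parts and parts[-1].startswith("-"):
            suffix = parts.pop()[1:]
        if not 1 <= len(parts) <= 2 or not parts[0]:
            return None                     # malformed directive
        return {"prefix": prefix, "start": parts[0],
                "end": parts[1] if len(parts) == 2 else None, "suffix": suffix}
    return None


def _bounded(text: str, start: int, end: int, d: dict) -> bool:
    """Check the prefix/suffix context around a candidate span (whitespace
    between the context term and the match is allowed)."""
    if d["prefix"] and not text[:start].rstrip().lower().endswith(d["prefix"].lower()):
        return False
    if d["suffix"] and not text[end:].lstrip().lower().startswith(d["suffix"].lower()):
        return False
    return True


def locate(page_text: str, d: dict) -> Optional[tuple]:
    """Return the (start, end) character span a browser would scroll to and
    highlight, or None when the text is not on the page."""
    hay, start_term = page_text.lower(), d["start"].lower()
    pos = 0
    while (s := hay.find(start_term, pos)) != -1:
        e = s + len(start_term)
        if d["end"]:
            e2 = hay.find(d["end"].lower(), e)
            if e2 == -1:
                return None
            e = e2 + len(d["end"])
        if _bounded(page_text, s, e, d):
            return (s, e)
        pos = s + 1                         # context mismatch: try the next occurrence
    return None


# Constructed page text, modelled on the Wikipedia example; not a real page.
PAGE_TEXT = ("The cat is a domestic species of small carnivorous mammal. "
             "On islands, birds can contribute as much as 60% of a cat's diet. "
             "Cats are similar in anatomy to the other felid species.")
# The quoted example URL with its comma (%2C) and percent sign (%25) encoded.
CAT_URL = ("https://en.wikipedia.org/wiki/Cat#:~:text=On%20islands%2C%20birds%20can"
           "%20contribute%20as%20much%20as%2060%25%20of%20a%20cat's%20diet")
# Constructed range-plus-context directive: prefix 'Cats', start 'are', end 'anatomy', suffix 'to'.
RANGE_URL = "https://example.test/page#:~:text=Cats-,are,anatomy,-to"

if __name__ == "__main__":
    for url in (CAT_URL, RANGE_URL):
        d = parse_text_directive(url)
        span = locate(PAGE_TEXT, d)
        print(d, "->", span and repr(PAGE_TEXT[span[0]:span[1]]))
```

The split-before-decode order matters: decoding first would turn the %2C inside “islands, birds” into a field separator and break the directive into two terms. The prefix/suffix context is what lets a link single out one occurrence of a word that appears several times on the page.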

The deep linking freedom of ScrollToTextFragment can be very useful for sharing very specific links to parts of webpages. The problem is it can also be exploited. Warning about the development of ScrollToTextFragment in December, Peter Snyder, a privacy researcher at Brave Browser explained: 

“Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with [the anchor] #:~:text=cancer. On certain page layouts, I might be able [to] tell if the employee has cancer by looking for lower-on-the-page resources being requested.” 

And it was Snyder who spotted that ScrollToTextFragment is now active inside Chrome 80 stating that “Imposing privacy and security leaks to existing sites (many of which will never be updated) REALLY should be a ‘don’t break the web’, never-cross, redline. This spec does that.”

David Baron, a principal engineer at Mozilla, maker of Firefox, also warned against the development of ScrollToTextFragment, saying: “My high-level opinion here is that this a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems.” 

Defending the decision, Google’s engineers have issued a document outlining the pros/cons of the deep linking technology in ScrollToTextFragment and Chromium engineer David Bokan wrote this week that “We discussed this and other issues with our security team and, to summarize, we understand the issue but disagree on the severity so we’re proceeding with allowing this without requiring opt-in.” 

Bokan says the company will work on an opt-out option, but how many will even know ScrollToTextFragment exists? And here lies the nub of it: Google has such power it can be judge and jury to decide what is or isn’t acceptable. So ScrollToTextFragment, with its unresolved privacy concerns and lack of support from other browser makers, is now out there, running in the background of hundreds of millions of Chrome installations. 

Whether you want to be part of that is up to you. 



Someone else may have your videos, Google tells users – Naked Security

As the well-worn internet saying goes – there is no cloud, it’s just someone else’s computer. This week, an unknown number of Google Photos users were alarmed to find that this can turn out to be true in surprisingly personal ways. According to an email sent […]

#comptia | Google searches for coronavirus will now show you safety tips

Searching Google for “coronavirus” will now send users to a curated search results page with resources from the World Health Organization, safety tips, and news updates, Google and the WHO announced today. This effort, which is just one of Google’s SOS Alerts, is now live. Google […]

#cybersecurity | #hackerspace | Google Cloud Identity Pricing – Security Boulevard

Google Cloud Identity is free to some extent, but if interested in the broader features of Google Cloud Identity, it can be quite expensive over time. The post Google Cloud Identity Pricing appeared first on JumpCloud. *** This is a Security Bloggers Network syndicated blog from […]

Malicious Google Play Apps Linked to SideWinder APT


The active attack involving three malicious Android applications is the first exploiting CVE-2019-2215, Trend Micro researchers report.

Researchers have discovered an attack exploiting CVE-2019-2215, which leverages three malicious apps in the Google Play store to compromise a target device and collect users’ data.

This threat is linked to the SideWinder advanced persistent threat (APT) group, report Trend Micro’s Ecular Xu and Joseph Chen in a blog post. Sidewinder, a group detected by Kaspersky Labs in the first quarter of 2018, primarily targets Pakistani military infrastructure and has been active since at least 2012. Security researchers believe the threat group is associated with Indian espionage interests and has a history of targeting both Windows and Android devices.

CVE-2019-2215 was disclosed in October 2019 by Maddie Stone of Google’s Project Zero. The zero-day local privilege escalation vulnerability affected hundreds of millions of Android phones at the time it was published. A patch was released in December 2017 for earlier Android versions; however, new source code review indicated newer versions of the software were vulnerable.

The use-after-free vulnerability is considered “high severity” and requires a target to download a malicious application for potential exploitation. An attacker would have to chain CVE-2019-2215 with another exploit to remotely infect and control a device via the browser or another attack vector. The bug allows for a “full compromise” of a vulnerable device, Stone explained.

While it was “highly likely” the bug was being used in attacks last October, this marks the first known active campaign using it in the wild, Xu and Chen report. This particular vulnerability exists in Binder, the main interprocess communication system that exists in Android, and the three malicious apps used in the attack were disguised as photography and file manager tools.

Android apps Camero, FileCrypt Manager, and callCam are believed to be related to the SideWinder group and have been active on Google Play since March 2019, based on one of the apps’ certificate information. All have since been removed from the Play store.

CallCam is the payload app and is installed in two stages, the researchers explain. First, a DEX file (an Android executable format) is downloaded from the command-and-control server. The downloaded DEX file downloads an APK file and installs it after exploiting the device or employing accessibility. Camero and FileCrypt Manager both act as droppers. After downloading the DEX file from the C2 server, they call extra code to download, install, and launch the callCam app.

Researchers note the C2 servers used are suspected to be part of SideWinder’s infrastructure. Further, a URL linking to one of the apps’ Google Play pages is on one of the C2 servers.

SideWinder relies on device rooting as one of its tactics to deploy callCam without alerting the victim. The malware retrieves a specific exploit from the C2 server depending on the DEX the dropper downloads. This approach only works on Google Pixel (Pixel 2 and Pixel 2 XL), Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F0 (CPH1881), and Redmi 6A devices.

Over the course of its investigation, Trend Micro was able to download five exploits from the C2 server and found they used CVE-2019-2215 and MediaTek-SU to gain root privileges. Once they achieve this, the malware installs callCam, enables accessibility permissions, and launches.

Another approach is using the accessibility permission, a technique used by the FileCrypt Manager on Android phones running Android 1.6 or higher. After launch, FileCrypt asks the user to enable accessibility. When granted, this displays a full-screen overlay that says it requires further setup. In the background, the app is calling code from the DEX file so it can download more apps and install callCam. It enables the accessibility permission and launches the payload.

“All of this happens behind the overlay screen, unbeknownst to the user,” Xu and Chen write.

After launch, the callCam icon is hidden on the target device and collects data in the background to send to the C2 server. This information includes location, battery status, files stored on the device, list of installed apps, account data, Wi-Fi data, and information related to the device, sensor, and camera. It also pulls data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome. CallCam encrypts all of this stolen data using RSA and AES encryption, and uses SHA256 to verify the data’s integrity and customize the encoding routine.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

