Category Archives: Google

Well THAT Didn’t Take Long

Last week Microsoft announced Microsoft Azure Sentinel, a cloud-based Security Information and Event Management (SIEM) system, and a threat hunting and analysis service called Microsoft Threat Experts.

As Ray and I discussed on a recent video, available on YouTube, the best outcome of that announcement is if Google and Amazon make a similar announcement.

Well guess what?

One of those two made an announcement this week at RSA.

Google’s Chronicle Backstory is a direct competitor to Azure Sentinel.  Chronicle is Google’s security arm.

Chronicle says that they have tested Backstory on organizations with up to 500,000 users. For a year, THAT is big data.

Based on work that Google’s Threat Analysis Group used internally, this system is designed to allow a company to store petabytes of data in the Google cloud, analyze it and detect threat patterns.

The tools leverage Google’s VirusTotal, which analyzes millions of malware samples, probably every day, and includes a dashboard called Nirvana.

Google says that you can upload your data –  DNS traffic, Netflow data from your firewalls, endpoint logs, proxy data, etc. and it will be indexed and analyzed.  Google SAYS that your data will remain private, but Google doesn’t have a great track record in that department.  Of course, this is a different Alphabet company, Chronicle, and they will not be ad supported.

One thing that Google did at launch that Microsoft has not done, except vaguely, is announce what they call an Index Partner program – companies that have agreed to integrate with Backstory.  They are demonstrating Carbon Black (an endpoint security product) and their integration with Backstory.  They will be demoing Backstory at booth 2251 at RSA this week.

CAVEAT:  Both of these technologies are young;  neither has announced pricing.

Still this is nothing short of wonderful for the user community.

Maybe Amazon will be next.  Surely, even with Mr. Bezos’ current personal distractions, he didn’t miss this one-two punch.

Stay tuned – closely tuned.  This is good for you and me.

Source: Medium

Facebook 0, Apple 1; Google is Collateral Damage

You would think that in light of all of the negative publicity that Facebook has had, it would rein in some of its badder practices, but maybe they are just daring Congress to regulate them.

Facebook created a VPN product called Onavo Protect.  The public claim was that it was designed to protect your traffic, but in reality, it was a data collection tool since every web site that you visited, every search query you made and every link that you clicked on while using their VPN was visible and captured (and sold) by Facebook.

When the Ka-Ka hit the proverbial rotating air movement device (AKA the sh*t hit the fan) Apple banned the product from the iWorld.

Well Facebook is not easily deterred.

Unlike Android, Apple makes it difficult for developers to bypass the Apple store, in part to protect users and in part so that Apple can control developers.  But, in order to get enterprises to allow employees to use iPhones for work, Apple created an Enterprise signing certificate.  According to the rules, apps signed with those certificates can only be used inside a company.

Facebook decided that those rules did not apply to them and used that enterprise certificate to distribute an app to users age 13 to 35 where Facebook paid users up to $20 a month plus referral fees to install an app called Facebook Research.  Under the hood, it is just Onavo Protect that collects all of a user’s Internet activity so that they can better target that high value demographic.  To hide what they were doing, they offered it through several “beta testing” firms.

After Apple found out about it they REVOKED – aka invalidated – Facebook’s enterprise certificate. Not only did this shut down the Facebook Research app, but it also shut down any iPhone apps that Facebook was using internally to run its business. This gave Apple a huge crowbar to swing at Facebook’s head to get them to change their ways.

As a side note, Google was also doing the same thing (with a product called Screenwise), although not quite so covertly and Apple also revoked their enterprise cert.  Of course, 99% of the people at Google likely use Google or other Android phones, so the impact on Google is likely a lot less than at Facebook.  Google shut down the service before Apple whacked them and apologized.  Facebook did neither of those.

After some behind the scenes begging, no doubt, Apple restored Facebook’s cert after a day and a half.

Facebook is saying that users should trust them.  Some Congress-people are suggesting a new law may be required.  Certainly, they are not doing a great job at building trust.

So what does all this mean to a user?

Since this was targeted, in part, at kids under 18, parents need to educate kids that they should not sell their soul for $20 a month.  Apparently both Facebook and Google think this is a good business model.

It also indicates how much your data is worth.  There were millions of copies installed and if they were paying $20 a month per user plus other perks, that means that the data was worth hundreds of millions of dollars a month to them.

If adults are fine with selling all of their data – every single click that they make online plus all of the data going up and down – for $20 a month, I guess that is okay, but kids are probably not in a position to make an informed decision.

By the way, because of how the software was installed, they would have the ability to see every password, your banking information and your health information, in addition to your surfing habits.

But trust them;  they wouldn’t keep that data.  Or use it.  Or sell it.

Definitely a case of buyer beware.

Information from the post came from Apple Insider, here and here.

25 Android Phones Vulnerable

No big surprise here really, but still disappointing.

Researchers at Def Con last week reported that they had found 47 vulnerabilities in the firmware and default apps of 25 Android phones.

When they talk firmware, I don’t think they really mean firmware.  Rather, they mean the operating system like Android Oreo or Nougat, although it is possible that they mean the software that lives below the operating system and controls things like the radio hardware or camera hardware.  That stuff is buggy too.

The good news is that the bugs are not serious.  All they allow a hacker to do is:

  • Send or receive text messages
  • Take screenshots of whatever you are looking at
  • Record videos of your screen
  • Steal your contacts
  • Install malware and crimeware without your approval
  • Wipe your data

Other than that, not really a big deal.

Just kidding.  Holy cow!  That pretty much means they can do whatever they want.

Part of the problem is those apps that come preinstalled on your phone because the manufacturer or carrier gets paid to put them there. Affectionately, that software is called crapware. Those are the apps that they will not let you remove. But some of them are vulnerable to attack.

Android phone vendors affected include:

  • ZTE
  • Sony
  • Nokia
  • LG
  • Asus
  • and a host of smaller players

This does not mean all models were tested or all models were affected.

IT ALSO DOESN’T MEAN THAT BECAUSE YOUR VENDOR ISN’T LISTED IT IS SAFE.  THE RESEARCHERS ONLY HAD A LIMITED AMOUNT OF TIME AND MONEY.

Part of the problem is that many of the companies that manufacture phones are used to selling washing machines and headphones – stuff that you do not have to patch.  As a result, they are not really culturally ready to deal with a product that releases hundreds of patches a year.

But they need to.

So what should you do?

Some people say “but my phone is not broke, why do I need to get a new one”? That is because, even though it works, after a while, it doesn’t get any patches.  That doesn’t mean that researchers won’t find new security holes for the Chinese to exploit to steal your data and try to get you to pay them to give it back.  In fact, old phones are the most likely to get attacked because they are the least likely to get patched.

BEFORE you buy any phone, look for the manufacturer’s guarantee of patches. For example, Google is about to release the Pixel 3, but they say they will be issuing patches for the Pixel 2 until October 2020 – at least. If the manufacturer is cagey about patches and support, choose a different one. Apple calls their unsupported products “Vintage”, but that is just a cute term for “You are on your own, buddy”. iPhone 4 and older are vintage. Reports indicate that due to less than exciting sales, the iPhone X might see the end of its life as early as this year. That doesn’t mean that they won’t patch it however. They just won’t sell it. The iPhone 5s is the oldest phone that supports iOS 12. Apple does a very nice job of supporting older phones.

See how often your chosen vendor releases software patches.  Google and Apple release patches monthly.  Some vendors don’t ever release patches and others release them quarterly or less frequently.  Long wait for a patch?  Find a different vendor.

It is not just the manufacturer you have to worry about, but also all of the apps that you have installed. Fewer apps is better. Maybe not as much fun, but definitely more secure. Uninstall anything you are not using any more. Really.

I know this is a pain in the tush, but, sorry, you just have to deal with it.  iPhones and Google Pixel phones are definitely the best when it comes to timely patches.

Remember that all it takes to get infected is to receive a well-crafted malicious email (you don’t have to click on anything), receive a malicious text or visit a malicious web site. NO. CLICKING. REQUIRED!

Don’t say I didn’t warn you.

Information for this post came from Bleeping Computer.

Google to Add GMail Features – Maybe – For A Fee?

Google has an interesting strategy. Build prototypes of products. Show them or leak them. See if anyone cares. Kill them if it doesn’t work out – there are lots of examples. After many users are already using them.

One other thing that they do is attempt to lock users into the Google ecosystem.  Of course.

TechCrunch is reporting that Google is working on a self-destructing email (like Snapchat for email?). But it only works if both users are on GMail and only if both users use the web client for GMail. Sounds a bit limiting. If one user is not using the GMail web client, they get a link instead that takes them to the web.

They may also be adding a feature to stop printing and stop forwarding.

Again, if they do, it will only work for GMail on both ends and only with the GMail web client.

Information for this post came from The Register.

So what does this mean?

Well first, what seems to be missing is end to end encryption, which seems like a pretty important feature.  

But encryption stops them from reading your email and doing things that they like to do.  They don’t read your emails to target ads – they have better ways to target ads – but they do read them for other features.

Next, the speculation is that this will only be available under the paid GMail model (GMail for business).  The paid version costs either $10 or $25 a month per user.  At that price there are competitors.

As of last year, Google said that they had 3 million paying users.  Microsoft says that they have 60 million paying Office 365 users and adding 50,000 customers (not mailboxes) a month.  Google never wants to play second fiddle.

It is certainly possible that they will give it away for free, but given that they are so far behind Microsoft, maybe not. With GDPR taking effect in the European Union next month and other countries, not including the U.S., following the EU lead, maybe ad revenue might be less predictable going forward. Millions of monthly paying customers might be nice.

If you are looking for a free answer for secure email, Proton mail is a good choice.  They also have a paid version with more features, but the free version is pretty good.

Office 365 has nice security features at well below $25 a month.  Microsoft has said that they are about to roll out end to end encryption for all paid Office 365 users at all levels.

The bottom line is that if you are looking for a secure email solution there are some decisions to make.  To me, Google’s solution is not so great.

 

Chrome to Mark All HTTP Sites as Not Secure in July

For those companies that haven’t installed HTTPS certificates on their web site because, you know, why bother – Google has just upped the ante a bit.

Starting in July, the Chrome browser will mark all websites that do not use HTTPS by default as NOT SECURE.

It used to be that HTTPS certificates were expensive and complicated, but that has gotten a lot simpler and a lot cheaper in the last few years.

Chrome, which leads the way in market share with about 60% of the market, is often the bellwether for other browser makers to follow.

Additionally, even currently, sites that are not HTTPS get their Google search engine page rank lowered, so they appear further down in the Google listings than other sites.

While they have not said this, if history is any indicator, the next move after this release will be to issue a warning to users saying the site they are about to visit is not secure and do you really want to proceed.  They will have to click on a box to get the browser to display the web page.

Our recommendation is that if you have not already made your site AUTOMATICALLY use HTTPS, now is the time to get that done.

Information for this post came from Google’s Blog.

Google Creates New Security Center for G-Suite Enterprise Customers

Google is trying to keep up with the Joneses (AKA Microsoft) and is building some security tools for its enterprise customers. Microsoft is way ahead in this area and if Google wants to compete in the enterprise space it needs to offer enterprise class tools.

First of all, this only is available to G-Suite Enterprise customers.  Most Google users use the free version.  Above that is Basic at $5 per user per month, then Business at $10 and finally Enterprise at $25.  So this capability is only available to a small percentage of Google customers.

Still, those customers are the ones with the best revenue per customer and Google is losing some of them back to Microsoft.

For enterprise customers, this is a great addition.

For some customers, this may be motivation to upgrade to the next level of pricing plan.

The first piece of the security center is a dashboard that gives admins a view of their overall security posture.  It gives those admins a view across products like GMail, Google Drive and others.

The second feature gives the admin an overview of the company’s cyber security settings and makes recommendations for improving security.

Google’s plan is to continue to enhance the dashboard so that it will have more features and functionality.

This is a smart move on Google’s part.  Hopefully, they will give Business class users access to this.  It may be that they are testing it on enterprise customers to tune it or maybe they will create a stripped down version for Business customers.  Clearly, this is a useful tool.

If you are a Google Enterprise customer, you should check this out.

 

Information for this post came from TechCrunch.
