Category Archives: Google

Google to Test Replacement for Third Party Cookies

First, what are cookies? For those who don’t know, they are small text files, often encrypted, placed on your phone or computer by web sites so that they can track your actions. Cookies come in two flavors. FIRST PARTY cookies are cookies placed on your device by the website that you are visiting. THIRD PARTY cookies are those cookies put on your device by others, trying to track your broader activities across websites.

While first party cookies are usually used to track what you are doing on the web site you are visiting, tracking your “state” on that site, third party cookies are used to track you as you move from site to site.

Many browsers are completely blocking third party cookies, making this method of tracking you less effective. Many users have installed blocking software like Ad Block Plus which also blocks many cookies.

Some companies are using first party cookies in a covert manner to replace third party cookies. In this case, let's say you are visiting XYZ.Com. XYZ sets up a subdomain called, let's say, TRACKME.XYZ.Com and lets the tracking company control what is in there. If a lot of companies do the same thing then these covert first party subdomains work in the same manner to track your actions. One company detected 6,000 web sites doing this.
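To make the subdomain trick concrete, here is an added example (not from the original post or from any vendor) that audits a site's DNS data for subdomains handed to an outside party and shows which first party cookies a browser would send to them. It assumes the delegation is done with a DNS CNAME record, which the post does not specify; the record targets, cookie names and the `reviewed` allowlist are constructed for illustration.

```python
# Added example: all hostnames, DNS records and cookies below are constructed.

def registrable(host):
    """Naive registrable domain (last two labels).
    Assumption: good enough for xyz.com; real tooling should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_delegated(site, cname_records, reviewed=()):
    """Hostnames under `site` whose CNAME target lives under someone else's domain."""
    own = registrable(site)
    return [
        (host, target)
        for host, target in cname_records
        if registrable(host) == own
        and registrable(target) != own
        and host.lower() not in reviewed
    ]

def domain_match(host, cookie_domain):
    """RFC 6265 domain matching: exact host or a subdomain of the cookie's Domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookies_sent_to(host, cookies):
    """Names of cookies a browser would attach to a request for `host`.
    Each cookie is (name, Domain attribute or None, host that set it)."""
    sent = []
    for name, domain_attr, set_by in cookies:
        if domain_attr is None:          # host-only cookie: exact host match only
            if host.lower() == set_by.lower():
                sent.append(name)
        elif domain_match(host, domain_attr):
            sent.append(name)
    return sent

SITE = "xyz.com"
CNAME_RECORDS = [  # constructed sample zone data
    ("www.xyz.com", "web.xyz.com"),
    ("trackme.xyz.com", "collector.tracker.example"),
    ("status.xyz.com", "pages.statushost.example"),
]
REVIEWED = {"status.xyz.com"}  # delegations the site owner has already vetted
COOKIES = [  # constructed: (name, Domain attribute, setting host)
    ("session", "xyz.com", "www.xyz.com"),   # scoped to the whole domain
    ("prefs", None, "www.xyz.com"),          # host-only
]

if __name__ == "__main__":
    for host, target in find_delegated(SITE, CNAME_RECORDS, REVIEWED):
        print(f"{host} -> {target}; receives cookies: {cookies_sent_to(host, COOKIES)}")
```

A cookie scoped to the whole domain reaches the delegated subdomain, while a host-only cookie does not, which is why site owners should review both their DNS delegations and the Domain attribute on sensitive cookies.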

Since Google needs to protect its ad revenue, it is trying to come up with a replacement for third party cookies that will satisfy at least some privacy folks.

FLoC, or Federated Learning of Cohorts, is a technique that Google is about to test. Instead of tracking your individual actions, it categorizes your activities and puts you in a FLoC cohort. Each cohort has an ID and advertisers can pay to show their ads to a particular cohort. Since cohorts have similar surfing patterns, maybe they have similar buying habits.

Of course, this is far from perfect and there are concerns that people could wind up being put in cohorts based on, say, race or sexual orientation, since it is possible that those characteristics could have similar browsing habits.

At this point even Google doesn’t know if this will work, but you are soon to become a guinea pig, whether you know it or not.

The EFF is not fond of the idea, saying that websites might uniquely fingerprint FLoC users to better target ads.

Personally, I think the whole thing is a losing battle. I visit hundreds of websites a week and I cannot recall the last time I clicked on any ad. Still, it must work to some degree as companies continue to buy these ads. Credit: The Hacker News

U.S. v. Google – Let the Games Begin!

In a fight the likes of which we have not seen since the battle between Microsoft and the DoJ that ended around 20 years ago, the Justice Department sued Google this week, accusing it of using its market dominance to hobble its rivals.

Just to be clear from the beginning, I am not a huge fan of Google’s actions and I think its motto of do no evil is probably a bit tarnished at best.

Like the Microsoft case, which distracted the company for close to a decade, this fight is likely to go on for a long time. And be at least equally distracting.

The downside for Google, which is likely pretty clear to them, is that the government can literally print money to fight this battle and Google has to use its investors’ cash for its defense. Also, the government probably doesn’t care much if the case takes a decade to resolve. Google, on the other hand, probably does not want to be burdened by a decade of litigation by a legal team that has unlimited resources.

What we don’t know is what might happen if there is a change in teams in Washington in January. It may not make any difference.

The DoJ and the Attorneys General of 11 states say that Google used its monopoly power to crush competitors in the search and search advertising business.

While Facebook does have a very thriving advertising business, most other competitors have withered.

And, when it comes to search, Google has become a verb, as in “go Google it”. That cannot be a factor in their favor.

The Government says that Google has 90% of all general search engine traffic in the U.S. and 95% of all mobile search.

When asked if DoJ wants to break up Google, the attorneys said that they will leave that up to the court. Fat chance; it is just that this is not the time to show your hand.

Justice says that Americans have been hurt by having less choice, less innovation and less competitive pricing.

Not surprisingly, Google said nah!, that’s not true. What else might they say?

There is some truth to the suggestion that Google or Alphabet, Google’s parent, is incredibly intertwined with hundreds of entities and would be ridiculously hard to unwind. A few hundred billion dollars in cash (to fund competitors) as a penalty is a possible alternative.

Given that this was done a couple of weeks before a Presidential election, it could be seen as a political move and probably Bill Barr did push for the filing to occur before the election since Trump has, on many occasions, threatened to crack down on tech companies that he sees as his enemies. Still, it is HIGHLY unlikely that DoJ filed this lawsuit if it didn’t think it had a reasonable chance of getting something out of it.

The 11 AGs that joined the suit are all Republicans. That doesn’t mean that the Democratic AGs love Google. It may mean that they want to file their own competing lawsuit. All this is great news for law firms. There will be hundreds of thousands of billable hours. Credit: Reuters

The Cloud is NOT Disasterproof – Are You?

Over the weekend, Google suffered an outage that lasted about 4 hours. (See Google Appstatus Dashboard)

The good news is that the outage happened on a Sunday afternoon because that reduced the impact of the outage.   Next time it could happen on a Monday morning instead.

The outage took down virtually every Google service at some point during the outage.

But worse than that, it took down all of those companies that depended on one Google service or another.  Examples include Snapchat, Shopify, Discord and even a number of Apple services went down because Apple is not in the data center business.  iCloud mail and drive and iMessage were all affected.

This is not to beat up on Google.  Both Amazon and  Microsoft have had similar meltdowns and so have much smaller providers.

And they will again.  Human beings design computers, build computers and operate them.  And, after all, humans are, well, just human.

One more time, this is a lesson for users of cloud services.  

Maybe you can deal with a 4 hour outage on a Sunday.

But can you deal with an 8 hour or 24 hour outage on a Wednesday (like Microsoft had recently)?

What is the cost in lost productivity when users can’t get to their email or their office documents?

What is the impact to your customers if they can’t get to your service?  Will they move to a competitor?  And stay there?

I am not proposing any solution. What I am proposing is that you consider what the impact is of an outage like this. Impact on both YOU and also on your CUSTOMER.

Then you need to consider what the business risk is of an inevitable outage and what your business continuity plan is. Will your BC plan sufficiently mitigate the risk to a level that is acceptable to your company?

Finally, you need to look at your Vendor Cyber Risk Management program.  

Apple’s systems went down on Sunday NOT due to anything Apple did, but rather something their vendor (Google) did.

At this point Google has not said what happened, but they said they will provide an after action report soon.  But, remember, this is not, ultimately, a Google problem, but rather a problem with cloud consolidation.  When there are only a handful of cloud providers hosting everything (3 tier one providers — Google, Microsoft and Amazon) and a slightly larger handful of tier two providers, if one of them burps, a lot of companies get indigestion.

Source: Vice 

 

Well THAT Didn’t Take Long

Last week Microsoft announced Microsoft Azure Sentinel, a cloud based Security Information and Event Management System (SIEM), and a Threat Hunting and Analysis Service called Microsoft Threat Experts.

As Ray and I discussed on a recent video, available on Youtube, the best outcome of that announcement is if Google and Amazon make a similar announcement.

Well guess what?

One of those two made an announcement this week at RSA.

Google’s Chronicle Backstory is a direct competitor to Azure Sentinel.  Chronicle is Google’s security arm.

Chronicle says that they have tested Backstory on organizations with up to 500,000 users. For a year, THAT is big data.

Based on work that Google’s Threat Analysis Group used internally, this system is designed to allow a company to store petabytes of data in the Google cloud, analyze it and detect threat patterns.

The tools leverage Google’s VirusTotal, which analyzes millions of malware samples, probably every day, and include a dashboard called Nirvana.

Google says that you can upload your data –  DNS traffic, Netflow data from your firewalls, endpoint logs, proxy data, etc. and it will be indexed and analyzed.  Google SAYS that your data will remain private, but Google doesn’t have a great track record in that department.  Of course, this is a different Alphabet company, Chronicle, and they will not be ad supported.

One thing that Google did at launch that Microsoft has not done, except vaguely, is announce what they call an Index Partner program – companies that have agreed to integrate with Backstory.  They are demonstrating Carbon Black (an endpoint security product) and their integration with Backstory.  They will be demoing Backstory at booth 2251 at RSA this week.

CAVEAT:  Both of these technologies are young;  neither has announced pricing.

Still this is nothing short of wonderful for the user community.

Maybe Amazon will be next.  Surely, even with Mr. Bezos’ current personal distractions, he didn’t miss this one-two punch.

Stay tuned – closely tuned.  This is good for you and me.

Source: Medium

Facebook 0, Apple 1; Google is Collateral Damage

You would think that in light of all of the negative publicity that Facebook has had, it would rein in some of its badder practices, but maybe they are just daring Congress to regulate them.

Facebook created a VPN product called Onavo Protect.  The public claim was that it was designed to protect your traffic, but in reality, it was a data collection tool since every web site that you visited, every search query you made and every link that you clicked on while using their VPN was visible and captured (and sold) by Facebook.

When the Ka-Ka hit the proverbial rotating air movement device (AKA the sh*t hit the fan) Apple banned the product from the iWorld.

Well Facebook is not easily deterred.

Unlike Android, Apple makes it difficult for developers to bypass the Apple store, in part to protect users and in part so that Apple can control developers.  But, in order to get enterprises to allow employees to use iPhones for work, Apple created an Enterprise signing certificate.  According to the rules, apps signed with those certificates can only be used inside a company.

Facebook decided that those rules did not apply to them and used that enterprise certificate to distribute an app to users age 13 to 35 where Facebook paid users up to $20 a month plus referral fees to install an app called Facebook Research.  Under the hood, it is just Onavo Protect that collects all of a user’s Internet activity so that they can better target that high value demographic.  To hide what they were doing, they offered it through several “beta testing” firms.

After Apple found out about it they REVOKED – aka invalidated – Facebook’s enterprise certificate. Not only did this shut down the Facebook Research app, but it also shut down any iPhone apps that Facebook was using internally to run its business. This gave Apple a huge crowbar to swing at Facebook’s head to get them to change their ways.

As a side note, Google was also doing the same thing (with a product called Screenwise), although not quite so covertly and Apple also revoked their enterprise cert.  Of course, 99% of the people at Google likely use Google or other Android phones, so the impact on Google is likely a lot less than at Facebook.  Google shut down the service before Apple whacked them and apologized.  Facebook did neither of those.

After some behind the scenes begging, no doubt, Apple restored Facebook’s cert after a day and a half.

Facebook is saying that users should trust them.  Some Congress-people are suggesting a new law may be required.  Certainly, they are not doing a great job at building trust.

So what does all this mean to a user?

Since this was targeted, in part, at kids under 18, parents need to educate kids that they should not sell their soul for $20 a month.  Apparently both Facebook and Google think this is a good business model.

It also indicates how much your data is worth.  There were millions of copies installed and if they were paying $20 a month per user plus other perks, that means that the data was worth hundreds of millions of dollars a month to them.

If adults think that selling all of their data – every single click that they make online plus all of the data going up and down – for $20 a month is worthwhile, I guess that is okay, but kids are probably not in a position to make an informed decision.

By the way, because of how the software was installed, they would have the ability to see every password, your banking information and your health information, in addition to your surfing habits.

But trust them;  they wouldn’t keep that data.  Or use it.  Or sell it.

Definitely a case of buyer beware.

Information for this post came from Apple Insider.

25 Android Phones Vulnerable

No big surprise here really, but still disappointing.

Researchers at Def Con last week reported that they had found 47 vulnerabilities in the firmware and default apps of 25 Android phones.

When they talk firmware, I don’t think they really mean firmware.  Rather, they mean the operating system like Android Oreo or Nougat, although it is possible that they mean the software that lives below the operating system and controls things like the radio hardware or camera hardware.  That stuff is buggy too.

The good news is that the bugs are not serious.  All they allow a hacker to do is:

  • Send or receive text messages
  • Take screenshots of whatever you are looking at
  • Record videos of your screen
  • Steal your contacts
  • Install malware and crimeware without your approval
  • Wipe your data

Other than that, not really a big deal.

Just kidding.  Holy cow!  That pretty much means they can do whatever they want.

Part of the problem is those apps that come preinstalled on your phone because the manufacturer or carrier gets paid to put them there. Affectionately, that software is called crapware. Those are the apps that they will not let you remove. But some of them are vulnerable to attack.

Android phone vendors affected include:

  • ZTE
  • Sony
  • Nokia
  • LG
  • Asus
  • and a host of smaller players

This does not mean all models were tested or all models were affected.

IT ALSO DOESN’T MEAN THAT BECAUSE YOUR VENDOR ISN’T LISTED IT IS SAFE.  THE RESEARCHERS ONLY HAD A LIMITED AMOUNT OF TIME AND MONEY.

Part of the problem is that many of the companies that manufacture phones are used to selling washing machines and headphones – stuff that you do not have to patch.  As a result, they are not really culturally ready to deal with a product that releases hundreds of patches a year.

But they need to.

So what should you do?

Some people say “but my phone is not broke, why do I need to get a new one?” That is because, even though it works, after a while, it doesn’t get any patches. That doesn’t mean that researchers won’t find new security holes for the Chinese to exploit to steal your data and try to get you to pay them to give it back. In fact, old phones are the most likely to get attacked because they are the least likely to get patched.

BEFORE you buy any phone, look for the manufacturer’s guarantee of patches. For example, Google is about to release the Pixel 3, but they say they will be issuing patches for the Pixel 2 until October 2020 – at least. If the manufacturer is cagey about patches and support, choose a different one. Apple calls their unsupported products “Vintage”, but that is just a cute term for “You are on your own, buddy”. iPhone 4 and older are vintage. Reports indicate that due to less than exciting sales, the iPhone X might see the end of its life as early as this year. That doesn’t mean that they won’t patch it however. They just won’t sell it. The iPhone 5s is the oldest phone that supports iOS 12. Apple does a very nice job of supporting older phones.

See how often your chosen vendor releases software patches.  Google and Apple release patches monthly.  Some vendors don’t ever release patches and others release them quarterly or less frequently.  Long wait for a patch?  Find a different vendor.

It is not just the manufacturer you have to worry about, but also all of the apps that you have installed. Fewer apps is better. Maybe not as much fun, but definitely more secure. Uninstall anything you are not using any more. Really.

I know this is a pain in the tush, but, sorry, you just have to deal with it.  iPhones and Google Pixel phones are definitely the best when it comes to timely patches.

Remember that all it takes to get infected is to receive a well crafted malicious email (you don’t have to click on anything), a malicious text or visit a malicious web site.  NO. CLICKING. REQUIRED!

Don’t say I didn’t warn you.

Information for this post came from Bleeping Computer.