Tag Archives: google

Google accounts hit with malware — a million and growing

86 apps available in third-party marketplaces can root 74 percent of Android phones.

More than a million Google accounts have been hit by malicious software, a security firm said on Wednesday.

Check Point said in a blog post that the attack campaign, known as Gooligan, is expanding to an additional 13,000 devices a day. It’s malware that infects devices and steals their authentication tokens to breach data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and other programs.

The malware attack is said to be the biggest single theft of Google accounts on record, according to Forbes. But the reason for the attack may not be what you’d expect. It’s not to grab personal information from the accounts of Google users. Instead, it’s to force them to download apps that are part of an advertising fraud scheme that makes up to $320,000 a month, Michael Shaulov, head of mobile and cloud security at Check Point, told Forbes.

Google responded to a request for comment with a link to its blog post about the attack. In the post, Google said it has found no evidence that Gooligan has accessed user data or that specific groups of people have been targeted. “The motivation…is to promote apps, not steal information,” Google said.

The episode comes at a time when cyber attacks have been a high profile problem, hitting everyone from internet giants to the Democratic National Committee. In September, Yahoo suffered what is believed to be the biggest cyber attack in history, in which hackers swiped information from more than half a billion accounts. And in July, the White House said it believed Russia was behind hacks of the DNC.

Gooligan belongs to a family of malware called Ghost Push. It features a Trojan horse type of attack, in which the malicious software poses as legitimate apps for Android smartphones and tablets. Names of the malicious apps include StopWatch, Perfect Cleaner and WiFi Enhancer, according to The Wall Street Journal. Once installed, these apps automatically install other apps, some of which can steal usernames and passwords to post fake reviews.

Those downloads and reviews apparently feed into the hackers’ ad fraud scheme. The hackers have run ads in those forcibly downloaded apps, so every click or download helps the hackers make money, Forbes reported.

Check Point said Gooligan is a variant of an Android malware campaign found by researchers in the SnapPea app last year.

The Gooligan apps come from third-party app stores or websites, instead of the Google Play store, where the company has more authority over apps. But Check Point said some apps that Gooligan downloads without permission can be found on the Play store.

Google said it has removed those apps from the Play store.

People who are worried that their Google accounts may be compromised can consult the Check Point website.

Pokémon GO: Safe to Download or Not?

The newest game craze to sweep the nation is Pokémon GO. The popular game, created by Silicon Valley’s Niantic Labs, uses your phone’s GPS to detect where you are and make the Pokémon characters appear on your phone’s screen. As you move, you encounter more characters. Of course, this is all secondhand, as I have chosen not to download and play.

No, I am not a hater on latest trends. Actually, I love the idea of an augmented reality game that gets users out and about on a hunt; it’s a very cool concept. However, there are some issues with the download.

Those who chose to download the game via Google on an iPhone gave the creators at Niantic full and total access to their Google accounts. This allowed the developers access to users’ Google photos, e-mail, browser history, map history and more. Yikes!

Niantic released a statement Monday stating they are currently working on a fix:
“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”
It appears that Niantic used an outdated version of Google’s shared sign-on service. This approach uses credentials that already exist on your phone, so the user does not have to create another online account, saving time. However, this method should ask the user what permissions they want to grant the app, which Niantic did not do. Since they used an outdated and unsupported version of the sign-on, that permission-granting step was completely left out, leaving Niantic full access to the users’ accounts.

It is hard to believe that the creators would do anything harmful with users’ information that could ruin their reputation, as stock for Nintendo is growing exponentially. However, users may want to beware for the time being.

Is It Time to Join the Cloud?

Wondering if joining the cloud is the right move for your company? It’s a question that many CTOs have considered recently, as the advantages of cloud computing are frequently heralded as the next evolution of managing an IT infrastructure. Moving your IT infrastructure to a cloud could save your company money on hardware and software costs, save time by providing maintenance and management for your data, and save resources by eliminating the needs and requirements for equipment storage.

However, any shift from the norm is met with some fair amount of healthy skepticism. And no company should hastily make the switch to cloud computing without first examining the disadvantages as well as the advantages. The reality is there is no one-size-fits-all answer when it comes to cloud computing and ultimately the decision must be made by examining the needs and operational requirements of each company and comparing these to the available cloud computing services.

Understanding the benefits of cloud computing first comes by examining the three different levels of service that cloud computing can provide: infrastructure-as-a-service, platform-as-a-service and software-as-a-service.

Infrastructure-as-a-service, also known as hardware as a service, uses virtual machines to connect to a partitioned space on the cloud servers. The local computers connect via the Internet to the cloud server that does all the heavy lifting. The obvious benefit here is that it eliminates the cost of an in-house infrastructure – companies do not need to invest in capital expenditures like servers, data center space, and network equipment to get up and running. You can still use your own software, but it is all run on the cloud instead of your local computers. This is a great option for small, startup companies because they can immediately have access to an enterprise-grade infrastructure for a fixed monthly fee. Some vendors of hardware as a service include Rackspace, SunGard, Cloudscaling, Amazon, Google and IBM.

The next level of cloud computing is platform-as-a-service. This option provides you with a development platform where you can develop software applications for the web. The cloud provider takes care of handling the loading for you and ensures your applications are elastic with the number of users. Think of Facebook as an example of a platform as a service provider. Third-party developers can write new applications that Facebook makes available on their social application platform. Google also provides APIs to developers to build web applications. This service is useful for software development companies because the cloud provider facilitates the development of applications without the cost and complexity of buying and managing the underlying hardware and software provision hosting capabilities. You have all the facilities required to complete the development life cycle, from development, to testing, to deployment, to hosting, to maintenance in the same integrated development environment. This is a useful solution for companies that want to focus exclusively on software development because it relieves their platform woes. For companies that already use a platform internally, the platform-as-a-service advantage is that the cloud platforms are designed to scale linearly. Cloud development platforms have guidelines that help the application scale to accommodate any number of users. SalesForce.com’s Force.com is an example of a platform as a service vendor.

The highest level of cloud computing is software-as-a-service, also called software on demand. Here, companies simply use software on a cloud rather than buy it, license it, upgrade it, and patch it on their local machines. Anyone using a service like Yahoo Mail or Google Docs is already using software as a service cloud computing. This is the most popular form of cloud computing because it is highly flexible and minimizes the maintenance of software. This service is best suited for companies that are not specifically in the technology business and simply need their software to be available and require little maintenance. Even companies who already have their own software should look into using software-as-a-service if they spend a lot of time on the maintenance of in-house software. There are many providers of software-as-a-service, including Amazon, Microsoft and Google.

Now, while many of these cloud computing services sound beneficial, there are still some disadvantages to take into account before jumping into a cloud. Keep in mind that all of these services require an Internet connection. If your connection goes out, you won’t be able to connect to the cloud and use the hardware, platform, and/or software that your company requires to operate. In this case, companies may want to still invest in some local infrastructure so operations do not come to a crashing halt.

Another concern is that some companies are apprehensive about turning all their data over to a third party (not to mention, it can be a chore to migrate massive amounts of data to a cloud). How can they be sure their data is protected? What if the cloud server is hacked? While these questions should be investigated, remember that cloud computing services live and die by their reputations, so information assurance is a high priority for all of them.

These fears of cloud computing stem from the fact that your company is at the mercy of a third party. There is a loss of control and it is not as predictable as having a local infrastructure. If something goes wrong, you have to depend on your cloud provider to respond, and troubleshooting can be very complicated. Many companies are still reluctant to give up control over their data.

But with these warnings in mind, cloud computing has many general advantages that all companies can appreciate. Company data is backed up and secured by your cloud provider. Less equipment and hardware saves space and reduces electricity costs. Users have access to the same data and software no matter how geographically diverse. With less time spent on “keeping the lights on” with in-house maintenance, CTOs can better spend their time and resources on future growth. And with a fixed cost structure for the service, you can better allocate your IT budget.

Companies may want to consider first testing the waters by using an existing cloud offering as an extension of their in-house architecture. Then, if the company is comfortable with the service, they can move new projects to cloud-based services. Finally, the company can migrate their existing applications to the cloud if the cloud is reliable and it makes sense economically.

In the end, it is up to each individual CTO to determine if the advantages of cloud computing make sense for their company. This can only be determined with a thorough assessment of the costs and requirements of their technology needs and comparing it to the costs and risks of a cloud computing service. While it may be economical for some companies, it may not be for others. But for every company, it is at least worth the time and effort to look into.

Google CEO Sides With Apple And Tim Cook, Opposes FBI’s Demand For iPhone Backdoor

Google’s CEO Sundar Pichai has joined a number of other high-profile individuals in expressing his opinions on the FBI’s request for Apple to provide backdoor access to an iPhone 5c that forms part of the San Bernardino shooting case. A federal judge has ruled that Apple must indeed assist law enforcement in granting access to a seized iPhone 5c that belonged to one of the shooters accused of killing 14 individuals in California. Commenting on the situation via social media, Sundar Pichai called it a “troubling precedent”.

If you weren’t privy to the whole situation, then it’s probably worth noting that Apple’s CEO Tim Cook almost instantly responded to the ruling with a public and open message to Apple’s customers. In addition to providing a little insight into the ruling and how it came about, Cook also took the opportunity to inform the customers that Apple would be contesting the ruling, claiming that the FBI essentially wants Apple’s engineers to create a new version of iOS that comes with the ability to circumvent very specific security features (read: backdoor access). Cook clearly doesn’t want to have to build in a backdoor to the iPhone or iPad.



Google’s CEO didn’t instantly get involved in the situation, but has since posted a series of tweets which show that he sides with Tim Cook and Apple as a whole. Most notably, Pichai’s five tweets on the predicament claimed Apple’s acceptance of the ruling, if that was indeed the company’s stance, “could compromise a user’s privacy”. He also stated publicly that acceptance of a ruling to provide access to data based on valid legal order is “wholly different than requiring companies to enable hacking of customer devices & data”. It’s difficult to disagree with those views.

Of course, not everyone weighing in with an opinion on the San Bernardino iPhone situation is fully accepting of Apple’s stance on the ruling. Republican candidate, and general worldwide laughing stock, Donald Trump, predictably doesn’t agree with Tim Cook’s decision to resist the order, stating that he agrees “100 percent with the courts” and asking of Apple, “Who do they think they are?”.

We’re pretty sure that the public backing of a fellow CEO in the position of Pichai carries a whole lot more importance than the negativity of Mr. Trump.


Password cracking attacks on Bitcoin wallets net $103,000

Hackers have siphoned about $103,000 out of Bitcoin accounts that were protected with an alternative security measure, according to research that tracked six years’ worth of transactions. Account-holders used easy-to-remember passwords to protect their accounts instead of the long cryptographic keys normally required.

The heists were carried out against almost 900 accounts where the owners used passwords to generate the private encryption keys required to withdraw funds. In many cases, the vulnerable accounts were drained within minutes or seconds of going live. The electronic wallets were popularly known as “brain wallets” because, the thinking went, Bitcoin funds were stored in users’ minds through memorization of a password rather than a 64-character private key that had to be written on paper or stored digitally. For years, brain wallets were promoted as a safer and more user-friendly way to secure Bitcoins and other digital currencies, although Gregory Maxwell, Gavin Andresen, and many other Bitcoin experts had long warned that they were a bad idea.

The security concerns were finally proven once and for all last August when Ryan Castellucci, a researcher with security firm White Ops, presented research at the Defcon hacker convention that showed how easy it was to attack brain wallets at scale. Brain wallets used no cryptographic salt and passed plaintext passwords through a single hash iteration (in this case, the SHA256 function), a shortcoming that made it possible for attackers to crack large numbers of brain wallet passwords at once. Worse, a form of the insecurely hashed passwords is stored in the Bitcoin blockchain, providing all the material needed to compromise the accounts.

By contrast, Google, Facebook, and virtually all other security-conscious services protect passwords by storing them in cryptographic form that’s been passed through a hash function, typically tens of thousands of times or more, a process known as key stretching that greatly increases the time and resources required by crackers. The services also use cryptographic salt, a measure that requires each hash to be processed separately to prevent the kind of mass cracking Castellucci did. Security-conscious services also go to great lengths to keep password hashes confidential, a secrecy that’s not possible with Bitcoin because of the transparency provided by the blockchain.
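The contrast drawn above, as an added example that is not from the original article or the research it cites: an unsalted, single-iteration SHA-256 next to a salted, iterated hash, here PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, the sample password and the account and candidate counts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: illustrative work factor, not a figure from the article.
PBKDF2_ITERATIONS = 100_000


def single_sha256(password: str) -> bytes:
    """Unsalted, single-iteration SHA-256: the weak construction described above."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def stretched_hash(password: str, salt: Optional[bytes] = None,
                   iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (key stretching). Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes,
           iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = stretched_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def hash_ops_to_test(candidates: int, accounts: int, salted: bool,
                     iterations: int = 1) -> int:
    """Hash invocations needed to try every candidate against every account.

    Without a salt, each candidate is hashed once and the result is compared
    against all accounts; with per-account salts the work repeats per account.
    """
    return candidates * iterations * (accounts if salted else 1)


def demo() -> dict:
    # Constructed sample: two accounts that happen to choose the same password.
    password = "correct horse battery staple"
    salt_a, strong_a = stretched_hash(password)
    _salt_b, strong_b = stretched_hash(password)
    return {
        "weak_outputs_identical": single_sha256(password) == single_sha256(password),
        "salted_outputs_identical": strong_a == strong_b,
        "verify_ok": verify(password, salt_a, strong_a),
        "verify_wrong_password": verify("wrong guess", salt_a, strong_a),
        # Constructed sizes: 1,000,000 candidates against 1,000 accounts.
        "unsalted_ops": hash_ops_to_test(1_000_000, 1_000, salted=False),
        "salted_ops": hash_ops_to_test(1_000_000, 1_000, salted=True,
                                       iterations=PBKDF2_ITERATIONS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With identical unsalted outputs, one precomputed table covers every account at once; the salted, stretched form multiplies the work by both the iteration count and the number of accounts.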

Brain drain

According to a recently published research paper, the brain wallet vulnerability was known widely enough to have been regularly exploited by real attackers going after real accounts. Over a six-year span that ended last August, attackers used the cracking technique to drain 884 brain wallet accounts of 1,806 bitcoins. Based on the value of each coin at the time the theft took place, the value of the purloined coins was $103,000.

“Our results reveal the existence of an active attacker community that rapidly steals funds from vulnerable brain wallets in nearly all cases we identify,” the paper authors wrote. “In total, approximately $100K worth of bitcoin has been loaded into brain wallets, with the ten most valuable wallets accounting for over three-quarters of the total value. Many brain wallets are drained within minutes, and while those storing larger values are emptied faster, nearly all wallets are drained within 24 hours.”

The paper, titled “The Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets,” is scheduled to be presented later this month at the Financial Cryptography and Data Security 2016 conference. Its publication comes about six months after Brainwallet.org, the most widely used Bitcoin-based brain wallet service, permanently ceased operations. The service voluntarily shut down following the Defcon presentation by Castellucci, who is one of the authors of the most recent paper.

To identify brain wallets and then crack them, the research team compiled 300 billion password candidates taken from more than 20 lists, including the Urban Dictionary, the English language Wikipedia, the seminal plaintext password leak from the RockYou gaming website, and other large online compromises. By collecting words and entire phrases from a wide body of sources, the researchers employed a technique Ars covered in 2013 that allowed them to crack words and phrases many people would have considered to be strong passwords. Cracked passphrases included “say hello to my little friend,” “yohohoandabottleofrum,” and “dudewheresmycar.”

The researchers ran each password candidate through the SHA256 function to derive a list of potential private keys for Bitcoin addresses used by brain wallets. They then used a cryptographic operation based on elliptic curves to find the public key corresponding to each potential private key. Since the Bitcoin blockchain contains the public key of every account wallet, it was easy to know when a password guess was used by a real Bitcoin user.

The paper reported that vulnerable accounts were often drained within minutes of going live, and in an interview, Castellucci said that some accounts were liquidated in seconds. Castellucci said he suspects the speed was the result of attackers who used large precomputed tables containing millions or billions of potential passwords. While many of the attackers who drained vulnerable accounts earned paltry sums for their work, the top four drainers netted a total of about $35,000 among them. Meanwhile, the drainer who emptied the most brain wallets—about 100 in all—made $3,219.

The thefts were often chronicled in online forums, where participants would report that their Bitcoin wallets had mysteriously been emptied. For a while, people assuming the role of a digital Robin Hood claimed to crack vulnerable wallets, drain them of their contents, and then wait for the victim to publicly complain of the theft on Reddit or various bitcoin forums. The Robin Hood and Little John hackers would then claim to return the funds once the victim proved control of the compromised private key.

While plenty of people publicly warned of the risks of brain wallets over the years, the vulnerability was often dismissed as theoretical by some. Brain wallets are now generally shunned by Bitcoin users, but Castellucci warned that an alternative cryptocurrency known as Ethereum can use a brain wallet scheme that’s every bit as weak as the Bitcoin one was. He is withholding details for now in the hopes that Ethereum brain wallets will soon be abandoned.