All about Google Chrome & Google Chrome OS

19 May 12 Banking Trojan poses as Google Chrome installer

Online financial fraudsters are hiding their latest bank-account-stealing weapon inside what appears to be a legitimate Google Chrome installer.

The downloadable file, “ChromeSetup.exe,” contains a sophisticated, multifaceted banking Trojan that, once running on a system, relays that computer’s information to a remote IP address. Most of the compromised browsers connect to IP addresses in Brazil and Peru, researchers at Trend Micro explained. The fake Chrome installer appears to be hosted on popular domains including Facebook, Google and MSN.

The real danger occurs when the malware implants a file that triggers the victim’s Web browser to redirect to a rigged banking site when the user attempts to visit his legitimate banking platform. The Trojan, identified as “TSPY_BANKER.EUIQ,” hijacks the user’s banking session and displays a dialogue box that reads, “Loading system security,” giving the victim the belief that he’s actually being protected when, in fact, the crooks are picking his virtual pockets.


Adding insult to injury, the Trojan uninstalls GbPlugin, a software plugin built to protect Brazilian online banking customers. Trend Micro said the malware, which was first spotted in October 2011, is currently being used in the wild and is morphing to evade detection and more effectively fleece its victims.

You can protect yourself and your online banking sessions by making sure any site that requires you to enter your financial information is secured with “HTTPS” encryption — look for “HTTPS” highlighted in green and a picture of a lock in your Web browser. If a website seems suspicious, or requests information you don’t feel comfortable handing over, do not trust it.

© 2012 SecurityNewsDaily. All rights reserved


02 Mar 12 EFF Releases HTTPS Everywhere Extension For Firefox, Chrome

Like it or not, the internet is changing. We who use the internet have passed into the era of uncertain privacy and questionable surveillance of our online activities. Rather than await the full implications of what the Googles and Facebooks are doing with our private information, the Electronic Frontier Foundation and Tor have partnered to not only encourage internet users to take a more proactive role in protecting their internet security, but offered a few tools to help out with the task.

For those that don’t know, Tor is basically the internet’s shadow: it’s a network of “virtual tunnels” that allows users to enhance their privacy on the internet by preventing “traffic analysis,” a common form of internet surveillance used by pretty much any entity with the means and determination to find out what you’re doing on the internet.

One of the first and best ways in which people can increase their level of online security is by installing a new browser extension for Firefox and Chrome called HTTPS Everywhere. The extension “encrypts your communication with many websites and, in conjunction with Tor, helps to protect your anonymity online.” HTTPS Everywhere will most notably improve your online security against anybody that’s snooping around on your wireless network, plus it’ll protect you against any eavesdroppers hanging around on the network you’re using to communicate with a website.

To better understand how HTTPS and Tor can level up your online security, EFF put together an interactive graphic to help you answer any lingering questions you may have about what HTTPS is, why you need to be concerned about the vulnerability of your online privacy, and how these guidelines will keep you safer and sounder.

As we slouch onward into this new age of online hyper-surveillance, the old maxim “better to be safe than sorry” can not be valued enough.


29 Feb 12 HTTPS Everywhere Keeps Your Personal Information Safe on Over 1400 Sites …

HTTPS Everywhere Keeps Your Personal Information Safe on Over 1,400 Sites, Available for Firefox and Chrome

Chrome/Firefox: HTTPS Everywhere is a simple extension that, with just a one-click installation, can seriously increase your security on over 1,400 web sites by encrypting your connection.

We’ve talked before about HTTPS, what it does, and why you should use it. Many sites, like Gmail (and Facebook, with caveats) have options that let you browse with HTTPS always turned on, but the HTTPS Everywhere extension makes this simpler. Instead of turning it on for individual sites, HTTPS Everywhere automatically routes all your data through a secure connection on any of its 1,400 supported web sites, keeping your information safe and away from prying eyes—in short, it’s an extension everyone should have installed.

HTTPS Everywhere has long been a favorite of Firefox users, but today marks the first time Chrome users can get in on the fun, with a new beta version of the extension that quietly sits in your address bar and switches you to HTTPS whenever possible. The Firefox version has also been updated to 2.0, which adds a new feature called the Observatory which, when turned on, detects encryption weaknesses and will notify you when you’re browsing a site with a security vulnerability. To read more about the new version of the extension and install it in your browser, hit the link below.

HTTPS Everywhere is a free extension and works wherever Chrome and Firefox do.

New ‘HTTPS Everywhere’ Version Warns Users About Web Security Holes | Electronic Frontier Foundation


14 Feb 12 Chrome turns its back on security standard

Google is right that digital certificate revocation checking is broken, but wrong to abandon the standard


I’m still trying to wrap my head around Google’s surprising revelation (in Google engineer Adam Langley’s blog) that it will disable online certificate revocation checking in a future version of the Chrome browser. Standard across all the leading browsers, online revocation checking is the process of conducting a verification query of a certificate authority when presented with a new digital certificate tied to a particular website. Although the certificate revocation process is currently broken, as I’ll explain below, Google’s Chrome-only fix is problematic in a number of ways. And a much simpler fix — for Chrome and every other browser — is plain for all to see. 

When your browser connects to an HTTPS-protected website, it will examine the digital certificate the site presents, locate the revocation link pointer embedded in the digital certificate (if it exists), then query the indicated certificate authority to determine whether the certificate has been revoked by the issuer. Common reasons for revocation include a compromise of the certificate owner’s private key or just periodic certificate replacement, but a certificate can be revoked for any reason the issuer chooses. I’ve seen certificates revoked because the owner didn’t pay the issuer in a timely manner.


Revocation checking allows applications such as your Web browser to make sure that the presented certificate is still valid and still vouches reliably for the site you’re visiting. As such, it is integral to PKI; without it, a certificate the issuer has already revoked continues to be trusted. Unfortunately, revocation has often been neglected or ignored. Whether and how it’s done is completely dependent upon the “consuming” application or system. In many scenarios, revocation checking is so poorly implemented that it’s hard to say it’s being performed at all or provides any value.

For example, the digital certificates for many websites either don’t contain a revocation link pointer, or they point to a location that isn’t contactable. One presentation I saw at Black Hat Las Vegas a few years ago found that more than 90 percent of HTTPS-enabled websites didn’t implement digital certificates correctly. Not all of those failures were due to revocation issues, although a large number of them were.

Certificate revocation checking is broken
HTTPS revocation checking is so hit or miss that most popular browsers fail “open” — meaning that if the certificate’s revocation information cannot be confirmed, the browser will proceed as if the certificate were still valid. Worse, in most cases, the user isn’t aware that revocation checking doesn’t work. Many browsers can be configured to fail closed (that is, if revocation checking can’t be performed, then the browser won’t let the user connect to the protected website), but no browser vendor has the stomach to make this the default behavior. Many legitimate websites would become unreachable, and no browser maker wants to risk widespread user frustration.

All PKI and crypto experts understand the current problems with revocation checking, so it’s not just Google. However, Google is drawing a line in the sand to protect the users of its browser by stating that today’s generally accepted standards for doing digital certificate revocation, Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP), are too broken to fix.


24 Nov 11 Google future-proofs your e-mail, documents from spies

Chrome users can check whether they have forward secrecy connections by clicking on the green padlock icon in the Web address bar.

Google is strengthening the encryption on Gmail and other services so that messages stored today can’t easily be decrypted later by faster computers using brute force methods.

The company is enabling what is called “forward secrecy” by default, Adam Langley from Google’s security team, wrote in a blog post yesterday.

“Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today,” he wrote. “In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.”

With forward secrecy, the private crypto keys for a connection are not kept in persistent storage; keeping a single long-lived key would allow an adversary who breaks it to decrypt every past connection.

Forward secret HTTPS (Hyper Text Transfer Protocol Secure) is live for Gmail, Google Docs, SSL (Secure Sockets Layer) Search, and Google+.

Chrome users can check whether they have forward secret connections by clicking on the green padlock in the address bar of HTTPS sites and looking for the “ECDHE_RSA” key exchange mechanism.

Firefox and Internet Explorer on Vista and later support forward secrecy using elliptic curve Diffie-Hellman. However, only Chrome and Firefox will initially use it by default with Google services because IE doesn’t support the combination of ECDHE and RC4. “We hope to support IE in the future,” Langley wrote.
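An added check for the forward-secrecy point above, not code from the article or from Google: it classifies TLS cipher suites by their key-exchange component (the ECDHE_RSA label Chrome shows, or the OpenSSL-style suite name) and builds a client context that only offers (EC)DHE suites. The cipher string and the sample suite names are my own choices, not Google's configuration.

```python
import ssl

# Chrome's padlock dialog (as the article describes) labels the key exchange "ECDHE_RSA";
# OpenSSL-style names put the same information first, e.g. "ECDHE-RSA-AES128-GCM-SHA256".
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}  # per-connection (EC)DH keys: forward secret


def is_forward_secret(suite):
    """Classify a cipher suite by its key-exchange component.

    Accepts OpenSSL names ("ECDHE-RSA-AES128-SHA"), IANA names
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") and Chrome's short form ("ECDHE_RSA").
    Static RSA, static ECDH and plain PSK key exchange are not forward secret.
    """
    tokens = suite.upper().replace("-", "_").split("_")
    if tokens[0] == "TLS":
        tokens = tokens[1:]
    # TLS 1.3 suite names carry no key-exchange component: the handshake is always (EC)DHE.
    if tokens[0] in ("AES", "CHACHA20"):
        return True
    return tokens[0] in EPHEMERAL_KX


def describe_connection(cipher_info):
    """Interpret the (name, protocol, bits) tuple returned by ssl.SSLSocket.cipher()."""
    name, protocol, bits = cipher_info
    return {"suite": name, "protocol": protocol, "bits": bits,
            "forward_secret": is_forward_secret(name)}


def forward_secret_context():
    """Client context that refuses non-forward-secret suites for TLS 1.2 and below.

    The cipher string is an assumption of this example: ECDHE/DHE only, no anonymous or
    null suites, and no RC4 (the combination the article says IE could not do with ECDHE).
    TLS 1.3 suites are configured separately by OpenSSL and are always forward secret.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE:DHE:!aNULL:!eNULL:!RC4")
    return ctx


def audit_local_suites(ctx=None):
    """Partition the suites this OpenSSL build would offer into forward-secret and not."""
    ctx = ctx or ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    fs, non_fs = [], []
    for suite in ctx.get_ciphers():
        (fs if is_forward_secret(suite["name"]) else non_fs).append(suite["name"])
    return fs, non_fs


if __name__ == "__main__":
    default_fs, default_non_fs = audit_local_suites()
    print("default context: %d forward-secret, %d not" % (len(default_fs), len(default_non_fs)))
    for name in default_non_fs:
        print("  not forward secret:", name)
    hardened_fs, hardened_non_fs = audit_local_suites(forward_secret_context())
    print("hardened context: %d forward-secret, %d not" % (len(hardened_fs), len(hardened_non_fs)))
```

To check a live connection, wrap a socket with `forward_secret_context()` and pass `sock.cipher()` to `describe_connection()`.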

Google has been aggressive in rolling out encryption options for its users, starting with a Gmail option back in July 2008, then SSL by default in Gmail in January 2010, and more recently, default SSL for search in October.


24 Oct 11 Bug allows remote code execution in Chrome

In September ACROS Security notified Google about a peculiar behavior of the Chrome browser that can be exploited for execution of remote code outside the Chrome sandbox under specific conditions. It is another case of file planting, where an application loads a data file (as opposed to a binary file, which leads to binary planting) from the current working directory. As with our previously reported file planting in the Java Runtime Environment (still there in current build 1.6.0_29 if you want to play with it), Chrome loads a data file, namely pkcs11.txt, from the root of the current working directory and, in case the file exists, parses and processes its content. Security-wise, the most interesting value in a pkcs11.txt file is called library. Consider the following line in pkcs11.txt:


This line will instruct Chrome to load the library c:\temp\malicious.dll. It works with remote shared folders too, which is what makes remote code execution attacks possible; in our demonstration, the following line is used:


In addition, the library file doesn’t have to have a known extension (such as “.dll”), which makes it harder to block on a firewall.

Finally, the Chrome sandbox doesn’t provide any protection here, as the entire process of loading pkcs11.txt and the associated library is done by the parent chrome.exe process.

HTTPS, NSS And pkcs11.txt

Chrome loads “/pkcs11.txt” the first time it needs to do anything encryption-related, which in most cases means visiting an HTTPS URL. Chrome developers tracked this issue to one of Mozilla’s Network Security Services (NSS) libraries, and it seems that it is a matter of unfortunate circumstances that gave life to this bug in Chrome, although the same bug may potentially exist in some other products integrating NSS libraries.

Exploit conditions

If you carefully read the previous paragraph, you noticed two things:

1. Chrome loads pkcs11.txt the first time it needs PKCS #11 capabilities, and it never does so again until re-launched. This means that if the user has already visited an HTTPS address before, or any of the sites he visited has loaded an image or any other data via HTTPS, the attack opportunity is gone. What makes things worse for the attacker is the fact that when Google is the selected search engine (and it is by default), Chrome sends a request to… to determine your local Google domain immediately upon startup. This triggers the loading of pkcs11.txt from the root of the user’s local system drive and closes the attacker’s window of opportunity before it was ever really opened.

2. The initial forward slash in the file name “/pkcs11.txt” means that pkcs11.txt will be loaded from the root of the current working directory, and not from the current working directory itself. For instance, if the current working directory is C:\users\james, Chrome will try to load C:\pkcs11.txt. In a shared folder case, if the current working directory is \\server\share\somefolder, Chrome will try to load \\server\share\pkcs11.txt.

So how can this vulnerability be exploited? Three conditions need to be met:

1. Google must not be the selected search engine. This setting is configurable under the Options page, and users can set Yahoo, Bing, or any other search provider as their selected search engine. We confirmed that Yahoo and Bing don’t send any HTTPS requests when Chrome is launched and are therefore suitable for mounting the attack.

2. The user must not have visited any HTTPS resources before the attack. As described above, the attack relies on the fact that the NSS capabilities have not been initialized yet in the running parent Chrome process. Ideally for the attacker, the user would have just launched Chrome and not visited any web sites that send HTTPS requests.

3. Chrome’s current working directory must be set to an attacker-controlled location. Since Chrome sets its current working directory to its own folder on the user’s machine upon startup, double-clicking an HTML file in a remote shared folder (which often works for binary planting attacks) wouldn’t achieve anything for the attacker. The best remaining way we know of to set the current working directory in Chrome is the file browse dialogs. If the attacker could get the user to try to load a file from her network shared folder, and trigger the first HTTPS request while the user had this folder open in the “Open” dialog, Chrome would load pkcs11.txt from the root of the attacker’s network share and load the library specified in it.

On-line demonstration

We have prepared an on-line demonstration here. Simply open this page with Chrome and follow instructions. If you don’t have Chrome handy and want to see what would happen if you did, here’s a video of this demonstration:

Attack improvements and variations

Our demonstration requires you to wait until the count-down reaches 0 before the attack is completed and the remote DLL is loaded. The reason for this waiting is to make sure the “Open” dialog has successfully loaded the remote shared folder – which can take anywhere from 5 to 30 seconds according to our tests. A real attack would not keep you waiting: the attacker-controlled server could detect the incoming requests (SMB or WebDAV) indicating that Chrome’s current working directory has been set to its network share and then instruct the web page already loaded in Chrome to make some HTTPS request – which would result in Chrome loading pkcs11.txt from attacker’s network share just like in our demonstration.

Current working directory can also be set via the “Save As…” dialog and any other file browse dialog the attacker feels her victim would most likely be duped into opening.

A bizarre local variant of this same exploit is also possible in the extremely unlikely case that the user has his Downloads folder in the root of any one of his local drives. In that case, all the attacker would have to do is get a malicious pkcs11.txt downloaded in user’s Chrome (which can happen in a drive-by fashion as .txt is not a “dangerous” extension) and wait for the user to open the “Save As…” dialog, which by default opens the Downloads folder’s location.

Is this a vulnerability or not?

Google decided that this was not a vulnerability, but rather a “strange behavior that [they] should consider changing”. The reason they provided was that “the social engineering level involved here is significantly higher than ‘Your computer is infected with a virus, download this free anti-virus software and run the exe file to fix it.’”

This is actually hard to dispute. From the attacker’s perspective, given these two attack options, she would probably be more successful with the “fake anti-virus” one than the “file planting” one. However, the “fake anti-virus” option may not work against corporate users whose firewalls are likely to prevent them from downloading an executable, and who may not be technically allowed (e.g., with AppLocker) to launch unauthorized executables. Additionally, employees who attended at least one security awareness session could be more suspicious about a “please download and execute this” request than an “open a file from this folder” request. Then again, they may not be; who knows.

Regardless, as security researchers we consider any “feature” that allows silent downloading of remote code and its execution on user’s computer without warnings a vulnerability. Clearly the same criteria cannot apply to Joe Average and someone working at a nuclear power plant, and it’s not a big deal if Google doesn’t share our vulnerability criteria (security experts disagree on many things all the time), but Google’s reasoning opens up an interesting and important question: how much social engineering is too much?

Microsoft’s Security Intelligence Report Volume 11 reveals (based on Microsoft’s data) that 88% of attacks in the first half of 2011 were depending on what they call “user interaction” and “feature abuse”, both of which are part of what is generally considered “social engineering,” i.e., getting users to do something they otherwise wouldn’t. While this doesn’t answer the above question, it sheds some light on how prevalent, and successful, social engineering seems to be in the real attacks out there. It seems plausible that as technical security countermeasures block more and more attack paths, attackers will be looking for the remaining paths of least resistance: both technical resistance and social one.

What can we learn?

1. Loading data files from untrusted locations can be dangerous, and this includes the current working directory. Action item: fire up Process Monitor while testing your applications and see what they’re loading.

2. Third-party libraries can introduce vulnerabilities into your software, and possibly only into your software. Action item: use third-party libraries whose developers are quick to fix issues, or at least which you can patch yourself. (The NSS library with this particular bug fortunately has both of these properties.)

3. What is a vulnerability to some can be just strange behavior to others, and there are no industry criteria for telling who’s right. (Although we can probably agree that the actual attacker is always right.) Action item for the issue described in this post: make sure your Chrome home page is an HTTPS address or loads at least one HTTPS resource, and you won’t have to care who’s right.
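An added example for the first action item (fire up Process Monitor and see what your application loads), not code from ACROS or from the article: it triages a constructed, Procmon-style CSV export and flags reads of pkcs11.txt from a drive root or a network share, and any image load from a network share. The log lines, the process name filter and the file names are constructed for illustration and are not from a real capture.

```python
import csv
import io
import re

# Constructed Procmon-style CSV export (not a real capture). The column layout follows
# Procmon's default export: Time of Day, Process Name, PID, Operation, Path, Result, Detail.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","chrome.exe","4120","Load Image","C:\\Program Files\\Google\\Chrome\\Application\\chrome.dll","SUCCESS",""
"10:01:05.3","chrome.exe","4120","CreateFile","C:\\pkcs11.txt","NAME NOT FOUND","Desired Access: Generic Read"
"10:02:11.7","chrome.exe","4120","CreateFile","\\\\fileserver\\public\\pkcs11.txt","SUCCESS","Desired Access: Generic Read"
"10:02:11.9","chrome.exe","4120","Load Image","\\\\fileserver\\public\\lib.dat","SUCCESS",""
"10:02:12.0","chrome.exe","4120","CreateFile","C:\\Users\\james\\Downloads\\notes.txt","SUCCESS","Desired Access: Generic Read"
"""

UNC_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+\\")      # \\server\share\...
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")  # a file directly under a drive root

# Data files the article shows being loaded from the root of the working directory.
DATA_FILES = {"pkcs11.txt"}
LOAD_OPS = {"Load Image"}  # Procmon's operation name for a DLL/image being mapped


def classify_path(path):
    """Return 'unc', 'drive-root' or None depending on where the path points."""
    if UNC_RE.match(path):
        return "unc"
    if DRIVE_ROOT_RE.match(path):
        return "drive-root"
    return None


def triage(csv_text, process="chrome.exe"):
    """Flag suspicious loads by one process in a Procmon CSV export.

    Two patterns are reported: a known data file (pkcs11.txt) probed at a drive root or
    on a network share, whether or not it was found, and any image load from a share.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        path, op = row["Path"], row["Operation"]
        where = classify_path(path)
        name = path.rsplit("\\", 1)[-1].lower()
        if op in LOAD_OPS and where == "unc":
            reason = "library loaded from a network share"
        elif name in DATA_FILES and where is not None:
            reason = "config file probed at %s" % where
        else:
            continue
        findings.append({"time": row["Time of Day"], "operation": op, "path": path,
                         "location": where, "found": row["Result"] == "SUCCESS",
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCMON_CSV):
        print("%s %-10s %-40s %s (found=%s)" % (f["time"], f["operation"], f["path"],
                                                 f["reason"], f["found"]))
```

A failed probe such as `C:\pkcs11.txt` with NAME NOT FOUND is still reported, because the probe itself reveals the loading behavior before any file is planted.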

Author: Mitja Kolsek, CEO of ACROS Security.
