All about Google Chrome & Google Chrome OS

03 Jun 12 Google Chrome Tabs Let Malware Sneak Into Businesses



Google Chrome users: Watch your sync habits. The browser’s ability to synchronize tabs across different computers could be used by a malicious attacker to eavesdrop on personal or corporate communications.

The tab-synchronization capability appeared last month in the latest version of the Google Chrome browser, and allows users to synchronize their open browser tabs across devices. As a result, users can log into any version of the Google Chrome browser–on home PCs, work PCs, or mobile devices–and access their saved tabs.

Unfortunately, the same would go for malware. “Consider the following scenario: The user is signed in to Chrome on both work and home computer. … The home computer gets infected by a malware. Now all of the work synced data (such as work-related passwords) is owned by the malware,” said Rob Rachwald, director of security strategy at Imperva, in a blog post.

“We name this kind of threat BYOB for ‘Bring Your Own Browser,’” he said. “While BYOD creates challenges of mixing work data and personal end points, BYOB does exactly the same–but it’s more elusive as there’s no physical device involved.”

Furthermore, IT departments could have difficulty successfully spotting and blocking malware that infiltrates the enterprise in this manner, especially given the number of attacks that could be launched from an infected home PC. “Even if the malware gets disinfected on work computer, the malware is able to infect over and over again–as the root cause of the infection–the home computer–is outside of the reach of the IT department,” Rachwald said.

Two Ways In

Google didn’t immediately respond to a request for comment about the feasibility of this attack, or steps that users could take to mitigate this type of threat. To be sure, this is a theoretical attack; no such Chrome-targeting malware campaign has been seen in the wild. But malware could potentially piggyback into a corporate environment, using Chrome tabs, in two ways.

The first exploit technique would be if “the malware changes the homepage or some bookmark to point to a malware-infection site on the home computer,” said Rachwald. “Settings are synced to your work environment. When you open your browser at work, you get infected with some zero-day drive-by download.” In this scenario, attackers could instruct the malware to keep attacking the corporate network, and even vary the attack being used, in an attempt to evade defenses. This would be difficult for a business to stop with complete reliability.

“Even if the malware gets disinfected on work computer, the malware is able to infect over and over again, as the root cause of the infection–the home computer–is outside of the reach of the IT department,” he said.

Another potential attack vector would be if the malware installed a rogue Chrome extension; such extensions have appeared on the official Chrome Web Store in the past. As Google notes, “anyone can upload items to the Chrome Web Store, so you should only install items created by people you trust,” and it recommends checking an extension’s ratings and reviews to help judge whether it’s trustworthy. Google quickly removes malicious Chrome extensions once they’re spotted, but until that happens a malicious extension is able to operate with impunity.

“Chrome extensions are evil,” noted Felix “FX” Lindner, head of Recurity Labs in Berlin. That comment came during a talk he delivered at Black Hat Europe earlier this year, in which he highlighted how Chrome extensions can be used by an attacker to inject JavaScript directly into the browser. What’s more, any users who sign into Chrome on a different workstation will have their extensions automatically installed on the current PC. As a result, a malicious extension installed at home could easily appear on a workplace PC, creating a vulnerability similar to the one that Rachwald highlighted.

Why are malicious Chrome extensions so dangerous? “If you have an extension installed, it has … pretty much omnipotent control over your Chrome browser,” said Lindner, speaking by phone. “Google tries to prevent the extension from accessing your extension manager, but we’ve found ways to do it. Google fixed them, but I’m pretty confident that there are other ways.”

Preventing users from installing Chrome extensions is nearly impossible. For starters, while the IT department can issue its own Chrome build, and set it to block extensions, you can install and run your own installation of the browser on any PC for which you have permission to write to the home directory–no administrator rights required.

Security defenses also won’t spot malicious extensions. “This all being JavaScript and HTML, the corporate antivirus is not going to catch it–on top of the fact that you’re downloading the extension via SSL from Google’s Web store,” said Lindner. “Unless corporate [IT] breaks SSL for you, they’re not going to see it anyway.”

Since the browser’s preferences are handled with JavaScript, a malicious extension could automatically–and without a user being aware–install and run arbitrary code in the browser. For example, the extension might unleash a Trojan application that recorded everything the user did, or open a malicious website in the browser. Furthermore, if this extension was first installed at home, it would automatically get pushed to work when the user logged in there.
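The exposure described above comes down to which profile data is allowed to follow a signed-in user from an unmanaged machine into the office. As an added example (not code from the article, Imperva or Google), the script below audits a Chrome managed-policy document for the three settings that matter here: whether sync is disabled, whether extension installation is restricted to an allowlist, and whether the homepage is pinned. SyncDisabled, ExtensionInstallBlocklist, ExtensionInstallAllowlist and HomepageLocation are Chrome enterprise policy names; the policy documents in the script are constructed, and the extension id in the allowlist is a placeholder. As the article notes, a policy like this only governs the managed Chrome build, not a copy the user installs into their own home directory.

```python
"""Audit a Chrome managed-policy document for the sync and extension exposure
described above: bookmarks, homepage, passwords and extensions following a
signed-in user from an infected home machine into a work browser.

Added example; not code from the article, Imperva or Google. The policy names
are Chrome enterprise policies; the policy documents below are constructed and
the allowlisted extension id is a placeholder.
"""
import json
import sys


def audit_chrome_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Sync is the transport: with it on, the home profile's state lands here.
    if policy.get("SyncDisabled") is not True:
        findings.append(
            "SyncDisabled not set: bookmarks, homepage, passwords and extensions "
            "from the user's home profile will sync into this browser"
        )

    # Block everything, then allowlist the vetted extensions only.
    blocklist = policy.get("ExtensionInstallBlocklist", [])
    if "*" not in blocklist:
        findings.append(
            "ExtensionInstallBlocklist lacks '*': any Web Store extension, "
            "including one synced from home, can install"
        )

    # A pinned homepage cannot be overridden by a synced preference change.
    if not policy.get("HomepageLocation"):
        findings.append(
            "HomepageLocation not pinned: a homepage changed on an infected home "
            "machine can sync in and open an attacker-chosen site at work"
        )
    return findings


def audit_policy_file(path: str) -> list[str]:
    """Audit a JSON policy file such as Chrome reads on Linux/macOS."""
    with open(path, encoding="utf-8") as fh:
        return audit_chrome_policy(json.load(fh))


# Constructed policy documents for the demonstration.
WEAK_POLICY = {}  # nothing managed: default consumer behaviour
PARTIAL_POLICY = {"SyncDisabled": True}  # sync off, extensions still open
HARDENED_POLICY = {
    "SyncDisabled": True,
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": ["a" * 32],  # placeholder extension id
    "HomepageLocation": "https://intranet.example/",  # placeholder URL
}

if __name__ == "__main__":
    samples = {"weak": WEAK_POLICY, "partial": PARTIAL_POLICY, "hardened": HARDENED_POLICY}
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: json.load(open(sys.argv[1], encoding="utf-8"))}
    for name, policy in samples.items():
        findings = audit_chrome_policy(policy)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it without arguments to compare the three constructed policies, or pass the path of a real managed-policy JSON file to audit it.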

Attackers aren’t the only concern for Chrome users, as the Google tab synchronization feature could also be used during digital forensic investigations. “Imagine there’s a case against you at work, and they do forensics, and they get all of your accounts at home,” said Lindner.

But the bigger picture, he said, is that users should consider the security implications of synchronizing information between Chrome tabs or even between Google services. “I’m really not sure who would want to: a) give all this information to Google, and then, b) actually sync it onto every single machine they’re using,” Lindner said. “So much for defense. But maybe I’m the wrong person to ask–I don’t even have a Google account. Wrong religion.”

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Article source: http://www.informationweek.com/news/security/attacks/240001345


24 May 12 First look at Chrome’s new retail store in downtown Portland



Chrome, a well-known bag and urban bicycling/lifestyle apparel brand, opened a new retail store in downtown Portland yesterday. Staffers from the company’s San Francisco headquarters spent three weeks completely renovating a 1,300 square foot space at 425 SW 10th Avenue (around the corner from the Ace Hotel and up the street from Powell’s). Portland is just the fourth city where Chrome has opened a store, and we’re by far the smallest. Their other stores are in San Francisco (their headquarters), New York City, and Chicago.

Chrome was founded 17 years ago in Boulder, Colorado and moved to San Francisco a few years later. Since then, due in large part to their iconic messenger bags, they’ve extended their product line and now offer apparel, backpacks, and footwear. While their gear is not bike-specific, the brand lives and breathes urban biking and everything is made with the assumption that the customer will move around the city on a bike.

I dropped by their new store yesterday. Even though the doors had only been open for a few hours, the place was already buzzing. Customers milled around both outside and around the store’s TV (which was playing old clips of Eddy Merckx at the Tour de France). And as you might expect from a brand that made its name with bomb-proof quality messenger bags, a lot of the folks hanging out at the store were local bike messengers.

Here are a few shots from inside… [photos of the store interior]

I met one guy near the front door, Barry, who said he was the store’s first customer. He’s been a fan of Chrome for a while. “I’m glad they came to Portland!” he said, smiling and showing off his new backpack (which he likes because he can carry his laptop and clothes in it and it’s “great for traveling because it fits in the overhead bin.”)




Another person who’s glad Chrome came to Portland is the store’s manager, Amanda Sundvor. Many of you might already know Amanda as the high-fiving and fun-loving mechanic at 21st Avenue Bicycles (where she used to work), as the DJ who keeps local bike parties thumping, or as the force of nature behind Backyard Blam (the folks who brought you the recent Cross Up event, among others).


Sundvor loved working at 21st Avenue, but recently suffered a bad hand injury that made working on bikes painful. She had gotten to know the folks at Chrome over the years and when they asked her to manage the new store, she says, “It was very serendipitous.” Now she’s overseeing a crew of six employees and her infectious energy will help keep this place ticking.


Chrome’s Retail Marketing Manager Paul Wilson came up from San Francisco to train employees and make the store look just right. Wilson, like many businesses I’ve asked over the years, says his company wanted to be in Portland because of “the great vibe and community here.” Wilson says he wants Chrome to become a “hub” (they don’t call them stores) for the community. “We’re here in Portland to support our dealers and urban cycling in general… We want people to come here, hang out, and find out what’s going on… It’s a community thing, we want to foster that.”


The store itself is gorgeous. The 18-foot ceilings make you want to linger and the hand-made, wooden fixtures are tastefully integrated with Chrome’s urban graphics and dizzying array of colorful products. At the center of the store is a wide wooden table for taking a closer look at the bags. Want to know how it feels all packed up? They’ve got some weights you can toss in the bag to find out.

Near the shoe section is a tastefully-sized TV (not a huge big screen) and some stairs and couches to view it on.


In the rear of the store is what they call the “sewing station.” Sundvor says customers can make an appointment to have certain bag models made custom by the store’s full-time seamstress. Just call ahead, pick your bag, choose a color and other options and they’ll make it right in front of your eyes. Through a partnership with courier company MercuryPDX, they’ll even deliver the bag to your door later the same day (usually) using local bike messengers.


This is definitely a store worth checking out (for locals and visitors alike). There’s a big grand opening planned for First Thursday on June 7th. Amanda says to bring your guns because there’ll be an arm-wrestling contest.

    Chrome Portland Retail Store
    425 SW 10th
    Hours: Monday – Saturday 10-7, Sunday 10-6

Welcome to Portland Chrome! Hope you don’t mind all the rain…




Posted on May 24th, 2012 at 12:43 pm. Filed under Business, Front Page.


Article source: http://bikeportland.org/2012/05/24/first-look-at-chromes-new-retail-store-in-downtown-portland-72301


24 Apr 12 Firefox 12 released, takes Chrome mimicry to the next level



Though version numbers are fairly meaningless at this point, I am happy to announce that Firefox 12 has been officially released. There are two major changes: Moving forward, Firefox (on Windows) will automatically (and silently) update, and — praise be — the Find function is now a lot better at centering the page on any matches.

The ability to silently update very closely mirrors Chrome, and really it’s a surprise that Mozilla has taken so long to introduce this key feature, after switching to the six-week rapid release cycle almost a year ago, with Firefox 5. While making the update process opt-in sounds like the right thing to do, it has basically resulted in a very fragmented install base. When Chrome updates, almost everyone immediately moves to the new version — Mozilla, on the other hand, now has lots and lots of users spread out across a huge range of browsers, dating all the way back to Firefox 3.

When you install Firefox 12, Windows UAC will ask you to approve Firefox Software Updater — and after that, you should never see an update dialog ever again.

Updated @ 14:55: You can disable automatic updates by going to Options > Advanced > Updates.

Unfortunately, despite what we previously reported, neither the New Tab Page nor the Home Tab made it into Firefox 12. Both features should arrive with Firefox 13, however — in just six weeks from now!

In other news, the latest Nightly version of Firefox 14 has removed favicons from the address bar; the icon will now simply display a globe, or a padlock if the site is SSL-secured — just like Chrome. This is primarily a security fix: Nefarious websites could use a padlock favicon to trick users into thinking that the site is secure.

You can download Firefox 12 from the official website, or if you already use Firefox your browser should prompt you to update soon. Check out the official Mozilla blog for the full release notes.

Article source: http://www.extremetech.com/computing/127295-firefox-12-released-takes-chrome-mimicry-to-the-next-level


14 Apr 12 Chrome’s False Start lives up to its name: web security gets slower (but more …


In 2010, Google claimed it had a way to significantly reduce the time it took to load encrypted websites, and in 2011, it proclaimed success: “False Start” reportedly reduced the latency of SSL handshakes for users of the Google Chrome browser by 30 percent. The only problem was that the company couldn’t find a way to make it work with all such websites, only about 95 percent; the sites that didn’t work either failed too inconsistently for Google to add them to a blacklist, or refused to fix their incompatibility. That’s why Google security researcher Adam Langley announced that starting in version 20 of the Chrome browser, False Start will be turned off by default… and why the Google initiative will likely join the ranks of other tech industry in-jokes like Digital Rights Management and Microsoft Works.

Article source: http://www.theverge.com/2012/4/14/2947644/chromes-false-start-lives-up-to-its-name


09 Apr 12 PSA: How to temporarily fix the Chrome SSL bug


Over the weekend, Google Chrome received an update that prevented the browser from accessing SSL based services such as Gmail, as well as Facebook and Twitter. While Google has acknowledged the problem on Google Groups, a solution has yet to be pushed out. In the meantime, there are two temporary fixes for the problem so that you can continue using Chrome without frustration.

The current version of Chrome, 18.0.1025.151, creates a file called “chrome_shutdown_ms.txt” every time the browser is closed. When reopened, SSL sites are no longer accessible, instead giving an “Invalid Server Certificate” message. Here’s how to temporarily avoid the problem on Windows 7: navigate to “Users\[username]\AppData\Local\Google\Chrome\User Data”, and delete chrome_shutdown_ms.txt. Reopen Chrome, and SSL sites should work again.

That can get tedious if you’re having to close and reopen the browser on a regular basis, but there is a way to stop the file from being generated in the first place. To stop chrome_shutdown_ms.txt from being written, close your current tabs (and the browser) with Ctrl+W, or click to close them individually rather than closing everything with the big red X.

There’s no word yet on when Google will be pushing out an update to Chrome to fix the problem, which seems to have affected a wide range of users. We recommend you keep an eye on this Google Groups thread in the meantime.

Article source: http://www.slashgear.com/psa-how-to-temporarily-fix-the-chrome-ssl-bug-09222097/


07 Apr 12 Google Chrome hit by SSL bug restricting Google services


Google Chrome today has been hit by a bug that prevents the browser from logging on to Google services requiring SSL, such as Gmail and Google Docs. After an update was pushed to Google Chrome, users on Windows 7 found that trying to access Google services resulted in an “Invalid Server Certificate” message, with no way around the problem except to use another browser.

The problem seems to be isolated to those using the latest version of Chrome, 18.0.1025.151, and running the 64-bit version of Windows 7. So far the only way to gain access to Google services with Chrome again is to reinstall the browser, which will give temporary access. Once you close the browser and reopen it, the server certificate error will return.

We stumbled across the bug earlier this afternoon after updating Chrome, and had to switch to Firefox in order to access Google’s services. The bug has hit one of our desktop machines running Windows 7, but doesn’t seem to have affected a MacBook Air running Windows 7 via BootCamp.

Users of Chrome have taken to Google’s support pages with the same problem. There are two threads on Google Groups, with dozens of people all reporting the same issue. A representative from Google has replied, saying that they’re looking into the issue, as well as asking people for more details in order to troubleshoot. The exact cause of the problem is unclear right now.

Article source: http://www.slashgear.com/google-chrome-hit-by-ssl-bug-restricting-google-services-06221921/


05 Apr 12 Google Chrome Updates Stable And Beta Channels



Google is constantly busy hammering away at new updates to Chrome, with the obvious goal of making it the safest and fastest browser on the Web. While Chrome has multiple channels it updates through, the stable and beta channels receive the permanent updates that define the platform. Both channels received a small update today that provides a number of fixes.

Detailing the updates on the Google Chrome Releases page, the team has notified users that an update has been rolled out to the stable and beta channels in Chrome for Windows, Mac, Linux and Chrome Frame. The updates made today fix a variety of small bugs related to HTML5 Canvas, CSS, etc. The fixes are:

Black screen on Hybrid Graphics system with GPU accelerated compositing enabled
CSS not applied to element
Regression rendering a div with background gradient and borders
Canvas 2D line drawing bug with GPU acceleration
Multiple crashes
Pop-up dialog is at wrong position
HTML Canvas patterns are broken if you change the transformation matrix
SSL interstitial error “proceed anyway” / “back to safety” buttons don’t work

Google also found an issue with the Mac version of Chrome. It seems that HTML5 audio doesn’t work on some Mac computers. A fix for that will probably be coming sooner than later.

The new release also includes a new version of Flash Player. Adobe issued a major security fix last week for Flash Player, but this release seems to be unrelated. The Adobe Web site says that the update “addresses memory corruption vulnerabilities in the Chrome Interface.”

As per tradition, Google hands out cash rewards for security loopholes pointed out by members of the community. In all, Google handed out $6,000 in cash to three developers. One person in particular going by the screen name miaubiz took home $4,500 for pointing out five security flaws.

It’s these kinds of incentives that keep Chrome on top of its game as one of the most secure browsers on the Web. For full details on this release and more, check out the revision log.

Article source: http://www.webpronews.com/google-chrome-updates-stable-and-beta-channels-2012-04


21 Feb 12 Symantec criticises Google for stripping security certificate checks from Chrome


Stripping OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) checks from Google Chrome could have dangerous implications because it will turn Google into a single point of failure, according to security vendor Symantec.

When accessing a website over HTTPS, browsers check whether its SSL certificate has been revoked by the issuing certificate authority. This is done by querying the CA’s OCSP responder or by checking its published certificate revocation list.

For usability reasons, all major browsers currently ignore OCSP and CRL requests that result in network errors by default, in what is known as a soft fail mechanism. However, some of them do offer users the option to enable hard fail, which triggers errors for every request that goes unanswered.

Adam Langley, security engineer at Google, has announced that Chrome will stop performing OCSP and CRL checks in future versions. Instead, these checks are to be replaced with a locally cached list of revoked certificates that will be kept up to date by Google.

The reasons behind the decision are related to performance and security issues. OCSP and CRL requests increase page load times and are susceptible to blocking by man-in-the-middle attackers or captive portals, websites commonly used by Wi-Fi access points to prevent HTTP connections before users authenticate.

“This is a corner case that happens very infrequently. We argue that one shouldn’t discard OCSP and CRLs because they don’t work in a tiny fraction of cases,” said Fran Rosch, vice president of Trust Services and SSL at Symantec. “His proposal to have the browser maintain a list of revoked certificates turns Google into a single point of failure, which Langley himself agrees is bad engineering practice.”

According to Rosch, the soft fail mechanism currently used by browsers is the real issue, since it allows HTTPS sessions to continue without establishing whether the SSL certificate is valid or not. Symantec has maintained an uptime of 100 percent for its OCSP and CRL services for the past ten years, so CA-level downtime shouldn’t be a concern, he said.

“OCSP clearly does not work today because all major browsers operate it in soft fail mode. That needs fixing,” said Ivan Ristic, director of engineering at security firm Qualys. “My view is that Google should have first made an effort to fix the problem,” he said.

Qualys plans to start a project called “Global OCSP Responder monitoring” which will track the availability of all OCSP responders and identify CAs with unreliable ones. “That would hopefully enable everyone to switch to hard fail by default,” Ristic said.

According to Ristic, the performance issues could be resolved with the help of a technique known as OCSP stapling, which involves the owner of an SSL certificate querying the CA’s OCSP server periodically and caching a signed response. This response would then be served to clients directly without them needing to open a connection to a separate host.

“Even without OCSP stapling, browsers can start to display a website and perform the check in the background, so there’s not going to be an immediate performance impact,” Ristic said. “They could hard fail after a second or two, possibly preventing further interactions with the site.”
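The disagreement above is really about one branch in the client's revocation logic: what to do when the OCSP or CRL request gets no answer. The script below is an added example (not code from Chrome, Symantec, Qualys or any browser) that models the three designs discussed: the soft-fail and hard-fail modes for a live responder query, OCSP stapling, and a browser-shipped local revocation list. So that it runs offline, the CA's signature on a stapled response is replaced by an HMAC with a constructed demo key; real OCSP responses are DER-encoded and signed with the CA's (or a delegated responder's) private key, and real serials are not the short strings used here.

```python
"""Model of the revocation-check designs discussed above: soft-fail and
hard-fail OCSP/CRL lookups, OCSP stapling, and a vendor-maintained local list.

Added example, not code from any browser or CA. The CA signature on a stapled
response is stood in for by an HMAC with a constructed demo key.
"""
import hashlib
import hmac
import json


class ResponderUnreachable(Exception):
    """The OCSP/CRL request got a network error (captive portal, MITM, outage)."""


# Constructed stand-in for the CA's signing key; a real CA signs with a private key.
DEMO_CA_KEY = b"constructed-demo-ca-key"


def sign_status(serial, status, next_update):
    """Build the 'stapled' status a site refreshes periodically and serves itself."""
    body = json.dumps(
        {"serial": serial, "status": status, "next_update": next_update},
        sort_keys=True,
    )
    tag = hmac.new(DEMO_CA_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_stapled(resp, serial, now):
    """Return the status carried by a stapled response, or None if it cannot be trusted."""
    expected = hmac.new(DEMO_CA_KEY, resp["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, resp["tag"]):
        return None  # forged or corrupted staple
    data = json.loads(resp["body"])
    if data["serial"] != serial:
        return None  # response is about a different certificate
    if data["next_update"] < now:
        return None  # stale: the site failed to refresh its cached response
    return data["status"]


class Responder:
    """A CA's OCSP responder; reachable=False models the blocked-request case."""

    def __init__(self, revoked_serials, reachable=True):
        self.revoked = set(revoked_serials)
        self.reachable = reachable

    def query(self, serial):
        if not self.reachable:
            raise ResponderUnreachable(serial)
        return "revoked" if serial in self.revoked else "good"


def revocation_decision(serial, responder, mode, now, stapled=None, local_list=frozenset()):
    """Return 'allow' or 'block' for the certificate with the given serial.

    mode is 'soft-fail' (what the article says all major browsers do today),
    'hard-fail', or 'local-list' (Chrome's planned replacement: consult only a
    vendor-shipped list of revoked certificates and never contact the CA).
    """
    if stapled is not None:
        status = verify_stapled(stapled, serial, now)
        if status is not None:
            return "block" if status == "revoked" else "allow"
        # Unusable staple: fall back to whatever the mode would do without one.
    if mode == "local-list":
        return "block" if serial in local_list else "allow"
    try:
        status = responder.query(serial)
    except ResponderUnreachable:
        # This branch is the whole argument: under soft-fail, whoever can block
        # the status request gets a revoked certificate accepted.
        return "allow" if mode == "soft-fail" else "block"
    return "block" if status == "revoked" else "allow"


if __name__ == "__main__":
    now = 1_000
    blocked = Responder(revoked_serials={"0xBAD"}, reachable=False)
    print("soft-fail, responder blocked:", revocation_decision("0xBAD", blocked, "soft-fail", now))
    print("hard-fail, responder blocked:", revocation_decision("0xBAD", blocked, "hard-fail", now))
    staple = sign_status("0x01", "good", next_update=now + 600)
    print("hard-fail with fresh staple: ", revocation_decision("0x01", blocked, "hard-fail", now, stapled=staple))
```

The two blocked-responder lines show the trade-off the article describes: soft-fail lets a revoked certificate through whenever the status request is blocked, hard-fail breaks the site instead. The stapled case shows why Ristic can argue that hard-fail need not cost a round trip: a fresh, correctly signed response served by the site itself is enough, and the responder is only needed when the staple is missing, stale or forged.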

Removing OCSP checks from Google Chrome might even have legal implications for users, who won’t be able to claim warranties for damages resulting from the use of bad certificates if the software they rely on doesn’t make an effort to check certificate revocation status, said Eddy Nigg, founder and chief technology officer of certificate authority StartCom, via email.

“Strictly speaking, Google as a relying party and software vendor might not be able to make use of the CA root certificates its browser currently uses, due to non-compliance to those relying party obligations,” Nigg said.

Nigg agreed that the problem is the soft fail mechanism implemented in browsers, which he described as a failure in itself. “It’s rather the browsers that have fairly weak implementations at their side and don’t try hard enough (and smart enough) in order to obtain a status response,” he said.

Article source: http://rss.feedsportal.com/c/270/f/470440/s/1cc94381/l/0Lnews0Btechworld0N0Capplications0C33386850Csymantec0Ecriticises0Egoogle0Efor0Estripping0Esecurity0Ecertificate0Echecks0Efrom0Echrome0C0Dolo0Frss/story01.htm

