Wavety.com » Google Security

Google Offers Cash For Rooting Out YouTube Security Flaws

admin — Tue, 02 Nov 2010 17:13:16 +0000

Google has expanded its existing bug ‘bounty hunter’ programme to include YouTube and Blogger.

Under a scheme launched in January, hackers were offered cash rewards for finding bugs in Google’s Chromium open-source project. That incentive scheme is now being widened to include the company’s web sites Google.com, Youtube.com, blogger.com and Orkut.com.

The company said in a blog post that the basic reward for finding a vulnerability will be $500, but that hackers could stand to earn as much as $3,133 if the reported bug is “severe or unusually clever”.

“It’s difficult to provide a definitive list of vulnerabilities that will be rewarded,” Google’s Security Team explained, but added that “any serious bug which directly affects the confidentiality or integrity of user data” might be included in the scope of the scheme.

Google has instructed participants to search for flaws using their own accounts and not to access the data of other users.

The company also warned hackers of the importance of responsible disclosure of any bugs found on its channels.

Originally published on ITProPortal.com

Google Set To Simplify Privacy Policy

admin — Mon, 06 Sep 2010 10:15:54 +0000

Google is set to simplify its privacy policy by cutting down on the legal jargon found in its user privacy policy documents.

The move is an attempt to make privacy policy more transparent and understandable for its users.

In a blog post, Mike Yang, Google’s Associate General Counsel, described the privacy polices as “Long, complicated and lawyerly.

He said that the company plans to simplify its product privacy polices by deleting some of the content.

The company has stated that, although the language will change, it will not be changing its privacy practises.

Yang said that from 3 October, Google will be deleting 12 product specific privacy policies as their content is already repeated in Google’s main privacy policy.

The changes will be related to how information is exchanged between the services, including Gmail, Talk, Calender and Docs. The services will be governed by one single privacy policy.

Google is also making changes to its main privacy policy, deleting the parts which are redundant and rewriting parts deemed to contain too much legal jargon.

Originally published on ITProPortal.com

Google Not Happy With IBM Security Report

admin — Wed, 01 Sep 2010 13:58:13 +0000

Google has dismissed the security statistics cited by IT services giant IBM and has challenged the accuracy of the report.

According to Dark Reading, the Mountain-View, California-based search engine giant claimed that facts stated by IBM regarding its inability to patch maximum number of highly critical flaws, are wrong and inaccurate.

X-Force 2010 Mid-Year Trend and Risk Report released by IBM last week states that Google tops the list of software vendors with 33 percent of critical and dangerous flaws found in its services that went unpatched in the first half of 2010.

“We questioned a number of surprising findings concerning Google’s vulnerability rate and response record, and after discussions with IBM, we discovered a number of errors that had important implications for the report’s conclusions,” wrote Adam Mien, Google’s security program manager on company blog.

Tom Cross, manager of X-Force unit at Big Blue has acknowledged the mistake and a revised report will be available shortly; he added that “As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart”.

Originally published on ITProPortal.com

Google Wi-Fi Contains No Personal Info, Says IC

admin — Thu, 29 Jul 2010 14:23:56 +0000

The UK Information Commissioner’s Office (ICO) has declared that the Wi-Fi data mistakenly collected by Google’s Street View service contains no meaningful personal data.

The privacy watchdog said that it had visited Google premises to examine a sample of the Wi-Fi data and found that it contained no meaningful personal information. The ICO added that it believed that no individual was harmed because of the data collection.

The ICO maintained that it had only examined a sample of the data and that other countries investigating Google may find that the company had collected personal information that could be linked to individuals.

European nations, including France, Germany and the Czech Republic are currently conducting criminal investigations against the company, believing that Google had collected personal payload information, such as passwords and e-mail addresses.

In a statement, The ICO said: “As we have only seen samples of the records collected in the UK we recognise that other data protection authorities conducting a detailed analysis of all the payload data collected in their jurisdictions may nevertheless find samples of information.”

Originally published on ITProPortal.com

Google Aurora Hackers May Have Changed Source Code

admin — Mon, 08 Mar 2010 12:00:13 +0000

A recent report by a security firm is claiming that the recent wave of hacking attacks on Google, along with dozens of other firms, pilfered and modified crucial system source code by intruding into the employees’ PCs via privileged login credentials.

The hackers actually targeted only a small bunch of employees who were responsible for controlling source code management systems, which control several changes that developers introduce while they write any software, according to George Kurtz, CTO at the security firm McAfee.

The white paper, published by McAfee during RSA security conference in San Francisco, divulges some unexplored details about the recent attacks, codenamed as “Operation Aurora”, which impacted as many as 34 companies, such as Google and Adobe, starting from July last year.

Incidentally, McAfee assisted Adobe in investigating the kind of attacks launched on its systems, and even provided crucial details to Google about malware used in exploiting its systems.

Dmitri Alperovitch, McAfee’s VP for threat research, described the software configuration management (SCM) systems as the “crown jewels” of the companies.

Along the same line, he said: “No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting”.

Originally published on ITProPortal.com

Google Aurora Attack Carried Out By “Amateurs”?

admin — Fri, 05 Mar 2010 12:00:17 +0000

An analytical study conducted by US security firm Damballa has been revealed that the cyber attack which was targeted at Google’s corporate infrastructure and that of 20 other US companies, was apparently carried out by a group of amateurs, who had been testing the attack since July 2009.

The company revealed that upon thorough investigation of the malware and CnC (Command And Control) topologies used by the cyber criminals, it was determined that the attack was a version of an increasingly common botnet attack, albeit a dangerous one.

Gunter Ollmann, vice president of research at Damballa, dismissing the Google attack as a state-sponsored operation, said in a statement that “I would say this particular botnet group was not well funded because the level of the tools used would have been far superior to what it was. Some of the codes within the malware were at least five years old.”

Explaining the functionality behind the alleged amateur botnet attack, Ollmann said that the botnet was based on basic command topology and relied heavily on Dynamic DNS CnC techniques which are hardly used by professional botnet developers who prefer more sophisticated techniques.

Mr. Ollmann went to add that criminals had targeted companies in seven other countries before setting their eyes on Google.

Originally published on ITProPortal.com

Chinese Schools Deny Involvement In Google Aurora Hack

admin — Wed, 24 Feb 2010 12:00:23 +0000

US investigators have zeroed in on the source of recent wave of cyber attacks that crippled the servers of Google along with 20 other companies, according to reports.

Quoting a researcher working with the US investigators, the Financial Times reported yesterday that a freelance security consultant in China published the code that helped exploiting vulnerabilities in Microsoft’s Internet Explorer 6 web browser.

The Financial Times also claimed that the Chinese authorities had “special access” to the work of this consultant, and he published at least some part of the code to a hacking forum. However, the consultant himself didn’t launch the attack, but he facilitated for the same, the report said.

The report comes high on the heels of The New York Times report that pinpointed two Chinese schools, namely Lanxiang Vocational School and Shanghai Jiaotong University, for the attacks.

Of the two, the Lanxiang Vocational School was reportedly claimed to have connections with the Chinese military. However, a day later, the two schools denied their alleged involvement in the attacks, and representatives from Lanxiang rebuffed the reports of having ties with the Chinese PLA.

Originally published on ITProPortal.com

More Details Emerge About Chinese Involvement In Google Cyber Attacks

admin — Tue, 23 Feb 2010 12:00:41 +0000

The team of cyber security experts investigating the cyber attack on Google has apparently established the identity of the Chinese programmer who created the sophisticated program that was used to hack into Google and other US companies.

This fresh piece of evidence linking the Chinese government to the cyber attack comes days after the team of cyber investigators traced the spyware back to two well known educational institutes in China, with one of them having close ties with the Chinese military.

The Financial Times has reported that according to a security researcher working for the US government, the Chinese programmer is a 30 year-old freelance cyber security expert, who after developing the program, posted a part of it on a Chinese hacking forum, as something he was ‘working on’.

Last year in December, Google had reported a hacking attempt on the firm’s corporate infrastructure, which had also targeted the Gmail accounts of some Chinese human rights activists. The company had also revealed that the cyber attack, which had originated from China, had also targeted 20 other US based companies.

Search engine giant Google had threatened to close down its operations in China if the country does not permit it to operate in a censorship free environment.

Originally published on ITProPortal.com

Google Aurora Attack Originated From Chinese Schools

admin — Mon, 22 Feb 2010 12:00:42 +0000

A security expert investigating the cyber-attack on Google, that had targeted the Gmail accounts of Chinese human right activists, has claimed that the hackers behind the attack were also responsible for the cyber-attacks made on several Fortune 100 companies in the past one and a half year.

According to security analyst, James C. Mulvenon, cyber investigators have succeeded in creating profiles of the hackers involved in the Google attack based on the types of cyber violations, the way the computer code was written and the symbols used in the code.

The profiles thus created have revealed to the investigators that the same hackers were involved in several other cyber-intrusions made on Fortune 100 companies.

Surprisingly, the attacks seem to originate from two Chinese schools, the Shanghai Jiaotong University and the Lanxiang Vocational School.

Last month in January, search engine Google had revealed to the world that the company’s corporate infrastructure had been breached by a cyber-attack originating from the People’s Republic of China. Google had also reported that the cyber-attack also targeted 20 other US multinational companies.

This revelation by Google had triggered a global debate on freedom of information over the internet and countries like China, Iran and Egypt were criticised for restricting information over the internet.

Originally published on ITProPortal.com

NSA Teams With Google Over Cybersecurity

admin — Fri, 05 Feb 2010 12:00:00 +0000

The electronic surveillance agency of the US government, the National Security Agency (NSA), will soon be assisting search engine giant Google, to improve the company’s cyber security in order to prevent any further cyber attacks on the company’s corporate infrastructure, similar to the one, which was reported by Google several weeks ago.

According to sources privy to the matter, the agreement between the two heavy weights, which is still being finalised, will see both organisations working together in order to investigate the nature of the cyber attack, which is said to have originated in China.

The idea behind this cyber security alliance, according to anonymous sources, is to allow the two organisations to share vital information and resources that will help the government and the industry to set-up cyber security measures that are both in favor of national security, interests of US businesses and most importantly, the US citizens.

However, the news of a possible cyber security alliance between NSA and Google has caused apprehensions in the mind of many who feel that the NSA will intrude on the privacy of Google users.

Such worries may be unfounded with the Washington Post reporting that it sources have claimed that “The deal does not mean the NSA will be viewing users’ searches or e-mail accounts or that Google will be sharing proprietary data.”

Originally published on ITProPortal.com