Chrome warns users of out-of-date browser plugins

Posted by Panayiotis Mavrommatis and Noé Lutz, Google Security Team

The new version of Google Chrome is not only speedier and simpler but it also improves user security by automatically disabling out-of-date, vulnerable browser plugins.

As browsers get better at auto-updating, out-of-date plugins are becoming the weakest link against malware attacks. Thousands of web sites are compromised every week, turning those sites into malware distribution vectors by actively exploiting out-of-date plugins that run in the browser. Simply visiting one of these sites is usually enough to get your computer infected.

Keeping all of your plugins up-to-date with the latest security fixes can be a hassle, so a while ago we started using our 20% time to develop a solution. The initial implementation was a Chrome extension called “SecBrowsing,” which kept track of the latest plugin versions and encouraged users to update accordingly. The extension helped us gather valuable knowledge about plugins, and we started working with the Chrome team to build the feature right inside the browser.

With the latest version of Chrome, users will be automatically warned about any out-of-date plugins. If you run into a page that requires a plugin that’s not current, it won’t run by default. Instead, you’ll see a message that will help you get the latest, most secure version of the plugin. An example of this message is below, and you can read more about the feature at the Chromium blog.

MHTML vulnerability under active exploitation

Posted by Chris Evans, Robert Swiecki, Michal Zalewski, and Billy Rios, Google Security Team

We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.

For now, we recommend concerned users and corporations seriously consider deploying Microsoft’s temporary Fixit to block this attack until an official patch is available.

To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue.

The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities. To date, similar attacks focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web
services.

Advanced sign-in security for your Google account

Posted by Nishit Shah, Product Manager, Google Security

(Cross-posted from the Official Google Blog)

Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples (like the classic "Mugged in London" scam) that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.

Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we've developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you're the real owner of your account. Now it's time to offer the same advanced protection to all of our users.

2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page that looks like this:

Take your time to carefully set up 2-step verification—we expect it may take up to 15 minutes to enroll. A user-friendly set-up wizard will guide you through the process, including setting up a backup phone and creating backup codes in case you lose access to your primary phone. Once you enable 2-step verification, you'll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we'll have a pretty good idea that the person signing in is actually you.

It's an extra step, but it's one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone. A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a "Remember verification for this computer for 30 days" option, and you won't need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.

To learn more about 2-step verification and get started, visit our Help Center. And for more about staying safe online, see our ongoing security blog series or visit http://www.staysafeonline.org/. Be safe!

Update Dec 7, 2011: Updated the screenshots in this post.

Quick update on our vulnerability reward program

Posted by Matt Moore, Michal Zalewski, Adam Mein, Chris Evans; Google Security Team

About a week and a half ago we launched a new web vulnerability reward program, and the response has been fantastic. We've received many high quality reports from across the globe. Our bug review committee has been working hard, and we’re pleased to say that so far we plan to award over $20,000 to various talented researchers. We'll update our 'Hall of Fame' page with relevant details over the next few days.

Based on what we've received over the past week, we've clarified a few things about the program — in particular, the types of issues and Google services that are in scope for a reward. The review committee has been somewhat generous this first week, and we’ve granted a number of awards for bugs of low severity, or that wouldn’t normally fall under the conditions we originally described. Please be sure to review our original post and clarification thoroughly before reporting a potential issue to us.

Rewarding web application security research

Posted by Chris Evans, Neel Mehta, Adam Mein, Matt Moore, and Michal Zalewski; Google Security Team

Back in January of this year, the Chromium open source project launched a well-received vulnerability reward program. In the months since launch, researchers reporting a wide range of great bugs have received rewards — a small summary of which can be found in the Hall of Fame. We've seen a sustained increase in the number of high quality reports from researchers, and their combined efforts are contributing to a more secure Chromium browser for millions of users.

Today, we are announcing an experimental new vulnerability reward program that applies to Google web properties. We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page. As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.

In the spirit of the original Chromium blog post, we have some information about the new program in a question and answer format below:

Q) What applications are in scope?
A) Any Google web properties which display or manage highly sensitive authenticated user data or accounts may be in scope. Some examples could include:

• *.google.com
• *.youtube.com
• *.blogger.com
• *.orkut.com

For now, Google's client applications (e.g. Android, Picasa, Google Desktop, etc) are not in scope. We may expand the program in the future.

UPDATE: We also recommend reading our additional thoughts about these guidelines to help clarify what types of applications and bugs are eligible for this program.

Q) What classes of bug are in scope?
A) It's difficult to provide a definitive list of vulnerabilities that will be rewarded; however, any serious bug which directly affects the confidentiality or integrity of user data may be in scope. We anticipate most rewards will be in bug categories such as:

• XSS
• XSRF / CSRF
• XSSI (cross-site script inclusion)
• Bypassing authorization controls (e.g. User A can access User B's private data)
• Server side code execution or command injection

Out of concern for the availability of our services to all users, we ask you to refrain from using automated testing tools.

These categories of bugs are definitively excluded:

• attacks against Google’s corporate infrastructure
• social engineering and physical attacks
• denial of service bugs
• non-web application vulnerabilities, including vulnerabilities in client applications
• SEO blackhat techniques
• vulnerabilities in Google-branded websites hosted by third parties
• bugs in technologies recently acquired by Google

Q) How far should I go to demonstrate a vulnerability?
A) Please, only ever target your own account or a test account. Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data.

Q) I've found a vulnerability — how do I report it?
A) Contact details are listed here. Please only use the email address given for actual vulnerabilities in Google products. Non-security bugs and queries about problems with your account should should instead be directed to the Google Help Centers.

Q) What reward might I get?
A) The base reward for qualifying bugs is $500. If the rewards panel finds a particular bug to be severe or unusually clever, rewards of up to $3,133.7 may be issued. The panel may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward.

We understand that some researchers aren’t interested in the money, so we’d also like to give you the option to donate your reward to charity. If you do, we'll match it — subject to our discretion.

Regardless of whether you're rewarded monetarily or not, all vulnerability reporters who interact with us in a respectful, productive manner will be credited on a new vulnerability reporter page. If we file a bug internally, you'll be credited.

Superstar performers will continue to be acknowledged under the "We Thank You" section of this page.

Q) How do I find out if my bug qualified for a reward?
A) You will receive a comment to this effect in an emailed response from the Google Security Team.

Q) What if someone else also found the same bug?
A) Only the first report of a given issue that we had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.

Q) Will bugs disclosed without giving Google developers an opportunity to fix them first still qualify?
A) We believe handling vulnerabilities responsibly is a two-way street. It's our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered. Vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability (for example, an issue affecting multiple vendors), will usually not qualify. This includes both full public disclosure and limited private release.

Q) Do I still qualify if I disclose the problem publicly once fixed?
A) Yes, absolutely! We encourage open collaboration. We will also make sure to credit you on our new vulnerability reporter page.

Q) Who determines whether a given bug is eligible?
A) Several members of the Google Security Team including Chris Evans, Neel Mehta, Adam Mein, Matt Moore, and Michal Zalewski.

Q) Are you going to list my name on a public web page?
A) Only if you want us to. If selected as the recipient of a reward, and you accept, we will need your contact details in order to pay you. However, at your discretion, you can choose not to be listed on any credit page.

Q) No doubt you wanted to make some legal points?
A) Sure. We encourage broad participation. However, we are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. This program is also not open to minors. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

Thank you for helping us to make Google's products more secure. We look forward to issuing our first reward in this new program.

This Internet is Your Internet: Digital Citizenship from California to Washtenaw County

Posted by Adrienne St. Aubin, Public Policy Analyst

In the physical world, basic safety measures are second-nature to almost everyone (look both ways, stop drop and roll!). In the digital world, however, many of us expect security to be handled on our behalf by experts, or come in a single-box solution. Together, we must reset those expectations.

The Internet is the biggest neighborhood in the world. Security-related initiatives in the technology sector and government play an important role in making the Internet safer, but efforts from Silicon Valley and Washington, D.C. alone are not enough. Much of the important work that needs to be done must happen closer to home—wherever that may be.

As part of National Cyber Security Awareness Month I recently traveled from California to Washtenaw County, MI to speak to group of local community leaders, educators, business owners, law enforcement officials and residents who recently formed the Washtenaw Cyber Citizenship Coalition. They are working to create a digitally aware, knowledgeable and more secure community by providing residents with the tools and resources to be good digital citizens. No one in the room self-identified as a “cyber security expert,” but the information sharing that’s happening in Washtenaw County is the kind of holistic effort that can enable everyone to use the Internet more safely and benefit from the great opportunities that it provides.

The Washtenaw Cyber Citizenship Coalition is channeling the community’s efforts through volunteer workgroups in areas such as public/private partnerships, awareness, education and law enforcement. Their strategy is to “share the wheel" whenever possible, instead of recreating it. They’ve collected tips and resources for kids, parents, businesses, educators and crime victims so that citizens can find and access these materials with ease.

If you are interested in raising awareness in your own community, staysafeonline.org, stopthinkconnect.org and onguardonline.gov are examples of sites that offer such materials for public use.

Protecting your data in the cloud

Posted by Priya Nayak, Consumer Operations, Google Accounts

Like many people, you probably store a lot of important information in your Google Account. I personally check my Gmail account every day (sometimes several times a day) and rely on having access to my mail and contacts wherever I go. Aside from Gmail, my Google Account is tied to lots of other services that help me manage my life and interests: photos, documents, blogs, calendars, and more. That is to say, my Google Account is very valuable to me.

Unfortunately, a Google Account is also valuable in the eyes of spammers and other people looking to do harm. It’s not so much about your specific account, but rather the fact that your friends and family see your Google Account as trustworthy. A perfect example is the “Mugged in London” phishing scam that aims to trick your contacts into wiring money — ostensibly to help you out. If your account is compromised and used to send these messages, your well-meaning friends may find themselves out a chunk of change. If you have sensitive information in your account, it may also be at risk of improper access.

As part of National Cyber Security Awareness month, we want to let you know what you can do to better protect your Google Account.

Stay one step ahead of the bad guys

Account hijackers prey on the bad habits of the average Internet user. Understanding common hijacking techniques and using better security practices will help you stay one step ahead of them.

The most common ways hijackers can get access to your Google password are:

• Password re-use: You sign up for an account on a third-party site with your Google username and password. If that site is hacked and your sign-in information is discovered, the hijacker has easy access to your Google Account.
• Malware: You use a computer with infected software that is designed to steal your passwords as you type (“keylogging”) or grab them from your browser’s cache data.
• Phishing: You respond to a website, email, or phone call that claims to come from a legitimate organization and asks for your username and password.
• Brute force: You use a password that’s easy to guess, like your first or last name plus your birth date (“Laura1968”), or you provide an answer to a secret question that’s common and therefore easy to guess, like “pizza” for “What is your favorite food?”

As you can see, hijackers have many tactics for stealing your password, and it’s important to be aware of all of them.

Take control of your account security across the web

Online accounts that share passwords are like a line of dominoes: When one falls, it doesn’t take much for the others to fall, too. This is why you should choose unique passwords for important accounts like Gmail (your Google Account), your bank, commerce sites, and social networking sites. We’re also working on technology that adds another layer of protection beyond your password to make your Google Account significantly more secure.

Choosing a unique password is not enough to secure your Google Account against every possible threat. That’s why we’ve created an easy-to-use checklist to help you secure your computer, browser, Gmail, and Google Account. We encourage you to go through the entire checklist, but want to highlight these tips:

• Never re-use passwords for your important accounts like online banking, email, social networking, and commerce.
• Change your password periodically, and be sure to do so for important accounts whenever you suspect one of them may have been at risk. Don’t just change your password by a few letters or numbers (“Aquarius5” to “Aquarius6”); change the combination of letters and numbers to something unique each time.
• Never respond to messages, non-Google websites, or phone calls asking for your Google username or password; a legitimate organization will not ask you for this type of information. Report these messages to us so we can take action. If you responded and can no longer access your account, visit our account recovery page.

We hope you’ll take action to ensure your security across the web, not just on Google. Run regular virus scans, don’t re-use your passwords, and keep your software and account recovery information up to date. These simple yet powerful steps can make a difference when it really counts.