Tuesday, April 8, 2025

Google switches to own Root Certificate Authority “Google Trust Services”

Google is switching to its own Root Certificate Authority to issue the TLS/SSL certificates that secure its web traffic over HTTPS, rather than relying on intermediaries as it has so far.

In past years, Google has used certificates issued by several companies, most recently GlobalSign and GeoTrust.

Currently, Google is operating a subordinate Certificate Authority (Google Internet Authority G2 – GIAG2), which manages and deploys certificates to Google’s infrastructure.

Google is currently in the process of migrating all services and products from GIAG2 certificates to the new Root Certificate Authority, named Google Trust Services (GTS).

The search giant said the migration to GTS will take time, and users will see a mix of certificates from both GIAG2 and GTS until then.

What this means for regular users is that when they click to view a site’s HTTPS security certificate, it will say “Google Trust Services” instead of Google Internet Authority, GeoTrust, GlobalSign, or any other term. This will make it easier to identify authentic Google services.

For Google, GTS means its engineers will have full control over its HTTPS certificates from the time they’re issued to the time they’re revoked.

Cases where another Certificate Authority issues SSL certificates for Google domains will stand out immediately.

GTS will provide HTTPS certificates for a broad range of services, from public websites to API servers, for all Alphabet companies, not just Google.

More technical information, such as Google’s current active root certificates and their SHA1 fingerprints, is available on the Google Trust Services homepage (https://pki.goog/).

Google Trust Services now operates the following Root Certificates:

Certificate | Public Key | Fingerprint (SHA1) | Valid Until
GTS Root R1 | RSA 4096, SHA-384 | e1:c9:50:e6:ef:22:f8:4c:56:45:72:8b:92:20:60:d7:d5:a7:a3:e8 | Jun 22, 2036
GTS Root R2 | RSA 4096, SHA-384 | d2:73:96:2a:2a:5e:39:9f:73:3f:e1:c7:1e:64:3f:03:38:34:fc:4d | Jun 22, 2036
GTS Root R3 | ECC 3M, SHA-384 | 30:d4:24:6f:07:ff:db:91:89:8a:0b:e9:49:66:11:eb:8c:5e:46:e5 | Jun 22, 2036
GTS Root R4 | ECC 384, SHA-384 | 2a:1d:60:27:d9:4a:b1:0a:1c:4d:91:5c:cd:33:a0:cb:3e:2d:54:cb | Jun 22, 2036
GTS Root R2 | RSA 2048, SHA-1 | 75:e0:ab:b6:13:85:12:27:1c:04:f8:5f:dd:de:38:e4:b7:24:2e:fe | Dec 15, 2021
GTS Root R4 | ECC 256, SHA-256 | 69:69:56:2e:40:80:f4:24:a1:e7:19:9f:14:ba:f3:ee:58:ab:6a:bb | Jan 19, 2038

Privilege Escalation Vulnerability in Lenovo Transition Application

Summary Description:

A vulnerability was identified in the Lenovo Transition program specific to some Lenovo Yoga, Flex and Miix systems running Windows where a user with local privileges could execute arbitrary code with administrative or system level privileges.

Lenovo Transition is no longer supported, and Lenovo recommends that all users using Lenovo Transition update to the supported Lenovo Yoga Mode Control program by pressing the “Update software” button in Lenovo Transition or by manually uninstalling Lenovo Transition and installing Yoga Mode Control.

Lenovo Transition is a program used in Lenovo Yoga systems running Windows 8.1 and earlier whose function is to transition the system between “Book,” “Laptop” and “Tablet” modes.

Mitigation Strategy for Customers (what you should do to protect yourself):

Uninstall Lenovo Transition and install Yoga Mode Control. To do this, right click on the Lenovo Transition icon in the system tray and select “About” to see what version of Lenovo Transition you are running.

1. If the user is running Lenovo Transition version 1.x, uninstall Lenovo Transition via Programs and Features, and install Lenovo Yoga Mode Control by following the link here.

2. If the user is running Lenovo Transition version 2.x, open Lenovo Transition, click on “About” and then select “Update software”.

Follow the prompts to automatically uninstall Lenovo Transition and install Yoga Mode Control, which is the replacement program for Lenovo Transition.

Product Impact:

The following Lenovo systems running Windows 8.1 or earlier:

Edge 15

Flex2 14/Flex2 15

Flex2 14D/Flex2 15D

Flex2 Pro15

Miix 2-10, Miix 2-11

Miix 3-1030

Yoga 11S, Yoga 13

Yoga 2-11, Yoga 2-13, Yoga 2 Pro

 

Acknowledgements: 

Lenovo thanks Security Researcher Viktor Minin.

Revision History:

Revision | Date | Description
1.1 | 9 January 2017 | Added instructions to update Lenovo Transition version 1.0
1.0 | 29 December 2016 | Initial release

Lenovo Security Advisory: LEN-12508

Potential Impact:  Local privilege escalation

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2016-8227

Enhanced Security – Facebook supports USB security keys

None of us wants strangers getting into our accounts on the web. You may already use a password manager or two-factor authentication by SMS, but there is another way to stay protected: physical security keys.

Today Facebook announced that USB security key support is now live.

What is a USB security key?

Security tokens are used to prove one’s identity electronically. The token is used in addition to or in place of a password to prove that the user is who they claim to be. The token acts like an electronic key for accessing an account.

Facebook said in a comment on its Security page:

Security keys offer certain advantages, though, and we wanted to offer people the option.

Why do we need it?

Physical keys should be stronger than mobile applications and SMS authentication, because there’s no possibility of phishing or man-in-the-middle attacks.

Using security keys for two-factor authentication offers several important advantages:

Compatibility: Security keys that support U2F don’t just work for Facebook accounts. You can use the same key for any supported online account (e.g. Google, Dropbox, GitHub, Salesforce), and those accounts remain safe because the key doesn’t hold any record of where it is used.

Phishing: Your login is essentially immune to phishing because you don’t need to enter a code yourself and the hardware provides cryptographic proof that it’s in your machine.

Fast Login: If you use a security key with your desktop PC, logging in is as simple as a tap on the key after you enter your password.

Security keys for Facebook logins currently work only with certain web browsers and devices, so Facebook asks you to also register an additional login approval method, such as your device or Code Generator.

To add a security key from your PC, you need to use the latest version of Chrome or Opera, the browsers that support U2F.

Just to be clear, Facebook users are not required to enable this security feature; still, it’s good to know that the company now offers it to those who want it.

At this time Facebook doesn’t support security key logins for the mobile Facebook app, but if you have an NFC-capable Android device with the latest version of Chrome and Google Authenticator installed, you can use an NFC-capable key to log in from our mobile website.

How to add a Security Key?

To add a security key, you’ll need the latest version of Chrome or Opera. Once you have it:

  1. Go to your Security Settings
  2. Scroll down to Login Approvals and click Edit
  3. Go to Security Keys and click Add Key
  4. Follow the on-screen instructions

If you added your security key successfully, it will appear under the name you’ve given it in your Security Keys section.

How to use your Security Key?

If you have login approvals enabled and have added a security key, whenever you log in from a compatible browser you’ll be asked to tap your security key.

If you don’t have your security key or it isn’t working, you can simply click “Utilize an alternate technique” to sign in using one of your other login approval methods, such as a mobile phone or Code Generator.

Gmail Blocks Javascript Attachments for Security Reasons

Gmail will block Javascript file attachments as Google continues to strengthen the security of its services.

Gmail already blocks certain file types from being attached to emails for this very same reason, and files with the .js extension will be the latest addition to the existing list of blocked attachments.

Javascript files are to be blocked after February 13th

As of right now, it’s still possible to add Javascript attachments to emails. With February 13th just around the corner, any individuals or businesses who use Gmail to send Javascript files may want to start looking for an alternative way to exchange the files with colleagues so they aren’t left without a solution on the day.

Google doesn’t give a detailed explanation beyond the stated “security reasons” for blocking Javascript files.

However, it has pointed out that there are alternative ways to send Javascript files back and forth if users still need to send them legitimately.

The word “legitimately” hints at part of Google’s reasoning: there cannot be many legitimate reasons for attaching this type of file to an email, and the few people who do have a need can still share Javascript files through two other Google services, Drive and Google Cloud Storage.

If after February 13th rolls around users are still trying to attach .js files to emails before sending, they will be met with an alert in the attachment link that states the file type has been blocked.

There will be a small “help” link that they can click to open a popup with more details on why the file was blocked.

This information will also be accompanied by other expandable links that explain why certain email messages, with or without attachments, get blocked, so users can brush up on other reasons why an email might not be allowed to go through if they care to know.

Already blocked file types:

.ADE, .ADP, .BAT, .CHM, .CMD, .COM, .CPL, .EXE, .HTA, .INS, .ISP, .JAR, .JSE, .LIB, .LNK, .MDE, .MSC, .MSP, .MST, .PIF, .SCR, .SCT, .SHB, .SYS, .VB, .VBE, .VBS, .VXD, .WSC, .WSF, .WSH

Google Forms WordPress Plugin unauthenticated PHP Object injection vulnerability

Introduction

The Google Forms WordPress Plugin fetches a published Google Form using a WordPress custom post or shortcode, removes the Google wrapper HTML and then renders it as an HTML form embedded in your blog post or page.

A PHP Object injection vulnerability was found in the Google Forms WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects.


Abstract

A PHP Object injection vulnerability was found in the Google Forms WordPress Plugin by sumofpwn, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code.


OVE ID

OVE-20160803-0001


Tested versions

This issue was successfully tested on the Google Forms WordPress Plugin version 0.84 – 0.87.


Fix

This issue is resolved in Google Forms version 0.91.


Details

This issue is possible due to two unsafe calls to unserialize() in the ProcessGoogleForm() method. The input is taken directly from the POST request as can be seen in the following code fragment:

wpgform-core.php:

// Need the action which was saved during form construction
$action = unserialize(base64_decode($_POST['wpgform-action'])) ;
unset($_POST['wpgform-action']) ;
$options = $_POST['wpgform-options'] ;
unset($_POST['wpgform-options']) ;
$options = unserialize(base64_decode($options)) ;

It has been confirmed that this issue can be used to execute arbitrary PHP code.
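For defenders reviewing web server or WAF logs, the two POST fields named in the fragment above can be checked for serialized PHP objects. The following is an added example, not code from the plugin or the advisory; the sample request bodies are constructed and the function names are hypothetical.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# The two POST fields the vulnerable fragment passes to unserialize().
SERIALIZED_FIELDS = ("wpgform-action", "wpgform-options")

# PHP's serialize() writes an object as O:<len>:"<Class>":<count>:{...} and a
# Serializable object as C:<len>:"<Class>":<len>:{...}. Plain arrays (a:),
# strings (s:), integers (i:) and booleans (b:) never need such a token.
# A token inside a string value also matches; for triage that is acceptable.
OBJECT_TOKEN = re.compile(rb'(?:^|[;{])[OC]:\d+:"([^"]+)"')


def lenient_b64decode(value: str) -> bytes:
    """Decode like PHP's non-strict base64_decode(): characters outside the
    alphabet are skipped and missing padding is tolerated."""
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", value)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned)
    except binascii.Error:
        return b""


def inspect_post(body: str) -> list:
    """Return (field, class_name) for each object token found in the
    plugin's serialized fields of a form-encoded POST body."""
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    for field in SERIALIZED_FIELDS:
        for raw in params.get(field, []):
            decoded = lenient_b64decode(raw)
            for match in OBJECT_TOKEN.finditer(decoded):
                findings.append((field, match.group(1).decode("latin-1")))
    return findings


def encode_field(php_serialized: bytes) -> str:
    """Helper for building the constructed samples below."""
    return base64.b64encode(php_serialized).decode("ascii")


# Constructed sample bodies (not captured traffic). The first carries only a
# string and an array; the second carries a harmless stdClass object where
# the form expects an options array.
BENIGN_BODY = urlencode({
    "wpgform-action": encode_field(b's:20:"https://example.test";'),
    "wpgform-options": encode_field(b'a:1:{s:4:"form";s:3:"abc";}'),
    "entry.1": "hello",
})
SUSPICIOUS_BODY = urlencode({
    "wpgform-action": encode_field(b's:20:"https://example.test";'),
    "wpgform-options": encode_field(b'a:1:{i:0;O:8:"stdClass":0:{}}'),
})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, inspect_post(body))
```

Any hit on these fields against a site running a version before 0.91 is worth investigating, since the form state the plugin stores there should not need object tokens in the ordinary case.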

Sophisticated Google Play Store Malware Affected over 10 Million Victims - Don’t Download These Apps

A new Android Play Store malware called HummingBad has been downloaded several million times by unsuspecting users and can gain full root access to the infected Android phone.

Check Point researchers have found a new variant of the HummingBad malware hidden in more than 20 apps on Google Play.

Earlier, in 2016, Check Point discovered the HummingBad malware on customers’ devices. According to the Check Point report:

“HummingBad stands out as an extremely sophisticated and well-developed malware, which employed a chain-attack tactic and a rootkit to gain full control over the infected device”

How this malware infects your Android phone

Check Point identified several new HummingBad samples that operate as the previous version did and have begun to promote the new HummingWhale version as part of their activity.

This new malware was also heavily packed and contained its main payload in the ‘group.png’ file, which is, in fact, an apk, meaning it can be run as an executable.

Check Point explained in its blog:

“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad”

This dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine.

First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user.

Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device.

This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators.

All of the malicious apps were uploaded under the names of fake Chinese developers. In addition to the camera family, researchers were able to identify 16 additional, distinct package names related to the same malware.

All of the related malware-carrying apps were also discovered in the same Google Play Store.

However, the most suspicious property of these apps was a 1.3MB encrypted file called ‘assets/group.png’ – a suspiciously large file. Some later HummingBad samples disguised as an app called “file-explorer” had the exact same encrypted file with a similar size.
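The property described above, an asset named like an image whose content is not an image, can be checked statically. The following is an added example, not Check Point's tooling; the extension-to-signature table and the 7.5 bits-per-byte entropy threshold are assumptions, and the sample APK is constructed in memory.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# File signatures expected for common image extensions (assumed table).
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
HIGH_ENTROPY = 7.5  # bits per byte; assumed cut-off for encrypted or packed data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def find_disguised_assets(apk_bytes: bytes) -> list:
    """List entries with an image extension whose content lacks the matching
    file signature, with size and entropy for triage."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename.lower()
            ext = next((e for e in IMAGE_MAGIC if name.endswith(e)), None)
            if ext is None or info.is_dir():
                continue
            data = apk.read(info)
            if data.startswith(IMAGE_MAGIC[ext]):
                continue
            entropy = shannon_entropy(data)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "entropy": round(entropy, 2),
                "high_entropy": entropy > HIGH_ENTROPY,
            })
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: one genuine PNG header and one 64 KiB
    pseudo-random blob standing in for an encrypted 'assets/group.png'."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    real_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("res/drawable/icon.png", real_png)
        apk.writestr("assets/group.png", blob)
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_disguised_assets(build_sample_apk()):
        print(finding)
```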

How this malware generates revenue

  1. It allows the malware to install apps without gaining elevated permissions first.
  2. It disguises the malicious activity, which allows it to infiltrate Google Play.
  3. It allows the malware to let go of its embedded rootkit since it can achieve the same effect even without it.
  4. It can install an infinite number of fraudulent apps without overloading the device.
  5. HummingWhale also conducted further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation, a trait which was noticed by several users.

How many victims were affected

The malware was spread through third-party app stores and affected over 10 million victims, rooting thousands of devices each day and generating at least $300,000 per month. 

HummingBad was so widespread that in the first half of 2016 it reached fourth place in ‘the most prevalent malware globally’ list, and dominated the mobile threat landscape with over 72% of attacks, Check Point said.

Affected Package names:

  • com.bird.sky.whalecamera – Whale Camera
  • com.op.blinkingcamera – Blinking Camera
  • com.fishing.when.orangecamera – Orange Camera
  • com.note.ocean.camera – Ocean camera
  • io.zhuozhuo.snail.android_snails -蜗牛手游加速器-专业的vpn,解决手游卡顿延迟问题
  • com.cm.hiporn – HiPorn
  • com.family.cleaner – Cleaner: Safe and Fast
  • com.wall.fast.cleaner – Fast Cleaner
  • com.blue.deep.cleaner – Deep Cleaner
  • com.color.rainbow.camera – Rainbow Camera
  • com.ogteam.love.flashlight – com.qti.atfwd.core
  • com.wall.good.clevercamera – Clever Camera
  • com.well.hot.cleaner – Hot Cleaner
  • com.op.smart.albums – SmartAlbums
  • com.tree.tiny.cleaner – Tiny Cleaner
  • com.speed.top – Topspeed Test2
  • com.fish.when.orangecamera – Orange Camera
  • com.flappy.game.cat – FlappyCat
  • com.just.parrot.album – com.qti.atfwd.core
  • com.ogteam.elephanta.album – Elephant Album
  • gorer – File Explorer
  • com.with.swan.camera – Swan Camera
  • com.touch.smile.camera – Smile Camera
  • com.air.cra.wars – com.qti.atfwd.core
  • com.room.wow.camera – Wow Camera-Beauty,Collage,Edit
  • com.start.super.speedtest – com.qti.atfwd.core
  • com.best.shell.camera – Shell Camera
  • com.ogteam.birds.album – com.qti.atfwd.core
  • com.tec.file.master – File Master
  • com.bird.sky.whale.camera – Whale Camera
  • cm.com.hipornv2 – HiPorn
  • com.wind.coco.camera – Coco Camera
  • global.fm.filesexplorer – file explorer
  • com.filter.sweet.camera – Sweet Camera
  • com.op.blinking.camera – Blinking Camera
  • com.mag.art.camera – Art camera
  • com.cool.ice.camera – Ice Camera
  • com.group.hotcamera – Hot Camera
  • com.more.light.vpn – Light VPN-Fast, Safe,Free
  • com.win.paper.gcamera – Beauty Camera
  • com.bunny.h5game.parkour – Easter Rush
  • com.fun.happy.camera – Happy Camera
  • com.like.coral.album – com.qti.atfwd.core
  • com.use.clever.camera – Clever Camera
  • com.wall.good.clever.camera – Clever Camera

These infected applications were reported to the Google Security Team by the Check Point malware research team, and Google removed all of them.

Charger Ransomware that steals contacts and SMS messages from the user’s device – Energy Rescue

Mobile security researchers from Check Point have identified a new ransomware called Charger, embedded in an app called EnergyRescue.

Like other malware found before, Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus. This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries.

Charger was found embedded in an application called EnergyRescue. The infected application steals contacts and SMS messages from the user’s device and requests administrator permissions.

If they are granted, the ransomware locks the device and displays a message demanding payment. The ransom demand of 0.2 Bitcoins (roughly $180) is higher than has been seen in mobile ransomware so far.

You need to pay for us, otherwise, we will sell a portion of your personal information on black market every 30 minutes.

WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN Be SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data.

All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.

Adware commonly found on Play collects profits from ad networks, whereas mobile ransomware inflicts direct harm on users. Like FakeDefender and DataLust, Charger could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins.

Charger SHA256 hash:
 58eb6c368e129b17559bdeacb3aed4d9a5d3596f774cf5ed3fdcf51775232ba0

Most malware found on Google Play contains only a dropper that later downloads the real malicious components to the device.

Charger, however, uses a heavy packing approach, which makes it harder for the malware to stay hidden, so it must compensate by other means.

The developers of Charger gave it everything they had to boost its evasion capabilities so that it could stay hidden on Google Play for as long as possible.

Advanced hiding methods

  • It encodes strings into binary arrays, making it hard to inspect them.
  • It loads code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect.
  • The dynamically loaded code is also flooded with meaningless commands that mask the actual commands passing through.
  • It checks whether it is being run in an emulator before it starts its malicious activity. PC malware first introduced this technique, which is becoming a trend in malware, having been adopted by several malware families including Dendroid.

Common Defence Against Ransomware

1. Back up data.
2. Disable files running from AppData/LocalAppData folders.
3. Filter EXEs in the email.
4. Patch or update your software.
5. Use the Cryptolocker Prevention Kit.
6. Use a reputable security suite.
7. CIA cycle (confidentiality, integrity, and availability).
8. Utilize System Restore to recover the computer.
9. Disconnect the Internet connection immediately.

WhatsApp iPhone Users Can Queue Messages Without Internet and More

WhatsApp for iPhone has received an update that adds several much-needed features. The update extends the sharing limit for WhatsApp photos and videos to 30 at a time, and brings an overhauled and more useful Storage Usage screen and the ability to queue messages, a feature that has been available on Android for a long while.

The most recent WhatsApp version, 2.17.1, is now available for download to all iPhone users (running iOS 7 or higher).

The WhatsApp update is only 134MB in size, and we recommend updating over a solid Wi-Fi connection with good battery life. It brings the much-needed ability to queue messages even in areas of poor or no network coverage.

You can simply send a WhatsApp message to an individual or group even when connectivity is not available, and the message will be sent automatically once your iPhone regains network access.

Meanwhile, WhatsApp’s Storage Usage screen is a convenient way to see which individual or group chat is taking up the most storage space, and to delete the contents of the chat to free up storage.

Previously, the Storage Usage screen only let you see which WhatsApp individual or group chat occupied the most space, and you then had to visit the chat screen to clear the contents. Now it lets you clear messages right from the Storage Usage screen itself.

In addition, WhatsApp now lets you pick message types, such as text, images, videos, GIFs and voice messages, to delete exactly what you want and keep the rest.

How To Free Storage:

To use this feature, go to Settings -> Data and Storage Usage -> Storage Usage on your iPhone and clear all the unwanted space-hogging records with ease.

WhatsApp is also working on a new feature that lets users cancel or edit messages sent to their contacts, which is available in WhatsApp’s iPhone beta version.

Within five attempts Android device’s Pattern Lock can be cracked

New research from Lancaster University, Northwest University in China, and the University of Bath, which benefited from funding from the Engineering and Physical Sciences Research Council (EPSRC), shows for the first time that attackers can crack Pattern Lock reliably within five attempts by using video and computer vision algorithms.

Pattern Lock is a security measure that protects devices, such as mobile phones or tablets, and which is preferred by many to PIN codes or text passwords.

If you think the popular Pattern Lock on Android smartphones is the best choice to protect your device, you are mistaken: security researchers have found that it takes no more than five attempts to break into an Android device.

By covertly filming the owner drawing their pattern lock shape to unlock their device, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner’s finger movements relative to the position of the device.

“Within seconds, the algorithm produces a small number of candidate patterns to use the Android phone or tablet,” the researchers said in a university statement.

The attack works even when the video footage cannot capture any of the on-screen content, and regardless of the size of the screen.

Results are accurate on video recorded on a mobile phone from up to over two meters away, so attacks are more covert than shoulder-surfing.

It also works reliably with footage recorded on a digital SLR camera at distances of up to nine meters.

During tests, researchers could crack all but one of the patterns categorized as complex on the first attempt. They could successfully crack 87.5 per cent of medium-complexity patterns and 60 per cent of simple patterns on the first attempt.

“Contrary to many people’s perception that more complex patterns give better protection, this attack actually makes more complex patterns easier to crack and so they may be more secure using shorter, simpler patterns,” Guixin Ye, the leading student author from Northwest University, added.

Discovered Critical Bug allowed to Delete any Videos from Facebook

Security researcher Dan Melamed came across the vulnerability in June 2016. The bug is in some ways similar to a vulnerability discovered by another researcher around the same time. There’s just one major exception.

In addition, Dan Melamed said, he also had the ability to disable commenting on any video. This gives a bad actor the ability to delete videos on Facebook without permission or authentication.

The security researcher exploited the flaw by first creating a public event. On the Discussion part of the event, he uploaded a video and intercepted the POST request using Fiddler.

This request, which looks something like https://www.facebook.com/media/upload/photos/composer/?av<Profile ID>&dpr=1, comes with composer_unpublished_photo[0]=<Video ID>; as one of its parameters.

The crux of the vulnerability rested with the Video ID value. All someone needed to do was change the Video ID to any other video on the social media platform. Sure, Facebook would then have responded with a server error, but the new video would have displayed just fine.

From there, an attacker could have simply deleted the video. Doing so would have removed the video from the social networking site.

Computer criminals might have any number of reasons for deleting a video off Facebook. Perhaps they work for a company and want to sabotage a marketing campaign of one of their employer’s competitors.

Alternatively, they might just be jerks and so don’t care if the world doesn’t see your toddler taking their first few steps.

Fortunately, we don’t have to worry about this vulnerability any longer. Facebook patched the vulnerability a short time after Melamed reported the flaw to its security teams. A $10,000 bug bounty award followed shortly after that.