URL shortener services distributing Android malware – Week in security with Tony Anscombe

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The Zero Trust architecture offers an increasingly popular way to minimize cyber-risk in a world of hybrid cloud, flexible working and persistent threat actors.

The post Protecting the hybrid workplace through Zero Trust security appeared first on WeLiveSecurity

To mitigate the chances of their Wi-Fi home routers being compromised, users would do well to change the manufacturer’s default access credentials

The post Popular Wi‑Fi routers still using default passwords making them susceptible to attacks appeared first on WeLiveSecurity

Cybercriminals may target the popular event with ransomware, phishing, or DDoS attacks in a bid to increase their notoriety or make money

The post Cybercriminals may target 2020 Tokyo Olympics, FBI warns appeared first on WeLiveSecurity

Chrome’s Site Isolation is an essential security defense that makes it harder for malicious web sites to steal data from other web sites. On Windows, Mac, Linux, and Chrome OS, Site Isolation protects all web sites from each other, and also ensures they do not share processes with extensions, which are more highly privileged than web sites. As of Chrome 92, we will start extending this capability so that extensions can no longer share processes with each other. This provides an extra line of defense against malicious extensions, without removing any existing extension capabilities.

Meanwhile, Site Isolation on Android currently focuses on protecting only high-value sites, to keep performance overheads low. Today, we are announcing two Site Isolation improvements that will protect more sites for our Android users. Starting in Chrome 92, Site Isolation will apply to sites where users log in via third-party providers, as well as sites that carry Cross-Origin-Opener-Policy headers.

Our ongoing goal with Site Isolation for Android is to offer additional layers of security without adversely affecting the user experience for resource-constrained devices. Site Isolation for all sites continues to be too costly for most Android devices, so our strategy is to improve heuristics for prioritizing sites that benefit most from added protection. So far, Chrome has been isolating sites where users log in by entering a password. However, many sites allow users to authenticate on a third-party site (for example, sites that offer “Sign in with Google”), possibly without the user ever typing in a password. This is most commonly accomplished with the industry-standard OAuth protocol. Starting in Chrome 92, Site Isolation will recognize common OAuth interactions and protect sites relying on OAuth-based login, so that user data is safe however a user chooses to authenticate.

Additionally, Chrome will now trigger Site Isolation based on the new Cross-Origin-Opener-Policy (COOP) response header. Supported since Chrome 83, this header allows operators of security-conscious websites to request a new browsing context group for certain HTML documents. This allows the document to better isolate itself from untrustworthy origins, by preventing attackers from referencing or manipulating the site’s top-level window. It’s also one of the headers required to use powerful APIs such as SharedArrayBuffers. Starting in Chrome 92, Site Isolation will treat non-default values of the COOP header on any document as a signal that the document’s underlying site may have sensitive data and will start isolating such sites. Thus, site operators who wish to ensure their sites are protected by Site Isolation on Android can do so by serving COOP headers on their sites.

As before, Chrome stores newly isolated sites locally on the device and clears the list whenever users clear their browsing history or other site data. Additionally, Chrome places certain restrictions on sites isolated by COOP to keep the list focused on recently-used sites, prevent it from growing overly large, and protect it from misuse (e.g., by requiring user interaction on COOP sites before adding them to the list). We continue to require a minimum RAM threshold (currently 2GB) for these new Site Isolation modes. With these considerations in place, our data suggests that the new Site Isolation improvements do not noticeably impact Chrome’s overall memory usage or performance, while protecting many additional sites with sensitive user data.

Given these improvements in Site Isolation on Android, we have also decided to disable V8 runtime mitigations for Spectre on Android. These mitigations are less effective than Site Isolation and impose a performance cost. Disabling them brings Android on par with desktop platforms, where they have been turned off since Chrome 70. We advise that sites wanting to protect data from Spectre should consider serving COOP headers, which will in turn trigger Site Isolation.

Users who desire the most complete protection for their Android devices may manually opt in to full Site Isolation via chrome://flags/#enable-site-per-process, which will isolate all websites but carry higher memory cost.

It’s no secret that lack of diversity in corporate America is a well-documented problem and improvements have been slow. To help improve female representation in the cybersecurity industry, Google teamed up with Women in Cybersecurity (WiCyS) and SANS Institute a year ago to establish the Security Training Scholarship Program.

The multi-stage security training program set participants on a path to launch and advance their careers in cybersecurity through skills development, introducing them to fundamental cybersecurity concepts with interactive challenges like Capture the Flag (CTF) and the SANS CyberStart Game, which introduces topics such as Linux, web attacks, programming, forensics, and more. Mentors and peers guide the participants through each stage of the program and top qualifiers then graduate and receive access to the SANS foundational security training courses, which readies and prepares these women for their first roles in the security industry. The goal is to get them employed in cybersecurity within the next 1.5 years and to create a powerful network of women in the field – in essence, drawing more women to the industry and helping to close the talent gap.

As the inaugural program comes to an end, we are proud to report that its overall impact includes:

  • 112 people received training-based scholarship
  • 15 Full Scholarship Recipients received the full course training, which includes:
    • CyberStart Game and SANS BootUp CTF
    • SANS SEC275 Foundations & Exam
    • SANS 401 Security Essentials Bootcamp and GSEC
    • Elective – SANS SEC504/GCIH, SEC488/GCLD, SEC560/GPEN, or SEC548/GWAPT
  • 24 certifications earned to date with 100% pass rate, with average score on GSEC 90%
  • Since 2013, only 2 people have scored 99% on GIAC Certified Incident Handler (GCIH) one is a WiCyS Scholarship Recipient
  • 1/3 of students were employed in direct information security roles before the program ended
  • 100% of Full Scholarship Recipients intend to have long term careers in information security (15+ years)

Participants praise the program’s strong networking component where they can support one another, share best practices, ask questions from SANS security experts and receive industry insight from members across Google’s security team. As Lynn Dohm, executive director of WiCyS, told us, “You cannot put a price tag on the power of community, and last year’s WiCyS Security Training Program proved just that.”

Here at Google, we are inspired by the dedication and passion the scholarship recipients have shown throughout the program and are eager to see what they accomplish throughout their careers.

Elizabeth Beattie, who was part of the inaugural program told us, “I learned that, as part of my scholarship program with WiCyS, SANS Institute and Google, I’ve been awarded a scholarship to attend the WiCyS 2021 conference in September. In fact, I’ve volunteered to co-author a panel there with some of my amazing fellow recipients. And the crowning achievement? Tonight, I passed my first GIAC certification (GSEC)!”

Despite these great results, we know there is still a lot of work to be done to help educate and develop a more inclusive information security workforce. So this year we are expanding the Security Trainings Scholarship Program to help us reach even more women and generate a steady stream of talent in the field of information security. This expansion would not have been possible without the added support of Facebook and Bloomberg, who have come on board this year to boost this important program.

“We are thrilled to scale the program this year, powered by scholarships from Google, Bloomberg, and Facebook,” said Dohm. “Now, more WiCyS members will be able to dive deep and change the trajectory of their career in less than a year, all within a cohort setting with extensive support and resources provided by mentors and colleagues. That’s what empowerment looks like, and we are thrilled that these three incredible strategic partners of WiCyS can make this happen for not only the WiCyS community, but also for the sake of the cybersecurity workforce at large.”

The next round of scholarships is open through August 2, 2021. To learn more and apply, please visit the WiCyS application page. We can’t wait to meet the next cohort of recipients.

On iOS we have seen link shortener services pushing spam calendar files to victims’ devices.

The post Some URL shortener services distribute Android malware, including banking or SMS trojans appeared first on WeLiveSecurity

Lessons to learn from the Kaseya cyberincident to protect your business’ data when doing business with a MSP. Our best tips to keep you safe while streaming, and more.

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The newest update fixes a total of eight vulnerabilities affecting the desktop versions of the popular browser.

The post Google patches Chrome zero‑day vulnerability exploited in the wild appeared first on WeLiveSecurity

From securing your devices to avoiding public Wi-Fi hotspots for logging into apps we look at measures you can take to remain safe while this holiday season.

The post Vacationing? How to avoid the cybersecurity blues appeared first on WeLiveSecurity