Google Backs Messaging Layer Security for Enhanced Privacy and Interoperability

 

In 2023, Google pledged its support for Messaging Layer Security (MLS), a protocol designed to provide practical interoperability across various messaging services while scaling efficiently to accommodate large groups. This move marks a significant step towards enhancing security and privacy across platforms. Although Google has not officially announced the timeline for adopting MLS, references to the standard have been found in a recent Google Messages build, suggesting that its implementation might be on the horizon. 

To appreciate the significance of MLS, it is essential to understand the basics of end-to-end encryption (E2EE). E2EE ensures secure communication by preventing unauthorized entities, such as hackers and internet service providers (ISPs), from accessing data. In asymmetric or public key encryption, both parties possess a public and a private key. The public key is available to anyone and is used to encrypt messages, while the private key, which is much harder to crack, is used to decrypt them. 

Despite its advantages in providing privacy, security, and data integrity, E2EE has its shortcomings. If security is compromised at either the sender’s or receiver’s end, malicious actors can intercept the public key, allowing them to eavesdrop on conversations or impersonate one of the parties. Additionally, E2EE does not conceal metadata, which can be exploited to gather information about the communication.

Messaging Layer Security (MLS) is a standard proposed by the Internet Engineering Task Force (IETF) that offers enhanced security for communication groups, ranging from small to large sizes. While popular messaging services typically use E2EE for one-on-one chats, group chats present a unique challenge. MLS addresses this by using sender keys over secure channels to provide forward secrecy, meaning that the theft of a single key does not compromise the rest of the data. The protocol is based on asynchronous ratcheting trees (ART), which enable group members to derive and update shared keys. This tree structure approach ensures forward secrecy, post-compromise security, scalability, and message integrity, even as group sizes increase.
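The tree-based key update described above can be sketched in a few lines. This is an added example, not code from Google or from an MLS implementation: it is a simplified hash-chain model in which the class and function names, the heap-style node numbering and the use of HMAC-SHA256 are assumptions, and the public-key encryption that delivers new secrets to the sibling subtrees is left out.

```python
import hashlib
import hmac
import os

def kdf(secret, label):
    """One-way step; HMAC-SHA256 stands in for a real protocol's KDF."""
    return hmac.new(secret, label, hashlib.sha256).digest()

class ToyRatchetTree:
    """Complete binary tree, heap layout: root is node 1, leaves are n..2n-1."""
    def __init__(self, n_members):
        if n_members < 2 or n_members & (n_members - 1):
            raise ValueError("toy model supports power-of-two group sizes only")
        self.n = n_members
        self.secret = {}
        for member in range(n_members):
            self.update(member, os.urandom(32))

    def direct_path(self, member):
        """Nodes from the member's leaf up to the root."""
        node, path = self.n + member, []
        while node >= 1:
            path.append(node)
            node //= 2
        return path

    def copath(self, member):
        """Siblings of the direct path: the subtrees that need the new secrets."""
        return [node ^ 1 for node in self.direct_path(member)[:-1]]

    def update(self, member, fresh_secret):
        """Install a fresh leaf secret and re-derive every node above it."""
        changed = self.direct_path(member)
        path_secret = fresh_secret
        for node in changed:
            self.secret[node] = path_secret
            path_secret = kdf(path_secret, b"path")
        return changed

    def group_secret(self):
        return kdf(self.secret[1], b"epoch")

def rekey_after_compromise(n_members=8, member=3):
    """Constructed scenario: the member's old state leaked, then they update."""
    tree = ToyRatchetTree(n_members)
    leaked_root = tree.secret[1]           # what the thief could compute
    changed = tree.update(member, os.urandom(32))
    locked_out = kdf(leaked_root, b"epoch") != tree.group_secret()
    return changed, tree.copath(member), locked_out
```

In a group of eight, one update touches four nodes and needs three messages to sibling subtrees rather than seven pairwise ones, which is where the scalability comes from; the leaked state no longer yields the group secret once the affected member has updated.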

Google Messages, the default messaging app on most Android phones, currently uses Rich Communication Services (RCS) to offer features like encrypted chats, read receipts, high-resolution media sharing, typing indicators, and emoji reactions. Although the Universal Profile version used by Google Messages does not support E2EE, it uses the Signal Protocol as a workaround for security. Recent APK teardowns of Google Messages have revealed code snippets mentioning MLS, hinting that Google might incorporate this feature in future updates. 

If MLS becomes the default security layer in Google Messages, it will significantly enhance the app’s security and interoperability. Google’s adoption of MLS could set a precedent for other messaging services, promoting better interoperability and security across communication apps. This move might also influence how Apple integrates RCS in iOS. With iOS 18 set to support the RCS Universal Profile 2.4 for messaging without E2EE, Apple may need to consider adopting MLS to stay competitive in offering secure communication. 

As Google prepares to implement MLS, we can expect a push towards standardizing communication protocols. Google Messages already offers features like auto spam detection, photomojis, and cross-device compatibility, making it a robust choice for staying connected. Should MLS be integrated, users can look forward to even more secure and private messaging experiences.

Google's Magika: Revolutionizing File-Type Identification for Enhanced Cybersecurity

 

In a continuous effort to fortify cybersecurity measures, Google has introduced Magika, an AI-powered file-type identification system designed to swiftly detect both binary and textual file formats. This innovative tool, equipped with a unique deep-learning model, marks a significant leap forward in file identification capabilities, contributing to the overall safety of Google users. 

Magika's implementation is integral to Google's internal processes, particularly in routing files through Gmail, Drive, and Safe Browsing to the appropriate security and content policy scanners. The tool's ability to operate seamlessly on a CPU, with file identification occurring in a matter of milliseconds, sets it apart in terms of efficiency and responsiveness. 

Under the hood, Magika leverages a custom, highly optimized deep-learning model developed and trained using Keras, weighing in at a mere 1MB. During inference, Magika utilizes the Open Neural Network Exchange (ONNX) as an inference engine, ensuring rapid file identification, almost as fast as non-AI tools, even on the CPU. Magika's prowess was tested in a benchmark involving one million files encompassing over a hundred file types. 

The AI model, coupled with a robust training dataset, outperformed rival solutions by approximately 20% in performance. This heightened performance translated into enhanced detection quality, especially for textual files such as code and configuration files. The increase in accuracy enabled Magika to scan 11% more files with specialized malicious AI document scanners, significantly reducing the number of unidentified files to a mere 3%. 

Magika showcased a remarkable 50% improvement in file type detection accuracy compared to the prior system relying on handcrafted rules. For users keen on exploring Magika, the tool is available through the Magika command line tool, enabling the identification of various file types. 

Interested individuals can also access the Magika web demo or install it as a Python library and standalone command line tool using the standard command 'pip install magika'. The code and model for Magika are freely available on GitHub under the Apache 2.0 License, fostering an environment of collaboration and transparency.

The journey doesn't end here for Magika, as Google envisions an integration with VirusTotal. This integration aims to bolster the platform's existing Code Insight feature, which employs generative AI to analyze and identify malicious code. Magika's role in pre-filtering files before they undergo analysis by Code Insight enhances the accuracy and efficiency of the platform, ultimately contributing to a safer digital environment. 

In the collaborative spirit of cybersecurity, this integration with VirusTotal underscores Google's commitment to contributing to the global cybersecurity ecosystem. As Magika continues to evolve and integrate seamlessly into existing security frameworks, it stands as a testament to the relentless pursuit of innovation in safeguarding user data and digital interactions.

5 Ways to Delete Your Digital Presence

Depending on the year you were born, there is a strong probability that you have either spent a significant amount of time online or have never experienced an offline environment. Either way, there is no denying that the internet and the companies that dominate its advertising know a lot about you.

1. Examine alternatives to account deletion

You may lose information, forfeit whatever marketable online presence you have built, and in some circumstances lose the chance to start a new account with the same name, because the majority of these processes cannot be undone.

2. Update Google Search Results

You can use Google's tool to delete out-of-date content if a web page's owner updates it but Google's search results don't reflect the change.

3. Disable gaming and social media profiles

Social media and gaming sites are frequently where people look to locate you online. Although it could be difficult to recall every account you've had over the years, removing yourself from the most popular websites is a decent place to start, even if it won't necessarily erase the 'deep web' memories of you.

4. Eliminate Digital History

Photos or writing that have been publicly shared are obviously much more likely to be spotted by others. Consider downloading and backing up your posts before you go ahead and delete your existing profiles or current posts. The settings of almost all significant social networking platforms include backup options.

5. Delete payment and shopping accounts

Users on websites like eBay and Amazon can view public versions of your profile, and search engines may make that information readily available. Delete such accounts without hesitation, and if you wish to go a step further, you can also remove your PayPal and Venmo payment accounts.

Although it is difficult in practice to keep your information completely off the internet, there are certain actions you can take moving forward. Think over whether you need to enter your personal information when you register a new online account, or whether setting up a burner account to hide your identity would be preferable.

Google: 5-year-old Apple Flaw Exploited

 

Google Project Zero researchers have revealed insights into a vulnerability in Apple Safari that has been extensively exploited in the wild. The vulnerability, known as CVE-2022-22620, was first patched in 2013, but experts identified a technique to overcome it in 2016. 

Apple has patched a zero-day vulnerability in WebKit that affects iOS, iPadOS, macOS, and Safari and may have been extensively exploited in the wild, according to CVE org.

In February, Apple patched the zero-day vulnerability; it is a use-after-free flaw that may be triggered by processing maliciously generated web content, spoofing credentials and resulting in arbitrary code execution. "When the issue was first discovered in 2013, the version was patched entirely," Google Project Zero's Maddie Stone stated. "Three years later, amid substantial restructuring efforts, the variant was reintroduced. The vulnerability remained active for another five years before being addressed as an in-the-wild zero-day in January 2022."

While the flaws in the History API bug from 2013 and 2022 are fundamentally the same, the routes to triggering the vulnerability are different. The zero-day issue was then reborn as a "zombie" by further code updates made years later.

An anonymous researcher discovered the flaw, and the corporation fixed it with better memory management. Maddie Stone examined the software's evolution over time, beginning with the code of Apple's fix and the security bulletin's description of the vulnerability, which stated that the flaw is a use-after-free flaw. 

“As an offensive security research team, we can make assumptions about the main issues that current software development teams face: Legacy code, short reviewer turn-around expectations, under-appreciation and under-rewarding of refactoring and security efforts, and a lack of memory safety mitigations,” the report stated.

"In October, 40 files were modified, with 900 additions and 1225 removals. The December commit modified 95 files, resulting in 1336 additions and 1325 removals," Stone highlighted. 

Stone further underlined the need to spend appropriate time auditing code and patches to minimize instances of duplication of fixes and to understand the security implications of the modifications being made, noting that the incident is not unique to Safari.

Google’s security tools can shield from cyber-attacks

Google has long been asking users to enable its security tools for shielding all its services - from Gmail to Google Photos - from hacking attempts.

The search giant has been pretty vocal about the importance of these features, but now, instead of urging users, it has released hard stats revealing how useful these capabilities can really be.

Let's take a look.

Advantage

Adding a phone number can fend off bot-based attacks.

Researchers from New York University and the University of California, San Diego partnered with Google to assess the impact of its security tools in preventing hijack attempts.

The results, presented recently at The Web Conference, revealed that simply adding a recovery phone number to a Google account helped block 100% of bot-based attacks, 99% of automated phishing attacks, and 66% of targeted attacks.

Protection

Two-factor authentication offers the highest security.

Google has been saying this for years and the stats prove it - two-step verification is the securest offering right now.

The studies reveal that using phone number-based 2SV (SMS verification) blocked 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.

Meanwhile, on-device prompts prevented 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.

Security key offers strongest shield.

Notably, among all two-step verification methods, using a physical security key proved to be the strongest account shield. It blocked all kinds of attacks with a 100% success rate.

Risk

Google also showed what happens when you don't use 2SV.

The same study also measured the effectiveness of default sign-in verification techniques, like last location signed-in or your secondary email.

These knowledge-based methods are used when the company detects a suspicious sign-in attempt, say from a new device or location, and you don't have 2SV turned on.

The results showed these methods can block bot-based attacks but can fail miserably against phishing or targeted hijack.