Posts from the ‘Shoddy Security’ Category


How fitting: The NSA has been *pretending to be Google* in order to covertly capture user data

There’s no low the NSA won’t stoop to in order to snoop:

[I]n some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route—on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.

Documents from GCHQ’s “network exploitation” unit show that it operates a program called “FLYING PIG” that was started up in response to an increasing use of SSL encryption by email providers like Yahoo, Google, and Hotmail. The FLYING PIG system appears to allow it to identify information related to use of the anonymity browser Tor (it has the option to query “Tor events”) and also allows spies to collect information about specific SSL encryption certificates.

GCHQ, for those who don’t know, is the British equivalent of the NSA.

So much for Google’s security measures. Forced SSL may deter petty man-in-the-middle attacks from amateur hackers, but it doesn’t shield anyone from the likes of the NSA.

This isn’t to say that SSL is useless and shouldn’t be used. HTTPS is better than HTTP. But if Google were serious about security and protecting its users, it would make Gmail like Hushmail, offering the ability to encrypt entire user accounts and encrypt messages. There are enough Gmail users that offering encryption by default would have an immediate and huge effect on email security.

But, of course, if Google were to offer such encryption, it would no longer be able to read its users’ emails and place targeted ads within Gmail. Messages would be scrambled and unreadable by Google’s algorithms. So Google is never going to do what Hushmail does. It would interfere with their ability to offer “free” Gmail.


Google inadvertently distributing malware to its own users through “Google Play” Store

The Monster of Mountain View has been caught with its pants down again:

Google has been caught hosting more than a dozen malicious titles in its official Android app market. Some had been downloaded tens of thousands of times and turn smartphones into zombies that await commands from their attacker overlords, security researchers said.

A stash of 17 malicious apps remained freely available in the Google Play store, according to a blog post published Thursday by researchers from antivirus provider Trend Micro. Six of those titles contained a highly stealthy code dubbed Plankton, which causes Android-based phones to connect to command and control servers and wait for commands. At least 10 Plankton-based apps found last year in the Android market collected users’ browsing history, bookmarks, and device information and sent them to servers under the control of the attackers.

Isn’t one of the major justifications for walled garden-style app stores like “Google Play” to protect users? To prevent people from downloading malicious software? (Yes, that was a rhetorical question).

There’s no question app stores have been successful in allowing companies like Apple and Google to wield a huge degree of control over the user experience on their mobile platforms. But while that control may be good for the corporate bottom line (it keeps people locked in), it’s bad for user freedom, privacy, and security, as this report makes clear.


Another high-profile YouTube account hacked

First it was the Sesame Street YouTube account. Now it’s Microsoft’s:

Microsoft’s official YouTube channel appears to have been taken over by someone not affiliated with the company, who has removed all of the videos and posted solicitations for sponsorships, apparently anticipating an influx of traffic as the news spreads.

I subscribe to the company’s YouTube updates and received notification this morning of two new uploads by the company, both of them rudimentary videos apparently soliciting advertisements for the channel. Since then a third video has been uploaded, along the same lines.

A YouTube account is, of course, a Google account – meaning that someone who signs up for YouTube isn’t just creating an identity on YouTube; they’re creating an identity that can be used with other Google offerings, such as Gmail, Blogger, Picasa, or Google Maps. The list goes on… and on… and on…

Who knows what else the hackers compromised that was in that Google account?

This is why it’s a bad idea to do business the Google way. Google’s account security sucks, as demonstrated by these recent break-ins.

When you trust one company to handle your emails, chat, videos, documents, pictures, credit card data, and other sensitive information, you’re asking for trouble. A lot of trouble.


City of Los Angeles demands partial refund from Google; LAPD says Google Apps not secure

The City of Los Angeles made a big mistake when it decided to do business with the Monster of Mountain View. Now the city is trying to get a partial refund from Google because some of its departments refuse to use Google’s insecure Apps offering:

Two years after the City of Los Angeles approved a $7.25 million deal to move its e-mail and productivity infrastructure to Google Apps, the migration has still not been completed because the Los Angeles Police Department and other agencies are unsatisfied with Google’s security related to the handling of criminal history data.

Los Angeles officials originally expected to roll Google Apps out to its 30,000 users by June 2010, in partnership with systems integration contractor CSC. But that number has been reduced to about 17,000 employees, largely because of security objections raised by the LAPD and other safety-related departments. Advocacy group Consumer Watchdog opposed the deal, and this week released a letter LA officials sent to CSC in August, which states “The City is in receipt of your letter dated May 13, 2011, wherein CSC indicates that it is unable to meet the security requirements of the City and the Los Angeles Police Department (LAPD) for all data and information, pursuant to U.S. DOJ Criminal Justice Information Systems (CJIS) policy requirements.”

Google has a poor reputation when it comes to privacy and security. That’s because Google’s business model is built on collecting as much user data as possible and monetizing it. Google’s response to security problems has been to collect even more personal information; these days, Gmail users are asked to associate their mobile phone numbers with their Google accounts, all in the name of improved security.

Of course, if a person who uses only GoogleTech loses their Android phone, their email, contacts, web history, and so much more could all be compromised simultaneously. That’s the danger of trusting one company with your data.


Google’s “Chromebooks” have gaping security holes, researcher says

Surprise, surprise:

Google may see its Chrome operating system as more secure than traditional alternatives, but one security researcher believes the cloud-based OS is vulnerable, according to a Reuters story published yesterday.

WhiteHat Security researcher Matt Johansen said he found a flaw in a Chrome OS application that he was able to exploit to gain control of a Google e-mail account. Though Google fixed the flaw after it was reported, Johansen claims to have discovered other applications with the same flaw, Reuters said.

In citing the security holes in Chrome OS, Johansen specifically pointed to the ability of hackers who can steal data as it moves between the cloud and the Chrome OS browser instead of hacking directly into a user’s PC.

“I can get at your online banking or your Facebook profile or your e-mail as it is being loaded in the browser,” he told Reuters. “If I can exploit some kind of Web application to access that data, then I couldn’t care less what is on the hard drive.”

Google’s “Chromebooks” are basically nothing more than glorified computer security terminals providing access to Google’s opaque datacenters with sod-all security. People concerned about their privacy and security would do well to stay far, far away from Google’s offerings.

Google, of course, reacted very defensively when asked for comment about this. They’d like people to believe their products are secure. But reality has proved otherwise. Security seems to be an afterthought as far as Google is concerned. That’s because Google’s business isn’t security, it’s data-mining.


Researchers: 99% of Google’s Android devices are vulnerable to password theft

Surprise, surprise… security on Android is sod-all:

The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned.

The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany’s University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote on Friday. “The short answer is: Yes, it is possible, and it is quite easy to do so.”

The researchers’ findings are pretty damning. Although Google has supposedly released a patch to address the problem, it has only been made available for newer versions of Android. 99% of the Android devices currently in use run a version that hasn’t been patched. Android users are being advised to avoid public wi-fi networks to mitigate this incredibly serious problem.

But it’s unlikely that most of the people walking around with Google spyware-laden phones and tablets have even heard about this issue, or could take action even if they knew (Google’s deals with major mobile carriers give them control over updates to Android devices, which prevents the Monster of Mountain View from delivering all updates directly to users).

For all of its sins, Apple at least refuses to allow carriers to have any say in when and how iOS updates are delivered. That’s not to say that the proprietary business model Apple has built is a good thing, but users should be able to update software for their devices when it is available, and it should be their choice. Smartphones and tablets ought to be under the control of the people who own them, not the giant corporations that sell them.
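
To make the ClientLogin weakness quoted above concrete from the defender's side, here is an added example (not code from the original post or from the Ulm researchers) that audits recorded requests for authTokens sent without TLS and computes how long each one must be treated as compromised. The request records, token values and timestamps are constructed; the `GoogleLogin auth=` header format and the 14-day lifetime are the only real-world details assumed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# ClientLogin tokens travel in an "Authorization: GoogleLogin auth=<token>" header.
AUTH_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)
TOKEN_LIFETIME = timedelta(days=14)  # maximum validity cited in the quoted report

# Constructed sample: requests as a proxy log or packet capture might record them.
SAMPLE_REQUESTS = [
    {"time": "2011-05-16T09:00:00", "url": "http://www.google.com/calendar/feeds/default/private/full",
     "headers": {"Authorization": "GoogleLogin auth=EXAMPLE-TOKEN-AAA"}},
    {"time": "2011-05-16T09:00:05", "url": "https://www.google.com/m8/feeds/contacts/default/full",
     "headers": {"Authorization": "GoogleLogin auth=EXAMPLE-TOKEN-BBB"}},
    {"time": "2011-05-16T09:01:00", "url": "http://www.google.com/m8/feeds/contacts/default/full",
     "headers": {"authorization": "GoogleLogin auth=EXAMPLE-TOKEN-BBB"}},
    {"time": "2011-05-16T09:02:00", "url": "http://example.test/index.html", "headers": {}},
]

def find_exposed_tokens(requests):
    """Return {token: info} for every authToken seen on a non-TLS request."""
    exposed = {}
    for req in requests:
        if urlsplit(req["url"]).scheme.lower() != "http":
            continue  # this particular request was protected by TLS
        headers = {k.lower(): v for k, v in req["headers"].items()}
        match = AUTH_RE.match(headers.get("authorization", "").strip())
        if not match:
            continue
        seen = datetime.fromisoformat(req["time"])
        info = exposed.setdefault(match.group(1), {"first_seen": seen, "urls": []})
        info["first_seen"] = min(info["first_seen"], seen)
        info["urls"].append(req["url"])
    for info in exposed.values():
        # Issue time is unknown, so first sighting + 14 days is an upper bound on
        # how long a captured copy of the token could still be replayed.
        info["assume_valid_until"] = info["first_seen"] + TOKEN_LIFETIME
    return exposed

if __name__ == "__main__":
    for token, info in find_exposed_tokens(SAMPLE_REQUESTS).items():
        print(token, "sent in cleartext to", info["urls"],
              "- treat as compromised until", info["assume_valid_until"])
```

Note that the second token is flagged even though it was first used over HTTPS: a single cleartext request is enough to expose it for the rest of its lifetime.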


Young Armenian blogger discovers huge Google security hole

Kudos to Vahe G for once again reminding us why entrusting our user data to Google is a bad idea:

Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of (don’t visit that site just yet) emailed us this morning to explain.

If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately.

What Vahe did is use Google’s Blogger to create a blog (on BlogSpot) and then take advantage of a security vulnerability to harvest the email address of anyone signed in with a Google account. The harvesting was taking place just by visiting the blog in question. As proof, Vahe was sending messages to the harvested addresses urging the individuals who own those addresses to share a shortlink pointing to the blog with friends.

After TechCrunch reported the exploit, Google took down the blog, and Vahe sent an email to TechCrunch’s founder, Mike Arrington, explaining the vulnerability:

Hi Mr. Arrington,

I see you have already shared the news. It’s good that google got it down, I really don’t want people to know about how that was done (if Google contacts I will definitely tell them – they just don’t answer my emails). Problem relies solely on Google.

Problem is I asked a lot of people, and most of them don’t really understand and care about this kind of things and big companies act like they all really protect our privacy and such, but they see that people don’t care and don’t do anything really.

Vahe G. (Armenian 21yrs guy whom Google doesn’t wanted to even talk to)

That’s one incredibly smart guy.

Google’s response?

We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to

It’s telling that the issue only got addressed after it made it onto one of the most widely-read technology blogs in the world. By not catching these things earlier, Google is exposing its users to external harm. All the more reason not to have a Google account and not do business with Google at all.