Search results for Mac ecosystem
Scaling security with AI: from detection to solution
Dongge Liu and Oliver Chang, Google Open Source Security Team, Jan Nowakowski and Jan Keller, Machine Learning for Security Team

The AI world moves fast, so we've been hard at work keeping security apace with recent advancements. One of our approaches, in alignment with Google's Safer AI Framework (SAIF), is using AI itself to automate and streamline routine and manual security tasks, including fixing security bugs. Last year we wrote about our experiences using LLMs to expand vulnerability testing coverage, and we're excited to share some updates. Today, we're releasing our fuzzing framework as a free, open source resource that researchers and developers can use to improve fuzzing's bug-finding abilities. We'll also show you how we're using AI to speed up the bug patching process. By sharing these experiences, we hope to spark new ideas and drive innovation for stronger ecosystem security.

Update: AI-powered vulnerability discovery

Last August, we announced our framework to automate manual aspects of fuzz testing (“fuzzing”) that often hindered open source maintainers from fuzzing their projects effectively. We used LLMs to write project-specific code to boost fuzzing coverage and find more vulnerabilities. Our initial results on a subset of projects in our free OSS-Fuzz service were very promising, with code coverage increased by 30% in one example. Since then, we've expanded our experiments to more than 300 OSS-Fuzz C/C++ projects, resulting in significant coverage gains across many of the project codebases. We've also improved our prompt generation and build pipelines, which has increased code line coverage by up to 29% in 160 projects.

How does that translate to tangible security improvements? So far, the expanded fuzzing coverage offered by LLM-generated improvements allowed OSS-Fuzz to discover two new vulnerabilities in cJSON and libplist, two widely used projects that had already been fuzzed for years. As always, we reported the vulnerabilities to the project maintainers for patching. Without the completely LLM-generated code, these two vulnerabilities could have remained undiscovered and unfixed indefinitely.

And more: AI-powered vulnerability fixing

Fuzzing is fantastic for finding bugs, but for security to improve, those bugs also need to be patched. It's long been an industry-wide struggle to find the engineering hours needed to patch open bugs at the pace that they are uncovered, and triaging and fixing bugs is a significant manual toll on project maintainers. With continued improvements in using LLMs to find more bugs, we need to keep pace in creating similarly automated solutions to help fix those bugs. We recently announced an experiment doing exactly that: building an automated pipeline that intakes vulnerabilities (such as those caught by fuzzing), and prompts LLMs to generate fixes and test them before selecting the best for human review.

This AI-powered patching approach resolved 15% of the targeted bugs, leading to significant time savings for engineers. The potential of this technology should apply to most or all categories throughout the software development process. We're optimistic that this research marks a promising step towards harnessing AI to help ensure more secure and reliable software.

Try it out

Since we've now open sourced our framework to automate manual aspects of fuzzing, any researcher or developer can experiment with their own prompts to test the effectiveness of fuzz targets generated by LLMs (including Google's VertexAI or their own fine-tuned models) and measure the results against OSS-Fuzz C/C++ projects. We also hope to encourage research collaborations and to continue seeing other work inspired by our approach, such as Rust fuzz target generation.

If you're interested in using LLMs to patch bugs, be sure to read our paper on building an AI-powered patching pipeline. You'll find a summary of our own experiences, some unexpected data about LLMs' abilities to patch different types of bugs, and guidance for building pipelines in your own organizations.
Source: Google Online Security Blog
OSC&R - Open Software Supply Chain Attack Reference
Slides: https://static.sched.com/hosted_files/owasp2023globalappsecwashin/e2/OSC%26R%20OWASP%20Final.pptx.pdf

Over the past decade, the software development lifecycle has evolved dramatically with the wide adoption of DevOps culture, cloud-first strategy, the surge of SaaS business applications and the ever-growing use of open source code. This served as the ground for the current emerging attack vector: the software supply chain. The attackers' goals did not change; they are still attempting to steal data and infect machines. The attackers' tactics may use common attack techniques such as exploiting vulnerabilities and misconfigurations. However, the technology, people, and culture of the software supply chain ecosystem have unique characteristics that require a distinct understanding and approach. The Open Software Supply Chain Attack Reference (OSC&R) is a new security framework that aims to address these issues and provide a common language for the software supply chain.

In this talk, we will provide an in-depth exploration of the OSC&R model through real-world examples, including analyzing past attacks, assessing supply chain security posture, conducting tabletop exercises, and addressing incident response and crisis management. By the end of this presentation, attendees will have better knowledge and the skills necessary to evaluate their DevSecOps programs and a good idea of how they can improve their overall software supply chain security posture.

Eyal Paz, OX Security, VP of Research
Eyal Paz is the VP of Research at OX Security, a software supply chain security startup. His work includes hands-on security research toward a holistic DevSecOps solution. Before joining OX Security, Eyal spent eleven years at Check Point working on security research for product innovation in application security, malware analysis, and phishing prevention. Eyal is also a sought-after university lecturer on various cyber security topics. He has a bachelor's degree in Software Engineering and a master's in Computer Science. Currently, he is a Ph.D. candidate researching the problem of encrypted traffic classification.

Ronen Atias, OX Security, Security Researcher
Ronen Atias is a seasoned security professional working as a security researcher at OX Security, a leader in software supply chain security. Before joining OX Security, Ronen spent 15 years as a security researcher at various cyber security companies: Finjan (Trustwave), Incapsula, Cato Networks and Imperva. His research subjects are very diverse, from browser security, web application security and bots to network security and DDoS. In recent years he pivoted towards a security practitioner position as a Security Architect, evangelizing the secure software development life cycle to software developers, DevOps, SOC and DevSecOps engineers.

Managed by the OWASP® Foundation https://owasp.org/
Source: OWASP Foundation
Rust for Cyber Security and Red Teaming
Pipidae – the latest malware to take over the Mac ecosystem
What is Pipidae? Recently, a wave of disturbing pop-up alerts that proclaim “Pipidae will damage…
Source: Latest Hacking News
Increasing transparency in AI security
Mihai Maruseac, Sarah Meiklejohn, Mark Lodato, Google Open Source Security Team (GOSST)

New AI innovations and applications are reaching consumers and businesses on an almost-daily basis. Building AI securely is a paramount concern, and we believe that Google's Secure AI Framework (SAIF) can help chart a path for creating AI applications that users can trust. Today, we're highlighting two new ways to make information about AI supply chain security universally discoverable and verifiable, so that AI can be created and used responsibly.

The first principle of SAIF is to ensure that the AI ecosystem has strong security foundations. In particular, the software supply chains for components specific to AI development, such as machine learning models, need to be secured against threats including model tampering, data poisoning, and the production of harmful content.

Even as machine learning and artificial intelligence continue to evolve rapidly, some solutions are now within reach of ML creators. We're building on our prior work with the Open Source Security Foundation to show how ML model creators can and should protect against ML supply chain attacks by using SLSA and Sigstore.

Supply chain security for ML

For supply chain security of conventional software (software that does not use ML), we usually consider questions like:
- Who published the software? Are they trustworthy? Did they use safe practices?
- For open source software, what was the source code?
- What dependencies went into building that software?
- Could the software have been replaced by a tampered version following publication? Could this have occurred during build time?

All of these questions also apply to the hundreds of free ML models that are available for use on the internet. Using an ML model means trusting every part of it, just as you would any other piece of software. This includes concerns such as:
- Who published the model? Are they trustworthy? Did they use safe practices?
- For open source models, what was the training code?
- What datasets went into training that model?
- Could the model have been replaced by a tampered version following publication? Could this have occurred during training time?

We should treat tampering of ML models with the same severity as we treat injection of malware into conventional software. In fact, since models are programs, many allow the same types of arbitrary code execution exploits that are leveraged for attacks on conventional software. Furthermore, a tampered model could leak or steal data, cause harm from biases, or spread dangerous misinformation.

Inspection of an ML model is insufficient to determine whether bad behaviors were injected. This is similar to trying to reverse engineer an executable to identify malware. To protect supply chains at scale, we need to know how the model or software was created to answer the questions above.

Solutions for ML supply chain security

In recent years, we've seen how providing public and verifiable information about what happens during different stages of software development is an effective method of protecting conventional software against supply chain attacks. This supply chain transparency offers protection and insights with:
- Digital signatures, such as those from Sigstore, which allow users to verify that the software wasn't tampered with or replaced
- Metadata such as SLSA provenance that tell us what's in software and how it was built, allowing consumers to ensure license compatibility, identify known vulnerabilities, and detect more advanced threats

Together, these solutions help combat the enormous uptick in supply chain attacks that have turned every step in the software development lifecycle into a potential target for malicious activity.

We believe transparency throughout the development lifecycle will also help secure ML models, since ML model development follows a similar lifecycle as for regular software artifacts:

[Figure: Similarities between software development and ML model development]

An ML training process can be thought of as a “build:” it transforms some input data to some output data. Similarly, training data can be thought of as a “dependency:” it is data that is used during the build process. Because of the similarity in the development lifecycles, the same software supply chain attack vectors that threaten software development also apply to model development:

[Figure: Attack vectors on ML through the lens of the ML supply chain]

Based on the similarities in development lifecycle and threat vectors, we propose applying the same supply chain solutions from SLSA and Sigstore to ML models to similarly protect them against supply chain attacks.

Sigstore for ML models

Code signing is a critical step in supply chain security. It identifies the producer of a piece of software and prevents tampering after publication. But normally code signing is difficult to set up—producers need to manage and rotate keys, set up infrastructure for verification, and instruct consumers on how to verify. Oftentimes secrets are also leaked since security is hard to get right during the process.

We suggest bypassing these challenges by using Sigstore, a collection of tools and services that make code signing secure and easy. Sigstore allows any software producer to sign their software by simply using an OpenID Connect token bound to either a workload or developer identity—all without the need to manage or rotate long-lived secrets.

So how would signing ML models benefit users? By signing models after training, we can assure users that they have the exact model that the builder (aka “trainer”) uploaded. Signing models discourages model hub owners from swapping models, addresses the issue of a model hub compromise, and can help prevent users from being tricked into using a bad model.

Model signatures make attacks similar to PoisonGPT detectable. The tampered models will either fail signature verification or can be directly traced back to the malicious actor. Our current work to encourage this industry standard includes:
- Having ML frameworks integrate signing and verification in the model save/load APIs
- Having ML model hubs add a badge to all signed models, thus guiding users towards signed models and incentivizing signatures from model developers
- Scaling model signing for LLMs

SLSA for ML Supply Chain Integrity
Enhanced Google Play Protect real-time scanning for app installs
Posted by Steve Kafka, Group Product Manager and Roman Kirillov, Senior Engineering Manager

Mobile devices have supercharged our modern lives, helping us do everything from purchasing goods in store and paying bills online to storing financial data, health records, passwords and pictures. According to Data.ai, the pandemic accelerated existing mobile habits – with app categories like finance growing 25% year-over-year and users spending over 100 billion hours in shopping apps. It's now even more important that data is protected so that bad actors can't access the information.

Powering up Google Play Protect

Google Play Protect is built-in, proactive protection against malware and unwanted software and is enabled on all Android devices with Google Play Services. Google Play Protect scans 125 billion apps daily to help protect you from malware and unwanted software. If it finds a potentially harmful app, Google Play Protect can take certain actions such as sending you a warning, preventing an app install, or disabling the app automatically.

To try and avoid detection by services like Play Protect, cybercriminals are using novel malicious apps available outside of Google Play to infect more devices with polymorphic malware, which can change its identifiable features. They're turning to social engineering to trick users into doing something dangerous, such as revealing confidential information or downloading a malicious app from ephemeral sources – most commonly via links to download malicious apps or downloads directly through messaging apps.

For this reason, Google Play Protect has always also offered users protection outside of Google Play. It checks your device for potentially harmful apps regardless of the install source when you're online or offline as well. Previously, when installing an app, Play Protect conducted a real-time check and warned users when it identified an app known to be malicious from existing scanning intelligence or was identified as suspicious from our on-device machine learning, similarity comparisons, and other techniques that we are always evolving.

Today, we are making Google Play Protect's security capabilities even more powerful with real-time scanning at the code-level to combat novel malicious apps. Google Play Protect will now recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats.

Scanning will extract important signals from the app and send them to the Play Protect backend infrastructure for a code-level evaluation. Once the real-time analysis is complete, users will get a result letting them know if the app looks safe to install or if the scan determined the app is potentially harmful. This enhancement will help better protect users against malicious polymorphic apps that leverage various methods, such as AI, to be altered to avoid detection.

Our security protections and machine learning algorithms learn from each app submitted to Google for review and we look at thousands of signals and compare app behavior. Google Play Protect is constantly improving with each identified app, allowing us to strengthen our protections for the entire Android ecosystem.

This enhancement to Google Play Protect has started to roll out to all Android devices with Google Play services in select countries, starting with India, and will expand to all regions in the coming months.

Our Multi-Layered User Protections on Android

Android takes a multi-layered defense approach to help keep you safe from mobile malware and unwanted software on Android. Android's built-in proactive and advanced user protections like Google Play Protect, ongoing security updates, app permission controls, Safe Browsing, and more – alongside spam and phishing protection in Messages by Google and Gmail – work together to help protect your data security and privacy. We are constantly improving this multi-layered approach to find new ways to protect our billions of users.

Keeping Android users safe is a top priority. We are committed to working with our ecosystem partners and app developer community to improve the security of apps and combat malware and unwanted software to make Android even more secure.
Source: Google Online Security Blog
Blue Team Operations : Educational Series
Enhancing Cyber Defense Proficiency through Comprehensive Blue Team Operations
https://www.sourcesecurity.com/

Welcome to the educational series on Blue Team Operations. In this series, we are going to explore different areas of Blue Teaming with some practical and theory-based scenarios. I hope this series will help people who want to start their career in Blue Team Operations.

Here is the list of topics we are going to cover in upcoming blogs. I will try to post at least two posts per week in this series.

Introduction to Blue Teaming Operations
https://www.cybervie.com/

Blue teaming is a concept in cybersecurity that refers to the defensive side of operations. We will start by introducing Blue Team Operations and why it is required. This topic will give an overview of blue team operations and the aspects of a blue teamer.

Wireshark for Blue Teaming
https://www.freecodecamp.org/

Wireshark for Blue Teaming is a critical tool in the arsenal of cybersecurity professionals responsible for defending network environments against cyber threats and intrusions. Wireshark, an open-source network protocol analyzer, empowers Blue Teams by providing deep insights into network traffic and facilitating proactive defense measures.

Key attributes of Wireshark for Blue Teaming:
- Network Traffic Analysis: Wireshark allows Blue Teams to capture and dissect network packets in real-time or from packet capture files. This deep visibility enables the detection of anomalies and potential security issues.
- Protocol Understanding: It provides a comprehensive understanding of network protocols, facilitating the identification of unusual or malicious behavior.
- Anomaly Detection: Wireshark can assist Blue Teams in spotting irregular patterns and unexpected traffic flows, which can be indicative of security incidents.
- Incident Response: When a security incident occurs, Wireshark helps Blue Teams investigate the incident by examining packet-level details, identifying the attack vectors, and understanding the extent of the compromise.
- Forensics and Evidence: Wireshark is invaluable for collecting evidence in the aftermath of a security breach, supporting investigations and compliance requirements.

Intrusion Detection with Snort
https://upcloud.com/

Intrusion detection with Snort is a fundamental approach to bolstering network security by actively monitoring and identifying potential threats and vulnerabilities. Snort, an open-source intrusion detection system (IDS) and intrusion prevention system (IPS), stands as a stalwart guardian at the forefront of your network defenses.

Here's how Snort excels in the realm of intrusion detection:
1. Network Traffic Analysis: Snort inspects network traffic in real-time, scrutinizing data packets for patterns and behaviors that match known attack signatures and suspicious activities.
2. Customizable Rule-Based Detection: It employs a rule-based detection mechanism, enabling organizations to create and fine-tune their own detection rules to suit their specific security requirements.
3. Alerting and Logging: When Snort identifies potentially malicious traffic, it generates alerts and logs, providing security teams with crucial information to respond promptly to threats.
4. Passive and Inline Modes: Snort can operate in both passive mode (IDS) and inline mode (IPS), allowing it to detect and block threats actively when configured as an IPS.
5. Community Support and Updates: The Snort community continuously develops and shares detection rules and updates, ensuring that the system remains current in identifying emerging threats.
6. Integration: Snort can integrate with other security tools and SIEM platforms, facilitating comprehensive threat detection and response across the entire security stack.

Intrusion detection with Snort is an essential component of a robust cybersecurity strategy. By tirelessly monitoring network traffic and rapidly alerting to potential threats, Snort helps organizations fortify their defenses, mitigate risks, and maintain the integrity and availability of their digital assets in an ever-evolving threat landscape.

Threat Detection & Active Response with Wazuh
https://wazuh.com/

Threat detection and active response with Wazuh is a comprehensive strategy for fortifying network security and rapidly mitigating potential threats. Wazuh, a powerful open-source security information and event management (SIEM) platform, serves as the central nervous system of this security framework. It actively collects, normalizes, and analyzes log and event data from various sources across your network, enabling real-time threat detection.

Wazuh excels in:
1. Log Analysis: By aggregating logs from diverse sources such as firewalls, intrusion detection systems, and servers, Wazuh creates a unified view of your network's security posture.
2. Real-time Alerting: Wazuh is equipped with predefined rules and the flexibility to customize detection rules to your organization's specific needs. When suspicious activities are detected, Wazuh triggers alerts instantly.
3. Active Response: Wazuh goes beyond passive monitoring by enabling active response mechanisms. It can execute automated actions in response to detected threats, such as blocking IP addresses, isolating compromised systems, or launching countermeasures.
4. Correlation and Analysis: Wazuh's correlation engine identifies complex attack patterns and trends, helping security teams pinpoint sophisticated threats that may evade traditional detection methods.
5. Integration: It seamlessly integrates with other security tools and platforms, enhancing the overall security ecosystem.

By combining threat detection and active response capabilities, Wazuh empowers organizations to proactively defend against cyber threats, minimize the impact of security incidents, and maintain the integrity and confidentiality of their data assets. In an era of evolving and persistent cyber threats, Wazuh plays a pivotal role in safeguarding digital environments.

Log Processing with Suricata & Wazuh
https://suricata.io/

Suricata is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS). It was developed by the Open Information Security Foundation.

Log processing with Suricata and Wazuh is an effective approach to bolstering network security and streamlining log analysis. Suricata, an open-source intrusion detection and prevention system (IDS/IPS), takes on the role of safeguarding your network, actively monitoring traffic, and triggering alerts in response to suspicious activities.

Wazuh, a robust security information and event management (SIEM) platform, complements Suricata by providing an efficient and centralized log processing and analysis environment. Together, these tools create a dynamic synergy where Suricata detects potential threats, and Wazuh processes and interprets the generated logs, enabling organizations to identify security incidents promptly and gain actionable insights from their log data.

In this collaborative effort, Suricata acts as the first line of defense, while Wazuh efficiently handles log management and analysis, strengthening overall network security and enhancing operational visibility.

Log Analysis with Snort & Splunk
https://invicti.com/

Splunk is a software platform designed for collecting, searching, monitoring, and analyzing machine-generated data. Log analysis with Snort and Splunk is a powerful approach to enhancing network security and visibility. Snort, an open-source intrusion detection and prevention system, serves as the frontline guardian, actively monitoring network traffic and alerting against suspicious activities.

Splunk, a comprehensive log management and analysis platform, complements Snort's capabilities by providing a robust and user-friendly environment for collecting, searching, and visualizing log data. Together, these tools form a dynamic duo that not only helps organizations detect and respond to security threats but also empowers them to gain valuable insights from the wealth of data generated by their network infrastructure.

In this synergy, Snort identifies potential issues, while Splunk unlocks the intelligence within the logs, enabling proactive security measures and informed decision-making.

Future Aspects

The continuation of this series may include delving into more advanced subjects such as EDR, XDR, SOAR, Reverse Engineering, Memory Forensics, and a variety of other advanced topics.

You can join our vibrant community, the “CyberVerse Community”. CyberVerse Community is a place where like-minded people learn and share knowledge with each other.

This is it for today's article. If you found it interesting and informative, then share it with your friends. Thank you for reading this far. Let me know in the comment section your queries or the topics you would like to read an article about.

You can follow on social media here: LinkedIn, Instagram, Twitter

Blue Team Operations : Educational Series was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
Belgium Cybersec Community (Be.Cyber)
Join the Be.Cyber community! On the program: news and tools monitoring, mutual aid and knowledge sharing, event organization (workshops, CTF resolution), ... And it's all in good fun!
Downfall and Zenbleed: Googlers helping secure the ecosystem
Tavis Ormandy, Software Engineer and Daniel Moghimi, Senior Research Scientist

Finding and mitigating security vulnerabilities is critical to keeping Internet users safe. However, the more complex a system becomes, the harder it is to secure—and that is also the case with computing hardware and processors, which have developed highly advanced capabilities over the years. This post will detail this trend by exploring Downfall and Zenbleed, two new security vulnerabilities (one of which was disclosed today) that prior to mitigation had the potential to affect billions of personal and cloud computers, signifying the importance of vulnerability research and cross-industry collaboration. Had these vulnerabilities not been discovered by Google researchers, and instead by adversaries, they would have enabled attackers to compromise Internet users. For both vulnerabilities, Google worked closely with our partners in the industry to develop fixes, deploy mitigations and gather details to share widely and better secure the ecosystem.

What are Downfall and Zenbleed?

Downfall (CVE-2022-40982) and Zenbleed (CVE-2023-20593) are two different vulnerabilities affecting CPUs - Intel Core (6th - 11th generation) and AMD Zen2, respectively. They allow an attacker to violate the software-hardware boundary established in modern processors. This could allow an attacker to access data in internal hardware registers that hold information belonging to other users of the system (both across different virtual machines and different processes). These vulnerabilities arise from complex optimizations in modern CPUs that speed up applications:
- Preemptive multitasking and simultaneous multithreading enable users and applications to share CPU cores, while the CPU enforces security boundaries at the architecture level to stop a malicious user accessing data from other users.
- Speculative execution allows the CPU core to execute instructions from a single execution thread without waiting for prior instructions to be completed.
- SIMD enables data-level parallelism where an instruction computes the same function multiple times with different data.

Downfall, affecting Intel CPUs, exploits the speculative forwarding of data from the SIMD Gather instruction. The Gather instruction helps the software access scattered data in memory quickly, which is crucial for high-performance computing workloads performing data encoding and processing. Downfall shows that this instruction forwards stale data from the internal physical hardware registers to succeeding instructions. Although this data is not directly exposed to software registers, it can trivially be extracted via similar exploitation techniques as Meltdown. Since these physical hardware register files are shared across multiple users sharing the same CPU core, an attacker can ultimately extract data from other users.

Zenbleed, affecting AMD CPUs, shows that incorrectly implemented speculative execution of the SIMD Zeroupper instruction leaks stale data from physical hardware registers to software registers. Zeroupper instructions should clear the data in the upper-half of SIMD registers (e.g., 256-bit register YMM) which on Zen2 processors is done by just setting a flag that marks the upper half of the register as zero. However, if on the same cycle as a register to register move the Zeroupper instruction is mis-speculated, the zero flag doesn't get rolled back properly, leading to the upper-half of the YMM register to hold stale data rather than the value of zero. Similar to Downfall, leaking stale data from physical hardware registers exposes the data from other users who share the same CPU core and its internal physical registers.

| Comparison | Downfall | Zenbleed |
| Affects | Intel Core (6th-11th Gen) | AMD Zen 2 |
| Leaks | Entire XMM/YMM/ZMM Register | Upper-half of 256-bit YMM Registers |
| Exploit | Gather Data Sampling | Architectural Data Leak |
| Discovered by | Microarchitectural Analysis | Fuzzing |
| Fix | Microcode blocking speculative forwarding from Gather | Microcode properly wiping out YMM register when Zeroupper |
| Mitigation overhead | 0-50% depending on the workload | Statistically insignificant |
| Reported on | August 24, 2022 | May 15, 2023 |
| Fixed on | August 8, 2023 | July 19, 2023 |

How did we protect our users?

Vulnerability research continues to be at the heart of our security work at Google. We invest in not only vulnerability research, but in the community as a whole in order to encourage further research that keeps all users safe. These vulnerabilities were no exception, and we worked closely with our industry partners to make them aware of the vulnerabilities, coordinate on mitigations, align on disclosure timelines and a plan to get details out to the ecosystem.

Upon disclosures, we immediately published Security Bulletins for both Downfall and Zenbleed that detailed how Google responded to each vulnerability, and provided guidance for the industry. In addition to our bulletins, we posted technical details for insights on both Downfall and Zenbleed. It's imperative that vulnerability research continues to be supported by the industry, and we're dedicated to doing our part to helping protect those that do this important work.

Lessons learned

These long existing vulnerabilities, their discovery and the mitigations that followed have provided several lessons learned that will help the industry move forward in vulnerability research, including:
- There are fundamental challenges in designing secure hardware that requires further research and understanding.
- There are gaps in automated testing and verification of hardware for vulnerabilities.
- Optimization features that are supposed to make computation faster are closely related to security and can introduce new vulnerabilities, if not implemented properly.

As Downfall and Zenbleed suggest, computer hardware is only becoming more complex every day, and so we will see more vulnerabilities, which is why Google is investing in CPU/hardware security research. We look forward to continuing to share our insights and encourage the wider industry to join us in helping to expand on this work.

Want to learn more?

Downfall will be presented at Blackhat USA 2023 on August 9 at 1:30pm. You can also read more about Zenbleed on this advisory.
Downfall and Zenbleed: Googlers helping secure the...
Tavis Ormandy, Software Engineer and Daniel Moghimi, Senior Research Scientist
Finding...
Source: Google Online Security Blog
Implementing MITRE D3FEND for ATT&CK Technique T1059: Command and Scripting Interpreter
Command and Scripting Interpreter attacks were the second most common technique seen in MITRE Engenuity's Sightings Ecosystem report, representing 15.77% of 1.1 million sightings. MITRE's D3FEND matrix outlines how to address this technique; however, security teams struggle to consistently implement D3FEND's recommendations.

This blog demonstrates how Security Orchestration, Automation, and Response (SOAR) can be used to consistently implement each stage of the D3FEND framework.

MITRE ATT&CK Technique Overview

The Command and Scripting Interpreter technique (ATT&CK technique T1059) refers to the exploitation of command-line interpreters to execute malicious commands on a targeted system. Interfaces such as PowerShell, Bash, or Windows Command Prompt provide a direct means to interact with the underlying system, allowing users to execute commands and scripts to perform legitimate administrative tasks. These interpreters are far-reaching and common across many devices, making them attractive targets.

The D3FEND Matrix

The MITRE D3FEND Matrix has six stages: model, harden, detect, isolate, deceive, and evict. Each has different tasks that can be completed to address T1059. In the examples below, I will show you how Smart SOAR playbooks can turn D3FEND's recommendations into automated workflows.

Stage One: Model

D3FEND Recommendation: Asset Vulnerability Enumeration. In stage one, MITRE recommends running vulnerability scans on affected devices. This is possible in Smart SOAR using one of our many integrations. For example, Qualys Vulnerability Management can be used to:

- Get Scanned Hosts: Retrieve a list of hosts that have been previously scanned by the Qualys vulnerability management solution. If the target machine has not been scanned recently, the playbook progresses to the next task.
- Launch Vulnerability Scan: Initiate a new vulnerability scan on a specified set of target hosts. During the scan, Qualys actively checks for security vulnerabilities, misconfigurations, and potential weaknesses in the target hosts.
- Fetch Scan Results: This task allows administrators to access detailed reports, including lists of identified vulnerabilities, their severity levels, and recommended actions for remediation. The scan results provide a clear overview of security issues, allowing organizations to prioritize and address the most critical vulnerabilities.

Stage Two: Harden

D3FEND Recommendation: Local File Permissions. If a compromised account has been confirmed, permission restriction is the next stage of the D3FEND framework. An identity and access management tool can be used to view user permissions, available groups, and limit access to files, applications, or devices. In this example we use Okta to execute these tasks.

- Get User Groups: By providing the user's identifier or username, this task queries Okta's identity and access management system to return a comprehensive list of groups the user is a member of.
- Get Groups: By executing this task, Okta's identity platform provides details about each group, such as group names, unique identifiers, and other attributes. This information is valuable for understanding the user's access rights and privileges.
- Add Users to Group: By providing the group identifier and the corresponding user identifiers, administrators can add the selected users as members of the targeted group. This task simplifies user management by centralizing access assignments and helps maintain a structured approach to access control.

Stage Three: Detect

In stage three, MITRE recommends conducting a detailed file analysis including dynamic, emulated, and file analysis. Many security tools have this capability. For example, CrowdStrike can be used to submit files to a sandbox environment and review the results of the report directly within Smart SOAR. The commands include:

- Submit Files: This task lets users upload suspicious or potentially malicious files to the CrowdStrike Falcon platform for analysis.
- Check Analysis Status: After submitting files for examination, this task queries the CrowdStrike Falcon platform to retrieve real-time updates on the analysis process.
- Get Reports: This task lets users access detailed reports and insights generated by the CrowdStrike Falcon platform. These reports typically include comprehensive information about detected threats, malware behaviors, attack patterns, and affected systems.

Stage Four: Isolate

D3FEND Recommendation: Executable Allow/Denylisting. If a malicious file is found to be running on a device, then the next action a security team needs to take is to add the process it's executing to the denylist. Conversely, if the executables are found to be benign and were triggered by a false positive, they can be added to an allowlist to eliminate future false positives.

- Terminate Process: The “Terminate Process” task in Trend Micro Vision One allows security administrators to forcefully end a running process on a system.
- Remove from Blocklist: By removing an item from Trend Micro's blocklist, administrators can allow its normal and legitimate operation, preventing unnecessary disruptions.
- Add to Blocklist: When suspicious or confirmed malicious entities are encountered, administrators can proactively add them to the blocklist, preventing their execution or access.

Stage Five: Deceive

D3FEND Recommendation: Decoy File. Playbooks can create new files and add the hashes to an EDR's watchlist to monitor the file and detect suspicious activity. This is a way for security teams to trick an adversary, monitor their actions, and ultimately remove them from the network.

- Create File: Users can provide the file's content, format, and location to generate a custom file.
- Add File to User-Defined Suspicious Objects list (UDSO): The UDSO list in Trend Micro Vision One can be updated via the playbook to specify files, applications, or other entities that need to be monitored for suspicious activity.

Stage Six: Evict

D3FEND Recommendation: File Removal. The final stage of the D3FEND framework is Eviction. For Command and Scripting Interpreter threats, this means removing malicious files from the network. CrowdStrike's Delete IOCs command is one example of an integration command that can be used to remove the file from affected devices.

Conclusion

MITRE D3FEND is a reliable framework; however, it's difficult to implement consistently because of its detailed nature. Without an automated workflow, it's easy for teams to miss crucial steps in the incident response process. By building playbooks inside of Smart SOAR that are directly in line with MITRE D3FEND best practices, security leaders can follow the right process, every time.

Read More: Implementing MITRE D3FEND for ATT&CK Technique T1053: Scheduled Task/Job

Implementing MITRE D3FEND for ATT&CK Technique T1059: Command and Scripting Interpreter was originally published in InfoSec Write-ups on Medium.
How we fought bad apps and bad actors in 2022
Posted by Anu Yamunan and Khawaja Shams (Android Security and Privacy Team), and Mohet Saxena (Compute Trust and Safety)

Keeping Google Play safe for users and developers remains a top priority for Google. Google Play Protect continues to scan billions of installed apps each day across billions of Android devices to keep users safe from threats like malware and unwanted software.

In 2022, we prevented 1.43 million policy-violating apps from being published on Google Play in part due to new and improved security features and policy enhancements — in combination with our continuous investments in machine learning systems and app review processes. We also continued to combat malicious developers and fraud rings, banning 173K bad accounts, and preventing over billion in fraudulent and abusive transactions. We've raised the bar for new developers to join the Play ecosystem with phone, email, and other identity verification methods, which contributed to a reduction in accounts used to publish violative apps. We continued to partner with SDK providers to limit sensitive data access and sharing, enhancing the privacy posture for over one million apps on Google Play.

With strengthened Android platform protections and policies, and developer outreach and education, we prevented about 500K submitted apps from unnecessarily accessing sensitive permissions over the past 3 years.

Developer Support and Collaboration to Help Keep Apps Safe

As the Android ecosystem expands, it's critical for us to work closely with the developer community to ensure they have the tools, knowledge, and support to build secure and trustworthy apps that respect user data security and privacy. In 2022, the App Security Improvements program helped developers fix ~500K security weaknesses affecting ~300K apps with a combined install base of approximately 250B installs.
We also launched the Google Play SDK Index to help developers evaluate an SDK's reliability and safety and make informed decisions about whether an SDK is right for their business and their users. We will keep working closely with SDK providers to improve app and SDK safety, limit how user data is shared, and improve lines of communication with app developers.

We also recently launched new features and resources to give developers a better policy experience. We've expanded our Helpline pilot to give more developers direct policy phone support. And we piloted the Google Play Developer Community so more developers can discuss policy questions and exchange best practices on how to build safe apps.

More Stringent App Requirements and Guidelines

In addition to the Google Play features and policies that are central to providing a safe experience for users, each Android OS update brings privacy, security, and user experience improvements. To ensure users realize the full benefits of these advances — and to maintain the trusted experience people expect on Google Play — we collaborate with developers to ensure their apps work seamlessly on newer Android versions. With the new Target API Level policy, we're strengthening user security and privacy by protecting users from installing apps that may not have the full set of privacy and security features offered by the latest versions of Android.

This past year, we rolled out new license requirements for personal loan apps in key geographies – Kenya, Nigeria, and Philippines – with more stringent requirements for loan facilitator apps in India to combat fraud. We also clarified that our impersonation policy prohibits the impersonation of an entity or organization – helping to give users more peace of mind that they are downloading the app they're looking for.

We are also working to help fight fraudulent and malicious ads on Google Play.
With an updated ads policy for developers, we are providing key guidelines that will improve the in-app user experience and prohibit unexpected full screen interstitial ads. This update is inspired by the Mobile Apps Experiences - Better Ads Standards.

Improving Data Transparency, Security Controls and Tools

We launched the Data safety section in Google Play last year to give users more clarity on how their app data is being collected, shared, and protected. We're excited to work with developers on enhancing the Data safety section to share their data collection, sharing, and safety practices with their users.

In 2022, the Google Play Store was the first commercial app store to recognize and display a badge for any app that has completed an independent security review through App Defense Alliance's Mobile App Security Assessment (MASA). The badge is displayed within an app's respective Data Safety section. MASA leverages OWASP's Mobile Application Security Verification Standard, which is the most widely adopted set of security requirements for mobile applications. We're seeing strong developer interest in MASA with widely used apps across major app categories, e.g., Roblox, Uber, PayPal, Threema, YouTube, and many more.

This past year, we also expanded the App Defense Alliance, an alliance of partners with a mission to protect Android users from bad apps through shared intelligence and coordinated detection. McAfee and Trend Micro joined Google, ESET, Lookout, and Zimperium, to reduce the risk of app-based malware and better protect Android users.

We've also continued to enhance protections for developers and their apps, such as hardening Play Integrity API with KeyMint and Remote Key Provisioning.

Bringing Continuous Security and Privacy Enhancements to Pixel Users

For Pixel users, we added more powerful features to help keep our users safe.
The new security and privacy settings have been launched to all Pixel devices running Android 13, improving the security and privacy posture for millions of users around the world every month. Private Compute Core also allows Pixel phones to detect harmful apps in a privacy-preserving way.

Looking Ahead

We remain committed to keeping Google Play and our ecosystem of users and developers safe, and we look forward to many exciting security and safety announcements in 2023.
Supply chain security for Go, Part 1: Vulnerability management
Posted by Julie Qiu, Go Security & Reliability and Oliver Chang, Google Open Source Security Team

High profile open source vulnerabilities have made it clear that securing the supply chains underpinning modern software is an urgent, yet enormous, undertaking. As supply chains get more complicated, enterprise developers need to manage the tidal wave of vulnerabilities that propagate up through dependency trees. Open source maintainers need streamlined ways to vet proposed dependencies and protect their projects. A rise in attacks coupled with increasingly complex supply chains means that supply chain security problems need solutions on the ecosystem level.

One way developers can manage this enormous risk is by choosing a more secure language. As part of Google's commitment to advancing cybersecurity and securing the software supply chain, Go maintainers are focused this year on hardening supply chain security, streamlining security information to our users, and making it easier than ever to make good security choices in Go.

This is the first in a series of blog posts about how developers and enterprises can secure their supply chains with Go. Today's post covers how Go helps teams with the tricky problem of managing vulnerabilities in their open source packages.

Extensive Package Insights

Before adopting a dependency, it's important to have high-quality information about the package. Seamless access to comprehensive information can be the difference between an informed choice and a future security incident from a vulnerability in your supply chain. Along with providing package documentation and version history, the Go package discovery site links to Open Source Insights. The Open Source Insights page includes vulnerability information, a dependency tree, and a security score provided by the OpenSSF Scorecard project.
Scorecard evaluates projects on more than a dozen security metrics, each backed up with supporting information, and assigns the project an overall score out of ten to help users quickly judge its security stance (example). The Go package discovery site puts all these resources at developers' fingertips when they need them most—before taking on a potentially risky dependency.

Curated Vulnerability Information

Large consumers of open source software must manage many packages and a high volume of vulnerabilities. For enterprise teams, filtering out noisy, low quality advisories and false positives from critical vulnerabilities is often the most important task in vulnerability management. If it is difficult to tell which vulnerabilities are important, it is impossible to properly prioritize their remediation. With granular advisory details, the Go vulnerability database removes barriers to vulnerability prioritization and remediation.

All vulnerability database entries are reviewed and curated by the Go security team. As a result, entries are accurate and include detailed metadata to improve the quality of vulnerability scans and to make vulnerability information more actionable. This metadata includes information on affected functions, operating systems, and architectures. With this information, vulnerability scanners can reduce the number of false positives using symbol information to filter out vulnerabilities that aren't called by client code.

Consider the case of GO-2022-0646, which describes an unfixed vulnerability present in all versions of the package. It can only be triggered, though, if a particular, deprecated function is called. For the majority of users, this vulnerability is a false positive—but every user would need to spend time and effort to manually determine whether they're affected if their vulnerability database doesn't include function metadata. This amounts to enormous wasted effort that could be spent on more productive security efforts.
The Go vulnerability database streamlines this process by including accurate affected function level metadata for GO-2022-0646. Vulnerability scanners can then use static analysis to accurately determine if the project uses the affected function. Because of Go's high quality metadata, a vulnerability such as this one can automatically be excluded with less frustration for developers, allowing them to focus on more relevant vulnerabilities. And for projects that do incorporate the affected function, Go's metadata provides a remediation path: at the time of writing, it's not possible to upgrade the package to fix the vulnerability, but you can stop using the vulnerable function. Whether or not the function is called, Go's high quality metadata provides the user with the next step.

Entries in the Go vulnerability database are served as JSON files in the OSV format from vuln.go.dev. The OSV format is a minimal and precise industry-accepted reporting format for open source vulnerabilities that has coverage over 16 ecosystems. OSV treats open source as a first class citizen by including information specific to open source, like git commit hashes.

The OSV format ensures that the vulnerability information is both machine readable and easy for developers to understand. That means that not only are the database entries easy to read and browse, but that the format is also compatible with automated tools like scanners. Go provides such a scanner that intelligently matches vulnerabilities to Go codebases.

Low noise, reliable vulnerability scanning

The Go team released a new command line tool, govulncheck, last September. Govulncheck does more than simply match dependencies to known vulnerabilities in the Go vulnerability database; it uses the additional metadata to analyze your project's source code and narrow results to vulnerabilities that actually affect the application. This cuts down on false positives, reducing noise and making it easier to prioritize and fix issues.
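The function-level filtering described above, as an added example (not code from the Go project or govulncheck): it reads the Go-specific `ecosystem_specific.imports` metadata of an OSV entry and classifies a build as unaffected, unexecuted or affected. The sample entry, its placeholder id, the `example.com/legacycrypto` names, the verdict strings, and the `calls` map standing in for static-analysis output are all assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// osvEntry models only the Go-specific metadata used here:
// affected[].ecosystem_specific.imports[] with path, symbols and goos.
type osvEntry struct {
	Affected []struct {
		EcosystemSpecific struct {
			Imports []struct {
				Path    string   `json:"path"`
				Symbols []string `json:"symbols"`
				GOOS    []string `json:"goos"`
			} `json:"imports"`
		} `json:"ecosystem_specific"`
	} `json:"affected"`
}

// sampleEntry is constructed: placeholder id, hypothetical package and symbol.
const sampleEntry = `{
  "id": "GO-0000-0000",
  "affected": [{
    "package": {"name": "example.com/legacycrypto", "ecosystem": "Go"},
    "ecosystem_specific": {"imports": [{
      "path": "example.com/legacycrypto/v1",
      "symbols": ["NewDeprecatedClient"],
      "goos": ["linux", "darwin"]
    }]}
  }]
}`

// matches reports whether v is in list; an empty list means "no restriction".
func matches(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return len(list) == 0
}

// Triage classifies one entry for one build. calls maps each imported package
// path to the symbols the program reaches in it (assumed analysis output).
func Triage(entry []byte, calls map[string][]string, goos string) (string, error) {
	var e osvEntry
	if err := json.Unmarshal(entry, &e); err != nil {
		return "", fmt.Errorf("parse OSV entry: %w", err)
	}
	verdict := "unaffected" // package not imported, or platform not listed
	for _, a := range e.Affected {
		for _, imp := range a.EcosystemSpecific.Imports {
			reached, imported := calls[imp.Path]
			if !imported || !matches(imp.GOOS, goos) {
				continue
			}
			verdict = "unexecuted" // imported, no affected symbol reached so far
			for _, s := range reached {
				if matches(imp.Symbols, s) {
					return "affected", nil
				}
			}
		}
	}
	return verdict, nil
}

func main() {
	calls := map[string][]string{"example.com/legacycrypto/v1": {"NewClient"}}
	v, err := Triage([]byte(sampleEntry), calls, "linux")
	fmt.Println(v, err)
}
```

A dependency-only matcher would report all three imported cases identically; the symbol and platform fields are what separate them.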
You can run govulncheck as a command-line tool throughout your development process to see if a recent change introduced a new exploitable path. Fortunately, it's easy to run govulncheck directly from your editor using the latest VS Code Go extension. Users have even incorporated govulncheck into their CI/CD pipeline. Finding new vulnerabilities early can help you fix them before they're in production.

The Go team has been collaborating with the OSV team to bring source analysis capabilities to OSV-Scanner through a beta integration with govulncheck. OSV-Scanner is a general purpose, multi-ecosystem, vulnerability scanner that matches project dependencies to known vulnerabilities. Go vulnerabilities can now be marked as “unexecuted” thanks to govulncheck's analysis.

Govulncheck is under active development, and the team appreciates feedback from users. Go package maintainers are also encouraged to contribute vulnerability reports to the Go vulnerability database. Additionally, you can report a security bug in the Go project itself, following the Go Security Policy. These may be eligible for the Open Source Vulnerability Rewards Program, which gives financial rewards for vulnerabilities found in Google's open source projects. These contributions improve security for all users and reports are always appreciated.

Security across the supply chain

Google is committed to helping developers use Go software securely across the end-to-end supply chain, connecting users to dependable data and tools throughout the development lifecycle. As supply chain complexities and threats continue to increase, Go's mission is to provide the most secure development environment for software engineering at scale.

Our next installment in this series on supply chain security will cover how Go's checksum database can help protect users from compromised dependencies. Watch for it in the coming weeks!