Keep An Eye On Google ‘Security’ Projects

Google publishes a long list of open-source projects. The ones below are those I think have a cybersecurity angle (there are many more). The description under each name is copied from the Google project pages:

https://opensource.google.com/projects/

Abseil – an open-source collection of C++ library code. also at https://abseil.io/

Abseil C++ code is designed to augment the C++ standard library. In some cases, Abseil provides pieces missing from the C++ standard; in others, Abseil provides alternatives to the standard. Abseil is not meant to be a competitor to any standard library code; we’ve found that many of these utilities serve a purpose within our code base, and we now want to provide those resources to the C++ community as a whole.

AdaNet – fast and flexible AutoML (machine learning) with learning guarantees. also at https://github.com/tensorflow/adanet

AdaNet is a lightweight TensorFlow-based framework for automatically learning high-quality models with minimal expert intervention. It uses the AdaNet algorithm by Cortes et al. 2017 to learn the structure of a neural network as an ensemble of subnetworks while providing learning guarantees. Importantly, AdaNet provides a general framework for not only learning a neural network architecture, but also for learning to ensemble to obtain even better models.

Angular – a web application framework for mobile, desktop, and web. also at https://angular.io/

Angular is a development platform that aims to make web development feel effortless, focused on developer productivity, speed and testability. Applications built with Angular can be deployed to mobile devices and desktops as websites and native applications.

Apache Beam – unified model to define and execute processing pipelines. also at https://beam.apache.org/

Apache Beam provides an advanced unified programming model, allowing you to implement batch and streaming data processing jobs that can run on any execution engine. It is easy to use with Apache Apex, Apache Flink, Apache Spark, and Google Cloud Dataflow among other distributed processing back-ends.

badssl.com – a memorable site for testing TLS clients against bad configurations. also at https://badssl.com/

badssl.com has a suite of subdomains with various HTTPS configurations. These can be used to test browsers and other TLS clients to see how they behave when they encounter sites with various security-sensitive issues on the web.

Bazel – a build system for fast and correct builds. also at https://bazel.build/

Bazel is Google’s own build tool. Bazel has built-in support for building both client and server software, including client applications for both Android and iOS platforms. It also provides an extensible framework that you can use to develop your own build rules.

Blockly -Open Source Library for adding drag and drop block coding to apps. also at https://developers.google.com/blockly

Blockly is a library for adding drag and drop block coding to an app. This is primarily used for computer science education, but can also give users a way to write their own scripts or configuration for an app. Blockly has libraries for Web (JavaScript), Android (Java), and iOS (Swift/Obj-C).

BoringSSL – a fork of OpenSSL that is designed to meet Google’s needs. also at https://boringssl.googlesource.com/boringssl/

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don’t recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

Bullet Physics SDK – real-time collision detection and multi-physics simulation for VR, games, visual effects and robotics. also at http://bulletphysics.org/

The Bullet Physics SDK is a professional open source collision detection, rigid body and soft body dynamics library written in portable C++. The library is primarily designed for use in games, visual effects and robotic simulation. The library is free for commercial use under the zlib license.

(The following description belongs to a separate laser-scanning / SLAM project whose name was lost from the listing.) Portable laser range-finders and simultaneous localization and mapping (SLAM) are an efficient method of acquiring as-built floor plans. Generating and visualizing floor plans in real-time helps the operator assess the quality and coverage of capture data. Building a portable capture platform necessitates operating under limited computational resources.

Cauliflower Vest – A recovery key escrow solution. also at https://github.com/google/cauliflowervest

The goal of this project is to streamline cross-platform enterprise management of disk encryption technologies. The project initially started with end-to-end Mac OS X FileVault 2 support, and later added support for BitLocker (Windows), LUKS (Linux), and Duplicity.

Cauliflower Vest offers the ability to:

  • Automatically escrow recovery keys to a secure Google App Engine server.
  • Delegate secure access to recovery keys so that volumes may be unlocked or reverted.
  • Forcefully enable FileVault 2 encryption.
  • Sync BitLocker recovery keys from Active Directory.

Chromium – a safer, faster, and more stable web browser. also at https://www.chromium.org/

Chromium is the web browser that Google Chrome is built on. It is meant to feel lightweight (cognitively and physically) and fast. When released, it brought a sandbox security model, minimalist user interface, and tabbed window manager that many other browsers have since adopted.

Copybara – A tool for transforming and moving code between repositories. also at https://github.com/google/copybara

Often, source code needs to exist in multiple repositories, and Copybara allows you to transform and move source code between these repositories. A common case is a project that involves maintaining a confidential repository and a public repository in sync.

Copybara requires you to choose one of the repositories to be the authoritative repository, so that there is always one source of truth. However, the tool allows contributions to any repository, and any repository can be used to cut a release.

 

Dart – a language designed to be productive, stable, and free of surprises. also at https://www.dartlang.org/

Dart is a programming language developed at Google and approved as a standard by Ecma. It is ideal for web development and can be transcompiled to JavaScript, but can also be used to build server, desktop, and mobile applications. Dart is designed with a ‘batteries included’ philosophy and minimizes magic, such as automatic type coercion in order to avoid surprises when developing large applications.

DeepMind Lab – a customizable 3D platform for agent-based AI research. also at https://github.com/deepmind/lab

DeepMind Lab is a first-person 3D game platform designed for research and development of general artificial intelligence and machine learning systems. It provides a suite of challenging navigation and puzzle-solving tasks that are especially useful for deep reinforcement learning. Its simple and flexible API enables creative task-designs and novel AI-designs to be explored and quickly iterated upon.

Dopamine – A research framework for fast prototyping of reinforcement learning algorithms. also at  https://github.com/google/dopamine

Dopamine is a TensorFlow-based research framework for fast prototyping of reinforcement learning algorithms. It aims to fill the need for a small, easily grokked codebase in which users can freely experiment with wild ideas (speculative research).

fastlane – automate building and releasing iOS and Android apps. also at https://fastlane.tools/

fastlane allows you to automate the complete release process of your iOS and Android apps. It handles tedious tasks like generating screenshots, dealing with code signing and releasing your application.

Firebase SDK – An app development platform to develop high-quality apps. Also at https://firebase.google.com/

Firebase is an app development platform that provides integrated tools to help you build, grow and monetize your apps. The Firebase SDK enables access to the Firebase services in an intuitive and idiomatic manner on several platforms.

FlatBuffers – A serialization library for games and other memory constrained apps. Also at  http://google.github.io/flatbuffers

FlatBuffers is an efficient cross platform serialization library for C++, C#, C, Go, Java, JavaScript, PHP, and Python. It was originally created at Google for game development and other performance-critical applications. It allows you to directly access serialized data without unpacking/parsing it first, while still having great forwards/backwards compatibility.

Flutter – build apps for iOS and Android from a single codebase. Also at https://flutter.dev/

Flutter is a mobile app SDK for building high-performance, high-fidelity apps for iOS and Android, from a single codebase. The goal is to deliver apps that feel natural on different platforms, embracing differences in scrolling behaviors, typography, icons, and more.

FontDiff – a tool for finding visual differences between font versions.

FontDiff is a utility for testing fonts. When you modify a TrueType or OpenType font, FontDiff generates a PDF showing the typeset text both before and after the change. You can use this PDF to easily review the changes and spot any errors caused by a font switch.

FontView – a demo app that displays fonts using a free software stack. Also at https://github.com/googlei18n/fontview

FontView is a little demo app that shows the contents of a font file. It opens *.ttf, *.otf, *.ttc, *.otc, *.pfa, and *.pfb files. To render text, FontView uses open-source libraries.

Forseti Security – open source tools for Google Cloud Platform (GCP) security. Also at https://forsetisecurity.org/

Forseti Security helps you secure your Google Cloud Platform organization by keeping track of your environment (inventory of resources and their configuration) so that policies can be checked against it.

Gerrit – web-based code review system for projects using Git. Also at https://www.gerritcodereview.com/

Gerrit is a highly extensible and configurable tool for web-based code review and repository management for projects using the Git version control system. It allows teams to discuss code, serve Git as an integrated experience within the larger code review flow, and manage workflows with deeply integrated and delegatable access controls.

Go – open source programming language to make it easy to build simple, reliable and efficient software. Also at https://golang.org/

Go is expressive, concise, clean, and efficient. Its concurrency mechanisms make it easy to write programs that get the most out of multicore and networked machines, while its novel type system enables flexible and modular program construction. Go compiles quickly to machine code yet has the convenience of garbage collection and the power of run-time reflection. It’s a fast, statically typed, compiled language that feels like a dynamically typed, interpreted language.

Google Cloud datalab

 

Kritis – an open source solution for securing your software supply chain for Kubernetes applications by enforcing deploy-time security. Also at https://github.com/grafeas/kritis

Kritis (“judge” in Greek), is an open source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the Google Cloud Container Analysis API, which uses Grafeas underneath.

MOE: Make Open Easy – Synchronizes, translates, and scrubs source code repositories. Also at  https://github.com/google/moe

MOE is a system for synchronizing, translating, and scrubbing source code repositories. Often, a project needs to exist in two forms, typically because it is released in open-source, which may use a different build system, only be a subset of the wider project, etc. Maintaining code in two repositories is burdensome.

mtail – extract whitebox monitoring data from application logs for collection in a timeseries database. Also at https://github.com/google/mtail

mtail is a tool for extracting metrics from application logs to be exported into a timeseries database or timeseries calculator for alerting and dashboarding.

It aims to fill a niche between applications that do not export their own internal state, and existing monitoring systems, without patching those applications or rewriting the same framework for custom extraction glue code.

 

Open Images Dataset

Science Journal (listed above as OpenScience Journal) – an app that gathers data using the sensors in an Android phone. Also at https://makingscience.withgoogle.com/science-journal/

Science Journal allows you to gather data from the world around you. It uses sensors to measure your environment, like light and sound, so you can graph your data, record your experiments, and organize your questions and ideas. It’s the lab notebook you always have with you.

OpenWeave – an open source implementation of the Weave network application layer, the secure communications backbone for Nest products. Also at https://openweave.io/

OpenWeave is an open-source implementation of the Weave network application layer, the secure, reliable communications backbone for Nest products.

At Nest, we believe the core technologies that underpin connected home products need to be open and accessible. Alignment around common fundamentals will help products securely and seamlessly communicate with one another.

Outline – open source VPN software released by Jigsaw in March 2018. also at https://getoutline.org/

The Outline software allows for the creation of a personal or corporate VPN server on a cloud provider of the user’s choice, with minimal effort. Once set up, Outline server administrators can share access with other users, who can connect to the VPN using Outline clients developed for Windows, macOS, iOS, Android and ChromeOS. Outline uses the Shadowsocks protocol (shadowsocks.org) for communication between the client and server.

Stackdriver – Monitors, logs, and diagnostics for cloud applications. Also at https://cloud.google.com/stackdriver/

Google Stackdriver provides powerful monitoring, logging, and diagnostics. It equips you with insight into the health, performance, and availability of cloud-powered applications, enabling you to find and fix issues faster. The Stackdriver agents and libraries are open source projects.

Upspin – experimental framework for sharing files securely. Also at https://upspin.io/

Upspin is an experimental project to build a framework for naming and sharing files and other data securely, uniformly, and globally: a global name system of sorts.

It is not a file system, but a set of protocols and reference implementations that can be used to join things like file systems and other storage services to the name space.

 

 

Google’s Project Zero also publishes its vulnerability research in a public tracker: https://bugs.chromium.org/p/project-zero/issues/list

I have included several machine learning (ML) projects because I believe they can be used to build many kinds of programs, security tools included; the future of security is in AI, of which ML is one piece.

There is an interesting article in Wall Street Journal:

Google’s Enemies Gear Up to Make Antitrust Case

The article goes into a case Yelp and TripAdvisor are making that Google is using its position as a search engine to place its own services ahead of TripAdvisor and Yelp.

I wonder if they know about these 70 projects on the Google projects list, of which 27 have security implications in my opinion:

Abseil, AdaNet, Angular, Apache Beam, badssl.com, Bazel, Blockly, Dart, DeepMind Lab, Dopamine, fastlane, Firebase SDK, FlatBuffers, Flutter, FontDiff, FontView, Forseti Security, Gerrit, Go, Kritis, MOE (Make Open Easy), mtail, Science Journal, OpenWeave, Outline, Stackdriver, Upspin

It definitely looks to me like Google is building a larger and larger organization. Does this mean it should be broken into pieces? Maybe this is why the Sherman Antitrust Act was created and passed by Congress in 1890. That law declared illegal all combinations “in restraint of trade”. (from http://www.ushistory.org/us/43b.asp)

Google is building a future AI powerhouse that will make today’s search power seem like a mouse versus a tiger.

 

Microsoft Bug Disclosed Before Patch Available

As we have mentioned before, the cycle from a bug being found to a patch being released can sometimes be long. Tavis Ormandy, a vulnerability researcher at Google (Project Zero), has disclosed a bug in Microsoft Windows’ SymCrypt library that can hang a system so that it has to be rebooted (when the right file or data passes through it).

Because SymCrypt is the core cryptographic library in Windows, the bug sits in infrastructure that many other components depend on, which is what makes it interesting.

From a Reddit post this is a good explanation:

Tavis Ormandy found a bug in Windows’ core crypto library SymCrypt. The PoC (proof of concept) is based on a crafted X.509 certificate. For example, embedding this file in an S/MIME email could crash a Windows server remotely. Since more than 90 days have passed, Project Zero made this bug public (a patch should follow in July).

Here is the SymCrypt page:

SymCrypt is the core cryptographic function library currently used by Windows.

History

The library was started in late 2006 with the first sources committed in Feb 2007. Initially the goal was limited to implement symmetric cryptographic operations, hence the name. Starting with Windows 8, it has been the primary crypto library for symmetric algorithms.

In 2015 we started the work of adding asymmetric algorithms to SymCrypt. Since the 1703 release of Windows 10, SymCrypt has been the primary crypto library for all algorithms in Windows.

 

So what is the true meaning of this bug?

A ‘well crafted’ certificate, or any other input that reaches the affected code, can cause the processing machine to hang (DoS – denial of service). So far nobody has found a mass-market way to hit thousands of machines at once (yet!).

So it is not the highest priority problem to fix, but it does need fixing. The fix is slated for the July patch update (the second Tuesday), July 9th.

Contact us to understand the patch cycle process:

If you look at my image above, that is Day 60; Microsoft did not force out a fix before day 91 because of the low-risk nature of this problem. I.e. rebooting is annoying, but at least hackers are not reformatting all your data with ransomware. So with a July 9 patch day it will be close to Day 117+.

This is unfortunately typical, as it is not that easy to create a patch for hundreds of different devices. I also wonder whether this issue could have been handled better by Tavis, or whether this is a small competition thing between Google and Microsoft. Either way we have to pick up the pieces and deal with the possible consequences.

 

 

Current Attacks: 1.6 Million Unique RDP Addresses Targeted by “GoldBrute”

Internet Storm Center discusses an attack by the ‘GoldBrute’ botnet.

They found that the botnet is working through a list of roughly 1.5 million RDP servers exposed to the Internet (about 1.6 million unique addresses at the time of writing), brute-forcing their credentials. Each infected host scans for more exposed RDP endpoints and tries a small set of username/password pairs against each one.

That population of exposed RDP servers is also exactly what makes the Microsoft weakness CVE-2019-0708 (published with customer guidance on May 14) so dangerous. From that guidance:

Specifically: CVE-2019-0708

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via RDP.

To be clear, GoldBrute does not exploit CVE-2019-0708: it simply logs in over RDP with guessed credentials, so it works against fully patched servers with weak passwords too. But the same exposed RDP listeners on older, unpatched systems (Windows 7 and Windows Server 2008/2008 R2) are open to both attacks. Fix the vulnerability side by downloading the patch and updating as soon as possible, and fix the credential side with strong passwords and lockout policies.

The other solution is to disable Remote Desktop Services entirely where it is not needed (as per https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708).

A workaround is also possible:

The following workarounds may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave these workarounds in place:

1. Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2

You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.

2. Block TCP port 3389 at the enterprise perimeter firewall.
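The two Microsoft workarounds above, with a before/after audit of the host, as an added PowerShell example. This is not code from the Microsoft advisory or the ISC diary; it assumes an elevated prompt on Windows 7 / Server 2008 R2 or later with the default RDP-Tcp listener. The registry values and the Win32_TSGeneralSetting WMI method are the documented ones, and the $Apply switch and the rule names are this example’s own.

```powershell
# Added example: audit the RDP posture of this host and, when $Apply is $true, apply
# workaround 1 (require NLA) and workaround 2 (block TCP/3389) on the host firewall.
# Assumptions: elevated prompt, default listener name 'RDP-Tcp', PowerShell 2.0+.
$Apply = $false   # set to $true to change settings; $false only reports

$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpPosture {
    # fDenyTSConnections = 1 means RDP is switched off entirely.
    # UserAuthentication = 1 means NLA is required before a session is created,
    # which is what keeps an unauthenticated attacker away from the vulnerable code.
    # SecurityLayer = 2 means TLS is required rather than legacy RDP security.
    $l = Get-ItemProperty -Path $listener
    $r = Get-ItemProperty -Path $tsRoot
    $listening = (netstat -ano | Select-String ':3389\s+\S+\s+LISTENING') -join '; '
    New-Object PSObject -Property @{
        RdpEnabled  = ($r.fDenyTSConnections -eq 0)
        NlaRequired = ($l.UserAuthentication -eq 1)
        TlsRequired = ($l.SecurityLayer -eq 2)
        ListeningOn = $listening
    }
}

'Before:'
Get-RdpPosture | Format-List

if ($Apply) {
    # Workaround 1: require NLA. The WMI method is what the System Properties
    # checkbox calls and it exists on Windows 7 / 2008 R2, where the NetSecurity
    # cmdlets (New-NetFirewallRule etc.) are not available.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-tcp'"
    [void]$ts.SetUserAuthenticationRequired(1)

    # Also force TLS on the listener so the pre-authentication handshake is not
    # the legacy RDP security layer.
    Set-ItemProperty -Path $listener -Name SecurityLayer -Value 2 -Type DWord

    # Workaround 2: the advisory says block 3389 at the perimeter firewall; this
    # adds the same block on the host firewall as an extra layer. Windows Firewall
    # gives block rules precedence over allow rules, so this also overrides the
    # built-in "Remote Desktop" allow rule. Only do this where you have console,
    # VPN or another out-of-band path to the machine.
    netsh advfirewall firewall add rule name="Block inbound RDP 3389 (CVE-2019-0708)" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null

    'After:'
    Get-RdpPosture | Format-List
}
```

Run it once with $Apply left at $false to see where the host stands; NlaRequired = False on an Internet-facing Windows 7 or 2008 R2 box is the combination the advisory warns about. Neither workaround removes the vulnerable code, so the patch still has to be installed, and NLA only helps against GoldBrute-style password guessing if the accounts behind it have strong passwords.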

 

Contact Us to discuss this latest possible attack and re-mediate your #cybersecurity risks

Chinese Cyberattacks Unrelenting And Will Not Stop

It is all part of the Chinese strategy to steal technology and information as they work on being the top country in the world.

There is an excellent article on the history of China and how it pertains to today’s world by Brandon J. Weichert at New English Review.

The “trade war” is part of a complex struggle by China to come to parity and overtake the United States.

 

The struggle with China is also pertinent in the cyber world. As we know from Mandiant’s APT1 report, the Chinese PLA (People’s Liberation Army) has a unit that actively attacks Western companies and countries to steal technology and anything else that might be important. That was the APT1 campaign against the world.

China is actively attacking systems (as you will see below).

Mandiant estimated the unit at hundreds, if not thousands, of attackers.

Mandiant’s report traces APT1 activity back to 2006. So for the last 13 years the Chinese have been systematically attacking Western companies to steal relevant information.

Every industry was attacked (which is easy to do, as everyone is connected to everyone else on the Internet), but some industries were hit more than others:

[Image: industries targeted by APT1, from the Mandiant report linked above.]

This is from a report published in 2013 about attacks going back years, but today these items have not changed much.

 

Let’s go back to Mr. Weichert’s article (“Much More Than a Trade War With China”), which describes the Warring States period of Chinese history (475–221 BC) as a unique time. In that era the state of Qin was able to overcome nominally superior adversaries under the Zhou order through superior statecraft and mastery of strategy.

Mr. Weichert brings up a quote by Jiang Zemin (Chinese leader, 1989–2003): “there cannot be two suns in the sky”, because the history of China showed that only one dynasty will eventually defeat the other and survive to rule over all.

He also cites Edward Luttwak’s analysis of the traditional “barbarian-handling” techniques:

  • Initially, concede all that must be conceded to the superior power, to avoid damage and obtain whatever benefits or at least forbearance that can be had from it;
  • Entangle the ruler and ruling class of the superior power in webs of material dependence that reduce its original vitality and strength, while preferring equality in a privileged bipolarity that excludes every other power;
  • Finally, when the formerly superior power has been weakened enough, withdraw all tokens of equality and impose subordination.

And then Chinese culture assimilates the ‘barbarian’ culture, as when the Mongols invaded and eventually adopted Chinese methods, and were themselves surpassed later. Many older cultures in Asia have been completely swallowed up by China.

 

Whether this is a good methodology for China is not the question here (I believe it is not); we note that it is occurring and that it is part of the “entanglement” strategy to steal technology. A technology advantage will not stay significant, or remain an advantage at all, over time with more and more technology theft.

What is the easiest way to steal technology today? Over the Internet!

This is why the PLA is systematic in its actions: attack everyone, then find the nuggets in the network stream. China’s strategy is deliberate and systematic. In the 80s and 90s we had neighborhood kids trying to hack companies for the ‘fun’ of it. Today we have nation states with massive budgets and techniques.

If you do not think there is a serious cyberattack happening, you must wake up and smell the roses. If you have something to protect, and even if you do not, the wide swaths of cyberattacks coming out of China will make your life more difficult.

[Image: attacks on this website in one week.] The number does not surprise me. And this website has no data beyond what you see on the blog (i.e. there is no customer data or other data hidden).

Contact us to review your Cyber defense strategy.

What We Can learn From Baltimore City Ransomware Attack

From a WSJ article:

On May 7th hackers were able to shut down a number of city of Baltimore computers. They demanded $100k worth of bitcoins to release their stranglehold. On this day that is about 13 Bitcoins (value of Bitcoins fluctuates).

So Baltimore is refusing to pay as they should. The ransomware the hackers used is called RobbinHood.

And apparently if no payment within 10 days the price goes up.  How did RobbinHood get access to the systems (and then corrupt them)?

Bleepingcomputer.com goes into some of the RobbinHood details.

Apparently this ransomware is not coming in through spam (like many others). Ars Technica has some more details on the IT situation in Baltimore city departments:

“Tracking down how and when the malware got into the city’s network is a significant task. The city has a huge attack surface, with 113 subdomains—about a quarter of which are internally hosted—and at least 256 public IP addresses (of which only eight are currently online, thanks to the network shutdown).”

Part of this problem seems to stem from mismanagement of GRC (governance, risk, compliance). The IT department was underfunded, which seems obvious now but was not earlier. And now the decision is: do we pay the ransom to get back to normal, or suffer through a restore that takes an unknown amount of time and resources? Will the restore work? If not, then systems have to be rebuilt from scratch: reinstall operating systems and applications, while also making sure this problem does not resurface (create proper procedures for installing and patching). So all the things that were obvious in the past, and had a long time to be resolved, now must be done in a hurry under the glare of the public eye. There are plenty of stories of real estate transactions not closing without certain department computers. So where the city wanted to be paperless, it has to reinstate paper-based processes.

Needless to say Baltimore is the poster child of how not to do things.

There is a price to pay at some point for bad management decisions (underfunding IT updates or security initiatives). When you do not update systems in a sprawling campus of hundreds of systems, it is inevitable that there will be a system that can be attacked. Hackers are ingenious and find ways in. Once they are in, the game is to elevate credentials (privileges).

Let me ask you a question: if it is relatively easy for the hacker to come in and take a system, then elevating privileges will also be ‘easy’, as privilege escalation vulnerabilities are more numerous and an unpatched estate has plenty of them.

So now the hacker is in the network and can do pretty much as they please. Next they will find the most important systems (email and file servers among others) to infect. This is exactly what happened in the city of Baltimore.

Contact US to discuss GRC and prevent a disaster like this to your organization.