Posts tagged ‘Google’

Chrome and the multi-user computer.

Google Chrome installs on a “per-user” basis. That means the application installs to the user’s profile rather than system-wide. The user doesn’t need local administrator rights in order to perform the install. That works great if you’re into corporate chaos, or you just don’t want to have to contact an administrator to install Chrome. It doesn’t work so well for multi-user computers. Bob, Sally and Joe each individually install Chrome. The Chrome application directory is north of 100 MB and has a tendency not to remove old versions. That’s a lot of space.

And what about updates? Google has been praised for their silent update of Chrome, but that only works for the logged-on user. The other user profiles aren’t updated until they are used.

Is this even a problem? A classic argument. The vulnerable version of Chrome isn’t running. It should update if it is ever used. Unfortunately, it shows up on the vulnerability scan results. So it is hard to ignore. How could I tell the difference between a Chrome version that hasn’t been used and one that has?

After a bit of investigating, I found evidence that Chrome had been installed on this computer as a user named Template. This profile was then copied to the default user profile. The default user profile is the basis for every new user account, so every user after that had Chrome in their user profile. I doubt this was intentional or that Google ever said this was a way to make it available to all users on a system. I don’t know for sure.

At this point, I have a set of lab-type computers where over time multiple people have logged in. Each user profile is seen as having a vulnerable version of Chrome. The best thing I can figure is to perform a manual uninstall of Chrome from each user profile. If I attempt a regular uninstall it fails because I am unable to delete the registry keys required in the uninstall script. It attempts to delete registry keys from HKEY_CURRENT_USER. That works for the logged-on user, but not when remotely trying to remove all instances of a Chrome install.

I think I’m left with a tedious manual process.  
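Before the manual cleanup, it helps to know exactly which profiles carry which Chrome builds. The script below is an added example (not from the original post) that inventories per-user Chrome installs by walking each profile’s Application directory, flags profiles whose newest build is older than a patched baseline you supply, counts the stale version directories Chrome leaves behind, and uses the presence of a “User Data” directory as a rough “has this profile ever launched Chrome” indicator. Assumptions: the Vista/7 profile layout (AppData\Local\Google\Chrome), the “User Data” heuristic, and the sample tree, which is constructed in a temp directory rather than read from a real machine.

```python
"""Inventory per-user Chrome installs across Windows profile directories."""
import os
import re
import tempfile

# Per-user Chrome install path inside a profile (Vista/7 layout; assumption).
CHROME_APP = os.path.join("AppData", "Local", "Google", "Chrome", "Application")
# Chrome creates this directory on first launch; used here as a
# "has this profile ever run Chrome" heuristic (assumption, see lead-in).
CHROME_USER_DATA = os.path.join("AppData", "Local", "Google", "Chrome", "User Data")
VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(s):
    """'5.0.375.99' -> (5, 0, 375, 99) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


def inventory(users_root, patched):
    """Return {profile: info} for every profile holding a per-user Chrome."""
    patched_v = parse_version(patched)
    report = {}
    for profile in sorted(os.listdir(users_root)):
        app_dir = os.path.join(users_root, profile, CHROME_APP)
        if not os.path.isdir(app_dir):
            continue
        versions = sorted(
            parse_version(d) for d in os.listdir(app_dir)
            if VERSION_RE.match(d) and os.path.isdir(os.path.join(app_dir, d))
        )
        if not versions:
            continue
        newest = versions[-1]
        report[profile] = {
            "versions": [".".join(map(str, v)) for v in versions],
            "newest": ".".join(map(str, newest)),
            "vulnerable": newest < patched_v,
            "stale_copies": len(versions) - 1,   # old builds Chrome never removed
            "ever_run": os.path.isdir(
                os.path.join(users_root, profile, CHROME_USER_DATA)),
        }
    return report


def build_sample_tree():
    """Construct a fake C:\\Users layout (constructed sample data, not a real host)."""
    root = tempfile.mkdtemp()
    layout = {
        "Bob":   (["5.0.375.70", "5.0.375.86"], True),
        "Sally": (["5.0.375.99"], True),
        "Joe":   (["5.0.375.70"], False),  # cloned from Default; Chrome never launched
        "Admin": ([], False),               # no per-user Chrome at all
    }
    for profile, (versions, ran) in layout.items():
        os.makedirs(os.path.join(root, profile), exist_ok=True)
        for v in versions:
            os.makedirs(os.path.join(root, profile, CHROME_APP, v))
        if ran:
            os.makedirs(os.path.join(root, profile, CHROME_USER_DATA))
    return root


if __name__ == "__main__":
    root = build_sample_tree()   # use r"C:\Users" on a real machine
    for profile, info in inventory(root, "5.0.375.99").items():
        state = "VULNERABLE" if info["vulnerable"] else "ok"
        print(f"{profile:8} newest={info['newest']:12} {state:10} "
              f"stale={info['stale_copies']} ever_run={info['ever_run']}")
```

Run it against C:\Users with the version from the latest Google release post as the baseline; a profile that is vulnerable and has never run Chrome is the “copied from Default” case described above, and the uninstall for it only needs the directory and the HKU hive entries, not a logged-on session.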

Google now has an MSI install of Chrome. This would install for all users and be updated once. The only downside is it requires admin rights to update. But that is no different from any of the other unsupported third-party software that is put on these computers. Going forward, that would be a much better method if we want to run Chrome on these computers.

Google Chrome Security Updates

I see over on US-CERT that Google Chrome has issued a security update for the third time in the past 30 days. US-CERT isn’t particularly timely with its posts, but they do link to the original blog posts at Google where you can get the dates.
Google Releases Chrome 5.0.375.99 
Google Releases Chrome 5.0.375.86
Google Releases Chrome 5.0.375.70

It seems like these security updates don’t get the press that other security updates get.   Is Chrome used that little?

Is it a good thing that Google is using its silent updates to fix security issues frequently rather than having to wait for a monthly patch dump? I imagine most people don’t even know their browser was updated. I see it has updated because Secunia PSI complains about the old version that Google’s update doesn’t delete.

Thanks for Nothing Google

Yesterday I wrote about the importance of using good passwords because people are trying to brute-force your email and social networking accounts. Today I logged into GMail and received a dire red-letter message: “your email has been accessed from the United States.”

Upon reviewing the Gmail account activity log, I see access to my account from United States (CA) (204.176.49.44). An IP whois wasn’t very helpful; it’s been registered to Verizon Business/MCI/UUNet. A Google search happened to include reverse DNS in the results, showing me that 204.176.49.44 resolves to host44.tivo.com. After verifying that host44.tivo.com also resolves to 204.176.49.44, I recalled using TiVo to watch some YouTube clips the other night. I used my Google account to log into YouTube from the TiVo. Mystery solved.

Apparently Google’s GMail tripwire is catching all Google authentications. Either that, or the TiVo took my Google credentials and logged into GMail as well as YouTube. The timestamp for the authentication doesn’t really line up with when I was watching the YouTube clips. Makes me wonder if this is as innocent as I’d like to believe. Google really should differentiate between email access and authentications to other Google services.

SPF Usefulness

The SANS ISC Handler Diary is asking for your experiences with SPF. It’s funny timing because I just configured SPF for my domains last night. I’d been using SPF records previously, but when I left PowWeb for Dreamhost (which changed my authoritative DNS server) I didn’t set up SPF again.

I’m using Google as the mail server for my personal domains. Configuring SPF for Google is pretty easy. Just create a TXT record containing v=spf1 include:_spf.google.com ~all. Like most SPF implementations, they recommend you use “~all” (softfail), which tells the receiving server that hosts not on the list are probably unauthorized, but not to reject mail on that basis alone; only “-all” (fail) asks for an outright reject. I kind of wonder what use that is. But it seems to take more guts to use a “-all”.

To me, SPF is not exceptionally useful. It just seems like the only thing you can do to prevent yourself from being Joe Jobbed. Sadly, through the years remote mail servers have been more likely to allow backscatter than to use SPF.

At the same time, it’s never shot me in the foot. ~all instead of -all is probably to thank. I have seen Hotmail headers that indicated that if I was using -all they would have blocked me. They just had a screwed-up implementation that couldn’t handle “include” statements in SPF records. SPF is not well liked by *nix folk. It breaks .forward. It breaks mailing lists that send as the message poster.
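To make the ~all versus -all difference and the “include” handling concrete, here is an added example (not from the original post, and not Google’s real SPF data) of a minimal SPF evaluator covering the mechanisms this record uses: include, ip4, and all with the +, -, ~ and ? qualifiers. DNS is replaced by a constructed TXT table whose netblocks are documentation ranges, so it runs offline; mx, a, ptr and exists mechanisms and the redirect/exp modifiers are deliberately not implemented and are skipped.

```python
"""Minimal SPF evaluator (RFC 7208 subset): include, ip4 and all with qualifiers."""
import ipaddress

# Constructed stand-in for DNS TXT lookups. The "google" netblocks below are
# RFC 5737 documentation ranges, NOT Google's real SPF data (assumption).
FAKE_TXT = {
    "example.org":           ["v=spf1 include:_spf.google.com ~all"],
    "strict.example":        ["v=spf1 include:_spf.google.com -all"],
    "broken.example":        ["v=spf1 include:missing.example -all"],
    "_spf.google.com":       ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 ~all"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain, txt=FAKE_TXT):
    """Return the single v=spf1 TXT record for a domain, or None."""
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate the sender IP against the domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:
        return "permerror"          # RFC 7208 caps DNS-querying terms at 10
    record = get_spf(domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIER_RESULT:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4" and ip.version == 4:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only when the included record yields *pass*.
            # A ~all or -all inside the included record does not propagate
            # (the misreading behind some broken receiver implementations).
            inner = check_spf(sender_ip, arg, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # included domain without a record is a permerror
            matched = inner == "pass"
        else:
            matched = False         # mx/a/ptr/exists and modifiers: not implemented
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                # fell off the end of the record


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.org"), ("192.0.2.10", "example.org"),
                    ("192.0.2.10", "strict.example"), ("192.0.2.10", "broken.example")]:
        print(f"{ip:14} {dom:16} -> {check_spf(ip, dom)}")
```

The same unknown sender gets softfail from the ~all domain and fail from the -all domain; a receiver that honours SPF treats only the latter as a reject. The include chain also shows why a receiver that cannot follow “include” sees nothing but the trailing all term and would have blocked a -all domain outright.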

AdobeARM.exe

Back in October, I expressed my frustration with Adobe Reader updates. After updating Reader 8 and 9 too many times to count, suddenly in 9.2 I was left with more questions than answers. Part of that post was wondering what adobearm.exe was. That post is still strangely popular so I thought I’d post an update.

Adobe still has nothing about adobeARM.exe in its knowledgebase.

When you Google adobeARM.exe after finding the link for this site, you find some sites claiming adobeARM.exe is malware. Hard to believe since this file is part of the installation package from Adobe Reader.

The best info I’ve found is in this Adobe Forum thread.

Ignore the usual misinformation about Flash for ARM powered mobile devices, and the ubiquitous advice to just switch to FoxIT.

You find the same info that we had a commenter post in October. “AdobeARM.exe is a part of new Adobe Acrobat\Reader updater. If you manage updates yourself, it is absolutely safe to remove it from Run registry.”
While this info is far from authoritative, I would suggest home users leave it alone. In corporations that manage updates, I’d continue to disable updates via the Adobe Tuner and remove this exe from the startup directory.

Facebook Google Indexing Tempest in a Teapot

Earlier today I started getting status updates from friends that read

If you don’t know, as of today, Facebook will automatically index all your publicly available info on Google, which allows everyone to view it. To change this option, go to Settings –> Privacy Settings –> Search –> then UN-CLICK the box that says ‘Allow indexing’. Facebook kept this one quiet. Copy and paste onto your status for all on your news feed.

Facebook’s chain letter detection kicked in (not sure if that was an automatic or manual process) to deter future exact duplicates of that status update. This made people all the more suspicious about why Facebook would be blocking their attempts to warn about Facebook privacy.
If you did wander over to the Facebook privacy page you’d see the following message from Facebook.

Worried about privacy? Your information is safe.
There have been misleading rumors recently about Facebook indexing all your information on Google. This is not true. Facebook created public search listings in 2007 to enable people to search for your name and see a link to your Facebook profile.

Security hoaxes have been around forever. Misconceptions about genuine security threats are tough to deal with. While Facebook has made some debatable privacy changes lately, I believe Facebook is right that the search settings are hardly new. What really matters is the security settings you place on your data.
When someone asks you to share information with everyone you know, as this dire warning did, unless it’s the Gospel of Jesus, I think your crap detector should be sounding the alarm. If the source is not a computer security expert, stop and ask if it makes sense. If the source IS a computer security expert, stop and ask if it makes sense and then make sure your wallet hasn’t been stolen by the security expert.
Search engines index Facebook status, but only the status that has the Everyone permission. If you’re going to freak out, do it by reviewing your privacy settings. You know, the privacy settings Facebook had you review this week. Everyone means everyone on the internet.

A Little Respect Regarding Reblogging

I noticed this week that a site out there is using wp-o-matic to present my work as his own information security blog.
Some people incorrectly think that an RSS feed is a permanent license to do whatever you want with content. It’s not. While it doesn’t look like it, I do spend a lot of time on posts trying to make them semi-literate. Reposting without credit or link-back steals my Google juice. Without attribution they are clearly plagiarizing my work. Not cool.
I think that presenting my work as his own is a violation of the CISSP ethics.
I may need to put a footer on each post in the RSS feed. “This post and more like it are available at Roger’s Infosec Blog www.infosecblog.org”
If you’re interested in learning more about your rights as a blogger regarding plagiarism check out CopyScape
This post is not about the people who have asked and the people who do link back. I appreciate that you like my work and provide some traffic back my way.

VanMorrison.com Iframe

Saw a virus alert today. A user performed an AOL Search (that alone should be banned in our end user behavior policy) on “van morrison” (another termination offense). He/She clicked on a link for www.vanmorrison.com. The antivirus detected an iframe attack.
Manually looking at www.vanmorrison.com’s source, I currently see an iframe loading ‘http://iqsp.ru:8080/index.php’. Perhaps someone can remind me, aren’t there sites like VirusTotal where you can send them a link and they’ll tell you what’s up? I haven’t yet learned JavaScript deobfuscation, but that didn’t look like good stuff was happening.
So I took a sacrificial-lamb system (still dangerous, don’t try this at home) and went to www.vanmorrison.com using various security systems to see what the result was.
Bluecoat – detected the virus on the site. Blocked Access to the entire site.
Scansafe – detected the virus on the site. blocked access to the entire site.
Purewire – site loaded. Wanted me to install Flash (seemed legit but I didn’t do it). Java started up. I was prompted to download a file and run an ActiveX control. I chose not to install the ActiveX control, but I did download the file. It was a PDF file.
VirusTotal saw the PDF file first on October 16th (today is the 21st). Currently 13 out of 41 vendors are detecting this as a virus. Did I mention signature detection is dead dead dead.
Did you notice the link to the Russian site is on port 8080? I wonder how many HTTP security implementations are proxying 8080 traffic in addition to 80.
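The iframe above has the three tells a proxy or a quick triage script can key on: an off-site host, a non-standard port, and a frame sized or styled to be invisible. The following is an added example (not from the original post) that parses a page with Python’s standard-library HTML parser and reports iframes showing any of those traits. The injected URL is the one quoted in the post; the rest of the sample page is constructed for illustration.

```python
"""Flag suspicious <iframe> elements: off-site host, odd port, hidden frame."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _tiny(value):
    """True for width/height of 0 or 1 (with or without a px suffix)."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons...])] for iframes worth a closer look."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        if not src:
            continue
        url = urlsplit(src)
        reasons = []
        if url.hostname and url.hostname.lower() != page_host.lower():
            reasons.append("off-site host " + url.hostname)
        if url.port not in (None, 80, 443):
            reasons.append(f"non-standard port {url.port}")   # e.g. :8080
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("hidden (tiny dimensions)")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden (css)")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: only the injected iframe URL comes from the post.
SAMPLE_HTML = """
<html><body>
<h1>Van Morrison</h1>
<iframe src="http://www.vanmorrison.com/tour.html" width="600" height="400"></iframe>
<iframe src="http://iqsp.ru:8080/index.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.vanmorrison.com"):
        print(src, "->", "; ".join(reasons))
```

Feed it the raw HTML you fetched (from the sacrificial system, not your workstation) and the site’s own hostname; the legitimate same-site frame passes while the injected one is reported on all three counts. The port check is the one to keep in mind when reviewing a proxy policy that only inspects port 80.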
Update 10/23/09
I see Sophos and eweek have linked to this article. Thanks!
Pob is correct, the infection changed after I posted this entry. I went back yesterday to see if anyone had cleaned it. I found the site on Google’s naughty list and the site had obfuscated code like his screenshots. Didn’t check on it today.

Evaluating HTTP Security Solutions

While trying to eval a HTTP security solution I’ve been trolling for viruses by browsing Google Top Trends.
The vendor advertising their zero-day protection detects the virus even when VirusTotal has only one scanner detecting (and not one used by this vendor). So they are showing off their zero-day protection rather well. The problem I have is that the incumbent protection, which would not have detected the virus with AV, was able to block the site completely with URL filtering.
I normally don’t think too much of URL filtering as protection anymore. Malware can be on legitimate sites. New sites that aren’t categorized come online. But for my extremely small sample set, it’s actually providing the same level of protection.

Google Trends

Today’s Hot Trends based on top Google results.
1. gmail down
2. gmail outage
3. gmail not working
4. people of walmart
5. gmail problems
6. gmail down september 1 2009
7. what s wrong with gmail
8. leah lust video
9. tropical storm erika
10. gmail server error
Not a strong day for Google