Google Ups Their Security Ante


If you’ve ever been interested in learning more about cyber-security, and Android’s in particular, then there’s never been a more enticing offer on the table.  This week Google officially announced a new top reward for pinpointing a security flaw in the operating system.  Are you hooked yet?  Well, here’s the new figure: $1.5 million!

A Quick History:

Way back in 2015 Google announced the launch of a security rewards program for Android (the one we’ve come to know and love today, as it has improved the operating system). The program covered security vulnerabilities affecting Nexus phones and tablets, and asked individuals to try to find defensive holes.  In exchange for finding one of these you could earn up to $38,000.

This is no small chunk of change, but it’s also obviously a long way away from $1.5 million.  What happened?  Well, Android grew in popularity and more security researchers came on board, unearthing security flaws.  In fact, from its first bug bounty program in 2010 Google was paying over $1 million a year to hundreds of researchers who found issues.  So it’s not a complicated story.  Google offers rewards for security help.  People find flaws.  Google makes a more secure environment and ups the ante.  Rinse and repeat.

The $1.5 Million Dollar Man:

Which brings us to the 2019 cap in the program.  Google won’t pay that large a sum for just any bug, though.  They’re looking for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.”  In simpler terms, they want to find a bug that lets an attacker execute code on a device without physical access, and keep doing so even after the device has been reset.

The Titan M security chip was first introduced in the Pixel 3.  Its job is to oversee security (handling passcodes, verifying firmware signatures, and identifying malicious apps).  It’s done a fairly good job and has been carried over into the new Pixel 4. And since it does such a good job, security flaws are harder and harder to find.  But that doesn’t mean they aren’t there.  The only way security can get better is by someone figuring out how to hack it.  If you find a hole in your defenses, you know exactly what needs to be patched up.

So the $1.5 million bug is the big one, but it’s not the only reward.  There are plenty of other security flaws that have led to hundred-thousand-dollar payouts to dozens of individuals.  If you are interested in learning about Android security, it’s safe to say these prizes are only going to go up, so there’s no time like the present to start!

Searching For Privacy


We’ve grown somewhat used to the phrase “If you’re doing nothing wrong then you have nothing to hide.”  That being said, plenty of us don’t take it as truth that privacy has to die.  There are countless stories of security leaks, and it’s impossible to hear the letters NSA without thinking about being watched.  But taking a few simple steps can drastically improve your privacy in everyday life.  Step one is how you browse the internet.

You don’t have to be watched:

Yes, it’s a little-known secret, but there are ways you can search the web without giving up your privacy.  Over the years the word “Google” has become synonymous with looking something up.  And for good reason: Google has a huge market share of global searches.  But they’re by no means your only option.  At the start of 2018 Google searches accounted for roughly 70% of all searches.  The bottom line is that they aren’t going away any time soon, but there’s 30% worth of other options.

The purpose of this blog post is not to bash Google by any means.  It’s an incredible search engine that yields top-tier results.  It’s grown to the size it is for many reasons.  This post is simply to inform you of options besides the traditional search engines like Google and Internet Explorer.  There are some players that do things differently.  A key difference is that your search history is just that: yours.

Some alternatives:

If you’ve ever looked into private search engines, then you’re undoubtedly familiar with DuckDuckGo.  Its CEO is famous for saying “if the FBI comes to us, we have nothing to tie back to you.”  Their motto is simple: they don’t store your personal information. Ever.  They also offer an interesting feature known as “bangs”.  Not really privacy related, but bangs allow you to quickly search results on other sites by adding a “!” to your search.  So if you knew you wanted to search for something on Wikipedia you could jump straight to it.

Another solid option is Tor.  Tor Browser secures your connection to the internet with three layers of encryption, and passes it through voluntarily operated servers around the world.  Its goal is to make you one person in a crowd of a million who are indistinguishable from one another, and thus untargeted for any kind of privacy extraction.  Tor’s onion services allow users to publish things online without needing to reveal their location.  Even the U.S. Navy has used Tor for open source intelligence gathering.  Don’t worry, by that I don’t mean info on your browsing sessions!

A third favorite is StartPage.  Developed by Ixquick, StartPage gets you the privacy you want but actually gives you the results straight from Google. It features a proxy service, URL generator, and HTTPS support that allow you to revisit your browsing sessions without needing cookies.  In other words, it remembers your browsing in a privacy-friendly way.

More than just security:

If you’re like me, you’ve been shocked before at some of the ads you see.  They’ve become so good at targeting you that you’ll see an ad for something you had only thought about in the privacy of your own mind.  Browsing in private mode can certainly help with this, as the less data there is collected on you, the harder it is to target you with personalized ads.  Or even ads in general.  Just another big perk to consider when deciding if you want to check out other browsers!

All in all, you could be perfectly happy with the way you’re surfing the internet right now, but there are always other options if you decide to give them a try.  What are your thoughts on the recent privacy issues?  Maybe you use a VPN. Do you take other precautions to keep your information secure?  Let us know in the comments below!

Google Minus And Project Strobe


After 7 years of effort, Google has decided that enough is enough for Google+.  The tech giant has admitted to failing in its entrance into the social media marketplace. As both a business decision and a safety concern, they’ve decided to take Google+ off the web and focus on other things.

Project Strobe

Security has been at the forefront of everyone’s minds this year as privacy scandal after privacy scandal has surfaced.  Facebook’s Cambridge Analytica scandal made us hyper-aware of how much data is exposed to third parties.  In an attempt to combat privacy issues Google launched Project Strobe.  It’s a root-and-branch review of third-party developer access to Google accounts and Android devices.  Essentially it’s a research project to check up on how secure everyone’s information really is.

The findings: not the best.  Today Google announced four key findings from the project along with steps to remedy each.

1. There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.

Google+ had a pretty serious bug in it that exposed user data to third-party applications that didn’t have proper access.  Google says that there is no evidence anyone else found this out before they did (hard to be sure).  Combine this with the lack of adoption among users, and the end result has been to remove Google+ entirely.  I don’t think anyone is too upset at this move, and it’s probably for the best that Google diverts its time towards new innovations.

2. People want fine-grained controls over the data they share with apps

When you download a new app that performs certain functions, it may need permission to do so.  Whether that’s accessing your camera to take a picture or seeing your contacts so that it can share a picture with others, apps can’t do these things until you let them.  This is a big plus for Android security, but unfortunately sometimes it’s not organized well enough.

There are some permissions that are grouped together when presented to a user, and this can potentially be a problem.  If you want an app to do one thing you shouldn’t have to grant it access to three permissions, yet this is sometimes how things are organized.  Google has announced they’ll be launching more granular account permissions that will show individual dialog boxes for each.  Maybe a little more frustrating for relaxed users, but definitely a win for security.

3. When users grant apps access to their Gmail, they do so with certain use cases in mind

To correct the security issue of third parties abusing contact information, Google is limiting what kinds of apps are allowed to access Gmail data.  The only apps allowed will be those that are “directly enhancing email functionality”.  Basically, if there’s no real reason for your app to need to write an email, it’s banned.

4. When users grant SMS, Contacts and Phone permissions to Android apps they do so with certain use cases in mind.

3 and 4 are pretty similar to one another, but this other finding takes things past email and into the phone/contacts.  Google is limiting how many apps will be allowed to access this information.  In addition, contact interaction data will no longer be available via the Android Contacts API.

The bottom line is that Google did a security sweep and decided a few things needed to change.  It seems that these changes are proactive, which is always a good thing, but if you’re one of the world’s Google+ users then I’m sorry you have to say goodbye.  For everyone else these changes should be nothing but good as security continues to improve.

What are your thoughts on Project Strobe?  Let us know in the comments below!

 
