Connect with us

Gadgets

Google enables end-to-end encryption for Android’s default SMS/RCS app

Published

on

Enlarge / If you and your chatting partner are both on Google Messages and both have RCS enabled, you’ll see these lock icons to show that encryption is on.

Google

Google has announced that end-to-end encryption is rolling out to users of Google Messages, Android’s default SMS and RCS app. The feature has been in testing for months, and now it’s coming to everyone.

Encryption in Google Messages works only if both users are on the service. Both users must also be in a 1:1 chat (no group chats allowed), and they both must have RCS turned on. RCS was supposed to be a replacement for SMS—an on-by-default, carrier-driven text messaging standard. RCS was cooked up in 2008, and it adds 2008-level features to carrier messaging, like user presence, typing status, read receipts, and location sharing.

Text messaging used to be a cash cow for carriers, but with the advent of unlimited texting and the commoditization of carrier messaging, there’s no clear revenue motivation for carriers to release RCS. The result is that the RCS rollout has amounted to nothing but false promises and delays. The carriers nixed a joint venture called the “Cross-Carrier Messaging Initiative” in April, pretty much killing any hopes that RCS will ever hit SMS-like ubiquity. Apple executives have also indicated internally that they view easy messaging with Android as a threat to iOS ecosystem lock-in, so it would take a significant change of heart for Apple to support RCS.

The result is that Google is the biggest player that cares about RCS, and in 2019, the company started pushing its own carrier-independent RCS system. Users can dig into the Google Messages app settings and turn on “Chat features,” which refers to Google’s version of RCS. It works if both users have turned on the checkbox, but again, the original goal of a ubiquitous SMS replacement seems to have been lost. This makes Google RCS a bit like any other over-the-top messaging service—but tied to the slow and out-of-date RCS protocol. For instance, end-to-end encryption isn’t part of the RCS spec. Since it’s something Google is adding on top of RCS and it’s done in software, both users need to be on Google Messages. Other clients aren’t supported.

Google released a whitepaper detailing the feature’s implementation, and there aren’t too many surprises. The company uses the Signal protocol for encryption, just like Signal, Whatsapp, and Facebook Messenger. The Google Messages web app works fine since it still relies on an (encrypted) local connection to your phone to send messages. Encrypted messages on Wear OS are not supported yet but will be at some point (hopefully in time for that big revamp). Even though the message text is encrypted, third parties can still see metadata like sent and received phone numbers, timestamps, and approximate message sizes.

If you and your messaging partner have all the settings right, you’ll see lock icons next to the send button and the “message sent” status.

Continue Reading

Gadgets

Feds list the top 30 most-exploited vulnerabilities. Many are years old

Published

on

Government officials in the US, UK, and Australia are urging public- and private-sector organizations to secure their networks by ensuring firewalls, VPNs, and other network-perimeter devices are patched against the most widespread exploits.

In a joint advisory published Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Center, and the UK’s National Cyber Security Center listed the top 30 or so most-exploited vulnerabilities. The vulnerabilities reside in a host of devices or software marketed by the likes of Citrix, Pulse Secure, Microsoft, and Fortinet.

“Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the advisory stated. “However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”

What, me patch?

Four of the most-targeted vulnerabilities last year resided in VPNs, cloud-based services, and other devices that allow people to remotely access employer networks. Despite the explosion in work-from-home employees driven by the COVID-19 pandemic, many VPN gateway devices remained unpatched during 2020.

Discovery dates of the top 4 vulnerabilities ranged from 2018 to 2020, an indication of how common it is for many organizations using the affected devices to withhold applying security patches. The security flaws include CVE-2019-19781, a remote code-execution bug in Citrix’s application delivery controller (which customers use to perform load balancing of inbound application traffic); CVE 2019-11510, which allows attackers to remotely read sensitive files stored by the Pulse Secure Pulse Connect Secure VPN; CVE 2018-13379, a path-traversal weakness in VPNs made by Fortinet; and CVE 2020-5902, a code-execution vulnerability in the BIG-IP advanced delivery controller made by F5.

The top 12 flaws are:

Vendor CVE Type
Citrix CVE-2019-19781 arbitrary code execution
Pulse CVE 2019-11510 arbitrary file reading
Fortinet CVE 2018-13379 path traversal
F5- Big IP CVE 2020-5902 remote code execution (RCE)
MobileIron CVE 2020-15505 RCE
Microsoft CVE-2017-11882 RCE
Atlassian CVE-2019-11580 RCE
Drupal CVE-2018-7600 RCE
Telerik CVE 2019-18935 RCE
Microsoft CVE-2019-0604 RCE
Microsoft CVE-2020-0787 elevation of privilege
Netlogon CVE-2020-1472 elevation of privilege

Breaching the gate

The vulnerabilities—all of which have received patches from vendors—have provided the opening vector from an untold number of serious intrusions. For instance, according to an advisory the US government issued in April, hackers working for the Russian government routinely exploited CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781.

That same month, word emerged that a different set of hackers was also exploiting CVE-2018-13379. In one case, the hackers allowed ransomware operators to seize control of two production facilities belonging to a European manufacturer.

Wednesday’s advisory went on to say:

CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.

The officials also listed 13 vulnerabilities discovered this year that are also being exploited in large numbers. The vulnerabilities are:

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
  • VMware: CVE-2021-21985

The advisory provides technical details for each vulnerability, mitigation guidance, and indicators of compromise to help organizations determine if they’re vulnerable or have been hacked. The advisory also provides guidance for locking down systems.

Continue Reading

Gadgets

Apple, AMD, and Intel shift priorities as chip shortages continue

Published

on

Enlarge / Sure, it’s cheaply produced clip art… but it’s also a disturbingly accurate picture of the current state of supply and demand in the semiconductor product market.

2021’s infamous chip shortages aren’t only affecting automakers. In a post-earnings conference call Tuesday, Apple CEO Tim Cook said, “We’ll do everything we can to mitigate whatever circumstances we’re dealt”—a statement that likely means the company will ration its chip supplies, prioritizing the most profitable and in-demand items such as iPhones and AirPods, at the expense of less profitable and lower-demand items.

CFRA analyst Angelo Zino told Reuters that Cook’s somewhat cryptic statement “largely reflects the timing of new product releases”—specifically, new iPhone releases in September. Counterpoint Research Director Jeff Fieldhack speculates from the flip side of the same coin, saying the company will likely direct supply chain “pain” to its least lucrative products. “Assuming Apple prioritizes the iPhone 12 family, it probably affects iPads, Macs, and older iPhones more,” Fieldhack said.

Processor manufacturer AMD has also been carefully managing its supply chain in response to pandemic-induced shortages. With flagship products that finally outperform rival Intel’s, AMD is focusing on the more profitable high end of the market while leaving the economy segment—until a few years ago, its strongest performer—to Intel. “We’re focusing on the most strategic segments of the PC market,” CEO Lisa Su told investors on a conference call.

Apple and AMD are two of semiconductor foundry TSMC’s largest customers—but the problem isn’t limited to TSMC. Intel, which operates its own foundries, acknowledges supply problems of its own. Intel CEO Pat Gelsinger told the BBC that shortages will get worse in the second half of 2021—and that it will be “a year or two” before supplies return to normal.

Gelsinger played up the importance of building new foundries, as Intel is currently doing in Arizona. But he warns that the foundries will take time to get up to speed and begin alleviating shortages—predicting “a year to two years until we’re back to some reasonable supply-demand balance.” This news arrives on the heels of a delay Intel announced this week for its forthcoming 7 nm process, now not expected until 2022.

In some ways, Intel may actually benefit long-term from the pandemic-related supply chain shortages. Although Intel is falling behind rivals AMD and Apple in both performance and power efficiency, the market can only move so far in the absence of supply.

With all vendors selling essentially every processor they can build, Intel’s long-standing ability to produce 80 percent of the world’s x86 desktop CPUs and 90 percent of x86 data center CPUs cements its place in the market—for now—despite ceding performance crowns to its rivals.

Continue Reading

Gadgets

Here’s what that Google Drive “security update” message means

Published

on

“A security update will be applied to Drive,” Google’s weird new email reads. A whole bunch of us on the Ars Technica staff got blasted with this last night. If you visit drive.google.com, you’ll also see a message saying, “On September 13, 2021, a security update will be applied to some of your files.” You can even see a list of the affected files, which have all gotten an unspecified “security update.” So what is this all about?

Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a “get link” option (where anyone with the link can access the file). The “get link” option works the same way as unlisted YouTube videos—it’s not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.

Along with Drive, Google is also changing the way unlisted YouTube links work, and the YouTube support page actually describes this change better than Drive does:

In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven’t shared the link with them.

Google knew about the problem of guessable secret links for a while and changed the way link generation works back in 2017 (presumably for Drive, too?). Of course, that doesn’t affect links you’ve shared in the past, and soon Google is going to require your old links to change, which can break them. Google’s new link scheme adds a “resourcekey” to the end of any shared Drive links, making them harder to guess. So a link that used to look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/” will now look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w.” The resource key makes it harder to guess.

If you head to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your impacted files, and if you mouse over them you’ll see a button on the right to remove or apply the security update. “Applied” means the resourcekey will be required after September 13, 2021, and will (mostly) break the old link, while “removed” means the resourcekey isn’t required and any links out there should keep working.

Google's "impacted files" interface. Feel free to add or remove that security update.

Google’s “impacted files” interface. Feel free to add or remove that security update.

YouTube already went through this process earlier in the month, with all unlisted links before 2017 going dead, unless the owners of the videos are still active on YouTube and opted out. Drive is doing this with a bit more finesse than YouTube, though. Thanks to account-based sharing, anyone who accessed your unlisted Drive links in the past will still be granted access to them, even if you upgrade the security. No new people will be able to access the old, upgraded link, though. This way, if you have a stable community that uses an unlisted file, it should mostly be able to keep on trucking. Any new members, however, will be locked out and will need to request access. If you don’t want this, at any point the owner of the file can hit the “share” button and change the settings to generate a new link or turn off the link altogether.

Not letting third parties create a list of all your unlisted files is a good thing, but don’t confuse this link change with any actual security. You should never share anything over the “unlisted” or “get link” features on YouTube, Drive, or Google Photos if you actually want it to be private. Secret links are just security through obscurity, and even with Google’s upgrades, they should not be considered secure or undiscoverable. This arrangement is totally fine for casual documents, but always assume that anyone in the world can read an “unlisted” file. If you’re OK with that, fine. But if not, use Google’s actually private account-based sharing options.

Continue Reading

Trending