Connect with us

Biz & IT

Google walkout organizer: ‘I hope I still have a career in Silicon Valley after this’

Published

on

Shouting “women’s rights are worker’s rights” and a number of other #TimesUp and #MeToo chants, upwards of 1,000 Google employees gathered at San Francisco’s Harry Bridges Plaza Thursday to protest the company’s handling of sexual harassment and misconduct cases.

Staffers from all of Google’s San Francisco offices were in attendance. An organizer who declined to be named told TechCrunch there were 1,500 Google employees across the globe that participated in the 48-hour effort to arrange a worldwide walkout. The effort was a success. More than 3,000 Googlers and supporters of the movement attended the New York City walkout alone. The organizers said that the 1,000 people who came out for the San Francisco walkout was double the number they expected.

Cathay Bi, a Google employee in San Francisco and one of the walkout organizers, told a group of journalists at the rally that she was conflicted with participating in the walkout and ultimately decided not to go public with her own story of sexual harassment.

“I experienced sexual harassment at Google and I didn’t feel safe talking about it,” said Bi, pictured above. “That feeling of not being safe is why I’m out here today. I’d love it if everyone felt safe talking about it.”

“There were many times over the course of the last 24 hours that I emailed the group and said ‘I’m not doing this because I’m scared,’ but that fear is something everyone else feels,” she said. “I said to myself last night, I hope I still have a career in Silicon Valley after this.”

Other organizers declined to go on the record.

There were protests around the globe today, including in London, Dublin, Montreal, Singapore, New York City, San Francisco, Seattle and Cambridge, following a New York Times investigation that revealed Google had given Android co-creator Andy Rubin a $90 million exit package despite multiple relationships with other Google staffers and credible accusations of sexual misconduct made against him. That story, coupled with tech’s well-established issue of harassment and discrimination toward women and underrepresented minorities, was a catalyst for today’s rallies.

At the rally, Google employees read off their list of demands, which includes an end to forced arbitration in cases of harassment and discrimination, a commitment to end pay and opportunity inequity, and a clear, inclusive process for reporting sexual misconduct safely and anonymously.

They’re also requesting that the search giant promote chief diversity officer Danielle Brown to a role in which she reports directly to chief executive officer Sundar Pichai, as well as the addition of an employee representative to the company’s board of directors.

Here’s the statement from Pichai that Google provided to TechCrunch this morning: “Earlier this week, we let Googlers know that we are aware of the activities planned for today and that employees will have the support they need if they wish to participate. Employees have raised constructive ideas for how we can improve our policies and our processes going forward. We are taking in all their feedback so we can turn these ideas into action.”

Now, employees around the globe await Google’s highly-anticipated course of “action.”

“These types of changes don’t happen overnight,” Bi said. “If we expected them overnight we would have the wrong expectations of how these movements take place.”

Source link

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published.

Biz & IT

Google closes data loophole amid privacy fears over abortion ruling

Published

on

Google is closing a loophole that has allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort welcomed by privacy campaigners in the wake of the US Supreme Court’s decision to end women’s constitutional right to abortion.

It also took a further step on Friday to limit the risk that smartphone data could be used to police new abortion restrictions, announcing it would automatically delete the location history on phones that have been close to a sensitive medical location such an abortion clinic.

The Silicon Valley company’s moves come amid growing fears that mobile apps will be weaponized by US states to police new abortion restrictions in the country.

Companies have previously harvested and sold information on the open market including lists of Android users using apps related to period tracking, pregnancy and family planning, such as Planned Parenthood Direct.

Over the past week, privacy researchers and advocates have called for women to delete period-tracking apps from their phones to avoid being tracked or penalised for considering abortions.

The US tech giant announced last March that it would restrict the feature, which allows developers to see which other apps are installed and deleted on individuals’ phones. That change was meant to be implemented last summer, but the company failed to meet that deadline citing the pandemic among other reasons.

The new deadline of July 12 will hit just weeks after the overturning of Roe vs Wade, a ruling that has thrown a spotlight on how smartphone apps could be used for surveillance by US states with new anti-abortion laws.

“It’s long overdue. Data brokers have been banned from using the data under Google’s terms for a long time, but Google didn’t build safeguards into the app approvals process to catch this behavior. They just ignored it,” said Zach Edwards, an independent cyber security researcher who has been investigating the loophole since 2020.

“So now anyone with a credit card can purchase this data online,” he added.

Google said: “In March 2021, we announced that we planned to restrict access to this permission, so that only utility apps, such as device search, antivirus, and file manager apps, can see what other apps are installed on a phone.”

It added: “Collecting app inventory data to sell it or share it for analytics or ads monetisation purposes has never been allowed on Google Play.”

Despite widespread usage by app developers, users remain unaware of this feature in Android software—a Google-designed programming interface, or API, known as the “Query All Packages.” It allows apps, or snippets of third-party code inside them, to query the inventory of all other apps on a person’s phone. Google itself has referred to this type of data as high-risk and “sensitive,” and it has been discovered being sold on to third parties.

Researchers have found that app inventories “can be used to precisely deduce end users interests and personal traits,” including gender, race and marital status, among other things.

Edwards has found that one data marketplace, Narrative.io, was openly selling data obtained by intermediaries in this way, including smartphones using Planned Parenthood, and various period tracking apps.

Narrative said it removed pregnancy tracking and menstruation app data from its platform in May, in response to the leaked draft outlining the Supreme Court’s forthcoming decision.

Another research company, Pixalate, discovered that consumer apps, like a simple weather app, were running bits of code that exploited the same Android feature and were harvesting data for a Panamanian company with ties to US defense contractors.

Google said it “never sells user data, and Google Play strictly prohibits the sale of user data by developers. When we discover violations we take action,” adding it had sanctioned multiple companies believed to be selling user data.

Google said it would restrict the Query All Packages feature to only those who require it from July 12. App developers will be required to fill out a declaration explaining why they need access, and notify Google of this before the deadline so it can be vetted.

“Deceptive and undeclared uses of these permissions may result in a suspension of your app and/or termination of your developer account,” the company warned.

Additional reporting by Richard Waters.

© 2022 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.

Continue Reading

Biz & IT

Billing fraud apps can disable Android Wi-Fi and intercept text messages

Published

on

Android malware developers are stepping up their billing fraud game with apps that disable Wi-Fi connections, surreptitiously subscribe users to pricey wireless services, and intercept text messages, all in a bid to collect hefty fees from unsuspecting users, Microsoft said on Friday.

This threat class has been a fact of life on the Android platform for years, as exemplified by a family of malware known as Joker, which has infected millions of phones since 2016. Despite awareness of the problem, little attention has been paid to the techniques that such “toll fraud” malware uses. Enter Microsoft, which has published a technical deep dive on the issue.

The billing mechanism abused in this type of fraud is WAP, short for wireless application protocol, which provides a means of accessing information over a mobile network. Mobile phone users can subscribe to such services by visiting a service provider’s web page while their devices are connected to cellular service, then clicking a button. In some cases, the carrier will respond by texting a one-time password (OTP) to the phone and requiring the user to send it back in order to verify the subscription request. The process looks like this:

Microsoft

The goal of the malicious apps is to subscribe infected phones to these WAP services automatically, without the notice or consent of the owner. Microsoft said that malicious Android apps its researchers have analyzed achieve this goal by following these steps:

  1. Disable the Wi-Fi connection or wait for the user to switch to a mobile network
  2. Silently navigate to the subscription page
  3. Auto-click the subscription button
  4. Intercept the OTP (if applicable)
  5. Send the OTP to the service provider (if applicable)
  6. Cancel the SMS notifications (if applicable)

Malware developers have various ways to force a phone to use a cellular connection even when it’s connected to Wi-Fi. On devices running Android 9 or earlier, the developers can invoke the setWifiEnabled method of the WifiManager class. For versions 10 and above, developers can use the requestNetwork function of the ConnectivityManager class. Eventually, phones will load data exclusively over the cellular network, as demonstrated in this image:

Microsoft

Once a phone uses the cellular network for data transmission, the malicious app surreptitiously opens a browser in the background, navigates to the WAP subscription page, and clicks a subscribe button. Confirming the subscription can be tricky because confirmation prompts can come by SMS, HTTP, or USSD protocols. Microsoft lays out specific methods that malware developers can use to bypass each type of confirmation. The Microsoft post then goes on to explain how the malware suppresses periodic messages that the subscription service may send the user to remind them of their subscription.

“By subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges,” Microsoft researchers wrote. “Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed.”

Google actively bars apps from its Play market when it detects signs of fraud or malice, or when it receives reports of malicious apps from third parties. While Google often doesn’t remove malicious apps until after they have infected millions of users, apps downloaded from Play are generally regarded as more trustworthy than apps from third-party markets.

Continue Reading

Biz & IT

Microsoft Exchange servers worldwide hit by stealthy new backdoor

Published

on

Getty Images

Researchers have identified stealthy new malware that threat actors have been using for the past 15 months to backdoor Microsoft Exchange servers after they have been hacked.

Dubbed SessionManager, the malicious software poses as a legitimate module for Internet Information Services (IIS), the web server installed by default on Exchange servers. Organizations often deploy IIS modules to streamline specific processes on their web infrastructure. Researchers from security firm Kaspersky have identified 34 servers belonging to 24 organizations that have been infected with SessionManager since March 2021. As of earlier this month, Kaspersky said, 20 organizations remained infected.

Stealth, persistence, power

Malicious IIS modules offer an ideal means to deploy powerful, persistent, and stealthy backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. To the untrained eye, the HTTP requests look unremarkable, even though they give the operator complete control over the machine.

“Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request,” Kaspersky researcher Pierre Delcher wrote. “As a result, such modules are not easily spotted by usual monitoring practices: they do not necessarily initiate suspicious communications to external servers, receive commands through HTTP requests to a server that is specifically exposed to such processes, and their files are often placed in overlooked locations that contain a lot of other legitimate files.”

Kaspersky

Once SessionManager is deployed, operators use it to profile the infected environment further, gather passwords stored in memory, and install additional tools, including a PowerSploit-based reflective loader, Mimikat SSP, ProcDump, and a legitimate Avast memory dump tool. Kaspersky obtained multiple SessionManager variants that date back to at least March 2021. The samples show a steady evolution that has added more features with each new version. The most recent version of the malicious module includes the following:

Command name
(SM_SESSION cookie value)
Command parameters
(additional cookies)
Associated capability
GETFILE FILEPATH: path of file to be read. FILEPOS1: offset at which to start reading, from file start.

FILEPOS2: maximum number of bytes to read.

Read the content of a file on the compromised server and send it to the operator as an HTTP binary file named cool.rar.
PUTFILE FILEPATH: path of file to be written.

FILEPOS1: offset at which to start writing.

FILEPOS2: offset reference.

FILEMODE: requested file access type.

Write arbitrary content to a file on the compromised server. The data to be written in the specified file is passed within the HTTP request body.
DELETEFILE FILEPATH: path of file to be deleted. Delete a file on the compromised server.
FILESIZE FILEPATH: path of file to be measured. Get the size (in bytes) of the specified file.
CMD None. Run an arbitrary process on the compromised server. The process to run and its arguments are specified in the HTTP request body using the format: <executable path>t<arguments>. The standard output and error data from process execution are sent back as plain text to the operator in the HTTP response body.
PING None. Check for SessionManager deployment. The “Wokring OK” (sic.) message will be sent to the operator in the HTTP response body.
S5CONNECT S5HOST: hostname to connect to (exclusive with S5IP).

S5PORT: offset at which to start writing.

S5IP: IP address to connect to if no hostname is given (exclusive with S5HOST).

S5TIMEOUT: maximum delay in seconds to allow for connection.

Connect from compromised host to a specified network endpoint, using a created TCP socket. The integer identifier of the created and connected socket will be returned as the value of the S5ID cookie variable in the HTTP response, and the status of the connection will be reported in the HTTP response body.
S5WRITE S5ID: identifier of the socket to write to, as returned by S5CONNECT. Write data to the specified connected socket. The data to be written in the specified socket is passed within the HTTP request body.
S5READ S5ID: identifier of the socket to read from, as returned by S5CONNECT. Read data from the specified connected socket. The read data is sent back within the HTTP response body.
S5CLOSE S5ID: identifier of the socket to close, as returned by S5CONNECT. Terminate an existing socket connection. The status of the operation is returned as a message within the HTTP response body.

Remember ProxyLogon?

SessionManager gets installed after threat actors have exploited vulnerabilities known as ProxyLogon within Microsoft Exchange servers. Kaspersky has found it infecting NGOs, governments, militaries, and industrial organizations in Africa, South America, Asia, and Europe.

Kaspersky

Kaspersky said it has medium-to-high confidence that a previously identified threat actor that researchers call Gelsemium has been deploying SessionManager. Security firm ESET published a deep dive on the group (PDF) last year. Kaspersky’s attribution is based on the overlap of code used by the two groups and victims targeted.

Disinfecting servers that have been hit by SessionManager or similar malicious IIS modules is a complicated process. Kaspersky’s post contains indicators that organizations can use to determine if they’ve been infected and steps they should take in the event they’ve been infected.

Continue Reading

Trending