Security News
In emails sent over the weekend, Google warned customers again that it would start deleting inactive accounts on December 1st, 2023. Once a Google Account is deleted, the associated Gmail address will become ineligible for use in creating a new Google Account.
Google has published its annual 0-day vulnerability report, presenting in-the-wild exploitation stats from 2022 and highlighting a long-standing problem in the Android platform that elevates the value and use of disclosed flaws for extended periods. Once Google learns about it, it becomes an n-day, with the n reflecting the number of days since it became publicly known.
Google's plans to introduce the Web Environment Integrity API on Chrome have been met with fierce backlash from internet software developers, drawing criticism for limiting user freedom and undermining the core principles of the open web. Google says this is not a privacy risk as it does not enable cross-site user tracking and won't interfere with browser or plugins/extensions functionality.
OpenAI, Google, Microsoft and Anthropic have announced the formation of the Frontier Model Forum. The goal of the Frontier Model Forum is to have member companies contribute technical and operational advice to develop a public library of solutions to support industry best practices and standards.
A new malvertising campaign has been observed leveraging ads on Google Search and Bing to target users seeking IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP, and trick them into downloading trojanized installers with an aim to breach enterprise networks and likely carry out future ransomware attacks. Dubbed Nitrogen, the "opportunistic" activity is designed to deploy second-stage attack tools such as Cobalt Strike, Sophos said in a Wednesday analysis.
A new 'Nitrogen' initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. [...]
Google is set to improve Chrome by introducing a new "Link Preview" feature. Link Preview allows users to view a small popup web page preview simply by clicking or hovering over a hyperlink.
Google has announced that it intends to add support for Message Layer Security to its Messages service for Android and open source an implementation of the specification. "Like the widely used Double Ratchet protocol, MLS allows for asynchronous operation and provides advanced security features such as post-compromise security. And, like TLS 1.3, MLS provides robust authentication."
Infosec in brief: A security weakness in Google Cloud Build could have allowed attackers to tamper with organizations' code repositories and application images, according to Orca Security researchers. The issue, as Google describes it, is more about poorly defined permissions.