Google Project Zero is a team of highly talented security analysts with a brief to uncover zero-day vulnerabilities. If a vulnerability is found, Project Zero reports to the vendor concerned and starts a 90-day countdown for a fix to be issued before full public disclosure is made. LastPass is also in the security business, being one of the most popular password management solutions with more than 16 million users, including 58,000 businesses. Project Zero has just disclosed that a security vulnerability left some of those 16 million users exposed to the risk of credential compromise as, in an ironic twist, LastPass could leak the last password used to any website visited.
How could the LastPass ‘last password’ vulnerability be exploited?
In a tweet posted September 16, Google Project Zero analyst Tavis Ormandy stated that “LastPass could leak the last used credentials due to a cache not being updated,” adding “this was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!”
Ormandy reported the vulnerability on August 29, as Project Zero issue 1930, which showed how the credentials previously filled by LastPass could be exposed to any website under certain circumstances.
Ferenc Kun, the security engineering manager for LastPass at LogMeIn, which owns LastPass, said in an online statement that this “limited set of circumstances on specific browser extensions” could potentially enable the attack scenario described.
“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” Kun said. “Any potential exposure due to the bug was limited to specific browsers (Chrome and Opera).”
Thankfully, users need to do nothing. LastPass has already patched the vulnerability, and the fix was comprehensively verified with Project Zero. Indeed, the fix was rolled out on September 13, and Kun confirmed that “we have now resolved this bug; no user action is required and your LastPass browser extension will update automatically.”
As a precaution, the LastPass update was deployed to all web browsers and not just Chrome and Opera.
How severe was this vulnerability and should you stop using LastPass?
Let’s deal with the last part of that question first: there’s absolutely no reason to stop using LastPass, or your preferred password manager for that matter. “Although password managers, like any other software, have flaws, the benefits of using one far outweigh the risks,” says ethical hacker John Opdenakker. “It’s far more likely that your accounts will get compromised by attacks that exploit poor passwords,” Opdenakker says, “such as through credential reuse, than by attacks against password managers themselves.”
OK, so how serious was this particular vulnerability? It certainly sounds serious enough, right? Tavis Ormandy at Project Zero allocated the vulnerability a “high” severity rating. Opdenakker isn’t so sure it merits that. “I think it’s most important that LastPass fixed this bug, which is certainly not a critical one, within a reasonable amount of time,” Opdenakker says. “It’s debatable whether it’s high or medium because, as Ormandy says, it doesn’t work for all URLs.”
LastPass security recommendations
Ferenc Kun said that LastPass continues to recommend the following best practices for added online security:
Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
Always enable Multi-Factor Authentication (MFA) for LastPass and other services like your bank, email, Twitter, Facebook, etc.
Never reuse your LastPass master password and never disclose it to anyone, including us.
Use different, unique passwords for every online account.
Keep your computer malware-free by running antivirus with the latest detection patterns and keeping your software up-to-date.
I’m a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at email@example.com if you have a story to reveal or research to share
As anyone who follows baseball or saw the 2011 film Moneyball knows, America’s favorite pastime now runs on data. Players are monitored on a minute level, generating a flood of statistics that both players and managers use to make better decisions. What would happen if we tried the same approach to leadership, Microsoft recently wondered?
What came next is the subject of a fascinating recent New York Times article by Neil Irwin, chronicling the effort of Microsoft HR manager Dawn Klinghoffer and Ryan Fuller, the founder of a data analysis startup, VoloMetrix, acquired by Microsoft, to wring insights from employees’ calendar and email metadata.
The long piece is centered on a mystery: why did people hate working at Microsoft’s hardware division so much (spoiler: the answer is mostly meeting bloat) and is a great read if you have a half hour to spare. But in the course of teasing out this answer, Irwin also reveals a few short, easy-to-digest takeaways of the project that can help anyone become a better leader.
1. Long hours are a sign of a bad leader.
Being a leader is an intense job, so we often expect that those at the top are going to need to put in intense hours. Not so, according to Microsoft’s data on managers. In fact, the analysis showed, “that people who worked extremely long work weeks were not necessarily more effective than those who put in a more normal 40 to 50 hours.”
Leaders, in particular, saw negative effects when they worked long hours. “When managers put in lots of evening and weekend hours, their employees started matching the behavior and became less engaged in their jobs, according to surveys,” notes Irwin.
While the entire Microsoft project could be seen as one big indictment of bloated meetings, that doesn’t mean all get-togethers are bad. In fact, the analysis suggested that one type in particular is essential if you aim to be a great leader.
“One of the strongest predictors of success for middle managers was that they held frequent one-on-one meetings with the people who reported directly to them,” writes Irwin.
3. Wide networks beat deep ones.
Everyone knows that who you know is key to business success, but exactly what sort of contacts are best? The Microsoft data provided a clear answer. When it comes to climbing the ladder, it’s not the depth of your connections that matter most, it’s the breadth.
“People who made lots of contacts across departments tended to have longer, better careers within the company. There was even an element of contagion, in that managers with broad networks passed their habits on to their employees,” Irwin reports.
Again, this jibes with previous research showing that having an open network — i.e. being the type of person who connects different groups and knows people in a broad array of social and professional circles — is one of the best predictors of career success, not just for managers, but for everyone.
But just because these findings aren’t totally groundbreaking doesn’t mean they aren’t valuable. Despite the data, a great many aspiring leaders try to grind their way to the top, neglect one-on-one relationship building, and work mostly to leverage their existing network full of people similar to them rather than trying to broaden their connections.
These results out of Microsoft suggest that just by following the numbers and making a few small changes, you can give yourself a huge leg up in the race to become a successful leader.
I’m a creature of habit. I like to drink the same 400-calorie smoothie every morning after my morning workout, wear the same three black pairs of leggings, listen to the same pump-up jams that I’ve listened to since high school (what’s up, early-2000s pop/punk). And as a creature of habit, I tend to make the same handful of recipes over and over.
Sure, that’s mostly because I’m a terrible cook and not that adventurous in the kitchen, but eating the same things over and over again can help you achieve your weight-loss goals. I have lost about 15 pounds since January, and I find that eating the same lunches repeatedly has kept me on track and takes the guesswork out of tracking my meals.
Since I usually order a takeout salad for lunch anyway, I thought it would be easier if I just made my own salad and brought it in. My 450-calorie salad is actually delicious and provides all three macronutrients (protein, carbs, and fat) to keep me feeling full and satisfied all afternoon. To make things even easier, I just bring all my ingredients to work and chop the veggies when I get there. I don’t have time to slice up a bell pepper or a cucumber in the morning before work, but I do have time to throw all my ingredients in a plastic salad bowl with a lid and run out the door — I like the 2.5-quart bowl from this Sterilite 8 Piece Covered Bowl Set ($12). Check out my recipe below.
450-Calorie Weight-Loss Salad Recipe
Mixed greens (usually bagged Spring mix)
3 ounces of rotisserie chicken (no skin)
1/4 of a cucumber
1/4 of a red bell pepper
1/4 of an avocado
2 tablespoons Greek dressing
In my opinion, the dressing makes all the difference. That’s why I love Primal Kitchen Greek Vinaigrette dressing ($21 for two bottles). It’s made with avocado oil, so it’s full of satiating, healthy fats. I also get more healthy fat from one-fourth of an avocado. For protein, I opt for a slice of rotisserie chicken; I buy a rotisserie chicken from the store on Sunday night and have it the whole week. I also love a variety of colorful veggies to add some healthy carbs.
Although it’s probably easier to keep a bottle of salad dressing in the work fridge, I don’t trust my coworkers (kidding! sort of . . .) so I use the GladWare Mini Round containers ($7 for an eight-count). I can measure out two tablespoons and store it easily. I love these little reusable containers for not only salad dressings, but also stashing nuts, nut butters, and berries.
I’ve been tracking my calories using the Noom weight-loss app and love how the Noom food database is huge and includes all of my favorite foods, snacks, and salad dressings. It makes tracking so much easier. Using the Noom app, I calculated that my salad is 445 calories.
Millions of shiny new Android smartphones are being purchased with dangerous malware factory-installed, according to Google’s own security research team. There have been multiple headlines about the millions of harmful apps being installed from the Play Store, but this is something new. And the danger to unsuspecting users, trusting that new boxed devices are safe and clean, is that some of that preinstalled malware can download other malware in the background, commit ad fraud, or even take over its host device.
Android is a thriving open-source community, which is great for innovation but not so great when threat actors seize the opportunity to hide malware in basic software loads that come on boxed devices. New phones can have as many as 400 apps factory-installed, many of which we just ignore. But it transpires that many of those apps have not been vetted. The apps themselves will work as billed, providing a useful capability or service, so we can be forgiven for not considering the risk that might lurk within.
Google’s Maddie Stone, a security researcher with the company’s Project Zero, shared her team’s findings at Black Hat on Thursday. “If malware or security issues come as preinstalled apps,” she warned, “then the damage it can do is greater, and that’s why we need so much reviewing, auditing and analysis.”
The risk impacts the Android Open Source Project (AOSP), a lower-cost alternative to the full-fat version. AOSP is installed on lower-cost smartphones where cheaper software alternatives help keep prices down. This means owners of Android-badged devices from the likes of Samsung and Google itself are safe from this particular risk.
For an attacker, Stone warned, the benefit of supply chain compromise is that they “only have to convince one company to include their app, rather than thousands of users.” The Google team didn’t disclose any details of the brands of phones involved, but more than 200 device manufacturers fell foul of the testing, with malware allowing the devices to be attacked remotely.
Of particular concern were two especially virulent malware campaigns: Chamois and Triada. Chamois generates various flavors of ad fraud, installs background apps, downloads plugins and can even send premium rate text messages. Chamois alone was found to have come installed on 7.4 million devices. Triada is an older variant of malware, one that also displays ads and installs apps.
Google is working to help device manufacturers screen for such vulnerabilities, and between March 2018 and March 2019, Stone claims such screening helped reduce the instances of devices infected by Chamois from 7.4 million to “only” 700,000. “The Android ecosystem is vast,” she warned, “with a diversity of OEMs and customizations—if you are able to infiltrate the supply chain out of the box, then you already have as many infected users as how many devices they sell—that’s why it’s a scarier prospect.”
In the meantime, the usual advice applies around downloading and installing apps from the Play Store. A healthy dose of skepticism does not go amiss when the app is from an unknown source. Not much users can do if those threats come preinstalled, though, and that’s why this revelation is so dangerous. For this one we need to rely on manufacturers to do the right thing and follow Google’s advice in screening software fully to eradicate such risks.
I am the Founder/CEO of Digital Barriers, a provider of video surveillance and analytics technologies to security and defense agencies as well as commercial organizations. I cover the sectors in which DB operates, potential conflicts are highlighted.
Berlin, Germany – February 26: In this photo illustration the app of Google Chrome is displayed on a smartphone on February 26, 2018 in Berlin, Germany. (Photo Illustration by Thomas Trutschel/Photothek via Getty Images)
Google is planning to restrict modern ad blocking Chrome extensions to enterprise users only, according to 9to5Google. This is despite a backlash to an announcement by Google in January proposing changes that will stop current ad blockers from working efficiently.
The proposal–dubbed Manifest V3–will see a major transformation to Chrome extensions that includes a revamp of the permissions system. It will mean modern ad blockers such as uBlock Origin—which uses Chrome’s webRequest API to block ads before they’re downloaded–won’t work. This is because Manifest V3 sees Google halt the webRequest API’s ability to block a particular request before it’s loaded.
People aren’t impressed. Many have complained about the move, which effectively takes control away from the user and creates an incentive to use other services instead.
9to5Google highlighted a single sentence buried in the text of Google’s response to the complaints, which clarified the changes: “Chrome is deprecating the blocking capabilities of the webRequest API in Manifest V3, not the entire webRequest API (though blocking will still be available to enterprise deployments).”
In other words, paid enterprise-only users will still have the ability to block unwanted content. It probably means enterprise customers can develop in-house Chrome extensions, not for ad blocking use, 9to5Google says. For everyone else, the changes announced in January will remain the same.
It’s annoying, to say the least, but the reason for these changes is obvious: Ads are at the heart of Google’s business model.
“We are starting to see Google’s conflict of interest arising,” Sean Wright, an independent security consultant told me. “Google relies on the revenue of advertising, so one can see why they would make such a move.”
It’s important to note that the changes won’t stop all ad blockers from working, but exactly who is affected isn’t totally clear. Google sent me a statement by email, which reads: “Chrome supports the use and development of ad blockers. We’re actively working with the developer community to get feedback and iterate on the design of a privacy-preserving content filtering system that limits the amount of sensitive browser data shared with third parties.”
For now, Wright thinks people should use Brave instead: “Brave is built upon Chromium so all existing Chrome plugins and even themes work on it. This is perhaps why it’s seen an increase in user numbers.”
Another option is using something like Pi-Hole, says Wright. “This works on the DNS level and has blacklists of adverts as well as malicious URLs.”
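To make the two filtering layers mentioned above concrete (the blocking webRequest listener that Manifest V3 withdraws from ordinary extensions, and the DNS-level approach Wright describes for Pi-hole), here is an added illustration. It is not code from uBlock Origin, Google, Pi-hole or the article: the blocklist entries, the upstream lookup table and the decision to leave top-level page loads alone are constructed assumptions; the `chrome.webRequest.onBeforeRequest.addListener` registration is the real Manifest V2 API shape, guarded so the file also runs outside a browser.

```javascript
// Added example (not code from uBlock Origin, Google, Pi-hole or the article):
// a minimal request filter in the shape of a Manifest V2 "blocking"
// webRequest listener, plus the DNS-level equivalent used by Pi-hole-style tools.

// Constructed sample blocklist entries, not a real filter list.
const BLOCKED_HOSTS = [
  "ads.example",
  "tracker.example.net",
];

// Normalise a hostname and test it and every parent domain against the list,
// so "cdn.ads.example" is blocked by the entry "ads.example" while
// "notads.example" is not.
function hostIsBlocked(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (BLOCKED_HOSTS.includes(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Decision function with the signature of a webRequest.onBeforeRequest
// listener. Returning {cancel: true} is the "blocking" behaviour the article
// says Manifest V3 removes for non-enterprise extensions: the request never
// leaves the browser, so the ad is neither downloaded nor rendered.
function onBeforeRequest(details) {
  let host;
  try {
    host = new URL(details.url).hostname;
  } catch (e) {
    return {}; // unparsable URL: let the browser proceed as it normally would
  }
  // Design choice for this example: filter sub-resources only, never the
  // top-level page the user deliberately navigated to.
  if (details.type === "main_frame") return {};
  return hostIsBlocked(host) ? { cancel: true } : {};
}

// How such a listener is registered under Manifest V2. The "blocking" option
// is the capability that Manifest V3 limits to enterprise deployments.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    onBeforeRequest,
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}

// DNS-level alternative: answer blocklisted names with an unroutable address
// so the client never opens a connection at all. A real resolver forwards
// everything else upstream; this constructed table stands in for that.
const UPSTREAM = { "news.example": "192.0.2.10" };
function resolve(qname) {
  const name = qname.toLowerCase().replace(/\.$/, "");
  if (hostIsBlocked(name)) return "0.0.0.0";
  return UPSTREAM[name] || null;
}
```

The two functions make the trade-off visible: the extension listener sees the full URL and resource type and can decide per request, whereas the DNS sinkhole sees only a hostname, so it cannot distinguish an ad script from a legitimate page on the same host but works for every device and browser that uses the resolver.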
When you’re working in a word processor, every second you save matters. And while Google Docs may seem simple on the surface, it’s practically overflowing with out-of-sight options that can help you get more done with less effort.
The best part? They’re all already there and just waiting to be embraced. All you have to do is find them–and then remember to put them to use. Here’s a head start.
(Note that the items listed below are mostly specific to Docs’s version for desktop web browsers. Unless otherwise noted, they don’t apply to the mobile apps.)
Edit like a pro
1. The next time you need to move text within a document, skip the cutting and pasting and shift text the faster way: Just highlight the paragraph you want to reposition and then click and drag it with your mouse–or, in an even more efficient twist, place your cursor anywhere inside the paragraph, hold down Alt and Shift together, and then use your arrow keys to move it wherever you want.
2. Need your text to be a little larger or smaller? Docs has a pair of super-handy shortcuts that’ll change font size on the fly: Hold down Ctrl (or Cmd) and Shift and then press the period key to bump the font size up by one point or the comma key to bump it down.
3. With just a few quick clicks, Docs can copy the formatting from one area of text and apply it to another. The trick lies within that paint roller icon in the upper-left corner of the Docs toolbar (directly to the right of the print icon). Place your cursor on the text that has the formatting you want, click the paint roller, and then click the paragraph where you want the formatting to be applied. The font, size, style, and color should all show up instantly.
If you want to apply the formatting to more than one area of text, double-click the paint roller at the start of the process. That’ll force it to remain active through numerous applications.
You can get to any Google Docs function in no time by using the program’s menu search command.
4. Save yourself the trouble of digging through Docs’s menus to find what you need and instead use the Alt-/ shortcut to search all available functions in no time. Say you want to convert some text into title case, for instance. Rather than digging around in the Format menu, you can simply highlight the text in question, hit Alt and then /, type “ti”–and then, when “Title Case” appears as the top option, hit Enter to apply it.
5. Docs can automatically organize your documents to make them easier to get around: Open up the View menu and select “Show document outline”–or just hit Ctrl-Alt-H (or Cmd-Alt-H)–and the app will create a complete outline in the left area of the screen, with every line of header text representing a section. You can then click on any of those sections to jump directly to that part of the document. (This one is also available in the Docs mobile apps; just look for the “Document outline” option in the apps’ main menu.)
6. Give your fingers a break and let Docs turn your spoken words into text: As long as your computer has a microphone, all you have to do is open the Tools menu and select “Voice typing”–or hit Ctrl-Shift-S (or Cmd-Shift-S)–and then speak away. Docs will use Google’s standard voice-to-text system to figure out what you’re saying (mostly, anyway) and put it on the page.
7. Docs’s voice-to-text function also lets you speak commands for common forms of punctuation and paragraph formatting. You can say things like “period,” “comma,” and “question mark” or give instructions like “new line” or “new paragraph.” If you want to take a break, say “stop listening” and then say “resume” when you’re ready to continue.
8. In addition to taking down text, Docs’s voice typing mode allows you to perform advanced edits via spoken command. The system supports a huge range of functions–selecting specific words, phrases, or paragraphs; applying different types of formatting to text; cutting, copying, and pasting; and even scrolling through a document or jumping to specific parts of the page. You can find a full list of available commands here.
9. Docs’s dictation feature is good for more than just regular writing and editing: Anytime you have some audio that needs to be turned into text–from a recorded interview, a podcast, or whatever the case may be–find a quiet room for your computer, fire up Docs’s voice typing mode, and let the audio play. Docs will provide a full transcription of your recorded audio, no specialty services or fees required.
Docs’s Explore function brings a world of research right into your word processor.
10. Docs makes it possible to do all of your research without ever leaving your word processor–both on the desktop and from your mobile device. Open up Docs’s Explore tool by looking in the Explore menu (or pressing Ctrl-Alt-Shift-I or Cmd-Alt-Shift-I) on the desktop site or by finding the “Explore” option in the mobile apps’ main menu (while you’re actually editing a document). Docs will bring up a series of web results, images, and related documents from your own past work. You can perform new searches right within that window as well–and when you find something you’d like to include in your current document, you can add it and even attach a footnote citation with a single click or tap.
11. Attention, Google Photos users: Docs makes it easy as can be to add images from your Photos collection directly into your documents. Click the Insert menu and select “Image” to find the option. You can also add an image from your Google Drive storage, by URL, or by searching the web from that same area.
12. Docs has its own tool to let you crop or edit images: Just click on an image within your document, then click the Format menu and select “Image.” There, you’ll find the command for cropping as well as a broader “Image Options” selection that contains functions for recoloring and adjusting the image’s transparency, brightness, and contrast.
13. Not confident about a word’s meaning? Hit Ctrl-Shift-Y (or Cmd-Shift-Y) while your cursor’s on the word. Docs will dig up a definition for you and show it to you on the right side of the screen.
14. If you use Google Keep as a note-taker, you can access your notes while working on a document and even insert an entire note into your current page. Look for the “Keep notepad” option within the Tools menu to pull up the Keep sidebar. Once it’s there, you can view and edit your notes–and if you want to dump a note’s contents in your document, hover over the note and then click the three-dot menu icon that appears.
Collaborate and share
15. Don’t let a language barrier keep you from communicating. Docs has a native system that can translate entire documents into other languages: Click the Tools menu, then select “Translate document.” You’ll then be able to select the language you want and provide a new name for your translated file. Fácil, ¿no?
16. You’d never know it, but Google Docs allows you to tag other users to get their attention while collaborating. Just start writing a comment–by clicking the circular icon that appears when you hover over the right side of a document on the desktop or by tapping the plus icon and then selecting “Comment” in the mobile app–and then type @ or + followed by the first few letters of a person’s name. Docs will start offering options from your Google Contacts list. And if you want to add someone who isn’t in your contacts list, just use an email address instead of a name.
If the person you select already has access to the document, they’ll receive an email notifying them of the mention. If they don’t, Docs will prompt you to share the document with them before proceeding.
17. You can also email any message you want to collaborators, along with an attachment of a document, directly from Docs. Look for the “Email collaborators” option in the File menu to get started. (Your message will come from the primary email address associated with your Google account.)
18. Maybe you want to send a copy of your document to someone via email without adding them as a collaborator–to provide the file to a client, for instance, or share it with someone outside of your organization for review. Docs can do that: Just open up the File menu and select “Email as attachment.” You’ll be able to select from a variety of formats or even opt to include the text within the email body.
19. Docs can turn any document into a live, functioning web page that you can then share or embed as you wish. See the “Publish on the web” option within the File menu to explore the possibility.
20. If you want to point people to a specific section of your document, use Docs’s bookmarking feature to create a direct link to any area of the text. Place your cursor where you want the link to reside, then open the Insert menu and select “Bookmark.” A pop-up will appear with the link, though you’ll still need to be sure to share the document appropriately (either with the people you want to be able to view it or publicly, if you want everyone to be able to access it) before it’ll work for anyone other than you.
21. Want to send someone a link to a PDF version of your document? Copy the full URL in your browser’s address bar while you’re editing the document, then change the “/edit” at the very end to “/export?format=pdf” (without the quotation marks). As long as people to whom you’re sending have access to the document, they’ll get a PDF of your work as soon as they open the link.
22. You can use a similar trick to turn your document into a template for other people’s ongoing use: Once again, copy the full URL in your browser’s address bar while you’re editing the document—but this time, change the “/edit” at the end to “/copy” (again, without the quotation marks). Send that link to anyone with whom you’ve shared the file, and when they open it, they’ll be prompted to make a copy in their own Docs storage and then work on it from there.
Expand your word processing horizons
23. Google Docs can give you a helping hand with design by way of its built-in template gallery: Open up the gallery to browse through the available options–ranging from résumés to project proposals and even some advanced business and legal document formats–and then select any item to open it in Docs and use it as a starting point.
24. Start a new document from anywhere within your browser by adding docs.google.com/create as a bookmark and then placing it in your bookmarks bar–or creating a custom keyboard shortcut that’ll pull the link up on demand.
25. Don’t limit yourself to Docs’s list of default fonts. You can add dozens of fonts into your word processing setup–and once they’re added, they’ll always be available in the regular font dropdown menu. All you have to do is open that dropdown menu and look for the “More fonts” option at the top. Click it and browse or search Google’s web font archive to find the style that meets your needs–then write away with the right look for every project you tackle.