Google+ to go offline after security breach discovered

Following an exposé by WSJ that revealed Google had kept a huge bug in their Google+ social network under wraps, the search giant has decided to shut it down by late 2019. The bug might have enabled malicious apps to extract profile data such as name, gender, email address, occupation, and age. To make matters worse, Google isn’t sure how many profiles could have been compromised as they only keep log data for two weeks.

The decision to axe Google+ came after an exhaustive review called Project Strobe. The review highlighted a glaring flaw in Google+ API, through which apps could access profile fields that were not public. Only static fields were compromised though, as well as data involving posts, messages, Google account data, and phone numbers. G Suite content was still safe.  

Surprisingly, Google chose not to reveal the bug, and only patched it in March 2018, even though it may have been present since 2015. Google’s Privacy & Data Protection Office decided not to act, as there was no evidence of misuse. Coupled with the social network’s lack of commercial success, Google has finally decided to pull the plug on its consumer version. Google+ for business will still remain a part of their product line.

9th-gen Intel CPUs immune against decades-old vulnerabilities

Intel has quietly introduced hardware protection against a 23-year-old flaw into its new 9th-gen CPUs. Called Meltdown and Spectre, the bugs affect almost all CPUs from major manufacturers and could enable apps to steal information from a CPU’s memory.

While the names may have a Bond-esque ring to them, both Meltdown and Spectre certainly pose a real world threat. Discovered in 2017, the bugs are the product of an optimization technique called “speculative execution.” CPUs speculate which information is most vital and keep them ready if needed. If unused, the CPU simply disregards the data.

Google’s Project Zero discovered a way to access this information in two unintended ways. The first was named Meltdown as it “melts” a CPU’s security measures using speculative execution, while the second, called Spectre, uses the same to trick programs into revealing sensitive information. Spectre is much harder to utilize than Meltdown, but is trickier to patch too. While previous generation CPUs have software patches to address these, the new Intel processors will come with built-in measures against them.

California outlaws weak passwords

A new bill has been enacted by California that requires devices to enforce strong passwords. Called the Information Privacy: Connected Devices Bill, the legal mandate will demand electronic manufacturers to install more robust security features on their devices, such as requiring a new password the first time the user boots it up.

Weak passwords are usually the first entry point for threat actors because they are the easiest to beat. Most modern malware like IoT botnets and ransomware often use brute force tactics to break through passwords and launch their attacks. With mobile devices and IoT becoming more ubiquitous with each passing day, easy-to-guess passwords can prove exceptionally devastating. In addition to IoT, mobile devices and PCs, Industrial Control Systems were also found to be vulnerable as they often come with default credentials that are left unchanged. The bill goes into effect in 2020.

“This may be a game changer,” says Luis Corrons, Avast Security Evangelist. “Most issues surrounding connected devices nowadays are because the device is shipped with a default password. This enables cybercriminals to gain access to them all too easily.” Corrons continues, “While it won't have a huge effect in the short term, in the mid- and long-term it can be really helpful, especially if other states and countries decide to follow California's example.”

Novel hacking campaign against government targets uncovered

A new threat actor using off-the-shelf products to conduct international espionage has been discovered by researchers. The hackers are using free tools like Metaspoilt framework (used to probe for security vulnerabilities), WinZip, Rex Powershell, and codes from Github to carry out the attacks.

Now called Gallmaker, the group is thought to be state-sponsored and is purposefully avoiding regular malware or custom-built tools to avoid suspicion. The majority of their targets are overseas embassies of certain East European countries and military targets in the Middle East. Certain patterns in the group’s target selection have caused researchers to speculate that they may be a state-affiliated actor.

Gallmaker’s attacks start with a spear-phishing email campaign involving content that uses military, government or diplomatic themes. The emails themselves do not contain any malware. Rather they exploit a vulnerability in MS Office’s Dynamic Data Exchange (DDS) to access a computer. The baited document asks the user to enable “protected content” to start the DDE protocol, thereby allowing attackers to issue remote commands to the targeted system.

“Such malware-less attacks are not that new,” says Corrons. “We have seen them for a while in SMBs and enterprises. In most cases, we are talking about advanced and/or targeted attacks.” But Corrons goes on to point out that in order for organizations to defend themselves, “it is important to make sure that your security solution has a behavior module,” he explains. “For example, with Avast, one of our many layers of protection is all about behavior. We do not have to depend on detecting whether or not a file is malicious. If we see that the behavior itself is malicious, even when it is performed by non-malicious software, we will stop it.”

Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.