Google is hiring to create a special Android security team that will be tasked with finding vulnerabilities in highly sensitive apps on the Google Play Store.
“As a Security Engineering Manager in Android Security […] Your team will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers,” reads a new Google job listing posted on Wednesday.
Applications that this new team will focus on include the likes of COVID-19 contact tracing apps and election-related applications, with others to follow, according to Sebastian Porst, Software Engineering Manager for Google Play Protect.
The new team will complement the work independent security researchers are doing through the Google Play Security Reward Program (GPSRP).
The GPSRP is Google’s bug bounty program for Android apps listed on the Play Store. Google takes bug reports from security researchers and pays for the bugs on behalf of the app owners.
However, this program is limited to apps that have more than 100 million users.
Apps that handle sensitive data or perform critical tasks aren’t always eligible for GPSRP rewards and are less likely to be mass-tested by bug hunters.
“Definitely a good move,” Lukáš Štefanko, a mobile malware analyst at Slovak security firm ESET, told ZDNet today when asked to describe Google’s latest effort.
“Finding security issues with serious impact isn’t that easy and requires a lot of time and experience,” Štefanko added.
Having a dedicated team ensures that some of the world’s best security talent and full effort are put into looking at apps that might slip under the radar and end up being exploited with devastating consequences.
Microsoft’s inaugural Security Signals report for March 2021 shows that 80% of enterprises have experienced one firmware attack during the past two years, but less than a third of security budgets are dedicated to protecting firmware. Firmware attacks are tricky to deal with. State-sponsored hacking group APT28, or Fancy Bear, was caught in 2018 using a Unified Extensible Firmware Interface (UEFI) rootkit to target Windows PCs. There have also been attacks that rely on hardware drivers, such as RobbinHood, Uroburos, Derusbi, Sauron and GrayFish, as well as ThunderSpy, a theoretical attack aimed at Thunderbolt ports.
Microsoft launched a new range of “Secured-Core” Windows 10 PCs last year to counter malware that tampers with the motherboard code that boots a PC. It has also released a UEFI scanner in Microsoft Defender ATP to scan inside the firmware filesystem for the presence of malware. But enterprises aren’t treating firmware attacks seriously enough, according to a study that Microsoft commissioned Hypothesis Group to conduct. “The study showed that current investment is going to security updates, vulnerability scanning, and advanced threat protection solutions,” Microsoft notes. “Yet despite this, many organizations are concerned about malware accessing their system as well as the difficulty in detecting threats, suggesting that firmware is more difficult to monitor and control. Firmware vulnerabilities are also exacerbated by a lack of awareness and a lack of automation.”
It’s worth noting that Microsoft is promoting its “emerging class of secured-core hardware”, such as the Arm-based Surface Pro X with the SQ2 processor, which starts at $1,500, or HP’s Dragonfly laptops that retail for no less than $2,000. But the company does have a point. Firmware lives below the operating system and is where credentials and encryption keys are stored in memory, where they are not visible to antivirus software. “Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime below the kernel. And attackers have noticed,” Microsoft says.
The question is whether security teams are looking enough at future threats. Microsoft thinks they’re not. The Security Signals survey found that 36% of businesses invest in hardware-based memory encryption and 46% are investing in hardware-based kernel protections. Microsoft’s study found that security teams are focussing on “protect and detect” models of security, pointing out that only 39% of security teams’ time is spent on prevention. The lack of proactive defense investment in kernel attack vectors is an example of this outdated model, according to Microsoft. Most of the 1,000 enterprise security decision makers interviewed (82%) said they don’t have enough resources to address high-impact security work because they’re too busy dealing with patching, hardware upgrades, and mitigating internal and external vulnerabilities.
GitHub has finally fixed a high severity security flaw reported to it by Google Project Zero more than three months ago.
The bug affected GitHub’s Actions feature – a developer workflow automation tool – that Google Project Zero researcher Felix Wilhelm said was “highly vulnerable to injection attacks”. GitHub Actions supports a feature called workflow commands as a communication channel between the Action runner and the executed action.
While Google described it as a ‘high severity’ bug, GitHub argued it was a ‘moderate security vulnerability’.
Google Project Zero usually discloses any flaws it finds 90 days after reporting them, and by November 2, GitHub had exceeded Google’s one-off grace period of 14 days without having fixed the flaw.
A day before the extended disclosure deadline, GitHub told Google it would not be disabling the vulnerable commands by November 2 and then requested an additional 48 hours – not to fix the issue, but to notify customers and determine a ‘hard date’ at some point in the future. Google then published details of the bug 104 days after it reported the issue to GitHub.
GitHub finally got around to addressing the issue last week by disabling the feature’s old runner commands, “set-env” and “add-path”, as per Wilhelm’s suggestion. The fix was implemented on November 16, two weeks after Wilhelm publicly disclosed the issue.
As Wilhelm noted in his bug report, the former version of GitHub’s action runner command “set-env” was interesting from a security perspective because it could be used to define arbitrary environment variables as part of a workflow step.
“The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable,” wrote Wilhelm.
“In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.”
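The two mechanisms Wilhelm contrasted can be simulated in a few lines. The following is an added example, not code from the article or from GitHub’s runner: it emulates the legacy parser that treated every STDOUT line as a potential `::set-env` / `::add-path` command, the replacement in which only lines appended to the `$GITHUB_ENV` file are honoured, and an audit helper that flags log lines the legacy parser would have acted on. The regular expressions are a simplification of the real runner’s parsing, and the issue title and log lines are constructed sample data.

```python
"""Legacy vs. hardened GitHub Actions environment channel, simulated.

Added example; the regexes approximate, rather than reproduce, the runner's parser.
"""
import re
from typing import Dict, List, Tuple

# Legacy workflow-command syntax that the runner parsed out of STDOUT:
#   ::set-env name=NAME::VALUE
#   ::add-path::PATH
LEGACY_SET_ENV = re.compile(r"^::set-env name=(?P<name>[^:=]+)::(?P<value>.*)$")
LEGACY_ADD_PATH = re.compile(r"^::add-path::(?P<path>.+)$")


def legacy_runner_parse(stdout_lines: List[str]) -> Dict[str, object]:
    """Emulate the pre-fix runner: any line a step prints may become a command.

    Returns the environment variables and PATH entries the runner would apply
    to later steps, regardless of whether the text came from the action's own
    code or from untrusted content it merely echoed.
    """
    env: Dict[str, str] = {}
    paths: List[str] = []
    for line in stdout_lines:
        stripped = line.strip()
        m = LEGACY_SET_ENV.match(stripped)
        if m:
            env[m.group("name")] = m.group("value")
            continue
        m = LEGACY_ADD_PATH.match(stripped)
        if m:
            paths.append(m.group("path"))
    return {"env": env, "path": paths}


def fixed_runner_parse(stdout_lines: List[str], github_env_lines: List[str]) -> Dict[str, str]:
    """Emulate the post-fix runner: STDOUT is inert, only $GITHUB_ENV counts.

    The file uses NAME=VALUE lines written deliberately by the step
    (e.g. echo "NAME=value" >> "$GITHUB_ENV"); printed text is ignored.
    """
    del stdout_lines  # intentionally unused: printed lines no longer set variables
    env: Dict[str, str] = {}
    for line in github_env_lines:
        if "=" in line:
            name, _, value = line.partition("=")
            env[name.strip()] = value.strip()
    return env


def find_legacy_commands(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Audit helper: (line number, text) of lines the legacy parser would honour.

    Useful when reviewing archived job logs or actions that print untrusted input.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        stripped = line.strip()
        if LEGACY_SET_ENV.match(stripped) or LEGACY_ADD_PATH.match(stripped):
            hits.append((number, stripped))
    return hits


# Constructed sample: a step echoes an issue title verbatim. The title is
# untrusted input, and its second line happens to look like a workflow command.
UNTRUSTED_TITLE = "Fix typo\n::set-env name=EXAMPLE_VAR::injected"
SAMPLE_STDOUT = ["Processing issue #123", *UNTRUSTED_TITLE.splitlines(), "done"]
SAMPLE_GITHUB_ENV = ["BUILD_ID=42"]  # what the step itself wrote to $GITHUB_ENV

if __name__ == "__main__":
    print("legacy:", legacy_runner_parse(SAMPLE_STDOUT))
    print("fixed: ", fixed_runner_parse(SAMPLE_STDOUT, SAMPLE_GITHUB_ENV))
    print("audit: ", find_legacy_commands(SAMPLE_STDOUT))
```

Under the legacy parser the echoed title sets `EXAMPLE_VAR` for every subsequent step; under the file-based mechanism the same output changes nothing, and only `BUILD_ID` (written on purpose) is applied. The audit helper is the defender's view of the same parsing rule: run over a job log it points at exactly the lines that would have been interpreted.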
Now that GitHub has disabled the two vulnerable commands, Wilhelm has also updated his issue report to confirm the issue is fixed.
Antivirus vendor NortonLifeLock this afternoon said it will merge with Britain’s Avast PLC in a transaction combining cash and stock in two different options, totaling between $8.1 billion and $8.6 billion in stock. That value is roughly equivalent to the value in U.S. dollars of Avast’s enterprise value, which takes into account its cash and debt, of £6.5 billion, based on the closing price of Avast stock Tuesday of £5.68 on the London Stock Exchange. NortonLifeLock shares rose 2.5% in late trading. The two companies said in the joint press release that their respective boards of directors see an opportunity to “create a new, industry-leading consumer Cyber Safety business, leveraging the established brands, technology and innovation of both groups to deliver substantial benefits to consumers, shareholders, and other stakeholders.” The two companies said the deal will bring together product lines that are broadly complementary, while giving the combined company a user base of over half a billion customers. The deal will broaden the geographic market coverage of the combined company.
In addition, the two expect to realize “$280 million of annual gross cost synergies.” Under terms of the deal, “Avast shareholders will be entitled to receive a combination of cash consideration and newly issued shares in NortonLifeLock with alternative consideration elections available.” Based on NortonLifeLock’s closing share price of USD 27.20 on July 13, 2021 (being the last trading day for NortonLifeLock shares before market speculation began in relation to the merger on July 14, 2021, resulting in the commencement of the offer period), the merger values Avast’s entire issued and to be issued ordinary share capital between approximately USD 8.1B and USD 8.6B, depending on Avast shareholders’ elections.
In a companion deck of slides, the two companies detail two options for shareholders. Option one is to receive 31% of the deal in cash and 69% in stock; option two is to receive 90% in cash and 10% in stock.
NortonLifeLock CEO Vincent Pilette called the deal “a huge step forward for consumer Cyber Safety” that he said “will ultimately enable us to achieve our vision to protect and empower people to live their digital lives safely.” Added Pilette, “With this combination, we can strengthen our Cyber Safety platform and make it available to more than 500 million users. We will also have the ability to further accelerate innovation to transform Cyber Safety.”
Said Avast CEO Ondřej Vlček, “At a time when global cyber threats are growing, yet cyber safety penetration remains very low, together with NortonLifeLock, we will be able to accelerate our shared vision of providing holistic cyber protection for consumers around the globe.” Added Vlček, “Our talented teams will have better opportunities to innovate and develop enhanced solutions and services, with improved capabilities from access to superior data insights. Through our well-established brands, greater geographic diversification and access to a larger global user base, the combined businesses will be poised to access the significant growth opportunity that exists worldwide.”
Pilette, and NortonLifeLock’s CFO, Natalie Derse, will remain in those positions in the combined company. Avast CEO Vlček will join NortonLifeLock as President and will join the Board of Directors. Pavel Baudiš, a co-founder and current director of Avast, is expected to join the Board as an independent director, the companies said. NortonLifeLock, formerly the consumer security technology arm of Symantec, separated from Symantec when the enterprise security business was purchased by Broadcom in late 2019. Eleven-year-old Avast focuses on software for consumers and small and medium businesses.
The take-out price represents a multiple of roughly 9.6 times projected revenue this year for Avast of £678 million, and a multiple of projected EBITDA profit of 17 times.