A New Company Called Alphabet Now Owns Google

Well, this was a very unexpected move by Google.

Google Co-Founder Larry Page announced a restructuring of the whole company, revealing the creation of the umbrella "Alphabet" corporation.

But, don’t worry… Google isn’t dead! Rather, Google will become part of Alphabet.

Why Google Rebrands As ‘Alphabet’
Over time, Google, the Mountain View company has become a lot more than just a Search Engine.

Google created and acquired a large number of other popular Internet services, including Android, YouTube and Gmail, that makes too much difficult for a single company to manage all of them effectively.

According to Google Founders, it’s time, when different projects require different leaders, different company cultures, and different types of resources.

"Our model is to have a strong CEO, who runs each business, with Sergey and me in service to them as needed," Page wrote.

So the founders decided to create an all new parental brand that will manage both Google as well as its other far-flung projects — called ‘Alphabet’, going to be the biggest tech company most people have never heard of.

As a part of the new structure, Alphabet will manage Google and all of its other products, including:

• Google
• Calico, an anti-aging biotech Research Division
• Nest, Google's Smart-Home project
• Sidewalk, a company, focused on Smart Cities
• Fiber, Company for High-speed Internet services
• Investment arms, such as Google Capital and Google Ventures
• R&D unit, such as Google X, developing Self-driving cars and Drones.
• Alphabet Inc. will replace Google Inc. as the publicly traded company on the Nasdaq Stock Exchange, and shareholders will get one Alphabet share for every Google share they previously owned.

G is for 'Google' and 'Sundar Pichai 'is New CEO
Google’s senior vice president Sundar Pichai (Pichai Sundararajan), currently senior vice president of products, will be the new CEO of the Search Engine.

Google is now a more coherent company than it was previous. Google will now include the company's core businesses, including:

• Search Engine
• Advertising, Adwords, and Adsense
• Google Maps
• YouTube, the Video Service
• Android, Mobile operating system
• Chrome operating system
• related technical infrastructure.

And the current CEO Larry Page will become Alphabet’s CEO. Co-founder Sergey Brin will be its president, and Eric Schmidt will be the executive chairman of Alphabet.

"It is clear to us and our board that it is time for Sundar to be CEO of Google," Larry Page wrote in the open letter announcing the creation of Alphabet.

"Google itself is also making all sorts of new products and I know Sundar will always be focused on innovation—continuing to stretch boundaries. I know he deeply cares that we can continue to make 
big strides on our core mission to organize the world's information."

The 43-year-old Sundar Pichai rose quickly at Google, from working with the Chrome team to lead both the team as well as Android as senior vice president of Products.

The Launch of Alphabet Inc. will not affect you at all, but Good news… the company’s shares jumped 6 percent after hours, adding tens of billions of dollars to its value.

Chrome extension for identifying insecure code

In a bid to help developers keep their websites clear of security holes, Google has built - and offered for free - a (currently experimental) Chrome extension called DOM Snitch.

The extension intercepts potentially dangerous JavaScript calls. "Once a JavaScript call has been intercepted, DOM Snitch records the document URL and a complete stack trace that will help assess if the intercepted call can lead to cross-site scripting, mixed content, insecure modifications to the same-origin policy for DOM access, or other client-side issues," explains Radoslav Vasilev on Google's Online Security blog.

Sounds like a good tool for all developers, but especially for those who are still unsure of their JavaScript coding capabilities and wish to be sure they are writing secure code.

By using it, not only can developers monitor the DOM modifications as they happen inside the browser, but they can also export the captured modifications in order to show them to and consult with co-workers.

Apps with dangerous permissions pulled from Chrome Web Store

Do you trust Google to review and ban potentially malicious applications from its online stores?

The Android Market has already been found offering "trojanized" apps, and now the Chrome Web Store has been spotted offering two popular game extensions that request potentially dangerous permissions of users that want to install them.


The apps in question are named Super Mario World and Super Mario 2 and are not manufactured by Nintendo. The fact that they are asking questionable permissions of the users has been discovered by David Rogers, the blogger behind blog.mobilephonesecurity.org, when he was in the process of installing one of them.

"Installation is pretty instantaneous," says Rogers. "As I looked at the screen, I saw the box to the bottom right. 'This extension can access: Your data on all websites, Your bookmarks, Your browsing history'".

He proceeded to deinstall the extension immediately, and searched for an explanation for the unduly broad permissions. The permission to access the user's bookmarks include the permission to read, change, add to and organize his bookmarks, and the one for accessing the user's browser history is supposedly necessary for the app to be able to open new tabs or windows.

But the worst one is the one that gives access to the user's data on all websites. Not only can the app read every page the user visits (think e-mail, Facebook, online banking), but can also use cookies to request the user's data from various websites - in short, the app can impersonate the user to the website.

Apart from being disappointed that Google has failed to spot the problematic permissions and ban the apps, Rogers really takes issues with the "permissions by default" installation.

"You click one button and it’s there, almost immediately with no prompt. Now, I’m not the greatest fan of prompts, but there are times when prompts are appropriate and install time is actually one of them," he explains. "It gives me the chance to review what I’ve selected and make a decision, especially if I hadn't spotted that information on a busy and cluttered webpage."

While I do think that Google has basically made no grave mistake here - it did, after all show the permissions needed - the problem is that for this system to work as it should is that you need to have careful and judicious users. And let's face it, they don't constitute a majority on the Internet.

Rogers also points out that to the average user, the fact that the Chrome Web Store is operated by Google makes him trust implicitly the downloads from it. In his opinion, this should make Google extremely careful when it comes to evaluating and vetting possibly dangerous apps.

In the end, Google has quietly removed the two apps from the market, but has not commented officially on the action. Let's just hope that they will take Rogers' objections in consideration.

Google Chrome sandbox apparently cracked

French security firm VUPEN has announced that its researchers have managed manufacture an exploit able to bypass Google Chrome's sandbox, ASLR and DEP.

It is precisely the sandbox feature what made hackers eschew or fail in their attacks directed at Chrome at Pwn2Own time and time again - since, as researcher Charlie Miller pointed out, it has a "sandbox model that's hard to get out of". The feature is also what secured its reputation as the most secure browser around.

VUPEN researchers have also presented a video that shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64), though no details about it can be actually gleaned from it. According to VUPEN, the user only needs to visit a specially crafted web page with the exploit and a number of payloads are automatically executed, which ultimately allows an attacker to execute arbitrary code outside the sandbox at Medium integrity level.

"The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64)," they simply say, and add that the code and the technical details of the underlying vulnerabilities will not be publicly disclosed, but shared only with their Government customers.

While I understand that various governments will likely pay infinitely more for the details of the vulnerabilities than Google would through it's bounty program, the creation of this exploit, the discovery of this 0day vulnerability, and VUPEN's refusal to share it with the public or Google is extremely bad news for Chrome users.

In the end, we can't know which governments have shelled out for the exploit and how will they use it. If VUPEN doesn't change its mind, I'm afraid the only thing left for Google to do is to try to find out the hole for themselves and patch it, or hope that a researcher more inclined to share with them the details finds it and notifies them.

Safari And Internet Explorer, First To Fall In Pwn2Own

The Pwn2Own contest, reported earlier by SecurityProNews, has taken place this week and two web browsers have already fallen.According to a ComputerWorld report, Apple's Safari fell to a french security company, the hack only took five seconds to implement.

The team which hacked Safari was able to walk home with a $15,000 cash prize and the MacBook Air they performed the hack on. What makes the hack impressive is Apple released asecurity update for the browser which fixed 64 security flaws.

While the Safari hack was done quickly, many have been greatly impressed by the Internet Explorer exploit. Instead of a company, the IE8 hack was developed by a single person, Stephen Fewer. He's an independent researcher who caught the eye of Aaron Portnoy, one of the TippingPoint's team, the group who put the Pwn2Own contest together.

Fewer had to use a few vulnerabilities to successfully hack IE8 on Windows 7. Here's what Portnoy said of the hack, "The most impressive so far" he continues, "He used three vulnerabilities to [not only] bypass ASLR and DEP, but also escape Protected Mode. That's something we've not seen at Pwn2Own before."

While Safari and IE8 have been hacked, Chrome has remained safe. No one has attempted to hack the browser, so their $20,000 prize is safe. The purse was only available to those who hacked the browser on the first day of the content. If anyone is able to successfully hack the browser now or later on, they will receive $10,000 from Google and $10,000 more from TippingPoint.

Pwn2Own has two more days before all is said and done, which will see hackers make their attempts at Mozilla Firefox, and the four smartphone operating systems: Apple iOS, Google Android, Microsoft Windows 7, and RIM' Blackberry.

Pwn2Own Contest Pays Hackers To Exploit Firefox, Internet Explorer, And Google Chrome

Pwn2Own is a contest put together which pits hackers against the major web browsers. Their goal is to successfully exploit the browsers and find bugs which allow for these hacks. The hackers aren't just doing this to be nice either, there's a prize pool worth $125,000. Cash, laptops, and desktops will all be available to win.

The contest features all the major browsers (Firefox, Internet Explorer, Safari, and Chrome), and will be functioning on both Windows 7 PC's and Mac OS X machines. The contest is hosted by TippingPoint, a research organization who works to provide protection against system vulnerabilities.

There are a couple of new additions to the contest, both of which will pay prize money. First, there will be a mobile hacking event. This will pit researchers against the likes of Apple's iOS, Google Android, Microsoft's Windows 7 Phone, and RIM's Blackberry OS.

The news which is really drawing attention to the event is Google Chrome joining in on the action. Not only are they participating, but they're ponying up their own dough to award the hackers. $20,000 will go to the hacker who can find an exploit in Google Chrome first.

Google has been very confident in their belief that Chrome cannot be hacked. This is due to their using of a 'sandbox' anti-exploit defense. This type of defense isolates a program from other system processes, and requires hackers to take an additional step to truly perform a successful breach.

Only on the first day will Google be providing their $20,000 prize. This is due to the fact that on the first day only the browsers themselves will be available to the contestants. On the second and third day, they are allowed to utilize system bugs on the operating systems to perform their hacks. For the last two days Google will still provide a $10,000 award, which will be matched by Tipping Point. So no matter what day a hacker might successfully exploit Chrome, they'll still receive $20,000.

This is the contest's fifth running, and the award money has never been higher. The contest itself is about helping the browser developers better implement security strategies that keep malicious hackers from fulfilling their exploits.

Trojan disguised as Google Chrome extension

The announcement that Google Chrome is now the third most widely used browser wasn't lost on cybercriminals. They follow the crowd, and that explains the recent appearance of a bogus Google Chrome extension that purportedly enables access to documents from emails.

Malware City reports that the offer of downloading the extension comes to the users via email. If the user follows the link, he is taken to a look-alike of the Google Chrome Extensions page, where the "extension" is provided for download.

But, one obvious indication that the file is not what it supposed to be is the extension of the file - instead of .crx, the file in question sports an .exe extension:

It turns out that it's a Trojan that messes with the Windows HOSTS file in such a way that every time the user wants to access Google and Yahoo webpages, he is redirected to malware-laden clones of the search sites.

IE8, iPhone will fall first day of hacking contest, predicts organizer

Microsoft's Internet Explorer 8, not Apple's Safari, will be the first browser to fall in next week's Pwn2Own hacking challenge, the contest organizer said today.

Aaron Portnoy, security research team lead with 3Com TippingPoint, the sponsor of Pwn2Own, also predicted that Apple's iPhone will be the only smartphone hacked during the contest, which starts March 24.

Researchers will compete for $100,000 in cash prizes next week at CanSecWest, the Vancouver, British Columbia, security conference that has been the home of Pwn2Own. The dual-track contest -- one for browsers, the other for mobile operating systems -- will pit hackers against the latest versions of Chrome, Firefox, Internet Explorer (IE) and Safari running on Windows 7 or Mac OS X. The smartphone track will set hackers against Apple's iPhone 3GS, a Blackberry Bold 9700, a Nokia phone running the Symbian S60 platform and a Motorola, most likely a Droid, powered by Google's Android.

So, who do you think are the contenders for surviving this hacking challenge?

Read full report here and updates of the event here.

Google Safe Browsing Feature Could Compromise Privacy

Researcher RSnake has discovered that Google's anti-malware and anti-phishing features for Chrome and Firefox tracks information about user's browsing habits

Google basically stores a cookie on the user's computer that can be used to track him or her, he says. And the cookie can be used to identify the IP addresses he or she visits, for instance. Hansen says Google logs that data for anti-distributed denial-of-service (DDoS) purposes.

"In Chrome, every five hours it phones home" to check for the current version and"sends a payload including machine ID and user ID," says RSnake.

The only way to protect your privacy from this, he says, is to turn off the anti-phishing and anti-malware options. "The bummer is you're turning off a great service," he says. "It protects you from malware" and other threats, he says.

The good news, he says, is that Google only retains the data for two weeks, and then stores it in aggregate form. "But having this IP address, this cookie, and this timestamp is enough information to decloak someone for a [hacking] incident they did two years ago," he says. "So if you use Firefox or Chrome, you should know the risks" of the Safe Browsing feature, he says.

Read here for detailed article.

What is a browser?

If a major piece of your security strategy revolves around employee training, the following video might be a major setback. Many security pros pride themselves on the amount of training they give their employees. But I wonder, is it all for naught?

A Google employee took a camera and microphone onto the streets of New York City to find out if non-techies knew what a browser is and the results were astounding. Less than 8% of those interviewed knew. And these guys don’t reside in an assisted living facility or a 55 and over community. Many of them could have Facebook accounts and even Twitter handles.

After watching the video, I wonder, how would I begin a security training program if many of my employees don’t know what a browser is?

Phishing sounds like a foreign language and malware sounds like a bad word. Maybe the next generation will have a better understanding. But how long can we wait?

Origins of Google Chrome logo

Ever wondered how the Google Chrome logo came about?