Blog - Page 103 of 157 - Advantage Computers NJ

Announcing the winners of the 2020 GCP VRP Prize

Posted by Harshvardhan Sharma, Information Security Engineer, Google

We first announced the GCP VRP Prize in 2019 to encourage security researchers to focus on the security of Google Cloud Platform (GCP), in turn helping us make GCP more secure for our users, customers, and the internet at large. In the first iteration of the prize, we awarded $100,000 to the winning write-up about a security vulnerability in GCP. We also announced that we would reward the top 6 submissions in 2020 and increased the total prize money to $313,337.

2020 turned out to be an amazing year for the Google Vulnerability Reward Program. We received many high-quality vulnerability reports from our talented and prolific vulnerability researchers.

Vulnerability reports received year-over-year

This trend was reflected in the submissions we received for the GCP VRP Prize. After careful evaluation of the many innovative and high-impact vulnerability write-ups we received this year, we are excited to announce the winners of the 2020 GCP VRP Prize:

First Prize, $133,337: Ezequiel Pereira for the report and write-up RCE in Google Cloud Deployment Manager. The bug discovered by Ezequiel allowed him to make requests to internal Google services, authenticated as a privileged service account. Here’s a video that gives more details about the bug and the discovery process.

Second Prize, $73,331: David Nechuta for the report and write-up 31k$ SSRF in Google Cloud Monitoring led to metadata exposure. David found a Server-side Request Forgery (SSRF) bug in Google Cloud Monitoring’s uptime check feature. The bug could have been used to leak the authentication token of the service account used for these checks.
Third Prize, $73,331: Dylan Ayrey and Allison Donovan for the report and write-up Fixing a Google Vulnerability. They pointed out issues in the default permissions associated with some of the service accounts used by GCP services.
Fourth Prize, $31,337: Bastien Chatelard for the report and write-up Escaping GKE gVisor sandboxing using metadata. Bastien discovered a bug in the GKE gVisor sandbox’s network policy implementation due to which the Google Compute Engine metadata API was accessible.
Fifth Prize, $1,001: Brad Geesaman for the report and write-up CVE-2020-15157 “ContainerDrip” Write-up. The bug could allow an attacker to trick containerd into leaking instance metadata by supplying a malicious container image manifest.
Sixth Prize, $1,000: Chris Moberly for the report and write-up Privilege Escalation in Google Cloud Platform’s OS Login. The report demonstrates how an attacker can use DHCP poisoning to escalate their privileges on a Google Compute Engine VM.

Congratulations to all the winners! If we have piqued your interest and you would like to enter the competition for a GCP VRP Prize in 2021, here’s a reminder on the requirements.

Find a vulnerability in a GCP product (check out Google Cloud Free Program to get started)
Report it to the VRP (you might get rewarded for it on top of the GCP VRP Prize!)
Create a public write-up
Submit it here

Make sure to submit your VRP reports and write-ups before December 31, 2021 at 11:59 GMT. Good luck! You can learn more about the prize for this year here. We can’t wait to see what our talented vulnerability researchers come up with this year!

March 17, 2021/by Advantage Computer Inc.

Uncategorized

Google fixes Chrome zero‑day bug exploited in the wild

The latest update patches a total of five vulnerabilities affecting the browser’s desktop versions

The post Google fixes Chrome zero‑day bug exploited in the wild appeared first on WeLiveSecurity

March 16, 2021/by Advantage Computer Inc.

Uncategorized

Google, HTTPS, and device compatibility

Posted by Ryan Hurst, Product Management, Google Trust Services

Encryption is a fundamental building block when you’re on a mission to organize the world’s information and make it universally accessible with strong security and privacy. This is why a little over four years ago we created Google Trust Services—our publicly trusted Certificate Authority (CA).

The road to becoming a publicly trusted certificate authority is a long one – especially if the certificates you issue will be used by some of the most visited sites on the internet.

When we started on this journey, our goal was that within five years our root certificates would be embedded in enough devices that we could do a single transition to our long-term root certificates.

There are still a large number of active used devices that have not been updated with our root certificates.

To ensure as many clients as possible continue to have secure connections when using Google Trust Services certificates, we needed to obtain a cross-sign. A cross-sign allows a certificate authority that is already trusted by a device to extend its device compatibility to another certificate authority.

The rules governing public CA operations require that the CA being cross-signed meet the same strict operational, technological, and audit criteria as the certificate authority providing this cross-sign. Google Trust Services is already a publicly trusted CA that is operated to the highest standards and is in all major browser trust stores, so we already met the requirements for a cross-sign from another CA.. The key was to find one that is already trusted by the devices we wanted to be able to validate our certificates. We worked with GMO GlobalSign for this cross sign because they operate one of the oldest root certificates in wide use today.

Why are we telling you about this now? On December 15, 2021, the primary root certificate we use today (GlobalSign R2 which is owned and operated by Google Trust Services) will expire.

To ensure these older devices continue to work smoothly with the certificates we issue we will start sending a new cross-signed certificate to services when we issue new certificates.

The good news is that users shouldn’t notice the change. This is because the cross-certificate (GTS Root R1 Cross) we’re deploying was signed by a root certificate created and trusted by most devices over 20 years ago.

In summary, when you use certificates from Google Trust Services, you and your customers will continue to get the benefit of the best device compatibility in the industry.

We know you might have some questions about this change. Here are our answers to the most frequent ones:

I am a developer or ISV that uses a Google API. What do I need to do?

Certificate Authorities change which root CA certificates they use from time to time, so we have always provided a list of certificates that we currently use or may use in the future. Anybody using this list won’t have to change anything. If you have not been using this list and updating it based on our published guidance, you will need to update your application to use these roots and regularly update the list you use so future changes go smoothly for your users.

I am a website operator that uses Google Trust Services certificates. Do I need to change anything?

You do not! Google Trust Services offers certificates to Alphabet products and services including many Google Cloud services. This means that those services are the ones responsible for configuring and managing TLS for you.

When will this change go into effect?

We will begin rolling out certificate chains that use this cross-certificate in March 2021. We will slowly roll these changes out throughout the rest of the year and will complete them before December 15, 2021.

I use a service or product that uses Google Trust Services. Is there anything I need to change? No, this change should be invisible to all end users.

How can I test to see if my devices will trust certificates that rely on this cross-sign?

We operate a test site that uses the cross-certificate that you can visit here. If you see “Google Trust Services Demo Page – Expected Status: good” and some additional certificate information, the new certificate chain works correctly on your device. If you get an error, the list of trusted roots for the device you’re testing needs to be updated.

When does this cross-certificate expire and what happens when it does?

The cross-certificate expires January 28th, 2028. Sometime between now and when it looks like it is no longer needed for broad device compatibility, we will stop providing this extra certificate to certificate requesters, as it will no longer be needed.

I use an old device and it does not trust the cross-sign. What should I do?

Many devices handle root certificate updates as part of their security patching process. If you are running one of these devices, you should make sure you apply all relevant security updates. It is also possible the manufacturer no longer provides security updates for your device. If this is the case you may want to contact your provider or consider replacing your device.

Does this mean you are no longer using the Google Trust Services roots? We are still using the Google Trust Services roots, they are simply cross-signed. When it is no longer necessary to use the cross-sign, we will no longer distribute the cross-sign to certificate requestors.

To learn more, visit Google Trust Services.

March 15, 2021/by Advantage Computer Inc.

Uncategorized

PayPal fraud: What merchants should know

From overpayment to shipping scams, what are some of the most common threats that merchants using PayPal should watch out for?

The post PayPal fraud: What merchants should know appeared first on WeLiveSecurity

March 15, 2021/by Advantage Computer Inc.

Uncategorized

Week in security with Tony Anscombe

ESET research into exploitation of Microsoft Exchange flaws – How smart sex toys may expose your privacy – E-health versus your personal data

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

March 12, 2021/by Advantage Computer Inc.

Security, Uncategorized

A Spectre proof-of-concept for a Spectre-proof web

Posted by Stephen Röttger and Artur Janc, Information Security Engineers

Three years ago, Spectre changed the way we think about security boundaries on the web. It quickly became clear that flaws in modern processors undermined the guarantees that web browsers could make about preventing data leaks between applications. As a result, web browser vendors have been continuously collaborating on approaches intended to harden the platform at scale. Nevertheless, this class of attacks still remains a concern and requires web developers to deploy application-level mitigations.

In this post, we will share the results of Google Security Team’s research on the exploitability of Spectre against web users, and present a fast, versatile proof-of-concept (PoC) written in JavaScript which can leak information from the browser’s memory. We’ve confirmed that this proof-of-concept, or its variants, function across a variety of operating systems, processor architectures, and hardware generations.

By sharing our findings with the security community, we aim to give web application owners a better understanding of the impact Spectre vulnerabilities can have on the security of their users’ data. Finally, this post describes the protections available to web authors and best practices for enabling them in web applications, based on our experience across Google.

A bit of background

The Spectre vulnerability, disclosed to the public in January 2018, makes use of a class of processor (CPU) design vulnerabilities that allow an attacker to change the intended program control flow while the CPU is speculatively executing subsequent instructions. For example, the CPU may speculate that a length check passes, while in practice it will access out-of-bounds memory. While the CPU state is rolled back once the misprediction is noticed, this behavior leaves observable side effects which can leak data to an attacker.

In 2019, the team responsible for V8, Chrome’s JavaScript engine, published a blog post and whitepaper concluding that such attacks can’t be reliably mitigated at the software level. Instead, robust solutions to these issues require security boundaries in applications such as web browsers to be aligned with low-level primitives, for example process-based isolation.

In parallel, browser vendors and standards bodies developed security mechanisms to protect web users from these classes of attacks. This included both architectural changes which offer default protections enabled in some browser configurations (such as Site Isolation, out-of-process iframes, and Cross-Origin Read Blocking), as well as broadly applicable opt-in security features that web developers can deploy in their applications: Cross-Origin Resource Policy, Cross-Origin Opener Policy, Cross-Origin Embedder Policy, and others.

These mechanisms, while crucially important, don’t prevent the exploitation of Spectre; rather, they protect sensitive data from being present in parts of the memory from which they can be read by the attacker. To evaluate the robustness of these defenses, it’s therefore important to develop security tools that help security engineers understand the practical implications of speculative execution attacks for their applications.

Demonstrating Spectre in a web browser

Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector. We have developed an interactive demonstration of the attack available at https://leaky.page/; the code and a more detailed writeup are published on Github here.

The demonstration website can leak data at a speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. Note that the code will likely require minor modifications to apply to other CPUs or browser versions; however, in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes.

While experimenting, we also developed other PoCs with different properties. Some examples include:

A PoC which can leak 8kB/s of data at a cost of reduced stability using performance.now() as a timer with 5μs precision.
A PoC which leaks data at 60B/s using timers with a precision of 1ms or worse.

We chose to release the current PoC since it has a negligible setup time and works in the absence of high precision timers, such as SharedArrayBuffer.

The main building blocks of the PoC are:

A Spectre gadget: code that triggers attacker-controlled transient execution.
A side-channel: a way to observe side effects of the transient execution.

1. The gadget

For the published PoC, we implemented a simple Variant 1 gadget: a JavaScript array is speculatively accessed out of bounds after training the branch predictor that the compiler-inserted length check will succeed. This particular gadget can be mitigated at the software level; however, Chrome’s V8 team concluded that this is not the case for other gadgets: “we found that effective mitigation of some variants of Spectre, particularly variant 4, to be simply infeasible in software.”

We invite the security community to extend our research and develop code that makes use of other Spectre gadgets.

2. The side-channel

A common way to leak secret data via speculative execution is to use a cache side-channel. By observing if a certain memory location is present in the cache or not, we can infer if it has been accessed during the speculative execution. The challenge in JavaScript is to find a high resolution timer allowing to distinguish cache from memory accesses, as modern browsers have reduced the timer granularity of the performance.now() API and disabled SharedArrayBuffers in contexts without cross-origin isolation to prevent timing attacks.

Already in 2018, the V8 team shared their observation that reduced timer granularity is not sufficient to mitigate Spectre, since attackers can arbitrarily amplify timing differences. The presented amplification technique was based on reading secret data multiple times which can, however, reduce the effectiveness of the attack if the information leak is probabilistic.

In our PoC, we developed a new technique that overcomes this limitation. By abusing the behavior of the Tree-PLRU cache eviction strategy commonly found in modern CPUs, we were able to significantly amplify the cache timing with a single read of secret data. This allowed us to leak data efficiently even with low precision timers. For technical details, see the demonstration at https://leaky.page/plru.html.

While we don’t believe this particular PoC can be re-used for nefarious purposes without significant modifications, it serves as a compelling demonstration of the risks of Spectre. In particular, we hope it provides a clear signal for web application developers that they need to consider this risk in their security evaluations and take active steps to protect their sites.

Deploying web defenses against Spectre

The low-level nature of speculative execution vulnerabilities makes them difficult to fix comprehensively, as a proper patch can require changes to the firmware or hardware on the user’s device. While operating system and web browser developers have implemented important built-in protections where possible (including Site Isolation with out-of-process iframes and Cross-Origin Read Blocking in Google Chrome, or Project Fission in Firefox), the design of existing web APIs still makes it possible for data to inadvertently flow into an attacker’s process.

With this in mind, web developers should consider more robustly isolating their sites by using new security mechanisms that actively deny attackers access to cross-origin resources. These protections mitigate Spectre-style hardware attacks and common web-level cross-site leaks, but require developers to assess the threat these vulnerabilities pose to their applications and understand how to deploy them. To assist in that evaluation, Chrome’s web platform security team has published Post-Spectre Web Development and Mitigating Side-Channel Attacks with concrete advice for developers; we strongly recommend following their guidance and enabling the following protections:

Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers allow developers to control which sites can embed their resources, such as images or scripts, preventing data from being delivered to an attacker-controlled browser renderer process. See resourcepolicy.fyi and web.dev/fetch-metadata.

Cross-Origin Opener Policy (COOP) lets developers ensure that their application window will not receive unexpected interactions from other websites, allowing the browser to isolate it in its own process. This adds an important process-level protection, particularly in browsers which don’t enable full Site Isolation; see web.dev/coop-coep.

Cross-Origin Embedder Policy (COEP) ensures that any authenticated resources requested by the application have explicitly opted in to being loaded. Today, to guarantee process-level isolation for highly sensitive applications in Chrome or Firefox, applications must enable both COEP and COOP; see web.dev/coop-coep.

In addition to enabling these isolation mechanisms, ensure your application also enables standard protections, such as the X-Frame-Options and X-Content-Type-Options headers, and uses SameSite cookies. Many Google applications have already deployed, or are in the process of deploying these mechanisms, providing a defense against speculative execution bugs in situations where default browser protections are insufficient.

It’s important to note that while all of the mechanisms described in this article are important and powerful security primitives, they don’t guarantee complete protection against Spectre; they require a considered deployment approach which takes behaviors specific to the given application into account. We encourage security engineers and researchers to use and contribute to our Spectre proof-of-concept to review and improve the security posture of their sites.

Tip: To help you protect your website from Spectre, the Google Security Team has created Spectroscope, a prototype Chrome extension that scans your application and finds resources which may require enabling additional defenses. Consider using it to assist with your deployments of web isolation features.

March 12, 2021/by Advantage Computer Inc.

Uncategorized

Continuing to Raise the Bar for Verifiable Security on Pixel

Posted by Eugene Liderman, Android Security and Privacy Team

Evaluating the security of mobile devices is difficult, and a trusted way to validate a company’s claims is through independent, industry certifications. When it comes to smartphones one of the most rigorous end-to-end certifications is the Common Criteria (CC) Mobile Device Fundamentals (MDF) Protection Profile. Common Criteria is the driving force for establishing widespread mutual recognition of secure IT products across 31 countries . Over the past few years only three smartphone manufacturers have continually been certified on every OS version: Google, Samsung, and Apple. At the beginning of February, we successfully completed this certification for all currently supported Pixel smartphones running Android 11. Google is the first manufacturer to be certified on the latest OS version.

This specific certification is designed to evaluate how a device defends against the real-world threats facing both consumers and businesses. The table below outlines the threats and mitigations provided in the CC MDF protection profile:

Threats

Mitigations

Network Eavesdropping – An attacker is positioned on a wireless communications channel or elsewhere on the network infrastructure

Network Attack – An attacker is positioned on a wireless communications channel or elsewhere on the network infrastructure

Protected Communications – Standard protocols such as IPsec, DTLS, TLS, HTTPS, and Bluetooth to ensure encrypted communications are secure

Authorization and Authentication – Secure authentication for networks and backends

Mobile Device Configuration – Capabilities for configuring and applying security policies defined by the user and/or Enterprise Administrator

Physical Access – An attacker, with physical access, may attempt to retrieve user data on the mobile device, including credentials

Protected Storage – Secure storage (that is, encryption of data-at-rest) for data contained on the device

Authorization and Authentication – Secure device authentication using a known unlock factor, such as a password, PIN, fingerprint, or face authentication

Malicious or Flawed Application – Applications loaded onto the Mobile Device may include malicious or exploitable code

Protected Communications – Standard protocols such as IPsec, DTLS, TLS, HTTPS, and Bluetooth to ensure encrypted communications are secure

Authorization and Authentication – Secure authentication for networks and backends

Mobile Device Configuration – Capabilities for configuring and applying security policies defined by the user and/or Enterprise Administrator

Mobile Device Integrity – Device integrity for critical functionality of both software and hardware

End User Privacy and Device Functionality – Application isolation/sandboxing and framework permissions provide separation and privacy between user activities

Persistent Presence – Persistent presence on a device by an attacker implies that the device has lost integrity and cannot regain it

Mobile Device Integrity – Device integrity to ensure the integrity of critical functionality of both software and hardware is maintained

End User Privacy and Device Functionality – Application isolation/sandboxing and framework permissions provide separation and privacy between user activities

What makes this certification important is the fact that it is a hands on evaluation done by an authorized lab to evaluate the device and perform a variety of tests to ensure that:

Every mitigation meets a predefined standard and set of criteria.
Every mitigation works as advertised.

At a high level, the target of evaluation (TOE) is the combination of device hardware (i.e. system on chip) and operating system (i.e. Android). In order to validate our mitigations for the threats listed above, the lab looks at the following security functionality:

Protected Communications (encryption of data-in-transit) – Cryptographic algorithms and transport protocols used to encrypt the Wi-Fi traffic and all other network operations and communications.
Protected Storage (encryption of data-at-rest) – Cryptography provided by the system on chip, trusted execution environment, and any other discrete tamper resistant hardware such as the Titan M and the Android OS. Specifically looking at things like implementation of file-based encryption, hardware root of trust, keystore operations (such as, key generation), key storage, key destruction, and key hierarchy.
Authorization and Authentication – Mechanisms for unlocking the user’s devices, such as password, PIN or Biometric. Mitigation techniques like rate limiting and for biometrics, False Acceptance and Spoof Acceptance Rates.
Mobile Device Integrity – Android’s implementation of Verified Boot, Google Play System Updates, and Seamless OS Updates.
Auditability – Features that allow a user or IT admin to log events such as device start-up and shutdown, data encryption, data decryption, and key management.
Mobile Device Configuration – Capabilities that allow the user or enterprise admin to apply security policies to the device using Android Enterprise.

Why this is important for enterprises

It’s incredibly important to ensure Pixel security can specifically support enterprise needs. Many regulated industries require the use of Common Criteria certified devices to ensure that sensitive data is backed by the strongest possible protections. The Android Enterprise management framework enables enterprises to do things like control devices by setting restrictions around what the end user can do and audit devices to ensure all software settings are configured properly. For example, enterprise IT admins wish to enforce policies for features like the camera, location services or app installation process.

Why this is important for consumers

Security isn’t just an enterprise concern and many of the protections validated by Common Criteria certification apply to consumers as well. For example, when you’re connecting to Wi-Fi, you want to ensure no one can spy on your web browsing. If your device is lost or stolen, you want to be confident that your lock screen can reduce the chances of someone accessing your personal information.

We believe in making security & privacy accessible to all of our users. This is why we take care to ensure that Pixel devices meet or exceed these certification standards.. We’re committed to meeting these standards moving forward, so you can rest assured that your Pixel phone comes with top-of-the-line security built in, from the moment you turn it on.

Why this is important to the Android Ecosystem

While certifications are a great form of third party validation, they often fall under what we like to call the 3 C’s:

Complex – Due to the scope of the evaluation including the device hardware, the operating system and everything in between.
Costly – Because they require a hands on evaluation by a certified lab for every make/model combination (SoC + OS) which equates to hundreds of individual tests.
Cumbersome – Because it’s a fairly lengthy evaluation process that can take upwards of 18 months the first time you go through it.

We have been working these last three years to reduce this complexity for our OEM partners. We are excited to tell you that the features required to satisfy the necessary security requirements are baked directly into the Android Open Source Project. We’ve also added all of the management and auditability requirements into the Android Enterprise Management framework. Last year we started publishing the tools we have developed for this on GitHub to allow other Android OEMs to take advantage of our efforts as they go through their certification.

While we continue certifying Pixel smartphones with new Android OS versions, we have worked to enable other Android OEMs to achieve this certification as well as others, such as:

National Institute of Technology’s Cryptographic Algorithm and Module Validation Programs which is an evaluation of the cryptographic algorithms and/or modules and is something the US Public Sector and numerous other regulated verticals look for. With Android 11, BoringSSL which is part of the conscrypt mainline module has completed this validation (Certificate #3753)
US Department of Defense’s Security Technical Implementation Guide; STIG for short is a guideline for how to deploy technology on a US Department of Defense network. In the past there were different STIGs for different Android OEMs which had their own implementations and proprietary controls, but thanks to our efforts we are now unifying this under a single Android STIG template so that Android OEMs don’t have to go through the burden of building custom controls to satisfy the various requirements.

We’ll continue to invest in additional ways to measure security for both enterprises and consumers, and we welcome the industry to join us in this effort.

March 11, 2021/by Advantage Computer Inc.

Security, Uncategorized

#ShareTheMicInCyber: Brooke Pearson

Posted by Parisa Tabriz, Head of Chrome Product, Engineering and UX

In an effort to showcase the breadth and depth of Black+ contributions to security and privacy fields, we’ve launched a profile series that aims to elevate and celebrate the Black+ voices in security and privacy we have here at Google.

Brooke Pearson manages the Privacy Sandbox program at Google, and her team’s mission is to, “Create a thriving web ecosystem that is respectful of users and private by default.” Brooke lives this mission and it is what makes her an invaluable asset to the Chrome team and Google.

In addition to her work advancing the fields of security and privacy, she is a fierce advocate for women in the workplace and for elevating the voices of her fellow Black+ practitioners in security and privacy. She has participated and supported the #ShareTheMicInCyber campaign since its inception.

Brooke is passionate about delivering privacy solutions that work and making browsing the web an inherently more private experience for users around the world.

Why do you work in security or privacy?

I work in security and privacy to protect people and their personal information. It’s that simple. Security and privacy are two issues that are core to shaping the future of technology and how we interact with each other over the Internet. The challenges are immense, and yet the ability to impact positive change is what drew me to the field.

Tell us a little bit about your career journey to Google

My career journey into privacy does not involve traditional educational training in the field. In fact, my background is in public policy and communications, but when I transitioned to the technology industry, I realized that the most pressing policy issues for companies like Google surround the nascent field of privacy and the growing field of security.

After I graduated from college at Azusa Pacific University, I was the recipient of a Fulbright scholarship to Macau, where I spent one year studying Chinese and teaching English. I then moved to Washington D.C. where I initially worked for the State Department while finishing my graduate degree in International Public Policy at George Washington University. I had an amazing experience in that role and it afforded me some incredible networking opportunities and the chance to travel the world, as I worked in Afghanistan and Central Asia.

After about five years in the public sector, I joined Facebook as a Program Manager for the Global Public Policy team, initially focused on social good programs like Safety Check and Charitable Giving. Over time, I could see that the security team at Facebook was focused on fighting the proliferation of misinformation, and this called to me as an area where I could put my expertise in communication and geopolitical policy to work. So I switched teams and I’ve been in the security and privacy field ever since, eventually for Uber and now with Google’s Chrome team.

At Google, privacy and security are at the heart of everything we do. Chrome is tackling some of the world’s biggest security and privacy problems, and everyday my work impacts billions of people around the world. Most days, that’s pretty daunting, but every day it’s humbling and inspiring.

What is your security or privacy “soapbox”?

If we want to encourage people to engage in more secure behavior, we have to make it easy to understand and easy to act on. Every day we strive to make our users safer with Google by implementing security and privacy controls that are effective and easy for our users to use and understand.

As a program manager, I’ve learned that it is almost always more effective to offer a carrot than a stick, when it comes to security and privacy hygiene. I encourage all of our users to visit our Safety Center to learn all the ways Google helps you stay safe online, every day.

If you are interested in following Brooke’s work here at Google and beyond, please follow her on Twitter @brookelenet. We will be bringing you more profiles over the coming weeks and we hope you will engage with and share these with your network.

If you are interested in participating or learning more about #ShareTheMicInCyber, click here.

March 11, 2021/by Advantage Computer Inc.

Uncategorized

Sex in the digital era: How secure are smart sex toys?

ESET researchers investigate what could possibly go wrong when you connect your bedroom to the internet of things

The post Sex in the digital era: How secure are smart sex toys? appeared first on WeLiveSecurity

March 11, 2021/by Advantage Computer Inc.

Security, Uncategorized

Fuzzing Java in OSS-Fuzz

Posted by Jonathan Metzman, Google Open Source Security Team

OSS-Fuzz, Google’s open source fuzzing service, now supports fuzzing applications written in Java and other Java Virtual Machine (JVM) based languages (e.g. Kotlin, Scala, etc.). Open source projects written in JVM based languages can add their project to OSS-Fuzz by following our documentation.

The Google Open Source Security team partnered with Code Intelligence to integrate their Jazzer fuzzer with OSS-Fuzz. Thanks to their integration, open source projects written in JVM-based languages can now use OSS-Fuzz for continuous fuzzing.

OSS-Fuzz has found more than 25,000 bugs in open source projects using fuzzing. We look forward to seeing how this technique can help secure and improve code written in JVM-based languages.

What can Jazzer do?

Jazzer allows users to fuzz code written in JVM-based languages with libFuzzer, as they already can for code written in C/C++. It does this by providing code coverage feedback from JVM bytecode to libFuzzer. Jazzer already supports important libFuzzer features such as:

FuzzedDataProvider for fuzzing code that doesn’t accept an array of bytes.
Evaluation of code coverage based on 8-bit edge counters.
Value profile.
Minimization of crashing inputs.

The intent for Jazzer is to support all libFuzzer features eventually.

What Does Jazzer Support?

Jazzer supports all languages that compile to JVM bytecode, since instrumentation is done on the bytecode level. This includes:

Java
Kotlin
Scala
Clojure

Jazzer can also provide coverage feedback from native code that is executed through JNI. This can uncover interesting memory corruption vulnerabilities in memory unsafe native code.

Why Fuzz Java/JVM-based Code?

As discussed in our post on Atheris, fuzzing code written in memory safe languages, such as JVM-based languages, is useful for finding bugs where code behaves incorrectly or crashes. Incorrect behavior can be just as dangerous as memory corruption. For example, Jazzer was used to find CVE-2021-23899 in json-sanitizer which could be exploited for cross-site scripting (XSS). Bugs causing crashes or incorrect exceptions can sometimes be used for denial of service. For example, OSS-Fuzz recently found a denial of service issue that could have been used to take “a major part of the ethereum network offline”.

When fuzzing memory safe code, you can use the same classic approach for fuzzing memory unsafe code: passing mutated input to code and waiting for crashes. Or you can take a more unit test like approach where your fuzzer verifies that the code is behaving correctly (example).

Another way fuzzing can find interesting bugs in JVM-based code is through differential fuzzing. With differential fuzzing, your fuzzer passes mutated input from the fuzzer to multiple library implementations that should have the same functionality. Then it compares the results from each library to find differences.
Check out our documentation to get started. We will explore this more during our OSS-Fuzz talk at FuzzCon Europe.

March 10, 2021/by Advantage Computer Inc.

4.9
andre wellington
18:49 06 Jan 25
I had a problem with my laptop charging port not working properly. I took it to Advantage Computer Solution on the day after Christmas where I spoke to Al who quickly diagnosed that the port was broken and offered to fix it for less than what I would have paid if I had gone to Best Buy or another local technician. Their service was fast, both guys were friendly and he even fixed my laptop lid which turned out to be broken. If that's not a Christmas gift then I don't know what is. I am truly grateful and if ever I need my laptop or PC to be cleaned or repaired, this is where I will go. You should too.
louis savaglio
01:27 04 Jan 25
The best IT service I ever had. They have been servicing my business for over 20 years. I am an accountant and I can't survive without them. Very quick turn around and they are able to remotely fix issues on my system when they can. Thank you
Vincent Manno
19:40 31 Dec 24
Very attentive, great customer service and very helpful.
Hanadi Seyam
01:29 28 Dec 24
I took my older Sony notebook for repair, the battery needed replacement. I didn't have to leave it, I left a small deposit, they ordered the battery and when it came in, it took 3 hours and they called me, it didn't cost much. Great service and very pleasant staff. Thank you.
Riky Lozado
20:16 26 Dec 24
Great costumer service!
Daniel Ritz
23:07 19 Dec 24
I was referred their for a repair of a Dell All-In-One. Nasser and his associate are super pleasant and polite to work with. They did the repair quickly and affordably. I like their intake system that generated a receipt and a label for my unit. I knew right there that they are organized and responsible. Couldn't have been a better.
Nicolas Bermúdez
22:19 14 Dec 24
Thanks for repairing my computer man
Jonathan Rodriguez
23:01 20 Nov 24
This is an amazing store for all your computer needs. I built my own computer, and when things stopped working and I couldn’t figure out why, I sent it to this shop. The owners were very polite and knowledgeable from the start. He not only fixed my issue but also explained what I could do to prevent it in the future and gave me options for upgrading parts later down the road all of this for a very reasonable price.I could not recommend this store more and will definitely be coming here for any computer needs I might have in the future.Thank you, Advantage Computer Solutions!!
Georgia
20:41 11 Nov 24
The best computer specialist you can find around!! They are prompt and solve any problems you might have when it comes to your computer programs! thank you guys for all you do for our company!
Jacob Fontanez Kanaropoulos
22:10 30 Oct 24
Customer service was AMAZING!!! Fixed the problem within minutes and was fairly priced as well. Thank you guys🙏
Mark Stevens
21:41 30 Oct 24
Very helpful and honest. They fixed my wife's computer very fast and very reasonable cost.
Soufian Aglaguel
04:28 27 Oct 24
The best people ever! They were able to fix my problems, they fixed my computer which I had an issue with for a week now. The man Naser and Aref were super nice, understanding and were able ti get the job done overnight. Thank you! I wish I can give this more stars!!!!!
Mateusz Marciniak
22:17 30 Aug 24
Gave me free computer advice. Great guys running the place!
Faisal s.m
00:43 28 Aug 24
I found Advantage Computer Solutions from Google. I was impressed to get their great customer service. They gave me reasonable price for my laptop’s cracked screen and they fixed it in short time. Thanks AdvantageComputer Solutions!!!
kathleen denny
16:26 15 Aug 24
fantastic . so helpful, so instructive, Absolutely saved me. i will be forever grateful for the assistance and the knowledge
Matt Font
05:15 04 Aug 24
Al and Zach are worth the visits and not just because of knowledge/secondary opinions... my family's been infrequent visitors for almost over 2 decades! I don't often have the tools/ foresight for electrographical malfunctions during an arbitrary power outage or whaling out emotional kicks on my desktop from a game-over screen en masse. These guys resurrected my desktop numerous times & will always eclipse any kind of troubleshooting you'd expect at a big box computer retailer (who could only resort to selling me bricked hardware and underperforming specs versus a 5 year dinosaur from their own supply chain). Ordinary people have a responsibility to shop small and support the establishments that don't see obsolescence and sales as the defacto norm.
East Ridgelawn Cemetery
18:14 12 Jul 24
For over two decades, Advantage Computer Solutions has been our go-to for all things tech. As a family-owned business, they bring a personal touch and genuine care that's hard to find these days.Their expertise is undeniable. They've tackled every computer issue we've thrown their way, from routine maintenance to complex repairs, all with a professionalism and reliability that keeps our business running smoothly.We can't recommend Advantage Computer Solutions enough. If you're looking for a trustworthy, expert partner for your computer needs, look no further!
Alexandra Alvarez
23:20 09 Jul 24
They did a great job at fixing my husbands computer. The price was very reasonable and they took great care of it. The attention is top 1. Thank you for all your help☺️
Stefanie
17:34 06 Jul 24
Would give them 10 stars if I could! I called Al after a quick google search because part of my laptop was damaged. It took a few seconds for him to recognize the problem and he helped me pop the loose piece back into place. He did not charge me. That's how you know he likes to do good, honest business. An act of kindness goes a long way. I will recommend you to family and friends :) thanks again!
Rich Lanning
11:39 14 May 24
Zack is the best! He took the time to explain in user friendly terms the steps he took to optimize our network connectivity and to enhance the performance of our multiple laptops. Whether a small business, a work from home employee or a family with multiple devices on a network, I highly recommend Advantage Computer Systems to help you with computer & network setup and or maintenance issues.
Mattie B
19:12 09 May 24
I've known these guys for I'd say roughly 20 years. They've done great work for both my family and for my dad's business, extremely friendly and professional. They were also our tenants prior to COVID and were great to work with. I highly recommend them.
Matthew Davila
20:59 27 Apr 24
Great people honest and do great work. They fixed my system at a very reasonable price and quick turnaround.
June Neblung
20:36 24 Apr 24
These good folks provide us with our security cameras and all of our computer and internet needs. Al, Nasser and Zach are the best!
Dank F
22:39 15 Apr 24
Amazing people helped me with all my problems great work on my machine I’m definitely coming back !!!
Manoj Bhagat
18:44 28 Mar 24
Great service, they revived my old notebook and made it fast again.. Very reasonable prices. Thank you
Berman Taylor
15:34 17 Mar 24
They have taken care of my computers for years! I can't imagine getting anything done without them. I appreciate their calm, good humor and advice.
Orelvis Redwoods
14:26 27 Feb 24
My computer didn't want to turn on, display anything at all, etc. Took it to these gentlemen and they fixed it for a reasonable price, totally recommend them.
Ashley Aguirre
22:26 19 Feb 24
Good prices they have everything and provide great service.
Laura H
12:50 17 Feb 24
The best computer support for a small business.
moira crabtree
19:15 17 Aug 22
I want to praise this company to the heavens! They are so very good. If your computer has ANY problem, particularly a difficult problem, THIS IS THE COMPANY TO CALL! They come quickly (eases any computer anxiety whether it's a business or personal situation). They are so smart (and you need someone smart enough to solve your issue), thorough (you do not need a half-baked job done), and so very pleasant to deal with (in a time when most service people are cranky.). This company was recommended by a business that needs flawlessly running systems. I was told they were good and reliable. They are so much better than that. I will never use anyone else. Once I have found the best, why look anywhere else? Save your sanity. Just call Advantage Computer Solutions. You won't regret it.
Amy Neustein
18:10 13 Jul 22
From Today --July 13, 2022I just had my computer serviced at Advantage Computer Solutions and again I couldn't be more pleased!! Al and Zack were fantastic! Not only did they diagnose the problem, and jump in immediately to help me, but they did it in record time!!! Al gave me a new SSD which makes my computer work at record speed. In addition, he cleaned out my fan to help with the freezing of the computer when the fan overheated. The concern and care afforded by Advantage Computer Solutions are extraordinary. This is a family-owned business that truly treats each client like a family member! I wholeheartedly recommend this place over the chain repair shops. I have complete confidence in Advantage Computer Solutions, which is a blessing indeed!!!Amy Neustein, Ph.D.Fort Lee, NJFrom six years agoI don't have enough words to express my appreciation for Nassar and Paul, and the other members of Advantage Computer Solutions. I live in Bergen County and travel to Passaic County because of the trust I have in the competence and honesty of Advantage Computers. What a blessing to have such seasoned and caring professionals available to service my computer. The company has deep respect for its customers. I am very pleased as I have been using their services successfully since 2010.
MikSchlag
13:46 15 Mar 22
Quickly attuned and all options presented within minutes. I was back up and running within 20 minutes ( on main computer) and it cost me 1/3rd of an office visit (they had everything (memory and SSD and didn't push options) in stock for my older computers)! Outstanding... or you could be standing out in the cold. They kept my business running!!
Steve Walden
14:00 10 Feb 22
I never leave reviews, but I have to give a shout out to Al and Advantage Computers because they do terrific work. Had my house wired with ethernet cable and they worked quickly, efficiently, were pleasant to deal with. Everything was cleaned up and done professionally. Among the best service I've had as a homeowner. Would highly recommend!
Dmitry Kreslavskiy
19:31 04 Jan 22
Had a great experience here. Nice, very polite and highly professional people and very reasonable charges as well.A laptop died suddenly for no apparent reason, occasionally allowing you to peek into BIOS setup, but not always, and always ending up with a black screen without going into Windows.Microcenter people told me to wait a week because of COVID, Nasser here took it and had good quality research results for me the morning after, - it was a dead motherboard, and he even explained the likely reasons for its failure.He salvaged the data for us to a USB stick and he let us spend all the time we needed picking the data we wanted copied.He spent a ton of time on us and only charged us about $50 for the research and another $50 for data copying, very reasonable, - Best Buy and Microcenter wouldn't been more pricey.Happy to recommend and come back again as well. Thank you so much for a great service!
RICHARD DEMAYO
14:45 22 Jan 21
The best guys in the business bring them any problem and give them a little time and they will give you a solution.
PRO AUTO BROKERS
23:50 11 Jan 21
These guys are the best in the business, very knowledgeable and easy going. Highly recommended, top notch in the computer business. My main man Al took care of us efficiently and fast, also great prices.Ed
Carlos Santos
23:24 26 Oct 19
I’ve known the Advantage Team for years. They are the absolute best techs in the field, bar none. I couldn’t tell you how many tens thousands of dollars they saved us over the years; they can be trusted to never scam anyone even though they would do so very easily. The turnaround time is also excellent, even if they don’t have a particular part in stock. They work fast and they work smart. In the decade I’ve known them, I’ve never had to return a computer because something wasn’t fixed. I believe that they’re one of the industries’ best kept secret.
D Lobiondo
18:07 30 Apr 19
They're true problem solvers for anyone with computer issues. We received expert help and courtesy at a reasonable price. We trust them and will return!
Sonya G
03:01 06 Aug 18
I had an excellent experience with Advantage. Aside from being extremely professional and pleasant generally, Zack was incredibly responsive and helpful, even before and after my appointment, and really resolved IT issues in my home office that had been plaguing me for years. I am so relieved to not have to think about this anymore! I will definitely call Zack again should I have any more IT needs.
Camp Sparkles
02:18 05 Aug 18
Al and Zack were so nice and knowledgeable. They figured out immediately what the problem was but instead of fixing it they let me know that my computer was still under warranty and that I should send it back to Dell. I stood in their store for 50 min on the phone with Dell and Al and Zack walked me through the process. I will definitely tell all my friends about their honesty and refer them. Thank you!
Mary Ann Adams
01:23 23 Mar 18
Very professional, excellent work, reasonable price. They definitely know their business.
Clemons Kunkel
06:16 07 Jan 18
Has worked on my computer for years.. Al does a great job and very Friendly. Have brought 3 computer because ever thing Changes. Thanks
Gennady Lager
18:04 17 Aug 17
I hired Advantage Computers to install an access point and improve the wifi signal at my home office. Zack took the time to understand my problem, communicate via email and phone, come up with a proposed solution, and schedule the work. He showed up on time and was very fair on price. The quality of the work is solid. I would hire him for all of my IT needs that I cannot resolve on my own.
Holly Kaplansky
13:09 02 Feb 16
Advantage Computer Solutions is absolutely great. They show up, do what they say they are going to, complete the job without issues (my other computer companies had to keep coming back to fix things they "forgot" to do....) and are fairly priced. Zack is awesome, reliable, dependable, knowledgeable....everything you want in a computer solutions vendor.
trudy holt
19:47 20 Nov 14
Excellent service! I am the administrator for a busy medical office which relies heavily on our computer system. We have used Advantage Computer Solutions for installation, set-up and for service. The response time is immediate and the staff is often able to provide help remotely. Very affordable and honest.... A++!!! Essex Surgical relies on Advantage Computer Solutions.
More reviews

Easy Contact
253 Main Ave, Passaic NJ 07055
Call 973-777-5656
info@advantagecomputers.com
Fax 973-777-5821

© 2025 ~ All Rights Reserved
Advantage Computer Solutions, Inc
Company
Home

About Us

Contact

Testimonials

Blog

Partners

Services
Managed IT Solutions

Medical IT Solutions

Cloud Services

Firewall Installation

Server Solutions

Data Backup and Recovery

Network Cabling Installation

Computer Repair

Virus and Spyware Removal

Testimonials
Zack is amazing! I have gone to him with computer issues for the past few years now and he always finds a way to fix things and at a reasonable price. This time I went to Advantage Computer Solutions to find a new laptop. I needed help because like most of us I had no… Read more “Amazing!”
Amanda Tolve
Cannot say enough good things about Zack Rahhal and his team. Professional, smart, sensitive to small biz budgets and a helluva good guy. Could not operate my small biz without them!
Karen Schloss
stars indeed. So reliable and helpful and kind and smart. We call Al and he is “on it” immediately and such a FABULOUS teacher, patient and terrific. So happy with Advantage Computer Solutions and Al and his AMAZINGLY WONDERFUL STAFF.
Nancy Alberga
I’ve been a customer of the staff at Advantage for many years now. They have never let me down! Whatever my need, however big or small my problem, they have been unfailingly helpful, friendly and professional. Services are performed promptly and effectively, and they are very fair with pricing, too. I am lucky to have… Read more “Whatever my need, unfailingly helpful”
Michael Lesher
I’ve known the Advantage Team for years. They are the absolute best techs in the field, bar none. I couldn’t tell you how many tens thousands of dollars they saved us over the years; they can be trusted to never scam anyone even though they would do so very easily. The turnaround time is also… Read more “Best Kept Secret”
Carlos Santos
I had an excellent experience with Advantage. Aside from being extremely professional and pleasant generally, Zack was incredibly responsive and helpful, even before and after my appointment, and really resolved IT issues in my home office that had been plaguing me for years. I am so relieved to not have to think about this anymore!… Read more “Excellent Experience”
Sonya G
Simply The Best! Our company has been working with Advantage Computer Solutions for a few years, Zack and his Team are AWESOME! They are super reliable – whether it’s everyday maintenance or emergencies that may arise, The Advantage Team take care of us! Our team is grateful for their knowledgeable and professional services – a… Read more “Simply The Best!”
Kara Steible
Advanced Technology Search
The engineering team at Advantage Computers is the best in the business. They are nothing short of technical wizards.
Susannah Rubenstein
Al, Nasser and Zack have been keeping our operations going for over a decade, taking care of our regular upgrades and our emergency system problems. When we have an emergency, they make it their emergency. Its like having a cousin in the business.
lenny steinbach
Lucille Laundry - Monroe St Passaic NJ
In many cases, exceptional people do not receive recognition for their hard work and superior customer service. We do not want this to be one of those times. Zack Rahhal has been our hardware and technical consultant for our servers, Pc’s and other technical equipment since April 2004 and has provided valuable input and courteous service to… Read more “Exceptional People”
John Belly
Cambridge Paving Stones and Wall Systems, Inc
I became a customer about 6-7 months and I can say nothing but great things about this business. Zack takes care of me. I am an attorney and operate my own small firm. I have limited knowledge of computers. Zack is very patient in explaining things. He has offered practical and economical solutions to multiple… Read more “Highly Recommended”
Nick T.
West New York, NJ
THANK GOD for this local computer repair business who saved me hundreds, my hard drive was messed up, i called the company with warranty they said it would be $600, I went in they did a quick diagnostic, and based on his observations he gave me a step by step of the possible problems and… Read more “Life Savers”
Desirée A.
East Rutherford, NJ
I don’t have enough words to express my appreciation for Nassar and Paul, and the other members of Advantage Computer Solutions. I live in Bergen County and travel to Passaic County because of the trust I have in the competence and honesty of Advantage Computers. What a blessing to have such seasoned and caring professionals… Read more “I don’t have enough words to express my appreciation”
Amy Neustein
Advantage Computer Solutions is absolutely great. They show up, do what they say they are going to, complete the job without issues (my other computer companies had to keep coming back to fix things they “forgot” to do….) and are fairly priced. Zack is awesome, reliable, dependable, knowledgeable….everything you want in a computer solutions vendor.
Holly Kaplansky
Minuteman Press Newark
Knowledgeable, Reliable, Reasonable Working with Advantage Computers since 1997 for both personal and business tech support has been a rewarding and enjoyable experience. Rewarding, in that the staff is very knowledgeable, approaching needs and issues in a very straightforward, common sense manner, resulting in timely solutions and resolutions. Enjoyable, these guys are really friendly (not… Read more “Knowledgeable, Reliable, Reasonable”
Ben Rowner
MR Capital Group, Inc
Excellent service! I am the administrator for a busy medical office which relies heavily on our computer system. We have used Advantage Computer Solutions for installation, set-up and for service. The response time is immediate and the staff is often able to provide help remotely. Very affordable and honest…. A++!!! Essex Surgical relies on Advantage… Read more “Excellent service!”
Trudy Holt
Essex Surgical
Advantage offers great advice and service I bought parts for my gaming pc online and they put it together in a day for a great price. They are very professional. I was very satisfied with their service. I am a newbie in terms of PC gaming so they gave me great advice on this new piece… Read more “Great Advice and Service”
Jose
Clifton NJ
Our company has been using the services of Advantage Computers since 2006. It was important to find a reliable company to provide us with the technical support both onsite and offsite. It was through a recommendation that we contacted Advantage to have them provide us with a quote to install a new server and update our… Read more “Great Service, Support and Sales”
John Mezzina
Synatech, Inc.
Our company has been working with Advantage since the 1990’s and have been a loyal client ever since. Advantage does not make it very difficult to be loyal as they offer services from the most intricate and personalized to the global scale. Our company has grown beyond its doors of a local office to National… Read more “Extremely Professional and Passionate”
Cherie Avinger
RCL Agencies, Inc. Clifton, NJ
Advantage Computer Solutions has handled all of our computer and IT needs for the past 2 years. The staff is always professional and the service is always prompt. When your computers are down or not working properly is affects all aspects of your business, it is wonderful to have such a reliable team on our… Read more “Handles all our Office IT”
Jennifer Raspanti
Optimum Orthopedics
Since 1996 the Housing Authority of the City of Passaic has been a client of Advantage Computer Solutions. Our Agency has utilized their outstanding services and expertise to solve our technologic problems and growth over the past eighteen years. We would like to personally thank them for proposing cost effective solutions while reducing labor-intense tasks… Read more “Passaic Housing Authority”
Michael S. O’Hara
Passaic Housing Authority
“When the computer I use to run my photography business started acting erratically and kept shutting down, I was in a panic. I depend on that computer to deliver final products to my clients. Fortunately, I brought my HP into Advantage for repair and in one day I had my computer back. Not only did… Read more “They made sure EVERYTHING was working”
Phil Cantor
Phil Cantor Photography