Category: Google

Security issues caused by the WebRTC feature in Chrome browser

What is WebRTC?

Web Real-Time Communication (WebRTC) is a collection of communications protocols and APIs originally developed by Google that enables real-time voice and video communication over peer-to-peer connections.

WebRTC is a set of protocols and APIs that allow web browsers to request real-time information from the browsers of other users, enabling real-time peer-to-peer and group communication including voice, video, chat, file transfer, and screen sharing.

WebRTC implements STUN (Session Traversal Utilities for Nat), a protocol that allows the discovery of your externally assigned IP address as well as your local IP address also.

 

How secure is WebRTC?

WebRTC works from browser to browser, you don’t need to download any software or plugins in order to set up a video conference or VOIP call. All the security that you need is already contained within your browser and the WebRTC platform. Some of the inbuilt security features contained within the WebRTC platform include:

  • End-to-end encryption between peers
  • Datagram Transport Layer Security (DTLS)
  • Secure Real-Time Protocol (SRTP)

End-to-End Encryption

Encryption is built into WebRTC as a permanent feature and addresses all security concerns effectively. Regardless of what server or compatible browser you’re using, private peer-to-peer communication is safe thanks to WebRTC’s advanced end-to-end encryption features.

Data Transport Layer Security (DTLS)

Any data that is transferred through a WebRTC system is encrypted using the Datagram Transport Layer Security method. This encryption is already built-in to compatible web browsers (Firefox, Chrome, Opera) so that eavesdropping or data manipulation can’t happen.

Secure Real-Time Protocol (SRTP)

In addition to offering DTLS encryption, WebRTC also encrypts data through Secure Real-Time Protocol, which safeguards IP communications from hackers, so that your video and audio data is kept private.

Camera and Microphone Security

Unlike some other video and audio conferencing software, WebRTC requires the user to enable access to their microphone and camera before communications begin. Typically, a pop-up box will appear in your web browser, asking you to allow the program access. The image below shows what a webcam and microphone permission pop-up might look like on a chrome browser.

Security issue caused by the WebRTC feature in Chrome

It is well known that the WebRTC feature in Chrome will leak your IP address even if you are behind a proxy server or using a VPN service. While most people who do not use proxy or VPN reveals their IP addresses to whatever web server they visit all the time, the IP address is the most easily accessible piece of information to track a website visitor.

For the minimum, big companies such as Google and Facebook are using the IP addresses to analyzing your habits and behavior and send your highly-targeted ads. While most people are fine with targeted ads, there are people who don’t like to be tracked at all for whatever reason. They will choose to use either proxy or VPN service to avoid being tracked. However, in a browser which supports WebRTC, including Chrome, Slimjet, and Firefox, the website owner can easily obtain the website visitor’s/user’s true IP addresses, but also their local network address too, by a simple piece of JavaScript.

In addition to that, the WebRTC Media Device Enumeration API also enables the website owner to obtain a unique media device id from the user, which can be used to uniquely identify the visitor.

How to verify the IP leakage issue caused by WebRTC?

Here are three websites which can let you detect if your browser is liable to the IP leakage issue caused by WebRTC:

How to prevent the IP leakage caused by WebRTC?

WebRTC Control: http://bit.ly/29aqJnt

Test it: https://www.browserleaks.com/webrtc

Chrome Flaw Allows Sites to Secretly Record Audio/Video Without Indication

What if your laptop is listening to everything that is being said during your phone calls or other people near your laptop and even recording video of your surrounding without your knowledge?

A UX design flaw in the Google’s Chrome browser could allow malicious websites to record audio or video without alerting the user or giving any visual indication that the user is being spied on.

AOL developer Ran Bar-Zik reported the vulnerability to Google on April 10, 2017, but the tech giant declined to consider this vulnerability a valid security issue, which means that there is no official patch on the way.

Here’s the lowdown. Once you give a site permission to use your microphone or camera, Chrome assumes that site will have permission to do so in the future. That means every instance of that site, every page on that site, also has access to your camera and microphone, meaning a sketchy site owner could throw up a pop-under window in the background that’s listening in to everything you say, or worse, listening and set to trigger some action (like recording) when you say specific words or phrases.

After reporting it to Google, For their part, Google doesn’t see it as a problem and says it’s in compliance with W3C (the World Wide Web Consortium) standards. Google does have a point: In order for the issue to be a real threat, not only do you have to visit a site that would want to record your speech, you’d have to grant it access to your microphone, and then you’d have to not notice a pop-under window from that site lingering in the background.

Google consider this a security vulnerability or not, but the bug is surely a privacy issue, which could be exploited by hackers to potentially launch more sophisticated attacks.

In order to stay on the safer side, simply disable WebRTC which can be done easily if you don’t need it. But if you require the feature, allow only trusted websites to use WebRTC and look for any other windows that it may spawn afterward on top of that.

Following such privacy concerns, even Facebook CEO Mark Zuckerberg and former FBI director James Comey admitted that they put tape on their laptops just to be on the safer side.

Although putting a tape over your webcam would not stop hackers or government spying agencies from recording your voice, at least, it would prevent them from watching or capturing your live visual feeds.

If you want to block your camera and Microphone, follow the steps given below:

To improve your Chrome security settings, go to the Settings area, which can be accessed in the top right corner of the browser.

WebRTC-1 Click on Settings –> Advanced Settings –> Content Settings –> Block Camera and Microphone

or  type in the Chrome browser chrome://settings/content –> Block Camera and Microphone.

What Is My Browser – Displays fingerprinting information such as the local and remote IP address, browser, plugins, location, screen resolution and more.

http://ip-check.info/?lang=en << JonDonym

Happy and Safe browsing 🙂

Source: ghacksthehackernewsslimjettwilio,  heimdalsecurity

 

Google Apps with Microsoft Active Directory

Google Apps with Microsoft Active Directory:

About Google Apps Directory Sync:

With Google Apps Directory Sync (GADS), you can automatically add, modify, and delete users, groups, and non-employee contacts to synchronize the data in your G Suite domain with your LDAP directory server. The data in your LDAP directory server is never modified or compromised. GADS is a secure tool that help you easily keep track of users and groups.

Key benefits of GADS:

  • Synchronizes your G Suite user accounts to match the user data in an existing LDAP server.
  • Supports sophisticated rules for custom mapping of users, groups, non employee contacts, user profiles, aliases, calendar resources, and exceptions.
  • Performs a one-way synchronization. Data on your LDAP server is never updated or altered.
  • Runs as a utility in your server environment. There is no access to your LDAP directory server data outside your perimeter.
  • Includes extensive tests and simulations to ensure correct synchronization.
  • Includes all necessary components in the installation package.

Configuration tips:

  • Use the 64-bit version of GADS if you plan to install it on a 64-bit compatible server. This version performs better than other versions when you need to synchronize large amounts of data.
  • Never share your GADS configuration files. The files contain sensitive information about your LDAP server and your G Suite domain.
  • Simulate a synchronization before you perform a real synchronization. And, simulate again whenever you upgrade GADS or change a configuration. If you don’t, you may accidentally delete an account or restrict a user.

How does it work?

Google offers a free tool called Google Apps Directory Sync. This is a program which can be installed on any system in your internal network (Windows XP/7/2003/2008, Linux or Solaris. The tool synchronizes Google Apps users with Active Directory (or other directory) users.

you must have administrator rights both in AD and your Google Apps environments. A setting in the Google Apps Control Panel called “Enable provisioning API” must be turned on.

To enable Domain Admin API access:

  1. Sign into the Google Admin console.
  2. From the dashboard, go to Security> API reference.
  3. CheckEnable API access.
  4. Click Save changes.
Step 1: Prepare your servers

Download and install Google Apps Directory Sync.

Before you begin, make sure you can meet the system requirements for Google Apps Directory Sync (GADS).

Click on the below given link to download the GADS installer:

https://support.google.com/a/answer/6120989?hl=en&ref_topic=6120988

Use the 64-bit version of GADS if you plan to install it on a 64-bit compatible server. This version performs better than other versions when you need to synchronize large amounts of data.

Step 2: Setup Configuration Manager:

Configuration Manager is a step-by-step user interface that guides you through creating, testing, and running a synchronization in Google Apps Directory Sync (GADS).

Open Configuration Manager from the Start menu (Shown in Figure GADS-1)

gads-1
GADS-1

Specify your general settings:

On the General Settings page, specify what you intend to synchronize from your LDAP server. Select one or more from:

gads-2
GADS-2

Define your G Suite settings:

On the Google Apps Configuration page of Configuration Manager, enter your G Suite (Google Apps) domain connection information.

Click the tabs to enter the following information:

  • Connection settings: If you check theReplace domain names in LDAP email addresses box, all LDAP email addresses are changed to match the domain listed in the Domain Name

Authorizing access using OAuth:

  1. ClickAuthorize Now to set up your authorization settings and create a verification code.
  2. ClickSign in to open a browser window and sign into your G Suite domain with your super administrator username and password.
  3. Copy the token that is displayed.
  4. Enter the token in theVerification Code field and click Validate.
  • Proxy settings: Provide any necessary network proxy settings here. If your server doesn’t require a proxy to connect to the Internet, skip this tab.
  • Exclusion rules: Use exclusion rules to preserve information in your G Suite domain that isn’t in your LDAP system (for example, users that are only in G Suite). See more about using exclusion rules.

Exclusion rules allow you to omit specific users, user profiles, groups, organizational units, calendar resources, and other data from the Google Apps Directory Sync (GADS) process. For example, you can add a user profile exclusion rule to exclude specific user profile information that you don’t want to sync in your G Suite domain.

gads-3
GADS-3
gads-4
GADS-4

Define your LDAP settings:

On the LDAP Configuration page of Configuration Manager, enter your LDAP server information. After you configure the LDAP authentication settings, click Test Connection. Configuration Manager connects to your LDAP server and attempts to sign in to verify the settings you entered.

If you selected Open LDAP or Active Directory® as your LDAP server, click Use defaults at the bottom of every configuration page to quickly set up the sync with default parameter. You can then customize them to your needs.

For detail on the LDAP Configuration fields in Configuration Manager, see LDAP connection settings.

gads-5
GADS-5

Click on Test Connection

gads-6
GADS-6

Leave the Org Units settings and move to User Accounts

User Accounts

Specify what attributes GADS uses when generating the LDAP user list on the User accounts page -> User Attributes:

Email address attribute The LDAP attribute that contains a user’s primary email address. The default is mail.
(Optional) Unique identifier attribute An LDAP attribute that contains a unique identifier for every user entity on your LDAP server. Providing this value enables GADS to detect when users are renamed on your LDAP server and sync those changes to the G Suite domain. This field is optional, but recommended.

Example: objectGUID

Under Google Apps Users deletion/Suspension policy

Select -> Suspend Google Apps users not found in LDAP, instead of deleting them: Active users in G Suite will be suspended if they are not in your LDAP server. Suspended users are not altered.

Select -> Don’t suspend or delete Google Apps admins not found in LDAP

gads-7
GADS-7

Additional user attributes: Additional user attributes are optional LDAP attributes that you can use to import additional information about your G Suite users, including passwords. Enter your additional user attributes on the User accounts page.

gads-8
GADS-8

A brief look at how to create a user in Active Directory and then use Google Apps Directory Sync (GADS) to provision the user in your Google Apps domain.

Leave the remaining Settings like Groups, user profiles, Shared Contacts, Calendar Resources as it is.Go to

 Notification:

gads-9
GADS-9

Logging: Enter the directory and file name to use for the log file or click Browse to browse your file system.

Example: sync.log

Sync:

Click Simulate sync to test your settings. During simulation, Configuration Manager will:

  • Connect to your G Suite domain and generate a list of users, groups, and shared contacts.
  • Connect to your LDAP directory server and generate a list of users, groups, and shared contacts.
  • Generate a list of differences.
  • Log all events.

If the simulation is successful, Configuration Manager generates a Proposed Change Report that shows what changes would have been made to your G Suite user list.

gads-10
GADS-10

Note: Running a simulated synchronization does not update or change your LDAP server data or your users accounts in G Suite. The simulation is only for checking and testing purposes.

When you are confident that the configuration is correct, click Sync & apply changes to initiate the synchronization.

http://commondatastorage.googleapis.com/enterprisetraining/gapps/admin/DirSync_GoogleApps/en/DirSync_GoogleApps.html

Source: G Suite

 

 

 

G Suite (Google Apps): How to send reply mail from Alias eMail ID?

Every Google Apps user has a primary address for signing in to their account and receiving mail. If a user wants another address for receiving mail, you can give them an email alias.

For example, if mail@lakkireddymadhu.com wants to also receive the email sent to sales@lakkireddymadhu.com, create the alias sales@lakkireddymadhu.com. Mail sent to either address then appears in mail@lakkireddymadhu’s Gmail inbox.

You can add up to 30 email aliases for each user.

Through Admin login to G Suite will add alias email ID to the original user email ID.

Log on to your domain in G Suite -> Users -> Click on which user ID you want to add alias Account -> Aliases -> Add an alias -> click on Save ( Same sequence given below images

 

gsuite-1
                                                                                                                  G Suite -1
g-suite-2
                                                                                                          G Suite-2
g-suite-3
                                                                                                                    G Suite-3

 

Mail sent to either address then appears in mail@lakkimadhu’s Gmail inbox.

If you received any mail to the alias ID sales@lakkireddymadhu.com and you want to reply to that from sales@lakkireddymadhu.com instead of mail@lakkireddymadhu.com , then follow the below given procedure.

Sign into your Google Apps email (email@lakkimadhu.com)

Click the gear in the top right gear

  1. Click on the -> Settings -> Accounts -> Add another email address you own
g-suite-4
                                          G Suite-4
g-suite-5
                                                                                                                           G Suite-5
  1. click on Add alias email address.
  1. In the Email address field, enter your name and alternate email address.
  2. Click on Next Step. It saves automatically.
g-suite-6
                                                                                                             G Suite-6

5. You can view both ( primary and alias email IDs) in the Settings. Image is given below

g-suite-7
                                                                                                                 G Suite-7

Now Click on Compose, below given pop-up opens.

Click on the From tab ( arrow mark shown- drop down)

g-suite-8
                                                                                    G Suite-8

You can view both the Ids, select sales@lakkireddymadhu.com to send mail from the Alias email ID / reply mail.

Happy computing 🙂

Source: Google

Great Google Secrets

Finding useful information on the ­World Wide Web is something many of us do. We can find information about anything by searching online. Google is the most popular search engine available, but navigating it can sometimes be tricky.

But most people don’t use it to its best advantage. Do you just plug in a keyword or two and hope for the best? That may be the quickest way to search, but with more than 30 trillion pages in Google’s index, it’s still a struggle to pare results to a manageable number.

Google’s algorithm keeps improving, and without context, it’s hard for Google to know exactly what you’re looking for, especially if your inquiry is highly specific. But there are a few tricks for searching that can help you quickly find the results you’re looking for. Tricks like formatting and punctuation can really help narrow down your search.

So learn some of these tricks on how to be effective at “Googling”:

How-to-be-a-google-power-user-1 (more…)

Google’s new privacy policy: The good, bad, scary:

Google  knows more about you than your wife :

 Google has updated its privacy policy in a way that breaks down product silos, but allows the search giant to mine data across all of its services.

In a blog post, Google outlined the changes. These changes are the enterprise Holy Grail in many respects. Companies everywhere want to break down product walls to get a 360 degree view of customers. The difference with Google is reach and it is actually succeeding. In a nutshell, Google is:

  • Making its privacy policies easier to read.
  • Aggregating data across products for Google and user experience.
  • And arguing that it’s easier to take your data and go somewhere else.

Here’s how this boils down for this Google user between work and personal uses.

The good: Anything that simplifies privacy policies makes sense—even if you may not agree with them. Google has 70 privacy documents today. That will be boiled down to one privacy policy.

google-logo-drawn-by-kids

The bad: Unified user experience aside, it was kind of nice to have my YouTube personas different from say, Gmail and Google+. Philosophically it makes sense. Emotionally I’m not so sure I’m on board the one for all approach.

The scary: Google will know more about you than your wife does. Everything across your screens will be integrated and tracked. Google noted that it collects information you provide, data from your usage, device information and location. Unique applications are also noted. Sure you can use Google’s dashboard and ad manager to cut things out, but this policy feels Big Brother-ish. Google is watching you as long as you are logged in. It’s also unclear whether this privacy policy move will be considered bundling in some way by regulators. This unified experience hook appears to be at least partially aimed at juicing Google+. Google responded with clarification: Google noted that it already has all that data, but it’s now integrating that information across products. It’s a change in how Google will use the data not what it collects. In other words, Google already knows more about you than your wife.

The bottom line here is that you should start perusing Google’s terms of service and privacy policies pronto.

 changes will take effect on March 1, and Google already  started to notify users , including via email and a notice on Google homepage.

source: zednet,Google