Category: ChromeBook

Jun 19 2017

How to install Linux on a Chromebook (and why you should)


Chromebooks are one of the most secure devices you can give a non-technical end user, and at a price point few can argue with, but that security comes with a privacy trade-off: you have to trust Google, which is part of the NSA's Prism programme, with your data in the cloud.

Even those who put their faith in the company's rusty "don’t be evil" mantra may find Chromebook functionality limiting—if you want more than Google services, Netflix, some other Web apps, and maybe the Android app store, then you're out of luck.

Geeky users willing to engage in some entry-level hackery, however, can install Linux on their Chromebook and unleash the Power of Torvalds™.


Aug 13 2011

SSCC 70 – Patch Tuesday, insulin pump hacking, Android patching, ChromeOS hacking, archiving our digital past

Vanja Svajcer from SophosLabs Croatia joined me this week to discuss the presentations we were able to attend at this year’s Black Hat and DEFCON security conferences in Las Vegas, Nevada.

This Tuesday was the monthly patch day for Microsoft and Adobe; as usual, I briefly highlighted the most important updates for August.

Vanja and I attended some sessions together and others independently and we shared our thoughts from the most interesting of the sessions we were able to attend.

We began by discussing research into the security of Google’s recently released ChromeOS. Vanja pointed out how hacking ChromeOS is less about the operating system and much more about how you can take advantage of flaws in the Chrome browser itself.

Both of us had the pleasure of seeing Moxie Marlinspike speak at DEFCON on SSL insecurity and his proposed solutions. We both appreciated the in-depth look Marlinspike presented and found his proposed solution, Convergence, an interesting way of solving the authenticity problem.

Vanja attended a session by the team from Lookout Security about the patch life cycle on the Android OS.

The Lookout team reviewed the average time from discovery of a vulnerability until when Google provided a patch, then looked at the average amount of time each OEM took to integrate that patch into their Android distribution for each handset, and how long each carrier took to make that available to their customers.

I discussed my thoughts on the research done by Jay Radcliffe on hacking insulin pumps through their RF interface.

Radcliffe uncovered some rather disturbing findings as to the security implemented to protect users of these devices which will hopefully spur on the manufacturers to improve their implementations in future devices.

The last talk we discussed was given by Jason Scott on the work of archiveteam.org whose slogan is “We are going to rescue your sh*t”. Scott talked about what Archive Team does, why they do it and he presented his case with a lot of panache.

(11 August 2011, duration 23:42 minutes, size 16.3 MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 70 or subscribe to our RSS.



Aug 03 2011

BH 2011: Hacking Google ChromeOS

Matt Johansen and Kyle Osborn presented their paper at Black Hat this morning titled “Hacking Google ChromeOS”.

Google’s netbook operating system has been touted as the first platform that has been designed to be malware free from the start. Users are not able to download/install/execute code on a ChromeBook; they are only allowed to download Chrome extensions.

Johansen and Osborn didn’t bother to try and prove Google wrong; they simply looked into the implications of having everything “running” as an extension in the browser.

Their research impacts all users of Google Chrome, whether they happen to be using it as an OS or simply as their browser of choice.

They discovered two things… One is that if you are running JavaScript code on the device, your code could be vulnerable to an XSS (cross-site scripting) attack.

When a website has an XSS vulnerability, it allows people to attack that specific site, but it does not affect others. What happens when you have an XSS vulnerability in an application in your browser?

Well, considering the API that Chrome provides for extension development, it allows an attacker to exploit any web site operating within that browser (including all other tabs).

They did point out that Google has been very responsive and has been working with them on solutions to mitigate the risks.

While it is easy to write a malicious application and upload it to the Chrome Web Store, you would have a difficult time getting a large number of people to install it.

The worrying part is that any existing popular extensions which contain vulnerabilities could allow for an attacker to arbitrarily hijack everything that occurs in your browser session. Scary.

Many extensions available on the Chrome Web Store were not exactly designed with security in mind, which not only makes them potentially vulnerable, but also means they ask for more permissions than they may need to work properly.

If you’re a Chrome user, or have a ChromeBook, you may wish to think twice before installing those random plugins and keep your eyes open for developments on how Google will work to better protect you.
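
The point above about extensions asking for more permissions than they need can be checked from an extension's `manifest.json` before installing or approving it. The following is an added example, not code from the original post or from Google: a Node.js function that flags all-site host patterns and cross-site API permissions. The two sample manifests and the choice of which permissions to treat as sensitive are constructed for illustration.

```javascript
// Added example: audit a Chrome extension manifest for broad access.
// Match patterns that cover every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// API permissions that expose data across tabs or sites (assumed shortlist).
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history", "webRequest"]);

function auditManifest(manifest) {
  const findings = [];
  // Older manifests mix API names and host patterns in "permissions";
  // manifest_version 3 moves host patterns to "host_permissions".
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
  ].filter((p) => typeof p === "string");
  for (const p of declared) {
    if (BROAD_HOSTS.has(p)) findings.push({ kind: "broad-host", value: p });
    else if (SENSITIVE_APIS.has(p)) findings.push({ kind: "sensitive-api", value: p });
  }
  // A content script injected into every page widens the reach of any
  // script-injection bug in the extension to all open sites.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push({ kind: "broad-content-script", value: m });
    }
  }
  return findings;
}

// Constructed sample: a note-taking extension that requests access to everything.
const broadManifest = {
  name: "Example Notes (constructed)",
  manifest_version: 2,
  permissions: ["tabs", "cookies", "http://*/*", "https://*/*", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
// Constructed sample: the same extension scoped to the one site it needs.
const scopedManifest = {
  name: "Example Notes, scoped (constructed)",
  manifest_version: 2,
  permissions: ["storage", "https://notes.example.com/*"],
  content_scripts: [{ matches: ["https://notes.example.com/*"], js: ["content.js"] }],
};

console.log(auditManifest(broadManifest));
console.log(auditManifest(scopedManifest));
```

An empty result does not mean the extension is free of XSS; it only shows that a flaw in it would be confined to the hosts it names.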