
The Advanced Persistent Threat You Have: Google Chrome [pdf] - epsylon
http://www.netsq.com/Documents/GoogleAPT.pdf
======
skybrian
This seems like a good paper that isn't actually about something wrong with
Chrome. It's about what security tools need to do to track auto-updating
software.

------
epsylon
"Making of" paper is here:
[http://www.netsq.com/Documents/MakingOfGoogleAPT.pdf](http://www.netsq.com/Documents/MakingOfGoogleAPT.pdf)

------
dkokelley
I found the paper very eye-opening, but perhaps I missed the "moral" of the
story. I understand that Google's auto updater can behave similarly to a
malicious utility by an APT, but what recourse or mitigation techniques are
available? According to the paper, each step individually is indistinguishable
from benign activity. Techniques for identifying the end result of the
activity and flagging it as suspicious are omitted (or perhaps I missed them).

------
sjg007
Presumably Chrome and its updater are digitally signed... not that that stops
malware but at least it is another layer.

------
RachelF
Others are dumping Chrome for similar reasons:
[http://www.extremetech.com/computing/210576-why-im-dumping-google-chrome](http://www.extremetech.com/computing/210576-why-im-dumping-google-chrome)

------
irickt
The paper is dated 18-Apr-2012.

------
NickHaflinger
Total FUD... nothing gets updated here unless I want it to. And why isn't the
Microsoft software updater or your AV updater considered an equal threat? Who
paid for this 'study'?

------
xpaulbettsx
I can't read through the pages and pages of grandstanding in this PDF; does
this at all have some sort of escape of a security boundary, or is it just "I
found a weird way to hack myself"?

~~~
exelius
It's not about hacking; it's about threat modeling using a widespread and
well-understood implementation that behaves similarly in many ways to a real
threat. Basically, if your APT identification tech can't detect Google Chrome
updates being pushed out over your network, you won't be able to detect real
malicious actors. A true threat would act in a very similar way, except the
payload would be more malicious than Chrome updates.

It's an interesting thought experiment, but no, there are no concrete
conclusions.
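One way to make the detection gap described in this thread concrete, as an added example that is not from the paper or from any commenter: a small Python correlator over constructed endpoint log events that flags a host only when the individually benign steps of an updater-like chain (drop, persistence, execution, network) all complete within a time window. The event types, field names, hosts and paths are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Stages of an updater-like chain, each benign on its own: a binary dropped into
# a user-writable directory, a persistence entry pointing at it, the binary
# executing, and the new process talking to the network.
STAGES = ("file_write", "persistence", "process_start", "network")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "/home/", "/tmp/")

def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)

def correlate(events, window=timedelta(hours=1)):
    """Return one finding per (host, executable) whose chain completes every
    stage within `window` of the drop. Each event's `path` is the executable
    the event concerns: the file written, the persistence target, the image
    started, or the image of the connecting process."""
    chains = {}                                     # (host, path) -> stage -> time
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, ts = (ev["host"], ev["path"].lower()), datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_write":
            if is_user_writable(ev["path"]) and ev["path"].lower().endswith(".exe"):
                chains[key] = {"file_write": ts}    # (re)start a chain at the drop
            continue
        chain = chains.get(key)
        if chain is None or ts - chain["file_write"] > window:
            continue                                # no drop seen, or too old
        chain.setdefault(ev["type"], ts)            # keep the first time per stage
    return [{"host": h, "path": p,
             "seconds": int((c["network"] - c["file_write"]).total_seconds())}
            for (h, p), c in chains.items() if all(s in c for s in STAGES)]

# Constructed telemetry (not from the paper): ws1 runs the whole chain, ws2 only
# downloads a file, ws3 runs a binary from Program Files (no user-writable drop).
DROP = r"C:\Users\a\AppData\Local\Vendor\Update\app_new.exe"
SAMPLE_EVENTS = [
    {"host": "ws1", "ts": "2012-04-18T09:00:01", "type": "file_write", "path": DROP},
    {"host": "ws1", "ts": "2012-04-18T09:00:05", "type": "persistence", "path": DROP},
    {"host": "ws1", "ts": "2012-04-18T09:02:10", "type": "process_start", "path": DROP},
    {"host": "ws1", "ts": "2012-04-18T09:02:12", "type": "network", "path": DROP},
    {"host": "ws2", "ts": "2012-04-18T09:10:00", "type": "file_write",
     "path": r"C:\Users\b\Downloads\setup.exe"},
    {"host": "ws3", "ts": "2012-04-18T09:11:00", "type": "process_start",
     "path": r"C:\Program Files\Vendor\app.exe"},
    {"host": "ws3", "ts": "2012-04-18T09:11:03", "type": "network",
     "path": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['path']} completed the chain in {f['seconds']}s")
```

A legitimate updater and a real intrusion both trip this rule; the point is that a detector which never fires on the former cannot be trusted to fire on the latter, and allow-listing known signers or update hosts is then a separate, explicit decision.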

