Insights For Success

Strategy, Innovation, Leadership and Security

Billions of passwords, files and cookies were leaked

General | Edward Kiledjian

I have written about general user security several times over the last few years, and the recipe is always the same:

  • Install a good anti-malware product

  • Make sure your applications and operating systems are patched

  • Don't click or open unexpected or unknown links/attachments.

Even with the best practices, there is malware that is stealthy enough to avoid detection.

Recently, security researchers from NordLocker followed a trail left by sloppy hackers. To everyone's surprise, they found 1.2TB of files, cookies, 900K images, 600K Word files and credentials stolen from over 3M computers. The data was obtained through malware that stole data from users' Desktop and Downloads folders.

  • The data is relatively fresh, and ~30% of the cookies were still valid.

  • 1M website logins, including the four horsemen of the internet: Amazon, Facebook, Twitter and Gmail.

So what next?

The malware is stealthy and cannot be easily detected by antivirus products. 

However, the information has been added to the Have I Been Pwned service.

As previously described, you visit the site, enter your email address, and it tells you whether you are part of this breach (or any other).


How do you protect yourself in the future?

  • Use long, unique passwords for each site, with the credentials stored in a good password manager (like 1Password or Bitwarden).

  • Use a good reputable antivirus, update your software and operating system.

  • Make sure you regularly delete your cookies. I have written in the past about extensions that automate this.

  • Install a good anti-malware product

  • Make sure your applications and operating systems are patched

  • Don't click or open unexpected or unknown links/attachments.



Chrome extensions for the security conscious

General | Edward Kiledjian

Extensions are interesting little technical widgets. Most assume they are simply tools, but some see them as art. I can learn a lot about a computer user from the browser extensions they have installed and use. As a security professional, I have a handful of security-oriented extensions (in addition to the ones that make the web more usable or that save me money).

I regularly receive requests from readers to list my extensions and, to be honest, they often change. I remove extensions I don’t use, deactivate extensions I sometimes use and add new ones that I learn about. So, right now, here are the extensions I think you will find the most useful. They are Google Chrome extensions, but they work in any Chromium browser (like MS Edge).

BuiltWith Technology Profiler

Shows the tech stack a website is built on.

Chaff

Generates random web browsing traffic to obfuscate your actual browsing behavior and avoid profiling through third-party observation. Think of this as data poisoning for the companies that track you.

ClearURLs

This extension will automatically remove tracking elements from URLs to help protect your privacy when browsing the Internet.

Click&Clean

A tool that lets you clear browser tracking data.

Disconnect

Lets you block invisible web trackers.

Distill

A tool that monitors a webpage and alerts you when it changes.

DuckDuckGo Privacy Essentials

This is a Swiss Army knife of internet privacy. Here are the features this extension offers:

  • Escape Advertising Tracker Networks — Our Privacy Protection will block all the hidden third-party trackers we can find, exposing the major advertising networks tracking you over time, so that you can track who's trying to track you.

  • Increase Encryption Protection — We force sites to use an encrypted connection where available, protecting your data from prying eyes, like Internet Service Providers.

  • Search Privately — You share your most personal information with your search engine, like your financial, medical, and political questions. What you search for is your own business, which is why DuckDuckGo search doesn't track you. Ever.

  • Decode Privacy Policies — We’ve partnered with Terms of Service Didn't Read to include their scores and labels of website terms of service and privacy policies, where available.

DuckDuckGo has said: “DuckDuckGo has announced that its Chrome browser extension has been updated to block Google's new tracking technology.” You can test whether your browser currently supports FLoC using the EFF's Am I FLoCed website.

EFF Chrome extensions

  • HTTPS Everywhere: switches you to a secure HTTPS connection when available.

  • Privacy Badger: automatically learns to block invisible trackers.

Robots Exclusion Checker

Robots Exclusion Checker is designed to visually indicate whether any robots exclusions are preventing your page from being crawled or indexed by search engines. A security person could then take those robots files, manually check those pages and find out why the organization doesn’t want them indexed. Sometimes the exclusion is because they don’t want Google indexing active pages; other times it’s because those pages contain information the organization doesn’t want outsiders to easily find (pricing, org info, etc.).

Social Disconnect Plus

Social Disconnect Plus is a browser extension that removes all sorts of Social Media content on webpages (i.e. the Facebook like button and other widgets).

uBlock Origin

uBlock Origin is the best ad blocker available, but it does so much more. It is a powerful HTML firewall that protects you from several web attacks.

UA Spoofer for Chrome

With this extension, you can quickly and easily switch between user-agent strings. Also, you can set up specific URLs that you want to spoof every time.

Wayback Machine

Easily determine if the Internet Archive has previous versions of the webpage you are on.

More Ransomware gang tor darknet sites

General | Edward Kiledjian

I wrote a blog post about popular ransomware groups' TOR (darknet) showcase sites (here).

The purpose of this entry is to add additional sites to that list (so you should check that post out first).

Astro Team

anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion


CUBA FREE

cuba4mp6ximo2zlo.onion


Babuk Ransomware

wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion


Ragnarok Ransomware

wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion


Everest Ransomware

ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion


Ransomex Ransomware

rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion


Android vulnerabilities are more valuable than iOS ones

General | Edward Kiledjian

[Screenshot: vulnerability broker payout chart, taken April 2, 2021]

The free market determines pricing based on the intersection of supply and demand. For the longest time, an iOS Full Chain Compromise with Persistence (FCP) demanded a significantly higher payout from vulnerability vendors than Android ones. This was a simple question of economics: Android had more easily exploitable vulnerabilities, so each one was worth less. On the other hand, iOS was built like Fort Knox. Vulnerabilities were few and far between, and dictatorial regimes and evildoers were willing to write much bigger checks to buy those rarer exploits.

The chart above shows the pricing as of April 2, 2021, and clearly shows that an Android FCP demands a $500,000 bonus over an iOS one. We know demand for these has not dropped, so the only possible explanation is that there are more iOS vulnerabilities in the market than Android ones.

Although Google doesn’t use security to market its smartphone OS, it has a best-in-class security team that is making Android more secure with every release. iOS is improving as well, but not as fast as Android.

Before you start throwing things at me, remember that privacy and security are two very distinct qualities. There is no question that iOS offers a fairly secure computing environment and world-class privacy.

Android, on the other hand, asks you to trade in some privacy in exchange for a super functional assistant, but has done a fantastic job making its operating system more secure.

Speaking with a security consultant buddy who advises many large companies and special interest private organizations about operational security, he confirms that the “underground” demand for Android FCP vulnerabilities is skyrocketing. He mentioned that unpatched Android vulnerabilities are becoming harder to find but that the demand is skyrocketing (because so many of his customers' targets use the lower-cost Android platforms). Zerodium isn’t the only vulnerability broker in the market, but it is the only one that publicly publishes its payout tables.

My contact said Android’s open source nature is yielding many of these security benefits (e.g. Google regularly upstreams security improvements made by AOSP fork operators like GrapheneOS).

The bottom line is that these operating systems are typically weakened by bad user decisions (configurations, app choices, etc.), but out of the box, Android running on a Pixel device is probably more secure (but less private) than iOS.

The challenge on Android is that many phone vendors do not offer timely upgrades (if ever), which makes these phones super vulnerable. That is why, if you use Android, you should stick with a Pixel device, which comes with guaranteed security upgrades for 3 years and OS upgrades for 2 years.

We know Apple invests heavily in security, so we’ll have to see what security improvements, if any, Apple implements in iOS 15.