Category: Security & Privacy

Don’t wait for Google to end third-party cookies

Posted on by Martin Brinkmann

Google plans to eliminate third-party cookies in its Chrome web browser. An updated schedule, published on Wednesday, confirms that testing begins in the first quarter of 2024.

A total of 1% of Chrome users will join the test, which disables third-party cookies in their browsers. Google plans to push the change to the entire Chrome population by the third quarter of 2024.

The main purpose of this type of cookies is tracking on today’s Internet. While it is up for debate whether the disabling will have a positive effect on tracking, it is clear that it does eliminate a widely used form of tracking.

Google, being an advertising company first and foremost, has already created a system that it believes is better for the privacy of Internet users. Called Privacy Sandbox, it integrates the tracking directly into the Chrome browser.

Chrome analyzes the browsing data and assigns the user to interests groups. Websites and web advertising companies may use the information to display targeted ads. There is also an option for websites to assign certain interests to users. The system runs in the local browser, which, Google believes, is reason enough to use the term privacy to describe it.

You can disable these ad systems in Chrome for desktop systems and on Android; check out the linked guides to find out how.

Disable third-party cookies in Chrome

Block third-party cookies in Google Chrome

Most Internet users have no benefit from keeping third-party cookies enabled in their browsers. Very few may use services that require third-party cookies for functionality. The vast majority of websites and services works fine without third-party cookies.

It is therefore a good idea to test disabling third-party cookies in the web browser. If you run into problems, you can still enable the feature again to resolve it, or create exceptions for these rare cases.

Here is how that is done in Chrome:

  1. Load this page in Chrome’s address bar: chrome://settings/cookies. It opens the Cookies and other site data preferences.
  2. Select “block third-party cookies” under general. Chrome displays information about this when the option is set.

It states:

Sites can use cookies to improve your browsing experience, for example, to keep you signed in or to remember items in your shopping cart

Sites can’t use your cookies to see your browsing activity across different sites, for example, to personalize ads. Features on some sites may not work.

This is all that is required to block the use of cookies for tracking across different sites. Note that the change does not affect first-party cookies, which remain supported. These serve an important purpose, as they are often used to keep user’s signed in among other things.

All major browsers support options to turn off cookies entirely or only third-party ones. Most Internet users may want to block these cookies or configure their browsers to delete them regularly to limit tracking. Firefox users may want to check out this cookie banners article, as it explains how to do so in the browser.

Closing Words

Google’s crusade against cookies is self-preserving. The company makes most of its money from advertising and a lot of that money relies on tracking. The euphemistically called Privacy Sandbox is a continuation of that, albeit under different conditions.

The main danger of Privacy Sandbox is not that it continues to track users using a different system, but that it is an advertising system that is now integrated into a web browser. Google controls this web browser and also the open source core Chromium. Several developers of Chromium-based browsers announced that they won’t go along with Google, which is good for users of these browsers.

Problem is, Chrome has a commanding usage share and that means that the majority of Internet users will be enrolled automatically into the new system.

Now You: how do you handle third-party cookies on your devices?

Firefox 120 will block cookie banners, but only in Germany

Posted on by Martin Brinkmann

Mozilla plans to enable cookie banner blocking in Firefox 120, but initially only in Germany. Other regions will follow at later point in time. Firefox users may, however, enable the blocking already.

Many websites display cookie consent banners to users. These banners give website visitors a choice regarding the use of cookies.

Cookies are data that websites may save on the local system. The sites may read the data in future visits. Cookies are useful, as they may keep the user signed-in or store preferences. Cookies are also used for tracking purposes.

The rise of cookie banners coincided with new regulatory laws in the European Union, California and some other regions. The main idea was to put users in control again in regards to cookies.

What was once thought of as a good idea turned into a huge annoyance for users. More or less all websites display cookie banners to users now, which often means that users have to interact with these banners frequently.

It is an annoyance, especially since there is no “don’t allow” default option that the browser sends automatically. Users who delete cookies regularly will get these banners in each browsing session.

Firefox 120: cookie banners be gone

Mozilla plans to introduce automation in Firefox 120 in Germany to block cookie banners and select “decline” whenever possible. The web browser will block cookie banners that include an option to refuse all but necessary cookies.

It should be clear that users will continue to see cookie banners. There is no standard for showing them to users and sites may use third-party scripts or custom scripts for the functionality.

Still, Firefox 120 will block common cookie banners, which should reduce the number of banners that users see while using the browser.

How to enable cookie banner blocking in Firefox

Firefox Cookie Banner blocking preferences

Mozilla plans to launch the feature in Germany only, but all Firefox users may configure the browser to block banners. I mentioned this back in 2022 on Ghacks.

  1. Load about:config in the Firefox address bar.
  2. Use the search field at the top to find cookiebanners.service.mode.
  3. Change the value of the preference to 1.
  4. Change the value of cookiebanners.service.mode.privateBrowsing to 1 as well. This enables the functionality in the private browsing mode.
  5. Restart Firefox.

The preference supports three values:

  • 0 — disables the feature. In other words, no cookie banners are blocked.
  • 1 — blocks all known cookie banners and does nothing otherwise.
  • 2 — blocks all known cookie banners and accepts any cookie banner otherwise.

Dealing with cookies

Tracking is severely limited if third-party cookies are blocked in the browser. Other options include deleting cookies and site data regularly.

Firefox ships with tracking protection functionality. While not as good as a true content blocker, such as uBlock Origin, it is better than nothing.

Blocking third-party cookies is a good idea to reduce tracking. Firefox makes this a bit complicated, as it does not offer a simple switch to turn off third-party cookies like Chromium-based browsers do.

  1. Load about:preferences#privacy in the browser’s address bar.
  2. Select the Custom option under Enhanced Tracking Protection.
  3. In the cookies menu, select “All cross-site cookies (may cause websites to break)”.

This blocks third-party cookies in the browser. Note that some, very few, sites may not work properly with this setting.

Closing Words

Several browsers deal with cookie banners automatically. Brave Browser has a cookie consent blocking feature and so does Vivaldi Browser.

Mozilla is a bit late to the party, but better late than never, especially if the feature improves usability. Firefox 120 will be released on November 21, 2023.

Now You: how do you deal with cookie banners? (via Sören Hentzschel)

Why you should make use of Virtual LAN (Guest Wi-Fi)

Posted on by Martin Brinkmann

Guest Wi-Fi, or more precisely virtual LAN, is a feature of many Internet routers. It adds another wireless networking option, which is fully separated from the main local network.

The term Guest Wi-Fi refers to one of its primary purposes: to allow guests to connect their devices to the Internet using a wireless connection. There is more to virtual LAN than that, however.

Many modern devices ask for Internet connectivity. Some work perfectly well without, but others require this connectivity to be of any use. Basic examples of devices that fall into the latter category include Amazon Fire TV and Alexa, most Google Home devices and most virtual assistant services.

Many devices support Internet connectivity; these can be printers, scanners or web cameras, but also a growing assortment of, often, perplexing devices that include toaster ovens, toothbrushes or refrigerators.

All of these devices are on the same local network by default, which is bad.

A story of a Printer, Amazon and Printer Ink emails

A user posted an interesting story on Hacker News the other day. They revealed that they have been receiving emails from Amazon about printer ink reorders frequently. Amazon knew about the printer and ink consumption, but the user did not know how.

The user had an Amazon Echo device connected to the local network. It turned out that Amazon’s device was picking up information that the printer provided to any device of the local network. In other words, Amazon knew when and what the user printed. It used the information to estimate printer ink use to send printer ink offers to the user.

Guest Wi-Fi may prevent this

Guest Wi-Fi connection on Android

The use of a virtual LAN might prevent this data leakage from happening. You would have to enable the guest Wi-Fi option in the router and connect one of the two devices to it.

Not all routers support virtual LAN functionality and some only with limited functionality. You may open the router’s dashboard on the local network to check if you find Guest Wi-Fi or a similarly named feature there.

The only step left is to connect the devices that you want to isolate to the new wireless network, effectively cutting it off from the local one.

These devices retain Internet connectivity, but they can’t communicate with devices that are not connected to the Guest Wi-fi anymore.

There may be other solutions, depending on setup. Some devices can be connected using cables. If you don’t require Internet connectivity for a device, say a printer, you could connect it using cables only. This would remove an attack vector as well.

The advantages and disadvantages of Guest Wi-Fi

Virtual networks offer several advantages over connecting all devices to a single network:

  • Connected devices are isolated from the rest of the network, which means that they are blocked from interacting with the home network. This offers several advantages:
    • The devices can’t collect personal data anymore from the main network.
    • Attacks that exploit issues in Guest Wi-Fi devices can’t penetrate the local network anymore.
  • Another key point is that you don’t need to share the main wireless LAN password with guests.
  • Last but not least, you may turn off wireless access for these devices at any time.

Even though Guest Wi-fi offers advantages, it is equally important to understand certain disadvantages.

  • Most routers support just a single virtual network. If you connect multiple devices to it, these devices may share information. Ideally, you’d put all IoT devices on a separate VLAN.
  • Some devices may require access to local data or other devices. If you want to cast from your PC to your TV, you need them on the same network. Others may flat out refuse to work without home network connection.
  • The configuration options of virtual networks may be limited.

Closing Words

It is a good idea to enable Guest Wi-Fi, if supported by the router. Some IoT device connections may be switched to improve security and privacy. While it may not be possible to migrate every device, it may also be a good idea to assess the status quo of all devices with Internet connectivity. Do all of these require an active Internet connection?

Now You: do you use Guest Wi-Fi on your network?

Stream-jacking Attacks are on the rise

Posted on by Martin Brinkmann

Stream-jacking attacks have gained some traction this year. These attacks hijack streaming accounts on popular sites to impersonate known brands and push crypto-scams.

BitDefender published an analysis of one of the larger attacks on its blog this week. The security company discovered a large operation that hijacked more than 1100 streaming video channels.

The hijacked channels had a median view count of more than 200000 views and a median subscriber count of more than 2200. The largest hijacked channel had a subscriber count of 9.9 million. The three largest hijacked channels view counts of more than 1 billion.

The attacker changed several of the channel names and handles to mimic official Tesla channels. Livestreams with officially sounding titles were streamed then to subscribers and others using old Tesla footage. The attacker displayed links to users to promote scams.

BitDefender writes:

Links propagated via hijacked YouTube channels promote a similar and well-known scam. The ruse involves sending any amount of cryptocurrency (Bitcoin, Ethereum, USDT, Dogecoin, BNB, Shiba Inu, etc.) and promises to send double the amount back to the scammed person. In rare cases, phishing links are written directly in the video.

BitDefender did not find any “old” videos of the channel, and the company suggests that these were either set to private ore deleted entirely by the attacker.

How the attack starts

Most attacks start with targeted phishing emails. The attacker creates well crafted emails, that often look like business opportunities. It could include information about a sponsorship deal or other form of collaboration.

Another popular email type informs the channel owner about copyright notices, which are fake.

The attackers try to use emails and email addresses that look legitimate to the untrained eye. It mimics “communications from trusted third-party vendors” or uses “email addresses that don’t raise immediate suspicion”, says BitDefender.

The goal of the attacker is to get the recipient of the email to download and execute a malicious file. Since security software may stop these before they are downloaded by the user, it is often inflated in size to prevent the scanning.

The software scans the system for valuable information, including cookies and session tokens. These may allow the attacker to take over the channel without knowing the account password.

How to protect yourself against Stream-jacking attacks

Stream-jacking attacks start like any other phishing attack. It is therefor essential to be able to identify phishing attacks.

Here are the essentials:

  • Emails that use non-personal greetings, e.g., without a name.
  • Emails that include attachments, especially if the file format looks dubious, e.g., .exe or .scv.
  • If the email address imitates that of a legitimate company, but not fully. Examples include using a different country extension or a slightly wrong spelling of the company name in the email address.

Other factors include spelling or grammar mistakes, prompts to take urgent action or offers that sound too good to be true.

One of the best protections is to avoid interacting with the email directly. Never open attachments if the sender is not trusted or you aren’t expecting an email with an attachment.

A good starting point is to do some research using a search engine. Try to find out if a company is legitimate or if others have worked with it in the past already.

Sometimes, all it may take is to sign-in to the account to check if an official notification is available. At other times, contacting a support representative of the streaming service may also help in the matter.