Category: Security & Privacy

enter password

Password Managers that restrict passwords should not exist

Posted on by Martin Brinkmann

Password service Dashlane announced restrictions for free account users this week that limit passwords to 25. Starting November 7, 2023, all Dashlane Free users are restricted to 25 passwords instead of unlimited passwords, the previous limit.

Those with more than 25 passwords keep access to them but they face the same restrictions in regards to adding new passwords. In short: once the 25 passwords limit is reached or crossed, new passwords can only be added if enough old passwords are deleted. Dashlane will also limit support access to paying customers.

The company explains that it made the decision to “focus resources on providing the highest level of service, support, and security”. This is marketing speak.

Dashlane Free remains a product, which means that it requires development resources. Limiting passwords won’t change that. This leaves pushing Free users to paid plans by artificially worsening the experience for many of them as a plausible reason.

Restricting passwords is not right

Dashlane Free users could and can store as many passwords as they want using the password manager. This won’t change until November 7, 2023.

The new artificial limit puts many Free users in a precarious position. Those with more than 25 stored passwords can’t continue using the service, as new passwords need to be stored eventually. They have just a few options:

  • Delete passwords regularly to stay under the 25 passwords limit.
  • Upgrade to a paid account and give in to Dashlane’s pressuring.
  • Migrate to another password manager.

The first option is only feasible for users who don’t have many passwords in Dashlane. Upgrading is the quickest option to deal with the issue, but it also means paying for the password manager.

Migration is another option. Dashlane supports exporting all passwords to CSV files, which most password managers can import.

Password storage is a core feature of every password manager. Restricting the feature limits the password manager significantly. With the artificial limit in place, what is keeping Dashlane from introducing another restriction in the future that limits password storage even further or ends Dashlane Free altogether?

A short term boost to subscriptions

Bitwarden Password Manager

Dashlane will likely notice a short term boost to subscriptions. As users hit the new limit in November, part of the affected group will sign-up for a paid account, especially since a discount is offered.

Others will migrate to a different password manager. Plenty are also free and most do not limit password storage.

My recommendation is Bitwarden. It is open source, does not restrict passwords and is considered one of the best password managers out there. If you don’t need cloud syncing, you could also check out KeePass, another excellent password manager.

Dashlane sign-ups will slow down after the change lands. Users who look for a password manager may not pick the one that is limiting a core feature of a password manager. Less Free signups will also lead to less free to paid upgrades, as fewer users may choose that path. This will impact revenue.

Closing Words

Dashlane could have selected a different path. It could make old user accounts grandfathered accounts. This would have allowed existing free users to continue using the password service as well, at least in regards to passwords storage. This, on the other hand, would not have pushed sales as much, as only new users would be subject to the passwords limit.

It remains to be seen if Dashlane is going to reverse the limit eventually. This is not totally out of the question.

This uBlock Origin filter blocks IDN attacks in browsers

Posted on by Martin Brinkmann

IDN attacks are a common threat on today’s Internet. IDN stands for Internationalized Domain Name. It refers to domain names that contain one or multiple characters in “non-Latin script or alphabet, or in the Latin alphabet-based characters with diacritics or ligatures”.

This enables support for domain names in all languages. German-speaking organizations and users may for instance use the letter Ö in domain names.

One problem associated with this is that it is sometimes impossible for users to distinguish between different characters. The Latin letters e and a, for instance, look identical to the Cyrillic letters e and a. The strings ghacks and ghаcks are not identical, for example, even though they are not distinguishable from just looking at them.

IDN homograph attacks

IDN homograph attacks take advantage of this. Threat actors create domain names that look like a legitimate domain. Links are then pushed via online advertising, comments, chats, email or other forms of communication.

Ars Technica published a story just yesterday about an online ad on Google Search that impersonated the official KeePass website. A search for KeePass listed a sponsored result at the top. This sponsored result pointed to the same domain as the legitimate KeePass website, at least on visual inspection.

It is not uncommon for organizations to place ads for key search terms, even if their domain is the first organic result.

In this particular case, it turned out that the sponsored ad was malicious. It used an IDN to look like the official KeePass website. The fake site pushed a malware family known as FakeBat according to Ars Technica’s research.

Protection against IDN attacks

blocked IDN attacks example

Ars Technica writer Dan Goodin concluded that there is no 100% protection against IDN attacks. All major browsers load IDN URLs without issues.

Chromium-based browsers copy the punycode version of the domain, which offers a quick way to find out if it is an IDN.

Raymond Hill, creator of uBlock Origin, disagreed with Goodin’s conclusion as well. He published a single filter line for use in uBlock Origin, which blocks access to all IDN URLs by default. Users still have the option to proceed and to add an exception for the site, if it is legitimate.

Here is a step-by-step guide to add the filter to uBlock Origin:

  • Open the web browser.
  • Activate the uBlock Origin icon and select Settings.
  • Switch to the My Filters tab.
  • Paste the following string into an empy line: ||xn--$doc,frame
  • Select Apply changes.

That’s all there is to it. Any attempt to load an IDN in the browser is now met with uBlock Origin’s “blocked” window.

Don’t wait for Google to end third-party cookies

Posted on by Martin Brinkmann

Google plans to eliminate third-party cookies in its Chrome web browser. An updated schedule, published on Wednesday, confirms that testing begins in the first quarter of 2024.

A total of 1% of Chrome users will join the test, which disables third-party cookies in their browsers. Google plans to push the change to the entire Chrome population by the third quarter of 2024.

The main purpose of this type of cookies is tracking on today’s Internet. While it is up for debate whether the disabling will have a positive effect on tracking, it is clear that it does eliminate a widely used form of tracking.

Google, being an advertising company first and foremost, has already created a system that it believes is better for the privacy of Internet users. Called Privacy Sandbox, it integrates the tracking directly into the Chrome browser.

Chrome analyzes the browsing data and assigns the user to interests groups. Websites and web advertising companies may use the information to display targeted ads. There is also an option for websites to assign certain interests to users. The system runs in the local browser, which, Google believes, is reason enough to use the term privacy to describe it.

You can disable these ad systems in Chrome for desktop systems and on Android; check out the linked guides to find out how.

Disable third-party cookies in Chrome

Block third-party cookies in Google Chrome

Most Internet users have no benefit from keeping third-party cookies enabled in their browsers. Very few may use services that require third-party cookies for functionality. The vast majority of websites and services works fine without third-party cookies.

It is therefore a good idea to test disabling third-party cookies in the web browser. If you run into problems, you can still enable the feature again to resolve it, or create exceptions for these rare cases.

Here is how that is done in Chrome:

  1. Load this page in Chrome’s address bar: chrome://settings/cookies. It opens the Cookies and other site data preferences.
  2. Select “block third-party cookies” under general. Chrome displays information about this when the option is set.

It states:

Sites can use cookies to improve your browsing experience, for example, to keep you signed in or to remember items in your shopping cart

Sites can’t use your cookies to see your browsing activity across different sites, for example, to personalize ads. Features on some sites may not work.

This is all that is required to block the use of cookies for tracking across different sites. Note that the change does not affect first-party cookies, which remain supported. These serve an important purpose, as they are often used to keep user’s signed in among other things.

All major browsers support options to turn off cookies entirely or only third-party ones. Most Internet users may want to block these cookies or configure their browsers to delete them regularly to limit tracking. Firefox users may want to check out this cookie banners article, as it explains how to do so in the browser.

Closing Words

Google’s crusade against cookies is self-preserving. The company makes most of its money from advertising and a lot of that money relies on tracking. The euphemistically called Privacy Sandbox is a continuation of that, albeit under different conditions.

The main danger of Privacy Sandbox is not that it continues to track users using a different system, but that it is an advertising system that is now integrated into a web browser. Google controls this web browser and also the open source core Chromium. Several developers of Chromium-based browsers announced that they won’t go along with Google, which is good for users of these browsers.

Problem is, Chrome has a commanding usage share and that means that the majority of Internet users will be enrolled automatically into the new system.

Now You: how do you handle third-party cookies on your devices?

Firefox 120 will block cookie banners, but only in Germany

Posted on by Martin Brinkmann

Mozilla plans to enable cookie banner blocking in Firefox 120, but initially only in Germany. Other regions will follow at later point in time. Firefox users may, however, enable the blocking already.

Many websites display cookie consent banners to users. These banners give website visitors a choice regarding the use of cookies.

Cookies are data that websites may save on the local system. The sites may read the data in future visits. Cookies are useful, as they may keep the user signed-in or store preferences. Cookies are also used for tracking purposes.

The rise of cookie banners coincided with new regulatory laws in the European Union, California and some other regions. The main idea was to put users in control again in regards to cookies.

What was once thought of as a good idea turned into a huge annoyance for users. More or less all websites display cookie banners to users now, which often means that users have to interact with these banners frequently.

It is an annoyance, especially since there is no “don’t allow” default option that the browser sends automatically. Users who delete cookies regularly will get these banners in each browsing session.

Firefox 120: cookie banners be gone

Mozilla plans to introduce automation in Firefox 120 in Germany to block cookie banners and select “decline” whenever possible. The web browser will block cookie banners that include an option to refuse all but necessary cookies.

It should be clear that users will continue to see cookie banners. There is no standard for showing them to users and sites may use third-party scripts or custom scripts for the functionality.

Still, Firefox 120 will block common cookie banners, which should reduce the number of banners that users see while using the browser.

How to enable cookie banner blocking in Firefox

Firefox Cookie Banner blocking preferences

Mozilla plans to launch the feature in Germany only, but all Firefox users may configure the browser to block banners. I mentioned this back in 2022 on Ghacks.

  1. Load about:config in the Firefox address bar.
  2. Use the search field at the top to find cookiebanners.service.mode.
  3. Change the value of the preference to 1.
  4. Change the value of cookiebanners.service.mode.privateBrowsing to 1 as well. This enables the functionality in the private browsing mode.
  5. Restart Firefox.

The preference supports three values:

  • 0 — disables the feature. In other words, no cookie banners are blocked.
  • 1 — blocks all known cookie banners and does nothing otherwise.
  • 2 — blocks all known cookie banners and accepts any cookie banner otherwise.

Dealing with cookies

Tracking is severely limited if third-party cookies are blocked in the browser. Other options include deleting cookies and site data regularly.

Firefox ships with tracking protection functionality. While not as good as a true content blocker, such as uBlock Origin, it is better than nothing.

Blocking third-party cookies is a good idea to reduce tracking. Firefox makes this a bit complicated, as it does not offer a simple switch to turn off third-party cookies like Chromium-based browsers do.

  1. Load about:preferences#privacy in the browser’s address bar.
  2. Select the Custom option under Enhanced Tracking Protection.
  3. In the cookies menu, select “All cross-site cookies (may cause websites to break)”.

This blocks third-party cookies in the browser. Note that some, very few, sites may not work properly with this setting.

Closing Words

Several browsers deal with cookie banners automatically. Brave Browser has a cookie consent blocking feature and so does Vivaldi Browser.

Mozilla is a bit late to the party, but better late than never, especially if the feature improves usability. Firefox 120 will be released on November 21, 2023.

Now You: how do you deal with cookie banners? (via Sören Hentzschel)

Why you should make use of Virtual LAN (Guest Wi-Fi)

Posted on by Martin Brinkmann

Guest Wi-Fi, or more precisely virtual LAN, is a feature of many Internet routers. It adds another wireless networking option, which is fully separated from the main local network.

The term Guest Wi-Fi refers to one of its primary purposes: to allow guests to connect their devices to the Internet using a wireless connection. There is more to virtual LAN than that, however.

Many modern devices ask for Internet connectivity. Some work perfectly well without, but others require this connectivity to be of any use. Basic examples of devices that fall into the latter category include Amazon Fire TV and Alexa, most Google Home devices and most virtual assistant services.

Many devices support Internet connectivity; these can be printers, scanners or web cameras, but also a growing assortment of, often, perplexing devices that include toaster ovens, toothbrushes or refrigerators.

All of these devices are on the same local network by default, which is bad.

A story of a Printer, Amazon and Printer Ink emails

A user posted an interesting story on Hacker News the other day. They revealed that they have been receiving emails from Amazon about printer ink reorders frequently. Amazon knew about the printer and ink consumption, but the user did not know how.

The user had an Amazon Echo device connected to the local network. It turned out that Amazon’s device was picking up information that the printer provided to any device of the local network. In other words, Amazon knew when and what the user printed. It used the information to estimate printer ink use to send printer ink offers to the user.

Guest Wi-Fi may prevent this

Guest Wi-Fi connection on Android

The use of a virtual LAN might prevent this data leakage from happening. You would have to enable the guest Wi-Fi option in the router and connect one of the two devices to it.

Not all routers support virtual LAN functionality and some only with limited functionality. You may open the router’s dashboard on the local network to check if you find Guest Wi-Fi or a similarly named feature there.

The only step left is to connect the devices that you want to isolate to the new wireless network, effectively cutting it off from the local one.

These devices retain Internet connectivity, but they can’t communicate with devices that are not connected to the Guest Wi-fi anymore.

There may be other solutions, depending on setup. Some devices can be connected using cables. If you don’t require Internet connectivity for a device, say a printer, you could connect it using cables only. This would remove an attack vector as well.

The advantages and disadvantages of Guest Wi-Fi

Virtual networks offer several advantages over connecting all devices to a single network:

  • Connected devices are isolated from the rest of the network, which means that they are blocked from interacting with the home network. This offers several advantages:
    • The devices can’t collect personal data anymore from the main network.
    • Attacks that exploit issues in Guest Wi-Fi devices can’t penetrate the local network anymore.
  • Another key point is that you don’t need to share the main wireless LAN password with guests.
  • Last but not least, you may turn off wireless access for these devices at any time.

Even though Guest Wi-fi offers advantages, it is equally important to understand certain disadvantages.

  • Most routers support just a single virtual network. If you connect multiple devices to it, these devices may share information. Ideally, you’d put all IoT devices on a separate VLAN.
  • Some devices may require access to local data or other devices. If you want to cast from your PC to your TV, you need them on the same network. Others may flat out refuse to work without home network connection.
  • The configuration options of virtual networks may be limited.

Closing Words

It is a good idea to enable Guest Wi-Fi, if supported by the router. Some IoT device connections may be switched to improve security and privacy. While it may not be possible to migrate every device, it may also be a good idea to assess the status quo of all devices with Internet connectivity. Do all of these require an active Internet connection?

Now You: do you use Guest Wi-Fi on your network?

Stream-jacking Attacks are on the rise

Posted on by Martin Brinkmann

Stream-jacking attacks have gained some traction this year. These attacks hijack streaming accounts on popular sites to impersonate known brands and push crypto-scams.

BitDefender published an analysis of one of the larger attacks on its blog this week. The security company discovered a large operation that hijacked more than 1100 streaming video channels.

The hijacked channels had a median view count of more than 200000 views and a median subscriber count of more than 2200. The largest hijacked channel had a subscriber count of 9.9 million. The three largest hijacked channels view counts of more than 1 billion.

The attacker changed several of the channel names and handles to mimic official Tesla channels. Livestreams with officially sounding titles were streamed then to subscribers and others using old Tesla footage. The attacker displayed links to users to promote scams.

BitDefender writes:

Links propagated via hijacked YouTube channels promote a similar and well-known scam. The ruse involves sending any amount of cryptocurrency (Bitcoin, Ethereum, USDT, Dogecoin, BNB, Shiba Inu, etc.) and promises to send double the amount back to the scammed person. In rare cases, phishing links are written directly in the video.

BitDefender did not find any “old” videos of the channel, and the company suggests that these were either set to private ore deleted entirely by the attacker.

How the attack starts

Most attacks start with targeted phishing emails. The attacker creates well crafted emails, that often look like business opportunities. It could include information about a sponsorship deal or other form of collaboration.

Another popular email type informs the channel owner about copyright notices, which are fake.

The attackers try to use emails and email addresses that look legitimate to the untrained eye. It mimics “communications from trusted third-party vendors” or uses “email addresses that don’t raise immediate suspicion”, says BitDefender.

The goal of the attacker is to get the recipient of the email to download and execute a malicious file. Since security software may stop these before they are downloaded by the user, it is often inflated in size to prevent the scanning.

The software scans the system for valuable information, including cookies and session tokens. These may allow the attacker to take over the channel without knowing the account password.

How to protect yourself against Stream-jacking attacks

Stream-jacking attacks start like any other phishing attack. It is therefor essential to be able to identify phishing attacks.

Here are the essentials:

  • Emails that use non-personal greetings, e.g., without a name.
  • Emails that include attachments, especially if the file format looks dubious, e.g., .exe or .scv.
  • If the email address imitates that of a legitimate company, but not fully. Examples include using a different country extension or a slightly wrong spelling of the company name in the email address.

Other factors include spelling or grammar mistakes, prompts to take urgent action or offers that sound too good to be true.

One of the best protections is to avoid interacting with the email directly. Never open attachments if the sender is not trusted or you aren’t expecting an email with an attachment.

A good starting point is to do some research using a search engine. Try to find out if a company is legitimate or if others have worked with it in the past already.

Sometimes, all it may take is to sign-in to the account to check if an official notification is available. At other times, contacting a support representative of the streaming service may also help in the matter.