Category: Security & Privacy

Google removes Kaspersky antivirus from Google Play

Posted on by Martin Brinkmann

Things are heating up for the Russia-based cybersecurity company Kaspersky. After the company’s antivirus desktop version was hit by a ban in the United States, it is facing a second major drawback.

The details:

  • Google removed Kaspersky’s antivirus app from Google Play worldwide.
  • Google confirmed the removal.
  • Kaspersky apps remain available on the Apple App Store, third-party Android stores, and direct downloads.

Related content

Google services dominated web tracking last year

Google confirmed the removal of Kaspersky apps from Google Play in a statement to Bleeping Computer:

The U.S. Department of Commerce’s Bureau of Industry and Security recently announced a variety of restrictions on Kaspersky. As a result, we have removed Kaspersky’s apps from Google Play.

A search for Kaspersky or any Kaspersky app comes up empty on Google Play. Other antivirus apps are highlighted instead.

Kaspersky says that users may download their apps from third-party sources or from Kaspersky directly.

Kaspersky representatives say that the company is investigating the removal of its apps from the Play Store. It seems unlikely that the apps will be reinstated any time soon.

The removal is another heavy blow for the cybersecurity company. While alternatives remain available, the bulk of Android users rely on the Play Store for all-things app related.

Closing Words

Whether you truly need an antivirus solution for Android is up for debate. A good trusted VPN on the other hand is a recommended addition, if you happen to connect your device to public or third-party wireless networks at times.

What is your take on all of this? Do yo use extra security apps on Android or iOS? If so, which do you use and for what purpose? Feel free to leave a comment down below.

Cookies

Google services dominated web tracking last year

Posted on by Martin Brinkmann

When it comes to user tracking on the Internet, Google continues to have a firm hold on the top positions. Kaspersky released its annual web tracking report for the past year.

The data comes from a Do Not Track plugin that Kaspersky uses in its software products. It is designed to prevent different forms of tracking, but is disabled by default.

The key findings:

  • Google dominates tracking on the Internet.
  • Other companies that track users are Microsoft, Amazon, and Yahoo.

Note: The data comes from products from a single company. It may not reflect the monitoring landscape as accurately as possible because of that.

Google’s dominance becomes clear when you look at regional tracking. Here in Europe, Google Display & Video 360, and Google Analytics are the dominating trackers with an exposure of 17.27% and 11.93%. Third-placed Amazon sits at 9.13% and fourth placed Criteo at 6.80.

Then it is Google again with YouTube Analytics (5.65%), Microsoft with Bing (5.33%) and Google again with Adsense (5.23%).

In North America, it is again Google Display & Video 360 (16.84%) that dominates. Amazon is second this time (9.08%), but then it is Google again with Analytics (8.42%). Google is also placed fifth and sixth in North America.

The situation is similar in other regions. In Latin America, Google holds the first three spots and the fifth. In the Middle East, Google holds the first four spots. In Africa, it is the top three and the sixth.

It is interesting to note that some Google services lost eyes on users compared to the year before in many regions. Growth was limited to East Asia and Commonwealth of independent states. Google’s monitoring declined in all other regions, but it still dominates by a large margin.

Google Adsense and YouTube Analytics are the two exceptions. They managed to increase significantly in nearly every region.

You can check out the entire report on the Secure List website.

How do you protect yourself from tracking? Do you run content blockers? Other options? Feel free to leave a comment down below.

Defender Teaser

ConfigureDefender: open source tool to manage Microsoft Defender settings

Posted on by Martin Brinkmann

Microsoft Defender is the default security solutions on all modern versions of Windows. Users have to become active to replace it with another security solution. It is probably a safe bet that Defender is the tool on most Windows 10 and 11 systems.

It is different from tools like SuperMSConfig, which provide broader tweaking options.

The operating system offers several options to configure Microsoft Defender. The most common for home users is to use Windows Security. It divides settings on multiple pages and subpages, and may leave out some settings depending on certain factors.

ConfigureDefender is a long-standing open source tool to improve this. Just launch the small app after you have downloaded it from its GitHub repository to get started.

The app displays all settings on a single page.

You have two main options now:

  • Change individual settings directly.
  • Use a preset to change the status of multiple settings at once.

Presets offer a quick way to change settings, but it is rather difficult to understand what each setting does. Max, for example, looks like it would set everything to the highest values, but you still do not know what that actually means.

ConfigureDefender supports four presets: default, high, interactive and max. Default is handy, as it resets all settings to their default values.

A click on the info-button opens a readme with the information. There you find information about each preset. It will take some time to go through the listing though.

The second option gives you full control over the settings. Some users may have difficulties understanding what some of the settings do. While experienced users may understand that PUA Protection refers to “potentially unwanted applications”, inexperienced users may not.

It may be necessary to search for specific terms on the Internet to find out what they do.

The program supports a large number of settings. These are divided into basic, admin and exploit guard settings. Each preference is modified through a simple menu. Click on the menu and ConfigureDefender displays the available options. Pick one and hit the refresh button. The program reminds you that a restart of the Windows PC is required to apply the change.

Closing Words

ConfigureDefender speeds up the configuration of Microsoft Defender on non-managed systems. It is easy to use, especially for users who know what each of the settings do. New users may need to spend time in the beginning researching some of the preferences to understand what they do.

All in all, it is a useful helper app for Windows users.

Which security solution(s) do you use? Is Microsoft Defender one of them? Feel free to write a comment about this.

Bitdefender launches security product promising 24/7 YouTube account protection

Posted on by Martin Brinkmann

Bitdefender Security For Creators is a new security product that the company says helps creators focus on content creation and growing their communities instead of the management of security tasks.

So, what do you get when you sign-up for the product?

  • YouTube channel and account monitoring, alerts for “alerts for mass deletion of videos, alterations to account name, profile picture changes, descriptions and more”.
  • Phishing protection that flags “phishing and scam emails” automatically.
  • Hacking prevention that protects logins and sensitive data against “infostealers, online threats, and hidden malware designed to steal your information”.
  • Account recovery assistance that provides users with step-by-step guides to recover account access or data.

Some of these features are unique. This includes the YouTube channel and account monitoring feature. Others, not so much. Most antivirus solutions offer phishing protections. Unless BitDefender has found a unique way to handle those, you best bet is to stay alert regardless of that. Some phishing emails will bypass protections.

The price is quite hefty for the product. Bitdefender Security for Creators is available for $15 per month or $180 yearly, and that is already 50% off the regular price.

While that may not be much for content creators who have millions of followers, it is a sizeable sum, especially when compared to regular security services and products.

Also, YouTube is the only service that it monitors right now. That leaves plenty of other services, Twitch, Instagram, Facebook, TikTok, and others. Whether these will be added in a future update is unclear. Bitdefender confirms that it is working on adding other platforms soon. It mentions Instagram and TikTok specifically.

There is a 30-day money back guarantee and also versions for teams of up to three or five. These cost $18 or $21 respectively.

Closing words

Bitdefender Security For Creators is a product for content creators who want to protect their accounts. The monitoring is the key feature that separates it from regular antivirus solutions.

This is limited to receiving alerts, however. When someone mass deletes your videos, you should know. But you receive the alert once the software detects the mass deletion. This also means that someone got access to the account.

I can see this becoming popular with a specific breed of creators, especially once new services do get added to the monitoring and alerting functionality.

What is your take on this? Would you say this is a product designed for a specific audience that could do well, because of that? Feel free to leave a comment down below.

VeraCrypt interface

VeraCrypt: first update of the year improves security and fixes bugs

Posted on by Martin Brinkmann

The developers of the open source encryption software VeraCrypt have released VeraCrypt 1.26.14 for all supported platforms. The new version adds a notification if volumes are affected by the XTS master key vulnerability.

The issue was fixed last year in VeraCrypt 1.26.7, but only for newly created volumes. While unlikely even then, the newly added notification ensures that users are informed if one of their encrypted volumes are still affected by the vulnerability.

Installation or upgrade

The new release installs over existing installations. This should not be problematic for most users. A system restore point is created by default during the installation. Note that a restart is required to complete the process. You cannot mount volumes until the final restart.

VeraCrypt 1.26.24 does not mount TrueCrypt volumes anymore. This was the case for last year’s release as well, but is still noteworthy.

If you still have an old TrueCrypt volume, e.g., on a removable drive you have not touched for years, you may want to use an earlier version of VeraCrypt to decrypt the encrypted volume before you encrypt it again using the software.

Note that you may download older VeraCrypt versions from the official project website. VeraCrypt 1.25.9 was the last to support TrueCrypt volumes.

An overview of the changes of VeraCrypt 1.26.14

The update is a bug fix release for the most part. It does come with updated translations and documentation as well as some compatibility improvements on non-Windows systems.

Here is a short list of the most important changes and fixes:

  • Windows: VeraCrypt Expander: Fix expansion of volumes on disks with a sector size different from 512.
  • Linux: Enhance ASLR security of generic installer binaries by adding linked flag for old GCC version.
  • macOS: Fix near zero width PIM input box and simplify wxTextValidator logic.
  • FreeBSD: Support automatic detection and mounting of ext2/3/4, exFAT, NTFS filesystems.

You can check out the full changelog here. As you can see, it is mostly maintenance related changes and a fix bug fixes.

Closing Words

Still, it is a good idea to upgrade to the new version because of these fixes and the notification if one of the volumes has a vulnerable XTS master key.

Now You: do you use encryption software? Maybe even VeraCrypt? Or do you swear on a different software? Feel free to leave a comment down below!

Firefox

Mozilla removes Adjust marketing integration from Firefox Mobile

Posted on by Martin Brinkmann

Mozilla has used Adjust in Firefox for mobile products for years for a very specific purpose: to determine if the installation of the mobile browser originated from an advertising campaign.

In other words, Adjust helped Mozilla track conversions of its advertising campaigns. It also send anonymous usage summaries occasionally, according to Mozilla.

Starting in Firefox 129.0.2 for Android and iOS, Adjust appears no longer integrated in the Firefox browser.

When you check Settings > Data Collection after upgrading to the latest version, you will notice that the Adjust option is no longer listed.

Firefox Mobile Adjust Marketing
Left side: Firefox with Adjust. Right side: Latest Firefox without Adjust

The Marketing data option is no longer available. It allowed Firefox users to enable or disable the sharing of usage data with Mozilla.

Mozilla did not mention the removal in the official release notes. It is therefore unclear why it has been removed, if you just look at the changelog.

Bugzilla listings confirm that this has not been done in error. Bug 1913363, for example, confirms the removal of the “metric service” and the toggle in Firefox. (via Sören Hentzschel)

Closing words

The removal addresses a major issue that some users have with Firefox: that the browser’s defaults are not ideal for a browser that strives to protect the privacy of users.

With Adjust gone, there is one less thing to worry about in this regard.

Which browser do you use on your mobile devices? Why do you use that browser and not another? Feel free to leave a comment down below.

Advertising

Oh look, Google ads are again used to scam Google Search users

Posted on by Martin Brinkmann

Threat actors have launched another malvertising campaign on Google Search. While that is not really anything to write about anymore in this day and age, this time is special.

Not only did the threat actors manage to plant scam ads on Google, they did furthermore impersonate Google’s entire product line and used Google domains for the scams. If that is not something to write about.

The story comes from Malwarebytes. Security researchers at Malwarebytes discovered the campaign.

Here are the details:

  • The campaign was run on Google Search.
  • The threat actor used Google’s Looker Studio service to show the google.com domain as the address.
  • The ads targeted Google {product}, e.g., Google Translate or Google Flights.

Even after Malwarebytes reported the ads to Google, ads that impersonated official Google products continued to show up on Google Search.

Locker Studio is a service by Google that creates “interactive dashboards and beautiful reports” from data.

The scammers used the service to display a copy of the Google Search homepage. The homepage is just an image with a hidden link. When the victim clicks on the image, the link is triggered.

The user is then redirected to fake Microsoft or Apple alert pages. These go into full screen mode and play a recording according to Malwarebytes. The alerts suggest that something is not right.

They display a number to call for support and also a form to type the Microsoft account name and password.

Calls land in overseas call centers that try to scam the callers into purchasing gift cards or logging into their bank accounts to pay for the support.

The URL used in this case is on a Microsoft Azure domain, which is designed to instill further trust.

Closing Words

There is not much to like about ads nowadays. They slow down web browsing, use additional bandwidth, collect data about users, and may be distracting. If that is not enough, they may also push ads, as seen over and over again.

The only thing that is positive about ads is, in my opinion, that they allow certain services or publications to exist. There are not viable alternatives. While subscriptions are picking up, this won’t work for everyone as users seem to be fed up already with the ever increasing list of services that is asking for a monthly or yearly payments.

More safeguards need to be in place to prevent blatant abuses like the one discovered by Malwarebytes.

What is your take on this? Feel free to leave a comment down below.

Encryption

Windows 11: Device Encryption will be enabled automatically in these cases

Posted on by Martin Brinkmann

The next feature update for Windows 11 enables automatic device encryption for users of the operating system. This happens automatically in the background and for most users, but there are exceptions.

What is Device Encryption and how does it differ from BitLocker Drive Encryption?

Device Encryption is based on BitLocker, Microsoft’s encryption technology. It is an automatic system that will encrypt the Windows partition and other fixed drives.

In other words: most drives that are internal will be encrypted by Device Encryption.

Encryption protects data on the drives to prevent unauthorized access.

BitLocker Drive Encryption on the other hand is only available for Pro, Enterprise, and Education editions of Windows. It gives administrators control over the technology and needs to be enabled manually.

The change in Windows 11 24H2

Starting with the release of Windows 11, version 24H2, Windows 11 will encrypt drives automatically using Device Encryption in the following cases:

  • During first sign-in with a Microsoft account, or work or school account.
  • During first set up of the device, if a Microsoft account is used.

Windows 11 will start the encrypting of the drives immediately in the background.

Windows users who create a local account during set up won’t have their drives encrypted. Microsoft notes here that it is possible to do that manually though.

Note: Microsoft is making it harder and harder to set up Windows without a Microsoft account. It is still possible, but most users are probably unaware of this.

Enabling or disabling Device Encryption manually

Device Encryption setting in Windows 11
Device Encryption setting in Windows 11

You need to sign-in with an administrator account to manage Device Encryption. Also, it is possible that the feature is not supported on the device.

Here is how to find out and manage it:

  1. Select Start and then Settings to open the Settings app.
  2. Go to Privacy & security > Device Encryption.

If you do not see Device Encryption on the page, it is either unavailable on the device or you are signed-in with a standard user account.

Device Encryption offers a simple toggle to turn the feature on or off.

How to find out why Device Encryption is now available

Here is a step-by-step guide on finding out why Device Encryption is not supported.

  1. Open the Start menu.
  2. Type System Information.
  3. Select Run as adminstrator.
  4. Scroll down to Automatic Device Encryption Support or Device Encryption support.
  5. Hover over the entry to see the reason why it is not supported.

What is your take on Device Encryption? Do you use BitLocker encryption on your devices? Let us know in the comments below.

Malware

Three year old Malvertising Campaign is still going strong

Posted on by Martin Brinkmann

One of the most important skills of any Internet user is the ability to distinguish between advertising and organic links. A core reason for that is that advertising is regularly abused for malvertising campaigns.

Malvertising refers to ads that in one way or another attack the user or the user’s device. A simple example is a download ad that pushes a malicious file onto the user’s system.

Security researchers at ReasonLabs have discovered a malvertising campaign that has been around for at least three years.

The details:

  • Polymorphic campaign that installs Chrome and Edge extensions on endpoints.
  • Uses multiple attacks, including search hijacking, stealing private data, or executing commands on the user’s device.
  • At least 300,000 users fell victim to the campaign until now.

How the attack works

The attackers use advertising to push malicious downloads. They use fake download sites for legitimate applications such as YouTube, VLC, or Roblox FPS Unblocker.

Users who fall for this, you guessed it, download a malicious payload to their systems. Here is what happens next:

  1. The executable creates a scheduled task, which is designed to run a PowerShell script.
  2. The PowerShell script downloads a payload from a remote server and runs it on the user’s machine.
  3. It then begins to make changes to the user’s system:
    • Adds policies to enforce the installation of Chrome and Edge installations from the Store (which are malicious).
    • Some versions of the script uninstall browser updates.
    • Tampers with browser .lnk file to load another extension for communication with a control server and stealing search queries.
    • Communicate with command center for status reports and the next stage of execution.

The script blocks uninstallation of the installed extensions, even when Developer Mode of the browser is set to on. Users will also see the “your browser is managed by your organization” message.

The blog post offers a deep dive, which interested or affected users may check out. There is also a section on removing the malware from infected hosts.

This involves:

  • Removing the scheduled tasks.
  • Removing the planted Registry keys.
  • Deleting the malicious files.

Closing Words

The security researchers note that many of the used domains, extensions, and scripts are not detected as malicious at the time of writing. Google and Microsoft were notified according to the blog post.

Which brings us right back to the beginning. Ads are not easily distinguishable from organic results in many cases. Google, for instance, displays a simple “sponsored” text above ads. They look exactly like organic results in any other way.

While experienced users may not have any problems differentiating between the two, less tech-savvy users fall for these.

So, if you want to improve security, you better take a good look at links before you click. If you want to be safer, do not click on ads 🙂

0.0.0.0 Day: decade-old vulnerability affects all browsers

Posted on by Martin Brinkmann

Security researchers have disclosed a vulnerability that affects all modern browsers. What makes it particularly worrisome is that it has been known for 18 years; that goes back to a time before Google even thought of creating Chrome.

The details:

  • The researchers call the issue 0.0.0.0 Day.
  • It allows malicious websites to interact with services that run on the local network.
  • This could lead to unauthorized access or remote code execution attacks on local services from outside the local network.

In other words: the security issue allows the circumvention of security protections by malicious websites. Chromium’s Private Network protection does not protect against this, neither does Firefox. Apple’s Safari browser was also vulnerable, but the company has released a patch that blocks access to 0.0.0.0.

The blog post provides a technical description of the vulnerability. It also explains why it took this long to react on it.

The researchers found a Mozilla bug listing that dates back 18 years. It shows that the developers were not sure whether the reported bug was a security issue, a bug, or no flaw at all.

How Google, Mozilla, and Apple plan to react

Researchers at Oligo disclosed the vulnerability to security teams of major browsers in April 2024.

  • Google: plans to block access starting in Chrome 128 and finalize the rollout by Chrome 133. Other Chromium-based browsers will get this as well.
  • Apple: has implemented a change that blocks destination host IP addresses, if the IP is all zeroes.
  • Mozilla: fix is in progress. Firefox is special, as it never restricted Private Network Access in first place. Will implement Private Network Access, but no ETA on this one.

The fixes are important, but so is standardization of the issue. HTTP requests to 0.0.0.0 should be added to security standards according to the security researchers.

Closing Words

The security researchers note that use of 0.0.0.0 on the Web is on the rise. They use counters provided by Chromium for this. According to those, it is used by 0.015% of all websites. While that may not sound like much, it equates to roughly 100,000 public websites that may communicate with 0.0.0.0.

Malicious actors may exploit the issue in their attacks. Oligo points out that ShadowRay, a recent attack that targets AI workloads, could be executed from browsers using 0.0.0.0 as the attack vector.

It is unclear if browser extensions such as Port Authority for Firefox provide protection against this kind of attack.

What is your take on this new vulnerability? Seems that there is always something new, or shall I say old, that is affecting the security of browsers. (via Born)