Category: Security & Privacy

Chrome

Keep on blocking in a free world: how to switch from Chrome to Firefox

Posted on by Martin Brinkmann

Google Chrome users who have extensions installed may soon have some or even all of their installed extensions disabled by Google.

While all browser extensions may be impacted, it is ad blockers and privacy extensions that are impacted the most.

One example: uBlock Origin, arguably the most loved and powerful content blocker available for browsers, will not be offered anymore for Chrome and all other Chromium-based browsers.

This means that you cannot install the browser extension anymore in Chrome, Microsoft Edge, Vivaldi, Opera, and myriads others.

One exemption: Brave Software revealed recently that it plans to continue support for uBlock Origin. This would be the one exemption at the time of writing.

The developer of uBlock Origin has created a lite-version of the extension. Called uBlock Origin Lite, it remains available for Chrome. Its functionality is reduced, however.

Furthermore, users of Chrome who use uBlock Origin need to download and install uBlock Origin Lite manually. A click on the “find alternative” button in Chrome

How to find out if you are impacted by the change

Chrome Extensions Support
Google Chrome highlights extensions that will soon no longer be compatible with the browser

Do the following to find out if extensions that you have installed in Chrome are impacted:

  • Load chrome://extensions/ in the browser’s address bar. You may also open the page manually by going to Menu > Extensions > Manage Extensions.
  • If you see “These extensions may soon no longer be supported” at the top, you are affected by the change.

Tip: you can check out a detailed guide about this here.

Google lists all incompatible extensions. Each features a “find alternative” button, which opens a special page on the Chrome Web Store that highlights extensions that continue to remain compatible with Chrome in the future.

For uBlock Origin, Google suggests the following options:

  • uBlock Origin Lite
  • Adblock Plus
  • Stands Adblocker
  • Ghostery Tracker & Adblocker

While all block ads, none offers the functionality of uBlock Origin.

What you can do about it

You have just a few options at this point:

  1. Keep on using Chrome until Google disables the extensions. You may then extend support for about a year using Enterprise policies.
  2. Keep on using Chrome and use a different browser extension that works for you, hoping that Google does not introduce any other changes in the future that may impact it.
  3. Switch to Brave Browser. This is a valid option only if you want to keep on using uBlock Origin, AdGuard, uMatrix, or NoScript.
  4. Switch to Firefox or a Firefox-based browser. The extensions, including uBlock Origin, remain available and maintained for Firefox.

The first option is valid for all Chromium-based browsers, but it is temporary only. Google will remove the Enterprise policy next year, and that marks the end of support in Chrome.

As you see, you have a few options only. While you could keep on using a Chromium-based browser, Brave Browser, it is unclear for how long Brave will support the four special extensions.

Admittedly, it is also unclear for how long Mozilla will support the old extensions system. If it sees an uptick in users, as some Chrome users may migrate to Firefox because of the changes Google implements, it could very well be for a long time.

Are you affected by the change? Do you have any extensions that you rely on that would make you switch browsers, if your current favorite would not support them anymore? Feel free to leave a comment down below.

Windows 11: Microsoft bundling controls for recommendations and offers

Posted on by Martin Brinkmann

One of the main points of criticism in regards to the ever increasing number of recommendations and offers in Microsoft’s Windows 11 operating system is that they cannot be managed from a central location.

If you want to turn them all off elegantly, you either have to go through various sections, or use a third-party application like WinAero Tweaker, or O&O’s ShutUp10++, or one of the many other tools that help users do that.

Recommendations & offers in Windows 11 Settings

Windows 11 Recommendations & Offers Setting
New group of Settings to control ads and promotions in Windows 11. Image source: Phantom of Earth

Microsoft is working on introducing a central location for recommendations and offers. While it is doubtful that this will cover all promotions that Microsoft throws at users nowadays, it at least merges related settings from various locations into a single group in the Settings app.

Discovered by Phantom of Earth and published on X, Recommendations & offers provides the following options at the time of writing:

  • Personalized offers — Get personalized tips, ads, and recommendations based on Windows activity.
  • Allow websites to access my language list.
  • Improve Start and search results — By tracking which apps get opened.
  • Show notifications in Settings.
  • Recommendations and offers in Settings — Allow Windows to show product recommendations and offers in Settings.
  • Advertising ID.

The new group is found under Settings > Privacy & Security. You do need to run the latest Beta of Windows 11 and may need to enable it by running the command .\vivetool /enable /id:49666228,48433719 from an elevated PowerShell prompt.

Closing Words

Clearly, this new group of Settings is still inferior to what tweaking apps offer. It may still expose more of these settings to users who do not use the tweakers or configure their systems using Registry tweaks or policies.

What is your take on this new group of settings? Move in the right direction? Feel free to leave a comment down below.

7-Eleven

Adding the number 7 to your password might make it stronger

Posted on by Martin Brinkmann

Most computer users should know by now that unique and stronger passwords are better. But what exactly means stronger? Most say that adding a mix of characters, including upper- and lower-case letters, numbers, and special characters will do the trick. Combine that with a decent length, say 16 or more characters, and your password should be hard to crack.

ProxyScrape, a service for scraping websites using proxies, says that using the number 7 in your password makes it stronger than any other number that you may pick.

Here is why: while many pick 7 as their preferred one-digit number, most computer users pick other numbers when they set passwords.

This is not a problem for users who use password generators, but those who pick passwords manually tend to prefer 0, 1, and 2 over other numbers.

Password Generator of KeePass
Password generation in the KeePass password manager

It happens that 7 is the last choice when it comes to numbers, according to ProxyScrape CEP Thibeau Maerevoet (via Betanews).

So, if you pick 7, or if your password generator picks it for you, then you throw a wrench into the tires of the brute forcing machine.

This is especially true for dictionary attacks. These use preset words and sometimes words with characters added to them. It is, for instance, common, to test words, and then the same array of words but with the character 1 added to them.

Similarly, dictionary attacks may replace the character I with 1, or E with 3.

Tip: find out if yo should save passwords in browsers.

This does not really affect users who use very strong auto-generated passwords. It does not really matter if a 20 character password that is randomly generated has a 7 in it or not. But passwords that users pick, like dallascowboys1, may have a better chance at surviving the first wave of attacks when you replace that 1 with a 7. Even better, put the 7 somewhere in the middle, say dall7ascowboys.

What is your take on the observation? Will you start adding 7s to your passwords in the future?

Advertising

How to disable Firefox’s built-in ad-tracking feature

Posted on by Martin Brinkmann

With the release of Firefox 128 came the integration of a new experimental feature that Mozilla calls Privacy-Preserving Attribution.

The feature is turned on by default, which means that users of the browser need to become active, if they want to disable it.

Mozilla published a support webpage that explains that Privacy-Preserving Attribution is.

Here is the main quote:

Mozilla is prototyping this feature in order to inform an emerging Web standard designed to help sites understand how their ads perform without collecting data about individual people. By offering sites a non-invasive alternative to cross-site tracking, we hope to achieve a significant reduction in this harmful practice across the web.

In other words: sites and advertisers may use the built-in feature for tracking.

Like Google Chrome’s Ad Privacy feature, it is using the term privacy loosely, some would say disingenuously.

Both systems change how users are tracked and call it an improvement to privacy. In the end, it still means that users are tracked. The fundamental difference is that users are no longer tracked on an individual level.

Mozilla says that its new system can only be used by a small number of sites in Firefox 128. The organization does not mention these sites.

How to disable Ad-Tracking in Firefox

Firefox Website Advertising Preferences

For privacy, disabling these features is better than keeping them enabled or enabling them.

Here is how you do that in Firefox:

  1. Select the Firefox Menu and then Settings when the menu opens.
  2. Switch to Privacy & Security on the main Settings page.
  3. Scroll down until you come to Website Advertising Preferences.
  4. Uncheck the box “Allow websites to perform privacy-preserving ad measurement”.

That is all there is to it.

Pro tip: The user preference dom.private-attribution.submission.enabled determines whether this feature is turned on or off. Set it to false to disable it.

Closing Words

It is not without irony that Mozilla’s implementation in Firefox is in fact worse from a user’s point of view than Google’s. Google is prompting users, using euphemistic words, about the ad tracking feature. Mozilla has just enabled the feature without prompting users about it.

Mozilla has recently bought an ad-tech startup called Anonym, which it says is working on privacy-preserving ad technology.

Are you a Firefox user? What is your take on this? Feel free to leave a comment down below!

Security

Should you save passwords in a browser?

Posted on by Martin Brinkmann

All modern web browsers include password management functionality. It makes sense on first glance to integrate the functionality; most users sign-in to services on the Internet regularly.

One of the main advantages of password managers in browsers is convenience. The browser recognizes new logins and prompts users to save the information. Similarly, it proposes to sign-in using saved data whenever a website is found in the password manager’s database.

It is handy and that is the reason why it is widely used.

Disadvantages exist as well:

  • Functionality is limited to a specific browser – Synchronization support may extend the reach, but it is still a limiting factor.
  • Automatic login functionality is limited to a browser – It cannot be used to sign-in to apps and other services that are not opened in the browser.
  • Protective features are limited — Usually to the device password or Pin.

Limited functionality

When you save a password in a browser, it is stored by it in a database on the local device.

If synchronization is enabled, the database will be synced across all devices on which the browser is installed and synchronization is enabled.

Still, it is limited to that browser. If you use multiple browsers, then you won’t be able to use the functionality there as well, unless you use import features.

The saving of passwords and automatic logins are also limited to the browser. If you need to log in to an application on the device, then you need to do so manually by copying the username and password from the browser’s password manager.

Security is limited

Security and protective features are another. Depending on the password manager, passwords may not be saved with a password. Some browsers support setting a primary password to protect the password database, but in many cases, it is not enabled by default.

Anyone with access to the PC may get access to the stored passwords of browsers. While that requires the account password for the PC in question, it may open up a can of worms in some cases.

The browser may prompt for a password or a pin when the password manager is opened and entries are inspected there. However, there is no such protection when visiting saved websites. Browsers like Chrome will fill out the passwords on the sites and sign-in users automatically.

It is even possible to show passwords in plain text by manipulating the HTML code of the website. This is not a problem if the account password is strong and you never leave the PC unattended.

Synchronization is convenient, but it moves the password database into the cloud. It is encrypted, but it adds another attack vector that would not exist if the database would be stored locally only.

How dedicated password managers compare

Here are the main differences:

  • A password is required to create a new password database — This means that it is protected by the device password and also the password the user selects during creation.
  • Additional protective features are available — This may include two-factor authentication for extra protection, customizing security features, such as the number of iterations.
  • Password managers run system-wide — You can use them to sign into apps or other services on the device, independent of any browser or program.
  • Self-hosting may be supported — Instead of relying on a server by a company, you can self-host the cloud space.
  • Open source and audits — Many browsers are not open source. Good password managers are audited regularly.

Some of the features depend on the password manager. My recommendation goes to Bitwarden and KeePass. There are numerous others that you can try.

Granted, password managers are not perfect. They cannot help you if you need to sign-in to a service on your Smart TV, but neither can browser password managers.

Closing Words

Using a password manager is highly recommended. If you use a browser password manager, make sure you configure extra security features, if needed. This may include setting up a primary password, enabling operating system protections, or using a strong device password or pin.

Standalone password managers offer more functionality. Good ones offer better security right away, more customization options, and a lot more that browser password managers do not support.

To answer the question of this article: a dedicated password manager is better in many regards, but it is still better using a browser password manager than none at all.

What about you? Do you use a password manager? If so, what is the program that you use currently and why?

Nord Security launches File Checker online tool

Posted on by Martin Brinkmann

Nord Security, maker of the popular VPN service NordVPN, has published a new online tool. File Checker is a free online security tool to check files for malware.

Online virus scanners are useful to check a small number of files for viruses and other unwanted code. Google-owned Virustotal is probably the uncrowned king of these types of tools.

Here is what you need to know about the new File Checker tool:

  • It is free to use on the NordVPN website; an account is not required.
  • File Checker works on any platform.
  • Recommended file size is 50 megabytes or less, but it works with larger files. There is a limit though, as it would not scan a 160 megabytes file.

File Checker is also integrated into NordVPN’s Threat Protection feature. I did not give the feature a recommendation back then as it installed a certificate on the system that gave it a high level of control.

Threat Protection back then supported the scanning of files, but limited this to files of a size of up to 20 megabytes.

File Checker

The website provides little information on the File Checker technology. Most of the information is basic, explaining that you can get viruses through infected phishing emails or that PDF files can contain viruses.

In fact, the only information about File Checker is that it was created by NordVPN.

File Checker was developed by NordVPN, a global leader in cybersecurity with over 10 years of experience. Our experts curate a massive real-time database of threats and use advanced technologies, including artificial intelligence and machine learning, to continuously improve File Checker.

Nord Security maintains a list of threats and uses technology, including AI and machine learning, to improve it. This does not tell us anything about how good or bad the product is.

File Checker does have a few disadvantages when compared to Virustotal:

  • You can only scan individual files that are on the local device already and links. Virustotal supports this and it includes a Search for finding already scanned files.
  • Virustotal furthermore displays information about the scanned file, including details, behavioral information, and also community comments.
  • File Checker uses a single service, Nord Security’s own, to scan files for malware. Virustotal checks dozens of antivirus engines, which provides a clearer picture.

Should you use the standalone File Checker tool?

While it is commendable that File Checker is free, it is held back by the fact that it relies on a single threat database. Virustotal is the better option, as it provides results from dozens of antivirus services.

Furthermore, it is integrated in NordVPN, which means that all customers may enable this to get automatic file checking. Still, most antivirus applications support this as well.

What about you? Do you use online file scanning services to check downloaded files before you open them on your devices?

Facebook Instagram

Meta gives Europeans a pass – won’t use data for AI training

Posted on by Martin Brinkmann

European Facebook and Instagram users may breathe a sigh of relief, as their public data won’t be used by Meta for AI training for the time being.

Meta published an update regarding the use of data from European users on Facebook.

Here are the highlights:

  • Meta will pause plans to train its large language models using publicly shared content from European users on Facebook or Instagram.
  • Data protection agencies from 11 countries from the EU have filed complaints against Meta.
  • Meta calls it a “step backwards for European innovation”.

The decision does not change the handling of data from users outside of the European Union. Meta will use public data from these users to train its AI systems.

Meta said that it hopes that the data protection authorities chance their stance on the issue. The company said previously that it would use public posts and comments from users over the age of 18 only for AI training. European users were the only ones to get an opt-out option.

While Meta said that it remains committed to bringing AI functionality to users from the European Union, it added that the lack of local information would make it a “second-rate experience”.

Here is an interesting idea: how about making the training opt-in? Giving Facebook and Instagram users the option to give Meta permission to use their data for AI training.

The main issue here, at least for Meta, is that it would gain access to a fraction of the data only. Opt-in systems are favored by users, as they give them full control over a feature. They are disliked by companies, as it limits the reach significantly.

Meta could counter this by giving users incentives to share their data. It will be interesting to see how this will turn out in the end. Meta said that it will “continue to work collaboratively” with the Irish Data Protection Commission.

Would you allow companies to use your public data for AI training?

AI

AI is now capable of exploiting 0-Day vulnerabilities without description

Posted on by Martin Brinkmann

A team of security researchers at the University of Illinois published a study back in April 2024 that demonstrated the hacking capabilities of AI.

Using OpenAI’s GPT-4 model, they discovered that exploit code could be generated for 87% of the tested 0-day vulnerabilities.

This figure dropped to 7% if the CVE description was not provided.

Good to known: 0-day vulnerabilities refer to security issues that are very recent. Patches may not be available in all cases, and systems that are not updated are vulnerable to attacks that target these vulnerabilities.

The same research team has now published a new research document: Teams of LLM Agents can Exploit Zero-Day Vulnerabilities

It builds on the previous research. This time, the researchers wanted to find a way to improve the exploiting capabilities of AI if no description of 0-day vulnerabilities was provided.

They managed to create a system that bumped the success rate to 53% using real-world 0-day vulnerabilities that were discovered after the AI model’s data cut-off date.

Using GPT-4, the researchers switched to a team-based approach to compartmentalize attacks. Instead of relying on a single GPT-4 instance for attacks, they developed an architecture that assigned AI agents with different tasks.

The tasks are assigned by a planner AI and controlled by a manager AI. The planner AI launches other AI instances, including the manager AI and AIs for specific tasks.

This approach worked well, as it improved the the capabilities of the AI attacker. The chance of success rose from 7% when using a single AI instance to 53% under the new team-based approach.

Closing Words

AI research that focuses on security is important. Besides demonstrating the capabilities of different AI models, it may also highlight future dangers. Well-funded hackers and criminals may use AI models for illegal activities. These may range from finding new exploits to creating exploits for existing vulnerabilities.

Web-based and App-based AI interactions prevent certain activities, including hacking. This is not the case, however, for self-hosted or created AI models.

What is your take on this? Will we see more exploits that are more widely used in attacks in the future? Or will we see the rise of AI-based Anti-hacking solutions that try to counter their breathren?

Facebook

Facebook will use your data for AI training, unless you opt-out

Posted on by Martin Brinkmann

Meta is notifying its users currently on Facebook about a privacy-impacting change that will to into effect on June 26, 2024.

The company says that it is expanding “AI at Meta experiences” to the user’s region. AI refers to the “collection of generative AI features and experiences” at Meta. It includes Meta AI and AI Creative Tools according to the notification.

All Facebook users are opted-in automatically. Those who do not want their data to be used for AI training need to opt-out. This opt-out is not straightforward and it appears to be a deliberate decision by Meta.

Meta Facebook AI use of data for AI training

A click on the right to object link in the notification opens the Object to Your Information Being Used for AI at Meta page.

The page offers information on the data that Meta plans to use for AI training and the data that it won’t use. In a nutshell, public data, for instance posts or photos, will be used. Private data, including private messages, won’t be used.

For the opt-out, it is necessary to provide the following information:

  • Country of residence.
  • Email address.
  • Writing an essay on “how this processing impacts you”.

There is also one optional text field that users can fill out to provide additional information.

Meta processes the information and the notification sounds as it if can accept or decline the request. Meta writes:

If your objection is honored, it will be applied going forward.

This is not the end of it though. Meta sends a confirmation code to the email address. This code needs to be entered into a form on the Facebook website to confirm the email address.

Meta then says that it will review the submission as soon as possible. It took less than a minute to receive the answer:

Hi Martin,

We’ve reviewed your request and will honor your objection. This means your request will be applied going forward.

If you want to learn more about generative AI, and our privacy work in this new space, please review the information we have in Privacy Center.

facebook.com/privacy/genai

This inbox cannot accept incoming messages. If you send us a reply, it won’t be received.

Thanks,
Privacy Operations

In case you are wondering what I wrote in the required text field. It was “I object to the use of my data for the training of AI at Meta”

Whether Meta is analyzing user requests with AI is unclear, but it seems very unlikely that a human processed the request in less than a minute after sending it.

If someone could try and write nonsense in the field, we’d know for sure.

What about you? Do you mind if your public data is used for AI training?

Google

Latest Chrome 125 security update fixes 11 unique issues

Posted on by Martin Brinkmann

Google has released a new security update for its Chrome web browser for all supported platforms. The update patches 11 unique security issues in the browser. It comes days after an out-of-bounds security update for Chrome to address a 0-day security vulnerability.

While the issues do not appear to be exploited at the time of writing, it is recommended to update Chrome immediately.

This is done by loading chrome://settings/help in the browser’s address bar or selecting Menu > Help > About Google Chrome manually.

Chrome lists the installed version and will download a new version that it finds automatically on desktop systems.

Pro Tip: open a command prompt window on Windows and run winget upgrade google.chrome.exe to update Chrome without opening it.

Chrome should display one of the following versions after installation of the update:

  • Chrome for Mac or Windows: 125.0.6422.141 or 125.0.6422.142
  • Chrome for Linux: 125.0.6422.141
  • Chrome Extended Channel for Mac or Windows: 124.0.6367.243
  • Chrome for Android: 125.0.6422.146 or 125.0.6422.147

The security fixes

Google lists seven of the eleven security issues that it fixed in the Chrome update on the official releases site.

All seven have a severity rating of high. Google does not publish information about security issues that it discovered internally. The severity of the four unmentioned security issues is unknown as a consequence.

Here is what Google reveals about the listed security issues:

  • [$7000][339877165] High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-05-11
  • [TBD][338071106] High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [TBD][338103465] High CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [TBD][338929744] High CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564) on 2024-05-06
  • [TBD][339061099] High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2024-05-07
  • [TBD][339588211] High CVE-2024-5498: Use after free in Presentation API. Reported by anymous on 2024-05-09
  • [TBD][339877167] High CVE-2024-5499: Out of bounds write in Streams API. Reported by anonymous on 2024-05-11

The security issues affect several components of the browser, including APIs, keyboard inputs, media session, WebRTC, and Dawn. Dawn is an “open-source and cross-platform implementation of the WebGPU standard” according to Google Source.