
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."



  • BahamutZERO, Registered User regular
    what the heck is a pillow man circle

  • LD50, Registered User regular
    Brave is still based on chromium, which means that manifest v3 changes will likely trickle down to it whether Brave likes it or not.

  • Shadowfire, Vermont, in the middle of nowhere, Registered User regular
    what the heck is a pillow man circle

    Mike Lindell and his ilk, sorry.

  • Inquisitor77, 2 x Penny Arcade Fight Club Champion, A fixed point in space and time, Registered User regular
    Firefox + UBlock Origin

    Not Adblock. Not Ublock. Not Adblock Plus. Not Adblocker Ur Mom Ultimate Edition.

    UBlock Origin.

  • Trajan45, Registered User regular
    I'm using Ghostery right now. Is UBlock Origin much better?

  • Frem, Registered User regular
    Trajan45 wrote: »
    I'm using Ghostery right now. Is UBlock Origin much better?

    Ghostery has experimented with some controversial business models in the past, including informing advertisers when blocking ads. uBlock Origin is just a really good open source project; I don’t feel like it’s going to start doing something crazy some update if I’m not paying attention.

  • Drovek, Registered User regular
    I mostly use Privacy Badger and NoScript.

    Slightly annoying on first load (and holy shit, let's not talk about payment flows) but once trained it works rather nicely.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    Drovek wrote: »
    I mostly use Privacy Badger and NoScript.

    Slightly annoying on first load (and holy shit, let's not talk about payment flows) but once trained it works rather nicely.

    I use this, plus UBlock Origin on top of it all.

    It's a right pain in the ass on sites you've never visited before, but honestly at this point I'll take that over the alternative. It's nice knowing that you can block scripts from sites you've never been on before.

  • furlion, Riskbreaker, Lea Monde, Registered User regular
    Occasionally I have to disable NoScript in order to get some site to work properly. Like I was adding Fortnite money to my son's Xbox and had to go through Epic's store and then sign into Xbox Live and the pop-up was just a blank page until I disabled NoScript. For the most part though it is the way and the light.

  • Frem, Registered User regular
    Drovek wrote: »
    I mostly use Privacy Badger and NoScript.

    Slightly annoying on first load (and holy shit, let's not talk about payment flows) but once trained it works rather nicely.

    I use this, plus UBlock Origin on top of it all.

    It's a right pain in the ass on sites you've never visited before, but honestly at this point I'll take that over the alternative. It's nice knowing that you can block scripts from sites you've never been on before.

    I think you can probably remove Privacy Badger and NoScript, unless there’s something really specific about them you like. uBlock Origin can block/allow JS similar to NoScript, and it’s better at syncing the list between browsers. Privacy Badger no longer learns what is tracking you (the bespoke filters it built turned out to be a new fingerprinting vector), and now just operates on filter lists, same as uBO. I’m 99% sure you can just import the filters into uBO.

    It’s not necessarily that I love uBO (although I do) so much as it’s good to use as few browser add-ons as possible. Mitigate fingerprinting, reduce the attack surface if one of them gets replaced with a malicious version, run less JS on every webpage, etc.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited September 2022
    NoScript is whitelist-only which is why I use it in addition to uBlock Origin.

    Can't get hit by a fly-by-night just-registered site that way. If uBlock Origin has this feature, I'm not aware of it.

  • LD50, Registered User regular
    NoScript is whitelist-only which is why I use it in addition to uBlock Origin.

    Can't get hit by a fly-by-night just-registered site that way. If uBlock Origin has this feature, I'm not aware of it.

    You can enable blocking JavaScript by default in the uBlock Origin settings:
    [screenshot of the uBlock Origin settings page]

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    So this is weird, and I don't know how to troubleshoot this. Not even sure if it's a security issue, but it feels like a security issue, so I'm asking here:

    Basically, I have multiple Gmail accounts that I access via browser. I log out after checking them. They're all protected by 2FA.

    One of them - and ONLY one of them - has been showing two concurrent connections EVERY TIME I log in. If I go to recent sessions in the bottom right, there are always *two* sessions connected, and Gmail says that there is a session open in another location simultaneously.

    They both have the same IP origin. One of them is attributed to my browser, the other session is attributed to "unknown". Gmail has for some reason removed the ability to log out other sessions, so I cannot do that.

    If I log in on the same computer using the same browser into a different Gmail account, I don't see this behavior.

    I'm highly suspicious that something untoward is happening with the affected Gmail account. I can't see any other devices logged in beyond the one I'm using, but the "unknown" session still remains, attributed to my IP, in the concurrent session window.

    Anyone know what might be going on, or how to approach figuring out if something's amiss with the account?

  • SiliconStew, Registered User regular
    edited October 2022
    So this is weird, and I don't know how to troubleshoot this. Not even sure if it's a security issue, but it feels like a security issue, so I'm asking here:

    Basically, I have multiple Gmail accounts that I access via browser. I log out after checking them. They're all protected by 2FA.

    One of them - and ONLY one of them - has been showing two concurrent connections EVERY TIME I log in. If I go to recent sessions in the bottom right, there are always *two* sessions connected, and Gmail says that there is a session open in another location simultaneously.

    They both have the same IP origin. One of them is attributed to my browser, the other session is attributed to "unknown". Gmail has for some reason removed the ability to log out other sessions, so I cannot do that.

    If I log in on the same computer using the same browser into a different Gmail account, I don't see this behavior.

    I'm highly suspicious that something untoward is happening with the affected Gmail account. I can't see any other devices logged in beyond the one I'm using, but the "unknown" session still remains, attributed to my IP, in the concurrent session window.

    Anyone know what might be going on, or how to approach figuring out if something's amiss with the account?

    Do you have settings open or plugins running under just that one account? Using that account as a login for something else at your house or on other device? That could be from some background process making a connection to Google. With 2FA and it reporting the same IP as the other connection it's either something like that or simply a bug. I would find it unlikely there's any actual security issue there.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    Do you have settings open or plugins running under just that one account? Using that account as a login for something else at your house or on other device? That could be from some background process making a connection to Google. With 2FA and it reporting the same IP as the other connection it's either something like that or simply a bug. I would find it unlikely there's any actual security issue there.

    No plugins or processes running that I can tell (that's what worries me - something I DON'T know about could be hooking in without my permission), and I don't use that account as a login on any other device. Even the device list in my account settings only shows one computer.

    I did run a test last night where I logged in with only my laptop, and saw the same behavior, though. So at this point, I think I am just going to chalk it up to being a weird bug.

  • Phyphor, Building Planet Busters, Tasting Fruit, Registered User regular
    Pretty sure it's fine. I'm seeing the exact same thing and I'm pretty certain nothing weird has access to my work account

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    Intel has confirmed that the source code for their Alder Lake BIOS has been leaked to the public.
    Intel has confirmed that a source code leak for the UEFI BIOS of Alder Lake CPUs is authentic, raising cybersecurity concerns with researchers.

    Alder Lake is the name of Intel's 12th generation Intel Core processors, released in November 2021.

    On Friday, a Twitter user named 'freak' posted links to what was said to be the source code for Intel Alder Lake's UEFI firmware, which they claim was released by 4chan.
    The leak contains 5.97 GB of files, source code, private keys, change logs, and compilation tools, with the latest timestamp on the files being 9/30/22, likely when a hacker or insider copied the data.
    While it is not clear if the leaked private key is used in production, if it is, hackers could potentially use it to modify the boot policy in Intel firmware and bypass hardware security.

  • Orca, Also known as Espressosaurus Wrex, Registered User regular
    edited December 2022
    https://threadreaderapp.com/thread/1597792097175674880.html
    More car hacking!

    Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.

    Here's how we found it, and how it works:
    After finding individual vulnerabilities affecting different car companies, we became interested in finding out who exactly was providing the auto manufacturers telematic services.

    We thought it was likely there was a company who provided multiple automakers telematic solutions.

    While exploring this avenue, we kept seeing SiriusXM referenced in source code and documentation relating to vehicle telematics.

    This was super interesting to us, because we didn't know SiriusXM offered any remote vehicle management functionality, but it turns out, they do!

    We found the SiriusXM Connected Vehicle website and noticed the following quote:

    "[SiriusXM] is a leading provider of connected vehicles services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota."

    So many brands under one roof!

    At this point, we kicked off scans and scoured the internet trying to find as many domains we could owned by SiriusXM, and additionally reverse engineered all of the mobile apps of SiriusXM customers to see how the remote management actually worked.
    During this process, we found the domain "telematics.net" and began investigating. From what we found, it appeared to handle services for enrolling vehicles in the SiriusXM remote management functionality.

    After pivoting to this domain in particular, we found a large number of references to it in the NissanConnect app and decided to dig as deep as we could.

    We reached out to someone who owned a Nissan, signed into their account, then began inspecting the HTTP traffic.

    There was one HTTP request in particular that was interesting: the "exchangeToken" endpoint would return an authorization bearer dependent on the provided "customerId".

    While fuzzing, we removed the "vin" parameter and it still worked. It seemed to only care about "customerId".

    The format of the "customerId" parameter was interesting as there was a "nissancust" prefix to the identifier along with the "Cv-Tsp" header which specified "NISSAN_17MY".

    When we changed either of these inputs, this request failed.
    Trying to be cheeky, we went for an obvious IDOR and changed the "customerId" parameter to another user's customer ID. This failed and gave us an authorization error.

    Not entirely satisfied, we left this endpoint to rest and began looking at other endpoints.

    Hours later, in one of the HTTP responses we saw the following format of a VIN number:

    vin:5FNRL6H82NB044273

    This vin format looked eerily similar to the "nissancust" prefix from the earlier HTTP request. What if we tried sending the VIN prefixed ID as the customerId?
    It returned "200 OK" and returned a bearer token! This was exciting, we were generating some token and it was indexing the arbitrary VIN as the identifier.

    To make sure this wasn't related to our session JWT, we completely dropped the Authorization parameter and it still worked!

    We took the authorization bearer and used it in an HTTP request to fetch the user profile. It worked!

    The response contained the victim's name, phone number, address, and car details.

    At this point, we made a simple python script to fetch the customer details of any VIN number.

    We continued to escalate this and found the HTTP request to run vehicle commands.

    This also worked!

    We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim's VIN number, something that was on the windshield.

    At this point, we identified that it was also possible to access customer information and run vehicle commands on Honda, Infiniti, and Acura vehicles in addition to Nissan.

    We reported the issue to SiriusXM who fixed it immediately and validated their patch.
    Thank you for reading, huge shout out to all of these amazing people for helping with this research:
    @_specters_ @bbuerhaus @d0nutptr @xEHLE_ @iangcarroll @sshell_ @infosec_au!

    We hope to publish more security findings over our few months spent researching this topic soon.

    Internet-connected cars are stupid, change my mind.

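    The token exchange the researchers describe, as an added Python example that is not part of the original thread, of SiriusXM's code or of the researchers' tooling. The exchangeToken endpoint, the customerId parameter, the "nissancust" prefix, the Cv-Tsp: NISSAN_17MY header and the "vin:<VIN>" identifier form come from the thread; the account table, the session lookup, the HMAC-signed opaque bearer token and the status codes are assumptions made for the demo. The vulnerable handler reproduces the flaw (a VIN-prefixed identifier is resolved to its owner and a token is minted with no check that the caller is that owner, or even logged in), and the hardened handler resolves the identifier first and then refuses unless the caller's session owns the result.

```python
"""Added example (not SiriusXM, Nissan or the researchers' code) of the
token-exchange flaw described in the thread, beside a hardened version.

From the thread: exchangeToken, customerId, the "nissancust" prefix,
Cv-Tsp: NISSAN_17MY, and the "vin:<VIN>" identifier form. Assumed for the
demo: the account table, session handling, and the HMAC-signed token."""
import hashlib
import hmac

SERVER_SECRET = b"demo-only-hmac-secret"  # assumption: tokens are HMAC-signed

# Constructed sample accounts (two customers, one vehicle each).
ACCOUNTS = {
    "nissancust:1001": {"name": "Alice Example", "phone": "555-0100",
                        "address": "1 Demo St", "vin": "5FNRL6H82NB044273"},
    "nissancust:1002": {"name": "Bob Example", "phone": "555-0101",
                        "address": "2 Demo St", "vin": "1N4AZ1CP5KC000001"},
}
VIN_TO_CUSTOMER = {a["vin"]: cid for cid, a in ACCOUNTS.items()}
# Assumed: the app's session JWT maps to the logged-in customer.
SESSIONS = {"jwt-alice": "nissancust:1001", "jwt-bob": "nissancust:1002"}


def mint_token(customer_id):
    """Opaque bearer token bound to one customer: '<id>.<hmac>'."""
    mac = hmac.new(SERVER_SECRET, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{mac}"


def verify_token(token):
    """Return the customer id the token was minted for, or None if forged."""
    customer_id, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_SECRET, customer_id.encode(), hashlib.sha256).hexdigest()
    return customer_id if hmac.compare_digest(mac.encode(), expected.encode()) else None


def resolve_identifier(customer_id):
    """Map either identifier form to a customer id, or None if unknown."""
    if customer_id in ACCOUNTS:
        return customer_id
    if customer_id.startswith("vin:"):
        return VIN_TO_CUSTOMER.get(customer_id[4:])
    return None


def exchange_token_vulnerable(headers, params):
    """Behaviour the thread describes. Returns (status, token_or_None)."""
    if headers.get("Cv-Tsp") != "NISSAN_17MY":
        return 400, None
    customer_id = params.get("customerId", "")
    if customer_id.startswith("nissancust:"):
        # The ownership check exists on this path, so the plain IDOR failed.
        if SESSIONS.get(headers.get("Authorization")) != customer_id:
            return 403, None
        return 200, mint_token(customer_id)
    # The VIN-prefixed path resolves the owner and mints a token without
    # checking that the caller owns the car, or that a session exists at all.
    owner = resolve_identifier(customer_id)
    if owner is None:
        return 404, None
    return 200, mint_token(owner)


def exchange_token_fixed(headers, params):
    """Hardened: resolve first, then require the session to own the result."""
    if headers.get("Cv-Tsp") != "NISSAN_17MY":
        return 400, None
    session_customer = SESSIONS.get(headers.get("Authorization", ""))
    if session_customer is None:
        return 401, None
    owner = resolve_identifier(params.get("customerId", ""))
    if owner is None:
        return 404, None
    if owner != session_customer:
        return 403, None  # same answer whichever identifier form was used
    return 200, mint_token(owner)


def get_profile(token):
    """Profile endpoint: trusts whatever customer the bearer token names."""
    customer_id = verify_token(token)
    return dict(ACCOUNTS[customer_id]) if customer_id in ACCOUNTS else None


def run_vin_only_attack(exchange):
    """Attacker knows only Alice's VIN and holds no session at all."""
    status, token = exchange({"Cv-Tsp": "NISSAN_17MY"},
                             {"customerId": "vin:5FNRL6H82NB044273"})
    return status, (get_profile(token) if token else None)


if __name__ == "__main__":
    print("vulnerable:", run_vin_only_attack(exchange_token_vulnerable))
    print("fixed:     ", run_vin_only_attack(exchange_token_fixed))
```

    The point the hardened version makes: authorization has to be decided on the resolved object, not on the shape of the identifier the client sent, otherwise every alternative lookup path (VIN instead of customer ID here) becomes a bypass of the check that the primary path gets right.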
  • V1m, Registered User regular
    Orca wrote: »

    Internet-connected things are stupid, change my mind.

  • Shadowfire, Vermont, in the middle of nowhere, Registered User regular
    Reminder: the S in IoT stands for Security.

  • LostNinja, Registered User regular
    V1m wrote: »
    Orca wrote: »

    Internet-connected things are stupid, change my mind.

    I was appliance shopping today and saw an oven that connected to the internet...

    Why? Who needs this?

  • BahamutZERO, Registered User regular
    the use case is "get your oven preheated as you're heading home" which is a nice idea but so not worth the headache that comes with IoT devices

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    Someday, a major corporation or government agency is going to get compromised through a breakroom toaster.

    That doesn't even feel like it'll be the far future. That feels like next Tuesday.

  • V1m, Registered User regular
    LostNinja wrote: »
    V1m wrote: »
    Orca wrote: »

    Internet-connected things are stupid, change my mind.

    I was appliance shopping today and saw an oven that connected to the internet….

    Why? Who needs this?

    People who need Russian script-kiddies to give them a £2000 electricity bill!

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    Not sure where this ranks on the "Oh Shit-o-Meter" but it's pretty obviously at the very least an "Oh no"


    If a third-party developer ever lost their signing key, it would be bad. If an Android OEM ever lost their system app signing key, it would be really, really bad. Guess what just happened to Samsung.
    Guess what has happened! Łukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets.

    These companies somehow had their signing keys leaked to outsiders, and now you can't trust that apps that claim to be from these companies are really from them. To make matters worse, the "platform certificate keys" that they lost have some serious permissions.

  • Orca, Also known as Espressosaurus Wrex, Registered User regular
    Samsung and Mediatek? *oof*

  • BahamutZERO, Registered User regular
    edited December 2022
    uh oh

    sounds like Samsung has known they lost their key since 2016 and thinks they have mitigated it somehow without changing the key?

  • V1m, Registered User regular
    That's um kind of a big oopsie-whoopsie there...? Their key has been compromised for six years and they didn't tell anyone?

  • Shadowfire, Vermont, in the middle of nowhere, Registered User regular
    Yeah this is uh... It seems bad! Is it not that bad? Is anyone gonna talk me off that ledge?

  • autono-wally, erotibot300, love machine, Registered User regular
    https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/
    Thread title stays relevant..
    Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub repositories were hacked this month.

    According to a 'confidential' email notification sent by Okta and seen by BleepingComputer, the security incident involves threat actors stealing Okta's source code.

  • Orca, Also known as Espressosaurus Wrex, Registered User regular
    edited December 2022
    Oh, fuck.

    https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/
    LastPass users: Your info and password vault data are now in hackers’ hands
    Password manager says breach it disclosed in August was much worse than thought.
    LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults.

    The revelation, posted on Thursday, represents a dramatic update to a breach LastPass disclosed in August. At the time, the company said that a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager's development environment and "took portions of source code and some proprietary LastPass technical information." The company said at the time that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts weren't affected.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    That seems... like, extremely bad.

  • BahamutZERO, Registered User regular
    change your passwords, password changers

  • Jragghen, Registered User regular
    Yep, already moved off LastPass, but still going through them via paranoia, etc. Already hit the major stuff, will go through various forum accounts and shit later.

    I was overdue for changing passwords, anyway.

  • Shadowfire, Vermont, in the middle of nowhere, Registered User regular
    Is this the third major LastPass breach? Really glad I switched to BitWarden last year.

  • autono-wally, erotibot300, love machine, Registered User regular
    More like LostPass

  • tsmvengy, Registered User regular
    I think I deleted my LastPass account when I quit in 2021....

  • jungleroomx, It's never too many graves, it's always not enough shovels, Registered User regular
    edited December 2022
    I had been just using it stubbornly but this threw me over the edge. Doing the financial and work-related password swaps after deleting my LastPass.

    I will say, Bitwarden has a bit of work to do when it comes to usability. The prompt for asking to update passwords is laughably short, but that's a small price to pay.

  • SiliconStew, Registered User regular
    That seems... like, extremely bad.

    It is certainly a holy shit practical test of their encryption methods. Theoretically, it should take an impractical amount of time to crack even one of the separately encrypted vaults. And cracking one login wouldn't give decrypted access to any others and there is no master key to decrypt the whole thing at once so, again theoretically speaking, the practical risks should be low. Not that you shouldn't change all your passwords regardless, but I have a feeling more damage will ultimately be done through phishing attacks tailored from the unencrypted info, not from cracking the encrypted passwords.

    From an academic curiosity standpoint I'd love for someone to leave some of their own compromised accounts as a honeypot to track potential success at gaining access to this stuff so we might learn how secure it really was.

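    The offline attack that SiliconStew's post reasons about, as an added Python example that is not LastPass's code and does not use LastPass's actual parameters. It assumes a vault key derived with PBKDF2-HMAC-SHA256 from the master password, salted with the account email, a toy HMAC-based cipher standing in for real authenticated encryption, and a deliberately small iteration count so the demo runs quickly; the sample vaults and wordlist are constructed. It shows the two properties the post relies on: once the ciphertext is in the attacker's hands the only thing between them and the plaintext is guessing that user's master password at one KDF run per guess, and a key recovered for one vault opens no other vault.

```python
"""Added example (not LastPass's code) of an offline dictionary attack on a
stolen encrypted vault. Assumptions: PBKDF2-HMAC-SHA256 keyed by the master
password and salted with the email; a toy encrypt-then-MAC cipher in place of
real authenticated encryption; a tiny iteration count for demo speed."""
import hashlib
import hmac
import time

ITERATIONS = 2000  # assumption for the demo; production counts are far higher


def derive_vault_key(master_password, email, iterations=ITERATIONS):
    """Per-user key: the same password with a different email gives an unrelated key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def _keystream(key, length):
    """HMAC counter-mode keystream (toy stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(plaintext, key):
    """Toy encrypt-then-MAC. Returns (ciphertext, tag)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct, tag


def open_vault(ct, tag, key):
    """Plaintext if the key is right, else None (the tag check fails)."""
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def crack_vault(email, ct, tag, wordlist, iterations=ITERATIONS):
    """Offline dictionary attack: one PBKDF2 run per guess, no server involved.
    Returns (password, guesses) or (None, guesses) when the list is exhausted."""
    for guesses, candidate in enumerate(wordlist, start=1):
        key = derive_vault_key(candidate, email, iterations)
        if open_vault(ct, tag, key) is not None:
            return candidate, guesses
    return None, len(wordlist)


def seconds_per_guess(iterations, samples=5):
    """Measure one guess's cost; attacker effort scales linearly with iterations."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("benchmark", "bench@example.com", iterations)
    return (time.perf_counter() - start) / samples


# Constructed sample vaults: one weak master password, one strong.
VAULTS = {}
for _email, _master, _secret in [
    ("alice@example.com", "hunter2", b"site=bank; user=alice; pw=x7Q!Zp"),
    ("bob@example.com", "fz9$Lq2#vWm8Rt", b"site=bank; user=bob; pw=Ht4&kD"),
]:
    VAULTS[_email] = seal_vault(_secret, derive_vault_key(_master, _email))

# Constructed wordlist: the kind of list an attacker tries first.
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]


def crack_all(vaults=VAULTS, wordlist=WORDLIST):
    """Run the dictionary attack against every stolen vault independently."""
    return {email: crack_vault(email, ct, tag, wordlist)
            for email, (ct, tag) in vaults.items()}


def cross_vault_reuse(vaults=VAULTS):
    """Does the key recovered for Alice open Bob's vault? It must not."""
    alice_key = derive_vault_key("hunter2", "alice@example.com")
    ct, tag = vaults["bob@example.com"]
    return open_vault(ct, tag, alice_key)


if __name__ == "__main__":
    print(crack_all())
    print("Alice's key opens Bob's vault:", cross_vault_reuse() is not None)
    print(f"{seconds_per_guess(ITERATIONS) * 1e3:.2f} ms per guess at {ITERATIONS} iterations")
```

    The weak vault falls on the fourth guess and the strong one survives the whole list; the recovered key is useless against the other vault because the salt differs. What the example does not model is the part of the breach that needs no cracking at all: the unencrypted fields, which is where the post expects most of the damage to come from.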
  • Orca, Also known as Espressosaurus Wrex, Registered User regular
    I just don't understand why there were unencrypted bits

    That's just pointing out the target and saying: "here! Right here!"
