<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/">
	<channel>
		<title><![CDATA[Geeks for your information - Security Discussions & Tips]]></title>
		<link>https://www.geeks.fyi/</link>
		<description><![CDATA[Geeks for your information - https://www.geeks.fyi]]></description>
		<pubDate>Fri, 15 May 2026 06:59:34 +0000</pubDate>
		<generator>MyBB</generator>
		<item>
			<title><![CDATA[That weird CAPTCHA could be a malware trap - here's how to protect yourself]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=20687</link>
			<pubDate>Thu, 13 Mar 2025 12:26:20 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=20687</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">Follow the 'I'm not a robot' CAPTCHA, and you might just end up with malware on your PC. </span><br />
 <br />
A persistent <a href="https://www.zdnet.com/article/best-malware-removal-software/" target="_blank" rel="noopener" class="mycode_url">malware campaign</a> is exploiting the ubiquitous CAPTCHA process to try to steal data from unsuspecting victims.<br />
<br />
As described by security firm Malwarebytes in <a href="https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers" target="_blank" rel="noopener" class="mycode_url">a new report</a>, this scheme relies on the ease with which people often follow the steps in a CAPTCHA prompt without thinking.<br />
<br />
How the attack works<br />
<br />
You land on a website that promises movies, music, pictures, news articles, or some other interesting content. A CAPTCHA prompt pops up, asking you to prove that you're not a robot. As we're all so used to these types of requests, many of us wouldn't think twice about accepting it.<br />
<br />
<br />
But instead of the usual CAPTCHA challenge that asks you to choose certain images in a picture or identify distorted characters, this one serves up the instructions seen in the image below:<br />
<br />
<br />
<img src="https://www.zdnet.com/a/img/resize/a0086c7a2dcdc094c3bf0e3e5317f84d0c0a17f7/2025/03/12/8356c0d0-451f-4a62-a45a-a6f54cfdf72f/malwarebytes-campaign-clipboard-hijacker.jpg?auto=webp&amp;width=1280" loading="lazy"  alt="[Image: malwarebytes-campaign-clipboard-hijacker...width=1280]" class="mycode_img" /><br />
<br />
At this point, most savvy users would realize that something is off here and exit the site. But remember that cybercriminals aren't targeting savvy users; they're trying to hit people who are less knowledgeable and more easily tricked. Even sophisticated users in a rush or on autopilot could fall prey to the trap.<br />
<br />
If you follow the steps, the website copies a text string to your Windows clipboard. Normally, you'd have to grant your permission for such an action, but you already did so by checking a checkbox on the first screen of the CAPTCHA prompt.<br />
<br />
<a href="https://www.zdnet.com/article/that-weird-captcha-could-be-a-malware-trap-heres-how-to-protect-yourself/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">Follow the 'I'm not a robot' CAPTCHA, and you might just end up with malware on your PC. </span><br />
 <br />
A persistent <a href="https://www.zdnet.com/article/best-malware-removal-software/" target="_blank" rel="noopener" class="mycode_url">malware campaign</a> is exploiting the ubiquitous CAPTCHA process to try to steal data from unsuspecting victims.<br />
<br />
As described by security firm Malwarebytes in <a href="https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers" target="_blank" rel="noopener" class="mycode_url">a new report</a>, this scheme relies on the ease with which people often follow the steps in a CAPTCHA prompt without thinking.<br />
<br />
How the attack works<br />
<br />
You land on a website that promises movies, music, pictures, news articles, or some other interesting content. A CAPTCHA prompt pops up, asking you to prove that you're not a robot. As we're all so used to these types of requests, many of us wouldn't think twice about accepting it.<br />
<br />
<br />
But instead of the usual CAPTCHA challenge that asks you to choose certain images in a picture or identify distorted characters, this one serves up the instructions seen in the image below:<br />
<br />
<br />
<img src="https://www.zdnet.com/a/img/resize/a0086c7a2dcdc094c3bf0e3e5317f84d0c0a17f7/2025/03/12/8356c0d0-451f-4a62-a45a-a6f54cfdf72f/malwarebytes-campaign-clipboard-hijacker.jpg?auto=webp&amp;width=1280" loading="lazy"  alt="[Image: malwarebytes-campaign-clipboard-hijacker...width=1280]" class="mycode_img" /><br />
<br />
At this point, most savvy users would realize that something is off here and exit the site. But remember that cybercriminals aren't targeting savvy users; they're trying to hit people who are less knowledgeable and more easily tricked. Even sophisticated users in a rush or on autopilot could fall prey to the trap.<br />
<br />
If you follow the steps, the website copies a text string to your Windows clipboard. Normally, you'd have to grant your permission for such an action, but you already did so by checking a checkbox on the first screen of the CAPTCHA prompt.<br />
<br />
<a href="https://www.zdnet.com/article/that-weird-captcha-could-be-a-malware-trap-heres-how-to-protect-yourself/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Google ends support for less secure passwords in third-party apps (workaround)]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=19685</link>
			<pubDate>Sat, 20 Jan 2024 10:11:23 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=19685</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite>If you use an application or service that requires a Google username and password, then you may not be able to use it anymore after September 30, 2024. This may impact third-party app access to Google, e.g. in email clients or Calendar apps.<br />
<br />
There is a Google suggested option and another that still works, so read on to find out all about the change and how to deal with it.<br />
<br />
Google <a href="https://workspaceupdates.googleblog.com/2023/09/winding-down-google-sync-and-less-secure-apps-support.html" target="_blank" rel="noopener" class="mycode_url">announced</a> that it is ending support for Less Secure Apps. This authentication method may be used by apps to integrate a Google account. Basic examples include email clients that accept the Google username and password, or Calendar apps that integrate the Google Calendar after authentication.<br />
<br />
Google planned to introduce the change in 2020 already but postponed it because of the "impact of COVID-19".<br />
<br />
The company is dropping support for Less Secure Apps, but that does not mean that third-party apps and services can't be used anymore. Google supports OAuth for authentication. If affected apps and services do support OAuth as well, users may switch to this authentication method to continue using their Google account.<br />
<br />
The email client Thunderbird, for instance, switched to <a href="https://www.ghacks.net/2022/04/06/thunderbird-91-8-0-makes-important-changes-to-google-mail-accounts/" target="_blank" rel="noopener" class="mycode_url">OAuth authentication for Google Mail (Gmail) accounts</a> back in 2022. Users were either <a href="https://support.mozilla.org/en-US/kb/automatic-conversion-google-mail-accounts-oauth20" target="_blank" rel="noopener" class="mycode_url">migrated automatically</a> or asked to complete the authentication process to regain access to their Gmail account in the email client.<br />
<br />
One downside of using OAuth in Thunderbird is that it requires cookies to store the token on the user's device. This led to issues if cookies were not enabled in Thunderbird. Google is also ending support for Google Sync.<br />
...</blockquote>
<a href="https://www.ghacks.net/2024/01/20/google-ends-support-for-less-secure-passwords-in-third-party-apps-workaround/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite>If you use an application or service that requires a Google username and password, then you may not be able to use it anymore after September 30, 2024. This may impact third-party app access to Google, e.g. in email clients or Calendar apps.<br />
<br />
There is a Google suggested option and another that still works, so read on to find out all about the change and how to deal with it.<br />
<br />
Google <a href="https://workspaceupdates.googleblog.com/2023/09/winding-down-google-sync-and-less-secure-apps-support.html" target="_blank" rel="noopener" class="mycode_url">announced</a> that it is ending support for Less Secure Apps. This authentication method may be used by apps to integrate a Google account. Basic examples include email clients that accept the Google username and password, or Calendar apps that integrate the Google Calendar after authentication.<br />
<br />
Google planned to introduce the change in 2020 already but postponed it because of the "impact of COVID-19".<br />
<br />
The company is dropping support for Less Secure Apps, but that does not mean that third-party apps and services can't be used anymore. Google supports OAuth for authentication. If affected apps and services do support OAuth as well, users may switch to this authentication method to continue using their Google account.<br />
<br />
The email client Thunderbird, for instance, switched to <a href="https://www.ghacks.net/2022/04/06/thunderbird-91-8-0-makes-important-changes-to-google-mail-accounts/" target="_blank" rel="noopener" class="mycode_url">OAuth authentication for Google Mail (Gmail) accounts</a> back in 2022. Users were either <a href="https://support.mozilla.org/en-US/kb/automatic-conversion-google-mail-accounts-oauth20" target="_blank" rel="noopener" class="mycode_url">migrated automatically</a> or asked to complete the authentication process to regain access to their Gmail account in the email client.<br />
<br />
One downside of using OAuth in Thunderbird is that it requires cookies to store the token on the user's device. This led to issues if cookies were not enabled in Thunderbird. Google is also ending support for Google Sync.<br />
...</blockquote>
<a href="https://www.ghacks.net/2024/01/20/google-ends-support-for-less-secure-passwords-in-third-party-apps-workaround/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[What is your preferred VPN application?]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=19274</link>
			<pubDate>Mon, 21 Aug 2023 06:55:28 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1295">jasonX</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=19274</guid>
			<description><![CDATA[Been meaning to ask this here.<br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-style: italic;" class="mycode_i"><span style="font-weight: bold;" class="mycode_b">What is your preferred VPN application?</span></span></span><br />
<br />
I mean the one you have used or are currently using.<br />
<br />
I myself am using AirVPN and Surfshark VPN (paid VPN). These are the two that I use almost always (slightly leaning more on Surfshark VPN due to more features offered and well I guess, popularity). For free VPN I am using ProtonVPN, Hide.me and Windscribe VPN. <br />
<br />
What's yours?]]></description>
			<content:encoded><![CDATA[Been meaning to ask this here.<br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-style: italic;" class="mycode_i"><span style="font-weight: bold;" class="mycode_b">What is your preferred VPN application?</span></span></span><br />
<br />
I mean the one you have used or are currently using.<br />
<br />
I myself am using AirVPN and Surfshark VPN (paid VPN). These are the two that I use almost always (slightly leaning more on Surfshark VPN due to more features offered and well I guess, popularity). For free VPN I am using ProtonVPN, Hide.me and Windscribe VPN. <br />
<br />
What's yours?]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Your KeePass Master Password may be at risk, but a fix is coming]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=19049</link>
			<pubDate>Thu, 18 May 2023 09:36:23 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=19049</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/05/security.jpg" loading="lazy"  alt="[Image: security.jpg]" class="mycode_img" /><br />
<br />
A recently disclosed vulnerability in the KeePass password manager may be exploited to retrieve the master password. The vulnerability, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32784" target="_blank" rel="noopener" class="mycode_url">CVE-2023-32784</a>, indicates that the master password may be recovered from system memory dumps, even if the system is not running or locked.<br />
<br />
Dominik Reichl, the developer of KeePass, will release a patch in the upcoming KeePass 2.54 release, which is scheduled for a release in the coming 2 months.<br />
<br />
The security researcher who discovered the vulnerability has published a proof of concept on <a href="https://github.com/vdohney/keepass-password-dumper" target="_blank" rel="noopener" class="mycode_url">GitHub</a>. The tool, KeePass 2.X Master Password Dumper, analyzes memory dumps, for instance pagefile.sys, hiberfil.sys, or the KeePass process dump to return the master password in clear text. To be precise, the vulnerability may return all characters of the master password except for the first one. It is trivial, however, to run tests to find the single missing character.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/keepass.png" loading="lazy"  alt="[Image: keepass.png]" class="mycode_img" /><br />
<br />
The researcher goes on to explain that the issue is caused by SecureTextBoxEx, which causes leftover strings.<br />
<br />
While the vulnerability may allow threat actors to retrieve the master password of the password manager, it seems unlikely that it will be exploited at scale.<br />
<br />
A likely scenario is a forensic investigation of a computer, as this may return the master password of the password manager. One of the best protections against this is to use full disk encryption and a strong password. Windows users may use the open source encryption software <a href="https://www.veracrypt.fr/code/VeraCrypt/" target="_blank" rel="noopener" class="mycode_url">VeraCrypt</a> for that. A password is required during system start to decrypt the system drive and boot the operating system.<br />
<br />
The researcher suggests that users of KeePass may also delete hibernation, pagefiles and swapfiles regularly, but it is only a temporary recourse. Changing the master password helps as well, but also only temporarily.<br />
<br />
KeePass 2.54 will address the issue. While it may be a month or two away, it is possible that it will be released faster, if reporting about the vulnerability is picking up pace.<br />
<br />
Dominik Reichl <a href="https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/#37b9" target="_blank" rel="noopener" class="mycode_url">describes</a> the fix on the project's Sourceforge discussion forum. The updated version "calls Windows API functions for getting/setting the text of the text box directly, in order to avoid the creation of managed strings". This takes care of most of the leaks. To address the remaining ones, KeePass 2.54 will create dummy fragments in process memory.<br />
<br />
The researcher tested the fix and confirmed that it is no longer possible to reproduce the attack on the fixed version. While there is a development build available that includes the fix, it is not recommended to run it, as it is beta software.<br />
<br />
Certain KeePass forks, like <a href="https://www.ghacks.net/2023/04/16/keepassxc-security-audit-published-recommends-this-security-setting/" target="_blank" rel="noopener" class="mycode_url">KeePassXC</a>, are not affected by the issue.<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/05/18/your-keepass-master-password-may-be-at-risk-but-a-fix-is-coming/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/05/security.jpg" loading="lazy"  alt="[Image: security.jpg]" class="mycode_img" /><br />
<br />
A recently disclosed vulnerability in the KeePass password manager may be exploited to retrieve the master password. The vulnerability, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32784" target="_blank" rel="noopener" class="mycode_url">CVE-2023-32784</a>, indicates that the master password may be recovered from system memory dumps, even if the system is not running or locked.<br />
<br />
Dominik Reichl, the developer of KeePass, will release a patch in the upcoming KeePass 2.54 release, which is scheduled for a release in the coming 2 months.<br />
<br />
The security researcher who discovered the vulnerability has published a proof of concept on <a href="https://github.com/vdohney/keepass-password-dumper" target="_blank" rel="noopener" class="mycode_url">GitHub</a>. The tool, KeePass 2.X Master Password Dumper, analyzes memory dumps, for instance pagefile.sys, hiberfil.sys, or the KeePass process dump to return the master password in clear text. To be precise, the vulnerability may return all characters of the master password except for the first one. It is trivial, however, to run tests to find the single missing character.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/keepass.png" loading="lazy"  alt="[Image: keepass.png]" class="mycode_img" /><br />
<br />
The researcher goes on to explain that the issue is caused by SecureTextBoxEx, which causes leftover strings.<br />
<br />
While the vulnerability may allow threat actors to retrieve the master password of the password manager, it seems unlikely that it will be exploited at scale.<br />
<br />
A likely scenario is a forensic investigation of a computer, as this may return the master password of the password manager. One of the best protections against this is to use full disk encryption and a strong password. Windows users may use the open source encryption software <a href="https://www.veracrypt.fr/code/VeraCrypt/" target="_blank" rel="noopener" class="mycode_url">VeraCrypt</a> for that. A password is required during system start to decrypt the system drive and boot the operating system.<br />
<br />
The researcher suggests that users of KeePass may also delete hibernation, pagefiles and swapfiles regularly, but it is only a temporary recourse. Changing the master password helps as well, but also only temporarily.<br />
<br />
KeePass 2.54 will address the issue. While it may be a month or two away, it is possible that it will be released faster, if reporting about the vulnerability is picking up pace.<br />
<br />
Dominik Reichl <a href="https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/#37b9" target="_blank" rel="noopener" class="mycode_url">describes</a> the fix on the project's Sourceforge discussion forum. The updated version "calls Windows API functions for getting/setting the text of the text box directly, in order to avoid the creation of managed strings". This takes care of most of the leaks. To address the remaining ones, KeePass 2.54 will create dummy fragments in process memory.<br />
<br />
The researcher tested the fix and confirmed that it is no longer possible to reproduce the attack on the fixed version. While there is a development build available that includes the fix, it is not recommended to run it, as it is beta software.<br />
<br />
Certain KeePass forks, like <a href="https://www.ghacks.net/2023/04/16/keepassxc-security-audit-published-recommends-this-security-setting/" target="_blank" rel="noopener" class="mycode_url">KeePassXC</a>, are not affected by the issue.<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/05/18/your-keepass-master-password-may-be-at-risk-but-a-fix-is-coming/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Should you protect your Google Account with a passkey instead of a password?]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=19025</link>
			<pubDate>Thu, 11 May 2023 11:21:46 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=19025</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/05/Google-now-lets-you-create-Passkeys-for-your-accounts.jpg" loading="lazy"  alt="[Image: Google-now-lets-you-create-Passkeys-for-...counts.jpg]" class="mycode_img" /><br />
<br />
Last week, Google unlocked the ability to <a href="https://www.ghacks.net/2023/05/03/how-to-set-up-a-passkey-for-your-google-account/" target="_blank" rel="noopener" class="mycode_url">create passkeys to protect Google Accounts</a> and to switch to using passkeys instead of passwords for protection. The question that Google customers may have is whether they should take the plunge and start using passkeys instead of the account password, or if they should wait a bit longer before they consider doing so.<br />
<br />
This guide explains the benefits and disadvantages of both authentication options so that all Google customers can make an educated decision.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Protecting your Google Account with a password</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/google-password.png" loading="lazy"  alt="[Image: google-password.png]" class="mycode_img" /><br />
<br />
Passwords are the dominating authentication option today. Users are allowed to select the passwords that they want to use and while there are some limitations usually, such as a minimum length or certain character requirements, users are free when it comes to selecting a password.<br />
<br />
This freedom is one of the greatest strengths but also issues when it comes to passwords. Easy to remember passwords are not secure, usually, while hard to remember passwords are secure, but not practicable, unless a password manager is used. There is also password reuse, the reusing of passwords at multiple services, and attacks that try to steal passwords or use brute-force methods to reveal them.<br />
<br />
Passwords, or their hashes, are stored by the service, as this is the only way to verify them when they are entered by the user during the login process.<br />
Companies have started to implement two-factor authentication options to improve the security. A second code needs to be provided by the user to gain access to the account. Codes may be created using apps or may be sent to users via email or messages.<br />
<br />
While two-factor authentication improves the security of accounts, it makes things complicated for the user as it adds another step to the login process.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Protecting your Google Account with Passkeys</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/create-a-gmail-passkey.jpg" loading="lazy"  alt="[Image: create-a-gmail-passkey.jpg]" class="mycode_img" /><br />
<br />
Passkeys is a passwordless authentication standard. Passkeys are created automatically on the user's device during setup and some of the information never leaves the device.<br />
<br />
Sign-ins to services and apps require confirmation by the user; this is done using the device's PIN or other means, including biometrics. A password is never used, and all forms of verification happen locally.<br />
<br />
The entire process of signing-in to accounts is fast and it does not require a second verification step anymore. One of the main benefits of passkeys is that it renders attacks against passwords useless. Phishing, brute forcing or server break-ins can't be used anymore to uncover passwords, as these are not entered nor stored remotely.<br />
<br />
There are a few downsides as well. Support may be limited to certain operating system versions, web browsers or applications. Google passkeys, for example, require Windows 10 or higher, macOS Ventura, Chrome OS, iOS 16 or Android 9 on the operating system side. Browser support is limited to <a href="https://www.ghacks.net/2022/12/12/google-chrome-adds-support-for-passkeys-on-windows-macos-and-android/" target="_blank" rel="noopener" class="mycode_url">Chrome 109</a> or newer, Microsoft Edge 109 or newer, and Safari 16 or newer officially.<br />
<br />
Other browsers may work also, including Firefox, but these are not supported officially.<br />
<br />
The second issue is that passkeys are device specific. While syncing is possible in theory, most services and apps do not support this yet. Google account passkeys are device-specific, which means that you need to create them on any device that you use to totally switch from using passwords to passkeys.<br />
<br />
The Google account password is not removed, however.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Passwords or Passkeys?</span><br />
<br />
Some Google users may not be able to use passkeys at all or only on some devices, because of the requirements.<br />
<br />
Protecting the Google account with a passkey improves security in several ways, and it is the upcoming standard that many online services will switch to.<br />
<br />
Most Google users benefit from switching to passkeys. Some may want to wait until syncing becomes available, especially if they use lots of devices.<br />
<br />
A Google password may still (need to) be used, for instance on devices that don't support passkeys or on public machines.<br />
<br />
Most Google customers may need to juggle between using password and passkeys for a while because of that.<br />
<br />
Secure passwords along with two-factor authentication, a good password manager, and the use of common sense protect the Google account sufficiently.<br />
<br />
Passkeys are an upcoming standard which promises to do even better, but it is in its early stages at this point.<br />
<br />
There is no definitive answer at this point. Google customers who use a single device are in the best position to switch to using passkeys. Those with multiple devices, browsers and maybe even accounts less so.<br />
<br />
Most password managers do not support passkeys yet, but many will introduce support in the coming months and years. <a href="https://www.ghacks.net/2023/03/18/nordpass-password-manager-adds-passkeys-support/" target="_blank" rel="noopener" class="mycode_url">NordPass</a>, <a href="https://www.ghacks.net/2023/02/27/dashlane-password-manager-braces-for-passwordless-future/" target="_blank" rel="noopener" class="mycode_url">Dashlane</a>, <a href="https://www.ghacks.net/2023/02/23/bitwardens-desktop-app-now-supports-passwordless-login-for-web-vault/" target="_blank" rel="noopener" class="mycode_url">Bitwarden</a>, <a href="https://www.ghacks.net/2023/02/10/1password-plans-to-become-the-first-password-manager-without-passwords/" target="_blank" rel="noopener" class="mycode_url">1Password</a> and even <a href="https://www.ghacks.net/2022/06/08/lastpass-introduces-passwordless-vault-access/" target="_blank" rel="noopener" class="mycode_url">LastPass</a> have added support for passwordless authentication or are about to. Support may vary, as some services added support for the password management service itself, while others plan to add options to store password data of other accounts using the password manager.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You</span>: have you switched to using passkeys already?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/05/11/should-you-protect-your-google-account-with-a-passkey-instead-of-a-password/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/05/Google-now-lets-you-create-Passkeys-for-your-accounts.jpg" loading="lazy"  alt="[Image: Google-now-lets-you-create-Passkeys-for-...counts.jpg]" class="mycode_img" /><br />
<br />
Last week, Google unlocked the ability to <a href="https://www.ghacks.net/2023/05/03/how-to-set-up-a-passkey-for-your-google-account/" target="_blank" rel="noopener" class="mycode_url">create passkeys to protect Google Accounts</a> and to switch to using passkeys instead of passwords for protection. The question that Google customers may have is whether they should take the plunge and start using passkeys instead of the account password, or if they should wait a bit longer before they consider doing so.<br />
<br />
This guide explains the benefits and disadvantages of both authentication options so that all Google customers can make an educated decision.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Protecting your Google Account with a password</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/google-password.png" loading="lazy"  alt="[Image: google-password.png]" class="mycode_img" /><br />
<br />
Passwords are the dominating authentication option today. Users are allowed to select the passwords that they want to use and while there are some limitations usually, such as a minimum length or certain character requirements, users are free when it comes to selecting a password.<br />
<br />
This freedom is one of the greatest strengths but also issues when it comes to passwords. Easy to remember passwords are not secure, usually, while hard to remember passwords are secure, but not practicable, unless a password manager is used. There is also password reuse, the reusing of passwords at multiple services, and attacks that try to steal passwords or use brute-force methods to reveal them.<br />
<br />
Passwords, or their hashes, are stored by the service, as this is the only way to verify them when they are entered by the user during the login process.<br />
Companies have started to implement two-factor authentication options to improve the security. A second code needs to be provided by the user to gain access to the account. Codes may be created using apps or may be sent to users via email or messages.<br />
<br />
While two-factor authentication improves the security of accounts, it makes things complicated for the user as it adds another step to the login process.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Protecting your Google Account with Passkeys</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/create-a-gmail-passkey.jpg" loading="lazy"  alt="[Image: create-a-gmail-passkey.jpg]" class="mycode_img" /><br />
<br />
Passkeys is a passwordless authentication standard. Passkeys are created automatically on the user's device during setup and some of the information never leaves the device.<br />
<br />
Sign-ins to services and apps require confirmation by the user; this is done using the device's PIN or other means, including biometrics. A password is never used, and all forms of verification happen locally.<br />
<br />
The entire process of signing-in to accounts is fast and it does not require a second verification step anymore. One of the main benefits of passkeys is that it renders attacks against passwords useless. Phishing, brute forcing or server break-ins can't be used anymore to uncover passwords, as these are not entered nor stored remotely.<br />
<br />
There are a few downsides as well. Support may be limited to certain operating system versions, web browsers or applications. Google passkeys, for example, require Windows 10 or higher, macOS Ventura, Chrome OS, iOS 16 or Android 9 on the operating system side. Browser support is limited to <a href="https://www.ghacks.net/2022/12/12/google-chrome-adds-support-for-passkeys-on-windows-macos-and-android/" target="_blank" rel="noopener" class="mycode_url">Chrome 109</a> or newer, Microsoft Edge 109 or newer, and Safari 16 or newer officially.<br />
<br />
Other browsers may work also, including Firefox, but these are not supported officially.<br />
<br />
The second issue is that passkeys are device specific. While syncing is possible in theory, most services and apps do not support this yet. Google account passkeys are device-specific, which means that you need to create them on any device that you use to totally switch from using passwords to passkeys.<br />
<br />
The Google account password is not removed, however.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Passwords or Passkeys?</span><br />
<br />
Some Google users may not be able to use passkeys at all or only on some devices, because of the requirements.<br />
<br />
Protecting the Google account with a passkey improves security in several ways, and it is the upcoming standard that many online services will switch to.<br />
<br />
Most Google users benefit from switching to passkeys. Some may want to wait until syncing becomes available, especially if they use lots of devices.<br />
<br />
A Google password may still (need to) be used, for instance on devices that don't support passkeys or on public machines.<br />
<br />
Most Google customers may need to juggle between using passwords and passkeys for a while because of that.<br />
<br />
Secure passwords along with two-factor authentication, a good password manager, and the use of common sense protect the Google account sufficiently.<br />
<br />
Passkeys are an upcoming standard which promises to do even better, but it is in its early stages at this point.<br />
<br />
There is no definitive answer at this point. Google customers who use a single device are in the best position to switch to using passkeys. Those with multiple devices, browsers and maybe even accounts less so.<br />
<br />
Most password managers do not support passkeys yet, but many will introduce support in the coming months and years. <a href="https://www.ghacks.net/2023/03/18/nordpass-password-manager-adds-passkeys-support/" target="_blank" rel="noopener" class="mycode_url">NordPass</a>, <a href="https://www.ghacks.net/2023/02/27/dashlane-password-manager-braces-for-passwordless-future/" target="_blank" rel="noopener" class="mycode_url">Dashlane</a>, <a href="https://www.ghacks.net/2023/02/23/bitwardens-desktop-app-now-supports-passwordless-login-for-web-vault/" target="_blank" rel="noopener" class="mycode_url">Bitwarden</a>, <a href="https://www.ghacks.net/2023/02/10/1password-plans-to-become-the-first-password-manager-without-passwords/" target="_blank" rel="noopener" class="mycode_url">1Password</a> and even <a href="https://www.ghacks.net/2022/06/08/lastpass-introduces-passwordless-vault-access/" target="_blank" rel="noopener" class="mycode_url">LastPass</a> have added support for passwordless authentication or are about to. Support may vary, as some services added support for the password management service itself, while others plan to add options to store password data of other accounts using the password manager.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You</span>: have you switched to using passkeys already?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/05/11/should-you-protect-your-google-account-with-a-passkey-instead-of-a-password/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Google now lets you create Passkeys for your accounts, here's how to set it up]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=18989</link>
			<pubDate>Thu, 04 May 2023 08:52:30 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=18989</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/05/Google-now-lets-you-create-Passkeys-for-your-accounts.jpg" loading="lazy"  alt="[Image: Google-now-lets-you-create-Passkeys-for-...counts.jpg]" class="mycode_img" /><br />
<br />
Google has announced support for Passkeys for user accounts. You can now log in to your Gmail account, or any other Google service, without typing your password.<br />
<br />
The Mountain View company had worked with Apple, Microsoft and FIDO Alliance to co-create a platform for Passkeys. Apple <a href="https://www.ghacks.net/2023/03/28/apples-security-a-guide-to-passwords-tokens-and-keys/" target="_blank" rel="noopener" class="mycode_url">already supports</a> the feature on <a href="https://www.ghacks.net/2022/10/25/macos-13-ventura-released-heres-whats-new-in-it/" target="_blank" rel="noopener" class="mycode_url">macOS 13 Ventura</a> and iOS 16.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What is a passkey, and is it safe?</span><br />
<br />
A passkey allows you to sign in to your online accounts without using your password. Instead, it uses your device's screen lock, i.e. PIN or device password, or your biometric data such as a fingerprint scanner used by Windows Hello or macOS TouchID, to authenticate the ownership of the account. The same applies to your Android mobile or iPhone's screen lock methods.<br />
<br />
The passkey is created and stored locally on your device, i.e. a mobile phone or a computer. The data is encrypted to prevent unauthorized access. When you try to log in to your account, the server asks the device to verify the credentials associated with that account. The device in turn prompts you to enter your screen lock code to approve the request, and once you enter the code or use your biometric sensor, the device checks it with the data stored locally, and gives the green signal to the server to grant access to the account.<br />
<br />
Passkeys provide a quick and easy way to log in to your account, you just have to enter your username, you don't have to key in your password. The fact that it completely negates passwords is what makes it special. Passkeys will bypass authenticator apps or other 2FA methods that you may have enabled on your account. Does that mean that your Google account is no longer protected by 2-step verification? No, your account is still protected by 2FA, you may continue using your username and password along with your authenticator app to log in to your account, the Passkey is just an extra option that you can enable.<br />
<br />
You could say that a passkey acts as a combination of your password and two-factor authentication, rolled into one feature. And since the passkey never leaves your device, it is a secure way to log in to your account. Google says that passkeys are more resistant to phishing attacks, and are more secure than one-time codes that are sent over SMS text messages.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How to set up a Passkey for your Google account</span><br />
<br />
1. Visit Google's Passkey creation page.<br />
2. The website will prompt you to enter the password for your Google account.<br />
3. Click on the Create a Passkey button.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/How-to-set-up-a-Passkey-for-your-Google-account.jpg" loading="lazy"  alt="[Image: How-to-set-up-a-Passkey-for-your-Google-account.jpg]" class="mycode_img" /><br />
<br />
4. Google will ask you to choose the device that you want to use for creating the Passkey. You can use your computer or mobile phone to create a passkey with your fingerprint, face, or screen lock.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/create-a-gmail-passkey.jpg" loading="lazy"  alt="[Image: create-a-gmail-passkey.jpg]" class="mycode_img" /><br />
<br />
5. Hit the continue button to proceed. Google will ask you to confirm the process by entering your device's screen lock code, or biometric data. That's it, you've set up a passkey.<br />
<br />
Try it now. Log out of the account in your browser and sign in again with your passkey. No password required, that's pretty cool.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/sign-in-to-google-by-verifying-your-passkey.jpg" loading="lazy"  alt="[Image: sign-in-to-google-by-verifying-your-passkey.jpg]" class="mycode_img" /><br />
<br />
Though the steps to set up a passkey are identical across all platforms, there are some differences in the way the feature works on computers and phones. The important thing to note here is that your passkey is not synchronized across your devices. Google doesn't support passkey sync, unlike Apple, which does with iCloud Keychain.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/login-to-google-with-passkey.jpg" loading="lazy"  alt="[Image: login-to-google-with-passkey.jpg]" class="mycode_img" /><br />
<br />
But when you sign in to your Google account on a secondary device, i.e. one that does not have a passkey stored on it, the web page will offer to create a passkey on that device. You may choose to add it by confirming the device's screen lock code. Adding a secondary device is optional, Google advises users not to create passkeys on shared devices.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/create-a-google-passkey-on-a-secondary-device.jpg" loading="lazy"  alt="[Image: create-a-google-passkey-on-a-secondary-device.jpg]" class="mycode_img" /><br />
<br />
Wait, how do you log in on a desktop browser if you created a passkey on a phone? Google's login page will display an option that lets you "add a new phone". Select it and the site will display a QR code on the screen. Use your mobile's camera app to scan it, and approve the login process.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">A few things to note</span><br />
<br />
Google Passkeys are supported on devices that run on Windows 10, macOS Ventura, ChromeOS 109, iOS 16, Android 9 or above. It is also compatible with hardware security keys that support the FIDO2 protocol. A support page on the company's website claims that Passkeys are only supported on the following browsers: Chrome 109 or above, Safari 16 or up, Edge 109 or later. In truth, it works perfectly fine on all modern browsers, I actually created the Passkey using Firefox. I was also able to use it on Vivaldi, so it should work fine with other Chromium-based browsers.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/verifying-a-sign-in-using-passkey-on-windows.jpg" loading="lazy"  alt="[Image: verifying-a-sign-in-using-passkey-on-windows.jpg]" class="mycode_img" /><br />
 <br />
The Passkey login page that I mentioned above displays options to sign in with an external security key (like Yubikey) or a fingerprint sensor, or to add a new Android phone. The third option can be a little confusing, as you're not adding a new device. Don't worry, it works with iPhones too, just point your camera app at the QR code on the screen and an option to "sign in with passkey" will appear on the screen. Tap on it, and it will authenticate the process using Face ID.<br />
<br />
What if you lose your device? A thief wouldn't be able to access the passkey without the device's screen lock code/biometric authentication. You can remove the passkey from the device remotely via your Google account on another device. Please refer to the <a href="https://support.google.com/accounts/answer/13548313" target="_blank" rel="noopener" class="mycode_url">official support page</a> for more details.<br />
<br />
To opt out of signing in with passkeys, go to your Google Account's Security <a href="https://myaccount.google.com/security" target="_blank" rel="noopener" class="mycode_url">page</a>, and disable "Skip password when possible".<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/disable-google-passkey-sign-in-turn-off-skip-password.jpg" loading="lazy"  alt="[Image: disable-google-passkey-sign-in-turn-off-...ssword.jpg]" class="mycode_img" /><br />
<br />
<span style="font-weight: bold;" class="mycode_b">Note</span>: Google says that Android devices will automatically create passkeys when you sign in to your Google Account. You have to opt out of it, by removing the device from your account from the <a href="https://myaccount.google.com/u/1/device-activity" target="_blank" rel="noopener" class="mycode_url">Manage Devices</a> page.<br />
<br />
A few websites, such as <a href="https://www.ghacks.net/2023/03/24/paypal-launches-passkey-support-on-android-but-not-as-you-might-expect/" target="_blank" rel="noopener" class="mycode_url">PayPal</a>, have already added support for passkeys, and so have some <a href="https://www.ghacks.net/2023/03/18/nordpass-password-manager-adds-passkeys-support/" target="_blank" rel="noopener" class="mycode_url">password managers</a>, it is only a matter of time before more of them adopt the protocol. I guess the passwordless future is here.<br />
<br />
Have you tried Passkeys?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/05/03/how-to-set-up-a-passkey-for-your-google-account/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/05/Google-now-lets-you-create-Passkeys-for-your-accounts.jpg" loading="lazy"  alt="[Image: Google-now-lets-you-create-Passkeys-for-...counts.jpg]" class="mycode_img" /><br />
<br />
Google has announced support for Passkeys for user accounts. You can now log in to your Gmail account, or any other Google service, without typing your password.<br />
<br />
The Mountain View company had worked with Apple, Microsoft and FIDO Alliance to co-create a platform for Passkeys. Apple <a href="https://www.ghacks.net/2023/03/28/apples-security-a-guide-to-passwords-tokens-and-keys/" target="_blank" rel="noopener" class="mycode_url">already supports</a> the feature on <a href="https://www.ghacks.net/2022/10/25/macos-13-ventura-released-heres-whats-new-in-it/" target="_blank" rel="noopener" class="mycode_url">macOS 13 Ventura</a> and iOS 16.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What is a passkey, and is it safe?</span><br />
<br />
A passkey allows you to sign in to your online accounts without using your password. Instead, it uses your device's screen lock, i.e. PIN or device password, or your biometric data such as a fingerprint scanner used by Windows Hello or macOS TouchID, to authenticate the ownership of the account. The same applies to your Android mobile or iPhone's screen lock methods.<br />
<br />
The passkey is created and stored locally on your device, i.e. a mobile phone or a computer. The data is encrypted to prevent unauthorized access. When you try to log in to your account, the server asks the device to verify the credentials associated with that account. The device in turn prompts you to enter your screen lock code to approve the request, and once you enter the code or use your biometric sensor, the device checks it with the data stored locally, and gives the green signal to the server to grant access to the account.<br />
<br />
Passkeys provide a quick and easy way to log in to your account, you just have to enter your username, you don't have to key in your password. The fact that it completely negates passwords is what makes it special. Passkeys will bypass authenticator apps or other 2FA methods that you may have enabled on your account. Does that mean that your Google account is no longer protected by 2-step verification? No, your account is still protected by 2FA, you may continue using your username and password along with your authenticator app to log in to your account, the Passkey is just an extra option that you can enable.<br />
<br />
You could say that a passkey acts as a combination of your password and two-factor authentication, rolled into one feature. And since the passkey never leaves your device, it is a secure way to log in to your account. Google says that passkeys are more resistant to phishing attacks, and are more secure than one-time codes that are sent over SMS text messages.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How to set up a Passkey for your Google account</span><br />
<br />
1. Visit Google's Passkey creation page.<br />
2. The website will prompt you to enter the password for your Google account.<br />
3. Click on the Create a Passkey button.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/How-to-set-up-a-Passkey-for-your-Google-account.jpg" loading="lazy"  alt="[Image: How-to-set-up-a-Passkey-for-your-Google-account.jpg]" class="mycode_img" /><br />
<br />
4. Google will ask you to choose the device that you want to use for creating the Passkey. You can use your computer or mobile phone to create a passkey with your fingerprint, face, or screen lock.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/create-a-gmail-passkey.jpg" loading="lazy"  alt="[Image: create-a-gmail-passkey.jpg]" class="mycode_img" /><br />
<br />
5. Hit the continue button to proceed. Google will ask you to confirm the process by entering your device's screen lock code, or biometric data. That's it, you've set up a passkey.<br />
<br />
Try it now. Log out of the account in your browser and sign in again with your passkey. No password required, that's pretty cool.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/sign-in-to-google-by-verifying-your-passkey.jpg" loading="lazy"  alt="[Image: sign-in-to-google-by-verifying-your-passkey.jpg]" class="mycode_img" /><br />
<br />
Though the steps to set up a passkey are identical across all platforms, there are some differences in the way the feature works on computers and phones. The important thing to note here is that your passkey is not synchronized across your devices. Google doesn't support passkey sync, unlike Apple, which does with iCloud Keychain.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/login-to-google-with-passkey.jpg" loading="lazy"  alt="[Image: login-to-google-with-passkey.jpg]" class="mycode_img" /><br />
<br />
But when you sign in to your Google account on a secondary device, i.e. one that does not have a passkey stored on it, the web page will offer to create a passkey on that device. You may choose to add it by confirming the device's screen lock code. Adding a secondary device is optional, Google advises users not to create passkeys on shared devices.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/create-a-google-passkey-on-a-secondary-device.jpg" loading="lazy"  alt="[Image: create-a-google-passkey-on-a-secondary-device.jpg]" class="mycode_img" /><br />
<br />
Wait, how do you log in on a desktop browser if you created a passkey on a phone? Google's login page will display an option that lets you "add a new phone". Select it and the site will display a QR code on the screen. Use your mobile's camera app to scan it, and approve the login process.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">A few things to note</span><br />
<br />
Google Passkeys are supported on devices that run on Windows 10, macOS Ventura, ChromeOS 109, iOS 16, Android 9 or above. It is also compatible with hardware security keys that support the FIDO2 protocol. A support page on the company's website claims that Passkeys are only supported on the following browsers: Chrome 109 or above, Safari 16 or up, Edge 109 or later. In truth, it works perfectly fine on all modern browsers, I actually created the Passkey using Firefox. I was also able to use it on Vivaldi, so it should work fine with other Chromium-based browsers.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/verifying-a-sign-in-using-passkey-on-windows.jpg" loading="lazy"  alt="[Image: verifying-a-sign-in-using-passkey-on-windows.jpg]" class="mycode_img" /><br />
 <br />
The Passkey login page that I mentioned above displays options to sign in with an external security key (like Yubikey) or a fingerprint sensor, or to add a new Android phone. The third option can be a little confusing, as you're not adding a new device. Don't worry, it works with iPhones too, just point your camera app at the QR code on the screen and an option to "sign in with passkey" will appear on the screen. Tap on it, and it will authenticate the process using Face ID.<br />
<br />
What if you lose your device? A thief wouldn't be able to access the passkey without the device's screen lock code/biometric authentication. You can remove the passkey from the device remotely via your Google account on another device. Please refer to the <a href="https://support.google.com/accounts/answer/13548313" target="_blank" rel="noopener" class="mycode_url">official support page</a> for more details.<br />
<br />
To opt out of signing in with passkeys, go to your Google Account's Security <a href="https://myaccount.google.com/security" target="_blank" rel="noopener" class="mycode_url">page</a>, and disable "Skip password when possible".<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/05/disable-google-passkey-sign-in-turn-off-skip-password.jpg" loading="lazy"  alt="[Image: disable-google-passkey-sign-in-turn-off-...ssword.jpg]" class="mycode_img" /><br />
<br />
<span style="font-weight: bold;" class="mycode_b">Note</span>: Google says that Android devices will automatically create passkeys when you sign in to your Google Account. You have to opt out of it, by removing the device from your account from the <a href="https://myaccount.google.com/u/1/device-activity" target="_blank" rel="noopener" class="mycode_url">Manage Devices</a> page.<br />
<br />
A few websites, such as <a href="https://www.ghacks.net/2023/03/24/paypal-launches-passkey-support-on-android-but-not-as-you-might-expect/" target="_blank" rel="noopener" class="mycode_url">PayPal</a>, have already added support for passkeys, and so have some <a href="https://www.ghacks.net/2023/03/18/nordpass-password-manager-adds-passkeys-support/" target="_blank" rel="noopener" class="mycode_url">password managers</a>, it is only a matter of time before more of them adopt the protocol. I guess the passwordless future is here.<br />
<br />
Have you tried Passkeys?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/05/03/how-to-set-up-a-passkey-for-your-google-account/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[How to secure your data in the Cloud]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=18856</link>
			<pubDate>Mon, 03 Apr 2023 10:10:56 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=18856</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/04/markus-spiske-hL8slYnc-bM-unsplash.jpg" loading="lazy"  alt="[Image: markus-spiske-hL8slYnc-bM-unsplash.jpg]" class="mycode_img" /><br />
<br />
Storing data in the cloud is often useful to users: from syncing data between devices to cloud-based backups and sharing options. While local storage still dominates, the use of cloud storage has grown considerably in the past decade.<br />
<br />
It should not come as a surprise that cloud storage solutions are offered on every corner of the Internet. Companies like Google, Apple and Microsoft have created solutions that are used by millions, if not billions, of users. Even while these large players dominate the market, there are thousands of other options to choose from.<br />
<br />
While all offer free or paid storage in the cloud, what they offer next to that may differ significantly. When users select a cloud storage provider, they need to make sure that their data is safe and secure. Unauthorized access to data can lead to leaks and all kinds of troubles.<br />
<br />
The following tips help make sure that cloud data is well protected.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tip 1: Encryption is key</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/04/mauro-sbicego-4hfpVsi-gSg-unsplash.jpg" loading="lazy"  alt="[Image: mauro-sbicego-4hfpVsi-gSg-unsplash.jpg]" class="mycode_img" /><br />
<br />
The cloud provider should support end-to-end encryption. Most storage providers protect data when it is transferred, but end-to-end encryption is a level up as it prevents anyone, even the cloud provider, from accessing files.<br />
<br />
<a href="https://proton.me/drive" target="_blank" rel="noopener" class="mycode_url">Proton Drive</a> and <a href="https://www.pcloud.com/eu" target="_blank" rel="noopener" class="mycode_url">pCloud</a> are two providers that support end-to-end encryption. Both offer free accounts, with 1 gigabyte and 10 gigabytes of storage, and paid plans to get more storage. There are more, and Internet searches will reveal those providers.<br />
<br />
Another option is to encrypt data right on the local device before sending it to cloud storage; this does not work with some data, e.g., browser data that is synced so that bookmarks and tabs are accessible across all devices, but it works with static files.<br />
<br />
Most file archivers, WinRAR or 7-Zip for example, support encryption, and there are dedicated applications available, like <a href="https://cryptomator.org/" target="_blank" rel="noopener" class="mycode_url">Cryptomator</a>, which automate the process for the user.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tip 2: Protect the account properly</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/04/markus-winkler-3LVhSjCXRKc-unsplash.jpg" loading="lazy"  alt="[Image: markus-winkler-3LVhSjCXRKc-unsplash.jpg]" class="mycode_img" /><br />
<br />
Encryption is key, but the key to unlock the data is the user's account password. Users who set up accounts with weak passwords and no additional security protections may have their accounts cracked in a matter of minutes.<br />
<br />
Therefore, it is essential to select a unique strong password for the account and add additional protection to it. Most cloud providers support two-factor authentication at the very least, requiring that a second code is entered, which is generated in real-time using <a href="https://www.ghacks.net/2023/02/27/best-authenticator-apps-for-android-and-ios/" target="_blank" rel="noopener" class="mycode_url">authentication apps</a> or other means.<br />
<br />
<a href="https://www.ghacks.net/2023/03/27/passwords-vs-passwordless-a-debate-on-online-security/" target="_blank" rel="noopener" class="mycode_url">Passwordless</a> authentication is on the rise, but many providers do not support it at this time.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tip 3: Consider what to upload and what to keep local</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/04/wesley-tingey-snNHKZ-mGfE-unsplash.jpg" loading="lazy"  alt="[Image: wesley-tingey-snNHKZ-mGfE-unsplash.jpg]" class="mycode_img" /><br />
<br />
Not all files need to be pushed to the cloud. Cloud storage may make certain operations more convenient, may act as a backup for important data, and may also help when it comes to syncing passwords, browser data or other data that is in use regularly.<br />
<br />
Whether other types of data, say the entire family photo library, an mp3 collection, or fan fiction collection, need to be placed is up for debate. Some users like the idea of having access to the data anywhere. You may want to avoid uploading sensitive data to the cloud, or use extra encryption to protect this data even more.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tip 4: Keep local copies of cloud files</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/04/markus-spiske-hL8slYnc-bM-unsplash.jpg" loading="lazy"  alt="[Image: markus-spiske-hL8slYnc-bM-unsplash.jpg]" class="mycode_img" /><br />
<br />
Cloud access is tied to an account and if access to the account is lost, e.g., password and password recovery can't be used anymore, or if a cloud provider decides to close the account, then data access is no longer possible. A local copy of files ensures that data is still accessible in those cases.<br />
<br />
Consider buying an external hard drive for backups, if local drives are not large enough to hold regular backups.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tip 5: Control access to the cloud</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/04/viktor-forgacs-LNwIJHUtED4-unsplash.jpg" loading="lazy"  alt="[Image: viktor-forgacs-LNwIJHUtED4-unsplash.jpg]" class="mycode_img" /><br />
<br />
One of the main advantages of storing files in the cloud is that they can be accessed from anywhere. Users may use their own devices for that, but they can also log in from public computers or devices that someone else owns.<br />
<br />
While it is certainly better not to sign in to cloud storage on public computers, it is essential to make sure that you sign out when you do. Others may access the data if you do not sign out, which would torpedo the entire security setup.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You:</span> do you use Cloud storage?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/04/02/how-to-secure-your-data-in-the-cloud/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/04/markus-spiske-hL8slYnc-bM-unsplash.jpg" loading="lazy"  alt="[Image: markus-spiske-hL8slYnc-bM-unsplash.jpg]" class="mycode_img" /><br />
<br />
Storing data in the cloud is often useful to users: from syncing data between devices to cloud-based backups and sharing options. While local storage still dominates, the use of cloud storage has grown considerably in the past decade.<br />
<br />
It should not come as a surprise that cloud storage solutions are offered on every corner of the Internet. Companies like Google, Apple and Microsoft have created solutions that are used by millions, if not billions, of users. Even while these large players dominate the market, there are thousands of other options to choose from.<br />
<br />
While all offer free or paid storage in the cloud, what they offer next to that may differ significantly. When users select a cloud storage provider, they need to make sure that their data is safe and secure. Unauthorized access to data can lead to leaks and all kinds of troubles.<br />
<br />
The following tips help make sure that cloud data is well protected.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tip 1: Encryption is key</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/04/mauro-sbicego-4hfpVsi-gSg-unsplash.jpg" loading="lazy"  alt="[Image: mauro-sbicego-4hfpVsi-gSg-unsplash.jpg]" class="mycode_img" /><br />
<br />
The cloud provider should support end-to-end encryption. Most storage providers protect data when it is transferred, but end-to-end encryption is a level up as it prevents anyone, even the cloud provider, from accessing files.<br />
<br />
<a href="https://proton.me/drive" target="_blank" rel="noopener" class="mycode_url">Proton Drive</a> and <a href="https://www.pcloud.com/eu" target="_blank" rel="noopener" class="mycode_url">pCloud</a> are two providers that support end-to-end encryption. Both offer free accounts, with 1 gigabyte and 10 gigabytes of storage, and paid plans to get more storage. There are more, and Internet searches will reveal those providers.<br />
<br />
Another option is to encrypt data right on the local device before sending it to cloud storage; this does not work with some data, e.g., browser data that is synced so that bookmarks and tabs are accessible across all devices, but it works with static files.<br />
<br />
Most file archivers, WinRAR or 7-Zip for example, support encryption, and there are dedicated applications available, like <a href="https://cryptomator.org/" target="_blank" rel="noopener" class="mycode_url">Cryptomator</a>, which automate the process for the user.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tip 2: Protect the account properly</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/04/markus-winkler-3LVhSjCXRKc-unsplash.jpg" loading="lazy"  alt="[Image: markus-winkler-3LVhSjCXRKc-unsplash.jpg]" class="mycode_img" /><br />
<br />
Encryption is key, but the key to unlock the data is the user's account password. Users who set up accounts with weak passwords and no additional security protections may have their accounts cracked in a matter of minutes.<br />
<br />
Therefore, it is essential to select a unique strong password for the account and add additional protection to it. Most cloud providers support two-factor authentication at the very least, requiring that a second code is entered, which is generated in real-time using <a href="https://www.ghacks.net/2023/02/27/best-authenticator-apps-for-android-and-ios/" target="_blank" rel="noopener" class="mycode_url">authentication apps</a> or other means.<br />
<br />
<a href="https://www.ghacks.net/2023/03/27/passwords-vs-passwordless-a-debate-on-online-security/" target="_blank" rel="noopener" class="mycode_url">Passwordless</a> authentication is on the rise, but many providers do not support it at this time.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tip 3: Consider what to upload and what to keep local</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/04/wesley-tingey-snNHKZ-mGfE-unsplash.jpg" loading="lazy"  alt="[Image: wesley-tingey-snNHKZ-mGfE-unsplash.jpg]" class="mycode_img" /><br />
<br />
Not all files need to be pushed to the cloud. Cloud storage may make certain operations more convenient, may act as a backup for important data, and may also help when it comes to syncing passwords, browser data or other data that is in use regularly.<br />
<br />
Whether other types of data, say the entire family photo library, an mp3 collection, or fan fiction collection, need to be placed is up for debate. Some users like the idea of having access to the data anywhere. You may want to avoid uploading sensitive data to the cloud, or use extra encryption to protect this data even more.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tip 4: Keep local copies of cloud files</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/04/markus-spiske-hL8slYnc-bM-unsplash.jpg" loading="lazy"  alt="[Image: markus-spiske-hL8slYnc-bM-unsplash.jpg]" class="mycode_img" /><br />
<br />
Cloud access is tied to an account and if access to the account is lost, e.g., password and password recovery can't be used anymore, or if a cloud provider decides to close the account, then data access is no longer possible. A local copy of files ensures that data is still accessible in those cases.<br />
<br />
Consider buying an external hard drive for backups, if local drives are not large enough to hold regular backups.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tip 5: Control access to the cloud</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/04/viktor-forgacs-LNwIJHUtED4-unsplash.jpg" loading="lazy"  alt="[Image: viktor-forgacs-LNwIJHUtED4-unsplash.jpg]" class="mycode_img" /><br />
<br />
One of the main advantages of storing files in the cloud is that they can be accessed from anywhere. Users may use their own devices for that, but they can also log in from public computers or devices that someone else owns.<br />
<br />
While it is certainly better not to sign in to cloud storage on public computers, it is essential to make sure that you sign out when you do. Others may access the data if you do not sign out, which would torpedo the entire security setup.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You:</span> do you use Cloud storage?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/04/02/how-to-secure-your-data-in-the-cloud/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[How to stay safe while using public Wi-Fi]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=18846</link>
			<pubDate>Fri, 31 Mar 2023 08:05:51 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=18846</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/03/paul-hanaoka-KRAk_61pgTo-unsplash.jpg" loading="lazy"  alt="[Image: paul-hanaoka-KRAk_61pgTo-unsplash.jpg]" class="mycode_img" /><br />
<br />
Whether you are traveling frequently or a remote worker, relying on public Wi-Fi may not be ideal, but it may be the only option to get work done sometimes. Many may not even be aware of the dangers of public wireless connections, but there are also precautions available to improve security and privacy.<br />
<br />
Public Wi-Fi is a common option in many places, including at airports, libraries, hotels, cafes or restaurants. Just connect to the wireless network and use the available Internet connection for work or leisure.<br />
<br />
The following guide helps users stay safe while their devices are connected to public wireless networks. There are several risks, including the following ones:<ul class="mycode_list"><li>Network Snooping -- Someone else is monitoring network connections and what users do on the network.<br />
</li>
<li>Infections -- Hackers may infect public Wi-Fi networks to spread malware or monitor what connected users do.<br />
</li>
</ul>
There are other forms of attacks, including session hijacking, creating rogue access points or attacking devices that are in the same network.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Use a VPN</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/03/vpn-google-one.png" loading="lazy"  alt="[Image: vpn-google-one.png]" class="mycode_img" /><br />
<br />
The best protection against any form of public Wi-Fi attack or risk is to use a VPN, Virtual Private Network. One of the main features of VPNs is that they encrypt your device's traffic. This prevents others, including the network operator, other connected users or hackers, from spying on your network traffic.<br />
<br />
Some browsers include <a href="https://www.ghacks.net/2023/02/21/microsoft-secure-network-reportedly-rolling-out-in-microsoft-edge-stable/" target="_blank" rel="noopener" class="mycode_url">basic free VPN</a>s, but most VPNs cost about a Starbucks coffee per month. To name a few options: <a href="https://mullvad.net/" target="_blank" rel="noopener" class="mycode_url">Mullvad</a> or <a href="https://protonvpn.com/" target="_blank" rel="noopener" class="mycode_url">ProtonVPN</a>. Even Google has its own VPN called <a href="https://www.ghacks.net/2023/03/25/vpn-by-google-one-is-the-most-basic-vpn-that-you-can-get/" target="_blank" rel="noopener" class="mycode_url">VPN by Google One now</a>, which is available for all paying customers.<br />
<br />
With a VPN connection in place (some include options to auto-connect to the VPN whenever a connection to a public wireless network is established), risks are reduced significantly. It allows you to act freely on your devices, without having to worry about network sniffing or manipulation of Internet traffic.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Other Tips regarding public Wi-Fi connections</span><br />
<br />
If a VPN connection is not available, for whatever reason, then users may follow these suggestions to improve security and privacy:<ul class="mycode_list"><li><span style="font-weight: bold;" class="mycode_b">Turn off automatic connectivity features</span>. Some devices may connect to public wireless networks automatically, especially if no other mobile connection is available. Disable this option to gain control over the feature and avoid unwanted connections.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Turn off file sharing</span>. File Sharing should also be turned off, as it may give others access to files on your devices, especially if access is not protected properly.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Don't share or use sensitive information or data.</span> It is recommended to avoid using sensitive data, e.g., logging into a bank account, making online purchases or uploading sensitive data while connected to a public Wi-Fi network.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Make sure software and the operating system are up to date</span>. Keeping software up to date prevents attacks against known security issues.<br />
</li>
</ul>
<span style="font-weight: bold;" class="mycode_b">Closing Words</span><br />
<br />
All in all, it is recommended to use a VPN all the time when connecting to public Wi-Fi networks. Skip one coffee per month and get a good VPN instead to protect your data and improve security significantly.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You</span>: do you connect your devices to public Wi-Fi networks?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/03/30/how-to-stay-safe-while-using-public-wi-fi/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/03/paul-hanaoka-KRAk_61pgTo-unsplash.jpg" loading="lazy"  alt="[Image: paul-hanaoka-KRAk_61pgTo-unsplash.jpg]" class="mycode_img" /><br />
<br />
Whether you are traveling frequently or a remote worker, relying on public Wi-Fi may not be ideal, but it may be the only option to get work done sometimes. Many may not even be aware of the dangers of public wireless connections, but there are also precautions available to improve security and privacy.<br />
<br />
Public Wi-Fi is a common option in many places, including at airports, libraries, hotels, cafes or restaurants. Just connect to the wireless network and use the available Internet connection for work or leisure.<br />
<br />
The following guide helps users stay safe while their devices are connected to public wireless networks. There are several risks, including the following ones:<ul class="mycode_list"><li>Network Snooping -- Someone else is monitoring network connections and what users do on the network.<br />
</li>
<li>Infections -- Hackers may infect public Wi-Fi networks to spread malware or monitor what connected users do.<br />
</li>
</ul>
There are other forms of attacks, including session hijacking, creating rogue access points or attacking devices that are in the same network.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Use a VPN</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/03/vpn-google-one.png" loading="lazy"  alt="[Image: vpn-google-one.png]" class="mycode_img" /><br />
<br />
The best protection against any form of public Wi-Fi attack or risk is to use a VPN, Virtual Private Network. One of the main features of VPNs is that they encrypt your device's traffic. This prevents others, including the network operator, other connected users or hackers, from spying on your network traffic.<br />
<br />
Some browsers include <a href="https://www.ghacks.net/2023/02/21/microsoft-secure-network-reportedly-rolling-out-in-microsoft-edge-stable/" target="_blank" rel="noopener" class="mycode_url">basic free VPN</a>s, but most VPNs cost about a Starbucks coffee per month. To name a few options: <a href="https://mullvad.net/" target="_blank" rel="noopener" class="mycode_url">Mullvad</a> or <a href="https://protonvpn.com/" target="_blank" rel="noopener" class="mycode_url">ProtonVPN</a>. Even Google has its own VPN called <a href="https://www.ghacks.net/2023/03/25/vpn-by-google-one-is-the-most-basic-vpn-that-you-can-get/" target="_blank" rel="noopener" class="mycode_url">VPN by Google One now</a>, which is available for all paying customers.<br />
<br />
With a VPN connection in place (some include options to auto-connect to the VPN whenever a connection to a public wireless network is established), risks are reduced significantly. It allows you to act freely on your devices, without having to worry about network sniffing or manipulation of Internet traffic.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Other Tips regarding public Wi-Fi connections</span><br />
<br />
If a VPN connection is not available, for whatever reason, then users may follow these suggestions to improve security and privacy:<ul class="mycode_list"><li><span style="font-weight: bold;" class="mycode_b">Turn off automatic connectivity features</span>. Some devices may connect to public wireless networks automatically, especially if no other mobile connection is available. Disable this option to gain control over the feature and avoid unwanted connections.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Turn off file sharing</span>. File Sharing should also be turned off, as it may give others access to files on your devices, especially if access is not protected properly.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Don't share or use sensitive information or data.</span> It is recommended to avoid using sensitive data, e.g., logging into a bank account, making online purchases or uploading sensitive data while connected to a public Wi-Fi network.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Make sure software and the operating system are up to date</span>. Keeping software up to date prevents attacks against known security issues.<br />
</li>
</ul>
<span style="font-weight: bold;" class="mycode_b">Closing Words</span><br />
<br />
All in all, it is recommended to use a VPN all the time when connecting to public Wi-Fi networks. Skip one coffee per month and get a good VPN instead to protect your data and improve security significantly.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You</span>: do you connect your devices to public Wi-Fi networks?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/03/30/how-to-stay-safe-while-using-public-wi-fi/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[How to protect your Windows PC from the attack that led to the Linus Tech Tips hack]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=18841</link>
			<pubDate>Wed, 29 Mar 2023 08:05:19 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=18841</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/03/ed-hardie-Y5PSyMm8nMk-unsplash.jpg" loading="lazy"  alt="[Image: ed-hardie-Y5PSyMm8nMk-unsplash.jpg]" class="mycode_img" /><br />
<br />
One of the world's most popular tech YouTube channels <a href="https://www.ghacks.net/2023/03/24/linus-tech-tips-hacked/" target="_blank" rel="noopener" class="mycode_url">was hacked recently</a>. <a href="https://www.youtube.com/user/linustechtips" target="_blank" rel="noopener" class="mycode_url">Linus Tech Tips</a> has over 15 million subscribers on YouTube, but all of the company's technical expertise has not prevented it from being hacked.<br />
<br />
It appears that Linus Tech Tips was not the first company that fell for the attack. It started with an email inquiry regarding sponsorship. It is unclear if there was more than one email, as a common strategy of threat actors is to send a harmless email in the beginning, wait for the potential victim to respond, and then include the malware in the next email.<br />
<br />
Linus Tech Tips received an email with a zip file, which supposedly contained a sponsorship offer. One of the company's employees extracted the zip archive, and discovered that it contained the promised PDF document.<br />
<br />
Only problem was, it was not a PDF document, but a Windows screensaver file. One of Windows' biggest issues regarding security is that it hides certain common file extensions in File Explorer. An attacker can rename the file SuperOffer.scr to SuperOffer.pdf.scr, and Windows, in all its glory, displays only the SuperOffer.pdf part by default in File Explorer. It looks like a PDF document, and since it is possible to give it a PDF icon, it makes it even more believable.<br />
<br />
Execution of the file does not load the system's PDF viewer, but runs the executable. At this stage, if no security software kicks in, the PC should be considered infected.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Protecting your Windows PC from this attack</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/03/hide-extensions-known-file-types.png" loading="lazy"  alt="[Image: hide-extensions-known-file-types.png]" class="mycode_img" /><br />
<br />
Protecting Windows PCs from this double file extension security issue is quite easy, as it takes just a few clicks. The main issue here is that Microsoft decided to favor a cleaner look of files on the system over security.<br />
<br />
The change forces Windows to always display the file extensions of files. The malicious file example from above would be displayed as SuperOffer.pdf.scr by Windows, which would increase the chance of the user to identify the file as potentially malicious.<br />
<br />
The following step-by-step instructions explain how the change is made on Windows 10 and 11 devices:<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Windows 10</span><br />
<ol type="1" class="mycode_list"><li>Open a File Explorer instance, for example, by clicking on the File Explorer icon in the Windows 10 taskbar.<br />
</li>
<li>Select File &gt; Change folder and search options.<br />
</li>
<li>Switch to the View tab.<br />
</li>
<li>Scroll down until you see "Hide extensions for known file types".<br />
</li>
<li>Remove the checkmark from the setting.<br />
</li>
<li>Click on OK.<br />
</li>
</ol>
Windows 10 will display all file extensions all the time now.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Windows 11</span><br />
<ol type="1" class="mycode_list"><li>Open File Explorer on the operating system; it is pinned on the taskbar.<br />
</li>
<li>Select Menu (three-dots) and then Options.<br />
</li>
<li>Switch to the View tab in the Folder Options window.<br />
</li>
<li>Uncheck the "Hide extensions for known file types" option.<br />
</li>
<li>Select OK.<br />
</li>
</ol>
Windows 11 displays all file extensions now for all file types.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Closing Words</span><br />
<br />
The change improves the chance of spotting files that try to disguise their real type by adding a fake file extension to the filename. While that does not guarantee that users do not execute the file accidentally, it does give inexperienced users a better chance at spotting that something is wrong.<br />
<br />
Another option that may work wonders is to always execute certain files, for instance all email attachments, in <a href="https://www.ghacks.net/2018/12/19/a-first-look-at-windows-sandbox/" target="_blank" rel="noopener" class="mycode_url">sandboxes</a> or virtual machines.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You</span>: have another tip on how these attacks can be prevented?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/03/28/how-to-protect-your-windows-pc-from-the-attack-that-led-to-the-linus-tech-tips-hack/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/03/ed-hardie-Y5PSyMm8nMk-unsplash.jpg" loading="lazy"  alt="[Image: ed-hardie-Y5PSyMm8nMk-unsplash.jpg]" class="mycode_img" /><br />
<br />
One of the world's most popular tech YouTube channels <a href="https://www.ghacks.net/2023/03/24/linus-tech-tips-hacked/" target="_blank" rel="noopener" class="mycode_url">was hacked recently</a>. <a href="https://www.youtube.com/user/linustechtips" target="_blank" rel="noopener" class="mycode_url">Linus Tech Tips</a> has over 15 million subscribers on YouTube, but all of the company's technical expertise has not prevented it from being hacked.<br />
<br />
It appears that Linus Tech Tips was not the first company that fell for the attack. It started with an email inquiry regarding sponsorship. It is unclear if there was more than one email, as a common strategy of threat actors is to send a harmless email in the beginning, wait for the potential victim to respond, and then include the malware in the next email.<br />
<br />
Linus Tech Tips received an email with a zip file, which supposedly contained a sponsorship offer. One of the company's employees extracted the zip archive, and discovered that it contained the promised PDF document.<br />
<br />
Only problem was, it was not a PDF document, but a Windows screensaver file. One of Windows' biggest issues regarding security is that it hides certain common file extensions in File Explorer. An attacker can rename the file SuperOffer.scr to SuperOffer.pdf.scr, and Windows, in all its glory, displays only the SuperOffer.pdf part by default in File Explorer. It looks like a PDF document, and since it is possible to give it a PDF icon, it makes it even more believable.<br />
<br />
Execution of the file does not load the system's PDF viewer, but runs the executable. At this stage, if no security software kicks in, the PC should be considered infected.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Protecting your Windows PC from this attack</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/03/hide-extensions-known-file-types.png" loading="lazy"  alt="[Image: hide-extensions-known-file-types.png]" class="mycode_img" /><br />
<br />
Protecting Windows PCs from this double file extension security issue is quite easy, as it takes just a few clicks. The main issue here is that Microsoft decided to favor a cleaner look of files on the system over security.<br />
<br />
The change forces Windows to always display the file extensions of files. The malicious file example from above would be displayed as SuperOffer.pdf.scr by Windows, which would increase the chance of the user to identify the file as potentially malicious.<br />
<br />
The following step-by-step instructions explain how the change is made on Windows 10 and 11 devices:<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Windows 10</span><br />
<ol type="1" class="mycode_list"><li>Open a File Explorer instance, for example, by clicking on the File Explorer icon in the Windows 10 taskbar.<br />
</li>
<li>Select File &gt; Change folder and search options.<br />
</li>
<li>Switch to the View tab.<br />
</li>
<li>Scroll down until you see "Hide extensions for known file types".<br />
</li>
<li>Remove the checkmark from the setting.<br />
</li>
<li>Click on OK.<br />
</li>
</ol>
Windows 10 will display all file extensions all the time now.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Windows 11</span><br />
<ol type="1" class="mycode_list"><li>Open File Explorer on the operating system; it is pinned on the taskbar.<br />
</li>
<li>Select Menu (three-dots) and then Options.<br />
</li>
<li>Switch to the View tab in the Folder Options window.<br />
</li>
<li>Uncheck the "Hide extensions for known file types" option.<br />
</li>
<li>Select OK.<br />
</li>
</ol>
Windows 11 displays all file extensions now for all file types.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Closing Words</span><br />
<br />
The change improves the chance of spotting files that try to disguise their real type by adding a fake file extension to the filename. While that does not guarantee that users do not execute the file accidentally, it does give inexperienced users a better chance at spotting that something is wrong.<br />
<br />
Another option that may work wonders is to always execute certain files, for instance all email attachments, in <a href="https://www.ghacks.net/2018/12/19/a-first-look-at-windows-sandbox/" target="_blank" rel="noopener" class="mycode_url">sandboxes</a> or virtual machines.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You</span>: have another tip on how these attacks can be prevented?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/03/28/how-to-protect-your-windows-pc-from-the-attack-that-led-to-the-linus-tech-tips-hack/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[How To Secure Your Twitter Account Without Paying for Blue]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=18832</link>
			<pubDate>Sun, 26 Mar 2023 07:59:59 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=18832</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/03/How-To-Secure-Your-Twitter-Account-Without-Paying-for-Blue-scaled.jpg" loading="lazy"  alt="[Image: How-To-Secure-Your-Twitter-Account-Witho...scaled.jpg]" class="mycode_img" /><br />
<br />
Twitter has gotten wild over the last few months. Ever since Elon Musk took over, Twitter has not been able to stay out of the news. From data leaks to bans on third-party clients, Twitter may implode at any time. Now, Twitter has introduced another controversial rule. If you don’t pay a monthly subscription service (Twitter Blue), your two-factor authentication will be turned off by the site after 20th March. This article will help you understand how to <a href="https://www.ghacks.net/2023/03/23/how-to-secure-your-twitter-account-without-sms-based-two-factor-authentication/" target="_blank" rel="noopener" class="mycode_url">secure your account</a> without paying for the Blue subscription.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/03/How-To-Secure-Your-Twitter-Account-Without-Paying-for-Blue-02.jpg" loading="lazy"  alt="[Image: How-To-Secure-Your-Twitter-Account-Witho...lue-02.jpg]" class="mycode_img" /><br />
<br />
<span style="font-weight: bold;" class="mycode_b">What Is Two-Factor (2FA) Authentication?</span><br />
<br />
Most online accounts have implemented 2FA to protect users. The first factor is a password that the user must enter and the second factor is a random code sent to the user through an app or text. This is one of the best ways to <a href="https://en.softonic.com/articles/state-of-cybercrime" target="_blank" rel="noopener" class="mycode_url">keep hackers away</a>. However, Twitter is now taking away 2FA without a Blue subscription and we’re here to tell you how to protect your account.<br />
<br />
Without 2FA, there are other methods to authenticate your account. You can use authentication apps or use the Google Authenticator. If you’re unsure how to use this with Twitter, continue reading.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Adding An Authenticator App To Twitter</span><br />
<br />
It’s very simple to add an authenticator app to Twitter. You can try the Google Authenticator app that is free for iOS and Android users. The app generates a random code every 30 seconds and reduces the likelihood of your account being hacked. You can add as many accounts as you want to this app. However, you should remember that this works on a desktop only and not your mobile.<br />
<br />
To begin with, sign in to Twitter and go to your Profile. Click on more that will appear on the left of the screen. On the next screen, click on Settings and Support, then on Settings and Privacy, and then Security and account access. You must then click on Security and then Two Factor Authentication. You will see the authentication app box. Check the box and you will receive a pop up. <br />
<br />
Follow the on-screen instructions and then open the authenticator app that you want. Scan the code on your screen through the app. The app will then generate a code. Enter the confirmation code in the box on the screen and then press confirm. Your Twitter account will now be added to your authenticator app. You can follow these steps for any other account you want to add to the app.<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/03/25/how-to-secure-your-twitter-account-without-paying-for-blue/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/03/How-To-Secure-Your-Twitter-Account-Without-Paying-for-Blue-scaled.jpg" loading="lazy"  alt="[Image: How-To-Secure-Your-Twitter-Account-Witho...scaled.jpg]" class="mycode_img" /><br />
<br />
Twitter has gotten wild over the last few months. Ever since Elon Musk took over, Twitter has not been able to stay out of the news. From data leaks to bans on third-party clients, Twitter may implode at any time. Now, Twitter has introduced another controversial rule. If you don’t pay a monthly subscription service (Twitter Blue), your two-factor authentication will be turned off by the site after 20th March. This article will help you understand how to <a href="https://www.ghacks.net/2023/03/23/how-to-secure-your-twitter-account-without-sms-based-two-factor-authentication/" target="_blank" rel="noopener" class="mycode_url">secure your account</a> without paying for the Blue subscription.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/03/How-To-Secure-Your-Twitter-Account-Without-Paying-for-Blue-02.jpg" loading="lazy"  alt="[Image: How-To-Secure-Your-Twitter-Account-Witho...lue-02.jpg]" class="mycode_img" /><br />
<br />
<span style="font-weight: bold;" class="mycode_b">What Is Two-Factor (2FA) Authentication?</span><br />
<br />
Most online accounts have implemented 2FA to protect users. The first factor is a password that the user must enter and the second factor is a random code sent to the user through an app or text. This is one of the best ways to <a href="https://en.softonic.com/articles/state-of-cybercrime" target="_blank" rel="noopener" class="mycode_url">keep hackers away</a>. However, Twitter is now taking away 2FA without a Blue subscription and we’re here to tell you how to protect your account.<br />
<br />
Without 2FA, there are other methods to authenticate your account. You can use authentication apps or use the Google authenticator. If you’re unsure how to use this with Twitter, continue reading.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Adding An Authenticator App To Twitter</span><br />
<br />
It’s very simple to add an authenticator app to Twitter. You can try the Google Authenticator app that is free for iOS and Android users. The app generates a random code every 30 seconds and reduces the likelihood of your account being hacked. You can add as many accounts as you want to this app. However, you should remember that this works on a desktop only and not your mobile.<br />
<br />
To begin with, sign in to Twitter and go to your Profile. Click on more that will appear on the left of the screen. On the next screen, click on Settings and Support, then on Settings and Privacy, and then Security and account access. You must then click on Security and then Two Factor Authentication. You will see the authentication app box. Check the box and you will receive a pop up. <br />
<br />
Follow the on-screen instructions and then open the authenticator app that you want. Scan the code on your screen through the app. The app will then generate a code. Enter the confirmation code in the box on the screen and then press confirm. Your Twitter account will now be added to your authenticator app. You can follow these steps for any other account you want to add to the app.<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/03/25/how-to-secure-your-twitter-account-without-paying-for-blue/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Reminder: Twitter is disabling a security feature in just two weeks]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=18769</link>
			<pubDate>Sun, 05 Mar 2023 08:21:15 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=18769</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/02/twitter-protect-account.png" loading="lazy"  alt="[Image: twitter-protect-account.png]" class="mycode_img" /><br />
<br />
<a href="https://twitter.com/home" target="_blank" rel="noopener" class="mycode_url">Twitter</a> users have two weeks left to make sure that their account on the popular social messaging site remains protected with two-factor authentication (2FA).<br />
<br />
The company announced back in February that it will <a href="https://www.ghacks.net/2023/02/19/twitter-disables-sms-two-factor-authentication-for-most-users-on-march-20-2023/" target="_blank" rel="noopener" class="mycode_url">remove the SMS-based message</a> from the available options for all free users.<br />
<br />
Two-factor authentication is a security feature that adds a second authentication step to the sign-in process. Instead of just having to enter username and password to log in, users need to supply a code before the sign-in is authorized.<br />
<br />
Twitter supported three methods: SMS, authenticator application and security key. SMS, or text message, is considered an insecure method, as the code is transferred as plain text to the user's mobile device. Certain attacks may be used to intercept these codes. Additionally, these codes are never generated on the user device, but by the service itself, in this case Twitter.<br />
<br />
While Twitter's motivation behind the change may be cost-cutting more than improved security for its users, most security experts advise against text messages for two-factor authentication.<br />
<br />
The main appeal that text messages have, regardless of whether they use SMS or Email, is that it is the easiest to set up. For SMS, all a user needs to do is add a mobile phone number to the Twitter account. Email is even easier, as most services require an email address during setup.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">The two-factor authentication options on Twitter</span><br />
<br />
Free Twitter users are left with two methods for two-factor authentication on Twitter: authenticator app or security key. Authenticator app is a secure application, which users may run on their mobile devices or desktop systems, to generate codes locally. While it requires installation of an app on devices, setup is not overly complicated and codes will be generated locally on the device, which means that any attack that tries to intercept the codes fails, as these are no longer transferred from the service to the user's device.<br />
<br />
Security key requires hardware solutions, like a <a href="https://www.yubico.com/why-yubico/for-individuals/" target="_blank" rel="noopener" class="mycode_url">Yubikey</a>, which are linked to services. The physical key needs to be present and the second verification step is usually done with a tap or touch. Codes do not need to be entered.<br />
<br />
Both options are available, but security keys do come with a cost. Authenticator apps on the other hand are freely available. You can check out Ashwin's <a href="https://www.ghacks.net/2023/02/27/best-authenticator-apps-for-android-and-ios/" target="_blank" rel="noopener" class="mycode_url">list of the best authenticator apps</a>, or check out <a href="https://www.ghacks.net/2023/02/24/aegis-authenticator-open-source-google-authenticator-and-authy-alternative/" target="_blank" rel="noopener" class="mycode_url">Aegis Authenticator</a> as a starting point, which is an open source app that is on Ashwin's list.<br />
<br />
Switching from one verification method to another is not all that different from setting up two-factor authentication on Twitter for the first time. Twitter will disable the Text Message method for all free users on March 20, 2023 anyway.<br />
<br />
I have published a guide on <a href="https://www.ghacks.net/2023/02/19/twitter-disables-sms-two-factor-authentication-for-most-users-on-march-20-2023/" target="_blank" rel="noopener" class="mycode_url">setting up two-factor authentication using an authenticator app on Twitter</a>. It requires just a few steps and improves account security significantly, even compared to the text message method.<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/03/04/reminder-twitter-is-disabling-a-security-feature-in-just-two-weeks/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		</item>
		<item>
			<title><![CDATA[How to use two-factor authentication without a phone]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=18768</link>
			<pubDate>Sun, 05 Mar 2023 08:16:07 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=18768</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><img src="https://www.ghacks.net/wp-content/uploads/2023/02/twitter-two-factor-authentication-1.png" loading="lazy"  alt="[Image: twitter-two-factor-authentication-1.png]" class="mycode_img" /><br />
<br />
Two-factor authentication is a powerful security feature that improves the security of online accounts significantly when set up. It will be replaced with passkeys eventually, but this is not going to happen overnight.<br />
<br />
Two-factor authentication adds a second security layer to the sign-in process. Users receive or generate a code, which they enter on the site or in the app.<br />
<br />
Several of the most popular two-factor authentication methods require a mobile device. There is the option to receive text messages with the code or <a href="https://www.ghacks.net/2023/02/27/best-authenticator-apps-for-android-and-ios/" target="_blank" rel="noopener" class="mycode_url">authenticator apps</a>, which users need to install and set up on their mobile devices.<br />
<br />
While most Internet users do have access to a smartphone for that, there are situations where using a phone may not be an option.<ul class="mycode_list"><li>The smartphone is not available, e.g., it has been misplaced or was stolen.<br />
</li>
<li>Regulations may require "more secure" methods.<br />
</li>
</ul>
<span style="font-weight: bold;" class="mycode_b">Using 2FA without a mobile device</span><br />
<br />
There are two main options when it comes to using two-factor authentication without mobile devices. Assuming that a computer is used, as two-factor authentication without a mobile device and computer would make little sense, the following two options are available:<ul class="mycode_list"><li>Installing an authenticator app directly on the desktop computer or notebook.<br />
</li>
<li>Using a security key.<br />
</li>
</ul>
The selection of authenticator apps for desktop operating systems is limited when compared to the abundance of authenticator apps for mobile devices. Still, there are some that users may install.<br />
<br />
There is a selection of Authenticator apps <a href="https://apps.microsoft.com/store/search/authenticator?hl=en-us&amp;gl=us" target="_blank" rel="noopener" class="mycode_url">available</a> on the Microsoft Store, and several password managers, like <a href="https://bitwarden.com/help/authenticator-keys/" target="_blank" rel="noopener" class="mycode_url">Bitwarden</a>, include authenticator support, which may be used as well.<br />
<br />
Most solutions target businesses and not individual users, though.<br />
<br />
The second option that is available is provided via security keys. These are physical devices that are either connected to the device directly, e.g., via USB, or via methods such as NFC or Bluetooth.<br />
<br />
Yubico's Yubikey 5 series alone comes in several different flavors, from basic options that are connected to a device using USB to devices that support multiple connection options and work on desktop and mobile devices alike. The company has a <a href="https://www.yubico.com/quiz/" target="_blank" rel="noopener" class="mycode_url">short quiz</a> on its website that suggests a product based on a few answers.<br />
<br />
Yubico is not the only manufacturer of security key solutions. Google has its <a href="https://support.google.com/titansecuritykey/answer/9115487?hl=en" target="_blank" rel="noopener" class="mycode_url">Titan Security Keys</a>, which also come in different flavors, and <a href="https://thetis.io/products/thetis-fido-u2f-security-key" target="_blank" rel="noopener" class="mycode_url">Thetis</a> maintains a range of security key solutions as well.<br />
<br />
Security keys for individuals come at a cost, while authenticator apps are free to use. Most security keys offer more options than authenticator apps, as they may support more services and protocols besides creating one-time passwords for services.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Closing Words</span><br />
<br />
Whether a desktop authenticator app or a security key is the right choice depends on individual requirements. It depends on the operating system, the number of devices, and several other factors.<br />
<br />
If just a desktop or notebook is used, authenticator apps may be fully sufficient when it comes to two-factor authentication. Security keys are the sophisticated solution; they may be carried around and support additional protocols and options, including the ability to use them with smartphones.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You:</span> authenticator apps or security keys, which do you use and why?<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/03/04/how-to-use-two-factor-authentication-without-a-phone/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		</item>
		<item>
			<title><![CDATA[Should You Use Google Password Manager?]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=18655</link>
			<pubDate>Sat, 11 Feb 2023 07:35:52 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=18655</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite>I don't know about you, but when it comes to <a href="https://www.ghacks.net/2020/11/06/create-secure-passphrases-include-custom-characters-with-passwordgenerator/" target="_blank" rel="noopener" class="mycode_url">creating a password</a>, I like for it to be strong, secure, and unique. For years I used the same password for everything to avoid forgetting it. As tempting as it may be to use the same password for all your apps, you're always advised to have different passwords for the different apps on your devices. This is where Google password manager comes in.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/02/Should-You-Use-Google-Password-Manager-main.png" loading="lazy"  alt="[Image: Should-You-Use-Google-Password-Manager-main.png]" class="mycode_img" /><br />
<br />
Google password manager is a feature that is built into the Google account system and allows you to manage your passwords and securely store them on your device for different websites and applications. With Google password manager, your passwords will be encrypted and stored on the Google servers, so you really don't have pressure to remember them. When you sign into your Google account, the <a href="https://www.ghacks.net/2023/01/10/password-manager-keepass-2-53-released-with-password-history-improvements/?amp" target="_blank" rel="noopener" class="mycode_url">password manager</a> offers to automatically fill in your login credentials for the website and applications as long as they're saved on your Google account.<br />
<br />
This means logging in is a breeze. In addition, the password manager could also assist with generating some secure passwords while storing them securely. Remember, the pressure of remembering your password is eased with Google password manager. Stick with us as we give you the 411 on whether you should use Google password manager. <br />
<br />
<span style="font-weight: bold;" class="mycode_b">How to Safely Use Google Password Manager?</span><br />
<br />
Simplicity is the name of the game when it comes to using Google password manager. One of the things I love about having a Google account is that all important information can be attached to your account and easily accessed when you sign into your Google account. Well, the big question now could be, what if somebody gets a hold of my device and I'm already signed into my Google account? Don't worry; Google password manager has got you covered. <br />
<br />
For many years the one thing that kept me from using the password manager was the fear of storing all of my passwords in one place. Actually, using a password manager to manage passwords has been deemed safer than using a password that you can easily remember. Google password manager comes well equipped with tools such as <a href="https://www.ghacks.net/2012/10/01/gauth-authenticator-use-google-2-step-authentication-without-mobile-phone/" target="_blank" rel="noopener" class="mycode_url">two-factor authentication</a> that prevents anyone from accessing your Google account on a new device even though they have your password.<br />
<br />
If you aren't sure how to access your Google password manager, here we go:<br />
<ol type="1" class="mycode_list"><li>Sign into your Google account. <br />
</li>
<li>Access the password manager by clicking the Security tab.<br />
</li>
<li>Here you can view all the accounts with saved passwords. You’ll get access either to add a new password and edit or delete an old password. Remember you have the automatic generator to assist with that. <br />
</li>
</ol>
<img src="https://www.ghacks.net/wp-content/uploads/2023/02/Should-You-Use-Google-Password-Manager-2.png" loading="lazy"  alt="[Image: Should-You-Use-Google-Password-Manager-2.png]" class="mycode_img" /><br />
The only negatives I drew from using Google password manager were that: <ul class="mycode_list"><li>It lacks a few features when compared with other password managers such as <a href="https://google.en.softonic.com/articles/top-5-google-chrome-extensions" target="_blank" rel="noopener" class="mycode_url">Dashlane</a> and 1Password.<br />
</li>
<li>You also have to be careful if you leave your computer unattended, although most password managers can be automatically set to sign out after a certain amount of time when your computer sleeps or is locked.<br />
</li>
</ul>
So, to answer the golden question: yes, you can use Google password manager. Just remember to use the security features.<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/02/10/should-you-use-google-password-manager/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		</item>
		<item>
			<title><![CDATA[Improve KeePass security with this simple configuration change]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=18634</link>
			<pubDate>Sun, 05 Feb 2023 09:34:50 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=18634</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite>KeePass, like many other password managers, relies on a primary password that protects the entire database of passwords and information. If an attacker manages to obtain that single password, all other passwords and information are unlocked.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/01/keepass.jpg" loading="lazy"  alt="[Image: keepass.jpg]" class="mycode_img" /><br />
<br />
The password manager stores its database locally, which means that users do not have to worry about server breaches that steal password vaults, like the recent LastPass incident. Some KeePass users host their password files in the cloud, which opens up the possibility of the password database being copied again through server-side attacks.<br />
<br />
Brute force attacks are still very common when it comes to cracking encrypted password databases. Most attackers use dictionaries for that, which contain hundreds of thousands or even millions of common passwords. Real brute force attacks are expensive, as every combination of characters needs to be tested.<br />
<br />
Considering that passwords may consist of uppercase and lowercase letters, digits and symbols, this soon gets way too expensive in most cases.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Increasing KeePass security</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/02/keepass-change-password-masterkey.png" loading="lazy"  alt="[Image: keepass-change-password-masterkey.png]" class="mycode_img" /><br />
<br />
The primary key that unlocks the KeePass database is of utmost importance. If it is weak, chances are high that a potential attacker may be able to brute force or even guess it.<br />
<br />
KeePass users have two main options at their disposal to increase the security of the account. The first is the master password itself. Increasing the length of the password improves the security exponentially.<br />
<br />
While that means having to memorize a new password, it is the best option to improve the security of the password database.<br />
<br />
To do so in KeePass Password Safe, unlock the password database with the master password and select File &gt; Change Master Key using the menu at the top.<br />
Type the new primary password in the master password and repeat password fields and select OK to complete the process.<br />
<br />
Note that it needs to be longer than the old one to improve security. Also, using a combination of letters, digits and symbols is recommended.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">The Key Derivation settings</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/02/keepass-key-derivation.png" loading="lazy"  alt="[Image: keepass-key-derivation.png]" class="mycode_img" /><br />
<br />
The second option that KeePass users have is to change the key derivation function and make changes to its number of iterations.<br />
<br />
KeePass supports several, including Argon2d, Argon2id and the classic AES-KDF.<br />
<br />
If AES-KDF is selected, KeePass users may either want to increase the number of iterations from the default 60,000 to a higher value, or switch the function to Argon2d instead.<br />
<br />
Higher iterations extend the time it takes to enter the password linearly. While that may add a small delay to the user's own opening of the password database, it makes brute forcing attacks more expensive as it takes longer to test each password.<br />
<br />
Select File &gt; Database Settings and then Security to display the current configuration of the database that is open in KeePass.<br />
<br />
The key derivation function lists the function that is used. AES-KDF displays just the number of iterations below, which users may want to increase to 600,000.<br />
<br />
KeePass users may also switch to using Argon2d instead, which promises even better protection against brute force attacks.<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/02/05/improve-keepass-security-with-this-simple-configuration-change/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite>KeePass, like many other password managers, relies on a primary password that protects the entire database of passwords and information. If an attacker manages to obtain that single password, all other passwords and information are unlocked.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/01/keepass.jpg" loading="lazy"  alt="[Image: keepass.jpg]" class="mycode_img" /><br />
<br />
The password manager stores its database locally, which means that users do not have to worry about server breaches that steal password vaults, like the recent LastPass incident. Some KeePass users host their password files in the cloud, which opens up the possibility of the password database being copied again through server-side attacks.<br />
<br />
Brute force attacks are still very common when it comes to cracking encrypted password databases. Most attackers use dictionaries for that, which contain hundreds of thousands or even millions of common passwords. Real brute force attacks are expensive, as every combination of characters needs to be tested.<br />
<br />
Considering that passwords may consist of uppercase and lowercase letters, digits and symbols, this soon gets way too expensive in most cases.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Increasing KeePass security</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/02/keepass-change-password-masterkey.png" loading="lazy"  alt="[Image: keepass-change-password-masterkey.png]" class="mycode_img" /><br />
<br />
The primary key that unlocks the KeePass database is of utmost importance. If it is weak, chances are high that a potential attacker may be able to brute force or even guess it.<br />
<br />
KeePass users have two main options at their disposal to increase the security of the account. The first is the master password itself. Increasing the length of the password improves the security exponentially.<br />
<br />
While that means having to memorize a new password, it is the best option to improve the security of the password database.<br />
<br />
To do so in KeePass Password Safe, unlock the password database with the master password and select File &gt; Change Master Key using the menu at the top.<br />
Type the new primary password in the master password and repeat password fields and select OK to complete the process.<br />
<br />
Note that it needs to be longer than the old one to improve security. Also, using a combination of letters, digits and symbols is recommended.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">The Key Derivation settings</span><br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2023/02/keepass-key-derivation.png" loading="lazy"  alt="[Image: keepass-key-derivation.png]" class="mycode_img" /><br />
<br />
The second option that KeePass users have is to change the key derivation function and make changes to its number of iterations.<br />
<br />
KeePass supports several, including Argon2d, Argon2id and the classic AES-KDF.<br />
<br />
If AES-KDF is selected, KeePass users may either want to increase the number of iterations from the default 60,000 to a higher value, or switch the function to Argon2d instead.<br />
<br />
Higher iterations extend the time it takes to enter the password linearly. While that may add a small delay to the user's own opening of the password database, it makes brute forcing attacks more expensive as it takes longer to test each password.<br />
<br />
Select File &gt; Database Settings and then Security to display the current configuration of the database that is open in KeePass.<br />
<br />
The key derivation function lists the function that is used. AES-KDF displays just the number of iterations below, which users may want to increase to 600,000.<br />
<br />
KeePass users may also switch to using Argon2d instead, which promises even better protection against brute force attacks.<br />
...</blockquote>
<a href="https://www.ghacks.net/2023/02/05/improve-keepass-security-with-this-simple-configuration-change/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[First look at NordVPN's Threat Protection feature]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=17235</link>
			<pubDate>Sun, 01 May 2022 17:49:10 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=17235</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><a href="https://www.ghacks.net/2021/07/23/nordvpn-review-how-good-is-the-vpn-service/" target="_blank" rel="noopener" class="mycode_url">NordVPN is a popular VPN provider</a>. The company releases new features for its VPN clients regularly, and one of the latest features that it introduced is Threat Protection.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2022/04/nordvpn-threat-protection.png" loading="lazy"  alt="[Image: nordvpn-threat-protection.png]" class="mycode_img" /><br />
<br />
Threat Protection is a beta feature right now. The client may notify customers of the feature, but it is turned off by default. A click on the Shield icon in the NordVPN client displays the available options.<br />
<br />
Threat Protection blocks "ads, trackers, malicious websites and files" according to NordVPN; this is a core difference to the previously supported CyberSec feature of the NordVPN client, which blocked ads and malicious websites only using DNS filtering.<br />
<br />
The CyberSec preference is no longer available under General in the Settings, and some customers may wonder whether it has been removed completely in favor of Threat Protection.<br />
<br />
It appears that NordVPN moved the feature to the Threat Protection preferences page. There, users find two options that they may enable: the full Threat Protection feature, or a Lite version; the description of the Lite version sounds similar to what CyberSec offered.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2022/04/thread-protection-turn-on.png" loading="lazy"  alt="[Image: thread-protection-turn-on.png]" class="mycode_img" /><br />
<br />
The full Threat Protection feature goes beyond the blocking of resources on the DNS level. It blocks ads and tracking on the web, but also malicious websites and files:<br />
 <br />
<blockquote class="mycode_quote"><cite>Quote:</cite>Block malware-ridden websites -- browse without a fear of accidentally catching malware.<br />
Avoid malicious ads -- elevate your browsing experience and enjoy a cleaner web.<br />
Stop web tracking -- experience a whole next level of privacy.<br />
Protect your device from infected files -- get rid of malicious files before they do damage.</blockquote>
<br />
According to NordVPN's description on its website, Threat Protection protects a user's browsers even without active VPN connections. NordVPN achieves this by installing certificates in the browsers. The current version supports Chrome, Safari, Edge and Firefox. For Firefox, it is necessary to restart the browser before it can be used after the certificate has been installed.<br />
<br />
The installation of certificates gives NordVPN a high level of control of the supported browsers and activity.<br />
<br />
Threat Protection will scan executable files that do get downloaded automatically. These may be uploaded to the cloud for checking, but only if they have a size of 20 Megabytes or less.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Closing Words</span><br />
<br />
Threat Protection is a beta feature at the time of writing. NordVPN needs to provide additional information on the inner workings of the feature, as the two setup pages in the client and the informational page on the NordVPN website lack details, for instance, whether it is using its own scanning capabilities for uploaded files or using third-party services.<br />
<br />
The client does not explain how Threat Protection is installed, only what it does once it is enabled. Installing certificates in browsers gives NordVPN a lot of control over data in the browser, and users should at least be aware of this before they hit the turn on button in the interface.<br />
<br />
Most NordVPN customers may want to stick with the lite mode feature, or keep everything disabled in the client and use other solutions, e.g., content blockers such as uBlock Origin and antivirus solutions, to keep their devices secure.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You:</span> Would you use Threat Protection on your devices?<br />
...</blockquote>
<a href="https://www.ghacks.net/2022/04/30/first-look-at-nordvpns-threat-protection-feature/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><a href="https://www.ghacks.net/2021/07/23/nordvpn-review-how-good-is-the-vpn-service/" target="_blank" rel="noopener" class="mycode_url">NordVPN is a popular VPN provider</a>. The company releases new features for its VPN clients regularly, and one of the latest features that it introduced is Threat Protection.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2022/04/nordvpn-threat-protection.png" loading="lazy"  alt="[Image: nordvpn-threat-protection.png]" class="mycode_img" /><br />
<br />
Threat Protection is a beta feature right now. The client may notify customers of the feature, but it is turned off by default. A click on the Shield icon in the NordVPN client displays the available options.<br />
<br />
Threat Protection blocks "ads, trackers, malicious websites and files" according to NordVPN; this is a core difference to the previously supported CyberSec feature of the NordVPN client, which blocked ads and malicious websites only using DNS filtering.<br />
<br />
The CyberSec preference is no longer available under General in the Settings, and some customers may wonder whether it has been removed completely in favor of Threat Protection.<br />
<br />
It appears that NordVPN moved the feature to the Threat Protection preferences page. There, users find two options that they may enable: the full Threat Protection feature, or a Lite version; the description of the Lite version sounds similar to what CyberSec offered.<br />
<br />
<img src="https://www.ghacks.net/wp-content/uploads/2022/04/thread-protection-turn-on.png" loading="lazy"  alt="[Image: thread-protection-turn-on.png]" class="mycode_img" /><br />
<br />
The full Threat Protection feature goes beyond the blocking of resources on the DNS level. It blocks ads and tracking on the web, but also malicious websites and files:<br />
 <br />
<blockquote class="mycode_quote"><cite>Quote:</cite>Block malware-ridden websites -- browse without a fear of accidentally catching malware.<br />
Avoid malicious ads -- elevate your browsing experience and enjoy a cleaner web.<br />
Stop web tracking -- experience a whole next level of privacy.<br />
Protect your device from infected files -- get rid of malicious files before they do damage.</blockquote>
<br />
According to NordVPN's description on its website, Threat Protection protects a user's browsers even without active VPN connections. NordVPN achieves this by installing certificates in the browsers. The current version supports Chrome, Safari, Edge and Firefox. For Firefox, it is necessary to restart the browser before it can be used after the certificate has been installed.<br />
<br />
The installation of certificates gives NordVPN a high level of control of the supported browsers and activity.<br />
<br />
Threat Protection will scan executable files that do get downloaded automatically. These may be uploaded to the cloud for checking, but only if they have a size of 20 Megabytes or less.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Closing Words</span><br />
<br />
Threat Protection is a beta feature at the time of writing. NordVPN needs to provide additional information on the inner workings of the feature, as the two setup pages in the client and the informational page on the NordVPN website lack details, for instance, whether it is using its own scanning capabilities for uploaded files or using third-party services.<br />
<br />
The client does not explain how Threat Protection is installed, only what it does once it is enabled. Installing certificates in browsers gives NordVPN a lot of control over data in the browser, and users should at least be aware of this before they hit the turn on button in the interface.<br />
<br />
Most NordVPN customers may want to stick with the lite mode feature, or keep everything disabled in the client and use other solutions, e.g., content blockers such as uBlock Origin and antivirus solutions, to keep their devices secure.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Now You:</span> Would you use Threat Protection on your devices?<br />
...</blockquote>
<a href="https://www.ghacks.net/2022/04/30/first-look-at-nordvpns-threat-protection-feature/" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
	</channel>
</rss>