According to Check Point, whose analysts discovered the malicious extensions and reported them to Microsoft, the malware enabled the threat actors to steal credentials, system information, and establish a remote shell on the victim's machine.

The extensions were discovered and reported on May 4, 2023, and they were subsequently removed from the VSCode marketplace on May 14, 2023.

However, any software developers still using the malicious extensions must manually remove them from their systems and run a complete scan to detect any remnants of the infection.

Malicious cases on the VSCode Marketplace

Visual Studio Code (VSC) is a source-code editor published by Microsoft and used by a significant percentage of professional software developers worldwide.

Microsoft also operates an extensions market for the IDE called the VSCode Marketplace, which offers over 50,000 add-ons that extend the application's functionality and provide more customization options.

The malicious extensions discovered by Check Point researchers are the following:

'Theme Darcula dark' – Described as "an attempt to improve Dracula colors consistency on VS Code," this extension was used to steal basic information about the developer's system, including hostname, operating system, CPU platform, total memory, and information about the CPU.

 

While the extension did not contain other malicious activity, it is not typical behavior associated with a theme pack.

 

This extension had the most circulation by far, downloaded over 45,000 times.

 

Darcula extension on the VSCode Marketplace (Check Point)

 

'python-vscode' – This extension was downloaded 1,384 times despite its empty description and uploader name of 'testUseracc1111,' showcasing that having a good name is enough to garner some interest. 

 

Analysis of its code showed that it is a C# shell injector that can execute code or commands on the victim's machine.

 

Obfuscated C# code injector (Check Point)

 

'prettiest java' – Based on the extension's name and description, it was likely created to mimic the popular 'prettier-java' code formatting tool.

 

In reality, it stole saved credentials or authentication tokens from Discord and Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser, which were then sent to the attackers over a Discord webhook.

 

The extension has had 278 installations.

 

Searching for local secrets (Check Point)

 

Check Point also found multiple suspicious extensions, which could not be characterized as malicious with certainty, but demonstrated unsafe behavior, such as fetching code from private repositories or downloading files.

Software repositories come with risk

Software repositories allowing user contributions, such as NPM and PyPi, have proven time and time again to be risky to use as they have become a popular target for threat actors.

While VSCode Marketplace is just starting to be targeted, AquaSec demonstrated in January that it was fairly easy to upload malicious extensions to the VSCode Marketplace and presented some highly suspicious cases. However, they were not able to find any malware.

The cases discovered by Check Point demonstrate that threat actors are now actively attempting to infect Windows developers with malicious submissions, precisely like they do in other software repositories such as the NPM and PyPI.

Users of the VSCode Marketplace, and all user-supported repositories, are advised to only install extensions from trusted publishers with many downloads and community ratings, read user reviews, and always inspect the extension's source code before installing it.

Source

LSA Protection helps safeguard Windows users from credential theft attempts by thwarting LSASS process memory dumping and the injection of untrusted code into the LSASS.exe process, which would otherwise allow the extraction of sensitive information.

Microsoft acknowledged the issue on March 21, after widespread user reports regarding Windows 11 systems warning that LSA protection was off. However, it was being shown in the settings user interface as being toggled on.

Redmond says the persistent restart alerts triggered by this known issue will only appear on Windows 11 21H2 and 22H2 systems.

A subsequent Microsoft Defender update issued weeks later replaced the LSA Protection feature's user interface setting with a new feature called Kernel-mode Hardware-enforced Stack Protection. Unfortunately, Microsoft has not documented this change, leading to user confusion.

"LSA Protection has not been removed – it is still built in and on by default on Windows 11 machines. In the latest Windows Insider Preview, there was an update that changed the appearance of the user interface (UI) for this feature," Microsoft told BleepingComputer, mistakenly saying it was only in Windows 11 Insider builds when it was already available in Windows 11 22H2.

One week later, on April 26, Redmond announced they fixed the LSA Protection UI issue, however, this was just done by removing the setting in the KB5007651 Defender update to ensure that the confusing alerts would no longer be displayed in the Windows Settings app.

Defender update causing blue screens and random reboots

Today, Redmond revealed that it decided to stop pushing the KB5007651 Defender update due to blue screens or unexpected system restarts when gaming affecting Windows 11 systems where the Defender update was deployed.

"This known issue was previously resolved with an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001) but issues were found, and that update is no longer being offered to devices," Microsoft said.

"If you have installed Version 1.0.2303.27001 and receive an error with a blue screen, or if your device restarts when attempting to open some games or apps, you will need to disable Kernel-mode Hardware-enforced Stack Protection."

To disable Kernel-mode HSP, you will have to go to Device Security > Core Isolation in the Windows Security app and toggle the "Kernel-mode Hardware-enforced Stack Protection" feature.

However, Microsoft doesn'tdoesn't provide any information on what affected users who already installed KB5007651 should do to address the system restarts and blue screens caused by this buggy Defender update other than to disable the Kernel-mode Hardware-enforced Stack Protection feature.

Some of the conflicting game anti-cheat drivers causing Windows crashes or conflicts when Kernel-mode HSP is enabled include PUBG, Valorant (Riot Vanguard), Bloodhunt, Destiny 2, Genshin Impact, Phantasy Star Online 2 (Game Guard), and Dayz.

Workaround available until a fix is released

Microsoft says it'sit's working on another fix for the relentless LSA Protection warnings affecting Windows 11 systems and will provide more details as soon as possible.

Redmond also shared a workaround for customers who haven't installed KB5007651 and are still seeing restart warnings, asking them to ignore the reboot notifications.

"If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart," the company says.

You can check if the feature is enabled on your computer using the Windows Event Viewer by looking for a Wininit event saying that "LSASS.exe was started as a protected process with level:4," indicating that the process is isolated and protected by LSA Protection.

While BleepingComputer has previously reported that these warnings can be prevented by adding two registry entries, Microsoft does "not recommend any other workaround for this issue."

Two months ago, Microsoft announced that LSA Protection would be enabled default for Windows 11 Insiders in the Canary channel if their systems passed an incompatibility audit check.

A confusing mess

Microsoft continues to confusingly discuss Kernel-mode Hardware-enforced Stack Protection in troubleshooting steps regarding LSA Protection.

In the past, Microsoft specifically told BleepingComputer that the two features are unrelated, yet they continue to conflate the two features in support bulletins.

"LSA and Kernel-mode hardware-enforced stack protection are separate settings. In the latest Windows Insider Preview build, the kernel-mode HSP setting was added. It is not a replacement for LSA protection," Microsoft told BleepingComputer.

However, even this information is incorrect, as Kernel-mode HSP is in production builds already and not just Windows Insider previews, causing even more confusion.

Microsoft has still not released any official documentation on Kernel-mode Hardware-enforced Stack Protection, although it's been available in Windows 11 for almost a month.

Source

Windows 11 users may get a "Local Security protection is off. Your device may be vulnerable" security warning or notification on their devices after installing the Update for Microsoft Defender Antivirus antimalware platform (KB5007651).

Enabling of the feature on the Windows 11 device removed the notifications, but it might lead to persistent prompts to restart the operating system.

Microsoft published an update for Microsoft Defender Antivirus, which increased the build of the security tool to 1.0.2303.27001. The company admits now that this update was also causing issues, but did not go into details regarding these issues. They appear to have been serious, as Microsoft pulled the update so that it is not offered anymore to Windows 11 devices.

This meant, that systems would once again face the issues regarding the Local Security Authority protection. The original workaround, released in March 2021, is still the only recommended solution by Microsoft. The company notes: "If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart. "

Windows devices with the new Microsoft Defender Antivirus antimalware platform update installed, the one that Microsoft pulled, may receive blue screen errors or automatic restarts of the system when certain games or apps are opened.

Microsoft recommends that administrators disable the Kernel-mode Hardware-enforced Stack Protection feature of the operating system. Administrators find the option under Start > Settings > Privacy & Security > Windows Security > Device Security > Core Isolation > Kernel-mode Hardware-enforced Stack Protection.

Another workaround that should resolve these issues is to uninstall the latest Microsoft Defender Antivirus update on the device.

Microsoft continues to work on a resolution for the issue and plans to release an update "in an upcoming release".

Source

A data breach has leaked 237,000 federal government workers' personal information, who are related to the United States Department of Transportation (USDOT). According to Reuters, the data breach didn't affect any safety measures of the transportation system, but it also didn't reveal the group or the person behind this cyberattack.

The United States Department of Transportation has begun an investigation into the hack and has stopped access to the transit benefit system until it is secured and restored, according to the agency. In an email obtained by Reuters on Friday, the USDOT informed Congress that its first investigation into the data breach had "isolated the breach to certain systems at the department used for administrative functions, such as employee transit benefits processing."

USDOT didn't mention what data was stolen, whether there was enough to launch identity theft attacks, or whether any payment information was exposed. We also don't know if the stolen data was already used to perform malicious activities.

"The maximum benefit allowance is $280 per month for federal employee mass transit commuting costs. The breach impacted 114,000 current employees and 123,000 former employees," said Reuters.

The United States Department of Transportation (USDOT)

Data breaches increased recently

This is the third big data breach this week. Recently, Intel revealed that its systems also got affected after MSI got hacked a while ago. Around two months ago, the Money Message gang targeted MSI and stole sensitive information, including the firmware source code of MSI motherboards. Other organizations were also impacted by the attack, including Intel, which discovered a leak of Boot Guard keys.

After that, Toyota unveiled the shocking truth. Toyota Japan reported that the personal and car information of 2.15 million customers was released on the internet because of a cloud misconfiguration. Furthermore, the information has been available on the internet for almost a decade, but the corporation only recently found it in April.

Source

Apple makes sure transactions and shopping on the App Store is safe and smooth with its anti-fraud measures. According to a Newsroom post by the company, these measures have helped prevent over $2 billion worth of "potentially fraudulent transactions" in 2022 and also rejected nearly 1.7 million app submissions for failing to meet "the App Store’s high standards for privacy, security, and content." Apple's blog post talks about the security benefits of both the App Store and Apple Pay.

The Cupertino-based company started with precautions taken against account fraud. According to the blog post, Apple "rooted out 428,000 developer accounts and 282 million customer accounts for fraud and abuse last year. Over the years, the systems were improved to detect fraudulent activities easily, and thanks to that, 802,000 developer accounts were terminated in 2021. Last year, that number went down to 428,000 because of Apple's latest measures to keep the community safe. The company has also rejected the enrollments of 15,000 Apple Developer Program candidates.

App Store's safety check methods have helped to reject nearly 1.7 million app submissions. Nearly 400,000 app submissions rejected for privacy violations, over 153,000 were rejected for spam, copycats, or misleading users, and almost 29,000 of them were contained hidden or undocumented features. Besides, over 1 billion ratings and reviews were processed, and more than 147 million of them were blocked and reviewed.

The company added that it "blocked a record $2 billion in fraudulent transactions in 2022, banning 714,000 fraudulent accounts from transacting again." There were nearly 3.9 million stolen credit cards blocked from being used, 714,000 accounts were banned from transacting again, and more than $2 billion in potentially fraudulent transactions were prevented.

Apple

App Store is a popular app

The company also said that the App Store has over 650 million average weekly visitors worldwide. There are more than 36 million registered Apple developers, and the company's global distribution ecosystem supports over 195 local payment methods and 44 currencies.

"Apple’s work to keep the App Store a safe and trusted place for users and developers is never done. As bad actors evolve their dishonest tactics and methods of deception, Apple supplements its antifraud initiatives with feedback gleaned from a myriad of channels — from news stories to social media to AppleCare calls — and will continue to develop new approaches and tools designed to prevent fraud from harming App Store users and developers," the company said.

Source

However, Microsoft may have been too quick to close the bug report. Neowin forum member kiddingguy, among others, noticed that the problem continued to persist even after they installed the latest Patch Tuesday. In fact, the latest update also apparently has other bugs according to various user reports online.

Image via kiddingguy (Neowin forum)

Microsoft has hence been forced to re-open the issue on its Windows Health dashboard. A new section has been updated that says affected users will need to use the workaround previously published.

The Redmond company has also recommended disabling kernel-mode hardware-enforced Stack protection in case users were encountering blue screen or system restarts.

Updated May 16, 2023: This known issue was previously resolved with an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001) but issues were found, and that update is no longer being offered to devices.

If you encounter this issue, you will need to use the above workaround until the issue is resolved. If you have installed Version 1.0.2303.27001 and receive an error with a blue screen or if your device restarts when attempting to open some games or apps, you will need to disable Kernel-mode Hardware-enforced Stack Protection. To do this, select the Start button, type Windows Security and select it, select Device Security then select Core Isolation then disable Kernel-mode Hardware-enforced Stack Protection.

You may find more details on Microsoft's official Windows health dashboard site.

Microsoft admits it couldn't really fix Windows 11 Security and Defender LSA issues

Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses.

The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs.

While the ZIP and MOV TLDs have been available since 2014, it wasn't until this month that they became generally available, allowing anyone to purchase a domain, like bleepingcomputer.zip, for a website.

However, these domains could be perceived as risky as the TLDs are also extensions of files commonly shared in forum posts, messages, and online discussions, which will now be automatically converted into URLs by some online platforms or applications.

The concern

Two common file types seen online are ZIP archives and MPEG 4 videos, whose file names end in .zip (ZIP archive) or .mov (video file).

Therefore, it's very common for people to post instructions containing filenames with the .zip and .mov extensions.

However, now that they are TLDs, some messaging platforms and social media sites will automatically convert file names with .zip and .mov extensions into URLs.

For example, on Twitter, if you send someone instructions on opening a zip file and accessing a MOV file, the innocuous filenames are converted into an URL, as shown below.

When people see URLs in instructions, they commonly think that the URL can be used to download the associated file and may click on the link. For example, linking filenames to downloads is how we usually provide instructions on BleepingComputer in our articles, tutorials, and discussion forums.

However, if a threat actor owned a .zip domain with the same name as a linkified filename, a person may mistakenly visit the site and fall for a phishing scam or download malware, thinking the URL is safe because it came from a trusted source.

While it's very unlikely that threat actors will register thousands of domains to capture a few victims, you only need one corporate employee to mistakenly install malware for an entire network to be affected.

Abuse of these domains is not theoretical, with cyber intel firm Silent Push Labs already discovering what appears to be a phishing page at microsoft-office[.]zip attempting to steal Microsoft Account credentials.

Cybersecurity researchers have also started to play with the domains, with Bobby Rauch publishing research on developing convincing phishing links using Unicode characters and the userinfo delimiter (@) in URLs.

Rauch's research shows how threat actors can make phishing URLs that look like legitimate file download URLs at GitHub but actually take you to a website at v1.27.1[.]zip when clicked, as illustrated below.

https://github.com/kubernetes/kubernetes/archive/refs/tags/@v1.27.1.zip

Conflicting opinions

These developments have sparked a debate among developers, security researchers, and IT admins, with some feeling the fears are not warranted and others feeling that the ZIP and MOV TLDs add unnecessary risk to an already risky online environment.

People have begun registering .zip domains that are associated with common ZIP archives, such as update.zip, financialstatement.zip, setup.zip, attachment.zip, officeupdate.zip, and backup.zip, to display information about the risks of ZIP domains, to RickRoll you, or to share harmless information.

Open source developer Matt Holt also requested that the ZIP TLD be removed from Mozilla's Public Suffix List, a list of all public top-level domains to be incorporated in applications and browsers.

However, the PSL community quickly explained that while there may be a slight risk associated with these TLDs, they are still valid and should not be removed from the PSL as it would affect the operation of legitimate sites.

"Removing existing TLDs from the PSL for this reason would just be wrong. This list is used for many different reasons, and just because these entries are bad for one very specific use-case, they are still needed for (almost) all others," explained software engineer Felix Fontein.

"These are legit TLDs in the ICP3 root. This will not proceed," further shared PSL maintainer Jothan Frakes.

"Really, the expressed concerns are more of a glaring example of a disconnect between the developer and security community and domain name governance, where they would benefit from more engagement within ICANN."

At the same time, other security researchers and developers have expressed that they believe the fears regarding these new domains are overblown.

When BleepingComputer contacted Google about these concerns, they said that the risk of confusion between file and domain names is not new, and browser mitigations are in place to protect users from abuse.

"The risk of confusion between domain names and file names is not a new one.  For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows.  Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLD’s such as .zip. 

At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip.  Google takes phishing and malware seriously and Google Registry has existing mechanisms to suspend or remove malicious domains across all of our TLDs, including .zip.  We will continue to monitor the usage of .zip and other TLDs and if new threats emerge we will take appropriate action to protect users." - Google.

What should you do?

The reality is that you do not need to do anything extra than you are already doing to protect yourself from phishing sites.

As everyone should already know, it is never safe to click on links from people or download files from sites you do not trust.

Like any link, if you see a .zip or .mov link in a message, research it before clicking on it. If you are still unsure if the link is safe, do not click on it.

By following these simple steps, the impact of the new TLDs will be minimal and not significantly increase your risk.

However, the exposure to these links will likely increase as more applications automatically turn ZIP and MOV filenames into links, giving you one more thing to be careful about when online.

New ZIP domains spark debate among cybersecurity experts

Business is very good for affiliates of the Qilin ransomware-as-a-service (RaaS) group, which is very bad for the rest of us.

Researchers with cybersecurity firm Group-IB infiltrated the Qilin gang in March and this week analyzed its operations in a report that detailed its inner workings and the economic model that keeps it churning.

That model mirrors those of other RaaS groups and illustrates why slowing the ransomware scourge is so hard - affiliates who help to spread the evil code make lots of money.

According to Group-IB's report, Qilin affiliates – those who pay to use Qilin's ransomware for their own attacks – can take home 80 percent of the ransom paid (if the ransom paid is $3 million or less). For ransoms over $3 million an affiliate's cut can rise to 85 percent.

That's a good payoff for miscreants who don't have to develop their own ransomware and can instead concentrate on finding victims. It also explains why ransomware and RaaS remain prevalent.

"The financial mechanics of ransomware-as-a-service uncover a chilling truth about today's digital peril environment," Craig Jones, vice president of security operations at managed detection and response provider Ontinue, told The Register. "Astoundingly high profit margins, epitomized by the 80 to 85 percent share pocketed by Qilin affiliates, spawn a prosperous underworld of cybercrime, exploiting the weak points in global enterprises."

The money will continue to flow

The industry should expect those high payouts to continue, according to Heath Renfrow, co-founder of disaster recovery and restoration service Fenix24.

"We are seeing RaaS affiliate actors getting paid higher shares of the ransoms than previously," Renfrow told The Register, noting that these days, the high cut for Qilin affiliates is not unusual. "The BlackCat ransomware affiliates have also allegedly been earning 80 to 90 percent of the take versus 65 to 75 percent for affiliates in years prior."

RaaS came on the scene several years ago and boosted the flourishing ransomware scene. A previous report by Group-IB found that in 2020, almost two-thirds of ransomware attacks it analyzed involved organizations with RaaS models.

Ransomware-flinging affiliates are often large organizations with upwards of 100 employees, among them developers, managers, negotiators, and other staff. Some affiliates are among the world's more notorious threat groups, such as LockBit, BlackCat, Hive, and BlackBasta, according to Malwarebytes.

Ransomware developers' affiliate operations resemble legitimate SaaS models. The organizations sell or rent their RaaS kits to affiliates who use it to carry out their own attacks. The RaaS groups also offer other services, such as support, bundled offers, reviews, and forums, CrowdStrike wrote in a report.

The affiliates are responsible for gaining access to target organizations and running the attacks. They pay from tens to thousands of dollars for the RaaS kits, which is a good deal given that the average ransom demand in 2021 was $6 million, according to CrowdStrike.

Varying revenue models

RaaS revenue models include monthly flat fee subscriptions, one-time license fees with no profit sharing, or pure profit sharing.

For affiliates, the RaaS model lowers the barrier to entry, enabling players with little coding experience to deploy the malware. Matthew Psencik, director of endpoint security at converged endpoint management vendor Tanium, told The Register that some affiliates pay as little as $40 a month for access to the attack code.

While RaaS operators could find their own targets and keep all of a ransom, their affiliates give them useful cover, Fenix24's Renfrow said.

"It is difficult to attribute the activity [of an affiliate] to a specific country of origin, so it's similarly difficult to place this activity on a 'do not pay' prohibition list," he said. "By offering higher cuts of the pie, these [RaaS] organizations can both evade the payment bans and inspire more criminals to start new affiliates, adding to larger overall profits."

Qilin gives a view into the RaaS world

Group-IB's report on Qilin – also known as Agenda – explains that the group has operated since at least August 2022. It initially preferred to code in Go, but recently adopted the Rust programming language.

Rust is increasingly popular among cybercriminals because it's more difficult to analyze and detect and it's easier to customize to particular operating systems.

Like many groups, Qilin uses double-extortion by both encrypting a victim's data and stealing it, then demanding payment for a decryptor as well as not leaking the data. Phishing schemes are the group's usual point of entry, allowing its operatives to move laterally through victim networks searching for data.

The group advertises its malware on the dark web and has its own dedicated leak site that includes company IDs and leaked account details, according to Group-IB's researchers.

Affiliates who use that portal see an administrative panel for managing attacks that includes a dashboard for everything from targets to payments to changing passwords as well as blogs and an FAQ.

How to slow down ransomware attacks?

Cybersecurity experts and governments around the world are using many tactics to reduce the number of ransomware attacks, from improving security to cutting off the money.

The US, along with other countries, is reportedly debating whether to ban ransom payments outright in hopes of choking the profits of operators. At present, the US advises against paying ransoms.

However, the idea of a ban raises concerns that those who fall victim to ransomware would not report their plight to authorities to avoid punishments if they decide to pay the extortion fee.

In the meantime, ransomware attacks will continue, with the RaaS market, the growing numbers of affiliate programs, and the publication of stolen data on leak sites as a threat being key drivers, the Group-IB researchers wrote.

"Additionally, ransomware strains are proliferating quicker than the improves in cyber defenses to detect and contain them, rendering organizations underprepared in facing what's coming," they wrote. ®

Source

In its statement, the Treasury Department launched a blistering attack on Russia, calling the country “a haven for ransomware actors, enabling cybercriminals like Matveev”. It said that Hive, LockBit, and Babuk were all Russia-linked ransomware variants that Matveev helped to develop and deploy and have collectively been responsible for the loss of millions of dollars. Hive, it said, targeted more than 1,500 victims in over 80 countries. Targets included hospitals, school districts, financial firms, and other critical infrastructure.

“The United States will not tolerate ransomware attacks against our people and our institutions,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Ransomware actors like Matveev will be held accountable for their crimes, and we will continue to use all available authorities and tools to defend against cyber threats.”

As a result of the sanctions placed on Matveev, “all property and interests in property of the designated individual that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC.” Also, anyone who engages in certain transactions with Matveev may also face sanctions from the Treasury Department, it said.

Source

In the summer of 2016, WhatsApp made an unprecedented change. The Meta-owned company turned on end-to-end encryption by default for all of the billion-plus people using it—becoming, in the process, the world's largest encrypted messenger. Since then, that number has topped 2 billion.

Being end-to-end encrypted by default means nobody at Meta can read, or mine data from, the content of the messages you send. All texts, photos, videos, voice messages, documents, status updates, and calls are encrypted on WhatsApp, and only the people you send them to can access them. Devices decoding encrypted content must verify and exchange security codes as messages are transferred.

The encryption that WhatsApp uses was originally developed by Open Whisper Systems, the group behind the encrypted messaging app rival Signal. In recent years, WhatsApp has introduced additional privacy and security features you can turn on. But even though WhatsApp’s end-to-end encryption does protect your communications, that doesn’t mean the service is as private as it could be by default. In fact, when it comes to WhatsApp versus Signal, we recommend the latter for people wanting the maximum security and privacy options.

However, with more than a third of the world using WhatsApp, its popularity is unrivaled, and you may not be able to drag all of your friends, family, and groups across to Signal. If that milestone is still some way off, here are some tips to make WhatsApp as private as possible.

Updated May 2023: WhatsApp has introduced new privacy features since this story was first published in 2020. These changes are reflected below.

Understand What Data WhatsApp Collects

WhatsApp can collect a lot more information about you than you might think. Much of what it collects is similar to many other apps and can be found in its privacy policies. There are separate privacy policies for the US, Europe, and the UK. There are some differences in what WhatsApp collects, based on Europe’s privacy rules. But the app is also part of Meta’s machine, which also includes Facebook and Instagram, and some information is shared with the parent company. The association alone can put people off using WhatsApp.

The data WhatsApp has about you can come from multiple different sources: the information you provide (such as your phone number to sign up, or your location when you give it permission to share it with a friend), information that is collected automatically (for instance, when you’re online, or when you made a phone call), and information that others share about you (if a friend uploads your phone number, for example).

Automatically collected, WhatsApp says, is information about how you use its services, how often and for how long you are on WhatsApp, and the features you use—including “group name, group picture, group description,” your profile photo, “about information,” and when you were last online. (Some of this information is used for safety features.) On top of that, WhatsApp may also collect information about your phone’s battery level, signal strength, and mobile operator.

In the US, WhatsApp shares your phone number, phone information, IP address, and more with Meta’s other companies, although it says it does not “keep logs of who everyone’s messaging or calling” and doesn’t share contacts with Meta. In Europe, WhatsApp details how it works with Meta’s other companies and the information that is shared more explicitly. However, it’s worth stressing that the content of the messages you send isn’t shared, as Meta doesn’t have access to them due to WhatsApp’s end-to-end encryption.

Location information, when you turn it on, is also collected, and there are cookies that track your activity within the desktop and web versions of the app.

Use Encrypted-to-End Encrypted Backups

WhatsApp allows you to back up your chats and data as a way to move all your information to a new phone. These backups work by storing your data in Google Drive or Apple’s iCloud, depending on which operating system you use. Backups can be handy if you’re moving to a new phone or lose your old device.

If you’re going to use WhatsApp’s backups, you should use the version that is end-to-end encrypted. The company introduced these in 2021 after years of the option being unavailable. In WhatsApp, go to Settings, Chats, Chat Backup, and then once you have turned backups on, tap on End-to-end Encrypted Backup and toggle the option on. This backup requires a separate password, which you should ideally create and store in a password manager. If you lose this password, you won’t be able to get into your encrypted backup.

Turn On Two-Factor Authentication

You should be using two-factor authentication as much as possible—it’s even more important on accounts that hold your sensitive personal information, such as photos and messages. The security method involves adding an extra step to the process when you log in to an account. In most cases, this involves using a security code generated by an app, a code sent via SMS, or a physical security key. (The last of these is the most secure way to protect your accounts with two-factor authentication—and SMS is arguably the least secure of the three options.)

Using WhatsApp is different from logging in to your email. It’s likely that you’ll access the app multiple times a day—on average, I open the app between 50 and 80 times per day. Entering a security code every time this happens would be impractical and frustrating. So instead, WhatsApp’s two-factor authentication, which can be turned on through the Settings menu and then by tapping on Account, uses a PIN.

WhatsApp will semi-regularly ask you to reenter the six-digit PIN you create to access the app. It doesn’t say how often these prompts happen, but they’re irregular enough not to be a barrier to using the app. The PIN will also be required anytime there is an attempt to add your number to a new phone or device. When you’re setting the PIN, there’s also the option to add an email address that can be used to reset the code if you forget it.

Use Disappearing Messages

Your messages don’t have to live forever. It’s possible to turn on disappearing messages for when you want additional privacy or just don’t need to keep what you’re sent for years. There are two ways within WhatsApp to use self-destructing messages: for every new chat you have, or on an individual conversation basis. 

To run on disappearing messages by default for new conversations, go to Settings, Privacy, Default Message Timer, and pick how long you want messages to last for. There are three options if you turn the setting on: 24 hours, 7 days, or 90 days. For an existing individual conversation or group chat, open that chat, tap the person’s name at the top of the screen, select Disappearing Messages, and then pick 24 hours, 7 days, 90 days, or Off. You may then have to tap to confirm this.

While turning on disappearing messages will give you some more privacy, it’s worth remembering that whoever you message could still screenshot or take a photograph of what’s on the screen.

In addition to disappearing messages, you can also set photos and views to View Once. This—rather unsurprisingly—behaves exactly how it is described: The message can only opened one time and you can't go back to it once it's closed. When sending a photo or video, tap the icon that is contained within a partial circle. If you send a one-time image or video, people cannot screenshot it.

Lock Down WhatsApp Messages

There are inevitably times when you need to hand your phone to someone else—so your children can play games, for instance, or to show a friend a photo. WhatsApp has two features that can help protect your message if your phone falls into someone else’s hands. First, you can turn on Screen Lock, which keeps the app locked unless you open it with Apple’s Face ID or other biometrics on Android devices. To turn it on, go to Settings, Privacy, and select Screen Lock. You’ll need to set up the biometric options before you turn the app lock on.

You can also lock down individual chats on your phone. This means that to send messages to locked chats, you’ll need to use your phone’s passcode, or your face or fingerprint to open up the chats and even see notifications from them. To turn it on, tap on a chat and the person’s name, go to Chat lock, and select the option to lock the chat. This will move the chat into a new folder that can be accessed by swiping down on the Chats tab.

If you’re going for the most private approach, it’s also worth considering that any message that pops up could reveal private information. New message notifications can include the entire message or just some of its content when they flash up on your screen. If these notifications also sit unread, anyone picking up your device may be able to read them without having to unlock the phone. These options can be tweaked in Settings, Notifications, and Show Preview.

Stop People From Seeing Your Personal Info

While WhatsApp’s end-to-end encryption stops law enforcement, internet providers, and even Meta from seeing what you are sending, there are still some additional steps you can take to increase your privacy on your phone and reduce the chances of your number being targeted by spammers or scammers. Because WhatsApp is so popular, it’s regularly the target of social engineering attacks, devised to steal your personal information. 

The ways to limit the ways people can interact with your account are all found through Settings, followed by tapping on Privacy. At the most simple, you can tap to turn off read receipts, the two blue ticks that show when someone has seen your message. 

More effective are the steps that stop people from adding you to groups. Under the Groups setting, there is the option to limit who can add you to a group. By default, this is set as “everyone.” However, it can be changed to My Contacts, or My Contacts Except…, allowing some exceptions. Deciding to limit who can add you to groups doesn’t mean that you can’t join groups when people aren’t in your contacts. Instead, people wanting to add you to groups can request to do so via a separate message.

Within Privacy, you can also turn off who can see when you last looked at WhatsApp and when you were last online, who can see your profile photo, the About section, and WhatsApp Status. While in the privacy settings, you should also check whether you are sharing your live location with anyone.

Switch to Signal

If you’re looking for more privacy, switching messaging apps is a big upheaval but could be worth the time and effort. As mentioned earlier, our preference for combining end-to-end encryption with greater levels of privacy is Signal. A full rundown of its privacy options is here.

How to Boost WhatsApp’s Privacy and Better Protect Your Data

(May require free registration to view)

PharMerica is a pharmacy services provider in 50 U.S. states, operating 180 local and 70,000 backup pharmacies, and serving 3,100 medical facilities nationwide.

According to a data breach notification submitted to the Office of the Maine Attorney General, hackers breached PharMerica's system on March 12th, 2023, stealing the full names, addresses, dates of birth, social security numbers (SSNs), medications, and health insurance information of 5,815,591 people.

The firm discovered the intrusion on March 14th, 2023, and its investigation determined on March 21st that client data had been stolen. However, notices of a data breach were sent to impacted individuals only last Friday, May 12th, 2023.

PharMerica offers one year of identity protection fraud monitoring services through Experian, so affected individuals are recommended to take up the offer to minimize the risk and impact of malicious attacks.

Data leaked by hackers

Although PharMerica does not mention the type of hacking incident, the Money Message ransomware gang claimed the attack on March 28th, 2023, when they began publishing stolen data.

Money Message listing PharMerica as its latest victim 
Source: BleepingComputer

 

Along with PharMerica, the threat actors listed BrightSpring, a health service provider that merged with PharMerica in March 2019.

Money Message claimed to have stolen 4.7 TB of data during their attack on PharMerica, stating that it consisted of at least 1.6 million unique records of personal information.

On April 9th, 2023, the timer ran out, and the threat actors published what they claim is all of the stolen data on their extortion site. Unfortunately, the files are still available for download at this time.

To make matters even worse, a threat actor has already posted the entire data dump on a clearnet hacking forum, breaking the file into 13 parts for easier downloading.

Hacker forum user reposting the PharMerica data leak
Source: KELA

 

Money Message is a new ransomware operation that launched around March 2023, gaining media attention for its breach against Taiwanese PC parts maker MSI (Micro-Star International).

Source

While launched only with support for analyzing a subset of PowerShell files, Code Insight can now also spot malicious Batch (BAT), Command Prompt (CMD), Shell (SH), and VBScript (VBS) scripts.

Besides the list of additions included in Google's announcement, BleepingComputer was also able to discover that the company added support for AutoHotkey (AHK) and Python (PY) scripting languages.

"Code Insight has broadened its support for script formats, moving beyond PowerShell to offer analysis for a variety of scripting languages," VirusTotal founder Bernardo Quintero said.

To facilitate the analysis of larger files, Code Insight has also been updated to have an increased maximum file size limit, doubling the capacity for processing.

"Code Insight can now handle files twice the size it could before, and we're not stopping there. We're going to keep working on improving this aspect in the coming months," Quintero added.

Additionally, the model has been improved to provide clearer and more specific high-level explanations, emphasizing the code's behavior.

A revamped user interface now showcases only the start of the report (the first several sentences) by default, allowing users to expand the description if needed. This ensures the default view is not inundated with lengthy AI-powered analysis reports.

ESXiArgs sample analysis by VirusTotal Code Insight (VirusTotal)

 

VirusTotal announced the launch of Code Insight last month as an AI-based code analysis feature powered by the Google Cloud Security AI Workbench, which uses the Sec-PaLM large language model (LLM) fine-tuned for security use cases.

As Google explained, it analyzes potentially harmful files to describe their (malicious) behavior, making identifying which pose actual threats easier.

Code Insight is currently in its early stages of development, marking the beginning of a continuous and evolving process.

The roadmap ahead encompasses the following improvements:

1. Expanding support for additional file types and sizes.
2. Enabling analysis of binary and executable files.
3. Enriching analysis by incorporating contextual information beyond the code itself.

VirusTotal is a web-based malware-scanning platform with over 500,000 registered users, owned by Google's Chronicle security subsidiary.

It helps scan suspicious files and URLs for malicious content, such as viruses, worms, and trojans, by harnessing the power of more than 70 antivirus scanners and domain blocklisting services.

Source

The attack also disrupted operations, with newspaper circulation halting while Inquirer.com is only slightly affected, with publishing and updating stories being impacted by intermittent delays.

"The incident was the greatest publication disruption to Pennsylvania's largest news organization since the blizzard of Jan. 7-8, 1996, and it came just days before Tuesday's mayoral primary election," the Inquirer's Jonathan Lai said.

"We appreciate everyone's patience and understanding as we work to fully restore systems and complete this investigation as soon as possible," a spokesperson for Inquirer publisher Lisa Hughes said.

"We will keep our employees and readers informed as we learn more."

The news organization detected the attack after the content management system went down on Saturday morning, days after it was alerted of "anomalous activity" by Cynet Systems, a cybersecurity company that manages the Inquirer's network security.

After the incident was detected, the Inquirer's publisher said the newspaper had taken down some computer systems due to "anomalous activity."

The regular Sunday edition couldn't be printed following the attack and was only released online as an e-edition.

While the Monday editions were expected to get printed and distributed to subscribers, some classified ads will get delayed "out of an abundance of caution." 

Newspaper to notify potentially affected subscribers

The Inquirer also notified the Federal Bureau of Investigation and hired the services of Kroll to investigate and respond to the cyber incident.

Hughes couldn't provide information regarding who the attackers were and if they gained access to customers' or employees' sensitive information but said that the newspaper would notify those who might have had their data impacted in the incident.

The Philadelphia Inquirer is now reaching a growing audience of over 13 million people monthly through its newspaper, website, and other platforms, almost 200 years after it was first published in 1829.

News Corporation, a mass media and publishing giant that owns New York Post, The Wall Street Journal, Dow Jones, MarketWatch, Fox News, Barron's, The Sun, and the News UK, also disclosed in February 2023 that Chinese-linked attackers had access to its network between February 2020 and January 2022.

The threat actors had access to an email and document storage system used by several News Corp businesses, which gave them access to business documents and emails containing sensitive data, including employees' personal information.

In 2022, a compromised video content and advertising provider was used to push malware through the websites of hundreds of newspapers across the U.S., while dozens of U.S. news sites were hacked by the Evil Corp gang to infect Fortune 500 firms' employees with malware.

Source

On their Mastodon profile, Brandt wrote:

Well, apparently #microsoft #Sharepoint now has the ability to scan inside of password-protected zip archives.

How do I know? Because I have a lot of Zips (encrypted with a password) that contain malware, and my typical method of sharing those is to upload those passworded Zips into a Sharepoint directory.

This morning, I discovered that a couple of password-protected Zips are flagged as "Malware detected" which limits what I can do with those files - they are basically dead space now.

While Brandt acknowledges that this move is not at all a bad thing as it is targeted at threat actors who are looking to get away using this bypass, they appear to be a bit annoyed at the change as sharing malware samples with other threat researchers can be, at least, somewhat slightly hampered by this.

While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples. The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.

The official Microsoft documentation for Built-in virus protection in SharePoint Online explains:

The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed. All file types are not automatically scanned. Heuristics determine the files to scan.

Meanwhile, Microsoft also has the option to enable Safe Attachments in SharePoint. The support article says:

When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled and identifies a file as malicious, the file is locked using direct integration with the file stores.

Although the blocked file is still listed in the document library and in web, mobile, or desktop applications, people can't open, copy, move, or share the file. But, they can delete the blocked file.

However, neither of the articles seem to mention anything related to scanning encrypted or password-protected files. This means it could be something Microsoft quietly rolled out recently.

Microsoft apparently now scanning password-protected ZIP files for malware and virus

As spotted by Deskmodder, the latest MSN Weather app update replaced banners with a widget for sunrise/sunset and moonrise/moonset. Integration with MSN News is also gone—the only thing you see when scrolling down to the bottom of the home page is a set of recommended weather maps, such as 3D Earth View, 3D Cloud View, 3D Rain View, temperature, winds, and more.

Interestingly, this is not the first time Microsoft tried to earn some cash by placing ad banners in the Weather app. In the early days of Windows 10, one of the updates added a similar block for ads that were later removed. The second attempt in 2023 did not work either, so maybe this time, Microsoft will remember that displaying ads in stock apps is not something users will tolerate.

You can download the MSN Weather app from the Microsoft Store.

Microsoft removes ads and news from the Weather app, adds a useful widget instead

To use the WhatsApp chat lock feature, you can tap on the name of the user or group on their respective chat page, then tap on the Chat Lock option. You can find the password-protected folder carrying all the hidden chats at the top of the WhatsApp inbox screen. However, you need to pull down from the top of the inbox screen first to reveal the folder.

As of now, Chat Lock doesn't require a separate password and relies on your phone's built-in authentication such as biometrics or a PIN. WhatsApp said it will roll out updates to the Chat Lock feature in the coming months, including the ability to create a custom password for the folder which will be separate from the device password. It will bring the chat lock feature to companion devices as well.

In related news, WhatsApp recently added the ability to edit messages on Android devices. The company is also testing a version of its instant messaging app for smartwatches running Wear OS. Furthermore, in an attempt to curb spam calls on the app, WhatsApp is working with Truecaller on a feature that will help users identify unknown callers.

WhatsApp launches password-protected folder to hide confidential chats

AV-Comparatives, which is another major anti-virus testing firm, also released its Real-World Protection Test and Malware Protection Test recently. We covered the former yesterday. In case you missed it, Microsoft did really well as it was one of the best performers alongside the likes of Kaspersky, Bitdefender, and Total Defense.

Today we take a look at the Malware Protection test. The difference between the two sets of tests is that the Malware Protection deals with malware executed on the system itself, whereas Real-World Protection is about web threats.

The test procedure has been explained by AV-Comparatives:

The Malware Protection Test assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The methodology used for each product tested is as follows.

Prior to execution, all the test samples are subjected to on-access and on-demand scans by the security program, with each of these being done both offline and online. Any samples that have not been detected by any of these scans are then executed on the test system, with Internet/cloud access available, to allow e.g. behavioural detection features to come into play. If a product does not prevent or reverse all the changes made by a particular malware sample within a given time period, that test case is considered to be a miss. If the user is asked to decide whether a malware sample should be allowed to run, and in the case of the worst user decision system changes are observed, the test case is rated as “user-dependent”.

 

Like in the case of Real-World Protection Test, Microsoft Defender has done quite well in the Online Detection and Protection categories. However, its Offline Detection rate, which is at 83%, still falls behind several other competitors, though it is not the worst as it has beaten others like Trend Micro and Panda. The thing to celebrate however is the continuous improvement Defender has shown over the months. Last year, Microsoft was at just 60.3%, and it improved to 69.8% six months later.

You can view the full chart below. In total there were 10,015 malicious sample test cases:

The image below further breaks down the online protection rates and shows the number of compromised cases. Microsoft suffered two casualties, only behind McAfee and Norton, which had only a single compromised case. Meanwhile, Trend Micro was the worst with 281 which is quite appalling relatively.

The chart below summarizes the test results into one:

You can find the full test data on AV-Comparatives' website.

Source

This time around, they’ve embedded malware into illegal downloads of The Super Mario Bros. Movie, according to a new blog post(opens in new tab) from the cybersecurity firm ReasonLabs. As reported by Axios(opens in new tab), the hackers began targeting Illumination’s latest film on April 30 after it was leaked on Twitter in its entirety and then quickly taken down.

Like similar campaigns, this one begins with free, illegal copies of The Super Mario Bros. Movie. While users think they’ve managed to download the film for free without any consequences, a trojan arrives on their computer alongside the movie.

ReasonLabs says that the malware used in this new campaign has actually been used more than 150,000 times in the past to steal data and other sensitive information from pirates. While it often arrives alongside pirated films, the malware has also been distributed with pirated software as well.

Hijacking browser sessions

 (Image credit: Shutterstock)

Once downloaded onto a user’s system, the malware installs a malicious extension that’s used to hijack the user's browser. It does this by giving itself sensitive browser permissions, allowing it to take over a browser’s default search bar.

Although it may appear like nothing has changed from an end user’s perspective, the malicious extension can collect all sorts of sensitive information including what you search for along with any passwords entered in your browser.

When malicious extensions accidentally end up on the Chrome Web Store, they’re quickly taken down by Google. However, in this case, the malicious extension is actually a local extension, which means the search giant has no control over it. Instead, it’s up to you to remove it from your computer.

You can do this by clicking on the three dots menu in Chrome, heading to More tools and clicking on Extensions. This will show you a list of all the extensions that are installed on your browser — you can remove any you don’t remember installing yourself.

How to stay safe from malware hiding in downloaded files

(Image credit: Shutterstock)

The first thing you should do to prevent your computer or smartphone from being infected with malware is to avoid downloading films and software illegally. Besides hurting the companies behind these products, doing so puts you and your data at risk.

Malware can also hide in legitimate-looking files, which is why you should be using the best antivirus software with your Windows PC, the best Mac antivirus with your Mac and one of the best Android antivirus apps with your Android smartphone. Antivirus software scans all of the files you download for malware and warns you when one of them could put your security at risk.

As for how to watch The Super Mario Bros. Movie legally, it will actually be available to stream tomorrow (May 16) on Amazon for $29. While this might seem a bit expensive at first, it sure beats having to deal with identity theft and all of the other problems that can occur after a nasty malware infection.

Source

The new ransomware operation started in April 2023, when they launched a data leak site on the dark web to publish victims' details and stolen data, engaging in the typical 'double-extortion' tactic used by most ransomware gangs.

While the extortion portal was launched on April 22nd, 2023, the first batch of victimized organizations was published on April 27th, including sample files, a description of the type of content that was stolen, and links to stolen data.

Victim entry on RA Group's extortion site
Source: BleepingComputer

 

In a new report by Cisco Talos, researchers explain that RA Group uses an encryptor based on the leaked source code for the Babuk ransomware, a ransomware operation that shut down in 2021.

Last week, Sentinel Labs reported that at least nine distinct ransomware operations are using the Babuk source code that was leaked on a Russian-speaking hacker forum in September 2021, as it gives threat actors an easy way to expand their broaden their scope to cover Linux and VMware ESXi.

In addition to the ransomware groups cited in the Sentinel Labs report as users of Babuk, Cisco Talos also mentions Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, and ESXiArgs.

Ransomware groups using the leaked Babuk code (Cisco)

RA Group attack details

A notable characteristic of RA Group is that each attack features a custom ransom note written specifically for the targeted organization, while the executable is also named after the victim.

The ransomware targets all logical drives on the victim's machine and network shares and attempts to encrypt specific folders, excluding those related to the Windows system, boot, Program Files, etc.

This is to avoid rendering the victim's system unusable, making it unlikely to receive a ransom payment.

RA Group's encryptor uses intermittent encryption, which is to alternative between encrypting and not encrypting sections of a file to speed up the encryption of a file. However, this approach can be risky as it allows some data to be partially recovered from files.

When encrypting data, the encryptor will use curve25519 and eSTREAM cipher hc-128 algorithms.

Encrypted files are appended the filename extension ".GAGUP" while all volume shadow copies and Recycle Bin contents are wiped to prevent easy data restoration.

Deleting shadow copies (Cisco)

 

The ransom note dropped on the victim's system is named 'How To Restore Your Files.txt' and requires the victim to use qTox messenger to contact the threat actors and negotiate a ransom.

The note also includes a link to a repository containing files stolen from the victim as proof of the data breach.

A sample of RA Group's ransom note (Cisco)

 

The threat actors claim to give victims three days before a sample of stolen data is published on extortion sites, but like other ransomware operations, this is likely open to negotiation.

As this is a relatively new ransomware operation, with only a few victims, it is unclear how they breach systems and spread laterally on a network.

Source

This new feature will clear not only cookies at the sites you specify but also data in local storage and the cache when you close a website. While this will also automatically log users out of sites, it also prevents re-identification when they return to the site at a future time.

Users can enable "Forgetful Browsing" from the software's settings menu, either for all websites (global default) or for a specified list of sites.

"When this option is set, Brave will clear first-party storage for the site a few seconds after there are no more open tabs for the site," explains Brave Software's announcement.

"Forgetful Browsing clears both explicitly stored values (e.g. cookies, localStorage, or indexedDB) and indirectly stored values (e.g. HTTP cache or DNS cache)."

The Brave Software team explained that although its browser offers robust protections against third-party tracking, the privacy issues that arise from first-party tracking remain somewhat unaddressed.

Focusing on first-party tracking

First-party tracking has taken the back seat in the privacy-protection considerations of browser engineers because users consciously choose what websites they visit and naturally have better control and a clearer understanding of where their data goes.

While first-party cookies are important for a good website experience, such as staying logged into a site or keeping track of read content, several risks are still associated with letting a website re-identify visitors indefinitely.

These risks include building rich user profiles for targeted advertising by aggregating more data, and associating multiple visitor accounts with the same person or same household, thus breaking privacy-proofing barriers.

Brave says that most modern web browsers already offer features or tools to deal with this problem. However, they're either too fragmented, cumbersome to use, either too generic or too specific, or entirely hidden from the user.

Hence, the team decided to develop Forgetful Browsing as an integrated tool that will be easy to enable and disable and won't require any user vigilance or specific intervention after setting up.

To set the global default setting for 'Forgetful Browsing,' head to Settings → Shields → Click "Forget me when I close a site."

Website-specific situations like adding an entry or an exclusion from the global default will be as simple as navigating to the site, clicking on the shields icon on the right side of the URL bar, clicking "Advanced controls," and then switching the toggle of the feature to the "on" position.

Site-specific option on the URL bar
(Brave)

 

Brave clarifies that 'Forgetful Browsing' will apply to sites and not domains, contrary to how most settings in Shields work.

The new feature will be made available on Brave browser for the desktop version 1.53 (current stable is v1.51), while Android users will get 'Forgetful Browsing' a bit later, with version 1.54.

Source

AV-Comparatives, which is another major anti-malware testing firm, released its Real-World Protection report of February-March 2023 recently. The Real-Wold Protection test deals with web threats and is different from the company's Malware Protection Test which is about malware executed on the system.

The results are extremely favorable for Microsoft as Defender managed to block 100% of the tested samples and only had two false positive cases. In total, there were 260 live test cases which means the false positive percentage is almost zero.

Only Kaspersky had a completely flawless run in this evaluation as the Russian anti-virus provider blocked 100% of all threats and there were also no false positives. Other vendors like Bitdefender and Total Defense also performed exceptionally well. Both the products were able to block 100% of threats and each had only a single false positive alert.

You can view the results in the image below:

The worst performer in terms of false positive detections was Trend Micro with 27. However, Panda was also pretty close behind with 19, and it also failed to block 0.4% of the test cases. In case you want to read more, you can find more details on AV-Comparatives' website here.

AV-Comparatives: Microsoft Defender, Kaspersky, Bitdefender some of the best for web threats

Your Apple ID password is a key that unlocks many features and services on your Apple devices. If you forget your password, you won't be able to access your iCloud account, App Store purchases, Apple Music subscription, and more. That's why you need to reset your Apple ID password as soon as possible if you can't remember it.

How to reset Apple ID password?

If you have forgotten your Apple ID password, don't worry. You can easily reset it using one of the methods below.

Use your iPhone or other trusted Apple device

This is the fastest and easiest way to reset your password, as long as you have a device that you are already signed in to with your Apple ID.

• Go to Settings and tap your name.
• Tap Password & Security and then Change Password.
• Follow the onscreen instructions to create a new password.

You can also use this method on a trusted iPad, iPod touch, or Apple Watch.

Use the Apple Support app

If you don't have an Apple device, but you have access to your trusted phone number, you can borrow an Apple device from a friend or family member or use one at an Apple Store.

• Download and open the Apple Support app on the borrowed device.
• Under Topic, tap Passwords & Security.
• Click Reset Apple ID password.
• Hit Get Started, then tap a different Apple ID and enter your Apple ID.
• Tap Next and follow the onscreen instructions to reset your password.

Any information that you enter will not be stored on the borrowed device.

Use iForgot

If you don't have a trusted device or a trusted phone number, you can still reset your password on the web, but it may take longer.

• Go to iforgot.apple.com and enter your Apple ID.
• Choose how to reset your password: by email, by security questions, or by two-factor authentication.
• Follow the onscreen instructions to complete the process.

If you have trouble resetting your password, contact Apple Support for help.

Check out the new Apple Watch Pride Edition bands.

Apple ID password is needed for...

Your Apple ID is the account that you use to access all Apple services and make all of your devices work together seamlessly. You can use your Apple ID to:

• Sign in to iCloud to keep your personal content up to date on all your devices.
• Sign in to the App Store and iTunes Store to buy and download apps, music, movies, TV shows and more.
• Sign in to iMessage and FaceTime to chat with friends and family across all of your devices.
• Sign in to Find My to locate your devices and protect your data if they are lost or stolen.
• Sign in to Apple Pay to make secure and convenient purchases in stores, apps, and on the web.
• Sign in to Apple Music to stream over 75 million songs and download your favorites.
• Sign in to Apple TV+ to watch original shows and movies from the world's best storytellers.
• Sign in to Apple Arcade to play over 200 ad-free games across your devices.
• Sign in to Apple News+ to read hundreds of magazines and leading newspapers.
• Sign in to Apple Fitness+ to get personalised workouts from world-class trainers.

How to reset Apple ID password?

Forgetful Browsing configures the web browser to delete cookies and other site data automatically when a website is closed in the browser. Brave users may configure the feature for individual sites or for all sites in the browser.

The privacy feature gives Brave users control over first-party site data and cookies. First-party refers to the actual site that users are on.

Using the feature is quite simple. Brave has added it to its Shield feature, which powers the content blocker as well as other privacy and security protections.

To apply it to a single site, you'd activate the Shield icon in Brave, select advanced controls to expand these options, and check the "Forget me when I close the site" toggle.

Brave will delete cookies and other site data of that website automatically when the last instance of it is closed in the browser.

Brave explains in a new blog post on its site: "When this option is set, Brave will clear first-party storage for the site a few seconds after there are no more open tabs for the site."

The Forgetful Browsing feature of Brave browser deletes explicitly and indirectly stored values in the browser according to Brave Software: "Forgetful Browsing clears both explicitly stored values (e.g. cookies, localStorage, or indexedDB) and indirectly stored values (e.g. HTTP cache or DNS cache)."

Brave users need to be aware that the deletion of the data will log them out automatically, as session data will be removed when websites are closed.

Brave Software points out the following advantages of the feature for some use cases:

• Users are logged out automatically of sites configured for Forgetful Browsing.
• Rate limiting may be circumvented; some sites allow users to view only a specific number of articles, and keep track of this through cookies or site data.
• Sites may not be able to identify users who visited them previously.

Forgetful Browsing was created by Brave Software to further strengthen user privacy. The company believes that the "Web has the wrong defaults for privacy", as browsers "let sites reidentify users indefinitely" even though users benefit from this only on some sites that they visit.

While reidentification is useful, e.g., to check emails or messages, or to manage personal sites, it is often not necessary.

Most web browsers have improved protection against third-party tracking in the past years. Most include options to clear third-party cookies and site data on exist, or support extensions that prevent the setting in first place. There is also support for private browsing modes, which are limited to deleting local data, and features such as Firefox's Total Cookie Protection,

First-party tracking on the other hand has been largely neglected up until now. Browser users may delete data manually or use extensions that help them.

Brave Browser's Forgetful Browsing feature integrates a built-in tool to address this. Most Brave users may want to configure the feature for individual sites, e.g., to always reset the number of articles they read on a site, or to make sure that they are signed-out of a service whenever they close the browser.

Some may go a step further and enable it for all sites. This is done by loading brave://settings/shields in the browser's address bar and enabling the Forget me when I close a site option on the page that opens.

There are a handful of potential downsides to enabling this for all sites visited in the browser. Besides needing to sign-in to sites each time they are loaded, most sites may also display cookie prompts on each visit.

A click on the Shields icon in Brave after enabling the global feature allows Brave users to turn it off for specific sites. This way, you could disable the forgetfulness feature for sites that you want to stay signed in or be remembered, while having improved privacy protections for all other sites visited.

Forgetful Browsing applies to the entire site and not domains; this means that all subdomains of the site and all folders of it, are affected by the feature.

Brave 1.53 and Brave 1.54 will be released in the coming months.

Source