
Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

Chrome users at risk for Identity Theft

"Researchers at New York-based security firm Identity Finder recently conducted a search for personally identifiable information (PII) found on typical business users' computers.

The Identity Finder researchers revealed that Chrome created several files on a computer's hard drive that stored sensitive information useful to spies and identity thieves — including names, email addresses and bank-account numbers.

Even if users were to type such information into a secure website, Chrome would save the data in an unsecure manner.

"Chrome browser data is unprotected, and can be read by anyone with physical access to the hard drive, access to the file system or [by] simple malware," said a posting on the Identity Finder blog. "There are dozens of well-known exploits to access payload data and locally stored files."

Other browsers store this user information but in a secure manner. IE stores in the registry of the user's computer and Firefox and SeaMonkey store it in an encrypted file.

»www.tomsguide.com/us/google-chro···957.html
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

4 recommendations

Just another BS article...here is the real world...
..
»blog.chron.com/techblog/2013/08/···-secure/
Website settings
»support.google.com/chrome/answer···hl=en-GB

Delete your cache and other browser data
»support.google.com/chrome/answer···ic=14666
Chrome's privacy settings

»support.google.com/chrome/answer···ic=14666

and from your link this info was posted....

"It's common. I'm surprised they discovered this, this late.
I've been using it as a function from a long time (since syncing wasn't available once upon a time.)
For FF, it's very simple, all you have to do is copy all data from appData/local&roaming/mozilla to another computer. Just configure profile.ini with correct names etc. And Voila you have all password, personal info replicated to another computer."
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to Mele20

duh never use a browser to store passwords.. at least it doesn't seem like a good idea to me..



SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1
reply to Mele20

I have NEVER stored passwords in a browser. I do use 1Password now, and so far I've been pretty happy with it.

Apple is now using Keychain to sync passwords across devices, but I'm leery of leaving a copy of my passwords on a cloud server- encryption be darned. 1Password can sync that way as well, but I don't use it. I have read that 1Password can sync from a Mac to an iPhone using USB… I've never done it, but that would be my choice if I needed to have all my passwords on the road.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to redwolfe_98

Re: Chrome users at risk for Identity Theft

said by redwolfe_98:

duh never use a browser to store passwords.. at least it doesn't seem like a good idea to me..

I never have either. It's a risky thing I would never do and using Chrome is a very risky thing I will never do both for security and privacy reasons. Plus, screw youtube for telling me a few minutes ago that they are about to stop supporting Fx 17.0.11 ESR. (I'll upgrade Fx when I have the time to do all the crap I'll have to do to make it secure and NOT leaking my privacy. It is a HUGE upgrade to Fx 24. The nerve of youtube as Fx 17.0.11 ESR only stops being supported today...youtube couldn't wait a bit? Geez. In the meantime, I have current IE, SeaMonkey and the odd thing is Fx 4 works just fine on youtube so I don't know what they are babbling about).

It's the average user who lets browsers save passwords. Plus, the really SCARY thing here is that Chrome saves the information in an INSECURE manner EVEN WHEN THE USER TYPES IT IN EACH TIME ON A SECURE WEBSITE. This fact should make everyone using Chrome uninstall it immediately. There is NO WAY to use Chrome on secure sites and be secure. So, your and my not allowing browsers to save passwords and other information does not matter if Chrome is used. That's SHOCKING.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

Insecure Manner..you're a real trip...you can read how to secure your favorite... Chrome does it just fine.

Browser Security Settings for Chrome, Firefox and Internet Explorer: Cybersecurity 101

Tips for Secure Browsing with Google Chrome

These settings can be accessed through Chrome’s “Advanced Settings” menu or by navigating to “chrome://settings/.”
Enable phishing and malware protection: Make sure that Chrome’s phishing and malware protection feature is enabled under the “Privacy” section. This feature will warn you if a site you’re trying to visit may be phishing or contain malware.
Turn off instant search: The Instant search feature should be turned off for optimal security. While it offers some convenience in searching, having this feature enabled means that anything you type in the address bar is instantly sent to Google.
Don’t sync: Disconnect your email account from your browser under the “Personal Stuff” tab. Syncing your email account with your Chrome browser means that personal information such as passwords, autofill data, preferences, and more is stored on Google’s servers. If you must use sync, select the “Encrypt all synced data” option and create a unique passphrase for encryption.
Configure content settings: Click “Content settings” under the “Privacy” section and do the following:
Cookies: Select “Keep local data only until I quit my browser” and “Block third-party cookies and site data.” These options ensure that your cookies will be deleted upon quitting Chrome and that advertisers will not be able to track you using third-party cookies.
JavaScript: Select “Do not allow any site to run JavaScript.” It is widely recommended that JavaScript be disabled whenever possible to protect users from its security vulnerabilities.
Pop-ups: Select “Do not allow any site to show pop-ups.”
Location: Select “Do not allow any site to track my physical location.”
Configure passwords and forms settings: Disable Autofill and deselect “Offer to save passwords I enter on the web” under the “Passwords and forms” section. Doing so will prevent Chrome from saving your logins, passwords, and other sensitive information that you enter into forms.

Tips for Secure Browsing with Mozilla Firefox

Tips for Secure Browsing with Microsoft Internet Explorer 10

Which is the Most Secure Browser?
Nominating one browser as the most secure is difficult. Since each browser is regularly updated with security patches, the rankings for most secure browser could change at any time. As of today, Veracode recommends Google Chrome as the most secure browser.


»www.veracode.com/blog/2013/03/br···xplorer/

Chrome saves Nothing when you secure it..just like FF if you secure it.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

3 recommendations

reply to Mele20

said by Mele20:

"Chrome browser data is unprotected, and can be read by anyone with physical access to the hard drive, access to the file system or [by] simple malware," said a posting on the Identity Finder blog. "There are dozens of well-known exploits to access payload data and locally stored files."

Once someone has physical access to your machine all bets are off and your security no longer exists. The fact that your browser data is not encrypted is the absolute least of your worries.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein


SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1

said by Kilroy:

said by Mele20:

"Chrome browser data is unprotected, and can be read by anyone with physical access to the hard drive, access to the file system or [by] simple malware," said a posting on the Identity Finder blog. "There are dozens of well-known exploits to access payload data and locally stored files."

Once someone has physical access to your machine all bets are off and your security no longer exists. The fact that your browser data is not encrypted is the absolute least of your worries.

What if I used FileVault 2 to encrypt my Mac's drive and the physical machine was out of my possession? I'm not being sarcastic, I am considering using it to secure my Mac and kicking around the idea in another thread.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

2 recommendations

reply to Mele20

said by Mele20:

It's the average user who lets browsers save passwords.

A site can allow or disallow password caching in the browser.
It's the average site that allows password caching.

btw, I allow Firefox 23.0.1 to store my passwords on any site that allows it.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to Kilroy

said by Kilroy:

Once someone has physical access to your machine all bets are off and your security no longer exists.

I hope I'm not splitting hairs with the definition of "physical" but remote access is a game ender too.


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

2 recommendations

reply to SwedishRider

said by SwedishRider:

What if I used FileVault 2 to encrypt my Mac's drive and the physical machine was out of my possession?

Would you trust it with the NSA? Any time someone has physical access they have a larger tool chest to work with. As Snowy points out, remote access is pretty much the same as the remote person has the same rights you have.

I will tell you that encryption of any type is a double edged sword. Many things can happen to prevent you from accessing your own data. Then you have to have a back up plan in place to protect your data, then do you encrypt your backup? Then comes the big question do you trust all of the companies involved?

Security isn't convenient. Closely followed by usability is the enemy of security. It is easy to make something secure, if you want it usable you have to give up some security.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

said by Kilroy:

said by SwedishRider:

What if I used FileVault 2 to encrypt my Mac's drive and the physical machine was out of my possession?

Would you trust it with the NSA? Any time someone has physical access they have a larger tool chest to work with. As Snowy points out, remote access is pretty much the same as the remote person has the same rights you have.

So what is your recommendation? Don't bother to encrypt a laptop drive simply because there is potential the NSA may be able to decrypt it? Do you not see value in protection from all the rest of the use cases? Your point is not very clear here.

I am sometimes baffled at the direction these discussions take from a simple question.

And no, making the assumption that
said by Kilroy:

remote access is pretty much the same as the remote person has the same rights you have

is not correct. If someone has remote access it may be with more or less privilege than the user logged in on the console. This applies to windows-based OSs, unix/linux based OSs, and most other multi-user OSs. This applies to both authorized and unauthorized access. This also has nothing to do with full disk encryption.


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

said by Shady Bimmer:

So what is your recommendation?

Implement the security that makes you comfortable and that you feel like dealing with. There is no perfect solution, so pick the bad that you can live with. Perfect security has zero usability. An encrypted computer locked in a safe with no power, keyboard, mouse, monitor or network connection is very secure and very useless.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to Shady Bimmer

said by Shady Bimmer:

And no, making the assumption that

said by Kilroy:

remote access is pretty much the same as the remote person has the same rights you have

is not correct. If someone has remote access it may be with more or less privilege than the user logged in on the console.

I was going to mention that but thought the general point of being aware of remote access in addition to physical access had been made.

A small edit corrects the statement.
Remote access can be the same (as physical access) as the remote session can have the same rights you have.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

1 edit

1 recommendation

reply to Kilroy

said by Kilroy:

An encrypted computer locked in a safe with no power, keyboard, mouse, monitor or network connection is very secure and very useless.

That sounds like an excellent storage plan for a (backup) system containing sensitive data

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to Kilroy

said by Kilroy:

Implement the security that makes you comfortable and that you feel like dealing with.

That still doesn't help answer the question. I had already provided my suggestion to SwedishRider in another forum here.

Full disk encryption is to protect the data from unauthorized physical access. This would include the case of a lost or stolen laptop. It could also include the case of returning a failed drive to a vendor under warranty, or giving/selling the drive to another individual. Yes, secure erasing would help in that last case, but it is far easier to recover data from an erased drive (even "secure" erase that is not secure enough) than from an encrypted drive.

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to Snowy

said by Snowy:

said by Kilroy:

An encrypted computer locked in a safe with no power, keyboard, mouse, monitor or network connection is very secure and very useless.

That sounds like an excellent storage plan for a (backup) system containing sensitive data

It would not be entirely useless and indeed is an in-use option for secure backups. The entire computer is not kept in a vault, however removable storage that is fully encrypted, itself in a protective case (EMF & RF resistance along with physical protection), is then securely transported to such a vault and kept in such a scenario.


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:12
reply to Mele20

Thank you Mele.... CHROME is the worst browser to use!!! (For privacy)



DownTheShore
Mr. Putin, meet SEAL Team 6
Premium
join:2003-12-02
Beautiful NJ
kudos:13
reply to Mele20

Re: Chrome users at risk for Identity Theft

I only let my browser store passwords for forums and the like - sites that contain no financial information and no real ID info.



Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:12
reply to Mele20

My browser (MyIE2) stores stuff IN A LOCAL FILE which is scrambled.. (I believe the browser can only read it)



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

1 recommendation

said by Dude111:

My browser (MyIE2) stores stuff IN A LOCAL FILE which is scrambled.. (I believe the browser can only read it)

Since I seem to be on the technical side today...
The site the password is good at can also read it


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Dude111

Just who is telling you that this MYIE2 of yours has that stuff encrypted (scrambled ? ) and can be had ???? »www.nirsoft.net/utils/web_browse···ord.html

»www.wilderssecurity.com/archive/···042.html



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by Name Game:

Just who is telling you that this MYIE2 of yours has that stuff encrypted (scrambled ? ) and can be had ???? »www.nirsoft.net/utils/web_browse···ord.html

Maybe the dude is on to something running MYIE2 & W98?

System Requirements And Limitations
This utility works on any version of Windows, starting from Windows 2000, and up to Windows 8, including 64-bit systems. Older versions of Windows (Windows 98/ME) are not supported, because this utility is a Unicode application


Just wonderin'


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8

I'm thinking of using Lynx and dumping Google for Veronica.
--
»www.flickr.com/photos/egeezer/



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

reply to Snowy

Stop wondering

»www.nirsoft.net/utils/internet_e···ord.html

»www.afterdawn.com/software/secur···view.cfm

and many more others out there..As I recall it is a MYIE2 running as a shell for IE6..not a good idea..too many unpatched vulnerabilities in any case.

»www.cvedetails.com/vulnerability···r-6.html

»en.wikipedia.org/wiki/Internet_Explorer_6
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

reply to EGeezer

said by EGeezer:

I'm thinking of using Lynx and dumping Google for Veronica.

Lynx supports browsing histories and page caching so be careful out there. Veronica is too fast for old farts and acts like a gopher..But stick with Jughead and you will get there in one piece.

They have just found out where all those Servers are hidden world wide..

»www.dailymail.co.uk/news/article···ARS.html

So you are very vulnerable to the Gopher Hackers
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 recommendations

reply to EGeezer

I keep all my sensitive data on file cards in this box...works for me.


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Shady Bimmer

Re: Chrome users at risk for Identity Theft

It does answer the question. Only you can decide the security that makes you comfortable and that you are willing to deal with. I can create a very secure security plan, including back ups, but the trouble required is not worth the data being secured.

said by Shady Bimmer:

it is far easier to recover data from an erased drive (even "secure" erase that is not secure enough) than from an encrypted drive.

And you can provide documentation of a successful recovery of securely erased drive? I have real world experience of entire drives of encrypted data being lost due to a few bad sectors. I also have real world experience of users who back up their encrypted data to a portable hard drive unencrypted and store said hard drive with their laptop. Security may make you feel safe and secure, but the reality is you are probably neither from someone determined to access your data. Users will make every attempt to weaken your security while following your security policies.

Personally I have sufficient security in place to thwart the passerby, but do not go overboard to prevent a determined party.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein


Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state
reply to Shady Bimmer

Relying on encryption for security is a flawed assumption in itself. The location where the data is stored (physical location) is more important than whatever type of encryption you use. The most valuable data is stored on servers in a well secured area, locked, with security on site, and perhaps a few mean guard dogs, all of this in front of a well secured door.

My suggestion is "don't bother encrypting a laptop" because a laptop is portable, it makes it easier to be stolen, confiscated, or just plain lost. Instead, DO NOT STORE ANY TYPE OF PERSONAL, IMPORTANT, OR VALUABLE INFORMATION on a laptop.

that means, don't log into your bank from a laptop, don't pay any bills, do not store anything of importance on your laptop.

Instead, store everything of importance on a PC or server that is located in your house, behind locked doors, with family around, and preferably with 1-2 dogs that would bite a stranger and make a heck of a lot of noise if someone broke in..this will ensure your neighbors call the cops if they hear all the racket coming from your house and you're not home.

this is the best security you can ask for...because you're not relying on software and encryption, you're relying on secure physical location, and on premise security and guidelines (locks on your doors, family members, and dogs) to secure your data.

Of course this won't protect you from the government, but it's not intended to. Encryption really won't either. A determined party with enough resources can find a way to get past your encryption....it's always about resources...

The best practice is not to store anything of value on a laptop or portable device to begin with in the 1st place...portable devices are small, things that very easily could end up missing for sometime before someone notices...you're going to notice someone lugging your PC or server out of your house.

If you MUST access important data through a laptop, then you should do so via a VPN tunnel to a server located on your property that has the data stored there...in the event your laptop is ever stolen or whatever, you can quickly revoke the keys on your server....

in other words, turn your laptop into a thin client that doesn't save diddly poo, and all files exist on a server in a secure location (your house) that never moves, is locked behind closed doors, has a few dogs on the premise, and family members are around frequently...problem solved....in the event your thin client gets taken, just revoke the VPN keys...it's a fairly simple process.

it's what I would do, if I needed to access anything of importance from a laptop...oh and I would use something like Deepfreeze to nuke the system on shutdown....
--
Tech Tips