you get important news and warnings about security and privacy on the internet, plus a bonus for investors!
(Be patient – loading this page takes a few seconds.)
On the PRIVACY page, you will find my recommendations for a broad strategy to protect your computer from hackers.
On this page, I give you the latest news and advice on this subject. You alone can take care of your own security and privacy and this requires some knowledge, strategy and constant vigilance.
If you know of any security news sources in German or Polish, send me their web addresses and I will try to add them to this page.
* Copyrights belong to each article's respective author.
** Although this page should be free from tracking and other hazards, I can't guarantee that, of course.
If you keep an eye on security headlines, you may have seen the news that up to one in five work passwords include the company name.
This is according to new research by data protection specialists Acronis, which also suggests that around 80 percent of companies don’t have an established password policy. Both stats are concerning from the point of view of businesses’ online security – but they are trivial to fix if you use an enterprise password manager.
People use the name of the company they work for as part of their password to make it memorable. When people are forced to remember passwords, especially those that they need to change regularly, it carries the unintended consequence of making passwords less secure.
People rotate through minor variations of the same base password, such as using their company name with a few extra characters on the end, to check off password policy requirements while still being able to remember their password.
The problem is that hackers can guess the company part of the password, while the remaining characters are easy to crack by brute force compared to a truly random password of sufficient length. To put it more simply: a lack of an effective password policy puts company data at risk.
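As an added illustration that is not from the article or from 1Password or Acronis, here is a JavaScript policy check that catches the company-name-plus-a-few-characters pattern and shows how little guessing work is left once the company part is known. The company name, the 60-bit threshold and the sample passwords are constructed assumptions.

```javascript
// Added example, not from the article or from 1Password/Acronis: a signup-time policy
// check for the weak pattern the research describes (company name plus a short tail).
// It undoes common character substitutions, removes the guessable company name and
// estimates how much brute-force work the remaining characters actually represent.

const COMPANY_NAME = "Acme"; // constructed example; use your organisation's own name(s)
const MIN_BITS = 60;         // assumed policy threshold for the part an attacker must guess

// Substitutions that keep a company name recognisable ("4cm3" -> "acme").
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };

// Lower-case the password with substitutions undone. One char in, one char out,
// so an index found in the normalised form lines up with the original password.
function normalise(pw) {
  return pw.toLowerCase().split("").map(c => LEET[c] ?? c).join("");
}

// Size of the character set the string actually draws from (per-class estimate).
function charsetSize(s) {
  let size = 0;
  if (/[a-z]/.test(s)) size += 26;
  if (/[A-Z]/.test(s)) size += 26;
  if (/[0-9]/.test(s)) size += 10;
  if (/[^a-zA-Z0-9]/.test(s)) size += 33; // printable ASCII symbols
  return size;
}

// Bits of guessing work for a string an attacker has to brute force.
function guessBits(s) {
  return s.length === 0 ? 0 : s.length * Math.log2(charsetSize(s));
}

// Remove the company name wherever it sits and return what is left to guess,
// or null when the name does not occur in the password.
function stripCompanyName(pw, company = COMPANY_NAME) {
  const idx = normalise(pw).indexOf(company.toLowerCase());
  if (idx === -1) return null;
  return pw.slice(0, idx) + pw.slice(idx + company.length);
}

// Policy decision: reject anything containing the company name, and anything whose
// guessable part falls under MIN_BITS. The numbers are returned so a UI can explain why.
function evaluatePassword(pw, company = COMPANY_NAME) {
  const tail = stripCompanyName(pw, company);
  if (tail === null) {
    const bits = guessBits(pw);
    return {
      containsCompanyName: false,
      effectiveBits: bits,
      accepted: bits >= MIN_BITS,
      reason: bits >= MIN_BITS ? "ok" : "too short for its character set",
    };
  }
  return {
    containsCompanyName: true,
    effectiveBits: guessBits(tail),
    accepted: false,
    reason: `contains the company name; only ${tail.length} characters would need guessing`,
  };
}

// Constructed samples; the last one stands in for generator output.
for (const pw of ["Acme2021!", "4CM3!2021", "hunter2", "x7Qm$2vLp9#Rt4Wz"]) {
  const r = evaluatePassword(pw);
  console.log(pw.padEnd(18), r.accepted ? "accept" : "reject",
              Math.round(r.effectiveBits), "bits:", r.reason);
}
```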
You can implement a better password policy in 24 hours by requiring that everyone in the company use 1Password to create the passwords they use at work. Out of the box, 1Password generates strong, unique passwords, and remembers and fills them in for you.
1Password makes the problem of weak passwords go away; because 1Password remembers passwords for everyone in your company, they’re no longer tempted into using the kind of weak, memorable password this research describes. And, after you’re set up with 1Password, you can use Watchtower to find and update weak passwords to stronger ones.
1Password Business includes Advanced Protection, which lets you set stricter Master Password requirements for your team to make sure their logins and other important information is safely protected. It also lets you manage two-factor authentication and create rules for how and where your team can use 1Password – for example, preventing logins from countries where no team members are present, and requiring up-to-date apps.
Even if you’re using an identity provider, take note. The prevalence of shadow IT makes it almost inevitable that people in your organization – with the absolute best intentions – are using software and services you’re not aware of to get things done. In the process, they’re very possibly putting company data on external services behind weak passwords (because, hey, they’ve already gone to the trouble of memorizing one work password they can reuse).
Our hearts sink when we see headlines like these because we know there’s a better way. Time and again we see businesses choose against prioritizing their security, and it’s a mistake that can cost businesses eight- or even nine-figure sums.
You can try 1Password Business for free today. When you sign up, your whole team can use 1Password Families at home for free – a great perk that encourages better online security practices both at home and at work.
Sign up for 1Password Business today and get your first 14 days free.
Right now at 1Password, we’re in the process of a large-scale development effort focused on the apps that our customers use every day on macOS, iOS, Windows, Android, and in the browser.
We kicked off this effort with the addition of a new platform where we’ve never had a desktop app before: Linux. At the genesis of this project we had a lot of internal discussions about programming languages, tech stacks, toolkits, and more. However, one thing we never disagreed on was our commitment to continue building great apps.
We’ve been developing native apps since 2004 so we understand the value they bring to our customers – things like offline access, deep integration with system features, and the ability to manage more than passwords. With every new platform we support, we strive to deliver an experience that feels like the 1Password you know and love, but also feels right at home on the platform you’re using.
If you’re a 1Password customer there’s a good chance you’re using it on two or three platforms. Maybe you’ve got it installed on your phone or tablet and have set up Password AutoFill on iOS or Android.
On your computer, you might be using 1Password in your browser every day to quickly and easily sign in to websites.
You might have also installed our desktop app for Mac or Windows (or even jumped on the Linux beta I mentioned earlier!).
No matter where you use 1Password, I can guarantee there’s a great experience waiting for you. And that’s not by accident. Every app in the 1Password ecosystem was built with express purpose:
We don’t believe in a one-app-fits-all approach – there is no single solution that fits the bill for all the different ways our customers can and want to use 1Password.
Flexibility, performance, and security are crucial when it comes to keeping your most important information safe, whether that’s for you, your family, or your team. With the 1Password apps you can access your data whenever and wherever you need to:
Our approach to building software has enabled us to create some fantastic features over the years, and all our apps work together to create a seamless experience, whatever your platform. But we’re really excited about what’s to come, which is why we’re working hard on new features that you’ll find in our upcoming betas.
Ultimately, our goal at 1Password is to make it easy to stay safe online. The simplest way to do that is to give our customers complete control over how they store and use their data. We’re continuing our efforts to bring the best possible experience to all our customers – whether that’s families, businesses, power users, or novices. Keep your eyes peeled for more stories on how and why we build the 1Password apps, coming soon.
Using another password manager? Make the switch and we'll give you six months free when you sign up.
2020 is over – we can finally say it out loud. While we may not be able to put everything behind us, there are a few things we can pack up and wave a cheery goodbye to. The first one that comes to mind? Bad online security.
While it might not be the most obvious new year’s resolution, scrubbing up online habits can be a little more exciting than ushering in a reduced Netflix schedule.
Internet use changed dramatically over the past year, as companies moved to remote work and families opted for virtual gatherings. This shift in online activity comes with an increase in vulnerabilities due to careless online habits, like weak passwords and reusing the same password for multiple accounts (hint: Changing the number at the end just isn’t good enough).
The good news is that, with a few simple changes, you can set yourself up for security success this year.
Think of your email as the gateway to each of your other accounts. With that in mind, it's the logical first step when buttoning up your online security.
Use a password manager with a random password generator to create a strong, unique password – at least 20 characters with a mix of numbers, symbols, and uppercase and lowercase letters. That means no personal information like your birthday, address, or phone number.
If you think your email may have been compromised, head to Have I Been Pwned to confirm. Founded by Troy Hunt, a leader in the security development space, HIBP keeps an updated list of websites that have been “pwned”, and can also alert you if a future breach occurs.
And if you really want to make sure you aren’t affected by a data breach, we’ve built this functionality right into 1Password. Watchtower alerts you to security problems with the websites you use, so you can update any compromised passwords right away.
You can also follow @1PWatchtower on Twitter for regular updates.
Multi-factor authentication (MFA) adds a second layer of protection and should be used wherever it is available. It doubles down on identity verification and requires an authentication code after the correct password has been entered.
MFA can be managed digitally on your phone or by using hardware-based authentication, which relies on a physical device such as a YubiKey. YubiKey is easily integrated with 1Password and provides a range of authentication options including two-factor, multi-factor, and passwordless.
Certain sites only offer MFA through text messages, or SMS, which actually presents its own security risks. We only recommend using SMS for MFA if it’s the only option available.
If there’s ever a case where your password has been compromised, two-step authentication makes it more difficult for hackers to access the account. Don’t overthink this extra step; you can set up 1Password as an authenticator and make it easy to sign into sites where MFA is turned on.
Here’s another easy one: Stop snoozing the update notifications on your devices and turn on automatic updates. That goes for browsers and apps as well – turning on automatic updates is one of the easiest ways to defend against security vulnerabilities and takes care of the pesky notifications at the same time.
Your router (along with smart home devices) can be an entryway for hackers. Many routers are shipped with the default password and username “admin”, which is essentially a welcome mat for privacy breaches. It’s a good idea to update these default settings as soon as possible. Use a password generator (like the one built in to 1Password) to generate a strong, random password and lock down your home network.
Don’t be a victim of passwords past. Have an old blog or untouched social media account? Or maybe you don’t use PayPal anymore since Venmo took over. Old accounts can still hold valuable data and sometimes be more vulnerable to attack. Back in 2013, a simple security flaw compromised millions of MySpace accounts, but the details around this weren’t disclosed until three years later.
Lesson learned. Delete any inactive accounts (only after removing personal information like credit card details, date of birth, or your home address) or update them with a strong password that isn’t used anywhere else.
Prioritizing online safety in the new year doesn’t have to be complicated. Any new devices you may have acquired over the holidays are a great place to start. Make 1Password your first download to secure your apps and accounts, and if your device supports biometric unlock, set it up with 1Password.
Ready to take it to the next step? If you purchase a $50 gift card you’ll get $10 towards any YubiKey 5 Series by Yubico – the security key that provides strong two-factor authentication with a simple touch.
When we started these 1Password for Good initiatives at the beginning of 2020, we had no idea just how much “good” the year ahead was going to need.
For the 1Password team, the project has become an important reminder that helping others connects us to a wider, more diverse community. And despite 2020 being an incredibly difficult year for us all, there were still a lot of positive things happening around the world.
We embarked on a mission to aid people and communities who needed a helping hand around the world. No, we didn’t get on a plane, but we did manage to help build a well in Malawi, plant 100,000 trees for global reforestation, and feed over 30,000 people in Canada. Here’s a look at some of the good we’ve put out into the world over the last year.
Hand-washing became – and continues to be – one of the strongest defenses against the spread of COVID-19. But while many of us were busy stockpiling toilet paper, yeast, and hand sanitizer, other communities were facing the very real danger of not having access to clean water.
Clean water is not only vital for good health, but it is also essential to live. We donated to charity: water to help bring clean water to Malawi. Our donation goes towards building a new well in the country to provide communities with potable water.
Anthony Marinos of charity: water said it best: “With this newfound access to clean and safe water, communities can improve health, increase education rates, empower women, and grow their local economies”.
As the pandemic took root, clean water wasn’t the only challenge impoverished communities faced – food insecurity grew in Canada by 39 percent. With a hard-hit economy and record unemployment, many Canadians were faced with the difficulty of consistently putting food on their table.
Enter FeedON, a team working to end poverty and hunger by supporting local communities and food banks. We contributed to FeedON’s mission and were able to provide over 30,000 healthy meals to children, adults, and seniors. At a time when people need help more than ever, we are proud to help combat food insecurity in Canada.
Eden Reforestation Projects is a nonprofit that helps reduce extreme poverty by employing local villagers at a fair wage to grow, plant, and guard forests. Combatting the effects of deforestation through tree-planting has the positive benefits of providing habitats for animals, controlling flooding and erosion, and replenishing soil with nutrients.
Eden Reforestation Projects has planted more than 443 million trees to date, and last year we were able to help plant over 100,000 trees in areas severely affected by deforestation. Eden Reforestation Projects is considered one of the most cost-effective reforestation projects in the world, and we’re excited about the work they’re doing to reduce poverty through reforestation.
Traditionally, in Canada and the United States, Thanksgiving is a holiday that invites people to reflect on what they are thankful for. In 2020 we decided to show our gratitude for groups contributing to their communities by helping support the work they do.
From October 12 - November 26, the time spanning between Canadian Thanksgiving and Thanksgiving in the United States, we pledged to donate $1 to charity for every 1Password family account created during that time frame.
Thank you to the over 66,500 people who signed up during that time – we’ll be donating $70,000 USD to our three chosen charities: Big Brothers Big Sisters of Canada, Food Banks Canada, and the Canadian Mental Health Association. Thank you to everyone who signed up during our campaign – you’ve really helped make a difference.
While donations are an important part of doing good, we also wanted to help protect those who are making significant, positive impacts in our world. The 1Password for Good initiative allows us to support nonprofit and non-governmental organizations, and individual families making remarkable contributions, by offering them a monthly discount or a completely free account.
One such organization is an international non-governmental relief agency that operates in nearly 100 countries worldwide, managing logistics and infrastructure on a massive scale.
“Like all large enterprises, we depend on a central directory for authentication and authorization, but unlike many other enterprises our work takes place in conflict-affected countries. We cannot stop operating if an office or entire country is isolated from the network – which happens a lot in our working environment. Thus, using 1Password is the best way for us to handle disaster recovery and emergency access to our resources when everything else is broken. Thanks to 1Password for Good we are able to continue our mission securely”.
– Joel Snyder
2020 was a difficult year for so many people, and we’re glad we’re in a position to be generous to a variety of causes.
Thank you to our chosen programs – charity: water, Eden Reforestation, FoodON, Big Brothers Big Sisters of Canada, Food Banks Canada, and the Canadian Mental Health Association – for the great work they do making the world a better place to live for everyone. If you’re in a position to do good, do good.
Today we’re publishing a new report which has some great insights into the state of online security, password use, and password sharing in the home.
It’s a must-read for anyone interested in improving their family’s online security, or with a professional interest in consumer-level security. Please feel free to download the report right away, but I did also want to take a moment to share a few highlights and thoughts.
Kicking off on a note of optimism, I’m personally delighted to see that, according to our survey, 40% of parents talk about online security with their preschool children. Yes, that number could be higher, but it still amounts to a huge number of parents talking about online safety with young children. The idea that 40% of little ones are budding security and privacy advocates is very heartening indeed.
Perhaps inevitably, though, points of concern do arise – particularly when we dig into the areas of password use and password sharing. One remarkable stat for me was that, of the people that have kept their first ever password for an online service, 12% cite nostalgia as the reason.
Now, we don’t recommend changing a perfectly good password for no reason, but I’m somewhat concerned that people may be clutching on to insecure passwords out of emotional attachment. If a password is short, non-random, or reused elsewhere, we can’t recommend changing it strongly enough.
I’d also like to highlight one of the insights we’ve seen into how passwords are shared inside of families. I say inside – turns out that, apparently, 55% of dads are OK with their kids sharing their video streaming password with friends.
We recommend password sharing, as long as it’s done securely. For things like family streaming media accounts it makes total sense, and we’ve built both 1Password Business and 1Password Families with the means to share passwords in a safe and controlled way. That said, we don’t recommend letting the kids WhatsApp your Netflix login to all and sundry.
The insights into working from home gave rise to further surprises. These include the insight that 51% of parents let their children access work accounts.
I hope the implications for data security don’t need to be explained, but one quote from a parent brings home why this can be a bad idea at a level we can all relate to: “Once my boy accessed my work laptop. He accidentally deleted my presentation”. And that’s the worst kind of deleted: the irretrievable, start all over again kind.
Please do take a look at the full report for many more data points on these and other areas. In particular, there’s a section on end-of-life planning I haven’t touched on here that tacitly poses some tough questions for the security and technology industries to grapple with.
And suffice to say our talented team of designers and illustrators have gone to town to create some charts for you to pore over. We created this report, in part, to stimulate conversation – so if there’s anything you’d like to discuss with us as a result, please do let us know. Happy reading! ☕️
Sign up for 1Password Families today and get your first 14 days free.
So…that was 2020, huh? Ouch. This past year, we witnessed a massive shift in how we live our daily lives — we moved to at-home work, and online everything. Now, more than ever, an emphasis must be placed on security.
But there’s more to it. As we introduce more layers of security to our lives, we need to be aware (and wary) of what comes with them.
As I wrote in a previous post, the most fundamental (also, very unofficial) security principle is to think backwards. How much do you know about the ‘security’ products in your home? That question came up in a discussion last week, and something else struck me.
People trust 1Password with everything.
They store their identities, access to their money, personal documents, and so much more in our product because they believe in us. That’s an honour and a privilege. It’s also a responsibility — one we don’t take lightly.
We’ve made a commitment to you, and part of that commitment is full transparency. So, with this From the Security Desk blog post, the team and I will reveal what we (don’t) know about you.
We don’t have access to anything you enter in 1Password. We do store what we’ve dubbed service data, which is used to provide you with our service, and to support you when needed.
When you sign up for 1Password, we ask for your name and email address. We like to know your name, so we know how to greet you, but the information you provide is entirely up to you. We use your email address to register and locate your account on the server. We can view the language in which you use 1Password, your account picture (look at that face!), the devices you use, and the names you’ve given those devices (some people get very creative).
We can see the type of account you have, when it was created, and when it was last accessed. We can view your subscription status and your payment method. And, as an identifier, we have the first eight non-secret characters of your Secret Key.
We can view the total number of vaults, items, and files in your account. We also log the IP address from which you access 1Password. The location information we store is restricted to a few employees, and only accessed when necessary.
The only thing we see about your 1Password usage comes in the form of Universally Unique Identifiers (UUID), which are generated completely at random. UUIDs contain no information about you, your device, your items, or anything else. I’ll provide a UUID from my account as an example:
We also believe everyone has equivalent rights to privacy, and honour all access requests to the personal information we’ve stored. These requests aren’t limited to EU citizens. If you want to see your own service data, reach out to us — it’s yours, after all.
Our commitment to you.
Your trust in us is paramount, and we cherish it. On behalf of every single one of us here at 1Password, thank you. We’re incredibly humbled and proud to be something you count on.
And, to 2021, you’ve got a (ridiculously) low bar to reach. Go ahead. Impress us.
If you're a Google Chrome user, you might be surprised to learn that you may soon be automatically entered into Google's new tracking and ad targeting methods called Topics and FLEDGE. Topics uses your Chrome browsing history to automatically collect information about your interests to share with other businesses, tracking companies and websites without your knowledge. FLEDGE enables your Chrome browser to target you with ads based on your browsing history. These new methods enable creepy advertising and other content targeting without third-party cookies. While Google is positioning this as more privacy respecting, the simple fact is tracking, targeting, and profiling, still is tracking, targeting, and profiling, no matter what you want to call it.
1. Don't use Google Chrome! Google Topics and FLEDGE will only exist in Google Chrome. On iOS or Android we suggest you use our DuckDuckGo mobile browser, which offers best-in-class privacy protection by default when searching and browsing. Plus, we recently launched more app features into beta that will better protect your online privacy, like Email Protection and App Tracking Protection for Android. On desktop, we just launched the DuckDuckGo app for Mac into beta (Windows coming soon) so you can skip the Chrome headache completely and use ours by joining our waitlist (which is moving quickly).
2. Install the DuckDuckGo Chrome extension. In response to Google automatically turning on Topics and FLEDGE in Chrome, we've enhanced our Chrome extension to block Topics and FLEDGE interactions on websites, stopping these new forms of targeting. This is in addition to the all-in-one privacy protection that our extension offers, including private search, tracker blocking, Smarter Encryption, and Global Privacy Control. The Topics and FLEDGE blocking addition is included as of version 2022.4.18 which should auto-update, though you can also check the version you have installed from the extensions list within Chrome. For non-Chrome desktop browsers, you can get our extension here.
3. Change your Chrome and Google settings, which we recommend you do regardless if you continue to use Chrome or Google.
Note that even if you change these settings, we also recommend installing the DuckDuckGo Chrome extension to get more privacy protection than possible using Chrome settings alone.
In 2021, Google reluctantly signaled it would follow other browsers to forbid the use of third-party cookies by default, though it recently delayed doing so to at least 2023. Unlike other browsers, however, instead of just dropping third-party cookies, they are trying to replace them with alternative tracking mechanisms that are just as creepy and privacy invasive.
They first implemented a new tracking method in Chrome called Federated Learning of Cohorts (FLoC). FLoC was automatically turned on for millions of Google users who were not even given the chance to opt-out. This was understandably met with widespread criticism from privacy experts. To address the situation, we voiced our concerns and immediately enhanced our tracker blocking so that our Chrome extension would protect you from FLoC.
In response, Google announced it's ending FLoC and replacing it with yet another tracking method called Topics. Like FLoC, Topics will automatically use your browsing history to infer your interests in topics (e.g., “Child Internet Safety”, “Personal Loans”, etc.). While FLoC automatically shared a cohort identifier (for a group of people with correlated interests or demographics) with websites and tracking companies, Topics will automatically share a subset of your inferred interests, which these companies can then use to target ads and content at you.
While some suggest that Topics is a less invasive way of ad targeting, we don't agree. Why not? Fundamentally it’s because, by default, Google Chrome will still be automatically surveilling your online activity and sharing information about you with advertisers and other parties so they can behaviorally target you without your consent. This targeting, regardless of how it's done, enables manipulation (e.g. exploiting personal vulnerabilities), discrimination (e.g. people not seeing job opportunities based on personal profiles), and filter bubbles (e.g. creating echo chambers that can divide people) that many people would like to avoid. Google says that users will be able to go in and delete “Topics” they don’t want shared, but Google knows full well that people rarely change default settings, plus the company routinely puts “dark patterns” in the way of users changing these settings, and is therefore making it needlessly difficult for people to take control over their privacy. Privacy should be the default.
In addition, the implementation of Topics presents a bunch of other privacy problems, including:
You know those ads that seem to follow you around onto every website you visit, long after looking something up online? Known as “re-targeting”, these ads are shown to you based on your browsing history from other websites, stored in third-party cookies. With the planned removal of third-party cookies Google decided to also introduce FLEDGE, a new method of re-targeting that similarly moves Google ad technology directly into the Chrome browser.
When you visit a website where the advertiser may want to later follow you with an ad, the advertiser can tell your Chrome browser to put you into an interest group. Then, when you visit another website which displays ads, your Chrome browser will run an ad auction based on your interest groups and target specific ads at you. So much for your browser working for you!
People are, by and large, vehemently against ad re-targeting and find it invasive and creepy. Because your browsing history is used to target you, just like Topics it opens you up to the same type of manipulation, discrimination, and potential embarrassment from highly personal ads being shown via your browser, and also operates without your consent.
For all of the above reasons and more, DuckDuckGo has enhanced the tracker blocking for our Privacy Essentials Chrome extension to block Google Topics and FLEDGE. This is directly in line with the extension's purpose of protecting your privacy holistically as you use Chrome, without any of the complicated settings. It's privacy, simplified.
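As an added example that is not DuckDuckGo's extension code, the following JavaScript shows one way a privacy extension can neutralise the browser-side Topics and FLEDGE calls, and walks through the two-site re-targeting flow described above with and without the guard in place. The API names are the real Privacy Sandbox ones; the site names, the stand-in window object and the interest-group values are constructed.

```javascript
// Added example, not DuckDuckGo's extension code: a guard of the kind a privacy
// extension's content script could install to neutralise the browser-side entry
// points the article describes. API names are the Privacy Sandbox ones
// (document.browsingTopics for Topics, navigator.joinAdInterestGroup and
// navigator.runAdAuction for FLEDGE). The window object is passed in so the flow
// can be exercised here with a constructed stand-in instead of a real Chrome.

function installPrivacySandboxGuard(win, onBlocked = () => {}) {
  const blocked = []; // audit log of attempts, so the user can see which sites tried
  const site = () => (win.location && win.location.hostname) || "unknown";
  const record = api => {
    const entry = { api, site: site() };
    blocked.push(entry);
    onBlocked(entry);
  };

  // Topics: answer with an empty topic list instead of the inferred interests.
  if (win.document) {
    Object.defineProperty(win.document, "browsingTopics", {
      configurable: true,
      value: async () => { record("browsingTopics"); return []; },
    });
  }
  if (win.navigator) {
    // FLEDGE step 1: the advertiser's site may not enrol the browser in an interest group.
    Object.defineProperty(win.navigator, "joinAdInterestGroup", {
      configurable: true,
      value: async () => { record("joinAdInterestGroup"); throw new Error("interest groups are blocked"); },
    });
    // FLEDGE step 2: the on-device auction on the publisher's site yields no winning ad (null).
    Object.defineProperty(win.navigator, "runAdAuction", {
      configurable: true,
      value: async () => { record("runAdAuction"); return null; },
    });
  }
  return blocked;
}

// Constructed stand-in for a browser window on a given site, answering as a browser
// with the features enabled would: a topic, a successful enrolment and a winning ad.
function makeFakeWindow(hostname) {
  return {
    location: { hostname },
    document: { browsingTopics: async () => [{ topic: 123 }] },
    navigator: {
      joinAdInterestGroup: async () => undefined,
      runAdAuction: async () => "urn:uuid:winning-ad",
    },
  };
}

// The re-targeting flow from the article: site A enrols the browser, site B later
// runs the auction. Returns what each step yielded, with or without the guard.
async function simulateRetargeting(guarded) {
  const advertiser = makeFakeWindow("shoes.example");
  const publisher = makeFakeWindow("news.example");
  const log = [];
  if (guarded) {
    installPrivacySandboxGuard(advertiser, e => log.push(e));
    installPrivacySandboxGuard(publisher, e => log.push(e));
  }
  // Site A: the advertiser's script asks the browser to remember this visitor.
  let joined = true;
  try {
    await advertiser.navigator.joinAdInterestGroup(
      { owner: "https://shoes.example", name: "cart-abandoners" }, 86400);
  } catch (e) {
    joined = false;
  }
  // Site B: the publisher's ad script reads topics and runs the on-device auction.
  const topics = await publisher.document.browsingTopics();
  const winner = await publisher.navigator.runAdAuction({ seller: "https://ads.example" });
  return { joined, topics, winner, blockedCalls: log.map(e => `${e.site}:${e.api}`) };
}

simulateRetargeting(false).then(r => console.log("unguarded:", r));
simulateRetargeting(true).then(r => console.log("guarded:  ", r));
```

In a real extension the guard has to run in the page's own JavaScript context before any site script executes; a site operator can additionally opt its pages out of Topics with a `Permissions-Policy: browsing-topics=()` response header.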
Privacy isn’t something you only need in certain situations or in partial amounts, and it’s a myth that you can’t have the same Internet you like and need, but with more privacy. At DuckDuckGo, we make privacy simple.
For example, our mobile apps make privacy the default, with no complicated settings, no need to understand the ins and outs of the technology, just built-in privacy protections that work, like private search, tracker blocking, website encryption (HTTPS upgrading), and email protection. You've downloaded them over 150M times since their launch in 2018, and we’ve heard your feedback that you want this same “privacy, simplified” experience on your desktops and laptops.
So today we’re excited to announce the beta launch of DuckDuckGo for Mac, with DuckDuckGo for Windows coming soon. Like our mobile app, DuckDuckGo for Mac is an all-in-one privacy solution for everyday browsing with no complicated settings, just a seamless private experience. Plus, we’re excited to share some new features we think you’ll love.
Using an app designed to protect your privacy by default not only reduces invasive tracking, it also speeds up browsing and eliminates many everyday annoyances like cookie consent pop-ups. Here’s what you need to know:
DuckDuckGo for Mac isn't simply a replacement for “Incognito mode” (which isn't actually private!) – instead DuckDuckGo for Mac is designed to be used as an everyday browser that truly protects your privacy. We have the features you expect from a browser like password management, tab management, bookmarks, and more, plus privacy features you’ll love.
Our initial testers love it!
To get access to the beta of DuckDuckGo for Mac, all you need to do is join the private waitlist. We're letting new people off the waitlist today, maybe even as you read this sentence, so the sooner you join, the sooner you'll get it. Please be patient with us though! We'll be inviting people in waves and improving the app as feedback comes in.
You won’t need to share any personal information to join. Instead, you’ll secure your place in line with a date and time that exists solely on your device, and we’ll notify you when we’re ready for you to join.
Here’s how you can join the private waitlist:
Mac only please! Windows is coming. Follow us on Twitter for updates.
If you try the new app, we’d love to hear from you! You can submit feedback and report issues by clicking on the settings menu in the top right corner of the window and selecting “Send Feedback”.
Note that during this beta period, DuckDuckGo for Mac is not available in the Mac App Store and is not to be confused with our DuckDuckGo Privacy Essentials Safari Extension that is currently available in the Mac App Store.
DuckDuckGo for Mac being in beta means that the experience is still evolving.
For example, you may notice we don't yet support extensions. Turns out the most popular extensions are password managers and those that protect you from creepy ads. So, we built these features right into our app, which has benefits for privacy, security, speed, and simplicity. We're working on how to provide additional extension functionality without compromising those critical elements, but in the meantime we’re confident our built-in features can meet your needs.
Blocking Creepy Ads
Our built-in tracker blocker isn’t a general “ad blocker”, but it does have the effect of blocking most creepy ads. Let me explain. Using our best-in-class tracker data set we block invasive trackers, which then typically blocks the invasive ads themselves. In other words, if you use an ad blocker to avoid creepy ads and tracking, you should like DuckDuckGo for Mac.
Using a new browsing app doesn’t mean you have to lose your saved usernames and passwords. Our built-in password manager helps you import passwords from other browsers and browser extensions like 1Password or LastPass. We’re still in the process of building password management into our mobile apps and plan to offer private sync of passwords and bookmarks for a cohesive cross-device experience.
At DuckDuckGo our mission is to show the world that protecting privacy is simple. We know that in order to do this we must build apps that are a pleasure to use and provide as comprehensive privacy protection as possible, whether you're on your phone, at your desk, in a hammock, or somewhere else that is even nicer than a hammock. DuckDuckGo for Mac is a major step in this direction, and we thank you in advance for helping us make it even better!
What makes DuckDuckGo for Mac unique is more than just what you see, it’s also how it is built. A traditional browser is made up of two parts: a rendering engine that translates web code into the websites you see, and then everything else that surrounds and supports that interface like bookmarks, tabs, settings, password management, tracker blocking, etc.
Over the past decade, the most common way new browsers have been developed is through a process known as “forking”. Developers copy (“fork”) a browser like Chrome (technically the project they fork is called Chromium) – and start with both the rendering engine and all the pieces that surround it. Then they build new stuff on top of it (and/or delete/change some of the Chromium code) to create the new browser.
DuckDuckGo for Mac does not fork Chromium (or anything else). Instead, we use the rendering engine that comes with macOS, which is created by Apple and the same rendering engine Safari uses. By building off the macOS rendering engine, our browser should also be most compatible with the Mac system (the same as Safari). Technically, we don’t have to “fork” any code to do this – we just call an API provided by macOS.
We are building everything else from scratch. So beyond rendering, all the code is ours – written by DuckDuckGo engineers with privacy, security, and simplicity front of mind. This means we don’t have the cruft and clutter that has accumulated in browsers over the years, both in code and design, giving you a modern look and feel and a faster speed. We plan to open source our Mac app after the beta period, like we’ve done for our iOS & Android app, and many of our built-in privacy protections are already open sourced.
We are taking a similar approach to Windows (more on that later this year). Ultimately, we’d love to support Linux as well, but we are focused on Mac and Windows for now. Follow us on Twitter if you'd like to stay up to date on our latest product announcements and how we're continuing to make "Privacy, simplified" a reality.
We believe online privacy should be simple and accessible to everyone. That’s why we spent 2021 strengthening our all-in-one privacy solution and helping people take back their privacy with one easy download.
From improvements to search, tracker blocking, and our mobile app, to new features like Email Protection and App Tracking Protection, we're building a simple privacy layer for how people use the Internet today, without any tradeoffs. It’s privacy, simplified.
As our product becomes even easier to use and more comprehensive, we’ve seen a tremendous response from users. We’re now the most downloaded browsing app on Android in our major markets (and #2 on iOS behind Chrome), we’re averaging more than 100 million searches a day, and our most recent survey showed 27 million Americans (9%) use DuckDuckGo.
Worldwide we’ve had over 150 million downloads of our all-in-one privacy apps and extensions since we moved beyond just private search in 2018. Check out a recap of some of the progress we made in 2021, and a first look at our desktop app, now in closed beta.
Email Protection: Ducking Email Trackers in Your Inbox
We announced the beta release of Email Protection, our free email forwarding service that removes trackers in your email and protects the privacy of your personal email address without asking you to change email providers. Join the waitlist through the DuckDuckGo mobile app today!
App Tracking Protection: Extending Privacy to Your Android Apps
Last month we released App Tracking Protection into beta, a new feature in our Android app that blocks third-party trackers like Google and Facebook lurking in other apps. Users trying out the new feature are already surprised by how much tracking normally happens on their devices. Join the waitlist through the DuckDuckGo Android app to give it a try!
Private Search: Better Results, Updated Design, Same Privacy.
This year we made a lot of improvements to our search results. If you tried our search engine a few years ago, but could only go part-time then, you should really give us another shot in 2022. We revamped our search results page to give it a more simple and modern design, and continued to refine and improve our local, maps, and directions results.
Some other improvements we made include a new translations instant answer, revamped definitions and weather answers, custom date range filtering, more filters on images, and improvements to advanced search. You can expect even more search improvements in the coming year.
Tracker Blocking: Extending Blocking to Embedded Facebook Content
Unlike tracking protection from the major browsers, we block hidden trackers before they load. Most tracking protection just restricts trackers after they load, which can still leak your information.
Sometimes trackers aren’t exactly hidden though: they can also be associated with embedded content on pages, like posts, comments, and other content from Facebook. This year our browser extension got a new feature that identifies this content from Facebook, blocks it on websites before it loads, and gives users the choice to load the content if they want to. Extension users have loved this update since it gives them more privacy and transparency at the same time, and we plan to both expand on it and bring it to our mobile app in 2022.
We also spent a lot of time this year ensuring our tracker blocking doesn’t break sites by setting up and launching a continuous process to receive and react to breakage feedback from users in real-time. In addition, we continued to strengthen our core Tracker Radar data set through more crawling and testing, including looking out for CNAME cloaking (where third-parties pretend they are first-parties). We also rolled out Global Privacy Control across all platforms and maintained our best-in-class Smarter Encryption data set.
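The two ideas in the passages above, deciding about a request before it is fetched and seeing through CNAME cloaking where a third-party tracker hides behind a first-party-looking hostname, can be shown in a small request classifier. This is an added example and not DuckDuckGo's Tracker Radar code; the tracker list, the CNAME records and the two-entry public-suffix list are constructed test data, and the decision logic is one plausible design rather than the extension's own.

```python
"""Decide whether an outgoing request is a tracker before it is fetched,
following CNAME chains so a "first-party" hostname that really points at a
tracker is still caught.

Added example (not DuckDuckGo's code). The tracker list, CNAME records and
public-suffix entries below are constructed test data.
"""
from __future__ import annotations

# Constructed: eTLD+1 of known tracking networks.
TRACKER_DOMAINS = {"tracker.example", "adnet.example"}

# Constructed CNAME records standing in for live DNS answers.
CNAME_TABLE = {
    "metrics.shop.example": "c1.tracker.example",   # cloaked: looks first-party
    "c1.tracker.example": "edge.adnet.example",
    "static.shop.example": "cdn.shop.example",      # legitimate first-party alias
}

# Toy public-suffix list; real code uses the full list (publicsuffix.org).
PUBLIC_SUFFIXES = {"example", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 ("site") of host using the toy suffix list."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def resolve_cname_chain(host: str, max_hops: int = 8) -> list[str]:
    """Follow CNAME aliases from host, guarding against loops and long chains."""
    chain, seen = [host.lower()], {host.lower()}
    while chain[-1] in CNAME_TABLE and len(chain) <= max_hops:
        nxt = CNAME_TABLE[chain[-1]]
        if nxt in seen:
            break  # CNAME loop: stop rather than spin
        seen.add(nxt)
        chain.append(nxt)
    return chain


def classify_request(page_host: str, request_host: str) -> dict:
    """Classify a request made by the page at page_host to request_host.

    A request is blocked when its own site is a known tracker, or when any
    alias on its CNAME chain lands on a tracker site other than the page's.
    """
    site = registrable_domain(page_host)
    chain = resolve_cname_chain(request_host)
    third_party = registrable_domain(request_host) != site
    reason = "allow"
    if third_party and registrable_domain(request_host) in TRACKER_DOMAINS:
        reason = "third_party_tracker"
    else:
        for alias in chain[1:]:
            alias_site = registrable_domain(alias)
            if alias_site != site and alias_site in TRACKER_DOMAINS:
                reason = "cname_cloaked"
                break
    block = reason != "allow"
    return {
        "third_party": third_party,
        "cname_chain": chain,
        "reason": reason,
        "block": block,
        # Global Privacy Control signal on requests that are allowed through.
        "headers": {} if block else {"Sec-GPC": "1"},
    }


if __name__ == "__main__":
    for req in ["metrics.shop.example", "static.shop.example",
                "pixel.adnet.example", "api.partner.example"]:
        print(req, classify_request("www.shop.example", req))
```

The point of the CNAME walk is that `metrics.shop.example` passes a plain same-site check, so a blocker that only compares hostnames forwards it; only resolving the alias chain reveals that the bytes go to `tracker.example`. In a real extension the CNAME data comes from the resolver (or a pre-crawled data set, as the post describes), and the suffix list must be the complete one, since `co.uk`-style suffixes are exactly where a naive "last two labels" rule misclassifies sites.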
Mobile App: Burn, Flush, or Blow Private Data Away
According to our conversations with users, one of the things they love most about our mobile app for iOS and Android is our Fire Button. Who wouldn’t love the feeling of clearing all your tabs and browsing data with one fiery tap? This year we added new animation options to the Fire Button so now instead of burning your data, you can choose to flush it down a virtual drain or watch it get blown away!
In addition, some other app improvements we made this year include adding a “Fireproofing” prompt so you have the choice to keep certain sites logged in between burns, a new setting to change font sizes on web content, simplifying the search bar (so there aren’t two search bars when on our search pages), and speeding up loading time on Android.
Desktop App: The Privacy, Speed, and Simplicity of our Mobile App Comes to Desktop
Like we’ve done on mobile, DuckDuckGo for desktop will redefine user expectations of everyday online privacy. No complicated settings, no misleading warnings, no “levels” of privacy protection – just robust privacy protection that works by default, across search, browsing, email, and more. It's not a "privacy browser"; it's an everyday browsing app that respects your privacy because there's never a bad time to stop companies from spying on your search and browsing history.
Instead of forking Chromium or anything else, we’re building our desktop app around the OS-provided rendering engines (like on mobile), allowing us to strip away a lot of the unnecessary cruft and clutter that’s accumulated over the years in major browsers. With our clean and simple interface combined with the beloved Fire Button from our mobile app, DuckDuckGo for desktop will be ready to become your new everyday browsing app. Compared to Chrome, the DuckDuckGo app for desktop is cleaner, way more private, and early tests have found it significantly faster too!
You’ve probably heard about companies tracking you behind the scenes on smartphone apps they don’t own (like Google hiding in the Nike app). These hidden app trackers are super creepy because they can track everything you do in an app and also can continue to track you even when you’re not using the app. Many of these trackers are designed to record your activity in real time: where you are, what you’re doing, where you’ve been, and even how many hours you sleep at night.
Across all your apps, your personal data is being sent to dozens of third-party companies, thousands of times per week. This data enables tracking networks like Facebook and Google to create even more detailed digital profiles on you. With those profiles, tracking networks can manipulate what you see online, target you with ads based on your behavior, and even sell your data to other companies like data brokers, advertisers, and governments.
Over 96% of the popular free Android apps we tested (based on AndroidRank.org rankings) contained hidden third-party trackers. Of those, 87% sent data to Google and 68% sent data to Facebook. A report by AppCensus found similar results.
Recently Apple introduced App Tracking Transparency, a feature for iPhones and iPads that asks users in each app whether they want to allow third-party app tracking or not, with the vast majority of people opting out. However, most smartphone users worldwide use Android, where no similar feature exists. In fact, advertisers are now spending more money on Android apparently because it’s now easier to track you there. That’s why we’re excited to announce the beta of App Tracking Protection for Android!
App Tracking Protection for Android is free and blocks most trackers it identifies in other apps from third-party companies (those different from the company that owns each app). It is now built right into the DuckDuckGo Android app.
After enabling App Tracking Protection, the DuckDuckGo app will detect when your Android apps are about to send data to third-party tracking companies found in our app tracker dataset, and block most of those requests. You can enjoy your apps as you normally would and App Tracking Protection will run in the background and continue to block the detected trackers throughout your apps, even while you sleep. We are continually working to identify and protect against new trackers, so you can rest easy knowing you’re getting the most up-to-date protection.
App Tracking Protection is not a virtual private network (VPN), though your device will recognize it as one. This is because App Tracking Protection uses a local “VPN connection” which means that it works its magic right on your smartphone. However, App Tracking Protection is different from VPNs because it never routes app data through an external server.
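A local "VPN connection" hands every outgoing packet from every app to one process on the device, which can then drop the ones headed for trackers without any external server seeing them. The post does not say how App Tracking Protection matches traffic, so the following added example (not DuckDuckGo's code) assumes one common design: inspect DNS queries inside the tunnel and block lookups for names on a tracker list, with a small breakage allowlist of the kind the post mentions. The tracker list, the allowlist and the packets are all constructed here, with checksums zeroed.

```python
"""Inspect a packet as a local VPN tunnel would and decide whether it is a
DNS lookup for a known tracker host.

Added example, not DuckDuckGo's App Tracking Protection code. The matching
strategy (DNS-query inspection) is an assumption; the tracker list, the
allowlist and the packets are constructed, with checksums left at zero.
"""
import socket
import struct

# Constructed tracker networks (eTLD+1) and an example of a tracker host that
# is left alone because blocking it breaks app logins.
TRACKER_DOMAINS = {"tracker.example", "adnet.example"}
BREAKAGE_ALLOWLIST = {"login.adnet.example"}


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (used to construct test packets)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # standard query, RD set
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Wrap payload in UDP and IPv4 headers; checksums are 0 (constructed data)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse_ipv4_udp(pkt: bytes):
    """Return (dst_ip, dst_port, udp_payload), or None if not IPv4/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:  # protocol 17 = UDP
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return socket.inet_ntoa(pkt[16:20]), dport, pkt[ihl + 8:ihl + ulen]


def parse_query_name(dns: bytes):
    """Extract the first question name from a DNS query; None if malformed."""
    if len(dns) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if flags & 0x8000 or qdcount < 1:
        return None  # a response, or no question section
    pos, labels = 12, []
    while True:
        if pos >= len(dns):
            return None
        n = dns[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(dns):
            return None  # compression pointer (invalid here) or truncated label
        labels.append(dns[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels).lower()


def registrable_domain(host: str) -> str:
    """Toy eTLD+1 (last two labels); real code uses the public-suffix list."""
    return ".".join(host.split(".")[-2:])


def decide_packet(pkt: bytes) -> dict:
    """Return {"action": "block"|"forward", "qname": ...} for one tunnelled packet."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None or parsed[1] != 53:
        return {"action": "forward", "qname": None}  # not a DNS query: pass through
    qname = parse_query_name(parsed[2])
    if qname is None:
        return {"action": "forward", "qname": None}
    if qname in BREAKAGE_ALLOWLIST:
        return {"action": "forward", "qname": qname}
    if registrable_domain(qname) in TRACKER_DOMAINS:
        return {"action": "block", "qname": qname}
    return {"action": "forward", "qname": qname}


if __name__ == "__main__":
    q = build_ipv4_udp("10.0.0.2", "1.1.1.1", 40000, 53, build_dns_query("pixel.tracker.example"))
    print(decide_packet(q))
```

Dropping the DNS query is what makes the tracker's request fail quietly inside the app, and nothing leaves the device to do it. The limits are worth knowing as a defender: an app that resolves names over DNS-over-HTTPS or connects to a hard-coded IP address never sends a plain DNS query through the tunnel, so a production filter also has to look at connection destinations, and the parser must reject malformed packets (as `parse_query_name` does) rather than crash, since it is processing input from every app on the phone.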
Directly from the DuckDuckGo app, you can see a real time view of App Tracking Protection blocking trackers as well as which tracking networks they tried to send data to. If you have notifications on, you’ll also get automatic summaries.
To get access to the beta of App Tracking Protection, join the private waitlist! We're letting new people in every week, so the sooner you join, the sooner you'll be protecting your app privacy.
You won’t need to share any personal information to join the private waitlist. Instead, you’ll secure your place in line with a date and time that exists solely on your device, and we’ll notify you when we’re ready for you to join.
We decided to release App Tracking Protection in beta while we work on getting the experience just right. While it’s in beta, there are a small number of apps being excluded because they rely on tracking to work properly. A small number of trackers are also being excluded because they cause critical breakage like not being able to login to apps. We hope to reduce these lists even further over time. Browsing apps and apps with prominent in-app browsers are also currently excluded by default because App Tracking Protection breaks them. For more private browsing, we suggest using our browsing app instead.
For general feedback or issues with the DuckDuckGo app: open Settings > Share Feedback (in the Other section). If you run into issues with another app on your smartphone as a result of App Tracking Protection (e.g., videos don’t load properly, you cannot upload/send files, you experience download problems, the app feels sluggish, etc.), you can disable protection for just that app under Manage Protections for Your Apps. You'll then be asked to give details of the problem you experienced.
If you’re an Android user who has been waiting for a feature to block most hidden third-party trackers in your apps, the wait is almost over! With one download of the DuckDuckGo app you’ll soon be able to block app trackers via App Tracking Protection while also getting the other protections available from our all-in-one privacy app: private search, website protection, email protection, and more. These multiple layers of protection enable you to go about your daily online activities with more peace of mind, knowing you’re more protected.
Note: This blog post has been edited since initial publication to stay up to date with our evolving product offerings.
2021 marks DuckDuckGo's eleventh year of donations—our annual program to support organizations that share our vision of raising the standard of trust online. This year we're proud to donate to a diverse selection of organizations across the globe that strive for better privacy, digital rights, greater competition in online markets, and access to information free from algorithmic bias.
Thanks to our continued growth, we've been able to increase the donation amount this year to $1,000,000, bringing the total over the past decade to $3,650,000. Below are details of how the funds were allocated this year and we encourage you to check out the valuable work of each recipient. Everyone using the Internet deserves simple and accessible online protection. These organizations are all pushing to make that a reality.
$200,000 to the Center for Information Technology Policy (CITP)
"The Center for Information Technology Policy's [...] research, teaching, and events address digital technologies as they interact with society."
$150,000 to the Electronic Frontier Foundation (EFF)
"Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development."
$75,000 to European Digital Rights (EDRi)
"We defend rights and freedoms in the digital environment. EDRi's key priorities for the next years are privacy, surveillance, platform power and artificial intelligence."
$75,000 to The Markup
"The Markup is a nonprofit newsroom that investigates how powerful institutions are using technology to change our society."
$75,000 to Public Knowledge
"Public Knowledge promotes freedom of expression, an open internet, and access to affordable communications tools and creative works. We work to shape policy on behalf of the public interest."
$25,000 to Access Now
"Access Now defends and extends the digital rights of users at risk around the world. By combining direct technical support, comprehensive policy engagement, global advocacy, grassroots grantmaking, and convenings such as RightsCon, we fight for human rights in the digital age."
$25,000 to the Algorithmic Justice League
"AJL’s mission is to raise public awareness about the impacts of AI, equip advocates with empirical research to bolster campaigns, build the voice and choice of most impacted communities, and galvanize researchers, policymakers, and industry practitioners to mitigate AI bias and harms."
$25,000 to American Compass
"American Compass publishes research and commentary exploring how the technology sector's evolution and its effects on markets and competition pose novel regulatory challenges, and how policymakers should respond."
$25,000 to the Australia Institute's Centre for Responsible Technology
"The Australia Institute’s Centre for Responsible Technology develops public policy and research that advocate for a fairer and healthier online experience and gives back agency to individuals in our networked world."
$25,000 to Bits of Freedom
"Bits of Freedom strives to influence legislation and self-regulation, and empower citizens and users by advancing the awareness, use, and development of freedom-enhancing technologies."
$25,000 to Center for Critical Internet Inquiry (C2i2)
"UCLA Center for Critical Internet Inquiry (C2i2) is an intersectional research community committed to reimagining technology, championing racial justice, and strengthening democracy through a mix of research, culture, and policy."
$25,000 to CERRE
"CERRE is the European think tank dedicated to ever better regulation for the energy, tech, media, telecom, mobility and water sectors."
$25,000 to the British Institute for International and Comparative Law
"The Competition Law Forum is a centre of excellence for European competition and antitrust policy and law at the British Institute of International and Comparative Law (BIICL)."
$25,000 to the Detroit Community Technology Project (DCTP)
"Detroit Community Technology Project builds healthy digital ecosystems by training Digital Stewards and supporting the development of community governed internet networks."
$25,000 to Fight for the Future
"Founded in 2011, Fight for the Future works to ensure that technology is a force for empowerment, free expression, and liberation rather than tyranny, corruption, and structural inequality."
$25,000 to Freiheitsrechte (GFF)
"The GFF (Gesellschaft für Freiheitsrechte / Society for Civil Rights) is a Berlin-based non-profit NGO founded in 2015. Its mission is to establish a sustainable structure for successful strategic litigation in the area of human and civil rights in Germany and Europe."
$25,000 to the Open Rights Group
"Open Rights Group protects the digital rights of people in the UK including privacy and free speech online."
$25,000 to the Open Source Technology Improvement Fund (OSTIF)
"The Open Source Technology Improvement Fund, or OSTIF for short, is a corporate non-profit dedicated to securing critical open-source projects. This is done mainly by facilitating and managing security reviews and associated work for projects and organizations."
$25,000 to Privacy Rights Clearinghouse
"Privacy Rights Clearinghouse works to make data privacy more accessible to all by empowering people and advocating for positive change."
$25,000 to Restore the Fourth
"Opposing unconstitutional mass government surveillance."
$25,000 to the Surveillance Technology Oversight Project (STOP)
"The Surveillance Technology Oversight Project (S.T.O.P.) advocates and litigates for privacy, working to abolish local governments’ systems of discriminatory mass surveillance."
$25,000 to the Tor Project
"We believe everyone should be able to explore the internet with privacy. We advance human rights and defend your privacy online through free software and open networks."
At DuckDuckGo our vision is to raise the standard of trust online. We do of course also care about our impact offline, and so we've stepped up to do our part in the climate crisis. We have already been doing what we can to minimize our carbon footprint including using sustainable energy to power our servers and being a fully distributed company.
Today, we’re proud to announce DuckDuckGo is now carbon negative dating back to our founding in 2008 through 2020, and we are committed to being carbon negative in perpetuity.
When we set out to do this, we quickly realized there isn't much guidance for companies like ours that have 100% distributed teams and provide non-physical goods and services. We hope our experience figuring this out can be a reference guide for similar organizations. Here’s the summary:
We will use this blueprint for 2021 and beyond.
We set out to calculate our carbon footprint using the commonly used Greenhouse Gas Protocol. The Protocol groups emissions into three “scopes” and additional activities:
Many companies who claim they are “carbon neutral” are often only looking at their Scope 1 or Scope 1 & 2 emissions, even though Scope 3 and Full Upstream/Downstream Activities are often where the vast majority of emissions take place, especially for organizations not producing or processing physical goods.
In addition, many organizations only look at activities where clear guidelines have been defined (e.g., air travel), but ignore areas where there are no guidelines (e.g., impact of marketing, home offices, etc.), even if much of the organization’s carbon emissions are the result of these activities.
At DuckDuckGo we didn't think the standard went far enough, so we redefined our approach to make us responsible for all emissions we cause that are not already net zero, regardless of their categorization (or lack thereof).
To estimate our emissions, we pulled together leading source material from environmental agencies around the world including the UK DEFRA / DEEC 2012 GHG Conversion Factors for Company Reporting, the EPA's 2018 Emission Factors for Greenhouse Gas Inventories Report, the BEIS' 2019 Government Greenhouse Gas Conversion Factors for Company Reporting Methodology Paper, and the Environmental Commission of Ontario's 2019 Climate Pollution Report. From here, we mapped out the carbon footprint of every single transaction on our books for the entire 2019 calendar year (since we started working on this in mid-2020), and used that to build a model to estimate category emissions per accounting transaction. That means every vendor bill and credit card purchase by a team member.
While some transactions fit into standard models developed by government agencies (e.g., air travel), it turns out that to our knowledge, no one in government has ever calculated the carbon emissions of an online display advertisement. So, in cases where there was no standard model, or we felt a standard model clearly under-estimated the actual carbon footprint, we developed our own formulas.
This led to us estimating some currently unorthodox emissions including:
We then surveyed our team to better understand their home-office/co-working situations, including the hardware and software they use, their work-related transit, and recorded all this usage as if it were regular direct Scope 1 emissions.
Lastly, we checked for the sustainability programs of every single vendor we used or had made a corporate purchase from in any capacity. Where one couldn't be identified, or where the program clearly failed to account for 100% of their carbon emissions, we recorded the full CO2e emissions from those transactions as our own.
In the end, our estimate for our 2019 emissions — including Scope 1, 2, 3, and Full Upstream/Downstream Activities — totaled 1,075T of CO2e. That works out to 14.33T of CO2e per year per full-time team member on average, which we used to calculate a total of 5,875T of CO2e for the entire existence of DuckDuckGo back to our 2008 founding through 2020.
Once we felt our carbon emissions were properly estimated, we set out to understand how we could properly achieve net zero emissions in a way that would:
After an extensive review of our options, we ended up partnering with GoldStandard.org, an international non-profit foundation that is focused on reducing carbon emissions through sustainable investment in carbon reduction projects that also help improve the lives of those involved. In their words these projects "make a net-positive contribution to the economic, environmental and social welfare of the local population that hosts it, in the form of contributions to a minimum of three Sustainable Development Goals (SDGs).”
We are funding Gold Standard projects to account for 125% of our estimated emissions, which through 2020 amounted to 7,343T. These projects included:
The full list of these projects and credits can be validated on the GoldStandard.org Impact Registry. We're proud that DuckDuckGo is not only achieving net zero emissions, but doing so in a way that we hope will have a transformative and on-going impact around the world, creating jobs and improving the health and quality of life for many.
“We applaud DuckDuckGo for taking full responsibility for their climate impact, including harder-to-measure Scope 3 emissions, by supporting high-impact, community-based Gold Standard projects. Beyond that, DuckDuckGo is financing climate mitigation that’s more expensive today in a bid to bring down the cost curve for future scaling – this is in the spirit of the WWF Blueprint for Climate and Nature, and a model for others to follow.”
– Gold Standard Chief Executive Officer, Margaret Kim
Addressing the climate crisis requires us to collectively get to net zero global emissions. We believe doing so will require the use of new technologies at scale such as physically removing carbon from the atmosphere and sequestering it permanently. Unfortunately, this technology is too expensive right now to make an impact at scale.
That's why we are proud we were one of the first companies to join Stripe's Climate Program to bring down the cost of this technology by making commitments to fund this new type of carbon reduction. Unlike other carbon reduction methods, Stripe's program requires that all carbon removal has a permanence of greater than a thousand years, is directly measured and verifiable, and has a net-negative lifecycle ratio of less than one.
While the program is normally only available for Stripe customers, DuckDuckGo is pleased to work directly with Stripe and has committed that every year, whatever amount of money we spend on Gold Standard projects, we will make an equal dollar contribution to Stripe's climate program to help directly remove carbon from the air, and more importantly, help pull this technology forward.
“We launched Stripe Climate to make it easy for any business to support high-potential carbon removal technologies. DuckDuckGo was one of the earliest Stripe Climate users—we’re grateful for their partnership and we hope their ongoing commitment can serve as a powerful example to other businesses who want to join the growing coalition of companies working to mitigate climate change.”
— Nan Ransohoff, Head of Climate at Stripe.
As a DuckDuckGo user, we hope you can rest assured that we are doing our part in the climate crisis. In creating our sustainability program, we researched extensively to understand the true scope of our emissions.
We're now achieving net zero emissions through programs that not only are rigorously measured, but also continue to have a positive environmental and societal impact year after year. After all that, we're going carbon negative by funding projects to account for 125% of our emissions, and then doubling that total amount to invest in physically removing carbon from the air to advance this important technology for our future.
At DuckDuckGo, we're committed to doing our part, both online and off.
Note: This blog post has been edited since initial publication with additional information about our sustainability commitments.
Reading your email should be a private activity. You may be surprised to learn that 70% of emails contain trackers that can detect when you’ve opened a message, where you were when you opened it, and what device you were using. If that isn’t creepy enough, this email data can be used to profile you, including to target you with ads, and influence the content you see online. Ever open an email and see a related ad about it soon thereafter? Yup, blame email trackers. This data about you is also usually sent directly to third parties, most likely without your consent.
We’re excited to announce the beta release of DuckDuckGo’s Email Protection. Our free email forwarding service removes email trackers we can find and protects the privacy of your personal email address without asking you to change email services or apps. Most existing email privacy solutions come with significant tradeoffs. You either have to switch email services or apps entirely, or degrade your email experience by hiding all images. We believe protecting your personal information from leaking to third parties should be simple and seamless, like the rest of DuckDuckGo’s privacy protection bundle.
Choose your Duck Email Address (email@example.com) and start giving it out. We remove most hidden trackers from incoming emails sent to this address, then forward them to your regular inbox for safer reading. This means if you use an email service like Gmail or Yahoo, it’s no problem! Emails sent to your Personal Duck Address will arrive there as usual so you can read your email like normal, in any app or on the web, worry-free.
Get automatic Email Protection in the app. The DuckDuckGo app and extension provide easy access to your Personal Duck Address when browsing the web and also give you the option to generate new Private Duck Addresses on demand.
On sites you think could spam you or share your email address, a Private Duck Address will protect you. Since it’s common for sites to upload your email address to Google and Facebook for ad targeting, or for your email to be leaked in a data breach, this extra level of identity protection is now unfortunately necessary. You can think of it as similar to not reusing the same password everywhere. We’ve also made Private Duck Addresses easy to deactivate, so there’s no stress if you start receiving too much spam.
We believe the content of your emails is none of our business, so DuckDuckGo will never save your emails for this service. We don't need to! When we receive an email, we immediately apply our tracker protections and then forward it to you, never saving it on our systems. We don’t even save the headers (e.g., to/from). Read more in our Privacy Guarantees.
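The tracker removal described above comes down to finding the hidden images in an HTML message before it reaches the reader's inbox. As an added example that is not DuckDuckGo's Email Protection code, the following filter parses an e-mail body, drops `<img>` elements that point at a known tracker host, are 1x1 or smaller, or are styled invisible, and reports what it removed. The tracker domains and the sample message are constructed.

```python
"""Strip tracking pixels from an HTML e-mail body before forwarding it.

Added example (not DuckDuckGo's code). The tracker list and the sample
message below are constructed.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed tracker hosts (eTLD+1); a deployment would use a maintained data set.
TRACKER_DOMAINS = {"track.example", "openpixel.example"}


def _registrable(host: str) -> str:
    """Toy eTLD+1 (last two labels); real code needs the public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def _px(value: str | None) -> int | None:
    """Parse a width/height attribute such as "1", "1px" or "0"."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def is_tracking_pixel(attrs: dict[str, str | None]) -> str | None:
    """Return a reason string if the <img> looks like a tracker, else None."""
    src = attrs.get("src") or ""
    host = urlsplit(src).hostname or ""
    if host and _registrable(host) in TRACKER_DOMAINS:
        return f"known tracker host {host}"
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return f"{w}x{h} pixel from {host or 'inline'}"
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return f"hidden image from {host or 'inline'}"
    return None


class PixelStripper(HTMLParser):
    """Re-emit the document verbatim, except for <img> tags judged to be trackers."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)  # keep &amp; etc. as written
        self.out: list[str] = []
        self.removed: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            reason = is_tracking_pixel(dict(attrs))
            if reason:
                self.removed.append(reason)
                return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # raw text already ends in "/>"

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_tracking_pixels(html: str) -> tuple[str, list[str]]:
    """Return (cleaned_html, list_of_removal_reasons)."""
    parser = PixelStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message: one real logo, three trackers of different kinds.
SAMPLE_EMAIL = """<html><body>
<p>Hi Alice, your order has shipped &amp; will arrive Friday.</p>
<img src="https://cdn.shop.example/logo.png" width="120" height="40" alt="Shop">
<img src="https://openpixel.example/o/abc123.gif" width="1" height="1" alt="">
<img src="https://shop.example/img/spacer.gif" style="display:none" />
<img src="https://track.example/r?u=alice" width="200" height="50">
</body></html>"""

if __name__ == "__main__":
    cleaned, removed = strip_tracking_pixels(SAMPLE_EMAIL)
    print(cleaned)
    print(removed)
```

Two details matter for a forwarding service like the one described. The parser reproduces the message byte-for-byte apart from the removed tags, so the reader's mail client renders it as the sender intended, which is the "no tradeoffs" property the post is after (compare the blunt alternative of hiding all images). And the tracker-host rule is checked first, because a tracker served at a normal size is still a tracker. What this filter does not do is rewrite click-tracking links; those need URL rewriting, which is a separate step.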
We’re releasing our Email Protection feature into beta while we’re ironing out the wrinkles. To get access to the beta, just join the private waitlist! We're letting new people in every day, but the sooner you join, the sooner you'll be protecting your email privacy.
You won’t need to share any personal information to join the waitlist. You’ll secure your place in line with a timestamp that exists solely on your device, and we’ll notify you when we’re ready for you to join. Once you have a Personal Duck Address, you can expect DuckDuckGo to support it long-term so you can confidently share it from day one.
Having control over your privacy shouldn't be complicated or require tradeoffs. Our mission is to make it simple and stress free, for email and everything else you do online. It’s privacy, simplified.
Note: This blog post has been edited since initial publication to stay up to date with our evolving product offerings.
Will people take action to protect their online privacy? Duck yes.
Privacy skeptics have dominated the discussion about online privacy for too long. “Sure people care about privacy, but they’ll never do anything about it.” It’s time to lay this bad take to rest.
Not only will consumers act to protect their privacy – they already are. Since the launch of iOS 14.5 in April, 84% of people in the U.S. have actively opted out of tracking after seeing the new prompt shown on Apple devices.
When made simple and without sacrifice, most people will choose privacy.
DuckDuckGo is the “easy button” for online privacy. That’s why our apps have been downloaded more than 50 million times over the last 12 months, more than all prior years combined.
Over our 13-year history, people have been introduced to DuckDuckGo in a few different ways depending on how and when they first heard about us: as a private search engine replacement for Google search, as a mobile privacy browser replacement for Chrome, or as a desktop browser extension that protects your browsing through top-of-the-line tracker blocking and the most HTTPS coverage.
What users love about DuckDuckGo is that we combine all these essential privacy features into one simple download on every major web platform (iOS, Android, Chrome, Safari, Firefox, Edge, etc.) with no complicated settings and privacy set as the default. There is no other place where users can get an all-in-one privacy bundle active by default, for free. We believe in simple privacy protection with no tradeoffs, so we explicitly designed our app to focus on not breaking your web experience while getting faster load times with less data transferred.
Spurred by the increase in DuckDuckGo app usage, over the last 12 months our monthly search traffic increased 55% and we grew to become the #2 search engine on mobile in many countries, including the U.S., Canada, Australia, and the Netherlands (StatCounter/Wikipedia). We don’t track our users so we can’t say for sure how many we have, but based on market share estimates, download numbers, and national surveys, we believe there are between 70 and 100 million DuckDuckGo users.
We’re excited to start rolling out additional privacy features to our all-in-one privacy bundle. In a few weeks, DuckDuckGo Email Protection will be available in beta which will give users more privacy without having to get a new inbox. Later this summer, app tracker blocking will be available in beta for Android devices, allowing users to block app trackers and providing more transparency on what’s happening behind the scenes on their device. Before the end of the year, we also plan to release a brand-new desktop version of our existing mobile app which people can use as a primary browser.
By continuing to expand our simple and seamless privacy bundle, we continue to make our product vision, “Privacy, simplified.” a reality.
Becoming a household name for simple privacy protection.
DuckDuckGo has been profitable since 2014 and today our revenue exceeds $100 million a year, giving us the financial resources to continue growing rapidly. At the end of 2020, we completed a mainly secondary investment of over $100 million from new and existing investors, creating an early liquidity moment for employees and early investors while strengthening our financial position. Investors included OMERS Ventures, Thrive, GP Bullhound, Impact America Fund, Brian Acton, Tim Berners-Lee, Freada Kapor Klein, Mitch Kapor, and others.
Our thriving business also gives us the resources to tell more people there is a simple solution for online privacy they can use right now. Over the last month, we’ve rolled out billboard, radio, and TV ads in 175 metro areas across the U.S., with additional efforts planned for Europe and other countries around the world.
We believe getting privacy online should be simple and accessible to everyone, period.
Privacy is freedom. It treats people like people, not data points, and empowers anyone online to escape manipulation from online profiling. On a societal scale, reducing data collection and targeting helps curb systemic online problems such as the rapid spread of misinformation, political polarization through filter bubbles, ad exploitation, and more.
When users install DuckDuckGo, not only are they reclaiming their online privacy, but they’re also raising the standard of trust online. Everyone at DuckDuckGo is working hard every day to make privacy the default, not the exception.
This is the ninth in our series of posts about search preference menus.
Today it takes over 15 clicks to change your search engine across an Android device, including downloading a new app, updating the search widget on your home screen to the widget that comes with the app, and then changing the search default in your default browser.
Consumers deserve a better method where alternative search engines are actually “just one click away.” To accomplish this, we have been proposing a search preference menu that empowers consumers to easily switch search engines, significantly increasing competition. This series has focused on many aspects of a properly designed search preference menu such as visual design, including all eligible search engines, and not charging search engines to appear.
Another key aspect is that competing search engines should have an easy way to guide consumers to the search preference menu.
Right now, for example, Google’s search preference menu in Europe is shown to consumers just once, on initial device setup. Believe it or not, the only way to get back to it thereafter is to erase all data on the device through a hard “factory reset,” returning the device to an initial device setup state.
That means, for all practical purposes, if you want to change your default device search engine again easily, you can’t. You’re back to the over-15-clicks method, which we know from experience trips up almost everyone. In other words, one-click competition becomes in fact "one factory reset away." The only reasons we can think of for setting up a preference menu this way are anti-competitive ones.
The sensible approach is to give users an easy pathway to the search preference menu by letting them tap a link from a search engine app or website within the default browser (e.g., Chrome). With that simple tap, the user is whisked directly to the search preference menu.
Not allowing competing search engines to easily guide consumers back to the search preference menu is a pretty big dark pattern because it is requiring users to make an important choice when they often aren’t ready to do so, and then not giving them the option to easily change their mind later while using a competing search engine.
When setting up a device, a user goes through over a dozen screens and may not be in the frame of mind to change their search engine. By contrast, they are much more likely to select an alternative after they just downloaded a search engine’s app or navigated to their website.
So, to anyone considering implementing a search preference menu, or drafting regulations covering search preference menus, please ensure that consumers can access it at any time, especially after a consumer has just chosen to use a competing search engine. That is, just showing it during onboarding and including additional access via device settings is not enough because of the power of defaults, and, from our experience, it is difficult for consumers to navigate the many layers of device setting menus.
Functionality that allows competing search engines to guide consumers directly to the preference menu is necessary for consumer empowerment and search market competition.
When using the DuckDuckGo all-in-one privacy browser extension for desktop Firefox, Chrome, or Edge, or our own mobile browser for iOS and Android, one of the ways we protect your browsing is through our Smarter Encryption technology. It detects unencrypted (HTTP) connections to websites and automatically upgrades them to encrypted (HTTPS) connections when possible, keeping your personal data like your search terms, the exact pages you visit, and anything you type into a website private from possible network snoopers.
Today, we’re proud to announce another milestone bringing our best-in-class privacy protection technology to millions more people: The Electronic Frontier Foundation (EFF) is incorporating data from Smarter Encryption into their HTTPS Everywhere browser extension. EFF has been defending digital rights and privacy for over 30 years and Smarter Encryption itself was inspired by their pioneering work.
When Smarter Encryption launched, out of the gate it was far more comprehensive than similar technologies because it is automatically generated by crawling the web, and re-crawling continuously to ensure that users don't face any breakage when websites change. This automated process has enabled us to keep up with the growing number of websites adopting HTTPS solutions such as Let’s Encrypt (co-founded by EFF, Mozilla and University of Michigan) – something that has become increasingly difficult for maintainers of crowd-sourced approaches. On DuckDuckGo Search, for example, the full Smarter Encryption dataset derived from our automatic crawling now covers around 90% of all website clicks from search results.
If you have the HTTPS Everywhere extension installed in your browser, you don’t need to do anything and shouldn't notice anything different other than seamlessly enjoying even greater encryption protection. You can of course also make use of the technology by using the DuckDuckGo app/extension or by simply starting your web searches on DuckDuckGo Search.
If you’d like to use the Smarter Encryption code or dataset yourself, non-commercial users are free to do so under the Creative Commons CC BY-NC-SA 4.0 license. For commercial use, please reach out directly to our Partnerships team.
“We're delighted that DuckDuckGo's Smarter Encryption is now available in HTTPS Everywhere. When we started the project, the vast majority of the internet was not protected. Now it is, and preserving and completing that work is vital for us all. There is no group better suited to do this than DuckDuckGo.”
– Jon Callas, EFF Director of Technology Projects
We think everyone deserves simple privacy protection, which is why we build privacy technology like Smarter Encryption and Tracker Radar, making it easy for people to take back their privacy without sacrifice. We’re delighted we are now more closely working with EFF to further this mission.
Note: Google recently announced their plan to use HTTPS by default in Chrome for direct navigation. That means it only affects website addresses (URLs) typed directly into the address bar that do not have an "http://" or "https://" prefix. It should not be confused with the greater protection Smarter Encryption provides, which covers all clicks and interactions as you browse the web, including clicks from social media, search engines, and other websites.
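The upgrade the article describes is a lookup: the browser holds a list of hosts known to serve their content over HTTPS, and any plain http:// navigation (typed, clicked, or followed from another site) to a host on that list is rewritten to https:// before the request leaves the machine. The Python below is an added illustration, not DuckDuckGo's or EFF's code; `HTTPS_HOSTS` is a constructed stand-in for the crawled dataset, and the rule that only default-port http:// URLs are rewritten is an assumption made here to avoid breaking sites that run something else on a custom port.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for an "upgradable hosts" dataset: hostnames that, in this
# example, are assumed to serve the same content over HTTPS without breakage.
# The real list is generated by crawling; this set is made up for the demo.
HTTPS_HOSTS = frozenset({"example.com", "www.example.com", "news.example.org"})


def upgrade_url(url: str, https_hosts=HTTPS_HOSTS) -> str:
    """Return the HTTPS form of `url` when its host is in the dataset, else `url` unchanged.

    Only plain http:// URLs on the default port are rewritten; path, query and
    fragment are preserved so the page the user asked for is still the one loaded.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url                      # already https, or not a web URL at all
    host = parts.hostname               # lower-cased; userinfo, brackets and port removed
    if host is None or host not in https_hosts:
        return url                      # unknown host: leave it alone rather than risk breakage
    if parts.port not in (None, 80):
        return url                      # assumption: a non-default port is not covered
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]   # "host:80" would be wrong on an https URL
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def upgrade_all(urls, https_hosts=HTTPS_HOSTS):
    """Apply upgrade_url to a sequence; return (rewritten list, number actually upgraded)."""
    out = [upgrade_url(u, https_hosts) for u in urls]
    return out, sum(1 for before, after in zip(urls, out) if before != after)


if __name__ == "__main__":
    # Constructed sample navigations covering the cases the function distinguishes.
    sample = [
        "http://example.com/search?q=ducks#top",
        "http://EXAMPLE.com:80/login",
        "http://other.example.net/",
        "https://example.com/already-secure",
        "http://example.com:8080/dev",
    ]
    results, n = upgrade_all(sample)
    for before, after in zip(sample, results):
        print(f"{before:45} -> {after}")
    print(f"{n} of {len(sample)} upgraded")
```

The check is deliberately conservative: a host missing from the list is left on HTTP rather than upgraded speculatively, which is why the quality of the dataset (and re-crawling it as sites change) matters more than the rewrite itself.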
On December 7, 2021, Google announced it was suing two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy’s founder is one of the men being sued by Google.
Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at Kaspersky Lab showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by TDSS (a.k.a. TDL-4 and Alureon), a stealthy “rootkit” that installs deep within infected PCs and loads even before the underlying Windows operating system boots up.
In March 2011, security researchers at ESET found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim’s network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.
Like its predecessor TDSS, Glupteba is primarily distributed through “pay-per-install” or PPI networks, and via traffic purchased from traffic distribution systems (TDS). Pay-per-install networks try to match cybercriminals who already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their malware.
In a typical PPI network, clients will submit their malware — a spambot or password-stealing Trojan, for example — to the service, which in turn charges per thousand successful installations, with the price depending on the requested geographic location of the desired victims. One of the most common ways PPI affiliates generate revenue is by secretly bundling the PPI network’s installer with pirated software titles that are widely available for download via the web or from file-sharing networks.
Over the past decade, both Glupteba and AWM Proxy have grown substantially. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any given day, and Glupteba had grown to more than one million infected devices worldwide.
There is also ample evidence to suggest that Glupteba may have spawned Meris, a massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.
But on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and filed a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime machine. AWM Proxy’s online storefront disappeared that same day.
AWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer balances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent takedowns targeting AWM Proxy’s domains and other infrastructure have conspired to keep the service on the ropes and frequently switching domains ever since.
Earlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the “RSOCKS” botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old from Omsk, Russia who runs the world’s largest forum catering to spammers.
Shortly after last week’s story on the RSOCKS founder, I heard from Riley Kilmer, co-founder of Spur.us, a startup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google’s combined legal sneak attack and technical takedown targeting Glupteba.
“The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number went down to zero on Dec. 7,” Kilmer said. “It’s not clear if that means the services were operated by the same people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their malware.”
Kilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found each Internet address being sold by RSOCKS was also present in AWM Proxy’s network. In addition, Kilmer said, the application programming interfaces (APIs) used by both services to keep track of infected systems were virtually identical, once again suggesting strong collaboration.
“One hundred percent of the IPs we got back from RSOCKS we’d already identified in AWM,” Kilmer said. “And the IP port combinations they give you when you access an individual IP were the same as from AWM.”
In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer’s revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to determine if there were additional clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.
Supporting Kilmer’s theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to spread, further research shows the RSOCKS owner also had an ownership stake in AD1[.]ru, an extremely popular Russian-language pay-per-install network that has been in operation for at least a decade.
Google took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in online advertising revenue. So it’s more than a little ironic that the critical piece of evidence linking all of these operations begins with a Google Analytics code included in the HTML code for the original AWM Proxy back in 2008 (UA-3816536).
That analytics code also was present on a handful of other sites over the years, including the now-defunct Russian domain name registrar Domenadom[.]ru, and the website web-site[.]ru, which curiously was a Russian company operating a global real estate appraisal business called American Appraisal.
Two other domains connected to that Google Analytics code — Russian plastics manufacturers techplast[.]ru and tekhplast.ru — also shared a different Google Analytics code (UA-1838317) with web-site[.]ru and with the domain “starovikov[.]ru.”
The name on the WHOIS registration records for the plastics domains is an “Alexander I. Ukraincki,” whose personal information also is included in the domains tpos[.]ru and alphadisplay[.]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.
Constella Intelligence, a security firm that indexes passwords and other personal information exposed in past data breaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of those email addresses start with some variation of “uai@” followed by a domain from one of the many Russian email providers (e.g., yandex.ru, mail.ru). [Full disclosure: Constella is currently an advertiser on this website].
But Constella also shows those different email addresses all relied on a handful of passwords — most commonly “2222den” and “2222DEN.” Both of those passwords have been used almost exclusively in the past decade by the person who registered more than a dozen email addresses with the username “dennstr.”
The dennstr identity leads to several variations on the same name — Denis Strelinikov, or Denis Stranatka, from Ukraine, but those clues ultimately led nowhere promising. And maybe that was the point.
Things began looking brighter after I ran a search in DomainTools for web-site[.]ru’s original WHOIS records, which shows it was assigned in 2005 to a “private person” who used the email address firstname.lastname@example.org. A search in Constella on that email address says it was used to register nearly two dozen domains, including starovikov.ru and starovikov[.]com.
A cached copy of the contact page for Starovikov[.]com shows that in 2008 it displayed the personal information for a Dmitry Starovikov, who listed his Skype username as “lycefer.”
Finally, Russian incorporation documents show the company LLC Website (web-site[.]ru) was registered in 2005 to two men, one of whom was named Dmitry Sergeevich Starovikov.
Bringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:
Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google’s complaint in the Southern District of New York, denying (PDF) their clients had any knowledge of the scheme.
Despite all of the disruption caused by Google’s legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been branded with a new name and there are dubious claims of new owners. Advertising customer plans ranging from $50 a day to nearly $700 for “VIP access,” AWM Proxy says its malware has been running on approximately 175,000 systems worldwide over the last 24 hours, and that roughly 65,000 of these systems are currently online.
Meanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances will soon be migrated over to a new location.
Many people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the largely failed war on drugs, meaning there is an endless supply of up-and-coming crooks who will always fill in any gaps in the workforce whenever cybercriminals face justice.
While that may be true for many low-level cyber thieves today, investigations like these show once again how small the cybercriminal underground really is. It also shows how it makes a great deal of sense to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the real force multipliers of cybercrime.
Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “RSOCKS” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top spam forum.
According to a statement by the U.S. Department of Justice, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:
“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”
The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.
The user “RSOCKS” on the Russian crime forum Verified changed his name to RSOCKS from a previous handle: “Stanx,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.
Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.
“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”
RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010. Even today, the RUSdot Mailer is advertised for sale at the top of the RUSdot community forum.
Stanx said he was a longtime member of several major forums, including the Russian hacker forum Antichat (since 2005), and the Russian crime forum Exploit (since April 2013). In an early post to Antichat in January 2005, Stanx disclosed that he is from Omsk, a large city in the Siberian region of Russia.
According to the cyber intelligence firm Intel 471, the user Stanx indeed registered on Exploit in 2013, using the email address email@example.com, and the ICQ number 399611. A search in Google for that ICQ number turns up a cached version of a Vkontakte profile for a Denis “Neo” Kloster, from Omsk, Russia.
Cybersecurity firm Constella Intelligence shows that in 2017, someone using the email address firstname.lastname@example.org registered at the Russian freelancer job site fl.ru with the profile name of “Denis Kloster” and the Omsk phone number of 79136334444. Another record indexed by Constella suggests Denis’s real surname may in fact be “Emilyantsev” [Емельянцев].
That phone number is tied to the WHOIS registration records for multiple domain names over the years, including proxy[.]info, allproxy[.]info, kloster.pro and deniskloster.com.
The “about me” section of DenisKloster.com says the 35-year-old was born in Omsk, that he got his first computer at age 12, and graduated from high school at 16. Kloster says he’s worked in many large companies in Omsk as a system administrator, web developer and photographer.
According to Kloster’s blog, his first real job was running an “online advertising” firm he founded called Internet Advertising Omsk (“riOmsk”), and that he even lived in New York City for a while.
“Something new was required and I decided to leave Omsk and try to live in the States,” Kloster wrote in 2013. “I opened an American visa for myself, it was not difficult to get. And so I moved to live in New York, the largest city in the world, in a country where all wishes come true. But even this was not enough for me, and since then I began to travel the world.”
The current version of the About Me page on Kloster’s site says he closed his advertising business in 2013 to travel the world and focus on his new company: One that provides security and anonymity services to customers around the world. Kloster’s vanity website and LinkedIn page both list him as CEO of a company called “SL MobPartners.”
In 2016, Deniskloster.com featured a post celebrating three years in operation. The anniversary post said Kloster’s anonymity business had grown to nearly two dozen employees, most of whom were included in a group photo posted to that article (and some of whom Kloster thanked by their first names and last initials).
“Thanks to you, we are now developing in the field of information security and anonymity!,” the post enthuses. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”
Mr. Kloster did not respond to repeated requests for comment.
It’s not clear if the coordinated takedown targeting the RSOCKS botnet will be permanent, as the botnet’s owners could simply rebuild — and possibly rebrand — their crime machine. Based on the RSOCKS owner’s posts, that is exactly what they intend to do.
“RSocks ceases to exist,” wrote the Rsocks account on the BlackHatWorld forum on June 17. “But don’t worry. All the active plans and fund balances will be transferred to another service. Stay tuned. We will inform you about its name and all the details later.”
Malware-based proxy services like RSOCKS have struggled to remain competitive in a cybercrime market with increasingly sophisticated proxy services that offer many additional features. The demise of RSOCKS follows closely on the heels of VIP72[.]com, a competing proxy botnet service that operated for a decade before its owners pulled the plug on the service last year.
Check out this handmade sign posted to the front door of a shuttered Jimmy John’s sandwich chain shop in Missouri last week. See if you can tell from the store owner’s message what happened.
If you guessed that someone in the Jimmy John’s store might have fallen victim to a Business Email Compromise (BEC) or “CEO fraud” scheme — wherein the scammers impersonate company executives to steal money — you’d be in good company.
In fact, that was my initial assumption when a reader in Missouri shared this photo after being turned away from his favorite local sub shop. But a conversation with the store’s owner Steve Saladin brought home the truth that some of the best solutions to fighting fraud are even more low-tech than BEC scams.
Visit any random fast-casual dining establishment and there’s a good chance you’ll see a sign somewhere from the management telling customers their next meal is free if they don’t receive a receipt with their food. While it may not be obvious, such policies are meant to deter employee theft.
The idea is to force employees to finalize all sales and create a transaction that gets logged by the company’s systems. The offer also incentivizes customers to help keep employees honest by reporting when they don’t get a receipt with their food, because employees can often conceal transactions by canceling them before they’re completed. In that scenario, the employee gives the customer their food and any change, and then pockets the rest.
You can probably guess by now that this particular Jimmy John’s franchise — in Sunset Hills, Mo. — was among those that chose not to incentivize its customers to insist upon receiving receipts. Thanks to that oversight, Saladin was forced to close the store last week and fire the husband-and-wife managers for allegedly embezzling nearly $100,000 in cash payments from customers.
Saladin said he began to suspect something was amiss after he agreed to take over the Monday and Tuesday shifts for the couple so they could have two consecutive days off together. He said he noticed that cash receipts at the end of the nights on Mondays and Tuesdays were “substantially larger” than when he wasn’t manning the till, and that this was consistent over several weeks.
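The owner's check above is a reconciliation: compare the cash counted at close on nights he ran the till against the same weeknights when the managers did, because an order deleted before it completes leaves nothing in the POS to audit. The Python below is an added example of that comparison, not anything from the store or its franchisor; the nightly figures are constructed, and the 25% shortfall threshold and the minimum of three comparable shifts are assumptions chosen for the demo.

```python
from collections import defaultdict
from statistics import median

# Constructed end-of-night cash counts (not the store's real figures).
# Each record: (date, weekday, who ran the till that night, cash counted at close).
SHIFT_CASH = [
    ("2022-04-04", "Mon", "managers", 412.0),
    ("2022-04-05", "Tue", "managers", 388.0),
    ("2022-04-11", "Mon", "managers", 401.0),
    ("2022-04-12", "Tue", "managers", 395.0),
    ("2022-04-18", "Mon", "owner",    705.0),
    ("2022-04-19", "Tue", "owner",    690.0),
    ("2022-04-25", "Mon", "owner",    718.0),
    ("2022-04-26", "Tue", "owner",    676.0),
    ("2022-04-27", "Wed", "managers", 640.0),   # a different weekday: excluded from the comparison
]


def median_cash_by_operator(shifts, weekdays=("Mon", "Tue"), min_shifts=3):
    """Median close-of-night cash per operator, restricted to comparable weekdays.

    Only like-for-like nights are pooled, since a Monday and a Saturday are not
    comparable; operators with too few such nights are dropped rather than compared.
    """
    buckets = defaultdict(list)
    for _date, weekday, operator, cash in shifts:
        if weekday in weekdays:
            buckets[operator].append(cash)
    # Median rather than mean so one unusually good or bad night does not dominate.
    return {op: median(v) for op, v in buckets.items() if len(v) >= min_shifts}


def flag_shortfalls(shifts, baseline="owner", threshold=0.25, **kwargs):
    """Return {operator: fractional shortfall} for operators whose median cash
    take on comparable nights is at least `threshold` below the baseline operator's."""
    medians = median_cash_by_operator(shifts, **kwargs)
    if baseline not in medians:
        raise ValueError(f"not enough comparable shifts for baseline {baseline!r}")
    base = medians[baseline]
    flagged = {}
    for operator, med in medians.items():
        if operator == baseline:
            continue
        shortfall = (base - med) / base
        if shortfall >= threshold:
            flagged[operator] = round(shortfall, 2)
    return flagged


if __name__ == "__main__":
    for operator, med in median_cash_by_operator(SHIFT_CASH).items():
        print(f"{operator:10} median cash on Mon/Tue: {med:8.2f}")
    print("flagged:", flag_shortfalls(SHIFT_CASH))
```

A flag here is a reason to look further (the drive-thru test the owner ran next), not proof of theft; it also only works if the nightly cash count is done by someone other than the person being compared.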
Then he had friends proceed through his restaurant’s drive-thru, to see if they received receipts for cash payments.
“One of [the managers] would take an order at the drive-thru, and when they determined the customer was going to pay with cash the other would make the customer’s change for it, but then delete the order before the system could complete it and print a receipt,” Saladin said.
Saladin said his attorneys and local law enforcement are now involved, and he estimates the former employees stole close to $100,000 in cash receipts. That was on top of the $115,000 in salaries he paid in total each year to the two employees. Saladin also has to figure out a way to pay his franchisor a fee for each of the stolen transactions.
Now Saladin sees the wisdom of adding the receipt sign, and says all of his stores will soon carry a sign offering $10 in cash to any customers who report not receiving a receipt with their food.
Many business owners are reluctant to involve the authorities when they discover that a current or former employee has stolen from them. Too often, organizations victimized by employee theft shy away from reporting it because they’re worried that any resulting media coverage of the crime will do more harm than good.
But there are quiet ways to ensure embezzlers get their due. A few years back, I attended a presentation by an investigator with the criminal division of the U.S. Internal Revenue Service (IRS) who suggested that any embezzling victims seeking a discreet law enforcement response should simply contact the IRS.
The agent said the IRS is obligated to investigate all notifications it receives from employers about unreported income, but that embezzling victims often neglect to even notify the agency. That’s a shame, he said, because under U.S. federal law, anyone who willfully attempts to evade or defeat taxes can be charged with a felony, with penalties including up to $100,000 in fines, up to five years in prison, and the costs of prosecution.
Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that’s seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.
Three of the bugs tackled this month earned Microsoft’s most dire “critical” label, meaning they can be exploited remotely by malware or miscreants to seize complete control over a vulnerable system. On top of the critical heap this month is CVE-2022-30190, a vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows.
Dubbed “Follina,” the flaw became public knowledge on May 27, when a security researcher tweeted about a malicious Word document that had surprisingly low detection rates by antivirus products. Researchers soon learned that the malicious document was using a feature in Word to retrieve an HTML file from a remote server, and that HTML file in turn used MSDT to load code and execute PowerShell commands.
“What makes this new MS Word vulnerability unique is the fact that there are no macros exploited in this attack,” writes Mayuresh Dani, manager of threat research at Qualys. “Most malicious Word documents leverage the macro feature of the software to deliver their malicious payload. As a result, normal macro-based scanning methods will not work to detect Follina. All an attacker needs to do is lure a targeted user to download a Microsoft document or view an HTML file embedded with the malicious code.”
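Because Follina carries no macro, detection has to key on behaviour rather than document content. The following is an added example (not code from the article, Microsoft or Qualys) that reconstructs process lineage from constructed Sysmon-style process-creation records and flags the chain the article describes: an Office application launching msdt.exe, and a PowerShell process whose ancestry runs back through msdt.exe to Office. The record fields and sample paths are assumptions for the demonstration.

```python
"""Behavioural detection for the Follina (CVE-2022-30190) process chain.

Added example, not code from the original article or from Microsoft or Qualys.
Reconstructs process lineage from constructed Sysmon-style process-creation
records and flags the two behaviours the article describes: an Office
application launching the Microsoft Support Diagnostic Tool (msdt.exe), and
a PowerShell process whose ancestry runs back through msdt.exe to Office.
The record fields (pid, ppid, image, cmdline) are assumptions for the sample.
"""
from dataclasses import dataclass
from typing import Dict, List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_IMAGE = "msdt.exe"
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full executable path as logged
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(tree: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image names from the process up to its oldest known ancestor."""
    chain: List[str] = []
    seen = set()
    cur = tree.get(pid)
    while cur is not None and cur.pid not in seen:   # guard against pid-reuse loops
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = tree.get(cur.ppid)
    return chain


def detect_follina(events: List[ProcEvent]) -> List[dict]:
    """Return one alert per suspicious process; benign msdt.exe use is ignored."""
    tree = build_tree(events)
    alerts: List[dict] = []
    for e in events:
        name = basename(e.image)
        parent = tree.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        # Rule 1: a document-handling Office app has no business launching msdt.exe.
        if name == MSDT_IMAGE and parent_name in OFFICE_IMAGES:
            alerts.append({"rule": "office_spawns_msdt", "pid": e.pid,
                           "parent": parent_name, "cmdline": e.cmdline})
        # Rule 2: a shell whose lineage passes through both msdt.exe and an Office app.
        if name in SHELL_IMAGES:
            chain = ancestry(tree, e.pid)
            if MSDT_IMAGE in chain and OFFICE_IMAGES & set(chain):
                alerts.append({"rule": "shell_descends_from_office_msdt", "pid": e.pid,
                               "chain": " <- ".join(chain)})
    return alerts


# Constructed sample telemetry: one malicious chain and two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" C:\\Users\\a\\Downloads\\invoice.docx'),
    # Word's remote HTML load drives MSDT; the exploit arguments are elided on purpose.
    ProcEvent(2100, 2000, r"C:\Windows\System32\msdt.exe", '"msdt.exe" ms-msdt:/... (elided)'),
    ProcEvent(2200, 2100, r"C:\Windows\System32\sdiagnhost.exe", "sdiagnhost.exe -Embedding"),
    ProcEvent(2300, 2200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe (arguments elided)"),
    # Benign: a user opens a troubleshooter from Explorer, and a shell from Explorer.
    ProcEvent(3000, 1000, r"C:\Windows\System32\msdt.exe", '"msdt.exe" -id NetworkDiagnosticsWeb'),
    ProcEvent(3100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]


if __name__ == "__main__":
    for alert in detect_follina(SAMPLE_EVENTS):
        print(alert)
```

Run over the constructed sample, the two benign events produce nothing and the malicious chain produces exactly two alerts, one for msdt.exe under WINWORD.EXE and one for the PowerShell process four levels down.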
Kevin Beaumont, the researcher who gave Follina its name, penned a fairly damning account and timeline of Microsoft’s response to being alerted about the weakness. Beaumont says researchers in March 2021 told Microsoft they were able to achieve the same exploit using Microsoft Teams as an example, and that Microsoft silently fixed the issue in Teams but did not patch MSDT in Windows or the attack vector in Microsoft Office.
Beaumont said other researchers on April 12, 2022 told Microsoft about active exploitation of the MSDT flaw, but Microsoft closed the ticket saying it wasn’t a security issue. Microsoft finally issued a CVE for the problem on May 30, the same day it released recommendations on how to mitigate the threat from the vulnerability.
Microsoft also is taking flak from security experts regarding a different set of flaws in its Azure cloud hosting platform. Orca Security said that back on January 4 it told Microsoft about a critical bug in Azure’s Synapse service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure.
In an update to their research published Tuesday, Orca researchers said they were able to bypass Microsoft’s fix for the issue twice before the company put a working fix in place.
“In previous cases, vulnerabilities were fixed by the cloud providers within a few days of our disclosure to the affected vendor,” wrote Orca’s Avi Shua. “Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism. Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”
Amit Yoran, CEO of Tenable and a former U.S. cybersecurity czar, took Microsoft to task for silently patching an issue Tenable reported in the same Azure Synapse service.
“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” Yoran wrote in a post on LinkedIn. “To date, Microsoft customers have not been notified. Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”
Also in the critical and notable stack this month is CVE-2022-30136, which is a remote code execution flaw in the Windows Network File System (NFS version 4.1) that earned a CVSS score of 9.8 (10 being the worst). Microsoft issued a very similar patch last month for vulnerabilities in NFS versions 2 and 3.
“This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NFSV2.0 and NFSV3.0,” wrote Trend Micro’s Zero Day Initiative. “It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.”
Beginning today, Microsoft will officially stop supporting most versions of its Internet Explorer Web browser, which was launched in August 1995. The IE desktop application will be disabled, and Windows users who wish to stick with a Microsoft browser are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the dirt on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
Cybercrime groups that specialize in stealing corporate data and demanding a ransom not to publish it have tried countless approaches to shaming their victims into paying. The latest innovation in ratcheting up the heat comes from the ALPHV/BlackCat ransomware group, which has traditionally published any stolen victim data on the Dark Web. Today, however, the group began publishing individual victim websites on the public Internet, with the leaked data made available in an easily searchable form.
ALPHV recently announced on its victim shaming and extortion website that it had hacked a luxury spa and resort in the western United States. Sometime in the last 24 hours, ALPHV published a website with the same victim’s name in the domain, and their logo on the homepage.
The website claims to list the personal information of 1,500 resort employees, and more than 2,500 residents at the facility. At the top of the page are two “Check Yourself” buttons, one for employees, and another for guests.
Brett Callow, a threat analyst with security firm Emsisoft, called the move by ALPHV “a cunning tactic” that will most certainly worry their other victims.
Callow said most of the victim shaming blogs maintained by the major ransomware and data ransom groups exist on obscure, slow-loading sites on the Darknet, reachable only through the use of third-party software like Tor. But the website erected by ALPHV as part of this new pressure tactic is available on the open Internet.
“Companies will likely be more concerned about the prospect of their data being shared in this way than of simply being posted to an obscure Tor site for which barely anyone knows the URL,” Callow said. “It’ll piss people off and make class actions more likely.”
It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.
“We are not going to stop, our leak distribution department will do their best to bury your business,” the victim website reads. “At this point, you still have a chance to keep your hotel’s security and reputation. We strongly advise you to be proactive in your negotiations; you do not have much time.”
Emerging in November 2021, ALPHV is perhaps most notable for its programming language (it is written in Rust). ALPHV has been actively recruiting operators from several ransomware organizations — including REvil, BlackMatter and DarkSide — offering affiliates up to 90 percent of any ransom paid by a victim organization.
Many security experts believe ALPHV/BlackCat is simply a rebrand of another ransomware group — “Darkside” a.k.a. “BlackMatter,” the same gang responsible for the 2021 attack on Colonial Pipeline that caused fuel shortages and price spikes for several days last summer.
Callow said there may be an upside to this ALPHV innovation, noting that his wife recently heard directly from a different ransomware group — Cl0p.
“On a positive note, stunts like this mean people may actually find out that their PI has been compromised,” he said. “Cl0p emailed my wife last year. The company that lost her data still hasn’t made any public disclosure or notified the people who were impacted (at least, she hasn’t heard from the company.)”
A 33-year-old Illinois man was sentenced to two years in prison today following his conviction last year for operating services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against hundreds of thousands of Internet users and websites.
Matthew Gatrel of St. Charles, Ill. was found guilty of violations of the Computer Fraud and Abuse Act (CFAA) related to his operation of downthem[.]org and ampnode[.]com, two DDoS-for-hire services that had thousands of customers who paid to launch more than 200,000 attacks.
Despite admitting to FBI agents that he ran these so-called “booter” services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by public defenders. Gatrel’s co-defendant and partner in the business, Juan “Severon” Martinez of Pasadena, Calif., pleaded guilty just before the trial.
After a nine-day trial in the Central District of California, Gatrel was convicted on all three counts, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.
Prosecutors said Downthem sold subscriptions allowing customers to launch DDoS attacks, while AmpNode provided “bulletproof” server hosting to customers — with an emphasis on “spoofing” servers that could be pre-configured with DDoS attack scripts and lists of vulnerable “attack amplifiers” used to launch simultaneous cyberattacks on victims.
Booter and stresser services let customers pick from among a variety of attack methods, but almost universally the most powerful of these methods involves what’s known as a “reflective amplification attack.” In such assaults, the perpetrators leverage unmanaged Domain Name Servers (DNS) or other devices on the Web to create huge traffic floods.
Ideally, DNS servers only provide services to machines within a trusted domain — such as translating an Internet address from a series of numbers into a domain name, like example.com. But DNS reflection attacks rely on consumer and business routers and other devices equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web.
Attackers can send spoofed DNS queries to these DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.
The bad guys also can amplify a reflective attack by crafting DNS queries so that the responses are much bigger than the requests. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.
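From the resolver operator’s side, the misconfiguration and the abuse it invites both leave traces in ordinary query logs. The following is an added example (not code from the article or from any DNS vendor) that parses constructed resolver log lines and flags two conditions described above: recursion answered for clients outside the trusted networks, and per-client response-to-request byte ratios in the range reflection attacks aim for. The log format and trusted networks are assumptions for the demonstration.

```python
"""Spotting a DNS server being used as a reflector.

Added example, not code from the original article or from any DNS vendor.
It parses constructed resolver query-log lines and flags two conditions the
article describes: answering recursive queries for clients outside the
trusted networks (the misconfiguration), and per-client response-to-request
byte ratios in the range reflection attacks aim for. In a reflection attack
the logged "client" is the spoofed victim address, not the attacker.
The log format and trusted networks are assumptions for the sample.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Networks this resolver is meant to serve (constructed for the example).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]
# Ordinary A lookups answer at a few times the query size; an average ratio
# per client beyond this deserves a look.
AMPLIFICATION_THRESHOLD = 10.0


@dataclass
class DnsQuery:
    client: str
    qname: str
    qtype: str
    req_bytes: int
    resp_bytes: int


def parse_log(text: str) -> List[DnsQuery]:
    """Lines: '<timestamp> <client-ip> <qname> <qtype> <req-bytes> <resp-bytes>'."""
    queries = []
    for line in text.strip().splitlines():
        _ts, client, qname, qtype, req, resp = line.split()
        queries.append(DnsQuery(client, qname, qtype, int(req), int(resp)))
    return queries


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(queries: List[DnsQuery]) -> List[Dict]:
    """One finding per suspicious client, with its amplification ratio and reasons."""
    req_total: Dict[str, int] = defaultdict(int)
    resp_total: Dict[str, int] = defaultdict(int)
    count: Dict[str, int] = defaultdict(int)
    for q in queries:
        req_total[q.client] += q.req_bytes
        resp_total[q.client] += q.resp_bytes
        count[q.client] += 1

    findings = []
    for client in sorted(req_total):
        ratio = resp_total[client] / req_total[client]
        reasons = []
        if not is_trusted(client):
            reasons.append("open_recursion_to_untrusted")   # the misconfiguration itself
        if ratio >= AMPLIFICATION_THRESHOLD:
            reasons.append("high_amplification")            # the reflection pattern
        if reasons:
            findings.append({"client": client, "queries": count[client],
                             "ratio": round(ratio, 1), "reasons": reasons})
    return findings


# Constructed log: an internal client doing normal lookups, an outside address
# receiving large ANY answers (64x the request, the pattern the article cites),
# and an outside address that merely shows recursion is open to the world.
SAMPLE_LOG = """
2022-06-14T12:00:01Z 192.0.2.10 example.com A 60 120
2022-06-14T12:00:02Z 192.0.2.10 example.org A 60 124
2022-06-14T12:00:03Z 203.0.113.9 example.net ANY 64 4096
2022-06-14T12:00:03Z 203.0.113.9 example.net ANY 64 4096
2022-06-14T12:00:03Z 203.0.113.9 example.net ANY 64 4096
2022-06-14T12:00:04Z 198.51.100.7 example.com A 60 120
"""

if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```

Alerting only treats the symptom; the fix is to restrict recursion to the trusted networks in the server configuration (in BIND, the allow-recursion option) so outside queries are refused rather than reflected.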
The government charged that Gatrel and Martinez constantly scanned the Internet for these misconfigured devices, and then sold lists of Internet addresses tied to these devices to other booter service operators.
“Gatrel ran a criminal enterprise designed around launching hundreds of thousands of cyber-attacks on behalf of hundreds of customers,” prosecutors wrote in a memorandum submitted in advance of his sentencing. “He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”
The U.S. and United Kingdom have been trying to impress on would-be customers of these booter services that hiring them for DDoS attacks is illegal. The U.K. has even taken out Google ads to remind U.K. residents when they search online for terms common to booter services.
The case against Gatrel and Martinez was brought as part of a widespread crackdown on booter services in 2018, when the FBI joined law enforcement partners overseas to seize 15 different booter service domains.
Those actions have prompted a flurry of prosecutions, with wildly varying sentences when the booter service owners are invariably found guilty. However, DDoS experts say booter and stresser services that remain in operation continue to account for the vast majority of DDoS attacks launched daily around the globe.
At the outset of their federal criminal trial for hijacking vast swaths of Internet addresses for use in large-scale email spam campaigns, three current or former executives at online advertising firm Adconion Direct (now Amobee) have pleaded guilty to lesser misdemeanor charges of fraud and misrepresentation via email.
In October 2018, prosecutors in the Southern District of California named four Adconion employees — Jacob Bychak, Mark Manoogian, Petr Pacas, and Mohammed Abdul Qayyum — in a ten-count indictment (PDF) on felony charges of conspiracy, wire fraud, and electronic mail fraud.
The government alleged that between December 2010 and September 2014, the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.
Prosecutors said the men also sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.
All four defendants pleaded not guilty when they were charged back in 2018, but this week Bychak, Manoogian and Qayyum each entered a plea deal.
“The defendants’ jobs with Adconion were to acquire fresh IP addresses and employ other measures to circumvent the spam filters,” reads a statement released today by the U.S. Attorney for the Southern District of California, which said the defendants would pay $100,000 in fines each and perform 100 hours of community service.
“To conceal Adconion’s ties to the stolen IP addresses and the spam sent from these IP addresses, the defendants used a host of DBAs, virtual addresses, and fake names provided by the company,” the statement continues. “While defendants touted ties to well-known name brands, the email marketing campaigns associated with the hijacked IP addresses included advertisements such as ‘BigBeautifulWomen,’ ‘iPhone4S Promos,’ and ‘LatinLove[Cost-per-Click].’”
None of the three plea agreements are currently available on PACER, the online federal court document clearinghouse. However, PACER does show that on June 7 — the same day the pleas were entered by the defendants — the government submitted to the court a superseding set of just two misdemeanor charges (PDF) of fraud in connection with email.
Another document filed in the case says the fourth defendant — Pacas — accepted a deferred prosecution deal, which includes a probationary period and a required $50,000 “donation” to a federal “crime victims fund.”
There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15-$25 on the open market.
This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.
In May, prosecutors published information about the source of some IP address ranges from which the Adconion employees allegedly spammed. For example, the government found the men leased some of their IP address ranges from a Dutch company that’s been tied to a scandal involving more than four million addresses siphoned from the African Network Information Centre (AFRINIC), the nonprofit responsible for overseeing IP address allocation for African organizations.
In 2019, AFRINIC fired a top employee after it emerged that in 2013 he quietly commandeered millions of IPs from defunct African entities or from those that were long ago acquired by other firms, and then conspired to sell an estimated $50 million worth of the IPs to marketers based outside Africa.
“Exhibit A” in a recent government court filing shows that in 2013 Adconion leased more than 65,000 IP addresses from Inspiring Networks, a Dutch network services company. In 2020, Inspiring Networks and its director Maikel Uerlings were named in a dogged, multi-part investigation by South African news outlet MyBroadband.co.za and researcher Ron Guilmette as one of two major beneficiaries of the four million IP addresses looted from AFRINIC by its former employee.
The address block in the above image — 22.214.171.124/16 — was reportedly later reclaimed by AFRINIC following an investigation. Inspiring Networks has not responded to requests for comment.
Prosecutors allege the Adconion employees also obtained hijacked IP address blocks from Daniel Dye, another man tied to this case who was charged separately. For many years, Dye was a system administrator for Optinrealbig, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra. In 2018, Dye pleaded guilty to violations of the CAN-SPAM Act.
Optinrealbig’s CEO was the spam king Scott Richter, who changed the name of the company to Media Breakaway after being successfully sued for spamming by AOL, Microsoft, MySpace, and the New York Attorney General Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.
The last-minute plea deals by the Adconion employees were reminiscent of another recent federal criminal prosecution for IP address sleight-of-hand. In November 2021, the CEO of South Carolina technology firm Micfo pleaded guilty just two days into his trial, admitting 20 counts of wire fraud in connection with an elaborate network of phony companies set up to obtain more than 700,000 IPs from the American Registry for Internet Numbers (ARIN) — AFRINIC’s counterpart in North America.
Adconion was acquired in June 2014 by Amobee, a Redwood City, Calif. online ad platform that has catered to some of the world’s biggest brands. Amobee’s parent firm — Singapore-based communications giant Singtel — bought Amobee for $321 million in March 2012.
But as Reuters reported in 2021, Amobee cost Singtel nearly twice as much in the last year alone — $589 million — in a “non-cash impairment charge” Singtel disclosed to investors. Marketing industry blog Digiday.com reported in February that Singtel was seeking to part ways with its ad tech subsidiary.
One final note about Amobee: In response to my 2019 story on the criminal charges against the Adconion executives, Amobee issued a statement saying “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”
Yet as the government’s indictment points out, the alleged hijacking activities took place up until September 2014, which was after Amobee’s acquisition of Adconion Direct in June 2014. Also, the IP address ranges that the Adconion executives were prosecuted for hijacking were all related to incidents in 2013 and 2014, which is hardly “years prior to Amobee’s acquisition of the company.”
Amobee has not yet responded to requests for comment.
Netflix has a new documentary series airing next week — “Web of Make Believe: Death, Lies & the Internet” — in which Yours Truly apparently has a decent amount of screen time. The debut episode explores the far-too-common harassment tactic of “swatting” — wherein fake bomb threats or hostage situations are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.
The producers of the Netflix show said footage from an interview I sat for in early 2020 on swatting and other threats should appear in the first episode. They didn’t specify what additional topics the series would scrutinize, but Netflix’s teaser for the show suggests it concerns cybercrimes that result in deadly, real-world kinetic attacks.
“Conspiracy. Fraud. Violence. Murder,” reads the Netflix short description for the series. “What starts out virtual can get real all too quickly — and when the web is worldwide, so are the consequences.”
Our family has been victimized by multiple swatting attacks over the past decade. Our first swatting, in March 2013, resulted in Fairfax County, Va. police surrounding our home and forcing me into handcuffs at gunpoint. For an excruciating two minutes, I had multiple police officers pointing rifles, shotguns and pistols directly at me.
More recently, our family was subjected to swatting attacks by a neo-Nazi group that targeted journalists, judges and corporate executives. We’ve been fortunate that none of our swatting events ended in physical harm, and that our assailants have all faced justice.
But these dangerous hoaxes can quickly turn deadly: In March 2019, 26-year-old serial swatter Tyler Barriss was sentenced to 20 years in prison for making a phony emergency call to police in late 2017 that resulted in the shooting death of an innocent Kansas resident.
In 2021, an 18-year-old Tennessee man who helped set in motion a fraudulent distress call to police that led to the death of a 60-year-old grandfather in was sentenced to five years in prison.
The first season of the new documentary series will be available on Netflix starting June 15. See you on TV!
The U.S. Department of Justice (DOJ) recently revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA), a 1986 law that remains the primary statute by which federal prosecutors pursue cybercrime cases. The new guidelines state that prosecutors should avoid charging security researchers who operate in “good faith” when finding and reporting vulnerabilities. But legal experts continue to advise researchers to proceed with caution, noting the new guidelines can’t be used as a defense in court, nor are they any kind of shield against civil prosecution.
In a statement about the changes, Deputy Attorney General Lisa O. Monaco said the DOJ “has never been interested in prosecuting good-faith computer security research as a crime,” and that the new guidelines “promote cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
What constitutes “good faith security research?” The DOJ’s new policy (PDF) borrows language from a Library of Congress rulemaking (PDF) on the Digital Millennium Copyright Act (DMCA), a similarly controversial law that criminalizes production and dissemination of technologies or services designed to circumvent measures that control access to copyrighted works. According to the government, good faith security research means:
“…accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
“Security research not conducted in good faith — for example, for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services — might be called ‘research,’ but is not in good faith.”
The new DOJ policy comes in response to a Supreme Court ruling last year in Van Buren v. United States (PDF), a case involving a former police sergeant in Florida who was convicted of CFAA violations after a friend paid him to use police resources to look up information on a private citizen.
But in an opinion authored by Justice Amy Coney Barrett, the Supreme Court held that the CFAA does not apply to a person who obtains electronic information that they are otherwise authorized to access and then misuses that information.
Orin Kerr, a law professor at University of California, Berkeley, said the DOJ’s updated policy was expected given the Supreme Court ruling in the Van Buren case. Kerr noted that while the new policy says one measure of “good faith” involves researchers taking steps to prevent harm to third parties, what exactly those steps might constitute is another matter.
“The DOJ is making clear they’re not going to prosecute good faith security researchers, but be really careful before you rely on that,” Kerr said. “First, because you could still get sued [civilly, by the party to whom the vulnerability is being reported], but also the line as to what is legitimate security research and what isn’t is still murky.”
Kerr said the new policy also gives CFAA defendants no additional cause for action.
“A lawyer for the defendant can make the pitch that something is good faith security research, but it’s not enforceable,” Kerr said. “Meaning, if the DOJ does bring a CFAA charge, the defendant can’t move to dismiss it on the grounds that it’s good faith security research.”
Kerr added that he can’t think of a CFAA case where this policy would have made a substantive difference.
“I don’t think the DOJ is giving up much, but there’s a lot of hacking that could be covered under good faith security research that they’re saying they won’t prosecute, and it will be interesting to see what happens there,” he said.
The new policy also clarifies other types of potential CFAA violations that are not to be charged. Most of these include violations of a technology provider’s terms of service, and here the DOJ says “violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.” Some examples include:
-Embellishing an online dating profile contrary to the terms of service of the dating website;
-Creating fictional accounts on hiring, housing, or rental websites;
-Using a pseudonym on a social networking site that prohibits them;
-Checking sports scores or paying bills at work.
Kerr’s warning about the dangers that security researchers face from civil prosecution is well-founded. KrebsOnSecurity regularly hears from security researchers seeking advice on how to handle reporting a security vulnerability or data exposure. In most of these cases, the researcher isn’t worried that the government is going to come after them: It’s that they’re going to get sued by the company responsible for the security vulnerability or data leak.
Often these conversations center around the researcher’s desire to weigh the rewards of gaining recognition for their discoveries with the risk of being targeted with costly civil lawsuits. And almost just as often, the source of the researcher’s unease is that they recognize they might have taken their discovery just a tad too far.
Here’s a common example: A researcher finds a vulnerability in a website that allows them to individually retrieve every customer record in a database. But instead of simply polling a few records that could be used as a proof-of-concept and shared with the vulnerable website, the researcher decides to download every single file on the server.
Not infrequently, there is also concern because at some point the researcher suspected that their automated activities might have actually caused stability or uptime issues with certain services they were testing. Here, the researcher is usually concerned about approaching the vulnerable website or vendor because they worry their activities may already have been identified internally as some sort of external cyberattack.
What do I take away from these conversations? Some of the most trusted and feared security researchers in the industry today gained that esteem not by constantly taking things to extremes and skirting the law, but rather by publicly exercising restraint in the use of their powers and knowledge — and by being effective at communicating their findings in a way that maximizes the help and minimizes the potential harm.
If you believe you’ve discovered a security vulnerability or data exposure, try to consider first how you might defend your actions to the vulnerable website or vendor before embarking on any automated or semi-automated activity that the organization might reasonably misconstrue as a cyberattack. In other words, try as best you can to minimize the potential harm to the vulnerable site or vendor in question, and don’t go further than you need to prove your point.
Costa Rica’s national health service was hacked sometime earlier this morning by a Russian ransomware group known as Hive. The intrusion comes just weeks after Costa Rican President Rodrigo Chaves declared a state of emergency in response to a data ransom attack from a different Russian ransomware gang — Conti. Ransomware experts say there is good reason to believe the same cybercriminals are behind both attacks, and that Hive has been helping Conti rebrand and evade international sanctions targeting extortion payouts to cybercriminals operating in Russia.
The Costa Rican publication CRprensa.com reports that affected systems at the Costa Rican Social Security Fund (CCSS) were taken offline on the morning of May 31, but that the extent of the breach was still unclear. The CCSS is responsible for Costa Rica’s public health sector, and worker and employer contributions are mandated by law.
A hand-written sign posted outside a public health center in Costa Rica today explained that all systems are down until further notice (thanks to @Xyb3rb3nd3r for sharing this photo).
Esteban Jimenez, founder of the Costa Rican cybersecurity consultancy ATTI Cyber, told KrebsOnSecurity the CCSS suffered a cyber attack that compromised the Unique Digital Medical File (EDUS) and the National Prescriptions System for the public pharmacies, and as a result medical centers have turned to paper forms and manual contingencies.
“Many smaller health centers located in rural areas have been forced to close due to not having the required equipment or communication with their respective central health areas and the National Retirement Fund (IVM) was completely blocked,” Jimenez said. “Taking into account that salaries of around fifty thousand employees and deposits for retired citizens were due today, so now the payments are in danger.”
Jimenez said the head of the CCSS has addressed the local media, confirming that the Hive ransomware was deployed on at least 30 out of 1,500 government servers, and that any estimation of time to recovery remains unknown. He added that many printers within the government agency this morning began churning out copies of the Hive ransom note.
“HIVE has not yet released their ransom fee but attacks are expected to follow; other organizations are trying to get a hold on the emergency declaration to obtain additional funds to purchase new pieces of infrastructure, improve their backup structure amongst others,” Jimenez said.
A copy of the ransom note left behind by the intruders and subsequently uploaded to Virustotal.com indicates the CCSS intrusion was the work of Hive, which typically demands payment for a digital key needed to unlock files and servers compromised by the group’s ransomware.
On May 8, President Chaves used his first day in office to declare a national state of emergency after the Conti ransomware group threatened to publish gigabytes of sensitive data stolen from Costa Rica’s Ministry of Finance and other government agencies. Conti initially demanded $10 million, and later doubled the amount when Costa Rica refused to pay. On May 20, Conti leaked more than 670 gigabytes of data taken from Costa Rican government servers.
As CyberScoop reported on May 17, Chaves told local media he believed that collaborators within Costa Rica were helping Conti extort the government. Chaves offered no information to support this claim, but the timeline of Conti’s descent on Costa Rica is worth examining.
Most of Conti’s public communications about the Costa Rica attack have very clearly assigned credit for the intrusion to an individual or group calling itself “unc1756.” In March 2022, a new user by the same name registered on the Russian language crime forum Exploit.
On the evening of April 18, Costa Rica’s Ministry of Finance disclosed the Conti intrusion via Twitter. Earlier that same day, the user unc1756 posted a help wanted ad on Exploit saying they were looking to buy access to “special networks” in Costa Rica.
“By special networks I mean something like Haciendas,” unc1756 wrote on Exploit. Costa Rica’s Ministry of Finance is known in Spanish as the “Ministerio Hacienda de Costa Rica.” Unc1756 said they would pay USD $500 or more for such access, and would work only with Russian-speaking people.
Experts say there are clues to suggest Conti and Hive are working together in their attacks on Costa Rica, and that the intrusions are tied to a rebranding effort by Conti. Shortly after Russia invaded Ukraine at the end of February, Conti declared its full support, aligning itself directly with Russia and against anyone who would stand against the motherland.
Conti quickly deleted the declaration from its website, but the damage had already been done, and any favor or esteem that Conti had earned among the Ukrainian cybercriminal underground effectively evaporated overnight.
Shortly thereafter, a Ukrainian security expert leaked many months worth of internal chat records between Conti personnel as they plotted and executed attacks against hundreds of victim organizations. Those candid messages exposed what it’s like to work for Conti, how they undermined the security of their targets, as well as how the group’s leaders strategized for the upper hand in ransom negotiations.
But Conti’s declaration of solidarity with the Kremlin also made it increasingly ineffective as an instrument of financial extortion. According to cyber intelligence firm ADVIntel, Conti’s alliance with the Russian state soon left it largely unable to receive ransom payments, because victim companies were being advised that paying a Conti ransom demand could mean violating U.S. economic sanctions on Russia.
“Conti as a brand became associated with the Russian state — a state that is currently undergoing extreme sanctions,” ADVIntel wrote in a lengthy analysis (PDF). “In the eyes of the state, each ransom payment going to Conti may have potentially gone to an individual under sanction, turning simple data extortion into a violation of OFAC regulation and sanction policies against Russia.”
ADVIntel says it first learned of Conti’s intrusion into Costa Rican government systems on April 14, and that it has seen internal Conti communications indicating that getting paid in the Costa Rica attack was not the goal.
Rather, ADVIntel argues, Conti was simply using it as a way to appear publicly that it was still operating as the world’s most lucrative ransomware collective, when in reality the core Conti leadership was busy dismantling the crime group and folding themselves and top affiliates into other ransomware groups that are already on friendly terms with Conti.
“The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” ADVIntel concluded.
ADVIntel says Conti’s leaders and core affiliates are dispersing to several Conti-loyal crime collectives that use either ransomware lockers or strictly engage in data theft for ransom, including AlphV/BlackCat, AvosLocker, BlackByte, HelloKitty, Hive, and Karakurt.
Still, Hive appears to be perhaps the biggest beneficiary of any attrition from Conti: Twice over the past week, both Conti and Hive claimed responsibility for hacking the same companies. When the discrepancy was called out on Twitter, Hive updated its website to claim it was not affiliated with Conti.
Conti and Hive’s Costa Rican exploits mark the latest in a string of recent cyberattacks against government targets across Latin America. Around the same time it hacked Costa Rica in April, Conti announced it had hacked Peru’s National Directorate of Intelligence, threatening to publish sensitive stolen data if the government did not pay a ransom.
But Conti and Hive are not alone in targeting Latin American victims of late. According to data gathered from the victim shaming blogs maintained by multiple ransomware groups, over the past 90 days ransom actors have hacked and sought to extort 15 government agencies in Brazil, nine in Argentina, six in Colombia, four in Ecuador and three in Chile.
A recent report (PDF) by the Inter-American Development Bank suggests many Latin American countries lack the technical expertise or cybercrime laws to deal with today’s threats and threat actors.
“This study shows that the Latin American and Caribbean (LAC) region is not sufficiently prepared to handle cyberattacks,” the IADB document explains. “Only 7 of the 32 countries studied have a critical infrastructure protection plan, while 20 have established cybersecurity incident response teams, often called CERTs or CSIRTs. This limits their ability to identify and respond to attacks.”