you get important news and warnings about security and privacy on internet!
(Be patient – loading of this page takes few seconds.)
On this page, I give you the latest news, warnings and advice on the subject of security and privacy on the internet. You alone can take care of your own security and privacy and this requires some knowledge, strategy and constant vigilance.
(On the PRIVACY POLICY page, you will find my recommendations for a broad strategy to protect your computer from hackers.)
DISCLAIMER:
* Copyrights belong to each article's respective author.
** Article links lead to external websites, where you will be tracked, most likely.
Businesses can now automate threat detection for 1Password and their broader work environment with Obsidian Security, a security platform for software as a service (SaaS) tools.
Keeping your organization secure online is a never-ending challenge, especially when you have hundreds or thousands of employees. People are great at many things but following ever-changing cybersecurity best practices often isn’t one of them. That’s why 1Password focuses on human-centric security and making sure you don’t have to choose between convenience and security.
Even so, people don’t always make the right choices, which is why we’re excited to introduce a new integration by Obsidian Security that can give you extra peace of mind. Obsidian Security provides automated threat detection capabilities for your entire SaaS environment, including 1Password, utilizing advanced machine learning to detect impossible travel, successful logins from unusual locations, spikes in failed login attempts, and more.
By tapping into the 1Password Events API, Obsidian can continuously aggregate and analyze activity data from your organization’s 1Password deployment, including sign-in attempts, item usage, and vault changes. This information is tied to specific users and automatically monitored for potential problems based on policies you set.
You can integrate Obsidian Security with many of the SaaS apps you use in addition to 1Password. That allows Obsidian Security to look at the bigger picture and detect what might seem like innocuous anomalies, enabling you to identify, investigate, and mitigate threats faster.
Obsidian Security’s platform adapts to your organization’s needs, too. You can use out of the box policies or build custom alerts as needed to fit your specific requirements.
Let’s say an employee called Jim logs into your organization’s 1Password account at 9AM from Cupertino, California. There’s nothing unusual about that. Then, at 9:15AM, Jim accesses a different corporate app from Jakarta, Indonesia. Now we have a problem.
The two sign-ins are an example of “impossible travel” because it’s impossible for Jim to go from California to Jakarta in such a short timeframe. It’s therefore a good signal that something is wrong.
Thankfully, your organization is using Obsidian Security to monitor its SaaS environment. So your security team is instantly alerted to potential issues based on policies you set. You can quickly investigate the “impossible travel” sign-ins and filter all activity based on the IP addresses involved or other relevant data.
In situations like the one we just described, a quick response can make a huge difference.
1Password helps your workforce protect sensitive information by bringing security and convenience together. But with the Obsidian Security integration, you can get even more peace of mind that everything is safe and sound with round-the-clock monitoring.
The 1Password integration with Obsidian Security is available now to customers with a 1Password Business or 1Password Enterprise account.
Learn more about Obsidian Security by visiting the company’s website. Interested in becoming an integration partner with 1Password? Email tech-partnerships@1password.com to find out more.
Keep your team secure without slowing them down. Choose 1Password Business to gain complete control over passwords and other sensitive business information.
Try free for 14 daysGenerative AI, large language models, and ChatGPT are dominating the headlines and people’s imaginations at the moment. While the incoming AI revolution may have some drawbacks, it also has the power to transform the way we learn, work, and play.
Clint Bodungen, author of the upcoming ChatGPT for Cybersecurity Cookbook: Learn practical generative AI recipes to supercharge your cyber skills, joined Matt Davey, Chief Experience Officer at 1Password, on the Random but Memorable podcast to discuss:
Read the interview below or listen to the full episode on your podcast app of choice.
Editor’s note: The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Matt Davey: What will the book cover and who’s it for?
Clint Bodungen: I focused on content for those who are already in cybersecurity and want to make their skillset more efficient and to augment the skills that they already have.
But more importantly, I’m a huge proponent into trying to usher in the next generation of talent into cybersecurity.
There are a lot of people who don’t know how to get into cybersecurity, or can’t afford [the relevant] certifications. I wanted to make sure I touched an audience that could really utilize this new, literally revolutionary technology to enhance and augment their skill set.
The book primarily covers ChatGPT but also the OpenAI API. Right now everybody’s writing an ebook or doing YouTube videos on ChatGPT prompt engineering. This book goes beyond prompt engineering. It’s talking about how to use the OpenAI API with Python code, and some JavaScript.
“This book will help you get under the hood of what’s going on."
You can build your own apps and extend the capabilities of just ChatGPT. This book will help you get under the hood of what’s going on to build your own plugin-like functionality, to build your own code interpreter functionality, and to get ahead of the next feature set that might be within ChatGPT.
The later chapters talk about other frameworks, like how to use other large language models such as open source rather than just GPT and OpenAI-branded large language models.
MD: What are some of the most exciting and practical AI recipes in your book?
CB: The most exciting recipes teach you how to turn ChatGPT or Claude 2 into a cybersecurity-themed role-playing game.
You might be familiar with old school text-based role-play games like Hitchhiker’s Guide to the Galaxy or Zork. Those sorts of games. I teach readers how to turn ChatGPT into a text-based role-playing game where it acts as the game master. It will instantly create an entire scenario. It’s a “choose your own adventure” basically which you can go through and it will train you on cybersecurity.
For companies that do incident response tabletop exercises, I have recipes in the book that show you how to create and run those exercises using ChatGPT.
I have simple GPT recipes from the web interface where you can just get help with GRC cybersecurity standards. You don’t understand what a standard is saying? You can feed it excerpts or entire standards and then get your questions answered. You can have it create entire vulnerability assessment plans. You can actually have it create a cybersecurity policy, an entire 80-page cybersecurity policy.
"[ChatGPT] is not meant to replace human work. It’s not meant to be ‘set it and forget it’ like an easy bake oven."
This is not meant to replace human work. This is not meant to be ‘set it and forget it’ like an easy bake oven. This is literally meant to give you a first draft. This is meant to make things more efficient and optimize your time, and then you become the editor and fine-tune it to your liking.
There are recipes in there to make all aspects of your cybersecurity job more efficient or more productive, like helping you with pen testing.
MD: How do we trust AI to generate what it says it’s generating?
CB: I don’t recommend sending anything confidential or private out to the internet when you’re using the API, whether that’s the cloud ChatGPT or something else. That’s why we’re developing an open source cybersecurity model that is intended to be used locally without any connection to the internet. This way you can do these things privately on your own without risking exposure.
In later parts of the book, I teach people how to use local open source models on their own if they’re concerned about privacy and security. In the meantime, if you do want to experiment with the API version – the online version and ChatGPT – then you can sanitize or anonymize your requests.
How do you trust what ChatGPT is giving you? I would highly recommend that for anything you’re doing in terms of testing or penetration testing, you do it on a trusted or secured network, or a sandbox network, before you put it on a customer’s network or your own network.
“The same caveats that apply to any cybersecurity operation or testing, such as making sure what you’re doing is tested and verified before you put it on a production network, stand true here as well."
The same caveats that apply to any cybersecurity operation or testing, such as making sure what you’re doing is tested and verified before you put it on a production network, stand true here as well.
And then in terms of writing code, I don’t recommend that you just take any code that it generates at face value. If you’re not a programmer you should try it out in a sandbox environment to make sure it works first.
MD: Are you writing the book, or is ChatGPT writing the book?
CB: I’m writing the book.
Am I using ChatGPT at all to help with this book? Yes. Am I using it to help me write better code? Absolutely. But I’m the primary author and I double check everything.
I use ChatGPT in my everyday life for everything now.
MD: Do you think AI and ChatGPT give you a competitive edge in security? Are there downfalls in that? What do you think people need to take into consideration?
CB: AI absolutely gives you a competitive edge because it makes you more efficient and makes you able to work faster.
Anything that you do, ChatGPT can help you do better or faster. For example, it’s better than Google search in a lot of instances. If I use Google, I have to search through the links and then click on each one and then see if those have relevant information. ChatGPT gives me the answer right away.
You could use it for anything. If you want a meal plan, it’ll generate meal plans. If you want an exercise routine, it’ll generate exercise routines. It’ll literally do and enhance just about anything you can think of.
“If you’re asking it for factual information, you do need to do your fact checking like you should do for anything."
The caveat is you still need to be cautious about facts. If you’re asking it for factual information, you do need to do your fact checking like you should do for anything.
The nature of a large language model and the way it works is that if it doesn’t know something, it can sometimes make stuff up. Or, worse, say things that sound realistic but aren’t true. So you have to be careful.
If you’re using this to enhance your knowledge, or to try to get a job, you have to be careful about using this to enhance your own skills, but then not furthering your skills to learn more.
For example, you can use it as a tutor to educate you and enhance the productivity and knowledge you already have. But if you use it to share knowledge that you don’t have, or use it to pretend you have knowledge that you don’t really have, it’s going to get you in trouble.
MD: Where can people learn more about you or pre-order this book?
CB: You can pre-order the book on Packt Publishing’s website and on Amazon.
I’m also the founder of Thread Gen, a cybersecurity startup with a cybersecurity training game simulation platform.
You can visit cybersuperhuman.ai and threadgen.com to find out more about me and my other works.
Editor’s note: This interview has been lightly edited for clarity and brevity.
Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community.
Subscribe to our podcastOkay, so you’ve just landed an interview at 1Password. It’s natural to feel a bit nervous about what you’ll be asked and what you should say. Here’s our advice: share your experiences from the perspective of our company values.
At 1Password, our company values are woven into everything we do. They inform how we show up to work, how we treat our colleagues and customers, and how we connect with our company mission. Through recognition programs such as Bonusly, which lets team members thank each other with redeemable points, and our newly formalized Values Awards, team members are empowered to live our values in ways that feel meaningful to them.
Below, we share our best pieces of advice to help you succeed in your interview and embrace our three company values: keep it simple, lead with honesty, and put people first.
“Keep it simple” reflects how 1Password employees strive to focus on what’s most important. It prompts us to stay solutions-oriented and communicate with each other clearly, concisely, and intentionally.
As you prepare for your interview, identify specific examples from your previous experiences that demonstrate your abilities and accomplishments. Try to adopt the perspective of the interviewer and structure your story in a way that makes it easy for them to understand the significance of your contributions. Some of our Talent Partners at 1Password recommend using the STAR (Situation, Task, Action, Result) framework to help you lay out your narrative.
Does preparing written questions in advance help you to feel at ease? Then we encourage you to do just that. Our interviewers love a two-way conversation, and this way, you’ll be able to focus on the conversation knowing you won’t forget the questions you had in mind.
Our hiring managers enjoy answering questions about their team, their management style, their vision for the role, and where they see the team moving in the future.
“Lead with honesty” helps us hold ourselves accountable and reminds us of the role we play in others’ growth. It encourages us to stay curious, ask questions that challenge the status quo, and continuously seek growth opportunities.
During your interview, don’t be afraid to own all that you’ve accomplished and learned along your professional journey. And don’t shy away from telling us about mistakes that turned into growth opportunities! Instead, demonstrate how you leaned into those opportunities and took them as a chance to be curious, adaptable, or resilient. This will help illustrate how you’d thrive and develop in your career at 1Password.
We hope that you’ll feel comfortable showing up to the interview as your authentic self. We’re eager to learn more about you as a person and the life experiences you bring with you. As you describe your past experiences as well as your goals for the future, we encourage you to share what drives you, what matters to you, and what you value.
To combat interview nerves and ground yourself in the moment, focus on practicing active listening, take the time to respond thoughtfully and honestly, and stay positive.
“Put people first” helps 1Password employees actively create a safe and inclusive space where everyone can thrive. It inspires us to celebrate each others’ contributions, make space for diverse voices, and work together to deliver results.
The interview is a chance to build a one-on-one connection with a potential future teammate. We encourage you to prepare questions specific about their experience: what it’s like to be on their team, the challenges they’re currently facing, what they’re excited to be working on, or what it’s like to be a part of our remote-first work environment.
Beyond the screening call, we conduct interviews on Zoom. We highly recommend practicing using Zoom if you haven’t before, and reviewing your settings ahead of time. If you’re comfortable doing so, we encourage you to add your pronouns to your Zoom profile so that our interviewers can refer to you using your pronouns.
On the day of your interview, an easy way to show respect for the interviewer’s time is to arrive promptly and aim to wrap up the conversation before the end of the allotted time.
The interview is an opportunity to contribute to a safe and inclusive space, as well as demonstrate how you’d continue to do so as a potential future member on the team. You can lead by example by sharing your pronouns when you introduce yourself if you are comfortable doing so, asking the interviewer to clarify the pronunciation of their name, and using inclusive language throughout the interview.
At 1Password, we take pride in our Diversity, Equity, Inclusion, and Belonging (DEIB) initiatives, so we invite you to ask questions about our DEIB programming or take some time to share what you’re passionate about.
We hope these tips help you to feel confident as you prepare for your interview. Ultimately, we want to make sure that you and 1Password are a great fit for each other. That’s not only for our benefit – it’s also for yours! We want you to work somewhere that’s going to make you feel fulfilled. We hope that you find these insights valuable as you continue on your journey towards applying and becoming a part of the 1Password team.
Visit our careers page to see our current openings and follow us on LinkedIn to stay updated on how we’re growing our teams.
The moment you’ve been waiting for has finally arrived. Passkey support is now available in 1Password, letting you create, manage, and sign in with passkeys on a growing number of websites and apps.
Starting today, you can save and sign in with passkeys using the desktop version of 1Password in the browser, as well as your iOS 17 and iPadOS 17 devices. You can also use 1Password on any device to view, organize, and share your saved passkeys.
It’s the most convenient and complete passkey experience.
There’s no better time to get started with Google, Nintendo, GitHub, and others turning on capabilities for passkeys this summer.
Visit our online passkey directory or open Watchtower in 1Password to discover which of your logins can be upgraded with a passkey.
Need a refresher on what passkeys are, and how they work? No problem. Passkeys are the future of account security and how we protect our private data. And they’re here to stay.
You can use passkeys to sign in to compatible websites and apps without entering a password. No magic links. No two-factor authentication codes. Just passwordless bliss.
Passkeys are secure, convenient to use, and backed by the largest companies in the world. Here are just a few reasons why you should start using passkeys in 1Password:
Signing in with passkeys is quick and hassle-free. You don’t have to memorize or type out anything when you sign in with a passkey. Find the login page or button and, if prompted, choose the passkey option. 1Password will then handle the rest.
Passkeys are secure. Unlike passwords, every passkey has two parts: a public key and private key. The private key isn’t shared with the service you’re signing in to. That’s why passkeys are resistant to phishing and can’t be stolen in data breaches.
You can sync your passkeys between devices. Passkeys are synced just like any other item saved in your password manager. You can access them on any device and any major web browser, and organize them using tags and vaults.
Ready to start using passkeys? Download the 1Password extension for one of the following browsers:
Next, find a site that supports passkeys. You can do this by browsing our passkey directory, or by opening Watchtower in 1Password, which now flags all of your existing logins that could be updated with a passkey.
Locate the site’s sign in page or button and follow the prompts to create a passkey. 1Password will ask which account and vault you’d like to save it in.
Here’s what you need to start using passkeys on your iPhone or iPad:
Google is working on Android 14 and APIs that will enable password managers like 1Password to create and use passkeys inside Chrome and any other app that has added passkey support.
1Password is ready and will support these APIs as soon as they’re available, giving you the option to save and sign in with passkeys on your Android 14 phones and tablets.
We know that every business is different. That’s why we’re letting 1Password Business admins choose when their team can start saving and using passkeys. To make your choice, sign in to 1Password.com and select Policies from the sidebar. Here, you’ll find an option that lets you enable and disable passkey support.
We’re proud to be at the forefront of passwordless authentication and offering the industry’s most complete passkey solution.
For years, 1Password has given you a safe place to store not only your passwords but everything else that’s important in your life, like credit cards, addresses, and medical records. Now, 1Password is the perfect home for your passkeys too. You can access your new login credentials anytime, anywhere. It’s the passwordless experience done right.
We’ll be keeping our ears to the ground to understand how we can build on what we’ve released today. Our goal is to go above and beyond your expectations, and we’re just getting started. Thank you for using 1Password during this exciting time.
Ready to create some passkeys? Learn how to get started with the desktop version of 1Password in the browser and 1Password for iOS.
Get started with passkeys in 1PasswordUnderstanding how passkeys fit into the existing landscape of security and authentication is what our ‘versus’ series is all about. The goal of authentication is to verify that the person trying to gain access to a secret (e.g. an account) has permission to access it.
In previous posts, we’ve compared passkeys to passwords, magic links, and 2FA and TOTP – now we’re going to dive into single sign-on (SSO).
Single sign-on authentication allows users to sign in to accounts using a single identity provider rather than individual credentials for each account. This means people don’t need to remember unique credentials for every account. Instead, they just have to log in to their SSO provider.
To learn more about a topic we could discuss for hours, check out our blog post on the differences between SSO and password managers, and why they make a great pair.
Passkeys are the cool new authentication kid on the block. They’re the next serious contender to shift people toward a simpler, safer authentication experience, one that traditional passwords could never provide.
Passkeys don’t require a password, magic link, or one-time code. Instead, you only need your biometric information or device passcode to access your passkey-protected accounts. Passkeys are quick and easy to use, and more secure than other authentication methods.
Now that we’ve got some basic definitions out of the way, let’s compare passkeys to SSO so you can better understand when and why you might choose one authentication method over another.
The purpose of authentication is to verify your identity to keep your accounts and data secure. But for most people, going through the sign-in process is just a necessary nuisance that slows them down. After all, no one actually enjoys the login process – it’s just a means to an end. That’s why improving the sign-in flow, especially the speed at which we sign in, is so valuable to workers and businesses alike.
The SSO process makes it so you only need to log in to one account – your SSO provider – in order to access the tools you need. This means you’re able to start working quickly since all your accounts are now accessible with a single sign on.
Passkeys are just as fast, in a different way.
While you still have to sign in to each account you’ve protected with a passkey, the process is quick, easy, and seamless. Scanning your fingerprint or face, or entering your device passcode, authorizes your passkey for use. The rest of the sign-in process takes place in milliseconds and entirely behind the scenes – you’ll be too busy getting on with your day to even notice how smooth the experience was. Passkeys are both seamless and passwordless.
But with signing in feeling so simple, there can be a feeling that your accounts aren’t as secure. That’s simply not the case. Both SSO and passkeys are secure authentication methods and also do a great job at reducing your risk of attack.
SSO reduces the total number of usernames and passwords required for each employee. That means there are fewer entry points to be targeted, and thus exploited. The biggest risk for SSO security is that it has a single point of failure. If your SSO account is compromised, then all the accounts within that system are also compromised. That’s why choosing a strong, unique password and storing it somewhere safe is crucial to keeping your secrets secure.
SSO reduces the total number of usernames and passwords required for each employee.
Passkeys, on the other hand, are created unique for each account, meaning a breach on one website won’t expose anything useful that can be used for that website or any other. That’s because passkeys use public-key cryptography, which means that each passkey is made up of two parts: a public key and a private key.
When you opt to protect an account with a passkey, the website or app stores your public key. When you return to sign in, you authorize the use of your private key, which is only ever stored on your device – unless you securely sync or share your passkeys.
For someone to sign in using your passkey, they would need access to your device to steal your private key (unless you’ve shared it) – something not easily achieved. This makes you a more complicated target than someone using traditional passwords.
No solution is without limitations.
Losing access to your saved secrets could be detrimental to your entire day, even if it is only temporary. From logging in to work applications to joining meetings, authentication is at the core of our workdays.
If your SSO provider experiences an outage, that means access to all connected sites is lost. Since SSO is used to sign in to multiple sites, your team won’t have access to the tools they need to complete their jobs. That’s lost productivity and lost business depending on how long it takes to get back up and running.
But if your team’s accounts are protected by passkeys, a provider outage might not be a problem. Of course, depending on how you choose to store your passkeys, you would have to create a plan should your storage solution experience an outage. And with passkeys you still need to consider storage, secure syncing across devices, and access control.
Whether it’s an SSO provider or the service you use to store your passkeys, losing access means a loss of productivity and business.
Now that we know what the differences and benefits of the two options are from security to usability, the question is: what’s easier to implement – SSO or passkeys? Well, it depends.
Different SSO providers have unique workflows that need to be considered with your own internal systems. Implementing SSO is complex and can be expensive.
Passkeys were designed to be both easy to use and secure. Employees can start using passkeys relatively quickly. All they have to do is set up passkeys to work with their biometrics or device passcode, and the login process will work seamlessly – and securely – in the background.
Not all websites and apps support passkeys at the moment. But the number that do is quickly growing, giving you more places to use this new, safer sign-in option.
The cost to your business to have employees start using passkeys rather than SSO would be minimal to none — especially if you’re already using 1Password. Passkeys you create and save in 1Password and are like any other items in your vaults. You can view, edit, move, and even share them with other people.
If your business is considering implementing passkey login for your own website, that can also be simple, since developers don’t have to start from scratch. Just as with passwords, off-the-shelf solutions exist for passkeys as well. Passage by 1Password has two options to help developers add passkey support to any website or app.
Why not both?
Ever heard the saying that too much of a good thing is bad? That’s not the case when it comes to SSO and passkeys!
While passkeys are leading the charge to a passwordless future, SSO still has a necessary part to play in business and enterprise security. We would even argue that businesses will be more secure if they use both methods in tandem.
SSO gives admins a high degree of access control. For example, you can choose exactly which employees are able to create a Google Workspace account with their work email address. Passkeys are unlikely to replace SSO in a business setting but will be a secure way to protect everything not covered by SSO.
Protect the majority of accounts with SSO, and the others – including the SSO accounts – with strong passkeys.
Speaking of things that work well together, many SSO providers allow you to sign in with a passkey rather than the traditional username/password combination. This means organizations keep the administrative powers of SSO while reducing the risk of employees using weak or reused passwords.
The two systems work well in tandem to make securing your entire business less stressful. Protect the majority of accounts with SSO, and the others – including the SSO accounts – with strong passkeys.
Unlock 1Password with SSO, then create, save, and sign in to accounts with passkeys using 1Password (currently in beta).
Get our latest passkey updates delivered right to your inbox, as well as guides, interviews, and other interesting articles about the next generation of sign-in technology.
Subscribe to Beyond PasswordsData. Breach. We see these two words all the time in the news, on social media, and in company emails notifying us that our information might have been affected.
(You may have read about one affecting a password manager recently.)
Data breaches occur so frequently that it’s easy to tune out or convince yourself they’re not worth paying attention to. “Are these breaches really all that bad?” “Is anything really going to happen if I ignore a breach that might have affected one of my personal accounts?”
It’s never been more important to be proactive when you hear about a data breach that affects one of your online accounts. To do this, you don’t need to be a security professional or devour the news every day. You simply need to know the potential impacts of data breaches, and how the right tools can help you quickly and effectively respond to them.
Let’s start with a quick data breach definition. The term refers to any security incident where a criminal gains access to sensitive data, such as financial information or social security numbers. Data obtained via a data breach can be sold on the dark web, held under ransom for payment, or leaked to the public. Attackers utilize many different techniques to sneak past their target’s digital defenses, such as social engineering.
Now, let’s dig into how a data breach can affect you.
Some services protect their users’ login details better than others. If a company is breached and they haven’t been following best security practices, it’s possible that an attacker could obtain your login credentials and try to sign in to your personal account.
If the thief gains access to your account, they could try to change the password. This would be like someone running inside your house while you’re on vacation and changing the locks on your doors. People have been locked out of accounts before this way.
Many people use the same password, or just a handful or different passwords, for all of their online accounts. While convenient, it’s also a security risk.
If a company is breached and your password is exposed, an attacker might use a technique called credential stuffing to test whether they can use that same login credential to sign in to any of your other online accounts.
For example, imagine an attacker obtains a password for one of your less important accounts, like a shopping website. A thief might wonder whether that same password can grant them access to higher-value accounts, like your online banking.
To get the most out of the internet, we often have to share some of our sensitive personal information. You might have shared your full name with a social media platform, your home address with an e-commerce company, or your date of birth with a streaming service.
If one of these services is breached, it’s possible that some of the information you shared with them will be exposed. Attackers want these personal details because they can help them access your other accounts and effectively impersonate you (more on that later).
Some of your accounts will likely be tied to paid services. In these situations, you’ll likely be asked to enter a credit or debit card. That could be for a subscription, to complete individual orders, or for services like OpenAI, which charge based on your usage.
Companies should take appropriate measures to safeguard your financial information. Unfortunately, this isn’t always the case. Some breaches have exposed customers' financial information before, allowing attackers to make fraudulent transactions.
A knock-on effect of a data breach can be impersonation. If an attacker obtains one of your passwords and successfully signs in to the associated account, they might try to use that access to manipulate someone else. A criminal could pose as you and ask someone you know to transfer them money, or share a password for a work-related account.
Similarly, if a criminal obtains some of your personal details, like your full name, current address, and date of birth, they can use this to impersonate you. Many companies will ask security questions, for example, that can be answered correctly using this information.
1Password makes security simple. Here’s how our password manager helps you minimize and avoid the impact of a data breach:
No-one can keep track of every breach happening around the world. With Watchtower, you don’t have to. 1Password’s digital lookout monitors the world-renowned Have I Been Pwned database and will alert you if any of your saved passwords appear in a known data breach.
These notifications ensure you know about relevant breaches as soon as possible. Armed with this information, you can update the exposed password to something new, strong and unique, shutting attackers out of the account before they can cause any trouble.
Okay, but what happens if your password manager has been breached? It’s an understandable concern, especially if you’ve read recent headlines. The good news is that if you’re a 1Password customer, there’s nothing you need to do and no reason to worry.
If there was an attack on 1Password’s servers, the best an attacker could hope to find is an encrypted copy of your vault data. The criminal wouldn’t be able to read this data without two pieces of information:
Some password managers only rely on an account password to encrypt your data. 1Password goes a step further by utilizing…
Together, your account password and Secret Key form an incredibly strong encryption key that’s challenging – and in practical terms, virtually impossible – for a hacker to crack.
Breaches do occur, and are likely to continue occurring for the foreseeable future. No defense is perfect, which is why security incidents can happen to companies large and small, including those that develop password managers.
If you don’t work in security, it can be tempting to bury your head in the sand. But there’s a better choice: be proactive and update exposed passwords before they’re exploited by criminals.
With a password manager like 1Password, you can create strong passwords and use two-factor authentication everywhere it’s offered. Our security model also ensures your vault data is effectively useless to attackers, even if they somehow got their hands on it.
1Password’s built-in Watchtower also helps you respond to any data breach so you can lock down your accounts before attackers have a chance to do any damage.
Don’t wait for a breach to impact your data. Instead, stay secure with just a few simple steps.
Using another password manager and concerned about the security of your data? Switch to 1Password and protect your online accounts with best-in-class security.
Start your switchDISCLAIMER:
* Copyrights belong to each article's respective author.
** Article links lead to external websites, where you will be tracked, most likely.
DISCLAIMER:
* Copyrights belong to each article's respective author.
** Article links lead to external websites, where you will be tracked, most likely.
Founder and CEO, Gabriel Weinberg, celebrates DuckDuckGo's past, present, and future:
Fifteen years ago, I launched DuckDuckGo from my basement in Valley Forge, Pennsylvania, hoping to offer a user-centric alternative to Google. This was 2008 – years before Snowden, a decade before Cambridge Analytica, and more broadly before the world had started to realize the scary power and creepy surveillance of companies like Google and Facebook.
Growth was very slow at first. It was just me behind the scenes for quite a while, putting together the search engine and asking people for feedback. I realized DuckDuckGo was resonating with people when things really started to pick up in 2011, so I started building out the team (many of whom are still at the company today) and we established our company vision to raise the standard of trust online.
Today, that vision remains the same. Fifteen years later we've built something truly rare in tech: a healthy, profitable company that protects user privacy, instead of exploiting it.
People care about their online privacy. That's what fuels our growth. According to a recent Forrester study, 87% of US online adults “use at least one privacy- or security-protecting tool online.”
While our product started as a search engine, today it’s a free, mobile and desktop browser with our private search engine built-in, along with more than a dozen other tracking protections, many that are unique to DuckDuckGo (if you want to know more about them, I’ve added a list below). This is combined with the simple promise laid out in our Privacy Policy: we don’t track you.
We design our product so that this uniquely comprehensive and overlapping set of privacy protections is seamless to users: it just works without having to know anything about the technical details or deal with complicated settings. All you have to do is switch your browser to DuckDuckGo across all your devices and you get privacy by default.
I’ve always believed that the easier we can make getting online privacy, the more people will switch to DuckDuckGo. That’s why our browser and browser extensions have been downloaded more than 250 million times. This has propelled our search engine to hold the #2 position in mobile market share and #3 overall in the U.S. and over 20 other major markets including the UK, Germany, France, India, Australia, and Canada. Over the past three years alone, people have made more than 100 billion private searches on DuckDuckGo.
I want to thank everyone who has and continues to use and support DuckDuckGo. We appreciate you!
And, to those who aren't users, we'd love for you to give us a try, or another try if it’s been a while since the last time. We’ve been continually improving our core search, browse, and email experiences. Looking forward, you’ll see DuckDuckGo introduce new product experiences that similarly work together to help you protect even more of what you do online.
I continue to believe there remains huge, pent-up demand for privacy-respecting alternatives to Google if it were easier to switch search and browser defaults across devices. That is, I believe we’d be much bigger, perhaps as much as ten times bigger, if it wasn’t for Google’s anticompetitive tactics.
In any case, with ever-increasing exploitation of personal data by Google, Facebook, and others, we believe our work is as important as ever. That’s why we’ll remain laser-focused on our product vision of being the “easy button” for privacy.
Now that you know more about what we do and why we do it, I thought I’d also share some things you might not know from our past 15 years:
Your privacy is constantly under threat by companies using your personal data, leaking it, or even selling it to others and then using it to try to manipulate you with creepy ads, discriminate against you, and more. To help prevent this from happening, DuckDuckGo browsers offer the most comprehensive privacy protection by default without breaking your online experience. Because trackers are always working to get around privacy protections, we’ve layered on many types of unique and innovative protections by default that don’t exist in most browsers or browser extensions. We’re continually working to improve these protections while also introducing new protections to address emerging threats.
For those interested, here’s some more info on our various privacy protections:
You get all of this with one download, and more is coming – stay tuned!
DuckDuckGo for Windows is available now at duckduckgo.com/windows! Making the switch is easy; new users can import bookmarks and passwords from other browsers and password managers.
Banish cookie consent pop-ups with Cookie Pop-up Management.
Windows users, this one’s for you! Starting today, our desktop browser for Windows is officially in public beta – no invite codes, no waiting list, just a fast, lightweight browser that makes the Internet less creepy and less cluttered. DuckDuckGo for Windows is already equipped with nearly all the privacy protections and everyday features that users know and trust from our iOS, Mac, and Android browsers – and it’s getting closer to parity with those browsers every day. (More info in the “What’s Next” section below.)
DuckDuckGo for Windows comes with these best-in-class privacy protections switched on by default, leading to a better everyday user experience. By blocking trackers before they load, for example, our desktop browsers use about 60% less data than Chrome. Switching is easy, too; you can import passwords and bookmarks from another browser or password manager in just a few clicks.
Relative to Mac users, Windows users work across a wider variety of hardware and software configurations. During our brief closed beta period, we’ve been gathering testers’ feedback and making improvements to meet as many of those needs as possible, but we haven’t tested every configuration yet, so if you do see any issues, please send feedback!
The browser doesn’t have extension support yet, but we plan to add it in the future. In the meantime, we’ve built the browser to include features that meet the same needs as the most popular extensions: ad-blocking and secure password management.
“This is fast and smooth for performance. It appears to be light on resources—well done!”
“For a beta version, I am extremely impressed thus far with everything about the Windows app. I often forget it is a beta at times, given how well it performs and how protected I feel.”
“I love the cookie manager. It is a wow moment. Keep up the good work, buddies!”
“Wow, this is incredible! Very, very smooth. Excellent browsing experience.”
“Want to know the best feature in DuckDuckGo browsers? It is Duck Player. Install the browser and open a YouTube video. No ads...it plays the video directly. Bye bye, YouTube ads.”
DuckDuckGo for Windows was built with your privacy, security, and ease of use in mind. It’s not a “fork” of any other browser code; all the code, from tab and bookmark management to our new tab page to our password manager, is written by our own engineers. For web page rendering, the browser uses the underlying operating system rendering API. (In this case, it's a Windows WebView2 call that utilizes the Blink rendering engine underneath.)
Our default privacy protections are stronger than what Chrome and most other browsers offer, and our engineers have spent lots of time addressing any privacy issues specific to WebView2, such as ensuring that crash reports are not sent to Microsoft. (For a more private Windows experience overall, we recommend that you disable optional diagnostic data in Windows under Settings > Privacy & security > Diagnostics & feedback > Send optional diagnostic data.)
DuckDuckGo for Windows has come a long way in this short time, and it will only keep improving from here. We’re hard at work right now on achieving full parity with the Mac browser, including improvements like faster startup performance, the ability to pin tabs, HTML bookmark import, more options for the Fire Button, and additional privacy features like Fingerprinting Protection, Link Tracking Protection, and Referrer Tracking Protection. As mentioned above, private password and bookmark syncing is also coming soon.
In the meantime, please keep the feedback coming; it helps a lot! There’s an anonymous feedback form in the app's three-dot menu, right under the Fire Button. DuckDuckGo believes in open sourcing our apps and extensions whenever possible; we ultimately plan to do so for DuckDuckGo for Windows, too.
Visit duckduckgo.com/windows to get the browser today, and stay tuned for more!
Update April 12, 2023: We're very proud of DuckAssist and the great feedback it received from users. Unfortunately, DuckAssist is no longer available on DuckDuckGo Private Search.
Generative artificial intelligence is hitting the world of search and browsing in a big way. At DuckDuckGo, we’ve been trying to understand the difference between what it could do well in the future and what it can do well right now. But no matter how we decide to use this new technology, we want it to add clear value to our private search and browsing experience.
Today, we’re giving all users of DuckDuckGo’s browsing apps and browser extensions the first public look at DuckAssist, a new beta Instant Answer in our search results. If you enter a question that can be answered by Wikipedia into our search box, DuckAssist may appear and use AI natural language technology to anonymously generate a brief, sourced summary of what it finds in Wikipedia — right above our regular private search results. It’s completely free and private itself, with no sign-up required, and it’s available right now.
This is the first in a series of generative AI-assisted features we hope to roll out in the coming months. We wanted DuckAssist to be the first because we think it can immediately help users find answers to what they are looking for faster. And, if this DuckAssist trial goes well, we will roll it out to all DuckDuckGo search users in the coming weeks.
DuckAssist is available to try right now through our browsing apps and browser extensions
DuckAssist is a new type of Instant Answer in our search results, just like News, Maps, Weather, and many others we already have. We designed DuckAssist to be fully integrated into DuckDuckGo Private Search, mirroring the look and feel of our traditional search results, so while the AI-generated content is new, we hope using DuckAssist feels second nature.
DuckAssist answers questions by scanning a specific set of sources — for now that’s usually Wikipedia, and occasionally related sites like Britannica — using DuckDuckGo’s active indexing. Because we’re using natural language technology from OpenAI and Anthropic to summarize what we find in Wikipedia, these answers should be more directly responsive to your actual question than traditional search results or other Instant Answers.
For this initial trial, DuckAssist is most likely to appear in our search results when users search for questions that have straightforward answers in Wikipedia. Think questions like “what is a search engine index?” rather than more subjective questions like “what is the best search engine?”. We are using the most recent full Wikipedia download available, which is at most a few weeks old. This means DuckAssist will not appear for questions more recent than that, at least for the time being. For those questions, our existing search results page does a better job of surfacing helpful information.
As a result, you shouldn’t expect to see DuckAssist on many of your searches yet. But the combination of generative AI and Wikipedia in DuckAssist means we can vastly increase the number of Instant Answers we can provide, and when it does pop up, it will likely help you find the information you want faster than ever.
DuckAssist joins many other Instant Answers on DuckDuckGo’s private search results
Generative AI technology is designed to generate text in response to any prompt, regardless of whether it “knows” the answer or not. However, by asking DuckAssist to only summarize information from Wikipedia and related sources, the probability that it will “hallucinate” — that is, just make something up — is greatly diminished. In all cases though, a source link, usually a Wikipedia article, will be linked below the summary, often pointing you to a specific section within that article so you can learn more.
Nonetheless, DuckAssist won’t generate accurate answers all of the time. We fully expect it to make mistakes. Because there’s a limit to the amount of information the feature can summarize, we use the specific sentences in Wikipedia we think are the most relevant; inaccuracies can happen if our relevancy function is off, unintentionally omitting key sentences, or if there’s an underlying error in the source material given. DuckAssist may also make mistakes when answering especially complex questions, simply because it would be difficult for any tool to summarize answers in those instances. That’s why it’s so important for our users to share feedback during this beta phase: there’s an anonymous feedback link next to all DuckAssist answers where you can let us know about any problems, so we can identify where things aren’t working well and take quick steps to make improvements.
DuckAssist is anonymous, with no logging in required. It’s a fully integrated part of DuckDuckGo Private Search, which is also free and anonymous. We don’t save or share your search or browsing history when you search on DuckDuckGo or use our browsing apps or browser extensions, and searches with DuckAssist are no exception. We also keep your search and browsing history anonymous to our search content partners — in this case, OpenAI and Anthropic, used for summarizing the Wikipedia sentences we identify. As with all other third parties we work with, we do not share any personally identifiable information like your IP address. Additionally, our anonymous queries will not be used to train their AI models. And anything you share via the anonymous feedback link goes to us and us alone.
If DuckAssist has already answered a question on the same topic, its response will appear automatically
We’ve used Wikipedia for many years as the primary source for our “knowledge graph” Instant Answers, and, while we know it isn’t perfect, Wikipedia is relatively reliable across a wide variety of subjects. Because it’s a public resource with a transparent editorial process that cites all the sources used in an article, you can easily trace exactly where its information is coming from. Finally, since Wikipedia is always being updated, DuckAssist answers can reflect recent understanding of a given topic: right now our DuckAssist Wikipedia index is at most a few weeks old, and we have plans to make it even more recent. We also have plans to add more sources soon; you may already see some signs of that in your results!
• Phrasing your search query as a question makes DuckAssist more likely to appear in search results.
• If you’re fairly confident that Wikipedia has the answer to your query, adding the word “wiki” to your search also makes DuckAssist more likely to appear in search results.
• For now, the DuckAssist beta is only available in English in our browsing apps (iOS, Android, and Mac) and browser extensions (Firefox, Chrome, and Safari). If the trial goes well, we plan to roll it out to all DuckDuckGo search users soon.
• If you don’t want DuckAssist to appear in search results, you can disable “Instant Answers” in search settings. (Note: this will disable all Instant Answers, not just DuckAssist.)
• If DuckAssist has generated an answer for a given topic before, the answer will appear automatically. Otherwise, you can click the ‘Ask’ button to have an answer generated for you in real time.
2022 marks DuckDuckGo's twelfth year of donations—our annual program to support organizations that share our vision of raising the standard of trust online. This year, we're proud to donate to a diverse selection of organizations across the globe that strive for better privacy, digital
2022 marks DuckDuckGo's twelfth year of donations—our annual program to support organizations that share our vision of raising the standard of trust online. This year, we're proud to donate to a diverse selection of organizations across the globe that strive for better privacy, digital rights, greater competition in online markets, and access to information free from algorithmic bias.
This year, we've been able to increase our donation amount to $1,100,000, bringing the total over the past decade to $4,750,000. Everyone using the Internet deserves simple and accessible online protection; these organizations are all pushing to make that a reality. We encourage you to check out their valuable work below, alongside details about how our funds were allocated this year.
$125,000 to the Electronic Frontier Foundation (EFF)
"EFF is an essential champion of user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development--and has been since our founding in 1990."
$125,000 to Fight for the Future
"Fight for the Future harnesses the power of the Internet to channel outrage into action, defending our most basic rights in the digital age. They fight to ensure that technology is a force for empowerment, free expression, and liberation rather than tyranny, corruption, and structural inequality."
$125,000 to The Markup
"The Markup is a nonprofit newsroom that investigates how powerful institutions are using technology to change our society."
$125,000 to Public Knowledge
"Public Knowledge promotes freedom of expression, an open internet, and access to affordable communications tools and creative works. We work to shape policy on behalf of the public interest."
$125,000 to Signal
"Signal Technology Foundation develops open source privacy technology that protects free expression and enables secure global communication."
$25,000 to Access Now
"Access Now defends and extends the digital rights of people and communities at risk by combining direct technical support, strategic advocacy, grassroots grantmaking, and convenings such as RightsCon."
$25,000 to Algorithmic Justice League
"AJL's current mission is to raise public awareness about the impacts of AI, equip advocates with resources to bolster campaigns, build the voice and choice of the most impacted communities, and galvanize researchers, policymakers, and industry practitioners to prevent AI harms."
$25,000 to Article19
"Established in 1987, ARTICLE 19 is an international think-do organization that defends freedom of expression, fights against censorship, protects dissenting voices, and advocates against laws and practices that silence individuals, both online and offline."
$25,000 to the Australia Institute's Centre for Responsible Technology
"The Australia Institute’s Centre for Responsible Technology develops public policy and research that advocate for a fairer and healthier online experience and gives back agency to individuals in our networked world."
$25,000 to Bits of Freedom
"Bits of Freedom shapes internet policy in the Netherlands and Brussels through advocacy, campaigning and litigation, because we believe in an open and just society, in which people can hold power accountable and effectively question the status quo."
$25,000 to the British Institute for International and Comparative Law
"The Competition Law Forum is a centre of excellence for European competition and antitrust policy and law at the British Institute of International and Comparative Law (BIICL)."
$25,000 to the Center for Critical Internet Inquiry
“C2i2 is a critical internet studies research center and community, committed to social justice, policy and human rights.”
$25,000 to the Detroit Community Technology Project (DCTP)
"Detroit Community Technology Project builds healthy digital ecosystems by training Digital Stewards and supporting the development of community governed internet networks."
$25,000 to European Digital Rights (EDRi)
"The EDRi network is a dynamic and resilient collective of NGOs, experts, advocates and academics working to defend and advance digital rights across the continent - for almost two decades, it has served as the backbone of the digital rights movement in Europe."
$25,000 to Freiheitsrechte (GFF)
"The GFF (Gesellschaft für Freiheitsrechte / Society for Civil Rights) is a Berlin-based non-profit NGO founded in 2015. Its mission is to establish a sustainable structure for successful strategic litigation in the area of human and civil rights in Germany and Europe."
$25,000 to the Internet Economy Foundation (IE.F)
"The IE.F is an independent think-tank based in Berlin that is dedicated to ensuring fair competition in the Internet economy and fostering a vibrant European digital ecosystem."
$25,000 to OpenMedia
"OpenMedia works to keep the Internet open, affordable, and surveillance-free. We create community-driven campaigns to engage, educate, and empower people to safeguard the Internet."
$25,000 to the Open Rights Group
"Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect our rights to privacy and free speech online."
$25,000 to the Open Source Technology Improvement Fund (OSTIF)
"OSTIF, or The Open Source Technology Improvement Fund, is a corporate non-profit dedicated to improving the security of critical open-source projects. This is done mainly by facilitating and managing security reviews and associated work for projects and organizations. In the last year, OSTIF was responsible for the identifying and fixing of more than 50 critical and high severity vulnerabilities and 250 more bug fixes in widely adopted projects."
$25,000 to Privacy Rights Clearinghouse
"Privacy Rights Clearinghouse works to make data privacy more accessible to all by empowering people and advocating for positive change."
$25,000 to Restore the Fourth
"Restore the Fourth is a grassroots, volunteer-run, nonpartisan civil liberties group that opposes mass government surveillance, protects privacy, and promotes the Fourth Amendment."
$25,000 to the Surveillance Technology Oversight Project (STOP)
"The Surveillance Technology Oversight Project (S.T.O.P.) advocates and litigates for privacy, working to abolish local governments’ systems of discriminatory mass surveillance."
$25,000 to the Technology Oversight Project
"Through engaging with lawmakers, exposing false narratives and bad actors, and pushing for landmark legislation, The Tech Oversight Project seeks to hold tech giants accountable for their anti-competitive, corrupting, and corrosive influence on our society and the levers of power."
$25,000 to the Tor Project
"At the Tor Project, we believe everyone should be able to explore the internet with privacy. We advance human rights and defend your privacy online through free, open source software and the decentralized Tor network."
App Tracking Protection for Android is launching into open beta today. It's a free feature in the DuckDuckGo Android app that helps block 3rd-party trackers in the apps on your phone (like Google snooping in your weather app) – meaning more comprehensive privacy and less creepy targeting.
With the App Tracking Protection 'Activity Report', you can see which 3rd-parties are trying to track you.
You may have heard of Apple’s App Tracking Transparency (ATT), a feature for iPhones and iPads that asks users whether they want to allow third-party app tracking or not in each of their apps (with the majority of people choosing “not”). But most smartphone users worldwide actually use Android. So, we’re offering Android users something even more powerful: enable our App Tracking Protection and we'll automatically block all the hidden trackers we can identify as blockable across your apps.
App Tracking Protection beta users have been surprised to see how many tracking attempts the feature is blocking.
The Trouble with App Trackers
The average Android user has 35 apps on their phone. Through our testing, we’ve found that a phone with 35 apps can experience between 1,000-2,000 tracking attempts every day and contact 70+ different tracking companies.
Imagine you’re spending a lazy Sunday afternoon playing around with apps on your phone; keeping an eye on flight prices for a getaway (Southwest Airlines app), checking out a house your friend has been raving about (Zillow app), seeing if those concert tickets have gone on sale yet (SeatGeek app), and checking the weather (Weather Network app).
Within these four apps alone, 45+ tracking companies are known to collect personal data like your precise location, email address, phone number, time zone, and a fingerprint of your device (like screen resolution, device make and model, language, local internet provider, etc.) that can be used to identify you. With App Tracking Protection, you can now see exactly what the trackers are typically trying to collect, which we're helping block from happening.
In the Android app, when you use App Tracking Protection, you can see the personal data we're blocking 3rd-party trackers from getting.
But what are they doing with all that information? Personal data companies like Facebook and Google use that information to build a profile that advertisers and content-targeting companies use to influence what you see online.
You could get ads about your mom’s toothpaste brand after spending time at her house (no, not a coincidence – check out this thread), be bombarded with pregnancy-related ads and content after pregnancy loss or see drug-related ads or articles about diseases you learned about on WebMD. The examples are endless. It can feel like you're being listened to, but in reality it’s not that someone is listening to your conversations, it's that your activity is being relentlessly tracked and analyzed!
The problems with all this information collection go way beyond so-called “relevant” (aka creepy) advertising and targeting. Tracking networks can sell your data to other companies like data brokers, advertisers, and governments, resulting in more substantial harms like ideological manipulation, discrimination, personal price manipulation, polarization, and more.
DuckDuckGo for Android, our all-in-one privacy solution, can help. Our app was already protecting you across search, browsing, and email. Now, with App Tracking Protection, you’re getting a lot of protection from 3rd-party app trackers, too.
How App Tracking Protection for Android Works
When App Tracking Protection is enabled, it will detect when other apps on your phone are about to send data to any of the 3rd-party tracking companies in our app tracker dataset, and block most of those requests. And that’s it! You can continue to use your apps as usual, and App Tracking Protection works in the background to block trackers whenever it finds them, even while you sleep.
The DuckDuckGo app on Android also offers a real-time view of App Tracking Protection’s results, including which tracking network is associated with each app and what data they're known to collect. If you have notifications on, you’ll also get automatic summaries if you want them.
To keep you up-to-date, we send automatic summaries about the app tracker blocking happening behind the scenes.
App Tracking Protection uses a local “VPN connection,” which means that it works its magic right on your smartphone and without sending app data to DuckDuckGo or other remote servers. That is, App Tracking Protection does not route your app data through external companies (including ours).
We Still Want to Hear from You!
As we work through the beta phase, there are a small number of apps being excluded because they rely on tracking to work properly, like browsers and apps with in-app browsers. Throughout the waitlist period, we've reduced this number by half and also dropped the exclusion for games. We look forward to reducing this list even more.
To send us general feedback or report issues with the DuckDuckGo app: open Settings > Share Feedback (in the Other section). If you run into issues with another app on your smartphone as a result of App Tracking Protection, you can disable protection for just that app under "Having Problems With An App". You'll then be asked to give details of the problem you experienced. Your feedback greatly helps our team continue improving App Tracking Protection and we appreciate it!
Get Started:
To get access to the beta of App Tracking Protection, find it in your settings.
Signing up is easy! Here are four of the simple steps to automatic app tracker blocking.
Forget going “incognito” with other browsers that don’t actually deliver substantive web tracking protection; you deserve privacy all the time, with built-in protections that make the Internet less creepy and less cluttered. Equipped with new and improved features for everyday use, DuckDuckGo for Mac is here to clean up the web as you browse. (And yes, you can import all your passwords and bookmarks from other browsers and password managers – so switching is quick and easy!)
The privacy protections built into DuckDuckGo for Mac add up to a better user experience; by blocking trackers before they load, for example, DuckDuckGo for Mac uses about 60% less data than Chrome. The desktop app includes the built-in privacy protections you know and trust from our mobile apps – which now see over 50M downloads a year – including multiple layers of defense against third-party trackers, secure link upgrading with Smarter Encryption, and our Fire Button to instantly clear recent browsing data. An all-in-one app that aims to be the “easy button” for privacy, DuckDuckGo for Mac has no fiddly privacy settings to adjust – our foundational protections are on by default, so you can get back to browsing.
Since announcing the waitlist beta in April, we’ve been listening to beta testers’ feedback and making even more improvements to meet your needs. We added a bookmarks bar, pinned tabs, and a way to view your locally stored browsing history. Our Cookie Consent Pop-Up Manager can now handle cookie pop-ups on significantly more sites, automatically choosing the most private option and sparing you from annoying interruptions.
Keep pop-ups at bay with our automatic cookie consent manager
The app also lets you activate DuckDuckGo Email Protection on desktop, protecting your inbox with email tracker blocking and private @duck.com addresses. While we work on browser extension support that meets our high standards of privacy and quality, we’re building in more features that meet the same needs as the most popular extensions: ad-blocking and secure password management. These new features will become available across our other platforms in the near future.
Cleaning up YouTube with Duck Player – fewer creepy ads, fewer distractions: Want a more-private way to watch YouTube videos in peace? Duck Player protects you from targeted ads and cookies with a distraction-free interface that incorporates YouTube’s strictest privacy settings for embedded video. Any ads you see within Duck Player will not be personalized; in our testing, this prevented ads on most videos altogether. YouTube still registers your views, so it’s not totally anonymous, but none of the videos you watch in Duck Player contribute to your YouTube advertising profile or suggest distracting personalized recommendations. The feature can be always-on, ready to go whenever you click a YouTube link, or you can opt in on specific videos – perfect for when you’re sharing your screen, using a shared device, or just trying to stay focused. It’s equally easy to get back to the default version of YouTube whenever you want.
Open YouTube links in Duck Player for more-private viewing
Eliminating invasive ads as you browse: DuckDuckGo for Mac has always blocked invasive trackers before they load, effectively eliminating the ads that rely on that creepy tracking. (Because so many ads work that way, you’ll see way fewer ads.) Today, we’ve made another big improvement: we’re cleaning up the whitespace left behind by those ads for an efficient, distraction-free look without the need for a separate ad blocker.
More choices for secure password management: Our browser includes our own secure and easy-to-use password manager that can automatically remember and fill in login credentials and suggest random passwords for new logins. (It can also securely save addresses and payment methods.) Our autofill experience is continually improving and will roll out on our mobile apps soon.
This works for most users, especially since you can import passwords. But we understand some folks want to continue using third-party password management across browsers and devices. So, we’ve teamed up with Bitwarden, the accessible open-source password manager, in the first of what we hope to be several similar integrations. In the coming weeks, Bitwarden users will be able to activate this seamless two-way integration in their browser settings. DuckDuckGo for Mac is also compatible with 1Password’s new universal autofill feature.
Easily autofill your Bitwarden passwords in DuckDuckGo for Mac
“The DuckDuckGo browser has been a breath of fresh air, a lightweight and snappy browser that isn't a gamified gimmick and doesn’t sell my browsing history to advertisers. Its clean and familiar UI allowed me to switch with no hassle. I would definitely recommend more people switching as soon as they can.”
“The automatic cookie settings feature is awesome!!!”
“I love the UI of this app! Very clean and minimalist. Also, it really is blazing fast. I appreciate the careful consideration into design and performance with the use of the internal rendering engine. Thank you for all your work!”
“DuckDuckGo is replacing Google Chrome on my Mac and I love it.”
“I’ve been using [DuckDuckGo for Mac] for several months and I have to say, I love the simplicity and privacy. We’ve tossed a lot of stuff into browsers over the years to get privacy and speed. This achieves both with much less.”
We built DuckDuckGo for Mac with privacy, security, and simplicity in mind. Our default privacy settings are stronger than what most other browsers offer, and you don’t need to sift through obscure menus to turn them on. DuckDuckGo for Mac is not a “fork” of Chromium, or any other browser code. All the app code – tab and bookmark management, our new tab page, our password manager, etc. – is written by our own engineers. For rendering, it uses a public macOS API, making it super compatible with Mac devices. DuckDuckGo believes in open sourcing our apps and extensions whenever possible, and we plan to do so for DuckDuckGo for Mac before it moves out of beta.
We’re proud of how far DuckDuckGo for Mac has come in this short time, and it will only get better from here! Users will soon be able to sync DuckDuckGo bookmarks and passwords across devices. We’ll also be adding more built-in features that offer native alternatives to more popular extensions. Please keep the feedback coming; we're listening! (You can find the feedback form in the app's three-dot menu, right under the Fire Button.)
Before you ask, yes, our Windows browser is still on the way! DuckDuckGo for Windows is in an early friends and family beta, with a private waitlist beta expected in the coming months. (Right now, Mac and Windows are the only desktop platforms we’re focusing on.) Stay tuned for updates. And if you’re interested in working on our desktop apps, we’re hiring remotely, worldwide.
On Tuesday September 13th, 13 privacy-focused technology companies representing more than 100 million users in the United States published a letter to U.S. Congressional Leadership imploring them to support the American Innovation and Choice Online Act (AICOA) and bring it to a floor vote as soon as possible.
Incessant data collection and tech monopolies are inherently linked: the more data they collect and use to influence user decision making, the stronger their grip on industry becomes, leaving users feeling like they have no option but to accept a lack of privacy to use the Internet. However, users do have choices when it comes to the services they use, and they do not have to accept services that have made it their business to abuse user privacy. If the American Innovation and Choice Online Act (AICOA) becomes law, millions of Americans will have better access to Internet services with more privacy and less data-driven targeting and manipulation.
U.S. Senator Chuck Schumer U.S. Senator Mitch McConnell
Senate Majority Leader Senate Minority Leader
U.S. Senator Dick Durbin U.S. Senator John Thune
Senate Majority Whip Senate Minority Whip
U.S. Representative Nancy Pelosi U.S. Representative Kevin McCarthy
Speaker of the House House Minority Leader
U.S. Representative Steny Hoyer U.S. Representative Steve Scalise
House Majority Leader House Minority Whip
RE: Support for S. 2992/H.R. 3816, The American Innovation and Choice Online Act.
Dear U.S. Congressional Leadership:
We, the undersigned privacy companies and organizations, urge Congress to schedule floor votes for the American Innovation and Choice Online Act (AICOA) as soon as possible. This bill has been delayed for far too long and the American public deserves the kind of innovative online ecosystem it would create.
Our companies and organizations offer privacy protective alternatives to the services provided by dominant technology companies. While more and more Americans are embracing privacy-first technologies, some dominant firms still use their gatekeeper power to limit competition and restrict user choice. We implore you to pass AICOA as it would remove barriers for consumers to freely select privacy protective services.
Massive tech platforms can exert influence over society and the digital economy because they ultimately have the power to collect, analyze, and monetize exorbitant amounts of personal information. This is not by accident, as some of the tech giants have intentionally abused their gatekeeper positions to lock users into perpetual surveillance while simultaneously making it difficult to switch to privacy-protective alternatives. These monopolist firms: use manipulative design tactics to steer individuals away from rival services; restrict the ability of competitors to interoperate on the platform; use non-public data to benefit their services or products; and make it impossible or complicated for users to change their default settings or uninstall apps. Such tactics deprive consumers of the innovative offerings an open and vibrant market would yield.
Passage of AICOA is critical to protecting the privacy of American consumers. These self-preferencing tactics keep consumers stuck in an ecosystem of constant tracking by making it needlessly difficult for users to choose alternative privacy-respecting products and services. This is not how a truly free market operates, which is why commonsense reforms are necessary to combat the most egregious anticompetitive tactics and spur innovation that will increase the options available to American consumers. That’s why we support the AICOA and ask that it be scheduled for a vote. The AICOA will improve the internet in many ways and, most importantly, remove barriers that have been erected to block Americans from enjoying more privacy online.
Sincerely,
Andi
Brave
Disconnect
DuckDuckGo
Efani Secure Mobile
Fathom Analytics
Malloc
Mozilla
Neeva
Proton
Skiff
Thexyz Inc.
Tutanota
You.com
[Post updated December 19th, 2022 to reflect the addition of Skiff.]
Why Block Email Trackers or Hide Your Email Address?
Have you ever entered your email for a loyalty program or coupon and started getting emails from companies you didn’t subscribe to? Or noticed ads following you around after clicking on an email link? You’re not alone! There are multiple ways companies can use your email to track you, target you with ads, and influence what you see online. They can even share your personal information with third parties – all without your knowledge.
Companies embed trackers in images and links within email messages, letting them collect information like when you’ve opened a message, where you were when you opened it, and what device you were using. In our closed Email Protection beta, we found that approximately 85% of beta testers’ emails contained hidden email trackers! Very sneaky. Companies can use this information to build a profile about you.
And because your email addresses are connected to so much of what you do online – making purchases, using social media, and more – tracking companies can also effectively use your personal email address as a profiling identifier. In fact, many companies are so hungry for your personal email address that they’ll actually pull it from online forms you haven’t even submitted yet! Beyond sending you more emails, companies often upload your email address to Facebook and Google to target you with creepy ads across apps and websites.
Reintroducing DuckDuckGo Email Protection (Beta)
DuckDuckGo Email Protection is a free email forwarding service that removes multiple types of hidden email trackers and lets you create unlimited unique private email addresses on the fly. You can use Email Protection with your current email provider and app – no need to update your contacts or juggle multiple accounts. Email Protection works seamlessly in the background to deliver your more-private emails right to your inbox.
Signing up for Email Protection gives you the ability to create Duck Addresses. There are two types that help protect your email privacy:
Many users have loved the Email Protection beta so far, with millions of more-private emails being forwarded weekly. It’s email privacy, simplified – and we’re thrilled to open the beta for everyone to try it out!
Updates to DuckDuckGo Email Protection
Since launching DuckDuckGo Email Protection into private waitlist beta, we’ve been continuously making improvements based on feedback.
Link Tracking Protection: In addition to blocking trackers in images, scripts, and other media directly embedded in emails, we can now detect and remove a growing number of the trackers embedded in email links.
Smarter Encryption: We’ve started using the same Smarter Encryption (HTTPS Upgrading) that’s at work in our search engine and apps to upgrade insecure (unencrypted, HTTP) links in emails to secure (encrypted, HTTPS) links when they’re on our upgradable list.
Replying from your Duck Addresses: You can now reply to emails from all your Duck Addresses. When you get an email to a Duck Address, you can just hit ‘Reply,’ type your message, and send it off. Your email will then be delivered from your Duck Address instead of your personal address.
Self-Service Dashboard: Want to update your forwarding address? Or even delete your account? You can now make changes to your Duck account whenever you want, saving you time and effort.
How People are Using Email Protection
Wondering how this feature works in the real world? Here’s what our beta testers had to say:
Getting Started
Email Protection is supported in the DuckDuckGo Privacy Browser for iOS and Android, DuckDuckGo for Mac (beta), and DuckDuckGo Privacy Essentials browser extensions for Firefox, Chrome, Edge, and Brave.
Once you follow the steps to create your personal Duck Address, you’re all set to start using it right away! And while browsing, look for Dax the Duck (our mascot) to help you autofill your personal Duck Address or generate a private Duck Address for you on the fly.
Like all our features, DuckDuckGo Email Protection will never track you. We believe that your emails are none of our business! When your Duck Addresses receive an email, we immediately apply our tracking protections and then forward it to you, never saving it on our systems. Sender information, subject lines...we don’t track any of it. (Learn more in our Email Protection Privacy Policy and Terms of Service.)
Additionally, we are committed to Email Protection for the long term, so you can feel confident about using your Duck Addresses. During the private beta, we’ve been shoring up our backend systems to support millions of users. And as we move out of beta, we'll also be incorporating our email tracker dataset into our open source Tracker Radar.
So give Email Protection a try and let us know what you think! We look forward to helping you protect your inbox.
Our vision at DuckDuckGo is to raise the standard of trust online. Raising that standard means maximizing the privacy we offer by default, being transparent about how our privacy protections work, and doing our best to make the Internet less creepy. Recently, I’ve heard from a number of users and understand that we didn’t meet their expectations around one of our browser’s web tracking protections. So today we are announcing more privacy and transparency around DuckDuckGo’s web tracking protections.
Over the next week, we will expand the third-party tracking scripts we block from loading on websites to include scripts from Microsoft in our browsing apps (iOS and Android) and our browser extensions (Chrome, Firefox, Safari, Edge and Opera), with beta apps to follow in the coming month. This expands our 3rd-Party Tracker Loading Protection, which blocks identified tracking scripts from Facebook, Google, and other companies from loading on third-party websites, to now include third-party Microsoft tracking scripts. This web tracking protection is not offered by most other popular browsers by default and sits on top of many other DuckDuckGo protections. We explain how this works differently with DuckDuckGo advertising below.
Websites often embed scripts from other companies (commonly called “third-party scripts”) that automatically load when you visit their site. For example, the most prevalent third-party script is Google Analytics, which helps websites understand how their sites are being used. But typically Google can also use this information to profile you outside of the site where the information originated. Most browsers’ default tracking protection focuses on cookie and fingerprinting protections that only restrict third-party tracking scripts after they load in your browser. Unfortunately, that level of protection leaves information like your IP address and other identifiers sent with loading requests vulnerable to profiling. Our 3rd-Party Tracker Loading Protection helps address this vulnerability, by stopping most 3rd-party trackers from loading in the first place, providing significantly more protection.
Previously, we were limited in how we could apply our 3rd-Party Tracker Loading Protection on Microsoft tracking scripts due to a policy requirement related to our use of Bing as a source for our private search results. We’re glad this is no longer the case. We have not had, and do not have, any similar limitation with any other company.
Microsoft scripts were never embedded in our search engine or apps, which do not track you. Websites insert these scripts for their own purposes, and so they never sent any information to DuckDuckGo. Since we were already restricting Microsoft tracking through our other web tracking protections, like blocking Microsoft’s third-party cookies in our browsers, this update means we’re now doing much more to block trackers than most other browsers.
Advertising on DuckDuckGo is done in partnership with Microsoft. Viewing ads on DuckDuckGo is anonymous, and Microsoft has committed to not profile our users on ad clicks: “when you click on a Microsoft-provided ad that appears on DuckDuckGo, Microsoft Advertising does not associate your ad-click behavior with a user profile. It also does not store or share that information other than for accounting purposes.”
To evaluate whether an ad on DuckDuckGo is effective, advertisers want to know if their ad clicks turn into purchases (conversions). To see this within Microsoft Advertising, they use Microsoft scripts from the bat.bing.com domain. Currently, if an advertiser wants to detect conversions for their own ads that are shown on DuckDuckGo, 3rd-Party Tracker Loading Protection will not block bat.bing.com requests from loading on the advertiser’s website following DuckDuckGo ad clicks, but these requests are blocked in all other contexts. For anyone who wants to avoid this, it's possible to disable ads in DuckDuckGo search settings.
To eventually replace the reliance on bat.bing.com for evaluating ad effectiveness, we’ve started working on an architecture for private ad conversions that can be externally validated as non-profiling. DuckDuckGo isn’t alone in trying to solve this issue; Safari is working on Private Click Measurement (PCM) and Firefox is working on Interoperable Private Attribution (IPA). We hope these efforts can help move the entire digital ad industry forward to making privacy the default. We think this work is important because it means we can improve the advertising-based business model that countless companies rely on to provide free services, making it more private instead of throwing it out entirely.
Our browser extensions and non-beta apps are already open source, as is our Tracker Radar – the data set of trackers and other third-party web activity we identify through crawling. We’ve now also made our tracker protection list publicly available, so folks can see for themselves what we’re blocking and report any issues. We’ve also updated the Privacy Dashboard within our apps and extensions to show more information about third-party requests. Using the updated Privacy Dashboard, users can see which third-party requests have been blocked from loading and which other third-party requests have loaded, with reasons for both when available.
To further deliver on our commitment to transparency, we’ve posted a new help page that offers a comprehensive explanation of all the web tracking protections we provide across platforms. Users now have one place to look if they want to understand the different kinds of web privacy protections we offer on the platforms they use. This page also explains how different web tracking protections are offered based on what is technically possible on each platform, as well as what’s in development for this part of our product roadmap.
I’ve been building DuckDuckGo as an independent company for almost 15 years. After all this time, I believe more than ever that the majority of people online would choose to be more private if they could press a privacy “easy button.” That’s why our product vision is to pack as much privacy as we can into one package. We’re committed for the long haul to make simple privacy protection available to all, and will continue striving to strengthen the quality, understanding, and confidence in our product.
Governments, researchers, and policy makers need accurate market share data to evaluate search engine market diversity (or lack thereof). As explained by our series of posts on search engine choice screens (also known as preference menus), a well-designed choice screen could significantly increase competition and give users meaningful choice and control. However, without accurate search market share data, it is difficult to assess whether a particular choice screen is effective overall or to ensure consumers are presented with the search engines they want to use.
Common sources of search market share data, like the often-cited comScore and Statcounter, vary significantly for non-Google search engines which creates confusion around search engine market share. Additionally, both these and other commonly cited sources have significant methodological deficiencies. In short, comScore suffers from panel selection bias, e.g., privacy-conscious users are unlikely to agree to be surveilled by comScore and Statcounter’s core flaw is that it uses trackers, which are often blocked by tracker-blocking tools, either by search engine apps and extensions (like ours) or by other common apps and browser extensions. And both comScore and Statcounter reports are further flawed because they either do not report and/or do not have a sufficiently large and representative sample of users across all major markets and platforms.
Recently, two new market share reports were released by Cloudflare and Wikipedia respectively. Unlike comScore, Cloudflare’s and Wikipedia’s reports do not suffer from panel selection bias since they are not based on panels but instead based on traffic referred to Cloudflare-hosted websites and Wikipedia, respectively. And unlike Statcounter, this method also means Cloudflare’s and Wikipedia’s data is not affected by tracker-blocking tools. While Wikipedia is just one site, Cloudflare’s report is based on a large swath of the global Internet (25% of the top million websites use Cloudflare) so sample size isn’t a problem.
For these reasons, we recommend Cloudflare's report as currently the best source for baseline assessments of search engine market share and for assessing the effect of competition interventions like search preference menus. Wikipedia’s report is also useful because it can be analyzed in unique ways (more on both reports below). However, despite the methodological differences between all these reports, all still show that Google dominates the search engine market.
Cloudflare’s search market share report
Cloudflare's report is based on referrer data from search engine link clicks. When you click on a link from a search engine and visit that website, the site will know which search engine domain the user came from (using referrer information, e.g., duckduckgo.com). This report is made possible through Cloudflare Radar, a free public tool that lets anyone view global traffic as well as security trends and insights across the Internet as they happen. Cloudflare Radar is powered by the aggregated traffic flowing through the Cloudflare network. Radar insights like these are created by looking at patterns derived from aggregated data that has been anonymized, and so does not contain any search queries or personal information. (To be clear, that means that if you click on a link for a Cloudflare-supported site from DuckDuckGo, your referrer information does not reveal your search query or any personal information about you.)
Cloudflare’s report is updated quarterly, and the report can be split by operating system, device type, country, and month.
Wikipedia’s search market report
Wikipedia also recently published their search engine traffic data using a similar methodology. Every day Wikipedia counts link clicks from search engines and aggregates them into the search market share dashboard (also using direct referral data in a private manner).
We recommend Wikipedia’s data for more granular insights because their dashboard can be split in more ways, including by language, operating system, device type, and country, down to the day.
However, we recommend Cloudflare’s data to support higher-impact decisions because Wikipedia is just one site, whereas Cloudflare is based on millions of sites. While Wikipedia’s data is dependent on to what extent search engines include Wikipedia in their knowledge panels and in their search engine results, Cloudflare’s sample is so large that per-site effects are minimized.
In fact, we now believe Cloudflare’s report is by far the most accurate one of all search engine market share reports out there. With it, governments, researchers, and policy makers can better understand the search engine market and the effect of tools like search choice screens.
The search engine and browser you use should be a personal choice, but right now it's often too complicated to switch away from gatekeeper defaults. So in an open letter to the companies, consumer organizations, and regulators with the power to create effective user choice screens, the CEOs of DuckDuckGo and Ecosia, and Qwant's President published a set of common-sense principles to improve this user experience online. This letter coincides with the final adoption of the EU's Digital Markets Act by the European Parliament this week.
Open Letter from DuckDuckGo, Ecosia, and Qwant
Choice screens and effective switching mechanisms are crucial tools that empower users and enable competition in the search engine and browser markets. The European Union (EU) has taken an important first step by adopting the Digital Markets Act (DMA), which includes obligations to implement such tools. However, the effectiveness of the EU’s mandates and related regulatory efforts across the globe will depend on how gatekeepers implement changes to comply with these new rules.
Without strict adherence to both clear rules and principles for fair choice screens and effective switching mechanisms, gatekeeping firms could choose to circumvent their legal obligations. We suggest regulators make clear their enforcement should adhere to the following ten essential principles for fair choice screens and effective switching mechanisms:
Gatekeeping firms should globally roll out fair choice screens and effective switching mechanisms now, using these principles. We are ready to work collaboratively towards this end, honoring the users‘ desire to choose the services they want to use, and not having those choices decided for them by default.
SIGNATORIES
In case you missed it: Find our series of blogs on search choice here.
If you're a Google Chrome user, you might be surprised to learn that you may soon be automatically entered into Google's new tracking and ad targeting methods called Topics and FLEDGE. Topics uses your Chrome browsing history to automatically collect information about your interests to share with other businesses, tracking companies and websites without your knowledge. FLEDGE enables your Chrome browser to target you with ads based on your browsing history. These new methods enable creepy advertising and other content targeting without third-party cookies. While Google is positioning this as more privacy respecting, the simple fact is tracking, targeting, and profiling, still is tracking, targeting, and profiling, no matter what you want to call it.
1. Don't use Google Chrome! Google Topics and FLEDGE will only exsist in Google Chrome. On iOS or Android we suggest you use our DuckDuckGo mobile browser, which offers best-in-class privacy protection by default when searching and browsing. Plus, we recently launched more app features into beta that will better protect your online privacy, like Email Protection and App Tracking Protection for Android. On desktop, we just launched the DuckDuckGo app for Mac into beta (Windows coming soon) so you can skip the Chrome headache completely and use ours by joining our waitlist (which is moving quickly).
2. Install the DuckDuckGo Chrome extension. In response to Google automatically turning on Topics and FLEDGE in Chrome, we've enhanced our Chrome extension to block Topics and FLEDGE interactions on websites, stopping these new forms of targeting. This is in addition to the all-in-one privacy protection that our extension offers, including private search, tracker blocking, Smarter Encryption, and Global Privacy Control. The Topics and FLEDGE blocking addition is included as of version 2022.4.18 which should auto-update, though you can also check the version you have installed from the extensions list within Chrome. For non-Chrome desktop browsers, you can get our extension here.
3. Change your Chrome and Google settings, which we recommend you do regardless if you continue to use Chrome or Google.
Note that even if you change these settings, we also recommend installing the DuckDuckGo Chrome extension to get more privacy protection than possible using Chrome settings alone.
In 2021, Google reluctantly signaled it would follow other browsers to forbid the use of third-party cookies by default, though it recently delayed doing so to at least 2023. Unlike other browsers, however, instead of just dropping third-party cookies, they are trying to replace them with alternative tracking mechanisms that are just as creepy and privacy invasive.
They first implemented a new tracking method in Chrome called Federated Learning of Cohorts (FLoC). FLoC was automatically turned on for millions of Google users who were not even given the chance to opt-out. This was understandably met with widespread criticism from privacy experts. To address the situation, we voiced our concerns and immediately enhanced our tracker blocking so that our Chrome extension would protect you from FLoC.
In response, Google announced it's ending FLoC and replacing it with yet another tracking method called Topics. Like FLoC, Topics will automatically use your browsing history to infer your interests in topics (e.g., “Child Internet Safety”, “Personal Loans”, etc.). While FLoC automatically shared a cohort identifier (for a group of people with correlated interests or demographics) with websites and tracking companies, Topics will automatically share a subset of your inferred interests, which these companies can then use to target ads and content at you.
While some suggest that Topics is a less invasive way of ad targeting, we don't agree. Why not? Fundamentally it’s because, by default, Google Chrome will still be automatically surveilling your online activity and sharing information about you with advertisers and other parties so they can behaviorally target you without your consent. This targeting, regardless of how it's done, enables manipulation (ex. exploiting personal vulnerabilities), discrimination (ex. people not seeing job opportunities based on personal profiles), and filter bubbles (ex. creating echo chambers that can divide people) that many people would like to avoid. Google says that users will be able to go in and delete “Topics” they don’t want shared, but Google knows full well that people rarely change default settings, plus the company routinely puts “dark patterns” in the way of users changing these settings, and is therefore making it needlessly difficult for people to take control over their privacy. Privacy should be the default.
In addition, the implementation of Topics presents a bunch of other privacy problems, including:
You know those ads that seem to follow you around onto every website you visit, long after looking something up online? Known as “re-targeting”, these ads are shown to you based on your browsing history from other websites, stored in third-party cookies. With the planned removal of third-party cookies Google decided to also introduce FLEDGE, a new method of re-targeting that similarly moves Google ad technology directly into the Chrome browser.
When you visit a website where the advertiser may want to later follow you with an ad, the advertiser can tell your Chrome browser to put you into an interest group. Then, when you visit another website which displays ads, your Chrome browser will run an ad auction based on your interest groups and target specific ads at you. So much for your browser working for you!
People are, by and large, vehemently against ad re-targeting and find it invasive and creepy. Because your browsing history is used to target you, just like Topics it opens you up to the same type of manipulation, discrimination, and potential embarrassment from highly personal ads being shown via your browser, and also operates without your consent.
For all of the above reasons and more, DuckDuckGo has enhanced the tracker blocking for our Privacy Essentials Chrome extension to block Google Topics and FLEDGE. This is directly in line with the extension's purpose of protecting your privacy holistically as you use Chrome, without any of the complicated settings. It's privacy, simplified.
Privacy isn’t something you only need in certain situations or in partial amounts, and it’s a myth that you can’t have the same Internet you like and need, but with more privacy. At DuckDuckGo, we make privacy simple.
For example, our mobile apps make
Privacy isn’t something you only need in certain situations or in partial amounts, and it’s a myth that you can’t have the same Internet you like and need, but with more privacy. At DuckDuckGo, we make privacy simple.
For example, our mobile apps make privacy the default, with no complicated settings, no need to understand the ins and outs of the technology, just built-in privacy protections that work, like private search, tracker blocking, website encryption (HTTPS upgrading), and email protection. You've downloaded them over 150M times since their launch in 2018, and we’ve heard your feedback that you want this same “privacy, simplified” experience on your desktops and laptops.
So today we’re excited to announce the beta launch of DuckDuckGo for Mac, with DuckDuckGo for Windows coming soon. Like our mobile app, DuckDuckGo for Mac is an all-in-one privacy solution for everyday browsing with no complicated settings, just a seamless private experience. Plus, we’re excited to share some new features we think you’ll love.
Using an app designed to protect your privacy by default not only reduces invasive tracking, it also speeds up browsing and eliminates many everyday annoyances like cookie consent pop-ups. Here’s what you need to know:
DuckDuckGo for Mac isn't simply a replacement for “Incognito mode” (which isn't actually private!) – instead DuckDuckGo for Mac is designed to be used as an everyday browser that truly protects your privacy. We have the features you expect from a browser like password management, tab management, bookmarks, and more, plus privacy features you’ll love.
Our initial testers love it!
To get access to the beta of DuckDuckGo for Mac, all you need to do is join the private waitlist. We're letting new people off the waitlist today, maybe even as you read this sentence, so the sooner you join, the sooner you'll get it. Please be patient with us though! We'll be inviting people in waves and improving the app as feedback comes in.
You won’t need to share any personal information to join. Instead, you’ll secure your place in line with a date and time that exists solely on your device, and we’ll notify you when we’re ready for you to join.
Here’s how you can join the private waitlist:
Mac only please! Windows is coming -- Follow us on Twitter for updates.
If you try the new app, we’d love to hear from you! You can submit feedback and report issues by clicking on the settings menu in the top right corner of the window and selecting “Send Feedback”.
Note that during this beta period, DuckDuckGo for Mac is not available in the Mac App Store and is not to be confused with our DuckDuckGo Privacy Essentials Safari Extension that is currently available in the Mac App Store.
DuckDuckGo for Mac being in beta means that the experience is still evolving.
For example, you may notice we don't yet support extensions. Turns out the most popular extensions are password managers and those that protect you from creepy ads. So, we built these features right into our app, which has benefits for privacy, security, speed, and simplicity. We're working on how to provide additional extension functionality without compromising those critical elements, but in the meantime we’re confident our built-in features can meet your needs.
Blocking Creepy Ads
Our built-in tracker blocker isn’t a general “ad blocker”, but it does have the effect of blocking most creepy ads. Let me explain. Using our best-in-class tracker data set we block invasive trackers, which then typically blocks the invasive ads themselves. In other words, if you use an ad blocker to avoid creepy ads and tracking, you should like DuckDuckGo for Mac.
Password Manager
Using a new browsing app doesn’t mean you have to lose your saved usernames and passwords. Our built-in password manager helps you import passwords from other browsers and browser extensions like 1Password or LastPass. We’re still in the process of building password management into our mobile apps and plan to offer private sync of passwords and bookmarks for a cohesive cross-device experience.
At DuckDuckGo our mission is to show the world that protecting privacy is simple. We know that in order to do this we must build apps that are a pleasure to use and provide as comprehensive privacy protection as possible, whether you're on your phone, at your desk, in a hammock, or somewhere else that is even nicer than a hammock, DuckDuckGo for Mac is a major step in this direction, and we thank you in advance for helping us make it even better!
What makes DuckDuckGo for Mac unique is more than just what you see, it’s also how it is built. A traditional browser is made up of two parts: a rendering engine that translates web code into the websites you see, and then everything else that surrounds and supports that interface like bookmarks, tabs, settings, password management, tracker blocking, etc.
Over the past decade, the most common way new browsers have been developed is through a process known as “forking”. Developers copy (“fork”) a browser like Chrome (technically the project they fork is called Chromium) – and start with both the rendering engine and all the pieces that surround it. Then they build new stuff on top of it (and/or delete/change some of the Chromium code) to create the new browser.
DuckDuckGo for Mac does not fork Chromium (or anything else). Instead, we use the rendering engine that comes with macOS, which is created by Apple and the same rendering engine Safari uses. By building off the macOS rendering engine, our browser should also be most compatible with the Mac system (the same as Safari). Technically, we don’t have to “fork” any code to do this – we just call an API provided by macOS.
We are building everything else from scratch. So beyond rendering, all the code is ours – written by DuckDuckGo engineers with privacy, security, and simplicity front of mind. This means we don’t have the cruft and clutter that has accumulated in browsers over the years, both in code and design, giving you a modern look and feel and a faster speed. We plan to open source our Mac app after the beta period, like we’ve done for our iOS & Android app, and many of our built-in privacy protections are already open sourced.
We are taking a similar approach to Windows (more on that later this year). Ultimately, we’d love to support Linux as well, but we are focused on Mac and Windows for now. Follow us on Twitter if you'd like to stay up to date on our latest product announcements and how we're continuing to make "Privacy, simplified" a reality.
Yes! We clearly think DuckDuckGo is a great search engine – and so much more.
If you’re unfamiliar with DuckDuckGo, we're the leading provider of simple privacy protection tools to help you seamlessly take back control of your personal information online. We’ve been providing a private, encrypted alternative to Google Search at duckduckgo.com for over a decade. We offer the DuckDuckGo Private Browser, which comes equipped with our full lineup of privacy features, for iOS, Android, Mac and Windows; we’ve also got browser extensions for Firefox, Chrome, Edge and Safari (DuckDuckGo Privacy Essentials) to help protect your privacy in other browsers.
Searching the web with DuckDuckGo Search is completely anonymous; we simply never save or share any personal information that could tie you back to your searches, as explained in our strict privacy policy. For example, we don’t store IP addresses or any other unique identifiers in search logs. As a result, we don’t even have the ability to create search histories or data profiles for any individual. It’s privacy by design.
We think that’s awesome, and we hope you do too…but are the search results any good? Again, yes – and we’re not alone in saying so!
DuckDuckGo Search gives you truly private search results without tradeoffs in result quality. We have everything you’ve come to expect in your online search experience, plus a few bonus features that make searching the Internet not only more private, but faster and a bit more fun, too.
DuckDuckGo Search features include...
Maps
Weather
Local business information (e.g. addresses, phone numbers, and business hours)
News
Images
Videos
Shopping
Definitions
Sports scores
Wikipedia reference
Currency conversions
Song lyrics
Calculator
Timer
StackOverflow reference for computer programming
DuckDuckGo Search Bonus Features
We also have a couple of bonus features that you might have never seen before. There may be times when you want to search on other websites, and we make that very easy with a feature we call "bangs" – shortcuts that take you directly to one of over 12,000 websites. (For example, searching for "!w duck" will take you directly to Wikipedia's article about our feathered friends.) Remember, though: because your search is actually taking place on that other site, you are subject to that site’s policies, including its data collection practices.
With DuckDuckGo, you can even customize the way the search results look and feel including a popular dark theme, which even triggers dark mode maps.
It's also important to be able to customize the search experience, so we have many settings such as language and region localization.
Back to Privacy
We've tried to make it as easy as possible to switch to DuckDuckGo Search from other search engines. But why should you bother? Privacy.
You share your most intimate secrets with your search engine without even thinking: medical, financial, and personal issues, along with all the day-to-day things that make you, well, you. All of that personal information should be private, but – on Google – it’s not. On Google, your searches are tracked, stored, and packaged up into a data profile for advertisers to follow you around the Internet through those intrusive and annoying banner ads, using Google’s massive ad networks embedded across millions of sites and apps.
If you do switch to DuckDuckGo Search, keep in mind that some of the results you're used to getting when you search will be different. And different isn’t a bad thing!
One way our search results are different is that, unlike other search engines, we don’t alter results based on someone’s previous search history. In fact, since we don’t track our users, we don’t have access to search histories at all! Those other search engines show you results based on a data profile about you and your online activity, including your search history; based on this profiling, your results can be slanted towards what they think you're most likely to click on. This effect is commonly known as the search filter bubble. Using DuckDuckGo can help you escape it.
This doesn't mean our search results are generally “unfiltered,” because, for every search you make online, a search engine’s job is to filter millions of possible results down to a ranked list of just a handful. In other words, a search engine has to use algorithms programmed by people to determine what shows up first in the list of results, what shows up second, and so on. Otherwise, you’d just get a completely random set of results for every search, which wouldn’t be very useful.
So, give DuckDuckGo Search a try! The results are not just private, they're accurate and fast. To go one step further, we’d recommend making the DuckDuckGo Private Browser (iOS/Android/Mac/Windows) your everyday browser, too – it’s like Google Search and Chrome in one app, but without all the tracking.
Note: This blog post has been edited since initial publication to stay up to date with our evolving product offerings.
We believe online privacy should be simple and accessible to everyone. That’s why we spent 2021 strengthening our all-in-one privacy solution and helping people take back their privacy with one easy download.
From improvements to search, tracker blocking, and our mobile app, to new features like Email Protection and App Tracking Protection, we're building a simple privacy layer for how people use the Internet today, without any tradeoffs. It’s privacy, simplified.
As our product becomes even easier to use and more comprehensive, we’ve seen a tremendous response from users. We’re now the most downloaded browsing app on Android in our major markets (and #2 on iOS behind Chrome), we’re averaging more than 100 million searches a day, and our most recent survey showed 27 million Americans (9%) use DuckDuckGo.
Worldwide we’ve had over 150 million downloads of our all-in-one privacy apps and extensions since we moved beyond just private search in 2018. Check out a recap of some of the progress we made in 2021, and a first look at our desktop app, now in closed beta.
Email Protection: Ducking Email Trackers in Your Inbox
We announced the beta release of Email Protection, our free email forwarding service that removes trackers in your email and protects the privacy of your personal email address without asking you to change email providers. Join the waitlist through the DuckDuckGo mobile app today!
App Tracking Protection: Extending Privacy to Your Android Apps
Last month we released App Tracking Protection into beta, a new feature in our Android app that blocks third-party trackers like Google and Facebook lurking in other apps. Users trying out the new feature are already surprised by how much tracking normally happens on their devices. Join the waitlist through the DuckDuckGo Android app to give it a try!
Private Search: Better Results, Updated Design, Same Privacy.
This year we made a lot of improvements to our search results. If you tried our search engine a few years ago, but could only go part-time then, you should really give us another shot in 2022. We revamped our search results page to give it a more simple and modern design, and continued to refine and improve our local, maps, and directions results.
Some other improvements we made include a new translations instant answer, revamped definitions and weather answers, custom date range filtering, more filters on images, and improvements to advanced search. You can expect even more search improvements in the coming year.
Tracker Blocking: Extending Blocking to Embedded Facebook Content
Unlike tracking protection from the major browsers, we block hidden trackers before they load. Most tracking protection just restricts trackers after they load, which can still leak your information.
Sometimes trackers aren’t exactly hidden though: they can also be associated with embedded content on pages, like posts, comments, and other content from Facebook. This year our browser extension got a new feature that identifies this content from Facebook, blocks it on websites before it loads, and gives users the choice to load the content if they want to. Extension users have loved this update since it gives them more privacy and transparency at the same time, and we plan to both expand on it and bring it to our mobile app in 2022.
We also spent a lot of time this year ensuring our tracker blocking doesn’t break sites by setting up and launching a continuous process to receive and react to breakage feedback from users in real-time. In addition, we continued to strengthen our core Tracker Radar data set through more crawling and testing, including looking out for CNAME cloaking (where third-parties pretend they are first-parties). We also rolled out Global Privacy Control across all platforms and maintained our best-in-class Smarter Encryption data set.
Mobile App: Burn, Flush, or Blow Private Data Away
According to our conversations with users, one of the things they love most about our mobile app for iOS and Android is our Fire Button. Who wouldn’t love the feeling of clearing all your tabs and browsing data with one fiery tap? This year we added new animation options to the Fire Button so now instead of burning your data, you can choose to flush it down a virtual drain or watch it get blown away!
In addition, some other app improvements we made this year include adding a “Fireproofing” prompt so you have the choice to keep certain sites logged in between burns, a new setting to change font sizes on web content, simplifying the search bar (so there aren’t two search bars when on our search pages), and speeding up loading time on Android.
Desktop App: The Privacy, Speed, and Simplicity of our Mobile App Comes to Desktop
Like we’ve done on mobile, DuckDuckGo for desktop will redefine user expectations of everyday online privacy. No complicated settings, no misleading warnings, no “levels” of privacy protection – just robust privacy protection that works by default, across search, browsing, email, and more. It's not a "privacy browser"; it's an everyday browsing app that respects your privacy because there's never a bad time to stop companies from spying on your search and browsing history.
Instead of forking Chromium or anything else, we’re building our desktop app around the OS-provided rendering engines (like on mobile), allowing us to strip away a lot of the unnecessary cruft and clutter that’s accumulated over the years in major browsers. With our clean and simple interface combined with the beloved Fire Button from our mobile app, DuckDuckGo for desktop will be ready to become your new everyday browsing app. Compared to Chrome, the DuckDuckGo app for desktop is cleaner, way more private, and early tests have found it significantly faster too!
DISCLAIMER:
* Copyrights belong to each article's respective author.
** Article links lead to external websites, where you will be tracked, most likely.
DISCLAIMER:
* Copyrights belong to each article's respective author.
** Article links lead to external websites, where you will be tracked, most likely.
The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.
First spotted in 2018, the Snatch ransomware group has published data stolen from hundreds of organizations that refused to pay a ransom demand. Snatch publishes its stolen data at a website on the open Internet, and that content is mirrored on the Snatch team’s darknet site, which is only reachable using the global anonymity network Tor.
KrebsOnSecurity has learned that Snatch’s darknet site exposes its “server status” page, which includes information about the true Internet addresses of users accessing the website.
Refreshing this page every few seconds shows that the Snatch darknet site generates a decent amount of traffic, often attracting thousands of visitors each day. But by far the most frequent repeat visitors are coming from Internet addresses in Russia that either currently host Snatch’s clear web domain names or recently did.
The Snatch ransomware gang’s victim shaming site on the darknet is leaking data about its visitors. This “server status” page says that Snatch’s website is on Central European Summer Time (CEST) and is powered by OpenSSL/1.1.1f, which is no longer supported by security updates.
Probably the most active Internet address accessing Snatch’s darknet site is 193.108.114[.]41, which is a server in Yekaterinburg, Russia that hosts several Snatch domains, including snatchteam[.]top, sntech2ch[.]top, dwhyj2[.]top and sn76930193ch[.]top. It could well be that this Internet address is showing up frequently because Snatch’s clear-web site features a toggle button at the top that lets visitors switch over to accessing the site via Tor.
Another Internet address that showed up frequently in the Snatch server status page was 194.168.175[.]226, currently assigned to Matrix Telekom in Russia. According to DomainTools.com, this address also hosts or else recently hosted the usual coterie of Snatch domains, as well as quite a few domains phishing known brands such as Amazon and Cashapp.
The Moscow Internet address 80.66.64[.]15 accessed the Snatch darknet site all day long, and that address also housed the appropriate Snatch clear-web domains. More interestingly, that address is home to multiple recent domains that appear confusingly similar to known software companies, including libreoff1ce[.]com and www-discord[.]com.
This is interesting because the phishing domains associated with the Snatch ransomware gang were all registered to the same Russian name — Mihail Kolesnikov, a name that is somewhat synonymous with recent phishing domains tied to malicious Google ads.
Kolesnikov could be a nod to a Russian general made famous during Boris Yeltsin’s reign. Either way, it’s clearly a pseudonym, but there are some other commonalities among these domains that may provide insight into how Snatch and other ransomware groups are sourcing their victims.
DomainTools says there are more than 1,300 current and former domain names registered to Mihail Kolesnikov between 2013 and July 2023. About half of the domains appear to be older websites advertising female escort services in major cities around the United States (e.g. the now-defunct pittsburghcitygirls[.]com).
The other half of the Kolesnikov websites are far more recent phishing domains mostly ending in “.top” and “.app” that appear designed to mimic the domains of major software companies, including www-citrix[.]top, www-microsofteams[.]top, www-fortinet[.]top, ibreoffice[.]top, www-docker[.]top, www-basecamp[.]top, ccleaner-cdn[.]top, adobeusa[.]top, and www.real-vnc[.]top.
In August 2023, researchers with Trustwave Spiderlabs said they encountered domains registered to Mihail Kolesnikov being used to disseminate the Rilide information stealer trojan.
But it appears multiple crime groups may be using these domains to phish people and disseminate all kinds of information-stealing malware. In February 2023, Spamhaus warned of a huge surge in malicious ads that were hijacking search results in Google.com, and being used to distribute at least five different families of information stealing trojans, including AuroraStealer, IcedID/Bokbot, Meta Stealer, RedLine Stealer and Vidar.
For example, Spamhaus said victims of these malicious ads would search for Microsoft Teams in Google.com, and the search engine would often return a paid ad spoofing Microsoft or Microsoft Teams as the first result — above all other results. The malicious ad would include a logo for Microsoft and at first glance appear to be a safe and trusted place to download the Microsoft Teams client.
However, anyone who clicked on the result was whisked away instead to mlcrosofteams-us[.]top — yet another malicious domain registered to Mr. Kolesnikov. And while visitors to this website may believe they are only downloading the Microsoft Teams client, the installer file includes a copy of the IcedID malware, which is really good at stealing passwords and authentication tokens from the victim’s web browser.
The founder of the Swiss anti-abuse website abuse.ch told Spamhaus it is likely that some cybercriminals have started to sell “malvertising as a service” on the dark web, and that there is a great deal of demand for this service.
In other words, someone appears to have built a very profitable business churning out and promoting new software-themed phishing domains and selling that as a service to other cybercriminals. Or perhaps they are simply selling any stolen data (and any corporate access) to active and hungry ransomware group affiliates.
The tip about the exposed “server status” page on the Snatch darkweb site came from @htmalgae, the same security researcher who alerted KrebsOnSecurity earlier this month that the darknet victim shaming site run by the 8Base ransomware gang was inadvertently left in development mode.
That oversight revealed not only the true Internet address of the hidden 8Base site (in Russia, naturally), but also the identity of a programmer in Moldova who apparently helped to develop the 8Base code.
@htmalgae said the idea of a ransomware group’s victim shaming site leaking data that they did not intend to expose is deliciously ironic.
“This is a criminal group that shames others for not protecting user data,” @htmalgae said. “And here they are leaking their user data.”
All of the malware mentioned in this story is designed to run on Microsoft Windows devices. But Malwarebytes recently covered the emergence of a Mac-based information stealer trojan called AtomicStealer that was being advertised through malicious Google ads and domains that were confusingly similar to software brands.
Please be extra careful when you are searching online for popular software titles. Cracked, pirated copies of major software titles are a frequent source of infostealer infections, as are these rogue ads masquerading as search results. Make sure to double-check you are actually at the domain you believe you’re visiting *before* you download and install anything.
Stay tuned for Part II of this post, which includes a closer look at the Snatch ransomware group and their founder.
Further reading:
@HTMalgae’s list of the top Internet addresses seen accessing Snatch’s darknet site
Ars Technica: Until Further Notice Think Twice Before Using Google to Download Software
Bleeping Computer: Hackers Abuse Google Ads to Spread Malware in Legit Software
The password manager service LastPass is now forcing some of its users to pick longer master passwords. LastPass says the changes are needed to ensure all customers are protected by their latest security improvements. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.
LastPass sent this notification to users earlier this week.
LastPass told customers this week they would be forced to update their master password if it was less than 12 characters. LastPass officially instituted this change back in 2018, but some undisclosed number of the company’s earlier customers were never required to increase the length of their master passwords.
This is significant because in November 2022, LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users.
Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.
KrebsOnSecurity last month interviewed a victim who recently saw more than three million dollars worth of cryptocurrency siphoned from his account. That user signed up with LastPass nearly a decade ago, stored their cryptocurrency seed phrase there, and yet never changed his master password — which was just eight characters. Nor was he ever forced to improve his master password.
That story cited research from Adblock Plus creator Wladimir Palant, who said LastPass failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years.
For example, another important default setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.
Palant said that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000. Still, Palant and others impacted by the 2022 breach at LastPass say their account security settings were never forcibly upgraded.
Palant called this latest action by LastPass a PR stunt.
“They sent this message to everyone, whether they have a weak master password or not – this way they can again blame the users for not respecting their policies,” Palant said. “But I just logged in with my weak password, and I am not forced to change it. Sending emails is cheap, but they once again didn’t implement any technical measures to enforce this policy change.”
Either way, Palant said, the changes won’t help people affected by the 2022 breach.
“These people need to change all their passwords, something that LastPass still won’t recommend,” Palant said. “But it will somewhat help with the breaches to come.”
LastPass CEO Karim Toubba said changing master password length (or even the master password itself) is not designed to address already stolen vaults that are offline.
“This is meant to better protect customers’ online vaults and encourage them to bring their accounts up to the 2018 LastPass standard default setting of a 12-character minimum (but could opt out from),” Toubba said in an emailed statement. “We know that some customers may have chosen convenience over security and utilized less complex master passwords despite encouragement to use our (or others) password generator to do otherwise.”
A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services. To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.
LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it.
But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.
A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said it would take a single high-powered graphics card about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.
Image: palant.info
However, these numbers radically come down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.
Meaning, LastPass users whose vaults were never upgraded to higher iterations and whose master passwords were weak (less than 12 characters) likely have been a primary target of distributed password-cracking attacks ever since the LastPass user vaults were stolen late last year.
Asked why some LastPass users were left behind on older security minimums, Toubba said a “small percentage” of customers had corrupted items in their password vaults that prevented those accounts from properly upgrading to the new requirements and settings.
“We have been able to determine that a small percentage of customers have items in their vaults that are corrupt and when we previously utilized automated scripts designed to re-encrypt vaults when the master password or iteration count is changed, they did not complete,” Toubba said. “These errors were not originally apparent as part of these efforts and, as we have discovered them, we have been working to be able to remedy this and finish the re-encryption.”
Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis, said LastPass made a huge mistake years ago by not force-upgrading the iteration count for existing users.
“And now this is blaming the users — ‘you should have used a longer passphrase’ — not them for having weak defaults that were never upgraded for existing users,” Weaver said. “LastPass in my book is one step above snake-oil. I used to be, ‘Pick whichever password manager you want,’ but now I am very much, ‘Pick any password manager but LastPass.'”
Asked why LastPass isn’t recommending that users change all of the passwords secured by the encrypted master password that was stolen when the company got hacked last year, Toubba said it’s because “the data demonstrates that the majority of our customers follow our recommendations (or greater), and the probability of successfully brute forcing vault encryption is greatly reduced accordingly.”
“We’ve been telling customers since December of 2022 that they should be following recommended guidelines,” Toubba continued. “And if they haven’t followed the guidelines we recommended that they change their downstream passwords.”
The victim shaming website operated by the cybercriminals behind 8Base — currently one of the more active ransomware groups — was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.
The 8Base ransomware group’s victim shaming website on the darknet.
8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The site lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published.
The 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fine as long as you are *sending* information to the site (i.e., by making a “POST” request).
However, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the website until quite recently generated an extremely verbose error message:
The verbose error message when one tries to pull data from 8Base’s darknet site. Notice the link at the bottom of this image, which is generated when one hovers over the “View commit” message under the “Git” heading.
That error page revealed the true Internet address of the Tor hidden service that houses the 8Base website: 95.216.51[.]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based hosting giant Hetzner.
But that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a private Gitlab server called Jcube-group: gitlab[.]com/jcube-group/clients/apex/8base-v2. Digging further into this Gitlab account, we can find some curious data points available in the JCube Group’s public code repository.
For example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month ago, includes code that makes several mentions of the term “KYC” (e.g. KYC_UNVERIFIED, KYC_VERIFIED, and KYC_PENDING).
This is curious because a FAQ on the 8Base darknet site includes a section on “special offers for journalists and reporters,” which says the crime group is open to interviews but that journalists will need to prove their identity before any interview can take place. The 8base FAQ refers to this vetting process as “KYC,” which typically stands for “Know Your Customer.”
“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We have a special program for journalists which includes sharing information a few hours or even days before it is officially published on our news website and Telegram channel: you would need to go through a KYC procedure to apply. Journalists and reporters can contact us via our PR Telegram channel with any questions.”
The 8Base darknet site also has a publicly accessible “admin” login page, which features an image of a commercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that reads, “Welcome to 8Base. Admin Login to 8Base dashboard.”
The login page on the 8Base ransomware group’s darknet website.
Right-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code is virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab repository roughly three weeks ago.
It appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova named Andrei Kolev. Mr. Kolev’s LinkedIn page says he’s a full-stack developer at JCube Group, and that he’s currently looking for work. The homepage for Jcubegroup[.]com lists an address and phone number that Moldovan business records confirm is tied to Mr. Kolev.
The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro[.]ru.
Reached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet site was pulling code from the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even included.
“I [don’t have] a clue, I don’t have that project in my repo,” Kolev explained. “They [aren’t] my clients. Actually we currently have just our own projects.”
Mr. Kolev shared a screenshot of his current projects, but very quickly after that deleted it. However, KrebsOnSecurity captured a copy of the image before it was removed:
A screenshot of Mr. Kolev’s current projects that he quickly deleted.
Within minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of finding this connection, the 8Base website was changed, and the error message that linked to the JCube Group private Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the 8Base website to return a “405 Method Not Allowed” error page:
Mr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s site that referenced his private Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private information.
Ransomware groups are known to remotely hire developers for specific projects without disclosing exactly who they are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is merely a front for 8Base. But despite 8Base’s statement that they are happy to correspond with journalists, KrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.
The tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. That reader, a legitimate security professional and researcher who goes by the handle @htmalgae on Twitter, said it is likely that whoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site to be so verbose with its error messages.
“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization would have never been possible,” @htmalgae said.
A recent blog post from VMware/Carbon Black called the 8Base ransomware group “a heavy hitter” that has remained relatively unknown despite the massive spike in activity in Summer of 2023.
“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023,” Carbon Black researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them. ”
According to VMware, what’s particularly interesting about 8Base’s communication style is the use of verbiage that is strikingly familiar to another known cybercriminal group: RansomHouse.
“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery.”
Update, Sept. 21, 10:43 a.m. ET: The author of Databreaches.net was lurking in the 8Base Telegram channel when I popped in to ask the crime group a question, and reports that 8Base did eventually reply: ““hi at the moment we r not doing interviews. we have nothing to say. we r a little busy.”
In December 2022, KrebsOnSecurity broke the news that a cybercriminal using the handle “USDoD” had infiltrated the FBI‘s vetted information sharing network InfraGard, and was selling the contact information for all 80,000 members. The FBI responded by reverifying InfraGard members and by seizing the cybercrime forum where the data was being sold. But on Sept. 11, 2023, USDoD resurfaced after a lengthy absence to leak sensitive employee data stolen from the aerospace giant Airbus, while promising to visit the same treatment on top U.S. defense contractors.
In a post on the English language cybercrime forum BreachForums, USDoD leaked information on roughly 3,200 Airbus vendors, including names, addresses, phone numbers, and email addresses. USDoD claimed they grabbed the data by using passwords stolen from a Turkish airline employee who had third-party access to Airbus’ systems.
USDoD didn’t say why they decided to leak the data on the 22nd anniversary of the 9/11 attacks, but there was definitely an aircraft theme to the message that accompanied the leak, which concluded with the words, “Lockheed martin, Raytheon and the entire defense contractos [sic], I’m coming for you [expletive].”
Airbus has apparently confirmed the cybercriminal’s account to the threat intelligence firm Hudson Rock, which determined that the Airbus credentials were stolen after a Turkish airline employee infected their computer with a prevalent and powerful info-stealing trojan called RedLine.
Info-stealers like RedLine typically are deployed via opportunistic email malware campaigns, and by secretly bundling the trojans with cracked versions of popular software titles made available online. Credentials stolen by info-stealers often end up for sale on cybercrime shops that peddle purloined passwords and authentication cookies (these logs also often show up in the malware scanning service VirusTotal).
Hudson Rock said it recovered the log files created by a RedLine infection on the Turkish airline employee’s system, and found the employee likely infected their machine after downloading pirated and secretly backdoored software for Microsoft Windows.
Hudson Rock says info-stealer infections from RedLine and a host of similar trojans have surged in recent years, and that they remain “a primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage.”
The prevalence of RedLine and other info-stealers means that a great many consequential security breaches begin with cybercriminals abusing stolen employee credentials. In this scenario, the attacker temporarily assumes the identity and online privileges assigned to a hacked employee, and the onus is on the employer to tell the difference.
In addition to snarfing any passwords stored on or transmitted through an infected system, info-stealers also siphon authentication cookies or tokens that allow one to remain signed-in to online services for long periods of time without having to resupply one’s password and multi-factor authentication code. By stealing these tokens, attackers can often reuse them in their own web browser, and bypass any authentication normally required for that account.
Microsoft Corp. this week acknowledged that a China-backed hacking group was able to steal one of the keys to its email kingdom that granted near-unfettered access to U.S. government inboxes. Microsoft’s detailed post-mortem cum mea culpa explained that a secret signing key was stolen from an employee in an unlucky series of unfortunate events, and thanks to TechCrunch we now know that the culprit once again was “token-stealing malware” on the employee’s system.
In April 2023, the FBI seized Genesis Market, a bustling, fully automated cybercrime store that was continuously restocked with freshly hacked passwords and authentication tokens stolen by a network of contractors who deployed RedLine and other info-stealer malware.
In March 2023, the FBI arrested and charged the alleged administrator of BreachForums (aka Breached), the same cybercrime community where USDoD leaked the Airbus data. In June 2023, the FBI seized the BreachForums domain name, but the forum has since migrated to a new domain.
Unsolicited email continues to be a huge vector for info-stealing malware, but lately the crooks behind these schemes have been gaming the search engines so that their malicious sites impersonating popular software vendors actually appear before the legitimate vendor’s website. So take special care when downloading software to ensure that you are in fact getting the program from the original, legitimate source whenever possible.
Also, unless you really know what you’re doing, please don’t download and install pirated software. Sure, the cracked program might do exactly what you expect it to do, but the chances are good that it is also laced with something nasty. And when all of your passwords are stolen and your important accounts have been hijacked or sold, you will wish you had simply paid for the real thing.
Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.
On Sept. 7, researchers at Citizen Lab warned they were seeing active exploitation of a “zero-click,” zero-day flaw to install spyware on iOS devices without any interaction from the victim.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” the researchers wrote.
According to Citizen Lab, the exploit uses malicious images sent via iMessage, an embedded component of Apple’s iOS that has been the source of previous zero-click flaws in iPhones and iPads.
Apple says the iOS flaw (CVE-2023-41064) does not seem to work against devices that have its ultra-paranoid “Lockdown Mode” enabled. This feature restricts non-essential iOS features to reduce the device’s overall attack surface, and it was designed for users concerned that they may be subject to targeted attacks. Citizen Lab says the bug it discovered was being exploited to install spyware made by the Israeli cyber surveillance company NSO Group.
This vulnerability is fixed in iOS 16.6.1 and iPadOS 16.6.1. To turn on Lockdown Mode in iOS 16, go to Settings, then Privacy and Security, then Lockdown Mode.
Not to be left out of the zero-day fun, Google acknowledged on Sept. 11 that an exploit for a heap overflow bug in Chrome is being exploited in the wild. Google says it is releasing updates to fix the flaw, and that restarting Chrome is the way to apply any pending updates. Interestingly, Google says this bug was reported by Apple and Citizen Lab.
On the Microsoft front, a zero-day in Microsoft Word is among the more concerning bugs fixed today. Tracked as CVE-2023-36761, it is flagged as an “information disclosure” vulnerability. But that description hardly grasps at the sensitivity of the information potentially exposed here.
Tom Bowyer, manager of product security at Automox, said exploiting this vulnerability could lead to the disclosure of Net-NTLMv2 hashes, which are used for authentication in Windows environments.
“If a malicious actor gains access to these hashes, they can potentially impersonate the user, gaining unauthorized access to sensitive data and systems,” Bowyer said, noting that CVE-2023-36761 can be exploited just by viewing a malicious document in the Windows preview pane. “They could also conduct pass-the-hash attacks, where the attacker uses the hashed version of a password to authenticate themselves without needing to decrypt it.”
The other Windows zero-day fixed this month is CVE-2023-36802. This is an “elevation of privilege” flaw in the “Microsoft Streaming Service Proxy,” which is built into Windows 10, 11 and Windows Server versions. Microsoft says an attacker who successfully exploits the bug can gain SYSTEM level privileges on a Windows computer.
Five of the flaws Microsoft fixed this month earned its “critical” rating, which the software giant reserves for vulnerabilities that can be exploited by malware or malcontents with little or no interaction by Windows users.
According to the SANS Internet Storm Center, the most serious critical bug in September’s Patch Tuesday is CVE-2023-38148, which is a weakness in the Internet Connection Sharing service on Windows. Microsoft says an unauthenticated attacker could leverage the flaw to install malware just sending a specially crafted data packet to a vulnerable Windows system.
Finally, Adobe has released critical security updates for its Adobe Reader and Acrobat software that also fixes a zero-day vulnerability (CVE-2023-26369). More details are at Adobe’s advisory.
For a more granular breakdown of the Windows updates pushed out today, check out Microsoft Patch Tuesday by Morphus Labs. In the meantime, consider backing up your data before updating Windows, and keep an eye on AskWoody.com for reports of any widespread problems with any of the updates released as part of September’s Patch Tuesday.
Update: Mozilla also has fixed zero-day flaw in Firefox and Thunderbird, and the Brave browser was updated as well. It appears the common theme here is any software that uses a code library called “libwebp,” and that this vulnerability is being tracked as CVE-2023-4863.
“This includes Electron-based applications, for example – Signal,” writes StackDiary.com. “Electron patched the vulnerability yesterday. Also, software like Honeyview (from Bandisoft) released an update to fix the issue. CVE-2023-4863 was falsely marked as Chrome-only by Mitre and other organizations that track CVE’s and 100% of media reported this issue as “Chrome only”, when it’s not.”
In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.
Taylor Monahan is lead product manager of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people. Collectively, these individuals have been robbed of more than $35 million worth of crypto.
Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals. Importantly, none appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone accounts.
“The victim profile remains the most striking thing,” Monahan wrote. “They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.”
Monahan has been documenting the crypto thefts via Twitter/X since March 2023, frequently expressing frustration in the search for a common cause among the victims. Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.
MetaMask owner Taylor Monahan on Twitter. Image: twitter.com/tayvano_
Armed with your secret seed phrase, anyone can instantly access all of the cryptocurrency holdings tied to that cryptographic key, and move the funds to anywhere they like.
Which is why the best practice for many cybersecurity enthusiasts has long been to store their seed phrases either in some type of encrypted container — such as a password manager — or else inside an offline, special-purpose hardware encryption device, such as a Trezor or Ledger wallet.
“The seed phrase is literally the money,” said Nick Bax, director of analytics at Unciphered, a cryptocurrency wallet recovery company. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. And you can transfer my funds.”
Bax said he closely reviewed the massive trove of cryptocurrency theft data that Taylor Monahan and others have collected and linked together.
“It’s one of the broadest and most complex cryptocurrency investigations I’ve ever seen,” Bax said. “I ran my own analysis on top of their data and reached the same conclusion that Taylor reported. The threat actor moved stolen funds from multiple victims to the same blockchain addresses, making it possible to strongly link those victims.”
Bax, Monahan and others interviewed for this story say they’ve identified a unique signature that links the theft of more than $35 million in crypto from more than 150 confirmed victims, with roughly two to five high-dollar heists happening each month since December 2022.
KrebsOnSecurity has reviewed this signature but is not publishing it at the request of Monahan and other researchers, who say doing so could cause the attackers to alter their operations in ways that make their criminal activity more difficult to track.
But the researchers have published findings about the dramatic similarities in the ways that victim funds were stolen and laundered through specific cryptocurrency exchanges. They also learned the attackers frequently grouped together victims by sending their cryptocurrencies to the same destination crypto wallet.
A graphic published by @tayvano_ on Twitter depicting the movement of stolen cryptocurrencies from victims who used LastPass to store their crypto seed phrases.
By identifying points of overlap in these destination addresses, the researchers were then able to track down and interview new victims. For example, the researchers said their methodology identified a recent multi-million dollar crypto heist victim as an employee at Chainalysis, a blockchain analysis firm that works closely with law enforcement agencies to help track down cybercriminals and money launderers.
Chainalysis confirmed that the employee had suffered a high-dollar cryptocurrency heist late last month, but otherwise declined to comment for this story.
Bax said the only obvious commonality between the victims who agreed to be interviewed was that they had stored the seed phrases for their cryptocurrency wallets in LastPass.
“On top of the overlapping indicators of compromise, there are more circumstantial behavioral patterns and tradecraft which are also consistent between different thefts and support the conclusion,” Bax told KrebsOnSecuirty. “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”
LastPass declined to answer questions about the research highlighted in this story, citing an ongoing law enforcement investigation and pending litigation against the company in response to its 2022 data breach.
“Last year’s incident remains the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation,” LastPass said in a written statement provided to KrebsOnSecurity. “Since last year’s attack on LastPass, we have remained in contact with law enforcement and continue to do so.”
Their statement continues:
“We have shared various technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with our law enforcement contacts as well as our internal and external threat intelligence and forensic partners in an effort to try and help identify the parties responsible. In the meantime, we encourage any security researchers to share any useful information they believe they may have with our Threat Intelligence team by contacting securitydisclosure@lastpass.com.”
On August 25, 2022, LastPass CEO Karim Toubba wrote to users that the company had detected unusual activity in its software development environment, and that the intruders stole some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.
But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.
In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against a DevOps engineer who was one of only four LastPass employees with access to the corporate vault.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
Dan Goodin at Ars Technica reported and then confirmed that the attackers exploited a known vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.
As it happens, Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.
A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services. To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.
LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it.
But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.
“It does leave things vulnerable to brute force when the vaults are stolen en masse, especially if info about the vault HOLDER is available,” said Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis. “So you just crunch and crunch and crunch with GPUs, with a priority list of vaults you target.”
How hard would it be for well-resourced criminals to crack the master passwords securing LastPass user vaults? Perhaps the best answer to this question comes from Wladimir Palant, a security researcher and the original developer behind the Adblock Plus browser plugin.
In a December 2022 blog post, Palant explained that the crackability of a LastPass master password depends largely on two things: The complexity of the master password, and the default settings for LastPass users, which appear to have varied quite a bit based on when those users began patronizing the service.
LastPass says that since 2018 it has required a twelve-character minimum for master passwords, which the company said “greatly minimizes the ability for successful brute force password guessing.”
But Palant said while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials that would satisfy the 12-character minimum.
“If you are a LastPass customer, chances are that you are completely unaware of this requirement,” Palant wrote. “That’s because LastPass didn’t ask existing customers to change their master password. I had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it.”
Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years. One important setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.
Palant noted last year that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000.
Palant said the 2018 change was in response to a security bug report he filed about some users having dangerously low iterations in their LastPass settings.
“Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration,” Palant wrote. “My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that. In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.”
A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said it would take a single GPU about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.
Image: palant.info
However, these numbers radically come down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.
Weaver said a password or passphrase with average complexity — such as “Correct Horse Battery Staple” is only secure against online attacks, and that its roughly 40 bits of randomness or “entropy” means a graphics card can blow through it in no time.
“An Nvidia 3090 can do roughly 4 million [password guesses] per second with 1000 iterations, but that would go down to 8 thousand per second with 500,000 iterations, which is why iteration count matters so much,” Weaver said. “So a combination of ‘not THAT strong of a password’ and ‘old vault’ and ‘low iteration count’ would make it theoretically crackable but real work, but the work is worth it given the targets.”
Reached by KrebsOnSecurity, Palant said he never received a response from LastPass about why the company apparently failed to migrate some number of customers to more secure account settings.
“I know exactly as much as everyone else,” Palant wrote in reply. “LastPass published some additional information in March. This finally answered the questions about the timeline of their breach – meaning which users are affected. It also made obvious that business customers are very much at risk here, Federated Login Services being highly compromised in this breach (LastPass downplaying as usual of course).”
Palant said upon logging into his LastPass account a few days ago, he found his master password was still set at 5,000 iterations.
KrebsOnSecurity interviewed one of the victims tracked down by Monahan, a software engineer and startup founder who recently was robbed of approximately $3.4 million worth of different cryptocurrencies. The victim agreed to tell his story in exchange for anonymity because he is still trying to claw back his losses. We’ll refer to him here as “Connor” (not his real name).
Connor said he began using LastPass roughly a decade ago, and that he also stored the seed phrase for his primary cryptocurrency wallet inside of LastPass. Connor chose to protect his LastPass password vault with an eight character master password that included numbers and symbols (~50 bits of entropy).
“I thought at the time that the bigger risk was losing a piece of paper with my seed phrase on it,” Connor said. “I had it in a bank security deposit box before that, but then I started thinking, ‘Hey, the bank might close or burn down and I could lose my seed phrase.'”
Those seed phrases sat in his LastPass vault for years. Then, early on the morning of Sunday, Aug. 27, 2023, Connor was awoken by a service he’d set up to monitor his cryptocurrency addresses for any unusual activity: Someone was draining funds from his accounts, and fast.
Like other victims interviewed for this story, Connor didn’t suffer the usual indignities that typically presage a cryptocurrency robbery, such as account takeovers of his email inbox or mobile phone number.
Connor said he doesn’t know the number of iterations his master password was given originally, or what it was set at when the LastPass user vault data was stolen last year. But he said he recently logged into his LastPass account and the system forced him to upgrade to the new 600,000 iterations setting.
“Because I set up my LastPass account so early, I’m pretty sure I had whatever weak settings or iterations it originally had,” he said.
Connor said he’s kicking himself because he recently started the process of migrating his cryptocurrency to a new wallet protected by a new seed phrase. But he never finished that migration process. And then he got hacked.
“I’d set up a brand new wallet with new keys,” he said. “I had that ready to go two months ago, but have been procrastinating moving things to the new wallet.”
Connor has been exceedingly lucky in regaining access to some of his stolen millions in cryptocurrency. The Internet is swimming with con artists masquerading as legitimate cryptocurrency recovery experts. To make matters worse, because time is so critical in these crypto heists, many victims turn to the first quasi-believable expert who offers help.
Instead, several friends steered Connor to Flashbots.net, a cryptocurrency recovery firm that employs several custom techniques to help clients claw back stolen funds — particularly those on the Ethereum blockchain.
According to Connor, Flashbots helped rescue approximately $1.5 million worth of the $3.4 million in cryptocurrency value that was suddenly swept out of his account roughly a week ago. Lucky for him, Connor had some of his assets tied up in a type of digital loan that allowed him to borrow against his various cryptocurrency assets.
Without giving away too many details about how they clawed back the funds, here’s a high level summary: When the crooks who stole Connor’s seed phrase sought to extract value from these loans, they were borrowing the maximum amount of credit that he hadn’t already used. But Connor said that left open an avenue for some of that value to be recaptured, basically by repaying the loan in many small, rapid chunks.
According to MetaMask’s Monahan, users who stored any important passwords with LastPass — particularly those related to cryptocurrency accounts — should change those credentials immediately, and migrate any crypto holdings to new offline hardware wallets.
“Really the ONLY thing you need to read is this,” Monahan pleaded to her 70,000 followers on Twitter/X: “PLEASE DON’T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. THE END. Split up your assets. Get a hw [hardware] wallet. Migrate. Now.”
If you also had passwords tied to banking or retirement accounts, or even just important email accounts — now would be a good time to change those credentials as well.
I’ve never been comfortable recommending password managers, because I’ve never seriously used them myself. Something about putting all your eggs in one basket. Heck, I’m so old-fashioned that most of my important passwords are written down and tucked away in safe places.
But I recognize this antiquated approach to password management is not for everyone. Connor says he now uses 1Password, a competing password manager that recently earned the best overall marks from Wired and The New York Times.
1Password says that three things are needed to decrypt your information: The encrypted data itself, your account password, and your Secret Key. Only you know your account password, and your Secret Key is generated locally during setup.
“The two are combined on-device to encrypt your vault data and are never sent to 1Password,” explains a 1Password blog post ‘What If 1Password Gets Hacked?‘ “Only the encrypted vault data lives on our servers, so neither 1Password nor an attacker who somehow manages to guess or steal your account password would be able to access your vaults – or what’s inside them.
Weaver said that Secret Key adds an extra level of randomness to all user master passwords that LastPass didn’t have.
“With LastPass, the idea is the user’s password vault is encrypted with a cryptographic hash (H) of the user’s passphrase,” Weaver said. “The problem is a hash of the user’s passphrase is remarkably weak on older LastPass vaults with master passwords that do not have many iterations. 1Password uses H(random-key||password) to generate the password, and it is why you have the QR code business when adding a new device.”
Weaver said LastPass deserves blame for not having upgraded iteration counts for all users a long time ago, and called the latest forced upgrades “a stunning indictment of the negligence on the part of LastPass.”
“That they never even notified all those with iteration counts of less than 100,000 — who are really vulnerable to brute force even with 8-character random passwords or ‘correct horse battery staple’ type passphrases — is outright negligence,” Weaver said. “I would personally advocate that nobody ever uses LastPass again: Not because they were hacked. Not because they had an architecture (unlike 1Password) that makes such hacking a problem. But because of their consistent refusal to address how they screwed up and take proactive efforts to protect their customers.”
Bax and Monahan both acknowledged that their research alone can probably never conclusively tie dozens of high-dollar crypto heists over the past year to the LastPass breach. But Bax says at this point he doesn’t see any other possible explanation.
“Some might say it’s dangerous to assert a strong connection here, but I’d say it’s dangerous to assert there isn’t one,” he said. “I was arguing with my fiance about this last night. She’s waiting for LastPass to tell her to change everything. Meanwhile, I’m telling her to do it now.”
Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.
.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.
That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and found 30,000 .US phishing domains.
.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.
Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn’t working.
“The .US ‘nexus’ requirement theoretically limits registrations to parties with a national connection, but .US had very high numbers of phishing domains,” Interisle wrote. “This indicates a possible problem with the administration or application of the nexus requirements.”
Dean Marks is emeritus executive director for a group called the Coalition for Online Accountability, which has been critical of the NTIA’s stewardship of .US. Marks says virtually all European Union member state ccTLDs that enforce nexus restrictions also have massively lower levels of abuse due to their policies and oversight.
“Even very large ccTLDs, like .de for Germany — which has a far larger market share of domain name registrations than .US — have very low levels of abuse, including phishing and malware,” Marks told KrebsOnSecurity. “In my view, this situation with .US should not be acceptable to the U.S. government overall, nor to the US public.”
Marks said there are very few phishing domains ever registered in other ccTLDs that also restrict registrations to their citizens, such as .HU (Hungary), .NZ (New Zealand), and .FI (Finland), where a connection to the country, a proof of identity, or evidence of incorporation are required.
“Or .LK (Sri Lanka), where the acceptable use policy includes a ‘lock and suspend’ if domains are reported for suspicious activity,” Marks said. “These ccTLDs make a strong case for validating domain registrants in the interest of public safety.”
Sadly, .US has been a cesspool of phishing activity for many years. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnet (attack infrastructure for DDOS etc.) and illicit or harmful content. Back then, .US was being operated by a different contractor.
In response to questions from KrebsOnSecurity, GoDaddy said all .US registrants must certify that they meet the NTIA’s nexus requirements. But this appears to be little more than an affirmative response that is already pre-selected for all new registrants.
Attempting to register a .US domain through GoDaddy, for example, leads to a U.S. Registration Information page that auto-populates the nexus attestation field with the response, “I am a citizen of the US.” Other options include, “I am a permanent resident of the US,” and “My primary domicile is in the US.” It currently costs just $4.99 to obtain a .US domain through GoDaddy.
GoDaddy said it also conducts a scan of selected registration request information, and conducts “spot checks” on registrant information.
“We conduct regular reviews, per policy, of registration data within the Registry database to determine Nexus compliance with ongoing communications to registrars and registrants,” the company said in a written statement.
GoDaddy says it “is committed to supporting a safer online environment and proactively addressing this issue by assessing it against our own anti-abuse mitigation system.”
“We stand against DNS abuse in any form and maintain multiple systems and protocols to protect all the TLDs we operate,” the statement continued. “We will continue to work with registrars, cybersecurity firms and other stakeholders to make progress with this complex challenge.”
Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target.
“Ironically, at least 109 of the .US domains in our data were used to attack the United States government, specifically the United States Postal Service and its customers,” Interisle wrote. “.US domains were also used to attack foreign government operations: six .US domains were used to attack Australian government services, six attacked Great’s Britain’s Royal Mail, one attacked Canada Post, and one attacked the Denmark Tax Authority.”
The NTIA recently published a proposal that would allow GoDaddy to redact registrant data from WHOIS registration records. The current charter for .US specifies that all .US registration records be public.
Interisle argues that without more stringent efforts to verify a United States nexus for new .US domain registrants, the NTIA’s proposal will make it even more difficult to identify phishers and verify registrants’ identities and nexus qualifications.
In a written statement, the NTIA said DNS abuse is a priority issue for the agency, and that NTIA supports “evidence-based policymaking.”
“We look forward to reviewing the report and will engage with our contractor for the .US domain on steps that we can take not only to address phishing, but the other forms of DNS abuse as well,” the statement reads.
Interisle sources its phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. For more phishing facts, see Interisle’s 2023 Phishing Landscape report (PDF).’
Update, Sept. 5, 1:44 p.m. ET: Updated story with statement provided today by the NTIA.
The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computers.
Dutch authorities inside a data center with servers tied to the botnet. Image: Dutch National Police.
In an international operation announced today dubbed “Duck Hunt,” the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.
“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said Martin Estrada, the U.S. attorney for the Southern District of California, at a press conference this morning in Los Angeles.
Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.
Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.
Don Alway, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect themselves from the botnet, Alway said.
The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States.
Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.
According to recent figures from the managed security firm Reliaquest, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. Reliaquest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.
Qakbot/Qbot was once again the top malware loader observed in the wild in the first six months of 2023. Source: Reliaquest.com.
Researchers at AT&T Alien Labs say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from Black Basta, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.
Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In May 2023, the DOJ quietly removed malware from computers around the world infected by the “Snake” malware, an even older malware family that has been tied to Russian intelligence agencies.
Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.
“The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”
The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the Dutch National Police.
Further reading:
–The DOJ’s application for a search warrant application tied to Qakbot uninstall file (PDF)
–The search warrant application connected to QakBot server infrastructure in the United States (PDF)
–The government’s application for a warrant to seize virtual currency from the QakBot operators (PDF)
–A technical breakdown from SecureWorks
Security consulting giant Kroll disclosed today that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms that are relying on Kroll services in their ongoing bankruptcy proceedings. And there are indications that fraudsters may already be exploiting the stolen data in phishing attacks.
Cryptocurrency lender BlockFi and the now-collapsed crypto trading platform FTX each disclosed data breaches this week thanks to a recent SIM-swapping attack targeting an employee of Kroll — the company handling both firms’ bankruptcy restructuring.
In a statement released today, New York City-based Kroll said it was informed that on Aug. 19, 2023, someone targeted a T-Mobile phone number belonging to a Kroll employee “in a highly sophisticated ‘SIM swapping’ attack.”
“Specifically, T-Mobile, without any authority from or contact with Kroll or its employees, transferred that employee’s phone number to the threat actor’s phone at their request,” the statement continues. “As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.”
T-Mobile has not yet responded to requests for comment.
Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.
SIM-swapping groups will often call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the employee to visit a phishing website that mimics the company’s login page.
Multiple SIM-swapping gangs have had great success using this method to target T-Mobile employees for the purposes of reselling a cybercrime service that can be hired to divert any T-Mobile user’s text messages and phone calls to another device.
In February 2023, KrebsOnSecurity chronicled SIM-swapping attacks claimed by these groups against T-Mobile employees in more than 100 separate incidents in the second half of 2022. The average cost to SIM swap any T-Mobile phone number was approximately $1,500.
The unfortunate result of the SIM-swap against the Kroll employee is that people who had financial ties to BlockFi, FTX, or Genesis now face increased risk of becoming targets of SIM-swapping and phishing attacks themselves.
And there is some indication this is already happening. Multiple readers who said they got breach notices from Kroll today also shared phishing emails they received this morning that spoofed FTX and claimed, “You have been identified as an eligible client to begin withdrawing digital assets from your FTX account.”
A phishing message targeting FTX users that went out en masse today.
A major portion of Kroll’s business comes from helping organizations manage cyber risk. Kroll is often called in to investigate data breaches, and it also sells identity protection services to companies that recently experienced a breach and are grasping at ways to demonstrate that they doing something to protect their customers from further harm.
Kroll did not respond to questions. But it’s a good bet that BlockFi, FTX and Genesis customers will soon enjoy yet another offering of free credit monitoring as a result of the T-Mobile SIM swap.
Kroll’s website says it employs “elite cyber risk leaders uniquely positioned to deliver end-to-end cyber security services worldwide.” Apparently, these elite cyber risk leaders did not consider the increased attack surface presented by their employees using T-Mobile for wireless service.
The SIM-swapping attack against Kroll is a timely reminder that you should do whatever you can to minimize your reliance on mobile phone companies for your security. For example, many online services require you to provide a phone number upon registering an account, but that number can often be removed from your profile afterwards.
Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.
If you haven’t done so lately, take a moment to inventory your most important online accounts, and see how many of them can still have their password reset by receiving an SMS at the phone number on file. This may require stepping through the website’s account recovery or lost password flow.
If the account that stores your mobile phone number does not allow you to delete your number, check to see whether there is an option to disallow SMS or phone calls for authentication and account recovery. If more secure options are available, such as a security key or a one-time code from a mobile authentication app, please take advantage of those instead. The website 2fa.directory is a good starting point for this analysis.
Now, you might think that the mobile providers would share some culpability when a customer suffers a financial loss because a mobile store employee got tricked into transferring that customer’s phone number to criminals. But earlier this year, a California judge dismissed a lawsuit against AT&T that stemmed from a 2017 SIM-swapping attack which netted the thieves more than $24 million in cryptocurrency.
In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.
In a blog post published last month, Cisco Talos said it was seeing a worrisome “increase in the rate of high-sophistication attacks on network infrastructure.” Cisco’s warning comes amid a flurry of successful data ransom and state-sponsored cyber espionage attacks targeting some of the most well-defended networks on the planet.
But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.
“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”
Cisco’s alert concerned espionage attacks from China and Russia that abused vulnerabilities in aging, end-of-life network routers. But at a very important level, it doesn’t matter how or why the attackers got that initial foothold on your network.
It might be zero-day vulnerabilities in your network firewall or file-transfer appliance. Your more immediate and primary concern has to be: How quickly can you detect and detach that initial foothold?
The same tourist behavior that Cisco described attackers exhibiting vis-a-vis older routers is also incredibly common early on in ransomware and data ransom attacks — which often unfurl in secret over days or weeks as attackers methodically identify and compromise a victim’s key network assets.
These virtual hostage situations usually begin with the intruders purchasing access to the target’s network from dark web brokers who resell access to stolen credentials and compromised computers. As a result, when those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.
This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.
“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”
These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.
The Canary Tokens website from Thinkst Canary lists nearly two-dozen free customizable canaries.
“Imagine doing that, but for file reads, database queries, process executions or patterns in log files,” the Canary Tokens documentation explains. “Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.”
Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.
“Meaning, you’ll have deception teams in your network playing spy versus spy with people trying to break in, and it becomes this whole counterintelligence thing,” Meer said. “Nobody really has time for that. Instead, we are saying literally the opposite: That you’ve probably got all these [security improvement] projects that are going to take forever. But while you’re doing all that, just drop these 10 canaries, because everything else is going to take a long time to do.”
The idea here is to lay traps in sensitive areas of your network or web applications where few authorized users should ever trod. Importantly, the canary tokens themselves are useless to an attacker. For example, that AWS canary token sure looks like the digital keys to your cloud, but the token itself offers no access. It’s just a lure for the bad guys, and you get an alert when and if it is ever touched.
One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens, including:
-a web bug / URL token, designed to alert when a particular URL is visited;
-a DNS token, which alerts when a hostname is requested;
-an AWS token, which alerts when a specific Amazon Web Services key is used;
-a “custom exe” token, to alert when a specific Windows executable file or DLL is run;
-a “sensitive command” token, to alert when a suspicious Windows command is run.
-a Microsoft Excel/Word token, which alerts when a specific Excel or Word file is accessed.
Much like a “wet paint” sign often encourages people to touch a freshly painted surface anyway, attackers often can’t help themselves when they enter a foreign network and stumble upon what appear to be key digital assets, Meer says.
“If an attacker lands on your server and finds a key to your cloud environment, it’s really hard for them not to try it once,” Meer said. “Also, when these sorts of actors do land in a network, they have to orient themselves, and while doing that they are going to trip canaries.”
Meer says canary tokens are as likely to trip up attackers as they are “red teams,” security experts hired or employed by companies seeking to continuously probe their own computer systems and networks for security weaknesses.
“The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal,” wrote Shubham Shah, a penetration tester and co-founder of the security firm Assetnote. “If the aim is to increase the time taken for attackers, canary tokens work well.”
Thinkst makes money by selling Canary Tools, which are honeypots that emulate full blown systems like Windows servers or IBM mainframes. They deploy in minutes and include a personalized, private Canarytoken server.
“If you’ve got a sophisticated defense team, you can start putting these things in really interesting places,” Meer said. “Everyone says their stuff is simple, but we obsess over it. It’s really got to be so simple that people can’t mess it up. And if it works, it’s the best bang for your security buck you’re going to get.”
Further reading:
Dark Reading: Credential Canaries Create Minefield for Attackers
NCC Group: Extending a Thinkst Canary to Become an Interactive Honeypot
Cruise Automation’s experience deploying canary tokens
DISCLAIMER:
* Copyrights belong to each article's respective author.
** Article links lead to external websites, where you will be tracked, most likely.
DISCLAIMER:
* Copyrights belong to each article's respective author.
** Article links lead to external websites, where you will be tracked, most likely.
DISCLAIMER:
* Copyrights belong to each article's respective author.
** Article links lead to external websites, where you will be tracked, most likely.