Avast blog: Why is eBay port scanning my PC?

Every week brings more security news and this week is  about an interesting piece of Javascript that can run in your browser if you happen to use eBay under a particular set of circumstances. The code can scan your computer and send information back to a security vendor, which could be used to track your movements across the Internet.

You can read my column for the Avast blog where I explain what is port scanning, what information is being collected, why an eBay contractor is doing it — supposedly to reduce fraud — and how security researchers figured out what was going on.

Avast blog: The latest security trends from Verizon’s annual breach report

Today Verizon published the latest 2020 Data Breach Investigations Report (DBIR). What sets the DBIR apart is that it combines breach data from multiple sources using the common industry collection, VERIS, a third-party repository where threat data is uploaded and made anonymous. This gives the report a solid authoritative voice, which is one reason why it’s frequently quoted by the security community. Report citations also come from vendor telemetry sources, so it is also a bit self-referential.

I look at overall SMB and ransomware trends, along with the declining popularity of malware in favor of more web app exploits. You can read more about these trends in my blog for Avast.

CIO.com webinar: Managing third-party risk in uncertain times

The world of risk management is undergoing some important changes. Security has become everyone’s concern and is not just the province of the IT department any longer. As our businesses become more dependent upon digital technologies, they become bigger targets for attackers to invade our networks and our endpoints. Understanding where our weakest links are located and how to remove them will become essential to ensure the future health and cybersecurity of our enterprises.

The world of risk management is undergoing big changes, some due to uncertain times with the COVID-19 pandemic. In this webinar done on behalf of Security Scorecard for CIO.com, I explore some of these best practices to assess these risks.

You can sign up to view the webinar here.

Tracking your browsing using HTML canvas fingerprinting

Every time you fire up your web browser your movements and browser history are being leaked to various websites. No, I am not talking about cookies, but about a technology that you may not have heard much about. It is called canvas fingerprinting.

In this post, I will tell you what it does and how you can try to stop it from happening. Beware that the journey to do this isn’t easy.

The concept refers to coordinating a series of tracking techniques to identify a visitor using what browser, IP address, computer processor and operating system and other details. Canvas is based on the HTML 5 programming interface that is used to draw graphics and other animations using JavaScript. It is a very rich and detailed interface and to give you an idea of the data that the browser collects without your knowledge, take a look at the screenshot below. It shows my computer running Chrome on a Mac OS v.10.13 using Intel hardware. This is just the tip of a large iceberg of other data that can be found quite easily by any web server. 

HTML Canvas has been around for several years, and website builders are getting savvy about how to use it to detect who you are. In the early days of the web, tracking cookies were used to figure out if you had previously visited a particular website. They were small text files that were written to your hard drive. But canvas fingerprinting is more insidious because there is no tracking information that is left behind on your computer: everything is stored in the cloud. What is worse is that your fingerprint can be shared across a variety of other websites without your knowledge. And it is very hard once to eliminate this information, once you start using your browser and spreading yourself around the Internet. Even if you bring up a private or incognito browsing session, you still are dribbling out this kind of data. 

How big an issue is canvas fingerprinting?  In a study done by Ghostery after the 2018 midterm elections, they found trackers on 87% on a large sample of candidate websites. There were 9% of sites having more than 11 different trackers present. Google and Facebook trackers appeared on more than half of the websites and Twitter-based trackers appeared on a third of the candidate webpages.

So what can you do to fight this? You have several options

  1. Make modifications to your browser settings to make yourself more private. The problem with this is that the mods are numerous and keeping track of them is onerous.This post gives you a bunch of FIrefox suggestions.
  2. Use a different browser that gives you more control over your privacy, such as Brave, or even Tor. In that linked post I mention the usability tradeoffs of using a different browser and you will have to expend some effort to tune it to your particular needs. I tolerated Brave for about two days before I went back to using Chrome. It just broke too many things to be useful.
  3. Install a browser extension or additional software, such as PrivacyBadger, Ghostery or Avast’s AntiTrack. I have already written about the first two in a previous post. AntiTrack is a stand-alone $50 per year Windows or MacOS app that works with your browser and hides your digital fingerprint  — including tracking clues from your browser canvas — without breaking too much functionality or having to tweak the browser settings. I just started using it (Avast is a client) and am still taking notes about its use. 
  4. Only run your browser in a virtual machine. This is cumbersome at best, and almost unusable for ordinary humans. Still, it can be a good solution for some circumstances.
  5. Adopt a more cautious browsing lifestyle. This might be the best middle ground between absolute lockdown and burying your head in the sand. Here are a few suggestions:
  • First, see what your HTML Canvas reveals about your configuration so you can get a better understanding of what data is collected about you. There are a number of tools that can be used to analyze your fingerprint, including:

    Each of these tools collects a slightly different boatload of data, and you can easily spend several hours learning more about what web servers can find out about you. 

  • Next, assume that every website that you interact with will use a variety of tracking and fingerprinting technologies
  • Always use a VPN. While a VPN won’t stop websites from fingerprinting your canvas, at least your IP address and geolocation will be hidden.
  • Finally, limit your web browsing on your mobile devices if at all possible. Your mobile is a treasure trove of all sorts of information about you, and even if you are using any of the more private browsers you still can leak this to third parties.


Watch that meme!

Take a look at the image below. It has been reposted thousands of times on social media.
Jon Cooper 🇺🇸 on Twitter: "Yo, Mister White Racist. If I was you ...

Notice anything odd about it? Perhaps if you are good at sight proofreading, you might catch that the words accommodate and illegals are both misspelled. Now let me ask you another question: where do you think this picture would be posted? On accounts from right-wingers? Perhaps, but it was also posted on leftist accounts as well, with words about “look how idiotic these other guys are.” Sad to say, both sides are getting played: according to Internet researcher Renee DiResta, the image was created by the state-sponsored Russian trolls at the Internet Research Agency. It was carefully crafted to inflame both sides of the political spectrum and as a result was very popular a few months ago.

When we receive items like this in our news feeds, the natural reaction is to click and forward it on to a thousand of our closest Internet friends. But what this small example shows you is to stop and think about what you are doing. That meme could travel around the world in a few seconds, and end up more likely hurting your cause. How many of us have gotten some major bombshell (such as Fox News’ John Roberts saying the Covid virus was a hoax), only to find out from Snopes and other fact-checking places that we were misled.

Indeed, if you do an image search on the “foreign language” patch above, you will likely see a number of different versions: some with the correct word spellings, some with corrections with red overlays, and some with different borders and other small differences. What this shows me is how effective this patch was, and how insidious was its purpose at sowing dissent.

I wrote an earlier post about how to vet your news feed earlier this year. Take a moment to re-read it if you need a reminder along with some tips on how to evaluate potentially fake images and other propaganda. Earlier in April, WhatsApp put a limit on how often viral messages can be forwarded: just to a single person (it used to be five people). That helps, but the social platforms could do a lot more to screen for these abuses.

About ten years ago, I ended one of my columns with the following advice. Watch out for those memes, and take a breath before clicking. You might save yourself some embarrassment, and also not get played by some troll. Some things sadly never change.

RSA blog: Renaissance of the OTP hardware token

Few things in infosec can date back to the early 1990s and still be in demand today, but such is the case with  one-time password (OTP) hardware key-fob tokens. Despite numerous security analysts predicting their death, hardware OTPs have withstood the test of time, and lately, are undergoing a renaissance with a newfound interest among security managers. There has been a spate of newer, dare I say smarter, hardware tokens in the past couple of years from Yubico and OneSpan, along with wider support for FIDO standards as well.

In this month’s blog for RSA, I look at this evolution, why the hardware token remains relevant, and some of the current trends in multi-factor authentication (MFA).

Avast blog: Primary update: Voting issues in Los Angeles and Iowa

Last week Super Tuesday brought many of us to the polls to vote for our favorite candidate for President. And while voting went smoothly in most places, there was one major tech failure in Los Angeles, which saw the debut of new voting machines. Let’s compare what went wrong in LA with the earlier problems seen during the Iowa caucuses.

In our earlier blog, I brought you up to date with what happened with the Russians hacking our 2016 and 2018 elections. But the problems witnessed in Iowa and LA are strictly our own fault, the result of a perfect storm of different computing errors. For Iowa, the culprit was a poorly implemented mobile vote count smartphone app from the vendor Shadow Inc. For LA, it was a series of both tech and non-tech circumstances.

I go into details about each situation and what we’ve learned in this post for Avast’s blog.

In search of better browser privacy options

A new browser privacy study by Professor Doug Leith, the Computer Science department chair at Trinity College is worth reading carefully. Leith instruments the Mac versions of six popular browsers (Chrome, Firefox, Safari, Edge, Yandex and Brave) to see what happens when they “phone home.” All six make non-obvious connections to various backend servers, with Brave connecting the least and Edge and Yandex (a Russian language browser) the most. How they connect and what information they transmit is worth understanding, particularly if you are paranoid about your privacy and want to know the details.

If you aren’t familiar with Brave, it is built on the same Chromium engine that Google uses for its browser, but it does have a more logical grouping of privacy settings that can be found under a “Shields” tab as you can see in this screenshot. It also comes with several extensions for an Ethereum wallet and support for Chromecast and Tor. This is why Brave is marketed as a privacy-enhanced browser.

Brave scored the best in Leith’s tests. It didn’t track originating IP addresses and didn’t share any details of its browsing history. The others tagged data with identifiers that could be linked to an enduser’s computer along with sharing browsing history with backend servers. Edge and Yandex also saved data that persisted across a fresh browser installation on the same computer. That isn’t nice, because this correlated data could be used to link different apps running on that computer to build an overall user profile.

One problem is the search bar autocomplete function. This is a big time saver for users, but it also a big privacy invasion depending on what data is transmitted back to the vendor’s own servers. Safari generated 32 requests to search servers and these requests persist across browser restarts. Leith proposed adding a function to both Chrome and Firefox to disable this autocomplete function upon startup for those who have privacy concerns. He also has proposed to Apple that Safari’s default start page be reconfigured and an option to avoid unnecessary network connections. He has not heard back from any of the vendors on his suggestions.

So if you are a privacy-concerned user, what are your options? First, you should probably audit your browser extensions and get rid of ones that you don’t use or that have security issues, as Brian Krebs wrote recently. Second, if you feel like switching browsers, you could experiment with Brave or Authentic8’s Silo browser or Dooble. I reviewed two of them many years ago; here is a more updated review on some other alternative browsers done by the folks at ProtonMail.

If you want to stick with your current browser, you could depend on your laptop vendor’s privacy additions, such as what HP provides. However, those periodically crash and don’t deliver the best experience. I am not picking on HP, it is just what I currently use, and perhaps other vendors may have more reliable privacy add-ons. You could also run a VPN all the time to protect your IP address, but you will still have issues with the leaked backend collections. And if you are using a mobile device, there is Jumbo, which helps you assemble a better privacy profile. What Jumbo illustrates though is that  privacy shouldn’t be this hard. You shouldn’t have to track down numerous menus scattered across your desktop or mobile device.

Sadly, we still have a lot of room to improve our browser privacy.

RSA Blog: The Tried and True Past Cybersecurity Practices Still Relevant Today

Too often we focus on the new and latest infosec darling. But many times, the tried and true is still relevant.

I was thinking about this when a friend recently sent me a copy of , which was published in 2003. Schneier has been around the infosec community for decades: he has written more than a dozen books and has his own blog that publishes interesting links to security-related events, strategies and failures..

His 2003 book contains a surprisingly cogent and relevant series of suggestions that still resonate today. I spent some time re-reading it, and want to share with you what we can learn from the past and how many infosec tropes are still valid after more than 15 years.

You can read my column for RSA’s blog here.