Showing posts with label browser. Show all posts

Tuesday, September 3, 2019

Congrats Firefox - Firefox 69 now blocks third-party cookies and cryptominers.

“Enhanced Tracking Protection works behind-the-scenes to keep a company from forming a profile of you based on their tracking of your browsing behavior across websites — often without your knowledge or consent,” said Marissa Wood with Mozilla on Tuesday. “Those profiles and the information they contain may then be sold and used for purposes you never knew or intended.”

Firefox users can see if Enhanced Tracking Protection is working when they visit a website and see a purple shield icon on their address bar. To see which companies Mozilla blocks, Firefox users can also click on that icon, go to the Content Blocking section, then click Cookies, where they can see Blocking Tracking Cookies.

https://threatpost.com/firefox-69-tracking-cookies-flash-support/147931/

Tuesday, February 5, 2019

More good news if you are a Firefox user - Firefox 67, which is planned to be released in May 2019, will have a few exciting features


1. Block cryptocurrency miners
2. Block fingerprinting
3. Mute autoplaying videos.

Cryptominers not only use the CPU’s resources to mine for cryptocurrency but also affect the computer’s performance in the long run. The entire system becomes slow and operations get delayed.

Fingerprinting is a technique that can create user profiles for tracking purposes using the information that the connecting device, scripts (if permitted), and browser provide.

https://www.hackread.com/firefox-offers-fingerprinting-cryptomining-protection/

Tuesday, January 29, 2019

Need a reason to move to Firefox 65? - New Content Blocking controls!!



  1. Users can block known trackers in Private Browsing Mode. In the future, this setting will also block third-party tracking cookies.
  2. Users can also pick from a “strict” setting that blocks all trackers known to Firefox in all windows, or a “custom” setting that enables users to pick and choose which trackers and cookies they would like to block.
  3. A new “Security/Anti-Tracking” policy


https://threatpost.com/mozilla-firefox-65-anti-tracking/141281/

Thursday, August 23, 2018

"Token Binding" - New upcoming RFC Standard - Token binding makes cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens unusable outside of the client-specific TLS context in which they were issued



It turns out that cookies and tokens can be used outside of the original TLS context in all sorts of malicious ways. It could be hijacked session cookies, leaked access tokens, or a sophisticated MiTM. This is why the IETF OAuth 2 Security Best Current Practice draft recommends token binding.


Normally tokens are “bearer” tokens, meaning that whoever possesses the token can exchange the token for resources. Token binding improves on this pattern by layering in a confirmation mechanism that tests cryptographic material collected at the time of token issuance against cryptographic material collected at the time of token use. Only the right client, using the right TLS channel, will pass the test. This process of forcing the entity presenting the token to prove itself is called “proof of possession”.
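The proof-of-possession check described above, as an added Node.js example (not code from the linked article or from any Token Binding implementation). It is a simplification: a random per-connection value stands in for the TLS exported keying material, and the names `issueToken`, `proveChannel`, `verifyBoundToken` and the `cnf` field are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const SERVER_SECRET = crypto.randomBytes(32); // constructed token-signing key

// Binding ID: hash of the client's public key, stored inside the token.
function keyId(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

const mac = (payload) =>
  crypto.createHmac('sha256', SERVER_SECRET).update(payload).digest('hex');

// Issuance: record which key the token was issued to.
function issueToken(user, clientPublicKey) {
  const payload = JSON.stringify({ user, cnf: keyId(clientPublicKey) });
  return Buffer.from(payload).toString('base64') + '.' + mac(payload);
}

// Client: sign a per-connection value (stand-in for TLS exported keying material).
const proveChannel = (privateKey, channelValue) =>
  crypto.sign('sha256', channelValue, privateKey);

// Use: check token integrity, then key match, then proof for *this* connection.
function verifyBoundToken(token, channelValue, presentedKey, proof) {
  const [b64, tag] = String(token).split('.');
  const payload = Buffer.from(b64, 'base64').toString();
  const got = Buffer.from(tag || ''), want = Buffer.from(mac(payload));
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return 'bad-token';
  if (JSON.parse(payload).cnf !== keyId(presentedKey)) return 'wrong-key';
  if (!crypto.verify('sha256', channelValue, presentedKey, proof)) return 'no-proof';
  return 'ok';
}

// Constructed scenario: one legitimate use and three uses a bearer token would allow.
function demo() {
  const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const client = newKey(), other = newKey();
  const token = issueToken('alice', client.publicKey);
  const chanA = crypto.randomBytes(32), chanB = crypto.randomBytes(32);
  const proofA = proveChannel(client.privateKey, chanA);
  return {
    legit: verifyBoundToken(token, chanA, client.publicKey, proofA),
    stolenTokenOwnKey: verifyBoundToken(token, chanB, other.publicKey,
      proveChannel(other.privateKey, chanB)),
    replayedProof: verifyBoundToken(token, chanB, client.publicKey, proofA),
    tampered: verifyBoundToken(token + '0', chanA, client.publicKey, proofA),
  };
}
```

A plain bearer token would have been accepted in all four cases that carry an intact token; with the binding, only the holder of the private key on the original connection passes.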


https://cloudblogs.microsoft.com/enterprisemobility/2018/08/21/its-time-for-token-binding/

Wednesday, June 27, 2018

Firefox Monitor - A new security tool from Mozilla


Similar to the existing function of HIBP (Have I Been Pwned), Firefox Monitor allows users to enter their email addresses to check if they’re part of hacker databases that have been publicly released.


Firefox Monitor users can see the details on sites and other sources of breaches and the types of personal data exposed in each breach, and receive recommendations on what to do in the case of a data breach.

Mozilla said it is also considering a service to notify people when new breaches include their personal data

Mozilla said currently it is testing initial designs of the Firefox Monitor tool – but beginning next week, the company will invite approximately 250,000 users, mainly U.S.-based, to try it out.

https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/

Monday, June 11, 2018

How to defend against homoglyph attack (Recently happened to Whatsapp users)


Chrome:
Install Phish.ai's extension - Helps by showing a big red window every time the user is attempting to access a domain containing Unicode characters

Firefox:
Firefox users can enable homograph attack detection by enabling "IDN_show_punycode" inside about:config
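What both defenses above do, as an added Node.js example (not code from Phish.ai or Firefox): flag any hostname label that contains non-ASCII characters and show the punycode form a browser would display with punycode rendering enabled. The function names, the script list and the sample hostnames are constructed for illustration.

```javascript
const { domainToASCII } = require('url');

// Scripts whose letters are commonly confused with Latin (illustrative list).
const SCRIPTS = ['Latin', 'Cyrillic', 'Greek', 'Armenian'].map(
  (name) => ({ name, re: new RegExp(`\\p{Script=${name}}`, 'u') }));

// Return the scripts used by the letters of one hostname label.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const { name, re } of SCRIPTS) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found];
}

// Inspect a hostname: punycode form plus a finding for every non-ASCII label.
function inspectHost(host) {
  const ascii = domainToASCII(host); // '' if the name is not a valid domain
  const findings = [];
  for (const label of host.split('.')) {
    if (/^[\x00-\x7f]*$/.test(label)) continue; // pure ASCII, nothing to flag
    const scripts = scriptsIn(label);
    findings.push({ label, scripts, mixed: scripts.length > 1 });
  }
  return { host, ascii, idn: findings.length > 0, findings };
}

// Constructed samples: plain ASCII, Latin with one Cyrillic letter, all Cyrillic.
function demo() {
  return [
    'example.com',
    'ex\u0430mple.com',
    '\u043f\u0440\u0438\u043c\u0435\u0440.com',
  ].map(inspectHost);
}
```

The all-Cyrillic sample is not mixed-script, which is why displaying the `xn--` form is the more reliable signal: it exposes whole-script look-alikes as well as mixed ones.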

https://www.tripwire.com/state-of-security/featured/whatsapp-users-targeted-by-homoglyph-attack-peddling-free-tickets-to-theme-park/

Wednesday, May 23, 2018

Mozilla has added 2FA for Firefox Accounts and supports services such as Authy, Duo and Google Authenticator (no SMS)





If you are saving passwords in your browser and syncing them, then you should take advantage of this feature.


Users can enable it right now by accessing:

https://accounts.firefox.com/settings?showTwoStepAuthentication=true

When they turn on two-step authentication support, they'll also be provided with a set of recovery codes in case they lose access to the TOTP service.
Users should save these codes in a safe spot (online or offline).


https://www.bleepingcomputer.com/news/security/mozilla-adds-2fa-support-for-firefox-accounts/


Tuesday, May 22, 2018

Are you storing your passwords in Google Chrome or Firefox? - "Vega Stealer" can steal any credit card details, passwords or files you have stored





It arrives via a phishing email that tends to have a subject line such as ‘Online store developer required’ and contains a malicious attachment called ‘brief.doc’.

If you open the attachment, it takes you to a fairly innocent looking document - however, in the process you’ll also unwittingly download the Vega Stealer malware.

And once the malware has infected your computer, it can steal your auto-fill details stored on Google Chrome, as well as documents stored on your machine.

https://www.mirror.co.uk/tech/google-chrome-users-beware-malicious-12575800

Friday, May 11, 2018

Firefox 60 - Supports password-free logins


(if websites use the Web Authentication API)

"This resolves significant security problems related to phishing, data breaches, and attacks against SMS texts or other second-factor authentication methods while at the same time significantly increasing ease of use." Mozilla wrote.

Some are saying that this will replace passwords entirely, but for now it is being used as an extra layer of protection for users.

“Your credentials could be stored on a device like your phone, laptop, or security key, and services could use WebAuthn to sign in to your account after you scan your fingerprint or input a PIN on the device,” wrote Dropbox programmer Brad Girardeau.



http://www.ehackingnews.com/2018/05/firefox-60-worlds-first-browser-to-go.html

Thursday, April 19, 2018

Chrome Users - Check if you have installed any of these FAKE MALICIOUS extensions


  • AdRemover for Google Chrome™ (10 million+ users)
  • uBlock Plus (8 million+ users)
  • [Fake] Adblock Pro (2 million+ users)
  • HD for YouTube™ (400,000+ users)
  • Webutation (30,000+ users)



Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers.

The malicious extension then receives commands from the remote server, which are executed in the extension 'background page' and can change your browser's behavior in any way.

https://thehackernews.com/2018/04/adblocker-chrome-extention.html

Tuesday, April 3, 2018

Did you know - Chrome periodically scans your device to detect potentially unwanted software



“Nobody likes surprises,” Haroon Meer, the founder at security consulting firm Thinkst, told me in an online chat. “When people fear a big brother, and tech behemoths going too far...a browser touching files it has no business to touch is going to set off alarm bells.” 

According to Google, the goal of Chrome Cleanup Tool is to make sure malware doesn’t mess with Chrome on your computer by installing dangerous extensions or putting ads where they’re not supposed to be.

The tool only runs weekly, it only has normal user privileges (meaning it can’t go too deep into the system), is “sandboxed” (meaning its code is isolated from other programs), and users have to explicitly click on that box screenshotted above to remove the files and “cleanup.”


https://motherboard.vice.com/en_us/article/wj7x9w/google-chrome-scans-files-on-your-windows-computer-chrome-cleanup-tool

Thursday, November 30, 2017

Good news - Firefox to add "Breach Alerts"



Firefox is testing out a warning system that will notify users when they visit breached sites and offer the option to be notified if a site they previously visited becomes breached in the future.

The “Breach Alerts” will not prevent a user from visiting a site but will give them some sort of idea that the site's security features are less than optimal, using data provided by Have I Been Pwned?.

For More:
https://www.scmagazine.com/firefox-browser-tests-notifications-to-alert-users-when-visiting-breached-sites/article/710711/

Tuesday, October 31, 2017

Good news - Firefox (v58 - Jan 2018) will add a new feature - BLOCK canvas-browser-fingerprinting





Mozilla is testing a new feature in the upcoming version of its Firefox web browser that will grant users the ability to block canvas fingerprinting.


(Canvas fingerprinting is one of a number of browser fingerprinting techniques of tracking online users that allow websites to identify and track visitors using HTML5 canvas element instead of browser cookies or other similar means.)

The permission prompt that Firefox displays reads:

"Will you allow [site] to use your HTML5 canvas image data? This may be used to uniquely identify your computer."


Once you get this message, it's up to you whether you want to allow access to canvas fingerprinting or just block it. You can also check the "always remember my decision" box to remember your choice on future visits as well.

For More:
https://thehackernews.com/2017/10/canvas-browser-fingerprint-blocker.html

Thursday, October 19, 2017

Do you know - Chrome is getting built-in basic antivirus protection for your Windows computer.



ESET scanning engine now built in

"Our engine scans for and cleans potentially harmful applications, specifically the types that negatively impact or target the Chrome browsing experience," said Juraj Malcho, chief technology officer at ESET.

For what it's worth, Chrome, by default, automatically tries to stop software nasties from being accidentally downloaded onto a machine, by checking website URLs against lists of known dangerous and unsafe sites. If you surf to a website known for distributing malware, er, unwanted software, a big red warning will appear in the browser urging you to stop and go back the way you came.

For More Info:
https://www.theregister.co.uk/2017/10/16/chrome_for_windows_malware/

Thursday, April 6, 2017

Secure Site = Safe Site? - NO




WordFence, a well-regarded WordPress security company, has found that SSL certificates are being issued by certificate authorities (CA) to phishing sites pretending to be other sites. Because the certificates are valid, even though they're operating under false premises, Chrome reports these sites as being secure. They're not.


Even when a "certificate is revoked once a CA realizes they should not have issued it, we show that Chrome still shows the site as 'secure.'" The 'revoked' status is only visible in Chrome developer tools.


For more info:
http://www.zdnet.com/article/the-chrome-browsers-secure-isnt-the-same-thing-as-safe/


Friday, December 2, 2016

Don't forget to upgrade Google Chrome - 12 high severity flaws have been fixed


My Philosophy

1.  If you don't patch your PC then it is bad
2.  If you don't patch your Browser then it is worse.

For banking and other important activities, use a different browser in a new Private window and NEVER use that browser to access any other sites.





For More info:
https://threatpost.com/google-fixes-12-high-severity-flaws-in-chrome-browser/122223/

Wednesday, February 3, 2016

Do you use Chromodo Browser - if so you need to read this




I don't use it but I am still shocked



From the article:

“Chromodo is described as ‘highest levels of speed, security and privacy,’ but actually disables all web security. Let me repeat that, they ***disable the same origin policy***…. ?!?..” Ormandy wrote in an advisory published Tuesday by Google’s Project Zero research team.

“They also hijack DNS settings, among other shady practices,” Ormandy wrote.

Chromodo browser installed with Comodo Internet Security disables the same-origin policy by default.

The same-origin policy is a fundamental tenet of web security, ensuring that scripts access data from a second webpage only if the two pages have the same origin.


For More Info
https://threatpost.com/chromodo-browser-disables-same-origin-policy/116131/

Sunday, January 31, 2016

"In Private" Mode might not be "Private" - in EDGE Browser


Any vendor who gives away something free will need to get something back that they could use to make money.


From the Article:
Somewhat counterintuitively, Edge actually records browsing history in InPrivate mode. More than this, by examining the WebCache file it is a relatively simple task for someone to reconstruct full browsing history, regardless of whether surfing was performed in regular or InPrivate mode.

Microsoft is aware of the problem, and says:
We recently became aware of a report that claims InPrivate tabs are not working as designed, and we are committed to resolving this as quickly as possible.



For More Info: