Lipani Security LLC

A Security & Privacy Company

Category: blog

Browsers Effected By Google Manifest V3

Posted on by admin

Manifest V3 is the latest version of the Chrome Extensions platform, designed to improve security, privacy, and performance. It replaces Manifest V2 and introduces changes like service workers instead of background pages, and restricts blocking capabilities, which has led to concerns about ad blockers

Google made an addition of Manifest V3’s in Chromium to hurt the security extension platform. To start with Manifest V3 will make it more difficult for adblockers and ad trackers to function effectively. This affects extensions like AdBlock, Ghostery and UBlock Origin, AdGuard, NoScript, and uMatrix to work to protect the user from tracking information.

Since browsers like Chrome, Edge, Opera, and others are based on Chromium all browsers will stop supporting security extensions. At the moment of writing this UBlock origin Lite still works on Chromium-based browsers for now.

Google is pushing Manifest V3 as a security measure in Chrome but what this really is going forward is Google’s ad business. At Google’s core, they are an ad business, and extensions that block tracking and ads are not Google for Google business and that is why Google wants to get rid of all Manifest V2 extensions and push users and developers to Manifest V3.

Browsers like Firefox made by Mozilla and LibreWolf which is a free and open-source fork of Firefox, with an emphasis on privacy and security are not affected. Firefox and LibreWolf are both great browsers based on the Gecko rendering engine which is developed by Mozilla and not affected by this change. Safari which is made and distributed by Apple is not affected by this change as well. Safari is based on the open-source “WebKit” rendering engine, which is a fork of the KHTML browser engine originally developed by KDE.

Brave which is a browser based on Chromium is not affected by this change as Brave Shields block ads and trackers by default, and they’re built natively in the Brave browser—no extensions required. Since Shields are patched directly onto the open-source Chromium codebase, they don’t rely on MV2 or MV3 in any way. Thanks to this independence, Google’s forced removal of MV2 will not weaken Brave Shields.

If you are concerned about privacy and security when browsing and would like to use security extensions I would recommend Firefox, Librewolf, or Brave on any platform. If you are on Mac or iOS Safari might be your safest best with security extensions.

Apple Advanced Data Protection Explained

Posted on by admin

Apple’s Advanced Data Protection (ADP) encrypts most iCloud data end-to-end, meaning it can only be decrypted on your trusted devices, its zero-trust encryption means not even Apple can see the data on the iCloud servers.

I would like to start out by saying I am a huge fan of Apple Products I use an iPhone and Mac almost every day. The iPhone and Mac were both designed with security in mind but there are certain things that Apple does that do not always have security at heart. When your iPhone is locked, and secure Apple can’t get into the device, and they refuse to give out those keys same thing goes for things like iMessage and other end-to-end encrypted messaging services.

However, there is a catch if you back up your phone using your Mac or PC it is encrypted. Most people don’t backup that way anymore they use iCloud. iCloud will flawlessly backup your phone which includes iMessage, email, contacts, and other information to Apple iCloud in case you lose your phone or device. By default, iCloud is not encrypted, and Apple does have a history of working with law enforcement to give them iCloud backups.

You can turn off iCloud backups which would keep data local on your device and not back up to iCloud or you can turn on Apple Advanced Data Protection. The one thing to remember with ADP if you lose your device or your recovery codes you will lose your data entirely and there is nothing that can be done to recover it going forward. Apple has added a few recovery options to try to help but again making it too easy runes the point of the security.

  • A recovery contact is a trusted friend or family member who can use their Apple device to help you regain access to your account and data. They won’t have any access to your account, only the ability to give you a code to help you recover your account.
  • A recovery key is a secret 28-character code that you can use, along with a trusted phone number and an Apple device, to recover your account and data.

Requirements

To turn on ADP you must meet the requirements and have

  • An Apple Account with two-factor authentication.
  • A passcode or password is set for your device.
  • At least one account recovery contact or recovery key. If you don’t already have one, you’ll be guided to set one up when you turn on Advanced Data Protection.
  • Updated software on all the devices where you’re signed in using
    • iOS 16.2 or higher
    • MacOS 13.1 or higher
    • Windows computer with iCloud for Windows 14.1 or higher

Turning On

To Turn on Apple Advanced Data Protection

On iPhone or iPad

Open the Settings app.

Tap your name, then tap iCloud.

Scroll down, tap Advanced Data Protection, then tap Turn on Advanced Data Protection.

Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

To Turn on Apple Advanced Data Protection

On Mac

Choose Apple menu  > System Settings.

Click your name, then click iCloud.

Click Advanced Data Protection, then click Turn On.

Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

Who Should Turn on ADP?

Anyone worried about Apple giving up important information saved on iCloud? This could be anyone from doctors, journalists, lawyers, politicians or anyone worried about what they are saving on their devices.

I would recommend this to anyone worried about data breaches. Remember the data is saved in iCloud encrypted so if Apple should ever get hacked and you do not have Advanced Data Protection turned on your data on iCloud is sitting there for the taking by hackers.

I would recommend if you have questions and are not sure what to do contact Apple, your phone provider or a security consultant.

Using Globaleaks To Protect Sources

Posted on by admin

Many times, Sources (whistleblowers) need to send information anonymously to reports or journalists. Using email or putting files on cloud storage is not safe or secure if you want a free, safe, secure, and anonymous way to allow sources to share information I suggest Globaleaks.

Globaleaks is a free open-source platform that allows sources to anonymously send information and data to reporters. Globaleaks is easy and simple to set up and anyone regardless of technical savvy can do it easily. Globaleaks has great instructions and a simple template that can be done with little or no effort on Docker.

After the installation, I examined the security of this system and was very impressed. To start with when the source or whistleblower submits an incident only the user with the recipient roll can read it. Globaleaks has three roles defined Whistleblower, Recipient, and Administrator.

From Globaleaks Documentation:
“Recipient – The user receiving anonymous reports submitted by Whistleblowers and responsible for their analysis. Recipients act reasonably in good faith and have to be considered in all scenarios described as trusted parties with reference to the protection of Whistleblowers’ and the confidentiality of the information by them communicated.”

I figured as Administrator of the system and the server I would have access but Globaleaks really thought this through. Not even the admin account has access to the encrypted data submitted by the source.

After going through Globaleak’s very well-done documentation I found this:

“Administrator – The users supporting the setup, management and monitoring the security of the platform. Administrator may not represent the same entity running, promoting and managing the whistleblowing initiatives (e.g., hosted solutions, multiple stakeholders projects, etc). The Administrator has to be considered in all scenarios described as a trusted entity. They do not have direct access to reports and they are responsible for advising Recipients on the best practices to be adopted in their work.”

Despite being the admin, you don’t have access to the data. I decided to check even deeper. I went on to the test server I made as admin and examined Globaleaks and all the documents submitted and the databases were encrypted. Even at the server level, the admin does not have access to the data.

The database stores users’ passwords hashed with a random 128-bit salt, unique for each user and hashed using Argon2. This key derivation function was selected as the winner of the Password Hashing Competition in July 2015. The hash involves a per-user salt for each user and a per-system salt for whistleblowers. The system forces users to change their password at their first login and pushes to use 2FA for recipients and admin users.

I then started wondering about the logs I should be able to see what IP address the source used to connect to the server. When I checked the logs, I found something interesting. While the logs are on the server for diagnostics all IP addresses and login information times were all nulled out for additional security of the source. Even metadata is nulled for additional protection.

One thing I did notice during the setup of Globaleaks you can set up the system to work on the regular web which Globaleaks does not recommend even using a VPN. They recommend making the server a .onion domain. A .onion domain is the address of a website that can only be accessed through the Tor anonymity browser. Regular browsers won’t be able to navigate the relay of proxy servers that will take users to this type of website.

Globaleaks recommends accessing the platform via the Tor Browser to allow the best practices for protecting source identity and reducing the possibility that a system involved in the operation has tracked their activities and their IP address.

Reading through documentation Globaleaks software is in adherence with the OWASP Security Guidelines. GlobaLeaks tries to get a security audit done every 2 years and does participate in HackerOne bug bounty.

I found this platform to be very secure and well done through my research and I would recommend it to any company that needs a platform for sources or whistleblowers.

Using Signal for Secure Messaging

Posted on by admin

Signal is an encrypted messaging service for instant messaging, voice, and video calls. The Signal Foundation was launched in February 2018 as a 501 nonprofit with the mission to develop open-source privacy technology that protects free expression and enables secure global communication.

I recommend everyone use an end-to-end encryption type messenger like Signal. End-to-end encryption is a method of secure communication that prevents third parties from accessing data while it’s transferred from one system or device to another. Communications like Snapchat, Facebook Messenger, Skype, Google Chat, and text messaging are not secure and can be viewed by the providers and third parties.

Signal uses verification servers to ensure the phone numbers are real using a third-party service to send a registration code via SMS or voice call to verify that the person in possession of a given phone number intended to sign up for a Signal account. This is a critical step in helping to prevent fake accounts from signing up for the service.

Signal sends messages encrypted so only the sender and receiver are or can read them. Signal uses metadata encryption technology to protect intimate information about who is communicating with whom. Signal can’t read or access any end-to-end encrypted messages because the keys that are required to decrypt messages are on your device, not their servers. If Signal was asked to provide information to authorities they would be unable since they do not have the keys and store very little if any data on their servers for this reason.

Signal is even proactive with storing undelivered messages When you send a message, the Signal service temporarily queues that message for delivery. As soon as your message is delivered, that small bundle of encrypted data (i.e. your message) can be dropped from the queue. The storage of end-to-end encrypted files is temporary too, and any undelivered end-to-end encrypted data is automatically purged after a period of inactivity.

To add an extra layer of security for held messages Signal has server infrastructure from several providers like Amazon AWS, Google Cloud, Microsoft Azure, and others to ensure that not all saved messages are saved in one place in the event of a security breach. Even if there was a breach of these messages Signal can’t access the messages and neither can the companies that provide any of the infrastructure or even the attackers because the keys are on the user’s device, not the server.

Signal added Snapchat-like features with a feature called scheduling messages. Timers may be attached to messages to automatically delete the messages from both the sender’s and the receivers’ devices. The period for keeping the message may be between five seconds and one week and begins for each recipient once they have read their copy of the message. Signal has in addition added a story’s feature which is something available on all messaging platforms.

Since most Apple and Android devices backup to the cloud Signal excludes users’ messages from non-encrypted cloud backups by default. This is a great idea considering by default Android and iOS store backups unencrypted on iCloud and Google Drive.

Signal allows users to blur the faces of people in photos to protect identities automatically. Signal includes a payment and wallet system but only supports the payment method MobileCoin which is a privacy-focused digital currency.

All Signal contacts and contacts lists are stored on your device encrypted and never sent to Signals servers. Group messaging is designed so that the servers do not have access to the membership list, group title, or group icons. Instead, the creation, updating, joining, and leaving of groups is done by the clients, which deliver pairwise messages to the participants in the same way that one-to-one messages are delivered.

Signal is banned in certain countries where governments are allowed to read all citizen communications.  China, Egypt, Cuba, Uzbekistan, and Iran have banned Signal outright. In the U.K., the Signal app warns it will quit the UK if the law weakens end-to-end encryption. The United Nations has recommended the use of Signal in certain countries.

I would rate Signal as the best and most secure app to use at the moment. The company is a non-profit focused on security and not profit. Recently Signal did release a blog post asking for donations as running a worldwide secure message service is not free. If you are using Signal please consider donating to this service which puts people over profit.

zsh command not found msfconsole Metasploit MacOS

Posted on by admin

Once you have installed Metasploit on your mac from the nightly builds

https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html

When you go to run the msfconsole command you may get the error command not found

That is because you need to add Metasploit to the paths file

The PATH file is a system-level variable that holds a list of directories. When you enter a command in the terminal, it’s shorthand for a program with the same name. The system looks in each of the PATH directories for the program corresponding to the command. When it finds a matching program, it runs it.

To edit the paths file type

sudo vi /etc/paths

Enter you password to elevate privileges

Note: each entry is separated by a new line

hit i or shift + : + i and hit enter depends on your version of vi

Add on separate lines

/opt/metasploit-framework/bin

/opt/metasploit-framework

/opt/metasploit-framework/framwork

how hit esc

then enter :wq! + enter

you will need to close and reopen the console now type

msfconsole

and

Metasploit will open

Migrating to BitWarden From LastPass For Password Management

Posted on by admin

Why I am leaving LastPass for another password manager?

I have recommended LastPass for years as a password manager after their last few cyberattacks, their handling of the attacks, and the way they have handled password storage and security I cannot recommend them. I myself have decided to all my passwords to BitWarden.

How BitWarden Stores Passwords?

The way BitWarden handles the encryption of passwords is very good. To start with they have a secret key feature so even if someone would get your password database and your master password they still cannot decrypt it without the secret key. If they should get the secret key and your password database, they still cannot decrypt your passwords because they do not have your master password.

BitWarden uses sha-256 to derive the encryption keys from your master password. BitWarden salts and hashes your master password with your email address locally before transmission to our servers once a bit Warden server receives the hashed password it is salted again with a cryptographically secure random value hashed again and stored in their database. The default iteration count used with pbkdf2 is one hundred thousand and one iteration on the client client-side iteration count is configurable from your account settings and then an additional 100,000 iterations when stored on our servers for a total of 201,000 iterations by default.

These two methods make password storage very secure. BitWarden has publicly released its third-party security audit schedule and is registered with the HackerOne bug bounty program making their security constantly tested.

Is BitWarden Free or Paid?

BitWarden has personal and business plans. The business plans are starting at three dollars and go up from there. I personally only focused on personal plans which have three price points.

BitWarden is again open source so they offer a free plan with unlimited passwords, and unlimited devices and will be free forever. Most password managers do not offer a free plan, so this was very impressive.

Their next plan is the one I went with which offers all free features but includes two-factor authentication, BitWarden Authenticator, security reports, and emergency access for ten dollars a year. You will also get 1 gig of encrypted storage on BitWarden with this plan which can be important for personal documents and things like certs or codes if you are like me.

The third tier is a family plan for forty dollars a year, including family sharing, six accounts, and more storage.

Which plan to get?

I personally went with the ten-dollar-a-year plan. I don’t agree with BitWarden charging for 2FA authentication, but I feel this is worth the money plus this is a way of supporting the open-source community. I found out later how cool the BitWarden Authenticator is when you install their software on your Mac and PC. The authenticator is part of the ten-dollar-a-year plan and having a right-click authenticator tool is very handy. I was interested as well in the security reports.

Is migrating from Lastpass to BitWarden hard?

No, it’s very easy I recommend downloading the LastPass app for windows or mac. Then go to advanced options and click export. Make sure to export to a . CSV file. Once that is done go to BitWarden login and click on tools and import select the LastPass .csv option get the file you just exported from LastPass and hit import. Once you have verified all your passwords and notes are in BitWarden delete and empty your trash of the export you did from LastPass you do not want that file on your machine.

Now we need to protect ourselves from any further LastPass attacks go to

https://lastpass.com/delete_account.php

Here you can completely delete your account or reset your account to default either way you should do this once you are sure everything you need is in BitWarden.

How is using BitWarden?

Just like LastPass, BitWarden has extensions for all browsers and has local software you can install as well. When you install the software on your computer you get a right-click menu that allows you to authenticate using the BitWarden Authenticator which was very handy. I would rate BitWarden faster and less bloated than LastPass and the functionality is just as good as well.

Can I use this for business?

One thing I did not know until I started doing research is that you can host your own BitWarden server if you wanted since it’s open source. While this would be fun to do the cost of renting a VPS or even running it on my home server does not seem worth the effort for 10 dollars a year.

I could see this being a solution for a big company with a lot of users as this would cut the cost down for them since they would not be paying three to five dollars a user per month. If I was a larger company I could see this being a good solution and I may recommend this to large corporate customers. For small business customers, I would recommend the business plan or even the family plan might work out with less hassle and ease of use.

Will it work on my smartphone?

BitWarden has an iPhone and Android client that you can you use to store and get passwords. The app does support FaceID unlocking, fingerprint unlocks, passcode unlocking, Apple Watch, and many other features you would expect for an app in the mobile world. The app does have a sync feature so if you save a password on your desktop it will sync to the phone or from the phone to the desktop. The app has a password generator and password autofill feature if you would rather use BitWarden than the built-in Apple or Android password generator. The BitWarden app has a neat feature called send where you can send an encrypted message link and then will delete it in so many days protected by a password. Which could be handy for sharing passwords or personal documents with users.

Final Thoughts

I think BitWarden is a much better replacement and a much more secure option than LastPass. The software has more options seems to be less buggy and is 1/3 the price a year of LastPass.

Managing Chrome In Windows With Group Policy

Posted on by admin

Download the Chrome Group Policy Templates For Windows

Extract the files to a network share or local location

Open Group Policy Management editor or Run gpedit.msc for local install

Open or Create a new policy

Expand Computer Configurations

Right Click on Administrator Templates -> Then Add/Remove Templates -> Click Add

Navigate to the files you extracted and import the Chrome Template

Now under Administrator Templates, you will see a Google folder and a Chrome folder

If you go into the Chrome folder you will see hundreds of options to customize Chrome

Now link the Group Policy Object to a computer’s OU with the customizations you want.

Sh1mmer Exploit Mitigation

Posted on by admin

The Sh1mmer Exploit is a Chromebook unenrollment tool that allows users to unenroll Chromebooks from Google Enterprise Workspace. Google has not released an ETA on a patch for this they have released mitigation practices to help prevent this exploit from working.

  • Turn off enrollment permissions for most users. This will require users to identify themselves in order to properly re-enroll on a device that was unenrolled.
    1. Open your Admin Console at: https://admin.google.com/
    2. On the left panel, expand “Devices” > “Chrome” > “Settings”, then click on “Users & Browsers”.
    3. Select the organizational unit(s) of the users that you wish to remove enrollment permissions.
    4. Under “Enrollment Controls”, change the “Enrollment permissions” setting to “Do not allow users in this organization to enroll new or re-enroll existing devices”.
  • On managed Chromebooks, block access to chrome://net-export so that users cannot capture wireless credentials. This can be achieved with the URL blocklist policy.
  • Additionally, Block access to the following websites that have been used to spread exploit tools and information using URLBlocklist as well as via content filtering products:
    • sh1mmer.me
    • alicesworld.tech
    • luphoria.com
    • bypassi.com

Fix For Error Security settings do not allow external startup disk on Mac

Posted on by admin

If you are trying to reinstall macOS or trying to boot off an external hard drive on Mac for any reason and get the error “Security settings do not allow external startup disk on Mac” there is a way to fix this going forward. To start with this is a security feature to protect your machine called secure boot. Secure Boot is an important security feature designed to prevent malicious software from loading when your Mac starts up or boots. But at times you will need to boot off external media to do that follow the steps below.

Restart your Mac and press and hold Command + R as soon as you see the Apple logo.

You should now see the macOS Utilities window. Select Utilities > Startup Security Utility.

Now enter the macOS password, select an administrator account and enter its password.

In the External Boot section check the Allow booting from external media option.

external disk

Reboot and you will be able to boot off of external media.

Fix For Warning SSL Medium Strength Cipher Suites Supported (SWEET32)

Posted on by admin

I recently ran into an issue where users were getting “SSL Medium Strength Cipher Suites Supported (SWEET32)” looking into the issue I found the following on the Nessus support site.

The remote host supports the use of SSL ciphers that offer medium-strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.

To disable the Three DES ciphers run

https://www.nartac.com/Products/IISCrypto/

Click on best Best Practices

Under Ciphers

Uncheck Triples DES 168

Check Reboot and Hit Apply

The server will reboot and disable this protocol.

You must reboot for the changes to take effect.

I would recommend disabling protocals TLS 1.0 and 1.1 on your devices if you can for security purposes.

Uncheck TLS 1.0 and TLS 1.1 under Server Protocols

Check Reboot and Hit Apply

This will reboot the server for the changes to take effect.

With these 2 protocols disabled and the 3DES ciphers disabled, this warning should go away when you do your next scan.