Windows 11 Registry Key To Block Automatic Download AI Model on Google Chrome

Google Chrome was found downloading and installing a local AI model, called Gemini Nano, that can take up 4GB or more of space on a hard drive. This was being done automatically without the consent of users. Microsoft’s Edge, which is also based on Chromium, has a similar feature; both use the same registry key GenAILocalFoundationalModelSettings as found in Microsoft documentation.

1. Open Registry Editor (regedit.exe).

2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Google\Chrome

3. In the right-hand pane, create a new DWORD (32-bit) value named GenAILocalFoundationalModelSettings

4. Double-click the new value and set its data to 1

You can do the same for Microsoft Edge; repeat the process at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Edge
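The same change scripted for both browsers, as an added example that is not part of the original post: it creates the GenAILocalFoundationalModelSettings DWORD under the two policy paths given above and reads the data back to confirm. The registry paths and the value 1 come from the post; the script and its function name are my own.

```powershell
# Added example, not code from the original post: creates the
# GenAILocalFoundationalModelSettings policy value described above for both Chrome
# and Edge, then reads it back to confirm. Run from an elevated PowerShell prompt;
# writing under HKLM\SOFTWARE\Policies requires administrator rights.
# The registry paths are the ones given in the post.

$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\WOW6432Node\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\WOW6432Node\Microsoft\Edge'
)
$valueName     = 'GenAILocalFoundationalModelSettings'
$blockDownload = 1    # 1 = do not download the local model (the value the post sets)

function Set-LocalModelPolicy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Data
    )

    # Create the policy key (and any missing parent keys) if it is not there yet
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # DWORD (32-bit) value, as in step 3 of the post; -Force overwrites an existing value
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Data -Force | Out-Null

    # Read the stored data back so the caller can verify the change landed
    return (Get-ItemProperty -Path $Path -Name $Name).$Name
}

foreach ($path in $policyPaths) {
    $stored = Set-LocalModelPolicy -Path $path -Name $valueName -Data $blockDownload
    if ($stored -eq $blockDownload) {
        Write-Output "OK  $path\$valueName = $stored"
    } else {
        Write-Warning "Unexpected data at $path\$valueName : $stored"
    }
}
```

Restart the browser afterwards; chrome://policy (or edge://policy) lists the policy once the browser has picked it up, which is the quickest way to confirm the value is being honoured.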

Microsoft Edge Loads All Your Passwords Into Memory In Plaintext

A security researcher has discovered that Microsoft Edge loads all your stored passwords into memory in plaintext at startup. This makes it easy to scrape passwords via malware, spyware, or a virus.

In 2020, Microsoft moved Edge to Chromium, the same framework that powers browsers such as Chrome, Brave, and Opera. Edge is the only Chromium-based browser that loads all stored passwords into memory in plaintext at startup, so this is not a framework issue.

Cyber security researcher @L1v1ng0ffTh3L4N posted about the vulnerability on X, saying:

“Edge is the only Chromium‑based browser I’ve tested that behaves this way.

“When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials,” the security researcher claims. “If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.”

After reporting the issue to Microsoft, the security researcher was told that this behaviour was “by design.” A company spokesperson also shared a more detailed statement with Windows Central:

“Safety and security are foundational to Microsoft Edge. Access to browser data, as described in the reported scenario, would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely – this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats.”

So this is a feature rather than a bug, which is concerning, to say the least. Microsoft did this by design. In May 2024, Microsoft said security is its “Top Priority”. If you’re concerned about the security of your saved passwords in Edge, I would recommend moving all of them to a more secure password manager and using a different browser than Microsoft Edge.

Microsoft BitLocker Is Not A Great Solution

Microsoft confirmed they receive around 20 requests for BitLocker keys a year and will provide them to governments in response to valid court orders. My issue is not only that Microsoft is able to access the key because of the way they store it, but that if someone gained access to your Microsoft account they could get the key as well.

Microsoft BitLocker is supposed to protect your data by encrypting it automatically. On most modern Windows 11 computers this feature is enabled by default to safeguard all the data on the computer’s hard drive. BitLocker encrypts the data so that only those with a key can decode it and read it.

You can store BitLocker keys digitally or on paper, which you should do for backup in the event your computer crashes and you want the data off your computer. Here is where the issue comes in: during BitLocker setup, Microsoft recommends that users store their keys in their Microsoft account for convenience and ease of use. The issue is that anyone who logs in to your Microsoft account can get those keys and access the data, since they are stored in clear text.
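As an added example that is not from the post, the following PowerShell script shows the practical check and response to the situation just described: it lists which key protectors a BitLocker volume has, and with -Rotate it replaces the recovery password so that a copy escrowed earlier (for example to a Microsoft account during setup) no longer unlocks the drive. The cmdlets are from the built-in BitLocker module; the parameter and function names are my own.

```powershell
# Added example, not code from the original post: lists the key protectors on a
# BitLocker volume and, when -Rotate is given, replaces the recovery password with a
# fresh one. After rotation, a recovery password that was escrowed earlier (for example
# to a Microsoft account during setup, as the post describes) no longer unlocks the drive.
# Uses the built-in BitLocker module; requires an elevated prompt. Parameter and function
# names are my own.

param(
    [string]$MountPoint = 'C:',
    [switch]$Rotate
)

function Get-RecoveryPasswordProtectors {
    param([string]$Drive)
    $vol = Get-BitLockerVolume -MountPoint $Drive
    # Each protector carries a type (Tpm, RecoveryPassword, ...) and a GUID-style ID
    return @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

function Update-RecoveryPassword {
    param([string]$Drive)
    $old    = Get-RecoveryPasswordProtectors -Drive $Drive
    $oldIds = @($old | ForEach-Object { $_.KeyProtectorId })

    # Add the new recovery password first so the drive is never left without one
    $vol = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
    $new = $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId
    }

    # Then drop every previous recovery password; any escrowed copy of those is now useless
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    return $new
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Output "Volume $MountPoint  protection=$($vol.ProtectionStatus)  method=$($vol.EncryptionMethod)"
foreach ($p in $vol.KeyProtector) {
    Write-Output ("  {0,-18} {1}" -f $p.KeyProtectorType, $p.KeyProtectorId)
}

if ($Rotate) {
    $np = Update-RecoveryPassword -Drive $MountPoint
    Write-Output 'New recovery password (write it down and keep it offline; it is not escrowed anywhere):'
    Write-Output "  $($np.RecoveryPassword)"
}
```

Run it once without -Rotate to see what protectors exist. Rotating does not delete the old password from the Microsoft account page, it only makes that copy useless for unlocking; delete it there separately, and store the new password on paper rather than back in the account.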

Apple does offer you the ability to get the recovery key and write it down, but if you store it in iCloud, Apple can’t see it and neither can you when you log in. In iCloud, the recovery key isn’t in plain text anywhere. Instead, the key is tied into behind-the-scenes account information that Apple maintains. It’s fully encrypted so that even Apple doesn’t have access to the unencrypted recovery key. Apple can instead deliver the encrypted recovery key to your Mac if you need to reset your password. The user never sees the recovery key nor has to enter it in this configuration.

Google uses eCryptfs disk encryption on ChromeOS. Keys are stored on disk in an encrypted format within the user’s home directory and are decrypted at login using the user’s login passphrase. The actual working keys are held in the Linux kernel’s memory (keyring) only while the filesystem is mounted. Google does not store these keys on its servers; you must provide the key every time you need to access the data. Losing this key means Google cannot recover your data.

Linux uses a system very similar to a Chromebook’s, with Linux Unified Key Setup (LUKS) as the standard for Linux hard disk encryption, providing a secure, user-friendly way to protect data at rest on partitions, disks, or removable media. It operates at the block level using dm-crypt, creating an encrypted container that requires a password to unlock and access data. If the key is lost, the data is as well.

There have even been reports of Microsoft engineers claiming that the U.S. government approached them in 2013 to install a backdoor in the BitLocker encryption system. On any operating system, if you have data you want secured so that no one else can access it, I would recommend using VeraCrypt or Cryptomator to secure the files so only you can access them, on your device or online. I can’t stress enough that true encryption means only you can access the data.

Memory Integrity Enforcement (MIE) On iPhone 17

Memory Integrity Enforcement (MIE) is a hardware-level security architecture introduced with the iPhone 17 and iPhone Air using the A19 System-on-Chip (SoC), which combines existing memory safety defenses in iOS with ARM’s Memory Tagging Extension (MTE). It is designed to eliminate memory corruption vulnerabilities, the primary tools used by sophisticated spyware like Pegasus.

The new hardware security feature is not widely known. MIE works by attaching cryptographic tags to different sections of the device’s memory. When a program attempts to access a piece of memory, the A19 chip verifies that the tag matches. If a mismatch is detected, which could indicate an unauthorized attempt to access or modify data, the chip immediately blocks the operation. This process helps to prevent common attack vectors such as buffer overflows and use-after-free exploits.

Memory Integrity Enforcement checks memory in real-time. If a program tries to access memory with the wrong tag, the A19 chip instantly terminates the process. Apple dedicated significant areas of the A19 and A19 Pro chips specifically to these security checks to ensure there is minimal impact on device performance. Tag Confidentiality Enforcement (TCE) keeps these randomized tag values hidden to prevent “leak” attacks or side-channel exploits like Spectre.

Apple’s memory safety improvements have been an ongoing effort, first with the rollout of Swift, a memory-safe language. In iOS 15, Apple introduced a secure memory allocator for the kernel, followed in iOS 17 by its user-level counterpart. These secure allocators take advantage of knowing the type of each allocation so that memory can be organized in a way that makes exploiting most memory corruption vulnerabilities inherently difficult. In 2018, Apple released Pointer Authentication Codes (PAC) in the A12 Bionic chip to protect control-flow integrity in the presence of memory corruption.

Memory Integrity Enforcement (MIE) is only on A19 and A19 Pro chips, included with the iPhone 17 series and the iPhone Air. It is always on by default for the kernel and core system processes; users do not need to enable it. Apple has provided an “Enhanced Security” option in Xcode, so third-party developers can opt in and test their own apps with EMTE protections.

I know Apple will build this into iPads eventually, and I hope they build this into M-series Macs as well in the future.

SSL_ERROR_UNSUPPORTED_VERSION Work Around Firefox

The SSL_ERROR_UNSUPPORTED_VERSION error indicates that the website you are trying to visit uses an outdated and insecure version of the Transport Layer Security (TLS) protocol, which Chrome and Edge no longer support by default.

Firefox also enforces a minimum of TLS 1.2 by default for security, but it lets you lower that minimum if you need to move forward.

If you understand the security risks and need to access the site, you can temporarily lower Firefox’s minimum required TLS version:

  1. In the Firefox address bar, type about:config and press Enter.
  2. Click Accept the Risk and Continue on the warning page.
  3. In the “Search preference name” box, type security.tls.version.min.
  4. Click the pencil icon next to the search result.
  5. Change the value from the default (which is likely 3 for TLS 1.2) to 1 (for TLS 1.0).
  6. Open the website in a new tab.

Revert this change by setting the value back to 3 as soon as you are done accessing the insecure website to ensure your browser remains secure for general browsing.

Browsers Affected By Google Manifest V3

Manifest V3 is the latest version of the Chrome Extensions platform, designed to improve security, privacy, and performance. It replaces Manifest V2 and introduces changes like service workers instead of background pages, and it restricts blocking capabilities, which has led to concerns about ad blockers.

Google’s addition of Manifest V3 to Chromium hurts the security extension platform. To start with, Manifest V3 makes it more difficult for ad blockers and anti-tracking extensions to function effectively. This affects extensions like AdBlock, Ghostery, uBlock Origin, AdGuard, NoScript, and uMatrix, which work to protect the user from tracking.

Since browsers like Chrome, Edge, Opera, and others are based on Chromium, all of them will stop supporting these security extensions. At the time of writing, uBlock Origin Lite still works on Chromium-based browsers.

Google is pushing Manifest V3 as a security measure in Chrome, but what this is really about going forward is Google’s ad business. At its core, Google is an ad business, and extensions that block tracking and ads are not good for Google’s business; that is why Google wants to get rid of all Manifest V2 extensions and push users and developers to Manifest V3.

Browsers like Firefox, made by Mozilla, and LibreWolf, a free and open-source fork of Firefox with an emphasis on privacy and security, are not affected. Firefox and LibreWolf are both great browsers based on the Gecko rendering engine, which is developed by Mozilla and not affected by this change. Safari, which is made and distributed by Apple, is not affected by this change either. Safari is based on the open-source “WebKit” rendering engine, which is a fork of the KHTML browser engine originally developed by KDE.

Brave which is a browser based on Chromium is not affected by this change as Brave Shields block ads and trackers by default, and they’re built natively in the Brave browser—no extensions required. Since Shields are patched directly onto the open-source Chromium codebase, they don’t rely on MV2 or MV3 in any way. Thanks to this independence, Google’s forced removal of MV2 will not weaken Brave Shields.

If you are concerned about privacy and security when browsing and would like to use security extensions, I would recommend Firefox, LibreWolf, or Brave on any platform. If you are on Mac or iOS, Safari might be your safest bet with security extensions.

Apple Advanced Data Protection Explained

Apple’s Advanced Data Protection (ADP) encrypts most iCloud data end-to-end, meaning it can only be decrypted on your trusted devices; its zero-trust encryption means not even Apple can see the data on the iCloud servers.

I would like to start out by saying I am a huge fan of Apple products; I use an iPhone and Mac almost every day. The iPhone and Mac were both designed with security in mind, but there are certain things that Apple does that do not always have security at heart. When your iPhone is locked and secure, Apple can’t get into the device, and they refuse to give out those keys; the same goes for iMessage and other end-to-end encrypted messaging services.

However, there is a catch: if you back up your phone using your Mac or PC, the backup is encrypted. Most people don’t back up that way anymore; they use iCloud. iCloud will flawlessly back up your phone, including iMessage, email, contacts, and other information, to Apple iCloud in case you lose your phone or device. By default, iCloud is not encrypted, and Apple does have a history of working with law enforcement to give them iCloud backups.

You can turn off iCloud backups, which keeps data local on your device and does not back it up to iCloud, or you can turn on Apple Advanced Data Protection. The one thing to remember with ADP is that if you lose your device or your recovery codes you will lose your data entirely, and there is nothing that can be done to recover it. Apple has added a few recovery options to try to help, but again, making it too easy ruins the point of the security.

  • A recovery contact is a trusted friend or family member who can use their Apple device to help you regain access to your account and data. They won’t have any access to your account, only the ability to give you a code to help you recover your account.
  • A recovery key is a secret 28-character code that you can use, along with a trusted phone number and an Apple device, to recover your account and data.

Requirements

To turn on ADP you must meet the following requirements and have:

  • An Apple Account with two-factor authentication.
  • A passcode or password is set for your device.
  • At least one account recovery contact or recovery key. If you don’t already have one, you’ll be guided to set one up when you turn on Advanced Data Protection.
  • Updated software on all the devices where you’re signed in:
    • iOS 16.2 or higher
    • macOS 13.1 or higher
    • Windows computer with iCloud for Windows 14.1 or higher

Turning On

To turn on Apple Advanced Data Protection on iPhone or iPad:

  1. Open the Settings app.
  2. Tap your name, then tap iCloud.
  3. Scroll down, tap Advanced Data Protection, then tap Turn on Advanced Data Protection.
  4. Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

To turn on Apple Advanced Data Protection on Mac:

  1. Choose Apple menu > System Settings.
  2. Click your name, then click iCloud.
  3. Click Advanced Data Protection, then click Turn On.
  4. Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

Who Should Turn on ADP?

Anyone worried about Apple giving up important information saved in iCloud. This could be anyone from doctors, journalists, lawyers, or politicians to anyone worried about what they are saving on their devices.

I would recommend this to anyone worried about data breaches. Remember, with ADP the data is saved in iCloud encrypted; if Apple should ever get hacked and you do not have Advanced Data Protection turned on, your data on iCloud is sitting there for the taking by hackers.

I would recommend if you have questions and are not sure what to do contact Apple, your phone provider or a security consultant.

Using Globaleaks To Protect Sources

Many times, sources (whistleblowers) need to send information anonymously to reporters or journalists. Using email or putting files on cloud storage is not safe or secure. If you want a free, safe, secure, and anonymous way to allow sources to share information, I suggest Globaleaks.

Globaleaks is a free open-source platform that allows sources to anonymously send information and data to reporters. Globaleaks is easy and simple to set up and anyone regardless of technical savvy can do it easily. Globaleaks has great instructions and a simple template that can be done with little or no effort on Docker.

After the installation, I examined the security of this system and was very impressed. To start with, when the source or whistleblower submits an incident, only a user with the Recipient role can read it. Globaleaks has three roles defined: Whistleblower, Recipient, and Administrator.

From Globaleaks Documentation:
“Recipient – The user receiving anonymous reports submitted by Whistleblowers and responsible for their analysis. Recipients act reasonably in good faith and have to be considered in all scenarios described as trusted parties with reference to the protection of Whistleblowers’ and the confidentiality of the information by them communicated.”

I figured as Administrator of the system and the server I would have access but Globaleaks really thought this through. Not even the admin account has access to the encrypted data submitted by the source.

After going through Globaleaks’ very well-done documentation I found this:

“Administrator – The users supporting the setup, management and monitoring the security of the platform. Administrator may not represent the same entity running, promoting and managing the whistleblowing initiatives (e.g., hosted solutions, multiple stakeholders projects, etc). The Administrator has to be considered in all scenarios described as a trusted entity. They do not have direct access to reports and they are responsible for advising Recipients on the best practices to be adopted in their work.”

Despite being the admin, you don’t have access to the data. I decided to check even deeper. I went onto the test server I made, as admin, and examined Globaleaks: all the documents submitted and the databases were encrypted. Even at the server level, the admin does not have access to the data.

The database stores users’ passwords hashed with Argon2 using a random 128-bit salt that is unique for each user. This key derivation function was selected as the winner of the Password Hashing Competition in July 2015. The hash involves a per-user salt for each user and a per-system salt for whistleblowers. The system forces users to change their password at their first login and pushes recipients and admin users to use 2FA.

I then started wondering about the logs; I should be able to see what IP address the source used to connect to the server. When I checked the logs, I found something interesting. While the logs are on the server for diagnostics, all IP addresses and login times were nulled out for the additional security of the source. Even metadata is nulled for additional protection.

One thing I did notice during the setup of Globaleaks: you can set up the system to work on the regular web, which Globaleaks does not recommend, even with a VPN. They recommend making the server a .onion domain. A .onion domain is the address of a website that can only be accessed through the Tor anonymity browser. Regular browsers won’t be able to navigate the relay of proxy servers that takes users to this type of website.

Globaleaks recommends accessing the platform via the Tor Browser to allow the best practices for protecting source identity and reducing the possibility that a system involved in the operation has tracked their activities and their IP address.

Reading through the documentation, Globaleaks software adheres to the OWASP security guidelines. GlobaLeaks tries to get a security audit done every 2 years and participates in a HackerOne bug bounty.

I found this platform to be very secure and well done through my research and I would recommend it to any company that needs a platform for sources or whistleblowers.

Using Signal for Secure Messaging

Signal is an encrypted messaging service for instant messaging, voice, and video calls. The Signal Foundation was launched in February 2018 as a 501 nonprofit with the mission to develop open-source privacy technology that protects free expression and enables secure global communication.

I recommend everyone use an end-to-end encrypted messenger like Signal. End-to-end encryption is a method of secure communication that prevents third parties from accessing data while it’s transferred from one system or device to another. Services like Snapchat, Facebook Messenger, Skype, Google Chat, and text messaging are not secure and can be viewed by the providers and third parties.

Signal uses verification servers to ensure the phone numbers are real using a third-party service to send a registration code via SMS or voice call to verify that the person in possession of a given phone number intended to sign up for a Signal account. This is a critical step in helping to prevent fake accounts from signing up for the service.

Signal sends messages encrypted so only the sender and receiver can read them. Signal uses metadata encryption technology to protect intimate information about who is communicating with whom. Signal can’t read or access any end-to-end encrypted messages because the keys that are required to decrypt messages are on your device, not their servers. If Signal were asked to provide information to authorities they would be unable to, since they do not have the keys and store very little, if any, data on their servers for this reason.

Signal is even proactive with storing undelivered messages. When you send a message, the Signal service temporarily queues that message for delivery. As soon as your message is delivered, that small bundle of encrypted data (i.e. your message) can be dropped from the queue. The storage of end-to-end encrypted files is temporary too, and any undelivered end-to-end encrypted data is automatically purged after a period of inactivity.

To add an extra layer of security for held messages Signal has server infrastructure from several providers like Amazon AWS, Google Cloud, Microsoft Azure, and others to ensure that not all saved messages are saved in one place in the event of a security breach. Even if there was a breach of these messages Signal can’t access the messages and neither can the companies that provide any of the infrastructure or even the attackers because the keys are on the user’s device, not the server.

Signal added Snapchat-like features with a feature called scheduling messages. Timers may be attached to messages to automatically delete the messages from both the sender’s and the receivers’ devices. The period for keeping the message may be between five seconds and one week and begins for each recipient once they have read their copy of the message. Signal has in addition added a stories feature, which is something available on all messaging platforms.

Since most Apple and Android devices back up to the cloud, Signal excludes users’ messages from non-encrypted cloud backups by default. This is a great idea considering that by default Android and iOS store backups unencrypted on iCloud and Google Drive.

Signal allows users to blur the faces of people in photos to protect identities automatically. Signal includes a payment and wallet system but only supports the payment method MobileCoin which is a privacy-focused digital currency.

All Signal contacts and contact lists are stored on your device encrypted and never sent to Signal’s servers. Group messaging is designed so that the servers do not have access to the membership list, group title, or group icons. Instead, the creation, updating, joining, and leaving of groups is done by the clients, which deliver pairwise messages to the participants in the same way that one-to-one messages are delivered.

Signal is banned in certain countries where governments are allowed to read all citizen communications. China, Egypt, Cuba, Uzbekistan, and Iran have banned Signal outright. In the U.K., Signal has warned it will quit the UK if the law weakens end-to-end encryption. The United Nations has recommended the use of Signal in certain countries.

I would rate Signal as the best and most secure app to use at the moment. The company is a non-profit focused on security and not profit. Recently Signal did release a blog post asking for donations as running a worldwide secure message service is not free. If you are using Signal please consider donating to this service which puts people over profit.

zsh command not found msfconsole Metasploit MacOS

Once you have installed Metasploit on your Mac from the nightly builds

https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html

you may get the error “command not found” when you go to run the msfconsole command.

That is because you need to add Metasploit to the paths file.

PATH is a system-level environment variable that holds a list of directories; on macOS, the /etc/paths file supplies its default entries. When you enter a command in the terminal, it’s shorthand for a program with the same name. The system looks in each of the PATH directories for the program corresponding to the command and runs the first match it finds.

To edit the paths file:

  1. Type sudo vi /etc/paths and enter your password to elevate privileges.
  2. Press i (or Shift + : then i and Enter, depending on your version of vi) to enter insert mode.
  3. Add the following on separate lines (each entry is separated by a new line):

/opt/metasploit-framework/bin

/opt/metasploit-framework

/opt/metasploit-framework/framework

  4. Now hit Esc, then type :wq! and press Enter.
  5. Close and reopen the terminal, then type msfconsole, and Metasploit will open.