Insights For Success

Strategy, Innovation, Leadership and Security


Mozilla Firefox 67 will allow letterboxing to protect your online identity

General | Edward Kiledjian

In September 2016 I wrote an article entitled “Your browser will betray your identity” that discussed the techniques both legitimate parties (marketers) and illegitimate ones (threat actors) use to keep track of your identity even when you aren’t logged into any of their sites.

The purpose-built Tor Browser (a hardened build of Mozilla Firefox) has for some time implemented a technique called letterboxing to protect users from this kind of identification through browser fingerprinting.

Most browsers let a site run client-side JavaScript that reads the size of the browser window (window.innerWidth and window.innerHeight) and of the screen. Responsive sites use this to generate pages optimized for the device you are using, which is why a well-designed website renders correctly on both a large 24" desktop screen and a 6" smartphone.

Would you be surprised to learn that this is one more dimension threat actors and marketers can use to start deanonymizing you?

The privacy team behind the Tor Project goes to great lengths to maximize your privacy while you use its anonymizing network, by minimizing the data exhaust you leave while browsing the web. Mozilla has been bringing some of these privacy enhancements back into mainstream Firefox under an initiative called Tor Uplift, which started in 2016.

Release 67, expected in May 2019, brings letterboxing into mainstream Firefox. Letterboxing rounds the width of the content area down to a multiple of 200 pixels and its height down to a multiple of 100 pixels. Many more users therefore report the same window size, which makes window dimensions a much weaker signal for deanonymization. When the page does not fit the rounded size exactly, Firefox pads the remaining space with grey bars. If you are more concerned about looks, you will be able to turn this additional protection off with a Firefox preference.

In the Bugzilla tracker, Mozilla wrote: “Window dimensions are a big source of fingerprintable entropy on the web” and “Maximized windows reveal available screen width and height, excluding toolbars; and full-screen windows reveal screen width and height. Non-maximized windows can allow a strong correlation between two tabs.”

The demo below shows letterboxing while the browser window is resized. Notice the grey added around the rendered page.

The letterboxing feature won’t be turned on by default. Users wanting this extra layer of protection will have to open about:config, enter “privacy.resistFingerprinting” in the search box and set it to “true”. Be aware that this preference switches on all of Firefox’s fingerprinting-resistance measures (spoofed timezone, user agent, canvas blocking and more), so some sites may behave differently; in shipped builds, letterboxing itself is additionally gated by the separate privacy.resistFingerprinting.letterboxing preference, which is also off by default.
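To make the numbers concrete, here is an added example written for Node.js; it is not Mozilla’s code and was not part of the original article. It implements the 200 by 100 pixel rounding described above, runs it over a constructed sample of twelve visitors’ window sizes, and counts how many distinct values, and how many bits of identifying information, survive. The sample sizes and the handling of windows smaller than one step are assumptions of the example.

```javascript
// Added example, not Mozilla's code: what a page can read from the browser,
// and how letterboxing collapses those values. Runs under Node.js with a
// constructed sample of window sizes.

// In a browser these are the signals a fingerprinting script reads.
// Under Node there is no window object, so the function returns null.
function readWindowSignals() {
  if (typeof window === "undefined") return null;
  return {
    inner: [window.innerWidth, window.innerHeight],   // content area
    outer: [window.outerWidth, window.outerHeight],   // whole window
    screen: [window.screen.width, window.screen.height],
  };
}

// Letterboxing as described for Firefox 67: round the content width down
// to a multiple of 200 px and the height down to a multiple of 100 px.
// Assumption for this example: a dimension smaller than one step is left
// as is rather than rounded down to zero.
function letterbox(width, height) {
  const w = width >= 200 ? width - (width % 200) : width;
  const h = height >= 100 ? height - (height % 100) : height;
  return { width: w, height: h };
}

// Constructed sample: content-area sizes of twelve non-maximized windows,
// the way a tracker would collect them from visitors.
const SAMPLE_WINDOWS = [
  [1366, 657], [1366, 662], [1372, 661], [1280, 600], [1280, 613],
  [1536, 745], [1520, 731], [1920, 937], [1903, 931], [1366, 657],
  [1440, 789], [1456, 772],
];

const identity = (w, h) => ({ width: w, height: h });

// Tally "WxH" strings after an optional transform (e.g. letterbox).
function sizeCounts(samples, transform = identity) {
  const counts = new Map();
  for (const [w, h] of samples) {
    const { width, height } = transform(w, h);
    const key = `${width}x${height}`;
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  return counts;
}

// How many distinct window sizes the sample produces.
function distinctSizes(samples, transform = identity) {
  return sizeCounts(samples, transform).size;
}

// Shannon entropy (bits) of the size distribution: how much identifying
// information the window size carries on average across this sample.
function sizeEntropyBits(samples, transform = identity) {
  let bits = 0;
  for (const n of sizeCounts(samples, transform).values()) {
    const p = n / samples.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

console.log("raw:        ", distinctSizes(SAMPLE_WINDOWS), "distinct sizes,",
  sizeEntropyBits(SAMPLE_WINDOWS).toFixed(2), "bits");
console.log("letterboxed:", distinctSizes(SAMPLE_WINDOWS, letterbox), "distinct sizes,",
  sizeEntropyBits(SAMPLE_WINDOWS, letterbox).toFixed(2), "bits");
```

On the constructed sample, eleven distinct raw sizes (about 3.4 bits) collapse to three letterboxed sizes (about 1.5 bits). Real-world gains depend on how visitors’ windows are distributed, but the mechanism is the same: every window in a 200 by 100 pixel cell reports the identical value.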

Smartphone chargers just got a powerful upgrade

General | Edward Kiledjian

This is NOT a sponsored post.

Anker Atom PD-1


At first glance, the Anker Atom PD-1 may look unremarkable. After all, it looks like the small wall charger that came with your iPhone, and it is almost the same size, yet it delivers a full 30 watts of USB-C power and is 35-40% smaller than the equivalent MacBook charger.

Ravpower 45W PD Charger


Ravpower has taken the same technology further by designing a slim (14 mm) 45 watt USB-C charger.

How is this possible?

The go-to foundation for most electronic components is silicon. Silicon is in everything from computer processors to chargers, but improving charging speed and efficiency calls for something better.

This is where gallium nitride (GaN) is making an entrance.

  • GaN is claimed to be able to conduct and switch electricity far faster than traditional silicon (figures as high as 1000x are cited).

  • GaN also runs cooler than silicon, so less electricity is lost as heat and more goes into charging your device. Proponents estimate that switching all electronic devices to GaN could cut worldwide power consumption by 15-20%.

  • Because GaN chargers are smaller, they need less material and less packaging and are therefore cheaper to ship.

Why Anker and Ravpower?

What makes the Anker and Ravpower chargers remarkable is that they are the first from major brands to use GaN. These are first-generation products, so we can expect much more powerful GaN chargers in the future at a much lower price. For now Anker and Ravpower charge a premium for these smaller, lighter devices; as the technology becomes more widely available, expect prices to drop dramatically.

Other uses

2019 should be the year GaN chargers become commonplace. An iPhone optimized for it, paired with a GaN charger, could charge up to 6x faster than today in a package of the same size.

Like many of you, I travel a lot, and a backup battery is critical. Charging a traditional 9000 mAh battery can take 3-5 hours. I recently started testing the Apollo Pro from Elecjet, a graphene-infused battery that can fully charge in 20 minutes from a 60 W USB-C charger. Being able to charge your backup battery while you enjoy a coffee is incredibly freeing. Now imagine what happens when smartphone manufacturers adopt fast-charging graphene batteries paired with GaN chargers: it will be an unbeatable combination.

We likely won’t see major brands adopt these two technologies in their 2019 models, but I am willing to bet you will see a bunch in 2020, probably starting with the Samsung Galaxy S11.

GandCrab Ransomware as a Service (RaaS)

General | Edward Kiledjian

What is GandCrab?

GandCrab (often misspelled “GrandCrab”) is a highly successful ransomware family that encrypts files on the infected machine and demands payment for the key needed to decrypt them.

Easy Money

What if you are a horrible human being willing to profit from the suffering of others, but you are lazy? You want to hurt other people but don’t want to spend the time setting up your own command and control (C2) server, or customizing the malware to talk to it?

This is where Ransomware as a Service comes in.

Enter GandCrab as a Service, advertised on the Tor hidden service http://gandcr4cponzb2it.onion/

The offering

The GandCrab RaaS has two tiers, and the operators’ advertisement lists the following features for each (reproduced here with the English tidied up):

  • Standard at $230

  • Premium at $600

Standard Service

  • Change and customize your ransomware

  • Name of the project

  • Change the ransom demand

  • A description to guide the victim, in .HTML or .PHP format

  • Change the logo, or remove the GandCrab logo

  • Choose the file extension, for example photo.png.gdb

  • Priority support

  • Automatically updated from the Ransom Builder category

  • Victims can pay you in Bitcoin or Dash

  • Withdrawal in Bitcoin or Dash

  • We take a 10% fee on each ransom

  • Add 3 different users for free

  • Create 3 ransomware builds

  • Victims can contact you directly by chat; you can also ban them

  • News delivered through the dashboard

  • Geolocation of infected victims

  • Show the victim’s IP

  • Manage the decryption keys

  • Manage all victims from the dashboard, with several options

  • Unlimited infections

  • Blockchain explorer view

  • Spreads automatically without any effort on your part, or spread it manually

  • Full access to our forum with Platinum rank (forum under construction, available soon)

  • Victim URL automatically generated as a .onion address; customize your own URL

  • View the antivirus report in real time

  • Lifetime license!

  • White theme only

Premium Service

  • The same features, and even more fun

  • You receive 100% of the ransom paid by victims, no commission fees

  • Ransomware automatically updated by our support

  • Victims can contact you directly by chat; you can also ban them

  • Spreads automatically without any effort on your part, or spread it manually

  • Victims can pay you in Bitcoin, Dash or Monero!

  • Withdrawal in Bitcoin, Dash or Monero

  • Automatically increases the ransom if the victim does not pay

  • Choose your own deletion deadline

  • Create up to 10 different ransomware builds

  • Add 8 different users for free

  • Build the ransomware as a .pdf

  • Bulletproof hosting and VPN server

  • Priority support by ticket from the dashboard

  • Change all logos: an icon in .ICO format, remove the GandCrab logo, add an animated logo in .GIF

  • Manage all victims from the dashboard

  • A fully functional 2019 tutorial, in .pdf and .mp4 format

  • Deploy to multiple computers in seconds from the same Wi-Fi network

  • Undetectable by antivirus, updated regularly

  • Victim URL automatically generated as a .onion address; customize your own URL

  • Unlimited infections

  • Manage the decryption keys

  • Change the ransomware theme

  • Blockchain explorer view

  • Geolocation of infected victims

  • Also shows the victim’s operating system

  • Show the victim’s IP

  • Full access to our forum with Gold rank (forum under construction, available soon)

  • Access to the ransomware source code; contact us from the dashboard with your login, premium members only

  • View the antivirus report in real time

  • FUD (fully undetectable) crypter

  • Lifetime license!

  • Dashboard theme in white or black
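The menu above is written for the attacker; the defender’s view is what such a build leaves on an endpoint. The affiliate-chosen extension (the advertisement’s own illustration is photo.png.gdb) means every encrypted file is renamed with a new suffix appended, many files within seconds. As an added example that is not from the original post and not GandCrab’s code, here is a Node.js heuristic for that trace: it parses file-rename events, keeps only renames that append an extension, and raises an alert when more than a threshold of them share the same extension inside a short window. The log format, the events, the thresholds and the use of “.gdb” are all constructed for the example.

```javascript
// Added example, not part of the original post and not GandCrab code:
// detect a burst of file renames that append a new extension, the trace
// left by ransomware with an affiliate-chosen extension such as ".gdb".
// Log format and events are constructed for this example.

const SAMPLE_EVENTS = [
  "2019-03-05T10:14:00Z RENAME C:\\Users\\bob\\Documents\\report.docx -> C:\\Users\\bob\\Documents\\report.docx.gdb",
  "2019-03-05T10:14:01Z RENAME C:\\Users\\bob\\Documents\\photo.png -> C:\\Users\\bob\\Documents\\photo.png.gdb",
  "2019-03-05T10:14:01Z RENAME C:\\Users\\bob\\Downloads\\setup.tmp -> C:\\Users\\bob\\Downloads\\setup.exe",
  "2019-03-05T10:14:02Z RENAME C:\\Users\\bob\\Documents\\budget 2019.xlsx -> C:\\Users\\bob\\Documents\\budget 2019.xlsx.gdb",
  "2019-03-05T10:14:02Z RENAME C:\\Users\\bob\\Pictures\\cat.jpg -> C:\\Users\\bob\\Pictures\\cat.jpg.gdb",
  "2019-03-05T10:14:03Z RENAME C:\\Users\\bob\\Desktop\\notes.txt -> C:\\Users\\bob\\Desktop\\notes.txt.bak",
  "2019-03-05T10:14:04Z RENAME C:\\Users\\bob\\Desktop\\todo.txt -> C:\\Users\\bob\\Desktop\\todo.txt.gdb",
  "garbage line the parser must skip",
  "2019-03-05T10:14:06Z RENAME C:\\Users\\bob\\Music\\song.mp3 -> C:\\Users\\bob\\Music\\song.mp3.gdb",
];

// "<ISO timestamp> RENAME <old path> -> <new path>" (constructed format).
const LINE = /^(\S+) RENAME (.+?) -> (.+)$/;

function parseEvent(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  const time = Date.parse(m[1]);
  return Number.isNaN(time) ? null : { time, from: m[2], to: m[3] };
}

// If `to` is `from` plus one appended extension, return that extension
// (lower-cased); otherwise null. Ordinary renames such as setup.tmp ->
// setup.exe do not qualify.
function appendedExtension(from, to) {
  if (!to.startsWith(from + ".")) return null;
  const ext = to.slice(from.length + 1);
  return /^[A-Za-z0-9]{1,10}$/.test(ext) ? ext.toLowerCase() : null;
}

// Group qualifying renames by appended extension and alert when at least
// `threshold` of them fall inside any `windowMs` span.
function detectRenameBursts(lines, { threshold = 5, windowMs = 60_000 } = {}) {
  const events = lines.map(parseEvent).filter(Boolean).sort((a, b) => a.time - b.time);
  const byExt = new Map();
  for (const ev of events) {
    const ext = appendedExtension(ev.from, ev.to);
    if (!ext) continue;
    if (!byExt.has(ext)) byExt.set(ext, []);
    byExt.get(ext).push(ev);
  }
  const alerts = [];
  for (const [extension, evs] of byExt) {
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].time - evs[start].time > windowMs) start++; // slide window
      if (end - start + 1 >= threshold) {
        alerts.push({
          extension,
          count: evs.length,                         // total renames to this extension
          firstSeen: new Date(evs[0].time).toISOString(),
          example: evs[0].to,
        });
        break;
      }
    }
  }
  return alerts;
}

for (const alert of detectRenameBursts(SAMPLE_EVENTS)) {
  console.log(`ALERT: ${alert.count} files renamed to .${alert.extension} ` +
              `starting ${alert.firstSeen}, e.g. ${alert.example}`);
}
```

On the constructed events the six “.gdb” renames inside six seconds trip the alert, while the single “.bak” rename and the ordinary setup.tmp to setup.exe rename do not. In production the same logic runs over EDR or Sysmon file-rename telemetry; the threshold should be set from a baseline of normal rename rates, and note that a family that uses random extensions per file would need grouping by another feature (for example, the originating process) rather than by extension.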

Conclusion

The conclusion is that security is hard, and criminals have learned the benefits of offering “things as a service” and of cloud-style economics to reduce their costs. Attacking is becoming cheaper while protecting our organizations is becoming more costly.

Exciting new multi-monitor feature coming to Chromebooks

General | Edward Kiledjian

Every professional understands the power of a dual-screen setup. The additional screen real estate enables a more fluid and productive way of working.

I use a ton of platforms (from mainframes and minis to Mac, Windows and Linux), and I find that ChromeOS handles multi-screen setups with ease and grace. Every time I have connected an external display to a "good" Chromebook (something that costs $500 or more), it has worked flawlessly and immediately, without any fiddling or fine-tuning.

I have successfully connected two external monitors to my Pixelbook at work using a Lenovo USB hub, but that isn't something most people have access to, so the three-monitor option normally goes unused.

We know the sultan of search, El Goog, is working on an elegant solution to this two-external-monitor problem using a technology called display daisy chaining. This is well known in the industry but not currently supported on ChromeOS. The idea is to connect one USB-C monitor to your Chromebook and then connect the second USB-C monitor to the first one (as long as the monitor supports it).

This means you will (eventually) be able to connect one cable to your device and everything just works. Technically, daisy chaining can go beyond two external monitors to a larger number (as long as your device's hardware can push the required number of pixels).

This is a request that regularly appears in the Chromium forums.


How do we know it is coming? Because there is a commit adding Multi-Stream Transport support, referencing something called Hatch.

The commit enables a chip to support the multi-stream flow, and there is a good chance this won't be enabled on existing, older Chromebooks. In general, Multi-Stream Transport requires DisplayPort 1.2, which a handful of Chromebooks already have, so there is hope for existing customers. We will just have to wait and see.

Many of you know I love my Pixelbook and may be wondering: “Does the Pixelbook support DisplayPort?”

The answer is yes. The Pixelbook's USB-C ports are USB 3.1 Gen 1 and support Power Delivery (PD) and DisplayPort (DP) alternate mode, with HDMI output available through adapters.

We don’t yet know which version of ChromeOS this will be enabled in. That’s all for this article, dear readers. Stay tuned for more cool tech news as I find it.

Google to protect users from IDN Homograph Attacks

General | Edward Kiledjian

What geeks call an Internationalized Domain Name (IDN) homograph attack is a close cousin of what the general public calls typo-squatting. In both cases threat actors register domain names that look like popular ones, hoping to trick users. Typo-squatting uses plain ASCII lookalikes, for example:

  • gma1l.com instead of gmail.com

  • paypa1.com instead of paypal.com

A true IDN homograph attack goes further: it substitutes characters from another script that render identically to Latin letters (a Cyrillic “а” in place of a Latin “a”, say), so the address bar shows what looks exactly like the real domain while the browser actually resolves a Punycode name beginning with xn--.


To help protect users from these tricksters, Google is launching “Navigation suggestions for lookalike URLs” in Chrome. Think of it as auto-correct for URLs: when you land on a domain that closely resembles a popular site, Chrome compares it against a list of well-known domains and suggests the one it thinks you meant. This feature is in active experimentation in Canary 70 and should enter the mainstream version in the coming months. A Google engineer even spoke about it at the USENIX Enigma conference.

If you are one of the courageous experimenters running Canary, you can enable this feature now using this flag:

chrome://flags/#enable-lookalike-url-navigation-suggestions