SECURITY WARNINGS & Notices - Please post them here

[polonus]

Most internet anonymity software leaks users’ details -
VPN Services are secure is a myth!
Read: http://www.qmul.ac.uk/media/news/items/se/158459.html
Research paper: http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

See survey attached.

polonus

[bob3160]

Most internet anonymity software leaks users’ details -
VPN Services are secure is a myth!
Read: http://www.qmul.ac.uk/media/news/items/se/158459.html
Research paper: http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

See survey attached.

polonus

It's nice to see that Avast's SecureLine isn't on that list.

[merckxist]

Most internet anonymity software leaks users’ details -
VPN Services are secure is a myth!
Read: http://www.qmul.ac.uk/media/news/items/se/158459.html
Research paper: http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

See survey attached.

polonus

It's nice to see that Avast's SecureLine isn't on that list.

I believe the absence of Avast SecureLine means that it wasn't part of the test as indicated by the subtitle of the attachment. It would have been "nicer" to see that it WAS on the list with a green "N" in each column. Since it apparently wasn't tested there's no way to know whether its absence is a good or bad thing.

[polonus]

You can test yourself here: https://ipleak.net/
dnsleaktest seems down - https://downornotworking.com/dnsleaktest.com/

polonus

Also read here: https://forum.avast.com/index.php?topic=123059.0
And a review here: http://www.expertreviews.co.uk/software/internet-security/1400543/avast-secureline-vpn-review
Mixed feelings expressed here: http://www.reddit.com/r/VPN/comments/1zgj84/avast_secureline_vpn/
Further measures to be taken by users (interesting): http://lifehacker.com/5902397/how-to-make-vpns-even-more-secure

pol

[polonus]

The NoScript extension in firefox can be circumvented via Google cloud and whitelisted by default googleapis dot com.
Read: http://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/
link article author = Matthew Bryant
Code to bypass noscript: https://twitter.com/avlidienbrunn/status/615659880788193280 (Mathias Karlsson).
The original idea: http://labs.detectify.com/post/122837757551/using-google-cloud-to-bypass-noscript
by Linus Särud, junior security researcher.

polonus

[Gopher John]

The NoScript extension in firefox can be circumvented via Google cloud and whitelisted by default googleapis dot com.
Read: http://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/
link article author = Matthew Bryant
Code to bypass noscript: https://twitter.com/avlidienbrunn/status/615659880788193280 (Mathias Karlsson).
The original idea: http://labs.detectify.com/post/122837757551/using-google-cloud-to-bypass-noscript
by Linus Särud, junior security researcher.

polonus

I wiped NoScript's default whitelist long ago.  This is actually old news, since any whitelisted site (even by the user) can execute scripts and other content on the page.

Edit: Took my reply out of the quote.  Sorry

[DavidR]

The NoScript extension in firefox can be circumvented via Google cloud and whitelisted by default googleapis dot com.
Read: http://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/
link article author = Matthew Bryant
Code to bypass noscript: https://twitter.com/avlidienbrunn/status/615659880788193280 (Mathias Karlsson).
The original idea: http://labs.detectify.com/post/122837757551/using-google-cloud-to-bypass-noscript
by Linus Särud, junior security researcher.

polonus

Generally I allow googleapis.com in noscript - But another blocking function could be to use RequestPolicy to specifically block *.googleapis if required.

[Para-Noid]

Fake Twitter Verification Profile leads to Phishing, Credit Card Theft

https://blog.malwarebytes.org/fraud-scam/2015/06/fake-twitter-verification-profile-leads-to-phishing-credit-card-theft/?utm_source=Gplus&utm_medium=social

Driver Updaters: Digital Snake Oil, Part 2

https://blog.malwarebytes.org/social-engineering/2015/06/driver-updaters-digital-snake-oil-part-2/?utm_source=Gplus&utm_medium=social

WhatsApp Elegant Gold Hits the Digital Catwalk

https://blog.malwarebytes.org/fraud-scam/2015/07/whatsapp-elegant-gold-hits-the-digital-catwalk/?utm_source=Gplus&utm_medium=social

[polonus]

Not only snakeoil but snakeoil that normally comes free as free driver downloads on the Interwebs while these services come to charge you for similar driver downloads, an outright scam. Scammers always on the look-out to rip off an extra buck from the backs of the unaware and the meek. We won't be fooled again! (same goes for registry vacuum cleaners also added to PUP detection by MBAM, (good action, folks, good action).

pol

[bob3160]

Driver Updaters: Digital Snake Oil, Part 2

https://blog.malwarebytes.org/social-engineering/2015/06/driver-updaters-digital-snake-oil-part-2/?utm_source=Gplus&utm_medium=social

Everything would seem to indicate that updating drivers should be a good thing, and there are several reputable driver updater programs in existence.[/font][/size]

The secret is in eliminating the crap and picking out a good one.

[polonus]

Hi bob3160,

The bad thing is the user has to fend for himself more and more now.
You are no longer protected, you are out on your own.
You have to block, you have to take the crap from downloads.
You have become both product and often also become a victim of cheap tricks.
How can you trust anything online as an unaware user finding yourself in such a situation,
Users are had big time when not from the one side then from the other.
It is a dangerous digital world out there and one is out on one's own.

Conclusion.

Good we have the Avast support forums to provide users with a bit of honest guidelines,
Here we still say - a man a man - a word a word - rare to be found nowadays a place to trust,
let cherish that, bob3160, let us cherish that. It is so rare these days.

polonus

P.S. Updating drivers is not always and under all circumstances a good thing or needed, it might sometimes add to your problems, forewarned is forearmed/.

D

[bob3160]

Hi bob3160,

The bad thing is the user has to fend for himself more and more now.
You are no longer protected, you are out on your own.
You have to block, you have to take the crap from downloads.
You have become both product and often also become a victim of cheap tricks.
How can you trust anything online as an unaware user finding yourself in such a situation,
Users are had big time when not from the one side then from the other.
It is a dangerous digital world out there and one is out on one's own.

Conclusion.

Good we have the Avast support forums to provide users with a bit of honest guidelines,
Here we still say - a man a man - a word a word - rare to be found nowadays a place to trust,
let cherish that, bob3160, let us cherish that. It is so rare these days.

polonus

P.S. Updating drivers is not always and under all circumstances a good thing or needed, it might sometimes add to your problems, forewarned is forearmed/.

D

I've never had an outdated driver replaced with a newer signed driver that presented a problem.
Legitimate programs also don't request that you pay to update. You'll find a recommendation  at:
https://forum.avast.com/index.php?topic=19387.msg1205358#msg1205358
(I don't allow it to run at system start. I start it manually when I want to check for updates; both program and driver updates.)

[Asyn]

The NoScript extension in firefox can be circumvented via Google cloud and whitelisted by default googleapis dot com.
Read: http://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/
link article author = Matthew Bryant
Code to bypass noscript: https://twitter.com/avlidienbrunn/status/615659880788193280 (Mathias Karlsson).
The original idea: http://labs.detectify.com/post/122837757551/using-google-cloud-to-bypass-noscript
by Linus Särud, junior security researcher.

polonus

Fixed in V2.6.9.29 -> https://noscript.net/changelog

[polonus]

Is your Google Chrome browser hooked into BeEF? Protect with Vegan, read: http://blog.cylance.com/vegan-chrome-extension-to-defeat-beef

polonus

[polonus]

You want to share Wifi access with all of your Outlook-, Skype - and Facebook contacts within reach of your local network access point?
You have second thoughts also, then read on.
Wifi Sense does just that and has been introduced for the first time as it  sneaked into Windows Phone 8.1. and no-one reacted, but now that this feature comes to Windows 10 security experts make some really deep frowns. Windows stores your password encrypted in the cloud and then shares it with all your acquantances (contacts) within the reach of your local network. This feature is on by default and the user has to disable it actively (only for that particular device) For the network an adaptation of the SSID is necessary by adding the string "_optout". Security experts call the feature "a cheap hack" and a security breach of Wifi networking as such! Certainly a risk for the not so technically adept user. Modern OS gets more and more one way invasive and one has to go into technical trouble to get at the settings that one really prefers. It is almost like "we will decide what is good for you whether you share your access, whether we will show you personalised ads that are very difficult to block etc. etc. and all these "handy features whether you like it or not are slowly creeping in so young users do not know of an alrternative situation as where we came from to land here.

polonus