Chrome 97 lets you erase all data and information a website stored on your visit

I don’t use Chrome, but I know a lot of Mac users do use Chrome or a Chromium-based browser. Chrome 97, released yesterday, comes with a significant Security & Privacy improvement that I want to bring to your attention.

Joe Fedewa, writing at How-To Geek

Chrome 97 makes some changes to the Privacy and Security settings. You can now delete all the data stored by a website. Previously, you could only delete individual cookies. This new setting can be found at Settings > Security and Privacy > Site Settings > View Permissions and Data Stored Across Sites.

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

Most major US banks offer Zelle, so I read this article to understand how the scam works. After reading it, I realized this scam would be very easy to fall for if you’re not aware of it. Please take a few minutes to read this article.

Brian Krebs, writing at Krebs on Security

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family. Naturally, a great deal of phishing schemes that precede these bank account takeovers begin with a spoofed text message from the target’s bank warning about a suspicious Zelle transfer. What follows is a deep dive into how this increasingly clever Zelle fraud scam typically works, and what victims can do about it.

Goodbye 1Password

I stopped using 1Password in July 2019 when it stopped working with Safari 13 in macOS Catalina. At that time, I tried Enpass but eventually settled on Bitwarden which I’ve been happily using since. I went Premium about a year ago.

Even though I switched to Bitwarden, I didn’t delete 1Password from my devices, thinking that if Bitwarden didn’t work out I might want to switch back. I never found a reason to switch back, and I’m glad I didn’t, because with 1Password 8 standalone vaults will no longer be supported.

Since standalone vaults are no longer supported with 1Password 8, I didn’t see any reason to keep it installed on my Mac, iPhone, and iPad. If you’re searching for an alternative, I can highly recommend Bitwarden.

PSA: What Is Amazon Sidewalk and Why Should I Disable It Before June 8?

Brendan Hesse writing for Lifehacker:

On June 8, Amazon will launch a new feature called Sidewalk that creates small, public internet networks powered by Echo smart speakers and Ring home security products in your neighborhood. Yes, including yours—unless you disable the setting, which is turned on by default. That means if you don’t want your devices included in this particular tech experiment, you only have a week left to opt out.

New from Bitwarden: Send

Secure one-to-one information sharing

Bitwarden has been my password manager since 1Password went subscription a few years ago. Don’t get me wrong, I love 1Password, but by comparison it’s pricey. Bitwarden is free to use, with Premium features for $10 a year. The free version will do everything most people need from a password manager.

This week Bitwarden introduced a cool new feature: Send, for secure one-to-one information sharing. “Bitwarden Send is a lightweight utility used to share information with another person for a limited period of time. Bitwarden users can easily transmit a file or text, and rest easy knowing the sent information is protected with end-to-end encryption, and will not live forever. Users choose an expiration date for the Send link, after which it no longer works to access the information.”

“This new feature is available on all Bitwarden clients: Web Vault, mobile, browser extensions, and CLI, meaning users will always have a secure way to share sensitive information temporarily.”

About Send | Bitwarden Help & Support

Create a Send | Bitwarden Help & Support

This isn’t something that I will use all that often but it sure is good to know that Send is there for that rare occasion that I need it.

Did the Bitwarden Safari web extension disappear on your Mac?

Bitwarden Safari extension no longer works with the Bitwarden direct download application

Today I needed to log in to a website, so I opened Safari and went to open the Bitwarden extension and, to my surprise, it wasn’t there. WTF!

Here is what’s up: “Due to changes by Apple, Safari limits Web Extension use to only those obtained through Mac App Store downloads. As of the 2021-03-11 Release, users will not be able to use a Bitwarden Safari Extension obtained through a .dmg installation from bitwarden.com/download or any other non-App Store source.” Safari Web Extension | Bitwarden Help & Support

According to the Bitwarden Support Release Notes, the Safari App Extension has officially been ported to a Web Extension for use with Safari 14. Due to changes to Safari, Web Extension use is now limited to only those obtained through a Mac App Store download. Release Notes | Bitwarden Help & Support

I uninstalled the download version of Bitwarden and installed the Mac App Store version, and all is good. A little advance notice on this issue would have been nice.

LastPass Free is changing and users aren’t going to be happy

Here’s what you need to know

LastPass is making some changes to LastPass Free that will most likely piss off users who rely on LastPass as their primary password manager. The big difference is that LastPass Free users will have to choose between mobile or desktop for their unlimited device access, rather than getting the service on both.

Here’s What’s Changing

We’re making changes to how Free users access LastPass across device types. LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type.

Also

In addition to this change, as of May 17th, 2021, email support will only be available for Premium and Families customers. LastPass Free users will always have access to our Support Center which has a robust library of self-help resources available 24/7 plus access to our LastPass Community, which is actively monitored by LastPass specialists. 

After March 16th, if you want to use LastPass on desktop and mobile you’ll need a Premium account. With this change, you may want to look into a different password manager. Bitwarden offers a Free account that you might want to consider.

Here are the instructions on how to export your vault from LastPass and import it to Bitwarden.

iMessage BlastDoor security

Over the past three years, security researchers and real-world attackers have found iMessage remote code execution (RCE) bugs and abused them to develop exploits that allowed them to take control of an iPhone just by sending a simple text, photo, or video to someone’s device.

As reported January 28, 2021 by ZDNet “With the release of iOS 14 last fall, Apple has added a new security system to iPhones and iPads to protect users against attacks carried out via the iMessage instant messaging client.”

“Named BlastDoor, this new iOS security feature was discovered by Samuel Groß, a security researcher with Project Zero, a Google security team tasked with finding vulnerabilities in commonly-used software.”

“Groß said the new BlastDoor service is a basic sandbox, a type of security service that executes code separately from the rest of the operating system.”

“While iOS ships with multiple sandbox mechanisms, BlastDoor is a new addition that operates only at the level of the iMessage app.”

“Its role is to take incoming messages and unpack and process their content inside a secure and isolated environment, where any malicious code hidden inside a message can’t interact with or harm the underlying operating system or retrieve user data.”
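The passage above describes the pattern rather than the mechanism. As an added example that is not Apple’s or ZDNet’s code, the script below shows that pattern in miniature on Linux: a toy message format (constructed here, with record and function names that are mine) is parsed in a forked child process under memory and CPU limits, so a crafted record that would force a multi-gigabyte allocation kills only the parser process and the message is rejected, instead of taking the main process down with it. A real sandbox like BlastDoor adds syscall filtering and IPC/file restrictions that this example does not attempt.

```python
"""Parse untrusted message content in a separate, resource-limited process.

Added example illustrating the isolation pattern described above. It is not
BlastDoor's code (Apple's service is a closed-source XPC sandbox) and the
wire format below is constructed for the example. A real sandbox also filters
syscalls and restricts file/IPC access; this shows only crash and resource
containment, which is enough to turn a memory bomb into a rejected message."""
import os
import resource
import select
import signal
import struct
import time

MAX_MEMORY = 1 << 30          # address-space cap for the parser child (1 GiB)
MAX_CPU_SECONDS = 2           # CPU cap: a looping parser gets SIGXCPU
WALL_TIMEOUT = 5.0            # parent-side deadline for the whole parse


def raw_record(data):
    """0x01 <len:4 BE> <bytes>: a raw text record (constructed format)."""
    return b"\x01" + struct.pack(">I", len(data)) + data


def rle_record(count, byte):
    """0x02 <count:4 BE> <byte>: run-length encoded filler (constructed format)."""
    return b"\x02" + struct.pack(">I", count) + byte


# Constructed inputs: a normal message, and one whose RLE record claims ~4 GiB.
BENIGN_MESSAGE = raw_record(b"hello") + rle_record(3, b"x")
BOMB_MESSAGE = rle_record(0xFFFFFFFF, b"A")


def naive_parse(blob):
    """Decode the toy format. The RLE branch trusts the declared count, so a
    4 GiB expansion is attempted exactly as a decompression bomb would be."""
    fields, off = [], 0
    while off < len(blob):
        kind = blob[off]
        if kind == 1:
            (length,) = struct.unpack_from(">I", blob, off + 1)
            value = blob[off + 5:off + 5 + length]
            if len(value) != length:
                raise ValueError("truncated raw record")
            fields.append(value)
            off += 5 + length
        elif kind == 2:
            (count,) = struct.unpack_from(">I", blob, off + 1)
            fields.append(blob[off + 5:off + 6] * count)   # the bomb goes off here
            off += 6
        else:
            raise ValueError(f"unknown record type {kind}")
    return b"".join(fields)


def _limit_child():
    """Cap memory and CPU for the parser process. Lowering a hard limit is
    allowed for unprivileged processes; never try to raise it."""
    for res, cap in ((resource.RLIMIT_AS, MAX_MEMORY),
                     (resource.RLIMIT_CPU, MAX_CPU_SECONDS)):
        _, hard = resource.getrlimit(res)
        if hard != resource.RLIM_INFINITY:
            cap = min(cap, hard)
        resource.setrlimit(res, (cap, cap))


def parse_isolated(blob, parser=naive_parse):
    """Run parser(blob) in a forked, resource-limited child and collect its
    output over a pipe. Returns (True, decoded_bytes) or (False, reason).
    The parent process never runs the parser on the untrusted bytes itself."""
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # child: the isolated parser
        os.close(rd)
        try:
            _limit_child()
            data = parser(blob)
            while data:                            # pipe writes may be partial
                data = data[os.write(wr, data):]
            os._exit(0)
        except BaseException:                      # MemoryError, ValueError, ...
            os._exit(1)
    os.close(wr)
    chunks, deadline = [], time.monotonic() + WALL_TIMEOUT
    try:
        while True:
            remaining = max(0.0, deadline - time.monotonic())
            ready, _, _ = select.select([rd], [], [], remaining)
            if not ready:                          # child hung: kill and reject
                os.kill(pid, signal.SIGKILL)
                os.waitpid(pid, 0)
                return False, "timeout"
            chunk = os.read(rd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
    finally:
        os.close(rd)
    _, status = os.waitpid(pid, 0)
    code = os.waitstatus_to_exitcode(status)       # negative => killed by a signal
    if code != 0:
        return False, f"parser process died (code {code})"
    return True, b"".join(chunks)


if __name__ == "__main__":
    print(parse_isolated(BENIGN_MESSAGE))          # (True, b'helloxxx')
    print(parse_isolated(BOMB_MESSAGE))            # (False, 'parser process died (code 1)')
```

Running `naive_parse(BOMB_MESSAGE)` directly in the main process would attempt the 4 GiB allocation there; through `parse_isolated` the child hits `RLIMIT_AS`, dies with `MemoryError`, and the caller just sees a rejected message. One caveat for Mac readers: macOS does not enforce `RLIMIT_AS`, so on that platform only the CPU limit and the wall-clock timeout back this example up.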

Firefox 85 adds supercookie protection. What about Safari?

In technology news today Mozilla announced that it has added built-in protection from supercookies to Firefox 85. “Firefox now protects you from supercookies, a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies,” Mozilla explains in a blog post. “By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next.”

With Safari being my main browser and Firefox being secondary, I wondered whether Safari might have the same protection from supercookie tracking. To my surprise, it does, and has since 2018.

“Quietly and without fanfare Apple has rolled out a change to its Safari browser that munches one of the web’s most advanced ‘super cookies’ into crumbs.”

Apple burns the HSTS super cookie

WebKit blog: Protecting Against HSTS Abuse

Mac security explained

Great show today on Mac Power Users podcast. David and Stephen go into detail explaining Mac security. I walked away from the show with a better understanding of Mac security and a better feeling about the security built into my Mac. I recommend listening to this episode if you would like a better understanding of Mac security.

Episode #570 Mac Power Users – Security Explained

From the beginning, Mac OS X was designed with security and privacy in mind, but over the years Apple has worked to make both the Mac’s software and hardware even more so. This week, Stephen and David cover what’s what when it comes to Mac security.

Adobe Ends Flash Player Support, Recommends Uninstalling Immediately

Adobe Flash Player has long been a favourite target for exploits and a lure for fake-installer malware on Mac and PC. Now is the time to remove it if you still have it installed. The article below also explains how to remove it.

Adobe Flash Player End of Life

Since Adobe will no longer be supporting Flash Player after December 31, 2020 and Adobe will block Flash content from running in Flash Player beginning January 12, 2021, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems.

Bitwarden for Mac browser extension exposing passwords in clipboard managers

While using Alfred’s clipboard manager the other day I noticed passwords in the clipboard history. My first thought was: how is this happening? I immediately went into Alfred’s Advanced Clipboard History settings to make sure that I had added Bitwarden to the Ignore list, and yes, I had. So I figured this had to be some sort of issue with Bitwarden.

After doing some testing I discovered that the issue is with the Bitwarden browser extension. When I copied a password in the extension, the password was collected by Alfred’s clipboard manager even though I had it set to be ignored. This happened with both the Safari and Firefox extensions. I then copied a password in the Bitwarden app and, to my surprise, it was ignored. So this only happens with the browser extension.

I contacted both Alfred and Bitwarden regarding the issue. Here’s what they had to say:

Alfred Support:

Could you also take a look at Features > Clipboard History and ensure that the boxes for “Ignore Clipboard data marked as Concealed” and …”as Auto Generated” are checked, which they should be by default?

This ensures that if a password app (or any other app) correctly marks the copied data as concealed, which indicates its potentially sensitive information like a password, this is ignored by Alfred. However, if Bitwarden doesn’t mark the passwords as such, it’s impossible for an app like Alfred to guess what you’ve copied.

First, check whether Bitwarden offers you a setting to identify the data as Concealed, and if not, you may want to contact them to request this.

Cheers,

Vero

Bitwarden Support:

Thank you for supporting Bitwarden! I’d be happy to help.

This has been requested. Unfortunately, due to upstream limitations by our desktop application framework, the ability to mark data as “concealed” is not available at this time.

We have an open issue regarding this here: https://github.com/bitwarden/desktop/issues/90

Please let us know if there is anything else we can help with!

Regards,

Luc

While doing my research on this issue I noticed that others using different clipboard manager apps were having the same issue. So if you’re using a clipboard manager and Bitwarden, you might want to check your clipboard manager history for passwords.

My workaround in Alfred is to remember to clear the clipboard history after I copy a password from the extension. Better yet, if I need to copy a password, I’ll do it from the app instead of the extension.

Results of one of the largest password re-use studies ever

Last month Ata Hakçıl, a Turkish computer engineering student at the University of Cyprus, published one of the largest password re-use studies ever. He analyzed more than 1 billion leaked credentials from data breaches at various companies. These data dumps have been circulating for several years and keep piling up as new companies are hacked.

Out of the 1 billion credentials, 168,919,919 were unique passwords. The most common password, 123456, was spotted about 7 million times per billion credentials. The average password length was 9.5 characters, and 87.96% of passwords didn’t contain special characters. 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Cool Stats

  • From 1,000,000,000+ lines of dumps, 257,669,588 were filtered as either corrupt data (gibberish in improper format) or test accounts.
  • 1 billion credentials boil down to 168,919,919 passwords and 393,386,953 usernames.
  • Most common password is 123456. It covers roughly 0.722% of all the passwords (around 7 million times per billion).
  • Most common 1,000 passwords cover 6.607% of all the passwords.
  • With the most common 1 million passwords, hit-rate is at 36.28%, and with the most common 10 million passwords hit-rate is at 54.00%.
  • Average password length is 9.4822 characters.
  • 12.04% of passwords contain special characters.
  • 28.79% of passwords are letters only.
  • 26.16% of passwords are lowercase only.
  • 13.37% of passwords are numbers only.
  • 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Here’s my takeaway from this:

  1. Massive numbers of people need to start using a password manager. This would allow for longer and more complex passwords and eliminate the need to re-use them.
  2. Only 12.04% of passwords contain special characters and only 4.52% of passwords start with a digit. So a password that starts with a digit and includes special characters sits outside the patterns that most cracking wordlists and rules target.

If you’re not using a password manager, then get started now. I’m using Bitwarden. Bitwarden is open source, simple to use and, best of all, it’s FREE.

If you would like to see if any of your passwords have been breached, you can check them at Have I Been Pwned.

How Rob lost control of his bank accounts to a phone scammer

I’ve been following Rob’s blog for several years. I enjoy reading what he writes about. He is also the developer of a couple of Mac apps that I use.

I felt bad for Rob after reading his blog post about how he had recently lost control of his bank accounts to a phone scammer. His story is well worth reading. It may save you from falling for the same or similar phone scams.

How I lost control of our bank accounts to a phone scammer | The Robservatory

Holiday Sale: Save 50% on all Enpass password manager plans

This is directed at those of you who are in the market for a password manager. I’ve been using Enpass for several months and am very happy with it.

I’ll mention that Enpass moved to a subscription a few weeks ago, but they also have a lifetime license, and with the sale you can get a lifetime license for just $24.99.

A special deal for the Holidays: 50% off on all Enpass plans

Enpass will be on sale with a discount of 50% on all app stores – while you can get a lifetime license for only $24.99, you can also get an Enpass Premium subscription starting for as low as $0.49 per month. And, of course, the full-featured desktop versions of Enpass – macOS, Windows, Linux – are completely free.

Note that this is a limited time offer, starting from December 24, 2019 and valid till January 2, 2020. So, don’t wait and unlock the full version of Enpass at this special discounted price. Spread the word to help your friends and family members get started with safe and secure password management.

My choice for a Safari 13 content blocker on Mac

With Safari 13, my favorite Mac ad and tracker blocker, uBlock Origin, along with a few other extensions, no longer works. Because of this, I have switched to Firefox as my main browser. That said, there will still be times when I will want to use Safari and will want an ad and tracker blocker.

I tried Ghostery Lite, but I had two issues with it. It doesn’t block YouTube ads, and I didn’t like the way it handles the space left behind by blocked ads.

For now, I’ve settled on Wipr. Wipr blocks ads, trackers, cryptocurrency miners, EU cookie and GDPR notices, and other annoyances. I also switched to Wipr for Safari on my iPhone and iPad in place of BlockBear. BlockBear was working fine, but for consistency I switched to Wipr.

Day One encryption

I have been using Day One for going on three years now. One concern I’ve had is that journals are encrypted by default, but with Day One holding the encryption key (what Day One calls Standard encryption). This means that someone at Day One could in principle access my journals, and journals with Standard encryption are also exposed if Day One suffers a data breach or security glitch. This has caused me to limit what I write in them.

Now, after reading Shawn Blanc’s “Best Journaling App for iPhone, iPad, and Mac” on The Sweet Setup, I’ve taken his advice and enabled end-to-end encryption for all my journals.

Shawn Blanc:

End-to-end encryption is not turned on by default for providing the best type of security for your journal entries, as users must maintain their encryption key at all times to unlock journals if necessary. As Day One’s FAQ puts it:

When using end-to-end encryption, it is essential you save your encryption key in a secure location. If you lose your key, you will not be able to decrypt the journal data stored in the Day One Cloud. You’ll need to restore your data from an unencrypted locally-stored backup.

We recommend turning on end-to-end encryption whenever you create a new journal to ensure your data is always kept safe and secure. Save your encryption key in an app like 1Password or a locked note inside Notes.app and never lose the key.

Now no one has access to my journals without the encryption key. I keep it in 1Password.