The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep's CEO to admit that he has founded dozens of people-search networks over the years.
Mozilla only began bundling Onerep in Firefox last month, when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or passwords are leaked in data breaches.
On March 14, KrebsOnSecurity published a story showing that Onerep's Belarusian CEO and founder Dimitri Shelest has launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Onerep and Shelest did not respond to requests for comment on that story.
But on March 21, Shelest released a lengthy statement wherein he admitted to maintaining an ownership stake in Nuwber, a consumer data broker he founded in 2015, around the same time he launched Onerep.
Shelest maintained that Nuwber has "zero cross-over or information-sharing with Onerep," and said any other old domains that may be found and associated with his name are no longer being operated by him.
"I get it," Shelest wrote. "My affiliation with a people search business may look odd from the outside. In truth, if I hadn't taken that initial path with a deep dive into how people search sites work, Onerep wouldn't have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I'm aiming to do better in the future." The full statement is available here (PDF).
Onerep CEO and founder Dimitri Shelest.
In a statement released today, a spokesperson for Mozilla said it was moving away from Onerep as a service provider in its Monitor Plus product.
"Though customer data was never at risk, the outside financial interests and activities of Onerep's CEO do not align with our values," Mozilla wrote. "We're working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first."
KrebsOnSecurity also reported that Shelest's email address was used circa 2010 by an affiliate of Spamit, a Russian-language organization that paid people to aggressively promote websites hawking male enhancement drugs and generic pharmaceuticals. As noted in the March 14 story, this connection was confirmed by research from multiple graduate students at my alma mater George Mason University.
Shelest denied ever being associated with Spamit. "Between 2010 and 2014, we put up some web pages and optimize them – a widely used SEO practice – and then ran AdSense banners on them," Shelest said, presumably referring to the dozens of people-search domains KrebsOnSecurity found were connected to his email addresses (dmitrcox@gmail.com and dmitrcox2@gmail.com). "As we progressed and learned more, we saw that a lot of the inquiries coming in were for people."
Shelest also acknowledged that Onerep pays to run ads "on a handful of data broker sites in very specific circumstances."
"Our ad is served once someone has manually completed an opt-out form on their own," Shelest wrote. "The goal is to let them know that if they were exposed on that site, there may be others, and bring awareness to there being a more automated opt-out option, such as Onerep."
Reached via Twitter/X, HaveIBeenPwned founder Troy Hunt said he knew Mozilla was considering a partnership with Onerep, but that he was previously unaware of the Onerep CEO's many conflicts of interest.
"I knew Mozilla had this in the works and we'd casually discussed it when talking about Firefox monitor," Hunt told KrebsOnSecurity. "The point I made to them was the same as I've made to various companies wanting to put data broker removal ads on HIBP: removing your data from legally operating services has minimal impact, and you can't remove it from the outright illegal ones who are doing the genuine damage."
Playing both sides – creating and spreading the same digital disease that your medicine is designed to treat – may be highly unethical and wrong. But in the United States it's not against the law. Nor is collecting and selling data on Americans. Privacy experts say the problem is that data brokers, people-search services like Nuwber and Onerep, and online reputation management firms exist because virtually all U.S. states exempt so-called "public" or "government" records from consumer privacy laws.
Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, and bankruptcy filings. Data brokers also can enrich consumer records with additional information, by adding social media data and known associates.
The March 14 story on Onerep was the second in a series of three investigative reports published here this month that examined the data broker and people-search industries, and highlighted the need for more congressional oversight – if not regulation – on consumer data protection and privacy.
On March 8, KrebsOnSecurity published A Close Up Look at the Consumer Data Broker Radaris, which showed that the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.
On March 20, KrebsOnSecurity published The Not-So-True People-Search Network from China, which revealed an elaborate web of phony people-search companies and executives designed to conceal the location of people-search affiliates in China who are earning money promoting U.S.-based data brokers that sell personal information on Americans.
The Biden administration today issued its vision for beefing up the nation's collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House's new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and it names China as the single biggest cyber threat to U.S. interests.
The strategy says the White House will work with Congress and the private sector to develop legislation that would prevent companies from disavowing responsibility for the security of their software products or services.
Coupled with this stick would be a carrot: An as-yet-undefined "safe harbor framework" that would lay out what these companies could do to demonstrate that they are making cybersecurity a central concern of their design and operations.
"Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios," the strategy explains. "To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services."
Brian Fox, chief technology officer and founder of the software supply chain security firm Sonatype, called the software liability push a landmark moment for the industry.
"Market forces are leading to a race to the bottom in certain industries, while contract law allows software vendors of all kinds to shield themselves from liability," Fox said. "Regulations for other industries went through a similar transformation, and we saw a positive result – there's now an expectation of appropriate due care, and accountability for those who fail to comply. Establishing the concept of safe harbors allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have."
In 2012 (approximately three national cyber strategies ago), then director of the U.S. National Security Agency (NSA) Keith Alexander made headlines when he remarked that years of successful cyber espionage campaigns from Chinese state-sponsored hackers represented "the greatest transfer of wealth in history."
The document released today says the People's Republic of China (PRC) "now presents the broadest, most active, and most persistent threat to both government and private sector networks," and says China is "the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so."
Many of the U.S. government's efforts to restrain China's technology prowess involve ongoing initiatives like the CHIPS Act, a new law signed by President Biden last year that sets aside more than $50 billion to expand U.S.-based semiconductor manufacturing and research and to make the U.S. less dependent on foreign suppliers; the National Artificial Intelligence Initiative; and the National Strategy to Secure 5G.
As the maker of most consumer gizmos with a computer chip inside, China is also the source of an incredible number of low-cost Internet of Things (IoT) devices that are not only poorly secured, but are probably more accurately described as insecure by design.
The Biden administration said it would continue its previously announced plans to develop a system of labeling that could be applied to various IoT products and give consumers some idea of how secure the products may be. But it remains unclear how those labels might apply to products made by companies outside of the United States.
One could convincingly make the case that the world has witnessed yet another historic transfer of wealth and trade secrets over the past decade – in the form of ransomware and data ransom attacks by Russia-based cybercriminal syndicates, as well as Russian intelligence agency operations like the U.S. government-wide SolarWinds compromise.
On the ransomware front, the White House strategy seems to focus heavily on building the capability to disrupt the digital infrastructure used by adversaries that are threatening vital U.S. cyber interests. The document points to the 2021 takedown of the Emotet botnet – a cybercrime machine that was heavily used by multiple Russian ransomware groups – as a model for this activity, but says those disruptive operations need to happen faster and more often.
To that end, the Biden administration says it will expand the capacity of the National Cyber Investigative Joint Task Force (NCIJTF), the primary federal agency for coordinating cyber threat investigations across law enforcement agencies, the intelligence community, and the Department of Defense.
"To increase the volume and speed of these integrated disruption campaigns, the Federal Government must further develop technological and organizational platforms that enable continuous, coordinated operations," the strategy observes. "The NCIJTF will expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale, and frequency. Similarly, DoD and the Intelligence Community are committed to bringing to bear their full range of complementary authorities to disruption campaigns."
The strategy anticipates the U.S. government working more closely with cloud and other Internet infrastructure providers to quickly identify malicious use of U.S.-based infrastructure, share reports of malicious use with the government, and make it easier for victims to report abuse of these systems.
"Given the interest of the cybersecurity community and digital infrastructure owners and operators in continuing this approach, we must sustain and expand upon this model so that collaborative disruption operations can be carried out on a continuous basis," the strategy argues. "Threat specific collaboration should take the form of nimble, temporary cells, comprised of a small number of trusted operators, hosted and supported by a relevant hub. Using virtual collaboration platforms, members of the cell would share information bidirectionally and work rapidly to disrupt adversaries."
But here, again, there is a carrot-and-stick approach: The administration said it is taking steps to implement Executive Order (EO) 13984 – issued by the Trump administration in January 2021 – which requires cloud providers to verify the identity of foreign persons using their services.
"All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior," the strategy states. "The Administration will prioritize adoption and enforcement of a risk-based approach to cybersecurity across Infrastructure-as-a-Service providers that addresses known methods and indicators of malicious activity including through implementation of EO 13984."
Ted Schlein, founding partner of the cybersecurity venture capital firm Ballistic Ventures, said how this gets implemented will determine whether it can be effective.
"Adversaries know the NSA, which is the elite portion of the nation's cyber defense, cannot monitor U.S.-based infrastructure, so they just use U.S.-based cloud infrastructure to perpetrate their attacks," Schlein said. "We have to fix this. I believe some of this section is a bit pollyannaish, as it assumes a bad actor with a desire to do a bad thing will self-identify themselves, as the major recommendation here is around KYC ('know your customer')."
One brief but interesting section of the strategy titled "Explore a Federal Cyber Insurance Backdrop" contemplates the government's liability and response to a too-big-to-fail scenario or "catastrophic cyber incident."
"We will explore how the government can stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur," the strategy reads.
When the Bush administration released the first U.S. national cybersecurity strategy 20 years ago after the 9/11 attacks, the popular term for that same scenario was a "digital Pearl Harbor," and there was a great deal of talk then about how the cyber insurance market would soon help companies shore up their cybersecurity practices.
In the wake of countless ransomware intrusions, many companies now hold cybersecurity insurance to help cover the considerable costs of responding to such intrusions. Leaving aside the question of whether insurance coverage has helped companies improve security, what happens if every one of these companies has to make a claim at the same time?
The notion of a Digital Pearl Harbor incident struck many experts at the time as a hyperbolic justification for expanding the government's digital surveillance capabilities, and an overstatement of the capabilities of our adversaries. But back in 2003, most of the world's companies didn't host their entire business in the cloud.
Today, nobody questions the capabilities, goals and outcomes of dozens of nation-state level cyber adversaries. And these days, a catastrophic cyber incident could be little more than an extended, simultaneous outage at multiple cloud providers.
The full national cybersecurity strategy is available from the White House website (PDF).
Have you ever been browsing online and clicked a link or search result that took you to a site that triggers a "your connection is not private" or "your connection is not secure" error code? If you're not too interested in that particular result, you may simply move on to another result option. But if you're tempted to visit the site anyway, you should be sure you understand what the warning means, what the risks are, and how to bypass the error if you need to.
A "your connection is not private" error means that your browser cannot determine with certainty that a website has safe encryption protocols in place to protect your device and data. You can run into this error on any device connected to the internet: computer, smartphone, or tablet.
So, what exactly is going on when you see the "this connection is not private" error?
For starters, it's important to know that seeing the error is just a warning, and it does not mean any of your private information has been compromised. A "your connection is not private" error means the website you were trying to visit does not have an up-to-date SSL (secure sockets layer) security certificate.
Website owners must renew their certificates regularly to ensure the site's encryption capabilities stay up to date. If the website's SSL certificate is outdated, it means the site owners have not kept their certificate current, but it doesn't necessarily mean they are up to no good. Even major websites like LinkedIn have had momentary lapses that would throw the error, when LinkedIn mistakenly let its subdomain SSL certificates lapse.
In late 2021, a significant provider of SSL certificates, Let's Encrypt, went out of business. When their root domain officially lapsed, it created issues for many domain names and SSL certificates owned by legitimate companies. The privacy error created problems for unwitting businesses, as many of their website visitors were rightfully concerned about site security.
While the error does not always mean a website is unsafe to browse, it should not be ignored. A secure internet connection is critical to protecting yourself online. Many nefarious websites are dangerous to visit, and this SSL certificate error will protect you from walking into them unaware.
SSL certificate standards have helped make the web a safer place to transact. They help keep online activities like paying bills, ordering products, connecting to online banking, and using private email accounts safe and secure. Online security continues to improve with the newer Transport Layer Security (TLS) standard, the successor protocol to SSL.
So be careful whenever visiting sites that trigger the "connection is not private" error, as those sites can potentially make your personal data less secure and make your devices vulnerable to viruses and malware.
Note: The "your connection is not private" error is Google Chrome's phrasing. Microsoft Edge or Mozilla Firefox users will instead see a "your connection is not secure" error as the warning message.
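The post above says the warning appears when the browser cannot confirm the site's certificate is current, but it never shows what that check looks like. The following script is an added example, not code from the McAfee post: it re-implements the two checks a browser runs first (is the certificate inside its validity window, and does one of its DNS names cover the host you asked for) and reports the reason in words. The certificate dictionaries are hand-constructed in the format Python's `ssl.SSLSocket.getpeercert()` returns, so everything runs offline; the names `certificate_problems`, `hostname_matches` and `diagnose_live` are my own, and `diagnose_live` is the only part that needs a network.

```python
"""Explain a "your connection is not private" warning in words.

Added example (not from the McAfee post).  The sample certificates are
constructed by hand in the dict layout returned by ssl.getpeercert();
no real site or network connection is involved unless diagnose_live()
is called explicitly.
"""
import socket
import ssl
import time

EXPIRED = "certificate has expired"
NOT_YET_VALID = "certificate is not yet valid"
NAME_MISMATCH = "certificate does not name this host"


def hostname_matches(cert, hostname):
    """True if hostname is covered by one of the cert's DNS subjectAltNames.

    A wildcard is honoured only as the whole leftmost label (*.example.com),
    matches exactly one label, and is refused for two-label names like *.com.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san_labels = value.lower().split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[0] == "*" and len(san_labels) < 3:
            continue
        if all(p == "*" or p == h for p, h in zip(san_labels, host_labels)):
            return True
    return False


def certificate_problems(cert, hostname, now=None):
    """Return the reasons a browser would refuse this cert ([] if none)."""
    now = time.time() if now is None else now
    problems = []
    # cert_time_to_seconds parses the "Jan  5 09:59:03 2021 GMT" notation
    # that getpeercert() uses and returns UTC seconds since the epoch.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append(NOT_YET_VALID)
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(EXPIRED)
    if not hostname_matches(cert, hostname):
        problems.append(NAME_MISMATCH)
    return problems


def diagnose_live(host, port=443, timeout=5.0):
    """Connect with full verification; on failure return the verifier's own
    reason text, which is what the browser's warning page summarises."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return certificate_problems(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as err:
        return [err.verify_message]


# Constructed sample certificate (not a real one): valid for calendar 2024,
# covering www.example.com and any single label under api.example.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

# Fixed "clock" values so the checks are reproducible.
MID_2023 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2023 GMT")
MID_2024 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
MID_2025 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

if __name__ == "__main__":
    for host, when in [("www.example.com", MID_2024),
                       ("www.example.com", MID_2025),
                       ("login.example.com", MID_2024),
                       ("v1.api.example.com", MID_2023)]:
        print(host, time.strftime("%Y-%m-%d", time.gmtime(when)),
              certificate_problems(SAMPLE_CERT, host, when) or "ok")
```

Run it directly to see the four cases (in date, expired, wrong host, not yet valid). The design point worth noticing is that the checks are independent: a certificate can be perfectly current and still trigger the warning because it was issued for a different name, which is the case that renewing the certificate alone will not fix.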
If you feel confident that a website or page is safe, despite the warning from your web browser, there are a few things you can do to troubleshoot the error.
Remember, you are taking your chances any time you ignore an error. As we mentioned, you could leave your passwords and personal information exposed to hackers, along with other risks.
Your data and private information are valuable to hackers, so they will continue to find new ways to try and procure it. Here are some ways to protect yourself and your data when browsing online.
As we continue to do more critical business online, we must also do our best to address the risks of the internet's many conveniences.
A comprehensive cybersecurity tool like McAfee+ Ultimate can help protect you from online scams, identity theft, and phishing attempts, and ensure you always have a secure connection. McAfee helps keep your sensitive information out of the hands of hackers and can help you keep your digital data footprints lighter with personal data cleanup.
With McAfee's experts on your side, you can enjoy everything the web offers with the confidence of total protection.
The post "This Connection Is Not Private" – What it Means and How to Protect Your Privacy appeared first on McAfee Blog.
Introduction: Browsers have become an inherent part of our virtual life, and we all make use of browsers for surfing the internet in one way or another. Browsers are not only for surfing; we can also use them to navigate the file system of the OS. You might have […]
The post Browser Forensics: Firefox appeared first on Infosec Resources.