How to determine if a Google Chrome extension is safe

When it comes to online security, you can never be too careful; this guide isn’t about antivirus programs, firewalls or VPNs though, as it is about Chrome extensions.

Just because an extension is on the Chrome web store doesn’t mean it is safe to use. There have been many cases of malicious add-ons which have been taken down in the past after they were installed by millions of Chrome users in some cases.

Note: The guide provides additional information on checking whether Chrome extensions are (likely) safe to use. You can check out Martin’s guide on verifying Chrome extensions, and there especially the part on looking at the source.

How to determine if a Google Chrome extension is safe

Google Chrome extension reviews

We will focus on steps that you may undertake before installing extensions. It is often easier to determine if an extension is shady or outright malicious if you have installed it as it may be the cause for visible unwanted changes or activity such as hijacking search engines, displaying advertisement or popups, or showing other behavior that was not mentioned in the extension’s description.

Users who known JavaScript may also check the source of the extension. Check out Martin’s guide linked above for information on how to do that.

Web Store page

Analyze the extension’s listing and see if it rings some alarm bells. Broken grammar or English may be seen as warning signs but since developers from all over the world publish extensions on the Store, some may be written by non-English natives. Bad grammar or spelling mistakes may not be used as an indicator. Irrelevant screenshots or very odd descriptions, on the other hand are all tell-tale signs of a malicious extension. These are quite rare though.

Logos

Malware developers resort to all sorts of tricks to infect users, and one of these is to use the logo (icon) of popular brands or applications. Sometimes, people get fooled by these and think it’s from the company which makes the actual software. Pay attention to the developer name and click on it to see their other extensions.

Developer’s Website and Contact

Does the extension have its own web page? Visit it to learn more about it and maybe something about the developer. We recommend using a content blocker when visiting these sites to avoid issues if the site is specifically prepared to attack decvices.

Not all extensions have a web page, but most do, at least for support requests/FAQs.  Is there a contact option on the Chrome web store page which lets you email the developer? If there is one it’s a good sign, but an absence of one doesn’t mean it’s a fake extension.

Google Chrome extension developer website

Privacy Policy

This is perhaps the most overlooked one? Who reads the privacy policy? You should, because unlike website registrations or software agreements, you’re not shown the privacy policy for an extension when you install it. But it may exist as a loophole for the developer to get out of a legal dispute, should one arise. You accept the policy the second you install the extension.

Use Control + F and search for words like data, collect, track, personal, etc, in privacy policies. Your browser should highlight the sentences which contain the word and you should read what it says.

If the policy is upfront about the data they collect, think about if it’s worth using the extension at the cost of privacy. I’ll give you a hint: It’s never acceptable.

Obviously, developers and companies with ill-intent may add whatever they like to the privacy policy.

Permissions

When you click the install button, read the pop-up which lists the permissions the extension requires. Permissions may give important clues; an add-on for a visual enhancement (like a theme) shouldn’t require permissions like “Communicate with cooperating websites”. That means it could be sending data, your personal data, to some server.

Google Chrome extension permissions

Reviews

These are big red flags if you know how to identify legit ones. Does an extension have reviews? Are they all 5-star reviews? That’s suspicious. Look at the publishing date of each review. If you find that they were all posted on the same day it may be fishy. Look at the text as well, if they look more or less the same, or if the usernames only contain random characters, alarm bells should go off and you should look deeper.

Take a look at the screenshot here. What do you see?

How to determine if a Google Chrome extension is safe or not

Did the reviewers copy/pasted the comment? It’s possible, but it wasn’t in this case. The extension had multiple reviews which used the same comments over and over. In fact, there was more than one review left by the same user. Is it possible the extension has hijacked the user to post these reviews? Or were they paid for? Regardless of this, I’d recommend avoiding such extensions to be on the safe side.

It may be a good idea to check whether the developer has commented on any of the user reviews. Go over the next few pages.

Search for similar extensions, watch out for the clones

The screenshot which you saw above is actually not from the original extension. I bet you weren’t expecting that? It was from a clone of another extension which had a similar name, same features, slightly different description, an identical privacy policy.

How to tell if a Google Chrome extension is safe
How to tell if a Google Chrome extension is safe 2

It was alarming. The worst part was that the original add-on was about 2.15 MB in size while the clone was about 4.26 MB. If it was a clone, what’s the extra size for? That is scary. So search the web store using similar keywords  (or the name of the extension), check out the results. Look at the add-on’s published date, the older one is obviously the original.

Again, if you known JavaScript, you could analyze the code to find out why the clone has a size that is nearly double the size of the original. It could be something as simple as an uncompressed image that is used as a logo or additional code that may be used for malicious or invasive practices.

Open Source

If the extension is open source, it is likely that it could be safe. But I wouldn’t take it for granted. You should go to the page where the source code is published to see if it actually exists. You should also check when the last commit was made on the source code page. If the extension was updated recently, but the source code wasn’t, the extension may no longer be open source and possibly open to privacy and security issues.

Search across Social networks

You could try Googling for the extension’s name to see whether any issues, recommendations or reviews were posted by users on social networks. This gives you an idea of real-world usage of the extension.

If you do come across suspicious extensions, do yourself and everyone a favor, and report it to Google.

Some tips I mentioned here aren’t necessarily restricted to Chrome extensions, they apply to extensions for other browsers such as Firefox as well.

Thank you for being a Ghacks reader. The post How to determine if a Google Chrome extension is safe appeared first on gHacks Technology News.

Malwarebytes 4.0 for Windows launches

Malwarebytes released Malwarebytes 4.0, a new version of the company’s security program, for Microsoft Windows systems on November 4, 2019.

The new version of the program includes the company’s new Katana Engine, a new user interface, and other improvements. You may want to check out our first look of Malwarebytes 4.0 which we published in August 2019.

Malwarebytes 4.0 is offered as a Free and Premium version just like previous versions. Premium users, including those with lifetime keys, may upgrade to the new version for free.

The new version can be downloaded from the official Malwarebytes website. The default installer requires an active Internet connection; users who need an offline installer can download it by following the link in the second post on this page.

Note: Malwarebytes 4.0 is not compatible anymore with pre-Windows 7 operating systems. The company recommends that users stay on Malwarebytes 3.x as it will continue to be supported.

The new version has several issues. Users who run Windows Firewall Control (which Malwarebytes acquired some time ago) will notice that Malwarebytes Self-Protection module will prevent the firewall tool from opening. Other issues include that Controlled Folder Access blocks certain advanced installer options on Windows machines and GUI issues with high DPI and certain screen resolutions.

The company’s browser extension, Malwarebytes Browser Guard, exited Beta recently as well.

Malwarebytes 4.0

malwarebytes premium 4.0

The very first thing that Windows users who install the new Malwarebytes 4.0 may notice is not the new interface but that the product registers itself as the system’s main antivirus solution in the Windows Defender Security Center.

Malwarebytes believes that its product is ready for the responsibility thanks to the integration of the new Katana engine in the new program version.

The new Malwarebytes Katana engine provides superior malware detection for zero hour threats in particular while improving performance for faster Scans.

It remains to be seen how good the new engine really is. Malwarebytes promises expanded malware detection, improved zero-hour detection, and improved signature-less behavioral detection.

Users who don’t want the program to be registered as the primary security solution may disable it in the options under Security.

Tip: Malwarebytes collects usage and threat statistics by default. Open the program settings and disable the option under General to disable this.

The new interface puts the focus on protection settings, the detection history, and the scanner. You may change real-time protection settings right then and there by toggling the “Web Protection”, “Malware Protection”, “Ransomware Protection”, and “Exploit Protection options. Note that these are only available in the Premium version of the product.

A click on a section opens it in an overlay on the screen. Scan starts a scan of the system right away while a click anywhere on the Scanner widget opens the scan interface. If you want to run a custom scan you need to do that.

malwarebytes premium scan

A click on “advanced scanners” on the page that opens and on the next page on custom scan displays the available options (including a scan for rootkits).

The Real-time protection section displays the number of threats blocked on the local device and globally. The latest Malwarebytes blog post is highlighted on the page as well.

The new interface looks more streamlined but that comes at the expense of functionality. If you want to check out previous reports and scans, you cannot do that anymore straight from the main interface. You have to click on the scanner widget to access these reports.

Memory use has been quite high on a test system. The three Malwarebytes processes mbam.exe, MBAMService.exe and mbramtray.exe used nearly 450 Megabytes of memory (with MBAMService.exe using 317 Megabytes alone).

Closing Words

Tests will show how good Malwarebytes 4.0 really is. The program has been streamlined but memory usage is still, maybe even more so than before, an issue. It is usually a good idea to wait with the upgrade until known issues are taken care off.

Users who upgraded from version 2.x to the initial version 3.0 may remember that it too had stability and performance issues in the beginning.

Now You: Have you tried version 4.0 of Malwarebytes? What is your take?

Thank you for being a Ghacks reader. The post Malwarebytes 4.0 for Windows launches appeared first on gHacks Technology News.

Microsoft releases emergency Internet Explorer security update

Microsoft released an out-of-band emergency security update for Internet Explorer on September 23, 2019 for all supported versions of Windows.

The emergency update is only available on the Microsoft Update Catalog website at the time of writing and not through Windows Update or WSUS.

Some support articles provide little information. The Windows 10 update description simply states “
Updates to improve security when using Internet Explorer” without going into further detail. The page links to the Security Update Guide which, after some digging, leads to the CVE of the vulnerability.

internet explorer security out of band

The support page for the cumulative update for Internet Explorer offers more information and a direct link to the CVE.

It states:

This security update resolves a vulnerability in Internet Explorer. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could run arbitrary code in the context of the current user. The security update addresses the vulnerability by changing how the scripting engine handles objects in memory.

The same information is provided on the CVE page as well. Microsoft notes that an attacker could take control of the attacked system if the attack succeeds which would allow the attacker to install or remove programs, view, change or delete files, or create new user accounts.

The security issue is exploited actively according to Microsoft; an attacker could create a specifically prepared website to exploit the issue in Internet Explorer.

Microsoft published a workaround to protect systems if the released updates cannot be installed at this point. The workaround may reduce functionality “for components or features that rely on jscript.dll”.

The commands need to be run from an elevated command prompt.

Workaround for 32-bit systems:

  • takeown /f %windir%system32jscript.dll
  • cacls %windir%system32jscript.dll /E /P everyone:N

Workaround for 64-bit systems:

  • takeown /f %windir%syswow64jscript.dll
  • cacls %windir%syswow64jscript.dll /E /P everyone:N
  • takeown /f %windir%system32jscript.dll
  • cacls %windir%system32jscript.dll /E /P everyone:N

The workaround can be undone by running the following commands from an elevated command prompt:

Undo 32-bit:

  • cacls %windir%system32jscript.dll /E /R everyone

Undo 64-bit

  • cacls %windir%system32jscript.dll /E /R everyone
  • cacls %windir%syswow64jscript.dll /E /R everyone

List of updates that fix the vulnerability:

What about Windows Updates?

Microsoft has not released the update via Windows Update or WSUS. Susan Bradley notes that the company could release the update on September 24, 2019 via Windows Update and WSUS but that has not been confirmed by Microsoft.

It is a bit puzzling that Microsoft releases an out-of-band security update that addresses an issue that is exploited in the wild but chooses to release it as an update that needs to be downloaded and installed manually only.

Closing Words

Should or should not you install the update right away? It is a security update but it is only available via the Microsoft Update Catalog website at the time of writing.

I still would recommend installing it but you should create a system backup, e.g. using Macrium Reflect or Paragon Backup & Recover Free, before you do so as one never knows these days updates introduce unwanted side effects or issues of their own.

Now You: install or wait, what is your position?

Ghacks needs you. You can find out how to support us here (https://www.ghacks.net/support/) or support the site directly by becoming a Patreon (https://www.patreon.com/ghacks/). Thank you for being a Ghacks reader. The post Microsoft releases emergency Internet Explorer security update appeared first on gHacks Technology News.

WinOTP Authenticator is an open-source alternative for WinAuth

Some days ago, we told you about Authenticator, an open-source 2-step verification app for iOS. The app generates codes for two-factor authentication use. Many web services support 2FA to add another layer of security to the user authentication process.

Today, it’s the turn of an equally simple Windows app called WinOTP Authenticator. It is a UWP app, and hence exclusive to Windows 10.

A brief history about the app: about a year ago an app called “Authenticator for Windows” was removed from the Windows Store. This was a proprietary app and was one of the few available for Windows Phone/Windows 10. The author open-sourced the app shortly after hoping that someone would resurrect it, and that’s exactly what happened a few months ago.

WinOTP Authenticator is an open source 2-factor verification app for Windows 10

How to add an account to WinOTP Authenticator

This process is slightly different from a phone 2FA app where you’d point the camera at the QR code on the screen and are done with it. The app works by entering the “secret key” manually which is identical to the process on mobile devices if you select the manual way during setup.

Here is how it works:

  1. Enter the name of the account’s website in the Service box (for e.g. Microsoft, Google, Apple, etc). This is just for your reference and you may pick anything you want. It is advised to pick a descriptive name to help with identification.
  2. Type your account’s username in the corresponding field. This can be whatever you want to as well.
  3. Finally, enter the long code from the website’s 2-step authentication settings.
  4. Click on the save button.

WinOTP Authenticator

Note: There is an alternative way. The program says that you can drag the QR-code that is displayed on the screen on to the interface of WinOTP Authenticator and it should read the code. I tried it a couple of dozen times with different services, but it did not work.

TOTP timer bar

Instead of a circle (which fills up or disappears) that you are maybe used to when you use mobile devices to generate the authentication code, WinOTP Authenticator displays a horizontal bar that progresses from the left to the right to indicate when the displayed code will expire.

Copy to clipboard

WinOTP Authenticator displays the TOTP codes for all of your added accounts on the home page. To copy a code to the clipboard just click on it. There is a setting which clears the clipboard when a copied code expires; this is enabled by default and there is little reason to disable it unless you need more time.

Note: The Sync with OneDrive option causes WinOTP Authenticator to crash, at least for me.

You can reorder or delete accounts by clicking on the pencil button on the start bar. Remember to disable 2FA from your account’s settings on the website before deleting it from the app as you may run into authentication issues otherwise. You can toggle the app to sync the time using NTP; this is important since 2-factor codes are time based.

Apart from the QR Code and OneDrive issues (which are on the developer’s roadmap), the app worked without issues. It offers a convenient option to log in to websites with click and paste.

I stumbled upon this app while looking for a WinAuth alternative and it has been a fine replacement. Normally I wouldn’t recommend using a PC app for 2-factor authentication because anyone who has access to the PC will have access to the 2FA codes. But, many people have a PC that is private (at home or work), in which case it can be a pretty secure option especially if you use encryption to further protect it from unauthorized access. I’d still recommend using a phone app/email for 2FAs as a fallback (and don’t forget those recovery/backup codes).

Ghacks needs you. You can find out how to support us here (https://www.ghacks.net/support/) or support the site directly by becoming a Patreon (https://www.patreon.com/ghacks/). Thank you for being a Ghacks reader. The post WinOTP Authenticator is an open-source alternative for WinAuth appeared first on gHacks Technology News.

KeePass 2.43 Password Manager released

A new version of the password manager KeePass was released on September 10, 2019. KeePass Password Safe 2.43 is an update for the 2.x version of the password manager that introduces new features and improvements.

KeePass should notify users that the new version is available if update checks have not been disabled. Users may download the new version from the official repository and install it over the existing installation.

The application is available for Windows officially; ports are available to use the password database on other platforms, e.g. with Strongbox or KeePasssium on iOS, or the cross-platform client KeePassXC.

Tip: if you are new to KeePass, check out our review of KeePass.

KeePass 2.43

keepass password safe 2.43

KeePass 2.43 does not introduce major new features to the application but some may still be of interest to users.

One of those changes improves the password generator. KeePass provides options to create custom passwords by specifying character sets. Some of these sets list only some of the characters that KeePass may pick when the set is selected. While that is not a problem for letters or digits, it may be a problem for special characters.

keepass password generator

You may now hover over these sets to have all supported characters displayed in a popup.

A new intermediate step has been added to the password quality bar; just open any entry in KeePass and you will see the new quality bar. The bar is an estimation of the strength of the password based on certain patterns.

keepass password quality

KeePass users may change the default password options to make sure that certain rules related to size and character sets are always followed.

The password manager is set up to exclude itself from Windows Error Reporting in that new version.

Auto-Type received some love in the new version. The feature sends an automated sequence of keypresses to any open program window. KeePass 2.43 improves the sending of modifier keys, characters that use Ctrl-Alt or AltGr, and improves compatibility with VMware Remote Console and Dameware Mini Remote Control.

Another key-related change is support for setting up function keys without modifiers as system-wide hot keys.

Other than those already mentioned, there is a new option to use Esc to deselect main menu items, the linking of username suggestions to the display of usernames in the main window, and improvements to the automatic scrolling performance.

You can check out the entire KeePass 2.43 changelog here.

Ghacks needs you. You can find out how to support us here (https://www.ghacks.net/support/) or support the site directly by becoming a Patreon (https://www.patreon.com/ghacks/). Thank you for being a Ghacks reader. The post KeePass 2.43 Password Manager released appeared first on gHacks Technology News.