This episode covers PayPal’s new approach to detecting stolen cookies, Avast’s privacy breach scandal, and Apple’s leap into quantum-secure messaging with PQ3. It unpacks the implications of these developments for user privacy and the future of secure communication, looks at the technology aimed at outpacing cyber threats, and stresses the importance of vigilance in an increasingly digital world.
Original URLs:
- PayPal’s New Cookie Security Method: Read More
- Avast’s Browsing Data Privacy Breach: Read More
- Apple’s Quantum-Secure iMessage Upgrade: Read More
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/
Transcript:
[00:00:30] offsetkeyz: All right. Good morning, everyone, and welcome back to the Daily Decrypt. Today is February 26th, and today we’re going to unravel PayPal’s latest patent that’s baking a new layer of security into the cookie jar, ensuring that cyber thieves can’t take a bite out of your personal data. Meanwhile, Apple takes a quantum leap into the future with PQ3, ensuring that iMessage
[00:00:53] offsetkeyz: doesn’t just send texts, but also sends hackers packing. And finally, [00:01:00] Avast finds itself in hot water as they’re ordered to cease the sale of browser data, serving as a reminder that in the quest for privacy, not all shields are as impenetrable as they seem.
[00:01:12] offsetkeyz: transition
[00:01:16] dogespan: All right.
[00:01:17] dogespan: From Bleeping Computer we have an intriguing development in cyber security. PayPal is stepping up its game against cyber threats. They’ve filed a patent for a method to identify when a super cookie is stolen. This aims to improve cookie-based authentication and limit account takeover attacks. So, what we talked about before, cookie authentication or cookies in general, if you remember, they are... yeah, I guess the best comparison is like a loyalty card.
[00:01:40] dogespan: You go to a coffee shop or something, and you have
[00:01:43] dogespan: that loyalty card. You hand it to the barista, they get your order, and they know your previous preferences. They might have rewards or so on, and then every single time you go you get more rewards. They may be able to make your coffee or whatever without having to go [00:02:00] So, cookies are essentially the same thing.
[00:02:03] dogespan: Your browser stores these cookies so that the website knows who you are, and can easily identify you, authenticate, and give you access to the website. Here’s the issue. Hackers can steal these cookies that contain authentication tokens to access the accounts without needing valid credentials, even bypassing multi factor authentication.
[00:02:22] dogespan: These stolen cookies might include hashed passwords, which also allows attackers to impersonate users. Think of a thief now stealing that loyalty card. They can go to that coffee shop, um, and essentially impersonate you. They know your coffee orders, and hey, maybe they’re going to use your loyalty points. Now, the supercookies that we mentioned earlier, they’re a little bit different than standard cookies. They are local shared objects, and they are injected by the internet service provider as your data goes in transit. A lot of cookies are typically stored on your browser. They’re kind of baked into that network traffic [00:03:00] that’s transmitting across the wire.
[00:03:04] dogespan: And it makes it a little bit more difficult to detect and remove as they’re, well, they’re not stored locally. PayPal’s engineers propose a method to calculate a fraud risk score in cookie based authentication. When a user tries to log in, the system assesses the risk by comparing expected cookie values with actual values in the device’s storage locations. So, what does this all mean? It’s really just about enhancing the security during the login process, and it makes it harder for attackers to steal those cookies. And for this to work, the system sorts cookie storage locations by fraud risk and then compares expected versus actual cookie values to determine if there’s a breach. Based on the risk assessment, PayPal’s system would manage authentication requests by accepting, rejecting, or triggering additional security checks. The cookies are encrypted for safety against tampering. While this isn’t guaranteed technology that will be [00:04:00] implemented, it’s the initiative by PayPal that highlights the evolving landscape of digital security. It’s a proactive step in ensuring that our digital transactions remain secure. And one thing to keep in mind with this is while there are improving methods to enhance the security around authentication, just like everything, we can’t assume that it’s always going to be safe.
[00:04:25] dogespan: A lot of the work that I do involves detecting how cookies get stolen. And it’s only a matter of time. Even if this does get implemented, other websites will start using it. Attackers are going to have to evolve their techniques and they’ll figure out a way around it. So everything that you are currently doing to kind of maintain your passwords or your authentication, keep it the same.
[00:04:49] dogespan: And just know that there are efforts in place to make it more secure, but we still need to be vigilant.
[00:05:08] offsetkeyz: So you all know I am an Apple nerd, and I love their privacy features. Well, they just stepped up their game today by
[00:05:17] offsetkeyz: creating new encryption methods to combat quantum computing.
[00:05:22] offsetkeyz: So Apple has taken a monumental step forward with this new encryption method called PQ3, which is designed to protect iMessage users from the potential future threat of quantum computing. Unlike traditional encryption methods, which could eventually be cracked by quantum computers, PQ3 employs post-quantum cryptography, or PQC, to secure messages, both at the initiation of a conversation and throughout the message exchange process.
[00:05:48] offsetkeyz: The protocol employs a hybrid design that combines the new post-quantum algorithms with the proven reliability of elliptic curve cryptography, or ECC, ensuring that iMessage’s encryption cannot [00:06:00] be less secure than its current state. Well, that’s good. We’ve got a little baseline. This dual approach means that breaking PQ3 security would require defeating both the new post-quantum primitives and the existing classical ECC cryptography, which would be a formidable challenge for any adversary, quantum or otherwise. So for any normal, for any regular day user who’s listening, it’s not much that’s going to change.
[00:06:25] offsetkeyz: I think as the iPhones advance, so will the computing power. And while this might take a little more computing power, you won’t notice a difference. You’re just going to get to bask in the safety that is Apple iMessage, and the nice little blue bubbles. I’m pretty excited about this, because I recently finished a book by my favorite author, Andy Weir, and Amazon decided they wanted to just suggest a short story he’s written, which is 30 pages long, which is the exact length of a book
[00:06:58] offsetkeyz: I want to read: 30 pages. [00:07:00] And it was about quantum computing cracking Keno machines in Las Vegas. They were able to, like, bind quantum
[00:07:08] offsetkeyz: behaviors to the ball. It was very interesting, and it really got my wheels turning about quantum computing and how it’s really going to wreak havoc on the encryption world once it becomes more
[00:07:20] offsetkeyz: consumer... consumerized. Once it becomes more available to consumers. So great work, Apple.
[00:07:28] dogespan: Happy I switched.
[00:07:30] offsetkeyz: Oh, you heard it here first, folks. Former Android user switched to Apple, happy. He
[00:07:37] dogespan: It’s been three years going now? Yeah, three. I plan on going back.
[00:07:49] dogespan: Got another one from Ars Technica. We have Avast, where they are ordered to stop selling browsing data from its browsing privacy [00:08:00] apps. Avast is known for its antivirus applications and privacy tools. They were recently found to be collecting and selling users’ browsing information through a subsidiary called JumpShot.
[00:08:11] dogespan: Now, this contradicts their promise of privacy, as they were selling data from 2014 to 2020 to over 100 companies. This is just, if you’re not paying for something, somewhere along the line the company is making money from you. I used to use Avast a long, long time ago, way before I switched to primarily using Linux.
[00:08:36] dogespan: And I always wondered in the back of my mind, especially as Facebook and these other social media companies came out, like who... we were getting more insight into being the product of these companies, more or less. So as I was using free antivirus, it was always in the back of my mind: are they, how are they making money off of this? How are they staying afloat? Yeah, they have their premium version, but hmm. The Federal Trade Commission, [00:09:00] or FTC, has stepped in and is ordering Avast to pay 16.5 million and implement a comprehensive privacy program. They must also stop selling browsing data and obtain explicit consent for future data collection.
[00:09:15] dogespan: How clear is that consent going to be? Is it going to be just, your checkbox for terms and conditions?
[00:09:20] offsetkeyz: It’ll be very clear about 30 pages into the terms and conditions. Yeah.
[00:09:25] dogespan: Right at the end of your attention span.
[00:09:28] dogespan: The data Avast sold wasn’t just random browsing info. It included detailed insights into online consumer habits, even down to individual user levels. This included data from Google Maps, LinkedIn, YouTube, and more, raising serious privacy concerns. If you used the Avast tools during this period, your data might have been sold. Not a whole lot we can do about that at this time. What are we doing to prevent this? We can see that the FTC is finally taking action on this. And, again, just, [00:10:00] as a regular user, pay attention to those sorts of things. If you’re, I mean, I’m even guilty of it today. I still go to app stores and I’ll go hunting for an app that fits the need.
[00:10:11] dogespan: And a 5.99 price tag, I’m like, ugh, there’s gotta be a free version. I know better!
[00:10:20] offsetkeyz: I’ve already got my data anyways. Ah,
[00:10:23] dogespan: So Avast has closed JumpShot and maintains its commitment to protecting digital lives, despite disagreeing with the FTC’s allegations. So if they maintained their commitment to protecting digital lives, then when did the commitment to protecting start?
[00:10:44] offsetkeyz: Yeah, I don’t... If you’re maintaining your previous commitment that allowed you to sell my data, maintaining it isn’t a brag. I’ve asked. Sorry.
[00:10:53] dogespan: Well, this case serves as a reminder of the importance of regulatory [00:11:00] oversight in safeguarding our online privacy. And that, I think, is the staple or biggest takeaway from the FTC stepping in: that we just need more regulation around a lot of the tech companies. They’re going to consistently find ways to monetize our data, and they’re going to find those loopholes.
[00:11:20] dogespan: So we need the agencies to get involved, to become aware, and we can’t be oblivious to technology.
[00:11:30] offsetkeyz: Well, that’s all we’ve got for you today. Thanks so much to dogespan for joining us, delivering the sweet, tasty news to you guys. We’ll be back tomorrow with your weekly Who’s Been Popped updates as well as some other news. So we’ll talk to you then. [00:12:00]