IT NEWS

With experts noting a troubling threefold surge in USB drive malware incidents in early 2023, Device Control has just leveled up with a key addition: the Advanced Auto Scanning & Block Until Scan feature. 

Here’s the breakdown: When a USB device is connected, ThreatDown now doesn’t just control access—it actively scans it. You can also now choose to block the device until the system scans it. This means threats are stopped in their tracks, well before they can do any harm. 

Available for both Nebula and OneView users, the new update also offers detailed device insights on the Quarantine and Detections pages. The interactive “Device” column, for example, reveals comprehensive details like the serial number and volume name. 

Advanced Device Control is designed to make it that much easier for organizations to defend against USB malware, which can cause data breaches and other system compromises. Let’s dive deeper into the update! 

Automated Scanning 

When a USB device is inserted, the new feature automatically initiates a scan for potential threats. This is proactive, as opposed to the more passive nature of traditional device control, which simply controlled access when storage drives were connected via USB. 

Conditional Access Based on Scan Results 

Perhaps the most significant addition is the ability to block access to the device until it has been scanned for threats. This ensures that no potentially harmful files are accessed before they are verified as safe, a capability not present in the original Device Control setting. 

Customizable Alerts 

Users can craft an optional alert message that appears when a USB device is blocked pending a scan. This can help in communicating security protocols to users who might not be aware of why their device access is restricted. 

Quarantine and Detections Pages Update 

Nebula’s Quarantine and Detections pages have been upgraded for improved management of USB-originated threats: 

• “Device” Column: A new clickable column has been added, listing devices associated with threats. 
• Device Details Slideout: Clicking on a device link provides immediate access to details like serial number and volume name. 

These updates streamline the threat analysis process, integrating crucial information directly into your workflow. 

Additional features 

Restoration & Exclusion Enhancements 

Quickly restore false positives from quarantine when the device is reconnected and set exclusions to prevent future unnecessary blocks. 

Detailed Threat Information 

The Endpoint details slide-out has been enhanced. Under the Detections and Quarantine tabs, users can now access comprehensive data on any USB threats discovered. 

Action Taken 

A new “Action taken” column clearly shows the device scan history and status updates.

Try Advanced Device Control today 

Advanced Device Control marks a leap in helping organizations stay ahead of USB malware, featuring proactive scanning, conditional access, and improved visibility to proactively thwart potential breaches.  

Try Advanced Device Control in Nebula and OneView today! 

Not a Nebula or OneView user? Get a free demo.

Since I started Malwarebytes 15 years ago the threat landscape has changed. Our offerings have evolved. And now the next chapter of our journey begins today.  

How did we get here? 

My first cyber “combatant” was an early form of adware running amok on my family’s computer. Removing it was a team effort, and it led to the creation of the first iteration of Malwarebytes, a free tool built to help everyday people find and remove malware from their computers, without needing to scour forums, write code, or run scripts like I had.  

Malwarebytes turned out to be extremely popular. It did what no other product could, find malware and remove every trace. Although designed as a free tool for individuals, IT professionals downloaded it in droves. The vast amount of malware infections that common AV tools missed proved that organizations needed better detection as well as our remediation.  

Malwarebytes for Business was born.  

Organizations today must protect against more than malware. There are ransomware gangs, crypto-scammers, Advanced Persistent Threat groups, data exfiltration and extortion schemes, big-money exploits, disastrous zero-days, brute force attacks, Living-Off-the-Land techniques—that anti-virus detection doesn’t find—and fast evolving social engineering tactics that will only advance with the broad availability of generative AI.  

But with the rapid increase of attack surfaces, security products have multiplied and become increasingly complex to deploy and manage. Many IT organizations are struggling with the number of consoles and increasing costs. Most don’t have enough cybersecurity staff or budget to take down threat levels. 

For more than a decade, Malwarebytes has provided resource constrained IT organizations with the necessary tools to stop cybercriminals across the entire threat spectrum—from attack surface reduction; through prevention, detection, and response; to remediation. Time and time again our products are tested, proven, and recognized, year after year, quarter after quarter. Importantly, we’ve also made security simpler. Delivered in one lightweight agent, using one console, IT organizations can manage thousands of endpoints and vast security capabilities at once.  

Today, we launch a name that reflects the full scope of our business product line, the serious daily battle with adversaries on behalf of organizations, and embodies our mission – security that overpowers threats, not IT.    

I want to personally introduce you to “ThreatDown, powered by Malwarebytes.” The ThreatDown platform is focused on the problem we heard about most from our corporate customers, institutions and partners. No, not securing the software supply chain, cracking down on zero-day vulnerabilities, or stopping the growing spate of ransomware attacks (though all of those also rank high in importance).  

The biggest problem, simply enough, is complexity.  

For too long, even the most well-intentioned cybersecurity vendors and researchers have issued security recommendations in a vacuum, assuming every business has the same budget, staff size, and IT resources. Under this guise, the products our industry has sold are hardly “solutions”—they are proposals.  

We know this isn’t working for most organizations.  

According to IDC, 60 percent of mid-market companies only have 1 – 4 full time IT people, making complex integrations, installations, or management of tech tools formidable. Similar research also shows that a simple configuration change could take IT teams a few hours, while more complex changes can take several days or even weeks, and that companies deploy an average of 55 different cybersecurity tools—each with their own cloud-based console, agent, and management requirements.  

ThreatDown understands that meaningful cybersecurity “solutions” must consider an organization’s ability to implement and embrace a security product and its toolset. This is why the ThreatDown portfolio isn’t a list of individual products for organizations to figure out.  

Today we’re also launching four ThreatDown Bundles that combine award-winning layers of protection, threat intelligence, and human expertise for IT-constrained organizations of all sizes and skill levels. These new bundles help organizations take down threats, while also taking down complexity and cost. Every bundle includes our Security Advisor, which provides a security score to illustrate a company’s current level of protection, offers guidance on how to make improvements and enables IT to take immediate action. 

This is just the beginning.    

Fifteen years ago, with enormous help from around the world, we started something special with Malwarebytes. Today, we are doing that again. 

Join me as we overpower threats and empower IT together.  

Visit www.threatdown.com to learn more.  

November marks a significant shift in our legacy. After 15 years as Malwarebytes, we are proud to introduce our rebranded identity, ThreatDown powered by Malwarebytes.

Building off Malwarebytes’ initial recognition for removing every trace of viruses that others missed, ThreatDown powered by Malwarebytes combines award-winning technologies that cover all stages of an attack, with managed services for teams with limited resources.

To say it’s been quite a journey to this point would be an understatement. From our beginnings as a remediation consumer tool to becoming a titan in business cyber protection, let’s walk through where we’ve come and where we’re headed.

Anti-Malware Small Business Edition (2008 – 2012)

Malwarebytes for Business began its journey in the late 2000s, offering corporate licensing for its consumer anti-malware product. By 2012, our focus intensified as we launched the Anti-Malware Small Business Edition, introducing advanced features to meet the specific demands of businesses.

Malwarebytes Enterprise Edition (September 2012 – 2016)

The introduction of Malwarebytes Enterprise Edition (MEE) in late 2012 solidified our position in the enterprise market. Tailored for businesses, governments, and educational institutions, MEE provided comprehensive threat protection and malware remediation. As the demand for our expertise grew, esteemed institutions such as The University of Alabama and NextGen Healthcare became part of our clientele.

Malwarebytes Endpoint Security (June 2014 – 2016)

2014 saw the birth of the Anti-Malware Remediation Tool, a streamlined malware solution for businesses. Shortly after, Malwarebytes Endpoint Security was launched, merging multiple essential tools into one comprehensive package.

Nebula (2017 – 2018)

Transitioning into cloud security management, 2017 introduced Nebula 1.0, our cloud-based console. This platform brought together our machine learning-backed Malwarebytes Incident Response and Endpoint Protection products.

OneView (2019)

2019 heralded the debut of OneView, a multi-tenant console tailored for Managed Service Providers (MSPs). With OneView, MSPs could efficiently manage multiple clients’ security needs from a unified platform.

Comprehensive Endpoint Detection and Response Offerings (2020 – 2021)

Throughout 2020 and 2021, we fortified our EDR capabilities, including extensions to support Windows servers. With features such as Flight Recorder Search, Threat Hunting Alerts, and Brute Force Protection, we further strengthened our protective measures against cyber threats.

Managed Detection and Response (2022)

Last year, we delved into a multitude of new services and tools, including Device Control, Vulnerability Assessment, Patch Management Modules, and many more. Our crowning achievement was the introduction of Malwarebytes Managed Detection and Response (MDR) service, providing 24×7 monitoring and investigations for resource constrained IT teams.

Securing The Against the Next Generation of Threats (2023 and beyond)

2023 marked our foray into Mobile Protection for iOS, Android, and Chromebook platforms, helping organizations crush mobile threats on iOS, Android, and ChromeOS. The introduction of an Application Blocking Module gave administrators even greater control over app installations on devices.

Further, with the release of Malwarebytes Security Advisor, we transformed the Nebula customer experience to enable organizations to visualize and improve their security posture in just a few minutes. We also released Malwarebytes Managed Threat Hunting (MTH), a 24/7 service that proactively identifies and then alerts EDR customers to potential threats before an active attack begins.

Into The Future With ThreatDown powered by Malwarebytes

Originating from Malwarebytes’ 15-year legacy in combating daily malware threats, ThreatDown powered by Malwarebytes has evolved in tandem with the ever-changing threat landscape.

ThreatDown’s mission for businesses is straightforward: neutralize threats promptly and efficiently, without the need for extensive IT teams, prolonged setup times, or substantial budgets. We combine the technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down complexity and take down costs:

• ThreatDown Core Bundle: Basic malware protection and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
• ThreatDown Advanced Bundle: Everything included in core plus Automated Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
• ThreatDown Elite Bundle: Everything in Advanced plus 24/7 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
• ThreatDown Ultimate Bundle: Everything in Elite plus protection from categories of malicious websites. Perfect for teams looking for a SOC-in-a-box, a one-and-done shortcut to cybersecurity done right.

In short, with ThreatDown, the mission is clear: To take down threats to businesses and reduce attack surfaces immediately, without the need for an IT army or big budgets. Together, we can overpower threats—and empower IT.

Visit www.threatdown.com to learn more.  

Okta has revealed details about a recent breach which exposed files belonging to customers.

As we explained in our article about 1Password being a victim of this breach, it’s normal for Okta support to ask customers to upload a file known as an HTTP Archive (HAR) file. Having this file allows the team to troubleshoot issues by replicating what’s going on in the browser. As such, a HAR file can contain sensitive data, including cookies and session tokens, that cybercriminals can use to impersonate valid users.

After 1Password, BeyondTrust, and Cloudflare detected unauthorized log-in attempts to their in-house Okta administrator accounts, they reported the incidents to Okta who started an investigation.

Okta says it found that from September 28 to October 17, 2023 an attacker had unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers.

The attacker gained access using stolen credentials of a service account stored in the system itself, which had permissions to view and update customer support cases.

To gain access to that service account, the attacker compromised an Okta employee. The employee logged into the service account while they were signed in to their personal Google profile in Chrome on their Okta-managed laptop. That meant that the credentials of the service account were stored in the employee’s personal Google account.

How they got from that account into the attacker’s hands is unknown, but likely the attacker compromised that personal account or one of the employee’s devices fell into the attacker’s hands, from where they could accessed the Google account and harvested the credentials.

Once in, the attacker was able to use session tokens in the HAR files to impersonate staff and hijack the legitimate Okta sessions of five customers, including 1Password, BeyondTrust, and Cloudflare.

Okta says it has now locked down personal Google access on company-managed computers:

“Okta has implemented a specific configuration option within Chrome Enterprise that prevents sign-in to Chrome on their Okta-managed laptop using a personal Google profile.”

In general, it’s hard to strictly separate the use of devices for work purposes— in a 2020 survey by Malwarebytes, we found that the majority of people do use work devices for personal use. When a device gets assigned to an employee, they consider it more or less as “theirs” and there’s a tendency to start using it for personal matters. Okta could have anticipated this behavior and added additional security measures for such an important account.

A remediation task that is important to note for Okta customers is:

“Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators. Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.”

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

This week on the Lock and Code podcast…

A worrying trend is cropping up amongst Americans, particularly within Generation Z—they’re spying on each other more.

Whether reading someone’s DMs, rifling through a partner’s text messages, or even rummaging through the bags and belongings of someone else, Americans enjoy keeping tabs on one another, especially when they’re in a relationship. According to recent research from Malwarebytes, a shocking 49% of Gen Zers agreed or strongly agreed with the statement: “Being able to track my spouse’s/significant other’s location when they are away is extremely important to me.”

On the Lock and Code podcast with host David Ruiz, we’ve repeatedly tackled the issue of surveillance, from the NSA’s mass communications surveillance program exposed by Edward Snowden, to the targeted use of Pegasus spyware against human rights dissidents and political activists, to the purchase of privately-collected location data by state law enforcement agencies across the country. But the type of surveillance we’re talking about today is different. It isn’t so much “Big Brother”—a concept introduced in the socio-dystopian novel 1984 by author George Orwell. It’s “Little Brother.”

As far back as 2010, in a piece titled “Little Brother is Watching,” author Walter Kirn wrote for the New York Times:

 “As the internet proves every day, it isn’t some stern and monolithic Big Brother that we have to reckon with as we go about our daily lives, it’s a vast cohort of prankish Little Brothers equipped with devices that Orwell, writing 60 years ago, never dreamed of and who are loyal to no organized authority. The invasion of privacy — of others’ privacy but also our own, as we turn our lenses on ourselves in the quest for attention by any means — has been democratized.”

Little Brother is us, recording someone else on our phones and then posting it on social media. Little Brother is us, years ago, Facebook stalking someone because they’re a college crush. Little Brother is us, watching a Ring webcam of a delivery driver, including when they are mishandling a package but also when they are doing a stupid little dance that we requested so we could post it online and get little dopamine hits from the Likes. Little Brother is our anxieties being soothed by watching the shiny blue GPS dots that represent our husbands and our wives, driving back from work.

Little Brother isn’t just surveillance. It is increasingly popular, normalized, and accessible surveillance. And it’s creeping its way into more and more relationships every day. 

So, what can stop it? 

Today, we speak with our guests, Malwarebytes security evangelist Mark Stockley and Malwarebytes Labs editor-in-chief Anna Brading, about the apparent “appeal” of Little Brother surveillance, whether the tenets of privacy can ever fully defeat that surveillance, and what the possible merits of this surveillance could be, including, as Stockley suggested, in revealing government abuses of power. 

“My question to you is, as with all forms of technology, there are two very different sides for this. So is it bad? Is it good? Or is it just oxygen now?” 

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Clinical research company Advarra has reportedly been compromised after a SIM swap on one of their executives.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but one of the most common methods involves tricking the target’s phone carrier into porting the phone number to a new SIM which is under the control of the attacker.

In the case of Advarra, the ransomware group ALPHV reportedly managed to transfer the executive’s cellphone number, allowing them access to the company’s resources and copy information that the group is now threatening to sell.

Advarra entry on the ALPHV leak site

However, Advarra isn’t willing to play ball, saying it doesn’t “pay digital terrorists”.

Advarra said it’s business as usual:

“An Advarra colleague was the victim of a compromise of their phone number. The intruder used this to access some of the employee’s accounts, including LinkedIn, as well as their work account.

We have taken containment actions to prevent further access and are investigating with third-party cyber experts. We also notified federal law enforcement. At this time we believe the matter is contained. We further believe that the intruder never had access to our clients’ or partners’ systems and it is safe to connect to Advarra’s systems. Importantly, we have no evidence that the Advarra systems and products that clients use to interface with us were compromised or accessed. At this time, our business operations have not been disrupted as a result of this activity and we continue to operate as normal. In addition, we continue to take steps to enhance the overall security of our systems in line with industry best practices.

Our investigation remains ongoing, and we will provide additional updates as appropriate.”

Octo Tempest

We recently wrote about the growing concern around criminal gang Octo Tempest. In 2022, Octo Tempest began selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals in order to steal their cryptocurrency. Since then the group has expanded its range of activities to include targeting organizations providing cable telecommunications, email, and tech services, and partnering with the ALPHV ransomware group.

So it’s quite possible that here Octo Tempest used their SIM swapping knowledge to compromise the executive’s account and use that leverage to steal information, which is now being used to extort Advarra

Even if the incident didn’t go down exactly as we think, there are a few takeaways:

• Social engineering has shown time and again to be the most reliable tool for cybercriminals. It can even hurt companies with enterprise grade security.
• The security of your private accounts matters to the company you work for. A breach of one of your accounts can provide an entrance to your employer.
• SIM swapping is one of the reasons why some forms of MFA are better than others. Spoiler alert: text messages and call-based verification are not the best options.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

Last week on Malwarebytes Labs:

• Apache ActiveMQ vulnerability used in ransomware attacks
• YouTube launches “global effort” to block ad blockers
• Should you allow your browser to remember your passwords?
• Atlassian: “Take immediate action” to patch your Confluence Data Center and Server instances
• What Gen Z really cares about when it comes to privacy
• SolarWinds and its CISO accused of misleading investors before major cyberattack
• Patch now! BIG-IP Configuration utility is vulnerable for an authentication bypass
• OneView updates: Dive into Report 2.0 & the new Global Site Filter

Stay safe!

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

On the 27 October, the Apache Software Foundation (ASF) announced a very serious vulnerability in Apache ActiveMQ that can be used to achieve remote code execution (RCE). The Cybersecurity and Infrastructure Security Agency has now added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by November 11, 2023 in order to protect their devices against active threats.

The catalog is a list of vulnerabilities criminals are actively using, so everyone else should act swiftly to patch or mitigate the problem. In this case the criminals are, or at least include, the HelloKitty ransomware group, also known as FiveHands ransomware. The group was first seen in November 2020 and typically uses the double extortion method of both stealing and encrypting data.

The ASF describes the vulnerability as follows:

The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Apache ActiveMQ® is “middleware”, a popular open source, multi-protocol, Java-based message broker. Message brokers like this are often found in enterprise systems where they are used to create reliable communication between different applications and system components. OpenWire is a protocol designed to work with message-oriented middleware. It is the native wire format of ActiveMQ.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE in Apache ActiveMQ is listed as:

CVE-2023-46604 (CVSS3 score 10 out of 10): because OpenWire commands are unmarshalled, by manipulating serialized class types in the OpenWire protocol an attacker could cause the broker to instantiate any class on the classpath. The classpath is a parameter in the Java Virtual Machine or the Java compiler that specifies the location of user-defined classes and packages. This caused a deserialization of untrusted data vulnerability. To fix the issue it was necessary to improve the Openwire marshaller validation test.

To successfully exploit this vulnerability, three things are required:

• Network access
• A manipulated OpenWire “command” (used to instantiate an arbitrary class on the classpath with a String parameter)
• A class on the classpath which can execute arbitrary code simply by instantiating it with a String parameter.

A security update to patch the vulnerability was available on October 25, 2023, but as of October 30, there were still 3,329 internet-exposed servers using a version vulnerable to exploitation. Users are recommended to upgrade Apache ActiveMQ to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. Users of both “Classic” and “Artemis” are recommended to upgrade.

A lot of Indicators of Compromise (IOCs) can be found in this FBI report.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

At Malwarebytes we’ve been telling people for years not to reuse passwords, and that a password manager is a secure way of remembering all the passwords you need for your online accounts.

But we also know that a password manager can be overwhelming, especially when you’re just getting started. Once you’ve stored your tens or even hundreds of passwords, a password manager is relatively convenient to use and keep updated. But you have to get to that stage first and not everyone is at the same level of computer literacy.

So, you may have wondered if there’s another way. No doubt, you’ll have seen the pop ups in your browser asking if you’d like it to save your password for next time. In fact, many browsers refer to that as their password manager.

It’s very convenient, since your browser is usually the application that needs the password, but is it a good idea?

As usual, there are pros and cons.

Encryption. With a browser password manager, someone with access to your browser could see your passwords in clear text, although Windows can be set to ask for authentication (the same you use at startup of your device).

The “Show password’ option

To see the passwords in an actual password manager, an attacker would need to know the password for the password manager or the recovery phrase, which are usually a lot harder to find out than the Windows authentication (if set).

A word of warning here, some password managers have the option to keep you logged in for hours or even days. If there is any chance that anyone may acquire physical access, such settings defeat the added security of a password manager, since the attacker could open the password manager and look at your passwords in more or less the same way as they could in your browser.

Lookalike phishing sites. Both a standalone password manager and the one in your browser will protect you here. They will not fill out your password if the domain doesn’t match the one you saved the password for, which could indicate a phishing site. This can be very useful and this is where it beats writing down the password on a piece of paper or storing it in a text file. I should add that the domains that are worth setting up a fake site for are usually the ones that we would advise you add multi-factor-authentication (MFA) to.

Syncing. If you’ve stored your passwords in the browser and have chosen to synchronize your browser between devices, your passwords will port over as well. This is obviously very convenient, but it’s also a potential danger if someone gets access to one of your devices. A true password manager doesn’t rely on syncing between the same browser on different devices. Once you have the password manager installed on a device, you have it handy to use in any browser or other apps.

Offline. Many password managers cache your passwords locally, so you still have access when your connection is broken. Browser password storage doesn’t allow for this.

Business devices. It’s hard for the IT department to keep track of which user has which passwords saved in their browser. Password managers for businesses give them a better insight and make it easier to revoke passwords when needed.

Password stealers. There are types of malware that are capable of harvesting passwords from your device. They know exactly where browsers store their passwords and the encryption key, so they can steal and send the credentials to the attacker. Password managers are separate to the browser so they’re not at risk in the same way.

Data breaches. Several password managers will warn you if they find that your credentials are involved in a data breach, so you can change them. Browser storage doesn’t do this.

Complex passwords. Humans are bad at creating and remembering complex passwords. A password manager and some browsers can help you create a password that meets the required complexity and store it so you don’t have to remember it.

Side channel attacks. As we saw with a recent bug in Safari, attackers can use the autofill feature in a browser to harvest login credentials for a site. This only works if you have autofill enabled, so to make things a bit safer you can tell your browser to wait for your OK before it fills out the data. Here’s how…

How to disabled autofill

• Brave: Settings > Autofill and passwords > Password Manager > Settings. Toggle off “Sign in automatically”

• Chrome: Settings > Autofill and passwords > Google Password Manager > Settings. Toggle off “Sign in automatically.”

• Edge: Settings > Profiles > Passwords > Settings. There you can toggle off autofill for passwords and for Personal data separately.

• Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and uncheck “Autofill logins and passwords.”

• Opera: Settings > Advanced Settings > Autofill > Password Manager > Settings. Toggle off “Auto Sign-in.”

• Safari: Safari (in the menu bar) > Settings > Autofill. Uncheck “Usernames and passwords” and “Credit cards”.

So should you allow your browser to remember your passwords?

Your browser password manager gives you “ease of use” but that costs you some of your security. Of course, password managers aren’t foolproof either, so it’s important to decide for yourself where you store your passwords.

If you’re confident the website is safe and anyone that can access it under your account will not learn anything new, feel free to store the password in your browser, but disable autofill so you are the one that is in control.

Use MFA where possible. It enormously reduces the risk should someone get hold of your password. And refrain from using the browser password manager to store your credit card details or other sensitive personally identifiable information (e.g. medical information).

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The ongoing struggle between YouTube and ad blockers is turning users into the victims.

YouTube has gone all out in its fight against the use of add-ons, extensions and programs that prevent it from serving ads to viewers around the world. It started out as just a small experiment, but it looks like the company has opened the floodgates for most users now.

A spokesperson for YouTube told Engadget:

“We’ve launched a global effort to urge viewers with ad blockers enabled to allow ads on YouTube or try YouTube Premium for an ad free experience. Ads support a diverse ecosystem of creators globally and allow billions to access their favorite content on YouTube.”

On a support page, YouTube says that if you use ad blockers, you’ll be asked to allow ads on YouTube or sign up for YouTube Premium. If you continue to use ad blockers, YouTube may block you from watching videos at all.

Now, users are flocking to places like Reddit to complain about YouTube’s hardened stance against ad blockers.

Privacy expert Alexander Hanff has filed a complaint with the Irish DPC (Data Protection Commission) about YouTube’s ad block blocking. Hanff says that YouTube needs permission to detect adblockers because by doing so it’s looking at something that is on the visitor’s system. In his complaint, Hanff demands that YouTube stop its anti-ad blocking policy, saying some experts call it “illegal”. 

The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), so any outcome of this complaint might only cause changes for EU residents. We have reported about plans to introduce ad free services by Meta, TikTok, and YouTube as a way to circumvent EU rules that require platforms to get users’ consent in order to show them targeted ads.

Watch out for fakes

With all this going on, users should be extra careful about downloading new ad blockers that claim to circumvent YouTube’s blocking. Oftentimes we’ll see miscreants trying to rip off users by launching non-functional products and promoting potentially unwanted programs (PUPs).

There are many examples of fake ad blocker extensions in the Chrome Web Store that we would advise against installing.

Browser Guard

As you may know, Malwarebytes Browser Guard has a built-in ad blocker. If you still need to access an important site but you’re being asked to disable your ad blocker, you can do this by clicking on the blue M logo in your browser taskbar and set the Ad/Trackers to be disabled for that site.

Browser Guard blocks two entities on www.youtube.com

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.