Security and Google Chrome


Old 9th Sep 2020, 10:21
  #1 (permalink)  
Thread Starter
 
Join Date: Jan 2016
Location: Europe
Posts: 94
Security and Google Chrome

I use Chrome as my main browser and I use the auto password feature whereby Chrome remembers my password and fills it in as I logon.
Now there was a data breach in Chrome many months back and I had to go through many websites changing passwords but once again I am getting alarms that Chrome has leaked all of my passwords less than a month ago.

Perhaps worth checking your password security if you use Chrome, I can't remember seeing much about this on the mainstream media.

Anyone recommend a good password manager for iOS?
DroneDog is offline  
Old 9th Sep 2020, 10:24
  #2 (permalink)  
 
Join Date: Jan 2010
Location: France
Posts: 437
Anyone recommend a good password manager for iOS?
Not sure about the iOS bit ... but you might like to have a gander at Keepass.
Alsacienne is offline  
Old 9th Sep 2020, 11:22
  #3 (permalink)  
 
Join Date: Nov 2004
Location: Schierbrok / Germany
Age: 65
Posts: 15
RoboForm

"Anyone recommend a good password manager for iOS?"
I use RoboForm, syncs over browsers on PC and Smartphone. It does have a subscription though.
Bazzo is offline  
Old 9th Sep 2020, 11:23
  #4 (permalink)  
 
Join Date: Oct 2002
Location: West Wiltshire, UK
Age: 68
Posts: 390
I'm slightly cautious about Chrome, as I used to use Chromium, the true open source browser that was effectively taken over by Google to create Chrome (although Chromium still exists). My concern was that, as they did with taking the open source operating system Linux and using it to create Android, Google inherently made Chrome less secure, as a consequence of their commercially driven elements buried deep within both.

There is a lot of criticism of Chinese companies possibly burying code in their software/firmware that might not be in the best interest of the customer, but the reality is that Google, in particular, have built much of their business by doing exactly this. It's the buried stuff that tracks and categorises every person that uses a Google product that makes Google money, and is the key as to why they are able to charge premium rates for advertising, and attract premium rates for all the data they sell ("analytics", in Google-speak).

Nothing wrong with this, as I guess everyone that uses any product from Google knows that the price they are paying is the data they freely give Google, but it can present some issues if some of that data is misused in some way. The tendency for browsers to include password management is a step too far for me, I effectively have this turned off for anything other than non-critical web browsing. For example, I don't give a stuff about someone finding out my password to log in here, or to browse the BBC news site, but I never use such an "open" browser for something like online banking, or doing anything that needs security. For that I use a non-synced browser (Palemoon) running in a private window. Not perfect, but it does at least mean that neither my machine, nor the browser supplier, can easily store security critical stuff.

It does mean I have to keep a separate record of my log in details, but that's not hard to do. I used to use a small notebook, but recently switched to using a hardware encrypted USB stick, with a fingerprint reader. This hardware encrypts the USB stick contents, and can be easily unlocked with a touch from one of the pre-assigned fingerprints (three of mine from different fingers, two from my wife). All that's on the stick is a text file listing the log in details, so it's not exactly slick, but I guess it's reasonably secure, and easy to carry around. I have it backed up, like a lot of other stuff, in a Veracrypt file on the house NAS, so if the stick failed (as they can) then I should still be able to get at the log in stuff.

I've thought of using a password manager, and may yet choose to go down that route, once I'm confident that they, too, are adequately secure.
VP959 is offline  
Old 9th Sep 2020, 11:33
  #5 (permalink)  
 
Join Date: Aug 2010
Location: UK
Age: 64
Posts: 43
Personally, I'm struggling to reconcile your security fears with the fact that you, by choice, allow the browser to remember your log-in credentials, the two things being (almost) mutually exclusive. I trust you change your password regularly too?
golfbananajam is offline  
Old 9th Sep 2020, 11:34
  #6 (permalink)  
 
Join Date: Feb 2007
Location: England
Posts: 356
I've never trusted password saving in any browser or Google/Yahoo etc.
Have been using Dashlane across Windows and Android. I understand it works on iPhone too. Seems to be completely secure.
Sallyann1234 is offline  
Old 9th Sep 2020, 11:39
  #7 (permalink)  
 
Join Date: May 2004
Location: Москва/Ташкент
Age: 51
Posts: 834
I use a Blackberry Passport phone now that has zero connection to the Google infrastructure, it does e-mails well, browses acceptably (with Opera), great for calls, long battery, and battery lasts days (important as I travel a lot and sometimes not near power for lengths of time), it also has the best screen (1440 x 1440 square is fantastic for docs/emails/web pages). As a "newer" Blackberry, it will work long after RIM (Blackberry) have disappeared, being it uses standard protocols (POP/SMTP/IMAP/CALDAV etc).

Scares me that an Android leaks so much (as does any Google product such as Chrome) back to its masters, including for example the wifi access points you use (so even with GPS off they can deduce approximate location), in fact so much leaks from the device that it does become rather worrying for your privacy (suspect Apple is the same) - the amount of personal information siphoned off is nothing short of criminal.
flash8 is offline  
Old 9th Sep 2020, 11:59
  #8 (permalink)  
 
Join Date: Oct 2002
Location: West Wiltshire, UK
Age: 68
Posts: 390
Originally Posted by flash8 View Post
Scares me that an Android leaks so much (as does any Google product such as Chrome) back to its masters, including for example the wifi access points you use (so even with GPS off they can deduce approximate location), in fact so much leaks from the device that it does become rather worrying for your privacy (suspect Apple is the same) - the amount of personal information siphoned off is nothing short of criminal.
Same here, my concern being driven largely by the demonstration of how much data Google were collecting, shown to me by the chap that looked after the security of our IT systems at work. His view was that Google and Microsoft were the worst offenders, and he had access to Microsoft source code, as we needed that for security reasons (we ran locked down Microsoft products, always older versions, within a secure environment). According to him, Apple security was better, and there was little evidence that Apple themselves embedded stuff in their code for the purpose of Apple collecting data on the scale that Google does. His view was that Apple was a bit lax in what it allowed third party app developers to do, though.

Most people seem happy to have all this personal data siphoned off and used by all and sundry, for any purpose they like, though. It's a bit odd, really, as the same people that might complain about indiscreet photos or videos of them being spread around, have no problem about data about them that's far more revealing being spread around. We even have advertisers using their ability to use this data in their adverts, like the TV one for Experian, where the whole premise of their advertising is that they know EXACTLY all there is to know about you, a feature that allows them to give an allegedly accurate credit rating. One of their main sources of these data will be data aggregators like Google, who will have probably sold Experian much of the data they are using, data that they will have acquired from covertly siphoning it off from millions of users of Google products.
VP959 is offline  
Old 9th Sep 2020, 12:29
  #9 (permalink)  
 
Join Date: Jan 2016
Location: Uk
Posts: 64
Originally Posted by DroneDog View Post
I use Chrome as my main browser and I use the auto password feature whereby Chrome remembers my password and fills it in as I logon.
Now there was a data breach in Chrome many months back and I had to go through many websites changing passwords but once again I am getting alarms that Chrome has leaked all of my passwords less than a month ago.
I am not aware of any data breach from Chrome itself - I imagine there would be the mother of all kerfuffles if there was and I accept I could have missed it - however chrome has a new(ish) feature that checks your passwords in use against historic OTHER data breaches and alerts you if a password breached elsewhere is still currently used by you.

So most likely

a) you use the same password in several places
b) one of those several places has had a breach where your (typically email address) and password have been leaked, which could therefore allow the bad guys to access this other account using the same details
c) Chrome is warning you that this particular username/password is now insecure and should be changed. Nothing to do with Chrome itself, but your pattern of behaviour

I don't see that as a weakness in Chrome, rather the opposite. However the notification that it gives you could perhaps be more clear that "a data breach" means "not from chrome"...

Snyggapa is offline  
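The reuse scenario in points a) to c) of the post above, as an added example that is not part of the original thread and is not how Chrome implements its check. The saved logins, the leaked pairs and the plain SHA-1 comparison are all constructed for illustration.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Stand-in fingerprint so the sample never compares plaintext directly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample: what a browser's saved-login list might hold.
SAVED_LOGINS = [
    {"site": "forum.example", "username": "pilot@example.com", "password": "Tr1cky!Passw0rd-A"},
    {"site": "flights.example", "username": "pilot@example.com", "password": "Tr1cky!Passw0rd-A"},
    {"site": "news.example", "username": "pilot@example.com", "password": "Tr1cky!Passw0rd-A"},
    {"site": "shop.example", "username": "pilot@example.com", "password": "0ther#Passw0rd-B"},
    {"site": "bank.example", "username": "pilot", "password": "Un1que&Long-C"},
]

# Constructed sample: (username, password fingerprint) pairs leaked by ONE
# third-party site (forum.example). Nothing here came from the browser.
BREACH_DUMP = {
    ("pilot@example.com", sha1_hex("Tr1cky!Passw0rd-A")),
    ("someone@example.org", sha1_hex("hunter2")),
}


def audit(saved, breached):
    """Flag every saved login whose username/password pair appears in a breach,
    and list the other sites that share the same pair."""
    by_pair = defaultdict(list)
    for entry in saved:
        by_pair[(entry["username"], sha1_hex(entry["password"]))].append(entry["site"])

    report = {}
    for entry in saved:
        pair = (entry["username"], sha1_hex(entry["password"]))
        report[entry["site"]] = {
            "compromised": pair in breached,
            "shared_with": sorted(s for s in by_pair[pair] if s != entry["site"]),
        }
    return report


def compromised_sites(saved, breached):
    """Sites that need a password change, sorted for stable output."""
    return sorted(site for site, r in audit(saved, breached).items() if r["compromised"])


if __name__ == "__main__":
    for site, result in audit(SAVED_LOGINS, BREACH_DUMP).items():
        print(site, result)
```

One leaked pair marks three saved logins as compromised because the same pair was reused; the strength of the password itself makes no difference once the pair is in a dump.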
Old 9th Sep 2020, 14:34
  #10 (permalink)  
Thread Starter
 
Join Date: Jan 2016
Location: Europe
Posts: 94
Originally Posted by Snyggapa View Post
I am not aware of any data breach from Chrome itself - I imagine there would be the mother of all kerfuffles if there was and I accept I could have missed it - however chrome has a new(ish) feature that checks your passwords in use against historic OTHER data breaches and alerts you if a password breached elsewhere is still currently used by you.

So most likely

a) you use the same password in several places
b) one of those several places has had a breach where your (typically email address) and password have been leaked, which could therefore allow the bad guys to access this other account using the same details
c) Chrome is warning you that this particular username/password is now insecure and should be changed. Nothing to do with Chrome itself, but your pattern of behaviour

I don't see that as a weakness in Chrome, rather the opposite. However the notification that it gives you could perhaps be more clear that "a data breach" means "not from chrome"...

Hi Snyggapa,

Yes, I made the mistake of trusting Google. Anyhow, when I accessed my password manager some months back it flagged that some passwords had been hacked. So I sat down and changed every password. I use a combination of letters, numbers and special characters and the passwords are not short. So checking my password manager yesterday I noticed an alarm icon with the message "57 compromised passwords". These were the new passwords, only a few months old. I always update my machines to the latest OS and I run an additional security programme, "Hands Off". This software monitors every port and is a border check for data entering and leaving the machine. All my apps are via the app store.

Re my mammoth password change a few months back, I did use the same password for every three sites then I changed to another (60 odd sites to do). The password breach is across many, all with different passwords.
All my banking stuff and sensitive stuff is very secure and not saved, it's just passwords to forums or maybe booking a flight somewhere.
I firmly believe Google is leaking like a sieve.

Last edited by DroneDog; 9th Sep 2020 at 15:00.
DroneDog is offline  
Old 9th Sep 2020, 14:55
  #11 (permalink)  
 
Join Date: Oct 2002
Location: West Wiltshire, UK
Age: 68
Posts: 390
Google data has to be an extremely attractive target for any criminals looking for data. They are probably the largest single personal data collection and storage company in the world, and hold so much information about so many people that I'd guess they are under constant attack. Given their size, I suspect there are probably more leaks from their repositories than are ever made public. This isn't intended as a specific criticism of Google, it's just that ANY centralised system that collects and stores a great deal of personal data is going to make itself a target, and it doesn't really matter how good they make their security systems, as there are both people busy trying to find ways around them all the time and their organisation itself will suffer from human error from time to time.

The only way to keep stuff secure, IMHO, is to never allow it out of your own clutches. The less that escapes into the hands of any data collection and storage company, the less will be available to the criminals who want to try and get hold of it.
VP959 is offline  
Old 9th Sep 2020, 17:10
  #12 (permalink)  
 
Join Date: May 2004
Location: Москва/Ташкент
Age: 51
Posts: 834
Obviously the most worrisome aspect is the synthesis of data (and associated AI back-ends) that allows Google (and Apple) to build up a scarily accurate profile of a user that goes I imagine far far beyond what most people suspect. This includes (with GMail) semantic (aka meta) analysis of traffic (much like GCHQ and others perform on network traffic) so the profile becomes increasingly personal, including analysing linking to colleagues/friends and anyone else, as well as auto upload of images.

The allowance of the closed source blob that is "Google Services" on the phone (which is mandatory if the Play Store is installed, which pretty much covers 99% of phones) means all sorts of trickery likely abound.

Apple or Google - you are signing away your privacy for life.

Good point VP about the data!
flash8 is offline  
Old 10th Sep 2020, 14:27
  #13 (permalink)  
Cunning Artificer
 
Join Date: Jun 2001
Location: The spiritual home of DeHavilland
Age: 73
Posts: 3,121
I'm wondering what all the folk worrying about their "privacy" are hiding and why, if it's that important, they don't store their data on a separate stand-alone computer that isn't connected to any network? A Hardware Firewall.

I have no banking or other financial data on my laptop or phone. My address is a matter of record on the Electoral Roll. My date of birth is shown incorrectly on my social media accounts.

Last edited by Blacksheep; 10th Sep 2020 at 14:39.
Blacksheep is offline  
Old 10th Sep 2020, 15:08
  #14 (permalink)  
 
Join Date: Oct 2002
Location: West Wiltshire, UK
Age: 68
Posts: 390
Originally Posted by Blacksheep View Post
I'm wondering what all the folk worrying about their "privacy" are hiding and why, if it's that important, they don't store their data on a separate stand-alone computer that isn't connected to any network? A Hardware Firewall.

I have no banking or other financial data on my laptop or phone. My address is a matter of record on the Electoral Roll. My date of birth is shown incorrectly on my social media accounts.
My concern isn't so much about personal information that has always been easy to get hold of, it's about the ease with which lots of small snippets of information that's acquired by these big data collection and storage companies can be collated to deduce information about me that I would very much prefer were kept confidential.

An example, from the time when the NHS decided it was going to digitise all personal medical records and anonymise them, in order to (supposedly) keep them confidential. The idea was that researchers could access the medical records of everyone in the UK, but they shouldn't be able to tie a record to an individual's identity. Lots of researchers and businesses wanted this data, from those studying diseases to insurance companies assessing risk.

I was a bit concerned about this, mainly because we'd had a security briefing at work by a couple of people from GCHQ, highlighting the way that collating seemingly innocent bits of data could often give a very clear picture of what someone was really up to. I did an experiment. I made an FoE request for the anonymised copy of my medical records. Sure enough, this file didn't have my name, NHS number, address or date of birth on it, it was just a record of every treatment I'd received over the years. One treatment was a 4 week stay in a (named in the record) hospital, with details of the injuries sustained and treatment administered following a motorcycle accident. Dates were given for this treatment in the record, so I just spent five minutes doing a web search for local newspaper reports, within the area of the named hospital, for motorcycle accidents at that time. There was only one that matched my record, and the newspaper report gave my name, age and address. The paper followed up some months later with a report of my court appearance, sentence, etc, and that court record contained my date of birth. It was then very easy to get hold of my current address, car registration number, whether my car was currently taxed and MoTd, etc from the internet. Knowing that there is a simple algorithm that creates a driving licence number from my name and date of birth, it was easy to recreate that, too.

In the space of maybe an hour's work, by someone (me) who was fumbling around not knowing for sure how to go about things, I had put my name, date of birth and current address to my full medical record (available to anyone that asks for it, in anonymised form, it seems), plus I'd got the registration number, make and model of my car, its current tax and MoT status, my driving licence number and my full criminal record. All this, from one, seemingly innocent, anonymised medical record. I could have spent more time on it and collated a lot more data, I'm sure, but I pretty much had enough information from just this short session to set up a fake bank account, I suspect, or set about one of the many forms of identity fraud that seem to abound. I'm sure there are automated tools that will do all this data correlation available. If GCHQ have had tools to do this for decades, I'm sure that the criminal fraternity also have them.

In my case I had nothing to hide, so wasn't that bothered. However, when I mentioned this to an old friend of my mother's when I was around there, she went as white as a sheet, burst into tears, and ran out of the house. My mother later told me (in confidence at the time, but they are both long dead now) that her friend had been raped when she was younger, had an abortion, been thrown out of the church for doing this, lost most of her friends and tried to take her own life. All this was decades earlier, but she realised from my story that anyone could do as I had done, collate her supposedly anonymous medical record with other information that was already in the public domain, and bring up the whole traumatic part of her life again, even though she'd made a new life hundreds of miles away.

This sort of data collection and correlation is how companies like Google (and they are far from being alone) add value to their customers. Snippets of personal data on their own don't tell much of a story, but when combined with lots of other snippets they can reconstruct a pretty comprehensive picture of someone's private life. Some might not be too bothered by that, but this process is indiscriminate, and there will be many that would be pretty upset at finding out just how much of their private life could be made public pretty easily.
VP959 is offline  
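A check a data custodian could run before releasing records like the one described in the post above, as an added example that is not part of the original thread: it measures k-anonymity over the fields left in a record after names are stripped. The rows, column names and values are constructed.

```python
from collections import Counter

# Constructed sample of an "anonymised" release: no name, number, address or
# date of birth, but hospital, admission month and cause are still present.
RELEASE = [
    {"record": "r1", "hospital": "Hospital A", "admitted": "1985-06", "cause": "motorcycle accident"},
    {"record": "r2", "hospital": "Hospital A", "admitted": "1985-06", "cause": "fall"},
    {"record": "r3", "hospital": "Hospital A", "admitted": "1985-06", "cause": "fall"},
    {"record": "r4", "hospital": "Hospital B", "admitted": "1985-07", "cause": "fall"},
    {"record": "r5", "hospital": "Hospital B", "admitted": "1985-07", "cause": "fall"},
]

# Quasi-identifiers: fields that are not identifying alone but can be matched
# against outside sources such as a local newspaper report.
QUASI_IDENTIFIERS = ("hospital", "admitted", "cause")


def class_sizes(rows, columns):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(row[c] for c in columns) for row in rows)


def k_anonymity(rows, columns):
    """Smallest group size; k == 1 means at least one record is unique."""
    return min(class_sizes(rows, columns).values())


def at_risk(rows, columns, k=2):
    """Records whose quasi-identifier combination is shared by fewer than k rows."""
    sizes = class_sizes(rows, columns)
    return [row["record"] for row in rows if sizes[tuple(row[c] for c in columns)] < k]


def generalise(rows, column):
    """Suppress one column (replace its values with '*') before release."""
    return [{**row, column: "*"} for row in rows]


if __name__ == "__main__":
    print("k before:", k_anonymity(RELEASE, QUASI_IDENTIFIERS))
    print("at risk :", at_risk(RELEASE, QUASI_IDENTIFIERS))
    safer = generalise(RELEASE, "cause")
    print("k after :", k_anonymity(safer, QUASI_IDENTIFIERS))
```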
Old 10th Sep 2020, 19:45
  #15 (permalink)  
 
Join Date: May 2004
Location: Москва/Ташкент
Age: 51
Posts: 834
I'm wondering what all the folk worrying about their "privacy" are hiding and why, if it's that important
Potential for misuse, I'd trust these large corporates as far as I could throw them, as the saying goes.
flash8 is offline  
