"It's also not clear how any other tool would have detected the long-lived, persistent outbound connection with relatively low bandwidth"
Perhaps, but this extension could have been stealthier. It was using a plaintext web socket on port 6332. If the extension author had instead gotten a Google analytics account, and exfiltrated data via encrypted https GETS to Google servers, it might have never been spotted. That kind of traffic likely happens 24/7 in a typical corporate environment.
Totally. This extension was trying to be stealthy about exfiltrating data...but it wasn’t trying that hard. As noted in the article, the same developer had at least one other extension using the same code to obfuscate and exfiltrate data. Seems like sort of a spray and pray approach
The blog post was moderately informative/useful and interesting, marketing brochure website behind it next to useless and can't find anything meaningful about what they actually sell or do. Frustrating follow-up experience for me that reminds me of most enterprise ISVs.
It is a network traffic analysis product. You send it traffic via port mirror and it analyzes for shady behavior. Here’s the main overview of what it is https://www.extrahop.com/products/security/
If you want more than the marketing pages, there is a good set of "concept" courses available for free on ExtraHop's training site https://customer.training.extrahop.com/
This is a serious issue with Chrome Store. Google doesn't properly warn users that the store is not premoderated and can contain malware. Instead, they have made a colourful positively looking site without necessary warnings.
Yep that’s a great point. That deprecation probably contributed to the gap that the malware uploader exploited. People expect an extension called postman, and they find it. Their guard is down and they download the fake one. I don’t know the solution but there has to be a better way for App/extension stores to handle this relatively common scenario.
Because the visibility of the Arc Welder extension (the one that lets you use Android apps on desktop chrome) is set to hidden, which hides it from both Web Store and Google Searches, there are malicious extensions that take advantage of this and will become the top search result for Arc Welder. And if you don't know where to look, it can be very hard to find the real link for Arc Welder. So as a result, these malicious Arc Welders often get many thousands of installs before being taken down. Very frustrating because even if you report them immediately after they are added, it takes a few days to take them down.
Yeah, that is incredibly frustrating. It seems to me that many of these types of scams target general consumers, piggybacking on legitimate app's names to get a few thousand people to pay a buck or give you some personal info, etc. These instances that target developer tools have the potential to do a different kind of damage to peoples' livelihoods.
As of this writing, the malicious "Postman" extension is still available in the Google Chrome extension store and has been downloaded over 27,000 times.
This is pretty much par for the course, unfortunately.
It's not a "necessity," it's a personal preference.
I started out programming on a dark theme (the emacs default) but I've used a light theme professionally for about 15 years (and no other dark applications). I prefer the light theme and I don't find it hard on my eyes one bit and I have astigmatism.
Probably because all true hackers sit all day long in a dark underground room, lit only by the dim glow of their monitor refracting through puffs of cigarette smoke.
It was sending off URLs visited by the host machine. Browsing history, essentially, which could be benign except that when your machine is inside a corp network you might be visiting all kinds of internal resources with URLs that shouldn’t be public/with sensitive info included in the resource locator, GET/POST contents, etc
Generally speaking anyone can create malicious software disguised in various way, so FOSS project included.
However instead of creating a "antivirus" vs "virus" classic scenario, that we all know it doesn't work my lines is: all must be open (hw, sw) and developed in a FOSS way from the start.
For instance if you are an hw OEM who want to produce a new GNU/Linux phone? Ok, start work on it in a public repo. If your project interest others, many with valuable skills came to help. Perhaps including some bad one. But the community will protect you, because you publish from the start the rate of benevolent and interested individuals that follow your project from the start will likely detect any bad guys, far better than any software, heuristic and even "AI" in general terms. After you know that community give credit so if the project will be successful people will buy your product, paying you back for your part of work and physical production. Other, of course, may use your schematics and software for free but if they add competitive features you get them back for free because of FOSS licensing, if they do not respect licenses you'll get backed by FSF&c that have a firepower and advertising capability normally superior to any new company/startup. Otherwise if there is only a price competition many will go for the cheap, many, not all. And if you and the community keep innovate the project you keep gaining money, no different than pharmaceutical industry that do research vs pharmaceutical "generic" industry.
Long story short: I can't trust closed sources extensions nor more nor less than closed source security software, I can't trust a company no more than another (only reputation can lead to small percentage variations). So I do my best to avoid inoculate in my systems software that I can't trust... Good assessments are still needed but they are IMO not really much valuable without the openness at the base: the need of trust is a weakness, so we need to being able to trust each other with the power of verify trust at the core, not only at the skin.
Perhaps, but this extension could have been stealthier. It was using a plaintext web socket on port 6332. If the extension author had instead gotten a Google analytics account, and exfiltrated data via encrypted https GETS to Google servers, it might have never been spotted. That kind of traffic likely happens 24/7 in a typical corporate environment.