Drop #295 (2023-07-13): Self-Control/Self-Worth
Blorp; Webbkoll; What's It Worth?
Today, we focus on you and your online privacy, with tools to help you protect yourself in-browser and on websites (that you visit or build), plus one that shows just how much you are worth (to attackers).
This section is short, as Blorp is an incredibly focused browser extension.
Rather than maintain a giant list of URL patterns to block, Blorp puts you in control of what you want to block. The filtering capabilities are surprisingly robust, and you load it from source, so it's way less risky (provided you audit the code) than installing a random extension from the store, even the popular ones.
Webbkoll is an online tool developed by Dataskydd.net, a Swedish non-governmental organization, that helps users check the privacy-enhancing features of websites. It aims to provide users with information about how websites handle their privacy and to what extent they monitor user behavior and share this information with third parties. It's primarily intended to be used as a starting point for web developers to improve their websites' privacy features.
When analyzing a website, the app simulates a typical user visit using Chromium, the browser that Google Chrome is based on, without any addons/extensions installed and with Do Not Track (DNT) disabled. It collects data such as requests/responses, cookies, and other information to present an analysis of the website's privacy features. Other checks include:
Content Security Policy (CSP): Ensuring that the website has a proper CSP in place to protect against cross-site scripting (XSS) and other code injection attacks.
Referrer Policy: Checking if the website has a referrer policy set to prevent leaking referrer information in various situations.
Subresource Integrity (SRI): Verifying if the website implements SRI for resources loaded from similar origins to ensure the integrity of external scripts and stylesheets.
HTTP headers: Analyzing various HTTP headers related to security and privacy, such as X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection.
The results can also help web developers identify areas where their websites may be lacking in privacy protection and provide recommendations for improvements. By using the service to analyze and improve their websites, developers can help protect users' privacy and ensure compliance with data protection regulations, such as the (ugh) European Union's General Data Protection Regulation (GDPR).
I feel compelled to note that Webbkoll is not a comprehensive privacy analysis tool (most similar tools are also not comprehensive). As such, it should be used in conjunction with other tools and best practices to ensure a website's privacy features are robust and effective.
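To make the header, CSP, Referrer Policy and SRI checks listed above concrete, here is an added Python example (not Webbkoll's code and not from the original post) that audits one response offline. The function and variable names, the `example.org`/`cdn.example` hosts and the sample response are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Headers named in the checks above (presence only).
CHECKED = ("content-security-policy", "referrer-policy",
           "x-content-type-options", "x-frame-options", "x-xss-protection")
# Constructed sample response, not captured from any real site.
SAMPLE_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
                  "Referrer-Policy": "unsafe-url", "X-Content-Type-Options": "nosniff"}
SAMPLE_HTML = ('<link rel="stylesheet" href="/site.css">'
               '<script src="https://cdn.example/lib.js"></script>'
               '<script src="https://cdn.example/ok.js" integrity="sha384-PLACEHOLDER"></script>')

class _Subresources(HTMLParser):
    """Collect (url, has_integrity) for <script src> and stylesheet <link href>."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_css = tag == "link" and "stylesheet" in (a.get("rel") or "").lower()
        url = a.get("src") if tag == "script" else a.get("href") if is_css else None
        if url:
            self.found.append((url, bool(a.get("integrity"))))

def _script_sources(csp):
    """Source list governing scripts: script-src, else the default-src fallback."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.lower().split()
        if tokens:
            directives.setdefault(tokens[0], tokens[1:])  # first occurrence wins
    return directives.get("script-src", directives.get("default-src"))

def audit(page_url, headers, html):
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    src = _script_sources(h.get("content-security-policy", ""))
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    strict = src is not None and any(s.startswith(("'nonce-", "'sha")) for s in src)
    referrer = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    parser = _Subresources()
    parser.feed(html)
    host = urlparse(page_url).hostname
    return {
        "missing_headers": [n for n in CHECKED if n not in h],
        "csp_allows_inline_script": src is None or ("'unsafe-inline'" in src and not strict),
        "referrer_leaks_full_url": referrer in ("unsafe-url", "no-referrer-when-downgrade"),
        "external_without_sri": [u for u, ok in parser.found
                                 if not ok and urlparse(u).hostname not in (None, host)],
    }
```

Calling `audit("https://www.example.org/", SAMPLE_HEADERS, SAMPLE_HTML)` returns a dict of findings; a missing header is reported only as missing, so pair it with a value review before treating a present header as sufficient.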
What's It Worth?
When I talk to folks outside cybersecurity, many are still surprised to learn that their data is valuable to attackers. Just how valuable is it?
Privacy Affairs has released its Dark Web Price Index for 2023, which provides insights into the supply and prices of various illegal goods and services sold by cybercriminals on the (sigh) "dark web".
The research was conducted in 2022 and Q1 2023, during which dark web markets continued to flourish despite the seizure of many major darknet markets by law enforcement in the latter half of 2022.
Some of the findings from the research include:
Credit card data: The average dark web price for credit card details with an account balance of up to $5,000 is $110, while details with an account balance of up to $1,000 cost $70.
Hacked accounts: A hacked Card.com account is priced at $75, and stolen online banking logins with a minimum of $2,000 on the account are sold for $60.
United Arab Emirates credit card with CVV: These cards are sold for an average price of $35.
DDoS attacks: The price for a DDoS attack on a premium protected website with 20-50k requests per second and multiple elite proxies for 24 hours is $170, while an unprotected website with 10-50k requests per second for 24 hours costs $35.
There are lots more record/account types listed, as well as prices for malware, forged documents, hacking services, and more.
If you manage to read past the table, their research also highlights the ongoing growth and resilience of dark web markets, despite law enforcement efforts to shut them down.
Looks like ChatGPT might get dinged for their own privacy violations. ☮