Updates Yandex browser discussion (Split Thread)

Will you use the Yandex browser after reading this article?

  • Yes: 1 vote (11.1%)
  • No: 7 votes (77.8%)
  • Maybe: 1 vote (11.1%)

Total voters: 9. Poll closed.
Status
Not open for further replies.

Slyguy

Level 44
Jan 27, 2017
3,328
That was a quick U-turn.

I've been using Chrome since 2010 and have not had a single issue about not trusting Google. Likewise with Microsoft and Apple, these giants have nothing to hide, well mostly nothing.

Watch video: Why Enthusiast Brands will Betray You
https://www.youtube.com/watch?v=FJgTKx-rg18

I've always been cautious about enthusiast brands. It's been confirmed some of those de-googled Chromium builds are backdoored and/or redirectors.

Yandex is clean, fast and exceedingly sexy for a browser but 100% untrustworthy now IMO. Similar to Opera, I do not trust Opera at all anymore either after my last tests with them and its backend pinging phishing domains on a fresh install. But Yandex, still connecting to Yandex domains even without Yandex on the system, is hilarious and bordering on malware activity.

I still feel dirty from Yandex and feel like I need to format machines that were tainted by it. But after going over everything, they appear to have been removed properly (with some manual work).
 

Sunshine-boy

Level 27
Verified
Apr 1, 2017
1,686

Slyguy

Level 44
Jan 27, 2017
3,328
I've resolved to use Chrome, then do some extra work to lock it down and reduce telemetry. Chrome just works... everywhere.

1) I found most 'forks' to have their own problems, own security holes, or even their own redirects, which I trust WAY less than Google.
2) I found most non-Chrome products to have issues. Vivaldi gathers its own telemetry and is slow. Firefox doesn't work with multiple extensions correctly. Opera has its own telemetry, pulls up phishing sites on launch and hits Ukrainian banks. Yandex, well..

Tired of playing musical browsers. So are people in the house. Chromebooks use Chrome, everyone is used to it, it works everywhere, and has no issues that I know of. It's not perfect, but it's what seems to eliminate the games I need to play constantly monitoring forks and fixing crap. So I disable a lot in flags, turn off a bunch of stuff and use the command line of: -disable-background-networking --disable-component-extensions-with-background-pages --dns-prefetch-disable --no-pings --disable-logging

Then leave it at that..
 

Deleted member 65228

If you would put documents in ProgramFiles, ransomware should not be able to touch them.
Unless the ransomware is elevated.

told me that AppData is not a safe place for the browser! But why? I don't know the reason
It's because you can access the directory (and also perform modifications to it) without administrator rights.

However, that does not mean that storing under Program Files (or other protected directories) is always 100% safe either, because to do that a component would need additional privileges, which could potentially be abused for privilege escalation should the component have unknown vulnerabilities that are later found and exploited.

Therefore, if data is stored in a protected directory and your system becomes infected with non-elevated malicious software, then the data within the protected directory is likely safe.

It's in the best interest of a web browser not to have administrator rights, because it helps reduce damage in the case of exploitation. Standard rights + built-in security mechanisms such as sandbox containment all work together to make the browser secure, and sensitive content stored on disk is usually encrypted/locked (but like everything, it isn't going to be foolproof).
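The point above (a standard-rights process can modify AppData but not Program Files) is easy to see for yourself. The following PowerShell is an added example, not code from this thread or from any browser vendor: it reads the DACL of a directory and also probes an actual write with the token the shell is running under. The SIDs for BUILTIN\Users, Authenticated Users and Everyone are well known; the probe file name is an assumption of the example.

```powershell
# Added example, not code from the thread: compare what the current token may write to
# in a per-user location (%LOCALAPPDATA%) versus a protected one (%ProgramFiles%).
# Run it once from a normal prompt and once from an elevated one to see the difference.
function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)

    # BUILTIN\Users, NT AUTHORITY\Authenticated Users, Everyone
    $broadSids = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    # 1) Static view: does any Allow ACE grant a broad group a write right?
    $aclGrantsWrite = $false
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned SID, cannot be one of the broad groups
        if ($broadSids -contains $sid -and (($ace.FileSystemRights -band $writeBits) -ne 0)) {
            $aclGrantsWrite = $true
        }
    }

    # 2) Dynamic view: try to create and remove a file with the token we actually have.
    $probe = Join-Path $Path ('writeprobe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    $probeSucceeded = $false
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        $probeSucceeded = $true
    } catch {
        $probeSucceeded = $false
    }

    [pscustomobject]@{
        Path                = $Path
        AclGrantsUsersWrite = $aclGrantsWrite
        ProbeWriteSucceeded = $probeSucceeded
    }
}

$identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isElevated = ([System.Security.Principal.WindowsPrincipal]$identity).IsInRole(
                 [System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Token: $($identity.Name)  elevated: $isElevated"

$env:LOCALAPPDATA, $env:ProgramFiles |
    ForEach-Object { Test-DirectoryWritable -Path $_ } |
    Format-Table -AutoSize
```

One caveat when reading the probe result: PowerShell carries an application manifest, so a failed write under Program Files is a real access-denied. A 32-bit program without a manifest would instead be silently redirected to the per-user VirtualStore by UAC file virtualization and appear to "succeed", which is why checking the DACL and probing the write are both useful.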
 

Deleted member 65228

Luckily ransomware uses SYSTEM rights (SeTcbPrivilege), deny SYSTEM and ransomware is harmless.
Ransomware cannot spawn under the NT AUTHORITY account (aka SYSTEM) post Windows XP without a zero-day exploit, unless it already has administrative rights to register a Windows Service, which can then steal the SYSTEM token (e.g. NtOpenProcessToken, NtDuplicateToken) from an existing SYSTEM process and spawn the process containing the ransomware payload using the stolen token (e.g. via CreateProcessAsUser). That wouldn't make much sense other than to display a UI from a SYSTEM process, given that it could just contain the payload within the initial Windows Service; unless of course an exploit is deployed to abuse a vulnerability in a component of another software package on the environment for privilege escalation, in which case it'd make perfect sense.

You used to be able to steal the SYSTEM token and spawn a process with it without already being in session 0 back in the Windows 2000 and Windows XP days, but that all changed with the introduction of administrative rights/User Account Control, among many other changes introduced in Windows Vista.

On that note, standard rights is more than enough to do damage with a file encryption payload in most scenarios, because average users tend to keep their data in average locations, such as: Documents, Photos, Music, Downloads and Desktop, or on removable media left plugged into the machine.

Standard-rights processes cannot adjust their privileges via NtAdjustTokenPrivileges either.
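Two checks that follow from the post above, as an added PowerShell example (not code from the thread). The first shows the distinction that matters for AdjustTokenPrivileges: a privilege that is present but disabled in the token can be enabled, while one that is absent from a standard-rights token cannot be enabled at all. The second lists services configured to run as LocalSystem from a binary outside %SystemRoot%, which is the "register a Windows Service" route the post describes. The list of privileges to look at is the example's own choice.

```powershell
# Added example, not code from the thread: which interesting privileges are present in
# the current token (present-but-disabled can be enabled with AdjustTokenPrivileges;
# absent cannot), and which services run as SYSTEM from outside %SystemRoot%.
function Get-TokenPrivilegeSummary {
    # whoami /priv prints every privilege held by the token, enabled or disabled.
    $held = whoami /priv /fo csv | ConvertFrom-Csv
    $interesting = 'SeTcbPrivilege', 'SeDebugPrivilege', 'SeImpersonatePrivilege',
                   'SeLoadDriverPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege'
    foreach ($name in $interesting) {
        $row = $held | Where-Object { $_.'Privilege Name' -eq $name }
        [pscustomobject]@{
            Privilege = $name
            InToken   = [bool]$row
            State     = if ($row) { $row.State } else { 'absent (cannot be enabled)' }
        }
    }
}

function Get-SystemServiceOutsideSystemRoot {
    # Services whose account is LocalSystem and whose binary does not live under
    # %SystemRoot%. Legitimate third-party services appear here too; this is a
    # review list, not a verdict.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -eq 'LocalSystem' -and
            $_.PathName -and
            $_.PathName.TrimStart('"') -notlike "$env:SystemRoot\*"
        } |
        Select-Object Name, State, StartMode, StartName, PathName
}

$principal = [System.Security.Principal.WindowsPrincipal][System.Security.Principal.WindowsIdentity]::GetCurrent()
'Elevated: ' + $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Get-TokenPrivilegeSummary | Format-Table -AutoSize
Get-SystemServiceOutsideSystemRoot | Format-Table -AutoSize
```

Run from a normal prompt, SeTcbPrivilege and SeDebugPrivilege show as absent; from an elevated prompt, SeDebugPrivilege is typically present but disabled (and so enableable), while SeTcbPrivilege is still absent because it belongs to the SYSTEM token, not to administrators.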
 

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,076
Ransomware always tries to get the highest privileges (and that is its weakness), since the user can have a limited access, but SYSTEM does not.

Video: https://youtu.be/hZKLEw-Our4?t=5m23s
 

Deleted member 65228

Ransomware always tries to get the highest privileges
No, it depends on the ransomware.

The video you linked to is about the NotPetya variant. The dropped perfc.dat file is actually a Portable Executable (a *.dll, to be precise), and the payload contained within this module will check its current privileges and attempt to enable others -> rundll32.exe executes the module's code.

This doesn't mean all ransomware will attempt to enable as many privileges as it can though.
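A detection angle on the post above, as an added PowerShell example (not code from the thread): rundll32.exe loading a module with a non-.dll extension such as perfc.dat, calling an export by ordinal, or loading from a user-writable path are the properties worth flagging in process-creation telemetry. The command lines in `$samples` are constructed for the example; the Sysmon function is an optional live source and assumes Sysmon is installed and the session can read its operational log.

```powershell
# Added example, not code from the thread: flag rundll32 invocations that look like
# the perfc.dat pattern. Sample command lines below are constructed, not real telemetry.
function Test-Rundll32CommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # rundll32 syntax is: rundll32.exe <module>,<entrypoint> [arguments]
    $pattern = '(?i)rundll32(?:\.exe)?"?\s+"?(?<module>[^",]+?)"?\s*,\s*(?<entry>\S+)'
    if ($CommandLine -notmatch $pattern) {
        return [pscustomobject]@{
            CommandLine = $CommandLine; Module = $null; Entry = $null
            Suspicious  = $false;       Reasons = @('not a rundll32 <module>,<entry> invocation')
        }
    }
    $module  = $Matches['module']
    $entry   = $Matches['entry']
    $reasons = New-Object System.Collections.Generic.List[string]

    $ext = [IO.Path]::GetExtension($module)
    if ($ext -ne '.dll') { $reasons.Add("module extension '$ext' is not .dll") }
    if ($entry -match '^#\d+$') { $reasons.Add("export called by ordinal $entry rather than by name") }
    if ([IO.Path]::GetFileName($module) -ieq 'perfc.dat') { $reasons.Add('module name is perfc.dat (NotPetya dropped file)') }
    if ($module -match '(?i)^[a-z]:\\(users|programdata|windows\\temp)\\') { $reasons.Add('module loaded from a user-writable location') }

    [pscustomobject]@{
        CommandLine = $CommandLine; Module = $module; Entry = $entry
        Suspicious  = $reasons.Count -gt 0
        Reasons     = $reasons.ToArray()
    }
}

function Get-Rundll32CommandLineFromSysmon {
    # Optional live source: Sysmon process-creation events (Event ID 1), rundll32 only.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cmd -match '(?i)rundll32') { $cmd }
        }
}

# Constructed sample command lines (not real telemetry).
$samples = @(
    'rundll32.exe shell32.dll,Control_RunDLL',
    '"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\helper.dll",RunTask /quiet',
    'rundll32.exe C:\Windows\perfc.dat,#1',
    'rundll32.exe C:\Users\Public\update.dat,#2',
    'C:\Windows\System32\notepad.exe notes.txt'
)
$samples | ForEach-Object { Test-Rundll32CommandLine -CommandLine $_ } |
    Format-Table CommandLine, Suspicious, @{ n = 'Reasons'; e = { $_.Reasons -join '; ' } } -AutoSize
```

Of the samples, only the two .dat invocations are flagged; the shell32.dll and vendor helper.dll lines pass, and the notepad line is reported as not a rundll32 invocation. Note that a module placed under C:\Windows is not caught by the user-writable-path rule, so the extension and ordinal rules are the ones doing the work for the perfc.dat case. To run against real data, replace `$samples` with `Get-Rundll32CommandLineFromSysmon`.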
 

Deleted member 65228

On that note, NotPetya has support for credential theft, use of PsExec (from SysInternals), and exploitation with EternalBlue and EternalRomance (leaked government exploits, the vulnerabilities exploited have since been patched now of course).

On top of all of that, the MBR destruction was just nasty of them.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,886
Ransomware always tries to get the highest privileges (and that is its weakness), since the user can have a limited access, but SYSTEM does not.

Video: https://youtu.be/hZKLEw-Our4?t=5m23s
Most dangerous ransomware will try to get the highest possible privileges, but as in the case of NotPetya, they will continue to work as standard user if elevation would fail.
 

yitworths

Level 10
Verified
May 31, 2015
476
I do use Yandex browser on a daily basis & I haven't come across this kind of issue ever. Btw, I've disabled its auto-update service & some other features. I do update it manually. I keep using it because of its security features. Yandex collaborates with Sophos & Kaspersky. That's dope. I do use it for all of my online transactions & never find anything suspicious. One thing which nags me is that whenever I launch Yandex it asks for usage statistics permission, as I've disabled it. In the case of telemetry, I don't believe any browser is trustworthy. I do use Opera and Firefox most of the time, Chrome only for YouTube (when logged in). I do check Vivaldi from time to time. One thing I'm convinced of is that they do use different tactics to gather the same kind of info.
 

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,076
Just updated the browser and this showed. It might be useless info for most, but it is a nice touch, considering everything.

Link in the picture: Sending data to the server by the browser

Everything is nicely described, some features act the same way, like sending data (like Cortana search). I am impressed.
 

[Attachment: capture_05182018_130345.jpg]

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,076
I have just noticed that the Yandex company is sure proud to be Russian.

[Image: capture_07082018_141520.jpg]

On a side note, dnscrypt.nl has been updated to dnscrypt v2 and stopped working within Yandex, so I assume that Yandex still uses version 1.

[Image: capture_07082018_141843.jpg]
If it continues this way, there will be no DNS servers left; half of them already do not work (DoH sure does not).
 

LDogg

Level 33
Verified
May 4, 2018
2,196
Is this browser any good? I'd be worried of data harvesting from this browser though. On the outset it does look quite the browser.

~LDogg
 

LDogg

Level 33
Verified
May 4, 2018
2,196
Bit worrying when looking on their site.

~LDogg
 

[Attachment: yandex.png]

military

Level 4
Verified
Aug 13, 2012
166
You can read the agreement. In general, yes, the situation is similar to Google: the data is sent at least to improve your personal search results.
I am from Russia; we are also worried about the safety of our data, but this browser (and the company) has not been seen doing anything bad.
They use very interesting protection technologies: Protect: protecting the browser against malware
 

LDogg

Level 33
Verified
May 4, 2018
2,196
You can read the agreement. In general, yes, the situation is similar to Google: the data is sent at least to improve your personal search results.
I am from Russia; we are also worried about the safety of our data, but this browser (and the company) has not been seen doing anything bad.
They use very interesting protection technologies: Protect: protecting the browser against malware
Makes for an interesting read.

~LDogg
 