Stein Solutions

11/22/2025

https://www.malwarebytes.com/blog/news/2025/11/gmail-is-reading-your-emails-and-attachments-to-train-its-ai-unless-you-turn-it-off

A new Gmail update may allow Google to use your private messages and attachments for AI training. Here's how to turn it off.

09/15/2025

I have been teaching people to stay away from most extensions in the Edge/Chrome store (I no longer support Edge). One of my heroes is Wladimir Palant and I posted on his web page a very informative article, IMO.

The body of the message is included here:
*************************************************************
If someone copies this the link back to this page is

https://palant.info/2025/01/13/chrome-web-store-is-a-mess/

First, if anyone reads this, know and understand that Vladimir is a tireless and dedicated professional genius who 100% understands the dangers of the Chrome Web Store. I am a bonafide DFIR engineer and malware hunter and my credentials are below. This is not a self-promotion. I am a senior citizen and exhausted from the tireless work of the only way to stop the bad guys: teach people, one person at a time, to “run to the hills” away from (most) extensions. I have taught over 1,100 people over the last 12 years.

No matter what Google tells you about their efforts to build in security or redesign how extensions must be architected and whatever guardrails they put in, the old adage applies: “the bad guys will always be a step or two ahead of the good guys”. I could make a very strong case for this but I could not evangelize and run the experiments that Vladmir does. However, he does precisely what I would do, given enough time. So kudos and gratitude to Vladmir.

Every warning Vladmir gives I have been giving people for years. Vladmir, as former developer of AdBlock, establishes my credibility but my clients already trust my judgement.

I have written simple PowerShell scripts that set the policy in the registry to never allow any extension to be added to Chrome, Edge or Firefox and a few customers gladly take this code. It’s doing well. If it was extremely widespread bad guys would code around it. That’s the beauty of teaching people one at a time, quietly. Each one is one less target the perps can go after. Making small chinks in the evil criminals armor is better than doing nothing.

I teach extreme vetting and done quickly. There are many red flags to look for and if any, even one, arise, “run to the hills” and give it up. A Fortune 1000 company who writes an extension will not have even one red flag. Anyone else’s extension has a higher chance of being infiltrated, lurking for years and then slipping a pushed update that Chrome misses (and what Vladmir has proven by watching those 1600 extensions daily until bam! one leaps at you and does it’s dirty deeds YEARS LATER. I call that “lurking”. I also use use static analysis tools by AnyRun and Hybrid Analysis. I cannot afford these $5K annual subscription and the free version is limited. But if it doesn’t kill you to use these tools, it will make you stronger. They run it in a sandbox for 60 seconds which is a long way off waiting 5 years for a new version to rear it’s ugly head. And each older version may morph itself in ways that no one has the time to study the JavaScript code to understand what it does.

But Anyrun and Hybrid will at least tell you if it sees any of the patterns from MITRE ATT&CK (see https://d3fend.mitre.org/ ). Some extensions have 100s of files and that exceeds what can be uploaded (even in a single zip file) but you can turn the entire set of code into a single runnable hta or .js file. Not exactly the same as running under the Google extension model but adequate for static MITRE analysis and a 60-second run.

For example, I recently checked out a C**r extension (name omitted but will disclose if you PM me). This code should have been doable in a few hundred lines of .js. But it was 11,000 lines. My PowerShell script produced two lines of non-obfuscated code (whew!) and a web site java script beautifier turned it into those 11,00 lines. It had many MITRE ATT&CK patterns in it. Hybrid said it was SUSPICIOUS at a score of 30/100.

I don’t have the time to ramp up on studying this code (I was an expert C++ and C # programmer for many years). But 11,000 lines and all those MITRE issues is a red flag to ….. “run to the hills”. I am not interested in why there may be a good reason for there to be 11,000 lines of code but I simply will not take the risk nor should you. There was only a simple web site for the tool and it had all my vetting red flags (not address, no phone, not “About Us”, no nothing). Except for the author (gmail) email to contact -- I researched that email and found nothing. I asked him/her a simple question about his/her country of origin and as you might expect, no answer (red flag #2) as come in. Final VERDICT: guilty.
I have thought long and hard, as have some of you and Vladmir, why Google seemingly doesn’t care. The answer is my own opinion: they put some extensions out there of their own to spy on criminals and terrorists and they want not-so-smart criminals to risk using these tools so that they can be caught. There are 100s of things the intelligence agencies will do to get intelligence and Google and Microsoft are going to cooperate in the interest of national security.

That makes ordinary people who add extensions and trust Google, intentional collateral damage.

But not my customers. :-) They have been taught to say “no” to every prompt and block all notifications in the browser. But it’s not easy, without even more work to do, to stop push technology updates both from the Edge/Chrome web stores or the Microsoft Store. There should be an option to prompt to update:

Extension Track-Package-and-give-you-weather :-) wants to update. Select 1 to 4
1. update now
2. do not update right now, check another time
3. review changes made for this version (developer must provide at least 100 words?)|
4. skip this update all together and return to browser
I would teach my clients if it is a not-so-well-known extension, select option 4.

Another suggestion would be for Google to upload to Hybrid Analysis and only permit it if the score is below a certain threshold. Google already has something like this behind the scenes as a super-powerful web app that does 1000x more than VirusTotal. Very cool! But it is ONLY SOLD TO corporations who should (and smart ones do) studying everything.

But small fry consultants like Vladmir or I even begging to able to upload perhaps one file a week is met with a NO. That is saying “we don’t care about how smart you are – don’t mess with our intelligence efforts – we only cater to corporations”.

That just further cements how important it is for Google to get malware in the form of extensions into the everyday non-corporate household. It breaks my heart. Laugh all you want, but there is a long history of the NSA/CIA working this way and an elite Google team can tell you all about it but never will! I draw these conclusions from abductive logic, the hallmark of a very smart person like Vladmir or myself, to understand the criminal mind and spy vs. spy. (Other examples: which VPN companies does CIA own – at least one in the past? Which node(s) do they run in the TOR network to get even scant and incomplete information? Why did Dropbox CEO state fact check that no one in the planet can see any of your cloud files stored on their servers and then admit they lied about it and would show files to certain subpoenas? Etc., etc.

Finally, I have now run into a new sad issue which is this: Norton 360 is very popular and is sold with popular Norton LifeLock. Gen Digital purchased Norton who purchased Avast some time ago and incorporated it into their product and it installs a Norton Secure browser which is really the AVG Secure browser which is really a Chromium based browser that Avast promoted when they purchased AVG. There are many reasons not to use this browser but all of my customers with Norton who rely on Chrome find the icon for the Secure Browser similar to Google Chrome. But the location of extensions is completely different from the well know Edge, Chrome, and Firefox add-ons locations. In fact, depending on whether the customer started/has the AVG, Avast or Norton version determines the path. And all those wonderful tools like Nirsofer’s browseraddsonsview now have to be called from the command line to check those locations and to do so is not documented clearly by Nirsofer but it can be figured out. Shame on Norton. They could atone by making a free tool similar to browseraddsonsview that dumps the addons to a CSV.

Don’t hold your breath.

Thanks and if anyone wants to volunteer to study C**r PM me at misterharrystein and the add the @ and gmail and .com. Identify yourself with a linkedin when you write.

Blessings,

Harry https://www.linkedin.com/in/harrystein https://www.facebook.com/steinsolutions

07/27/2025

This just goes to show you when it comes to greed and criminal behavior, people will go to lengths you can't even imagine until you read about it.

North Korea made millions from the scheme.

06/30/2025

Breaches occur all the time and it's a bad look for the CISO of the company who expects to be fired (a scapegoat is needed) and that CISO gets a better paying job -- not that he is unqualified but because that's how the carousel of CISOs work. It's understood you will be employed and receive bonuses until a breach, no matter whose fault it is and how unavoidable it was. Additionally, they are expected to reduce headcount because of AI -- a mistake but profits and the shareholders always trump over anything else. IMO. I learned this from a highly regard CISO at a conference where he described to the audience how this is normal and how his genius friends all accept that as normal. Thus I expect a change in Krispy Kreme CISO in the next few months. Thoughts?

Krispy Kreme is warning tens of thousands of Americans that they are now at risk of identity theft and fraud following a major cybersecurity incident.

06/30/2025

On this page I have recently slowed down posting my know-how that I feel does not get print in security blogs, linkedin, etc. My focus is elderly people (50s - 100s) getting scammed and needing to understand basics - I try to teach in a simple way that goes against the grain of what they (and many other younger readers) think, namely the myth that your PC, Mac, iPad, iPhone, Android phone is safe. Or about the scams very well documented on the AARP site.
Examples:
1. 95% of extensions you will install are now or in the next few years will be unsafe, not 1/10 of 1%.
2. Same for apps from the Microsoft Store.
3. Just say "NO" to everything. You won't miss out on anything and will be a lot safer - (Nancy Reagan).
4. Bad guys will always be one to two steps ahead of the good guys.
5. Your antivirus is not the weakest link on your computer. Why? Because 50% of all viruses out there today have not even been discovered yet by *ALL* (repeat *ALL*) antiviruses combined.
6. It is easy for the bad guys to write malware.
7. Companies don't care if they have a breach. They expect it. They understand it's not a matter of if, but when. Home consumers don't matter -- revenues come from selling software and services to profitable companies who take security seriously and don't overwork and underpay their security staff. When the breach happens, they report it and let you know the damage and next steps. But don't expect this from companies outside the Fortune 500 -- the lesser profitable companies and startups are usually security illiterate and sell to home users who download their apps that eventually gets breached/infiltrated and pushed out to you with the latest wonderful technology that silently pushed updates to users daily, weekly, etc. - almost impossible to stop a breached product/app. What must you do: self-educate, learn, learn, learn. "Assume the worst because it's even worse than that!"

Now here is a site that posts many recent articles that the editor thinks are relevant. How do I decide if this site is useful for me or you? I read/skim all the articles because I understand them. I ask myself "does this have relevance to the over-1000 humans I have helped in the last 12 years or what I learned when I managed 125 computers in a law firm and discovered over 150 new viruses in less than five years and got most of my gray hairs)." If the answer is yes, I will take note. If the entire page has 1/2 of it's articles with impactful relevance, I will share that with you. If there is only one article, I will share the one article with you.

As you read this, remember: the goal is to self-educate with ways a good mentor deems effective. Many companies or books offer training with the goal of profit in mind. I do this as a ministry to take my God-given skills and share with people who can't afford it (I still charge moderately because I just can't afford to do otherwise).

Now here is an exercise for you before you read the link articles below. Take this entire message and past it as a prompt to chatgpt or Gemini (I have no idea what it will say)...
***************
PROMPT: recently, a so-called security expert Harry Stein posted the following and on a scale of 1-10 where 1 he is an idiot and 10 he knows what he talking about, how would you rate him. No comments. Just a bottom-line rating. I will ask for comments afterwards.

Here is what he said:
[paste everything above the ******** line here]

I did this and my score was 9! I did not ask chatGPT to change my tone or grammar. I did not go back and read what I said. It's raw.

Thoughts?

Here is the shareable link and below is the blog site I am going to investigate this evening.

https://chatgpt.com/share/6862143c-1b4c-8004-941d-78c85e6f1495

https://dailyhodl.com/scams-hacks-breaches/

Shared via ChatGPT

06/30/2025

Using a browser, any browser, requires training in how not to get socially engineered. The bad buys have many interesting ways of getting their malware onto your computer. Train yourself by reading this article and use AI (for example, chatGPT, Gemini, Gronk) and ask it what "such and such" means for any sentence you don't quite understand. You will self-educate immeasurably applying this process. And remember: no matter how bad you think things are out there, they are 10x-1000x worse (I want to say 1000x but it will sound like I am exaggerating but I have lived and experienced 100s of these issues).

Comment here what you take away as the top 3 points. Don't be shy.

Google’s OAuth link is being weaponized to launch dynamic attacks

04/12/2025

As a bona fide security expert I have held CISA in the lowest regard. For example, last year the did a "RFC" (request for comments) on what they should provide in a statement of guidelines for security so as to reduce everyone's risk - a home user, a small business, a corporation. I was stunned at how poorly this was gathered, the quality of the comments, what was glaringly missing, and what the final guideline looked like. Of course I was looking at it *after* the fact - but had I seen the RFC I would not have bothered submitting all my suggestions because I already had the lowest respect for CISA after years of looking at their web site. Note this is just my opinion -- I am rather cynical about how corporate America handles security and I mentor my clients the "Stein Way". Anyway, it got worse when their director Christopher Krebs (no relation as far as I know to my hero Brian Krebs) hired by Joe Biden, did what he did to screw up Donald Trump. So, last week President Trump revoked his security privilege (Yah baby!) and President Trump is investigating how Krebs did his deeds ... here is the statement released by the Whitehouse. Worth reading.

https://www.whitehouse.gov/presidential-actions/2025/04/addressing-risks-from-chris-krebs-and-government-censorship/

Let me just add, that one of Chris Krebs cronies, an key person in Homeland Security by the name of Miles Taylor said this:

[quote]
"The dilemma — which he does not fully grasp — is that many of the senior officials in his own administration are working diligently from within to frustrate parts of his agenda and his worst inclinations.

I would know. I am one of them.

To be clear, ours is not the popular “resistance” of the left. We want the administration to succeed and think that many of its policies have already made America safer and more prosperous.

But we believe our first duty is to this country, and the president continues to act in a manner that is detrimental to the health of our republic."

https://www.nytimes.com/2018/09/05/opinion/trump-white-house-anonymous-resistance.html
[end-quote]

Of course CNN is honoring Taylor and Taylor/Krebs have yet to realize what Krebs facilitated and the attitude he and Taylor had per the above quote, is treason! Plain and simple. Don't let Rachel Madow or anyone else spin it any other way -- they will never mention the Taylor quote and what Krebs did with regarding to censoring factual news important for conservative and independent voters to know (Biden laptop, etc., etc. - just read the presser).

https://www.whitehouse.gov/presidential-actions/2025/04/addressing-risks-from-chris-krebs-and-government-censorship/

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES The Federal Government has a constitutional duty and a moral responsibility to respect and

03/14/2025

I updated my LinkedIn resume with an experience. Apologies for being so cynical.
**********************************
Two week contract for a client who presented two Dell computers that imploded during a Microsoft Windows 11 Pro 23H2 to 24H2 update. The Hello pin stopped working and no workaround and a clean installation was required. The client is now imaging their computers and creating built-in local accounts but those accounts would not have helped a rather ugly issue that is one of these where Dell will point to Microsoft and Microsoft will point to Dell. This one we'll never know but if I were a betting man, I would speculate it is mostly on Dell. We still haven't got a response from their escalation engineer and don't expect to. What are you all hiding this week from your customers? Be careful, they may hire me to point a finger at you. With me, you can run, but you cannot hide. You will be Stein'd! I am a free bird no longer having to grovel and work for corporate America where KPIs and bad service trumps proper root-cause-analysis and modelling the Phil Cosby approach to Zero Defects. Meanwhile, I continue to dream about whistleblowing a company whose security practices threaten our national security but Krebs, the FBI, and other orgs ignore me. Which is just as well -- look what Facebook is doing to the lady who was a key employee there and foolishly signed a severance agreement 8 years ago with Facebook and tried to secretly publish what's going on there (you'll find the podcast on The Free Press). The risks for whistleblowing are absurd in this country. Shame on you all! Did anyone see Hawley grill the corrupt CEO of Boeing? Unbelievable. Thank God I am a Christian and know that Jesus and justice and His judgement always prevails!

Windows 11 24H2 Upgrade Killed PIN Login, Entra ID Mess – Anyone Else? We have two different Dell computers that experienced the exact same failure after Windows 11 24H2 was forced upon them in a s...

02/26/2025

Facebook constantly puts out click-bait ads and everyone is annoyed with them. I posted this explanation a bit ago on an ad from "Kindness Matters" saying Howie Mandel died today (false).
*******************************************************************

READ THIS! 🙂
Someone asked: *“Why does Meta allow fake stories/information like this?”

Feel free to **copy/paste this message** to help educate others. This is my opinion as a **security and digital forensics expert**:

🔹 Facebook/Meta likely allows these fake news ads as part of an internal experiment** on clickbait engagement and security testing.
- They might be tracking **(1) how many people click, (2) how many recognize the obvious date manipulation (2025 over 2024), and (3) whether their security tools can intercept malicious links.**
- Companies like **Proofpoint** perhaps already do this—running suspicious pages clicked on in emails in a virtual machine (VM) before allowing full access to the recipient.
🔹 This could be a security-driven approach, ensuring ads don’t lead to malware, scareware, or browser hijackers.
- If true, it’s a smart move.
- However, if Meta is knowingly allowing malicious clickbait to reach users, that is *unconscionable.*
🔹 Ever notice these ads always appear near the top of your newsfeed and seem impossible to block?
- That’s likely by design.
- Some of these links go to *harmless sites*, while others redirect to *dangerous ones.* We’ll never know how much Meta filters.
🔹 Reporting these ads is deliberately difficult.**
- There’s no “report clickbait” option** when you report them—only vague choices that don’t match the issue.
- That’s no accident IMO.
🔹 What can you do?
- Stay aware. If a post seems too shocking to be true, it probably is.
- Spread awareness. Meta profits from engagement, even if it’s misinformation.
- Follow my page for real security insights:
👉 [https://www.facebook.com/steinsolutions](https://www.facebook.com/steinsolutions)
💡 I'm not looking for business per se (other than complex troubleshooting) —just trying to educate people. Stay safe out there.

Blessings, Harry

02/03/2025

First it was the NSO group and now Paragon, both with zero-click (no click of a link necessary to infect the device) spyware. In the case of Paragon, the WhatsApp message would contain an attachment PDF and I am assuming just receiving the attachment triggered the spyware by way of WhatsApp having to read the PDF to verify it was not an issue -- and the PDF was designed to take advantage of a security deficiency (vulnerability) in the WhatsApp application or the device it is running on. Two links... the article about the Paragon spyware itself and a general article about zero-click so you can better understand. Remember: 50% of security is education!
https://www.theguardian.com/technology/2025/jan/31/whatsapp-israel-spyware
https://www.kaspersky.com/resource-center/definitions/what-is-zero-click-malware

Zero-click spyware is a malicious hack that requires no interaction from the user. Zero-click vulnerabilities, how does a zero-click attack work & how to protect yourself.

01/19/2025

I enjoy reading the CISA web site. The recently published a Bad Software Practices document for software developers and they are trying to get people to understand and pledge to try to do the actionable items in a 9-page document linked below which is the result of incorporating 78 public comments - I haven't been able to find these. The document was a quick read. It strikes me as being simplistic and minimalistic but anything is better than nothing -- SQL injection, stronger passwords, don't publish "secrets" (passwords) in source code, carefully choose and scrutinize open source. The most challenging item, to me, is how to get a voice out there. It's impossible. I have screamed and cried with ultra-important information only for it to fall on deaf ears. I am connected to a few important people but it helps this much: ZERO. I remain persistent, exhausted, and often feel defeated but I understand corporate America reaps what they sow. They never want to look at their empty heart for security practices. They instead focus on profits, KPIs, and producing mediocrity in areas of security - no problem if a breach happens: we have the staff to minimize the damage, show how we call in the troops (for example, the Microsoft Security consultants) to understand exactly what happened, and produce a report. Meanwhile, business as usual. Put pressure on CSOs to reduce staff by using more AI, discriminate against aging professionals who are smarter than all of your staff but "slower" and would even work for a pittance, and politics as usual. I can write a book about what is wrong and what can be done but I'm having too much fun doing what corporate America doesn't do: studying 100s (over 1000) real-world home users, small businesses under siege by criminals in the most complex and unimaginable ways and remaining two steps ahead of the good guys. I write deep-dive best of breed white papers for myself only, I advance custom DFIR tools using methods that only a craftsperson can do but are teachable if anyone would listen. And I do not lament too much and try to stay positive thanks to my Lord and Savior, Jesus Christ. The article is here and the same information is downloadable in a PDF. Have a blessed New Year!

This voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs).

12/08/2024

No surprises here for me but good and STARTLING for (most of you) to read.

https://www.tomshardware.com/tech-industry/cyber-security/o-mg-usb-c-cable-ct-scan-reveals-sinister-active-electronics-contains-a-hidden-antenna-and-another-die-embedded-in-the-microcontroller

One of my clients purchased a refurbished desktop computer 2 yrs ago from one of the largest refurb resellers on eBay. He had some network issues and called me and I remoted in and determined the little 802 wifi transceiver plugged into a USB port was causing issues. The part wasn't necessary as the desktop already had a built-in wifi. But the reseller found it cheaper to just put one in every desktop vs. trying to create a process to determine if it really needed it or not. It's understandable as I identified the part as a $1.00 part from China. The Wifi behavior was very suspicious (details omitted) and I asked my friend to ship to me. I still have it.

But one of my expert security friends who has a small hardware company (20 employees) and has wifi hardware expertise was not interested in helping to reverse engineer it. Too busy with for-profit-products. I am so used to everyone rejecting every important potential issue I have discovered that I basically have just given up.

Corporations have to make a living and rather than worry about helping with volunteering experts in the community with submitted security projects they (mostly) decline. I think Google and Microsoft are an exception. The FBI declines almost everything unless there is $1/2M or more involved. Etc., etc.

So pretty good chance the eBay reseller is pushing out several thousand desktops per year spying on people with the $1 part. This, my friends is normal and why nothing should surprise you. Every company and every computer is A BREACH WAITING TO HAPPEN. China has an advantage: the researchers are required to work in a community out of loyalty and the companies they work at are not as profit driven as USA companies. Still, we Americans prefer our freedom so it becomes very challenging and very difficult to fight cybercrime. We will see what ideas President Trump has with help from many security savvy cronies (I hope!)

For now, we as a nation should be grateful for all the people doing a great job with breaking such stories like Brian Krebs, Bleeping Computers, Forbes, etc., etc. I enjoy keeping up with it. Thank you all for your time reading this message and Praise The Lord and Merry Christmas!!!!!!

Harry

A small package with a huge malicious potential.