Feed aggregator

By Dan Collins, Paul Siegel Wandering DMs OSR Level ... 4?

Dan and Paul. the Wandering DMs, set themselves up with the challenge of stocking an entire dungeon in under two hours on their weekly live stream. What you see here is the output – a one page dungeon style adventure through an ancient monestary that has been long neglected and ravaged by nature. It features a sentient extraplanar ooze and a group of deranged warriors who worship it as their slimy overlord!

This four page adventure is actually a “two page’ dungeon with twelve rooms. An exercise in creating a dungeon in an hour, it comes off better than most dungeons, but, mostly, because they are forced to keep things terse and tight. I scoff at the methodology used and the results obtained.

By now we should all be aware that I love people who play with design ideas. Challenging the hows and whys of established design theory and process is always an interesting idea. Sometimes it will work and you’ll gain new insight in to D&D and how it works. And sometimes it doesn’t work. I’m always interested in the new ideas and always ready to tell someone that I appreciate their attempt, but, No. 

A few years ago I got seriously disgusted with the overwrought crp that was coming out. “How hard is it, really, to write an adventure for publication?” I asked myself. So, Criag Pike set out to test that. The goal was to write an adventure in an hour. I created four or five levels of a megadungeon, and, by the end, was doing thirty or so rooms in about ninety minutes. So, not hard. Along come these two dudes, who have a YouTube channel, and they want to design a dungeon on their channel in about an hour. Ok, sure, gimmick for the channel. But, also, buys in to the Bryce core conceit – That this shit ain’t hard and all the crap adventures coming out is because people are fucking idiots who don’t spend any time at all trying to figure out what makes a good adventure.

We’ve got a dyson map, twelve rooms, better than his usual small maps. An underground river runs through the middle of the map, allowing for a few hidden places and some multiple paths to rooms on the other side of the river.

The first issue is the selected format: the one page dungeon. Or, two page dungeon, for this, since the map is on one page and the twelve keys on another, along with a small art piece. This is a bad idea. One page dungeons. Bad idea. The original idea was that the constraint, in the contest, would invite innovation and keep things tight. Which it does. But it also limits the possibilities, especially in true one page design format. I have to ask, why are you limiting yourself to just one page of keys? What if you ran over in to a second page? Is it the end of the fucking world? No? Then why? I get that the format can help to force a terse keying, which is great, but, there are other ways to do this as well.

Looking at the adventure we get a shitty little wandering monster table. Six entries, not doing anything, just lists of monsters. And, while evocative of the monsters in the keyed descriptions, it comes off flat and boring. Have them doing something! Just another couple of words that amount to something other than laying in wait to attack.

The encounters are the real issue though. They run a huge variety of quality. We get a door to the room being boarded up with to giant lizards inside. The boarding up is ok, but there’s nothing more to this, a symptom of the format. We also get four berserkers camped out roasting a giant beetle legs over an open flame next to the underground river. That’s great! A near perfect example of a terse key. Maybe another environmental thing, like smokey room or something, but still very good. Compare that to “Supply closet breached by 3 giant ants.” Just like the boarded up door, it’s boring. Describe the situation, the breach, the moment the party comes in. There’s enough space for this, even in the selected format. One room has prisoners bound ready for sacrifice … one on a +3 shield soaked in flammable oil. Nice!

The adventure does a decent job of telegraphing encounters. In two situations, in particular, there are hints of whats to come. A room with rubble in it betrays an unstable ceiling, while an oily sheen on water hints at the bombardier beatles lurking overhead. Great examples of including a small detail that an observant party can take advantage of … and that cause a careless one to say “oh fuck! Oh course” once they are screwed over. 

I’m not the end all and be all of design advice, but I do think that the one page format, or even the two page format used here, is empty for anything other than performance art purposes. A page for a map, maybe two more for keys, a page of monster stats to get them out of the main text (and the space they therefore take up in it) and a page of intro/wanderers/extra stuff seems to me to be just about the perfect format for a “small” dungeon. You get the tightness that you need to retain focus, but still are not all that limited. 

As a website gimmick, and the first of one also, I can see the value in this … if I squint hard. But, just a little more thought would do this right and produce something good instead of just performance art.

This is $1 at DriveThru. There’s no level range listed anywhere (Bad!) and the preview is too short to get a sense of what’s up. No bueno.

https://www.drivethrurpg.com/product/380067/WDM01-Dungeon-Design-Dash-1–Asymmetric-Monastery-of-the-Deranged-Berserkers?1892600

 

Coming soon ...

Short and to the point. Check it out! 

ATZ How To

How time flies sometimes. Microsoft yesterday released the first patch Tuesday security updates of the year 2022. The update includes fixes for six zero-day vulnerabilities and a total of 97 bugs. This includes two Remote Code Execution (RCE) vulnerabilities affecting open source libraries. None of the zero-day flaws are known to have been exploited in the wild, but one of the other vulnerabilities is feared to be a wormable one.

A severe word of warning for those running a network with a domain controller, the side effects this month are extreme. The advice is to hold of on the patch. Microsoft has a technology called Active Directory that allows workstations to authenticate with a “domain controller.” This month’s updates are causing such drastic issues with domain controllers that they can become stuck in a boot loop.

Patches that can cause problems include the following:

• KB5009624 for Server 2012 R2
• KB5009595 for Server 2012 R2
• KB5009546 for Server 2016
• KB5009557 for Server 2019

It’s unclear if Server 2022 is similarly impacted.

Along with the update comes an announcement of a new security update guide notification system.

Let’s start by taking a closer look at the zero-days. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The first two we listed below have previously been fixed by a third party and are now being incorporated into Microsoft products.

Open Source Curl RCE vulnerability

CVE-2021-22947 is regarding a vulnerability in the curl open source library which is used by Windows. The January 2022 Windows Security Updates includes the most recent version of this library which addresses this vulnerability and others. The listed one can lead to a STARTTLS protocol injection via a Man-In-The-Middle attack.

The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. More specifically, when curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple pipelined responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated.

Libarchive RCE vulnerability

CVE-2021-36976 is regarding a vulnerability in the libarchive open source library which is used by Windows. The January 2022 Windows Security Updates include the most recent version of this library which addresses the vulnerability and others. This vulnerability is described as libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).

Windows Certificate Spoofing vulnerability

CVE-2022-21836 allows an attacker to bypass a security feature. A successful attacker could bypass the Windows Platform Binary Table (WPBT) verification by using a small number of compromised certificates. Microsoft has added those certificates to the Windows kernel driver block list, driver.stl. The Windows Platform Binary Table is a fixed firmware ACPI (Advanced Configuration and Power Interface) table. It was introduced by Microsoft to allow its vendors to execute programs every time a device boots. Certificates on the driver.stl will be blocked even if present in the WPBT.

Windows Event Tracing Discretionary Access Control List Denial of Service vulnerability

CVE-2022-21839 does not provide us with a lot of details. Affected is some unknown processing of the component Event Tracing Discretionary Access Control List. The exploitability is said to be easy, and it is possible to launch the attack remotely. Required for exploitation is an authentication. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or resource, making it inaccessible to its intended users.

Windows Security Center API RCE vulnerability

CVE-2022-21874 is a publicly disclosed RCE vulnerability in the Windows Security Center API that received a CVSS score of 7.8. This vulnerability requires user interaction to exploit, and the attack vector is local.

Windows User Profile Service Elevation of Privilege (EoP) vulnerability

CVE-2022-21919 is a publicly disclosed EoP vulnerability in the Windows User Profile Service API that has received a CVSS score of 7.0. The exploitation is known to be difficult, but the attack may be initiated remotely. The requirement for exploitation is a simple authentication.

HTTP Protocol Stack RCE vulnerability

CVE-2022-21907 is not one of the zero-days, but it stands out because it is a critical vulnerability which could allow an unauthenticated attacker to send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. While this is a vulnerability that would mostly affect servers, the fact that it requires no user interaction, there are no privileges required and it targets an elevated service makes experts believe it is wormable. There are also some questions among experts about which Windows versions are vulnerable.

The new security update guide notification system

Notifications are sent when information is added or changed in the Security Update Guide. Based on feedback, Microsoft has been working to make signing up for and receiving Security Update Guide notifications easier. Starting today, you can sign up with any email address that you want and receive notifications at that email address. There is no longer a requirement that the email be a Live ID.

To start off, you will need to create a Security Update Guide profile by clicking “Sign in” at the top right corner of the Security Update Guide. You can use any email and password here. If this is your first time signing in, a validation email will be sent with steps to verify that you have entered a valid email address.

Other security updates

Don’t forget to look at other security updates that you may need. We have seen updates from:

• Adobe
• Android
• Cisco 
• Intel 
• SAP 
• VMWare 

Update January 18

Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2021 Patch Tuesday. For those that were experiencing problems or holding off on the updates, this update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.

Stay safe, everyone!

The post [updated] You can update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one appeared first on Malwarebytes Labs.

A 32 year-old software engineer has been sentenced to two years and two months in prison for remotely accessing chat logs, photos, videos, and webcams of his female victims.

For nine years, between 2010 to 2019, Robert Davies used malware to infiltrate his targets’ devices and access their data without them knowing. In one incident Davies accessed a schoolgirl’s webcam and secretly filmed her undressing and showering.

Davies is not only a voyeur but also a catfish. He is said to have created multiple accounts on Skype to get close to his targets with the end goal of eventually tricking them into performing sex acts for him. While using one of his Skype personas, he befriended an 11 year-old girl and built a relationship with her over the course of two years. He eventually gained access to her computer and switched on her webcam without her realizing.

Andrew Shorrock of the UK’s National Crime Agency (NCA) is quoted saying: “Davies has amassed what can only be described as a cybercriminal’s toolkit. Not only was he using these tools to break in to people’s devices, he was using them to spy on his unsuspecting victims and to steal naked images of them for his own sexual gratification.”

All in all, Davies victimized 25 individuals.

Davies pleaded guilty to all 25 counts of “causing a computer belonging to another to perform a function with intent to secure unauthorized access”, one count of voyuerism, four counts of making sexual photos of children, and one count of owning extreme pornographic media.

“The extent of the damage you have caused is immeasurable and constitutes a total violation of their privacy, ” said Judge Julie Warburton of Nottingham Crown Court as she carried out the sentence.

How to protect yourself from voyeurs and catfishers

Technology has made it possible for anyone with the right know-how and ill intent to access someone else’s device and spy on them. Thankfully, incidents of voyuerism and catfishing can be avoided. Here are some tips:

Webcams

• If you use a laptop, make sure you put something over the webcam. A simple piece of tape will do, or you can use a specially made webcam protector.
• If you have a webcam that’s not built into your computer, then get into the habit of manually disconnecting your webcam when you’re not using it.
• If your webcam has a password, change it from the default to a long and complicated one

Instant messengers (IMs) and voice-over-IP (VoIP) apps

• Treat your IM or VoIP app chat of choice as you would your online social media account: lock down your security and privacy settings, and make sure your ID/handle is not searchable just by anyone (if at all), which means random strangers cannot just add you as a contact.
• Keep chats and video sessions clean as much as possible. It may be fun for you to try something risque every now and then, but remember that the threat of sextortion, revenge porn, and blackmail are real.

General tips

• It goes without saying that you should make sure you have good security software installed on your device and keep it up to date.
• And talking of updates, make sure you’re applying them as soon as they’re available, whether that’s your phone, your computer’s OS or your browser. Cybercriminals use known flaws to exploit systems so keeping your system up to date is one way of making things harder for them.

If there is one final takeaway we can get from the Davies case, it’s that cybercriminals can be very patient. And sometimes, all it takes is one person to choose to take advantage of our trust. One can never be too careful, especially online.

Stay safe!

The post Software engineer hacked webcams to spy on girls—Here’s how to protect yourself appeared first on Malwarebytes Labs.

Players of smash hit gaming title FIFA 22 have become the target of a wave of attacks focused on account compromise. Up to 50 “high profile” accounts were hijacked by what may have been the same group.

FIFA games are, traditionally, a big draw for scammers and phishers. Many sports titles offer in-game digital items and benefits, paid for with real money. Sometimes you buy specific items via purchases called microtransactions. Other times, it might be a form of lucky dip, where you spend money on boxes which contain random items. They can be worthless, or incredibly valuable, and you don’t know what you’ll receive till you buy the so-called lootboxes. Games like FIFA frequently draw ire for it, and players who buy a lot of lootboxes are popular targets for phishers. Wherever you have players investing large sums of money, you’ll find the sharks circling in the water.

Someone decided to make a big splash with this particular attack. This isn’t supposed to be a stealthy compromise and a slow burn of stolen and plundered accounts, the attackers took over some of the biggest names in the FIFA game space and fired half a dozen flare guns at the same time. As Bleeping Computer notes, targets included actual players, currency traders, and streamers. Someone wanted attention, and they went about it in a way which guaranteed it.

Setting the scene

The problem was so visible that EA published a statement on the attacks. One may have assumed the first point of entry would be phishing gamers with fake logins and stealing their accounts. This is where additional security measures such as 2FA come in. If the attackers gain login details via bogus websites, they still need to login to the real site as the victim. If 2FA (or similar) is active, they won’t be able to do it without the 2FA code.

This potentially gives victims enough time to realise something isn’t right, and change their login details leaving the phisher with nothing.

However, even with 2FA enabled, things can go wrong. Typically this approach again focuses on the victim. A fake login site will ask for username and password, but then also ask the victim to enter their 2FA code on the phishing site. This code will then be automatically entered onto the real thing, or punched in manually (and with haste!) by the attacker. Sometimes they even ask victims to upload files designed to keep attackers from logging in.

However, on this occasion, they set EA customer support agents in their sights instead.

Going head to head with customer support

The statement reads as follows:

Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques. Utilizing threats and other “social engineering” methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts. 

Attacking victims via customer support isn’t a new technique, but it was used to spectacular effect here. It’s not clear from the statement exactly how this played out. However, phishers often steal logins via fake sites first, then go to customer support pretending to be the victim who is “locked out” or has forgotten their details. They use pieces of the already stolen data to convince customer support they’re the real deal, and then take info from customer support to complete the attack.

The other approach is to talk to customer support with no action taken beforehand, and “simply” social engineer their way into full account control. Tricky, but not impossible, and a lot of it comes down to staff training.

Damage done, and further steps

Here’s the next part of the statement:

At this time, we estimate that less than 50 accounts have been taken over using this method…our investigation is ongoing as we thoroughly examine every claim of a suspicious email change request and report of a compromised account.

Whether pre-armed with pilfered data or not, the scam involved altering the registered mails associated with accounts. More training definitely seems to be key here, as they go on to say:

All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.

We are implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.

Our customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.

All good moves by EA.

A wide world of 2FA protection

A caveat: phishers bypassing you completely and leapfrogging customer support means your 2FA may not help in that situation. On the other hand, keeping accounts locked down with tools like 2FA may contribute to them having to dream up scams like this in the first place. Making them work harder, and going the extra mile, naturally puts up a bit of a fatigue barrier. Many will also simply move on and target less secure accounts.

I can’t think of many gaming platforms or title specific services involving passwords which don’t also offer 2FA. Playstation has it, Xbox has it, as does Steam and Epic. Many platforms and titles offer bonuses for enabling additional security measures.

All of these forms of protection differ, with varying degrees of security. Some are SMS based, which are better than nothing, but ripe for exploitation via SIM swap. Phishers will come up with inventive ways to bypass apps, especially where some crossover to the desktop exists.

The best combination, if available, is probably a password manager and a hardware security key. Some password managers, for example LastPass, will prefill login details for you, but only if you’re on the genuine website. If you’re sent to a bogus site, nothing will happen and you’ll know you’re in the wrong place.

Meanwhile, the physical security key deals with authentication – no text messages or apps required. There’s a few examples of successful attacks on physical sticks, but they’re pretty rare. Again: this won’t help if the attackers haul themselves over the finish line through customer support. That’s out of your hands. Even so, you’ve locked things down at your end and that can only possibly be a benefit to you and a hindrance to those that matter.

The post FIFA 22 phishers tackle customer support with social engineering appeared first on Malwarebytes Labs.

By Amanda P Hopeful Weird Wonder BX/Cairn/D&D "Low Levels"

Don’t get excited. The Burning Teeth are a mountain range.

A charismatic exiled warrior lord Dakon Lazard drove his followers to an ancient warrior temple in the Burning Teeth mountains, looking for redemption at any cost. It has been a month since any of the warriors have come from their vault. Villagers have begun to go missing, merchants are losing trade goods, and the earth rumbles more furiously than ever. Explore the volcanic mountains and discover what has happened below in the Sunken Grave.

This thirty page adventure describes a 21 room dungeon with a boring disposition. Devoid of most evocative writing, or interactive elements, and slightly generic in the way that system-neutral things can be. I should have gone with the four page two hour dungeon instead.

You get three things here. First, a small town. You get descriptions like “Respite has had to be relatively self sufficient as a border town. As you wander, you can find carpenter’s shops, cobblers, and any other craftspeople you might find in a small village.” So, you know, totally worth the page count to describe a generic small town. Unless you are doing something memorable then there’s not much reason to spend a whole lot of time on the town. The best of the town entries is “Two large, homely men play cards at a table while the other two guards on duty whisper to themselves as you approach, eyes grim and deadly serious.” Note the difference between that description and the previous one I pasted in (which, was another location, as generic as it seemed …) In the guard one you have something going on. They are playing cards. They are glaring. They excuse danger. This is specific information. And in the world of evocative writing specificity rules. Not detailed, but specific. 

Part two is a kind of wilderness journey, I guess? There’s a watchtower on a hill and a side-view map showing a cavern system with around eight rooms. The rooms get descriptions like “The Cavernous Descent is a dank hole with a hidden ladder under a wooden trapdoor.” or “The Fountain of Ignus. A heavy door (locked) leads to an ancient shrine to a forgotten fire deity. A place for dreadful healing, soothsayers and curious sights.” Completely abstracted text. I’m not sure why the designer even bothered? This is not the second adventure I’ve seen recently that has a cavern system as a “front door” to the main dungeon. It’s not a bad idea, but, why provide these descriptions, abstracted as they are? There’s nothing here. Or, perhaps, you’re putting work on to the DM? I don’t understand AT ALL why this section exists.

Finally you’ve got the dungeon proper. The rooms are formatted in a bullet point kind of system, maybe four or so per room sometimes. But, they aren’t really in an order that makes sense. One room starts by telling us that a plaque hangs over the door to the next room. Then it tells us that door is broken and hanging from its hinges. THEN it tells us the room is full of pipes and shower heads pumping out hot steam. With acrid simple and burning cinders. Uh … Hello! Burying the lead! Finally, it tells us that thee is a great eye carved in to the door. Which door I don’t know. The one in to the room? That would make sense in the other room though, the one that leads here? It’s all just blasted out, without any consideration as to what he DM needs when.

But, mostly, there’s a sense that things just don’t work together. One rooms description is “The air singes your lungs and the hair on your arms. Sweat pools on your palms. The steps were carved long ago by a workman’s pickaxe and chisel.” So the workmans pickaxe thing is all padding, but the environmental stuff isn’t. Excet, it really has no purpose. It’s not like the next room is the furnace room or anything. It’s all just window dressing. 

And EVERY room feels like this. Like they are just window dressing. Like nothing in the rooms matters. One tells us that “In the Drywell: a 40’ pit. At the bottom, skeletons forever longing for their lost loved ones or raging at having been deceived.” So, ok. And? I mean, that’s fine, as a kind of side note to a room, but as the whole thing for the room? And for EVERY room to have this sort of window dressing and little else? 

This extends to a “random effects” table. It’s just a table full of things that can happen to you in certain rooms. Like, now you glow green. Great! Why? Because the dungeon is evil. Uh, ok. I guess I’m corrupt now? But it’s all just window dressing. No good or ill effects, really. Grow a small antenna on your head that has no impact. Sure, whatever. Next room?

A room with a bridge, over bubbling acid, is written as the most boring thing in the world. The entirety of the description is “The collapsing bridge. Above the bubbling sulfur boiling acidic water. SUpports one person at a time. You get scalded every turn you are in the water if you all in. A set of bronze armor likes at the bottom of the lake”  The armor thing is good, but, otherwise … thats taking an exciting room concept and making it in to nothing. 

This is $5 at DriveThru, The preview is eleven pages, but it’s the first eleven, so you don’t actually get to see any of the content you are paying for, preventing you from making an informed decision.

https://www.drivethrurpg.com/product/381410/Beyond-the-Burning-Teeth?1892600

Unless you’ve been hiding under a rock for the last twenty years, you’ve probably heard the one about “keeping your software up to date”. Applying software updates promptly is arguably the single most useful thing you can do to keep yourself secure online, and vendors, experts, pundits, and blogs like ours, never let users forget it!

And because it’s good advice that’s easy to follow, cybercriminals like to use fake software updates to con users.

Fake software updates have been a go-to tactic for getting users to download malware for many years. A convincingly-branded message that tells users they need to update their out of date software taps into all the good security messaging users have soaked up, it gives them a reason to install strange software from the Internet, and it carries exactly the right mixture of implied threat and urgency that social engineers like.

For years, fake Flash updates were a fixture of web-based malware campaigns. Flash provided just the right kind of patsy: It was famous for its security holes, and new updates were released almost every month. But with Adobe’s media player a year into its long overdue retirement, criminals have had to look elsewhere for a convincing cover story, and where better than perhaps the most frequently updated software of them all, the web browser? Browsers have an almost frenetic update schedule, and many users understand that installing regular updates is a normal and important part of their everyday use.

Last week, Malwarebytes’ Threat Intelligence worked with nao_sec researchers to investigate a recently-discovered update to the Magnitude Exploit Kit that was duping users with a fake Microsoft Edge browser update.

The Magnitude exploit kit offers users ransomware dressed up as Microsoft Edge

The Magnitude exploit kit uses a grab-bag of social engineering lures and exploits to attack web users and install ransomware on their computers. Although Magnitude has been used to target different geographies and deliver different kinds of ransomware in the past, these days it is strictly focussed on installing Magniber ransomware on targets in South Korea.

The fake Edge update attack flows like this:

1. A user visits an ad-heavy website and encounters a malicious ad.
2. The malicious advert redirects them to a “gate”, known as Magnigate.
3. Magnigate runs IP address and browser checks to determine if the user will be attacked.
4. If the user fits the attackers’ criteria, Magnigate redirects them to the Magnitude exploit kit landing page.
5. Based on information from Magnigate, the exploit kit chooses an attack from its collection.
6. In this case, the exploit determines the best attack is a fake Microsoft Edge update.
7. The “update” is actually a malicious Windows Application package (.appx) file.
8. The .appx file downloads Magniber ransomware from the Internet.
9. Magniber encrypts the user’s files and demands a ransom.

A Magniber ransom demand

Magnitude is regularly updated with fresh attacks, and the fake Edge update appears to have been added in the last few weeks. In the past, Magnitude has made extensive use of Flash and Internet Explorer vulnerabilities, but as the software landscape has changed it has had to adapt. In late 2021, it was seen targeting a sandbox escape vulnerability in the Chrome browser family, for example. That should be no surprise, Chrome is the most popular web browser by far and it suffered from an unprecedented glut of zero-days in 2021.

The number of problems affecting Chrome’s V8 JavaScript engine suggest there may be underlying problems in that part of the browser, and we fully expect that the near-term future of exploit kits will be Chrome exploits. However, that won’t stop exploit kits from taking advantage of other tactics, like fake updates, where they’re more likely to succeed.

Although Edge is based on the same browser as Chrome, uses the same V8 JavaScript engine, and is vulnerable to the same exploits, those exploits will only work on browsers that are out of date. And since browsers are pretty good at installing updates, Magnitude also needs attacks that work against fully updated browsers.

The irony is that the users most likely to run into an attack telling them they need to update their browser are the ones who already have.

If you want to know what version of Edge you’re running and if there are updates available, we suggest you follow the official guidance from Microsoft:

1. Open Edge, select Settings and more, and then select Settings.
2. Scroll down and select About Microsoft Edge.

Malwarebytes blocks Magniber ransomware.

Malwarebytes blocks a Magniber ransomware download

The post Ransomware targets Edge users appeared first on Malwarebytes Labs.

Michael Grime, a British games programmer, has escaped jail after using stolen credentials to access several women’s personal email accounts and social media accounts in order to steal their private and intimate photos.

Grime was caught by the National Crime Agency (NCA) as part of an operation involving several agencies and the FBI. The agencies were able to link his email address to an account in WeLeakInfo[dot]com, a website that sells leaked credentials. Grime is said to have been paying $2 USD a day to access this site before it was taken down by law enforcement in early 2020.

WeLeakInfo[dot]com is marketed as a site that offers access to 12 billion user records collected from more than 10,000 data breaches. These records contain user names, email addresses, IP addresses, passwords, and phone numbers.

This is what WeLeakInfo used to look like, courtesy of the Wayback Machine. This appeared on the WeLeakInfo website from as early as January 2020, courtesy of the Wayback Machine.

In November 2020, law enforcement officers raided Grime’s home and seized a PC tower, three external hard drives, and his mobile phone. Thousands of photos and videos of women either topless or nude were found on his devices, many of which were images that had never been shared publicly.

The NCA primarily identified 11 women in the UK, most of whom went to school with Grime or had known him since childhood. It isn’t specified how many women Grime victimized outside of the UK. Some of his victims are popular figures on YouTube and Only Fans.

During a Preston Crown Court hearing, Grime admitted to having access to “around 50 accounts”. In one incident, Grime, who was described as “geeky, loner, and odd”, hacked the account of one of the women’s boyfriend’s to access private photos shared between the couple.

Lisa Worsley, prosecuting, told the court that his victims “felt betrayed and sad. One woman’s first response was to delete all her social media which she found upsetting.”

“Another said her Snapchat has been unstable and would log her out three or four times a day.” That’s a red flag there.

On the defending side, the lawyer whom outlets only name as “Mr. Forbes” told the court that Grime is “socially awkward” and may be on the autistic spectrum, although Grime has never had an official diagnosis. Forbes also said that his client became obsessed with hacking and “liked the detective work”.

“Many cybercriminals rely on the fact that lots of people use the same password on multiple sites and data breaches create the opportunity for fraudsters to exploit this,” said Detective Inspector Chris McClellan from the North West Regional Organizaed Crime Unit, who carried out the warrant at Grime’s home address in November.

“He knew it was wrong,” Forbes is quoted saying, “He stopped on occassions but [sic] and deleted material and would start again. This was something over which he felt he had little to no control over.” Forbes said Grime’s arrest was a “relief” for the young programmer as Grime didn’t have to rely on his weak will to stop himself from hacking accounts and downloading photos.

Although he wasn’t imprisoned, Michael Grime was given a community order, which orders him to do unpaid community work for 80 hours over two years. He was also ordered to undergo rehabilitation for 30 days and pay £500 as compensation for each of his 11 victims.

DI McClellan advised internet users to check if their credentials and personal data have been part of a data breach by using legitimate websites like haveibeenpwned.com. If users find one or more of their accounts have been compromised due to breaches, they should make new strong passwords for each account.

“Do not reuse passwords and where possible apply Two Factor Authentication (2FA). This will help you prove you are who you say you are when you are logging into your account. Do not share the 2FA code with anyone.”

Sage words.

The post Intimate photo hacker spared from jail, said he “liked the detective work” appeared first on Malwarebytes Labs.

Physical objects as security threats are in the news at the moment. The oft-touched upon tale of rogue USB sticks is a common one. Being wary of random devices found on the floor, or handed out at events is a smart move. You simply don’t know what’s lurking, and it’s hard to find out safely without the right tools available. Even then, something can slip by and cause no end of trouble on your desktop or network.

Sticky situations

Back in 2015, we covered the Dead Drops art project. This involved people hiding their USB stick in public places, and others finding them to join an “anonymous file-sharing network” and see what lurks. Security wise, this is an absolutely terrible idea for most folks.

On the other hand: people absolutely do plug in USB sticks found in the street, and they also happily use freebies at events. Most won’t concern themselves with security worries, but they should. However, it’s one thing to voluntarily grab USB sticks yourself. It’s quite another to be potentially disarmed by someone sending you said device instead.

Postal peril

The FBI has warned that a malware group is sending out infected USB sticks to specific targets. The group is behind major attacks such as the notorious colonial pipeline ransomware incident. Make no mistake, these are heavy hitters (and have been here before, and that time they included gifts such as cuddly toys).

The bogus sticks have been winging their way to potential victims through the post for a number of months. There’s elements of social engineering involved, too. It isn’t just a random stick in an unlabelled baggy, there’s a variety of packaging depending on who the sticks have been sent to. It’s perhaps not quite as visually impressive as rogue teddy bears, but it still gets the job done.

Social engineering their way to USB victory

The attackers use a couple of different postal services to send the USBs into the wide blue yonder: United Parcel Service, and United States Postal Service. The sticks have been sent to “US businesses in the transportation, insurance, and defence industries”. The packages are designed to resemble Amazon gifts, and Covid alerts from the US Department of Health, which are likely to carry a strong pull factor for the unwary.

If the USB stick is inserted into a PC, it launches a BadUSB attack and the malware auto-registers as a keyboard. From there, it uses keystrokes to place malware on the system and, potentially, deposit and fire up additional rogue files. Bleeping Computer notes that the end goal is to deploy ransomware on the compromised network.

Tips for keeping USB access points safe

• It’s not realistic to suggest disabling all USB ports on workplace machines, considering how many USB devices we use on a daily basis. However, you can ensure that only ones in use are functional. You can also buy physical locks which block use of ports with no software required to do it. Similarly, you can buy devices which lock wires into ports and reveal evidence of tampering if one is somehow pulled out.
• Dedicated workstations running virtual machines, or a non Windows OS, can be set up for any “stray” USB sticks.
• Disabling autorun is also helpful should such a thing already be enabled.
• Restricting access to any and all USB sticks to a handful of trained staff may be thought of as time-intensive, but realistically you likely don’t run into dozens of mysterious USB sticks on a daily basis.

We don’t know how many organisations have been affected, nor do we know how successful this campaign has been. Organisations should be cautious if they’re in one of the sectors targeted by this attack. In fact, we should all be cautious where rogue USB sticks are concerned. Get ahead of the curve and ponder this issue now, instead of waiting to find out if your area of business is on the next FBI release a few months down the line.

The post Attackers are mailing USB sticks to drop ransomware on victims’ computers appeared first on Malwarebytes Labs.

The Last Breaths of Ashenport by Ari Marmell D20 Level 6

A special request for a Dungeon 152 review!

This 44 page adventure is the standard Call of Cthulhu scenario, except written for 3e (3.5?)  You’re in an Innsmouth, it’s cut off, freaky shit goes down, you raid the church and then you raid the sea caves. I’ve played and run enough to these that I know how it’s supposed to go down, and you can see the basic outline and what the designer wants to do, but the scenario doesn’t accomplish it.

I like CoC. I think CoC is great. Non delta-green versions of CoC are the perfect one shot/con game. What I do NOT think, though, is that investigation adventures are meant for D&D. D&D has the Divination problem. The players can and will cast Detect Evil/Locate Object, etc. This is because D&D is not an investigation game. D&D is a dungeon exploration game. The spell lists are crafted for a party raiding a dungeon and finding a princess and wanting to know if they are gonna get a kiss and kingdom as a reward or a level drain for their problems. And for every Detect Evil you memorize that’s one less Fireball to toss out. It’s a give and take and resource management game. And I don’t really give a flying fuck how YOU play D&D. That’s irrelevant. The Spell Lists are created for this type of play. It’s built in to the game and WILL be built in to the game until someone reworks the fucking spell lists. 

Until this happens the only possible solution is to gimp the fucking party. I still remember being stone’d by a Medusa who the adventure said was evil “but not enough to register on the spell …” Uh huh. And in this adventure there is a vague evil detected in the village but nothing specific. Because two evil altars are masking the fact that everyone in the village is an evil Dagon cultist. Combine this with the standard “You are trapped in the village by a raging storm” mechanic. I know, I know, it’s a standard trope for these things. Or, rather, it’s a standard fucking trope for a game in which you are normal people facing the terrible unknown. I can teleport without error and he regularly communes with his god and rides the sun chariot around the night sky with him. We don’t get trapped in villages. It’s trying to force a scenario type in to a game that doesn’t support it. Just like you don’t explore dungeons in CoC, you don’t investigate in D&D. That’s not how the game was built.

Ok, so, that’s out of the way. Let’s say something nice. There’s a paragraph of advice up front that is extremely useful advice to the DM: “When describing them [ed: the fish-men], however, don’t use either of those terms. In context of the adventure, they’re not “pseudonatural kuo-toa”; they’re fish-men of Dagon. It may sound like a minor point, but the proper use—and, just as important, the careful avoidance—of particular terms can go a long way toward making the PCs, and indeed the players, feel like they’re truly facing the unknown.” No truer words. This gets to a core point: making the party afraid. You don’t tell them they face a troll. You describe the troll. You don’t say “dragon”, you describe it. You describe eyestalks popping up out of a bit, not say the word “beholder.” The specific advice given is different (they are fish men, not kua-toa) but the concept is in the same neighborhood. Don’t remove the mystery and fear from the game by naming the thing.

There’s also a pretty good in-voice bit from an NPC. If you question a rando townsperson about an inn, when you first arrive in town, you get this little gem: “Might meet you there later to hoist a tankard or two; gods know I’ll not be doing much else ’til the sky stops weepin’.” Pretty good! An NPC acting like a normal person for once! The adventure also let’s you roll, after 24 hours, to determine that the weather is not normal. A nice naturalistic way; it takes time. 

We are now done being nice.

The standard long read-aloud. The read-aloud is in italics, making it hard to read. Nothing new there. The read-aloud has a lot of “you’s” scattered in it: “their eyes glare at you in hatred” and so on. It does solve the “long stat block/enoucnter” issue by removing all encounters and placing them in the rear of the adventure. So a room might say “run encounter ‘from the sea on page 24 now.’” 

The adventure does two things majorly wrong, which would be wrong even in a CoC game. First, it relies A LOT on questioning captives. It fully expects you to knock people out and question them so you can find the next breadcrumb location. Not cool. And if this doesn’t happen then the NPC’s in the inn, the other travelers, will spoon feed info to you. “It looks like everyone is going to the church!” or some such. SO much so that at one point it advises to give the party a story award if you DONT have to have the NPCs do this.  This Adventure Plot extends in to other areas as well; when the party is magic’d to walk in to the sea to drown themselves, if they all fail their save, then an NPC in the inn will save them. IE: This is all just window dressing. It’s meant to be exciting, but not dangerous. You don’t actually have agency and there are not actually any consequences to your actions. Not cool.

It’s also using a standard room/key format for the town. The mayor is in the town hall. The sheriff is in the sheriffs office and so on. But, this isn’t how an adventure gets run. They shouldn’t just be sitting there, waiting for the party. The sheriff is a small town bully. He should be out, harassing the party around town, having goons do things and like. His entry even says this. But, his description is just hidden there, in the sheriffs office entry. There should be a section, up front, describing events and actions and things to happen in the town. The towns vibe. It’s a dynamic, fluid place … or, at least, it should be. This is not an exploratory dungeon. This is a social investigation adventure. Room/key isn’t the right way to present this information in order for the DM to be able to run a smooth and fluid game in which that asshole small town sheriff is out causing trouble. It just comes across as a throw away comment, and too much is left fo rthe DM to infer. The DM is not supported.

I can see exactly HOW this is supposed to be run. I can get the vibe the designer is going for. It’s not the utter garbage that most Dungeon adventures are. But it’s also no where near runnable in order to get the full experience that I think the designer was going for.

Last week on Malwarebytes Labs:

• Ransomware attacks Finalsite, renders 8,000 school sites unreachable for days
• Patchwork APT caught in its own web
• Sophisticated phishing scheme spent years robbing authors of their unpublished work
• Google and Facebook fined $240 million for making cookies hard to refuse
• New iPhone malware spies via camera when device appears off
• Hackers take over 1.1 million accounts by trying reused passwords
• Intercepting 2FA: Over 1200 man-in-the-middle phishing toolkits detected
• Card skimmers strike Sotheby’s in Brightcove supply chain attack
• Careful! Uber flaw allows anyone to send an email from uber.com
• $10m of funds goes missing in what appears to be a cryptocurrency rug-pull
• Customer support scammers take aim at NFT enthusiasts
• Purple Fox rootkit now bundled with Telegram installer
• What angered us most about cybersecurity in 2021: Lock and Code S03E01

Stay safe!

The post A week in security (January 3 – 9) appeared first on Malwarebytes Labs.

Number seven(?) in an eight-part series. 

This is a compilation of the best eight entries from Prince’s recent No ArtPunk contest. Basically, you had to use published monsters, magic items, etc, with one unique allowance allowed in each category. Settle in, I’m reviewing one adventure at a time. Also, I admit that an orgy of women, wine, bread, circuses, and self-absorbed loathing kept me from reading Prince’s commentary earlier. So I’m going in to this blind. Let’s see what “winning” entries look like, shall we?

Fractious Mayhem at Melonath Falls Trent Smith 1e levels 3-5

This eighteen page adventure features four interconnecting cave systems around a waterfall with about forty or so rooms. A monster lair assault ala B2. It’s dense. It makes no apologies. 

Throw a dude a fucking bone Trent. Ok, so, let’s say your write the amazing adventure ever published. But you did it exclusively in iambic pentameter, in Inuit. And when people are like “Dude, can I get a version I can run?” you take a brief moment to glance at them and say quietly “fuck you.”

This is not the worlds greatest adventure. There is no explicit “fuck you” in it by the author. What it is, though, is a good adventure that is plagued by usability issues. And while I can’t be certain, it seems logical to assume that Trent knows about usability issues and has made a conscious choice to not worry too much about them.

This all means that I’m not running this adventure. Hey, this bottle of wine rates a 96 on Wine Review and costs $900/bottle. Or you can have this bottle that rates a 95 and runs $3 at Aldi. Look, that’s not a perfect analogy but you get where I’m going: why put up with X when I can have Y that is almost the same thing? Every adventure ever written is now available to a DM. This isn’t an appeal to the massive production values of the overly laid out monstrosities that haunt certain segments of the hobby. But, presumably, we share out works with others because we’d like them to get some use out of it. If they aren’t going to use it then what’s the purpose? Creation for the sake of creation? Sure. But that’s not an adventure. That’s a personal art project. It’s 2022. It’s time to beef up our formatting/layout/usability skills … just a little. I’m a firm believer that you can get to about 80% in about a week. Spend a week for a big step up.

It should be obvious where this review is going. I like this adventure. It’s a more intelligent B2, with a lot more depth to it. Four interconnecting cave systems with multiple paths through it. The maps have a good deal of variety and depth to them, loops, multiple paths, halls running over or under others. And the verticality of the waterfall itself. 

We’ve got a pretty traditionally lair complex. You’ve got the beast caves, made up of bullywugs and giant catfish/frogs/etc. You’ve got the rando monster cave ala the Owlbear in B2. Hook horrors in a cave cut off from the rest of the system. Then you’ve got the Xvart lair, with a fully fledged Xvart society. Women, kids, MU’s, stevedores, etc.

Who are gonna FUCK. YOUR. SHIT. UP. They busting out of secret doors. They got an order of battle. They ain’t taking no shit from the party. It’s quite the complex environment, replete with wererats doing their conspiracy shit, prisoners, and the like. 

And it’s all wrapped up in what is essentially a wall of text. I’m looking, right now, at a full colum of small text that describes the secret room of the wererat boss. It’s furnished with a bed, lounging chair, brazier, desk, rug, and chest, the text tells us. And then a LONG paragraph about how the assassins guild views him. And then one that starts by telling us that thened, chair rug and brazier are remarkable, though the rug has a resale value of 500gp, it’s encumbrance value. And on and on and on it goes. 

What we have here is minimalistic descriptions. The classic minimal description. Bed, rug, chair, brazier. But then, when something IS remarkable, then EVERYTHING about it needs to come out. Rooms are large, chambers are empty. Descriptions aer not evocative. But the entire thing is DESIGNED. This IS a xvart cave lair. The descriptions are not laundrylists of room contents. It’s not expanded minimalism. It’s a weird mix of minimalism and then picking a topic in the room and expanding on it, hidden depth style. 

It’s fookin DESNSE. And you’re not gonna get ANY help from the designer in running it. It is what it is and you’ll gonna have to live with it. Take it apart. Highlight the fuck out of it. Take copious notes. 

And I don’t do that anymore. That’s not what an adventure is to me. I’ll pick something else, equally good or better, that is easier for me to run.

This is Pay What You Want at DriveThru, with a suggested price of $10. Proceeds are going to the Autism Research Institute.
https://www.drivethrurpg.com/product/379533/No-ArtPunk-Vol-1?1892600

Finalsite, a popular platform for creating school websites, appears to have recovered significant functionality after being attacked by a still-unknown ransomware on Tuesday, January 4, 2022. At least 8,000 schools are said to have been affected by the resulting outage.

An important message from Finalsite: pic.twitter.com/BXW5dzfJS3

— Finalsite (@Finalsite) January 6, 2022

According to an open letter published on its Twitter account:

On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment.

In the time since the incident, our security, infrastructure, and engineering teams have been working around the clock to restore full backup systems and bring our network back to full performance, in a safe and secure manner.

Internet users who are directly or indirectly affected by this ransomware incident took to Reddit to raise some concerns. User /u/flunky_the_majestic writes: “Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol. The impact of this outage is far greater than the attention it has received.” [1]

Some Reddit users also used this thread to complain about K12 schools continuing to use old technology and the challenges they faced on why it has remained this way. This is a notable one from someone who works in K12:

The first good news is the company says it has found no evidence of data theft.

The second good news is, as of Finalsite’s status entry hours ago, “the vast majority of front-facing websites are online.” As a caveat, it added that some of these sites still lack some functionality and content, such as admin log-in, calendar events, and the directory of constituent groups, which the team is working to restore. While the CMS company continues to restore from backups, investigation is ongoing still as of this writing.

The third and final bit of good news is related to the second: Finalsite got it so right by making and keeping backups of all their most important data. Remember that it’s not a matter of “if” but “when” ransomware—or another cyberthreat—strikes. Sometimes, companies who deem themselves secure can still get hit. And when (not if) they do, organizations need a recovery plan and the right kind of backups.

Companies restoring from backup in just a few days after an attack rather than paying the ransom is, by far, the least worst outcome. This is also quite difficult to pull off because of so many questions to consider first before doing anything. On top of that, there are instances where backups could fail us. Malwarebytes Labs’s podcast, Lock and Code, has covered this very dilemma. Listen to the full podcast below:

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

Finalsite also kept it simple and honest, which we greatly applaud. Some (if not most) organizations leave it at “sophisticated cyberattack”—perhaps for fear of ridicule or criticism over “not doing enough”. While this is understandable, Finalsite admitting they have been ransomware victims but are actually doing something about it is somewhat refreshing to see. We can only hope that other organizations, regardless of size, follow their example.

The post Ransomware attacks Finalsite, renders 8,000 school sites unreachable for days appeared first on Malwarebytes Labs.

Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks. In its most recent campaign from late November to early December 2021, Patchwork has used malicious RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT).

What is interesting among victims of this latest campaign, is that the actor has for the first time targeted several faculty members whose research focus is on molecular medicine and biological science.

Instead of focusing entirely on victimology, we decided to shade some light on this APT. Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own RAT, resulting in captured keystrokes and screenshots of their own computer and virtual machines.

Ragnatela

We identified what we believe is a new variant of the BADNEWS RAT called Ragnatela being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT.

Figure 1: Patchwork’s Ragnatela panel

Ragnatela RAT was built sometime in late November as seen in its Program Database (PDB) path “E:\new_ops\jlitest __change_ops -29no – Copy\Release\jlitest.pdb”. It features the following capabilities:

• Executing commands via cmd
• Capturing screenshots
• Logging Keystrokes
• Collecting list of all the files in victim’s machine
• Collecting list of the running applications in the victim’s machine at a specific time periods
• Downing addition payloads
• Uploading files

Figure 2: Ragnatela commands

In order to distribute the RAT onto victims, Patchwork lures them with documents impersonating Pakistani authorities. For example, a document called EOIForm.rtf was uploaded by the threat actor onto their own server at karachidha[.]org/docs/.

Figure 3: Threat actor is logged into their web control panel

That file contains an exploit (Microsoft Equation Editor) which is meant to compromise the victim’s computer and execute the final payload (RAT).

Figure 4: Malicious document triggers exploit

That payload is stored within the RTF document as an OLE object. We can deduce the file was created on December 9 2021 based on the source path information.

Figure 5: OLE object containing RAT

Ragnatela RAT communicates with the attacker’s infrastructure via a server located at bgre.kozow[.]com. Prior to launching this campaign (in late November), the threat actor tested that their server was up and running properly.

Figure 6: Log of threat actor typing a ping command

The RAT (jli.dll) was also tested in late November before its final compilation on 2021-12-09, along with MicroScMgmt.exe used to side-load it.

Figure 7: DLL for the RAT being compiled

Also in late November, we can see the threat actor testing the side-loading in a typical victim machine.

Figure 8: Threat actor tests RAT Victims and victim

We were able to gain visibility on the victims that were successfully compromised:

• Ministry of Defense- Government of Pakistan
• National Defense University of Islam Abad
• Faculty of Bio-Science, UVAS University, Lahore, Pakistan
• International center for chemical and biological sciences
• HEJ Research institute of chemistry, International center for chemical and biological sciences, univeristy of Karachi
• SHU University, Molecular medicine

Another – unintentional – victim is the threat actor himself which appears to have infected is own development machine with the RAT. We can see them running both VirtualBox and VMware to do web development and testing. Their main host has dual keyboard layouts (English and Indian).

Figure 9: Virtual machine running on top of threat actor’s main computer

Other information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they haven’t updated their Java yet. On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask their IP address.

Figure 10: Threat actor uses VPN-S

Under the VPN they log into their victim’s email and other accounts stolen by the RAT.

Figure 11: Threat actor logs into his victim’s email using CyberGhost VPN Conclusion

This blog gave an overview of the latest campaign from the Patchwork APT. While they continue to use the same lures and RAT, the group has shown interest in a new kind of target. Indeed this is the first time we have observed Patchwork targeting molecular medicine and biological science researchers.

Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding about who sits behind the keyboard. The group makes use of virtual machines and VPNs to both develop, push updates and check on their victims. Patchwork, like some other East Asian APTs is not as sophisticated as their Russian and North Korean counterparts.

Indicators of Compromise

Lure

karachidha[.]org/docs/EOIForm.rtf
5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6

RAT

jli.dll
3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3

C2

bgre[.]kozow[.]com

The post Patchwork APT caught in its own web appeared first on Malwarebytes Labs.

Three years ago on Quora, someone asked what writers do to keep their manuscripts from being stolen. One of the top answers reads as follows:

You’re joking, right? It’s hard enough to get people to read your novel once it’s out on Amazon, much less reading it before it’s finished…unless you’re George RR Martin, nobody is trying to get your unpublished, unedited manuscript.

That optimistic piece of advice doesn’t really hold true anymore, if it ever did. In a scheme reminiscent of some sort of comic book supervillain, Filippo Bernadini was arrested at JKF International Airport on Wednesday. The reason? He stands accused of allegedly impersonating publishing professionals to obtain unpublished manuscripts. Charges include “wire fraud and aggravated identity theft”. The wire fraud aspect alone carries a potential maximum sentence of 20 years.

Throwing the book at crime

From the FBI indictment:

…an indictment charging FILIPPO BERNARDINI with wire fraud and aggravated identity theft, in connection with a multi-year scheme to impersonate individuals involved in the publishing industry in order to fraudulently obtain hundreds of prepublication manuscripts of novels and other forthcoming books.

This particular scheme had been rumbling along since “at least” 2016, and the accused individual worked in the publishing industry.

According to the FBI, multiple fake email accounts were created, impersonating real people in the publishing space. Not only that, but also publishing houses and talent agencies. Alongside this were “more than 160 internet domains”. The domains copied real entities, with deliberate use of slight typos in email addresses to further replicate the genuine article. These are common phishing tactics used by regular phishers, but here we can see it being deployed in a more targeted fashion.

Nice award. Can I have your next book, please?

There’s at least one example given of a Pulitzer prize-winning author tricked into sending a forthcoming manuscript to an imitation of a real well-known editor and publisher.

“Hundreds” of distinct people were impersonated in order to obtain manuscripts the phisher had no business accessing.

There’s also mention of gaining access to a New York literary scouting company, via bogus mails to employees and a fake domain for them to log into. Once they logged in, credentials were forwarded on to add another string in the “massive scam” bow.

This was all happening up until or around July 2021. It remains to be seen how the case will pan out for the accused, but it doesn’t sound great for him so far. It seems likely that this in-depth account of authors being contacted by fictitious publishers from August of last year is related to the above. If it isn’t, well, I guess we have two separate fake literary agent saboteurs to contend with.

What can writers do to keep their work safe?

A lot of the security issues in this story boil down to phishing, and phishing countermeasures. Most of the tips for authors for keeping their manuscripts safe tend to focus on backing up files. While some do mention security compromise, a few of the tips make me a little nervous. With that in mind:

• The Nathan Bransford article I’ve linked to above invites that the “technically disinclined” to email themselves a copy of their manuscript, but I’d be wary of emailing documents to myself or others in plain text. I also appreciate that there are some situations where you may be left with “email or nothing”. In those situations, you should make use of a tool which can encrypt your files before you attach them, such as WinZip. Be aware though that some forms of encryption are more secure than others.
• It also suggests placing documents in cloud storage. This puts a copy of your work in a different geograhpy than you laptop, which is good if there’s a fire, or you’re hit with ransomware, but it also means there’s another place your work can be stolen from. If someone manages to guess your cloud login, and you don’t have 2FA enabled, they have your documents. To prevent this, I suggest you enable two-factor authentication on your cloud accounts, and consider encrypting your files before uploading them.
• If you really don’t like the idea of leaving documents on your desktop, store them on an external drive. The usual caveats apply: Encrypt, encrypt, encrypt. On the very remote chance someone breaks in and steals it, or more likely, you lose it somewhere, it’ll help keep the files safe from prying eyes.

Again, these tips are really for everyone and all kinds of files. They’re not specific to budding or even professional writers. However, they can still make full use of them. And you don’t even have to be George R.R. Martin to do it.

The post Sophisticated phishing scheme spent years robbing authors of their unpublished work appeared first on Malwarebytes Labs.

French privacy watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL), has hit Google with a 150 million euro fine and Facebook with a 60 million euro fine, because their websites—google.fr, youtube.com, and facebook.com—don’t make refusing cookies as easy as accepting them.

The CNIL carried out an online investigation after receiving complaints from users about the way cookies were handled on these sites. It found that while the sites offered buttons for allowing immediate acceptance of cookies, the sites didn’t implement an equivalent solution to let users refuse them. Several clicks were required to refuse all cookies, against a single one to accept them.

In addition to the fines, the companies have been given three months to provide Internet users in France with a way to refuse cookies that’s as simple as accepting them. If they don’t, the companies will have to pay a penalty of 100,000 euros for each day they delay.

GDPR

EU data protection regulators’ powers have increased significantly since the General Data Protection Regulation (GDPR) took effect in May 2018. This EU law allows watchdogs to levy penalties of as much as 4% of a company’s annual global sales.

The restricted committee, the body in charge of sanctions, considered that the process regarding cookies affects the freedom of consent of Internet users and constitutes an infringement of the French Data Protection Act, which demands that it should be as easy to refuse cookies as to accept them.

Since March 31, 2021, when the deadline set for websites and mobile applications to comply with the new rules on cookies expired, the CNIL has adopted nearly 100 corrective measures (orders and sanctions) related to non-compliance with the legislation on cookies.

Responses

Google said in a statement that “people trust us to respect their right to privacy and keep them safe” and that the company understands its “responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision”.

Facebook said it’s reviewing the authority’s decision. Here it may be important to note that the CNIL fined Facebook Ireland Limited, rather than Facebook France, since the head office in Ireland presents itself as the data controller of the Facebook service in the European region.

The procedure

As an example we’ll follow the cookie management procedure for YouTube, which was one of the sites the CNIL objected against.

A first time visitor (or more precisely, someone without any cookies from a previous visit) is presented with this consent form:

YouTube’s cookie consent popup

The user’s options are to either accept all the cookies by clicking “I AGREE”, or to click “CUSTOMIZE”, which results in a multitude of choices to be made about search customization, YouTube History, ad personalization, managing cookies in your browser, and managing data Google Analytics collects on sites you visit.

The first three entries are simple On/Off settings.

The first three options in YouTube’s cookie customization screen

The last parts however point to instructions or link to other sites, which in general come down to “You can change your browser settings to reject some or all cookies.”

YouTube’s instructions on managing cookies and data

This explains why the French watchdog objects to the skewed balance between accepting or rejecting cookies from these sites—the path to privacy is long and difficult.

The everlasting battle

Internet giants like Meta (Facebook) and Alphabet (Google) depend on advertising. Advertising represented 98% of Facebook’s $86 billion revenue in 2020, and more than 80% of Alphabet’s revenue comes from Google ads, which generated $147 billion in 2020.

Advertisers can bid on specific words and phrases, and target specific demographics, geographies or interests, and this ensures ads show up to relevant users at relavent times, or so the theory goes. To find out who the “relevant users” are ad companies gather massive amounts of information about users, and that is where our privacy comes into play.

The information is stored in giant databases about us, and the link between us and our database entries are the cookies in our browser. The cookie acts like an ID badge, you show it every time you hit a Google or Facebook page, or any time you hit a page that includes a like button, some Google Analytics code, or anything else loaded from a Google or Facebook domain.

Sometimes that’s useful. Logging in to a website would be impossible without a cookie “ID badge”—you’d have to provide your password on each and every page instead. But sometimes the ID badge is doing someting that’s useful to somebody else rather than you, such as allowing them to silently build a personal profile about you.

Luckily, sites rarely use one cookie for everything and typically use different cookies for different features. This is why YouTube customization options are so convoluted, and why adblockers and privacy plugins work at all. With a decent tool it’s possible to block or refuse the cookies you don’t like and keep the ones you do.

If you want to clear out everything and start again, take a look at our quick guide, How to clear cookies”.

Dark patterns

YouTube’s choice between “I agree” and “Customize” rather than “I agree” and “I don’t agree” is an example of a dark pattern, a desgin that subtely and deliberately nudges you in the direction of a choice that benefits the designer. They are everywhere on the web, and they’re a problem.

In June 2021, Malwarebytes Labs’ David Ruiz spoke to dark patterns expert Carey Parker on the Lock and Code podcast. To learn more about dark patterns and how to spot them, listen below.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

The post Google and Facebook fined $240 million for making cookies hard to refuse appeared first on Malwarebytes Labs.

"Used by both the Stellar Exploration Corps and the Terran UnionSpace Navy, the Polixenes was a design initially commissioned bythe navy to provide fast and efficient fleet communications.With its two parsec jump drive the Polixenes can bridge the averagefive light year gap between most stars and a long range variantsacrifices the cargo space for additional fuel to provide an additionaltwo parsecNeedleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0

When removing malware from an iOS device, it is said that users need to restart the device to clear the malware from memory.

That is no longer the case.

Security researchers from ZecOps have created a new proof-of-concept (PoC) iPhone Trojan capable of doing “fun” things. Not only can it fake a device shutting down, it can also let attackers snoop via the device’s built-in microphone and camera, and receive potentially sensitive data due to it still being connected to a live network connection.

Stopping users from manually restarting an infected device by making them believe they have successfully done so is a notable malware persistence technique. On top of that, human deception is involved: Just when you thought it’s gone, it still pretty much there.

The researchers dubbed this overall attack “NoReboot,” and it does not exploit any flaws on the iOS platform. This means Apple cannot patch for it.

How they did it

So how does the malware stop the actual device shutdown from happening while making it look like it did to users? In a nutshell, the researchers hijack the shutdown event on an iOS device. This involves injecting new code to three daemons—programs that run in the background that have their own unique functions: InCallService, SpringBoard, and Backboardd.

The three inherent iOS daemons that the malware has to modify in order to pull a succesful fake out. (Source: ZecOps)

InCallService is responsible for sending the “shutdown” signal to SpringBoard when a user manually turns off the iOS device. The researchers were able to hijack this signal using a hooking process. So instead of InCallService sending the signal to SpringBoard as it’s supposed to, it instead signals SpringBoard and Backboardd to execute the codes injected into them.

The code in SpringBoard tells it to exit, not launch again, and only respond to a long button press. Since SpringBoard responds to user interaction and behavior, the daemon being unresponsive gives the impression that the device is off when, in fact, it’s not.

The code in BackBoardd, on the other hand, tells it to hide the spinning wheel animation, which pops up when SpringBoard ceases to work.

Screenshot of code snippets that are injected into SpringBoard and BackBoardd. (Source: ZecOps)

At this point, the iOS device looks and feels like a brick. But note that it’s still pretty much on, still connected to the internet, and still has functional features readily available for remote exploitation. Note that once an iOS device is infected with NoReboot, it starts its snooping via the camera.

Just as the device shutdown is simulated, NoReboot can also simulate a device to startup. And the BackBoardd daemon plays a huge role in this. Since SpringBoard is no longer functioning, Backboardd takes control of the screen and responds to user inputs, including long button presses. Backboardd is told to show the Apple logo, a known indicator that the iOS device has indeed been turned off, which makes users let go of the button and stop them from truly rebooting the device. Then SpringBoard is relaunched so Backboardd can give back its privilege to control the screen.

You can read more about how NoReboot works in detail in ZecOps’s post here.

Video demonstration of NoReboot. (Source: ZecOps) “Is this thing on?”

Since Apple introduced a feature that allows device owners to track their phones even when they’re turned off, things have never been the same. “On” remains on, while “off” is not-quite-off anymore. And this only gives attackers an opportunity to let their malware persist on affected devices.

NoReboot is a mere PoC at this point, but its code is already public. It’s only a matter of time before iOS attackers start incorporating this into their malware kits. That said, let’s arm ourselves with what we can do as users at this point.

If you suspect that your device is compromised by a NoReboot-like malware, you can keep pressing the force reboot buttons after the the Apple logo appears. Remember that this is a simulated reboot, and keeping the restart buttons depressed would force the infected device to truly reboot. iOS device owners can also use Apple Configurator, which you can download for free.

Stay vigilant!

(Kudos to Thomas Reed for additional helpful insights)

The post New iPhone malware spies via camera when device appears off appeared first on Malwarebytes Labs.

MooglyCAL2022 kicks off our 8th year of crocheting along together! And we couldn’t ask for a better start than this graphic and bold square from Jessie Rayot of Jessie At Home. This lovely block features big blocks of color, post stitches, and tons of texture. Get all the details for this free crochet along, as...

Read More

The post MooglyCAL2022 – Block #1 appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

0