Techie Feeds

Avoid these Doctor Who Series 11 scams

Malwarebytes - Mon, 10/08/2018 - 16:39

The new season of Doctor Who has finally landed on television screens around the world, and we’ve started to see the first few signs of spam and other assorted nonsense lumbering online.

A rash of YouTube accounts claiming to offer up the new series are making the rounds, all of which generally lead to the same final destination: a site that claims to offer free membership, but leaves some actual fees buried in the terms and conditions if you presumably want to access the promised content.

If you go hunting for Doctor Who streams at the moment, you’re liable to see a bunch of results similar to the below, posted from multiple accounts. Here are a few advertising episode 1 of the latest series:

Here’s one doing the same thing, but with Peter Capaldi in the promo pic instead, and I can let them off with this, seeing as it’s Peter Capaldi.

All of them claim to offer up the upcoming Series 11 (even the ones using pictures from older series), but even from the outset, the videos should make you a little bit wary.

For starters, there’s no preview clips of the content. Instead, the videos pop a blink and you’ll miss it promo shot of Doctor Who which is immediately replaced by random upload content.

How random? Well, it’s everything from what sounds like mid 2000’s pop music and video game streams to weird spinning graphics and pulsating lights. Essentially, absolutely nothing to do with Doctor Who and everything to do with a solid hour of cut and paste garbage in a bid to evade YouTube copyright detection and/or pad out the video length. Even Love & Monsters didn’t drag on this long.

Depending on which spammy YouTube account you start from, you’ll either be given a direct link to one of the supposed Doctor Who content portals or a Bit(dot)ly link for a second site claiming to do the same thing.

From there, you’ll end up on one of a number of cookie-cutter identikit websites, which offer up more glimpses of the new Doctor with a play now button. Here’s one:

Wherever you’ve come from, clicking through the continue buttons pops a “Create free account” box. The shot below is from the other site, bestv(dot)online, at the same stage in the process. It may as well be the same website.

Note that although “Create free account” is prominent, it does say off to the side that you can “Try this service for free.” A lot of people might assume there’s no cost here, but trying a service for free generally tends to imply charges down the line, perhaps by having to upgrade an account to be able to access anything remotely worthwhile.

We’ve seen lots of websites that look like our final destination down the years; many claim to offer free books, games, videos, and more. Search for the site names online though, and you’ll often find disgruntled users complaining that after joining, they were simply given lists of third-party download sites to try, or links to pirated content like this author claims in the top comment, or (occasionally) not even that.

This one, called “Basilplay,” follows a similar design format for the template if nothing else with liberal splashings of the word “free” all about the place. “Free and unlimited games, books, movies, and more.” “Sign up for free.” “Please create a free account to access unlimited downloads and streaming.”

That all sounds very, well, free. Doesn’t it?

If you check the inevitable T&Cs, however, things become a little unclear. They state that there’s a “standard” account that doesn’t cost any money (they still want some payment information at time of registration either way), and a “premium” account, which gives full access to whatever content they claim to be offering. There’s nothing on site that shows the specifics of what you get versus what you don’t get for paying, so you’re effectively signing up with zero idea of what’s on the other side.

The premium rolling subscription, according to the T&Cs, is $89.95 a month. Not so much Doctor Who, as Doctor Whoo-boy. For that sort of money I’d also want to know who said “Silence will fall” in the TARDIS.

A few of the landing pages seem to be rotating out sites, so you might end up on Basilplay, or you could find yourself materialising on a similar site located elsewhere:

Curiously, we revisited the Basilplay site while putting together this blog, and it seems to have taken on a Time Lord–style regeneration of its own:

I’m not sure where Doctor Who series 11 has gone, but I don’t think we’re going to be seeing humorous references to reversing the polarity of the neutron flow on a site suddenly all about video games, do you?

Doctor Who has long since become a global brand at this point, and it’s frankly never been easier to catch it on any number of mainstream, legal channels, including purchasing DVDs, streaming, or even just watching it live. In fact, you could really get into the swing of things and Timeshift, which seems highly appropriate.

However you do it, you don’t need to bother with spammy YouTube videos, clickthrough portals, or landing pages that offer books and TV shows one day, but focus on video games the next.

Now that the new series is up and running, you can expect a lot more antics similar to the above across many corners of the Internet. As always, if it seems too good to be true, then do yourself a favour and jump back into the TARDIS. A crack in time is bad enough, but a crack in your bank balance is even worse. 

The post Avoid these Doctor Who Series 11 scams appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (October 1 – 7)

Malwarebytes - Mon, 10/08/2018 - 16:31

Last week, Malwarebytes welcomed National Cybersecurity Awareness Month by renewing our pledge to do what we do best: offer the best protection for our customers and promote security awareness for all.

On Labs, we raised the question of whether it is a good idea to bring your own security or not, talked a little bit more about fileless malware, homed in on a malware campaign targeting Fortnite gamers, and looked into LoJack, a bootkit malware that has been targeting government entities.

Other cybersecurity news:

Stay safe, everyone!

Fileless malware: part deux

Malwarebytes - Fri, 10/05/2018 - 15:00

In part one of this series, we focused on an introduction to the concepts of fileless malware, providing examples of the problems that we in the security industry face when dealing with these types of attacks.

In part two, I will be walking through a few demonstrations of fileless malware attacks that I have created. These labs demonstrate the problems we face when trying to detect fileless malware.

I will first start off with a demonstration of malware that is detected strictly with static signatures. The file I will be using is a custom binary, which I created from scratch and does not actually perform malicious activities. It is completely benign.

The reason for using a benign file for the demo is that I do not want any of the other more advanced components of the AV to kick in and try to detect this file. I want to show what happens when we rely purely on static signatures. We have simply created a static signature for this specific binary so that when executed or scanned on any computer running Malwarebytes, it will be detected.

After this test, I will then run a real malware sample via the same fileless methods to illustrate the detection technology that needs to be in place to catch the threat.

Before we begin, I will first cover how static detections work in order to make clear what exactly is being evaded with these fileless methods. Then I will cover some more sophisticated detection methods, which in this modern age of security are the most important components to detect the new and unknown threats.

Static detection

There are a few ways to detect malware statically. The most basic, and frankly, the most useless detection method nowadays is hashing the file. In this case, there is a one-to-one ratio of signatures to malware samples.

In order to have a single signature cover a lot more ground, modern-day static detection engines extract key areas of the binary and allow signatures to be written against specific opcodes or strings within sections of the binary. The best open-source example of this is YARA rules. If you are unfamiliar with YARA, please take a minute to look it up, as it is a valuable tool for malware analysis.

Below is an example of a detection using YARA. The example rule is completely random and not made to detect any malware.

rule ExampleDetection
{
    strings:
        $hex_string = { AA (BB | CC) [3] FF [2-4] 00 }
        $string1 = "malString" wide ascii fullword
        $hex2 = { CC DD 33 DD }

    condition:
        $hex_string and #string1 > 3 and $hex2 at entrypoint and filesize > 200KB
}

A single rule like this, although it falls into the category of static signatures, can detect hundreds or thousands of malware samples that share similar characteristics. A good static signature still leaves you some flexibility and detects malware even when its author modifies the code.

But even though these static detection methods are quite effective in certain cases, there are a few major downfalls. The first and most obvious downfall is that if the binary's opcodes and strings are changed beyond what the signature writer took into consideration, the detection will no longer trigger. This is the main reason why antivirus products have added more dynamic methods for detecting sophisticated malware to their solutions. These include behavioral signatures, behavioral detections, heuristics, self-contained emulators, machine learning, and artificial intelligence.
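To make the difference between a hash signature and a pattern signature concrete, here is an added Python example; it is not code from the post or from any vendor's engine. It implements a small matcher for YARA-style hex strings (literal bytes, ?? wildcards, (A | B) alternatives, [n] and [n-m] jumps), applies a simplified form of the rule above (the $hex_string pattern plus the #string1 > 3 count; wide, fullword, at entrypoint and filesize are not modelled) to three constructed byte strings, and compares the result with a SHA-256 hash signature written for the first of them. The "binaries" are made-up data, not real samples.

```python
import hashlib
import re

# Constructed "binaries" for the demo: made-up byte strings, not real samples.
ORIGINAL = (
    b"MZ\x90\x00"                                  # fake header
    + b"\xaa\xbb\x01\x02\x03\xff\x10\x20\x00"      # region the hex pattern was written for
    + b"malString\x00" * 4                         # four copies of the marker string
    + b"\x00" * 16
)
# The author changes the alternative byte (BB -> CC) and the three bytes under the [3] jump.
VARIANT_MINOR = ORIGINAL.replace(b"\xaa\xbb\x01\x02\x03", b"\xaa\xcc\x09\x08\x07")
# The author inserts six bytes between FF and 00, more than the [2-4] jump tolerates.
VARIANT_MAJOR = ORIGINAL.replace(b"\xff\x10\x20\x00", b"\xff\x10\x20\x30\x40\x50\x60\x00")

# A hash signature written for the original sample.
KNOWN_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()


def hash_signature(sample: bytes) -> bool:
    """One-to-one detection: only the exact original bytes match."""
    return hashlib.sha256(sample).hexdigest() == KNOWN_SHA256


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string into a bytes regex.

    Supported: literal bytes, ?? wildcards, (A | B) alternatives, [n] and [n-m] jumps.
    """
    tokens = re.findall(r"\(|\)|\||\[\d+(?:-\d+)?\]|\?\?|[0-9A-Fa-f]{2}", pattern)
    parts = []
    for tok in tokens:
        if tok == "(":
            parts.append(b"(?:")
        elif tok in (")", "|"):
            parts.append(tok.encode())
        elif tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


HEX_STRING = hex_pattern_to_regex("{ AA (BB | CC) [3] FF [2-4] 00 }")
STRING1 = b"malString"


def pattern_signature(sample: bytes) -> bool:
    """Simplified form of the rule above: $hex_string and #string1 > 3.
    (ascii only; wide, fullword, at entrypoint and filesize are not modelled.)"""
    return HEX_STRING.search(sample) is not None and sample.count(STRING1) > 3


def evaluate(sample: bytes) -> dict:
    """Run both signature types against one sample."""
    return {"hash": hash_signature(sample), "pattern": pattern_signature(sample)}


if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL),
                         ("minor variant", VARIANT_MINOR),
                         ("major variant", VARIANT_MAJOR)]:
        print(f"{name:14s} {evaluate(sample)}")
```

The minor variant defeats the hash but not the pattern, because the rule's alternative and jump absorb the change; the major variant pushes the region covered by [2-4] past four bytes and defeats both, which is the first downfall described above.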

Some of these technologies are included in Malwarebytes’ consumer and business products, and are listed below:

The second downfall to static signatures is what I will be illustrating in this first lab. If there is no binary on disk to run a static signature against, then the static signature has nothing to detect against. So, in short, it fails. This is where the fileless attacks succeed.

In a perfect world, with unlimited computing power, we would theoretically be able to extract every bit of data from memory at all times and run static signatures against them to overcome this downfall. But because performance is always an issue, this is not possible, and static signatures will fail in this scenario. Having said that, I will proceed to the first lab.

Lab 1: Static-only bypass

First, I will run the test detection file manually on a system with Malwarebytes so that we can see the static signatures portion catching the file.

As you can see, the file was detected as Trojan.Vhioureas.POC. Again, this is because I created a test detection on a unique string I made using this simple program. If the program succeeds, it will pop up a calculator application.

Now I will load the same test file using the inception framework: a fileless execution framework.

As you can see, the vhioureasPOC file did not trigger any detection, and Calc popped up. The reason is that the inception framework streamed the malware source completely from a server and executed it purely within memory.

You can see this in the command parameter to UpdateService.exe, which is the inception client loader binary. It pulled the source code of the vhioureasPOC from the server I set up at the address in the URL. The fileless streaming method evaded the static signature engine of the AV.

Inception framework

Before continuing on to Lab 2, I will discuss the inception framework and how it can be used to load any .NET executable in memory. We will start with the server side.

The server side of inception has two main components: the payload generator and the actual malware server. The payload generator takes a C# source code file as input and provides you with a custom URL token for fetching on the client's side.

After we have generated the payload, when we run the malware server component, we can retrieve the source code in an encoded form via any HTTP request. For example, if we navigate to the generated URL in a browser on our client machine, we will see a long base64 string in the browser window. This is the payload.

Now, moving on to the client side of inception. The client in and of itself is benign. It does not contain any malicious code. It's simply a command-line tool that takes a URL as input. It fetches whatever is on the end of that URL and attempts to read it in as text, specifically looking for properly formatted C# source code. It then takes the C# text and, using the operating system's native compiler, performs run-time compilation purely in memory. It then executes the generated code.

This is how we were able to evade the static detection engine. There is never any point in which the malware code from the server exists on the hard drive. Because of that fact, there is no file for the static engine to scan.

As a side note, I would like to add that in general, no AV detects the source code of a compiled language. The reason is that source code can never run without being compiled, and thus can never cause harm on its own. This is an interesting point because even a network signature, such as one in Snort or any other IDS, would be unlikely to pick this up. The malicious binary is never streamed; only the source code is. So it evades all static signatures, even on the network side.
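The side note above is worth seeing from the network side. The following is an added Python example, not code from the post or from the framework it describes: it contrasts the byte-level check a network signature for a transferred executable would make (the MZ header) with a decode-and-inspect heuristic that base64-decodes a response body and counts tokens characteristic of C# source. The response bodies are constructed for the demo (a harmless hello-world program, an API JSON reply, opaque base64 text, and the start of a fake PE file), and the marker list is my own heuristic, not anyone's production rule.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample response bodies; none of these are captures of the framework described above.
BENIGN_SOURCE = (
    "using System;\n"
    "class Hello {\n"
    '    static void Main() { Console.WriteLine("hello"); }\n'
    "}\n"
)
STREAMED_SOURCE_BODY = base64.b64encode(BENIGN_SOURCE.encode())   # source code travelling as base64
JSON_BODY = b'{"status": "ok", "items": [1, 2, 3]}'               # ordinary API traffic
OPAQUE_B64_BODY = base64.b64encode(b"just some plain text, nothing to compile")
PE_BODY = b"MZ\x90\x00" + b"\x00" * 60                             # start of a (fake) PE file

# Tokens that rarely appear together outside C# source code (my own heuristic list).
CSHARP_MARKERS = [
    re.compile(r"\busing\s+System[\w.]*\s*;"),
    re.compile(r"\bstatic\s+(?:void|int)\s+Main\s*\("),
    re.compile(r"\b(?:public\s+|internal\s+)?(?:static\s+)?class\s+\w+"),
    re.compile(r"\bConsole\.\w+\s*\("),
    re.compile(r"\bnamespace\s+[\w.]+"),
]


def has_pe_header(body: bytes) -> bool:
    """What a byte-level network signature for a transferred executable looks for."""
    return body[:2] == b"MZ"


def try_base64_decode(body: bytes) -> Optional[bytes]:
    """Strict base64 decode; None when the body is not base64 at all."""
    compact = re.sub(rb"\s+", b"", body)
    if not compact or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def count_csharp_markers(text: str) -> int:
    """Number of distinct C# markers present in the decoded text."""
    return sum(1 for marker in CSHARP_MARKERS if marker.search(text))


def inspect_response(body: bytes) -> dict:
    """Layered check: byte signature first, then decode-and-inspect for streamed source."""
    result = {"pe_header": has_pe_header(body), "decoded_base64": False, "csharp_markers": 0}
    decoded = try_base64_decode(body)
    if decoded is not None:
        result["decoded_base64"] = True
        result["csharp_markers"] = count_csharp_markers(decoded.decode("utf-8", errors="replace"))
    result["verdict"] = "suspect" if result["pe_header"] or result["csharp_markers"] >= 2 else "clean"
    return result


if __name__ == "__main__":
    for name, body in [("streamed source", STREAMED_SOURCE_BODY), ("json", JSON_BODY),
                       ("opaque base64", OPAQUE_B64_BODY), ("pe file", PE_BODY)]:
        print(f"{name:16s} {inspect_response(body)}")
```

The MZ check never fires on the base64 body, which is the point the paragraph makes; the decode-and-inspect pass does, because four of the five markers survive decoding. The opaque base64 body decodes fine but scores zero, so a threshold of two markers keeps ordinary encoded traffic out of the alert queue.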

Fighting this threat

Given that we evaded the static engine, modern-day antivirus products, as I mentioned earlier, must contain technology to dynamically detect malicious activity on the system rather than simply match malicious signatures.

To test that this technology exists and works properly, we will be running inception once again against the victim machine, only this time it will be with a payload which actually performs malicious functionality to the victim. We should hope that the AV engine has the ability to determine that the execution on the system is malicious based on its activity. This is exactly what we will be testing in Lab 2.

Lab 2: fileless ransomware

For this lab, I will load the source code of a ransomware sample via inception. Essentially, nothing changes from the steps above. Only now, the payload generation on the server side points to a ransomware source code file instead of the POC test.

As you can see, a detection was triggered this time. Although the static engine did not detect the malware, the application behavior portion of the engine stepped in and determined that there was malicious activity on the system that behaved like ransomware, and it triggered the detection. This is why you see it detected as Ransom.Agent.Generic.

Static vs. dynamic

I have created these demonstrations to show some of the problems that fileless malware can cause—mainly that it was able to easily bypass static engines. This doesn't mean that I believe static signatures do not have their place in malware detection. I am simply showing their weakness when it comes to fileless attacks.

Static signatures help researchers properly classify malware families and provide more detailed detections. This is usually because, behind a signature, there is a malware analyst who has spent the time to research and understand the malware's characteristics. I have seen many situations where a good signature has caught malware that a machine learning engine failed to identify. However, when the static detection fails, dynamic detection must take over. This symbiosis is key.

I am of the school of thought that both static and dynamic detection are necessary, and a good mix of both is still extremely valuable. Typically, when an anti-malware vendor uses signatures in addition to next-gen technology in its repertoire, that's a sign that there are active malware analysts on the other side of the screen.

This gives me peace of mind—that vendors are not leaving the fight against malware purely up to algorithms and technology. Technology is not quite advanced enough to be left fully in charge, and in the meantime, a mixture of humans and technology, malware analyst and machine, is still the best bet.

Stay tuned for part three of this series, where I will provide a detailed analysis of various fileless malware families.

LoJack for computers used to attack European government bodies

Malwarebytes - Thu, 10/04/2018 - 15:00

Security researchers have detected the first known instance of a UEFI bootkit being used in targeted campaigns against government entities across Central and Eastern Europe. The attack focuses on UEFI-enabled computers and relies on a persistence mechanism that has been stolen from a legitimate, but often questioned, piece of software called Computrace that comes by default on many computer systems.

This Computrace agent from Absolute Software is a service designed to recover lost or stolen computers, the underlying technology of which is based on the LoJack Stolen Vehicle Recovery System. In 2005, Absolute Software licensed the LoJack name and subsequent tracking technology to aid in recovery efforts of stolen computers. After negotiations with manufacturers, the Computrace agent from Absolute Software—or LoJack for computers—now comes pre-loaded on a large number of machines.

The Computrace software uses a novel method to maintain persistence on computers. This methodology allows the code to remain through a re-installation of the operating system or replacement of the hard drive. The software does this by tightly integrating into low-level operations that are stored within SPI flash memory modules located on the physical motherboard of the computer. These memory modules are where pertinent system resources, such as BIOS and UEFI procedures, are stored.

An ESET white paper details how Trojanized versions of the Computrace agent have been compromised to allow attackers the ability to execute arbitrary code on vulnerable machines. This code can be stored within the SPI flash modules, which prevents easy detection by many security solutions. This code execution ability, along with the persistence and tracking capabilities of the Computrace software, makes for an extremely effective combination that is difficult to detect or remediate. ESET is calling this threat the LoJax malware.

As of this writing, use of this particular attack methodology appears to be limited in scope. Research indicates that the purpose of this novel attack vector has been to install the XAgent Remote Access Trojan, which others in the security industry have linked to the Russian hacking group that goes by many names including: APT28, Fancy Bear, and Sednit.

The successful execution of the malware payload is dependent upon a computer system that has been configured to disable the Secure Boot protections that come standard on newer Windows computers.

Secure Boot is a security feature of UEFI-enabled computers, and it requires a valid digital signature before the system is allowed to execute any code stored within the SPI flash memory module. This is a current limitation of the LoJax malware, as the code does not have a digital signature. This prevents code execution in environments where Secure Boot is enabled, such as Windows 8 and Windows 10.

Users of Linux or other unsupported operating systems will not have the built-in protections of Secure Boot due to incompatibility with those devices. Users who must disable such protections in order to use necessary or desired software will need to remain diligent.

Though currently limited in scope, we anticipate seeing this attack vector employed by other malware families and attackers in the future.

Bring your own security (BYOS): good idea or not?

Malwarebytes - Tue, 10/02/2018 - 15:00

We’ve talked about the concept of Bring Your Own Device, or BYOD, on the blog before. BYOD is a popular policy whereby employees can bring personally owned devices, such as laptops, tablets, or smartphones, to work and use them to access data and applications. It helps to cut costs and can increase productivity, but it brings with it many security concerns and implications.

Similar in theory to BYOD is BYOS, or Bring Your Own Security. This method allows employees to choose which security solution they would like to run on their devices. Is this a natural evolution of BYOD, or does it bring with it more concerns? Do those concerns matter if the device that will be connected to the company network has its own security software installed?

BYOS concerns

Differences in the security software that runs on corporate systems and BYOS devices can give your IT department a headache—especially if said devices have access to company resources like shared drives. Are there any conflicts between the software on the devices and the security solutions running in the corporate environment? It’s certainly possible.

There could be gaps between the devices’ security programs and corporate systems that attackers could take advantage of. In fact, adding security software to an existing setup does not always enhance security—especially if the two products are of the same type, such as two large antivirus suites or two free remediation tools. Even worse, you could end up weaker than you were before.

In addition, misconceptions may lead device owners into a false sense of security. For example, some may believe they are protected behind the company’s firewall as soon as they connect to the corporate Wi-Fi, or even as soon as they walk in the door. But is that true?

Let’s look at a few scenarios involving both BYOD and BYOS, their pros and their cons, and the security implications that each scenario brings with it.

The scenarios

To begin jumping into the following scenarios, let’s first set the stage by presenting four possible ways the BYOS policy might be implemented, whether devices are personally owned or issued by the organization. They include:

  • The employee owns the device and has his own security software installed.
  • The employee is issued a company device that she may also use for personal purposes. She gets to choose and install whichever security software she wishes.
  • The employee owns the device, but in order to be allowed to use it for company matters, she must install the company’s choice of security software.
  • The company issues a device that came with its choice of security software installed.

Before we talk these scenarios through one by one, let’s first establish one thing up front: An employee running security software that he did not choose, nor is familiar with, is probably a bad idea. Unless it is a cloud-based product that can be administered from a central location, the employee should get some training on how to optimally use the solution. There is no stronger security for workplaces than user awareness. In fact, we would—and do—advise this no matter what the scenario.

Scenario 1: All on the user

In the first scenario, in which the employee uses his own device and security software, you might say that it’s good for the company to stay out of the way and trust its users. However, when it comes to matters of security for proprietary data, it’s never a good idea to let it all blow in the wind.

It’s easy to say that it would be the employee’s problem if anything were to happen to the data on his device, but what good would that do the company? The information would already be out there, and the loss of data, endpoints, productivity, and reputation would cost much more than a single salary.

As for the employee: Would he even come forward about the leak if the company had no control over his device in the first place? Probably not. The company might be able to trace the infection back to his device, but after how long? How long did information-stealing malware sit and propagate in the network? What sort of secrets will it expose to those willing to pay top dollar on the black market?

This scenario would be the single worst BYOS idea if it weren’t for…

Scenario 2: A rare scenario

In this scenario, the organization issues a device to its employee but expects her to choose her own security program.

This is a rare scenario for good reason. Perhaps a company’s own IT department might have its employees test out different vendors. Perhaps a user only makes phone calls or types up documents on her device, and doesn’t need the Internet to do her job. However, in any other case you’d have to have one trusting organization and one extremely security-wise workforce.

Otherwise, employees might go for the cheapest option if they need to spend their own money—or use a free, limited version instead. Or, if billing the company, they may just grab the only name they know without investigating if it’s a good fit for the device or the user. The only other explanation is that the company cares so little about the security of their devices and networks, that they’re willing to throw away money on them.

Scenario 3: Mostly pro, a little con

This situation calls for the employee to select the device, but the company to prescribe the security setup.

Here, the employee gets to either purchase or be reimbursed for the device she likes with the caveat that she must install security software that meets corporate guidelines. This is mostly a win-win scenario, as the employee gets to use the device she prefers, but the company can be reassured that the device is secure and safe to use in the corporate environment. In an ideal situation, the device can even be monitored by the corporate SIEM or cloud console.

One note on this scenario: While it’s an ideal setup for supplementary devices or remote employees, it might not make the most sense for users’ primary machines. This is because managing a fleet of different devices with different operating systems could get tedious for IT teams, even with the same security protocols followed.

Scenario 4: The company’s choice

The fourth scenario, where the company decides on the device and the security software, is the easiest solution for organizations, but decidedly neither BYOD nor BYOS. This sounds more like what an HQ worker might expect to receive from the IT department on the first day of employment.

While easiest to control, it’s also costly—whether the company is providing a single laptop or a supplementary smartphone. In this case, businesses should be prepared to defend against threats encountered by employees doing legitimate work or occasionally using the device for personal reasons, such as online shopping or social media. Companies should essentially treat this more or less the same as when an employee occasionally takes a company laptop home to do some work.

Installing security software on a corporate machine

A completely different scenario is one in which no outside device plays a role. Instead, employees bring their own security into the workplace environment. This does sometimes happen—people install their preferred security software on their work computers of their own initiative. For example, our telemetry tells us that our free consumer remediation product is downloaded and run on many corporate machines, used to clean malware that has slipped through the cracks of their workplace’s official security setup.

What we can’t see in our telemetry is whether this is done by users themselves or by someone from the IT team as an impromptu method to deal with an infection. Although using a free consumer product in a business environment is technically against the rules, it doesn’t pose a direct security risk. It does pose a question for the company’s IT department, however, who would probably like to know which threat managed to wriggle through their net and how.

Regardless, there’s a difference between employees installing free remediation tools for clean-up purposes only and those who install paid-for, active protection on top of network security. In the latter case, the active endpoint security conflicts with the active network software that is controlling the corporate environment. It’s like two dogs fighting over a bone: no one wins, because the bone (the malware) escapes.

Important considerations

The safest, most efficient way to implement workplace security for both the company and its employees is to come up with a corporate policy. When trying to decide on a BYOD security policy, there are a few points that should at least be considered. They include:

  • Which Operating Systems will you allow? Not every software can cover all the OSes, and if you want to go for uniformity or central management, this is an important issue.
  • Which software will you allow? And if you are going to use restrictions, will you be using a blacklist or a whitelist?
  • How detailed do you want your security policy to be? Are you going to give your employees a general outline or are you really going to drill down into details like minimum requirements for passwords or how to identify phishing emails?
  • Do you want to be able to monitor devices that fall under the BYOD setup from your central management console? And does that require the devices to meet certain specifications?
  • What happens to the devices when the employee leaves the company? Or better yet, what happens to the information, software, and other company-related data on the device?

Best practices

The list of best practices to turn any Bring Your Own Security setup into a successful and secure endeavor looks a lot like the list for any security guidelines, but we want to repeat the advice anyway:

  • Train your staff on basic computer hygiene, such as avoiding tech support scams, steering clear of links to unknown sources, and never opening attachments from suspicious emails. In addition, make sure they’re aware of what to do and what not to do in the event of a breach.
  • Create a fair policy that has been clearly communicated so that employees understand what is acceptable and what the consequences might be if they don’t comply.
  • Encrypt file storage and communications to lessen the chances of vital information or data falling into the wrong hands.
  • Ensure timely software updates for all. What’s the use of a system admin rushing to check, verify, and install updates when there are some devices roaming around that are a few patches behind?
  • Use a VPN for off-site communications to rule out eavesdropping and man-in-the-middle attacks.

There are pros and cons to most BYOS and BYOD scenarios—however, if a company’s IT team and workforce is prepared, many of these situations have a good chance to work out in the best interest of all involved.

Awareness of the possible implications is always a good starting point. Vigilance is security’s better half.

Fortnite gamers targeted by data theft malware

Malwarebytes - Tue, 10/02/2018 - 14:00

The new season of the incredibly popular video game Fortnite is upon us, and so too are the scams. It’s no surprise that con artists would jump on this bandwagon, eager to peddle their fakeouts.

Only this time, scammers had something a little more dangerous in mind than your typical low-level surveys and downloads that never actually materialize. Among all the gluttony of scams there hid a malicious file ready to steal data and enumerate Bitcoin wallets, for starters.

How did we find it? First, we sifted through a sizable mish-mash of free season six passes, supposedly “free” Android versions of Fortnite that had leaked out from under the developer’s nose, the ever-popular blast of “free V-Bucks” used to purchase additional content in the game, and a lot of bogus cheats, wallhacks, and aimbots.

Here’s the current state of YouTube, for example:

These videos can drive huge numbers: Here’s one that’s been pulled down, but managed to rack up 120,000 views before the hammer fell:

Almost all of the scam tomfoolery followed the typical survey route, as expected. But buried in all of this was a nasty little slice of data theft malware disguised as a cheat tool.

Offering up a malicious file under the pretense of a cheat is as old school as it gets, but that’s never stopped cybercriminals before. In this scenario, would-be cheaters suffer a taste of their own medicine via a daisy chain of clickthroughs and (eventually) some malware as a parting gift. Shall we take a look?

Setting the scene

The YouTube account offering this scam up has a little over 700 subscribers, and the video in question already had more than 2,200 views the day after being uploaded.

Clicking the link sends potential victims to a page on Sub2Unlock. This site differs from typical survey pages, where you’d normally click offers or fill in questions to obtain a theoretical reward. Instead, it asks you to hit subscribe on the social portal of the person sending you there in the first place. So there’s one difference, right off the bat.

Another difference is that a typical survey page requires you to actually complete a survey before progressing. Without doing this, you can’t gain access to a download link.

Here, we had no validation taking place during our testing. Clicking the subscribe button simply opened up the YouTube channel’s subscribe page but nothing checked to ensure we’d actually subscribed. All we had to do at this point was go back to the Sub2Unlock site and click the download button.

From here, gamers are whisked away to a site located at


This site is a fairly good-looking portal claiming to offer up the desired cheat tools, and it stands a fair chance of convincing youngsters of its legitimacy. A little bit more button clicking, and potential victims are taken to a more general download site containing what appears to be an awful lot of files alongside a wide range of adverts.

As far as the malicious file in question goes, at time of writing, 1,207 downloads had taken place. That’s 1,207 downloads too many.

File information

Malwarebytes detects this file as Trojan.Malpack, a generic detection given to files packed suspiciously. The actual payload could be anything at all, but it will invariably be up to no good. In this case, a little digging showed us the payload is a data stealer.

Once the initial .EXE (which weighs in at just 168KB) runs on the target system, it performs some basic enumeration of details specific to the infected computer. It then attempts to send that data in an HTTP POST request to an /index.php endpoint on a server in the Russian Federation, at the IP address 5(dot)101(dot)78(dot)169.

Some of the most notable things it takes an interest in are browser session information, cookies, Bitcoin wallets, and also Steam sessions.

Bizarrely, it also wrote this to our test system:

…Grateful Dead, anyone?

The IP address up above has been seen many times in relation to similarly named/themed files.

Lots of the files contained in this download are packed in entirely different ways. One of them has a process called “Stealer.exe.” Many more post the stolen information to /gate.php instead of index.php, which is a common sign of Zbot and a few others.

While this particular file probably isn’t that new, it’s still going to do a fair bit of damage to anyone that runs it. Combining it with the current fever for new Fortnite content is a recipe for stolen data and a lot of cleanup required afterward.

As a final note, we should mention the readme file accompanying the stealer advertises being able to purchase additional Fortnite cheats for “$80 Bitcoin.”

Given how things up above panned out, we’d advise anyone tempted to cheat to steer well clear of this one. Winning is great, but it’s absolutely not worth risking a huge slice of personal information to get the job done.

The post Fortnite gamers targeted by data theft malware appeared first on Malwarebytes Labs.

A week in security (September 24 – 30)

Malwarebytes - Mon, 10/01/2018 - 16:44

Last week on Labs was a busy one. We discussed how SMS phishing attacks target the job market, issued a warning for TV Licensing phishes, commented on how Apple confused Safari users with recent changes to how OSX handles browser extensions, and elaborated on holes found in Mojave’s privacy protection—deep breath! We also showed how a buggy exploit for CVE-2018-8373 is used to deliver Quasar RAT, discussed what is needed to fight back in the age of unwanted calls, gave some tips on how to protect your data from Magecart and other e-commerce attacks, and alerted our readers that millions of accounts were affected in the latest Facebook vulnerability.

Other cybersecurity news:
  • Tech firms back US privacy law to negate states. (Source: The Washington Post)
  • Microsoft rolls out confidential computing for Azure. (Source: Bleeping Computer)
  • Google recently made a change to simplify the way Chrome handles sign-in. (Source: The Keyword)
  • VirusTotal announces VirusTotal Enterprise. (Source:
  • 14 years imprisonment for man who helped hackers evade detection by antivirus software. (Source: Hot for Security)
  • Port of San Diego’s information technology systems disrupted by ransomware. (Source: Port of San Diego)
  • LoJax: the first UEFI rootkit found in the wild, courtesy of the Sednit group. (Source: WeLiveSecurity)
  • Telegram leaks public/private IP addresses of end users in desktop. (Source: inputzero)
  • iPhone XS passcode bypass hack exposes contacts and photos. (Source: ThreatPost)
  • Secret Service warns of surge in ATM ‘wiretapping’ attacks. (Source: Krebs on Security)
  • Mutagen Astronomy: Linux kernel ‘give me root, now’ security hole sighted. (Source: TheRegister)

Stay safe, everyone!

The post A week in security (September 24 – 30) appeared first on Malwarebytes Labs.

Malwarebytes is a champion of National Cyber Security Awareness Month

Malwarebytes - Mon, 10/01/2018 - 14:00

October is here. For most of us in the US cybersecurity industry, it’s the month when we commemorate National Cybersecurity Awareness Month (NCSAM). For those who are unfamiliar with this campaign, NCSAM generally aims at driving awareness for safe Internet use, whether you’re a regular consumer or top security executive. Protecting the Internet and keeping it safe is our shared responsibility.

And that’s why we at Malwarebytes not only pledge to provide the best protection for our home and business customers. We also commit ourselves to fostering cybersecurity education and awareness for all. Labs security researchers and writers are on the front lines every day, scouring the Internet for threats and reporting them, as well as how you can stay safe against them, here on the blog. We hope you continue to feel safe knowing we will always do our best to stop attacks, stomp out dangerous malware, and swat away annoying scammers.

In its 15th iteration, this year NCSAM will attempt to address current cybersecurity challenges, focusing on securing families and their homes, building a robust, cyber-aware workforce, and securing critical infrastructures. As such, themes assigned for each week of the month have been aligned according to this year’s objectives.

Below are the themes per week, a brief overview of each, and helpful links we recommend you, dear reader, start perusing.

Week 1: October 1–5

Theme: “Make Your Home a Haven for Online Safety”

NCSAM kicks off its campaign by going back to basics. Parents and caregivers, it’s time to brush up on your cybersecurity know-how and get your kids and the entire family involved. Check out these helpful Malwarebytes Labs posts if you need some inspiration:

Week 2: October 8–12

Theme: “Millions of Rewarding Jobs: Educating for a Career in Cybersecurity”

As that song goes, “I believe the children are our future.” And we believe that they can make a difference—for better or for worse—on the state of cybersecurity and the future of the Internet as we know it. Schools and teachers play a significant role in shaping the way our kids view and respond to the world, both in their real and digital lives. By molding young minds to be good citizens of the Internet and encouraging careers that honor that code, you can help clear the way for a better online experience for generations to come. Here are some references you may want to read up on:

Week 3: October 15–19

Theme: “It’s Everyone’s Job to Ensure Online Safety at Work”

The shortage of cybersecurity professionals is a genuine problem, especially for businesses that rely on a tight-running and secure ship to keep profit flowing and customers happy. A way to address this shortage is to change the tide by educating current personnel about the importance of taking cybersecurity seriously and how to respond in the event of a cyberattack. Small, medium, and enterprise-sized businesses can pilfer useful nuggets of wisdom from these blog posts:

Week 4: October 22–26

Theme: “Safeguarding the Nation’s Critical Infrastructure”

The uncovering of Stuxnet nearly a decade ago completely changed the way we see our critical infrastructures. Since then, there has been an active call to secure the 16 sectors that literally keep a nation running—and for a good reason. Lives are at stake.

While protecting our critical infrastructure may seem like a specialized topic dedicated to a particular audience, it’s not. Those working in the financial, health, and communications sectors, as well as in energy, electricity, and other utilities can contribute by taking on the seemingly impossible task of securing their organizations.

Note that good security hygiene is a start, but efforts shouldn’t stop there. We’ll explore this topic in depth come November, when we’ll be looking at election security and commemorating Critical Infrastructure and Resilience Month. For now, you can read through these posts for helpful insights:

If you or your organization want to take part in NCSAM, it’s never too late to register. You can visit the StaySafeOnline website and navigate to the Become a Champion menu link. After registering, you or your organization will be listed in the 2018 Champions page and receive helpful resources to educate yourself and spread awareness to others.

As always: Stay safe, everyone!

See also:

The post Malwarebytes is a champion of National Cyber Security Awareness Month appeared first on Malwarebytes Labs.

Millions of accounts affected in latest Facebook hack

Malwarebytes - Fri, 09/28/2018 - 19:39

Facebook announced earlier today that its social network had been hacked, resulting in almost 50 million accounts that were directly impacted, while another 40 million were also considered to be potentially affected.

Attackers exploited a feature in Facebook called “View As,” which essentially shows how your profile looks to others. The flaw enabled them to get ahold of so-called Access Tokens, which allowed them to be logged in as genuine Facebook users without having to use their password.

The feature has for now been turned off and the underlying vulnerability fixed. A law enforcement investigation is ongoing to determine the full scope of this hack and identify the perpetrators.

Facebook says it has taken action and that there is no need for users to reset their passwords, although it is a good opportunity to remind users that passwords should be complex and not reused across multiple services.

We recommend people follow the Facebook hack story to get a better idea of what exactly was accessed and take the necessary precautions. We will keep Labs readers informed of further developments.

The post Millions of accounts affected in latest Facebook hack appeared first on Malwarebytes Labs.

How to protect your data from Magecart and other e-commerce attacks

Malwarebytes - Fri, 09/28/2018 - 15:00

In today’s golden age of online shopping, consumers take to the Internet, punch in a few credit card details, and happily receive products at their doorstep, safe in the knowledge that their online vendor is well-known, vetted, and therefore their website has to be secure, right? But did you know that hackers can steal your credit card details with only a few lines of JavaScript?

Attacks on websites with the purpose of collecting user submitted data are hardly new. Magento, the open-source e-commerce platform, has been the target of such hacks for years.

By compromising websites that are also used as payment platforms, harvesting credit card numbers and other private, personally identifiable information (PII) on-the-fly is a surprisingly easy and lucrative process.

In a sense, this is the digital equivalent of credit card skimming, where a tampered ATM or point-of-sale terminal grabs someone’s card details as the card is used. In the same fashion that criminals can tamper with the ATM, so too can they with a website’s checkout page.

In recent months, there has been a steady increase of such attacks going after smaller websites and major companies alike. This blog post will review some of the most recent events we’ve witnessed, and offer some mitigation techniques for a threat that intends to fly under the radar.

Third-party compromises

Attackers can compromise a website using many different techniques, often by exploiting vulnerabilities or weak passwords. When that is not possible, they often target a third-party library that the site relies on, which perhaps is not as secure.

An added benefit of third-party compromises is the scalability of the attack. By hacking into one provider, you can affect an entire group of websites that depend on it.

The malicious code below was appended to a legitimate and trusted script in an obfuscated format. This is the work of Magecart, the name given to a group of threat actors responsible for several high profile attacks recently.

After decoding the script, we can see the code responsible for harvesting the data when customers hit the checkout button. At the network level, this looks like a POST request where each field (name, address, credit card number, expiry date, CVV, etc.) is sent in Base64 format to the rogue server (info-stat[.]ws) controlled by the criminals:

This kind of attack happens transparently to both the merchant and customer. In contrast to breaches that involve leaked databases where the information may be encrypted, web skimmers are able to collect your data in clear text and in real-time.

British Airways case

Between August and September 2018, British Airways suffered a Magecart attack for 15 days, which was highly targeted so as not to raise suspicions from site visitors or administrators.

A JavaScript library was tampered with and mixed into the payment flow in a way that blended it seamlessly into the background. In fact, the script itself was loaded in from the baggage claims information page and the attackers even paid for an SSL certificate for the server to which they sent stolen data. They could have used a free certificate like so many other scammers do, but they likely wanted to avoid red flags and make everything look as legitimate as possible. If they hadn’t taken so many precautions, they may well have been discovered a lot earlier.

In terms of data stolen, the attackers managed to claim both PII and payment details. The attack was so comprehensive that Magecart was even able to swipe data from mobile app users, due to portions of the site loading inside the app itself and the attackers ensuring they had a few pieces of mobile-specific code ready and waiting.

That they were able to pull off such an attack, alongside having so much internal access to the British Airways site itself, is deeply alarming. It isn’t just payment information being made available to airlines on a daily basis—it’s passport details, birthdates, and other incredibly personal information. Thankfully, British Airways confirmed that no travel data was taken. But in terms of potential fallout, including the inevitable post-attack data leaks and blackmail attempts—this attack above all others could have been catastrophic.


There is no silver bullet in preventing web-skimming attacks, but there are still measures that can be taken to mitigate the risks.

Merchants (server-side)

Operating an e-commerce website comes with certain responsibilities, especially if payment information is handled through it. It is usually a safer (and easier) practice to outsource the handling of financial transactions to larger, trusted parties. PCI compliance and risks associated with collecting data can be overwhelming, especially for site owners that would rather focus on the business side of things.

There are too many aspects of keeping your own site from getting hacked to cover here, so instead we will focus on the third-party compromise scenario.

Third-party resource integrity checking is one security aspect that has been overlooked but can provide great benefits when loading external content. The reality is that a website usually cannot host all the content itself, and it makes more sense to rely on CDNs and other providers for speed and cost reasons.

This relationship does not necessarily mean having to weather the issues experienced by a third party. While in this post we have focused on credit card stealers, there are a number of other threats that can be disseminated via third-party libraries. For this reason, implementing safeguards such as Content Security Policy (CSP) and Subresource Integrity (SRI) can help to mitigate many issues: SRI pins a script to the exact bytes you vetted, and CSP restricts both where scripts may load from and where the page may send data.

Consumers (Client-side)

One thing to keep in mind as consumers is that we are largely placing our trust in the online stores where we are shopping. For this reason, it may be wise to avoid smaller sites that perhaps do not have the same level of security as larger ones. Of course, with cases like British Airways or Newegg, this piece of advice shows its limitations.

Using browser plugins such as NoScript can prevent JavaScript loading from untrusted sites and therefore reduces the surface of attack. However, it has the same shortcomings when malicious code is embedded in already trusted resources.

Magecart and other web skimmers can also be mitigated at the exfiltration layer, by blocking connections to known domains and IPs used by the attackers. It is not foolproof, though, considering how trivial it is to register new properties. But infrastructure reuse is something we still see quite often.

We will continue monitoring these threats and add related indicators of compromise (IOCs) to our database to protect our Malwarebytes customers.

The post How to protect your data from Magecart and other e-commerce attacks appeared first on Malwarebytes Labs.

Dweb: Building Cooperation and Trust into the Web with IPFS

Mozilla Hacks - Wed, 08/29/2018 - 14:43

In this series we are covering projects that explore what is possible when the web becomes decentralized or distributed. These projects aren’t affiliated with Mozilla, and some of them rewrite the rules of how we think about a web browser. What they have in common: These projects are open source, and open for participation, and share Mozilla’s mission to keep the web open and accessible for all.

Some projects start small, aiming for incremental improvements. Others start with a grand vision, leapfrogging today’s problems by architecting an idealized world. The InterPlanetary File System (IPFS) is definitely the latter – attempting to replace HTTP entirely, with a network layer that has scale, trust, and anti-DDOS measures all built into the protocol. It’s our pleasure to have an introduction to IPFS today from Kyle Drake, the founder of Neocities and Marcin Rataj, the creator of IPFS Companion, both on the IPFS team at Protocol Labs -Dietrich Ayala

IPFS – The InterPlanetary File System

We’re a team of people all over the world working on IPFS, an implementation of the distributed web that seeks to replace HTTP with a new protocol that is powered by individuals on the internet. The goal of IPFS is to “re-decentralize” the web by replacing the location-oriented HTTP with a content-oriented protocol that does not require trust of third parties. This allows for websites and web apps to be “served” by any computer on the internet with IPFS support, without requiring servers to be run by the original content creator. IPFS and the distributed web unmoor information from physical location and singular distribution, ultimately creating a more affordable, equal, available, faster, and less censorable web.

IPFS aims for a “distributed” or “logically decentralized” design. IPFS consists of a network of nodes, which help each other find data using a content hash via a Distributed Hash Table (DHT). The result is that all nodes help find and serve web sites, and even if the original provider of the site goes down, you can still load it as long as one other computer in the network has a copy of it. The web becomes empowered by individuals, rather than depending on the large organizations that can afford to build large content delivery networks and serve a lot of traffic.

The IPFS stack is an abstraction built on top of IPLD and libp2p:

Hello World

We have a reference implementation in Go (go-ipfs) and a constantly improving one in JavaScript (js-ipfs). There is also a long list of API clients for other languages.

Thanks to the JS implementation, using IPFS in web development is extremely easy. The following code snippet…

  • Starts an IPFS node
  • Adds some data to IPFS
  • Obtains the Content IDentifier (CID) for it
  • Reads that data back from IPFS using the CID

<script src=""></script> <!-- bundle URL missing from this copy of the post: the tag loads the js-ipfs browser build -->
Open Console (Ctrl+Shift+K)
<script>
  const ipfs = new Ipfs()
  const data = 'Hello from IPFS, <YOUR NAME HERE>!'

  // Once the ipfs node is ready
  ipfs.once('ready', async () => {
    console.log('IPFS node is ready! Current version: ' + (await ipfs.id()).agentVersion)

    // convert your data to a Buffer and add it to IPFS
    console.log('Data to be published: ' + data)
    const files = await ipfs.files.add(ipfs.types.Buffer.from(data))

    // 'hash', known as CID, is a string uniquely addressing the data
    // and can be used to get it again. 'files' is an array because
    // 'add' supports multiple additions, but we only added one entry
    const cid = files[0].hash
    console.log('Published under CID: ' + cid)

    // read data back from IPFS: CID is the only identifier you need!
    const dataFromIpfs = await ipfs.files.cat(cid)
    console.log('Read back from IPFS: ' + String(dataFromIpfs))

    // Compatibility layer: HTTP gateway (the gateway URL is missing from this copy of the post)
    console.log('Bonus: open at one of public HTTP gateways: ' + cid)
  })
</script>

That’s it!

Before diving deeper, let’s answer key questions:

Who else can access it?

Everyone with the CID can access it. Sensitive files should be encrypted before publishing.

How long will this content exist? Under what circumstances will it go away? How does one remove it?

The permanence of content-addressed data in IPFS is intrinsically bound to the active participation of peers interested in providing it to others. It is impossible to remove data from other peers but if no peer is keeping it alive, it will be “forgotten” by the swarm.

The public HTTP gateway will keep the data available for a few hours — if you want to ensure long term availability make sure to pin important data at nodes you control. Try IPFS Cluster: a stand-alone application and a CLI client to allocate, replicate and track pins across a cluster of IPFS daemons.

Developer Quick Start

You can experiment with js-ipfs to make simple browser apps. If you want to run an IPFS server you can install go-ipfs, or run a cluster, as we mentioned above.

There is a growing list of examples, and make sure to see the bi-directional file exchange demo built with js-ipfs.

You can add IPFS to the browser by installing the IPFS Companion extension for Firefox.

Learn More

Learn about IPFS concepts by visiting our documentation website at

Readers can participate by improving documentation, visiting, developing distributed web apps and sites with IPFS, and exploring and contributing to our git repos and various things built by the community.

A great place to ask questions is our friendly community forum:
We also have an IRC channel, #ipfs on Freenode (or on Matrix). Join us!

The post Dweb: Building Cooperation and Trust into the Web with IPFS appeared first on Mozilla Hacks - the Web developer blog.

Dweb: Building a Resilient Web with WebTorrent

Mozilla Hacks - Wed, 08/15/2018 - 14:49

In this series we are covering projects that explore what is possible when the web becomes decentralized or distributed. These projects aren’t affiliated with Mozilla, and some of them rewrite the rules of how we think about a web browser. What they have in common: These projects are open source, and open for participation, and share Mozilla’s mission to keep the web open and accessible for all.

The web is healthy when the financial cost of self-expression isn’t a barrier. In this installment of the Dweb series we’ll learn about WebTorrent – an implementation of the BitTorrent protocol that runs in web browsers. This approach to serving files means that websites can scale with as many users as are simultaneously viewing the website – removing the cost of running centralized servers at data centers. The post is written by Feross Aboukhadijeh, the creator of WebTorrent, co-founder of PeerCDN and a prolific NPM module author… 225 modules at last count! –Dietrich Ayala

What is WebTorrent?

WebTorrent is the first torrent client that works in the browser. It’s written completely in JavaScript – the language of the web – and uses WebRTC for true peer-to-peer transport. No browser plugin, extension, or installation is required.

Using open web standards, WebTorrent connects website users together to form a distributed, decentralized browser-to-browser network for efficient file transfer. The more people use a WebTorrent-powered website, the faster and more resilient it becomes.


The WebTorrent protocol works just like the BitTorrent protocol, except it uses WebRTC instead of TCP or uTP as the transport protocol.

In order to support WebRTC’s connection model, we made a few changes to the tracker protocol. Therefore, a browser-based WebTorrent client or “web peer” can only connect to other clients that support WebTorrent/WebRTC.

Once peers are connected, the wire protocol used to communicate is exactly the same as in normal BitTorrent. This should make it easy for existing popular torrent clients like Transmission and uTorrent to add support for WebTorrent. Vuze already has support for WebTorrent!

Getting Started

It only takes a few lines of code to download a torrent in the browser!

To start using WebTorrent, simply include the webtorrent.min.js script on your page. You can download the script from the WebTorrent website or link to the CDN copy.

<script src="webtorrent.min.js"></script>

This provides a WebTorrent function on the window object. There is also an npm package available.

var client = new WebTorrent()

// Sintel, a free, Creative Commons movie
var torrentId = 'magnet:...' // Real torrent ids are much longer.

var torrent = client.add(torrentId)

torrent.on('ready', () => {
  // Torrents can contain many files. Let's use the .mp4 file
  var file = torrent.files.find(file => file.name.endsWith('.mp4'))

  // Display the file by adding it to the DOM.
  // Supports video, audio, image files, and more!
  file.appendTo('body')
})

That’s it! Now you’ll see the torrent streaming into a <video> tag in the webpage!

Learn more

You can learn more at, or by asking a question in #webtorrent on Freenode IRC or on Gitter. We’re looking for more people who can answer questions and help people with issues on the GitHub issue tracker. If you’re a friendly, helpful person and want an excuse to dig deeper into the torrent protocol or WebRTC, then this is your chance!



The post Dweb: Building a Resilient Web with WebTorrent appeared first on Mozilla Hacks - the Web developer blog.

Dweb: Social Feeds with Secure Scuttlebutt

Mozilla Hacks - Wed, 08/08/2018 - 16:01

In the series introduction, we highlighted the importance of putting people in control of their social interactions online, instead of allowing for-profit companies to be the arbiters of hate speech or harassment. Our first installment in the Dweb series introduces Secure Scuttlebutt, which envisions a world where users are in full control of their communities online.

In the weeks ahead we will cover a variety of projects that represent explorations of the decentralized/distributed space. These projects aren’t affiliated with Mozilla, and some of them rewrite the rules of how we think about a web browser. What they have in common: These projects are open source, and open for participation, and share Mozilla’s mission to keep the web open and accessible for all.

This post is written by André Staltz, who has written extensively on the fate of the web in the face of mass digital migration to corporate social networks, and is a core contributor to the Scuttlebutt project. –Dietrich Ayala

Getting started with Scuttlebutt

Scuttlebutt is a free and open source social network with unique offline-first and peer-to-peer properties. As a JavaScript open source programmer, I discovered Scuttlebutt two years ago as a promising foundation for a new “social web” that provides an alternative to proprietary platforms. The social metaphor of mainstream platforms is now a more popular way of creating and consuming content than the Web is. Instead of attempting to adapt existing Web technologies for the mobile social era, Scuttlebutt allows us to start from scratch the construction of a new ecosystem.

A local database, shared with friends

The central idea of the Secure Scuttlebutt (SSB) protocol is simple: your social account is just a cryptographic keypair (your identity) plus a log of messages (your feed) stored in a local database. So far, this has no relation to the Internet: it is just a local database where your posts are stored in an append-only sequence, which allows you to write status updates as you would in a personal diary. SSB becomes a social network when those local feeds are shared among computers through the internet or through local networks. The protocol supports peer-to-peer replication of feeds, so that you can have local (and full) copies of your friends’ feeds, and update them whenever you are online. One implementation of SSB, Scuttlebot, uses Node.js and allows UI applications to interact with the local database and the network stack.

Using Scuttlebot

While SSB is being implemented in multiple languages (Go, Rust, C), its main implementation at the moment is the npm package scuttlebot and Electron desktop apps that use Scuttlebot. To build your own UI application from scratch, you can set up Scuttlebot plus a localhost HTTP server to render the UI in your browser.

Run the following npm command to add Scuttlebot to your Node.js project:

npm install --save scuttlebot

You can use Scuttlebot locally using the command line interface, to post messages, view messages, connect with friends. First, start the server:

$(npm bin)/sbot server

In another terminal you can use the server to publish a message in your local feed:

$(npm bin)/sbot publish --type post --text "Hello world"

You can also consume invite codes to connect with friends and replicate their feeds. Invite codes are generated by pub servers owned by friends in the community, which act as mirrors of feeds in the community. Using an invite code means the server will allow you to connect to it and will mirror your data too.

$(npm bin)/sbot invite.accept $INSERT_INVITE_CODE_HERE

To create a simple web app to render your local feed, you can start the scuttlebot server in a Node.js script (with dependencies ssb-config and pull-stream), and serve the feed through an HTTP server:

// server.js
const fs = require('fs');
const http = require('http');
const pull = require('pull-stream');
const sbot = require('scuttlebot/index').call(null, require('ssb-config'));

http
  .createServer((request, response) => {
    if (request.url.endsWith('/feed')) {
      pull(
        sbot.createFeedStream({live: false, limit: 100}),
        pull.collect((err, messages) => {
          response.end(JSON.stringify(messages));
        }),
      );
    } else {
      response.end(fs.readFileSync('./index.html'));
    }
  })
  .listen(9000);

Start the server with node server.js, and upon opening localhost:9000 in your browser, it should serve the index.html:

<html>
  <body>
    <script>
      // Feed content comes from other peers, so escape it before it goes into innerHTML;
      // a post containing markup must render as text, not as HTML.
      const esc = s => String(s).replace(/[&<>"']/g,
        c => ({'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'}[c]));

      fetch('/feed')
        .then(res => res.json())
        .then(messages => {
          document.body.innerHTML = `
            <h1>Feed</h1>
            <ul>${messages
              .filter(msg => msg.value.content.type === 'post')
              .map(msg =>
                `<li>${esc(msg.value.author)} said: ${esc(msg.value.content.text)}</li>`
              )
              .join('')
            }</ul>
          `;
        });
    </script>
  </body>
</html>

Learn more

SSB applications can accomplish more than social messaging. Secure Scuttlebutt is being used for Git collaboration, chess games, and managing online gatherings.

You build your own applications on top of SSB by creating or using plug-ins for specialized APIs or different ways of querying the database. See secret-stack for details on how to build custom plugins. See flumedb for details on how to create custom indexes in the database. Also there are many useful repositories in our GitHub org.

To learn about the protocol that all of the implementations use, see the protocol guide, which explains the cryptographic primitives used, and data formats agreed on.

Finally, don’t miss the frontpage, which explains the design decisions and principles we value. We highlight the important role that humans have in internet communities, which should not be delegated to computers.

The post Dweb: Social Feeds with Secure Scuttlebutt appeared first on Mozilla Hacks - the Web developer blog.


Introducing the Dweb

Mozilla Hacks - Tue, 07/31/2018 - 14:00

The web is the most successful programming platform in history, resulting in the largest open and accessible collection of human knowledge ever created. So yeah, it’s pretty great. But there are a set of common problems that the web is not able to address.

Have you ever…

  • Had a website or app you love get updated to a new version, and you wished to go back to the old version?
  • Tried to share a file between your phone and laptop or tv or other device while not connected to the internet? And without using a cloud service?
  • Gone to a website or service that you depend on, only to find it’s been shut down? Whether it got bought and enveloped by some internet giant, or has gone out of business, or whatever, it was critical for you and now it’s gone.

Additionally, the web is facing critical internet health issues, seemingly intractable due to the centralization of power in the hands of a few large companies who have economic interests in not solving these problems:

  • Hate speech, harassment and other attacks on social networks
  • Repeated attacks on Net Neutrality by governments and corporations
  • Mass human communications compromised and manipulated for profit or political gain
  • Censorship and whole internet shutdowns by governments

These are some of the problems and use-cases addressed by a new wave of projects, products and platforms building on or with web technologies but with a twist: They’re using decentralized or distributed network architectures instead of the centralized networks we use now, in order to let the users control their online experience without intermediaries, whether government or corporate. This new structural approach gives rise to the idea of a ‘decentralized web’, often conveniently shortened to ‘dweb’.

You can read a number of perspectives on centralization, and why it’s an important issue for us to tackle, in Mozilla’s Internet Health Report, released earlier this year.

What’s the “D” in Dweb?!

The “d” in “dweb” usually stands for either decentralized or distributed.
What is the difference between distributed and decentralized architectures? Here’s a visual illustration:

(Image credit:, your best source for technical clip art with animals)

In centralized systems, one entity has control over the participation of all other entities. In decentralized systems, power over participation is divided between more than one entity. In distributed systems, no one entity has control over the participation of any other entity.

Examples of centralization on the web today are the domain name system (DNS), servers run by a single company, and social networks designed for controlled communication.

A few examples of decentralized or distributed projects that became household names are Napster, BitTorrent and Bitcoin.

Some of these new dweb projects are decentralizing identity and social networking. Some are building distributed services in or on top of the existing centralized web, and others are distributed application protocols or platforms that run the web stack (HTML, JavaScript and CSS) on something other than HTTP. Also, there are blockchain-based platforms that run anything as long as it can be compiled into WebAssembly.

Here We Go

Mozilla’s mission is to put users in control of their experiences online. While some of these projects and technologies turn the familiar on its head (no servers! no DNS! no HTTP(S)!), it’s important for us to explore their potential for empowerment.

This is the first post in a series. We’ll introduce projects that cover social communication, online identity, file sharing, new economic models, as well as high-level application platforms. All of this work is either decentralized or distributed, minimizing or entirely removing centralized control.

You’ll meet the people behind these projects, and learn about their values and goals, the technical architectures used, and see basic code examples of using the project or platform.

So leave your assumptions at the door, and get ready to learn what a web more fully in users’ control could look like.

Note: This post is the introduction. The following posts in the series are listed below.

The post Introducing the Dweb appeared first on Mozilla Hacks - the Web developer blog.
