Malwarebytes

Subscribe to Malwarebytes feed
The Security Blog From Malwarebytes
Updated: 2 days 7 hours ago

IoT cybersecurity bill passed by Senate

Wed, 11/25/2020 - 14:32

Days before taking a week-long Thanksgiving recess, the US Senate passed an almost mundane cybersecurity bill that, if approved by the President, will improve security guidelines and protocols for Internet of Things (IoT) devices purchased and owned by the Federal government.

The bill, called the Internet of Things Cybersecurity Improvement Act of 2020, was actually introduced into the US House of Representatives last year. The Senate agreed to pass the legislation on November 17 under “unanimous consent,” which means that one Senator—in this case Senator Rob Portman of Ohio—asked that the bill be passed without any single objection from any of his colleagues. It does not mean the bill received unanimous votes in its favor. The procedural move is rare when passing legislation in the Senate.

Upon passage, Harley Geiger, director of public policy at cybersecurity company Rapid7, spoke highly of the bill.

“This is arguably the most significant US IoT-specific cybersecurity law to date, as well as the most significant law promoting private sector adoption of coordinated vulnerability disclosure,” Geiger wrote in a company blog post. “IoT security is widely acknowledged as a global priority, and vulnerability disclosure processes are fundamental security practices, so passage of the bill should be seen as a very positive step forward for cybersecurity and the security community.”

The bill focuses primarily on guidelines and procedures.

First, the IoT Improvement Act of 2020, if signed into law, will require the Director of the National Institute of Standards and Technology (NIST) to develop and publish “standards and guidelines for the Federal government on the appropriate use and management by agencies of Internet of Things devices.”

Those standards will apply to IoT devices owned and controlled by Federal government agencies, and they must provide guidance on secure development, identity management, patching, and configuration management.

After the NIST director publishes those guidelines, the bill will require that the Director of the Office of Management and Budget review the current information security policies and principles of Federal civilian agencies, and make sure that those policies line up with the NIST’s newer guidelines. That review will also require coordination with the director of the Cybersecurity and Infrastructure Security Agency, or CISA, which until last week, was a position held by Chris Krebs.

Further, the current Federal acquisition rules for purchasing and owning IoT equipment must be updated in line with the required NIST guidelines to be published after the passage of the bill. As part of these requirements, a government agency will not be allowed to purchase IoT devices if that agency’s Chief Information Officer finds that such a device would fall short of the newly imposed rules.

Finally, the bill will require that NIST also develops guidelines for discovering and disclosing vulnerabilities in IoT devices that it owns or controls.

The IoT Cybersecurity Improvement Act of 2020 marks a significant first step for the Federal government into placing security regulations on IoT devices. As we have repeatedly written aboutand spoken about—IoT security is a nascent landscape, and the lack of standardization across devices means that we are somehow both safer and more at risk to cybercriminals.

As Adam Kujawa said on our podcast about IoT cybersecurity this month, the best advantage we have for IoT security are that there are different platforms, different frameworks, and different protocols, which make it harder for any single group of cybercriminals to launch a wide-scale attack.

At the same time, though, Kujawa said that this scenario “works against us in the sense that developing security tools in order to protect these devices is just as difficult because you can’t create one solution that will necessarily work on every single device.”

The IoT Cybersecurity Improvement Act of 2020 could help usher in a future where IoT device-makers can look to a single set of guidelines for their products. While the bill does not require these standards to be applied to devices purchased by general consumers, the guidance itself could still be helpful in creating agreed-upon security goals.

With unanimous consent from the Senate, there should be little reason for the president not to sign the IoT Cybersecurity Improvement Act of 2020 into law.

The post IoT cybersecurity bill passed by Senate appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Spotify resets some user logins after hacker database found floating online

Wed, 11/25/2020 - 13:24

A team of researchers working for vpnMentor has found a treasure trove in the form of an unsecured Elasticsearch database containing over 380 million records. The trove contained login credentials and other data belonging to Spotify users.

So what’s Spotify doing leaving its user data hanging around on an unsecured database? Answer: It’s not. On investigation, the team found the database didn’t actually belong to Spotify. Instead, the database was in use by a third party to defraud Spotify users.

What happened?

“The vpnMentor research team discovered the database as part of a huge web mapping project.”

After port scanning and examining weaknesses and vulnerabilities, the researchers habitually look for leaked data. This database was unsecured and unencrypted, so it was fully accessible for anyone that found it. After reviewing and confirming what they found, the team informed Spotify. Together they concluded that whoever owned the database had probably obtained the login credentials from an external site and used them on Spotify accounts.

The database builders may have used credential stuffing to verify whether the logins were valid for the Spotify service.  

The origin of the database

How this third party came into possession of, or managed to build, the database is as yet unknown. There is a possibility that it was obtained from vendors on the Dark Web. Either way, it’s clear that it would have taken them a great amount of work and/or money to amass such a huge database with verified accounts. An investment they surely would hope to earn back by defrauding Spotify users.

Trying not to gloat

It is hard not to gloat about someone’s misfortune in a case where the fraudsters’ database gets exposed. It looks as if the threat-actors should have read our blog about backdoors in elastic servers. The problem is that besides the researchers, there may have been others that found this exposed database and their intentions could have been malicious.

The content of the database

Besides the usernames and passwords for Spotify, many of the database records also contained personally identifiable information (PII) like:

  • email addresses
  • country of residence

Besides taking over a victim’s Spotify account, anyone with access to this database could use the PII to connect the data to other accounts of the victim, such as their social media profiles. The PII could also be used for spear phishing or even identity theft.

What do Spotify users need to do?

Spotify initiated an automated reset of passwords for all users affected. So if your credentials were in that database you should have received a notice about this password reset. If you didn’t receive such a notice but you want to reset your password anyway, you can follow this link and find the instructions there.

Unfortunately, and despite many users asking for MFA, Spotify has not yet enabled any kind of multi-factor authentication that we know of.

Re-used credentials

If you have used the same login credentials on other sites, which we advise against, you should change those passwords as well. Then go read our blog about why you don’t need 27 different passwords for some pointers.

Stay safe, everyone!

The post Spotify resets some user logins after hacker database found floating online appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Apple security hampers detection of unwanted programs

Tue, 11/24/2020 - 16:59

Anyone who uses Malwarebytes software is probably familiar with the fact that, in addition to things like malware and adware, Malwarebytes detects potentially unwanted programs (PUPs). These are programs that exhibit a variety of unsavory behaviors, but that, for legal reasons, cannot be called malware.

PUP (n): a program that may include advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs often come bundled with other software that you installed.

https://blog.malwarebytes.com/glossary/pup/

For the entire history of Malwarebytes software on iOS—the system that runs on iPhones, iPads, and iPod Touches—there have been things we would consider to be PUPs on the iOS App Store. However, due to limitations imposed by Apple, we’ve been completely unable to scan or remove PUPs from those devices (iPhones or iPads). This is simply the reality of working within Apple’s ecosystem.

On macOS, however, we’ve always been able to detect and remove PUPs. Unfortunately, we’re seeing the first signs that this is starting to change—not just for Malwarebytes, but for all security companies.

PUPs on the App Store?!

Although PUPs on Mac can be downloaded either from the App Store or the web, the question of why PUPs exist on the App Store at all is a key factor in the problem at hand. The answer is pretty simple: because Apple and Malwarebytes have different tolerance levels.

At Malwarebytes, we have a very low threshold of tolerance for PUP behaviors. We’re very aggressive in our detection of PUPs, and we have an amazing legal team that helps make that possible. It’s not always an easy stance to take, but it’s one we believe strongly in and are willing to spend resources defending.

Apple, on the other hand, is essentially in a monopoly position. It owns the hardware and the systems, and if it decides you shouldn’t run a particular program, you won’t be running that program without some significant efforts. This makes Apple far more vulnerable to lawsuits, and it has to take a more conservative approach towards PUPs.

As much as I’d like Apple to be tougher on PUPs, I understand why it can’t be as aggressive as we are.

This is not to say Apple won’t do anything about PUPs, it just needs more evidence of egregious behavior before it can act. We’ve successfully lobbied Apple in the past to get PUPs removed from the App Store, while other times we’ve been unsuccessful.

A new technology

Starting in macOS 10.15 (Catalina), Apple introduced a couple important new technologies. The first is support for system extensions. These differ from the older kernel extensions in that they are safer and easier for developers to create. Kernel extensions could fairly easily cause catastrophic crashes and other issues if a developer wrote poor kernel code.

The second technology is the EndpointSecurity framework, designed to provide support for all the things that security software used to use kernel extensions for.

These technologies are not open to everyone, however. Developers have to apply for entitlements to be allowed to use them. These entitlements are not easy to get. It took some time for us to get them here at Malwarebytes, and there are people who have a legitimate use case for these entitlements who have been rejected.

Once you have these entitlements, though, there’s a significant advantage to using system extensions in security software: once installed, and approved by the user, they are protected by macOS. This means that they become nearly impossible to remove, except by the software that installed them in the first place.

This is a really great feature for security software that may be targeted for removal by malware in order to not be detected. However, it turns out there’s a problem with this protection.

PUPs protected against removal

One of the common sub-groups of PUPs we detect are antivirus programs that show unwanted behaviors meeting certain criteria. As an example, a program that requires payment, but the antivirus engine it uses is available for free from another company, would be a likely candidate for detection.

Unfortunately, antivirus programs are also candidates for the system extension and EndpointSecurity entitlements. Anyone can apply for these entitlements, but you stand a much better chance of getting them if you are—or appear to be—a security company.

We’ve now seen a case where two different companies with a long history of making PUPs—including junk antivirus programs—have gotten these entitlements. Those programs now have a system extension, which cannot be removed by Malwarebytes or any other software.

In one case, the PUP in question is the most hated PUP by Mac IT admins and Mac tech shops everywhere, and was the subject of two separate class action lawsuits alleging fraudulent behavior.

The fallacy of Apple security

For many years, iOS has existed as a locked-down environment, incapable of being scanned for malware by any app. Antivirus software does not—and cannot—exist on iOS.

Yet iOS is not invulnerable to malware. It is unfortunately possible for an iPhone to get infected. The most famous case involves the Pegasus malware, created by NSO and used to infect journalist Jamal Khashoggi’s iPhone. Khashoggi had no way to determine that his phone was infected, and had to trust that Apple’s system was as secure as claimed. Unfortunately, this may have led to his demise.

This is a dramatic story that by no means embodies the impact of all iOS infections… but it does underscore the fact that they exist, and there’s little that anyone outside Apple can do about it. Since well-written malware shows no symptoms that the average person would be able to identify, an infected iOS device is likely to stay infected.

Apple’s new EndpointSecurity feature was touted as a more stable way for antivirus software to do its job than low-level kernel extensions. However, they are under Apple’s tight control, and this is the first concrete sign that control may push macOS in the direction of iOS.

At this point, it’s hard to say what the future of antivirus on macOS is. It’s obvious that Apple has at least some interest in supporting antivirus software, as evidenced by the creation of the EndpointSecurity framework. This is distinctly different from iOS, where such a framework does not exist.

However, it is starting to look like antivirus developers will have to play by increasingly limiting rules, and that now means not being able to protect users against certain things. Worse, Mac users will be unable to manually remove those things without contortions that the average person will find quite cumbersome.

The post Apple security hampers detection of unwanted programs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Looks like we’re stuck with Zoom: Is it any safer?

Tue, 11/24/2020 - 11:35

Earlier this month, Zoom’s stock price took a dive on news of two promising COVID vaccines offering over 90 percent effectiveness against the virus (a third vaccine was just announced). That’s nice. Glad to know some people think this nightmare is ending soon and we’ll all go back to the office and the classroom.

But our ability to walk into a clinic and get either of these vaccines is still months away and we’re dealing, right now, with a surge of new coronavirus infections. The reality is we’re going to be stuck with Zoom for a while longer.

Earlier in the pandemic we reported on the security risks associated with Zoom. Much of it was pretty juvenile. Think Zoombombers drawing on screen using the annotate function. On the other hand, there are countless stories online of meetings being interrupted by attendees scrawling racial epithets on screen, posting pornographic images, and threatening presenters with acts of violence. It was also revealed that Zoom’s encryption wasn’t as secure as the company claimed.

As you prepare to log in to your next Zoom meeting or class, let’s take another look at Zoom. Has it gotten any safer?

Zoombombing

Zoom has several existing settings that users can leverage against potential meeting interlopers. That’s all well and good, but when you’re in the middle of defending your doctoral dissertation and you’re suddenly staring at a giant phallus someone drew over your Powerpoint (sadly, this actually happened), there’s just no good option short of shutting down your entire meeting—until now.

This month, Zoom debuted three new features that can prevent or stop disruptions like these from happening.

Suspend Participant Activities

The Suspend Participant Activities option acts like a ban hammer for presenters. Hitting this switch pauses all video, audio, chat, annotation, screen sharing, recording, and Breakout Rooms. From there, the meeting organizer can report a user and they’ll be removed from the meeting immediately.

Report users

Zoom has made it easier to report disruptive users on both the web app and the desktop client. There’s also a new setting that admins can flip that allows participants to take the initiative and report users on their own.

At-Risk Meeting Notifier

Zoom has introduced the At-Risk Meeting Notifier which scans social media posts and “other websites” for publicly shared Zoom links. If the notifier finds a meeting link online, it’ll send an automated email to the account owners and admins alerting them to the potential risk. From there, the meeting organizer can delete and reschedule the meeting with a new link.

As a quick reminder, you should require pre-registration before every meeting. Otherwise, use a random meeting ID for every meeting, instead of your Personal Meeting ID, and require a passcode to enter the meeting. And for goodness sake, disable annotation for participants if you’re delivering a presentation that in no-way requires your attendees have the ability to draw on screen.

Encryption

Zoom got busted back in March for its creative definition of “end to end encryption.” As reported by The Intercept, Zoom conference data was being encrypted between the user and Zoom, meaning data was safe from someone spying on your WiFI connection. However, Zoom still had the ability to access unencrypted conference data on its end, which could be a problem if Zoom was involved in a data breach. Zoom could also be forced to hand over conference data at the request of government agencies. Fortunately, Zoom started encrypting meetings for real for both free and paid users in October.

All that being said, you have every right to remain wary given Zoom’s ambiguous language around encryption. One quick fix is to use a virtual private network (VPN) like Malwarebytes Privacy, for example. With a VPN, you’re effectively creating your own secure tunnel between yourself and Zoom. However, you’re still trusting Zoom with your data once it’s on the company’s servers.

Use something else

If this post sounds like a diss on Zoom—it’s not. This reporter happens to like Zoom. You might feel otherwise. However, switching to something else is easier said than done. Your employer or your school likely has a service agreement with Zoom. Going rogue and using the conferencing software of your choosing may not be allowed or it might not be something you can afford out of pocket. If you’re in a position where you can pick whatever web conferencing software you want, here are some important considerations:

  • Does this conferencing software feature true end-to-end encryption?
  • What options are built-in for handling meetings crashers (aka Zoombombers)?
  • Do attendees need to install the application on their computer before attending a conference?

Those are just a few of the questions you should be asking. Whatever you choose, do your due diligence, pick the right conferencing software for your needs, and keep your meetings secure.

The post Looks like we’re stuck with Zoom: Is it any safer? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Lock and Code S1Ep20: Tracking the charities that track you online with Chris Boyd

Mon, 11/23/2020 - 15:00

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Chris Boyd, lead malware intelligence analyst for Malwarebytes, about charity organizations and online ad tracking. Though many might assume that these two topics have no overlap, they absolutely do.

Ad tracking itself isn’t anything new—luxury brands used to place their advertisements specifically in newspapers that delivered to high-income zip codes, and medications for age-related illnesses broadcast commercials during daytime television, when retirees are more likely to watch.

But today’s ad tracking supercharges that match-making game with a complex, opaque machinery that can track what you do online, what websites you visit, what browser you use, and even your gender, religion, and political bias.

Tune in to hear about how charity organizations utilize online ad tracking tools—and why that could concern some users—on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes storeGoogle Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:
  • Malsmoke operators abandon exploit kits in favor of social engineering scheme
  • WebNavigator Chromium browser published by search hijackers
  • Chris Krebs, director of Cybersecurity and Infrastructure Security Agency, fired by President
  • IoT forecast: Running antivirus on your smart device?
Other cybersecurity news:
  • Microsoft unveiled Pluton, a new security chip for Windows PCs that the tech giant will deliver through partnerships with Intel, AMD and Qualcomm. (Source: SecurityWeek)
  • The ransomware gang known as DarkSide has announced plans to offer a distributed storage platform for affiliates. (Source: Hot for Security)
  • Facebook fixed a critical flaw in the Facebook Messenger for Android messaging app that allowed callers to listen to other users’ surroundings. (Source: BleepingComputer)
  • A Chinese state-sponsored hacking group has infected more than 200 systems across Southeast Asia with FunnyDream. (Source: ZDNet)
  • Capcom has confirmed that hackers stole customer data and files from its internal network following a ransomware attack. (Source: TechCrunch)

Stay safe, everyone!

The post Lock and Code S1Ep20: Tracking the charities that track you online with Chris Boyd appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Black Friday 2020: How to shop safely online

Fri, 11/20/2020 - 16:00

Black Friday 2020 promises to be somewhat different from years gone by thanks to COVID-19. The annual surge of in-store chaos and trolley dashes isn’t compatible with social distancing, and so retailers will be looking to drive shoppers online.

Friday 27th November is when things kick off this year, and yet some aspects will be radically different. If you intend to go to physical stores, then there’s a few things you’ll need to keep in mind.

Black Friday: Not spared from the lockdown

Some retailers are closing physical stores. Others are looking to extend how long their sales last, with the possibility of fewer sales in-store and more offered online to keep visitors to a minimum. One possible knock-on effect of so many online orders could be a delay in deliveries. Online shopping has increased as much as 75% already due to the pandemic, and Black Friday looms ominously in every retailer’s calendar.

Retailers are usually incredibly pleased about upcoming sales bumps. Now? It’s largely just the promise of in-store problems and offline capacity issues. While this may not concern the biggest retailers too much, small and medium businesses could well feel the pinch depending on what their 2020 Black Friday strategy is.

Sadly, this year’s sales bonanza comes with a possible increase in online scammers hunting for targets. Here are some ways you can beat the double threat of COVID-19 and internet scams this coming Black Friday.

Staying safe on Black Friday: Our tips
  1. Be suspicious of emails claiming to be from stores, especially if they ask for login details and/or supply you with links which look different to the URL you’re most familiar with. Spelling mistakes aren’t always a sign of a scam, but on the other hand, most businesses use proof-read templates, so errors are unusual. Similarly, HTTPS doesn’t mean the site is legitimate; only that data entered can’t be easily snooped by third parties. Pretty much anyone can get a free HTTPS certificate these days, so it’s not a sure-fire sign of legitimacy either way.
  2. Use a credit card if possible, as it’s generally the safer option online. Debit cards tied to your bank account are often more problematic when dealing with a scam situation—the money immediately leaves your account and it can be more difficult to get it back than with a credit card.
  3. Scammers may direct you to malware-laden sites or try to compromise legitimate sites in the run-up to Black Friday. Make sure your operating system is up to date, your security software is running the latest version, and you’ve got all the in-browser plugin protection you need before heading off to the virtual shopping races.
  4. Watch out for shortened links on social media, as they may be hiding nasty surprises.
  5. Don’t fall for “retweet/share to win a prize” tricks. Any giveaway is a tempting prospect but you’ll want to ensure the account running the promotion is legit. Do they have a verified presence on the social media platform? If not, how familiar with the account are you generally? Social etiquette top tip: some of your audience won’t like lots of competitions and raffles dropped into their curated timelines. Do them and yourself a favour, consider running a standalone account just for competitions. They’ll appreciate you not spamming their feed, and if you do end up retweeting something bad, you’ll be massively reducing its reach.
Further resources for keeping yourself secure

Here’s some blogs you may find useful to help with the above tips.

Shop safely in 2020

As has been mentioned, this year’s Black Friday is going to be a bit of an odd one. If you’d rather not venture out into possible crowds, or be stuck in very long distanced lines, that’s great. Stay home and reduce the potential COVID-19 risk. However, you’ll need to ensure your online security is similarly precaution filled. If your devices need a general spring cleaning to get things where they need to be security-wise, this could be the perfect moment to make a start.

Our very own Black Friday discount

It would be remiss in an article about safely shopping on Black Friday, not to mention that Malwarebytes is offering a Black Friday discount itself. You can save 50% on Malwarebytes Premium and 40% on Malwarebytes Premium + Privacy.

Whatever you do this Black Friday, we wish you safe and secure shopping for both Black Friday and beyond.

The post Black Friday 2020: How to shop safely online appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Demystifying two common misconceptions with e-commerce security

Fri, 11/20/2020 - 15:59

Online shopping has seen a dramatic increase in the months following the Covid-19 outbreak as more and more people opt-out of visiting physical stores. Such a phenomenon does not go unnoticed or without additional consequences. During the same time period, we have seen an increase in the usual scams but also digital skimming, the online equivalent of credit card theft.

As a consumer, you may be hearing different tips on how to shop online safely. A common one is to look for the “https” in the site’s URL, but what exactly does that mean in the case of a compromised site?

As a merchant, processing transactions securely is one of the top requirements in order to achieve SAQ-A level PCI DSS compliance. Many businesses choose to work with a Payment Service Provider (PSP) and use iframe containers. Once again, how do those fare when malicious code is at play?

When it comes to online security there is always a caveat, and the important thing is to understand the sometimes subtle nuances of technology concepts and their limitations.

The padlock

When we visit a website, our browser makes a series of requests to a web server via the HTTP protocol. The server will in turn reply with responses that include the text and images displayed on screen.

There was a time not so long ago when most websites were not using encryption and therefore exposed communications between server and browser. In other words, an attacker could capture sensitive data you might be typing into a website because that data was sent in clear text.

With the adoption of HTTPS, HTTP requests and responses are encrypted via the TLS (Transport Layer Security) protocol, the successor of SSL (Secure Sockets Layers). In addition, HTTPS authenticates web servers such that when you browse to https://www.facebook.com, private and public keys using the site’s SSL certificate are matched to guarantee the legitimacy of the server. (Note: we still commonly use the term “SSL certificate”, but the technology behind it is TLS).

Today, there really is no valid reason for a website not to have an SSL certificate anymore. Not only can they be obtained for free, but browsers will display a warning that could deter people from visiting your website.

One recommendation you might hear about when it comes to shopping online is that if the site is secure, its URL should start with “https://” and include a lock icon on the shopping cart page. While technically this is true, the meaning of ‘secure’ needs to be properly defined.

Indeed, a number of people will wrongly assume that a site using HTTPS is secure, and therefore can be trusted to buy from. The SSL certificate guarantees that the connection to the site is secure (meaning, encrypted) and that the site is who it pretends to be, but that’s it.

To drive the point home, at Malwarebytes we detect thousands of websites that all use HTTPS and are yet dangerous or outright malicious. In fact, when it comes to e-commerce, almost all of the sites that have been injected with a credit card skimmer do use HTTPS.

Figure 1: A number of merchant sites using HTTPS that have been hacked

When a website has been compromised, an SSL certificate does little to guarantee your online safety. This is why it’s important to understand the difference between a secure communication protocol and a secure website.

Websites run on software that can have vulnerabilities and be exploited by threat actors. A hacked site may contain malicious code that controls what you see and do within your browser, whether it uses HTTPS or not.

Figure 2: A web skimmer using HTTPS to load malicious code and exfiltrate data

The irony is that online criminals themselves have adopted SSL certificates too. And there’s not much comfort in knowing that your credit card data has been stolen and exfiltrated ‘safely’.

There is no doubt you should stay away from sites that have not adopted the latest secure communication protocols. However, you should not take for granted that a site is secure (in the sense of safe to shop) simply because you see a padlock.

iframe protection

A number of online shopping sites use a Content Management System (CMS) such as Magento where the checkout page relies on third-party forms to handle sensitive data. The integration is meant to be seamless in order to give shoppers the best experience possible.

One popular option is the iframe container, where a merchant site integrates a third-party script within an iframe on the checkout page. In technical terms, the provider script is inserted within an iframe container where the customer will enter their payment details (i.e. credit card number, month and year expiry and CVV). This means that no cardholder data is stored, processed or transmitted by the merchant.

Figure 3: Braintree Hosted Fields isolating payment data

The same-origin policy (SOP) enforced by modern browsers ensures that code contained in one page can only access data in another page if both web pages have the same origin. In other words, if the merchant site gets hacked, SOP prevents malicious code from stealing data within the protected iframe.

Unfortunately, there are many ways to bypass iframe protection and it usually comes down to having control of what is loaded onto a page. The PCI Security Standards Council states in one of its reports that “If an attacker has compromised the merchant’s website, however, they can create alternative content for the frame, which then allows completion of the payment process as well as creation of a copy of the cardholder data for the attacker.”

In an attack we observed recently, threat actors were targeting Braintree Hosted Fields to inject their very own iframe within the same container after disabling the legitimate one.

Figure 4: A rogue iframe takes the place of the Braintree iframe

As you can see in Figure 2, the legitimate Braintree iframe (braintree-hosted-field_number) has its display property set to none while a malicious iframe (fpmt) takes it place.

This means that the attackers now have direct access to the credit card number field and can steal it once the customer types it in, completely bypassing the iframe container protection.

Containers still have value for merchants as they can help them achieve PCI compliance and also generally augment their overall security posture. However, externalizing the payment process does not mean that your platform is secure from hackers.

Security in layers

There is no absolute in the security field, and if one technology claims to solve all problems it probably is too good to be true.

As the threats targeting online shoppers evolve, so must our response too. Credit card skimmers can target just about any platform and business, but there are some higher risk areas and behaviors. When evaluating a shopping site, you need to look well beyond the HTTPS padlock and even security seals.

  • Is the site up to date? While technically this would require scanning the CMS core files to determine their version, some things such as copyright notices showing dates of years past are a giveaway.
  • Is this a small ‘mom and pop’ website? Those are generally at greater risk because the owners have fewer resources to invest in security.
  • Does the site offer payment options that may be more secure such as a separate payment gateway, or token system?
  • Does the checkout page render properly without any odd looking elements? Skimmers often try to inject phishing forms or hijack existing fields, which can sometimes be noticed visually.

After doing due diligence checks on the site, you can still thwart the risk of online skimming by using security software, and in particular browser extensions that can block malicious code from loading. Malwarebytes Browser Guard was designed to filter out ads, scams and malicious content.

As an online merchant, there are a number of security decisions to make when you run a website. It would be difficult to list them all here, but as a general rule it’s good to remember that security is not an end state but a constant process that requires resources. Being proactive to anticipate attacks and have a plan in case of a compromise is also critical.

There are a number of services that provide security hardening and monitoring with varying costs. These can be a good option for a merchant that does not have its own IT team. As a side note, most web developers or web agencies (unless specified otherwise) will only build a website but not provide ongoing security updates and monitoring.

The post Demystifying two common misconceptions with e-commerce security appeared first on Malwarebytes Labs.

Categories: Techie Feeds

IoT forecast: Running antivirus on your smart device?

Thu, 11/19/2020 - 17:47

In 2016, threat actors pulled off a basic but devastating botnet attack that harnessed the power of the Internet of Things (IoT).

After gathering a list of 61 default username and password combinations for IoT devices, threat actors scanned the Internet for open Telnet ports and, when they found a vulnerable device, gained entry, eventually amassing an army of IoT devices to launch a massive DDoS attack.

This was the Mirai botnet attack. Though it began as a simple get-rich-quick scheme involving, of all things, the popular video game Minecraft, it led to a widespread Internet outage on the US East Coast.

In terms of ingenuity, the attack was fairly crude. There was no social engineering element and no clever attack machinery.

But if that kind of rudimentary attack destabilized an entire region’s Internet, what would a focused IoT attack do instead? And what types of IoT security are protecting users today?

Last month, for Cybersecurity Awareness Month, Malwarebytes hosted multiple educational webinars and cybersecurity training sessions for its employees, offering advice on strong password creation, two-factor authentication, and how to spot a phishing email. 

In our final week of Cybersecurity Awareness Month, we hosted a live version of our podcast, Lock and Code, for our employees. In the episode, (which you can listen to in full here) we spoke to John Donovan, chief information security officer for Malwarebytes, and Adam Kujawa, security evangelist and a director of Malwarebytes Labs, about the future of cybersecurity for the Internet of Things.

What we learned was interesting enough to present to our audience in both our podcast and, today, as a blog on Malwarebytes Labs.

Crucially, the future of cybersecurity for IoT devices is not separate from the future of cybersecurity for all devices. In fact, as our use and reliance on IoT devices shifts from general convenience to full integration into daily routines, the two concepts may very well merge.

Here’s what is keeping us safe today, and what we can expect to keep us safe tomorrow.

IoT non-standardization: Boon or burden?

Perhaps non-intuitively, IoT devices are currently protected by the exact same infrastructure that leaves them vulnerable—they are not standardized. That means that many IoT devices out there today, from smart fridges to smart speakers to smart watches, are often built on different parts that run different operating systems that rarely, if ever, talk to one another.

From one perspective, that’s good, Kujawa said.

“Right now, the best security we have for IoT devices is that [development] isn’t standardized yet,” Kujawa said. “There are lots of different devices using different platforms, on different frameworks, with different protocols in some cases, and that confusion makes it difficult to do things like develop a serious security threat to these devices.”

From another perspective, though, this same non-standardization presents a threat to effective IoT security solutions.

“It also works against us in the sense that developing security tools in order to protect these devices is just as difficult because you can’t create one solution that will necessarily work on every single device,” Kujawa said.

Until that standardization arrives, Donovan said that a lot of IoT device cybersecurity hygiene falls to the users themselves. Donovan and Kujawa offered several best practices that consumers should be able to implement today, no matter their level of tech proficiency:

  • Change the default password on your IoT devices
  • Do not connect your IoT devices to networks you do not trust
  • Stay informed about any reported vulnerabilities for your devices
  • Update your devices

These four steps will better protect your IoT device from harm because, as we learned from the Mirai attacks, cybercriminals are primarily looking for easy targets. Think of it like actual burglary attempts: Thieves don’t often go looking for padlocks to try and pick, they look for doors that are unlocked.

Beyond these basic steps, Donovan noted that the lack of IoT standardization has created a higher bar for some users to fully secure their own devices and networks.

“All the things you would do to secure a corporate network? Now you have to do it in your house,” Donovan said. That includes several security best practices like segregating individual IoT devices and setting up a virtual LAN—or VLAN—to isolate IoT devices from the rest of a network.

No matter the level of tech proficiency, though, there’s more to cybersecurity than personal responsibility.

Donovan said that IoT developers should include automatic security updates by default. No automatic updates often result in no meaningful cybersecurity, and that goes for any popular device or software.

Where the problems really start to compound, though, is in the corporate world.

Cybersecurity issues for businesses

The Internet of Things is not there solely to help consumers set oven timers while cooking or to play a few rounds of the game show Jeopardy! when bored. In fact, countless manufacturing factories and hospitals utilize devices and equipment that routinely connect to the Internet for communication and operation. So, when one of those devices goes down, or if threat actors discover a vulnerability, the overall threat could be more severe.

Complicating the issue is that some of the companies that actually manufacture this type of equipment are small businesses that can sometimes fail, Kujawa said.

“I’ve heard about this plenty of times for plenty of hospitals, where they’ve got this equipment that’s running on Windows XP, and the company that built it doesn’t exist anymore, and they never released updates for it.” Kujawa said. “It puts the organization in a really tough spot.”

Imagine the many businesses in just this situation, saddled with a now-unsupported IoT device that is crucial to their daily operations. If a vulnerability is discovered, what options can they take? Remove the IoT device and lose days of production time, or risk running the device until a serious cyberattack hits, which would also incur high costs to resolve? 

Either way, relying on specialized IoT devices made by small companies that cannot support their own products is a recipe for disaster, Kujawa said.

“Especially the smaller stuff and the specialized stuff, it’s very unlikely you’ll get security updates for that,” Kujawa said. “This is basically a vulnerability machine you can plug into your network.”

Despite the difficult cybersecurity realities today, the future of IoT devices looks potentially simpler.

The future of IoT cybersecurity

Much like how IoT devices are becoming increasingly crucial to businesses, these devices are also becoming increasingly integrated into our day-to-day lives.

It’s important to remember that our smartphones are not excluded from the IoT conversation, and every extension of our smartphones—tablets, smart watches, even far-away concepts like augmented reality glasses—will present us with more ways to connect to the Internet than ever before. No longer will cyberspace be relegated to the computer screen. 

With that increase in popularity and daily integration, Kujawa predicted that the public would see the rise of about four to five primary IoT developers. It’s not hard to imagine today which companies will be included on that list; already, Apple, Google, and Amazon are cornering the market on smart speakers, smart watches, and, of course, cell phones.

Whatever those four major players will be, Kujawa said, there will also be a narrowing in the number of operating systems available for IoT devices. Once enough people have purchased enough IoT devices running on a limited number of operating systems, then, Kujawa said, the cybercriminals will strike.

“When we get to that point and more folks are using [IoT devices] for things like banking or social media, then that’s when we see the investment by cybercriminals,” Kujawa said.

But, Kujawa said, these cybercriminal waves will demand a cybersecurity response.

“When we see investment by the cybercriminals, that means that all of the security vendors, if they haven’t already been migrating to those platforms, they need to do that,” Kujawa said. “[If] that’s where the focus is going to be by the bad guys, that’s where the focus has to be by us as well.”

When asked if he could ever see a future where Malwarebytes and other similar antivirus tools run on IoT devices, Kujawa spoke matter-of-factly:

“Absolutely. We’re headed in that direction right now.”

The post IoT forecast: Running antivirus on your smart device? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Chris Krebs, director of Cybersecurity and Infrastructure Security Agency, fired by President

Wed, 11/18/2020 - 16:16

On Tuesday evening, President Donald Trump fired Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA), just days after CISA called the recent presidential election the “most secure in American history.”

In a tweet posted the same day, the President justified his removal of Krebs:

“The recent statement by Chris Krebs on the security of the 2020 Election was highly inaccurate, in that there were massive improprieties and fraud – including dead people voting, Poll Watchers not allowed into polling locations, “glitches” in the voting machines which changed…

…votes from Trump to Biden, late voting, and many more. Therefore, effective immediately, Chris Krebs has been terminated as Director of the Cybersecurity and Infrastructure Security Agency.”

Donald Trump announces the firing of Chris Krebs on Twitter

Krebs responded cordially to his firing:

“Honored to serve. We did it right. Defend Today, Secure Tomrorow [sic]. #Protect2020”

Chris Krebs responds to his firing on his personal Twitter account

For nearly one month, under Krebs’ direction, CISA has batted away rumors about the US presidential election on a website that the agency officially launched on October 20, dubbed “Rumor Control.” The website has gained enormous popularity, often ranking as the number one most-visited page that is owned and operated by the Department of Homeland Security, where CISA is situated.

Rumor Control provided election fact checks for cybersecurity and non-cybersecurity issues. Some of the website’s recent statements include:

  • Robust safeguards including canvassing and auditing procedures help ensure the accuracy of official election results.
  • Voter registration list maintenance and other election integrity measures protect against voting illegally on behalf of deceased individuals.
  • Election results reporting may occur more slowly than prior years. This does not indicate there is any problem with the counting process or results. Official results are not certified until all validly cast ballots have been counted, including ballots that are counted after election night.

Though Krebs received the brunt of the President’s ire, he and CISA were far from alone in their evaluation of the election’s security.

Earlier this week, 59 election security researchers and computer science experts published a joint letter rejecting the President’s recent claims of election fraud.

“We are aware of alarming assertions being made that the 2020 election was ‘rigged’ by exploiting technical vulnerabilities. However, in every case of which we are aware, these claims either have been unsubstantiated or are technically incoherent,” the group of experts said in a letter published online. “To our collective knowledge, no credible evidence has been put forth that supports a conclusion that the 2020 election outcome in any state has been altered through technical compromise.”

Further, 16 federal prosecutors tasked specifically with catching election tampering told Attorney General William Barr last week that they found no such evidence.

Despite these mounting facts, Krebs’ departure was largely anticipated. According to an exclusive report by Reuters last week, Krebs had told several associates that he expected to be fired after his agency refused to remove factual information from Rumor Control, as requested by The White House:

“In particular, one person said, the White House was angry about a CISA post rejecting a conspiracy theory that falsely claims an intelligence agency supercomputer and program, purportedly named Hammer and Scorecard, could have flipped votes nationally. No such system exists, according to Krebs, election security experts and former US officials.”

A bipartisan selection of Congress members and a handful of cybersecurity researchers lamented the firing of Krebs.

Matt Blaze, election security expert and McDevitt Chair of Computer Science and Law at Georgetown University, said on Twitter that “protecting our national infrastructure is a vitally important and extremely difficult job, one Chris Krebs performed with both extraordinary integrity and exceptional skill.”

“Firing him, especially so abruptly, has made our country less safe,” Blaze said.

Republican US Senator Ben Sasse of Nebraska spoke similarly: “Chris Krebs did a really good job — as state election officials all across the nation will tell you — and he obviously should not be fired.”

Democratic Representatives Bennie Thompson of Mississippi and Lauren Underwood of Illinois—who respectively serve as chairman of the Committee on Homeland Security and chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation—spoke far more harshly.

“The fact is that, since Election Day, President Trump has sought to delegitimize the election results by engaging in a disinformation campaign that could shatter public confidence in our elections for generations,” the two said in a joint statement. “Director Krebs put national security ahead of politics and refused to use his position to do the President’s bidding, so the President fired him.”

The post Chris Krebs, director of Cybersecurity and Infrastructure Security Agency, fired by President appeared first on Malwarebytes Labs.

Categories: Techie Feeds

WebNavigator Chromium browser published by search hijackers

Tue, 11/17/2020 - 17:05

A mystery Chromium browser recently made a sudden appearance, and is certainly proving popular. But what is it, and where did it come from?

Malwarebytes detects the browser as PUP.Optional.WebNavigator, and we found several clues that this browser was brought to you by a notorious family of search hijackers.

That family isn’t new to us—we reported about them before when they changed a Chrome policy to remote administration, and lied about the permissions they asked of their users.

Search hijackers in general

We have written before about the interests of shady developers in the billion-dollar search industry and reported on the different tactics these developers resort to in order to get users to install their extensions or use their search sites.

Every time someone clicks on a sponsored advertisement, the requisite search engine earns money on a pay-per-click basis. They are paid by advertisers, who shell out for beneficial placement in the search results for keyword phrases of their choice.

As a result of the popularity of these search engines—Google in particular—US companies spend an estimated $80 billion on search engine optimization (SEO) alone. And the leading search engines are owned by some of the most valuable technology companies around.

What is WebNavigator?

The WebNavigator Browser is a Chromium-based web-browser that promises to simplify your browsing experience.


Note the pre-ticked checkboxes

The simplification is done by keeping the browser running in the background. I fail to see the advantage of that method over minimizing your normal browser, but at least the authors made an effort to explain why the process remains running even after you closed the browser.

I did not have that many tabs open

Another checkbox that is ticked by default is the “Set as default browser” which is pretty cheeky.

Where do people find WebNavigator?

The websites that promote the WebNavigator browser show up in advertisements and get visitors from redirectors. I found them when I was searching for new variants of the family of search hijackers that have become my “special friends” over the past years. That was my first clue that they might be related.

But using the same advertising networks is no definite proof whatsoever. As many shady website owners, they switch domains a lot so they don’t end up on every blocklist. Another detail they have in common.

What was your second clue?

The second clue was the layout and makeup of their website.

This type of layout is typically used to tell users how to install a Chrome extension, and the hijackers just changed the text in the boxes to make it fit them. Also note the line about Yahoo and other third-party search providers, that reminded me of a few search hijack extensions that were removed from the Webstore a while ago.

So, how is WebNavigator a search hijacker?

That was actually my third and most definitive clue. The WebNavigator Browser adds graphic search recommendations to the user’s search results, labelled “Search Recommendations”.

WebNavigator search recommendations

This ties them to the family of search hijackers which we have written about in detail before. For example, I found this set of search recommendations when I installed an extension called “IStreamingSearch”:

IStreamingSearch search recommendations

The difference in results could be caused by my use of a fresh Virtual Machine and a rotation of the VPN  servers I use in Malwarebytes Privacy. But they sure look similar.

How can I stop and remove WebNavigator Browser?

Malwarebytes Premium users are protected against this PUP, and Malwarebytes will warn them when they try to install the WebNavigator Browser.

Malwarebytes Browser Guard, Premium, and EDR will block the domains promoting WebNavigator Browser.

If you’ve already installed the browser but now want to remove it, I have posted full removal instructions for the WebNavigator Browser on our forums.

IOCs

Domains:

  • webnavigator.co
  • fileleauncher.co
  • tvlauncher.co
  • digitalfileconverter.com
  • fastmaps.net
  • gamelauncher.co
  • officelauncher.com
  • streaminglauncher.com

Filenames:

  • webnavigatorbrowser.exe
  • CLICK HERE TO START THE WEBNAVIGATOR BROWSER INSTALLER_********_.EXE (where ******** are random letters and numbers)

Stay safe, everyone!

The post WebNavigator Chromium browser published by search hijackers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Malsmoke operators abandon exploit kits in favor of social engineering scheme

Mon, 11/16/2020 - 18:00

Exploit kits continue to be used as a malware delivery platform. In 2020, we’ve observed a number of different malvertising campaigns leading to RIG, Fallout, Spelevo and Purple Fox, among others.

And, in September, we put out a blog post detailing a surge in malvertising via adult websites. One of those campaigns we dubbed ‘malsmoke’ had been active since the beginning of the year. What made it stand out was the fact it was going after top adult portals and had been continuing unabated for months.

Starting mid-October, the threat actors behind malsmoke appear to have phased out the exploit kit delivery chains in favor of a social engineering scheme instead. The new campaign is tricking visitors to adult websites with a fake Java update.

This change is significant because it drastically increases the target audience, no longer limiting it to Internet Explorer users running outdated software.

Top malvertiser for months

The malsmoke campaign derives its name from the most frequent payload it dropped via the Fallout exploit kit, namely Smoke Loader.

While we see a number of malvertising chains, the majority of them come from low quality traffic and shady ad networks. Malsmoke goes for high traffic adult portals, hoping to yield the maximum number of infections. For example, malsmoke has been present on xhamster[.]com, a site with 974 million monthly visits, on and off for months.

#Malsmoke malvertising campaign continues on xhamster and other top sites.

Also, #FalloutEK seems to have added a new anti-vm check that returns a 404 on the payload session. If your sandbox looks good, that last session should return a 200 and contain the binary. pic.twitter.com/qPaF6z9PKt

— MB Threat Intel (@MBThreatIntel) September 21, 2020 Figure 1: Tweet about continued malvertising attacks on popular adult site

Despite this successful run, malsmoke fell off our radar and we recorded its last activity on October 18. A couple of days prior (October 16), our telemetry registered a new malvertising campaign that uses a decoy page filled with adult images purporting to be movies.

  • Adult site: bravoporn[.]com/v/pop.php
  • Ad network: tsyndicate[.]com
  • BeMob Ad: d8z1u.bemobtrcks[.]com/
  • Decoy adult site: pornguru[.]online/B87F22462FDB2928564CED

A couple of weeks later, this campaign added a new domain as part of its redirect chain, but we can see that they are related (including the. same identifier marker in the URL)

  • Adult site: xhamster[.]com
  • Ad network: tsyndicate[.]com
  • Redirect: landingmonster[.]online
  • Decoy adult site: pornislife[.]online/B87F22462FDB2928564CED

That portal is used as a lure to get people to play adult videos that do not actually exist. Instead, users will be asked to download a fake Java update that is malicious.

Figure 2: Decoy adult template luring users with fake videos

A closer look at the template used and network indicators revealed that this latest malvertising campaign actually belongs to the same malsmoke threat actors that had previously used exploit kits.

Figure 3: Comparing template and traffic sequences between exploit kit and soc. engineering

We notice the same adult movie page template, with one minor fix (the typo in the page title which could have been due to the Russian keyboard layout).

Additionally, the latest domain name pornislife[.]online was registered with the same email address mikami9722@hxqmail[.]com tied to a number of other web properties previously related to malsmoke gates.

Figure 4: Same registrant email address used by malsmoke actors

The malsmoke operators ran successful exploit kit campaigns for several months but in October decided to switch them over to a new social engineering scheme. However, the malvertising chains remained similar as they kept abusing high traffic adult portals and the Traffic Stars ad network.

New social engineering trick

The new scheme works across all browsers, including the one with the largest market share, Google Chrome. Here’s how it works: when clicking to play an adult video clip, a new browser window pops up with what looks a grainy video (black bars are ours):

Figure 5: Adult video clip used as lure

The movies plays for a few seconds with audible sound in the background until an overlay message is displayed telling users that the “Java Plug-in 8.0 was not found”.

The movie file is a 28 second MPEG-4 clip that has been rendered with a pixelated view on purpose. It is meant to let users believe they need to download a missing piece of software even though this will not help in any way at all.

Figure 6: Video clip was customized by the threat actor

The threat actors could have designed this fake plugin update in any shape or form. The choice of Java is a bit odd, though, considering it is not typically associated with video streaming. However, those who click and download the so-called update may not be aware of that, and that’s really all that matters.

Figure 7: Fake Java update dialog

This fake dialog is reminiscent of the missing ‘HoeflerText font’ campaign used in the EITest traffic redirection schemes. EITest was also known for using exploit kits to distribute malware and at some point switched to a similar social engineering trick to target more users, especially those running the Chrome browser.

Payload analysis

The threat actors essentially developed their own utility to download a remote payload that had the advantage of not being easily detected. If you recall, malsmoke previously relied on Smoke Loader to distribute its payloads, whereas now it has its very own loader, thanks a new evasive MSI installer.

Figure 8: Payload installation flow, leading to ZLoader

The fake Java update (JavaPlug-in.msi) is a digitally signed Microsoft installer that contains a number of libraries and executables, most of which are legitimate.

Figure 9: Contents of MSI installer

On installation, lic_service.exe loads HelperDll.dll which is the most important module responsible for deploying the final payload.

Figure 10: Code invoking HelperRun DLL

HelperDll.dll uses the curl library that is present in the MSI archive to download an encrypted payload from moviehunters[.]site.

Figure 11: Request to backend server for actual payload

This is the ZLoader malware, which is then written to disk and ran as:

%AppData%\Roaming\microsoft_shared.tmp

ZLoader injects itself into a new msiexec.exe process to contact its command and control server using a Domain Generation Algorith (DGA). Once it identifies a domain that responds, it starts downloading different modules and optionally an update to ZLoader itself.

Figure 12: Post infection traffic, showing ZLoader gate

On the left of Figure 12, we can see the traffic generated by ZLoader implants injected into msiexec.exe. On the right, we can see those implants dumped from the same process. You can find more information on ZLoader and its implants in our paper The “Silent Night” Zloader/Zbot.

Evolving web threats

Malsmoke was one of the most noticeable distributors of malvertising and exploit kits striking on high profile websites.

While we thought the threat actor had gone silent, they simply changed tactics in order to further grow their operations. Instead of targeting a small fraction of visitors to adult sites that were still running Internet Explorer, they’ve now extended their reach to all browsers.

In the absence of high value software vulnerabilities and exploits, social engineering is an excellent option as it is cost effective and reliable. As far as web threats go, such schemes are here to stay for the foreseeable future.

Malwarebytes Browser Guard already protected users from this malvertising campaign. Additionally, we detect the MSI installer and ZLoader payloads via our Malwarebytes for Windows.

Figure 13: Malwarebytes Browser Guard blocking redirector Indicators of Compromise

Redirector:

landingmonster[.]online

Decoy adult portal:

pornislife[.]online

MSI installer:

87bfbbc345b4f3a59cf90f46b47fc063adcd415614afe4af7afc950a0dfcacc2

First C2:

moviehunters[.]site

ZLoader:

4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab

ZLoader C2s:

iqowijsdakm[.]ru
wiewjdmkfjn[.]ru
dksaoidiakjd[.]su
iweuiqjdakjd[.]su
yuidskadjna[.]su
olksmadnbdj[.]su
odsakmdfnbs[.]com
odsakjmdnhsaj[.]com
odjdnhsaj[.]com
odoishsaj[.]com

The post Malsmoke operators abandon exploit kits in favor of social engineering scheme appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (November 9 – November 15)

Mon, 11/16/2020 - 17:35

Last week on Malwarebytes Labs, we reported on multiple patch releases: from Mozilla’s Firefox and Thunderbird to Google’s Chrome. We also had a chat with our resident experts, Adam Kujawa and John Donovan, about the future of IoT cybersecurity in our latest Lock and Code podcast episode. Lastly, we took a look at a new ransomware called RegretLocker, and guided college students on how they can keep themselves cybersecure while distance learning in the middle of a pandemic.

Other cybersecurity news
  • Pay2Key, a new ransomware family first discovered by Check Point, was found to have ties with Iranian hackers. (Source: The Algemeiner)
  • Doctors were found to be easy targets for hospital-related cyberattacks (Source: MedPage Today)
  • Phishers and scammers were found taking advantage of gaming console players who are looking forward to getting their hands on the new Playstation 5 (Source: Hindustan Times)
  • Speaking of scams: The Better Business Bureau (BBB) warned recipients of text messages offering money to join a “COVID clinical study”. (Source: News Leader)
  • Researchers identified the Google Play Store as “the main distribution vector for most Android malware”. Ouch. (Source: ZDNet)
  • TroubleGrabber, a new family of information stealers, were found to target Discord messaging users by spreading as an attachment. (Source:BleepingComputer)
  • Emotet and TrickBot were deemed “most prolific malware strains”, according to new analysis… (Source: InfoSecurity Magazine)
  • …and targeted spear-phishing attacks are on the uptick, too, according to security experts. (Source: Security Boulevard)
  • With Black Friday just around the corner, be wary of incoming scams and phishing attempts, such as an Amazon scam that is circulating in the wild. (Source: Daily Express)
  • According to KnowBe4, phishing emails purporting to have originated from LinkedIn are the most clicked compared to phishing campaigns on other social media platforms. (Source: MarTech Series)

Stay safe, everyone!

The post A week in security (November 9 – November 15) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Hat trick for Google as it patches two more zero-days in Chrome

Thu, 11/12/2020 - 21:16

Slightly over a week ago we advised you to update your Chrome browser. That warning came only a week or so after we advised you to update your Chrome browser. Things are getting a bit repetitive round here.

Today, we are compelled to repeat that statement as Google has issued patches for two new zero-day vulnerabilities. Someone tipped Google off about them, although the source(s) wish to remain anonymous. Again, the vulnerabilities being zero-days means they are already being used in real life attacks.

Zero-days are a valuable commodity for cybercriminals since there are (until yesterday) no patches for the vulnerability and every unpatched system is another potential victim. Which is exactly why we advise to update your Chrome as soon as possible.

What is the problem that’s being fixed?

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list—a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

In this case, the two vulnerabilities were catalogued as:

CVE-2020-16013: Inappropriate implementation in V8. Sound familiar? V8 was also the subject of CVE-2020-16009 where researchers stated it must have something to do with the way the Chrome browser handles Javascript.

CVE-2020-16017: Use after free in site isolation. Site isolation is the feature that makes every website run in a separate process without interaction with each other. Each will be running in a sandbox which provides an additional line of defense. Use after free may indicate that after closing a site the memory location for it may not be freed up properly.

How do I install Chrome patches?

The easiest way to do it is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the zero-day vulnerabilities. My preferred method, which also allows me to keep track, is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is Relaunch the browser.

What version do I need?

After the update, your version number should be 86.0.4240.198 or later. You will now be protected against the vulnerabilities. Google states that the stable channel has been updated to 86.0.4240.198 for Windows, Mac, and Linux which will roll out over the coming days/weeks. Also keep an eye on your Chromium based browsers (Opera, Edge, and others) since they may require updates as well.

Stay safe, everyone!

The post Hat trick for Google as it patches two more zero-days in Chrome appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Surviving college distance learning during the pandemic: a cybersecurity guide

Thu, 11/12/2020 - 16:45

Social distancing, the wearing of face masks, practicing hand hygiene, and disinfecting often-touched surfaces have become human necessities during the pandemic era. For schools, they’ve also had to adapt quickly to incorporate distance learning methods that let students continue their studies.

But being in crisis management mode didn’t give higher educational institutions much time to think carefully and plan around issues concerning cybersecurity and privacy, even though it was a struggle for them pre-pandemic. The thing is, cybersecurity and privacy isn’t just a job for the school’s IT department, students and staff have a responsibility to stay secure, too, especially with distance learning in full or partial effect.

So, what’s the TL;DR version?

Wondering how to stay secure while in your online classes, or doing homework? Try a multilayered approach.

What do we mean by this?

In privacy and security, a multilayered approach is about using multiple methods of security. It’s considered the best way of protecting yourself, whether you’re an entity that wants to protect everything important that belongs to you or you’re a person who wants to keep their data safe. A multilayered approach is paramount because a single failure in one layer wouldn’t automatically lead to the complete breakdown of security.

So, how can you create security layers to stay protected while attending classes online and/or doing homework? Before we break that down, remember that these steps not only protect you, your machine, and your data from potential cyberattacks, it also protects others as a consequence, such as your school network and everyone else who connects to it.

Protect your device

Whether you’re using your own computer or one provided by your school, it’s vital that you:

  • Keep your device in a space where it can be physically safe and away from potential theft, or be accessed by other people in your home or flat.
  • When you need to step away from your computer, ensure that you lock your screen. You can do this by setting up a password—or, in some cases, a picture password—and never share it with anyone, so that only you can access your own machine.
  • Enable a firewall on your device.
  • Download and install endpoint protection if your school hasn’t provided this, and confirm it’s running in real time.
  • Ensure that all software installed on your device is up to date. And while you’re at it, uninstall software you don’t use as they could become security risks if you don’t update them.
  • Turn off your device when not in use.
  • Do non-school related browsing or other activities within a virtual environment. Using your personal computer for distance learning shouldn’t hinder you from using your computer like you normally do. But whether you keep school files on your computer or not, it’s best to get used to scrolling the internet within a virtual network in your personal time. This lessens the chances of you getting your computer infected if you encounter online threats.
Protect your Wi-Fi network

Whether you’re using your own internet or the Wi-Fi hotspot your school provided, it is vital that you:

  • Check you are not using your router or hotspot’s default admin credentials. Using them only makes it easier for those with ill intent to hack into your device and network.
  • And, while you’re there, ensure your router or hotspot is secured with a strong password—that’s at least 20 random characters long. These characters shouldn’t follow a pattern. If you don’t want to sweat this out, much less remember a complicated string without writing it down, a password manager can help you with these.
  • Set up a reminder to yourself to change your router or hotspot password. This will help keep potential attacks against these devices at bay. A password manager can come in handy here, too.
  • Turn on your router’s firewall.
  • Enable the highest encryption option available for your Wi-Fi hotspot/router, which could be the WPA2 (Wi-Fi Protected Access 2) or WPA3 (Wi-Fi Protected Access 2) protocol.
  • Change your default SSID (service set identifier), which is the network name broadcasted by your wireless router for your computer and/or device to see and connect to.
  • Keep your router/hotspot firmware updated.
  • Disable features that would allow any device that isn’t your own to connect to the school-provided hotspot. We’re referring to WPS (Wi-Fi Protected Setup) and UPnP (Universal Plug and Play) here.
Protect your school’s network

Infecting your school’s network—whether knowingly or unknowingly—is the last thing we want to happen. Both students and staff alike are expected to adhere to rules, which may look like the following, when connecting to a school network:

  • Whatever computing device you use for distance learning, make sure you scan it first with endpoint protection software before connecting to your school’s network.
  • Never download and run or share files that are of questionable origin. This includes email attachments.
  • Remain informed about the types of online threats students like you might encounter. This includes phishing attempts, scams, and ransomware infections.
Protect your data
  • Back up your data, especially if you’re using your own computer for studying.
  • Use two-factor authentication on your school-related accounts.
  • Use a virtual private network (VPN) when connecting to your school’s network.
  • Avoid reusing passwords.
  • Never share school-related account credentials with anyone.
Protect your virtual class sessions

A number of Zoombombing attacks have happened because students shared their Zoom details with third parties via a public, social space (think Discord, Reddit, Twitter, and even Instagram). And recordings of these Zoombombings have been floating around on YouTube and Twitch.

Please do not share your Zoom or other video communication software details to anyone. It might seem fun and that there’s “no harm done there really”—plus the class gets to be suspended for the day woo!—you’re not only hindering your other classmates from learning, you’re also getting yourself in trouble.

Understand that Zoombombing is a federal offense, and anyone found involved in such an act could be prosecuted and imprisoned. Nowadays, affected schools are encouraged to report any Zoombombing incidents to law enforcement, which may include the local or state police department and the FBI’s Joint Terrorism Task Force, to kickstart investigations. Here’s a great post containing tips on how to curb Zoombombing.

College cybersecurity is a student’s responsibility, too

Schools have the duty and responsibility to physically protect their students and staff from harm, especially during this ongoing pandemic. The same is true for ensuring that students have what they need to continue their studies in the best conceivable way they can. This includes protecting systems that house confidential information and financial data.

Yet some schools are unequipped to address every cybersecurity and privacy challenge they encounter, even before COVID-19 struck. In fact, they can only do so much. Students and staff must start recognizing their part in keeping their school network safe from cyberattacks.

Security is everyone’s responsibility. And there’s no better time than today to take this duty seriously.

The post Surviving college distance learning during the pandemic: a cybersecurity guide appeared first on Malwarebytes Labs.

Categories: Techie Feeds

RegretLocker, new ransomware, can encrypt Windows virtual hard disks

Wed, 11/11/2020 - 20:20

Cybersecurity researchers discovered a new ransomware last month called RegretLocker that, despite a no-frills package, can do serious damage to virtual hard disks on Windows machines.

Through a clever trick, RegretLocker can bypass the often-long encryption times required when encrypting a machine’s virtual hard disks, and it can close any files currently opened by a user to then encrypt those files, too.

Chloé Messdaghi, vice president of strategy at Point3 Security, described RegretLocker as having “broken through the speed-of-execution barrier for encryption [of] virtual files.”

She continued: “[RegretLocker] actually seizes the virtual disk and is much faster in execution than previous ransomware attacking virtual files.”

Despite the ransomware’s state-of-the-art machinery, its appearance remains quite plain.

RegretLocker does not offer its victims a lengthy ransomware note—a common practice for many ransomware types today—and it asks victims to contact threat actors through an email address. That email address is hosted on CTemplar, which, according to Silicon Angle, is an anonymous email hosting service based in Iceland.

The short note that victims receive, titled “HOW TO RESTORE FILES.TXT” contains the following text:

“Hello, friend.

All your files were encrypted.

If you want to restore them, please email us : petro@ctemplar.com”

As of Tuesday, our threat intelligence team only knew of one in-the-wild reported sample, with no known or reported victims. However, this ransomware should still be watched because of its ability to quickly encrypt virtual hard disks, a potential breakthrough in ransomware capabilities.  

Often, ransomware avoids any attempts to encrypt virtual disks found on machines because those virtual disks can be enormous in size, and the time to encrypt those files would simply delay the ransomware’s purpose—to get into a machine and lock it up.

RegretLocker treats virtual disks differently, though. It utilizes the OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath functions to mount virtual disks as physical disks on Windows machines. Once the virtual disk has been mounted, RegretLocker encrypts the disk’s files individually, which speeds up the overall process.

RegretLocker’s virtual hard disk mounting capabilities potentially came from research that was recently published on GitHub by the security researcher smelly__vx. The researchers at MalwareHunterTeam also analyzed a sample of RegretLocket and found that it can run offline as well as online.

Further, RegretLocker can tamper with the Windows Restart Manager API to terminate active programs or Windows services that keep files open. According to IT Pro Portal, the same API is utilized by other ransomware types, including Sodinokibi, Ryuk, Conti, Medusa Locker, ThunderX, SamSam, and LockerGoga. Files encrypted with RegretLocker use the .mouse extension.

Malwarebytes users should know that we protect them from this new threat, as shown below.

The post RegretLocker, new ransomware, can encrypt Windows virtual hard disks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mozilla patches critical security issues in Firefox and Thunderbird

Tue, 11/10/2020 - 15:22

Mozilla has issued a critical patch for Firefox, Firefox ESR, and Thunderbird after a security issue was discovered at the Tianfu Cup 2020 International Cybersecurity Contest

The security issue has been assigned CVE-2020-26950 which has the “reserved” status. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list—a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

What is the problem that’s being fixed?

The description Mozilla published itself reveals that write side effects in MCallGetProperty opcode were not accounted for. In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition.

Use-after-free is a naming convention for vulnerabilities related to the incorrect use of dynamic memory during an operation by a program. It means that after freeing a memory location, a program does not clear the pointer to that memory, which could allow an attacker to abuse the error and launch a buffer overflow attack. In a “worst case” scenario this could allow for a remote code execution (RCE) attack, but whether that is true in this case is unknown at the moment.

Which versions are vulnerable?

Make sure you are on the latest versions of the following:

  • Firefox should be updated to version 82.0.3 or later
  • Firefox ESR (Extended Support Release) should be updated to version 78.4.1 or later
  • Thunderbird should be updated to 78.4.2

Firefox Extended Support Release (ESR) is a version of the popular browser for large organizations that need to deploy and maintain Firefox at a large scale. It does not have all the latest functions, to limit the number of updates, but it does receive security and stability updates.

How do I check my version and update?

To find out which version you are using on a Windows machine, open the application menu and click on Help > About. On a Mac, look at the top menu and click Firefox > About Firefox. This will show which version you currently have and whether an update is available.

Version screen Firefox

The screens and the way to access are largely the same for all the Mozilla programs, so we will only show the Firefox example.

After the update you should see a screen similar to this:

The next stable version of Firefox will be released on November 17, 2020.

Stay safe, everyone!

The post Mozilla patches critical security issues in Firefox and Thunderbird appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Lock and Code S1Ep19: Forecasting IoT cybersecurity with John Donovan and Adam Kujawa

Mon, 11/09/2020 - 18:36

This week on Lock and Code, we offer something special for listeners—a backstage pass to a cybersecurity training that we held for employees during Cybersecurity Awareness Month, which ended in October.

The topic? The future of cybersecurity for the Internet of Things.

Our guests, Chief Information Security Officer John Donovan and Security Evangelist and a Director for Malwarebytes Labs Adam Kujawa guide us through some of the future’s most pressing questions. Will we ever run antivirus software on IoT devices? What predictions can we make for how the cybersecurity industry will respond to the next, possible big IoT attack? And what can we do today to stay safe?

This episode was recorded live in front of our fellow Malwarebytes employees (over Zoom, of course, as is tradition during the coronavirus pandemic). The episode even includes a Q&A with our employees.

Tune in to get a glimpse into how Malwarebytes helped its own employees during Cybersecurity Awareness Month, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes storeGoogle Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on: Other cybersecurity news

Stay safe, everyone!

The post Lock and Code S1Ep19: Forecasting IoT cybersecurity with John Donovan and Adam Kujawa appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Update your iOS now! Apple patches three zero-day vulnerabilities

Fri, 11/06/2020 - 17:28

Apple has patched three vulnerabilities in iOS (and iPadOS) that were actively being exploited in targeted attacks. Vulnerabilities that are being exploited in the wild without a patch being available are referred to as zero-days. The vulnerabilities were found and disclosed by Google’s Project Zero team, and patches were issued yesterday.

What has Apple patched in the update?

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list. CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The zero-days are listed under the ID numbers:

CVE-2020-27930: Affected by this issue is some unknown processing of the component FontParser. Manipulation with an unknown input could lead to a memory corruption vulnerability. This means a font could be created which leads to memory corruption, allowing for a remote code execution (RCE) attack .

CVE-2020-27932: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild. Using such a vulnerability could allow malware to bypass security restrictions on an affected system.

CVE-2020-27950: A malicious application may be able to disclose kernel memory. Apple is aware of reports that an exploit for this issue exists in the wild. Disclosed kernel memory may contain sensitive data like encryption keys and memory addresses used to defeat the address space layout randomization.

What is Project Zero?

Formed in 2014, Project Zero is a team of security researchers at Google who find and study zero-day vulnerabilities in hardware and software systems. Their mission is to make the discovery and exploitation of security vulnerabilities more difficult, and to significantly improve the safety and security of the Internet for everyone.

Update your iOS now

Since Apple has flagged that at least two of these vulnerabilities are being exploited in the wild and told us of the possible consequences, users should install the update as soon as possible.

Owners of an iPhone or iPad are advised to update to iOS 14.2 and iPadOS 14.2 or iOS 12.4.9. Apple patched the same vulnerabilities in the Supplementary Update for macOS Catalina 10.15.7. You can always find the latest Apple security updates at its security updates site.

Stay safe, everyone!

The post Update your iOS now! Apple patches three zero-day vulnerabilities appeared first on Malwarebytes Labs.

Categories: Techie Feeds

RegTech explained: a crucial toolset for the financial industry

Fri, 11/06/2020 - 16:30

Every organization in the financial industry needs to meet certain regulatory obligations, even if it’s just filing a tax return or submitting an annual report. In certain industries, such as financial services, they’ve added their own additional sets of rules that must be adhered to. For example, organizations who take and process credit card payments have an obligation to meet the Payment Card Industry Data Security Standard (PCI DSS).

To make keeping up with new regulations easier, financials are turning to RegTech. RegTech is the contraction of the words Regulatory Technology. In the financial word it is one of the hot topics. What is it and why is it so popular? Read on.

What is RegTech?

By definition, RegTech is an innovative technology that enables organizations to effortlessly adjust to the weight of always expanding needs for regulatory reporting. In essence, RegTech providers are an industry within the financial industry that provides other members of the financial world with the technology that helps them to stay current with ever-changing rules and regulations.

The wins for the users of RegTech consist mainly of these elements:

  • Gain efficiency by streamlining and harmonizing processes within the organization.
  • Reporting of compliance and issues is made easier by prefabricated, but often customized, modules.
  • Risk can be identified and countered quicker by using smart technology.

To achieve these goals, RegTech uses 5 different types of technology:

  • Monitoring processes to obtain a real-time objective about what is going on in the organization. This is essential for reporting and risk identification goals.
  • Reporting is often a mandatory part of new regulations and, by constant monitoring, the required reports can be produced at the touch of a button.
  • Data exchange is another part of many new regulations, specifically those that help startups on their way. Technology to enable and monitor the exchange of data helps to comply with these regulations while keeping an eye on data streams.
  • Internal legal departments are supported with tools to make the implementation of new regulations more efficient and thus cheaper.
  • Automation is introduced where possible to avoid human mistakes. The jungle of regulations can easily lead to human error. Monitoring and streamlining can help to avoid such errors. Reporting will have to record them if they should occur, nonetheless. And corrections can be applied where needed.
What makes RegTech so popular?

At one point, the financial industry was under a lot of stress due to new regulations. Depending on the country financials are working from and the regions they plan to do business with, the range of regulations they have to comply with can be challenging. RegTech helps financials to respond in a cost-efficient and versatile way, while maintaining a high standard of quality and security.

How does Regtech work?

This is a very hard question to answer as developments are happening at a fast pace. Every new regulation creates opportunities for the RegTech companies to work on new technology and offer it to banks, financial institutions and FinTech companies. On the other side, RegTech companies supply the supervisory agencies that lay down the rules and regulations with the technology to check compliance by the constituents. This branch is sometimes referred to as SupTech.

For example, by combining Artificial Intelligence (AI) and Big Data it is possible to predict suspicious behavior by monitoring transactions in real-time and scanning for irregularities. This technology will pick up the signals much sooner than any human possibly can, and helps to find patterns indicating money laundering and terrorist funding.

Security implications of RegTech

Many of the regulations are laid down with privacy and security in mind. A correct implementation of these regulations should not pose a problem in this field. On the contrary, if the regulators are accomplishing what they set out to do, these regulations should lift the privacy and security demands to a higher level.

Also, implementation of RegTech gives the in-house security teams at financial organizations the opportunity to focus on other issues as the technology takes over one part of their job. This doesn’t mean internal teams should let go of the process entirely, even though that might sound appealing as they often have a lot of other things on their plate, but it should ease the burden somewhat.

It’s not only necessary to measure the effectiveness of your organization’s security controls against the regulations, but also to check whether new and anticipated legislation does not interfere with your existing security standards. An obligation to offer information to your competitors should not reduce your defenses against a data breach. The Know Your Customer (KYC) documentation not only authenticates the customer’s credentials but also helps maintain a verified record of customers. Regulatory compliance mechanisms like the KYC registry store extremely sensitive personally identifiable information (PII) and elaborate customer data. So, it is important to devise systems that prevent unauthorized access, minimize cyber risks, and limit the possible consequences of a data breach.

Risk and compliance functions use different methods to keep up with regulatory challenges. They use software as a service (SaaS) in the cloud to identify risks, strategize risk tolerance, and facilitate regulatory requirements across various regions and financial services.

How does RegTech provide data security and privacy?

There are some key areas where RegTech contributes to keep our data safe:

  • Fraud prevention. Information provided by criminals can be checked against existing KYC data. This helps to prevent identity theft and abuse of stolen data.
  • Money laundering and terrorist funding are other areas that are monitored by using KYC data.
  • Compliance with national regulations. On top of worldwide and business standards you will often find local standards are applied.
  • Cloud security tools to keep data stored in the cloud at the same safety level as locally stored data.
  • Authentication methods to ensure a high level of security. For example, multi-factor authentication (MFA) methods, cryptography, and encryption.

As more and more business collect PII, customers are concerned about their personal data security and their privacy. And as cybercriminals get more sophisticated, the need for more advanced and effective tools has risen. RegTech companies provide an important part of this new technology for the financial industry.

The post RegTech explained: a crucial toolset for the financial industry appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Prop 24 passes in California, will change data privacy law

Thu, 11/05/2020 - 14:12

First-day returns in California showed voters firmly approving to change their state’s current data privacy law—which already guarantees certain privacy protections that many states do not—through the passage of Prop 24.

As of the morning of November 4, according to The Sacramento Bee, 56.1 percent of California voters said “Yes” to Prop 24. At that time, 65.3 percent of the state’s votes had been counted. Though far from a complete tally, the numbers proved advantageous enough for celebration for the “Yes on 24” campaign.

“With tonight’s historic passage of Prop 24, the California Privacy Rights Act, we are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data,” said Alastair Mactaggart, chair of Californians for Consumer Privacy and sponsor for Prop 24. “I’m looking forward to the work ahead and the next steps in implementing this law, including setting up a commission that is dedicated to protecting consumers online.”

Proposition 24 represented one of the rarer examples in data privacy law that split advocates in two. The typical roster of data privacy supporters in the state—including Electronic Frontier Foundation, ACLU of Northern California, Consumer Watchdog, Common Sense Media, Color of Change, and Oakland Privacy—divided themselves into three separate categories: Support, oppose, or neither.

The disagreement was well-founded. As we reported, while some groups praised Prop 24 because of its increased protections on data that could reveal race and ethnicity, other groups opposed the proposition because of new loopholes that could disproportionately harm minority communities.  

Adding a potential sense of voter whiplash to the ballot proposition was that its biggest supporter and primary funder Mactaggart actually served as one of the lead architects on the very law that the proposition was trying to amend. Two years ago, after announcing an intention to bring a ballot proposition to Californians to better secure their data privacy rights, Mactaggart instead worked directly with California lawmakers to get a bill drafted, passed, and signed by then-governor Jerry Brown.

That law, called the California Consumer Privacy Act, barely went into effect in January of this year, and details on its enforcement and on how the public could assert their rights were released only this summer.

In the end, though, none of that drama appeared to matter much to California voters. With the passage of Prop 24, Californians can expect additional protections on what the proposition has defined as “sensitive personal information,” as well as the country’s first government agency established entirely to enforce a data privacy law.  

The post Prop 24 passes in California, will change data privacy law appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages