Feed aggregator


First Comics News - Thu, 08/29/2019 - 15:34

Mad Cave Studios is excited to present an early sneak peek of our exciting new title, Over the Ropes!

Writer Jay Sandlin and artist Antonello Cosentino collaborate to explore the world of indie wrestling in the golden age of the sport, the 90’s. Over the Ropes is an underdog story of staying true to oneself in a world where ring personas oftentimes bleed into reality. Sandlin and Cosentino craft a tale in which finding one’s true self may mean crafting a larger-than-life image inside the ring.

Set in a fictional world, Over the Ropes dives into sports entertainment’s biggest era. A young high-flyer named Jason Lynn goes off-script in a match to win the world title and sets the southern territory on fire as the face-painted wrestler, Phoenix.

Meet the cast and enjoy your preview!

In Over the Ropes, Jason’s battles in the ring are only outperformed by his struggles outside of it. First dates. Crooked promoters. Cage matches. Factions and families. No matter what problems smack him with a steel chair, Jason lives by his catchphrase: “I. Will. Rise.”

“On the surface, Over the Ropes may seem like another Saturday morning wrestling show, but in reality, it’s about the underdog in all of us fighting and clawing for one moment in the spotlight. The characters grew out of my desire to write the kind of wrestling story I gravitated to the most; where the predetermined nature of in-ring action and backstage drama blends with shades of reality until the two are indistinguishable.”

– Jay Sandlin

If you’d like to check out our other books, head to your local comic shop or order through Amazon or our online Mad Cave store. Also available digitally on Comixology!

Categories: Comic Book Blogs

Start Your Digging

Torchbearer RPG - Thu, 08/29/2019 - 13:00
Caving by Michael Prescott

Hello friends!

Recently, Luke and I have been discussing the Dungeoneer skill. The skill is great, but our feeling is that we’ve overburdened it. Right now it governs both climbing and trap disarming—two things adventurers are likely to get up to a lot in dungeons.

At the same time, there’s one thing that gets short shrift in Torchbearer’s skills: digging. It’s covered by the Laborer skill, but there’s not much in the way of diversity of obstacles. Our players are probably unusual in that they absolutely adore digging—a hold-over from our Burning THAC0 days when we had a Burning Wheel dungeon delving campaign. In those days, there was nothing that could earn you MVP faster than coming up with a clever way to use the Ditch Digging skill (in our early, impoverished days we once scraped together enough cash to cover a lifestyle maintenance test by retrenching latrines…). The dwarf, with his magical Excavation skill, was like unto a god.

This is all a roundabout way of saying that we’re toying with adding a new skill to Torchbearer: Sapper.


Life underground has its own rules. Sappers are experts in the unpredictable dynamics of digging and defending in the darkness below.

Sappers dig tunnels, collapse them and set traps for the unwary.
Beginner’s Luck: Will
Help: Alchemist, Laborer
Supplies: Sulphur, lumber, grease

Tunneling Factors: Tunnel Type + Length + Material
  Tunnel Type: Crawlway (1), Shaft (2), Tunnel (3)
  Length: Short (1), Long (2)
  Material: Earth (0), Clay (1), Stone (2), Sand (3)

Tunnel Traps Factors
  Setting Traps, by trap type: Pit (1) + Material factors, Tripwire alarm (2), Deadfall (3), Spear or crossbow mechanism (4), Gas and smoke mechanisms (5), Explosives (6)
  Disarming Traps: Tripwire and open pit (1), False floor (2), Pressure plate (3), Complex and multipart mechanisms (4), Explosives (5), Sigils or runes (6)

What do you think? I know there’s been a fair bit of conversation about disarming traps on the forums and the Mordite Press blog, but do your players ever set traps? Do they tunnel? Let’s talk about it!

Start your digging.

Categories: Tabletop Gaming Blogs

Combat as (Blood) Sport

Sorcerer's Skull - Thu, 08/29/2019 - 11:00

A common reframe in the old school landscape is "Combat as War vs. Combat as Sport," often used to negatively contrast elements of 5e and particularly 4e concerned with encounter balance and "the encounter" as a fundamental unit of game action in general with the old school. Without getting into the merits of how this argument is typically framed, I think that even if we accept this as true, there is a way to lean into those elements of modern D&D and come out with something cool. Instead of dungeoncrawling for treasure (mainly), maybe the dungeon environment could be the battleground of a big tournament.

X-Crawl deals with some of this territory, I guess, but from what I read of it, it is set in the modern day, and seems very much concerned with the celebrity aspect of things, bringing in a lot of professional athlete cliches. All well and good, but I'm more interested in something more like Dragonball Z. The fighters are in it often for the personal betterment--a personal betterment that is practically apotheosis, which dovetails nicely with D&D advancement. What if the gods or Immortals or whatever design the dungeons as tournament grounds, and foundries to forge new Immortals to join their ranks?

In this context, the lack of XP for gold makes perfect sense. Also, "levels" of dungeons are like brackets of a tournament. In order to give a good spectacle, you don't want scrubs advancing to take on the contenders too soon. Mainly, playing this sort of setting would just mean thinking about the game differently. The only change might be that there would be fewer nameless rabbles or humanoid tribes with young and the like. Everybody in the dungeon is playing the game.

Geek Picks for August 26th, 2019!

Stash My Comics - Thu, 08/29/2019 - 02:05
By the Outright Geekery Staff… With pumpkin spice, everything also comes back to school time, but we’re STILL doing the Geek Picks For August 28th, 2019. Some friends down south already have gotten to ship their kids back to school, …
Categories: Comic Book Blogs

Making the case: How to get the board to invest in higher education cybersecurity

Malwarebytes - Wed, 08/28/2019 - 17:31

Security leaders in institutions of higher education face unique challenges, as they are charged with keeping data and the network secure, while also allowing for a culture of openness, sharing, and communication—all cornerstones of the academic community. And depending on the college or university, concerns such as tight budgets and staffing shortages can also make running a successful security program difficult. So how do CISOs get their boards to invest in higher education cybersecurity?

In the second part of our series of posts about CISO communication, we look at the considerations and skills required for presenting to the board on higher education cybersecurity, including which tactics will increase their understanding and financial support.

This month, I asked David Escalante, Director of Computer Policy & Security at Boston College and a veteran information security leader, for his perspective on what it takes to advocate for security in this environment.

What unique challenges do CISOs/security managers working in higher education have that differ from their peers in the public sector?

Many large universities are best thought of as small cities. Frequently, an organization is able to focus on a few products, or a range of products in its given industry space. Because of the diversity of things a university does, the variety of software and hardware required to run everything is huge, and this, in turn, means that security teams are stretched thin across all those systems, versus being able to focus on a smaller number of critical systems.

University environments have a culture of openness, and that can conflict culturally with a least privilege or zero trust security model.

Without getting into detail, risk trade-offs in higher education aren’t as well understood as in many other sectors. And because of the diverse systems alluded to above, balancing those trade-offs is complex.

What do education CISOs need to keep in mind when they communicate with either the board or other governing bodies in their organization?

Boards in education, in non-profits, and for state entities don’t tend to have the same makeup as public company boards do. For a non-profit example, think of the opera company whose board members are the big donors. As a result of this, we’ve noted that the “standard” templates for cybersecurity communication with the board tend not to strike the right notes, since they’re pitched for a public company board made up largely of senior corporate officers. So don’t just go “grab a template.” 

The trend we’ve seen, advice-wise, of “tell the board stories” seems to resonate better than, say, a color-coded risk register. The scope of the systems running at a big university that need to be secured, plus the board’s limited detailed knowledge, makes substantive conversations about specific security approaches difficult. It’s better to highlight things both good and bad than to try to be comprehensive.

It’s very hard to balance being technical or not. Use a mix. On the one hand, board members have probably read about ransomware bringing organizations to their knees, and may even have read up on ransomware to prep for the board meeting, and will expect some technical material on the subject. On the other hand, almost all board members will not be technical, so overdoing the technical component will lose them.

Don’t directly contradict your own management chain—if you’ve asked for more staff and haven’t gotten it, don’t ask the board for it.

What other advice would you give higher ed CISOs when it comes to communication?

On the non-board management side, if you aren’t already, it’s time to emphasize that security is everyone’s responsibility. The days when you could “set and forget” antivirus and be secure are long gone. 

Now social engineering and credential theft are rampant, and management is consuming information on personal mobile devices. Non-IT management needs to be clear that securing campuses is a team effort, not just an IT one. 

At BC, we have been having the CIO, versus the security team, communicate personally with senior management a couple times a year on specific cyberattacks we’ve seen to emphasize that they need to be vigilant partners, and not to assume that IT will catch all threats in advance.

The post Making the case: How to get the board to invest in higher education cybersecurity appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The Evolution of D&D in a Nutshell

The Viridian Scroll - Wed, 08/28/2019 - 16:57

Categories: Tabletop Gaming Blogs

Wednesday Comics: House of X/Powers of X

Sorcerer's Skull - Wed, 08/28/2019 - 11:00

Jonathan Hickman has a penchant for "big idea" comics, often with an epic scale and science fictional overtones. All of those things I like, but for me there is a lack of focus on character, and perhaps a Kubrickan coolness that has made it difficult for me to love his Avengers or Fantastic Four runs. Maybe with the X-men, he's finally won me over.

House of X and Powers of X (actually pronounced "Powers of 10," a reference to its logarithmically remote future stories) tell an interlocking tale of the world's mutants under Xavier embarking on a radical plan to save the future from... well, yet another mutant-related dystopia, while the latter takes "Days of Future Past" to a transhuman extreme, with the Nimrod-controlled Man-Machine Empire facing off against the surviving mutants under Apocalypse.

I'm not sure how Hickman will bring this all to a satisfying close. It feels so much like an ender, it's hard to see how the inevitable return to some sort of superhero status quo won't seem like something of a let down, maybe even a cheat.

So far, though, it's a fun ride.

Study explores clickjacking problem across top Alexa-ranked websites

Malwarebytes - Tue, 08/27/2019 - 17:36

Clickjacking has been around for a long time, working hand-in-hand with the unwitting person doing the clicking to send them to parts unknown—often at the expense of site owners. Scammers achieve this by hiding the page object the victim thinks they’re clicking on under a layer (or layers) of obfuscation. Invisible page elements like buttons, translucent boxes, invisible frames, and more are some of the ways this attack can take place.

Despite being an old tool, clickjacking is becoming a worsening problem on the web. Let’s explore how clickjacking works, recent research on clickjacking, including the results of a study examining the top 250,000 Alexa-ranked websites, and other ways in which researchers and site owners are trying to better protect users from this type of attack.

Laying the groundwork

There are many targets of clickjacking: cursors, cookies, files, even your social media likes. Traditionally, an awful lot of clickjacking relates to adverts and fraudulent money making. In the early days of online ad programs, certain keywords that brought a big cash return for clicks became popular targets for scammers. Where they couldn’t get people to unintentionally click on an ad, they’d try to automate the process instead.

Here’s an example from 2016, playing on the seemingly never-ending European cookie law messages on every website ever. Pop a legitimate ad, make it invisible, and overlay it across a Cookie pop-up. At that point, it’s unintentional advert time.

This is not to say clickjacking techniques are stagnant; here’s a good example of how these attacks are tough to deal with.

Clickjacking: back in fashion

There’s a lot of clickjack-related activity taking place at the moment, so researchers are publishing their works and helping others take steps to secure browsers.

One of those research pieces is called All your clicks belong to me: investigating click interception on the web, focusing on JavaScript-centric URL access. I was hoping the recording of the talk from USENIX Security Symposium would be available to link in this blog, but it’s not currently online yet—when it is, I’ll add it. The talk is all about building a way to observe possible clickjack activity on some of the most popular websites in the world and reporting back with the findings.

Researchers from a wide variety of locations and organisations pooled resources and came up with something called “Observer,” a customised version of Chromium, the open-source browser. With it, they can essentially see under the hood of web activity and tell at a glance the point of origin of URLs from every link.

As per the research paper, Observer focuses on three actions JavaScript code may perform in order to intercept a click:

  • Modifying existing links on a page
  • Creating new links on a page
  • Registering event handlers to HTML elements to “hook” a click

All such events are identified and tagged with a unique ID for whichever script kicked the process into life, alongside logging page navigation to accurately record where an intercepted click is trying to direct the victim.

Observer logs two states of each webpage tested: the page fully rendered up to a 45-second time limit, and then interaction data, where they essentially see what a site does when used. It also checks if user clicks update the original elements in any way.

Some of the specific techniques Observer looks for:

  • Visual deception tricks from third parties, whether considered to be malicious or accidental. This is broken down further into page elements which look as though they’re from the site, but are simply mimicking the content. A bogus navigation bar on a homepage is a good example of this. They also dig into the incredibly common technique of transparent overlays, a perennial favourite of clickjackers the world over.
  • Hyperlink interception. Third party scripts can overwrite the href attribute of an original website link and perform a clickjack. They detect this, as well as keeping an eye out for dubious third-party scripts performing this action on legitimate third-party scripts located on the website. Observer also checks for another common trick: large clickable elements on a page, where any interaction with the enclosed element is entirely under its control.
  • Event handler interception. Everything you do on a device is an event. Event handlers are routines which exist to deal with those events. As you can imagine, this is a great inroad for scammers to perform some clickjacking shenanigans. Observer looks for specific API calls and a few other things to determine if clickjacking is taking place. As with the large clickable element trick up above, it checks for large elements from third parties.
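The three behaviours Observer watches for can be checked from the page side as well. The following is an added example, not the paper's Observer code or Malwarebytes' tooling: a small monitor that records link modifications, link creations and click-handler registrations, attributes each to the script that performed it, and classifies the result as first- or third-party in the study's terms. The page origin, script URLs and navigation targets are constructed for illustration.

```javascript
// Added example; not the paper's Observer code. Records the three click-interception
// behaviours the study names (modifying existing links, creating new links, hooking click
// handlers), attributes each to the acting script, and classifies it as first- or third-party.
// The page origin, script URLs and targets below are constructed.

class ClickInterceptMonitor {
  constructor(pageOrigin) {
    this.pageOrigin = pageOrigin; // e.g. "https://example.test" (constructed)
    this.records = [];
  }

  // kind is one of "modify-link", "create-link" or "hook-click".
  // scriptUrl is "" for inline or asynchronous code, which we count as first party.
  record(kind, scriptUrl, targetUrl) {
    this.records.push({ kind, scriptUrl: scriptUrl || '', targetUrl: targetUrl || '' });
  }

  originOf(url) {
    try { return new URL(url, this.pageOrigin).origin; } catch (e) { return null; }
  }

  // Third-party script plus either a click hook or a navigation off the page's origin
  // is the pattern worth a closer look.
  classify() {
    return this.records.map((r) => {
      const scriptOrigin = r.scriptUrl ? this.originOf(r.scriptUrl) : this.pageOrigin;
      const targetOrigin = r.targetUrl ? this.originOf(r.targetUrl) : null;
      const thirdPartyScript = scriptOrigin !== this.pageOrigin;
      const thirdPartyTarget = targetOrigin !== null && targetOrigin !== this.pageOrigin;
      const suspicious = thirdPartyScript && (r.kind === 'hook-click' || thirdPartyTarget);
      return { ...r, thirdPartyScript, thirdPartyTarget, suspicious };
    });
  }

  // Per-page counts in the study's own terms: third-party navigation URLs and distinct domains.
  summary() {
    const rows = this.classify();
    const urls = new Set(rows.filter((r) => r.thirdPartyTarget).map((r) => r.targetUrl));
    const domains = new Set([...urls].map((u) => new URL(u, this.pageOrigin).hostname));
    return {
      thirdPartyNavUrls: urls.size,
      thirdPartyDomains: domains.size,
      suspicious: rows.filter((r) => r.suspicious).length,
    };
  }

  // Browser only. Wraps the href setter, createElement and addEventListener so that later
  // link edits, link creations and click-handler registrations are logged with the URL of
  // document.currentScript. Must run before other scripts (first inline script, or an
  // extension content script at document_start). currentScript is null inside callbacks
  // and module scripts, so those registrations are attributed to the page itself.
  install(win) {
    const self = this;
    const doc = win.document;
    const scriptUrl = () => (doc.currentScript && doc.currentScript.src) || '';

    const hrefDesc = Object.getOwnPropertyDescriptor(win.HTMLAnchorElement.prototype, 'href');
    Object.defineProperty(win.HTMLAnchorElement.prototype, 'href', {
      configurable: true,
      get: hrefDesc.get,
      set(value) {
        self.record('modify-link', scriptUrl(), String(value));
        return hrefDesc.set.call(this, value);
      },
    });

    const origCreate = doc.createElement;
    doc.createElement = function (tag, ...rest) {
      if (String(tag).toLowerCase() === 'a') self.record('create-link', scriptUrl(), '');
      return origCreate.call(this, tag, ...rest);
    };

    const origAdd = win.EventTarget.prototype.addEventListener;
    win.EventTarget.prototype.addEventListener = function (type, listener, options) {
      if (type === 'click') self.record('hook-click', scriptUrl(), (this && this.href) || '');
      return origAdd.call(this, type, listener, options);
    };
  }
}

// Constructed replay of what such a monitor might have logged on one page:
// the site's own script edits one link; an ad script hooks clicks, creates a
// link and points two links at a tracking domain; an inline handler is harmless.
function demo() {
  const m = new ClickInterceptMonitor('https://example.test');
  m.record('modify-link', 'https://example.test/js/app.js', 'https://example.test/about');
  m.record('modify-link', 'https://cdn.third.test/ads.js', 'https://tracker.other.test/go?id=1');
  m.record('hook-click', 'https://cdn.third.test/ads.js', '');
  m.record('create-link', 'https://cdn.third.test/ads.js', '');
  m.record('modify-link', 'https://cdn.third.test/ads.js', 'https://tracker.other.test/landing');
  m.record('hook-click', '', 'https://example.test/');
  return m.summary(); // { thirdPartyNavUrls: 2, thirdPartyDomains: 1, suspicious: 3 }
}

if (typeof window !== 'undefined') new ClickInterceptMonitor(window.location.origin).install(window);
```

Like Observer, this only sees what happens after the hooks are in place, and like any prototype patch it can be detected or bypassed by a script that captures the original descriptors first.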

Study results

Observer crawled the Alexa top 250,000 websites from May 2018, ending up with valid data from 91.45 percent of the sites they checked after accounting for timeouts and similar errors. From 228,614 websites, they ended up with 2,065,977 unique third-party navigation URLs corresponding to 427,659 unique domains, with an average of 9.04 third-party navigation URLs pointing to 1.87 domains per site.

Checking for the three main types of attack listed above, they found no fewer than 437 third-party scripts intercepting user clicks on 613 websites. Collectively, those sites receive about 43 million visitors daily. Additionally, a good slice of the sites were deliberately working with dubious scripts for the purpose of monetizing the stolen clicks, to the tune of 36 percent of interception URLs being related to online advertising.

The full paper is a fascinating read, and well worth digging through [PDF].

Plans for the future

Researchers point out that there’s room for improvement with their analysis—this is more of a “getting to know you” affair than a total deep dive. For example, with so many sites to look at, they only look at the main page for analysis. If there were nasties lurking on subpages, they wouldn’t have seen it.

They also point out that their scripted website interaction quite likely isn’t how actual flesh-and-blood people would use the websites. All the same, this is a phenomenal piece of work and a great building block for further studies.

What else is happening in clickjacking?

Outside of conference talks and research papers, there’s also word that a three-year-old suggestion for combating iFrame clickjacking has been revived and expanded for Chrome. Elsewhere, Facebook is suing app developers for click injection fraud.

As you can see from a casual check of Google/Yahoo news, clickjacking isn’t a topic perhaps covered as often as it should be. Nevertheless, it’s still a huge problem, generates massive profits for people up to no good, and deserves to hog some of the spotlight occasionally.

How can I avoid clickjacking?

This is an interesting one to ponder, as this isn’t just an end-user thing. Website owners need to do their bit, too, to ensure visitors are safe and sound on their travels [1], [2], [3]. As for the people sitting behind their keyboards, the advice is pretty similar to other security precautions.

Given how much of clickjacking is based around bogus advertising cash, consider what level of exposure to ads you’re comfortable with. Deploying a combination of adblockers and script control extensions, especially where JavaScript is concerned, will work wonders.

Those plugins could easily break the functionality of certain websites though, and that’s before we stop to consider that many sites won’t even give you access if ads are blocked entirely. It comes down, as it often does, to ad networks waging war on your desktop. How well you fare against the potential risks of clickjacking could well depend on where exactly you plant your flag with regard to advertiser access to your system.

Whatever you choose, we wish you safe surfing and a distinct lack of clickjacking. With any luck, we’ll see more research and solutions proposed to combat this problem in the near future.

The post Study explores clickjacking problem across top Alexa-ranked websites appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Nextdoor neighborhood app sends letters on its users’ behalf

Malwarebytes - Tue, 08/27/2019 - 16:35

Dutch police departments and consumer organizations issued warnings about the use of the Nextdoor neighborhood app because people received letters (yes, as in snail-mail) pretending to come from someone in their neighborhood, which the alleged senders did not send or deliver. So, everyone figured there must be some kind of scam going on and decided to warn the public.

Nextdoor is an app that you can use to stay informed about what’s going on in your neighborhood. It can be used to find last-minute babysitters, share safety tips, or simply communicate with neighbors. The app ties people together based on their location, so in this way, it is different from many other apps where people can form their own groups.

We talked to a woman whom we’ll refer to as W.H., as she wishes to remain anonymous. Letters in her neighborhood were delivered with her as the sender. The letters were asking the receivers to install the app and join the community. W.H. did not send those letters, but she was a user of the Nextdoor app. And she remembered receiving an email from Nextdoor asking whether she would like to invite the people in her neighborhood.

“Hi W.

Invite your neighbors to help grow your Nextdoor neighborhood. This are [sic] 100 extra invitations to send to your neighbors!

Click the button below and we will automatically and completely free of charge send 100 personalized invitations to your closest neighbors by mail.

The invitation will have your name and street on them and contain information about Nextdoor.

Kind regards,

Michel on behalf of Nextdoor Netherlands”

W.H. clicked the button expecting to get the option to select a number of her neighbors that she wanted to invite, but all she got was a notice that the link had expired. She didn’t think about it again until one of her neighbors showed her the letter they received and informed her about the warnings that had already started to circulate by then.

This is an example of the letter that was sent out in her name.

“Howdy neighbor,

Our neighborhood uses the free and invitation-only neighborhood app Nextdoor. It is our hope that you will join as well. In this neighborhood app we share local tips and recommendations……

It is 100% free and invitation only – for our neighbors only.

Download the Nextdoor app ….. and enter this invitation code to sign up for our neighborhood.

(this code expires in 7 days)

Your neighbor from [redacted]”

In a blog where Nextdoor explains (in Dutch) how this invitation model came to be, they point out that when you first register with the app, it also asks for your permission to send out invitations to your neighbors. This may indicate that there are members who didn’t even get the email W.H. received to ask whether she wanted to invite 100 extra neighbors. So to these users, a query from their neighbors about the letter may come as an even bigger surprise.   

Privacy policy

One effect that the commotion about the letters has invoked is that the Nextdoor privacy policy was held against the light by consumer organizations. The Dutch “Consumentenbond” finds the policy leaves too much room for privacy infringements and expects it will be a tough battle in court for all those that feel let down or even betrayed by the company. W.H. let us know she finds the app useful and will continue to use it.

To be fair, we should expect an amount of targeted advertising when we sign up for free apps like these. It is important to remember that when it comes to free apps, there is a good possibility that you and your personal data are the commodities.

Not a scam, but…

Neighborhood apps are becoming more popular because people want to be more involved with their communities, and because they provide a feeling of enhanced security.

Although the method used by Nextdoor to reach new customers is questionable, we can’t deny that they did inform their customers and asked for their permission. However, sending out snail mail messages in someone’s name is a bit unorthodox, and therefore should have been communicated much more clearly. This method has backfired for Nextdoor, due to negative media attention, and may have scared more customers away than they have gained.

From the reaction on their own blog, where they explain the how and why behind this method, we learned that Nextdoor intends to keep mailing out letters on its users’ behalf, which is another reason we felt we should raise awareness about this matter.

Like many other apps of this kind, Nextdoor gathers information about their customers and uses it for targeted marketing. Given the type of data—community information, locations, names—this is extremely valuable for marketing purposes, but could also be a security issue.

Sharing your information with people that live in your neighborhood, but that you really don’t know very well could have its drawbacks as well. We advise not to ask everyone to keep an eye out while you share your vacation plans. You may also be informing the resident burglar.

Stay vigilant, everyone!

The post Nextdoor neighborhood app sends letters on its users’ behalf appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Yokai Goons

The Viridian Scroll - Tue, 08/27/2019 - 16:20
TLDR: It's hard to pick a favorite Tunnel Goons hack, but this might be mine: a two-page ghost detective game set in the Meiji Restoration period of Japan (follows the Edo period). 

Yokai Hunter. In format this free game is two tri-folds: one for the player(s), referred to as the "Hunter," and one for the "Grand Master."

Front of the Hunter's Book: woodcut by Hokusai, 1834.
Let's start with the latter, the GM tri-fold. It contains a summary of 10 different types of Yokai (supernatural creatures); 2d8 (15 total) missions; a summary of the historical period; further information on how to create Yokai, hunters, and NPCs; and cogent advice on running the game, with questions about the setting the group can/should explore.

The Hunter tri-fold contains a character sheet; d20 table of names, ages, and occupations; an equipment list; and the core rules. I have already talked about Tunnel Goons in previous posts. Yokai Hunter differs quite a bit from the original game, taking Nate Treme's invention and making the system into something with the right bells and whistles for a period ghost hunting thing. Here are some of the highlights.

  • Sentence-based character concept: "I'm a [trait] [occupation] who [something from your past] and seeks [a goal]." E.g. "I'm Hachiro, a nervous smuggler who is hunted by a former patron and seeks anonymity." (Hunters wear ritual masks when they hunt, so I imagine my character "hiding" in this role, drawing on his family's knowledge of ghost hunting. His dad wanted him to go into the family business, as it were, but Hachiro turned to smuggling to get rich quick – and because ghosts scare the bejeebus out of him.)
  • Path-based stats: Courage, Self-Control, and Wisdom. These are somewhat self-explanatory, but they are used in interesting ways. The system describes them as follows: when you roll dice "the GM will indicate which path you should follow: Courage (for actions that involve impetuosity or anger), Self-control (for actions in which it is necessary to remain calm and control one's impulses), or Wisdom (for actions that require certain knowledge or prudent and thoughtful behavior)."
  • Special Equipment. When you acquire an item you test Wisdom and, if you pass, the item grants a +1 bonus, situationally. This is a really interesting way to codify magic items into a system in an unexpected and fun way.
  • Resolution gradation. Not sure what else to call this. The author Chema González (aka Punkpadour) has essentially worked PbtA resolution categories into Tunnel Goons. 10+ you succeed. 9 = you succeed, but suffer a consequence. 8 or less you fail and the situation escalates.
  • Advantage/disadvantage. And Chema throws in this mechanic, which has become really popular in designs since the introduction of D&D 5e. The hunter rolls an extra d6 and discards one – highest if disadvantaged, lowest if advantaged.
  • Cursed die. And Chema adds a cursed die that starts at a d8. Basically you roll it "when you want to bet your very soul" in an action. You can't roll it while advantaged. The die, however, works like advantage – you drop the lowest one in your pool which contains 2d6 and the cursed die. If the result of the cursed die (whether you succeed or fail) is higher than your current Curse Resistance you attract bad luck and lose a point from your Curse Resistance tracker. I'm not going to get any further into this mechanic. You can read it for yourself, but you basically have a pool that shrinks as you become more cursed and is replenished only through ritual cleansing at a holy site (at a cost). And the cursed die changes sizes based on your points. It's cool.

So, what's not to like? Well, I do have a small reservation about two things: 1) having both + and advantage mechanics in the same system and 2) having difficulties that exceed 10 when 10 is a success. (What does it mean if you get an 11, but the difficulty is a 12? Did you get a mixed success, as in a 9?) But beyond that – and I don't really know if any of this is a problem without playing the game – there is nothing to not like. Which is to say, everything about this game just sings to me. It looks fantastic.

BTW, the art, font choices, and design sensibility are all wonderful as well. The character sheet is really attractive and makes the curse mechanic much easier to grok.

Categories: Tabletop Gaming Blogs

Mobile Menace Monday: Android Trojan raises xHelper

Malwarebytes - Mon, 08/26/2019 - 19:04

Back in May, we classified what we believed was just another generic Android/Trojan.Dropper, and moved on. We didn’t give this particular mobile malware much thought until months later, when we started noticing it had climbed onto our top 10 list of most detected mobile malware.

Hence, we feel a piece of mobile malware with such a high number of detections warrants a proper name and classification. Therefore, we now call it Android/Trojan.Dropper.xHelper. Furthermore, this prominent piece of malware deserves a closer look. Let’s discuss the finer points of this not-so-helpful xHelper.

Package name stealer

The first noticeable characteristic of xHelper is the use of stolen package names. It isn’t unusual for mobile malware to use the same package name as other legitimate apps. After all, the definition of a Trojan as it relates to mobile malware is pretending to be a legitimate app. However, the package names this Trojan has chosen are unusual.

For example, xHelper uses package names starting with “com.muf.” This package name is associated with a number of puzzle games found on Google Play, including a puzzle called New2048HD with the package name com.mufc.fireuvw. This simple game only had a little more than 10 installs at the time of this writing. Why this mobile malware is ripping off package names from such low-profile Android apps is a puzzle in itself. In contrast, most mobile Trojans rip off highly popular package names.

Full-stealth vs semi-stealth

xHelper comes in two variants: full-stealth and semi-stealth. The semi-stealth version is a bit more intriguing, so we’ll start with this one. On install, the behavior is as follows:

  1. Creates an icon in notifications titled “xhelper”
  2. Does not create an app icon or a shortcut icon
  3. After a couple of minutes, starts adding more icons to notifications: [GameCenter] Free Game
    1. Press on either of these notifications, and it directs you to a website that allows you to play games directly via browser.
    2. These websites seem harmless, but surely the malware authors are collecting pay-for-click profit on each redirect.

The full-stealth version also avoids creating an app icon or shortcut icon, but it hides almost all traces of its existence otherwise. There are no icons created in notifications. The only evidence of its presence is a simple xhelper listing in the app info section.

Digging deeper into the dropper

Mobile Trojan droppers typically contain an APK within the original app that is dropped, or installed, onto the mobile device. The most common place these additional APKs are stored is within the Assets Directory.

In this case, xHelper does not use an APK file stored in the Assets Directory. Instead, it uses a file that claims to be a JAR file, usually named xhelperdata.jar or firehelper.jar. However, try to open this “JAR” in a Java decompiler/viewer and you will receive an error.

The error has two causes. First, the file is actually a DEX file, which holds compiled Android code that is not human-readable; to read it, you would need to convert the DEX file to a JAR file. Second, the file is encrypted.

Since the hidden file is encrypted, we assume the first step xHelper takes on launch is to decrypt it. After decryption, it uses an Android tool known as dex2oat, which takes an APK file and generates the compilation artifacts that the runtime loads. In other words, it loads and runs the hidden DEX file on the mobile device. This is a clever workaround to simply installing another APK, and it obscures the malware’s true intentions.
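As an added example (not Malwarebytes’ code and not part of the original post), the following Python triage routine shows how a defender can catch the trick described above: it scans an APK’s assets directory for files with a .jar extension whose content is not a ZIP archive, reports those whose magic bytes mark them as DEX, and flags high-entropy blobs that are likely encrypted. The sample APK built inline, the 7.5 bits/byte entropy threshold and the helper names are constructed for this example; only the asset names xhelperdata.jar and firehelper.jar come from the post.

```python
"""Added triage example: find APK assets whose .jar extension lies about their content."""
import io
import math
import os
import zipfile
from collections import Counter

# Real magic numbers: a JAR is a ZIP archive; a DEX file starts with "dex\n" + 3-digit version + NUL.
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC_PREFIX = b"dex\n"
# Assumed threshold for this example (bits per byte); encrypted or compressed data sits near 8.0.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes) -> str:
    """Classify an asset payload by its real content rather than by its file extension."""
    if data.startswith(ZIP_MAGIC):
        return "zip/jar"
    if data.startswith(DEX_MAGIC_PREFIX) and len(data) >= 8 and data[7:8] == b"\x00":
        return "dex"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy (possibly encrypted)"
    return "unknown"


def triage_apk(apk_bytes: bytes) -> list:
    """Return (asset path, finding) pairs for assets/*.jar entries that are not real JARs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/") or not name.lower().endswith(".jar"):
                continue
            kind = classify_blob(apk.read(name))
            if kind != "zip/jar":
                findings.append((name, kind))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample APK (not a real xHelper sample) with one honest and two misleading assets."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<constructed/>")
        # An honest JAR: a small ZIP archive with a manifest entry.
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        apk.writestr("assets/honest.jar", inner.getvalue())
        # A file named like xHelper's payload that is really a DEX (header only, zero-padded).
        apk.writestr("assets/xhelperdata.jar", b"dex\n035\x00" + b"\x00" * 64)
        # A file named like xHelper's other payload filled with random bytes, standing in for ciphertext.
        apk.writestr("assets/firehelper.jar", os.urandom(4096))
    return buf.getvalue()


if __name__ == "__main__":
    for path, finding in triage_apk(build_sample_apk()):
        print(f"{path}: {finding}")
```

The same scan can be pointed at a real APK by passing the file’s bytes to triage_apk; decrypting a flagged blob still requires recovering the key from the loader code, which this example does not attempt.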

What’s in a DEX

Every variant of xHelper uses this same method of disguising an encrypted file and loading it at runtime on the mobile device. To analyze xHelper further, we needed a decrypted copy of the file, captured at runtime. We were able to get one by running xHelper on a mobile device; once it finished loading, it was easy to export the DEX file from storage.

However, even the decrypted version is heavily obfuscated and a tough nut to crack. In addition, each variant has slightly different code, making it difficult to pinpoint exactly what the objective of the mobile malware is.

Nevertheless, it’s my belief that its main function is to allow remote commands to be sent to the mobile device, aligning with its behavior of hiding in the background like a backdoor. Regardless of its true intentions, the clever attempt to obfuscate its dropper behavior is enough to classify this as a nasty threat.

High probability of infection

With xHelper being on our top 10 most detected list, there is a good chance Android users might come across it. Since we added the detection in mid-May 2019, it has been removed from nearly 33,000 mobile devices running Malwarebytes for Android. That number continues to rise by the hundreds daily.

The big question: what is the source of infection that is making this Trojan so prominent? Obviously this volume of traffic wouldn’t come from carelessly installing third-party apps alone. Further analysis shows that xHelper is being hosted on IP addresses in the United States: one was found in New York City, New York, and another in Dallas, Texas. Therefore, it’s safe to say this is an attack targeting the United States.

We can, for the most part, conclude that this mobile infection is being spread by web redirects, perhaps via the game websites mentioned above, which are hosted in the US as well, or other shady websites.

If our theory is confirmed, it highlights the need to be cautious about the mobile websites you visit. Also, if your web browser redirects you to another site, be extra cautious about clicking anything. In most cases, simply backing out of the website using Android’s back key will keep you safe.

Stay safe out there!

The post Mobile Menace Monday: Android Trojan raises xHelper appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (August 19 – 25)

Malwarebytes - Mon, 08/26/2019 - 15:38

Last week on Malwarebytes Labs, we reported on the presence of Magecart on a type of poker software; outlined how the Key Negotiation of Bluetooth (KNOB) attack works; followed the money on a Bitcoin sextortion campaign; looked back at DEF CON 27; and reported on continuing ransomware attacks on several US cities.

Other cybersecurity news
  • After turning away two vulnerability reports from the same independent security researcher, Valve Corporation, the company behind the Steam video gaming platform, admitted its mistake and updated its policies. (Source: Ars Technica)
  • The Security Service of Ukraine (SBU) arrested power plant operators after finding cryptominers in Ukraine’s Yuzhnoukrainsk nuclear power plant, which compromised its security. (Source: Coin Telegraph)
  • A couple of spyware apps built on an open-source espionage tool called AhMyth were found in the Google Play Store. The company has since removed these apps. (Source: ESET’s WeLiveSecurity Blog)
  • Google is the latest company, after Twitter and Facebook, to clean up its own backyard, removing hundreds of YouTube channels spreading misinformation about protests in Hong Kong. (Source: CNBC)
  • According to a report, Facebook phishing attacks surged in Q2 of this year, and Microsoft remained the most phished brand for five consecutive quarters. (Source: Help Net Security)
  • NordVPN, a popular VPN service, was found to be one of the many brands cloned by cybercriminals in a malware campaign to spread the Bolik banking Trojan. (Source: HackRead)
  • State-sponsored espionage teams from China, Russia, and Vietnam are now targeting medical research, report says. (Source: Dark Reading)
  • Syrk ransomware was found masquerading as an “aimbot” targeting Fortnite players. (Source: Cyren Blog)
  • A fresh Facebook hoax about making private content public flooded the social platform. (Source: Sophos’s Naked Security Blog)
  • In the same vein, an old Instagram hoax resurfaced and fooled several celebrities and politicians. (Source: WIRED)

Stay safe!

The post A week in security (August 19 – 25) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Solo Play: Eternal Caverns of Urk Part 1

The Viridian Scroll - Sun, 08/25/2019 - 20:30
The mad prophets have sentenced me to walk the Eternal Caverns of Urk until I receive a vision from the First God. I fear I will not return, and if I do I may be no longer sane.

[This is a solo play narrative, making use of Nate Treme's Eternal Caverns of Urk zine. My character is Kesh the Domite. HP 10, Brute 0, Skulker 1, Erudite 2. Items: mirror, flask, cloak uneven gray. I tried to stay in first person, but probably messed up some.]

Beneath a merciless noon sun I stare into the dark, cool void of the cavern's mouth. The rock in this region is chalky, formed into great boulders and plates of rainbow hues. Black moss coats the entrance. I remind myself that I have been commanded to enter, but my feet are unwilling for the moment. I check the meager "gifts" I was given when parting from the prophets, the only things I was allowed to bring: a flask of clear liquid (water?), a small mirror, and the strange cloak of striated gray that they insisted I wear despite the heat.

I step inside. The air is cold and mildewy. I will soon be grateful for the cloak I think. And the use of the water seems obvious enough, unless they have given me poison, or more likely some form of dream nectar. What of the mirror? Of what possible use could that be?

I walk for some hours, leaving the light behind me. Moving in total blackness by the touch of my fingers on the wall I begin to think I can see floating lights. At first I am convinced they are random flailing of my optic nerves, but they resolve into softly glowing eyeballs the size of beer barrels.

At first I am too terrified to move, but they keep their distance. Watching. One of them bounces and gyrates in a crazy motion, never breaking its steady gaze upon me. I walk forward, but this seems to displease them and they bar my way. Another takes up the crazy looping antics of its peer, but with a sinuous grace in place of the frenetic hopping of the former. When it stops I start to walk forward again, but quickly see them draw together. So I imitate their ritualistic dancing with some moves of my own. Katas I learned from my youth. Concentrating on my breathing and execution to calm my fears, I go through the 39 stations of the most complicated routine I know.

[This is the first roll I made other than generating random stuff. Turns out these giant eyes were into dance battles. I got by with a 10, including a +1 from Skulker.]

The eyes glisten around me. Then they all weave and bob excitedly, looking at each other as much as me. And for a miracle they arrange themselves in a broken line ahead of me, softly lighting my way.

And I go forward.

The cavern is wide here. Filled with strange yellow fungi of many hard-edged facets. Their geometry seems something more than random and I contemplate them for some time. The air here has grown warm and humid. And glowing drops of water fall from the ceiling in a fluorescent rain. Parched, and unwilling to drink from my flask, trusting this unnatural water over the unknown liquid in the gifted flask, I point my face toward the cavern ceiling and drink.

My heart freezes as I see a flabby mantis clinging to the ceiling, inverted over me and frozen, with its thorny forelimbs reaching toward me. Had I not looked up ... I shudder to think.

I tuck and roll forward into the yellow "trees" as the mantis springs forward and down. [Roll+Skulker, Success - barely] He misses, but quickly recovers and scuttles across the ceiling, hunting me. The cuboid blooms of the trees are between us, giving me cover. The mantis stops, seemingly befuddled, and stares in my direction with that strange pinched face. Suddenly there is a small voice ...

In my head! "Come out little one. Show yourself to me. I am no threat to one such as you. We will be friends."

It's a soothing voice, but something tells me not to trust it. [Roll+Erudite, Success - barely]. I know better than to come out, but I find myself unable to move. I call out loudly. "Help!"

For some minutes the voice keeps trying to coax me from my spot. I bite my cheeks and pinch myself to keep it from soothing me into feeding myself to this psychic monster. After an interminable time, I hear soft, thumping footsteps. Then a loud crack and the mantis drops, almost on top of me, stone dead.

"I say. Come out of there young fellow. You can't go messing around with these Prizing Mantises you know. Dangerous stuff. Luckily I was returning from my hunt and heard your call. Come with me and we'll get you a stiff drink. I expect you could use one!"

I hear the fruity, mellow voice of this rescuer long before I see him. It's a rather nice voice and I stand up, revealing my location. "Thank the prophets that ... Oh, hi there."

I went a bit speechless at this point. Before me is an 8' tall fellow covered in pink fur. He is extremely round and a bit bear-ish, but with two short horns curving over his fuzzy dome. Despite his fearsome size, he somehow seems a bit comical to me, standing there in a fussily-stitched vest of green and holding the smoking barrel of some metal staff, but something tells me not to laugh. Bad manners I think – but it's more than that. I sense a vague danger. "Thank you for the rescue. And yes, I could use something to drink. How far is it to your home?"

He informs me that he and his people are camped just a few caverns further in. And that they would be welcome of some outside news. So I walk along with him, skipping to keep up at times. His gait is awkward but covers a lot of ground. As we walk, he prattles on endlessly about the flora and fauna of the caverns. As if educating me.

In fact he is telling me things I had no way of knowing ere now, but somehow it rubs me the wrong way. Like he is some pompous professor trying to fill my head with useless facts that he will test me on later. I try to listen, but I spend more time sizing him up than absorbing his words.

When we reach our destination, I am shocked at the level of comfort represented by something so hastily called a camp. Slender lightweight rods support little gaily colored cabins of silk. There is a small fire, hardly needed for warmth here, but the flames are licking at a pot of something that smells incredible! A spicy stew of some kind that promises to be both hearty and energizing.

[Took a break here for tonight. I think I'm in trouble as these fellows are into taxidermy.]
Categories: Tabletop Gaming Blogs

Between Planar Stations

Sorcerer's Skull - Sun, 08/25/2019 - 14:00

It doesn't have a name. Not really. This is intentional; names are power, after all, and power that can be used against you. When whoever instantiated the original version of the city did so, they fixed and compressed its noumenal building blocks into a potent glyph, a sigil. And that is what its inhabitants and its visitors from myriad plane-aware worlds have called it ever since.

Only rubes get duped by maps hawked in Sigil markets or the orreries venerated by mundy cargo cults; the city is not at the center of anything physical or even metaphysical. It's just that it embodies the concept of nexus, and so it's the most stable router or gateway for astral bodies shooting through the howling conceptual metric. From Sigil, you can get to anywhere, whether you should or not.

A lot of travelers get to Sigil and never leave. Some, the trafficked, press-ganged, fearful, or injured, have no choice. Others stay out of business interest, boredom, inertia or laziness. Why endure the vicissitudes of travel when all the worlds will come to you, eventually?

Solo Play: Tunnel Goons & Dungeon Builder

The Viridian Scroll - Sun, 08/25/2019 - 02:37
5 minute solo play on a work break using James Hron's Dungeon Builder, which is tricky to use but a very cool format. For rules I used Nate Treme's Tunnel Goons.

Dungeon Builder

I've described Tunnel Goons in a previous entry. Dungeon Builder is an idea generator. You have a two-level map with dungeon rooms. In each room is a series of three single-digit numbers, e.g. 211 or 332. Sometimes you see 2--. In the pamphlet is a number of tables with three columns of words each. The numbers in the rooms reference which table to roll on and the position of the number says which column. So 211 means roll for a word in the first column of table 2, then roll on table 1 for a word in the second column and one from the third column of the same table. 2-- means roll once and read all three words straight across, using table 2. Clever, huh?

Dive 1

My Goons character is Kravdraa (aardvark backwards): HP 10, Brute 0, Skulker 1, Erudite 2. Carrying: dagger, pizza, midnight blue robe.

Underlined stuff was generated randomly.

Kravdraa enters The Grisly Halls of Hell. Snooping around he found a loose stone and pried it free. Upon doing so, however, a poison viper jumped out and bit him (DC 5, rolled a 2, 2 damage, HP 08). Behind the stone was a spellbook.

Taking the left-hand door from there, Kravdraa found himself in a courtyard with a strange tree. Its sappy red bark (bloodbark) made Kravdraa uneasy, but just as he decided not to go further into the room, the tree reached for him with its suddenly animate, leafless branches (vampire, unstable)! Kravdraa scurried this way and that but was trapped. (DC 12, rolled a 4, HP now 0).

The tree hugged K to its bark and slowly drank his blood over several days like a delicious milkshake and converted him into a sapling slave.

Dive 2

Oops. Maybe I had better add some reaction rolls. Take two.

Tabmow: HP 10, Brute 1, Skulker 1, Erudite 1. Carrying: mace, leather jack, torch.

Revisits the Grisly Halls of Hell! (I didn't re-roll the name.) In the first room, a sneaky outlaw with a bow was hiding. Tabmow failed to see him, but the outlaw turned out to be friendly. (Reaction roll.) He was scared of this place and decided to team up with Tabmow.

They go right, down a short hall and enter a room in which a unicorn is being overshadowed by a spooky illusion! Tabmow suspects it is an illusion and tries to scatter it with his will but fails. The spooky illusion reaches for the outlaw and the outlaw's heart freezes in his chest, instantly killing him. This makes Tabmow mad and a fight ensues in which Tabmow drives off the illusion but takes damage (HP now 8).

Tabmow sets the unicorn free and heads toward the entrance with the beautiful beast following (reaction 8), but by a different door. This was unfortunate as they ran into a nightmarish "hollow" wizard. The wizard was contemplating reality and didn't become immediately aggressive, but he did tell them to "Turn back!" -- and they did, because this guy looked tough. (He was.)

Going back the way they came however, they were blocked by a set of precious undead teeth – floating fangs of pure gold – chattering madly at them as they danced around the room just out of reach! Tabmow and the unicorn charged the choppers and made short work of them to escape.

Findings

Tunnel Goons is quick and fun, but very swingy when it comes to combat. Probably needs more hit points or something. It's very easy to die in 2 failed rolls. I guess, when you think about it, your character is a DC 7, because when you roll 2d6 you would do/take damage 50% of the time against another DC 7, right? You'd be evenly matched. So rating "easy" as an 8 might be a stretch. That's probably average difficulty because you will usually have at least a +1 at your disposal. Easy should be more like 5 or 6. To Nate's credit, it's hard to set difficulty standards because you don't know how liberal people will be with adding +s from their inventory. If the average bonus is something like +3, then his DCs would be spot on.

Dungeon Builder is a cool start to something better, but a bit rough in its current form. I felt like the columns of text were missing some sort of underlying structure (like adjective, threat-noun, twist) that would have made the results a bit more meaningful and easier to interpret.

Categories: Tabletop Gaming Blogs

Shroom Goons

The Viridian Scroll - Sat, 08/24/2019 - 23:59
TLDR: Shroom Goons is a free and awesome game with cool art. Play tiny shroom people and fight smorks!

"Trama is the loosely woven hyphal tissue in basidiomycetous fungi forming the central substance of the lamellae or other projections of the hymenophore."

Oookay. :) It is also one of the three stats in Shroom Goons, an awesome little hack of Nate Treme's Tunnel Goons. At first I wasn't crazy to see that the concise package of Goons had been expanded to over 2,000 words, but they all count. The page of setting material is outstanding, as are the mutations. But I'm getting ahead of myself.

Characters & Changes to the System

In form, you are a 3-6" tall sentient fungus.

Mechanically, it is standard Goons with renamed stats, Siblings, cool items, and Traits. Siblings are other mushrooms from your original patch with whom you share a psychic bond. When (ok, if) you die, you carry on in the body of a sibling.

The items work the same as in original Goons but the wild inventiveness of them is to be admired. You may be carrying a Teaspoon Shovel, or d6 Beer Can Tabs, or even an Insect Wing Glider or a few pages from a Car Repair Guide.

But what really makes you special is your Trait – which is a kind of mutant power. There are 24 of them and you get one randomly: Devil Fingers, Witch-Butter Body, Mindtrap Spores, Mimicry ... it's your superpower.

Art by Karl Stjernberg?! I'm sold.

The World

I'm just going to reproduce the first two paragraphs of the setting as written. Because ... it's just so cool and fun.

Shroomfolk hail from the enchanted wetlands of The Fluorescent Neverglades. Surreal, brightly colored swamps and marshlands that by the light of the Nevermoon look like the world you see in blacklight posters. The Shrooms tend to build settlements on raised glades and in the mossy trees overlooking their spawning patches. Shroom folk are a relatively pastoral lot -- building small farms of cultivated compost and herding bugs, tame rodents, and other fungus-based animals (such as “Shroom Steeds”). Of course the Neverglades have many inhabitants -- froglorps, banthers, rocodiles, and the dreaded Smorks. Smorks are a species of small, bluish pig-faced imps. They are chaotic, often clumsy, and always dreadful despite their jolly demeanors. They sing cheerful murder songs while raiding the Shroom villages. You can always spot their leader by the blood-red caps they adorn.
Fucking Smorks. Amiright?!

Categories: Tabletop Gaming Blogs

Strayed #1 (Review) Not Your Average Kitty

Stash My Comics - Sat, 08/24/2019 - 23:52
Review by William Pace Strayed #1 Written by Carlos Giffoni Drawn and Colored by Juan Doe Lettered by Matt Krotzer Edited by Chas! Pangburn Cover A by Juan Doe Cover B by Dustin Nguyen Published by Dark Horse Comics ***1st … Continue reading →
Categories: Comic Book Blogs

The Omega Rangers Secret Mission Revealed in MIGHTY MORPHIN POWER RANGERS #42

Stash My Comics - Sat, 08/24/2019 - 23:42
Preview by Gaumer Here’s an early and brief look at the next chapter of the amazing Power Rangers saga BOOM! has created. The Omega Rangers Secret Mission Revealed in MIGHTY MORPHIN POWER RANGERS #42 The Power Rangers Face Enemies on … Continue reading →
Categories: Comic Book Blogs

Archie Andrews Seeks Rock Stardom in ARCHIE 1955 #1 (First Look)

Stash My Comics - Sat, 08/24/2019 - 23:33
Preview by Gaumer First it was 1941, now we move a decade into the future as Archie Comics gives us a history lesson with ARCHIE 1955 #1. Here’s a first look. Pre-order this ish by August 26th for the September … Continue reading →
Categories: Comic Book Blogs

AikiWeb Column: "It Had to be Felt" on Seiichi Sugano by Brian Ericksen

Aikido News - Sat, 08/24/2019 - 21:15
From: Jun Akiyama posted on 24. Aug 2019, 08:15pm
URL: http://www.aikiweb.com/forums/showthread.php?t=25687

A new AikiWeb Column, "It Had to Be Felt #63, Sugano Seiichi: 'Alive Ukemi/Dead Ukemi'" by Brian Ericksen is now available for your reading pleasure. Do you have experience receiving ukemi from Sugano sensei? If so, please write about it in the thread above!

Categories: Aikido
