Feed aggregator

Sophisticated threats plague ailing healthcare industry

Malwarebytes - Tue, 04/30/2019 - 15:00

The healthcare industry is no longer circling the drain, but it’s still in critical condition.

While many organizations in healthcare have aimed at or made positive strides toward a more robust cybersecurity and privacy posture, they still have a long way to go.

In 2018, healthcare recorded more breaches than any other industry, according to BakerHostetler’s 2019 Data Security Incident Response Report, now in its fifth annual edition.

Black hat hackers continue to go after patient healthcare data, and, according to Business Insider, such breaches will only intensify. The HIPAA Journal, a website dedicated to covering HIPAA-related news, corroborates this: it recorded at least one reported breach per day from January through March 2019.

What’s causing these daily breaches?

Hacking and IT incidents, which include malware attacks, have been consistently topping the list.

Malware in healthcare sectors

Healthcare falls short on a lot of security measures: unpartitioned networks, reliance on legacy infrastructure, non-compliance with the HIPAA Security Rule and NIST CSF controls, unmanaged IoT devices, vulnerable medical management apps, slow implementation of government-recommended IT and cybersecurity practices over the last four years, and little adoption of email authentication (SPF, DKIM, DMARC) or of always-encrypted (TLS) sessions. For starters.

More importantly, healthcare systems are highly susceptible to malware infection and hijacking, because protections are often minimal or absent. And when the threats being lobbed at healthcare grow more advanced, all that lagging on security takes its toll.

So which types of malware are targeting healthcare organizations? We have collated and analyzed data from our own product telemetry to determine the top malware aiming to infect systems and networks, exfiltrate patient data, and disrupt operations. Here are our results.

Trojans and riskware are common on healthcare systems.

Malicious and risky files plague healthcare systems worldwide.

Among the five types of malware we found affecting healthcare systems, more than three-quarters (79 percent) are Trojans. This is followed by riskware (11 percent)—those pieces of software that are not inherently malicious, but could still pose a risk to systems on which they’re installed. Others are ransomware, spyware, and worms—all with an equal share of 3 percent.

We take a deep dive into each.

Trojans

Based on our data, a sizable share of the Trojans present on healthcare systems are information stealers and downloaders, along with files posing as legitimate Microsoft (MS) files. We detect them as Trojan.Emotet (35 percent) and Trojan.FakeMS (33 percent), respectively.

The top 6 Trojans detected in healthcare, with Trojan.Emotet leading.

Emotet started life as a banking Trojan and is now primarily an information stealer that targets user credentials stored in browsers and listens to network traffic. Newer versions act as downloaders, dropping other banking Trojans, such as TrickBot and Qakbot, ransomware, such as Ryuk, and, at times, cryptominers and cryptowallet stealers.

Emotet has had success in penetrating organizations and spreading because of its simple, yet tried-and-true delivery method, phishing emails carrying macro-laden documents or links to them, combined with lateral movement once inside. Early reports credited that spread to EternalBlue, the leaked NSA exploit for the SMBv1 flaw MS17-010; Emotet’s own spreader module in fact brute-forces credentials against SMB shares and administrator accounts, while EternalBlue exploitation is more commonly the work of the TrickBot payload it drops. Either way, an unpatched network with SMBv1 exposed is what lets the infection travel. In addition, Emotet contains its own malspam module, which churns out additional phishing from harvested contacts and stolen mail credentials to continue the cycle.

To add insult to injury, once on networks, Emotet is notoriously difficult to remediate.

Information stealers, in general, are particularly dangerous to have in healthcare systems, as they put electronic health records (EHRs) at risk. Staff credentials can also be swiped and re-used by threat actors to gain access to more information and resources they can use, misuse, or sell to the highest bidders in the dark market.

Emotet has widely affected the health insurance, hospital, pharmaceutical, biotechnology, and medical device sectors. In fact, this threat has consistently gained ground across all organizations over the last year, increasing in both persistence and volume, to the tune of almost 650 percent over the same period last year.

Trojan.FakeMS, on the other hand, is the detection we use for malware posing as legitimate Microsoft files. Healthcare personnel may or may not have been aware of such files ending up on their work systems. Either way, their presence on machines that staff rely on to process sensitive records or pull up correct patient data at critical times isn’t ideal.

Meanwhile, cryptominer infections, which we sometimes detect as Trojans, typically show up as machine slowdown, and 17 percent of the healthcare systems in our data have shown this sign.

Cryptomining schemers, who may or may not be part of healthcare staff, can manually download miners, which we generically detect as Trojan.BitCoinMiner, from the Internet and discreetly install them onto machines that are used for record keeping. This resource abuse was the case at Decatur County General Hospital in Tennessee, whose electronic medical records (EMR) server was hijacked in September 2017 to house a miner.

Riskware

As mentioned earlier, riskware is not malicious in itself; however, we flag it for a number of reasons, one of which is its ability to block other programs from receiving patches. That leaves the machine open to exploitation by a number of threats, including EternalBlue, the MS17-010 exploit mentioned above.

RiskWare.MicTray makes up 98 percent of our riskware detections in several healthcare sectors, primarily in health insurance and pharmaceuticals. MicTray is the name of our detection for the keylogger component present in the Conexant audio driver set. The driver’s leftover debug code records every keystroke to a world-readable log file (C:\Users\Public\MicTray.log), so finding that file on a laptop is a quick confirmation that the vulnerable driver is installed and should be updated or removed.

The remaining 2 percent of detections are for Riskware.Tool.HCK, the name we use for tools or applications that may be illegal to use in certain countries. Cracked versions of paid software are examples of this.

Ransomware

Ransom.WannaCrypt, otherwise known as WannaCry, is the ransomware that crippled the UK’s National Health Service (NHS) in 2017, costing an estimated £92 million (approximately $120 million) in total, from appointments cancelled because systems were unusable to remediation and IT system upgrades. It is also widely credited as the incident that forced the healthcare industry to take cybersecurity and privacy seriously.

Nearly two years later, WannaCry is still at large and continues to affect organizations across industries and countries, disrupting normal operations and putting patient lives and data at risk.

The Ransom.WannaCrypt ransom note

Our data shows that WannaCry is currently in the top five malware families affecting healthcare. Because WannaCry’s worm component spreads through EternalBlue, this also means that a large number of systems are still running SMBv1 unpatched against MS17-010, waiting to be exploited.
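A quick way to find out whether a host is still exposed to that spreading path is to ask it to negotiate SMBv1. The following is an added example for this article, not Malwarebytes code: it sends a minimal SMB1 NEGOTIATE offering only the "NT LM 0.12" dialect and reads the reply, and it includes a constructed (not captured) sample reply so the parser can be exercised offline. The packet layout follows MS-CIFS; the target host, port and timeout are the caller’s choice.

```python
"""Probe a host for SMBv1 support, the dialect EternalBlue (MS17-010) needs.

Added example for this article; it is not Malwarebytes code.  It sends a
minimal SMB1 NEGOTIATE offering only the "NT LM 0.12" dialect and reads the
reply.  A server with SMBv1 disabled never answers with an SMB1 header.
Only run it against hosts you are authorised to test.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b"NT LM 0.12"
# header fields after the magic: command, NTSTATUS, flags, flags2, pid_high,
# security signature (8 bytes), reserved, tid, pid_low, uid, mid -> 28 bytes
_HDR_FMT = "<BIBHH8sHHHHH"


def _smb1_header(command, status, flags):
    return SMB1_MAGIC + struct.pack(
        _HDR_FMT, command, status, flags, 0xC853, 0, b"\x00" * 8,
        0, 0, 0xFEFF, 0, 0)


def _netbios_frame(smb):
    # NetBIOS session service header: message type 0x00 plus a 24-bit length
    return struct.pack(">I", len(smb)) + smb


def build_negotiate_request(dialects=(DIALECT_NT_LM_012,)):
    """SMB1 NEGOTIATE: WordCount 0, then each dialect as 0x02 + name + NUL."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data
    return _netbios_frame(_smb1_header(SMB_COM_NEGOTIATE, 0, 0x18) + body)


def parse_negotiate_response(raw):
    """Return (ntstatus, dialect_index) from a NetBIOS-framed SMB1 reply.

    dialect_index 0 means the server picked the first (only) dialect we sent,
    i.e. it speaks NT LM 0.12; 0xFFFF means it accepted none.  Anything that
    is not an SMB1 header raises ValueError (SMB2/3-only server, or not SMB).
    """
    if len(raw) < 4 + 32 + 1:
        raise ValueError("reply too short for an SMB1 header")
    smb = raw[4:]
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("reply does not carry an SMB1 header")
    command, status = struct.unpack_from("<BI", smb, 4)
    if command != SMB_COM_NEGOTIATE:
        raise ValueError("unexpected SMB command 0x%02x" % command)
    word_count = smb[32]
    if word_count == 0 or len(smb) < 35:
        return status, None
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return status, dialect_index


def speaks_smb1(host, port=445, timeout=3.0):
    """True only if the host completes an SMB1 negotiate for NT LM 0.12."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            raw = sock.recv(4096)
    except (OSError, socket.timeout):
        return False
    if not raw:
        return False
    try:
        status, index = parse_negotiate_response(raw)
    except ValueError:
        return False
    return status == 0 and index == 0


def sample_negotiate_reply(dialect_index=0):
    """Constructed reply (not a capture) shaped like a Windows NT LM 0.12
    negotiate response: 17 words, the first of which is DialectIndex."""
    words = struct.pack("<H", dialect_index) + b"\x00" * 32
    body = struct.pack("<B", 17) + words + struct.pack("<H", 0)
    return _netbios_frame(_smb1_header(SMB_COM_NEGOTIATE, 0, 0x98) + body)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        state = "ENABLED" if speaks_smb1(target) else "not offered"
        print(target, "SMBv1:", state)
```

A host that answers is reachable by EternalBlue only if it also lacks the MS17-010 patch, so treat a positive result as a lead, not a verdict: confirm the patch state with Nmap’s smb-vuln-ms17-010 script or, on the machine itself, with `Get-SmbServerConfiguration` and the installed-updates list. A host that does not negotiate SMBv1 at all cannot be hit by this exploit, which is why disabling SMBv1 is the fastest risk reduction even where patching lags.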

Spyware

When it comes to spyware in healthcare, Spyware.TrickBot and Spyware.Emotet have dominated the detection count at 45 percent each. Spyware.Agent accounted for 10 percent of our total spyware detections in healthcare.

The top 3 spyware detected in healthcare, with Spyware.TrickBot leading.

As secondary infections to Trojan.TrickBot and Trojan.Emotet, it’s no surprise to see TrickBot and Emotet spyware on healthcare systems. Users hardly notice these information-stealer modules working in the background; network admins, however, may be able to spot odd, repeated connections to blacklisted domains, which are attempts to reach command-and-control (C&C) servers and upload stolen data.
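What that hunt looks like in practice, as an added example for this article rather than Malwarebytes code: the script below runs over web-proxy log lines, matches each destination against a blocklist (including subdomains of a blocked domain, since bots rotate hostnames under one registration) and then looks for the tell-tale regularity of a scheduled check-in. The log format, the client addresses and the blocklist are constructed for illustration, and the blocklist uses reserved example TLDs rather than real C&C domains.

```python
"""Spot C2 check-ins in web-proxy logs: blocklist matches plus beacon regularity.

Added example for this article, not Malwarebytes code.  The log format, the
client addresses and the blocklist are constructed for illustration; the
blocklist uses reserved example TLDs rather than real C2 domains.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed blocklist of known-bad (here: made-up) domains.
BLOCKLIST = {"c2-one.invalid", "updates-check.example"}

# Constructed proxy log: "<ISO timestamp> <client_ip> <domain> <bytes_sent>".
# One host phones c2-one.invalid every five minutes, the signature of a
# scheduled check-in rather than a person browsing.
SAMPLE_LOG = """\
2019-04-29T08:00:01 10.10.5.23 www.example.org 512
2019-04-29T08:00:07 10.10.5.23 c2-one.invalid 1340
2019-04-29T08:03:44 10.10.7.9 cdn.updates-check.example 200
2019-04-29T08:05:07 10.10.5.23 c2-one.invalid 1290
2019-04-29T08:10:08 10.10.5.23 c2-one.invalid 1301
2019-04-29T08:11:02 10.10.9.40 www.example.org 4096
2019-04-29T08:15:06 10.10.5.23 c2-one.invalid 1322
2019-04-29T08:20:07 10.10.5.23 c2-one.invalid 1310
"""


def normalize(domain):
    return domain.strip().lower().rstrip(".")


def is_blocked(domain, blocklist=BLOCKLIST):
    """True if the domain, or any parent domain, is on the blocklist.

    Malware often rotates hostnames under one registered domain, so a plain
    exact-match lookup would miss cdn.updates-check.example.
    """
    labels = normalize(domain).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def parse_line(line):
    ts, client, domain, sent = line.split()
    return datetime.fromisoformat(ts), client, normalize(domain), int(sent)


def find_blocklist_hits(log_text, blocklist=BLOCKLIST):
    """Map (client, domain) -> list of contact times for blocklisted domains."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, domain, _ = parse_line(line)
        if is_blocked(domain, blocklist):
            hits[(client, domain)].append(ts)
    return hits


def beacon_score(timestamps, min_events=4):
    """Return (median_gap_seconds, jitter) for a series of contacts, or None.

    jitter is the population standard deviation of the gaps divided by the
    median gap; a scheduled C2 heartbeat gives a value near zero, while
    human browsing is far more irregular.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    median = statistics.median(gaps)
    if median <= 0:
        return None
    return median, statistics.pstdev(gaps) / median


def report(log_text, blocklist=BLOCKLIST, max_jitter=0.2):
    """One finding per (client, blocklisted domain), flagging beacon-like ones."""
    findings = []
    for (client, domain), stamps in find_blocklist_hits(log_text, blocklist).items():
        score = beacon_score(stamps)
        findings.append({
            "client": client,
            "domain": domain,
            "contacts": len(stamps),
            "median_interval_s": score[0] if score else None,
            "beaconing": score is not None and score[1] <= max_jitter,
        })
    return findings


if __name__ == "__main__":
    for f in report(SAMPLE_LOG):
        flag = "BEACON" if f["beaconing"] else "hit"
        print(f"{flag:6} {f['client']:12} {f['domain']} x{f['contacts']}")
```

In a real deployment the blocklist comes from a threat-intelligence feed and the input is the proxy or DNS log export; `min_events` and `max_jitter` are tuning knobs, because some families add deliberate jitter to their sleep interval. Either kind of hit is a lead for host triage (which process opened the connection, what it dropped), not proof of infection on its own.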

Worms

Worm.Parite, our detection name for a polymorphic file infector that targets executable programs (.exe files) and screensavers (.scr files) on local and shared network drives, is the only worm we found affecting systems within the biotech/medical sector.

One thing to note about Parite is that systems it infects may not show any obvious signs of infection—at least at first. Once a user executes an infected file, the virus code attached to it runs, and then passes back the control to the .exe or .scr file so it executes as normal.

If users don’t address a worm or virus infection, the system is at risk of further infection and exploitation from other malware.

Oh, and one more thing: fileless malware

Fileless malware is not new: black hat hackers adopted the technique several years ago, and they continue to use it at an ever-increasing pace.

A fileless infection means that the malware leaves little or nothing on disk, running in memory or through legitimate system tools instead, so file-based antivirus scanning has almost nothing to examine and security analysts struggle to grab samples.

Our telemetry data reveals that fileless malware, although in small numbers, is present in healthcare organizations’ systems, among them the health insurance and pharmaceutical sectors.

We are able to detect fileless infections flagged as Rootkit.Fileless.MTGen. They’re our broad detection for fileless malware that use rootkits to hide their presence on affected systems.

Some examples of fileless malware that we’ve seen through the years include the following, which we have rounded up in a list below:

No better time to act

The healthcare industry is ripe with opportunity. Despite the cybersecurity and privacy challenges it is working to address, it continues to evolve by embracing innovative technologies—such as blockchain, virtual reality, and artificial intelligence—and adopting new models to better serve patients. Of course, adding new technologies can sometimes make protecting systems more complex than it already is.

However healthcare organizations plan to move forward, there are still two simple objectives they must not lose sight of: the security of systems and devices from malware, zero-day vulnerabilities, and hardware hacks, and the protection of patient healthcare data from thieves and malicious insiders.

In mid-April, researchers from Ben-Gurion University of the Negev released a study on the malicious tampering of CT scans using deep learning. According to their paper, they demonstrated how threat actors can add or remove evidence of medical conditions, such as cancer, in scans. They used a man-in-the-middle device, a small computer placed on the hospital network between the scanner and the imaging archive, to intercept scans in transit and replace them with altered images before clinicians see them, something made possible by the fact that medical imaging (DICOM) traffic typically travels unencrypted and unauthenticated. If such a technique were used in the wild, patients’ medical records and treatment plans would be at risk, jeopardizing their overall health.

Indeed, healthcare organizations have a lot of catching up to do to protect themselves from online threats that continue to grow in sophistication. A lot more is at stake within this sector than virtually any other. It’s not just potential earnings or sensitive data at risk if cybersecurity is breached. Patients’ lives are at stake.

To keep the aforementioned objectives in focus, we recommend healthcare organizations visit these guides to shape up their security posture:

Stay safe!



Wigurd's Tragic Fall (LSotN Play Report, updated)

The Disoriented Ranger - Tue, 04/30/2019 - 12:44
Third post in April. BAMMM! There is a twist in the rules for Lost Songs of the Nibelungs where characters, true to the classic inspiration, can meet "an end far worse than death" instead of dying. It's when the norns get really nasty and the dice betray a character in a way most DMs would shy away from. I know there's folks out there eager to get an idea how Lost Songs plays out at the table. Here's an exemplary play report of our last session to give you all an idea where the game's at. This is a session in which all the boxes got ticked ...
The campaign so far
I'll keep this short, but you should know a bit of what had happened so far to see how it all ties together. Lost Songs of the Nibelungs is a game of Dark Fantasy in a time right after the decline of the Roman Empire. The setting had been established some time ago. However, time has passed since that last foray and this is a new start (different set of play-tests, different things to test, all that jazz).

It is idyllic like that [source]

This (for now) is the tale of Wigurd the Entertainer and Sylis "Beastsmell", two young men eager to become full members of their tribe with the coming Easter festival. However, the gods play their first evil trick on them when the tribe's holy man announces that there are bad omens if the two of them were to stay with the tribe the coming winter.
The chief decides with a heavy heart that they have to be sent away. However, not without support and as the tribe held council about the issue, a traveling merchant visiting the tribe for business offers a quest for the young men: he owns a cottage in the woods, a couple of days north, just behind the holy mountain. A place used for charcoal burning. Some evil befell it and the family living there had to flee because of it. If our two young boys were able to free the place of said evil, they could use the cottage to stay the winter.
The chief and the holy man liked the idea and added that if they succeeded in proving their mettle, they could return to the tribe as men. Wigurd the Entertainer held a great speech that day, convincing the tribe to support them even more by throwing in some horses and equipment.
They left the tribe the next day. A nice day in September to travel an old Roman road leading North. They started their journey in good spirits as well as accompanied by good omens. And their luck held up, although it really got tested: they escaped ghosts luring them into doom (twice), got beaten half to death while attempting to avenge a killed cousin, but got rescued and cleared of any charge held against them for the murder they committed.
Then their quest was taken away from them by a political decision of another tribe up North, though not without acknowledging the importance it had for the travelers and a promise of reparation after they had healed their wounds. Time passed and they proved capable guests to their new hosts up North. Capable enough to get a new chance to gain a safe haven for the coming winter and prove themselves as adult members of their tribe. The village elder that hosted them welcomed two mysterious hunters who brought not only an opportunity for our heroes to stay as honored guests; the elder would also provide witnesses of their deeds to their tribe if they decided to help and succeeded.

Two mysterious hunters arrive. [source]

So a deal was made. A couple of slaves had fled their master and were crafty enough to avoid their hunters so far, even coming as far as seeking shelter down south. Unfortunately, with some of the characters' clansmen, so the whole thing ended up having a political dimension and they couldn't just force it, fearing it would ruffle some feathers. In come the characters: if they can extract the slaves for the village elder and his mysterious visitors, they'd have earned their stay and their witness.
It was October by then, the first snow had fallen early this year, but it wasn't winter just yet. All the omens had been good, so they took the offer and after a small feast in their honor they saddled their horses to travel south again.

A long and arduous road

They weren't lucky that first day, or rather lucky enough to stay alive, but not lucky enough to stay unscathed. Before they reached shelter, they ended up in a snow storm. Wigurd managed to reach the homestead they'd been told to look for, but Sylis got disoriented in the snow storm and was left behind. Wigurd realized only then that he'd lost his friend and headed straight back into the storm, hero that he was. Nearly died in the attempt, too, and had to head back empty-handed, fearing he'd die of exposure himself.

Both survived the night as their dice turned lucky in the end, but a heavy toll was paid and they really didn't have the time to heal it all at once. They'd already seen ill omens for their next encounter and were wary of it. They had a couple of days to heal, but then misfortune hit the family that gave them shelter: their son had been kidnapped by goblins.

Snow and the Holy Mountain in the distance [source]

The bad omens they'd received hanging heavily on them, they nonetheless agreed without hesitation to accompany a rescue party composed of the father, the oldest son and a couple of neighbors. The goblins met them in a fair fight and were overcome easily, saving the lost child in the process. The father and the oldest son, however, did not survive the encounter.

It was with a heavy heart and two corpses that they came back to the homestead. Funeral preparations were in order and the characters were asked to watch over the dead bodies laid on pyres stacked on a holy hill until the Valkyries got hold of them. So they stood guard with their backs to the corpses and were warned under no circumstances to turn around during their watch.

The cold and the luring temptation to turn around to the melodious voices behind them offering them peace took its toll as well, but they weathered that and lived the night to see the procession come up the hill with the dawning sun to burn the pyres as the sunlight touched them.

They dared not take more than another night's rest before traveling onward, injured or not. After all, they only had until the next full moon to solve their quest.

Their first day travel after leaving the homestead went almost without problems. The weather had been nice for a change and they made good progress. It was the gods smiling on them that they realized that someone was following them. From what they could glean, it was another group of goblins circling in on their position. They made a run for it and got away clean, but it was a close call.

When deciding whether to push forward or seek secure shelter, they opted for the second and found a nice little spot with a good view over the white forest below them and only two points of entry. The weather was on their side again that night, as snowfall set in so heavy, they got isolated by a wall of rustling snowflakes illuminated in the warm orange of their fire. They kept watch, but it ended up being a quiet night without incident.

The next day started nice again, good traveling weather, and they had hopes to reach their clan territory that day. However, their route took them around their holy mountain and bad weather was bound to get caught on the snowy peaks, as the dice would tell me later. It was around midday that they became aware of a storm brewing up north and closing in. Losing another day wouldn't do them any good and they were pretty sure that their followers from yesterday were still around, so they decided to push their luck and their horses to keep ahead of the storm.

Another snow storm ... [source]

It ended up being another close call. Sylis, again, just wasn't fast enough and they got caught in the outliers of the storm. They even saw the silhouettes of their hunters close by, but they managed to pull through, with the goblins left behind in the storm.

Which is where we left it before that last session.

Wigurd's Tragic Fall

They got away from the storm and managed to make some way as well, although their horses definitely felt that one. Anyway, they knew of a nearby homestead and made it there just before the sun had vanished behind the snow-covered firs. At that point they hadn't been sure if they should play it straight and make themselves known or keep it incognito.

They knew some of the residents from fairs and Things and such, this already being border territory to their tribe's land, and Wigurd was a famous entertainer within the tribe. A true natural and a real wunderkind, so it stood to reason that someone would at least recognize him. That, and their exile from the tribe was quite the story, sure to be known by the locals.

But they didn't get recognized, probably because they'd changed quite a lot since they'd left their home. New clothes, new scars, longer hair, and the farmer was a known drunk, never sober when Wigurd was to perform, so who was to say why they didn't get recognized ... Either way, they decided to keep it that way.

It was only when Wigurd sat down with the farmer and offered his name that they learned why they didn't get recognized immediately: the farmer told them that his name was good fortune, as they only recently had another guest going by this name, and a famous entertainer at that. They shared a roof for a couple of days and it was something the farmer remembered fondly, so he took it as a good sign that another Wigurd came to visit so shortly after.

However, the revelation shook Wigurd to the core as the dice betrayed him for the first time that session. Not quite a botch, but he had already received severe permanent damage when he had tried to rescue Sylis in that snow storm a week ago and he had rolled bad enough to get to a point where any further damage would result in his demise.

Not right then and there, though. They kept to themselves after that and made it an early night, telling their hosts that their journey here had been quite strenuous. Early next morning they bid their farewell and were on the road again. They knew this area already and if they made good way, they could reach their home town the next day. The story of the imposter had been troubling, though, and they mused about making a detour to hunt the fucker and that troupe down who so shamelessly made a living from their renown.

At least they'd inquire at their next stop, a family of devout Christians living a somewhat isolated life out here. If that turned up anything, they'd follow up on it, or so they planned.

And while they were heading further south, following an old Roman road leading from the abandoned mines in the mountains now to their left, a weary wanderer crossed their path. An old man, with a staff and a beard and lots of little pouches on his belt. They stopped for a chat.

I described him to look like Moondog [source]

He introduced himself as a wandering scholar, fallen into disgrace among his fellow disciples for a wrong-doing long past. He was well versed in the art of herbalism, among other, more mystical arts. Or so he told them. However, now he wandered from homestead to homestead, soothing sick cows.

He was reading the bones this morning and deduced from them that he'd meet some friendly travelers down this road that might be able to help him with his troubles. Something that might help him repairing his reputation.

It was just a short little thing, wouldn't bother them at all.

A side-quest! they thought, and asked for details. There was a legend in this region, he told them, about a man made of stone with a magical crystal in his chest animating his evil deeds. It took a circle of holy women to bind the stoneman into an earthen prison, stopping him from terrorizing the area. As the old man traveled from farm to farm, he had pieced the whole story together and even found out where that grave is.

However, the place was protected by wind and earth magic and his old body wasn't able to overcome the resistance. A task the heroes' young bodies should easily be able to withstand, on the other hand. Now, if they were to enter the place and retrieve the magical crystal, they'd be well compensated for it. The place was a little down the hill, hidden in a depression just out of sight.

They agreed to the short detour and left the road toward the magical place, not questioning the old man any further. It really wasn't far away. The entrance to the enclosed hollow was marked by two small obelisks that showed traces of strange runes. The old man explained that those were magical runes, binding earth and wind to the place. Then he sat down and told them that this was as far as he dared to go.

Wigurd, on the other hand, stepped forward without hesitation. A strong unnatural wind rose from the hollow and twisted his mantle, but he prevailed and pushed forward. Sylis tried to follow, but the dice decided that the magic was too strong for him. The character had been struggling with his sanity ever since he had fallen for the seduction of a ghost only to be confronted with her mummified corpse early in the campaign. He decided that this was not for him and backed away.

Wigurd, however, was already approaching the obelisks, but stopped as he saw movement below the snow covering the path down the hollow. A strange creature made from roots lifted itself from the path and warned him that if he wanted to enter this place, he had to overcome it.
Something like this, really [source]

They engaged in melee and it looked for some time as if Wigurd might be able to overwhelm the beast. However, he fought alone and fate can be fickle in situations like this. He had dealt the creature a fatal blow, but it withstood the damage and kept fighting.

The battle really was on a blade's edge, as Wigurd's Wyrd was still hurt pretty badly. There were no favors to be expected from the gods. If his wounds didn't kill him, he might meet a fate worse than death. He was just one roll of the dice away from that ending ... and he failed it. He had nothing to defend against a quite effective attack by the guardian.

But it wasn't his wounds that ended him. You might remember me mentioning this in the beginning: there is a rule in Lost Songs of the Nibelungs, a homage, really, to the classic tale of Siegfried's betrayal, by which damage that would end up being permanent will be channeled into Wyrd instead (another attribute). Ideally, this means a character will avoid harm while at the same time risking to offend the gods. However, if a character ends up receiving enough damage to reduce his Wyrd permanently to zero, he'd be finished all the same. Just differently.

So there he was, deadly wounded yet still alive. With his Wyrd already severely hurt, the damage he received from that last blow goes straight through the remaining points and beyond. There's no way out and the table realizes: this is final.

As Wigurd falls to his knees, the creature moves forward to engulf him, whispering in a voice only he can hear about how the gods abandoned him and what eternal torture awaits him when the meat rots from his bones. Although fallen in combat, he will never see Valhalla. The terror overwhelming him sends him down screaming until the earth swallows him whole.

And that was the tragic end of Wigurd the Entertainer. His soul will never find rest.

ADDENDUM: We began our next session with Sylis seeing his friend die as described above. The screams, the horror of it ... it had to force some dice rolling to see if the character was affected. This was a delicate situation, as the character was struggling to keep it together already. One bad roll and he'd be gone as well. I offered him two chances to get out of this: a Stress save to see if he could just shrug it off now and digest it later and, if that failed, if he was to confront this head on, he'd get one last save to keep his fragile Sanity intact.

It was intense. My girlfriend stopped working on her master's thesis to witness the potential end of a campaign.

The first save was difficult. Sylis' Stress value was 8, target was 25, the roll came up with an 11 ... a miss. Nothing tragic and it was a difficult roll. Now all depended on that last roll. A genuine Save or Die moment. The group discussed how to proceed, if a dice cup was to be used and which die to use. Players are a superstitious lot. They decided to use the dice cup, something the player hadn't done for the entirety of the campaign.

That second save was a Sanity value of 12 with a -3 from the damage he had received facing the magic protecting the hollow. Target was a 20. He had a good chance of pulling that one off. He shook the cup, everyone was looking in anticipation when the die hit the table, still hidden by the leathery shaker. He lifted it and revealed ... a 1!!! I kid you not. A roll as crucial as it gets and it turns up the worst possible result.

Damn, we play for moments like this, don't we?

Witnessing the horrifying death of his best friend was too much for poor Sylis' mind. He went insane right there on the spot. He rushed forward and tried to claw his way to his friend until his fingers ended up torn bloody. He was denied. After hours of howling, clawing and hysterical laughter, he vanished into the forest ...

Aftermath: this had dire consequences for the tribe. Winter came and both characters were within clan territory, so the bad omens had to come true. An avalanche destroyed most of the village built at the bottom of the mountain, killing almost all denizens and all of the tribe's winter stock. The remaining tribesmen and -women had to seek shelter with their neighbors. Many more died. With the end of winter, the tribe was no more.

The End

Analysis

There weren't many compromises possible after those last rolls. Nothing short of deciding against doing the damage or ignoring those last saves, all of which would have rung false, I think. However, that's the game we play and although it was a great campaign with a nicely developing narrative gathering around the characters, it's also a memorable end, underlining the hard truth that we might not end up realizing our full potential. That's a good end to have and true to the Dark Fantasy aspect of the game.

I'm really, completely content with that part of the rules right now. The stories we are able to weave out of the interplay between the sandbox, the narrative generator and the system-feedback from the character's interaction with their surroundings, have a nice epic and magical tone to them without even trying that hard and although it's all random.

Nothing of this had been prepared or planned, it all happened organically from what the game provided and our interaction with that. I hope some of it shines through in my retelling of the parts above. So much more had happened.

What I need to implement with more rigor, though, is the more detailed weather rules I wrote for the game, but actually neglected using, which actually led to characters experiencing two snow storms in short order. I mean, that is why we are play-testing the game and it wasn't that far fetched, but weather carries lots of meaning in the game and should be taken more seriously. It is, after all, nuance that gives a narrative depth. Seasons and Magic need to be done, too.

We had only 3 fights over the course of 12 sessions, yet the game never lacked tension. I'm not sure how much of an audience Lost Songs of the Nibelungs will be able to gather once I get it out there, but I can say in confidence that it'll offer a unique experience to those who'll give it a shot. Its approach is not so much cinematic as it is literary; it's more about immersion and exploration of the human condition than it is about make-believe. It's also as intense, complex and challenging as it is rewarding.

Well, there's still some ways to go before I can call it done. But I'm getting there, ever so slowly. Thanks for reading.


In 1981 a Troll Named Grimtooth Set a Path for Today’s D&D Books

DM David - Tue, 04/30/2019 - 11:25

Starting in 1981, Flying Buffalo Games published a series of Grimtooth’s Traps books. They featured diagrams of traps that showed heroes on the verge of being folded, spindled, and mutilated. For instance, one sample shows a covered pit trap where the swinging cover severs a rope that drops a stone slab into the pit.

Dungeon Master: “As you advance down the tunnel, a trap door opens at your feet, dropping your rogue, Jasper the 8th, into a pit.”

Player: “Ha! Ring of feather fall!”

DM: “Ha! A two-ton stone slab drops on you, pushing you down the pit and crushing you to jelly! Do you have another character?”

Player: “Sigh. Say hello to Jasper the 9th.”

All the traps were ingenious, but very few could work in play.

In another example, a rope seems to offer an easy way to swing across a chasm, but at the end of the swing, the rope unspools several feet, flinging the victim into the wall, which is rigged to fire a volley of crossbow bolts into the victim’s body, before he drops into the underground river below, which I assume is full of sharks.

What paranoid adventurer would dare use a rope suspiciously ready for swinging across a chasm? And all adventurers in the world of Grimtooth will grow paranoid in a hurry. In practice, this trap gets bypassed without a second thought.

In most cases, even players who survive the traps will never notice the inventive mechanisms that make them function and that make them interesting. The traps could work in a sort of Toon/Dungeons & Dragons collision, where Wile-E-Coyote-like characters blunder into outrageous traps, only to reappear, without explanation, for the next scene.

Despite the traps’ minimal play value, Grimtooth’s Traps became a hit, leading to Traps Too, Traps Four, and Traps Ate. What made collections of useless traps top sellers?

“The traps were sometimes deadly and sometimes silly. They were often Rube Goldberg-esque, and not the sort of thing you could really use in an adventure,” Shannon Appelcline writes in Designers & Dragons. “However they were beautifully diagrammed and often very funny. The book was a joy to read.”

Much of the humor came from the books’ credited author, a troll named Grimtooth who relished inflicting inventive deaths on hapless dungeon delvers. “I feel that you’ll find this the most entertaining collection of traps you’ve ever laid eyes on. Besides, if you don’t like my book, I’ll rip your lungs out.” (Apparently, Grimtooth enjoyed Warren Zevon.) By flaunting the worst impulses of killer DMs, Grimtooth satirized a type familiar to roleplaying gamers in 1981.

Grimtooth first appeared on the cover of the fifth edition of Tunnels & Trolls. Then, in Sorcerer’s Apprentice magazine, editor Liz Danforth drew the troll as an icon for her “Trolltalk” column. Grimtooth gained his name in a reader contest.

While plotting humiliating ways to kill adventurers, Grimtooth offered some good advice. “A few of you numbskulls out there still haven’t caught on what it means to be a Game Master. A GM doesn’t slavishly follow anything—books, manuals, or edict from On High.” So when readers missed the joke and griped that the traps proved too deadly, Grimtooth invited tinkering. “Some of you have twisted ideas about how to administrate a dungeon, newfangled ideas about delvers escaping with their lives and stuff like that. Don’t ask me to make my traps less deadly…change them yourselves.”

By the fourth volume, Grimtooth’s Traps Ate, the editors had abandoned any pretense that these traps might see play. Now the traps include dungeon basketball courts with mechanical arms that slam dunked characters, and deadly Christmas-themed rooms that killed adventurers pictured in Santa suits. (Why is volume 4 Traps Ate? The numbers 3, 5, 6, and 7 lack homonyms, so they were skipped.)

Grimtooth set the pattern for new Dungeons & Dragons books like Xanathar’s Guide to Everything. A D&D player can buy a Player’s Handbook and never need another book. Only DMs weary of the foes in the Monster Manual need another collection of monsters. But Wizards of the Coast aims to sell every D&D book to every D&D fan, so they lure buyers to books like Mordenkainen’s Tome of Foes by making the text entertaining. Part of the fun comes from humorous notes left by Xanathar and Mordenkainen, characters who owe much to Grimtooth.

As for the troll, his wicked engineering remains amusing. In Grimtooth’s Traps, The Addams Family meets Rube Goldberg.

Categories: Tabletop Gaming Blogs

Electrum DDoS botnet reaches 152,000 infected hosts

Malwarebytes - Mon, 04/29/2019 - 17:00

By Jérôme Segura, Adam Thomas, and S!Ri

We have been closely monitoring the situation involving the continued attacks against users of the popular Electrum Bitcoin wallet. Initially, victims were being tricked to download a fraudulent update that stole their cryptocurrencies. Later on, the threat actors launched a series of Distributed Denial of Service (DDoS) attacks in response to Electrum developers trying to protect their users.

Since our last blog, the amount of stolen funds has increased to USD $4.6 million, and the botnet that is flooding the Electrum infrastructure is rapidly growing. Case in point, on April 24, the number of infected machines in the botnet was just below 100,000 and the next day it reached its highest at 152,000, according to this online tracker. Since then, it has gone up and down and plateaued at around the 100,000 mark.

New loader identified

We have been able to correlate two distribution campaigns (RIG exploit kit and Smoke Loader) that are fueling this botnet by dropping malware we detect as ElectrumDoSMiner. Now, we have just identified a previously undocumented loader we call Trojan.BeamWinHTTP that is also involved in downloading ElectrumDoSMiner (transactionservices.exe).

New Trojan.BeamWinHTTP connected to ElectrumDoSMiner

As can be seen in the VirusTotal graphs above and below, there are hundreds of malicious binaries that retrieve the ElectrumDoSMiner. We surmise there are probably many more infection vectors beyond the three we’ve uncovered so far.

The main infrastructure hosting ElectrumDoSMiner binaries and configuration files

Botnet geographic distribution

By analyzing the IP addresses and mapping them to a country, we are able to have a better idea of where the bots are located. We find the largest concentration in the Asia Pacific region (APAC). For the Americas, most bots are located in Brazil and Peru.

World map showing presence of bots part of the Electrum DDoS botnet

The number of victims that are part of this botnet is constantly changing. We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks. Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily.

Number of ElectrumDoSMiner infected machines cleaned by Malwarebytes

An underreported and yet massively fraudulent scheme

Crooks wasted no time in exploiting a vulnerability in Electrum wallets to phish unsuspecting users. What followed next with retribution attacks on Electrum servers was unexpected but logical, considering what is at stake.

While these DDoS attacks have not been publicized much by mainstream media, they have undoubtedly caused millions of dollars in losses over the span of just a few months.

Indicators of Compromise

ElectrumDoSMiner infrastructure

178.159.37.113
194.63.143.226
217.147.169.179
188.214.135.174

Trojan.BeamWinHTTP

48dcb183ff97a05fd3e466f76f385543480abb62c9adcae24d1bdbbfc26f9e5a

Hashes for the binaries tied to the ElectrumDoSMiner infrastructure can be downloaded here.

The post Electrum DDoS botnet reaches 152,000 infected hosts appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Wall Street Market reported to have exit scammed

Malwarebytes - Mon, 04/29/2019 - 15:54

Around April 20, many users reported that Wall Street Market, a broadly known dark net market, had executed an exit scam, and that any pending orders were unlikely to be completed.

Scamming with enterprises involving Bitcoin is not unheard of, and dark net markets with centralized escrow are particularly vulnerable. As these markets grow in popularity and amass large amounts of transactions, the potential payout of an exit scam can be enormous, as seen with the Evolution market exit scam in 2015, totaling roughly 12 million in stolen Bitcoins.

A common tactic in these types of scams is to initially freeze transactions for “technical difficulties,” followed by taking the entire market offline and grabbing the funds.

What the users say

Wall Street Market appears to have followed a similar trajectory, with frozen transactions leading to side channel messages warning of scams, to a mass vendor exodus. Notable in the saga is that at least one actor appears to have compromised a market admin account to notify users of potential issues.

What the money might say

While now empty, the public address (32Eup1TPADYTAa46wq48c7qmg7AuFwigeM) has been identified by users of Wall Street Market as being the destination of funds stolen from escrow accounts. A recent series of withdrawals totaling about 2,067 BTC—around $11.5 million USD—is being broken down and likely laundered through various means so that the thieves can cash out their profits.

Average market traffic patterns

Starting with the transaction on April 14, 2019, at 7:15:35PM, the market admins appear to have modified the process that occurs during the release of escrow funds once an order is completed. Instead of funds being released to vendors, all the funds were instead diverted to the fraudulent account.

Redirection of traffic to a single address, correlating to user complaints

After moving from this address, funds appear to be following a similar pattern of being grouped into 70 BTC amounts.

At this point, most of the funds currently remain untouched except for a few transactions, which appear to be initial tests to cash out funds. For instance, following the outputs of transaction (8b36afc40700c51941fd4218873fd219a19bd36beeaac2f06082362f5327642c) eventually leads us to the known wallet address for Huobi, a large crypto exchange originally founded in China.
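The forward trace described above (a single diversion address, outputs regrouped into 70 BTC chunks, a small test spend that lands at a known exchange) can be reproduced as a graph walk. This is an added illustration, not Malwarebytes' tooling: the transactions, address names and the `KNOWN_EXCHANGES` table are constructed placeholders that mirror the pattern the post reports, not real chain data.

```python
from collections import defaultdict, deque

# Constructed sample transaction graph (not real chain data). Each txid maps to
# the addresses it spends from and the (address, amount_btc) outputs it creates.
SAMPLE_TXS = {
    "tx_escrow_release": {
        "inputs": ["market_escrow"],
        "outputs": [("diversion_addr", 210.0)],
    },
    "tx_split_70s": {
        "inputs": ["diversion_addr"],
        "outputs": [("hop_a", 70.0), ("hop_b", 70.0), ("hop_c", 70.0)],
    },
    "tx_cashout_test": {
        "inputs": ["hop_a"],
        "outputs": [("exchange_deposit_1", 0.5), ("hop_a_change", 69.5)],
    },
    "tx_unrelated": {
        "inputs": ["somebody_else"],
        "outputs": [("hop_b", 1.0)],  # pays INTO hop_b; not a spend from it
    },
}

# Addresses a tracer has already attributed to a custodial service (constructed).
KNOWN_EXCHANGES = {"exchange_deposit_1": "ExampleExchange"}


def build_spend_index(txs):
    """Map each address to the txids that spend from it (the forward edges)."""
    index = defaultdict(list)
    for txid, tx in txs.items():
        for addr in tx["inputs"]:
            index[addr].append(txid)
    return index


def trace_forward(txs, start_addr, known=KNOWN_EXCHANGES, max_hops=10):
    """Breadth-first walk from start_addr along spends.

    Returns (path, hits): path is a list of (hop, txid, address, amount) for
    every output reached; hits maps exchange addresses to (service, hop).
    Known exchange deposits are terminal, since custodial funds cannot be
    followed further on-chain. A visited set guards against cycles.
    """
    spend_index = build_spend_index(txs)
    queue = deque([(start_addr, 0)])
    seen = {start_addr}
    path, hits = [], {}
    while queue:
        addr, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for txid in spend_index.get(addr, []):
            for out_addr, amount in txs[txid]["outputs"]:
                path.append((hop + 1, txid, out_addr, amount))
                if out_addr in known:
                    hits[out_addr] = (known[out_addr], hop + 1)
                    continue
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, hop + 1))
    return path, hits


def find_chunking(txs, chunk=70.0, tol=0.01, min_outputs=2):
    """Return txids whose outputs are grouped into chunk-sized amounts, the
    70 BTC regrouping pattern the post describes. A tx qualifies when at
    least min_outputs outputs lie within tol BTC of the chunk size."""
    flagged = []
    for txid, tx in txs.items():
        chunked = [a for _, a in tx["outputs"] if abs(a - chunk) <= tol]
        if len(chunked) >= min_outputs:
            flagged.append(txid)
    return flagged


if __name__ == "__main__":
    path, hits = trace_forward(SAMPLE_TXS, "market_escrow")
    for hop, txid, addr, amount in path:
        print(f"hop {hop}: {txid} -> {addr} ({amount} BTC)")
    print("exchange hits:", hits)
    print("70 BTC chunking in:", find_chunking(SAMPLE_TXS))
```

On real data the same walk runs over transactions fetched from a block explorer or a local node, and the exchange table is the attribution list a tracer maintains.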

What does it mean?

While we can’t prove intent to scam, the transaction pattern over the past few days, in addition to admin behavior mirroring that of previous exit scams, suggests the market admins might not have the best of intentions with their customers’ Bitcoin.

Because most marketplace systems have few fraud controls built in beyond reputation, the temptation to exit scam has gotten the best of more than one dark net market. Unfortunately, the best advice available to customers at present is caveat emptor.

The post Wall Street Market reported to have exit scammed appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (April 22 – 28)

Malwarebytes - Mon, 04/29/2019 - 15:31

Last week on Labs, we looked at security threats to headphones, privacy options in the world of law, and wandered through the FBI’s 2018 IC3 online crime report. We also explored another MageCart attack, and we released our 2019 Q1 Crime Tactics and Techniques report.

Other cybersecurity news
  • Fooling automated surveillance cameras: Bypassing neural network frameworks with colourful abstract signs. Well, rectangles, to be more accurate. (Source: arXiv)
  • VPN traffic raises concerns: Users of NordVPN query traffic they consider to be unusual related to the popular app. (Source: The Register)
  • Who keeps your data safe? People think banks are best, but a majority still fear identity theft. (Source: Help Net Security) 
  • Microsoft abandons password expiration for Windows 10: MS joins the growing trend for not finding a huge amount of value in needless password changes. (Source: Microsoft)
  • Biometrics take a hit in Danish passports: A glitch is responsible for switching left and right hand prints tied to up to a quarter of a million travel documents. (Source: Copenhagen Post)
  • A primer to credential stuffing: a nice summary of what, exactly, is involved with this most common of bad Internet practices. (Source: ZDNET)
  • Cryptominer targets enterprise, ignores consumers: Beapy almost exclusively targets businesses in Asia, letting consumers temporarily off the hook. (Source: SCMag)
  • Fake social: As bogus social media profiles continue to spread, can end-users tell the difference? (Source: Infosecurity Magazine)
  • Emotet variant up to no good: compromised devices are being turned into proxy command and control servers, in an effort to make the attack slightly less overt. (Source: Bleeping Computer)
  • Avoiding Apple ID phish attacks: They sometimes feel like they’re everywhere, and occasionally look quite convincing. Learn how to spot the signs of a scam. (Source: Heimdal Security)

Stay safe, everyone!

The post A week in security (April 22 – 28) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Modification Monday: The Kind That Likes Flowers

Knitted Bliss - Mon, 04/29/2019 - 11:00


Original Patterns: Birkin and Colors for a Cloudy Day Knitter Extraordinaire: Sally (Ravelry Profile and Blog) Mods: Sally combined the yoke and body of Birkin with the hem detail of Colors for a Cloudy Day, and then modified the hem construction as well- great details can be found on her project page, here. What Makes

The post Modification Monday: The Kind That Likes Flowers appeared first on www.knittedbliss.com.

Categories: Knitting Feeds

Azurth Mailbag: Death & Mayhem

Sorcerer's Skull - Mon, 04/29/2019 - 11:00
This may well become a recurring feature here, assuming I get other Land of Azurth-related questions. Jason Sholtis of Pennsylvania asks: "How do you deal with D&D style violence and mayhem in Azurth and how does it support or thwart the tone?"


D&D is often characterized as "killing things and taking their stuff," and old school play at least tends to pride itself on "high lethality." Neither of these things seems Azurthian at first blush, given the stated inspirations, so I understand why Jason might question how it all fits together.

First off, my Land of Azurth campaign is run in 5e, which is a bit more forgiving and less lethal (for the players) than older editions. This suits our campaign just fine.

Secondly, Azurth is a D&D world with those sorts of inspirations. It doesn't have an Ozian lack of death, for one thing. Azurth isn't a grim or dark world in any sense, but it's a bit like the Land of Ooo from Adventure Time! in that it is not as saccharine as it might appear on the surface. (And unlike the Land of Ooo, it doesn't have to hold the violence to levels acceptable to Broadcast Standards and Practices.)

I think there's fun in juxtaposing the children's book sort of elements with mayhem, but without doing a "dark" take in the traditional sense. So yes, the D&Dish mayhem thwarts the kiddie nature of some setting elements, but the setting keeps the action of the campaign from devolving into just another D&D world. They work well together.

Do you have a question? Leave it in the comments or email me.




Our Elves Are Different

Sorcerer's Skull - Sun, 04/28/2019 - 14:00
Tired of the same old elves? Here are some alternative takes that can be used to reskin the fluff in most editions, though 5e might require some slight ability tweaking.


Changelings
Elves are too busy pursuing their own idiosyncratic interests to do things like raise kids or maintain a society, nations or settlements beyond loose associations. They plant their children in households of other species. When they reach a certain age, they are drawn to seek out their own kind who magically impart elven "history" and "culture" to them, then send them off to do their own thing.

Homo Superior
Elves are the next evolutionary step in humankind. At puberty, their elvish breakout occurs, manifesting in one of several basic ways, analogous to elvish "subraces." Sometimes persecuted by human societies, they tend to form outcast communities in out of the way places.


Runners
Elvish civilization is centered around sealed enclaves where young elves live in hedonistic splendor. Old age is unknown, due either to voluntary suicide or to voluntary exile at a certain age. All elves encountered in the wider world are older outcasts.

Viral
Elvishness, or rather the idea of elvishness, is a magical virus of a sort. Those infected first begin to act "elvish," then develop half-elvish traits, followed by full elvish traits. This often causes a radical shift in personality.

Observers
Elves are visitors from another world. They come to the campaign setting for scientific observation or perhaps recreation. Their interstellar society's strict rules do not allow them advanced technology, nor do they allow them to describe too much about their place of origin. The existence of magic and their innate aptitude for it was a surprise.

Probes
Elves are the sensory organs/interface modules (or perhaps drones or robots) of vast nonhuman intelligences. They are crafted to explore the world and have experiences their colonial minds cannot. Elves have autonomy and independent thought, but they always know themselves to be parts of a whole.

The Flow of Time in LSotN Part 1: Basics (campaign design post)

The Disoriented Ranger - Sun, 04/28/2019 - 12:42
The second "second" post in April (sorry, just realized my mistake ... not that anyone cared). Maybe you can tell, I have time on my hands right now. And things to do long overdue. For instance: the campaign frame for Lost Songs of the Nibelungs. The seasons, how time is split between mundane living and questing and what the game does when the characters don't do much. It's been years since I last wrote about that. However, the little play-test campaign we got running is at a point right now where I need something to test. I haven't done a post like this in a long time (that is: long and meandering). Here we go.
Necessary Research I: What's already established?
I'd say I had 3 solid approaches to the topic so far. The first one was how the living conditions of a people will shape their culture (here). If nothing else, it's a reminder that the seasons will have an impact on a culture just like anything else would, but I got a little bit more concrete in 2015 when I actually talked about using seasons in role playing games and what I aim to do for Lost Songs, although in very vague terms (here). And finally I wrote one concrete set of rules that illustrates one major aspect of our perception of time and seasons, the weather (here).
The Wild Hunt

Some things got established over time but haven't found much use yet in that regard. There's a working system for Status including, for instance (but not limited to), followers and henchmen and all kinds of implementations that I need to consider when talking intermissions. Especially higher level characters should indeed be very busy when not adventuring.
What else, what else ... Permanent damage has a chance of healing somewhat when characters are not questing. I had established 1 point per month (with the fiat that scars like that never heal completely and at least 1 point per scar has to remain). This was supposed to be connected to the way of life characters chose between adventures and should include marriage and politics and religion and research (magical or otherwise) and all that nice stuff.
There's also the idea of advancing a group's tribe in times like this or bringing their host honor by assisting in raids, open war, aiding defense or diplomacy (which is somewhat related to politics named above, but different in as far as I think I'll need/want a system where the game creates short spotlights where direct play becomes necessary or desirable). It's for those reasons that I want to add the Narrative Generator for story twists and the rune oracle I'm working on, as both are reliable tools so far to tell the stories Lost Songs needs to tell. They bring that kind of conflict.
Other than that there's bits and pieces all over the place when I talk about how to set the mood for a game like this or divine magic or how to pay respect to leaders or how magic changes with the seasons because other energies are available ... But it is all over the place, so not of much use, actually, for anything but being a document that I had this on my mind for a long, long time now.
That's about it. Time to look what else is around.
Necessary Research II: What's out there?
Pendragon is one great inspiration here, as is King of Dragon Pass. Both give a pretty good impression of where I want to end up as far as evocative intermissions go: the scope widens to the troubles that surround the community the characters chose to spend some time with. A little magic, some intrigue, little stories that resolve over a longer time. Not so much the rules, but the scope and feel.
Dungeon World comes to mind as well. Although I do not care much about the rules themselves, I think where the game really shines is with its DM tools. There is a clear sense of distinction between what the designers thought deserves focus at the table and what could be glossed over, while taking the time to include little systems to make those intermissions relevant, if a bit detached. The divide is crucial, and rules for situations different from actual play need to be distinct. I dig their approach but lean towards a little more complexity.
A big problem that kept recurring while doing research for that is the lack of advice on the timing needed to manifest spaces for intermissions during and between adventures. It's a tough one, isn't it, as it needs to manifest organically from play.
Situations need to play out, and while you for sure don't need to play out how characters do some shopping or carousing or what have you, I at least have a hard time skipping from one mode to the other, so I'd really have appreciated advice on that. Alas, it is hard to find in role playing books other than in very general terms (I could be wrong, but I really haven't seen much of this for as long as I've been looking).
You don't need to play it all out in detail ...

It begs the question, of course, how much of a game needs to be ritualized to a point where the transition between modes of play is accounted for. And consequently, how it will impact the story that manifests at the table. My games derive a great deal of tension from the fact that those cut scenes aren't coming easily. Playing scenes out helps evoke depth in a game that equals a more literary experience, while working in cut scenes makes for a more cinematic experience ...
Dammit, I think I just realized something. Anyway, I think we are done here for now. Other than the sources I named, I couldn't summon more than problems and questions by looking for other help. Onward. 
Necessary Research III: Any historical hints?
Now, that's a big one. As always with Lost Songs of the Nibelungs, I'm faced with a plethora of choices, which is just as bad as having none at all. I can't really be arsed to write up calendars for every culture that was around at 550 AD. For one, no one will ever use more than small fragments of it, but far more problematic is the fact that I'd end up having all those little sub-systems for every iteration to do all the intricacies justice.
I had that problem with magic and I'm telling you: it can't be done. Or rather, shouldn't be. Of course I could start with something basic you could use in the game right away and plan on doing little supplements for all the variations. Our little hobby has enough money grabs like that, and I'm not going to participate. Won't do it.
It's also a shitload of work with almost no benefit. I really don't have time for that.
With magic I decided to go as abstract as possible to give room to individual interpretations of what magic in that time could have been. It's a far better approach, in my opinion, and way more satisfying for players and DM.
That said, I will need a general frame to go with. Not as much a calendar with fixed dates (maybe) but more something like distinct phases within a year that add circumstantial necessities to the game proper. Because abstraction only goes that far, we also want to evoke a sense of how those people back then could have seen and explained the world around them.
Therefore, we have to look at common denominators across cultures: premonitions, weather and gods. People have a way to go about their year because its changes dictate so many necessary behavioral adjustments to ensure survival. People also have a way to explain what they can't understand through gods. Both translate to traditions and oracles that might vary from tribe to tribe, but will also always serve the same principles as described above.
Easy. So I just have to look for this and make it work.
However, as I started to dive deep into this topic, I found it to be a mess. There's almost no reliable data on how the Germanic tribes did any of that, and of course you'd have an unholy mess of names or dates or holidays as a result of the Roman occupation and good old Christianisation. Clever Christians, of course, went as far as just assimilating what was already there (Baldr's birthday became Christmas, churches had been built on holy places ... that's just two examples among a huge list of assimilations like that).
There's also a shitload of neo-pagan pseudo-historical humbug, full of half-truths about how our ancestors went about all this. It's so weird and complex and unclear that ... well, that no one will care for any of it in a game, historical or not. It's all very frustrating and reminded me why I avoided doing this for so long (want an example: early translations often were, well, heavy-handed interpretations). There are reasons why they call it a Dark Age. Harrumph.
Well, not all is lost. If nothing else, it'll result in some freedom of interpretation. I need it done and it can be done. Onward.
Synthesis
Now we have all the pieces in place. Somewhat. At least to a degree where we can answer some serious design questions. I'm almost tempted to make this a two-parter and call it a day (okay, yeah, it's going to happen). I shouldn't stop here, though, as I'll lose the momentum this should have gotten by now.
Alright, let's push this a little further. A little note to all the historians reading this (you know who you are): if you haven't already gathered this, I won't (can't) go for historical accuracy here, therefore it will be a hot mess of everything I deem fit. Sorry.
Anyway, we have the Julian calendar we all know as a good base line and we know the very onomatopoeic Old High German, Dutch and West Frisian equivalents. We also know some of the holidays and festivals people most likely held.
Furthermore we know that the year had only two seasons: winter and summer (summer started with Easter as the victory over winter). Their calendar was lunisolar and months began with a full moon and they had an extra month between the seventh and eighth month if there was a new moon to be seen in the 12 days after Yule (Midwinternight). So here's what we got to work with (one wiki-source, I'll translate where appropriate):
JANUARY = After Yule/Second Yule (Old English), Winter Month/Hartung (Old High German), Tanning Month (Dutch)
Holiday: Lesser Blessing of Thor
FEBRUARY = Mud Month (Old English, either because of the shitty weather or the brown cakes that got sacrificed that month), Hornung (Old High German), Month of Gathering (Dutch), Filthy/Unclean Month (West Frisian, they are funny like that)
Holidays: early Valentine's Day (Feast of Vali) and a week long festival where all tribes come together in a great Thing
MARCH = Month of Wildness (Old English), Spring Month/Lenz Month (Old High German)
APRIL = Easter Month (Old English), Easter Moon (Old High German), Grass Month (Dutch)
Holiday: Easter, the beginning of summer and the victory over the giants of winter
MAY = Month of Three Milkings (Old English), Bliss Moon/Pasture Month (Old High German), Month of Joy/Flower Month (Dutch)
Holiday: a celebration of those who have died in battle and are brought to Valhalla (Einherjar)
Walhalla
JUNE = Before Midsummer/First Summer (Old English), Brachet/Fallow Month (Old High German), Weed Month (Dutch)
Holiday: Midsummer
JULY = After Midsummer/Second Summer (Old English), Heuert/Hay Month (Old High German)
LEAP Month = Third Midsummer (Old English), Twimoon (Old High German)
AUGUST = Plant Month (Old English), Harvest Month (Old High German), Flee Month (West Frisian)
Holiday: celebration of the harvest
SEPTEMBER = Holy Month (Old English), Wood Month (Old High German), Oats Month (Dutch)
OCTOBER = Winter Full Moon (Old English, because Winter began on the full moon of this month), Gilbhart (Yellowing)/Vine Month (Old High German), Sowing Month (Dutch)
Holiday: "Halloween" festival to celebrate the beginning of winter
NOVEMBER = Blood Month/Month of Sacrifice (Old English), Autumn Month (Old High German), Fog Month/Slaughter Month (Dutch)
DECEMBER = Before Yule/First Yule (Old English), Holy Month (Old High German), Wolves' Month (Dutch)
Holiday: Yuletide/Yule

And that's that. At least on the surface. We can already see how real world necessities helped form those words, and using them as-is will create a very specific atmosphere from the get-go. That's a good base to go from.

There's also lots of room for individual holidays that might be different from tribe to tribe (I skipped the ones in the source, but there are precedents). Let's keep that in mind as well.
Days and other designations
Normal years have 360 days, with 30 days a month (390 in Leap Years, one moon cycle more). Days start with the dawn of the day and Sunday is the first day of the week. Germanic people adapted the Roman system for days early on (wiki-source), but gave it their own spin. We use traces of this transition to this day. I would, however, keep it closer to the original usage to give it some authenticity:
  • Day of the Sun/Sun's Day (Sunday, Roman: Dies Solis)
  • Day of the Moon/Moon's Day (Monday Roman: Dies Lunae)
  • Day of Tyr/Tyr's Day (Tuesday, Roman: Dies Martis/Day of Mars)
  • Day of Woden/Woden's Day (Wednesday, Roman: Dies Mercurii/Day of Mercury)
  • Day of Thor/Thor's Day (Thursday, Roman: Dies Iovis/Day of Jupiter)
  • Day of Freya/Freya's Day (Friday, Roman: Dies Veneris/Day of Venus)
  • Day of Saturn/Saturn's Day (Saturday, Roman: Dies Saturni), also Washing Day and Sunday Eve, a day of rest (traditionally so instead of Sunday)
Tacitus had something to say about this as well (source):

"They assemble, except in the case of a sudden emergency, on certain fixed days, either at new or at full moon; for this they consider the most auspicious season for the transaction of business. Instead of reckoning by days as we do, they reckon by nights, and in this manner fix both their ordinary and their legal appointments. Night they regard as bringing on day."

Stuff like that is fascinating to me. So they'd say "We met three nights ago." instead of days and, very much like language, customs change in a more fluid way, something ripe to randomize, I'd say. And all those little details will obviously enhance the narrative at the table.

What's left?
Next we should talk about how they knew which day was which. Did they use rune calendars? Was it the holy men or women doing all the book keeping? I'll have to tackle that next.
But we should leave it at that for now. This is long enough as it is, to be honest. It's really all in place: all the names and holidays, some logic behind it, some room for individual touches. What's left to do now is devising a system around all that. A system that allows an inclusion of all those nice little differences to how we perceive the world today in a way that makes it all come alive in the game. Arguably, the harder part of the whole endeavor. So, stay tuned as I will get to it in the next couple of weeks (as I said, I have to have something presentable for our campaign right now, so I need to get there soon, dammit).
If you guys feel like commenting, I'd ask you to tell me a bit how you use that kind of stuff in your games. Do you have elaborate systems? Do you go by the books (if you use official material)? Or are you not feeling it and think it's too much effort to get involved in? Your thoughts are, as always, appreciated.

Categories: Tabletop Gaming Blogs

STARFINDER BEGINNER BOX LANDS at Stores Near You

Gamer Goggles - Fri, 04/26/2019 - 16:54

FOR IMMEDIATE RELEASE

STARFINDER BEGINNER BOX LANDS at Stores Near You

Begin your journey into science-fantasy adventure!

REDMOND, WASHINGTON (April 24, 2019): The Starfinder Beginner Box is ready to launch players into an exciting universe of science-fantasy roleplaying adventure today. With streamlined rules, a complete set of dice, colorful pawns, and more, this deluxe boxed set is the ideal introduction to the Starfinder Roleplaying Game, an imaginative tabletop roleplaying game for 2-7 players. It is available for purchase at paizo.com, your local gaming store, and anywhere else adventure can be found.

“We’ve designed an easy first step to an adventure in the stars. Players can choose pregenerated characters or create and customize their own futuristic hero to play through challenging scenarios and action-packed battles against dangerous foes. It also serves as the perfect tool for experienced players to quickly bring new crew members onboard their game,” said Robert G. McCreary, Creative Director for the Starfinder RPG.

The Heroes’ Handbook gets players started with everything they need to know to create and play a new character, from classes and themes to alien ancestry, general rules, plus a short solo adventure. The Game Master’s Guide presents a wondrous galaxy, full of new worlds and alien adversaries. Game Masters will learn how to run encounters in the Steel Talon’s Lair adventure, and gain insight into how to create a new world and engage players in the story. Also included in the box are: a set of seven polyhedral dice, 80 pawns depicting diverse heroes and aliens, 24 pawn bases, six pregenerated and six blank character sheets, six player aid cards for quick reference, and a double-sided Flip-Mat.

The Starfinder Beginner Box has everything you need to kickstart a lifetime of pulse-pounding adventure among the stars—the only limit is your imagination. Learn more at paizo.com/starfinder/beginnerbox.


Categories: Tabletop Gaming Blogs

Pre-Painted Iconic Heroes, Monsters, and Starships from the Starfinder® Universe Coming Soon!

Gamer Goggles - Fri, 04/26/2019 - 16:11

WIZKIDS ANNOUNCES ENHANCED LICENSING PARTNERSHIP WITH PAIZO

Pre-Painted Iconic Heroes, Monsters, and Starships from the Starfinder® Universe Coming Soon!

Redmond, WA – April 24, 2019 – WizKids, the industry leader in high-quality pre-painted miniatures, today announced a new branch of their licensing partnership with Paizo, makers of the popular Pathfinder® and Starfinder® Roleplaying Games, with plans to bring the company’s latest offering to life on the tabletop with a brand new line of Starfinder Pre-Painted Miniatures.

Starfinder Battles joins the wildly popular Pathfinder Battles line in offering an amazing collection of high-quality miniatures for fans of the game.

“We’re very excited to explore the Starfinder universe with Paizo,” said Justin Ziran, president of WizKids. “We’re confident that our fans will love the new miniatures this line will have to offer.”

The initial Starfinder offerings will include a Booster Set and Premium Set, and product will be available for sale worldwide. The first release is slated to hit shelves in 2020.

“Pathfinder Battles has been a stalwart of the Pathfinder RPG for years, and we’re excited to see WizKids bringing that same expertise to the Starfinder universe,” said Jim Butler, VP of Marketing and Licensing at Paizo. “With hundreds of aliens and scores of player-character races in the Starfinder RPG, the Starfinder Battles line is sure to expand your gaming tabletop for years to come.”

For more information on WizKids and the upcoming Starfinder pre-painted miniatures line, visit: www.WizKids.com.

To learn more about Paizo, visit: paizo.com.

Categories: Tabletop Gaming Blogs

GitHub hosted Magecart skimmer used against hundreds of e-commerce sites

Malwarebytes - Fri, 04/26/2019 - 16:06

Every day, new e-commerce websites fall into the hands of one of the many Magecart skimmers. Unbeknownst to shoppers, criminals are harvesting their personal information, including payment details in the online equivalent of ATM card skimming.

Most often the skimming code—written in JavaScript and obfuscated—is hosted on infrastructure controlled by attackers. Over time, they have created thousands of domain names mimicking Magento, the CMS platform that is by far the most targeted.

However, as we sometimes see in other types of compromises, threat actors can also abuse the resources of legitimate providers, such as code repository GitHub, acquired by Microsoft last year.

This latest skimmer is a hex-encoded piece of JavaScript code that was uploaded to GitHub on April 20 by user momo33333, who, as it happens, had just joined the platform on that day as well.

In the above and below screenshots, you can see that the threat actor was fine-tuning the skimmer after having done a few tests:

Just like any other kind of third-party plugin, compromised Magento sites load this script within their source code, right after the CDATA script and/or right before the </html> tag:

According to a search on urlscan.io, there are currently over 200 sites that have been injected with this skimmer:

A look at the deobfuscated script reveals the exfiltration domain (jquerylol[.]ru) where the stolen data will be sent to:

It’s worth noting that the compromised Magento sites will remain at risk, even if the GitHub-hosted skimmer is taken down. Indeed, attackers can easily re-infect them in the same manner they initially injected the first one.

It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as to use secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers.

We reported the fraudulent GitHub account, which was quickly taken down. We are also protecting our users by blocking the exfiltration domain.
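As an added defender-side example (not code from the original post), the scanner below runs over a constructed page snippet and applies the two checks the write-up suggests: it flags script includes from hosts outside a site's allow list, noting whether the tag sits after </body> (the injection position described above), and it decodes \xNN hex escapes in inline scripts so that a hidden exfiltration URL becomes visible. The hostnames, paths and the encoded string are placeholders, not the real skimmer or its domain.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample of a compromised storefront page. Everything here is a
# placeholder: the CDN host, the GitHub path and the hex-encoded URL.
SAMPLE_HTML = r"""<html><head>
<script src="https://cdn.shop.example/js/checkout.js"></script>
</head><body>
<script type="text/javascript">
//<![CDATA[
var SHOP = {"currency": "USD"};
//]]>
</script>
<script>
var u="\x68\x74\x74\x70\x73\x3a\x2f\x2f\x65\x78\x66\x69\x6c\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2f\x67\x61\x74\x65";
</script>
</body>
<script src="https://raw.githubusercontent.com/placeholder-user/placeholder-repo/master/jquery.min.js"></script>
</html>"""

# Hosts the site legitimately loads script from (site-specific; constructed here).
ALLOWED_HOSTS = {"cdn.shop.example", "shop.example"}

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
URL_RE = re.compile(r"https?://[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s\"']*)?", re.I)


@dataclass
class Finding:
    kind: str        # "external-script" or "encoded-url"
    value: str       # offending host, or the decoded URL
    after_body: bool # True when the tag was injected after </body>


def decode_hex_escapes(text):
    """Turn JavaScript \\xNN escapes back into characters so hidden URLs become greppable."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_html(html, allowed_hosts):
    """Return findings for unexpected script sources and hex-hidden URLs in inline scripts."""
    findings = []
    body_end = html.lower().rfind("</body>")
    for m in SCRIPT_TAG_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        after_body = body_end != -1 and m.start() > body_end
        src = SRC_ATTR_RE.search(attrs)
        if src:
            # External include: anything outside the allow list is worth a look,
            # and a public code host is a classic place to park a skimmer.
            host = urlparse(src.group(1)).hostname or ""
            if host and host not in allowed_hosts:
                findings.append(Finding("external-script", host, after_body))
            continue
        decoded = decode_hex_escapes(body)
        if decoded == body:
            continue  # no hex escapes, nothing hidden this way
        for url in URL_RE.findall(decoded):
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                findings.append(Finding("encoded-url", url, after_body))
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, ALLOWED_HOSTS):
        where = "after </body>" if f.after_body else "inside page"
        print(f"{f.kind}: {f.value} ({where})")
```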

The post GitHub hosted Magecart skimmer used against hundreds of e-commerce sites appeared first on Malwarebytes Labs.

Categories: Techie Feeds

STRUGGLE TO SURVIVE IN THE TYRANT’S GRASP

Gamer Goggles - Fri, 04/26/2019 - 14:11

Use all your wits and skills to make allies, challenge invaders, and make your way back to the lands of the living in the first volume, The Dead Roads.

REDMOND, WASHINGTON (April 22, 2019): Paizo Inc. has released two of six exciting volumes of the Tyrant’s Grasp Adventure Path for the first edition of the Pathfinder Roleplaying Game. Volume one, The Dead Roads, and the second volume, Eulogy for Roslar’s Coffer, are both available for purchase at paizo.com and retailers worldwide at an MSRP of $24.99 for softcover.

This survival horror campaign takes heroic players through both the afterlife and the mortal realm to stand against one of the most ancient threats ever to loom over the world. The heroes awaken already defeated—slain by a super-weapon unlike anything seen before. They must fight their way back to the land of the living and warn the rest of the land of this new threat.

The Dead Roads contains a first edition Pathfinder adventure for 1st-level characters. Additional material includes tips, tools, and tricks drawn from the Boneyard, an exploration of races inevitably linked to death, an extensive timeline of the events, and a bestiary of monsters drawn from the lands and lore of the dead.

Author of The Dead Roads, Ron Lundeen, recalls: “My favorite part of this adventure was building it in multiple parts, like a Netflix miniseries, with the players able to decide what order they tackle the middle pieces in. I wanted to make the middle pieces as different from each other as possible within the ‘horror movie’ theme of the entire adventure, so they range from disturbing whimsy to space-warping nightmares.”

The adventures continue with a new volume every month for a total of six months. Volume three, Last Watch, can be preordered today and purchased starting April 24. The Tyrant’s Grasp Poster Map Folio and the fourth volume, Gardens of Gallowspire, can both be preordered today and purchased starting May 29.

The free downloadable Tyrant’s Grasp Player’s Guide is available now and gives players all the spoiler-free background, information, and inspiration they’ll need to create characters ready to hit the ground running. Explore the Pathfinder Roleplaying Game Tyrant’s Grasp Adventure Path at paizo.com/tyrantsgrasp.

Categories: Tabletop Gaming Blogs

Bring on the magic! (Part II)

Torchbearer RPG - Thu, 04/25/2019 - 13:00
The Magic Circle by John William Waterhouse, 1886

Hello friends!

This week we’re continuing with the theme we started here. It’s time for more magic items!

Chime of Dreams

A set of silver chimes and mallet intricately engraved with sigils linked to the Lord of Dreams. When struck, it emits a rich bell tone seemingly too deep and resonant to come from the instrument.
Effect: Those who hear the ring of the chime must make an Ob 3 Will (or Nature) test or fall into a deep, unnatural slumber filled with strange and terrible dreams. Those trapped in this sleep will only awaken if prodded or struck. Otherwise they will slumber forever. The chime can affect a maximum of four creatures of Might 1 or 2, three creatures of Might 3, two creatures of Might 4 or one creature of Might 5. It does not work on beings with the undead descriptor or who are Might 6 or higher.
Charges: 1d3+1
Inventory: Hand/carried 2 or pack 2
Type: Magical equipment

Crystal Egg

A smooth, shimmering crystal the size of a fist that seems to shift colors as one gazes upon it.
Effect: This crystal functions as a matrix that can store known spells, similar to a traveling spell book. A magician may store up to 8 slots of spells in the orb. Adding spells to the orb follows the rules for scribing a known spell into a traveling spell book. When found, the Crystal Egg may already contain spells imprinted by its previous owner. Roll 1d6 and consult the following table:

1d6  Result
1    Empty
2    One 1st Circle spell
3    1d3 1st Circle spells
4    One 2nd Circle spell
5    1d3 1st and 2nd Circle spells
6    One 3rd Circle spell

Inventory: Hand/carried 1 or pack 1
Type: Magical container

Ring of the Frog

A ring of mottled green and brown stone that always appears to be wet.
Effect: The wearer may breathe normally underwater.
Charges: 1d6+3
Inventory: Hand/worn 1
Type: Magical jewelry

Robe of the Thaumaturge

A heavy, exquisitely brocaded robe beaded with pearls.
Effect: The robe acts as armor against combat spells, invocations and other magical effects in kill and drive off conflicts. -1 personal damage from magical effects. After absorbing damage, roll 1d6. On a result of 1-2, one of the robe’s pearls crumbles to dust. When the pearls are all gone, the robe’s magic is destroyed.
Charges (Pearls): 1d6+3
Inventory: Torso/worn 3 or pack 4
Type: Magical clothing

Swan Mantle

A cloak of purest white swan feathers stitched with gold thread.
Effect: The wearer pulls the cloak tightly about them and takes the form of a swan. To transform, make a Will test Ob 3. This test does not take a turn. If successful, your character takes the shape of a swan and assumes its nature descriptors (Preening, Flying, Swimming). You may end the effect at any time by removing the cloak.
Inventory: Torso/worn 1, hand/carried 1 or pack 2
Type: Magical clothing

Categories: Tabletop Gaming Blogs

Heroes of the Outer Planes---FIGHT!

Sorcerer's Skull - Thu, 04/25/2019 - 11:00

I think the Gygaxian Great Wheel, if properly interpreted, could serve as a high-powered fantasy campaign. The planes could be expansive arenas in which martial artists with ever-increasing powers contend for some ultimate prize--like Highlander meets Dragonball Z. Or maybe the planes are just the exotic lands that serve as locales for the high-powered adventures of super-folks, more like the gang in Dreadstar or the Guardians of the Galaxy than a typical D&D adventuring party.

The more I think about it, most cosmic stuff Starlin has written would be good inspiration here.


Exalted and Kill 6 Billion Demons would be good, too, if you've gotta have something besides Starlin.

Labs Cybercrime Tactics and Techniques report finds businesses hit with 235 percent more threats in Q1

Malwarebytes - Thu, 04/25/2019 - 07:01

The Malwarebytes Labs Cybercrime Tactics and Techniques Q1 2019 report found businesses at the butt end of a bad joke. In just one year, threats aimed at corporate targets have increased by 235 percent, with Trojans, such as Emotet, and ransomware in particular revving up in the first quarter.

Included in the report is analysis of sharp declines in consumer cryptomining and other threats, further cementing the shift away from individual targets and toward businesses, with SMBs in particular suffering because of lack of resources.

“Consumers might breathe a sigh of relief seeing that malware targeting them has dropped by nearly 40 percent, but that would be short-sighted,” said Adam Kujawa, director of Malwarebytes Labs. “Consumer data is more easily available in bulk from business targets, who saw a staggering 235 percent increase in detections year-over-year. Cybercriminals are using increasingly clever means of attack to get even more value from targets through the use of sophisticated Trojans, adware and ransomware.”

In addition to analysis of trending threats, broken down by region and segment (consumer vs. business), this quarter the Labs team added a section on data privacy to the report.

Following its March survey on data privacy, in which respondents overwhelmingly showed concern about protecting their data online, the Labs team highlighted some of its key takeaways and discussed ways in which businesses are failing to shore up that data.

Highlights from the report include:

  • Emotet continues to target enterprises. Detections of Trojans (Emotet’s parent category) on business endpoints increased more than 200 percent since Q4 2018, and almost 650 percent from the same time last year.
  • Ransomware has gained rapid momentum, with an increase of 195 percent in business detections from Q4 2018 to Q1 2019. Compared to the same time last year, business detections of ransomware have seen an uptick of over 500 percent, due in large part to a massive attack by the Troldesh ransomware against US organizations in early Q1.
  • Cryptomining against consumers is essentially extinct. Marked by the popular drive-by mining company CoinHive shutting down operations in March, consumer cryptomining has significantly decreased both from the previous quarter and the previous year.
  • Mobile and Mac devices are increasingly targeted by adware. While Mac malware saw a more than 60 percent increase from Q4 2018 to Q1 2019, adware was particularly pervasive, growing over 200 percent from the previous quarter.
  • The US leads in global threat detections at 47 percent, followed by Indonesia with nine percent and Brazil with eight percent.

To learn more about threats and trends in cybercrime in Q1, download the full report:

Cybercrime Tactics and Techniques Q1 2019

The post Labs Cybercrime Tactics and Techniques report finds businesses hit with 235 percent more threats in Q1 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A look inside the FBI’s 2018 IC3 online crime report

Malwarebytes - Wed, 04/24/2019 - 15:57

The FBI’s Internet Crime Complaint Center has released its annual Crime Report, with the most recent release focusing on 2018. While the contents may not surprise, it definitely cements some of the bigger threats to consumers and businesses—and not all of them are particularly high tech. Sometimes less is most definitely more.

What is the Internet Crime Complaint Center?

Good question. For those not in the know, it’s the FBI’s way of allowing you to file a complaint about a computer crime. If the victim or alleged perpetrator are located in the US, you can file. The information is then handed to trained analysts who distribute the data as appropriate.

They eventually take all that information and turn it into a report. There’s a fair bit in there to chew on—here’s the report, in PDF format—but there are some prominent themes on display. Shall we take a look at what’s hot?

Business Email Compromise (BEC)

Business Email Compromise is something we mention on here fairly regularly. Someone usually pretends to be the CEO of an organisation, and attempts to pull off a wire transfer via someone else in finance. Cash is often routed through Hong Kong where wires are common, so as not to attract attention. 

It’s a straightforward attack, low risk, small overheads, and if you fire enough out, eventually someone will bite. You only need one successful attack to walk away with millions.

In 2018, IC3:

  • Received just over 20,000 reports of BEC attacks
  • Declared adjusted losses of over $1.2 billion

Those are big numbers, but even bigger when you consider BEC reports the year before were 15,000, and adjusted losses were $675 million. One slightly peculiar twist to the usual “steal your money” approach is this:

In 2018, the IC3 received an increase in the number of BEC/EAC complaints requesting victims purchase gift cards. The victims received a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple gift cards for either personal or business reasons.

Not quite as glamorous as Hong Kong wires, and in all honesty it sounds faintly ludicrous at first viewing, but it’s definitely working for somebody.

Payroll diversion

This is an interesting twist on the BEC scams. The attackers don’t waste time pretending to be CEOs. Instead, they go for logins tied to payroll processing systems. Once they’re in, they change the account information and the money is diverted to somewhere controlled by the hacker. They’ll also hide warnings to admins, which would’ve alerted them to deposit information changes. The money will then typically be sent to a prepaid card—yes, prepaid cards are flavour of the month (year?) this time around. From the report:

Institutions most affected by this scam have been education, healthcare, and commercial airway transportation.

From just one hundred complaints, there was a combined reported loss of $100 million dollars. This is frankly astonishing. Phishing can truly be devastating in the right hands.

Tech support fraud

Tech support scams feel as though they’ve been around forever, and they’re busy cementing their place in the top three table of awful things. The 2018 tally for these antics weighs in at 14,000 complaints from victims scattered across 48 countries. The losses almost hit $39 million, representing a 161 percent rise from the previous year. Most of the victims are over 60, which fits the general M.O. of going after older targets who may not be aware of the latest happenings in fraud land.

The full report covers topics such as top states divided by both number of victims and victim losses, breakdowns on target age groups, crime types, assets recovered, and much more.

One thing’s for sure: with over 900 complaints a day, roughly 300,000 complaints received per year on average, and something in the region of $2.71 billion in losses accounted for in 2018, online crime isn’t going away anytime soon.

The post A look inside the FBI’s 2018 IC3 online crime report appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Consumers have few legal options for protecting privacy

Malwarebytes - Tue, 04/23/2019 - 17:03

There are no promises in the words, “We care about user privacy.”

Yet, these words appear on privacy policy after privacy policy, serving as disingenuous banners to hide potentially invasive corporate practices, including clandestine data collection, sharing, and selling.

This is no accident. It is a strategy.

In the US, companies that break their own privacy policies can—and do—face lawsuits over misleading and deceiving their users, including making false statements about data privacy. But users are handicapped in this legal fight, as successful lawsuits and filings are rare.

Instead of relying on the legal system to assert their data privacy rights, many users turn to tech tools, installing various web browsers, browser extensions, and VPNs to protect their online behavior.

Luckily, users aren’t alone in this fight. A small number of companies, including Apple, Mozilla, Signal, WhatsApp, and others, are truly committed to user privacy. They stand up to overbroad government requests. They speak plainly about data collection. And they often disengage from practices that put user data in the hands of unexpected third parties.

In the latest blog in our series on data privacy and cybersecurity laws, we look at the options that consumers actually have in asserting their digital privacy rights today. In the US, it is an area of law that, unlike global data protection, is slim.

As Jay Stanley, senior policy analyst with the ACLU Speech, Privacy, and Technology Project, put it: “There’s a thin web of certain laws that exist out there [for digital consumer privacy], but the baseline default is that it’s kind of the Wild West.”

Few laws, few protections

For weeks, Malwarebytes Labs has delved into the dizzying array of global data protection and cybersecurity laws, exploring why, for instance, a data breach in one state requires a different response than a data breach in another, or why “personal information” in one country is not the same as “personal data” in another.

Despite the robust requirements for lawful data protection around the world, individuals in the United States experience the near opposite. In the US, there is no comprehensive federal data protection law, and thus, there is no broad legal protection that consumers can use to assert their data privacy rights in court.

“In the United States, the sort of default is: Consumer beware,” said Lee Tien, senior staff attorney with the digital rights nonprofit Electronic Frontier Foundation.

As we explored last month, US data protection law is split into sectors—there’s a law for healthcare providers, a law for video rental history, a law for children’s online information, and laws for other select areas. But user data that falls out of those narrow scopes has little protection.

If a company gives intimate menstrual tracking info to Facebook? Tough luck. If a flashlight app gathers users’ phone contacts? Too bad. If a vast network of online advertising companies and data brokers build a corporate surveillance regime that profiles, monitors, and follows users across websites, devices, and apps, delivering ads that never disappear? Welcome to the real world.

“In general, unless there is specific, sectoral legislation, you don’t have much of a right to do anything with respect to [data privacy],” Tien said.

There is one caveat, though.

In the US, companies cannot lie about their own business practices, data protection practices included. These laws prohibit “unlawful, unfair, or fraudulent” business practices, along with “unfair, deceptive, untrue, or misleading” advertising. Whatever a company says it does, legally, should be what it actually does, Tien said.

“Most of consumer privacy that’s not already controlled by a statute lives in this space of ‘Oh, you made a promise about privacy, and then you broke it,’” Tien said. “Maybe you said you don’t share information, or you said that when you store information at rest, you store it in air-gapped computers, using encryption. If you say something like that, but it’s not true, you can get into trouble.”

This is where a company’s privacy policy becomes vital. Any company’s risk for legal liability is only as large as its privacy policy is detailed.

In fact, the fewer privacy promises made, the fewer opportunities to face a lawsuit, said ACLU’s Stanley.

“This is why all privacy policies are written to not make any promises, but instead have hand-wavy statements,” Stanley said. “What often follows a sweeping statement is 16 pages of fine print about privacy and how the company actually doesn’t make any promises to protect it.”

But what about a company that does make—and break—a promise?

Few laws, fewer successful assertions

Okay, so let’s say a company breaks its data privacy promise. It said it would not sell user data in its privacy policy and it undeniably sold user data. Time to go to court, right?

Not so fast, actually.

The same laws that prohibit unfair and deceitful business practices also often include a separate legal requirement for anyone that wants to use them in court: Individuals must show that the alleged misconduct personally harmed them.

Proving harm for something like a data breach is exceedingly difficult, Tien said.

“The mechanism of harm is more customized per victim than, say, an environmental issue,” Tien said, explaining that even the best data science can’t reliably predict an average person’s harm when subjected to a data breach the way that environmental science can predict an average person’s harm if they’ve been subjected to, for instance, a polluted drinking source.

In 2015, this difficulty bore out in court, when an Uber driver sued the ride-hailing company because of a data breach that affected up to 50,000 drivers. The breach, the driver alleged, led to a failed identity theft attempt and a fraudulent credit card application in his name.

Two years later, the judge dismissed the lawsuit. At a hearing she told the driver: “It’s not there. It’s just not what you think it is…It really isn’t enough to allege a case.”

There is, again, a caveat.

Certain government officials—including state Attorneys General, county District Attorneys, and city attorneys—can sue a company for its deceitful business practices without having to show personal harm. Instead, they can file suit against a company as a representative of the public.

In 2018, this method was also tested in court, with the exact same company. Facing pressure from 51 Attorneys General—one for each US state and one for Washington, D.C.—Uber paid $148 million to settle a lawsuit alleging the company’s misconduct when covering up a data breach two years earlier.

Despite this success, waiting around for overworked government attorneys to file a lawsuit on a user’s behalf is not a practical solution to protecting online privacy. So, many users have turned to something else—technology.

Consumer beware? Consumer prepared

As online tracking methods have evolved far past the simpler days of just using cookies, consumers have both developed and adopted a wide array of tools to protect their online behavior, hiding themselves from persistent advertisers.

Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, said that, while the technology of tracking has become more advanced, so have the tools that push back.

Privacy-focused web browsers, including Brave and Mozilla’s Firefox Focus, were released in the past two years, and tracking-blocking browser extensions like Ghostery, Disconnect, and Privacy Badger—which is developed by EFF—are all available, at least in basic models, for free to consumers. Even Malwarebytes has a browser extension for both Firefox and Chrome that, along with obstructing malicious content and scams, blocks third-party ads and trackers that monitor users’ online behavior.

Stephens said he has another philosophy about protecting online privacy: Never trust an app.

“We have this naïve conception that the information we’re giving an app, that what we’re doing with that app, is staying with that app,” Stephens said. “That’s really not true in most situations.”

Stephens pointed to the example of a flashlight app that, for no discernible reason, collected users’ contact lists, potentially gathering the phone numbers and email addresses for every friend, family member, and met-once-at-a-party acquaintance.

“Quite frankly,” Stephens said, “I would not trust any app to not leak my data.”

Corporate respect for consumer privacy

There is one last pillar in defending consumer privacy, and, luckily for many users, it’s a sturdy one: corporations.

Yes, we earlier criticized the many nameless companies that window-dress themselves in empty privacy promises, but, for years, several companies have emerged as meaningful protectors of user privacy.

These companies include Apple, Signal, Mozilla, WhatsApp, DuckDuckGo, Credo Mobile, and several others. They all make explicit promises to users about not selling data or giving it to third parties that don’t need it, along with sometimes refusing to store any user data not fundamentally needed for corporate purposes. Signal, the secure messaging app, takes user privacy so seriously that the company cannot read users’ end-to-end encrypted messages to one another.

While many of these companies are household names, a smaller company is putting privacy front and center, and it’s doing it for a much-needed field—DNA testing.

Helix DNA not only tests people’s genetic data, but it also directs them to several partners who offer services that utilize DNA testing, such as The Mayo Clinic and National Geographic. Because Helix serves as a sort of hub for DNA testing services, and because it works so closely with so many companies and organizations that handle genetic data, it decided it was in the right position to set the tone for privacy, said Helix senior director of policy and clinical affairs Elissa Levin.

“It is incumbent on us to set the industry standards on privacy,” Levin said.

Last year, Helix worked with several other companies—including 23andMe, Ancestry, MyHeritage, and Habit—to release a set of industry “best practices,” providing guidance on how DNA testing companies should collect, store, share, and respect user data.

Among the best practices are several privacy-forward ideas not required by law, including the right for users to access, correct, and delete their data from company databases. Also included is a request to ban sharing any genetic data with third parties like employers and insurance companies. And, amidst recent headlines about captured serial killers and broad FBI access to genetic data, the best practices suggest that companies, when possible, notify individuals about government requests for their data.

Helix itself does not sell any user data, and it requires express user consent for any data sharing with third parties. Helix also brought in privacy executive and current head of data policy at the World Economic Forum Anne Toth to advise on its privacy practices before even launching, Levin said.

As to whether consumers appreciate having their privacy protected, Levin said the proof is not so much in what consumers say, but rather in what they don’t say.

“The best way to gauge that is in looking at the fact that we have not gotten negative feedback from users or concerns about our privacy practices,” Levin said. She said that any time a company is in the news for data misuse, there is never a large uptick in users reflexively walking away, even though Helix allows users to remove themselves from the platform.

Consumer privacy is the future

Online privacy matters, both to users and to companies. It should matter to lawmakers, but in the US, it has taken Congress until barely last year to take substantial interest in the topic.

Until the US has a comprehensive data privacy law, consumers will find a way to protect themselves, legal framework or not. Companies should be smart and not get left behind. Not only is protecting user privacy the right thing to do—it’s the smart thing to do.

The post Consumers have few legal options for protecting privacy appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How Well Do You Understand Invisibility in Dungeons & Dragons?

DM David - Tue, 04/23/2019 - 10:52

Lately, I’ve played in some high-level Dungeons & Dragons games with enough invisibility to make me study how the feature works in the game. Despite all my years playing D&D, or perhaps because of them, invisibility in fifth edition often defies my expectations. I can’t be alone, so I wrote a quick guide to invisibility. At the end, I pose a brain teaser where invisibility and Mind Blank meet True Seeing.

D&D presumes that creatures can perceive the location of invisible creatures

The Player’s Handbook explains that when a creature becomes invisible, “The creature’s location can be detected by any noise it makes or any tracks it leaves.” This seems obvious, but the game design presumes more. In a Sage Advice segment, D&D lead designer Jeremy Crawford suggests assuming that creatures can usually locate invisible creatures based on sound and other clues. Signs like footprints on damp stone, the squeak of floorboards, the stir of tapestries, the twang of a bow, or the snicker-snack of a sword could all expose an invisible creature. The specific clues seldom matter, but unless invisible creatures attempt to sneak, something reveals their general location.

When we dream of becoming invisible, we tend to imagine roaming undetected, but the game’s assumption better matches reality. Even with your eyes closed, you can usually track someone moving nearby.

To avoid revealing your presence while invisible, you need to be sneaky. Outside of combat, that means Dexterity (Stealth) checks. Inside combat, that means taking the Hide action.

The need for stealth to go undetected benefits game play in two ways:

  • Invisibility helps characters, but they still need talent and skill to evade detection. Otherwise, invisibility would simply be a better replacement for stealth.

  • Invisible foes become a bit easier to locate, making battles against them less frustrating.

Ultimately, the dungeon master decides when or whether to adopt the premise that creatures generally know the location of invisible foes.

A DM can rule that noises or distractions allow invisible characters to go undetected without stealth. Jeremy Crawford gives the example of an invisible wizard who doesn’t bother to hide from orcs. “The DM might decide that because the barbarian is screaming in their face and the rogue lit the gunpowder barrels nearby on fire and they just exploded, the orcs are not even paying attention and they don’t know where she is.”

To escape detection, creatures must hide

If creatures notice the location of invisible creatures, how does invisibility help? Normally, to hide, you need to be out of plain sight. Invisibility enables hiding anywhere.

Hiding prevents people from hearing you or otherwise discerning your location. “If you’re dashing around, swinging your sword in combat, or yelling to your friends, you’re not hiding,” Jeremy says. “People can’t see you, but they can certainly hear you.”

When you take the Hide action, you make a Dexterity (Stealth) check in an attempt to hide. If your check exceeds the passive Perception scores of those who might notice you, you become hidden from them. If something imposes disadvantage on a creature’s passive Perception, that passive score takes a -5 penalty.

Someone whose passive perception fails to notice a hidden creature can spend an action to actively perceive them. Then, the action allows a Wisdom (Perception) check to beat the Dexterity (Stealth) check and locate the hidden creature.

Once you have made your check, you can move without making another check or spending another action to hide. That stealth roll from your Hide action continues to apply. The design aims to avoid slowing the game with rerolls.

Obviously, talking and other activities can ruin hiding. Attacks reveal your location. “If you are hidden—both unseen and unheard—when you make an attack, you give away your location when the attack hits or misses.” This rule’s wording makes clear that even though the attack exposes you after it hits or misses, you get the advantage of attacking while hidden. The Invisibility spell uses less careful wording, but its effect still lasts until you hit or miss. Jeremy says that the spell “doesn’t predict what you’re about to do.”

Invisibility benefits attacking and defending

You can attack a hidden and invisible foe by trying to guess its location. “If the target isn’t in the location you targeted, you automatically miss, but the DM typically just says that the attack missed, not whether you guessed the target’s location correctly.”

Even though creatures typically discern the location of invisible creatures nearby, invisibility grants powerful advantages. “Attack rolls against the creature have disadvantage, and the creature’s attack rolls have advantage.”

Because advantage and disadvantage cancel, if two invisible creatures swing at each other, they attack as normal with neither advantage nor disadvantage. Invisible creatures rarely trade blows, but blinded creatures in, say, Darkness or a Fog Cloud often do, and the offsetting advantage and disadvantage leads to normal attack rolls.

Invisibility blocks many spells from targeting you

Invisibility’s strongest advantage stems from the many spells, from Acid Splash to True Polymorph, that can only target someone the caster can see. An invisible creature gains protection from all of these spells. An invisible spellcaster also can’t be countered, because Counterspell is cast as a reaction, “which you take when you see a creature within 60 feet of you casting a spell.”

This makes Greater Invisibility the strongest defensive spell for casters.

Occasionally, going unseen hinders allies. For example, Spirit Guardians says, “When you cast this spell, you can designate any number of creatures you can see to be unaffected by it.” When clerics cast Spirit Guardians, they can’t exclude the party’s invisible members from the guardians’ harmful effects. Likewise, the evoker’s Sculpt Spell ability requires the caster to see allies to exclude them from a spell’s area, so the invisible rogue gets more chances to show off Evasion.

Invisibility versus True Seeing and Mind Blank

True Seeing is a divination spell that grants Truesight and its ability to see invisible. Mind Blank makes its target immune to divination spells. Can someone affected by True Seeing see an invisible creature affected by Mind Blank? You might argue that the divination spell only affects the person gaining Truesight, and that their new perception isn’t blinded by a creature’s immunity to divination. Or does Mind Blank somehow cloud anyone attempting a divination spell? Do you have your answer?

Jeremy Crawford says True Seeing fails to reveal an invisible creature affected by Mind Blank. But in your game, you are the dungeon master. Your answer remains correct.

Categories: Tabletop Gaming Blogs
