Feed aggregator

Labs Cybercrime Tactics and Techniques report finds businesses hit with 235 percent more threats in Q1

Malwarebytes - Thu, 04/25/2019 - 07:01

The Malwarebytes Labs Cybercrime Tactics and Techniques Q1 2019 report found businesses at the butt end of a bad joke. In just one year, threats aimed at corporate targets have increased by 235 percent, with Trojans, such as Emotet, and ransomware in particular revving up in the first quarter.

Included in the report is analysis of sharp declines in consumer cryptomining and other threats, further cementing the shift away from individual targets and toward businesses, with SMBs in particular suffering because of lack of resources.

“Consumers might breathe a sigh of relief seeing that malware targeting them has dropped by nearly 40 percent, but that would be short-sighted,” said Adam Kujawa, director of Malwarebytes Labs. “Consumer data is more easily available in bulk from business targets, who saw a staggering 235 percent increase in detections year-over-year. Cybercriminals are using increasingly clever means of attack to get even more value from targets through the use of sophisticated Trojans, adware and ransomware.”

In addition to analysis of trending threats, broken down by region and segment (consumer vs. business), this quarter the Labs team added a section on data privacy to the report.

Following its March survey on data privacy, in which respondents overwhelmingly showed concern about protecting their data online, the Labs team highlighted some of its key takeaways and discussed ways in which businesses are failing to shore up that data.

Highlights from the report include:

  • Emotet continues to target enterprises. Detections of Trojans (Emotet’s parent category) on business endpoints increased more than 200 percent since Q4 2018, and almost 650 percent from the same time last year.
  • Ransomware has gained rapid momentum, with an increase of 195 percent in business detections from Q4 2018 to Q1 2019. Compared to the same time last year, business detections of ransomware have seen an uptick of over 500 percent, due in large part to a massive attack by the Troldesh ransomware against US organizations in early Q1.
  • Cryptomining against consumers is essentially extinct. Marked by the popular drive-by mining company CoinHive shutting down operations in March, consumer cryptomining has significantly decreased both from the previous quarter and the previous year.
  • Mobile and Mac devices are increasingly targeted by adware. While Mac malware saw a more than 60 percent increase from Q4 2018 to Q1 2019, adware was particularly pervasive, growing over 200 percent from the previous quarter.
  • The US leads in global threat detections at 47 percent, followed by Indonesia with nine percent and Brazil with eight percent.

To learn more about threats and trends in cybercrime in Q1, download the full report:

Cybercrime Tactics and Techniques Q1 2019

The post Labs Cybercrime Tactics and Techniques report finds businesses hit with 235 percent more threats in Q1 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A look inside the FBI’s 2018 IC3 online crime report

Malwarebytes - Wed, 04/24/2019 - 15:57

The FBI’s Internet Crime Complaint Center has released its annual Internet Crime Report, with the most recent edition focusing on 2018. While the contents may not surprise, it definitely cements some of the bigger threats to consumers and businesses—and not all of them are particularly high tech. Sometimes less is most definitely more.

What is the Internet Crime Complaint Center?

Good question. For those not in the know, it’s the FBI’s way of allowing you to file a complaint about a computer crime. If the victim or alleged perpetrator are located in the US, you can file. The information is then handed to trained analysts who distribute the data as appropriate.

They eventually take all that information and turn it into a report. There’s a fair bit in there to chew on—here’s the report, in PDF format—but there are some prominent themes on display. Shall we take a look at what’s hot?

Business Email Compromise (BEC)

Business Email Compromise is something we mention on here fairly regularly. Someone usually pretends to be the CEO of an organisation, and attempts to pull off a wire transfer via someone else in finance. Cash is often routed through Hong Kong where wires are common, so as not to attract attention. 

It’s a straightforward attack, low risk, small overheads, and if you fire enough out, eventually someone will bite. You only need one successful attack to walk away with millions.

In 2018, IC3:

  • Received just over 20,000 reports of BEC attacks
  • Declared adjusted losses of over $1.2 billion

Those are big numbers, but even bigger when you consider BEC reports the year before were 15,000, and adjusted losses were $675 million. One slightly peculiar twist to the usual “steal your money” approach is this:

In 2018, the IC3 received an increase in the number of BEC/EAC complaints requesting victims purchase gift cards. The victims received a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple gift cards for either personal or business reasons.

Not quite as glamorous as Hong Kong wires, and in all honesty it sounds faintly ludicrous at first viewing, but it’s definitely working for somebody.

Payroll diversion

This is an interesting twist on the BEC scams. The attackers don’t waste time pretending to be CEOs. Instead, they go for logins tied to payroll processing systems. Once they’re in, they change the direct deposit account information so the money is diverted to an account controlled by the attacker. They also suppress the warnings that would otherwise alert admins to deposit information changes. The money will then typically be sent to a prepaid card—yes, prepaid cards are flavour of the month (year?) this time around. From the report:

Institutions most affected by this scam have been education, healthcare, and commercial airway transportation.

From just one hundred complaints, there was a combined reported loss of $100 million. This is frankly astonishing. Phishing can truly be devastating in the right hands.

Tech support fraud

Tech support scams feel as though they’ve been around forever, and they’re busy cementing their place in the top three table of awful things. The 2018 tally for these antics weighs in at 14,000 complaints from victims scattered across 48 countries. The losses almost hit $39 million, representing a 161 percent rise from the previous year. Most of the victims are over 60, which fits the general M.O. of going after older targets who may not be aware of the latest happenings in fraud land.

The full report covers topics such as top states divided by both number of victims and victim losses, breakdowns on target age groups, crime types, assets recovered, and much more.

One thing’s for sure: with over 900 complaints a day, roughly 300,000 complaints received per year on average, and something in the region of $2.71 billion in losses accounted for in 2018, online crime isn’t going away anytime soon.

The post A look inside the FBI’s 2018 IC3 online crime report appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Consumers have few legal options for protecting privacy

Malwarebytes - Tue, 04/23/2019 - 17:03

There are no promises in the words, “We care about user privacy.”

Yet, these words appear on privacy policy after privacy policy, serving as disingenuous banners to hide potentially invasive corporate practices, including clandestine data collection, sharing, and selling.

This is no accident. It is a strategy.

In the US, companies that break their own privacy policies can—and do—face lawsuits over misleading and deceiving their users, including making false statements about data privacy. But users are handicapped in this legal fight, as successful lawsuits and filings are rare.

Instead of relying on the legal system to assert their data privacy rights, many users turn to tech tools, installing various web browsers, browser extensions, and VPNs to protect their online behavior.

Luckily, users aren’t alone in this fight. A small number of companies, including Apple, Mozilla, Signal, WhatsApp, and others, are truly committed to user privacy. They stand up to overbroad government requests. They speak plainly about data collection. And they often disengage from practices that put user data in the hands of unexpected third parties.

In the latest blog in our series on data privacy and cybersecurity laws, we look at the options that consumers actually have in asserting their digital privacy rights today. In the US, it is an area of law that, unlike global data protection, is slim.

As Jay Stanley, senior policy analyst with the ACLU Speech, Privacy, and Technology Project, put it: “There’s a thin web of certain laws that exist out there [for digital consumer privacy], but the baseline default is that it’s kind of the Wild West.”

Few laws, few protections

For weeks, Malwarebytes Labs has delved into the dizzying array of global data protection and cybersecurity laws, exploring why, for instance, a data breach in one state requires a different response than a data breach in another, or why “personal information” in one country is not the same as “personal data” in another.

Despite the robust requirements for lawful data protection around the world, individuals in the United States experience the near opposite. In the US, there is no comprehensive federal data protection law, and thus, there is no broad legal protection that consumers can use to assert their data privacy rights in court.

“In the United States, the sort of default is: Consumer beware,” said Lee Tien, senior staff attorney with the digital rights nonprofit Electronic Frontier Foundation.

As we explored last month, US data protection law is split into sectors—there’s a law for healthcare providers, a law for video rental history, a law for children’s online information, and laws for other select areas. But user data that falls out of those narrow scopes has little protection.

If a company gives intimate menstrual tracking info to Facebook? Tough luck. If a flashlight app gathers users’ phone contacts? Too bad. If a vast network of online advertising companies and data brokers build a corporate surveillance regime that profiles, monitors, and follows users across websites, devices, and apps, delivering ads that never disappear? Welcome to the real world.

“In general, unless there is specific, sectoral legislation, you don’t have much of a right to do anything with respect to [data privacy],” Tien said.

There is one caveat, though.

In the US, companies cannot lie about their own business practices, data protection practices included. These laws prohibit “unlawful, unfair, or fraudulent” business practices, along with “unfair, deceptive, untrue, or misleading” advertising. Whatever a company says it does, legally, should be what it actually does, Tien said.

“Most of consumer privacy that’s not already controlled by a statute lives in this space of ‘Oh, you made a promise about privacy, and then you broke it,’” Tien said. “Maybe you said you don’t share information, or you said that when you store information at rest, you store it in air-gapped computers, using encryption. If you say something like that, but it’s not true, you can get into trouble.”

This is where a company’s privacy policy becomes vital. Any company’s risk for legal liability is only as large as its privacy policy is detailed.

In fact, the fewer privacy promises made, the fewer opportunities to face a lawsuit, said ACLU’s Stanley.

“This is why all privacy policies are written to not make any promises, but instead have hand-wavy statements,” Stanley said. “What often follows a sweeping statement is 16 pages of fine print about privacy and how the company actually doesn’t make any promises to protect it.”

But what about a company that does make—and break—a promise?

Few laws, fewer successful assertions

Okay, so let’s say a company breaks its data privacy promise. It said it would not sell user data in its privacy policy and it undeniably sold user data. Time to go to court, right?

Not so fast, actually.

The same laws that prohibit unfair and deceitful business practices also often include a separate legal requirement for anyone that wants to use them in court: Individuals must show that the alleged misconduct personally harmed them.

Proving harm for something like a data breach is exceedingly difficult, Tien said.

“The mechanism of harm is more customized per victim than, say, an environmental issue,” Tien said, explaining that even the best data science can’t reliably predict an average person’s harm when subjected to a data breach the way that environmental science can predict an average person’s harm if they’ve been subjected to, for instance, a polluted drinking source.

In 2015, this difficulty bore out in court, when an Uber driver sued the ride-hailing company because of a data breach that affected up to 50,000 drivers. The breach, the driver alleged, led to a failed identity theft attempt and a fraudulent credit card application in his name.

Two years later, the judge dismissed the lawsuit. At a hearing she told the driver: “It’s not there. It’s just not what you think it is…It really isn’t enough to allege a case.”

There is, again, a caveat.

Certain government officials—including state Attorneys General, county District Attorneys, and city attorneys—can sue a company for its deceitful business practices without having to show personal harm. Instead, they can file suit against a company as a representative of the public.

In 2018, this method was also tested in court, with the exact same company. Facing pressure from 51 Attorneys General—one for each US state and one for Washington, D.C.—Uber paid $148 million to settle a lawsuit alleging the company’s misconduct when covering up a data breach two years earlier.

Despite this success, waiting around for overworked government attorneys to file a lawsuit on a user’s behalf is not a practical solution to protecting online privacy. So, many users have turned to something else—technology.

Consumer beware? Consumer prepared

As online tracking methods have evolved far past the simpler days of just using cookies, consumers have both developed and adopted a wide array of tools to protect their online behavior, hiding themselves from persistent advertisers.

Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, said that, while the technology of tracking has become more advanced, so have the tools that push back.

Privacy-focused web browsers, including Brave and Mozilla’s Firefox Focus, were released in the past two years, and tracking-blocking browser extensions like Ghostery, Disconnect, and Privacy Badger—which is developed by EFF—are all available, at least in basic models, for free to consumers. Even Malwarebytes has a browser extension for both Firefox and Chrome that, along with obstructing malicious content and scams, blocks third-party ads and trackers that monitor users’ online behavior.

Stephens said he has another philosophy about protecting online privacy: Never trust an app.

“We have this naïve conception that the information we’re giving an app, that what we’re doing with that app, is staying with that app,” Stephens said. “That’s really not true in most situations.”

Stephens pointed to the example of a flashlight app that, for no discernible reason, collected users’ contact lists, potentially gathering the phone numbers and email addresses for every friend, family member, and met-once-at-a-party acquaintance.

“Quite frankly,” Stephens said, “I would not trust any app to not leak my data.”

Corporate respect for consumer privacy

There is one last pillar in defending consumer privacy, and, luckily for many users, it’s a sturdy one: corporations.

Yes, we earlier criticized the many nameless companies that window-dress themselves in empty privacy promises, but, for years, several companies have emerged as meaningful protectors of user privacy.

These companies include Apple, Signal, Mozilla, WhatsApp, DuckDuckGo, Credo Mobile, and several others. They all make explicit promises to users about not selling data or giving it to third parties that don’t need it, along with sometimes refusing to store any user data not fundamentally needed for corporate purposes. Signal, the secure messaging app, takes user privacy so seriously that the company cannot read users’ end-to-end encrypted messages to one another.

While many of these companies are household names, a smaller company is putting privacy front and center, and it’s doing it for a much-needed field—DNA testing.

Helix DNA not only tests people’s genetic data, but it also directs them to several partners who offer services that utilize DNA testing, such as The Mayo Clinic and National Geographic. Because Helix serves as a sort of hub for DNA testing services, and because it works so closely with so many companies and organizations that handle genetic data, it decided it was in the right position to set the tone for privacy, said Helix senior director of policy and clinical affairs Elissa Levin.

“It is incumbent on us to set the industry standards on privacy,” Levin said.

Last year, Helix worked with several other companies—including 23andMe, Ancestry, MyHeritage, and Habit—to release a set of industry “best practices,” providing guidance on how DNA testing companies should collect, store, share, and respect user data.

Among the best practices are several privacy-forward ideas not required by law, including the right for users to access, correct, and delete their data from company databases. Also included is a request to ban sharing any genetic data with third parties like employers and insurance companies. And, amidst recent headlines about captured serial killers and broad FBI access to genetic data, the best practices suggest that companies, when possible, notify individuals about government requests for their data.

Helix itself does not sell any user data, and it requires express user consent for any data sharing with third parties. Helix also brought in privacy executive and current head of data policy at the World Economic Forum Anne Toth to advise on its privacy practices before even launching, Levin said.

As to whether consumers appreciate having their privacy protected, Levin said the proof is not so much in what consumers say, but rather in what they don’t say.

“The best way to gauge that is in looking at the fact that we have not gotten negative feedback from users or concerns about our privacy practices,” Levin said. She said that any time a company is in the news for data misuse, there is never a large uptick in users reflexively walking away, even though Helix allows users to remove themselves from the platform.

Consumer privacy is the future

Online privacy matters, both to users and to companies. It should matter to lawmakers, but in the US, it took Congress until only last year to take substantial interest in the topic.

Until the US has a comprehensive data privacy law, consumers will find a way to protect themselves, legal framework or not. Companies should be smart and not get left behind. Not only is protecting user privacy the right thing to do—it’s the smart thing to do.

The post Consumers have few legal options for protecting privacy appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Of hoodies and headphones: a spotlight on risks surrounding audio output devices

Malwarebytes - Mon, 04/22/2019 - 18:15

More than a decade ago, cardiologists from the Beth Israel Medical Center in Boston presented their findings at the American Heart Association (AHA) Scientific Sessions 2008 about MP3 headphones causing disruptions with heart devices—such as the pacemaker and the implantable cardioverter defibrillator (ICD)—when the headphones were placed on their chests, directly over their devices’ location.

This interference can range from preventing a defibrillator from detecting abnormal heart rhythms, deactivating the defibrillator temporarily (and, thus, stopping it from delivering a life-saving shock), forcing a pacemaker to deliver signals to the heart (and, thus, making it beat while disregarding the patient’s current heart rhythm), to fully reprogramming the heart device.

Experts named neodymium magnets, which are common in most headphones, as the culprit behind these potentially life-threatening disruptions. Doctors have repeatedly warned pacemaker and defibrillator patients about the risks of magnets and other devices that could accidentally interfere with their function, but the warnings seem to have fallen on deaf ears.

Headphones, earphones, and headsets were never designed to interfere with heart devices—yet, interfere they did. While the interference was accidental, the curious among us may start to wonder: Can headphones be intentionally messed with to harm their users? What else can headphones do that they weren’t supposed to? Thankfully, the answer to the former is, “Not with life-endangering consequences.” However, audio output devices, including headphones, can pose a security and privacy risk to users, especially when abused by smart people with ill-intent.

Headphones, like webcams, are now suspect

It’s not just the webcam you should mind and secure. For years, researchers have been looking for and poking holes in our audio output devices, in the name of security and privacy. While the potential risks of headphones may be a new subject for our readers, the solutions for securing them are (thankfully) practical and familiar.

In the next few sections, we’ll cover various potential risks and vulnerabilities of headphones and other audio output devices, as well as any tech related to them—including the software that comes with some headphone sets.

From headphones to microphone to risk

YouTube houses a trove of videos on how one can turn their headphones and even ear buds into a microphone. This is possible because the construction of the two is essentially identical, meaning they work in much the same way. That makes it easy for anyone to MacGyver a microphone if all they have is a pair of headphones.

Exactly how do users transform their headphones into microphones? By physically plugging their headphone or earphone jack into the audio line-in port. Unfortunately, headphones aren’t optimized to be microphones and vice versa, which means the quality won’t be the same.

But can headphones used as a makeshift microphone be a risk to your privacy? Indeed they can, albeit a minor one. If you put one speaker really close to your mouth while pouring your heart out, vulnerabilities in the headphones can enable threat actors to record whatever it is you’re spouting to the mirror or to a room full of tipsy friends.

Spying without spyware

Improvising a microphone with headphones is not the only way to put oneself at risk. As this CNET video shows, the software driving the headphones can also be manipulated to turn them into a microphone, which opens them up to attack as well.

Researchers at Ben Gurion University (BGU) in Israel found a way to automate the physical task of switching the output to the input, and improve the headphones’ ability to capture sounds clearly from across the room in the process.

They did this with a proof-of-concept malware they called SPEAKE(a)R, which targets a Realtek audio sound card: it quietly re-tasked the output channel to an input channel for a headphone set connected to a PC or laptop, and recorded any sounds or conversations happening in the room. You can watch the video recording of the demo in their lab below, or read their paper on the subject here [PDF]:

The SPEAKE(a)R lab demo

In their tests, the researchers used a pair of Sennheiser headphones. This could probably explain the clear quality of the recorded sound even from 20 feet away. We guess that the sound quality is dependent on the quality of headphones, as Sennheiser is one of a handful of brands known for high fidelity headphones.

The only way to make the SPEAKE(a)R malware useless is to not physically attach the headphones to an affected system.

When headphone software opens systems to MITM attacks

Speaking of Sennheiser, the company found itself in security hot water after researchers at Secorvo found a vulnerability not in their headphones, but in their headphone software: HeadSetup.

According to Secorvo’s 16-page report [PDF], this flaw can affect users of both Windows and macOS systems who are using or have used the headphone software. The flaw stems from the way the software establishes an encrypted WebSocket connection with the browser: it installs a self-signed TLS certificate into the OS’s Trusted Root CA certificate store (on Windows) or the macOS Trust Store (on macOS).

Since the certificate and its associated private key are identical across every installation of the headphone software, anyone with a copy of HeadSetup can potentially extract the key and use it to forge certificates. Affected systems would accept those forged certificates as valid, making fake sites look legitimate to the browser, which can be used to perform Man-in-the-Middle (MITM) attacks against targeted users. Yikes.

Sennheiser users can update the HeadSetup software to the latest version to protect themselves from future attacks.
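The practical follow-up for an administrator is to check whether an installer has dropped a root certificate like this onto a machine. The PowerShell script below is an added example, not code from the Malwarebytes post, the Secorvo report or Sennheiser; it assumes a Windows host with PowerShell 5.1 or later, an elevated prompt, and uses a placeholder subject filter (`PLACEHOLDER-VENDOR-NAME`) because the page does not give the certificate’s subject. It flags root-store entries that a public CA root would never exhibit: a private key present on the machine, or a validity period that started only recently.

```powershell
# Added example (not from the Malwarebytes post or the Secorvo report):
# audit the machine-wide Trusted Root CA store for entries that look like
# an application-installed root rather than a public CA.
# Assumptions: Windows, PowerShell 5.1+, run from an elevated prompt.

param(
    # Substring to look for in the certificate subject. Placeholder value:
    # replace it with the subject name reported for the software in question.
    [string]$SuspectSubject = 'PLACEHOLDER-VENDOR-NAME',
    # Treat roots that first became valid within this many days as "new".
    [int]$RecentDays = 90
)

function Get-SuspiciousRootCerts {
    param([string]$SubjectFilter, [int]$Days)

    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        $reasons = @()

        # A root CA's private key has no business being on an end-user machine;
        # anyone who can read it can mint certificates the OS will trust.
        if ($_.HasPrivateKey) { $reasons += 'private key present' }

        # Public CA roots are years old; a root that only became valid recently
        # was most likely dropped by an installer.
        if ($_.NotBefore -gt $cutoff) {
            $reasons += "valid only since $($_.NotBefore.ToShortDateString())"
        }

        if ($SubjectFilter -and $_.Subject -like "*$SubjectFilter*") {
            $reasons += 'subject matches filter'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

$findings = Get-SuspiciousRootCerts -SubjectFilter $SuspectSubject -Days $RecentDays
if (-not $findings) {
    Write-Output 'No suspicious entries in Cert:\LocalMachine\Root.'
} else {
    $findings | Format-Table -AutoSize
    Write-Output 'Review each entry; remove a confirmed rogue root with:'
    Write-Output '  Remove-Item -Path Cert:\LocalMachine\Root\<THUMBPRINT>'
}
```

Run the same audit against `Cert:\CurrentUser\Root` as well, since installers that lack admin rights can still add to the per-user store. On macOS the equivalent starting point is `security find-certificate -a -p /Library/Keychains/System.keychain`, which dumps the system keychain’s certificates as PEM for the same kind of review.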

Exploited USB headphone port in Nexus 9 can lead to data exfiltration

Aleph Security researchers, inspired by the work of Michael Ossmann and Kyle Osborn on multiplexed wired attack surfaces [PDF], experimented on and later discovered that the headphone jack of the Nexus 9 can be used to access and interact with its FIQ (Fast Interrupt Request) Debugger. The Debugger is a developer tool that is shipped with Google Nexus devices. The researchers were able to access it using a Universal Asynchronous Receiver/Transmitter (UART) debug cable that they built themselves.

More unfortunate still, the FIQ Debugger for the Nexus 9 could respond to commands that those with ill intent may find especially useful. These include unauthorized access to sensitive information in the Android OS, such as the stack canary value, CPU registers, and the process list, as well as other functionality, such as the bootloader command, that could force the device into a factory reset.

FIQ Debugger interface with a list of help commands (Source: Aleph Security)

Fortunately, Google has fully patched flaws the researchers reported.

Risks surrounding Bluetooth headphones, earphones, and headsets

BlueBorne is the name used to describe an attack method that uses Bluetooth technology to infiltrate and control Bluetooth-enabled devices. Since many wireless headphones, ear buds, and stream services use Bluetooth tech, they are susceptible to this attack.

Discovered in 2017 by IoT security company Armis, BlueBorne consists of eight related zero-day vulnerabilities that can compromise major OS platforms. Affected devices can cause all sorts of security problems to their users, including malware propagation, espionage, and information theft, to name a few.

Anyone can eavesdrop on users via Bluetooth-enabled headsets, even if they’re not in discoverable mode. All one needs is the known default PIN code of the headset, which for most is “0000” (without quotation marks), an external antenna (to extend the Bluetooth range), and a device to control it remotely. SANS Senior Instructor Joshua Wright showed how this can be done in the video “Eavesdropping on Bluetooth Headsets.”

Users can avoid falling victim to BlueBorne attacks and eavesdropping by ensuring that their device’s firmware is up to date and turning off their device’s Bluetooth when not in use.

From audiophile to…paranoiac?

Covering your laptop’s built-in webcam is a common and effective security practice to deter potential voyeurs from clandestinely watching you without your knowledge. This is also the reason why users are recommended to disconnect external cameras from desktop computers when not being used.

In terms of headphones, headsets, and earphones, another set of approaches is needed. While securing webcams is easy, securing audio inputs is not. In fact, putting tape over a laptop’s microphone input—even a thick piece doubled up à la Mark Zuckerberg—simply wouldn’t work. Securing audio inputs takes knowledge of how your device’s audio technology works, a bit of patience, and, in extreme cases, destroying a good pair of ear plugs.

If you’re worried that your headphones, earphones, or headset could be used to invade your privacy, you don’t have to go to extremes. Applying basic cybersecurity hygiene to how you use your audio listening devices, such as updating all software and hardware, including firmware and the apps you use with the device, is a good place to start.

But if you absolutely and undoubtedly don’t want your headphones snooping on you in any way, here’s a simple, low-cost way of doing it: disconnect them from your computing or mobile device.

Happy, and safe, listening!

Other resources:

The post Of hoodies and headphones: a spotlight on risks surrounding audio output devices appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (April 15 – 21)

Malwarebytes - Mon, 04/22/2019 - 15:47

Last week, Malwarebytes Labs revealed multiple giveaway online scam campaigns banking on the popularity (and generosity) of Ellen DeGeneres, weighed in on the hack that compromised legacy Microsoft email service accounts like Hotmail and MSN, explained what “like-farming” means and how to spot it on social media, and spotlighted the uncharacteristic executable file formats that one of our researchers presented at the SAS conference.

We also exposed persistent phishing campaigns targeting Electrum wallet users to defraud them of Bitcoins and how malware can pose a physical threat to those inside industrial plants and to the residents nearby them.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (April 15 – 21) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Sagas of Midgard

Stargazer's World - Mon, 04/22/2019 - 09:37

I am lucky enough that in my day job I both work from home and work entirely online. What this means is that I could be pretty much anywhere in the world as long as I can get an internet connection. In practical terms I am a little more limited as it is not just me, there is a Mrs R, two horses, three dogs and a scattering of grown up children and grandchildren.

What I did do recently is move from the far south west of Cornwall, UK to about as far north as you can get in the UK. I am spending seven months living on Shetland. I have swapped Celtic legends and Cornish Giants for Norse myth and legend. This is a little bit of an adventure.

And talking of adventures… I have been playing Sagas of Midgard for the past two weeks and I have come to really enjoy the game. The game is very rules light. It has a single rule for resolving everything. The GM sets a target number and the players roll a d100 and add whatever they can to it and try and roll over the target number. It is one of those games where the GM doesn’t roll any dice. Combat is players roll to hit when they attack and they roll to dodge when they are defending.

What appeals the most is that this is a game where the heroes are heroic. D100 systems have a nasty habit of thinking they need to be gritty and realistic. I think the fact that a single roll has a hundred options means the designers feel they need to use them all (slight exaggeration).

Just look at this quote about whether giants using bows should be able to shoot further than humans, *not* from Sagas. “But m/(m+mv) scales in a way that depends on the relative contribution of m vs mv. If we assume m is much more important than mv, that simplifies to m/m and velocity will double because m/m * L is double. If we assume mv is much more important than m, that simplifies to m/mv and velocity will remain constant. So, the actual scaling is somewhere between x1 and x2, dependent on the relative contribution of m vs mv.

I found one reference that suggested for a bow, mv is about 20% the weight of an arrow. It may be much higher for a thrown weapon…? Would be good to see some numbers. But my initial impression is that Dan’s approximation of x1.41 (square root of 2) is within the range of x1 to x2 and not unreasonable.”

Really? There is a point at which when dealing with giants and dragons you kind of have to leave the physics behind. Back in Cornwall one of our local giants, Trecobben, could throw a rock the size of a VW Transporter seven miles. I would like to see the calculations for that (not!).

Sagas is NOT that sort of game. Sagas is all about the story, heroic action and dying well in battle. There is a great rule called With Joy I Cease which allows the player to trade the death of their character in exchange for delivering a truly heroic blow either killing a normal creature outright or delivering a massive wound to unique creatures. It is better to die honourably with your sword in your hand and enter the halls of Valhalla than to die in your bed as an old man.

All in all Sagas of Midgard is a great little game, fast to learn, simple to play and the core system has loads of potential to expand into other genres due to its sheer simplicity.

Related posts:

  1. Midgard
  2. Review: Midgard Bestiary Volume 1
  3. Review: Midgard Bestiary (Pathfinder Edition)

Categories: Tabletop Gaming Blogs

Upcoming: The Withered Crag

Chaotic Henchmen - Sat, 04/20/2019 - 19:04
A new module is in the works: The Withered Crag. For low-level characters. Hopefully in time for NTRPGCon in June. Here's the back cover art by Alex Zisch.

Categories: Tabletop Gaming Blogs

Kickstarter: Odyssey of the Dragonlords

Stargazer's World - Wed, 04/17/2019 - 11:33

Modiphius is more active than ever. I just heard from their PR assistant Panny that they recently started another Kickstarter project which has been funded in its first 24 hours. They are raising funds for “Odyssey of the Dragonlords”, a 5th Edition adventure book inspired by Greek mythology and written by Arcanum Worlds, which was founded by ex-BioWare people. This might definitely raise some eyebrows … and in a good way.

Odyssey will be a roughly 260-page hardcover book containing an epic quest in the world of Thylea which will take a party of adventurers from 1st to 10th level. The artwork shown on the Kickstarter page looks gorgeous, and if you want to delve deeper into it, there’s already a free Player’s Guide to Odyssey of the Dragonlords available on DriveThruRPG.

If you’re a fan of D&D 5th Edition and Greek myth, you definitely should give this Kickstarter a look.

Related posts:

  1. How not to run a Kickstarter to fund your RPG
  2. Preview: Odyssey–The Complete Game Master’s Guide to Campaign Management
  3. Kickstarter: Mindjammer – The Roleplaying Game

Categories: Tabletop Gaming Blogs

James Albert Smith Jr (1968–2019)

Stargazer's World - Wed, 04/17/2019 - 06:48

On April 10th James Smith, known for his OSR blog Dreams of Mythic Fantasy, passed away. I didn’t really know him, but I’ve read his blog from time to time. Regardless, it always saddens me deeply when someone from our small community of RPG bloggers dies. My condolences go to his family and friends.

James’ family has set up an obituary page, where you can leave a tribute. If you want to support his family with the funeral costs, you can donate to their PayPal account.

Related posts:

  1. RPG Blog Anthology
  2. Roleplaying music: An interview with James Semple
  3. Kickstarter: RPG Smith

Categories: Tabletop Gaming Blogs

John Carter of Mars Live Play

Stargazer's World - Tue, 04/16/2019 - 06:21

I don’t actually remember when I first learned about Edgar Rice Burroughs’ series of books about a civil war veteran from Virginia who suddenly finds himself on Mars, but I immediately fell in love with it. I even love the not-so-successful Disney movie from 2012. It took some liberties with the story, but in my opinion perfectly captured the atmosphere of the books.

And so has Modiphius’ John Carter of Mars roleplaying game. So it’s no surprise that I just had to support the Kickstarter project back in January 2018. The fulfilment took a bit longer than expected, but the long wait was definitely worth it. The books I got so far are gorgeous! Unfortunately I haven’t had the time to give the books a closer look yet, which is why Modiphius’ upcoming Live Play is of interest to me. I have played another game using their in-house 2d20 System before, but John Carter of Mars uses a simplified version which could make things easier for new players and also speed up play. Especially during combats 2d20 always felt a bit slow. But I digress.

The live play will be on Facebook Live and will start on Wednesday, 17th of April, at 3 PM BST. Hopefully this will be a great opportunity to learn more about how the game plays. So save the date!

If you want to learn more about the John Carter roleplaying game, check out the official site, or watch the videos I posted below!


Enjoy!

Related posts:

  1. Lazy Friday Video post: “John Carter of Mars – Full Trailer”
  2. Games I am excited about: 2018 Edition
  3. 5 Reasons Why You Should Get The New Star Trek Adventures RPG

Categories: Tabletop Gaming Blogs

Escape The Noose, A Zweihänder Adventure

Stargazer's World - Sun, 04/14/2019 - 06:30

ESCAPE THE NOOSE is a Zweihänder adventure from Nights of the Shed that makes full use of the Main Gauche [MG] supplement. The booklet does say that you may want to use Main Gauche; I would say it is virtually essential. I am not saying this is a bad thing, rather I think it is a great adventure to introduce some of the cooler parts of the Zwei add-on companion to a game.

The stand-out thing for me is the setting for this adventure. It is as close to ‘real world’ as I have ever seen in a published adventure that included spell casters in the NPC list. What ESCAPE does is place the PCs into real world historical events, and these play out as a backdrop to the characters’ trials and challenges. Zweihänder is not a game where the PCs are going to change history and turn back armies; the history books are probably safe.

The ‘adventure’, and I use the quotes intentionally, is intended to last just one or two sessions and is best suited to bringing characters together and bonding them into a party. For that alone it is a great tool. The downside is that it is not really much of an adventure. There is one entry point and one exit point and a list of set play encounters in between.

So is this a good adventure module? I think it is. It is a bit of a railroad, but for a first session with new characters that is fine. At the end of the written module there are a number of ways the characters’ story can go; that is where the freedom to tell their own story really comes in.

Even though this is built out of a string of set plays, the characters still have options. Zwei characters are not renowned for being heroic; just surviving is often enough. In the characters’ escape they have those opportunities to be someone’s hero, even if it is just one life at a time and their actions buy the victim just a moment’s respite.

You do not really have to take my word for this, as you can listen to an actual play of this adventure on SoundCloud https://soundcloud.com/user-458434613. I confess that I have not listened to it. There is not much in role playing that I don’t do, but watching or listening to other people play is one of the things I simply don’t get.

Related posts:

  1. ZWEIHÄNDER
  2. ZWEIHÄNDER supplement round up
  3. Zweihänder Collaboration

Categories: Tabletop Gaming Blogs

Luridian Assassin

Graphite Prime - Sat, 04/13/2019 - 16:22

Luridian Assassin
AC: as chain (breast plate, gorget, and face-plate)
HD: 5d8 (30 hp)
Attacks:
  • 2 with a Luridian long-sword, +7 to hit
  • Damage: 1d8+2
  • Critical Hit on a natural 18, 19 or 20.
Initiative: +4
Stealth: 4 in 6
Save As: fighter 10
AL: neutral
Morale: 11
XP: 350

If the Luridian wins initiative she will size up her opponent, letting them act first, thus gaining advantage on her first strike.
Luridian Assassins have their eyes burned out at birth, yet somehow they can see…
They will never use magic or poison.
Nobody seems to know why or how they choose their targets.

About the drawing: The more I draw in ink, the more I want to. This was a pure ink sketch, no pencils or digital altering (except to remove my signature; didn't like the way it looked for some reason, and I've been experimenting with a new signature involving GP for Graphite Prime.) Anyhow, I'm beginning to love the chaos of drawing ONLY in ink.

R.I.P. James Smith.

Categories: Tabletop Gaming Blogs

Ballad of the Pistolero

Stargazer's World - Fri, 04/12/2019 - 06:00

A friend of mine has, completely by chance, been working on a Wild West RPG called Ballad of the Pistolero. I say completely by chance because the topic only came up when I was talking about my Devil’s Staircase Wild West RPG. The chances of two different developers writing a Wild West game at the same time have to be fairly low. It is hardly the most popular genre.

Anyway, DS Wild West is still plodding its way through public play test with over 300 downloads so far and I get a new download about every day. I have even set up a Discord server for play testers.

So a bit more about Ballad of the Pistolero… Foxwood Games tried to make a very cinematic, action-based Wild West game but has included elements of Zweihänder’s d100 system in that mix. You can take a look at the test rules, as there is a link to them near the bottom of the Kickstarter pitch. Making the test rules available is a nice idea, as it does mean that backers get to know exactly what it is they are buying into if they support the pitch.

As this is a friend’s pitch I will particularly encourage you to take a look and lend your support. Not that I am biased at all!

Related posts:

  1. Lazy Friday Video Post: Ballad of the Monster Manual
  2. Remember that Wild West game?
  3. New Savage Worlds Test Drive… and more!

Categories: Tabletop Gaming Blogs

I think I finally “get” Fudge

Stargazer's World - Thu, 04/11/2019 - 06:51

Since I first discovered it many years ago I have been struggling with Fudge. There are aspects I love, like its skill system and dice mechanic, but other parts of the game totally confused me. Yesterday I actually realized what may have contributed to this confusion.

I don’t actually remember where I first learned about that game, but eventually I tried to track down a copy. The only official copy available in print at that time was the 10th Anniversary Edition. It’s a huge tome with many optional rules, variant rules, and tips on how you can handle things in your game. When I first read it I was utterly confused. The basic mechanics were simple and easy to understand, but I still wasn’t sure on how to actually do things.

I had some success running a Fudge game set in the Fallout universe. Using the computer game as a basis helped me deal with some of the issues I had with Fudge at this point. I just copied attributes and skills from the computer game, and instead of gifts and faults I copied Fallout’s perks (which are basically just gifts).

You have to understand that Fudge is built on the premise that you as a GM can pick and choose on how you want to do things. You can freely pick which attributes you want in your game, what skills to use, how combat works, et cetera. But it also allows you to just “fudge things”. This means that you can easily have a game in which each player character has a totally different set of attributes. For checks you just use what you deem appropriate. The moment you accept that this is a possibility, the confusion begins to clear up. I too often worry that I am not playing a game “right”, as if this was a thing. I fear my brain is just wired that way. Realizing that “fudging it” was actually the right way to do things, or at least one acceptable method, made things click for me.

Sure, you can pick exactly what you want to use in your game. And at least when it comes to certain mechanics this might actually be necessary to avoid discussions at the game table, BUT when it comes to attributes, skills, gifts, and faults, you have much more freedom.

I also noticed that it’s probably best to check out the free 1995 edition of Fudge first, before delving deeper into the 10th Anniversary Edition. It’s about 100 pages long and contains everything you need to get started. The larger 10th Anniversary Edition has more stuff, but it might also be a bit overwhelming at first. Alternatively I can also recommend picking up “The Unexplained” by Carnivore Games, which is not only a great introduction to Fudge, but also a very cool game in its own right – especially if you have a soft spot for ghost hunters, cryptozoologists, and UFO “researchers”. You can check out my review of said game here.

So what do I plan to do with my greater understanding of Fudge? I really don’t know yet. I haven’t really run anything in a while, and I still suffer from some anxiety. It isn’t so bad that I can’t make plans, but it’s still bad enough to keep me from making any concrete plans. I have at least two players who are basically willing to play anything I am interested in running, so I might run a Fudge one-shot to get my feet wet again. I’ll keep you updated.

Related posts:

  1. How I stopped worrying and just used Fudge
  2. 5 Reasons Why You Should Check Out Fudge
  3. My quest to run a Fudge game

Categories: Tabletop Gaming Blogs

free pattern: Tulips (and a new video!)

Planet June - Thu, 03/28/2019 - 13:04

Here’s a new addition to my stemmed flower patterns: a beautiful realistic tulip flower with a clever one-piece construction. You’ll love how it comes together!

Don’t they look gloriously spring-like in their distinctive tulip colours? (I had so much fun picking the colours for these!)

I’ve also completed a new video (the first of many!) using my new audio/video equipment to accompany this pattern, and all my other stemmed flowers: Easy Yarn-Wrapped Stems for Crochet Flowers. As always, my videos are available in right- and left-handed versions, so you can see exactly what to do.

I hope you can see/hear the quality improvement in this new video, but if you don’t even notice because you’re concentrating on the content, that’s fine too. Clear, close-up and well explained techniques are always my top priority. Please subscribe to my YouTube channel so you’ll always see my latest videos – I have lots more in store!


Here are all my stemmed flowers together: Basic Rose, Daffodils, Carnations and the new Tulips. I hope they all brighten your day!

As I like to reward people who choose to donate for my donationware patterns, the PDF version of the Tulips pattern includes additional assembly photos (including left-handed photos) and my special technique for fastening off the yarn neatly at the base of the stem. As always, the pattern is free for you to use, and you need only donate if you’d like to thank me for my time in creating it, or if you’d like the easy-to-print PDF version.

Categories: Crochet Life

Sision Tower Now Available!

Graphite Prime - Wed, 03/27/2019 - 21:37

Some time ago, the wind began to sing of death in the Sision River Valley, and if purgatory were a song, Glovakians are now listening to it. The source of this soul-crushing music was tracked to 90 miles northwest of Ambir. What was found? A massive, oddly built stone tower that wasn't there before.

Word quickly spread and the curious set out in droves. Many turned back however, as every passing day the music got worse, but a brave, or foolish few, managed to make camp and eventually go inside. If anyone’s made it out, no one really knows, but there’s no shortage of rumors as to what's really going on in the place that has come to be known as, Sision Tower.

Sision Tower is an OSR styled, vertical dungeon-crawl where the PCs explore an odd domain of Holy origins. Here, they will test their survival skills as well as their Faith. Here, they will meet Saints and Seraphs. Here, in the struggle between Law and Chaos they have to decide.......Plunder?? ...Sacrifice??...or Both!!!

Sision Tower includes:

  • All original black and white art.
  • Over a dozen, fully illustrated, new magic items.
  • Unique monsters and a sample setting.
  • A vertical dungeon crawl of 35 rooms.
  • A spiritual setting in the same vein as Praise the Fallen.

Sision Tower is designed to challenge character levels 3-5 and is easily used with most traditional fantasy role-playing systems. 39 printer-friendly pages, now available at DriveThruRPG!

For all who purchase...Thank You!

Categories: Tabletop Gaming Blogs

Kickstarter: RPG Smith

Stargazer's World - Mon, 03/25/2019 - 07:26

This is just a quick update to let you folks know that the Kickstarter campaign to fund the RPGSmith (check out my article about it) GM features is now live. They need about €22,125 to add new functionality to their web application. Following are the GM features they want to add if the fundraiser is successful:

    • Create and manage campaigns (similar to Rule Sets in the current player version).
    • Invite player accounts to join their campaign.
    • See their player’s character’s dashboard.
    • Make updates to anything on their player’s characters, including character stat values, inventory, etc. (If allowed by the Player)
    • Make updates to the Campaign settings (such as creation/removal of character stats, new items/spells/ abilities, updates to the default dashboard, etc.) which would be automatically updated for the PCs.
    • Provide a chat interface which all users joined to the campaign can use to send private or public messages to anyone else in the campaign.
    • Share handouts, images, and other information with the players through a document sharing interface.
    • Build and control a campaign page of tiles visible to the players where the GM can store text, notes, images, counters, and other tiles.
    • Provide all users in the campaign access to share Dice results in real-time.
    • Have access to a campaign dashboard similar to the mock shown below. This will give GMs a high-level view and instant access to content they control in their campaign.

For more information on RPGSmith and the fundraising, check out the Kickstarter page.

Related posts:

  1. Kickstarter: Fate Core System
  2. Kickstarter: Feng Shui 2
  3. How not to run a Kickstarter to fund your RPG

Categories: Tabletop Gaming Blogs

Easy NPC Reactions

Stargazer's World - Sat, 03/23/2019 - 18:44

Michael recently posted about the 3hex style of starting a game off easily with minimal prep.

I thought I would share a technique that makes for interesting and sophisticated ‘common’ NPCs but without having to do any real prep. It can also lead to some interesting spin-off adventures in its own right.

The technique is based around a cross reference between all the NPCs as you create them. I use a spreadsheet but any grid will do. You list the NPCs across the top and down the side and block out the point where they cross reference.

The point of the grid is to map out the attitudes between all the people you have created. The actual numbers should reflect the system you are playing so in B/X, for example, -3 to +3 would be about right as that reflects the Cha characteristic bonuses. If you were playing Zweihander then -30 to +30 would work well or -4 to +4 for FUDGE and FATE.

Here is an example for a small town.

So in this case any interactions between Captain Flack and the Pugh twins would be at +2 (reading across) because he likes or respects them, but the Pughs do not really care one way or another about Flack (their reaction modifier is ±0). Between Captain Flack and the Mayor it is -2, and Philby (the Mayor’s manservant) is -3.

The Mayor doesn’t have any strong feelings towards Flack (±0) but Philby is at -2, so it looks like the animosity lies there.

The numbers in this case were simply 1d6-3. What this gives you is a layer of social cohesion between all the NPCs in a town without having to prep and write complex back stories.

As a GM you can ‘lend’ these reactions to the PCs when they get caught between two NPCs. For example Captain Flack asks the characters to carry a message to the Mayor. He does this to avoid going there himself. If the characters have to ask to see the Mayor via Philby he is much more likely to make them wait around and just be plain awkward if Philby knows they are carrying a message from Flack.

As GM you can use this same grid to construct all sorts of small town politics. Let us look at Dora Minton, Chippy Minton’s wife. Philby has a +3 reaction to Dora but Flack has a -3. They are at totally opposite ends of the scale. Was that the source of their falling out?

Chippy Minton has a -1 reaction mod towards his own wife but she is at +2 towards him. Does that sound like he is angry at her for something and she is desperate to make amends?

This table/grid can be a source of town gossip, local tension or even great assistance to the characters. It is fast to build on the fly. If you create an NPC you can quickly roll a couple of D6 to see how he or she is regarded by their peers. You do not need to complete the whole table at once. If the characters ask at the tavern about a place to stay you can quickly check the reactions between the barkeep and the two inn owners. Maybe he likes one much better than the other?

I find this grid to be a really useful ‘no prep’ way of adding a layer of depth to towns and villages and the NPCs that inhabit them. If an NPC goes missing who do the local gossips start to blame? Who do you need to win over to resolve a local rivalry?

Related posts:

  1. Quietly beavering away
  2. Hinterland
  3. And then she said, “Wait, Professor Jones can help us with this one!”

Categories: Tabletop Gaming Blogs

RPGSmith

Stargazer's World - Tue, 03/19/2019 - 09:00

A couple of days ago, David Sumner, co-founder of RPGSmith, got in touch with me and told me about his free web application. RPGSmith is – in a nutshell – an interactive character sheet with additional features like item, spell and ability management. The current application is meant for players, but they’ll be launching a Kickstarter later this week to fund an extended version of RPGSmith which will feature a GM campaign management interface.

At the moment, the application supports the following rulesets: D&D 5th Edition, Savage Worlds Deluxe Explorers Edition, Call of Cthulhu 7th Edition, Fate Core, Fate Accelerated, and Pathfinder. It is possible to add your own rulesets though.

From what I’ve seen so far RPGSmith could be a pretty nifty tool for players, regardless of whether they are playing online or offline. There is a bit of a learning curve though, but luckily the site provides users with quite a few tutorial videos.

Having an interactive character sheet definitely comes in handy from time to time, and RPGSmith has support for desktop PCs and mobile devices, which is a plus in my book. You can even customize your character sheets to your heart’s content. Will it change the way we play RPGs? I have my doubts, but it’s worth a look nevertheless.

What are your thoughts on RPGSmith? Have you had the chance to try it out? Please share your comment below!

Related posts:

  1. Kickstarter: RPG Smith
  2. Medieval town map tutorial
  3. Mercator-style maps in Photoshop

Categories: Tabletop Gaming Blogs

All good things come in Threes…

Stargazer's World - Fri, 03/15/2019 - 12:44

If you have followed my blog for a while you surely must have noticed that there’s a certain white whale I have been hunting for years now: an old-school D&D sandbox campaign. I’ve made several attempts to get one up and running, I switched around between various variants of the rules, sometimes abandoning D&D completely. Campaigns meant as sandboxes became more regular campaigns, and more often than not, I quickly burned out on running roleplaying games in general.

For years I have struggled with how to get things started. I either didn’t plan enough and relied on my improv skill alone, or I overplanned and quickly felt overwhelmed, the fun draining out of me like blood from a festering wound. But I think I finally found solutions to my problem. In his blog ChicagoWiz’s Games and his podcast The Dungeon Master’s Handbook, Michael thoroughly explains his approach to old-school sandbox gaming and even provides us with countless campaign starters.

The idea behind his “Three Hexes Campaign Starters” is quite simple. You start things small. At first you come up with a short campaign idea. What is your world all about? Then you place a home base (like a small town, keep, etc.) on your hex map. In addition to this you should come up with three interesting places to explore and place them onto the map adjacent to the home base. This should give your players a couple of options on what to do next without overwhelming yourself or the players. Last but not least you should have three important NPCs ready: one where the party can buy new equipment and supplies, one where they can sell their loot, and last but not least someone who helps them with acquiring new loot. That can be a patron providing them with an incentive to explore the wilds beyond the home base, or it’s an old man sharing rumors and legends with them.

You can then expand on this by adding more hexes, more locations, more NPCs as needed. You don’t have to plan out more than what you can use in the next session. It also should provide enough options without paralyzing the players with too many options. If you want to learn more about Michael’s ideas on starting a sandbox campaign, I highly recommend his post titled “Just Three Hexes”.

Related posts:

  1. From my reading list: ChicagoWiz’s RPG Blog
  2. Sandbox games: A collection of links
  3. In My Traveller Universe

Categories: Tabletop Gaming Blogs