Feed aggregator

Review & Commentary On Cha'alt By Venger Satanis For OSR Games, D20 Crimson Dragon Slayer, & D&D fifth edition

Swords & Stitchery - Sat, 08/03/2019 - 07:26
"Cha'lt is  a campaign setting  &  megadungeon called Cha'alt.  It's gonzo, eldritch, post-apocalyptic science-fantasy, and about 218  pages geared to both the OSR and 5e D&D audience." I was sent a copy of Cha'alt by Venger Satanis because I supported the Kickstarter for this 218 page megadungeon. Its another reworking of Venger's D2o neoclone system Crimson Dragon Slay  & a mega dungeon Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0
Categories: Tabletop Gaming Blogs


First Comics News - Sat, 08/03/2019 - 07:25

Tickets to #AEW‘s TNT network debut on Wed, Oct 2, 2019 at Washington D.C.’s @CapitalOneArena are currently #SOLDOUT, THANK YOU!

AEW Fans: Please continue to check in via https://t.co/lZXODJGKNs & https://t.co/xD1UKLjrvj on a recurring basis as tickets may be released for sale. pic.twitter.com/PEbY75eLkz

— All Elite Wrestling (@AEWrestling) August 2, 2019

Categories: Comic Book Blogs

The True Story of Four Days That Changed The Course of History in BIG BLACK: STAND AT ATTICA From BOOM! Studios

First Comics News - Sat, 08/03/2019 - 05:53

Discover for the First Time Ever the True Story From the Man at the Center of it All in February 2020

LOS ANGELES, CA (August 2, 2019) – BOOM! Studios today announced a brand new original graphic novel, BIG BLACK: STAND AT ATTICA, written by Frank “Big Black” Smith and Jared Reinmuth and illustrated by Améziane (Muhammad Ali), available in stores February 2020. This is an unflinching look at the true story about the price of standing up to injustice in what remains one of the bloodiest civil rights confrontations in American history, told for the very first time from the man at the center of it all – Frank “Big Black” Smith.

In the summer of 1971, New York’s Attica State Prison was a symbol of everything broken in America – prisoner abuse, rampant racism and a blind eye turned towards the injustices perpetrated on the powerless. But when the guards at Attica overreacted to a minor incident, the prisoners decided they’d had enough – and revolted against their jailers, taking them hostage and making demands for humane conditions.

A natural leader, Frank “Big Black” Smith found himself at the center of this uprising, struggling to protect hostages, prisoners and negotiators alike. But when the only avenue for justice seemed to be negotiating with Governor Nelson Rockefeller, Big Black soon discovered that a peaceful resolution for the prisoners in Attica was unattainable.

Frank “Big Black” Smith was a former inmate at Attica prison who was tortured by officers following the deadly 1971 uprising. After his release from prison, he worked as a substance abuse counselor and devoted his life to becoming the voice of his fellow prisoners in a 26-year lawsuit against New York State. Smith later became an advocate for the Forgotten Victims of Attica, a group comprised of surviving hostages and relatives of the dead prison guards who were believed to have been encouraged to accept limited benefits which barred them from suing the state. Smith married in 1983, studied to be a paralegal, and worked as an investigator for lawyers. He passed away at 70 years old in Kingston, N.C., after a long battle with cancer. He is survived by his wife, Pearl.

“My only wish would be that Frank was alive to experience and be a part of this, because he would love this. And he would leave us with this message: ‘The struggle continues.’ The struggle continues!” said Pearl Battle Smith, wife of Frank “Big Black” Smith.

Jared Reinmuth has worked as an actor, writer, teacher, director, and songwriter. He made his acting debut at the 1994 Dionysian International Theatre Festival in Veroli, Italy in Karen Malpede’s The Beekeeper’s Daughter.  Reinmuth made his directorial debut in 2016 at the Theater for the New City’s Dream UP Festival with Andrea J. Fulton’s Roof-Top Joy. His adaptation of Alexandre Dumas’ seminal masterpiece, Monte Cristo, debuted at the Hackensack Cultural Arts Center. He began his writing collaboration with Frank “Big Black” Smith in 1997, while assisting his father, famed Attica attorney Dan Meyers. In 2017, at the suggestion of his friend and colleague, Patrick Kennedy, Reinmuth joined forces with co-creator and artist Améziane, Frank Smith’s wife Pearl Battle Smith, and composer Alex Tichane to fully realize the work initially started by Frank “Big Black” Smith, as the graphic novel BIG BLACK: STAND AT ATTICA.

“In September of 1971, I was a small child sitting in the living room with my brother and sister as the events at Attica played out on television. My mother vowed that if we were ever in a position to contribute, we would help the Attica Brothers,” said writer Jared Reinmuth. “Frank ‘Big Black’ Smith was our hero, and [the fact that] decades later he and his wife, Pearl, would trust me to attempt his biography stands as the honor of my life. But it was only with the addition of Améziane and his brilliant artwork that the project took flight. And when BOOM! Studios took us on, this story found its home. The opportunity to work with insightful and talented editors like Sierra Hahn and Allyson Gronowitz completes the circle to fulfill a promise made decades ago.”

Améziane is an illustrator and graphic designer who grew up in Paris, France and began his comic book career by writing several scripts, eventually working on the comics adaptation of Cuatro Manos with novelist Paco Ignacio Taibo II. Améziene’s first comics work published in the United States was the New York Times bestseller Muhammad Ali, written by Sybille Titeux de la Croi. Today, Améziane divides his time between his own Noir comics, projects with writer Sybille Titeux de la Croix, collaborations with Jared Reinmuth, and working in film.

“Jared felt certain that the biography of a legendary Attica Brother, Frank ‘Big Black’ Smith, was the perfect book for me. He was 100% right,” said artist Améziane. “Together, with the support of Frank’s family and those who for decades stood with the Attica Brothers, we strove humbly to do justice to a story much larger than ourselves. I couldn’t be more proud to present it to you.”

BIG BLACK: STAND AT ATTICA is the latest release from BOOM! Studios’ award-winning Archaia imprint, home to inspiring graphic novels such as The Realist by Asaf Hanuka, Girl on Film by Cecil Castellucci and Vicky Leta, Melissa Duffy, V. Gagnon & Jon Berg, New World by David Jesus Vignolli, About Betty’s Boob by Vero Cazot and Julie Rocheleau, Waves by Ingrid Chabbert and Carole Maurel, The Grand Abyss Hotel by Marcos Prior and David Rubín, and more.

“The story of Frank ‘Big Black’ Smith and the Attica Brothers represents a pivotal moment in our own violent and bloody history within the justice system and our country’s relationship with race, religion, and class,” said Sierra Hahn, Executive Editor. “The work done by Big Black, Jared, and Améziane in this graphic novel honors those who fought against injustice of the time and asks us to look at where we are today.”

Print copies of BIG BLACK: STAND AT ATTICA will be available for sale in February 2020 at local comic book shops (use comicshoplocator.com to find the nearest one), bookstores or at the BOOM! Studios webstore. Digital copies can be purchased from content providers, including comiXology, iBooks, Google Play, and the BOOM! Studios app.

For continuing news on BIG BLACK: STAND AT ATTICA and more from BOOM! Studios, stay tuned to www.boom-studios.com and follow @boomstudios on Twitter.

Categories: Comic Book Blogs


First Comics News - Sat, 08/03/2019 - 05:51

Enjoy all-ages adventures in the spirit of
the Hardy Boys, The X-Files, and Scooby-Doo.

Writer(s): Shawn Pryor, Giulie Speziani
Artist Name(s): Marcus Kwame Anderson, Chris & Gin, Tressina Bowling
Cover Artist(s): Caroline Frumento
96 pgs./ E / FC

Creator/writer Shawn Pryor (FORCE: THE WRIGHT TIME, KENTUCKY KAIJU) has a very special message below about his upcoming graphic novel out next week!

Dallas Cash and Inez Carrie aren’t your run-of-the-mill everyday kids. They’re best friends, and they solve mysteries of all sizes, anywhere and anytime!

Dallas is a tenacious techie who believes in the supernatural, whereas Inez bases her crime-solving skills in realism, and is also captain of the wrestling team.

This middle-readers series moves forward with the release of CASH & CARRIE – BOOK TWO: SUMMER SLEUTHS. I’ve always enjoyed the Hardy Boys & Nancy Drew novels, television series such as The X-Files, and animated series such as Scooby-Doo, Gravity Falls, and Fillmore. I wanted to take my love for all of those things and give a new generation of comic readers fun, exciting, and inclusive mystery-filled stories that anyone can enjoy.

But, I did not create CASH & CARRIE on my own. With co-creator Giulie Speziani and the talented Penny Candy Studios, we made a pilot comic in 2015 that turned into a successful Kickstarter campaign. The following year, we created a full-fledged graphic novel (CASH & CARRIE: BOOK ONE – SLEUTH 101). And now, CASH & CARRIE are finally back with all-new stories.

In BOOK TWO, schools out for the summer, and that means it’s time to retreat to a cabin in the woods where it’s always safe, and nothing wrong ever happens. Maybe.

It’s all fun and games at Summer Camp Sobol until strange things start happening. Campers end up missing, Bigfoot might exist, and what’s really in the cafeteria coleslaw?

With no Wi-Fi and the mosquito repellent not cutting it, our detective duo will have to stick together to solve these mysteries on their own. Will Cash & Carrie survive this spooky summer camp of supreme superstition? And who will win the Camp Sobol Summer Games? You’ll have to read Book Two to find out!

Additional stories include C+C in a culinary whodunit, and we also get a glimpse into the C+C universe and find out what the other kids in the neighborhood did over the summer, too! And there’s also a pinup gallery!

Book Two also features terrific artwork by up and coming talents such as Marcus Kwame Anderson, Chris Ludden & Ginger Dee, Tressina Bowling, and many others, with a cover by Caroline Frumento.

CASH & CARRIE is a project that is close to my heart, and I am thankful to everyone that has supported this graphic novel series so far. I will continue to get this book in the hands of more readers, no matter what it takes.

BOOK ONE and TWO are available wherever books are sold, so I hope you get a copy for your kids or a kid at heart.

Pre-order a copy of CASH & CARRIE BOOK 2 with the Diamond item code JUN191318.

Categories: Comic Book Blogs

 IDW to publish Classic Captain Action Comic Series

First Comics News - Sat, 08/03/2019 - 05:45

The 60s series to be collected for the first time

 New York, N.Y. (August 2, 2019): At their annual San Diego Comic-Con panel, Captain Action Enterprises announced plans for a collection of the classic comic series to be published by IDW in 2020. Originally published by DC comics from October/November of 1968 to June/July of 1969, these Captain Action comics have always been held in high regard by both comics fans and toy collectors.

Although short-lived, high-profile creators contributed to this series including Wallace Wood, Gil Kane, Jim Shooter, Dick Giordano, Carmine Infantino and Irv Novick. In fact, this was the series where Jim Shooter received his first in-comic credit and where Gil Kane first took the creative reins as both writer and artist.

Comic writer Mark Waid, also longtime Captain Action fan and collector, will provide the introduction to the collection.

Plans call for the hardcover release with a myriad of Captain Action extras, including “lost art” from Silver Age artists Murphy Anderson, Kurt Schaffenberger and Chic Stone.

“It’s great to see this historically significant material getting the collected edition treatment at last,” said J.C. Vaughn, Vice-President of Publishing, Gemstone Publishing (the Overstreet Comic Book Price Guide. “The work of Jim Shooter, Wally Wood and Gil Kane makes this a project work checking out even for those who are not yet familiar with Captain Action.”

This series focused on the adventures of Captain Action, Action Boy, his pet panther, Khem and the insidious Dr. Evil.  Captain Action’s amphibious “super-car” the Silver Streak, was also prominently featured in the series.

“We’ve got a lot of future projects percolating with Captain Action, but we’re especially thrilled to finally reprint these Silver Age classics,” said Michael Polis, Partner, Captain Action Enterprises.

More details, including pre-ordering and retailer information, will be made available soon.

Categories: Comic Book Blogs


First Comics News - Sat, 08/03/2019 - 04:50
Jughead and Vampironica now know how to set their respective realities right thanks to a most unexpected guest star—and the solution involves the very haunted history of Riverdale itself! The question is, have they bitten off more than they can chew (pun intended) as the newly arrived hordes of vampires try to end them both?
Script: Frank Tieri
Art: Pat and Tim Kennedy, Joe Eisma, Bob Smith, Lee Loughridge, Jack Morelli
Cover: Pat and Tim Kennedy, Bob Smith, Matt Herms
Variant Covers: Dan Panosian, Matthew Taylor
On Sale Date: 8/28
32-page, full color comic
$3.99 U.S.

Categories: Comic Book Blogs

ARCHIE VS. PREDATOR 2 #2 preview

First Comics News - Sat, 08/03/2019 - 04:50
Our trios (new and old) are getting to know each other better—like Classic Betty and Veronica discovering that the newer versions of themselves actually AREN’T both trying to win over Archie’s affections. There’s a lot to take in in this brave, new world, but they’ve got a more pressing issue to deal with: Predator-Archie is quickly turning back into a Predator, and time is running out. Fortunately, the Riverdale Halloween Dance may be just the cover the gang(s) need.
Script: Alex de Campi
Art: Robert Hack, Kelly Fitzpatrick, Jack Morelli
Cover: Robert Hack, Kelly Fitzpatrick
Variant Covers: Howard Chaykin, Bill Galvan, Rebekah Isaacs, Greg Smallwood, Michael Walsh
On Sale Date: 8/28
32-page, full color comic
$3.99 U.S.

Categories: Comic Book Blogs

Pathfinder 2.0 from Paizo

Gamer Goggles - Sat, 08/03/2019 - 02:32
PATHFINDER SECOND EDITION UNLEASHED! Advance your game with rules that are easier to learn, faster to play, and endlessly customizable. REDMOND, WASHINGTON (August 1, 2019): Today, Paizo released the highly anticipated second edition of the Pathfinder Roleplaying Game. The 640-page Pathfinder Core Rulebook contains everything players and Game Masters need to build deeply customizable characters and weave fantastic stories and adventures, while the 360-page Pathfinder Bestiary contains more than 400 monsters from Aeons to Zombies, with more lore and more intuitive game stats than ever before. A new Adventure Path, a standalone adventure, character sheets, condition cards, and more all launch today, providing players with a full slate of adventures and accessories for their campaigns.
“We’ve spent years of development improving the design of Pathfinder to provide deeper character customization, faster gameplay, and crafting rules that are easier for players to learn. We’re excited to see how Pathfinder Second Edition empowers your storytelling and creates shared experiences that last a lifetime!” said Erik Mona, Paizo’s Publisher and Chief Creative Officer.
Your story awaits! Dive into a murder mystery with the 64-page Fall of Plaguestone standalone adventure. If epic campaigns that take your character all the way to 20th level are more your style, start with the Hellknight Hill adventure and embark on a continent-spanning conflict against cultists, slavers, and a fiery draconic devastation in the Age of Ashes Adventure Path.
For a single evening of storytelling, join tens of thousands of players as an agent of the Pathfinder Society, a legendary league of explorers, archaeologists, and adventurers dedicated to discovering and chronicling the greatest mysteries and wonders of an ancient world beset by magic and evil. The new season starts today, so it’s the perfect time to join! Learn more at PathfinderSociety.club.
Pathfinder accessories, like the double-sided Fall of Plaguestone Flip-Mat, GM Screen, Combat Pad, Character Sheet Pack, and Condition Cards, also release today immerse Pathfinder players even more deeply in their new adventures.
Paizo’s official licensed partners also join us for the launch of Pathfinder Second Edition!
Accessories: Campaign Coins releases Pathfinder Hero Point Tokens, a new dice tray, and the Pathfinder Second Edition logo pin. Q-Workshop adds a Second Edition dice set. Dog Might launches the Pathfinder Valhalla GM Screen and Dragon Sheath.
Actual Play: Join The Glass Cannon as they play Silent Tide on YouTube, as well as their live performances in Indianapolis during Gen Con! Don’t miss Geek & Sundry’s weekly Knights of Everflame Tuesdays at 4 p.m. Pacific, Paizo’s very own Oblivion Oath Thursdays at noon Pacific, and Dragons & Things live on Twitch at 6 p.m. Pacific every Friday.
Audio: Syrinscape releases the Fall of Plaguestone SoundSet, giving GMs and players a deeper and more immersive experience as they adventure through the Fall of Plaguestone adventure.
Miniatures: WizKids releases the Legendary Adventures Preview Pack, featuring 8 monsters and heroes from Pathfinder Second Edition, followed in September by the 44-figure Legendary Adventures booster set and Goblin Village premium set.
Online: Create a brand new Second Edition character with Hero Lab Online and play with friends around the world on virtual tabletops like Fantasy Grounds and Roll20, and d20Pro.
Online Rules: Archives of Nethys has the official Pathfinder Second Edition SRD available at PFRD.Info.
Terrain: Dwarven Forge begins preorders on the Fall of Plaguestone Adventure Kit.
Translations: New Order Editora launches Pathfinder Second Edition in Brazil with the Pathfinder Core Rulebook (PDF) in Portuguese, with additional products released in October and December. Devir (Spanish), Ulisses Spiele (German), and Black Book Editions (French) are all at work on Second Edition releases as well. Stay tuned!
Pathfinder Second Edition is one of the most-supported roleplaying game launches in history with more than 1,000 pages of rules, lore, adventures, and accessories available for purchase now. Pathfinder products are available at your favorite local game store, book store, online retailer, and paizo.com. PDFs are available exclusively at paizo.com.
To start playing today, visit PathfinderSecondEdition.com.               About PaizoPaizo Inc. is one of the world’s leading hobby game publishers. Since 2002, millions of players have joined the goblin army by playing the Pathfinder® and Starfinder® roleplaying games across tabletops, at conventions, at their favorite local game store, and digitally on virtual tabletops. Paizo.com is an online retail hobby destination for millions of gamers that carries the latest products from top hobby game publishers. Players also find accessories, like dice and maps, miniatures, T-shirts, goblin plush toys, and the newest releases to quickly replenish those adventuring supplies for the next dungeon run. Copyright secured by Digiprove © 2019
Categories: Tabletop Gaming Blogs

Free OSR PDF Dragon Foot Resource ~ Guide To The Realms of Aedenne For Your Old School Fantasy Campaign

Swords & Stitchery - Fri, 08/02/2019 - 23:03
"A new gaming world  of adventure  designed for First Edition Advanced Dungeons & Dragons, but of course easily adapted for use in all roleplay games." Download It Right Over HERE This is a campaign world designed in the vein of the classic first edition AD&D game but easily adaptable to any OD&D world or retroclone currently on the market. The world is described by Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0
Categories: Tabletop Gaming Blogs

The Revenge Of The Rumps - Tegel Manor 1977 By Judge's Guild Campaign Notes

Swords & Stitchery - Fri, 08/02/2019 - 18:28
"Tegel Manor is an adventure involving Tegel Manor, a great manor-fortress belonging to the Rump family, whose only living member is Sir Runic the Rump, who has tried to sell the manor with no luck, and would reward anyone who could rid the manor of his corrupt, dead ancestors" Well let's charge into today's entry. Like a bad dream Tegel Manor has reared its head in my world once Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0
Categories: Tabletop Gaming Blogs

Say hello to Lord Exploit Kit

Malwarebytes - Fri, 08/02/2019 - 18:15

Just as we had wrapped up our summer review of exploit kits, a new player entered the scene. Lord EK, as it is calling itself, was caught by Virus Bulletin‘s Adrian Luca while replaying malvertising chains.

In this blog post, we do a quick review of this exploit kit based on what we have collected so far. Malwarebytes users were already protected against this attack.

Exploit kit or not?

Lately there has been a trend of what we call pseudo-exploit kits, where a threat actor essentially grabs a proof of concept for an Internet Explorer or Flash Player vulnerability and crafts a very basic page to load it. It is probably more accurate to describe these as drive-by download attacks, rather than exploit kits.

With an exploit kit we expect to see certain feature sets that include:

  • a landing page that fingerprints the machine to identify client side vulnerabilities
  • dynamic URI patterns and domain name rotation
  • one or more exploits for the browser or one of its plugins
  • logging of the victim’s IP address
  • a payload that may change over time and that may be geo-specific
Quick glance at Lord EK

The first tweet from @adrian__luca about Lord EK came out in the morning of August 1st and shows interesting elements. It is part of a malvertising chain via the PopCash ad network and uses a compromised site to redirect to a landing page.

We can see a very rudimentary landing page in clear text with a comment at the top left by its author that says: <!– Lord EK – Landing page –>. By the time we checked it, it had been obfuscated but remained essentially the same.

There is a function that checks for the presence and version of the Flash Player, which will ultimately be used to push CVE-2018-15982. The second part of the landing page collects information that includes the Flash version and other network attributes about the victim.

Interesting URI patterns

One thing we immediately noticed was how the exploit kit’s URLs were unusual. We see the threat actor is using the ngrok service to craft custom hostnames (we informed ngrok of this abuse of their service by filing a report).

This is rather unusual at least from what we have observed with exploit kits in recent history. As per ngrok’s documentation, it exposes a local server to the public internet. The free version of ngrok generates randoms subomains which is almost perfect (and reminds us of Domain Shadowing) for the exploit kit author.

Flash exploit and payload

At the time of writing, Lord EK only goes for Flash Player, and not Internet Explorer vulnerabilities. Nao_Sec quickly studied the exploit and pointed out it is targeting CVE-2018-15982.

After exploiting the vulnerability, it launches shellcode to download and execute its payload:

The initial payload was njRAT, however the threat actors switched it the next day for the ERIS ransomware, as spotted by @tkanalyst.

We also noticed another change where after exploitation happens, the exploit kit redirects the victim to the Google home page. This is a behavior that was previously noted with the Spelevo exploit kit.

Under active development

It is still too early to say whether this exploit kit will stick around and make a name for itself. However, it is clear that its author is actively tweaking it.

This comes at a time when exploit kits are full of surprises and gaining some attention back among the researchers community. Even though the vulnerabilities for Internet Explorer and Flash Player have been patched and both have a very small market share, usage of the old Microsoft browser still continues in many countries.

Brad Duncan from Malware Traffic Analysis has posted some traffic captures for those interested in studying this exploit kit.

Indicators of Compromise

Compromised site


Network fingerprinting


Lord EK URI patterns




Eris ransomware


The post Say hello to Lord Exploit Kit appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Capital One breach exposes over 100 million credit card applications

Malwarebytes - Fri, 08/02/2019 - 16:00

Just as we were wrapping up the aftermath of the Equifax breach—how was that already two years ago?—we are confronted with yet another breach of about the same order of magnitude.

Capital One was affected by a data breach in March. The hacker gained access to information related to credit card applications from 2005 to early 2019 for consumers and small businesses. According to the bank the breach affected around 100 million people in the United States and about 6 million people in Canada.

What’s very different in this breach is that a suspect has already been apprehended. On top of that, the suspect admitted she acted illegally and disclosed the method she used to get hold of the data. From the behavior of the suspect you would almost assume she wanted to get caught. She put forth only a minimal effort to hide her identity when she talked about having access to the data, almost bragging online about how much she had been able to copy.

What happened?

A former tech company software engineer that used to be employed by Amazon Web Services (AWS) was storing the information she gained from the breach in a publicly accessible repository. AWS is the cloud hosting company that Capital One was using. From the court filings we may conclude that Paige Thompson used her hands-on knowledge of how AWS works and combined it with exploiting a misconfigured web application firewall. As a result, she was able to copy large amounts of data from the AWS buckets. She posted about having this information on several platforms which lead to someone reporting the fact to Capital One. This led to the investigation of the breach and the arrest of the suspect.

How should Capital One customers proceed?

Capital One has promised to reach out to everyone potentially affected by the breach and to provide free credit monitoring and identity protection services. While Capital One stated that no log-in credential were compromised, it wouldn’t hurt to change your password if you are a current customer or you recently applied for a credit card with the company. For other useful tips, you can read our blogpost about staying safe in the aftermath of the Equifax breach. You will find a wealth of tips to stay out of the worst trouble. Also be wary of the usual scams that will go online as spin-offs from this breach.

What can other companies learn from this incident?

While the vulnerability has been fixed, there are other lessons to be learned from this incident.

Even though it is impractical for companies the size of Capital One to run their own web services, we can ask ourselves if all of the sensitive information needs to be stored in a place where we do not have full control. Companies like Capital One use these hosting services for scalability, redundancy, and protection. One of the perks is that employees all over the world can access, store, and retrieve any amount of data. This can also be the downside in cases of disgruntled employees or misconfigured Identity & Access Management (IAM) services. Anyone that can successfully impersonate an employee with access rights can use the same data for their own purposes. Amazon Elastic Compute Cloud (EC2) is a web-based service that allows businesses to run application programs in the AWS public cloud. When you run the AWS Command Line Interface from within an Amazon EC2 instance, you can simplify providing credentials to your commands. From the court filings it looks as if this is where the vulnerability was exploited for.

Companies using AWS and similar cloud hosting services should pay attention to:

  • IAM provisioning: Be restrictive when assigning IAM roles so access is limited to those that need it and taken away from those that no longer need it.
  • Instance metadata: Limit access to EC2 metadata as these can be abused to assume an IAM role with permissions that do not belong to the user.
  • Comprehensive monitoring: While monitoring is important for every server and instance that holds important data, it is imperative to apply extra consideration to those that are accessible via the internet. Alarms should have gone off as soon as TOR was used to access the EC2.
  • Misconfigurations: If you do not have the in-house knowledge or want to doublecheck, there are professional services that can scan for misconfigured servers.

Ironically, Capital One has released some very useful open source tools for AWS compliance and has proven to have the in-house knowledge. Capital One has always been more on the Fintech side than most traditional banks, and they were early adopters of using the Cloud.  So, the fact that this breach happened to them is rather worrying as we would expect other banks to be even more vulnerable.

Stay posted

Even though we already know a lot more details about this data breach than usual, we will follow this one as it further unravels.

If you want to follow up directly with a few resources, you can click below:

Official Capital One statement

Paige Thompson Criminal Complaint

The post Capital One breach exposes over 100 million credit card applications appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Everything you need to know about ATM attacks and fraud: part 2

Malwarebytes - Fri, 08/02/2019 - 15:00

This is the second and final installment of our two-part series on automated teller machine (ATM) attacks and fraud.

In part 1, we identified the reasons why ATMs are vulnerable—from inherent weaknesses of its frame to its software—and delved deep into two of the four kinds of attacks against them: terminal tampering and physical attacks.

Terminal tampering has many types, but it involves either physically manipulating components of the ATM or introducing other devices to it as part of the fraudulent scheme. Physical attacks, on the other hand, cause destruction to the ATM and to the building or surrounding area where the machine is situated.

We have also supplied guidelines for users—before, during, and after—that will help keep them safe when using the ATM.

For part 2, we’re going to focus on the final two types of attacks: logical attacks and the use of social engineering.

Logical ATM attacks

As ATMs are essentially computers, fraudsters can and do use software as part of a coordinated effort to gain access to an ATM’s computer along with its components or its financial institution’s (FI’s) network. They do this, firstly, to obtain cash; secondarily, to retrieve sensitive data from the machine itself and strip or chip cards; and lastly, intercept data they can use to conduct fraudulent transactions.

Enter logical attacks—a term synonymous with jackpotting or ATM cash-out attacks. Logical attacks involve the exploitation and manipulation of the ATM’s system using malware or another electronic device called a black box. Once cybercriminals gain control of the system, they direct it to essentially spew cash until the safe empties as if it were a slot machine.

The concept of “jackpotting” became mainstream after the late renowned security researcher Barnaby Jack presented and demoed his research on the subject at the Black Hat security conference in 2010. Many expected ATM jackpotting to become a real-world problem since then. And, indeed, it has—in the form of logical attacks.

In order for a logical attack to be successful, access to the ATM is needed. A simple way to do this is to use a tool, such as a drill, to make an opening to the casing so criminals can introduce another piece of hardware (a USB stick, for example) to deliver the payload. Some tools can also be used to pinpoint vulnerable points within the ATM’s frame or casing, such as an endoscope, which is a medical device with a tiny camera that is used to probe inside the human body.

If you think that logical attacks are too complex for the average cybercriminal, think again. For a substantial price, anyone with cash to spare can visit Dark Web forums and purchase ATM malware complete with easy how-to instructions. Because the less competent ATM fraudsters can use malware created and used by the professionals, the distinction between the two blurs.

Logical attack types

To date, there are two sub-categories of logical attacks fraudsters can carry out: malware-based attacks and black box attacks.

Malware-based attacks. As the name suggests, this kind of attack can use several different types of malware, including Ploutus, Anunak/Carbanak, Cutlet Maker, and SUCEFUL, which we’ll profile below. How they end up on the ATM’s computer or on its network is a matter we should all familiarize ourselves with.

Installed at the ATM’s PC:

  • Via a USB stick. Criminals load up a USB thumb drive with malware and then insert it into a USB port of the ATM’s computer. The port is either exposed to the public or behind a panel that one can easily remove or punch a hole through. As these ATM frames are not sturdy nor secure enough to counter this type of physical tampering, infecting via USB and external hard drive will always be an effective attack vector. In a 2014 article, SecurityWeek covered an ATM fraud that successfully used a malware-laden USB drive.
  • Via an external hard drive or CD/DVD drive. The tactic is similar to the USB stick but with an external hard drive or bootable optical disk.
  • Via infecting the ATM computer’s own hard drive. The fraudsters either disconnect the ATM’s hard drive to replace it with an infected one or they remove the hard drive from its ATM, infect it with a Trojan, and then reinsert it.

Installed at the ATM’s network:

  • Via an insider. Fraudsters can coerce or team up with a bank employee with ill-intent against their employer to let them do the dirty work for them. The insider gets a cut of the cashed-out money.
  • Via social engineering. Fraudsters can use spear phishing to target certain employees in the bank to get them to open a malicious attachment. Once executed, the malware infects the entire financial institution’s network and its endpoints, which include ATMs. The ATM then becomes a slave machine. Attackers can send instructions directly to the slave machine for it to dispense money and have money mules collect.

    Note that as criminals are already inside the FI’s network, a new opportunity to make money opens its doors: They can now break into sensitive data locations to steal information and/or proprietary data that they can further abuse or sell in the underground market.

Installed via Man-in-the-Middle (MiTM) tactics:

  • Via fake updates. Malware could be introduced to ATM systems via a bogus software update, as explained by Benjamin Kunz-Mejri, CEO and founder of Vulnerability Lab after he discovered (by accident) that ATMs in Germany publicly display sensitive system information during their software update process. In an interview, Kunz-Mejri said that fraudsters could potentially use the information to perform a MiTM attack to get inside the network of a local bank, run malware that was made to look like a legitimate software update, and then control the infected the ATM.

Black box attacks. A black box is an electronic device—either another computer, mobile phone, tablet, or even a modified circuit board linked to a USB wire—that issues ATM commands at the fraudster’s bidding. The act of physically disconnecting the cash dispenser from the ATM computer to connect the black box bypasses the need for attackers to use a card or get authorization to confirm transactions. Off-premise retail ATMs are likely targets of this attack.

A black box attack could involve social engineering tactics, like dressing up as an ATM technician, to allay suspicions while the threat actor physically tamper with the ATM. At times, fraudsters use an endoscope, a medical tool used to probe the human body, to locate and disconnect the cash dispenser’s wire from the ATM computer and connect it to their black box. This device then issues commands to the dispenser to push out money.

As this type of attack does not use malware, a black box attack usually leaves little to no evidence—unless the fraudsters left behind the hardware they used, of course.

Experts have observed that as reports of black box attacks have dropped, malware attacks on ATMs are increasing.

ATM malware families

As mentioned in part 1, there are over 20 strains of known ATM malware. We’ve profiled four of those strains to give readers an overview of the diversity of malware families developed for ATM attacks. We’ve also included links to external references you can read in case you want to learn more.

Ploutus. This is a malware family of ATM backdoors that was first detected in 2013. Ploutus is specifically designed to force the ATM to dispense cash, not steal card holder information. An earlier variant was introduced to the ATM computer via inserting an infected boot disk into its CD-ROM drive. An external keyboard was also used, as the malware responds to commands executed by pressing certain function keys (the F1 to F12 keys on the keyboard). Newer versions also use mobile phones, are persistent, target the most common ATM operating systems, and can be tweaked to make them vendor-agnostic.

Daniel Regalado, principal security researcher for Zingbox, noted in a blog post that a modified Ploutus variant called Piolin was used in the first ATM jackpotting crimes in the North America, and that the actors behind these attacks are not the same actors behind the jackpotting incidents in Latin America.

References on Ploutus:

Anunak/Carbanak. This advanced persistent malware was first encountered in the wild affecting Ukrainian and Russian banks. It’s a backdoor based on Carberp, a known information-stealing Trojan. Carbanak, however, was designed to siphon off data, perform espionage, and remotely control systems.

The Anunak/Carbanak admin panel (Courtesy of Kaspersky)

It arrives on financial institution networks as attachment to a spear phishing email. Once in the network, it looks for endpoints of interest, such as those belonging to administrators and bank clerks. As the APT actors behind Carbanak campaigns don’t have prior knowledge of how their target’s system works, they surreptitiously video record how the admin or clerk uses it. Knowledge gained can be used to move money out of the bank and into criminal accounts.

References on Anunak/Carbanak:

Cutlet Maker. This is one of several ATM malware families being sold in underground hacking forums. It is actually a kit comprised of (1) the malware file itself, which is named Cutlet Maker; (2) c0decalc, which is a password-generating tool that criminals use to unlock Cutlet Maker; and (3) Stimulator, another benign tool designed to display information about the target ATM’s cash cassettes, such as the type of currency, the value of the notes, and the number of notes for each cassette.

Cutlet Maker’s interface (Courtesy of Forbes)

References on Cutlet Maker:

SUCEFUL. Hailed as the first multi-vendor ATM malware, SUCEFUL was designed to capture bank cards in the infected ATM’s card slot, read the card’s magnetic strip and/or chip data, and disable ATM sensors to prevent immediate detection.

The malware’s name is derived from a typo—supposed to be ‘successful’—by its creator, as you can see from this testing interface (Courtesy of FireEye)

References on SUCEFUL:

Social engineering

Directly targeting ATMs by compromising their weak points, whether they’re found on the surface or on the inside, isn’t the only effective way for fraudsters to score easy cash. They can also take advantage of the people using the ATMs. Here are the ways users can be social engineered into handing over hard-earned money to criminals, often without knowing.

Defrauding the elderly. This has become a trend in Japan. Fraudsters posing as relatives in need of emergency money or government officials collecting fees target elderly victims. They then “help” them by providing instructions on how to transfer money via the ATM.

Assistance fraud. Someone somewhere at some point in the past may have been approached by a kindly stranger in the same ATM queue, offering a helping hand. Scammers uses this tactic so they can memorize their target’s card number and PIN, which they then use to initiate unlawful money transactions.

The likely targets for this attack are also the elderly, as well as confused new users who are likely first-time ATM card owners.

Shoulder surfing. This is the act of being watched by someone while you punch in your PIN using the ATM’s keypad. Stolen PIN codes are particularly handy for a shoulder surfer, especially if their target absent-mindedly leaves the area after retrieving their cash but hasn’t fully completed the session. Some ATM users walk away before they can even answer the machine when it asks if they have another transaction. And before the prompt disappears, the fraudster enters the stolen PIN to continue the session.

Eavesdropping. Like the previous point, the goal of eavesdropping is to steal the target’s PIN code. This is done by listening and memorizing the tones the ATM keys make when someone punches in their PIN during a transaction session.

Distraction fraud. This tactic swept through Britain a couple years ago. And the scenario goes like this: An unknowing ATM user gets distracted by the sound of dropping coins behind him/her while taking out money. He or she turns around to help the person who dropped the coins, not knowing that someone else is already either stealing the cash the ATM just spewed out or swapping a fake card to his real one. The ATM user looks back at the terminal, content that everything looked normal, then goes on their way. The person they helped, on the other hand, is either given the stolen card to or tells their accomplice the stolen card’s PIN, which he/she memorized when their target punched it in and before deliberately dropping the coins.

A still taken from Barclay’s public awareness campaign video on distraction fraud (Courtesy of This is Money) Continued vigilance for ATM users and manufacturers

Malware campaigns, black box attacks, and social engineering are problems that are actively being addressing by both ATM manufacturers and their financial institutions. However, that doesn’t mean that ATM users should let their guards down.

Keep in mind the social engineering tactics we outlined above when using an ATM, and don’t forget to keep a lookout for something “off” with the machine you’re interacting with. While it’s quite unlikely a user could tell if an information-stealer had compromised her ATM (until she saw the discrepancies in her transaction records later), there are some malware types that can physically capture cards.

If this happens, do not leave the ATM premises. Instead, record every detail in relation to what happened, such as the time it was captured, the ATM branch you use, and which transactions you made prior to realizing the card would not eject. Take pictures of the surroundings, the ATM itself, and attempt to stealthily snap any people potentially lingering about. Finally, call your bank and/or card issuer to report the incident and request card termination.

We would also like to point you back to part 1 of this series again, where we included a useful guideline for reference on what to look out for before dropping by an ATM outlet.

As always, stay safe!

The post Everything you need to know about ATM attacks and fraud: part 2 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The First Appearance of Charles Gunn in ANGEL #4 From BOOM! Studios

First Comics News - Fri, 08/02/2019 - 14:49

Discover Your First Look at the Hottest New Issue of the Vampire with a Soul in August 2019

LOS ANGELES, CA (August 1, 2019) – BOOM! Studios, in partnership with 20th Century Fox, revealed today Charles Gunn, the iconic vampire hunter, will make his first full appearance in the next issue of the hit series, ANGEL #4, reimagining the pop culture phenomenon by acclaimed writer Bryan Edward Hill (Batman, American Carnage), artist Gleb Melnikov (Saban’s Go Go Power Rangers), along with visionary writer and director Joss Whedon (Buffy the Vampire Slayer, Marvel’s The Avengers), available August 28, 2019.

After saving the mysterious and troubled Fred from the demon stalking her in Sunnydale, Angel gets sucked into a twisted realm where he is tortured by visions of past atrocities and a mysterious figure with a stake aimed straight for his heart! In order to escape an eternity under the demon’s power, Angel must battle its insidious illusions and defeat his own fears. But little does he know, a much greater evil is on the horizon and he’ll need every resource and ally he can find to help him save the world, starting with Fred, who’s somehow connected to the dark forces surrounding Angel, and the first appearance of a familiar face from the streets of Los Angeles—vampire hunter Charles Gunn—but is he here to help the vampire with a soul or dust him once and for all?

ANGEL #4 features a main cover by artist Dan Panosian (Slots), as well as variant covers by artists Scott Buoncristiano (Buffy the Vampire Slayer), Gabriel Hernandez Walta (Vision), and series artist Gleb Melnikov.

Created by visionary writer and director Joss Whedon (Marvel’s The Avengers film franchise), Angel premiered on the WB Network on October 5th, 1999 and was a spin-off from Buffy the Vampire Slayer. The series ran for five seasons from 1999–2004, starring David Boreanaz as Angel, the tortured vampire destined to walk the earth with a soul who moved to LA to set up shop as a supernatural private investigator. Despite Angel’s best efforts to deal with the sins of his past all by himself, Angel Investigations soon became home to other lost souls searching for redemption and willing to fight by his side.

ANGEL is the newest release from BOOM! Studios’ eponymous imprint, home to critically acclaimed original series, including Once &  Future by Kieron Gillen and Dan Mora; Faithless by Brian Azzarello and Maria Llovet; Abbott from Saladin Ahmed and Sami Kivelä; Bury the Lede from Gaby Dunn and Claire Roe; Grass Kings from Matt Kindt and Tyler Jenkins; and Klaus from Grant Morrison and Dan Mora. The imprint also publishes popular licensed properties including Joss Whedon’s Firefly from Greg Pak and Dan McDaid; Buffy the Vampire Slayer from Jordie Bellaire and David Lopez; and Mighty Morphin Power Rangers from Ryan Parrott and Danielle Di Nicuolo.

Print copies of ANGEL #4 will be available for sale on August 28, 2019 exclusively at local comic book shops (use comicshoplocator.com to find the nearest one) or at the BOOM! Studios webstore. Digital copies can be purchased from content providers, including comiXology, iBooks, Google Play, and the BOOM! Studios app.

For continuing news on ANGEL and more from BOOM! Studios, stay tuned to www.boom-studios.com and follow @boomstudios on Twitter. And follow Angel on Facebook.

Categories: Comic Book Blogs

Unlikely Heroes Studios Expands Their Comics Empire with the Release of the Elsewhere

First Comics News - Fri, 08/02/2019 - 14:47

Anthology – 38 Independent Creators Take Readers … Elsewhere

HAMILTON, MT — Known to indie comics fans for Super!, the quick-witted, double-fisted send-up of all things tights ‘n capes, and for the blood-soaked post-apocalyptic Western, The Surgeon, Unlikely Heroes Studios is proud to announce the release of their genre-spanning anthology Elsewhere. Featuring contributions from seasoned, award-winning pros and indie newcomers alike Elsewhere weighs in at more than 150 pages. Readers will travel between all the realms that comics can do better than any other medium: horror, sci-fi, neighborhood intrigue, ghosts and monsters, and everything in between.

“We’ve never done anything like this before.” says Editor/Publisher Laurie Foster, “We tend to see so much competition in the world of indie comics, but really, we’re stronger if we work together. We decided to put out a call for submissions and we were shocked at the quality and quantity we received. I’m excited that we’ve built relationships with so many new, talented creators that we can collaborate with in the future. Plus, we’re really looking forward to doing this again next year for Volume 2!

“I always love working with Laurie,” says Editor John Pence, who founded the long-running Blotter literary magazine in 2003 and is the author of The Surgeon. “She’s such a pro and brings such good energy to any project, but every step of making this book was really satisfying and fun. Working with so many different creators was like the old days running a magazine, and it reminded me of how great it is to take a pile of submissions, put them together, and see a whole book emerge that’s way more than the sum of its parts. I’ve been needing something like this for a long time.”

Elsewhere is complete and ready to go to the printer. Unlikely Heroes just launched a Kickstarter August 1, and it boasts fantastic premiums from contributing creators.

Categories: Comic Book Blogs

Calvin’s Commentaries: Forest Fighters

First Comics News - Fri, 08/02/2019 - 14:37

Personally, I like deck builder quite a lot.

Ditto the group as a whole.

But, as we have now played more than 40 games which have deck-building as at least an element within the game, it’s not so easy to find a game in the genre that really impresses.

But, it happens.

Forest Fighters is such a game.

I’ll cut to the punch line here as they say, and note that the three of us who sat down recently to test drive the pre-production version of Forest Fighters all ended up agreeing it flirts with the top-10 deck builders we’ve played.

In my case, I track that on Board Game Geek where I keep a ‘GeekList’ of deck builders, and after adding Forest Fighters to the database, it’s that new, it ended up number six.

So yes, I like this game a lot.

I’ll start with admitting it plays much like Dominion at its core. Dominion is the granddad of the genre, and some might balk that this plays so much like its foundational ancestor.

But, there is certainly enough different here that the comparison, while natural, is not a steal of concept.

To start the theme is a fun one, focusing on the critters of the forest fighting to secure acorns. The player with the most acorns at the end of the game wins.

From Forest Fighter’s Kickstarter; “The winter is fast approaching and with the cold and snow comes a lack of food. The leaves are beginning to fall from the trees and with them the acorns. All of this means that it is time for the squirrel tribes inhabiting the forest to begin gathering food for the winter. There is just one problem! There is only one oak tree left in the forest making the much-coveted acorns a source of warfare. The squirrel tribes have gathered their forces and have even resorted to hiring other forest animals to help them squirrel away as many nuts for the winter as possible. Gathering acorns is easy; protecting them from bands of raiders sent out by the other squirrel tribes is a different story. In Forest Fighters, you will hire forest animals to help your tribe of squirrels gathers and protect acorns while stealing acorns from your opponents. Once all of the acorns have been gathered, the game ends and the player with the most acorns wins.”

You might gather from the introduction that this game allows for more player-to-player confrontation than a game like Dominion.

Most critters have an attack and defense rating and on your turn, you can attack an opponent. If the attack rating is higher than their defense you get to steal acorns, or send critters back to the supply, or rob them of blackberries, a key resource in the game. Even in a battle win, you face decisions.

Of course if you battle, then you likely won’t have resources left that turn to buy acorns – remember you need them to win or to add other critters to your hands.

Most critters come with special abilities too, all well thought out here. For example, a rabbit attracts another rabbit when played, the old multiplying rabbit theme. Bees get you, honey. Moles can bury acorns.

I like that the abilities fit with the animals.

The game comes with 326 cards: including 21 different characters and 3 items. This allows for a lot of replay as you don’t use all of the animals every game. Different strategies emerge depending on what critters are in play.

The artwork, again this is a prototype has a school student artist appeal that might not please all, but if it is the final art I’d be quite satisfied.

This is a game where cards have neat special abilities and so far we haven’t found a broken combination which detracts from the game.

There are always choices for players to make, and there does appear to be different strategies, based on card combos, that can put you seriously in the race for a win.

If you like deck builders at all this is a game I’d rate a must-have.

Thanks to fellow gamers Trevor Lyons and Adam Daniels for their help in running through this game for review.

Categories: Comic Book Blogs

Button Up Basket

Moogly - Fri, 08/02/2019 - 12:52

The Button Up Basket is a fun one skein crochet pattern that’s unique and modern, and free on Moogly! Disclaimer: This post includes affiliate links; materials provided by Red Heart and Clover USA. Inspiration I was inspired by a basket I saw in my favorite Swedish home goods store. Though it was made of felt...

Read More

The post Button Up Basket appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Flip Through 89: Pathfinder 2.0 Bestiary Second Edition

Gamer Goggles - Fri, 08/02/2019 - 11:37

In this Flip Through Matt takes a look at the new Bestiary for Pathfinder 2.0. He takes a good look at Dragons, Ghouls, Ghasts, and Vampires.

The Bestiary for second edition is awesome – I can’t wait to pit a dragon against my characters.

Copyright secured by Digiprove © 2019
Categories: Tabletop Gaming Blogs

Omniverse: The Spirit of '76, or Get Down America!

Sorcerer's Skull - Fri, 08/02/2019 - 11:00

In 1976, America’s dissatisfaction with the Presidential candidates offered by the major parties went in some strange directions. The All-Night Party, holding their convention in New York City, wound up nominating a security guard working the event. Who was also a talking duck.

The Constitutional question of whether a nonhuman from an alternate earth actually qualifies as an American citizen was never answered, because a photo published on the day of election suggesting inter-species sex destroyed Howard the Duck’s campaign.

The second most unusual candidate of that year was a super-villain, though admittedly, a super-villain in disguise. Ruby Thursday, a pipe-smoking young Californian, was actually ahead in the polls for a time. Her vague but proactive slogan “New Heads for Old” resonated with younger voters. Just when her campaign was gathering steam she was forced to reveal her head was actually a red sphere of flexible polymer circuitry at a public event. Her campaign was effectively over, as was her cabal’s attempt at world domination, thanks to the Defenders.


Subscribe to Furiously Eclectic People aggregator