Feed aggregator

IoT riddled with BadAlloc vulnerabilities

Malwarebytes - Fri, 04/30/2021 - 12:05

The Cybersecurity and Infrastructure Security Agency (CISA) has published advisory ICSA-21-119-04 about vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. Those operating systems and libraries are widely used in smart, Internet-connected “things”. The number of affected devices could be enormous.

As is the fashion these days, the collection of vulnerabilities has been given a name: BadAlloc. CISA has assigned a vulnerability score of 9.8 out of a maximum of 10 for the BadAlloc vulnerabilities and has urged organizations to address these issues as soon as possible.

The vulnerabilities included in BadAlloc

BadAlloc is a large set of remote code execution (RCE) vulnerabilities found by Microsoft’s Section 52:

These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.

Section 52 is Microsoft’s Azure Defender for IoT security research group consisting of IoT/OT/ICS domain experts that reverse-engineer malware, and track ICS-specific zero-days, campaigns, and adversaries.

Where does the name BadAlloc come from?

The researchers found that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.

The heap is the region of a process’s memory used to store dynamically allocated data. If an allocation is sized wrongly, data gets written to the wrong place, and an attacker who supplies malicious input that is not validated could use this to perform remote code execution or to crash the affected system.

In the programming language C++, bad_alloc is the type of the object thrown as exceptions by the allocation functions to report failure to allocate storage. So, this may have been the inspiration for the name.
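The allocation flaw described above, as an added example that is not code from this post, from Microsoft, or from any of the listed RTOS projects: a byte size computed from an untrusted count can wrap around before it reaches the allocator, which is one common way allocation input validation fails. The record type and the hostile count are constructed for the example; the specific defect in each listed product is not on this page.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-item record a device might keep for each entry a client
 * announces in a message header (constructed for this example). */
typedef struct {
    uint32_t id;
    uint32_t flags;
} record_t;

/* 'Before' pattern: the byte size is computed straight from an untrusted
 * count. If count * elem_size exceeds SIZE_MAX the product silently wraps,
 * so the allocator is asked for a tiny block while the caller still believes
 * it holds `count` elements. The first loop that fills the array then writes
 * past the end of the block: a heap overflow. */
size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size;   /* may wrap to a small number */
}

void *alloc_array_unchecked(size_t count, size_t elem_size)
{
    return malloc(unchecked_alloc_size(count, elem_size));
}

/* Hardened: refuse any request whose byte size cannot be represented.
 * This check is the input validation the vulnerable allocators lacked;
 * __builtin_mul_overflow() does the same job on GCC and Clang. */
bool checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;           /* product would wrap around */
    *out = count * elem_size;
    return true;
}

void *alloc_array_checked(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes)) {
        errno = ERANGE;         /* reject instead of returning a short block */
        return NULL;
    }
    return malloc(bytes);
}

int main(void)
{
    /* Constructed untrusted length field, chosen so that
     * count * sizeof(record_t) wraps on both 32-bit and 64-bit targets. */
    size_t hostile_count = SIZE_MAX / sizeof(record_t) + 2;

    printf("unchecked: %zu records -> asks allocator for only %zu bytes\n",
           hostile_count, unchecked_alloc_size(hostile_count, sizeof(record_t)));

    record_t *recs = alloc_array_checked(hostile_count, sizeof(record_t));
    printf("checked:   hostile count -> %s\n",
           recs ? "allocated (unexpected)" : "rejected, errno=ERANGE");
    free(recs);

    recs = alloc_array_checked(16, sizeof(record_t));
    printf("checked:   16 records -> %s\n", recs ? "allocated" : "rejected");
    free(recs);
    return 0;
}
```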

Which devices are affected?

This is a long list and some of these, in turn, represent a lot of different devices:

  • Amazon FreeRTOS, Version 10.4.1
  • Apache Nuttx OS, Version 9.1.0
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-ualloc, Version 1.3.0
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • Media Tek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uCOS II/uCOS III Versions 1.39.0 and prior
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Redhat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1
  • Samsung Tizen RT RTOS, versions prior to 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • Uclibc-NG, versions prior to 1.0.36
  • Windriver VxWorks, prior to 7.0

Microsoft worked with all the affected vendors in collaboration with the US Department of Homeland Security (DHS) to coordinate the investigation and release of updates.


For now, we have not seen any indications of these vulnerabilities being exploited, but given the number of available targets, you can be sure exploits are being sought. Unlike computers, Internet-connected devices can be difficult, or even impossible, to update. Because of that, mitigating these issues could be extremely important for years to come.

In the CISA advisory you can find a list (under 4. Mitigations) which shows the updates that are available. The agency advises users to take the following defensive measures, to minimize the risk of exploitation:

  • Apply available vendor updates.
  • Ensure that affected devices are not accessible from the Internet.
  • Minimize network exposure for all control system devices and/or systems.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • Use secure methods, such as Virtual Private Networks (VPNs), when remote access is required.

Microsoft provides the following mitigation advice:

…we recognize that patching IoT/OT devices can be complex. For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets, as described in the mitigations section at the end of this blog post.

Stay safe, everyone!

The post IoT riddled with BadAlloc vulnerabilities appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What is an IP address? Do I need one?

Malwarebytes - Fri, 04/30/2021 - 10:52

An IP address tells computers how to find a certain device within a computer network. An IP address is like an address label for information packets. For each network your computer is connected to, it has a unique IP address on that network. So, one device can have several IP addresses at the same time. In most home computers you may see traffic on these IP addresses:

  • The loopback address, which is used if something on your device needs to talk to another service on the same device.
  • A home network address, which is usually in a range reserved for private networks. Well-known ranges for this purpose start with 10. and 192.168. and are often pre-programmed in routers, whose job it is, among other things, to assign IP addresses to connected devices.
  • Your IP address on the Internet, which in most cases is assigned to you by your Internet Service Provider (ISP) and changes from time to time. You can learn your current Internet IP address by looking at this site.

What does IP stand for?

IP is short for Internet Protocol and is part of TCP/IP which is the networking software that makes it possible for your device to interact with other devices on a computer network, including the Internet. TCP/IP is actually a stack of protocols that make it possible for computers around the world to communicate without differences between languages and hardware. For a device to be able to use the Internet protocol it needs to have IP software and an IP address.

How are IP addresses written?

Most IP addresses that you see will be Internet Protocol version 4 (IPv4) addresses. These have 32 bits of information and are written in four octets of eight bits. Since we are used to working with decimal numbers, you will usually see the four octets written as four decimal numbers between 0 and 255, separated by dots. For example, at the time of writing, the computer running this website had an IP address of

Decimal vs octal

In some cases, it might be beneficial to know the difference between the different notations.

Decimal means a number expressed in the base-ten system which is the system that we use every day that uses the ten digits 0-9, whereas octal means the number system that uses the eight digits 0-7.

Since an IP address is a 32-bit number, sometimes it makes sense to use the octal number system instead of decimal. The decimal IP address looks like 0177.0000.0000.0001 in octal. A computer will recognize both of them as different, equally valid ways of writing the same address. Here’s why:

In decimal, numbers are written according to how many ones they have, how many tens, how many hundreds, and so on. So, the number 127 is 1 * 100, 2 * 10 and 7 * 1.

In octal, numbers are written according to how many ones they have, how many eights, how many 64s, and so on. So, the number 127 is represented as 0177, where the leading 0 marks the number as octal and 177 is 1 * 64, 7 * 8 and 7 * 1.
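An added example (not from the original post) that puts the decimal/octal arithmetic above into a small C parser: it reads a dotted quad written in decimal, octal, or a mix of both, canonicalizes it, and compares two spellings by value, which is the check any address filter needs because the operating system treats both spellings as the same address. It goes slightly beyond the text by also rejecting malformed labels such as an 8 inside an octal label.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse one dotted-quad label. A label with a leading 0 and more than one
 * digit is octal, as in 0177; anything else is decimal. Returns 0..255, or -1
 * for an empty label, a digit outside the base, or a value above 255. */
static int parse_label(const char *s, size_t len)
{
    int base = (len > 1 && s[0] == '0') ? 8 : 10;
    unsigned long value = 0;

    if (len == 0 || len > 4)            /* "0377" is the longest valid label */
        return -1;
    for (size_t i = 0; i < len; i++) {
        int digit = s[i] - '0';
        if (digit < 0 || digit >= base) /* e.g. an 8 or 9 in an octal label */
            return -1;
        value = value * (unsigned long)base + (unsigned long)digit;
    }
    return value > 255 ? -1 : (int)value;
}

/* Parse "a.b.c.d" (decimal, octal or mixed) into a 32-bit address in host
 * byte order (127.0.0.1 -> 0x7F000001). Returns 0 on success, -1 unless the
 * text is exactly four valid labels. */
int parse_dotted(const char *text, uint32_t *out)
{
    uint32_t value = 0;
    int labels = 0;
    const char *p = text;

    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        int label = parse_label(p, len);
        if (label < 0 || labels == 4)   /* bad label or more than four */
            return -1;
        value = (value << 8) | (uint32_t)label;
        labels++;
        if (dot == NULL)
            break;
        p = dot + 1;
    }
    if (labels != 4)
        return -1;
    *out = value;
    return 0;
}

/* Canonical decimal spelling, e.g. 127.0.0.1 (buffer needs 16 bytes). */
void format_decimal(uint32_t addr, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u",
             (unsigned)(addr >> 24), (unsigned)((addr >> 16) & 0xFF),
             (unsigned)((addr >> 8) & 0xFF), (unsigned)(addr & 0xFF));
}

/* Octal spelling in the style used above: a 0 prefix plus three octal digits
 * per label, e.g. 0177.0000.0000.0001 (buffer needs 20 bytes). */
void format_octal(uint32_t addr, char out[20])
{
    snprintf(out, 20, "0%03o.0%03o.0%03o.0%03o",
             (unsigned)(addr >> 24), (unsigned)((addr >> 16) & 0xFF),
             (unsigned)((addr >> 8) & 0xFF), (unsigned)(addr & 0xFF));
}

/* Compare two spellings by value, not by text: a filter that compares the
 * strings would treat 0177.0000.0000.0001 and 127.0.0.1 as different hosts,
 * while the OS treats them as the same one. Returns 1 if equal, else 0. */
int same_address(const char *a, const char *b)
{
    uint32_t x, y;
    if (parse_dotted(a, &x) != 0 || parse_dotted(b, &y) != 0)
        return 0;
    return x == y;
}

int main(void)
{
    /* Constructed inputs: the two spellings from the text plus a malformed one. */
    const char *spellings[] = { "127.0.0.1", "0177.0000.0000.0001", "0178.0.0.1" };

    for (size_t i = 0; i < 3; i++) {
        uint32_t addr;
        char dec[16], oct[20];
        if (parse_dotted(spellings[i], &addr) != 0) {
            printf("%-22s -> invalid\n", spellings[i]);
            continue;
        }
        format_decimal(addr, dec);
        format_octal(addr, oct);
        printf("%-22s -> %s (decimal) = %s (octal)\n", spellings[i], dec, oct);
    }
    return 0;
}
```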

Running out of IP addresses

There are only 4,294,967,296 different combinations of four numbers between 0-255, so that is the theoretical maximum number of IPv4 addresses you could have on any one network (in reality it’s less than this because some IP address ranges are reserved).

In November 2019, the RIPE NCC (the regional Internet registry for Europe, West Asia, and the former USSR) announced that it had exhausted its pool of IPv4 addresses. This did not come as a surprise, and it didn’t mean that suddenly nobody could have an IP address—sometimes addresses can be recovered, and networks can be extended using Network Address Translation—but it demonstrated the need to implement the successor of IPv4. RIPE warned that “Without wide-scale IPv6 deployment, we risk heading into a future where the growth of our Internet is unnecessarily limited.”

IPv4 and IPv6

What is Internet Protocol version 6 (IPv6) and what makes it different from IPv4? Obviously, since one of the reasons to design IPv6 was the shortage of IPv4 addresses, there are more IPv6 addresses available. As we pointed out earlier, an IPv4 address is a 32-bit number, whereas an IPv6 address is a 128-bit number. IPv4 is a numeric addressing method whereas IPv6 is an alphanumeric addressing method. And where the groups of an IPv4 address are separated by a dot (.), the groups of an IPv6 address are separated by a colon (:).

The difference in bits allows IPv6 to multiply the number of possible IP addresses by 10^28, which may not sound like much, but it gives us 340 trillion trillion trillion possible addresses!

There are technical differences between the protocols as well. We will not handle them in detail as that is outside the scope of this post, but it’s good to be aware of them:

  • IPv6 has built-in quality of service (QoS).
  • IPv6 has a built-in security layer (IPsec).
  • IPv6 eliminates the need for Network Address Translation (NAT).
  • IPv6 enables multicasting by default, which means the same packet can be sent to several addresses.

IP addresses and geolocation

IP addresses are allocated on a geographic basis, so they can be used for a crude form of geolocation. An important thing to remember though, especially for all the Internet detectives out there, is that finding out an IP address does not provide you with a physical location. The result you get from looking up an IP address’s location can be wrong by hundreds of miles. The location of an IP address on a map can be very misleading as it will often point to the location of the ISP that assigned the address, or to the center of an area where similar IP addresses reside. Innocent people have been harassed, even by the police, based on misunderstanding these “maps”.

IP-based geolocation is useful for website geotargeting (showing users content based on their country or region) but it is not suitable if you want to pay someone a visit.

Aside from geolocation, there is another way to connect an IP address into a physical address: Your Internet IP address is typically allocated by your ISP, and your ISP typically knows your physical address. Anyone who can convince your ISP to give up that information, either by buying it, issuing a subpoena or by social engineering, can learn your address.

How to hide your IP address

Many people don’t like their IP address to be known or visible to the websites or services they are interacting with. There are various possible reasons for wanting to hide your IP address. As awareness of corporate surveillance and criminal hacking has grown, so have concerns about personal privacy. Many people believe that it should be their choice when and how they give up some of their privacy, and don’t want prying eyes on their normal, legitimate behavior.

A Virtual Private Network (VPN) gives you more control over the IP address and other information that is visible on the Internet. Of course, you still need an IP address when using an online service or website, or the packets will not know where to go, but the outside world can only see your VPN provider’s IP address, not the one given to you by your ISP.

By using a VPN, your packets are taking a detour. Compare it to a PO box where you can have your mail sent without providing your physical address to the sender. With the difference that you don’t have to go out and fetch it, it still gets delivered to your home by the one thing that knows your real IP address: The VPN provider that you have decided to trust.

The post What is an IP address? Do I need one? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Signal app insists it’s so private it can’t provide subpoenaed call data

Malwarebytes - Fri, 04/30/2021 - 09:29

Signal—the private, end-to-end encrypted messaging app that surged in popularity in recent months—once again reminded criminal investigators that it could not fully comply with a legal request for user records and communications because of what it asserts as a simple, unchanging fact: The records do not exist on Signal’s servers.

This is at least the second request of this kind that Signal has received in the last five years, and in the same time period, similar government demands to pry apart end-to-end encrypted communications have become commonplace. Every single time the government has tried this—from the FBI’s insistence in 2016 that Apple create new software to grant access to a device, to the introduction of the EARN IT Act in Congress last year—cybersecurity experts have pushed back.

The legal request to Signal came from the US Attorney’s Office in the Central District in California in the form of a federal grand jury subpoena. According to the subpoena, investigators sought “all subscriber information” belonging to what appeared to be six Signal users. The requested information included “user’s name, address, and date and time of account creation,” the date and time that the users downloaded Signal and when they last accessed Signal, along with the content of the messages sent and received by the accounts, described in the request as “all correspondence with users associated with the above phone numbers.”

Signal responded to the subpoena with help from lawyers from the American Civil Liberties Union. According to the company’s response, Signal could only comply with two categories of information requested by the US Attorney’s Office.

“The only information Signal maintains that is responsive to the subpoena’s inquiries about particular user accounts is the time of account creation and the time of the account’s last connection to Signal servers,” wrote ACLU attorneys Brett Kauffman and Jennifer Granick. Kauffman and Granick also addressed some of the US Attorney’s Office’s questions about the physical locations of Signal’s servers and whether the technical processes of account creation and communication for Signal users in California ever leave the state of California itself.  

In a blog published this week, Signal said why it again could not comply with a subpoena for user information, explaining that, because of the app’s design, such user information never reaches their hands.

“It’s impossible to turn over data that we never had access to in the first place,” the company wrote. “Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for.”

This lack of access, while excellent for user privacy, has frustrated law enforcement for years. It is a problem that is often referred to as “going dark,” in that the communications of criminals using end-to-end encrypted messaging apps are inaccessible to any third parties, including government investigators. Former Deputy Attorney General Rod Rosenstein has referenced the “going dark” problem, as has current FBI Director Christopher Wray. Many other representatives have, as well, and each time their refrain has stayed the same: End-to-end encrypted messaging apps provide a level of security that is too extreme to allow without a way for law enforcement to break through it.

But it’s magical thinking on the government’s part.

As many cybersecurity experts have explained over literal decades, allowing third parties to access secure, end-to-end encrypted communications will, by definition, make them less secure, functioning in effect as a backdoor. And a backdoor, in and of itself, is a security vulnerability.

Signal’s efforts to publicize its grand jury subpoena are notable—these requests often come with an instruction that the recipient not disclose any details of the request, else they risk jeopardizing an ongoing criminal investigation. These are valid concerns, but so are the concerns raised by Signal, which are that, even after all this time, government agents still believe that evidence can be conjured out of thin air.

The post Signal app insists it’s so private it can’t provide subpoenaed call data appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Doctor Who Magazine SE #57: Writing Doctor Who

Blogtor Who - Fri, 04/30/2021 - 07:00

The latest Doctor Who Magazine Special Edition goes behind the keyboard to discover the secrets of Writing Doctor Who   How does an episode of Doctor Who evolve from an initial idea? Since 1963 many producers and editors have applied their own philosophies and working methods to the pre-production of this complex series. This Special […]

The post Doctor Who Magazine SE #57: Writing Doctor Who appeared first on Blogtor Who.

Categories: Doctor Who Feeds

What is Smishing? The 101 guide

Malwarebytes - Thu, 04/29/2021 - 18:51

Smishing is a valuable tool in the scammer’s armoury. You’ve likely run into it, even if you didn’t know its name. It doesn’t arrive by email or social media direct message, instead choosing a route directly aimed at what may be your most personal device: the mobile phone. So, what is Smishing? We’re glad you asked.

Defining a Smish

Smishing is a combination of the words “phishing” and “SMS”, to indicate phishing sent across your mobile network in the form of a text. It’s often thought of as the latest scam on the block, but it’s been popular for a few years now. The Pandemic combined with a rise in home deliveries has only increased its popularity still further.

What is a Smishing attack?

It’s a fake message sent to mobile devices, using social engineering to encourage the recipient to click a link. The difference between Smishing and Vishing is that Vishing uses fraudulent voice messages as opposed to text and links.

Common Smish attempts focus on everyday needs or requirements. Late payments, missed deliveries, bank notifications, fines, and urgent notices are prime vehicles for a smishing attack.

COVID-19 has ensured that bogus vaccination messaging is also a common Smishing technique.

Most smishing text messages attempt to direct victims to fake login screens, with the possibility of asking for payment details further on. They may use URL shortening services in an attempt to conceal overtly fake login links. Potential victims may have never seen a Smish before, and so assume anything sent via SMS is legitimate. It may also be more difficult to view the full URL on a mobile browser, which is to the phisher’s advantage.

Smishing attack examples

Offering fake discounts on bills is a popular method of smishing attack. The drawback here is that these messages aren’t typically targeted. As a result, large numbers of people without the relevant accounts will simply disregard the message. This isn’t necessarily a problem for the smisher, however. These messages are sent in bulk, and the scammer expects a small number of responses from casting a wide net. The combined ill-gotten gains from the people who do fall for it likely more than make up for the initial outlay.

Late / delayed parcels are a huge prospect for Smishers. If you wanted to define Smishing, this would be the current-day quintessential Smish attack. With so many people at home, and so many daily purchases made online, we’re awash with cardboard. It’s very difficult to keep track of everything coming into the house. Combining well-known delivery services with fake “delivery fee” notifications is a recipe for Smishing success.

A Smishing message asking for a “shipping fee” to be paid at a bogus website

In both examples, you can see the potential for success. Pinning these two attacks around what people can gain (or indeed, lose) gives them added credibility by playing on the hopes and fears of victims.

Can we stop these attacks?

The reality of this situation is, nobody can stop Smishing 100%. However, we can certainly take some steps to significantly reduce it:

  • If it sounds too good (or too bad) to be true, it probably is. Having said that, many Smish messages sound totally innocent and aren’t trying too hard to bribe or threaten. What we’re trying to say here is: don’t assume any message from services or organisations is the real deal. If you’re being asked to do something, the very best thing you can do is contact them directly via a known method you trust. When it turns out to be a fake, you should be able to report it to them, there and then.
  • Those living somewhere with Do Not Call lists or spam reporting services should make full use of them. Report, report, report those bogus messages and numbers. Your mobile device may already have some form of “safe” message ID enabled without you knowing. It’s tricky to give specific advice here because of the sheer range of options available on different phone models, but the Options / Safety / Security / Privacy menus are a good place to start.
  • Never click the links, and don’t enter personal information on the websites the Smisher sends you. Avoid replying to the scam SMS too. Best case scenario, it’s not a real number and your message bounces. Worst case, you’ve confirmed you exist and they add you to spam lists and / or start harassing you further. Report, block, and move on.

Anti-Smishing efforts

It’s not just phone owners doing their bit to tackle Smishing. Organisations have been taking steps to lock this threat down for some time now. Last year, the SMS SenderID Protection Registry gave companies the ability to register and protect message headers. We have Attorney Generals warning of the dangers, and the sheer saturation by fake Royal Mail delivery fee messages has made the issue go mainstream in the UK. We can only hope Smishing’s sudden rise to fame during the pandemic leads to an equally speedy demise.

For the time being, keep a watchful eye on those text messages and treat them with the same suspicion you’d give to a random missive in your email inbox.

The post What is Smishing? The 101 guide appeared first on Malwarebytes Labs.

Categories: Techie Feeds

MooglyCAL2021 – Block #9

Moogly - Thu, 04/29/2021 - 15:00

MooglyCAL2021 Block 9 is a fun and pretty crochet square by The Lavender Chair! The Galaxy Flower Square features springy stitching and is a joy to watch come together. Read on for all the details, and for the link to Block #9 in this free year-long crochet along! Disclaimer: This post includes affiliate links; materials...


The post MooglyCAL2021 – Block #9 appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

City fined for tracking its citizens via their phones

Malwarebytes - Thu, 04/29/2021 - 15:00

The Dutch information watchdog—the Autoriteit Persoonsgegevens (AP)—has fined the city of Enschede €600,000 for tracking its citizens’ movements without permission. It is the first time that a Dutch government body has been fined by the AP. The investigation was set in motion after the AP received a complaint about tracking.

The Autoriteit Persoonsgegevens is the Dutch supervisor that has been commissioned to keep an eye on how companies and governments process Personally Identifiable Information (PII) in the Netherlands. In other words, it guards privacy-sensitive information and how it is handled.

What did Enschede do wrong?

The city of Enschede hired a company to keep track of how crowded its city center was. The company they hired used Wi-Fi tracking to measure how many people were present at one time. The Wi-Fi tracking system assigned a unique ID to each passing phone that had Wi-Fi enabled (based on each phone’s unique MAC address), so it could count the number of these phones, which gave them a pretty accurate idea of the number of people.

However, because this method of measurement was used over a period of years (2017-2020) which overlapped with the period that the EU’s General Data Protection Regulation (GDPR) came into effect, the AP ruled that the method that was intended for counting, had turned into something that could be used for tracking.

The AP mentioned in its ruling that since a MAC-address is a unique identifier for a device, and since mobile devices like phones and tablets are mostly personal items, they can be used to identify a person. The system in Enschede used pseudonymization for the MAC addresses, but the AP ruled that was not enough to make the data truly anonymous, as they could still be combined with other data.

The AP ruled that the privacy of regular visitors and inhabitants of the city was compromised because they could be tracked without a real necessity. This was never the intention, but the fact that Wi-Fi-tracking over a prolonged period made this possible was reason enough for the steep fine.

In its ruling, the AP was adamant about the distinction between counting and tracking and emphasized how important it is that citizens should not be followed around, intentionally or not.

Tracking data can be turned into PII

If you find the same phone often enough, data intended for counting can be turned into data suitable for tracking. And if you put in enough effort and have enough data points you can establish patterns that can be used to identify a person (when this approach is used deliberately and legitimately, it’s called “Big Data”, for good reason). For example, if the same phone checks in at a certain point at 9 AM in the morning and leaves around 5 PM in the afternoon, you can make the assumption that the owner of that phone probably works in or near that location.

And even if none of the companies collecting or accessing that data intend to use it for that purpose, they or anyone buying or stealing the data, could.

The AP has strict rules about using Wi-Fi and Bluetooth-tracking and makes it clear that it is forbidden in most cases. It describes the large numbers of data points that can be collected by such tracking as “indirectly identifiable data” because while it is pseudonymous, it can be used to track people, and can be combined with other data to unmask individuals and render PII. For example, combining Wi-Fi-tracking with CCTV footage or payment data.

Who had access to the data?

The city and two companies that were involved in the measurements had access to the raw data. One of the companies carried out the order from the city and the other maintained the hardware and processed the data. The AP held the city responsible since it was the commissioning party. The city has filed an appeal against the ruling because they do not consider the data to be PII and their sole objective was counting, not tracking.

100 other cities

The company that operated the sensors in Enschede has 100 other cities and townships among its customers. But, when asked, it stated that data gathered with Wi-Fi tracking is no longer saved for more than 24 hours, which, given the original goal for gathering the data, makes perfect sense.

The post City fined for tracking its citizens via their phones appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Doctor Who Magazine 564: 25 Years of Eight!

Blogtor Who - Thu, 04/29/2021 - 07:00

Doctor Who Magazine Issue 564 marks a quarter century of Paul McGann as the Doctor! This month’s Doctor Who Magazine goes back in time to 1996. The final series of Doctor Who’s original run was seven years in the past, and it would be another seven years until the 2003 announcement that the show was […]

The post Doctor Who Magazine 564: 25 Years of Eight! appeared first on Blogtor Who.

Categories: Doctor Who Feeds

Rifts: Crazy PC class adapted for Cepheus Atom & Barbaric!

Swords & Stitchery - Thu, 04/29/2021 - 05:56

The crazy receives a nano cybernetic enhancement that completely rewires the human mind down to the neurological level. They gain several abilities right off the bat: the crazy can take two Significant Actions and two Minor Actions (or five Minor Actions) in each combat round, though this does not allow a character to move further than 12 meters in a single round. They also […]

Categories: Tabletop Gaming Blogs

It happened to Picasso too

Yarn Harlot - Thu, 04/29/2021 - 00:07

I’ve deleted a thousand posts because they all sound a bit sad and whiny, which I suppose is a little accurate- Toronto is still in a stay at home order and lockdown and I am rather sad and whiny about it, especially when I see my friends and colleagues to the south and across the pond slowly finding a way out of this thing. Still, it doesn’t do my heart any good at all to be jealous, and it makes no sense to compare Canada to the vaccine producing giants that are the US and UK. We’re making progress compared to  most countries that don’t have any domestic vaccine production, and I am so grateful for that. Still, after enduring that long and lonely Covid winter I had hoped for a little more freedom this spring – but the ICU’s are rammed full, the crisis is deeper than it ever was, and every healthcare worker I know would love to beat the everliving snot out of people who can’t honour the restrictions right now while they struggle to keep people alive, so here I sit.

I received my first vaccine three weeks ago – but Canada is separating the first and second doses by four months to make the most of the supply we have. I get it, as the variants savage the place it makes a lot of sense to try and give as many people as possible some protection, but it does mean that we don’t know anyone that’s enjoying the perks of being fully vaccinated. Hell, we don’t even have guidelines for those people yet, since it’s only 3% of the population. I know there’s an end in sight, but gentle readers, it just seems so far off.

Was that too sad? Whiny? I think it’s okay, I’ll leave it. The truth is that we’re holding on, despite Toronto enduring one of the world’s longest lockdowns (for the third time) and we remain pretty grateful that we’ve been able to be as safe as we have been – and that the hardest thing we’ve been asked to do is stay home and miss our families. Elliot’s dad and Sam are both essential workers in public facing jobs, and both unvaccinated as of yet, and I worry about them a lot. My hair is enormous and wild (salons and barbers closed at the beginning of the pandemic and were only open for about 7 weeks last summer, same as our restaurants) but I am used to that now and it helps that everyone I see looks the same, and frankly my own wild mane is a small price to pay for the glory that is Joe’s fantastical tresses. I know he’ll get it cut the minute a barber opens, but for now it’s a big part of my pandemic entertainment. If I didn’t think it would be a gross violation of every vow I’ve ever made to him that would surely result in divorce, I’d show you the pictures I’ve been quietly taking each morning.

The big news though, is that something shocking has happened here, and I don’t know quite how to explain it. I have been knitting up a storm. I mean, just heaps. I think it helps me see forward movement and change in the face of all of this, and while knitting heaps isn’t odd, something else has been happening. First, I knit Elliot a blue sweater.

That’s Dogstar (rav link) again. I’ve knit him two now (though they look nothing alike – such a great pattern) and the yarn is Peer Gynt, a favourite worsted weight of mine. Hardworking, non-superwash, inexpensive, comes in a thousand colours… good stuff, that. Now, there is nothing at all unusual about me knitting a blue sweater… for someone else. Me? My palette is famously more 1970s appliance colours – or anything the colour of a dish you could get at an Indian restaurant. I like korma pink, saag green, biryani yellow… you see where I’m going with this. Dirty colours. I am not much at all for the pastel colours of spring, or the vivid tones of summer, or even the cool crisps of the deep winter. I am fall. Autumn, the reaping and the gathering. That’s my jam. Now, that’s not to say that fall is my favourite season, far from it, actually. I am a summer child, and I’ve always found fall to be a little bit sad since it’s the end of all that I adore and the beginning of the long-dark-tea-time-of-the-soul that is the Canadian winter, but I digress.

The last Love Note I made for myself was perfect for me. I loved the sweater, I loved the yarn and it was exactly, absolutely the right colour. (Lichen and Lace Marsh Mohair in “Shrub” and 1-ply fingering in “Woods” held together)

Now, I loved knitting that sweater so much, and I wear the finished product so much and the yarn was so fun that it made heaps of sense to me that I would knit another one, and so it wasn’t at all surprising that I found myself back on the website ordering more. What did surprise me was that I ordered this:

Same yarn, but this time in beautiful blues – the mohair was “calm waters” and the fingering “rainy day”.

Weird, right? I mean, me in blue? Me even knitting blue is a little odd, but for myself? A rather odd glitch I thought, but these are strange times.  I was confident that whatever this was, it was an isolated event. You could have knocked me over with a feather then, when mere days later, I ordered and received this:

For another sweater, for me, and yes, there were other colours available. There was even a properly yucky green that should have been what came over me, but look at that.  This time I’m after making Woven Shadows and even though I am only just past the swatching phase, I am entirely besotted and it’s the colour that’s most of it.  I tried to knock some me back into me by knitting a green sweater – but then I helplessly added blue at all the edges.

It’s like I don’t even know myself. (That’s Ellie, in Limepop. It’s a classic, as is his pandemic hair.) The crazy thing is that all this blue is delighting me.  Instead of rain and winter all I see in these blues are the things I long for, love and miss. The blue sky of Alberta and Saskatchewan, the ocean in Port Ludlow, Vancouver, Halifax and Spain, the bluebonnets in Texas at DFW, the cornflowers and lupins of summer here.

I can’t explain it and it’s so unlike me, but I’m wearing that blue sweater to bits almost every day and all this blue is making me so happy. It seems so funny to me right now that blue is associated with being sad, because here it’s uplifting. Oh – here’s a picture of the finished sweater. It’s not awesome because there aren’t a lot of photographers around, but here’s a selfie from my walk today. I propped my phone on a fence but screwed up the timer.

Anyway – just so that you know some things still stay the same?

Orange socks.

Categories: Knitting Feeds

High Tech Mysticism & High Caliber Adventure - Nightshift Veterans of the Supernatural Wars By Jason Vey & Lamentations of the Flame Princess

Swords & Stitchery - Wed, 04/28/2021 - 17:45
"I felt like lying down by the side of the trail and remembering it all. The woods do that to you, they always look familiar, long lost, like the face of a long-dead relative, like an old dream, like a piece of forgotten song drifting across the water, most of all like golden eternities of past childhood or past manhood and all the living and the dying and the heartbreak that went on a million
Categories: Tabletop Gaming Blogs

Bitcoin scammers phish for wallet recovery codes on Twitter

Malwarebytes - Wed, 04/28/2021 - 17:38

We’re no strangers to the Twitter customer support DM slide scam. This is where someone watches an organisation perform customer support on Twitter, and injects themselves into the conversation at opportune moments hoping potential victims don’t notice. This is aided by imitation accounts modelled to look like the genuine organisation’s account. The victim is typically sent to a phishing page where accounts, payment details, identities, or other things can be stolen.

We first observed the technique used on gamers back in 2014, and it eventually branched out into bank phishing. This time around, it’s being used to bag bitcoin. Shall we take a look?

Emptying your wallet

Trust Wallet is an app used to send, receive, and store Bitcoin along with other cryptocurrencies, including NFTs. With cryptocurrency being so very mainstream at the moment, it’s only natural lots of people are jumping on the bandwagon. Even those who know what they’re doing often run into trouble. I suspect the newcomers to the field are experiencing all manner of issues daily. This is a perfect storm of confused users and scammers lying in wait.

Take note of what the official TrustWalletApp account says, in relation to keeping your coins safe:

First rule of Crypto:
"Never give out your Recovery Phrase"

Second rule of Crypto:
"Never give out your Recovery Phrase."

Third rule of Crypto:
"Someone asks for your Recovery Phrase, remember the first and second rule."

Read on: https://t.co/yAroWY8Y00

— Trust – Crypto Wallet (@TrustWalletApp) April 22, 2021

They are emphatic about keeping the recovery phrase safe. This is a method to regain access to a wallet, made up of 12 words. Whoever possesses the phrase, holds the keys to the kingdom (or at least, your wallet). If your coins have a lot of value attached, it would clearly be disastrous to lose access.

This is where our tale begins in earnest, in the replies to that tweet.

Oh no, my coins!

An individual claims they had their coins stolen, but managed to regain them.

Thank God I finally got all my stolen coin and money back!

I can now rest my head.

So far, so good. Further down, however, it all goes a bit wrong. Just a few replies down, they say this:

I lost all my money and coins my wallet last week, until I contacted their support page and they helped me rectify and resolved it, I think if you have any of this problem you should write to them too at [URL removed]

The link (powered by a DIY survey creator, where anybody can make whatever batch of questions they want) does exactly what TrustWalletApp says not to do: asks for the 12 word recovery phrase.

A fake support form on a popular survey site asks users to break “The first rule of Crypto”

A fake support form in a Google Doc asks users to break “The first rule of Crypto”

A swarm of bad tidings

The scam isn’t being spread by just one account, nor is there just one bogus support form. Multiple Twitter profiles lurk in the replies of anyone having a bad cryptocoin experience. One even claims to be the “Trust Wallet Team”, and does nothing but spam links to a Google Doc. The accounts are most likely set up to autorespond to anybody sending messages to the TrustWalletApp account, especially if it looks like they need assistance. No fewer than 19 responses were sent in one day from one account, and given the ever-fluctuating cryptocurrency values, just one bite could result in a decently-sized payday for the scammers.

Scammers attempt to lure struggling cryptocoin owners into breaking the “First rule of Crypto”

This is a low maintenance attack, which brings potentially high gains. It’s very common, to the extent that one of the accounts sending bogus Google Doc links does so to the person, or bot, we originally saw firing out bad links!

What can you do to keep your coins secure?

This isn’t just imitation organisation accounts dropping themselves into support chats. We also have lots of random, non-imitation accounts trying the same tactic. As a result, “regular account” doesn’t necessarily mean they’re being helpful. The kindness of strangers is often very helpful, but never take anything for granted. Cryptocurrency is in a bit of a modern-day gold rush at the moment, and people will do absolutely anything to get their hands on it.

Legitimate companies are unlikely to be performing technical support via Google Docs or survey sites, so avoid links that attempt to do that. Most importantly though, as per the Trust Wallet team themselves: never send anybody your 12 word recovery phrase. Not even Trust Wallet. Ever.

Passwords, pass codes, pass phrases, pass-whatevers are meant to be secrets, and they aren’t secrets if you tell somebody else. No company worth bothering with will ever ask for your password so don’t give them out. It’s the surest way imaginable to lose control of an account. And, because of the way that cryptocurrencies work, once the scammers have your wallet, it’s theirs. You almost certainly won’t be able to recover it.

That’s one promise you can take to the crypto-bank.

The post Bitcoin scammers phish for wallet recovery codes on Twitter appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Watch out! Android Flubot spyware is spreading fast

Malwarebytes - Wed, 04/28/2021 - 17:06

Using a proven method of text messages about missed deliveries, an old player on the Android malware stage has returned for an encore. This time it seems to be very active, especially in the UK where Android users are being targeted by text messages containing a link to a particularly nasty piece of spyware called Flubot.

Warning from the National Cyber Security Centre

On its website, the National Cyber Security Centre (NCSC) warns about the spyware that is installed after a victim receives a text message that asks them to install a tracking app, because of a missed package delivery. The tracking app is in fact spyware that steals passwords and other sensitive data. It will also access contact details and send out additional text messages in order to further the spread of the spyware.

Network providers join in

Apparently, the problem is so massive that even network providers have noticed it, and some of them, including Three and Vodafone, have issued warnings to users about the text message attacks.

Three urges victims that have installed the spyware:

You should be advised that your contacts, SMS messages and online banking details (if present) may have been accessed and that these may now be under the control of the fraudster.

It goes on to tell victims that a factory reset is needed, or they will run the risk of a fraudster accessing their personal data.

Branding of the text messages

Most of the reported messages pretend to be coming from DHL.

DHL example

But users have also reported Royal Mail and Amazon as the “senders.” Readers should be aware that it isn’t enough to simply watch out for messages from one or two senders though. If the campaign proves successful for the criminals running it, it will evolve and change over time and they will likely try other tactics.

History of Flubot

These types of smishing (SMS phishing) attacks have been on the rise in the last few years. Previously, Flubot was seen operating a fake FedEx website targeting Android users in Germany, Poland, and Hungary in basically the same way: by sending text messages with a parcel tracking URL that led to malware downloads. Initially the operators worked in Spain (with Correos Express as the supposed sender), until some arrests were made there, which slowed the operation down for a while. It would not come as a surprise if continued success leads the Flubot operators to target the US next.

Infection details

Malwarebytes for Android detects the various Flubot variants as Android/Trojan.Bank.Acecard, Android/Trojan.BankBot, or Android/Trojan.Spy.Agent.

As we pointed out, the initial attack vector is a text message with a link that downloads the malware. The package names often include com.tencent, and the app uses the impersonated delivery service’s logo as its icon. During installation the malware shows misleading prompts to get itself installed and to acquire the permissions it needs for its actions. These permissions allow it to:

  • Send messages to your contacts
  • Act as spyware and steal information

Depending on the variant, Flubot can also:

Don’t click!

Unless you know exactly what to look for to determine whether a message is actually coming from the claimed sender, it is better not to click on links in unsolicited text messages. That is always solid advice, but when you are actually expecting a parcel, the message may not count as unsolicited in your mind.

Our first impulse is often to click and find out what’s up. At the very least, we should stop and ask if the message and the URL stand up to scrutiny. If you think the message is genuine, it is still best not to click on the link, but instead search for the vendor’s website and look for its parcel tracker.

If you did not click the link, simply remove the message from your device so you do not click it by accident in the future.

If you have clicked the link but then stopped because you were suspicious of the fact that it initiated a download, well done. You stopped in time.

If you did download the malware, scan your device with a legitimate Android anti-malware app. If it can’t disinfect your phone, you will need to perform a factory reset to remove it. If you do this, there is a possibility you will lose more than just the malware, unless you have made backups.

You should also change any passwords you stored on the device, and any you entered on the device after the infection began, because they may have been compromised by the spyware.

Finally, if you used the device for online banking, check your bank balances and contact your bank so that they can stop or correct any fraud that results.

Stay safe, everyone!

The post Watch out! Android Flubot spyware is spreading fast appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How to Latch Hook with WonderArt Kits Class

Moogly - Wed, 04/28/2021 - 15:00

Latch Hook is back – and WonderArt kits make it easy to pick up this craft for the first time, or the first time in a long time! Learn how to get set up and get latch hooking, here on Moogly! Disclaimer: Materials provided by Yarnspirations and Michaels; this post includes affiliate links.  The Supplies...


The post How to Latch Hook with WonderArt Kits Class appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Doctor Who: Forty – Big Finish celebrates the Fifth Doctor’s 40th Anniversary

Blogtor Who - Wed, 04/28/2021 - 14:00

Big Finish celebrates four decades of Peter Davison as the Doctor with The Fifth Doctor Adventures: Forty

Big Finish are smelling a flower, watching a sunset, and eating a well-prepared meal to mark forty years since Peter Davison debuted as the Doctor. But, more than that, they’re releasing two brand-new volumes of full-cast audio […]

The post Doctor Who: Forty – Big Finish celebrates the Fifth Doctor’s 40th Anniversary appeared first on Blogtor Who.

Categories: Doctor Who Feeds

Wednesday Comics: Who's Who Omnibus

Sorcerer's Skull - Wed, 04/28/2021 - 12:13

I was sick all last weekend, so my reading of June 1980 cover-date DC got slowed down. So while you wait on that, you should check out the gorgeous tome that is the DC Who's Who Omnibus vol 1. It's got all of the pre-loose-leaf Who's Who entries in it (well, except the Atari Force characters they no longer had the rights to) and it looks great.

Here's an image of an interior spread:

Ransomware group threatens to leak information about police informants

Malwarebytes - Wed, 04/28/2021 - 10:16

UPDATE 12:12 PM Pacific Time, April 28: As of at least 9:40 AM Pacific Time, the Babuk ransomware gang removed any reference to the allegedly stolen DC Police Department data from its data leak website. This does not indicate with any certainty that the DC Police Department paid Babuk, but it is rare for a ransomware group to remove data without first receiving payment.

A screenshot captured by a Malwarebytes researcher is shown below, with no reference to the DC Police Department hack.

The Babuk ransomware group’s data leak website no longer shows any reference to the DC Police Department data hack. Credit: Malwarebytes

Original story below:

One day after a ransomware group shared hacked data that allegedly belonged to the Washington, D.C. Police Department online, the police force for the nation’s capital confirmed it had been breached.

“We are aware of unauthorized access on our server,” the Metropolitan Police Department—the official title of the DC police—said on Tuesday. “While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”

But as the DC police sort out the attack, they’re working against the clock—the cyberattackers threatened to share information on police informants with criminal gangs in just three days, threatening the safety of those informants and the stability of related criminal investigations.

The attack represents the latest example of two growing trends: cybercriminals have increasingly targeted government agencies since the start of 2021, and ransomware operators are combining their bread-and-butter tactics—encrypting a victim’s files and then demanding a payment to unlock them—with new threats to publish sensitive data.

Claiming responsibility for the DC police cyberattack is the ransomware gang Babuk. On Monday, the group said on a dark web data leak site that it had stolen 250 GB of data from the DC police, and it posted several screenshots as proof. According to Bleeping Computer, which viewed the images, the screenshots included folder names that related to “operations, disciplinary records, and files related to gang members and ‘crews’ operating in DC.”

Bleeping Computer also shared Babuk’s threat that was made to the DC police:

“Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the usa, fbi csa, we find 0 day before you, even larger attacks await you soon.” 

The ransomware group also warned that one of the files in its possession could be related to arrests made following the January 6 insurrection against the US Capitol.

The attack, while severe, is part of an increasingly commonplace trend. According to the New York Times, this is the third police department hit by cybercriminals in just three weeks. Further, since the start of 2021, 26 government agencies have been victims of ransomware attacks, and 16 of those agencies were specifically hit with threats to publish sensitive data.

These attacks follow what Malwarebytes has called a “double extortion” model, in which ransomware operators hit the same target two times over—not only locking a victim’s files, which will cost money to decrypt, but also stealing sensitive data, which will also cost money to keep private.

The double extortion model is relatively new, but it is already popular.

According to a March analysis from the cybersecurity company F-Secure, nearly 40 percent of the ransomware families discovered in 2020, as well as several older families, demonstrated data exfiltration capabilities by year’s end. And almost half of those families used those capabilities in the wild. Further, as we learned in the Malwarebytes State of Malware 2021 report, the double extortion model has proved to be surprisingly lucrative: One ransomware group pulled in $100 million in 2019 without pressing victims to unlock encrypted files.

That Babuk—which was discovered by Bleeping Computer just months ago—has already incorporated the double extortion model likely means that this threat will not be going away any time soon.

The post Ransomware group threatens to leak information about police informants appeared first on Malwarebytes Labs.

Categories: Techie Feeds
