IT NEWS

On Monday, Apple released its first batch of Rapid Security Response (RSR) patches, iOS 16.4.1 (a), iPadOS 16.4.1 (a), and macOS 13.3.1 (a), for iPhone and iPad, and macOS devices, respectively.

RSR is a new type of software patch delivered between Apple’s regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They’re meant to make the deployment of security improvements faster and more frequent. According to an Apple notice about RSRs, the new updates “may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist ‘in the wild’.”

Think of it as the company’s version of Microsoft’s out-of-band (OOB) patches.

“When a Rapid Security Response has been applied, a letter appears after the software version number, as in this example: macOS 13.3.1 (a),” the notice said, giving users a glimpse of how RSR versioning works.

Apple introduced Rapid Security Response updates with the launch of iOS 16, iPadOS 16, and macOS Ventura at its Worldwide Developers Conference last summer. Devices allow automatic RSR patching by default, but the company provided its users with the option to disable it. You can visit this Apple Support page to learn how you can do this on iPhone, iPad, and Mac.

If you do disable RSR, you will still receive security fixes as part of Apple’s regular software updates, just as you did previously. However, not getting a quick fix when it’s available could leave your device vulnerable to in-the-wild exploits.

Apple began testing RSR last year, with its beta testers. Monday’s patches were the first to be released to the public. Some users reported they couldn’t install the updates, even when devices successfully downloaded the patches, but that problem seems to have been resovled now, according to The Verge.

The company also didn’t make clear what security fixes RSR for iOS, iPadOS, and macOS addressed, since there were no notes released for them. Moving forward, Apple will only make RSR available to all devices running the latest version of iOS, iPadOS, and macOS.

RSRs aren’t the only recent innovation that should make it harder for criminals to exploit Apple devices. On April 21, we reported on Citizen Lab’s investigation into the effectiveness of Apple’s Lockdown Mode, a feature designed to provide a safer environment for users at a higher risk from targeted attacks, such as those developed by NSO Group, the company behind the notorious spyware Pegasus, and QuaDream. NSO Group is known to take advantage of 0-day vulnerabilities. RSRs should improve protection further by allowing Apple to patch those 0-days immediately after they’re discovered.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A Finnish newspaper is making clever use of popular video game titles to promote press freedom and bypass Russian media restrictions regarding the invasion of Ukraine. The plan: Hide a secret room underneath a map, which players can stumble upon and see facts, figures, and photographs of what’s been going on.

The map is a custom built design intended to be used in the game Counter-Strike: Global Offensive, playable via the Steam platform. We decided to take a look at how effective this is in practice, and what’s contained in the hidden room.

Is this the part where I fire up my ancient Counter-Strike account? It sure is.

Finding the map

First thing’s first. The map is a custom build, not designed by the game developers. How do you find it? The answer is to visit the game’s Workshop page. This is where custom made content for eligible games on Steam can be found, from maps and weapons to in-game objects or playable characters, depending on the title.

The map, de_vonya, currently displays as the most popular map of the week so it’s off to a good start. The map description says:

On the surface, it seems like a normal Slavic city. However, there might be something hidden underneath.

If you click on the map to open its page, and then hit the green “Subscribe” button, the map will be available next time you load up the game.

Finding the room

Counter-Strike is a team based first person shooter, where small teams race to complete objectives. I haven’t played in years, so I took the easy way out and set up a custom game with the only other combatants being bots. Playing against other people would be a surefire way to make a mess of this exploratory adventure.

The central idea of this map is to accidentally stumble upon the room containing the free press style content. In practice, this proves to be rather difficult.

The first problem: You can’t access the secret room unless you’re dead (don’t worry, I’ll come back to this). While playing normally, the door remains resolutely shut no matter what you try.

“How do I access the room when I’m dead,” you say? Well, when you die in Counter-Strike you can watch your teammates or you can float around the whole map and take in all of the action. In this state, you have no collision detection. In other words, players who are still alive will stop moving if they walk into an object like a wall. While dead, you’re essentially a floating camera and will pass right through it.

The second problem: Counter-Strike rounds are short, around a couple of minutes. They’re short enough with bot, but with actual humans playing, everything can be over very quickly indeed. Even with bots set to the easiest difficulty, three rounds had ended before I eventually found the room.

The third problem: Flying around the map is not entirely helpful with regard to finding the room. Counter-Strike makes use of a game design element called skyboxes. A skybox is something which acts as a distant background in the game you’re playing. Imagine a big cube wrapped around the level you’re in, with the sky (or something else altogether) projected on it. No skybox, no background. The world around you would just be a black void.

If the level you’re on has a small or “low” skybox, you’ll run into problems when trying to find a hidden secret. Want to fly up and take in a bird’s eye view of the map? The moment you fly too high up, the screen goes blank (or at least blue coloured, in this level’s case).

As a result, the “best” way to find the hidden room is to float around slightly underneath the floor and look for some flashing lights. If you manage to do this before the level ends prematurely, you’ll be able to locate and enter the room.

Inside the room

The room itself is made up of several areas of information, with a main table located in the middle.

One wall reads:

COUNTERSTRIKE OF THE FREE PRESS. This room contains independent journalism that is forbidden in Russia

A sign on one wall states “Russian strikes on civilian targets 2022-2023,” above a map highlighting strike locations, next to several photographs of the damage inflicted.

One wall of monitors and overturned TV screens states “Russians left behind mass graves in Bucha and Irpin”, along with images of said actions.

All very powerful. It is somewhat bizarre to look at a wall of photographs and text which reads “Missile strikes: he went to buy food, she and her child were killed in their home” as the game flashes up a message about the last round of Counter-Strike saying “Terrorists win. MVP: BOT Yanni for most eliminations”, though.

This is certainly an innovative way to bypass Russia’s media restrictions. One has to wonder if it would be a lot easier to simply have the secret room’s door open, especially as one team starts the level right next to it.

If you go looking for the room, be warned that some of the images are graphic. We’ve blurred some elements of the above screenshots that you may find disturbing, including dead bodies and body parts. While Steam Workshop has policies in place for individual items like characters or weapon skins, we can’t find anything for maps. Could players with an objection to the map’s existence cause it to be removed from Steam? Possibly.

It’s likely we’ll see more maps along these lines, especially as regular map makers see the idea and decide to run with it. Could Russia ultimately ban a game like Counter-Strike over this? Also possible, but I suspect (for now at least) very unlikely.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The continued existence of World Password Day is a tell that something has gone badly wrong in cybersecurity.

Now in its tenth year, the day is supposed to act as an annual reminder for people to follow good password hygiene: Don’t reuse passwords; use long passwords; no, longer passwords than that; use a collection of random words; no, not those words; use a phrase; use a collection of phrases; don’t forget the weird characters; etc., etc.

This is bad. Critical technology should not require an annual pep talk to function correctly. There is no annual “how to avoid nuclear meltdown” day.

And make no mistake, password authentication is critical technology. It is the bedrock on which security is built. Fail at authentication and it doesn’t matter how “military-grade” your encryption is or if you patch twice a day before flossing, you’re toast.

The existence of World Password Day is a symptom of two problems.

The first is that password authentication is a terrible design. Its success hinges on humans being good at something humans are really bad at: Creating and remembering long strings of random characters.

In an environment where users must now remember about 100 passwords each, it is impossible to use passwords well without assistance. The only chance you have of making it work is to outsource the “creating and remembering” part you’re really bad at to a computer, in the form of some password management software.

Password managers are great—apart from where they aren’t, like when you’re logging in to Windows—but from what we can tell, most people still don’t use password managers, and those that do are almost certainly the most security-aware among us; in other words, the folks who need its help the least.

And when I write “impossible” I am not being hyperbolic. You cannot remember 100, different, strong passwords. You just can’t. Almost all of us run into serious problems juggling fewer than ten. (If you’re still doubtful, read Why (almost) everything we told you about passwords was wrong, it’s got more details and links to the research.)

The second problem is that for too long we made passwords a problem for users to solve instead a problem for IT or security. Dispersing the responsibility like this created an enormous headache that has consumed untold resources. A system is only as strong as its worst password choice, but we almost never know what the worst choice is or who made it. That creates a situation where improving security rests on our ability to improve every single user in the hope that we’ll reach the worst.

Attempts to level up users often boil down to edicts about how to do passwords better, such as making sure each password includes a mixture of uppercase and lowercase letters, and that passwords are not reused.

It’s like we asked the janitor to configure the firewall rules and then tried to fix our terrible mistake by having a firewall expert constantly lecture the janitor about not messing up the firewall.

Repeated password breaches over decades—which show us real users’ password choices—suggest that these edicts are having little effect. This shouldn’t be a surprise. Reusing passwords and making passwords simpler may be bad for security, but they make perfect sense if your most pressing problem is working out how to juggle an unmanageably large portfolios of passwords.

Our experiment in shifting responsibility and blame to users hasn’t worked. Ransomware gangs rely routinely on phished, stolen, or guessed passwords to break into corporate networks through VPNs or remote desktops, causing untold damage and disruption.

The good news is that while there isn’t much we can do about problem number one, number two was a choice, and it’s a choice we can un-make. There is another way, but it requires a shift in mindset.

Instead of thinking about how to get users to choose stronger passwords, businesses should focus on protecting themselves from users’ poor password choices instead.

The most powerful way to do this is to remove passwords entirely. Thankfully, after decades of false starts, a slew of technologies like Apple’s Touch ID, Windows Hello, and FIDO2 has appeared that now make this a viable option in a number of areas.

Passwords are going to be with us for a long time yet though, so we still need ways to cope with bad ones where passwordless authentication is unavailable.

Where you can’t abandon passwords, the next best option is multi-factor authentication (MFA). In 2019, Microsoft’s Alex Weinert wrote that “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

MFA comes in different flavors and your choice of flavor makes a difference: Hardware keys are better than push notifications from an app, which are better than One-Time Password (OTP) codes from an app, which are better than OTP codes over SMS. But the improvements that come in the steps between the different forms of MFA are incremental. The step between MFA of any kind and no MFA at all is transformational.

More than any other choice or technology, MFA puts the responsibility for password security back into the hands of IT and security specialists where it belongs.

There are other measures, too. When you go to an ATM you don’t have to type in a 14-character password with eight quattuordecillion (that’s a number with 45 zeroes at the end of it) possible combinations to get your money—a 4-digit PIN with a paltry 10,000 possible combinations will do.

Why? Because the ATM isn’t going to give an attacker 10,000 chances to guess the correct PIN, it’s going to give them three, and then it’s going to eat the card. The same thing happens on your iPhone. Six wrong guesses and you’re on the naughty step. Ten wrong guesses and your data can self-destruct.

No normal user is going to make hundreds of guesses at their password before phoning support, so take a leaf out of your bank’s playbook and give your users a handful of chances to enter their password correctly.

Like MFA, account lockouts allow users to stay secure even with truly awful password choices. (After all, EVERY 4-digit PIN is a terrible password choice.)

In the interests of defense in depth, businesses may still want to ensure that users are making strong passwords, or at least avoiding weak ones. Here, the thinking has changed in the last decade, and that change is enshrined in the National Institute of Standards and Technology (NIST) Digital Identity Guidelines.

Forcing people to create passwords to a formula, insisting on at least one uppercase letter, at least one special character etc, is out. And so are periodic password resets. Both are far more effective at annoying users than they are at improving security.

Instead, NIST says, it’s more effective to simply stop users choosing known bad passwords, such as passwords that have appeared in breaches or that are based on dictionary words.

If you are going to insist on strong passwords, please make a password manager part of the standard software suite on all your organization’s machines, and make sure employees actually know how to use it. Many users simply don’t trust password managers, and unless you’ve sat with somebody using one for the first time, you may not appreciate how difficult it can be for people to make sense of them.

The measures I’ve suggested in this article are not interchangeable or equally effective: You should start at the top and work down. If you do that, you can improve password security, remove the need for toothless edicts, and perhaps we can finally get rid of these annual pep talks.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

OK, it’s time for me to keep a promise.

Back in October 2022, I wrote an article called Why (almost) everything we told you about passwords was wrong. The article summarizes how a lot of what you’ve been told about passwords over the years was either wrong (change your passwords as often as your underwear), misguided (choose long, complicated passwords), or counterproductive (don’t reuse passwords).

Most damningly of all, the vast effort involved in dispensing this advice over decades has generated little discernible improvement in people’s password choices. If it hasn’t quite been a wasted effort, it has certainly represented a galactically inefficient use of resources.

We know that this advice isn’t what it’s cracked up to be thanks to intrepid researchers, such as the folks Microsoft Research, who made it their business to discover what actually makes a difference to password security in the real world, and what doesn’t.

If you want the full, three-course meal version of why all the password advice you’ve been told stacks up to much less than the sum of its parts you can read the original article. Here’s the snack version:

How strong, long, and complicated your password is almost never matters in the real world. The most common type of password attack is credential stuffing, which uses passwords stolen in data breaches. It works because it’s so common for people to reuse the same password in two places and it is completely unaffected by password strength. The next most common attack is password spraying, where criminals use short lists of very simple passwords on as many computers as possible. In both situations a laughably simple but unique password is good enough to defeat the attack.

There are rare types of attack—offline password guessing—where a strong password might help, but the trade-off is that strong passwords are far harder for people to remember, which leads them to use the same password for everything, which makes them much more vulnerable to credential stuffing. Notebooks are a really good, simple solution to the password reuse problem, but for years people were ridiculed for using them. Password managers are also a good solution but they are much harder to use than notebooks and a majority of people don’t use them, and don’t trust them, despite years of positive press and advocacy.

OK, back to the promise I mentioned.

As somebody who has done his fair share of dispensing this kind of advice, I ended my Why (almost) everything we told you about passwords was wrong article with a mea culpa in the form of a promise. Never again would I dish out laundry lists of things you should do to your password. I would instead focus my energy on getting you to do one thing that really can transform your password security, which is using two-factor authentication (2FA):

So, from now on, my password advice is this: If you have time and energy to spare, find somewhere you’re not using 2FA and set it up. If you do I promise never to nag you about how weak your passwords are or how often you reuse them ever again.

Well, today is World Password Day, and it’s time to make good on that promise. I was asked to write a list of password tips, so here they are:

• Set up 2FA somewhere.

To explain why I’m all-in for 2FA I can’t do any better than quote Microsoft’s Alex Weinert from his 2019 article, Your Pa$$word doesn’t matter. (He calls it MFA but he means the same thing, I’ll explain why lower down).

Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.

Yes, he wrote 99.9%, and he wasn’t exaggerating. 2FA defeats credential stuffing, password spraying, AND password reuse, AND a bunch of other attacks.

Even if you don’t know what 2FA is, you’ve probably used it. If you’ve ever typed in a code from an email, text message or an app alongside your password you’ve used 2FA.

In the real world, 2FA just means “do two different things to prove it’s you when you log in”. One of those things is almost always typing a password. The other thing is often typing a six-digit code you get from your phone, but it might also be responding to a notification on your phone or plugging in a hardware key (a small plastic dongle that plugs into a USB port and does some fancy cryptographic proving-its-you behind the scenes).

2FA is very widely supported and any popular website or app you use is likely to offer it. In an ideal world those sites and apps would take responsibility for your security and just make 2FA a mandatory part of their account setup process. Unfortunately, we don’t live in an ideal world, and the tech giants that know better than anyone else how much 2FA can protect you have left it for you to decide if you need it.

To make your life a little harder still, they also give it different names. You’ve already met MFA, which means multi-factor authentication, while Google, WhatsApp, Dropbox, Microsoft, and others brand their version of 2FA with a slightly altered name: two-step verification (2SV).

If you have a choice, the best form of 2FA is a password and hardware key, but you’ll need to buy a hardware key. They are worth the small investment and not nearly as intimidating as they can seem.

If you aren’t ready for the that, the next best form of 2FA uses an app that prompts you with a notification on your phone. Next best after that is 2FA that uses a code from an app on your phone, and the least good version of 2FA uses a code sent over SMS.

However, don’t let anyone tell you any form of 2FA is “bad.” It’s all relative. Adopt any one of them and you can safely ignore the rest of the password advice you were probably ignoring already.

To help you get started, here are links to the 2FA setup instructions for the five most visited websites:

• Google 2-step verification
• YouTube 2-step verification (the company, owned by Google, uses the same process above)
• Facebook two-factor authentication
• Twitter two-factor authentication
• Instagram two-factor authentication

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Fact: 77% of organizations are convinced they’re capable of protecting their mobile devices—smartphones, tablets, and laptops (including Chromebooks)—from cybersecurity threats.

Another fact: A third of those organizations aren’t protecting their mobile devices at all.

And that matters—in its Mobile Security Index 2022 report, Verizon reported that 45 percent of businesses suffered a major mobile-related compromise with lasting repercussions.

The increase in companies’ reliance on mobile devices that began with the pandemic persists today. Many employees are working on their mobile devices more, which follows that more mobile devices (53 percent) have access to sensitive data compared to pre-pandemic times. We recognize how critical such devices are to our work, and yet, confident or not, we continue to treat their defense against cyberattacks like an afterthought.

So what can small business owners do to quickly turn things around?

Start by recognizing that the mobile space has become a battleground, so protecting it is a must. And then, develop a mobile security policy that touches on essentials for securing employee mobile devices.

A cybersecurity policy is essentially a high-level plan detailing how a company will protect its physical and digital assets. In the context of mobile devices, that means protecting the sensitive data they store and have access to, and stopping non-employees from physically accessing such devices.

The policy doesn’t have to be complicated or perfect, but it must be solid and effective. The document must evolve with changing technologies and attack trends to prevent it from becoming outdated. For a policy to be effective, it should clearly and explicitly state responsibilities for the organization and its employees.

Here’s a list of some organizational duties you might want to include in your mobile security policy, to help you get started.

• Use a mobile device management (MDM) platform. IT teams use MDM to provision, deploy, and manage mobile devices. It allows an administrator to perform remote tasks, such as troubleshooting and wiping devices after a theft. More importantly, an MDM can be used to enforce strong password practices and deploy software updates.
• Use a mobile endpoint security solution to provide real-time protection to employee devices.
• Ensure employees use a VPN to connect to the company network. Your small business may have adopted a working scheme that allows employees to work anywhere. In this case, it’s vital to encrypt data in transit, so you don’t have to worry about your employees using public Wi-Fi.
• Use FIDO2 two-factor authentication (2FA). FIDO stands for Fast Identity Online, a globally-recognized standard for passwordless authentication. Employees using mobile devices to read their emails are particularly vulnerable to phishing. Unlike other forms of 2FA, FIDO2 devices can’t be phished.
• Set clear Bring Your Own Device (BYOD) guidelines, explaining whether employees are allowed to use their personal devices for work and what their obligations are if they do.
• Educate employees on best practices for mobile security. Employees are your first line of defense—arm them with the tools and know-how they need to fulfill their role.

By creating a strong mobile security policy, a small business is better placed to prevent cyberattacks, and better prepared should one occur.

Good luck!

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A recent study by NewsGuard, trackers of online misinformation, makes some alarming discoveries about the role of artificial intelligence (AI) in content farm generation. If you’ve previously held your nose at the content mill grind, it’s probably going to become a lot more unpleasant.

Content farms are the pinnacle of search engine optimisation (SEO) shenanigans. Take a large collection of likely underpaid writers, set up a bunch of similar looking sites, and then plaster them with adverts. The sites are covered with articles expressly designed to float up to the top of search rankings, and then generate a fortune in ad clicks.

If you’ve ever searched for something and walked into a site which spends about 4 paragraphs slowly describing your question back to you before (maybe) answering it, congratulations. I share your pain.

The worst part about this kind of content production is that in recent years many otherwise legitimate sites now write like this too. The pattern to look out for is as follows:

• A paragraph or two describing your problem back to you as if you’re ten years old.
• A paragraph break with a large advert.
• Another 3 paragraphs which may or may not answer your question.

On top of that, sites don’t just populate with reasonable, genuine questions. They now fill up with ludicrous questions, or answer the questions badly. Not only is garbage like this unhelpful itself, it also keeps you away from the good stuff.

This is the current state of play before we throw AI-generated content into the mix. What did NewsGuard find?

49 news and information sites which appear to be “almost entirely written by artificial intelligence software”. There’s a broad spread of languages used on these sites, ranging from Chinese and Tagalog to English and French. This helps ensure the content is being seen by as many people as possible, as well as clogging up search engines that little bit more. Some of the key points:

• Lack of disclosure of ownership / control, making it hard to assess bias or possible political leanings.
• Topics include entertainment, finance, health, and technology.
• “Hundred of articles per day” published on some of the sites.
• False narratives are pushed by some of the sites.
• High advertising saturation.
• Generic names like “News Live 79” and “Daily Business Post”.

As for the actual written content itself, it is said to be filled with “bland language and repetitive phrases”. This is one of the key indicators of AI-generated content. Additionally, many of the sites began publishing just as the various content creation AI tools, tools like ChatGPT, started to be used by the public. Quite a coincidence!

Other strong indicators include:

• Phrases in articles which are often used by AI in response to prompts. One example given is “I am not capable of producing 1500 words… However, I can provide you with a summary of the article”.
• No bylines given for authors. Reverse image searches for a handful of supposed authors reveal that images have been scraped from other sources.
• Generic and incomplete About Us or Privacy Policy pages, some of which even link to About Us page generation tools.

If a smoking gun was even required at this point, the dead giveaway would be the inclusion of actual error messages produced by AI text generation tools. One example, from an article published in March of this year, includes the following text:

“As an AI language model”, and “I cannot complete this prompt”.

Despite this, site owners remain cautious about admitting to any use of AI to produce the content farm rings. In April of this year, NewsGuard attempted to get some answers from the websites as to who, or what, is creating the content. The results are not encouraging.

Of the 49 sites studied, NewsGuard contacted the 29 sites which included some form of contact details. Two sites confirmed use of AI, 17 did not respond, eight provided invalid contact details, and two didn’t answer the questions provided.

Since the story broke, Google has removed adverts from some pages across the various sites flagged. Ads were removed completely from sites where the search giant found “pervasive violations”. Although two dozen sites were reported to be making use of Google’s ad services, the use of AI-generated content is “not inherently a violation” of ad policies.

Nonetheless, given the content created is likely to be low value and little more than click bait, it seems likely that this kind of site is not long for Google’s ad world. A number of other ad-based organisations pulled their ads when contacted by Bloomberg. Even so, this is very much a game of whack-a-mole with the SEO spammers in the driving seat.

It’s very likely we’ll see campaigns like the above dedicated to other unpleasant online activities. What if the spam-filled SEO magnet sites churn out endless content to lure visitors to phishing pages? Or Bogus sign up forms? It’s not a stretch to imagine dozens of sites fired out by AI generators linking to fake downloads and bogus browser extensions.

As many people have noted in the above linked articles, the high speed and lost cost of generation here are key to getting bad things online as quickly as possible. When you can register sites in bulk and have the AI bots filling all of them with a text firehose, the fear is that advertising networks and abuse departments may not be able to keep up. All this happened in the same week that AI “Godfather” Geoffrey Hinton left Google, warning of the dangers posed by rogues misusing AI.

If you run an advertising division, now is probably a very good time to check if AI-generated content is addressed by your policies and update accordingly. Just don’t run it through an AI first.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Following criticism, Google has decided to bring end-to-end encryption (E2EE) to its Google Authenticator cloud backups. The search giant recently introduced a feature that allows users back up two-factor authentication (2FA) tokens to the cloud, but the lack of encryption caused some commentators to warn people off using it.

Google Authenticator is an authenticator app used to generate access codes, called one-time passwords (OTPs). These OTPs are only valid for a short period and are generated on demand. They serve as an additional form of authentication by proving that you have access to the device generating the OTP. Google Authenticator is one of the most well-known authenticators. Although it’s made by Google it’s not limited to Google’s own services, but can also be used with Facebook, Twitter, Instagram, and many more.

On April 24, 2023, Google announced an update across both iOS and Android, which added the ability to safely backup the secrets used to generate OTPs to your Google Account. This allows users to create a backup which they can use if their device is lost, stolen, or damaged. Since OTPs in Google Authenticator were previously only stored on a single device, a loss of that device locked you out of any service where you used it to log in.

Shortly after the new feature was rolled out, Mysk’s security researchers advised against turning on the new feature. They analyzed the network traffic that occurs when the app syncs the secrets, and found out that the traffic was not end-to-end encrypted. This would mean that in case of a data breach or if someone obtains access to your Google Account, all of your OTP secrets would be compromised, and they would be able to generate OTPs as if they were you.

The likelihood of someone stealing the secret seeds from Google’s servers is relatively small, but since it is better to be safe than sorry and one problem less is always good to have, users asked Google to add a passphrase to protect the secrets. This would introduce an extra safeguard that makes them accessible only to their owner.

Google’s primary objection to this method was that it heightens the risk of users getting completely locked out of their own data. Meaning that if you lost your device and the passphrase, you would lose all access to your accounts.

Google Group Product Manager Christiaan Brand tweeted that end-to-end encryption (E2EE) will be made available for Google Authenticator down the line, but they are rolling out this feature carefully.

(2/4) We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery.

— Christiaan Brand (@christiaanbrand) April 26, 2023

According to Google, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves. But, if you want to try the new Authenticator with Google Account synchronization, simply update the app and follow the prompts.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google is in the midst of a legal campaign designed to take down the creators of a very persistent piece of malware called CryptBot. This malware, which Google claims compromised roughly 670k computers, set about infecting users of the Chrome browser. Unfortunately for the malware campaign operators, Google’s not impressed.

This legal campaign focuses on shutting down domains associated with the stealer. The lawsuit unsealed this week reveals Google’s line of approach for tackling CryptBot’s alleged primary distributors, located in Pakistan.

It’s easy to see what piqued Google’s interest in this infection campaign. A big part of the CryptBot tactics on display involved offering up cracked or modified versions of popular Google products. The products were secretly infected with CryptBot, which would then go on to try and plunder credentials from the infected systems. From the complaint document:

(The) defendants’ criminal scheme is perpetrated via a pay-per-install (“PPI”) network known as “360installer,” which fosters the creation of websites that offer illegally modified software (“Cracked Software Sites”).

These websites offer software infected with CryptBot malware, such as maliciously modified versions of Google Chrome and Google Earth Pro, and also cracked third party software. The Malware Distribution Enterprise operated by Defendants in this case is one of the primary means of spreading the CryptBot malware to new victims.

Google highlights that CryptoBot targets users of Chrome. When it notices Chrome is installed on a PC, it attempts to “locate, collect, and extract user credentials saved to Chrome”. This can be logins, authentication methods, private data, and several types of payment information, such as card details and cryptocurrencies.

This attempt at a takedown by Google isn’t just focused on the code side of things. There’s also a trademark component, and the search giant is none too happy about their familiar product icons being used for malware-related purposes. From the blogpost:

The legal complaint is based on a variety of claims, including computer fraud and abuse and trademark infringement. To hamper the spread of CryptBot, the court has granted a temporary restraining order to bolster our ongoing technical disruption efforts against the distributors and their infrastructure. The court order allows us to take down current and future domains that are tied to the distribution of CryptBot. This will slow new infections from occurring and decelerate the growth of CryptBot.

As The Register notes, this goes beyond the usual restraining order approach where URL registries falling under the court’s jurisdiction must shut down rogue domains. Hardware and virtual machines can be turned off,  network providers can kill server connections powering CryptoBot, and steps can be taken to keep the infrastructure offline permanently.

In other words, the CryptoBot folks are in a lot of trouble. The complaint states that this action is being brought under the Racketeer Influenced and Corrupt Organisations (RICO) act, Computer Fraud and Abuse Act (CFAA), Lanham Act, and New York state common law. RICO alone, intended to deal with the dismantling of organised crime, should be enough to give the ringleaders pause for thought. Everything else is just a bonus.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

On May 1, 2023 the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

This means that Federal Civilian Executive Branch (FCEB) agencies are obliged to remediate the vulnerabilities by May 22, 2023. For the rest of us it means “pay attention,” everyone else with a vulnerable entity should do this as fast as possible too.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs added by CISA were:

• CVE-2023-1389 is a vulnerability in TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. Affected versions contain a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
• CVE-2021-45046 is a very old Apache Log4j2 deserialization of untrusted data vulnerability that still works on enough unpatched servers to be listed.
• CVE-2023-21839 affects Oracle WebLogic Server. It can lead to an unauthenticated attacker with network access gaining unauthorized access to “critical data or complete access to all Oracle WebLogic Server accessible data.”

We would like to zoom in on that last vulnerability for a few reasons.

• First of all because Oracle WebLogic is a very wide-spread java application server and has always been a popular entrance to networks for cybercriminals.
• The vulnerability is easily exploitable. Even for copycats, since there are proof-of-concepts (PoCs) available and exploits are incorporated in pen-testing tools.
• The scope of the vulnerability. There is a real risk that a remote, unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware, and turn to the rest of the internal network.

Oracle WebLogic Suite is an application server for building and deploying enterprise Java EE applications which is fully supported on Kubernetes. That makes it easy to use on-premises or in the cloud. The companies using Oracle WebLogic are most often found in United States and in the Information Technology and Services industry.

In Oracle’s January security advisory you will notice that five researchers are credited with finding and reporting CVE-2023-21839. This may be due to the fact that Oracle issues patches in a quarterly cycle, where many others publish updates monthly. This means that researchers have more time to find new vulnerabilities, but they also have to keep quiet about them for longer. Nevertheless, five separate instances could indicate that this vulnerability was not hard to find.

What’s even worse is that it is easy to exploit the vulnerability. The published exploits target the Listen Port for the Administration Server. The protocol used with this port is T3—Oracle’s proprietary Remote Method Invocation (RMI) protocol, which transfers information between WebLogic servers and other Java programs. An unauthorized attacker with remote access can send a crafted request to a vulnerable WebLogic server and upload a file via an LDAP server. Basically allowing the attacker to execute reverse shells on the target. A reverse shell or “connect-back” shell opens communications with the attacker and allows them to execute commands, which enables them to take control of the system.

Update now

Affected versions of Oracle WebLogic Server are 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. A patch for this vulnerability is available on the Oracle support site for those that have an Oracle account.

Oracle always strongly recommends that you do not expose non-HTTPS traffic (T3/T3s/LDAP/IIOP/IIOPs) outside of the external firewall. You can control this access using a combination of network channels and firewalls.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Last week, OpenAI announced it had given ChatGPT users the option to turn off their chat history. ChatGPT is a “generative AI”, a machine learning algorithm that can understand language and generate written responses. Users can interact with it by asking questions, and the conversations users have with it are in turn stored by OpenAI so they can be used to train its machine learning models. This new control feature allows users to choose which conversations to use to train OpenAI models.

“Conversations that are started when chat history is disabled won’t be used to train and improve our models, and won’t appear in the history sidebar,” the company said in the announcement. “When chat history is disabled, we will retain new conversations for 30 days and review them only when needed to monitor for abuse, before permanently deleting.”

Prior incidents involving ChatGPT may have prompted these changes. Early this month, reports revealed Samsung employees had erroneously shared confidential company information with ChatGPT. Before this, OpenAI took ChatGPT offline after it exposed some chat histories to others using the tool at the same time. This incident earned the attention of a data protection agency in Italy, which then ordered a temporary ban for the AI, pending an investigation.

Along with its announcement, OpenAI also revealed a ChatGPT Business subscription that will keep users’ input out of its training data. “ChatGPT Business will follow our API’s data usage policies, which means that end users’ data won’t be used to train our models by default,” the company said.

How to opt out of OpenAI’s trianing data

Log in to ChatGPT and click the three dots next to your name to open a menu.

Choose Settings from the menu.

The Settings menu will appear in the middle of the screen. Click Show next to Data Controls to expand the window, and then toggle the switch next to Chat History & Training to the off position to stop your data being used to train ChatGPT.

Users can also export their chat history for local storage by clicking the Export data text in the expanded Settings window. Users will receive an email with a button link to the file containing all of their conversations.

Note that disabling Chat History & Training also turns off ChatGPT’s conversation history feature. Chats created after disabling the option won’t appear in the history sidebar, but cached conversations found in the sidebar of the page remain.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW