IT NEWS

Only half of teens agree they “feel supported online” by parents

Not enough children and teenagers trust their parents to support them online, and not enough parents know exactly how to give the support their children need.

Those are some of the latest findings from joint research conducted this summer by Malwarebytes and 1Password, which we have published today in the report “Forever connected: the realities of parenting and growing up online.” The data from our two parallel surveys—one for Generation Z respondents aged 13 to 25 and one for parents whose children are between 8 and 17 years old—revealed the need for parents to take an active, prolonged role in preparing their children to stay safe and private online.

But the task of raising kids online is, understandably, quite nuanced.

As revealed in our research, parents and children often have different ideas about what will keep them safe online. Complicating the matter is that many parents are passing down outdated or ineffective habits to their children, potentially creating a division between how well parents believe they’re supporting their kids and how well kids think they’re being supported.

Separate from cybersecurity, parents and teens also differ on how to stay private online, and even on what online privacy means and for whom. For example, while a majority of Generation Z members want their parents to ask for consent before sharing photos of themselves online, far fewer parents believe their children are owed that consideration. Compounding this is the fact that more than a third of parents said they felt it was okay to start sharing online images of their kids as soon as they were born.

These trends aren’t born of malicious intent, though. Mark Beare, general manager of consumer business for Malwarebytes, noted how parents will share images and videos of their children because they are proud of their kids and want to share these moments with others. Further, many parents—and non-parents—are sharing with an earlier understanding of the Internet.

“As more and more parents have also moved to social media they have begun sharing about their children in a much more public way. They are sharing without understanding the future ramifications on how this affects the digital profile of their kids as they come of age and manage their own digital profiles,” Beare said.

He continued:

“As a society we are all learning that the initial ‘free and open sharing’ that people did when social media was new has ramifications on our privacy and for the privacy of friends and loved ones.” 

In separately reviewing our report, Jason Kelley, associate director of digital strategy and activism at Electronic Frontier Foundation, stressed how important it is for families to learn about the Internet together.

“Whatever age you are, when you go online, you deserve security and privacy,” Kelley said. “It is essential that parents and young people learn how to protect those rights, because at least for now, many online platforms, bad actors, and in many ways the entire ecosystem of the Internet are working against them.”

In our full report, we explore several key themes and statistics:

Lacking parental support. Three quarters (74%) of parents are confident they are keeping their kids safe online, but only 51% of Gen Z respondents agree with the statement: “I feel supported online by my parents.” 

Absent antivirus. Though 76% of parents protect their children’s online experiences by installing antivirus software on devices at home, just 28% of Gen Z said their parents required them to use that software on their own devices.

Problematic security advice. A majority of Gen Z (70%) report that their parents taught them about password security in some way, including problematic security advice like: write down passwords on paper (33%), make easy-to-remember passwords (30%), and use the same password for everything (17%).

The dangers of the internet. 96% of parents and 93% of Gen Z say that using the internet can have harmful effects, with cyberbullying (73% of parents, 66% of Gen Z) and being influenced by misinformation (65% of parents, 64% of Gen Z) being the top two. 

Online since birth. Four out of five (79%) parents post images, videos, or personal information about their kids online. And 39% say it’s fine to start posting images of their children as soon as they’re born.

Clashing expectations for privacy. While 73% of Gen Z wish their parents would ask permission before posting pictures about them online at least some of the time, only 34% of parents ask permission and 39% feel they don’t need permission to post content related to their kids.

Conflicting sense of reality. 89% of parents say they monitor their child’s activity, yet 66% of teenagers say their parents have no involvement in their online accounts.

Stealthy workarounds. 72% of Gen Z admit to having tactics to avoid their parents’ monitoring. Some kids even go above and beyond to avoid detection, with 13% using a virtual private network, 9% having a secret device parents don’t know about, and 6% performing factory resets on their devices.


Chinese APT’s favorite vulnerabilities revealed

In a joint cybersecurity advisory, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.

The advisory aims to “inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).”

The US and other allied nations consider China a cyber threat because it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets include organizations in the IT sector, including telecommunications service providers; the Defense Industrial Base (DIB) sector, which builds and supports military weapons systems; and other critical infrastructure sectors.

It is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.

The advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.

Last year, CISA began publishing a catalog of actively exploited vulnerabilities that need to be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of vulnerabilities favored by Russian state-sponsored threat actors.

If your organization’s intellectual property is likely to be of interest to China, this list is for you. And if it isn’t, this list is still worth paying attention to.

The vulnerabilities

Remote code execution (RCE)

RCE flaws let attackers run code of their choosing on a remote, vulnerable system. The advisory identifies 12 RCEs: CVE-2021-44228 (Log4Shell, in Apache Log4j), CVE-2021-22205 (GitLab), CVE-2022-26134 and CVE-2021-26084 (Atlassian Confluence), CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 (Microsoft Exchange Server, the ProxyLogon chain), CVE-2020-5902 and CVE-2022-1388 (F5 BIG-IP), CVE-2021-42237 (Sitecore XP), and CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus).

Arbitrary file read and upload

The advisory identifies two file-handling flaws. CVE-2019-11510 is a pre-authentication arbitrary file read in Pulse Connect Secure VPN appliances: an unauthenticated attacker can read (but not write) any file on the appliance, including stored credentials and session data. CVE-2021-22005 is an arbitrary file upload in VMware vCenter Server that can be used to place and then execute a payload. Both are useful for stealing data or establishing a foothold.

Authentication bypass by spoofing

CVE-2022-24112 is an authentication bypass flaw in Apache APISIX: by forging a trusted source IP address in a request header, an attacker can reach the admin API they shouldn’t have access to.

Command injection

CVE-2021-36260 is a command injection flaw in the web server of Hikvision IP cameras and recorders that lets an unauthenticated attacker execute commands of their own choosing on the device.

Command line execution

CVE-2021-1497 is a command injection flaw in the web-based management interface of Cisco HyperFlex HX that lets an unauthenticated attacker inject data into the command line of the underlying system and execute commands on it.

Path Traversal

Also known as “directory traversal,” these flaws allow attackers to read, and possibly write to, restricted files by inserting path traversal sequences like ../ into file or directory paths. CVE-2019-19781 (Citrix ADC and Gateway), CVE-2021-41773 (Apache HTTP Server 2.4.49, where the traversal was chained into code execution when CGI scripts were enabled), and CVE-2021-20090 (Arcadyan-based home routers) are all path traversal vulnerabilities.

Mitigations

The NSA, CISA, and FBI urge organizations to undertake the following mitigations:

    • Apply patches as they come, prioritizing the most critical flaws in your environment.
    • Use multi-factor authentication.
    • Require the use of strong, unique passwords.
    • Upgrade or replace software or devices that are at, or close to, their end of life.
    • Consider adopting a zero-trust security model.
    • Monitor and log Internet-facing systems for abnormal activity.
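The last mitigation, monitoring Internet-facing systems for abnormal activity, is easiest to make concrete for the path traversal class above, because traversal attempts are visible in ordinary web server access logs. The script below is an added example written for this article; it is not code from the advisory or from any product. It parses a few constructed Apache combined-format log lines (test addresses from RFC 5737, not real traffic), percent-decodes each request path repeatedly to catch double encoding, walks the path segments, and flags requests that climb above the web root or hide “..” behind encoding. Two of the sample paths mimic the request shapes that were used against CVE-2021-41773 and CVE-2019-19781; the log format, thresholds and function names are this example’s own choices.

```python
"""Find path-traversal attempts in web server access logs.

Added example for this article, not code from the advisory or any product.
It parses a few constructed Apache combined-format log lines, percent-decodes
the request path (repeatedly, to catch double encoding), walks its segments
and flags paths that climb above the web root or hide "..", which is the kind
of abnormal activity the "monitor and log Internet-facing systems" mitigation
is meant to surface.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e/ becomes ../."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_path(raw_path: str):
    """Return (decoded_path, reasons). An empty reasons list means benign."""
    raw = raw_path.split("?", 1)[0]                    # ignore the query string
    decoded = decode_fully(raw).replace("\\", "/")      # IIS-style backslashes
    depth = min_depth = 0
    saw_dotdot = False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            saw_dotdot = True
            depth -= 1
            min_depth = min(min_depth, depth)
        else:
            depth += 1
    reasons = []
    if min_depth < 0:
        reasons.append("escapes web root")
    if saw_dotdot and decoded != raw:
        reasons.append("encoded or backslash traversal")
    if saw_dotdot and not reasons:
        # Browsers resolve ".." before sending, so a literal ".." that stays
        # inside the root is still unusual; keep it as a low-severity hit.
        reasons.append("dot-dot segment inside root")
    return decoded, reasons


def scan_log(text: str):
    """Return a list of (ip, raw_path, decoded_path, reasons) for flagged requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, reasons = classify_path(m["path"])
        if reasons:
            hits.append((m["ip"], m["path"], decoded, reasons))
    return hits


# Constructed log lines (RFC 5737 test addresses), not real traffic. Lines 2
# and 5 mimic the request shapes used against CVE-2021-41773 and CVE-2019-19781.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2022:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1042
203.0.113.9 - - [10/Oct/2022:10:00:03 +0000] "GET /images/../../../../windows/win.ini HTTP/1.1" 404 196
203.0.113.9 - - [10/Oct/2022:10:00:04 +0000] "GET /vpn/..%252F..%252Fvpns/cfg/smb.conf HTTP/1.1" 403 0
203.0.113.13 - - [10/Oct/2022:10:00:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 2210
203.0.113.11 - - [10/Oct/2022:10:00:06 +0000] "GET /docs/a/../b.html?x=1 HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for ip, raw, decoded, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:14} {raw:45} -> {decoded:32} {', '.join(reasons)}")
```

Note the fifth line: the request never leaves the web root, so a detector that only checks the final depth would pass it, yet this is exactly the shape that bypassed a prefix-based access check in the Citrix case. Keep the low-severity hits for Internet-facing appliances rather than dropping them, and treat a 200 response to any flagged request as an incident, not a log entry.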

Top 5 ransomware detection techniques: Pros and cons of each

In the fight against ransomware, much of the discussion revolves around prevention and response. Actually detecting the ransomware, however, is just as important to securing your business. To understand why, just consider the following example.

Let’s say you’re a farmer taking care of a flock of sheep and you’re worried about wolves. You’ve installed a fence: that’s prevention. You have an air horn to scare away the wolf in the event of an attack: that’s response. Great! But what if you had an alarm system and could take action as soon as the wolf got through your fence, before it started attacking at all? That’s what detection is all about.

Detection sits between prevention and response, and it’s a critical layer of defense against ransomware. Ransomware will get past your preventive controls sooner or later, and when it does you want to detect it right away so it can be stopped before it moves through your network and encrypts valuable or sensitive files.

But detecting ransomware can be tricky. Attackers use obfuscation and evasion techniques to avoid detection, and new ransomware variants are being produced every day. As a result, businesses should be using multiple different ransomware detection techniques, fully aware of the pros and cons of each.

In this post, we’ll look at 5 ransomware detection techniques and their pros and cons.

  1. Static file analysis 
  2. Common file extensions blacklist
  3. Honeypot files / deception techniques 
  4. Dynamic monitoring of mass file operations
  5. Measure changes of files’ data (Entropy)

1. Static file analysis

Let’s say you’re on an IT or security team and an alert has triggered on a key server within the organization. The alert is rather vague, but it reports that a file on the server is potentially malware.

Making matters worse, the hash of the file isn’t on VirusTotal and you can’t find any information on the Internet to determine if the file is malicious or not. 

To see if this file is potentially ransomware (or any malware for that matter), one option is to do static file analysis. Static file analysis is a type of malware analysis that looks at whether an executable file is suspicious without actually running the code.

In the context of ransomware, static file analysis looks for known malicious code sequences or suspicious strings, such as commonly targeted file extensions and common words used in ransom notes.

Static malware analysis examines a malware sample without executing it.

One of the free tools that you may find useful for this purpose is PeStudio. This free tool flags suspicious artifacts within executable files and can be used to examine the embedded strings, libraries, imports, and other indicators of compromise (IOCs) in a file.

Pros: 

  • Low false positive rate

  • Effective against known ransomware

  • Can stop attacks before execution so no files are encrypted

Cons:

  • Time consuming if conducted manually

  • Can be bypassed easily using Packers / Crypters or by simply replacing characters with digits or special characters

2. Common file extensions blacklist

With file access monitoring tools, you can blacklist file rename operations for well-known ransomware extensions, or be alerted as soon as a new file is created with such an extension. 

For example, NetApp’s FPolicy file-access monitoring lets you block files with particular extensions from being saved on the storage system and its shares, such as .wncry, the extension WannaCry appends to the files it encrypts. Other products with a ransomware extension blacklist include ownCloud and Netwrix.

There are a variety of lists of common ransomware extensions on the Internet. One example is https://fsrm.experiant.ca/ (scroll down to “Raw List”).

Pros:

  • Low false positive rate

  • Effective against common ransomware

  • No damage is done

Cons: 

  • Trivial to bypass; ransomware with a new extension will manage to encrypt

  • It can be difficult to find a file-monitoring solution that has an extension blacklist feature

3. Honeypot files / deception techniques 

A honeyfile is a decoy file intentionally placed in a shared folder or other location to detect the presence of an attacker: when the file is opened, an alarm is raised. For example, a file named passwords.txt could be used as a honeyfile on a workstation.

One popular way to create quick and easy honeyfiles is by using Canarytokens. Canarytokens is a free service from Thinkst Canary that embeds a token (a unique identifier) into a document, such as a Microsoft Word or Excel file, an Adobe Acrobat PDF, an image, a directory folder, and more.

Any time a Canarytoken is accessed, Canary sends you a notification email to the address tied to the token. You can rename the Canary files to names that ransomware actors search for when looking for files on the victim network, such as “statement,” “policy,” or “insurance.” 

Placing the Canarytoken in a folder where it will be seen by ransomware actors.

Pros:

  • Can detect ransomware that static engines do not catch.

Cons: 

  • Some false positives, as programs and users may touch the bait files

  • Files will be encrypted until ransomware touches the decoy files

  • Bypass by skipping hidden files/folders, or by targeting specific folders

4. Dynamic monitoring of mass file operations

By monitoring the file system for mass file operations such as rename, write, or delete within a certain period of time, you can catch a ransomware attack happening in real time and potentially even block it automatically (depending on your solution).

A File Integrity Monitoring (FIM) tool can help you detect ransomware in this way. A FIM verifies and validates files by comparing the latest versions of them to a known, trusted “baseline,” and alerts you when files have been altered, updated, or compromised. 

There are free, open source FIM tools available, such as OSSEC and Samhain, and other solutions feature real-time remediation capabilities so you can instantly block detected ransomware with an automated threat response.

Pros:

  • Can detect ransomware that static engines do not catch

Cons: 

  • Files will be encrypted until the defined limit is exceeded

  • Easily bypassed by adding a delay between encryptions, or by spawning multiple processes that each encrypt a small batch of files
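A sliding-window rate rule of the kind a FIM or endpoint agent applies, as an added example written for this article (it is not code from OSSEC, Samhain or any product). It consumes a constructed stream of file events in the shape such tools report them, (timestamp, pid, operation, path), and runs three scenarios through the same rule: a single-process burst, the multi-process split from the cons above, and a slow drip. The threshold, window and event layout are this example’s assumptions.

```python
"""Sliding-window detector for mass file operations.

Added example for this article (not code from OSSEC, Samhain or any
product). It feeds a constructed stream of file events, as a FIM or
minifilter driver would report them, through a rate rule and shows which
of the evasions listed in the cons get past a per-process rule.
"""
from collections import defaultdict, deque


class MassOpsDetector:
    """Alert when a key (one PID, or the whole host) exceeds `threshold`
    rename/write/delete operations inside a `window`-second sliding window."""

    WATCHED_OPS = ("rename", "write", "delete")

    def __init__(self, threshold=50, window=5.0, per_process=True):
        self.threshold = threshold
        self.window = window
        self.per_process = per_process
        self._recent = defaultdict(deque)   # key -> timestamps inside the window
        self._alerted = set()

    def feed(self, ts, pid, op, path):
        """Process one event; return an alert dict, or None."""
        if op not in self.WATCHED_OPS:
            return None
        key = pid if self.per_process else "host"
        q = self._recent[key]
        q.append(ts)
        while q and ts - q[0] > self.window:     # drop events that left the window
            q.popleft()
        if len(q) >= self.threshold and key not in self._alerted:
            self._alerted.add(key)
            # len(q) files have already been touched by the time this fires:
            # that is the "encrypted until the limit is exceeded" con.
            return {"key": key, "at": ts, "ops_in_window": len(q), "last_path": path}
        return None


def run(events, per_process=True, threshold=50, window=5.0):
    """Replay events in timestamp order and collect the alerts raised."""
    det = MassOpsDetector(threshold, window, per_process)
    return [a for a in (det.feed(*e) for e in sorted(events)) if a]


# Constructed scenarios: (timestamp, pid, op, path).
def burst_events():
    """One process renaming 200 files at 100 files/s: the textbook case."""
    return [(i * 0.01, 4242, "rename", f"/share/doc{i}.docx.locked") for i in range(200)]


def multi_process_events():
    """Eight workers, 40 files each, within 4 s: every PID stays under 50."""
    return [(i * 0.1, 5000 + w, "write", f"/share/w{w}/doc{i}.docx")
            for i in range(40) for w in range(8)]


def slow_events():
    """One process encrypting one file per second for a minute."""
    return [(float(i), 7, "write", f"/share/doc{i}.docx") for i in range(60)]


if __name__ == "__main__":
    for name, evs in (("burst", burst_events()), ("multi", multi_process_events()),
                      ("slow", slow_events())):
        print(name, "per-process:", run(evs, per_process=True))
        print(name, "host-wide:  ", run(evs, per_process=False))
```

The per-process rule catches the burst but not the eight-worker split; keying the window on the host (or on a share or directory tree) catches the split but still fires only after 50 files are gone. The slow drip beats both, which is why rate rules are paired with the entropy and honeyfile techniques rather than used alone, and why the threshold should be tuned per share: a build server legitimately rewrites thousands of files in seconds.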

5. Measure changes of files’ data (Entropy) 

In cybersecurity, a file’s entropy refers to a specific measure of randomness called Shannon entropy, expressed in bits per byte. Typical text and document files have low entropy, while encrypted or compressed data has high entropy, close to the maximum of 8 bits per byte. By measuring a file’s entropy before and after it is written, a sudden jump tells you its contents have been replaced with something that looks like ciphertext.

Patrick Wardle’s free RansomWhere? tool uses file entropy to detect (and block!) untrusted processes that are encrypting your personal files. Tools that measure file entropy can also block processes after multiple flagged modifications with significant changes.

Histogram of entropy of legitimate versus malicious files.

Pros:

  • Can detect ransomware that static engines do not catch

  • Fewer false positives than previously mentioned dynamic techniques

Cons: 

  • High CPU utilization on the endpoint

  • Files will be encrypted until a level of confidence is reached, so not all damage is blocked

  • Bypassed by encrypting only part of each file, by encrypting in small chunks, or by spreading the work across multiple processes
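The entropy measurement itself, as an added example written for this article (it is not code from RansomWhere? or any product). It computes Shannon entropy for a file’s contents before and after a write and flags a jump, and it also compares 4 KiB chunks so that the partial-encryption bypass from the cons above is still caught when the whole-file number stays unremarkable. The sample contents are constructed here; the “ciphertext” is seeded pseudo-random data standing in for real cipher output, and the thresholds are this example’s own.

```python
"""Entropy-based detection of encrypted writes, with per-chunk checks.

Added example for this article; it is not code from RansomWhere? or any
product. It computes Shannon entropy (bits per byte) for a file's contents
before and after a write and flags a jump, and it also checks 4 KiB chunks
so that a file that was only partly encrypted is still caught. Sample
contents are constructed in this file; "ciphertext" is seeded pseudo-random
data standing in for real encryption output.
"""
import math
import random
from collections import Counter
from itertools import zip_longest


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = 4096):
    """Entropy of each fixed-size slice, so a localized change stands out."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify_write(before: bytes, after: bytes, *, high=7.0, jump=2.0, chunk=4096):
    """Compare a file before and after a write. Returns the measurements and
    the reasons (if any) the write looks like encryption."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    reasons = []
    if e_after >= high and e_after - e_before >= jump:
        reasons.append("whole-file entropy jump")
    # Per-chunk comparison: a chunk that was low-entropy and is now near
    # 8 bits/byte is flagged even when the file as a whole still looks normal.
    # Comparing against the chunk's own "before" value keeps files that were
    # already high-entropy (JPEGs, archives) from being flagged on every write.
    hot = 0
    for eb, ea in zip_longest(chunk_entropies(before, chunk),
                              chunk_entropies(after, chunk), fillvalue=0.0):
        if ea >= high and ea - eb >= jump:
            hot += 1
    if hot:
        reasons.append(f"{hot} chunk(s) turned high-entropy")
    return {"before": round(e_before, 2), "after": round(e_after, 2),
            "hot_chunks": hot, "reasons": reasons}


# Constructed sample contents.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 1000   # 45,000 bytes
_rng = random.Random(20221011)                                        # fixed seed
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT)))
PARTIAL = CIPHERTEXT[:4096] + PLAINTEXT[4096:]   # only the first chunk "encrypted"

if __name__ == "__main__":
    print("full encryption   :", classify_write(PLAINTEXT, CIPHERTEXT))
    print("partial encryption:", classify_write(PLAINTEXT, PARTIAL))
    print("benign rewrite    :", classify_write(PLAINTEXT, PLAINTEXT))
```

The per-chunk rule is what closes the “encrypt only part of the file” gap, and it is also the source of the CPU cost listed in the cons: every write now costs a histogram over the changed region. It does not close the gap completely. A variant that encrypts short interleaved runs much smaller than the chunk size lifts each chunk’s entropy by less than the configured jump, so chunk size and jump have to be tuned against the file types on the share, and this check should be layered with the rate and honeyfile techniques rather than relied on alone.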

Getting creative with ransomware detection techniques

Building several detection methods into your organization’s anti-ransomware strategy is essential. Catching ransomware early limits lateral movement and further damage. But remember: always assume an attack will eventually succeed.

No matter what, make sure you have a ransomware prevention and recovery strategy in place. You can read our Defenders Guide to Ransomware Resilience for more on ransomware response. In terms of prevention, our Ransomware Prevention Checklist is a great place to start.

Malwarebytes EDR’s anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity. It features a dedicated real-time detection engine that does not use signatures, and doesn’t require updates. Our EDR also has multiple combined modes of endpoint isolation and gives you up to 72 hours of ransomware rollback. 

Check out a few case studies below to see how organizations used Malwarebytes EDR to fight against ransomware.

City of Vidalia gains a ransomware and vulnerability-free zone

Mike Carney Toyota tackles the rising ransomware threat

Alden Central Schools gains peace-of-mind protection against ransomware threats

Update now! October patch Tuesday fixes actively used zero-day…but not the one you expected

Microsoft fixed 84 vulnerabilities in its October 2022 Patch Tuesday updates. Thirteen of them received the classification ‘Critical’. Among them are a zero-day vulnerability that’s being actively exploited, and another that hasn’t been spotted in the wild yet.

The bad news is that the much-desired fix for the “ProxyNotShell” Exchange vulnerabilities was not included.

What was fixed

A widely accepted definition for a zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the software vendor. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, computers or a network.

By that definition, a vulnerability that has been publicly disclosed before a fix is available is a zero-day even if nobody has yet been seen exploiting it.

The actively exploited vulnerability in this month’s batch is CVE-2022-41033, a vulnerability with a CVSS score of 7.8 out of 10. It is described as a ‘Windows COM+ Event System Service Elevation of Privilege (EoP)’ vulnerability; successful exploitation can give an attacker SYSTEM privileges.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold on a system. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

Another publicly disclosed vulnerability that gets a fix is CVE-2022-41043, a Microsoft Office Information Disclosure vulnerability. Affected products are Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac. Microsoft says attackers could use this vulnerability to gain access to users’ authentication tokens.

What wasn’t fixed

The Exchange Server “ProxyNotShell” vulnerabilities, CVE-2022-41040 and CVE-2022-41082, were not fixed in this round of updates. One is a Server-Side Request Forgery (SSRF) vulnerability and the other a remote code execution (RCE) vulnerability that exists when PowerShell is accessible to the attacker. The two can be chained together into an attack.

Microsoft says it will release updates for these vulnerabilities when they are ready. In the meantime, you should read this blog post to learn about mitigations for those vulnerabilities.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones:

That should be enough to keep you busy. Get patching!

UK government sounds alarm on tax scams

The UK government has issued a warning for people to be on their guard against fake tax rebate scams as they gear up to fill out their 2021/22 tax returns.

Ensuring your self-employed documents are correct and accurate can be a complicated business at the best of times. Having to worry about scammers making it all worse can make it a nightmare.

During tax season, a wave of bogus emails, texts, and even phone calls, can find their way into your workspace as you arrange your receipts and spreadsheets. The department responsible for tax in the UK, known as HMRC, has this to say:

In the 12 months to August 2022, HMRC responded to more than 180,000 referrals of suspicious contact from the public, of which almost 81,000 were scams offering fake tax rebates.

Criminals claiming to be from HMRC have targeted individuals by email, text and phone with their communications ranging from offering bogus tax rebates to threatening arrest for tax evasion.

Facts and figures

HMRC is quite aggressive toward scam portals and fakeouts generally. According to its release, in the 12 months to August 2022 it:

  • Responded to 181,296 referrals of suspicious contact.
  • Responded to 55,386 reports of phone scams.
  • Reported 10,565 malicious web pages for takedown.
  • Helped remove 48 phone numbers used for scams.

That is indeed a decent slice of takedown action. If you want to contribute to this tally, you can take any or all of the below steps:

With all of this in mind: What can you do to keep yourself safe from fake HMRC-related messaging?

Avoiding scams in a taxing time

There are some common traits which show up time and time again in fake tax scam land. As you may imagine, much of it hinges on fictitious refunds. Often, it isn’t “just” your tax info or logins the scammers are hunting for. If they can drag more data of yours into the mix, they’ll do it without a moment’s hesitation. Here’s what you need to watch out for:

  • Be very suspicious of so-called refund attachments arriving by email. The attachment may be malware, or try to direct you to a phishing portal. HMRC does not issue refunds in this fashion.
  • Some fake refund portals will encourage you to “search” for your account by entering your email, date of birth, and other information. One fake search page later and you’ll be asked to hand over the rest of your information.
  • A number of HMRC phishing attacks will branch out into phishing for bank portal logins. Whether the landing page has a padlock or not, you should not trust sites which arrive alongside refund or tax assistance claims. If you want to visit your banking portal, navigate to the site directly. Following a chain of links from a “too good to be true” email is a recipe for tax and banking disaster. On a related note, they may go after your email logins too. The same rules apply: Do not visit these links, and if you do, avoid entering logins / bank details / personal information.
  • Treat urgent, out-of-the-blue phone calls with extreme suspicion. If they claim to be offering a refund but “only for a few more days” or even just the length of the call, this is incredibly suspicious behaviour. It’s designed to put the would-be victim off guard so they make a rash decision. No genuine call would prevent you from calling the official number yourself and following up. It’s a scam!

Stay safe out there!

Smart lights vulnerable to “blink and you’ll miss it” attack

Over the last couple of years, key parts of our daily lives have been sliding into some form of Internet connectivity. Smartphones and other devices have become necessities. Paying bills? Those systems have moved online. Tax? Online. Wage slips and bank statements? It’s paperless time. Welfare assistance? There’s a login portal for that. In short, people need web access.

However, there’s a lot of non-critical systems and services which are making this leap too. And if it’s got a computer in it and it’s connected to the Internet, you know that sooner or later somebody will find a way to compromise it. Internet-connected light bulbs, now is your time to shine.

Shining a light on vulnerabilities

Back in 2021, researchers discovered two flaws in IKEA’s TRÅDFRI smart lighting system, now tracked as CVE-2022-39064 and CVE-2022-39065. Both are triggered by a malformed Zigbee (IEEE 802.15.4) frame. One lets an attacker make the light bulbs blink; replayed enough times, the same frame makes a bulb factory reset, so the system “forgets” its configuration and the bulbs come back at maximum brightness. The other makes the gateway stop responding. It’s the old “Blink once for yes, blink twice for no” except in this case it’s “Blink once to assume control, blink a few more times to perform a factory reset”.

Victims of these potential attacks could power cycle their gateway, but the attackers would be free to come back at any time without a fix in place. Now, some folks may wonder what the big deal is as it’s “just” making a light bulb blink. Well, if nothing else, ramping someone’s household to maximum lightbulb brightness over a sustained period of time isn’t great at a time of spiralling energy bill costs.

But there’s more to it than that. Whether the computer in question is a server or a light bulb, unauthorised users are not supposed to be able to make it do things without your permission. When they do, the only thing you know for sure is that your security has been breached.

The gateway flaw, CVE-2022-39065, has been addressed in gateway software versions 1.19.26 onward. According to The Record, CVE-2022-39064, the bulb flaw, “has not been fully dealt with” and there’s no ETA on when a full fix will arrive.

The winding road of IoT issues

The Internet of Things (IoT) is here to stay, and a lot of folks simply like the idea of managing every aspect of their home life via one app or service. Unfortunately, some services or devices are cheaply made and insecure by default.

IoT devices can introduce new risks too. Some devices inadvertently provide abusive people with new ways to harass and abuse their partner or ex-partner, for example.

And making devices “smart” often means making them dependent on an Internet connection or cloud service—which is fine until they aren’t there. In 2020, an Amazon cloud service outage managed to knock out all kinds of things that would previously have been unaffected, from doorbells to hoovers.

Realistically, the genie is out of the bottle and manufacturers are going to continue to include “smart” functionality in everything from TVs to refrigerators. As a result, it’s essential that researchers and device tinkerers are able to explore, find, and report on potential security concerns, because IoT failures can be far more serious than a bit of unauthorised light blinking. On a recent Lock and Code podcast, hacker Sick Codes explained how they broke open a John Deere tractor and installed a version of Doom.

So, what can you do about all this?

First of all, treat anything you own that’s “smart” as if it’s just another computer. Understand how you’ll learn about security updates, and how you download and apply them. If you can’t, or if there are known problems with no apparent fix, fire up a support conversation with the manufacturer.

Security awareness campaign highlights things your bank will never say

If you like anti-phishing efforts, hashtags, and confusing but colourful video games, you’ll be interested to know that a security initiative involving all three is now live. The American Bankers Association and a number of US banks are running an awareness campaign tied in with National Cybersecurity Awareness Month.

The campaign focuses on phishing and ways to tackle it head on with the aid of some learning tools and an informative website. It’s called “Banks never ask that,” and this is a good place to focus a campaign given the number of times we do indeed say that “banks will never ask you this.” It’s a common bit of security messaging, given a potentially very visible boost. That can only be a good thing, right?

Scoping out the scams

The incredibly colourful Banks Never Ask That is a collection of tips focused on four key areas of phishing danger: text messages, mobile payment app scams, email, and phone calls. Each section focuses on advising would-be victims to slow things down and not be rushed into hasty decisions by the scammer. This is a good idea; many phishing attacks plug into a fear of missing out, or time limited offers, and even refunds and panic-inducing situations. This is all in an effort to have someone not think clearly, and hand over logins or payment details in ways which can’t easily be corrected.

Also, a related PDF that claims to offer a “deeper look” into the problem repeats much of the same info from the website’s dropdown menus. All the same, it’s still handy to have all of the information in one place as opposed to dropdown categories which are only viewable one at a time.

The rest of the site focuses on specific areas of security related to locking down accounts, using multi-factor authentication, insisting on calling back a bank directly instead of taking a random caller’s word for it and so on.

There’s also one of those pages where you can “spread the word”, in the form of pre-written tweets giving the same advice. I’m not entirely convinced this kind of thing is particularly effective, but the option is there nonetheless.

Let’s all go to the movies

There is a tendency for people to not read things, and any cybersecurity month runs the risk of overloading folks with information. When everyone is saying to do this, and not do that, over the space of a few weeks, then fatigue will come into play.

With this in mind, there’s a number of videos tied to the campaign which make a lot of the points easier to digest. One focuses on not falling for fake phone calls from your bank, another makes the point that bank staff will never ask for your PIN number. In fact, the videos seem to make the point about what banks don’t ask for more clearly than the various text-laden portions of the site. In conclusion, bonus points for the videos! They’re short, easy to understand, and work like a charm.

Taking a trip to Scam City

Finally, we come to the prominently promoted game on the front page called “SCAM CITY.” It’s a very old fashioned side scrolling game where you jump or slide underneath enemies designed to look like the various types of cyberthreats being warned about.

There’s a flying telephone in the form of a landline receiver, which some players probably won’t recognise. We have an angry wallet, which I thought was a brick. There’s something which for all the world looks like a rectangular fried egg, but is supposed to be a…payment app? A mobile phone? A brick covered in egg? I don’t know.


The game works by giving you security tips. Unfortunately, you most often see a tip once you collide with an enemy and then die. It’s also easy to miss the tips as they appear and click right through them. If you manage to survive long enough, you eventually see one additional bonus tip once you gain enough points.

What this means is we have an educational game where you’re only educated if you’re really bad at it, or decide to deliberately run into the enemies. Good players will see one tip and then that’s probably it, until they die and then are graced with a second tip.

From a design perspective, it feels like penalizing the player for doing well is at odds with trying to show them as many fun security tips as possible.

How to dodge the fakers and phishers

Despite the fun and breezy nature of this campaign, it is underpinned by some very serious business. As DRG News highlights, the United States Federal Trade Commission (FTC) estimated somewhere in the region of $5.8 billion lost to phishing and related fraud across 2021.

It only takes one mistake to find yourself faced with significant and damaging losses from a phish. As such, maybe a light and playful attempt at having folks think more about what a bank doesn’t ask you for is a smart move. Here are a few more tips:

  • You won’t be asked for PINs, secret passwords, or online banking logins by a legitimate bank employee. Nor will someone on the phone from your bank ever ask you for any kind of authentication code.

  • Bogus refunds and non-existent problems with your account are common tactics. Where genuine issues such as these exist, you’ll almost certainly receive a letter in the post about it first or have an alert in your online banking portal to check out if you’re paperless. As with all of these fake-outs, you should phone the bank directly using a number from the official website.

  • Treat email attachments with skepticism, especially in relation to refunds or payment issues. The attachment may direct you to a phishing site, or even attempt some form of malware hijack. If you’re using Microsoft Office products, the macros and other active content that document-based malware relies on should be disabled by default. “Read only” mode is best, but not opening the document in the first place is even better.

  • Very rarely, scammers will claim that a bank’s site is being updated, or replaced, and moved to a new URL. Should you receive a message along these lines, call your bank and visit the real thing. It’s almost certainly going to be a fake; this isn’t the kind of thing a bank keeps quiet and then suddenly changes with almost zero warning.

  • If you’re talking to your bank’s customer support on social media, make sure the account you’re talking to is the one you started with. Scammers create fake bank profiles and attempt to interject in your conversation when the real support channel is out of office.

Stay safe out there.

An 18-year scam odyssey of stranded astronauts

There is a semi-mythical scam which comes around every couple of years, like some sort of digital bad luck version of Halley’s Comet. Instead of flood, famine, and the death of Kings, it brings confusion, some level of hilarity, and a slice of sheer disbelief.

Unfortunately it also threatens to clean out somebody’s bank account. While I’m not aware of someone having lost money to this scam previously, it struck gold in 2022. An arrow fired roughly 18 years ago has finally found its mark.

Did I mention the arrow is in space?

2004: First contact

Cast your mind back to 2004, because that’s where our tale begins. A frankly spectacular email claimed to be from one Dr. Bakare Tunde, an “Astronautics Project Manager” who really needed some help. This is because he claimed his cousin, Abacha Tunde, was stranded on a secret Soviet military space station, having arrived via a Soyuz, the craft that would typically fly to and from the International Space Station.

A huge amount of wealth had accumulated up there in space on account of his wages still being paid somehow, instead of just bringing him back down from the super secret space station. The plan was to have a huge slice of cash transferred to the bank account of the potential victim, which would then allow them to access the $15,000,000 held in a trust. This would then be used to bring the lost astronaut home.

Yes, it’s all very silly. The email came and went with a lot of eye-rolling and mockery. Off it went back into the depths of space, never to be seen again.

Right?

2010: Still hitching a ride

Wrong. It’s now 2010, and Dr. Bakare Tunde is still asking for help to get his cousin, Abacha Tunde, returned to Earth. It seems nobody heeded the call, and so he’s back for another round of very peculiar investor funding.

As you might imagine, still nobody seems to be falling for this one. It’s simply too far-fetched for anybody to take seriously. Once again, the secret Soviet space station is lost to the void. This is surely Abacha’s last stand, isn’t it?

2016: The Abacha comeback special

Nope. Wind forward to 2016. He’s back! And he’s still trapped in space. Yes, our intrepid astronaut Abacha Tunde has now been sitting in space next to piles of cargo for 25 years. He’s very tired. A more inventive astronaut would’ve surely tried to rig the controls and land the thing in a field by this point. Instead, he’s still up there. At this point, there were even suspicions that this wasn’t a genuine scam (those words aren’t contradictory, we promise) anymore but a parody. Someone had simply dusted off a classic, so to speak, and fired it out as a joke.

I can only imagine Abacha was furious. Anyway, after everybody did their customary laughter and waved him off, that was absolutely, definitely the last time anybody would see him again.

Right?

2022: Passing the space baton

Well yes, actually, as it turns out. Abacha Tunde was indeed gone for good, only to be replaced in 2022 by an all new Russian astronaut stranded in space. Sadly for Abacha, this all new astronaut was trapped on the International Space Station and not the increasingly rusty Soviet base.

Our nameless space explorer had a social media page, apparently posting fake images to an Instagram account and luring in a 65-year-old woman in Japan. This was to be no ordinary request for space transportation, but was actually a completely bizarre romance scam. The astronaut still needed help returning to Earth, but if she helped him out, he’d move to Japan and presumably settle down.

He extracted around $30,000 from her over a period of about a month. As the requests for cash increased, the victim became suspicious and contacted law enforcement. At this point, the facade collapsed and she realised she’d been swindled.

Final transmission

We cover romance scams a lot, and this is the second major one in as many weeks to hit the news in Japan. It’s a valuable reminder that this kind of attack can strike no matter where you’re located.

If you’re curious about the bizarre, historically accurate details from the original attack way back in 2004, someone pieced it all together during Abacha’s third and final appearance. We can only hope that he’s finally gone forever, because the last thing we need is two lost romance scammers bringing peril from the sky.

Teen talk: What it’s like to grow up online, and the role of parents: Lock and Code S03E21

Growing up is different for teens today. 

Issues with identity, self-expression, bullying, fitting in, and trusting your friends and family—while all those certainly existed decades ago, they were never magnified in quite the same way that they are today, and that’s largely because of one enormous difference: The Internet. 

On the Internet, the lines of friendship are reinforced and blurred by comments or likes on photos and videos. Bullying can reach outside of schools, in harmful texts or messages posted online. Entirely normal feelings of isolation can be preyed upon in online forums where users almost radicalize one another by sharing anti-social theories and beliefs. And the opportunity to compare one’s self against another—another who is taller, or thinner, or a different color, or who lives somewhere else or has more friends—never goes away.

The Internet is forever present for our youngest generation, and, from what we know, it’s hurting a lot of them. 

In 2021, the US Centers for Disease Control and Prevention surveyed nearly 8,000 high school students in the country and found that children today were sadder, more hopeless, and more likely to have contemplated suicide than just 12 years prior.

Despite the concerns, we still thrust children into the Internet today, either to complete a homework assignment, or to create an email account to register for other online accounts, or to simply talk with their friends. We also repeatedly post photos of them online, often without discussing whether they want that. 

In today’s episode of Lock and Code with host David Ruiz, we speak to two guests so that we can better understand what it is like to grow up online today and what the challenges are of raising children in this same environment now.

Our first guest, Nitya Sharma, is a Bay Area teenager who speaks with us about the difficulties of managing her time online and in trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.

“I think the things that kids find on the Internet, they’re going to find anyways. I probably found some stuff too young and it was bad… I think it’s more of, I don’t want them to become dependent on it.”

But our episode doesn’t end there, as we also bring in 1Password co-founder Sara Teare to discuss how parents can help their kids navigate the Internet today and in the future. Teare’s keenly attuned to this subject, not only because she is a parent, but also because her company has partnered with Malwarebytes to release new research this week—available October 13—on growing up and raising kids online.

Tune in today to hear both Nitya’s stories and Sara’s advice on growing up and raising children online.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

White House unveils Blueprint for an AI Bill of Rights

On Tuesday, the Biden-Harris Administration’s Office of Science and Technology Policy (OSTP) unveiled a new Blueprint for an AI Bill of Rights, which lists five principles to guide the design, use, and development of intelligence-based automated systems “to protect the American public in the age of artificial intelligence”.

These principles focus on things that matter to Internet users: Protection from risky systems, protection from discrimination, data privacy, notice and explanation of AI use, and the option to opt out.

“Automated technologies are increasingly used to make everyday decisions affecting people’s rights, opportunities, and access in everything from hiring and housing, to healthcare, education, and financial services,” the White House said in a press release. It continued:

While these technologies can drive great innovations, like enabling early cancer detection or helping farmers grow food more efficiently, studies have shown how AI can display opportunities unequally or embed bias and discrimination in decision-making processes. As a result, automated systems can replicate or deepen inequalities already present in society against ordinary people, underscoring the need for greater transparency, accountability, and privacy.

While the blueprint is for big tech companies, Dr. Alondra Nelson, deputy director for science and society in the OSTP, made clear it’s also for every American who interacts with AI or whose life is affected by “unaccountable algorithms”. 

In mid-September, the White House conducted a listening session on tech platform accountability wherein experts identified six concerns, each paired with a core principle for reform.

AI prejudice

Perhaps the most significant source of AI pain is algorithmic discrimination. The discrimination stems from the fact that AIs are trained on data sets rather than explicitly programmed. Gaps or biases in the training data inform the way that AI evaluates data in the real world.

As a result, the human prejudices some hoped AI would eliminate are sometimes baked right in. There are AIs that can’t understand certain accents, others have prevented African Americans from getting kidney transplants, and some just don’t think women can be computer programmers.

Although failings in AI are generally unintentional, their effects on marginalized populations can be real and severe.

Just the first step

While many organizations, such as the Center for Democracy and Technology (CDT), the American Civil Liberties Union (ACLU), and Access Now, have welcomed the government’s Blueprint for the AI Bill of Rights, some say it shouldn’t end here.

“This is clearly a starting point. That doesn’t end the discussion over how the US implements human-centric and trustworthy AI,” Marc Rotenberg, head of the Center for AI and Digital Policy (CAIDP), told Technology Review. “But it is a very good starting point to move the US to a place where it can carry forward on that commitment.”

He also wants to see the US implement “checks and balances to AI uses that have the most potential to cause harm to humans”, such as those in the EU’s upcoming AI Act.

“We’d like to see some clear prohibitions on AI deployments that have been most controversial, which include, for example, the use of facial recognition for mass surveillance,” Rotenberg said. 

Russell Wald, Director of Policy for the Stanford Institute for Human-Centered AI, thinks the blueprint lacks details or mechanisms for enforcement. “It is disheartening to see the lack of coherent federal policy to tackle desperately needed challenges posed by AI, such as federally coordinated monitoring, auditing, and reviewing actions to mitigate the risks and harm brought by deployed or open-source foundation models,” he said.

Sneha Revanur, founder and president of Encode Justice, an organization focusing on youth and AI, also sees that flaw but has high hopes: “Though it is limited in its ability to address the harms of the private sector, the AI Bill of Rights can live up to its promise if it is enforced meaningfully, and we hope that regulation with real teeth will follow suit,” she said.