IT NEWS

In 2020, a photo of a woman sitting on a toilet—her shorts pulled half-way down her thighs—was shared on Facebook, and it was shared by someone whose job it was to look at that photo and, by labeling the objects in it, help train an artificial intelligence system for a vacuum.

Bizarre? Yes. Unique? No. 

In December, MIT Technology Review investigated the data collection and sharing practices of the company iRobot, the developer of the popular self-automated Roomba vacuums. In their reporting, MIT Technology Review discovered a series of 15 images that were all captured by development versions of Roomba vacuums. Those images were eventually shared with third-party contractors in Venezuela who were tasked with the responsibility of “annotation”—the act of labeling photos with identifying information. This work of, say, tagging a cabinet as a cabinet, or a TV as a TV, or a shelf as a shelf, would help the robot vacuums “learn” about their surroundings when inside people’s homes. 

In response to MIT Technology Review’s reporting, iRobot stressed that none of the images found by the outlet came from customers. Instead, the images were “from iRobot development robots used by paid data collectors and employees in 2020.” That meant that the images were from people who agreed to be part of a testing or “beta” program for non-public versions of the Roomba vacuums, and that everyone who participated had signed an agreement as to how iRobot would use their data.

According to the company’s CEO in a post on LinkedIn: “Participants are informed and acknowledge how the data will be collected.”

But after MIT Technology Review published its investigation, people who’d previously participated in iRobot’s testing environments reached out. According to several of them, they felt misled. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with the investigative reporter of the piece, Eileen Guo, about how all of this happened, and about how, she said, this story illuminates a broader problem in data privacy today.

“What this story is ultimately about is that conversations about privacy, protection, and what that actually means, are so lopsided because we just don’t know what it is that we’re consenting to.”

Tune in today.

On January 26, 2023, the United States Department of Justice (DoJ) released details about a disruption campaign against the Hive ransomware group. The disruption campaign has reportedly had access to Hive’s infrastructure since July of 2022. Its access became public on Thursday when Hive’s dark web began showing a notice that “this hidden site has been seized.”

Hive

Hive ransomware has been around since June 2021. It is a ransomware-as-a-service (RaaS) operation which uses the threat to publish exfiltrated data as extra leverage to get the victims to pay. Hive was one of the most widely used RaaS in 2022, according to monitoring of dark web leak sites by Malwarebytes Threat Intelligence.

In August 2021, the FBI published a warning about Hive ransomware, sharing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation advice. In February 2022, researchers discovered a way to decrypt files for all versions of Hive ransomware up to and including version four. Hive is also thought to be one of the gangs that welcomed Conti members after the Conti disbandment in April 2022.

According to the DoJ, the Hive ransomware group has targeted over 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure, attempting to extort hundreds of millions of dollars from victims in the United States and around the world.

Disruption

US officials credited German and Dutch authorities, and Europol for helping in the case. The German police were able to infiltrate the Hive infrastructure following an investigation of the Polizeipräsidium Reutlingen, which shows the importance of victims filing a report.

As part of the disruption the FBI has helped victims to decrypt their files for months, perhaps contributing to the dip in ransomware revenue over 2022. According to the DoJ this amassed to 336 victim interventions, preventing potentially $130 million in ransom payments.

The authorities also seized the leak site, where the group posted data exfiltrated from victims that were unwilling to pay, and the victim negotiation portal. This is a major setback and will undoubtedly cause affiliates and Initial Access Brokers (IABs) to take their business elsewhere.

Not done yet

But the hunt is far from finished. The US Rewards for Justice is offering a reward up to $10 million for information that links Hive or any other malicious cyber actors targeting US critical infrastructure to a foreign government. And in a press conference about the Hive takedown, FBI Director Christopher Wray acknowledged the FBI had infiltrated other ransomware groups.

Mitigation

The Europol statement about the takedown mentions some specific tactics used by Hive affiliates, which include using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols. In other cases, Hive actors gained access by exploiting vulnerabilities. Some Hive actors also gained initial access to victim’s networks by distributing phishing emails with malicious attachments.

Which prompts us to repeat, that you should implement measures to keep out IABs, such as employee phishing training, brute force protection, and timely vulnerability and patch management. It also reminds us of the importance of protecting your RDP.  

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Annual reviews of any year’s developments in privacy rarely lend themselves to pithy wrap-ups, but 2022 was different, providing the clearest example yet for so many people—American women in particular—that their privacy was not theirs to determine, and that the often-repeated refrain that privacy doesn’t matter for those who have “nothing to hide” only holds sway until the world around those words decides: “Now you do.”

The US Supreme Court’s decision to overturn Roe v. Wade and the associated Constitutional right to choose to have an abortion redefined personal privacy, as individual states can now treat previously benign health data as possible evidence in a criminal investigation. Where perhaps millions of women previously had “nothing to hide,” now, they do.

The Supreme Court’s decision was also an event that has few modern equivalents, changing the behaviors of three, core parts of society—government, corporate, and public.

In the wake of a leaked draft of the decision, Federal legislators introduced a new, targeted data privacy bill to protect reproductive health data. Immediately following the decision, countless individuals dropped their current period-tracking apps in search for another app that would promise to better protect their data. And months after the decision, companies are still announcing changes to what types of data they will no longer store.

In looking back at 2022, it isn’t that nothing else happened in data privacy—it’s that nothing else like this has happened for a long time.

Here’s a look at what happened in privacy in 2022.

Roe v. Wade overturned

The privacy fallout from the US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization is both succinct and enormous: It changed what people want to keep private. 

By allowing a state-by-state approach to the legality of obtaining and providing abortion services, the US Supreme Court’s decision introduced a new uncertainty about what types of online activity—be it Google searches, Facebook posts, TikTok videos, or location histories revealing trips to an abortion clinic—could now be considered as potential evidence of a crime.

Would law enforcement, for example, be able to pull Google search requests on someone they suspected of seeking an abortion? Would text messages between friends be brought before an investigator? What about Instagram stories that included offers to pay for the travel and lodging of complete strangers seeking abortion from other states? And what about period-tracking app data? What if cops could see in a person’s data that, for a week or two, they were pregnant, and then soon after, they were not? 

In the absence of immediate best practices, individuals made their own choices. Period-tracking app users scrambled to find the most secure app online, and one period-tracking app maker promised to encrypt user data so that, even if law enforcement made a request for their data, the data would be unintelligible. (Those promises, one investigation found, were shaky.)

But it wasn’t just period-tracking apps that reconsidered data collection and storage policies.

In July, Google announced that it would automatically delete location histories that revealed physical trips to any sensitive locations, which Google defined as “medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, [and] cosmetic surgery clinics.” Samsung, too, recently announced that it would delete “Women’s health data” collected through Samsung Health.

To address this corporate, piecemeal approach to user privacy, Congressmembers introduced the My Body, My Data Act, which would place new, national restrictions on how companies handle reproductive health data.

Web wins (and one wayward rollout)

When the developers of the privacy-forward browser Brave released their own search engine last year, they touted that, unlike other search engines, “Brave Search” would pull from an entirely separate index of the Internet, only relying on Google’s index when it could not fill in the gaps for user searches. Upon Brave Search’s launch, this “independence score,” as the company put it, was 87 percent.

One year later, that score has reportedly increased to 92 percent for all Brave Search users, and Brave Search itself has exited out of beta. But perhaps the biggest privacy draw of all for the tool is simple: It doesn’t track users or their searches.

Privacy-minded users has another choice in web browsers last year, as well, as Mozilla claimed that a new feature in Firefox made it the “most private and secure major browser available across Windows, Mac, and Linux.”

The feature, called Total Cookie Protection, promises to create “cookie jars” for every website that users visit. This will reportedly put browsing activity into separate silos so that user activity cannot be stitched together across websites, which is often done to help build in-depth profiles of who to target with ads.

But why spend so much time on cookie restrictions when, according to Google’s own words several years ago, it, too, would retire third-party tracking in its browser, Chrome?

Probably because that major rollout was delayed yet again—this time to 2024.

A question of corporate commitment to privacy

If you can believe it, there was a time last year when the biggest thing happening to Twitter had nothing to do with its new owner, Elon Musk.

In August, the company confirmed a data breach that affected 5.4 million users, their email addresses and phone numbers now linked to their accounts in a data dump that could be found for sale on the dark web.

In May, Twitter was also hit with a $150 million fine from the US Federal Trade Commission for violating an earlier consent order that prohibited the company from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.”

But with so broad a description, what, exactly, did Twitter do?

It used phone numbers that were specifically requested for two-factor authentication—a security measure—for targeted advertising.

(At least the company did put its services on Tor last year, a great step for familiarizing users with a more private online experience.)

To learn more about privacy and Tor’s security benefits to the Internet, listen to our Lock and Code podcast interview with Alec Muffet here.

But privacy blunders—and intentional evasions—have become a guarantee in Silicon Valley, and so Twitter shouldn’t receive all the spotlight.

Facebook, possibly angered by one browser’s decision to remove tracking parameters that Facebook inserted into URLs to help track users across pages, decided to encrypt their URLs so that the browser in question could no longer determine which part of the URL would need to be removed. The company is also facing a lawsuit alleging that it has built a “secret workaround” to safeguards built into the iPhone to prevent the social media giant from tracking users.         

Finally, Google settled multi-state charges that the company had allegedly misled users as to how their locations were tracked across various services, agreeing to pay a whopping $391.5 million. A separate but similar lawsuit is still active against the company.

Legislation and legal violation

Compared to earlier years, the legislative battle for data privacy cooled off in 2022, but that doesn’t mean it was necessarily less spirited.

In June, a draft of the US Supreme Court’s opinion in Dobbs v. Jackson Women’s Health Organization was leaked, suggesting that the Court was positioned to soon overturn both Roe v. Wade and Planned Parenthood v. Casey, previous decisions that had guaranteed a Constitutional right to choose to have an abortion. 

Before the Supreme Court could issue its final decision, legislators in Washington DC moved fast, introducing the My Body, My Data Act in both the House of Representatives and the Senate. The bill sought to place new restrictions on how companies use “personal reproductive or sexual health information,” allowing for the collection, use, retainment, and disclosure of such data only if a company was delivering a service requested by a user, or if the user gave express consent. The definition of “personal reproductive or sexual health information” in the bill is broad, including any info that could reveal someone’s attempts to “research or obtain” reproductive health service, along with any reproductive or sexual health “conditions,” including pregnancy or menstruation.

The bill has not significantly moved forward since its introduction.

Separately, last year saw the introduction of the American Data and Privacy Protection Act—the latest attempt from Congressmembers to pass a Federal, comprehensive data privacy law for the United States. Like many attempts before, the American Data and Privacy Protection Act would extend the rights to access, correct, and request deletion of the personal data that companies have already collected on them—similar to the rights granted to those living in the European Union through the General Data Protection Regulation (GDPR).

With a new Congress elected, it is unclear whether the bill will progress.

Aside from legislation that has only been introduced, one full-blown law scored its first-ever enforcement action. In California, the state’s attorney general announced a settlement with the makeup company Sephora over allegations that it violated the California Consumer Privacy Act, the state’s privacy law that was first passed in 2018.

According to the Office of the Attorney General, Sephora allegedly “failed to disclose to consumers that it was selling their personal information, … failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and … it did not cure these violations within the 30-day period currently allowed by the CCPA.”

Per the settlement, Sephora agreed to pay $1.2 million.

Pushing back against stalkerware

Rounding out a turbulent year, there was some good news in the continued fight against stalkerware.

Through a months-long investigation, the technology publication TechCrunch revealed that a network of stalkerware-type apps all shared the same security vulnerability that could allow “near-unfettered remote access” to the data of hundreds of thousands of devices that are already infected with said apps. TechCrunch worked with the Carnegie Mellon University Software Engineering Institute to both report the vulnerability and contact any party that could responsibly address the vulnerability. The investigation provided likely the strongest, global “map” of who is providing cover for these types of apps, and how they seem to skirt any consequences.

But there’s more.

Following questions that TechCrunch sent to a company called 1Byte, which operates the server infrastructure behind several of the apps under investigation, two of the apps “appeared to cease working or shut down.” 

Today, TechCrunch offers a tool that allows people to see if their devices are infected with the apps that the publication previously investigated.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

To help K–12 schools and school districts in their struggle against cybercrime the Cybersecurity & Infrastructure Security Agency (CISA) has released the report, Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats.

A cybersecurity incident can significantly impact a school or district’s ability to carry out its educational mission. Late last year, CISA warned of ransomware particularly targeting the education sector, and less than two weeks ago we reported on multiple schools being hit by a ransomware attack.

This report gives insight in the particular threats the K–12 community is facing and offers actionable steps school leaders can take to strengthen their cybersecurity efforts.

1. Resource constraints

When resources are limited, it is important to make sure that the measures you choose to take are the most impactful ones. Important recommendations to that effect are:

• Working with technology providers that offer low-cost services and products that are secure by design and default.
• Urgently reducing the security burden by migrating to secure cloud environments and trusted managed services.

CISA also recommends starting with the security controls that have the highest priority, making sure you align near-term investments with pressing goals and compliance regulations. You should also have a long-term cybersecurity plan that leverages the NIST Cybersecurity Framework (CSF), a set of guidelines for mitigating organizational cybersecurity risks.

2. Security measures

Some examples of high-priority measures provided by CISA, which ring true for most organizations, are:

• Deploying multifactor authentication (MFA)
• Mitigating known exploited vulnerabilities
• Implementing and testing backups
• Regularly exercising an incident response plan
• Implementing a strong cybersecurity training program

CISA recommends that K–12 organizations adopt its Cybersecurity Performance Goals (CPGs)—a set of cybersecurity practices that, when implemented, “can meaningfully reduce the likelihood and impact of known risks and adversary techniques”.

3. Help each other

Collaboration and information sharing are both cost-effective and mutually beneficial in order to improve awareness of current threats and how to meet them. CISA provides these suggestions:

• Join relevant information and threat intelligence collaboration groups, such as the MS-ISAC and K12 SIX.
• Work with other information-sharing organizations, such as fusion centers, state school safety centers, other state and regional agencies, and associations.
• Build a strong and enduring relationship with CISA and FBI regional cybersecurity personnel.

Toolkit

CISA has also published a toolkit that aligns resources and materials to each of its three recommendations, along with guidance on how stakeholders can implement each recommendation based on their current needs.

Malwarebytes

Many K–12 organizations operate their own IT systems, known as “on premises” systems. Such systems require time to patch, to monitor, and to respond to potential security events.

Malwarebytes can help K-12 organizations by combining these tasks and taking them to the cloud.

Read also: 5 must haves for K-12 cybersecurity.

Move over Lockbit, there’s a new ransomware-as-a-service (RaaS) player in town attacking the education sector—and its name is Vice Society.

Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group. And their ideal prey? You guessed it: universities, colleges, and K-12 schools. The Federal Bureau of Investigation (FBI) has even released a joint Cybersecurity Advisory (CSA) after observing that Vice Society has disproportionately targeted the education sector. 

But with knowledge comes power. The more the education sector knows about Vice Society, the better prepared they get to defend against them. 

In this article, we’ll arm you with five facts about Vice Society so you can get the upper-hand against this persistent threat.

1. In 2022 they were far and away the biggest attackers on the education sector

If you’re a regular reader of our monthly ransomware review, you know that the education sector has gotten plenty of attention from ransomware gangs in the last year, to say the least.

It wasn’t until Vice Society, however, that we saw a gang taking their love for the sector to a whole new level. 

Like many other ransomware gangs, Vice Society is known to steal information from victims’ networks before encryption for the purposes of double extortion—threatening to publish the data on the dark web unless you pay up the ransom they demand.

A few of the institutions published on their leak site last year include De Montfort School, Cincinnati State, and one that made national headlines in September: Los Angeles Unified, the second largest school district in the US.

Around 40% of the victims shared on the Vice Society leak site are educational institutions, a large proportion compared to other gangs.

2. And they have shown no signs of slowing down in 2023

As of January 2023, Vice Society has already published the data of six schools on their leak site. That’s more than any other RaaS gang so far this year.

The Vice Society leak site

3. They leverage living off the land techniques to sneak past detection

Living off the land (LOTL) attacks are when threat actors use legitimate tools for malicious purposes, which effectively allows them to hide in plain sight as they carry out their attack.

Vice Society actors leverage one such legitimate tool, Windows Management Instrumentation (WMI), as a means of living off the land to execute malicious commands. WMI allows administrators to manage and monitor various aspects of a computer, such as hardware and software, from a remote location.

See where we’re going with this?

Vice Society and other adversaries can use WMI to gain access to a system and then execute malicious code, install malware, or steal sensitive information.

That means you won’t be able to detect them using traditional signature-based detection mechanisms—hash values, IOCs and signatures do not detect living off the land attacks. Instead, you’ll need to turn to an Endpoint Protection Platform (EPP) that uses a combination of machine learning, behavioral analysis, and sandboxing.

4. We know how they get initial access to networks

So we know what Vice Society is doing once they’re in school networks and how to detect it. But how can we stop them from entering in the first place?

Using a combination of data from Unit 42 and the Cybersecurity Advisory (CSA) posted on CISA.org, we can paint a pretty good picture of how Vice Society is getting initial access to their targets.

Vice Society is not reinventing the wheel: these threat actors are using familiar techniques such as phishing, compromised credentials, and exploits to establish a foothold in victim networks.

Three ways Vice Society is known to get initial access (with MITRE IDs)

Our advice is as old as time, but always worth reiterating:

• Address phishing with employee training, web-based protection, and DNS filtering
• Address compromised accounts by removing dormant accounts, enforcing the principle of least privilege, and having strict password policies.
• Address exploits by maintaining regular vulnerability assessment and patching, preferably using an automated tool.

5. It seems like they’re open to negotiating their initial ransoms

First things first, the FBI recommends never paying the ransom to attackers.

There’s a good argument for not paying too: doing so encourages more attacks and there’s no guarantee you’ll get your data back either way. There is no honor among thieves, after all.

But sometimes not paying is easier said than done. Paying the ransom might be the only option left for some organizations for various reasons.

A Vice Society ransom note.

We know that Vice Society isn’t the most aggressive gang when it comes to their ransom demands. The difference between their initial demands and final demands could be as large as 60% after negotiations take place.

Getting the upper-hand against RaaS gangs

Vice Society is currently the most severe RaaS threat to the education sector. Still, to say ransomware attacks on schools is a Vice Society problem purely is missing the forest for the trees.

We don’t want to say launching ransomware on K-12 schools, colleges, and universities is as easy as taking candy from a baby, but unfortunately that’s how many RaaS gangs see it. The reality is that tight budgets of many educational institutions force them to struggle with outdated equipment and limited staff, making them an easy target for cybercriminals. 

We recommend the education sector follow a few best practices to prevent (and recover) from ransomware attacks from every angle. That includes: 

• Make an emergency plan sooner, rather than later.
• Endpoint Protection that uses a layered approach with multi-vector detection and prevention techniques to stop ransomware early-on.
• Ransomware rollback options that should store changes to data files on the system in a local cache for 72 hours (no ransomware actually exceeds 24 hours), which can be used to help revert changes caused by ransomware.

In our Ransomware Emergency Kit, you’ll find more tips your educational organization needs to defend against RaaS gangs. 

Get the Ransomware Emergency Kit

Late last week, Twitter user Zuk (@ihackbanme) tweeted an issue about WhatsApp that has the potential to turn heads.

The recent WhatsApp accounts takeover is simple and genius.

This is how it works:
You’re sleeping.
A “hacker” tries to login to your account via WhatsApp.
You get a text message with a pincode that says “Do not share this”.

You don’t share it, yet you still get hacked.

How?

— Zuk (@ihackbanme) January 19, 2023

He explains that attackers can take advantage of two things: a user’s availability and how identity verification works on WhatsApp.

A user who is not available to respond to verification checks—whether they’re asleep, in-flight, or have simply set their smartphone to “do not disturb”—may be at risk of losing their WhatsApp account. All an attacker needs is their target’s phone number.

Here’s how it works. 

The attacker attempts to log in to a WhatsApp account. As part of the verification process, WhatsApp sends an SMS with a PIN to the phone number tied to the account.

The user is unavailable so doesn’t realise there is a suspicious login. The attacker then tells WhatsApp that the SMS didn’t arrive and asks for verification by phone call.

Since the account owner is still unavailable and cannot pick up the call, the call goes to the number’s voicemail. Knowing the target’s phone number, the attacker then attempts to access their voicemail by keying in the last four digits of the user’s mobile number, which is usually the default PIN code to access the user’s voicemail.

The attacker then has the WhatsApp verification code, and can use it to access the victim’s WhatsApp account. They can then set up their own 2FA (two-factor authentication) on it, leaving the actual owner locked out of their own account.

Once the account has been hijacked, the attacker could use it to hijack accounts of the user’s contacts, spread malware, or hold the account hostage until the owner pays up to get it back.

How to protect your own WhatsApp account

This isn’t a new tactic, and has been around for a while, but there are two pretty simple things you can do to avoid it happening to you.

1. Change the default PIN of your voicemail.

2. Enable two-step verification on your WhatsApp account:

• Open Settings.
• Tap Account > Two-step verification > Enable.
• Enter a six-digit PIN.
• Enter an email address, or tap Skip if you don’t want to. WhatsApp says it recommends adding an email address so you can reset two-step verification if you need to.
• Tap Next.
• Confirm the details and tap Save or Done.

Stay safe!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Yesterday I spent some time helping to fix a relative’s gaming PC. Their gaming data tied to Rockstar’s Grand Theft Auto 5 (GTAV) had somehow become corrupted and was no longer functional. I managed to repair the account and restore everything back to the way it was, but this isn’t the end of the story.

There’s a possibility that my relative has been impacted by a hack claimed to be doing the rounds in GTAV circles. It was said to allow cheaters to tamper with your account by corrupting your game data, altering your statistics, and even changing how much money you have in game. Someone doing this pretty much has free rein to do whatever they wish to helpless players.

Rockstar confirms the bug is real

The last few days have seen multiple unconfirmed reports of something very bad happening to GTAV accounts. Although initially Rockstar made no comment, this is now no longer the case. Rockstar Support has made the following brief statement:

We are aware of potential new exploits in GTA Online for PC, which we aim to resolve in an upcoming planned security-related Title Update.

For now, the only surefire way to not be caught by this is to not play the game, which isn’t optimal for a title very much dependent on multiplayer and online functionality. Rockstar says impacted players can contact customer support for assistance.

This fix may help

If you find yourself staring at a corrupted data message, don’t panic. There is a “temporary fix” available. The solution to corruption issues is to delete your Rockstar Games folder from PC Documents, and then load up the game which will refresh your profile. According to reports, this should solve things (and it appears to have worked for my relative with no complaints since I tried it).

If you don’t do this fix once impacted, reports indicate you may be stuck in a sort of limbo with no game ever loading.

One thing to note where corrupted data messages are concerned: if you’re a modder, and you see a corrupted profile message, it may not be a compromise. If you’ve recently made some mod alterations, or changed how the mods themselves work, this can sometimes trigger a message along these lines. In most cases, the solution there is to delete and reinstall the game from scratch. 

An uncertain timeline

There is no estimate for when Rockstar will be able to patch this, so if you’re on PC, you may wish to play something else for the time being. It could cause hours of aggravation for anyone snared by someone up to no good, so hopefully it’s a case of all hands on deck for the megastar game developers and we’ll see the back of this one sooner rather than later.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Looking at the privacy related stories of 2022, it’s not hard to see that much of the focus was on the social media giants. Banning TikTok is slowly becoming a trend among US states. Google and Facebook’s owner Meta was fined on several occasions for amounts that would have put other companies out of business, and Twitter fell victim to a power struggle that made victims left and right.

Social media

The problem for social media users is that there will always be voices telling them it’s their own fault. But is it really? Can you blame users for being unable to stop using apps that have algorithms which are fine-tuned to a tee to keep them hooked. Social media platforms like TikTok are designed to serve you the content you have shown an interest in. The result? According to research, the average American teenager spends 7 hours and 22 minutes on their phone every day.

For many users, social media is a way to stay in touch with people to a level that would be impossible if they have to resort to physical contact or even phonecalls. For others, social media a way of showing the fruits of their creativity. For some, it’s a way of keeping up with current events, some of which is fake news.

It’s easy to tell social media users that they are responsible for providing their personal data themselves. In a breach you can point at the company that was supposed to keep your data safe, but when it comes to social media you are expected to read hundreds of pages of legalese and understand that the platforms will share your data with third parties.

For companies, social media platforms have become invaluable tools in education, marketing and communication. Stop using them and you are giving the advantage to your competition, allowing them to take your place.

Cookies and advertising

Internet giants like Meta (Facebook, Instagram) and Alphabet (Google) depend on advertising. Advertising represented 98% of Facebook’s $86 billion revenue in 2020, and more than 80% of Alphabet’s revenue comes from Google ads, which generated $147 billion in 2020.

Now that awareness, regulation, and tools to control cookies have become mainstream, these advertising moguls have started looking at other ways to capitalize on their user numbers. Google has started experimenting with its FLoC alternative and others have looked at alternatives like TrustPID.

Harvesting data

Social networking companies harvest huge amounts of sensitive data about their users’ activities, interests, personal characteristics, political views, purchasing habits, and online behavior. Although in most cases the data is gathered solely to increase the effectivity of advertising and making it more targeted, the data could be used for far more nefarious reasons if they fall into the wrong hands.

And, let’s face it, the personal data that social media platforms collect and retain are vulnerable to hacking, scraping, and data breaches.

Spying

Scraping data by and for advertisers is not the only concern about social media. The Chinese owned TikTok app has been under a lot of scrutiny, and a few US states have officially banned TikTok from state-owned or state-leased smartphones, laptops, and other internet-enabled devices.

Federal Communications Commissioner (FCC) Brendan Carr called for TikTok to be banned in America, months after deeming it an unacceptable security risk, and calling for Apple and Google to completely remove the app from their app stores. FBI Director Christopher Wray expressed deep concerns about China’s influence on US citizens via TikTok.

Alternatives

Yes, there are alternatives for popular social media. With a change of management at Twitter, part of the infosec community migrated to Mastodon, a decentralized platform. But as the Twitter case has demonstrated, migrating to a different platform only appeals to users within certain communities and most companies are waiting to add these new platforms to their outreach potential, let alone migrate from the old and proven to the new and unknown.

Privacy policies

I fear that having easy to find and understand privacy policies might not chase away existing users, but an often-heard complaint is that the privacy policy that is presented to a new user is hard to understand, full of loopholes and exceptions, and often not much more than a long-winded waiver which can be subject to one-sided change at any given moment.

Private information

When it comes to social media, there are three main methods of leaking information.

• The information you post voluntarily. Everything from which restaurants you visited, to sharing how happy you are about soft drugs getting legalized, can come back to bite you later. More importantly, it provides people and advertisers with information about what kind of person you are.
• The information your connections share about you. For example, remember how much fun we had together when we went to this event or that location? You can’t stop their sharing, so limit the number of connections to those that will understand if you ask them not to share that kind of information without checking first.
• The information you provide to the company running the social media service. And not just your birthday, recovery email address, and phone number, but also about your online behavior, your shopping preferences, and which topics you are into.

What all this information has in common is that once it’s out there, it’s impossible to make it disappear. If you share, post, and click with that in the back of your mind, you’re a long way towards responsible use of social media.

Countermeasures

It is doubtful whether the countermeasures we have tried so far have made more than a little dent in the money-making machines that are social media companies. Legislation and fines are tackled by some of the best lawyers that money can buy. And as long as the optimized algorithms keep us hooked, users will keep going back and give up their privacy voluntarily.

All we can do is remind users of the dangers, and inform them about methods that are less harmful than giving all their data up for free. 

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A fish is in hot water (metaphorically speaking) after having performed some incredible antics on a video game live stream. The fish, known for playing popular video game titles to completion on live streams, decided to take that whole gamer lifestyle thing a little too far and went on a rip-roaring crime rampage which came to a grand total of about 4 dollars.

Shall we take look? The answer, of course, is “Yes please, immediately”.

The wacky world of alternative video game controllers

Gamers have long since made their streams more interesting than watching someone play a game. Some streamers make performance part of the act of playing the game, and use all manner of odd objects and accessories to play a title. For example, folks used ultrasonic sensors to play Trombone Champ with real and home made trombones. Someone else beat one of the toughest bosses in Elden Ring while using a Dance Pad. 

Elsewhere, people make use of sensors and have their pets “play” video games. The star of our fishy tale has already completed an earlier version of Pokemon by using a grid corresponding to button presses tracked by a camera sending commands to a circuit board.  The fish completed the game in 3,000 hours, which to be fair is still a lot less than many people spend playing a massively multiplayer title.

The fish was due to thunder into action once more with the release of the newest Pokemon game. We’ve all heard the horror stories of unattended children spending vast fortunes on credit card purchases while the parents are out of the room. On this occasion, the child is fish shaped and the vast fortune is four dollars.

It still counts though.

A fishy heist

How did our intrepid phish manage to get its fins on the four dollars in question, I hear you ask? Well, the owner hadn’t accounted for two horrible possibilities.

One: that the game would crash.

Two: that the game would crash while they were off doing something entirely unrelated to a fish playing video games.

While the owner is away, the Pokemon loving fish will play. When the game crashed, the Switch exited to desktop but the fish was still in control. Lots of random button presses eventually resulted in our fishy friend managing to perform the following incredible and hilarious actions:

• Opening up the Switch store (twice!)
• Adding four dollar’s worth of funds to the owner’s account with stored card details.
• Purchasing a new avatar.
• Downloading an N64 emulator, because if the fish wanted to play Goldeneye it wouldn’t surprise me at this point.
• Triggering a confirmation email.
• Changing the account name to ROWAWAWAWA¥. Any resemblance to the words “row away” are both entirely fitting and absolutely intentional. This fish is going to be on an FBI ‘Wanted’ poster within the next six months.

Protecting your Nintendo account from aquatic threats

Nintendo’s store allows account holders to set various purchase restrictions for young children to prevent the kind of shenanigans highlighted up above. Purchases, content renewals, and even content visibility can all be set along with restrictions based on age. Your Nintendo-centric threat model may not have accounted for “gamer fish goes rogue” up until now, but here we are.

Please do not leave your Pokemon-conquering gamer fish alone with your console, and ensure the motion sensors are switched off when performing other tasks. You may return to find yourself, and your payment details, floundering.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Popular game developer Riot Games brings word of a system compromise which may cause issues for updates to well known titles, although for the time being it seems as though customer data isn’t affected.

A social engineering development

Making the notification via Twitter late last week, we’re still waiting on the full story as an investigation takes place. For now Riot, stewards of titles such as Valorant and League of Legends, made the following statement in relation to the attack:

Earlier this week, systems in our development environment were compromised via a social engineering attack. We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained.

We may not be told the full details of what exactly took place here. Based on how these things usually tend to go, social engineering launched via an email sent directly to an employee could be a strong candidate.

Having said that, games publishers and developers make use of everything from social media to Discord for keeping in touch with players and fans. It could just as easily be that this began in a social media direct message and spiralled from there.

Slowdowns expected

Riot Games manages a number of incredibly popular online titles. This newly discovered compromise is going to cause some drag and delay in relation to keeping things updated with new content and other under the hood activities.

Unfortunately, this has temporarily affected our ability to release content. While our teams are working hard on a fix, we expect this to impact our upcoming patch cadence across multiple games.

League of Legends, for example, has a regular patching cycle and some of those patches are very large indeed, as you’d expect for an online game. The League of Legends Twitter account has already warned of potential impact. Valorant operates in much the same way. We can expect similar across all titles as resources are used up to ensure the compromise has been fully contained and addressed.

The game developer jackpot

Games companies have been major targets for compromise for years, which is only to be expected considering the huge amount of data these organisations have access to. There are so many areas for exploitation, from game platform logins to publisher-centric accounts. You can target a PC running a game with remote code execution, go phishing for two-factor authentication codes, steal an account and sell digital items from its inventory…the list is endless.

The only good thing here is the low probability of customer data having been grabbed, with the attack instead focusing on the development environment for reasons known only to the attacker. There have been many incidents where attackers poking around behind the scenes have been in an effort to upload or release rogue files via game titles themselves.

This hasn’t happened here, thankfully, and with any luck Riot Games will release additional information as the week goes by.

Update, 9:03AM (GMT-8)

Riot Games updated its Twitter followers regarding the compromise. It confirmed attackers were able to steal code for some its flagship games, League of Legends and Teamfight Tactics (TFT), and a legacy anticheat platform.

As promised, we wanted to update you on the status of last week’s cyber attack. Over the weekend, our analysis confirmed source code for League, TFT, and a legacy anticheat platform were exfiltrated by the attackers.

1/7 https://t.co/IogE05HaD1

— Riot Games (@riotgames) January 24, 2023

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.