IT NEWS

Introducing Patch Management for OneView

We’re thrilled to announce our Patch Management module for OneView, which is paired alongside our Vulnerability Assessment module to help you uncover vulnerabilities, respond to threats, and keep your customers productive and safe.

Vulnerability identification and system patching are critical to strengthening security postures, but they can become a monumental task that many organizations aren’t equipped to tackle. Despite the known risks of malware and ransomware infections, the average time to patch is 102 days and almost 75% of small and large businesses say they lack the resources to patch vulnerabilities quickly enough.

As an MSP, it is important you have tools to streamline an effective, intuitive approach to vulnerability visibility and patch management for your customers. Check out our blog post “6 reasons MSPs need a patch management platform” for more benefits of a VPM platform for MSPs.

Malwarebytes Vulnerability Assessment and Patch Management modules extend OneView functionality to provide your organization deep visibility into the security vulnerabilities in your customers’ digital ecosystems. In this post, we give you a walkthrough of how to use Patch Management for OneView; a previous post covered using Vulnerability Assessment for OneView.

Using the Patch Management module 

Click on “Patch Management”.

Here you can find more information on the updates available for your site’s endpoints and install these updates. Choose between tabs for operating system patches and third-party software application updates. Click on a particular patch to learn more.

Below you will see a list of all endpoints with this vulnerability. Select the endpoints and click “Apply patches”.

Check the status of these updates on the “Tasks” page.

Quickly uncover and respond to vulnerabilities with VPM for OneView

Vulnerability and Patch Management will scan for updates across your endpoints and hand you the keys so you can lock the doors quickly and easily. To recap, this module provides the following features:

  • Scan for vulnerabilities across installed endpoint software.
  • Patch outdated applications, operating systems, or software vulnerabilities across your endpoints.
  • View detailed information on vulnerabilities across sites and endpoints.
  • View detailed information on available software and OS patches across sites and endpoints.
  • View recommended updates to perform on detected vulnerabilities.
  • Send automatic email notifications to administrators on detected vulnerabilities, available patches, and installed patches.
  • View summarized vulnerability and patching information across endpoints from your OneView dashboard.

If you have any questions, please visit service.malwarebytes.com.

Check out our MSP’s Guide to selling security!

Exploits and TrickBot disrupt manufacturing operations

September 2021 saw a huge spike in exploit detections against the manufacturing industry, spread across California, Florida, Ohio, and Missouri. This coincided with heavy detections of previously unseen malware, identified by our AI engine, which spiked in May as well as September 2021.

May brought a flood of attacks exploiting the Dell dbutil driver vulnerability (CVE-2021-21551), with the greatest number of detections in Michigan. During this month, JBS, one of the largest meat suppliers, was attacked by the REvil group, which likely exploited this vulnerability to infiltrate the network. By June, overall detections of this threat against manufacturing firms had fallen significantly, averaging only about two dozen detections between November 2021 and June 2022.

In the first half of the year, we observed spiking detections of threats associated with tech support scams. These threats install applications on the system that create fake error messages, urging the user to call a “help center” that is, in reality, a scam operation. These spikes were in March and May 2021 and focused primarily on firms in New York and Texas. However, detections of this threat declined steadily through the rest of the analyzed timeframe.


Figure 1. United States manufacturing threat family detections by month

The notorious TrickBot Trojan was detected constantly throughout 2021, with small spikes in February and September 2021 and February 2022. Once it has infected a single endpoint, TrickBot can use additional tools and modules to compromise the entire network, often in order to deliver follow-on malware.

While our detections of TrickBot focused on attacks in New York, the fallout from the September spike saw three more manufacturer breaches, all in October. Victims of these attacks included the candy maker Ferrara, who was targeted right before Halloween, and the cookware company Meyer, whose employee data was leaked.

Schreiber Foods, a cheese manufacturer, dealt with attacks attempting to disrupt plant and distribution center operations. That attack actually caused a nationwide shortage for cream cheese!


Figure 2. United States manufacturing family threat detections pie chart

Finally, manufacturing companies in North Carolina saw heavy detections of information-stealing spyware during the first few months of 2021, declining gradually through December 2021. That trend reversed in January 2022, with new spikes in February and April 2022.

Between February and May 2022, the industry dealt with significant manufacturer breaches. For example, the video card maker NVIDIA dealt with a significant attack in February 2022; March saw the infection of the tool manufacturer Snap-On Tools by Conti ransomware; in April there was an operation against General Motors; and in May, infiltration of the agricultural company, AGCO.

Exploits were a serious issue for the manufacturing industry in 2021. In fact, the JBS attack coincides with spikes of certain exploits, and after a huge spike in exploit detections during September, we observed three attacks in a single month. One of those attacks disrupted operations and caused a nationwide supply chain issue.

However, things aren’t the same in 2022, and detections for exploits have dropped significantly. Despite that, we’ve seen at least four major manufacturing attacks occur between February and May 2022, with threats like trojans, information stealers and backdoors possibly to blame for the breaches. 

Recommendations for the manufacturing industry

With all that in mind, we recommend that businesses in the manufacturing industry build their security plan around what matters most to them: keeping operations running. We therefore strongly recommend segmenting the networks of offices, plants, and distribution centers, so that an infected endpoint in one of them does not force a factory to shut down.

Combine this with a security playbook which will inform all staff on what procedures need to be followed if a cyberattack is discovered. For example, who to call, what systems to secure, etc. In the case of manufacturing firms, it’s important to describe how to keep operations continuing, even during an active breach.

Historically, exploit protection has been very important for this industry, so utilizing anti-exploit technology to block these types of attacks on all endpoints and servers will greatly reduce the chance attackers can use this method for infiltration. 

Next, the large volume of tech support scam malware we detected may stem from users who have excessive rights on their endpoints and install unverified third-party software on corporate systems. A thorough audit of user access rights on endpoints will limit the junk they are able to install and greatly reduce the chance that junk is bundled with something nasty.

Finally, the discovery of so many TrickBot attacks against this industry means that manufacturing is clearly a top target for this group. TrickBot frequently compromises every endpoint in a network before preparing it for a ransomware attack. Ransomware attacks that disrupt operations and start bleeding the company money are more likely to be quickly resolved, so going after manufacturing firms is a great way to get paid quick. To protect against this threat, you need to use anti-malware software that uses behavior as well as signatures to identify TrickBot and quickly remove it from the system.

In addition, TrickBot has multiple methods of initial infection, including phishing attacks against employees, so educating staff on how to recognize phishing is a great idea. Going one step further, deploy a phishing button in your organization’s email client. This makes it easy for employees to submit a suspect email to the security team to be analyzed for malicious intent.

Twitter security under scrutiny after former executive turns whistleblower

A former Twitter executive has acted as a whistleblower and alleged some serious problems. Provided these accusations are true, the disclosure shows a side of Twitter that poses a threat to its own users’ personal information, to company shareholders, to national security, and to democracy.

Otherwise known as Mudge, Peiter Zatko is a network security expert, open source programmer, writer, and a hacker. His most recent position was as head of security at Twitter, reporting directly to the CEO. He was the most prominent member of the high-profile hacker think tank the L0pht, as well as the computer and culture hacking cooperative the Cult of the Dead Cow. The L0pht was one of the first viable hackerspaces in the US, and a pioneer of responsible disclosure. Zatko first came to national attention in 1998 when he took part in the first congressional hearings on cybersecurity.

Zatko was fired by Twitter in January for what the company claims was poor performance.

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance.”

Major problems

The 2020 Twitter hack was one of the main reasons for Twitter to hire Zatko, who previously held senior roles at Google, Stripe, and the US Department of Defense. When Zatko arrived at Twitter, he said he found a company with extraordinarily poor security practices, including giving thousands of the company’s employees — amounting to roughly half the company’s workforce — access to some of the platform’s critical controls. His disclosure describes his overall findings as “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”

According to Zatko, “it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did…. Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”

Infrastructure

Twitter’s flimsy server infrastructure is a separate yet equally serious vulnerability, the disclosure claims. About half of the company’s 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors. Zatko’s letter to a Twitter board member about that issue is included in the disclosure.

The disclosure also claims that Twitter lacks sufficient redundancies and procedures to restart or recover from data center crashes, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline.

FTC

In 2010, the Federal Trade Commission (FTC) filed a complaint against Twitter for its mishandling of users’ private information and the issue of too many employees having access to Twitter’s central controls. Zatko alleges that despite the company’s claims to the contrary, it has never been in compliance with what the FTC demanded over ten years ago.

Elon Musk

After recent events, whenever Twitter is mentioned, the name of Elon Musk comes up as well. Musk, who is engaged in a legal battle with Twitter over his attempt to back out of buying the company, claims that the number of bots on the platform affects the user experience and that having more bots than previously known could therefore impact the company’s long-term value.

According to Zatko’s disclosure, Twitter’s CEO Parag Agrawal tweeted false and misleading statements about Twitter’s handling of bots on the platform. In fact, he stated, deliberate ignorance was the norm amongst the executive leadership team. The reason is simple to understand: a social platform’s value is based on the number of active users, since that is the potential audience for advertising on the platform. Twitter uses a unique metric called monetizable daily active users (mDAUs) which it says counts all users that could be shown an advertisement on Twitter.

The company has repeatedly said that less than 5% of its mDAUs are fake or spam accounts. But Zatko’s disclosure argues that by reporting bots only as a percentage of mDAU, rather than as a percentage of the total number of accounts on the platform, Twitter obscures the true scale of fake and spam accounts on the service, a move Zatko alleges is deliberately misleading.

Foreign influence

According to the disclosure, Twitter is exceptionally vulnerable to foreign government exploitation in ways that undermine US national security, and the company may even have foreign spies currently on its payroll.

Last year, prior to Russia’s invasion of Ukraine, Agrawal — then Twitter’s chief technology officer — proposed to Zatko that Twitter comply with Russian demands that could result in broad-based censorship or surveillance of the platform, Zatko alleges. While Agrawal’s suggestion was ultimately discarded, it was still an alarming sign of how far Twitter was willing to go in pursuit of growth, according to Zatko.

Zatko’s report is becoming public just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia.

Motivation

By going public, Zatko says, he believes he is doing the job he was hired to do for a platform he says is critical to democracy.

“Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I’m still performing that mission.”

Zatko may be eligible for a monetary award from the US government as a result of his whistleblower activities. Original, timely and credible information that leads to a successful enforcement action by the Securities and Exchange Commission (SEC) can earn whistleblowers up to a 30% cut of agency fines related to the action if the penalties amount to more than $1 million, the SEC has said.

The prospect of a reward was not a factor in Zatko’s decision, he said, and in fact he claims he didn’t even know about the reward program when he decided to become a lawful whistleblower.

Binance chief says a “sophisticated hacking team” turned him into a deepfake hologram

Deepfakes are back, and causing major problems for people involved in financial circles. Scammers have been targeting people in the cryptocurrency community for some time now. There’s huge money to be made via the act of ripping folks off. Some of it is phishing, other attacks focus on breaking into currency exchanges. A few of these have dabbled in (very poorly done) Elon Musk deepfakes. The clips are bad, the voice an overt mashup of clipped and broken dialogue. All in all: not very convincing.

Well, scammers are back for another go.

Behold the Deepfake hologram

In this case, it’s a deepfake hologram impersonating Patrick Hillmann, Chief Communications Officer (CCO) at Binance. Hillmann says that a “sophisticated hacking team” raided the old footage archives: news interviews, TV appearances, anything they could get their hands on. The aim of the game? To use this footage to create a convincing deepfake.

The Hillmann deepfake was then used in a variety of scenarios to trick people, he said. The scam involved “potential opportunities to list their assets on Binance.com”. At least one incident involves someone ending up in a Zoom call with a “hologram”. We assume this is some sort of old hologram style marketing material repurposed for the bogus Zoom call. Or perhaps the person calling it a hologram is simply unfamiliar with this technology and just calling it a hologram because of that.

Fooling the community

While no footage of these fakes currently exists, Hillmann claims that these calls fooled “several highly intelligent crypto community members”. These individuals no doubt have some sort of familiarity with the people being used in the scam, so they must have been somewhat decently put together. Still: one person’s incredibly convincing deepfake is another person’s Playstation 2 full motion video emulator. Without seeing one of these in action, we may never know for sure.

There is also no word as to which projects were targeted by the scammers, or investment numbers/finance requests. Did anybody make off with some cash? We don’t know.

Avoiding cryptocurrency Deepfake scammers

Here are some tips from Binance in relation to avoiding scams like this one:

  • Be vigilant and always take proactive steps to ensure you don’t fall prey to scams and impersonations.

  • Use the Binance Verify tool to check whether the account officially represents Binance. Binance Verify isn’t foolproof though, and a scammer could spoof their “from” email address or hide behind the real name of a Binance employee. In both cases, Binance Verify would produce mixed results. 

  • Report any suspicious activities or accounts to Binance Support.

On a related note, you can always ask someone you suspect of being a deepfake to turn their head to one side. Your reward will be a horrifying rendering of broken facial structure from the upside-down, or the pangs of social embarrassment felt from accusing someone of being entirely digital. Given the fakery running wild out there at the moment, one would hope the person you’re talking to would understand the need for caution. The choice, as they say, is yours.

6 reasons MSPs need a patch management platform

We’ve all heard the stories: Organizations getting breached like there’s no tomorrow thanks to threat actors exploiting unpatched vulnerabilities. Likewise, we’ve also all heard the familiar refrain: Patch regularly! But for many businesses—including the Managed Service Providers (MSPs) that serve them—“patching regularly” is easier said than done.

From prioritizing what to patch to getting a common view of all the vulnerabilities across their customer environment, patching is no cakewalk for MSPs. To boot, many MSPs already face constrained staff resources and a team that is often overloaded with alert triage. 

With a patch management platform, however, MSPs can greatly simplify the patching process for their clients—and the benefits don’t end there.

In this post, we break down six reasons MSPs need a patch management platform.

Table of Contents

  1. Fills a dire need for MSP customers
  2. Generates new MSP revenue streams
  3. Gives visibility across diverse customer assets
  4. Helps MSPs become a more holistic cybersecurity provider
  5. Streamlines threat assessment and mitigation
  6. Allows you to quickly stay on top of evolving security risks

Simplify patch deployment for your customers

1. Fills a dire need for MSP customers 

According to Ponemon Institute, almost 60% of low-security maturity organizations (i.e most MSP customers) suffered a data breach because “a patch was available for a known vulnerability but not applied”. 

So, why aren’t SMBs applying patches? Simply put, because their vulnerability and patch management (VPM) activities are either only partially deployed (40%) or not even “planned or deployed at all” (24%), according to the same Ponemon study.

This is where MSPs can step in. By taking the reins of their customers’ VPM activities with a VPM platform, MSPs are filling a dire need for organizations who lack the budget and staff to do patch management themselves.

2. Generates new MSP revenue streams

According to Market Data Forecast: “The global patch management market size is forecasted to grow to USD 1.084 billion by 2027 from USD 652 million in 2022, growing at a CAGR of 10.7% between 2022 to 2027.”

Needless to say, as the threat of unpatched vulnerabilities continues to increase, and as organizations with limited budgets and IT staff continue to struggle with patching, MSPs are in great shape to capitalize on the growing market size of patch management platforms.

“Adding a VPM platform to your MSP’s existing menu of security services will allow you to generate new/additional Monthly Recurring Revenue (MRR),” says Josh Pederson, MSP expert and Senior Director of Global Product Marketing at Malwarebytes. 

What’s also important to highlight here is not just how MSPs can grow revenue directly from VPM, but indirectly as well. Nadia Karatoreos, Senior MSP Growth Strategist at Malwarebytes, explains: “Having a simplified and automated patch management process allows the MSP to focus their attention on other revenue generating activities.”


3. Gives visibility across diverse customer assets

Most MSPs (69%) have up to 100 different clients, according to Datto’s Global State of the MSP Report. Dozens of different clients, each using different flavors of OSes, servers, and applications—and each one of those with their own unique vulnerabilities. 

Without a VPM platform, patching all of these assets would be a nightmare for MSPs.

“The more OS and application combinations at a customer site, the more individual patches need to be maintained,” says Pederson. “Most customers do not have a homogenous set of endpoints (only Mac, etc), so MSPs are forced to stay on top of multiple versions of the same software (Slack for OSX and Slack for Windows–double the challenge).”

A patch management platform can bring all the vulnerabilities and patch updates across your network under one view. For example, the Malwarebytes OneView VPM console shows detailed information on available software and OS patches across sites and endpoints.

4. Helps MSPs become a more holistic cybersecurity provider

MSPs are heroes to the companies they serve. Providing IT services and support is not an easy job, and to do it well, requires a technology stack that is scalable, reliable, and above all, comprehensive.

SMBs who outsource their cybersecurity are looking for providers who cover all their bases. In fact, 91% of SMBs would consider switching IT service providers if they found a new one that offered the “right” cybersecurity services. And while the “right” services will vary from SMB to SMB, some form of endpoint protection, EDR, and VPM services are high up on the list for every security-minded business.

“Enhancing their ability to prevent infections is an urgent need of MSPs,” says Pederson. “Patch management is a preventative measure that helps the MSP reduce customer risk of malware infection. Many AV and EDR options do not provide this as a layer of protection, so clients are looking for it.”

In addition, adding VPM services to their portfolio not only helps MSPs better serve their clients, but it also helps them stay competitive in a notoriously competitive MSP landscape.

“MSPs can outcompete other MSPs when they provide a more comprehensive security service. A patch management platform provides that to them,” says Pederson. 

5. Streamlines threat assessment and mitigation

“Threat assessment involves identifying threats, determining the seriousness of each threat, and prioritizing how to manage threat actors,” says Nosa Obasohan, Senior Director, Cloud Product Platform at Malwarebytes.

The most common way of measuring security vulnerabilities is with the Common Vulnerability Scoring System (CVSS), which provides IT professionals a standardized process for assessing vulnerabilities. Without a VPM platform, you can expect to experience a higher level of effort trying to assign priority to your patching schedule manually.

“IT teams’ patch management challenges start with incomplete asset inventory, not being able to prioritize vulnerabilities, and determining how to patch up those systems in a timely manner. A VPM platform can address all these concerns,” says Obasohan.

6. Allows you to quickly stay on top of evolving security risks

By now, we should understand that one of the best pieces of insurance against infection is not just patching, but timely patching. Automated patching–a feature of most VPM platforms–vastly improves your ability to patch in a timely manner.

“Many data breaches and ransomware attacks are the result of known vulnerabilities that have not been addressed,” says Rumna Mishra, VP of Product Management at Malwarebytes. “VPM helps organizations minimize their attack surface, identify & patch vulnerabilities in a timely manner.”

Organizations who don’t automate their patching have a much more difficult time patching things quickly–80% of organizations that use automation say they have the ability to respond to vulnerabilities in a shorter time frame. A patch management platform that automates patching gives MSPs the tool they need to quickly prevent security risks for their customers.

Simplify patch deployment for your customers 

The benefits of a patch management platform for MSPs are manyfold. 

On the business side, a VPM platform not only helps MSPs generate revenue and stay competitive, but it also fills a dire need for MSP customers. On the practical side, a VPM platform gives MSPs easy visibility into all of their customers’ assets, and, through automation, streamlines CVSS scoring and timely patching.

Want to continue learning how to maximize the profitability of your MSP business? Give a listen to our newly launched MSP podcast, “MSP Smartbytes”!

With Malwarebytes Vulnerability and Patch Management for OneView, MSPs can easily search for vulnerabilities across their customer ecosystem and patch them quickly.

How to secure a Mac for your kids

If you want to know how to secure your Mac so your kids can use it safely, I can help.

In 2018 I decided to give my kids an old Apple laptop to share, and I documented the steps I took to secure it. They were still a few years short of their tenth birthdays, and it was their first computer, so I looked into every child safety feature in macOS and dialled everything up to eleven.

It’s now four years later—my kids have changed, the laptop has died and been replaced by another Mac, and we have been through the acid test of several periods of computer-based home schooling, thanks to the pandemic.

As a result I’ve learned a few things about how Apple’s parental controls worked out in practice. In this article I’ll tell you how you can secure your Mac for your kids, and what I found useful about Apple’s safety features.

Basic security

Securing a computer for a child is not the same as securing a computer for an adult, although there are significant overlaps and similarities. Malware and malicious websites don’t care if it’s an adult or a child at the screen, so every Mac needs the same basic security precautions in place, no matter who’s using it:

  • Apply macOS security updates promptly. All the software on the computer needs to be maintained by installing the latest security updates when they become available. To ensure your Mac is installing macOS updates automatically, choose Apple menu > System Preferences, then click Software Update, and tick Automatically keep my Mac up to date. You can automatically download and install app updates from the App Store by opening App Store and going to App Store > Preferences and selecting Automatic Updates.
  • Use security software. Macs don’t see as much malware as Windows, but it is out there, and you don’t want it on your computer. We strongly recommend that you install a third-party security solution like Malwarebytes Premium for Mac.
  • Start backing up. The only backup people ever regret is the one they didn’t make. They are your last line of defense against system-altering malware, bad software updates, hardware failure and theft, and simple mistakes. Read Apple’s introduction to Time Machine and get yours working now, before you need it.
  • Install a password manager. A password manager is software for creating and remembering strong passwords. Good ones also provide a safe way for users to share passwords with other people. Proper password handling is something lots of adults struggle with, so get your kids doing the right thing from day one!

Security for kids

In addition to the threats adults face, kids also have to struggle with growing up online. They may have to deal with peer bullying, predatory adults, and harmful content. They may struggle to turn off their devices willingly, and while they may not be as interested as you in invoices from UPS or riches from Nigerian princes, they are naïve and vulnerable to other scams.

For that reason there are a lot of specialist tools for protecting children. On a Mac, they are called Screen Time. But before we look at Screen Time, I want to tell you what I think the most important thing you can do for your kids is, whatever computer they use:

Set up separate accounts

The first thing I did on my kids’ laptop was give each child their own separate user account. They each had their own virtual space to arrange as they liked, and it meant I could use different parental control setups for each child if necessary. Most importantly to me, it meant each child would have their own password.

It is much harder to learn good habits if you’ve already been taught bad ones, so I wanted my children to start out expecting they would always have their own account, and that they’d have a password that nobody else knew.

You will need at least two accounts: An admin account for yourself, and a separate account for each child.

Log on to your Mac using your admin account and go to System Preferences > Users & Groups. On the left side is a list of users. Under your name it should say Admin.

Create an account for each child by clicking the padlock, entering your password, and then clicking on the + button, choosing a Standard account, and filling in the child’s details. When it’s time to enter the password, have the child do it and make a point of looking away.
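As an added example that is not part of the original article, the following shell script performs the account-creation step above from the command line and then checks the automatic-update settings from the Basic security list. It uses the macOS tools sysadminctl, dscl, dseditgroup and defaults; the child user names, the script filename and the RUN_SETUP switch are assumptions for illustration. Passing the password as `-` makes sysadminctl prompt for it, so it never lands in your shell history and the child can type it while you look away. The group-membership and preference checks are plain string functions, so they can be exercised on any system.

```shell
#!/bin/sh
# Added example (not from the original article). Creates a Standard (non-admin)
# macOS account per child with sysadminctl, verifies via dscl that the new user
# is not in the admin group, and checks that automatic macOS and App Store
# updates are switched on. Run on a Mac from an admin account:
#   RUN_SETUP=1 sh secure_mac_for_kids.sh alice "Alice" bob "Bob"
# User names, filename and the RUN_SETUP switch are assumptions.

# Returns 0 if USER is listed in a "GroupMembership: ..." line such as the one
# printed by `dscl . -read /Groups/admin GroupMembership`.
admin_membership_contains() {
  membership_line=$1
  user=$2
  for member in ${membership_line#GroupMembership:}; do   # word-split on purpose
    [ "$member" = "$user" ] && return 0
  done
  return 1
}

# Returns 0 only when every preference value passed in is 1 (and at least one
# value was passed). Values come from `defaults read`, which prints 1 or 0.
auto_updates_enabled() {
  [ "$#" -gt 0 ] || return 1
  for value in "$@"; do
    [ "$value" = 1 ] || return 1
  done
  return 0
}

create_child_account() {
  user=$1
  full_name=$2
  # Without -admin, sysadminctl creates a Standard user. "-password -" prompts
  # for the password instead of taking it on the command line.
  sudo sysadminctl -addUser "$user" -fullName "$full_name" -password - || return 1
  membership=$(dscl . -read /Groups/admin GroupMembership)
  if admin_membership_contains "$membership" "$user"; then
    echo "ERROR: $user is in the admin group; remove with:" >&2
    echo "  sudo dseditgroup -o edit -d $user -t user admin" >&2
    return 1
  fi
  echo "created Standard account: $user"
}

check_auto_updates() {
  prefs=/Library/Preferences/com.apple.SoftwareUpdate
  check=$(defaults read "$prefs" AutomaticCheckEnabled 2>/dev/null || echo 0)
  download=$(defaults read "$prefs" AutomaticDownload 2>/dev/null || echo 0)
  install=$(defaults read "$prefs" AutomaticallyInstallMacOSUpdates 2>/dev/null || echo 0)
  appstore=$(defaults read /Library/Preferences/com.apple.commerce AutoUpdate 2>/dev/null || echo 0)
  if auto_updates_enabled "$check" "$download" "$install" "$appstore"; then
    echo "automatic macOS and App Store updates are on"
  else
    echo "WARNING: automatic updates not fully enabled" >&2
    echo "  check=$check download=$download install=$install appstore=$appstore" >&2
    echo "  enable them in System Preferences > Software Update and App Store > Preferences" >&2
    return 1
  fi
}

main() {
  while [ "$#" -ge 2 ]; do
    create_child_account "$1" "$2" || exit 1
    shift 2
  done
  check_auto_updates
}

if [ "${RUN_SETUP:-0}" = 1 ]; then
  main "$@"
fi
```

The membership check is the part worth keeping even if you create accounts through System Preferences: a user who is not in the admin group cannot change Screen Time settings, install system-wide software or disable the protections you set up, which is the whole point of a Standard account.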

My perspective

Ensuring that both kids had their own account was the best decision I’ve made about securing the Mac. I was concerned that they might find it a drag to log out when they’d finished, or to log the other child out and enter their own password. In fact, they embraced having their own digital space, with their own avatar and wallpaper, and their own mess. Without realising, they have established an important expectation about their digital privacy and security. I hope that when they are older they’ll find it odd if somebody wants to share their account, or expects them to share theirs.

Using separate accounts also allowed me to teach the kids about the importance of keeping passwords secret from the very start. It is very hard to teach a young child how to make a strong password, but it is easy to teach them that a password is a secret.

We made a game out of picking a password that nobody else was allowed to know, not even me. Over the days and weeks that followed I’d ask “what’s your password” and they delighted in refusing to tell me.

Screen Time (Parental controls)

Apple provides parents with controls for restricting what children can and can’t do on their devices.

The functionality was once clearly signposted under the name Parental Controls but is now available through the far-less-obviously named Screen Time, which you’ll find in System Preferences > Screen Time.

The change from Parental Controls to Screen Time is a shift from a paradigm that imagines adults placing limits on their children, to a paradigm that imagines users placing computer-enforced guardrails around themselves and others. Personally, I find it hard to view this as a step forward, but it acknowledges the reality that it isn’t just kids that can get carried away with screen time.

Screen Time controls can be extended to children via Apple’s Family Sharing, accessible via Preferences > Family Sharing, and across multiple devices, using iCloud, which brings needed parity with Microsoft’s multi-device view of parental control.

Exhaustive and up-to-date details about how to set up Screen Time are available on Apple’s Use Screen Time on your Mac support page so I will not repeat them here. Suffice to say, the major features offered by Screen Time are:

  • Monitor how much time your child spends on certain apps and websites
  • Schedule downtime, so that certain apps aren’t available at certain times
  • Limit how much time your child can spend on certain apps
  • Restrict what type of content they can see in apps or websites
  • Set limits on who they can communicate with
  • Disallow access to features that might impact privacy, such as the camera

Similar, but less granular, features were available via Parental Controls four years ago when I set up my kids’ laptop, and I used all of them.

Their accounts would only work at times they were supposed to be awake, and for a maximum of one hour per day.

They were restricted to using a short list of pre-approved websites and apps, and a very short list of people they were allowed to exchange emails with. Whenever there was an option to turn on a content filter, such as restricting access to adult websites or blocking explicit language in music, I turned it on and dialled it up.

My perspective

Within a year of setting up the parental controls I removed them all, for two reasons.

Some of the controls simply proved unnecessary. For example, the children already had an established routine around when they could use screens, so it turned out there was simply no need for automatic enforcement of it. And while automatic enforcement didn’t make the kids any safer, it did give us an unwelcome hurdle to clear if we wanted to be flexible and give the children an extra 15 minutes of time.

The other controls I simply found too restrictive. Operating an allow list of websites seems like a great idea until you find yourself adding endless exceptions. Similarly, operating an allow list of apps seems like a great idea until you discover that some apps have dependencies on other apps that aren’t immediately clear. Knowing exactly what you have to add to the allow list in order for something to work was often not as clear as it needed to be.

The straw that finally broke the camel’s back on parental controls for me was school homework tasks.

It is important to understand that I felt I didn’t need the parental controls because we had already created a set of guardrails for our kids and how they use screens. Software restrictions can be useful, but they can only ever be a tool that helps with parenting and not a substitute.

For the next three years I found one other thing helped a great deal.

Because the children didn’t have access to a credit card, and didn’t have the access rights they needed to install software, they had to ask if they wanted to install something or buy something. That provided a bottleneck to prevent a lot of problems. For example, one of my children wanted to buy a game and came to me very excited about it, knowing they could afford it. The child hadn’t realised that the game was a pre-release that asked customers to part with their money and then wait (and hope) for the game to be released. As disappointed as they were, it was a great opportunity to talk about how some things aren’t what they seem.  

All of which is to say Parental Controls didn’t work for us, and our children, in our situation, at a particular age. I would encourage any concerned parent to play with the controls, try them for a reasonable period, and see what works for you. It is unlikely you will hit the bullseye with the first try.

And me? I will be taking another look at Screen Time this summer because one of my children is now racing towards teenage, and is about to get their first phone. This is the biggest change in their access to computing since I gave them the laptop and I will be thinking hard about appropriate rules and guidance, and then looking to see if software can help me.

Reset your password now! Plex suffers data breach

In an email sent to its users, Plex has revealed that a cybercriminal accessed some customer data, including emails and encrypted passwords.

From the email that was sent out by the Plex security team:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

What to do

Plex advised all customers to reset their passwords immediately. While doing that, it asked customers to make sure the checkbox “Sign out connected devices after password change” is ticked. This will sign out all of your devices and require you to sign back in with your new password.

It’s also worth making sure you have two-factor authentication set up on your account to add an extra layer of security.

Problems

Some users experienced problems following the instructions provided by Plex. Here’s this from Troy Hunt of “Have I Been Pwned?”:

(Embedded tweet from Troy Hunt)

Apparently it helps to uncheck the recommended “Sign out connected devices after password change” option and the password change will work.

Additional actions

If you have reused your Plex login credentials elsewhere, you will want to change the passwords on those sites and services as well, since there is a chance that they will end up in a database for sale on the Dark Web.

If you are having trouble keeping track of all the different passwords, we advise using a password manager.

Also be wary of phishing mails that may or may not be targeted at Plex users. Exfiltrated email addresses like these have a tendency to surface in phishing campaigns.

ChromeOS vulnerability found by Microsoft

Microsoft recently released a report about a ChromeOS remote memory corruption vulnerability. The issue has already been fixed. In fact, it was reported to Google in April. The fix was applied shortly after, and released on June 15. The resulting deep-dive from Microsoft is a fascinating look at how one technology giant addresses another’s bugs and issues.

A critical issue

The problem, known as CVE-2022-2587 on the Common Vulnerabilities and Exposures (CVE) list, caused big headaches for Chrome. It also racked up a Common Vulnerability Score (CVSS) of 9.8, which results in it being tagged as “Critical”. As per the description:

Out of bounds write in Chrome OS Audio Server in Google Chrome on Chrome OS prior to 102.0.5005.125 allowed a remote attacker to potentially exploit heap corruption via crafted audio metadata.

This is a memory corruption vulnerability in a ChromeOS component. As per the Microsoft report, it can be triggered remotely. Attack options are varied, ranging from denial of service attacks to remote code execution. Manipulating audio metadata and baiting potential victims with songs played in browsers or paired Bluetooth devices could be enough to set the ball rolling.

How was this possible? Let’s take a look.

The realm of common ChromeOS problems

Microsoft points out that ChromeOS vulnerabilities typically land in one of three categories:

  1. ChromeOS specific logic vulnerabilities.

  2. ChromeOS specific memory corruption vulnerabilities.

  3. Broad threats like browser vulnerabilities.

This one falls under category number 2. The problem stems from the use of a D-Bus service called org.chromium.cras, which is related to audio and gives users a way to channel audio to new devices. These devices might take the form of headsets, speakers, anything as long as it’s audio-centric.

The strange world of Strcpy

While looking at the ways audio could be routed to new peripherals, Microsoft observed a handling function called SetPlayerIdentity. Where this goes wrong is that one of the functions involved makes a call to strcpy, a function that has been known for many years to be potentially dangerous and best avoided where possible.

Strcpy has no idea how big the destination buffer is, so a programming accident can result in the buffer being overrun. That could lead to an otherwise innocent crash, or to actual exploitation by people with bad intentions.

In this case, it resulted in a vulnerability triggered by a single command-line argument containing more than 128 bytes. That’s bad, but triggering it that way requires developer mode. Since the majority of Chrome users will never touch that mode, Microsoft’s researchers needed a way to make it happen without it.
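To show the shape of the problem described above, here is an added C example that is not from Microsoft’s report or from ChromeOS/CRAS itself. It assumes a hypothetical `player_state` record with a fixed 128-byte identity buffer (the 128-byte figure comes from the article; the record, the field names and both setter functions are assumptions). The unsafe setter is the strcpy pattern; the checked setter measures the input against the buffer before copying and refuses anything that would not fit along with its terminating NUL, so the field next to the buffer is never clobbered.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size: the article says inputs over 128 bytes trigger the
 * bug, so a 128-byte fixed array is the shape illustrated (not CRAS's code). */
#define IDENTITY_MAX 128

/* Hypothetical player record. `volume` sits right after the identity buffer,
 * so an overrun of `identity` silently rewrites it. */
struct player_state {
    char identity[IDENTITY_MAX];
    int  volume;
};

/* Unsafe pattern: strcpy copies until it finds a NUL in `src` and has no idea
 * that `identity` holds only IDENTITY_MAX bytes. Shown for contrast only; it
 * is never called with untrusted input in this example. */
void set_identity_unsafe(struct player_state *p, const char *src)
{
    strcpy(p->identity, src);
}

/* Length of `s`, scanning at most `max` bytes (a portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Hardened version: measure the input against the buffer first and refuse
 * anything that would not fit together with its terminating NUL. */
bool set_identity_checked(struct player_state *p, const char *src)
{
    if (src == NULL)
        return false;
    size_t len = bounded_len(src, IDENTITY_MAX); /* never scans past the limit */
    if (len >= IDENTITY_MAX)
        return false;                            /* 128+ bytes: reject, don't copy */
    memcpy(p->identity, src, len + 1);           /* len+1 includes the NUL */
    return true;
}

/* Builds a constructed identity of `n` bytes ('A' repeated) and reports whether
 * the checked setter accepts it while leaving the neighbouring field intact. */
bool accepts_identity_of_length(size_t n)
{
    char *input = malloc(n + 1);
    if (input == NULL)
        return false;
    memset(input, 'A', n);
    input[n] = '\0';

    struct player_state p = { .identity = "", .volume = 42 };
    bool ok = set_identity_checked(&p, input);
    free(input);

    /* A correct bounded copy never touches `volume`, accepted or not. */
    return ok && p.volume == 42;
}

int main(void)
{
    size_t sizes[] = { 10, 127, 128, 300 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%3zu-byte identity: %s\n", sizes[i],
               accepts_identity_of_length(sizes[i]) ? "accepted" : "rejected");
    return 0;
}
```

The design choice worth noting is that the checked setter rejects oversized input rather than silently truncating it: truncation keeps memory safe but can produce a different identity than the caller intended, whereas an explicit failure lets the caller log and handle the bad input.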

Remotely exploiting your way to a fix

Going back to the SetPlayerIdentity handling function, researchers made their breakthrough. Changes to audio metadata could trigger the vulnerability in just the way they were looking for:

  • From the browser: The browser’s media component invokes the function when metadata is changed, such as when playing a new song in the browser.

  • From Bluetooth: The media session service in the operating system invokes the function when a song’s metadata changes, which can happen when playing a new song from a paired Bluetooth device.

It took Google less than a week to have code ready and made available to users. As a result, ChromeOS users have been happily connecting new audio devices for some time now without having a sound-related mishap of the exploitation kind.

Thousands of Hikvision video cameras remain unpatched and vulnerable to takeover

In September 2021 we told you about insecure Hikvision security cameras that were ready to be taken over remotely.

However, according to a whitepaper published by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update, and are therefore vulnerable to exploitation.

The vulnerability

According to the researcher that reported it last year, the vulnerability has existed at least since 2016. All an attacker needs is access to the http(s) server port (typically 80/443). No username or password is needed, nor are any actions needed from the camera owner, and the attack is not detectable by any logging on the camera itself. A cybercriminal could exploit the vulnerability to launch a command injection attack by sending some messages with specially crafted commands.

The patch

The flaw is tracked as CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021. The critical bug received a 9.8 out of 10 on the CVSS scale of severity, which is clearly justified by the fact that it allows an attacker to gain even more access than the owner of the device has, since the owner is restricted to a limited protected shell (psh) that filters input down to a predefined set of limited, mostly informational commands.

The abuse

One possible exploit of this vulnerability was published by Packet Storm in October 2021.

In December 2021, BleepingComputer reported that a Mirai-based botnet called Moobot was spreading aggressively via exploiting this vulnerability in the webserver of many Hikvision products.

A Metasploit module based on the vulnerability was published by Packet Storm in February 2022.

The Cybersecurity & Infrastructure Security Agency (CISA) added the vulnerability to its list of known exploited vulnerabilities that should be patched by January 24, 2022.

Unpatched

Given the amount of available information, it is trivial even for a “copy and paste criminal” to make use of the unpatched cameras.

Of an analyzed sample of 285,000 internet-facing Hikvision web servers, CYFIRMA found roughly 80,000 of them were still vulnerable to exploitation. Most of these are located in China and the United States, while Vietnam, the UK, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania all count above 2,000 vulnerable cameras.

Mitigation

If you are in doubt whether you are using a vulnerable product, there is a list of the vulnerable firmware versions in the researchers’ post. Hikvision says you should download the latest firmware for your device from the global firmware portal.

In general it is not a good idea to make your cameras accessible from the internet and if you do, put them behind a VPN.

Google flags man as sex abuser after he sends photos of child to doctor

Mark noticed something was wrong with his son. His penis was hurting and appeared to be swollen. Since it was a Saturday during the pandemic, an emergency consultation was scheduled by video. So the doctor could assess the problem ahead of time, the parents were advised to send photos of their toddler’s groin area before the appointment. In one of these pictures Mark’s hand was visible, helping to better display the swelling.

Luckily for his son, the doctor diagnosed the issue and prescribed antibiotics. But the episode left Mark with a much larger problem, one which made him the target of a police investigation, according to a recent article in the New York Times. The subsequent investigation ruled that this was not a case of child sexual abuse.

Two days after Mark sent the photos, he got a notification saying his account had been disabled because of “harmful content” that was “a severe violation of Google’s policies and might be illegal.” One of the list of possible reasons was “child sexual abuse & exploitation.”

Mark realised it must be connected to the photos. 

False positive

In computing, a false positive is a file that gets marked as malicious when it actually isn’t, and Mark’s photos were a false positive. But sadly there are a lot of images that aren’t false positives.

Although estimates vary across studies, research shows that about one in four girls and one in thirteen boys in the United States experience child sexual abuse.

In the second half of 2021, Google alone filed over 287,368 reports of child abuse material and disabled the accounts of over 140,000 users as a result. The US National Center for Missing and Exploited Children (NCMEC) which is the clearinghouse for abuse material, received 29.3 million reports last year, an increase of 35% from 2020. In 2021, The NCMEC’s CyberTipline reported that it had alerted authorities to over 4,260 potential new child victims.

From numbers provided by Facebook and LinkedIn we can see that over half of the accounts that were reported to the authorities were dismissed after manual review.

The consequences

We have heard from cybersecurity evangelist Carey Parker how hard it is to de-Google your life. Imagine being forced into that position without fair warning.

When Mark’s photos were flagged as abuse, he lost access to all his Google accounts, including his Android phone. Even after being exonerated by the police his access was not restored.

“Not only did he lose emails, contact information for friends and former colleagues, and documentation of his son’s first years of life, his Google Fi account shut down, meaning he had to get a new phone number with another carrier. Without access to his old phone number and email address, he couldn’t get the security codes he needed to sign in to other internet accounts, locking him out of much of his digital life.”

Inevitable

When you look at the numbers, it is clear that automation is needed to review the huge number of reports. Not to mention the mental health issues a human moderator may encounter. But can we trust Artificial Intelligence (AI) to decide in cases where the consequences can be so dire? How can we make a choice between ruining someone’s life just because an algorithm coughed up their name, and missing a case of child abuse?

Whichever way we decide to go, we should not leave this in the hands of machines alone. To extend the comparison to malware false positives: If our AI detects a false positive and we find out, we hurry to remove the false detection and help correct any errors that ensued from it. That is what our customers expect from us and they are right to do so.

Oblivious

Both governments and tech giants are unwilling to share details about the inner workings of the system, for understandable reasons. But should we not have at least some insight? At least enough to not become the next false positive.

Without knowing how these scanning algorithms work, we have no way of knowing how to avoid becoming a false positive. I’ve sometimes wondered, because of my profession and my interests in coding and malware, how many alarms I have triggered, and whether at some point someone is going to knock on my door and ask what’s up with that.

The end verdict

While the discussion about the algorithms and their consequences is a valid one, maybe we shouldn’t even be having it. What gives any government or tech giant the right to go through our personal files? In an article written in response to the New York Times article, the Electronic Frontier Foundation (EFF) concludes that the real solution lies in “real privacy”.

“The answer to a better internet isn’t racing to come up with the best scanning software. There’s no way to protect human rights while having AI scan peoples’ messages to locate wrongdoers.”

The problem is real, but giving up our privacy may not be the answer.