IT NEWS

One of the biggest wrestling stars around, Mick Foley, had his Twitter account hijacked in an attempt to legitimize a very popular scam. When a well known individual has their social media accounts compromised, disaster looms, as everything from phishing to malware distribution waits in the wings for potential victims.

But this time, we traded messages with the scammer to see what was up.

The fake Mick Foley PS5 giveaway extravaganza

At some point in the last 24 hours, Mick Foley lost control of his Twitter account. It’s now playing host to multiple Tweets offering up PS5 giveaways. Well, I say “giveaway.” There is a catch, of the financially shaped variety.

Mick’s Twitter account is selling these PS5 consoles “for retail price,” with the proceeds going directly to charity. Note that there is no word of which charity will be receiving the money. I’ve never known a celebrity wrestler to get involved in charity work of some kind and not explain at length who is benefitting.

Some of the other tweets throw in the promise of “free tickets” to his next show as an incentive to paying up. Every tweet related to these PS5s has the replies turned off, which means people can’t easily question the legitimacy of this offer.

At the very least, you’d think Mick would take some photos of the supposed PS5s sitting in front of him. Did Mick take this picture in one of the many tweets promoting the PS5 sale, for example?

Hold that thought, because here is the same photo being used on a totally unrelated seller listing. An unexpected PS5 sale, replies turned off, and stolen images used for the consoles in question? This isn’t a few red flags, it’s a parade.

Asking the important questions

The person running Mick Foley’s account asked would-be buyers to contact him via direct message. I always wanted to hang out with a WWE wrestler, so off I went to see how this scam plays out. I asked how to obtain the PS5, and whoever is running the account seemed oddly reticent to explain where to send my money.

Eventually I was told to organise a Zelle payment for $540 USD through Mick’s definitely-real-and-not-at-all-fictional assistant. Considering Foley has 2 million followers on social media, this has the potential for an awful lot of stolen payments. Scammers targeting verified accounts is a popular tactic, and helps to give their fraudulent activities a sheen of legitimacy.

Lock it down

You may not have the social media reach of a WWE superstar, but you can still do your bit for a safer social experience. Here’s what Twitter recommends to keep things secure where your social experience is concerned:

• Use a strong password that you don’t reuse on other websites.
• Use two-factor authentication.
• Require email and phone number to request a reset password link or code.
• Be cautious of suspicious links and always make sure you’re on twitter.com before you enter your login information.
• Never give your username and password out to third parties, especially those promising to get you followers, make you money, or verify you.
• Make sure your computer software, including your browser, is up-to-date with the most recent upgrades and anti-virus software.
• Check to see if your account has been compromised.

The post Wrestling star Mick Foley’s Twitter compromised, selling PS5 consoles appeared first on Malwarebytes Labs.

Security researcher Derek Abdine has published an advisory about vulnerabilities that exist in the MIT-licensed muhttpd web server. This web server is present in Arris firmware which can be found in several router models.

muhttpd web server

muhttpd (mu HTTP deamon) is a simple but complete web server written in portable ANSI C. It has three major goals: Be simple, be portable, and be secure. Simplicity was the main goal for muhttpd, but because of its simplicity and broad use, it also must prioritize security.

ISP customer premise equipment (CPE) often uses this web server, and ISP subscribers will typically get these routers in loan for telephony and Internet access.

Path traversal

A path traversal attack aims to access files and directories stored outside the web root folder. These attacks are sometimes referred to as dot-dot-slash attacks since they manipulate variables that reference files with “dot-dot-slash (../)” sequences and variations of them to access arbitrary files and directories.

The muhttpd server 1.1.5 (last official release 2010) has a path traversal vulnerability. The latest release of muhttpd is version 1.1.7 (released June 1, 2022). Unfortunately the Arris firmware is based on the vulnerable version of muhttpd.

Vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Derek Abdine found several vulnerabilities, one of which is:

CVE-2022-31793: Path traversal from the filesystem root. Simply prepending a single character that is not a dot (“.”), forward slash (“/”) or question mark (“?”) before the requested path is sufficient to obtain any regular file on the device. This vulnerability allows an unauthenticated remote attacker (in cases where remote administration is enabled) or any local (LAN) party to obtain:

• The contents of the md5crypt (salted/hashed) passwords in /etc/passwd.
• The SSID and plaintext password of the 2G and 5G Wi-Fi networks broadcast by the device.
• The usernames and (sometimes encrypted) passwords of all administration accounts on the system.
• Configuration information including the TR-069 protocol in use by an internet service provider (ISP).
• Session Initiation Protocol (SIP) usernames (phone numbers) and passwords, including SIP endpoint URLs.
• Port forwarding configuration information.
• Other sensitive network information, such as established TCP connections.
• Various system and firewall logs.
• A complete list of the LAN IP address, hostname, MAC, uptime, and device characteristics such as the operating system and known applications of every device on the LAN.
• The router serial number.
• The certificate and private key for the web management portal.
• Router process information.

Other vulnerabilities

The researcher found two more vulnerabilities which are not so easy to exploit:

NULL pointer dereference: The muhttpd server receives HTTP requests on a non-blocking socket. Socket connections are accepted and fed to a forked process to execute. When data is received, the server reads in a loop until a sequence of two carriage return/newline characters are received. Processing is then handed off to another method which attempts to parse the request method. Injecting a NULL byte into the request steam will cause the request process (forked from the server process) to segfault. A segmentation fault (aka segfault) is a common condition that causes programs to crash.

Buffer over-read when defanging URLs: The muhttpd server contains a buffer over-read when dealing with percent-encoded values. When encountering a percent “%” in the URL, the server attempts to decode the next two characters without checking the bounds. As a result, if the URL consists of “%” with no following characters, the decode_url function will read past the URL data and into the parts of the request buffer containing the HTTP protocol version string. While not practically exploitable, safeguards should be made to prevent accessing unintended address space.

Affected devices

The affected muhttpd server is used in fiber and DSL-based Arris router products (NVG), as well as whitelabel/OEM products by other vendors. Internet Service Providers (ISPs) around the world typically loan these routers out to their collective millions of subscribers. In 2017 for example, experts discovered easily exploitable flaws in Arris modems distributed by AT&T.

Arris router models that were found to be vulnerable are NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320. Please note that Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05, and SBR-AC1200P 1.0.5-B05 are vulnerable to another vulnerability listed as CVE-2022-26992 which allows attackers to execute arbitrary commands via a crafted request.

Internet searches revealed 19,000 vulnerable routers directly connected to the internet. The owners were informed and most of the devices have been patched by now. Both Arris and muhttpd have issued patched versions but since the firmware is widespread and every ISP manages their own firmware updates independently, it’s likely that this issue will persist for years.

Mitigation

At the moment there are no reports of these vulnerabilities being used in the wild, but now that the vulnerabilities are known and proof of concept code is available, it might only be a matter of time until an attack is carried out.

If your router uses a vulnerable version of muhttpd you are advised to disable remote administration since that limits exploitability of the vulnerabilities to LAN attacks. Also, either get a patched version as soon as possible or replace the device.

The post Millions of Arris routers are vulnerable to path traversal attacks appeared first on Malwarebytes Labs.

When Katie Yates suddenly started receiving nude photos of her friend, Natalie Claus, over on Snapchat, she instantly recognized that Claus had just become a victim of a sextortion attack. She also knew how Claus should respond.

This happened in December 2019 when Claus was a sophomore. Both were students at the State University of New York.

Yates has a story of her own, too. Months before receiving those messages from Claus, she was herself a victim of sexual assault. After reporting the abuse, Yates started receiving abusive messages on social media. Seeing the lack of support from anyone on campus, she explored ways to identify her harasser.

This vigilanteism—Yates taking the matter into her own hands because she’s not getting any help—proved beneficial for Claus. So when Yates asked Claus if she wanted to catch her hacker, Claus said, “Yeah.”

Hacker posed as “Snapchat Security”

The case of Claus’s hacker, David Mondore (a chef), actually made headlines around 2020 and 2021. Claus is not his sole victim, and a press release revealed that Mondore was involved in a string of Snapchat hijacking activities from July 2018 to August 2020. During this period, the hacker gained unauthorized access to at least 300 Snapchat accounts, including Claus’s.

This Bloomberg article mentioned that Mondore posed as a “security employee” who warned Claus of an alleged breach of her Snapchat account. The Office of the US Attorney of New York provided more detail on the ruse that tricked Claus into handing over her account to Mondore.

According to Claus, whom the press release refers to as Victim 1, she received a Snapchat message from an acquaintance, whom the press release refers to as Acquaintance 1. The person messaging Victim 1 is actually Mondore using Acquaintance 1’s account.

Acquaintance 1 asked Victim 1 for her Snapchat credentials, so they can use the account to check if another user blocked them. In Snapchat, you can’t see anyone who’s blocking you even when you search for their username or full name. It appears the only way to see who’s blocking who is using another account. Several sites use this tactic.

Clearly, Mondore took advantage of this.

After Victim 1 sent her credentials to Acquaintance 1, Mondore sent Victim 1 a text message via an app anonymizing his actual phone number. The message he sent purportedly came from Snapchat Security, requesting Victim 1 to send the passcode for her “My Eyes Only” folder to verify that Victim 1’s account has been legitimately accessed.

“My Eyes Only” is a secure, encrypted, and private folder within Snapchat where users can save potentially sensitive photos and videos. This can only be accessed with a passcode.

After gaining access to Victim 1’s Snapchat account and her “My Eyes Only” folder, Mondore rinses and repeats. He contacted Victim 1’s contacts using her account, asking for their credentials under the pretense of checking who blocked them.

Mondore also used Claus’s private photos, which she had taken for herself as she attempted to recover from a rape, to gather compromising material from her Snapchat contacts. The message sent out with her nude images says, “Flash me back if we’re besties.” It was sent to 116 people, four of whom responded with explicit photos of themselves.

“Gotcha”

Claus hatched a plan to trap her hacker with Yates’s help. Using her own Snapchat account, Yates sent a message to Claus’s account, which Mondore had already controlled by then, saying she had nude images to share, with a URL link made to look like a porn site.

The URL, once clicked, collected the IP address of anyone who accessed it using the Grabify IP Logger website. Not only that, Yates and Claus set up the URL to redirect Mondore to the Wikipedia page for the word “gotcha” instead of the porn site he probably expected.

Mondore, upon seeing the Wikipedia redirect, messaged Yates saying, “What the hell is this?” She then blocked Claus’s account after collecting Mondore’s IP: he was in Manhattan and using an iPhone without a VPN.

Claus sent her police report to the campus police, who then forwarded it to the New York state police. One of the officers then knew who to contact within the FBI. The tip eventually led to Mondore’s arrest. He received a sentence of 6 months jail time.

“It was him being an idiot that did it,” Claus said of her hacker. “When I passed all that information to the FBI, they said, ‘There’s a really good chance that we wouldn’t have caught him without this.’”

Despite what happened to her and the “too light” punishment Mondore received, Claus believes he’s not a monster. “He’s a human,” she told Bloomberg. “That’s what makes it scary.”

The post When a sextortion victim fights back appeared first on Malwarebytes Labs.

We’ve seen many examples of third-party cookies being tackled by browsers recently. It’s not so long ago that Firefox effectively locked down third-party tracking by isolating cookies into so-called jars. By doing so, their “Total Cookie Protection” seeks to prevent all those cookies on your PC communicating with one another. This means advertisers can’t fully build up shadowy profiles following you around the net.

Increasingly, more browsers are going down this same route. Google has a huge hand in online advertising. This role often sits uneasily alongside issues of privacy and security, for example rogue ad campaigns misusing Google’s own ads.

Despite this, Google has also talked about killing off tracking cookies for some time now (including a pilot effort to introduce a type of tracking technology called “FLoC” which would allegedly preserve privacy by categorizing users into “groups” of behavior sets). The hammer was supposedly falling sometime this year, with the basic idea being that traditional third-party tracking cookies would no longer be functional in Chrome. That slice of potentially invasive advertiser pie would shrink down just a little bit further.

However, we’re now faced with the second pushback of cookie tracking lockdown where Chrome is concerned. Did Google jump the gun on this allegedly privacy-enhancing announcement?

Delaying an inevitable sunset

You probably won’t see any sunsetting of third party tracking cookies until the second half of 2024. The reason is detailed in a recent Google Blog posted by Anthony Chavez, the VP of Privacy Sandbox.

The Privacy Sandbox Initiative aims to replace tracking across sites and apps. It also wants to limit how far your data can be shared. According to the company initiative, advertising IDs and third party cookies are out; more sophisticated technologies which block invasive tracking are in.

At least, they would be but for the constant delays and pushbacks. As the Privacy Sandbox site puts it:

Billions of people around the world rely on access to information on sites and apps. To provide this free resource without relying on intrusive tracking, publishers and developers need privacy-preserving alternatives for their key business needs, including serving relevant content and ads.

In other words: organisations still need to make money from adverts, so here’s a very wobbly tightrope which we’ll all be inching down. It seems this potentially contradictory aim is causing inevitable delays.

More time for advertisers means more time for advertising

The specifics boil down to advertisers needing more time to figure out the new technologies replacing third party tracking. From the blog:

Improving people’s privacy, while giving businesses the tools they need to succeed online, is vital to the future of the open web. That’s why we started the Privacy Sandbox initiative to collaborate with the ecosystem on developing privacy-preserving alternatives to third-party cookies and other forms of cross-site tracking.

He goes on to say:

The most consistent feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome. This feedback aligns with our commitment to the CMA to ensure that the Privacy Sandbox provides effective, privacy-preserving technologies and the industry has sufficient time to adopt these new solutions. This deliberate approach to transitioning from third-party cookies ensures that the web can continue to thrive, without relying on cross-site tracking identifiers or covert techniques like fingerprinting.

You can view a timeline of the Privacy Sandbox work, which details at length what is happening and when. Third party cookie phaseout currently says support will be phased out “over a two month period”. There is no further information available on this at time of writing. Of course, potentially invasive tracking and advertising techniques will still be in use until sunsets finally come into play.

Major platforms are trying whatever they can to make it harder for people to extricate themselves from tracking. Most recently, Facebook was seen to be altering links designed to track clicks. By the time Google finally sunsets tracking cookies and other potentially invasive technologies, we may find that the new normal is another entirely set of invasive technologies to contend with.

The post Google delays Chrome third party cookie sunsetting…again appeared first on Malwarebytes Labs.

Action Fraud, the UK’s national reporting center for fraud and cybercrime, is warning of a very disturbing scam involving social media and “indecent images of children.” Details are light, but social media fans should take this as a warning to lock down their accounts immediately.

Based on multiple reports received, social media accounts are being “hacked and flooded with indecent images of children.” These attacks have been increasing month on month since January 2022, with 60 reports received in 2022. While the number isn’t enormous, the damage caused by just one such attack could have serious consequences for both viewer and account holder.

How does the attack take shape?

Accounts are hijacked and then used to post both images and video of indecent content containing children. Sadly, there is no mention of which platforms this content is being uploaded to. This makes giving platform-specific advice tricky.

There appears to be no financial motive to the attacks. Affected accounts are not held to any kind of ransom, nor does the attacker attempt to contact the victim by, for example, sending emails to the registered email account. They simply steal accounts and begin posting.

It’s possible some of the hijacked accounts aren’t used very often or even abandoned. The first time that the majority of victims reportedly learned about this criminal activity was when they received a “Your account has been suspended” notification.

Warding off the threat of illegal material

Nobody wants to see damaging content on their computer. You definitely don’t want bits and pieces of it being fanned out to several locations on your PC like temporary storage, caches, download folders, and so on.

Seeing such content can be incredibly traumatic and could also put you at legal risk in jurisdictions where viewing and storing such content is considered a crime—not just making or sharing such content. Considering the firehose that is social media, it doesn’t take much for a compromised account to begin spamming this material far and wide.

Action Fraud has released the following tips:

• If you come across indecent images of children online, report it to the police by calling 101 or visiting your local police station. You should take with you the device you were using when you came across the images.
• Do not, under any circumstances, screenshot, save or share the image. You will not be required to share the images with the police when making a report.
• Use 2-step verification (2SV, also known as 2FA or MFA) to protect your social media accounts. 2SV can keep people from gaining access to your accounts, even if they know your password.
• Ensure your social media accounts use a strong and different password to your other accounts. Combining three random words that each mean something to you is a great way to create a password that is easy to remember but hard to crack.
• Victims of account hacking should not pay any ransoms, whether it is monetary or in the form of a ‘testimony’ video.

This is one of the more extreme reasons to secure a social media account, and reported numbers of this happening are low. The caveat: reports might be low because people don’t want to get into trouble. Taking some time to lock down your accounts is definitely a good thing. If you’ve ever thought “Why bother, what’s the worst that could happen,” well: watching your social media account sending illegal content to friends, co-workers, and family is probably somewhere near the top as an answer.

The post Criminals using compromised social media accounts to “post indecent images of children” says UK cybercrime organization appeared first on Malwarebytes Labs.

Fewer victims are choosing to pay their ransomware extorters, especially among large enterprises, according to a recent investigation from Coveware. As a result of this, and other circumstances, we can see some shifts in the way that ransomware groups and their affiliates work.

Large organizations

An encouraging trend among large organizations is that they refuse to consider negotiations when ransomware groups demand impossibly high ransom amounts. As a result, the threat actors are responding by shifting their focus to the mid-market. That may explain why the median cost of ransom payments fell by 51 percent from the previous quarter, down to $36,300.

Legislation

A contributing factor to the drop in payments is also the fact that some countries and states are banning municipal organizations from paying ransoms. Sanctions against Russia resulted in a decline of ransomware attacks and payments, but ransomware groups have taken measures to make attribution and branding harder. Groups like Conti were absorbed by existing and new Ransomware-as-a-Service (RaaS) groups such as Black Basta, BlackCat, Hive, and Quantum.

Law enforcement

Law enforcement cracking down on ransomware has created the necessity for ransomware groups to use a more flexible infrastructure and be more vigilant when accepting new affiliates. We’ve also seen how law enforcement was able to recover some major ransom payments in recent years—a feat that, until recently, was nearly impossible or at least unheard of. This could be another reason for ransomware groups shifting to a larger quantity of smaller victims—when they attack large enterprises, they attract the attention of law enforcement and at least sometimes lose out on their ill-gotten gains.

Insurance

Meanwhile, insurance companies are expecting the rise in premiums to continue. Their main problem is the inability to assess the cybersecurity level of their customers. A new market is developing where insurers will offer a reduction on pricing if you provide a quarterly report through a specific security platform, because they know it’s a good product that helps to improve cyberhygiene.

Data theft and extortion

The more advanced ransomware groups are already trying to extract as high a ransom as possible by using data extortion and leak sites as a means to increase the pressure on organizations. This sites publicly announce which companies have been hit by a ransomware group should the organization refuse to pay the ransom, tarnishing the company’s reputation and also threatening to publish its sensitive data online. More ransomware groups can be expected to use the tactics of extortion, shaming, and data leaks to convince their victims to pay.

Different targets

With the shift from large botnets as the initial foothold to targeted attacks, the affiliates can not only be more picky when it comes to their victims, some can also choose between RaaS providers or decide to proceed on their own. On the defense side this means we have to be ready for an increase in possible attack vectors as we can expect affiliates to specialize in exploiting certain vulnerabilities.

Another change in tactics is to increase the number of possible targets. Almost every RaaS variant has stable Windows, Linux and ESXI versions and as such are able to target every server, regardless of the operating system.

Branding

Branding used to be an important factor for ransomware groups. A strong brand could carry a reputation for effectively decrypting the files of victims that paid, and operating a leak site that punished non-paying victims. But brands make attribution easier, and all it takes is one high profile attack on a pipeline or hospital to foul the brand and draw geopolitical or law enforcement attention.

As a result, RaaS groups are keeping a lower profile and vetting both affiliates and their victims more thoroughly. That means affiliates are increasingly required to handle initial access, stolen data storage, and negotiations alone, which is likely to reduce their profits.

Not going away

Unfortunately there are no signs that ransomware is going away. But fewer and smaller payments will certainly reduce the damage it is doing. And the reduction of payments will bring down the investments of RaaS groups in development and infrastructure, as well as the desire for affiliates to become increasingly independent.

If you haven’t already, put up a fight against ransomware.

Stay safe, everyone!

The post The ransomware landscape changes as fewer victims decide to pay appeared first on Malwarebytes Labs.

Uber covered up the 2016 data breach that affected its 57 million customers and drivers. The confession came as part of the settlement between the DOJ (US Department of Justice) and the taxi company, which will see it avoid criminal prosecution.

In a press release from the DOJ, Uber “admits that its personnel failed to report the November 2016 data breach to the FTC despite a pending FTC investigation into data security at the company.”

If you may recall, cybercriminals breached Uber’s system years ago using stolen credentials. The cybercriminals accessed a private repository of source code where they got a private access key. They then used this key to access and copy data associated with Uber users (names, email addresses, and phone numbers) and drivers (license numbers).

The hackers used the stolen data to blackmail Uber. So, the company hid this from the public and paid the hackers $100,000 to delete the data and keep quiet.

The Uber hack came to light after new leadership took over the company in 2017, a year after the incident occurred.

Uber CEO Dara Khosrowshahi, who took over after the ousting of former CEO Travis Kalanick, along with the new leadership team, conducted an internal investigation on the breach. The outcome led to Khosrowshahi firing Joe Sullivan, Uber’s chief security officer at that time, for being complicit in the cover-up. It also led to Uber reporting the incident to their drivers, regulators, law enforcement, attorneys general, and the FTC (Federal Trade Commission).

Sullivan was charged with obstruction of justice for the cover-up from the FTC and Uber management. His case is scheduled to go on trial in September 2022.

The press release noted the FTC will not prosecute Uber because Khosrowshahi and the new management reported the breach. The rideshare company also entered an agreement with the FTC wherein it will maintain a “comprehensive privacy program” for 20 years and will continue reporting future breaches to the FTC.

Lastly, Uber paid $148M for civil litigation settlement.

The post To settle with the DoJ, Uber must confess to a cover-up. And it did. appeared first on Malwarebytes Labs.

A convenience shop chain is under fire and facing legal charges for installing cameras with facial recognition software in 35 of its branches across the UK.

The cameras analyze and convert video face captures into biometric data. The data is compared with a database of people who have committed crimes in the shop, such as theft or violent behavior. Southern told the BBC that it only placed cameras in shops where there is a history of crime.

But Big Brother Watch, a non-profit privacy campaigning organization based in the UK, said the Southern Co-op’s camera system “breaches data protection” and that people visiting the shops may find themselves unknowingly being placed on a watch list.

A Southern spokeswoman said the watch list isn’t a list of criminals, but of people whom the co-op has evidence of criminal or anti-social behavior. Should any of the people on their list turn up at the shop, they are asked to leave, or a staff member will approach them with an offer of help, making it clear that the shop knows they’re there.

Big Brother Watch questioned the legality of having these systems installed, asserting that biometric scans are “Orwellian in the extreme.”

Silkie Carlo, Director of Big Brother Watch, says, “The supermarket is adding customers to secret watch-lists with no due process, meaning shoppers can be spied on, blacklisted across multiple stores and denied food shopping despite being entirely innocent.”

“This is a deeply unethical and a frankly chilling way for any business to behave.”

The group added that the system is not necessary for preventing crime nor to “protect the public from harm in any meaningful way”.

“At best, it displaces crime, empowering individual businesses to keep ‘undesirables’ out of their stores and move them elsewhere,” the complaint further asserts.

Big Brother Watch raised a complaint with the Information Commissioner’s Office (ICO), and Southern said it welcomes constructive feedback.

“We take our responsibilities around the use of facial recognition extremely seriously and work hard to balance our customers’ rights with the need to protect our colleagues and customers from unacceptable violence and abuse,” Southern said.

Southern Co-op said its branches with the camera systems installed have appropriate signage on display.

“The safety of our colleagues and customers is paramount and this technology has made a significant difference to this, in the limited number of high-risk locations where it is being used.”

Facewatch, the provider of the system Southern Co-op uses, says: “Facial recognition may be used where it is necessary because other methods to prevent crime, such as policing, CCTV and manned guarding, have tried and failed.”

“Any privacy intrusion is minimal and proportionate. Facewatch is proven to be effective at crime prevention, and our clients experience a significant reduction in crime.”

The post “Orwellian in the extreme” food store installs facial recognition cameras to stop crime, faces backlash appeared first on Malwarebytes Labs.

Controversy over supposed pro-China messaging in apps from TikTok owner Bytedance continues to grow. Tales are emerging relating to a now shelved app called TopBuzz. Former employees have spoken to BuzzFeed, making claims of both pro-China content promotion and forms of censorship elsewhere.

Staying on message

Buzzfeed claims that former employees who worked on the TopBuzz app were instructed to place “specific pieces of pro-China messaging in the app”. There are claims of China-centric content being pinned to the top of the app, including videos about travel, as well as one about moving a start-up to China. The former employees say they had to take screenshots to prove that they had pinned the content.

Elsewhere, there are claims that certain types of content was being censored. This includes alleged removal of Hong Kong protest coverage, for example. Other “edge case” content resulted in liaisons with the Beijing team to decide its fate. There’s also references to outright removal of content related to Winnie the Pooh memes.

Bytedance didn’t respond to comments related to censorship, though the embattled organisation did object strongly to claims about pro-China messaging. There’s also additional claims of everything from scraped content to mass deletions of fake accounts “degrading the user experience“.

Rules and regulations

Travel videos and clips of pandas may sound harmless. But this is still a news issue due to fears of regulatory concerns. Apps and businesses walk a tightrope of concerns where any connection exists to a nation which may be at odds with the one they’re trying to do business in. It wasn’t so long ago that former US President Donald Trump tried (and ultimately failed) to force a TikTok ban. More than anything else, this attempt may have made issues of compliance in this realm front and center in the public eye.

This public pressure isn’t going away anytime soon when members of the FCC are demanding Google and Apple remove TikTok from their stores. FCC Commissioner Brendan Carr insists the company “can’t be trusted” with information given by users.

Of leaks and downplaying

It’s not just bad news for the now defunct app. There’s now also word of internal TikTok documents related to questions of ByteDance, China, and AI:

The main counterpoints referencing these subjects include:

• TikTok not being available in China
• Not sharing user data with the Chinese government, and refusing to do so if asked
• Citing the “measures in place” to “significantly reduce access to user data”.

There’s many other unrelated topics in the document, including dealing with questions related to user demographics, user data generally, and children spending money on livestreaming gifts.

Given the non-stop debate over issues related to China, and the fairly restrictive guidance contained within for answering questions, it’s likely this is where the focus will remain over the coming days as the document continues to be analysed.

The post TikTok owner ByteDance pushed a pro-China agenda to Americans, say former employees appeared first on Malwarebytes Labs.

The Spanish police arrested two people under the accusation of tampering with the Red de Alerta a la Radiactividad (RAR). The RAR is part of the Spanish national security systems and in use to monitor gamma radiation levels across the country. The network is managed, operated and maintained by the General Directorate of Civil Protection and Emergencies (DGPCE) of the Ministry of internal affairs.

RAR

The RAR network contains more than 804 detection points across the country. Each detection point has at least one sensor plus a control unit. The detection points measure gamma radiation across the country. The network serves as a warning system if there’s a spike in radiation levels. Each sensor unit is connected to the central node located in the control center at the DGPCE headquarters. In addition, there are ten regional nodes and seven associated nodes that allow alternative access to the network, which have more limited management capabilities.

Spain has seven nuclear reactors which together generate about a fifth of the country’s power supply. The RAR system serves to measure radiation levels and raise an alert in case of a detected abnormal level.

The hack

The two suspects are accused of sabotage by disabling more than a third of the RAR sensors. The hackers attacked the computer system and caused the connection of the sensors to fail, reducing their detection capacity even in the close proximity of nuclear power plants.

The intrusion took place between the months of March and June,2021. The attack was directed at the two main components of the network. On the one hand, there was unauthorized access into the computer system itself, the purpose of which was to delete the RAR management web application in the control center. On the other hand, the threat actors attacked over 300 sensors, causing the failure of their connection with the control center and thus reducing the detection capacity of the network.

Inside job

While the motive behind the attack remains unclear, it has become clear that the two accused were responsible for the maintenance program of the RAR system, through a company contracted by the DGPCE. The intimate knowledge of the maintenance program enabled them to pull of this attack.

It also helped them to hide their involvement which made the investigation difficult and time consuming. The arrests came after a year-long investigation that involved raids in Madrid and San Agustín de Guadalix, and the seizure of numerous computer and communications devices related to the attack.

Critical infrastructure

While we tend to think about other things first while discussing critical infrastructure, this warning system qualifies as such because it’s intended to monitor a possible threat to the population. And if anything had happened during the time the system was under attack and only functioning in part, the consequences could have been disastrous.

The post Radioactivity monitoring and warning system hacked, disabled by attackers appeared first on Malwarebytes Labs.