IT NEWS

According to a joint security advisory published yesterday by US and UK cybersecurity and law enforcement agencies, a new malware called Cyclops Blink has surfaced to replace the VPNFilter malware attributed to the Sandworm group, which has always been seen as a Russian state-sponsored group.

Cyclops Blink

The alert issued by the Cybersecurity & Infrastructure Security Agency (CISA) and an analysis published by the UK’s National Cyber Security Center (NCSC) show Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) for this new malware.

Cyclops Blink has primarily been deployed to networking hardware company WatchGuard’s devices. According to WatchGuard, Cyclops Blink may have affected approximately 1% of active firewall appliances, which are devices mainly used by business customers.

Cyclops Blink has been found in WatchGuard’s firewall devices since at least June 2019. But the NCSC warns that it is likely that Sandworm is capable of compiling the same or very similar malware for other architectures and firmware. The attackers were able to infect their devices via a WatchGuard vulnerability that was patched in a May 2021 update.

The analysis says Cyclops Blink malware also comes with modules specifically developed to upload/download files to and from its command and control server, collect and exfiltrate device information, and update the malware. The presence of a Cyclops Blink infection does not mean that an organization is the primary target, but its machines could be used to conduct attacks on others. Either way, it is in your best interest to disconnect and remediate any affected devices.

Sandworm

In light of world news, it’s important to note that the Sandworm group has been known to target Ukrainian companies and government agencies. They were held responsible for destroying entire Ukrainian networks, triggering blackouts by targeting electrical utilities in the Ukraine (BlackEnergy malware), and releasing the NotPetya malware. NotPetya is the name given to a later version of the Petya malware that began spreading rapidly, with infection sites focused in Ukraine, but from there it also spread across Europe and beyond.

Among the latest attacks on Ukraine was a distributed denial of service (DDoS) attack. Cyberattacks, such as DDoS attacks, fall under the traditional categories of sabotage, espionage and subversion. So far, we can see the results of these attacks as several of Ukraine’s bank and government department websites crashed, and earlier this week some 70 Ukrainian government websites underwent the same fate.

As we learned from NotPetya, these attacks can spread around the world. NotPetya affected computer networks worldwide, targeting hospitals and medical facilities in the United States, and costing more than US$1 billion in losses.

VPNFilter

CISA and the NCSC both describe the Cyclops Blink malware as a successor to an earlier Sandworm tool known as VPNFilter, which infected half a million routers to form a global botnet before it was identified by Cisco and the FBI in 2018 and largely dismantled. It never fully disappeared, and the Sandworm group has since shown limited interest in existing VPNFilter footholds, instead preferring to retool.

VPNFilter was deployed in stages, with most functionality in the third-stage modules. These modules enabled traffic manipulation, destruction of the infected host device, and likely enabled downstream devices to be exploited.

Mitigation and detection

WatchGuard firewall appliances are not at risk if they were never configured to allow unrestricted management access from the Internet which is the default setting for all WatchGuard’s physical firewall appliances. Internet access to the management interface of any device is a security risk.

All WatchGuard appliances should be updated to the latest version of Fireware OS.

When it comes to infected appliances, Cyclops Blink persists on reboot and throughout the legitimate firmware update process. So, affected organizations should take steps to remove the malware. WatchGuard customers and partners can eliminate the potential threat posed by malicious activity from the botnet by immediately enacting WatchGuard’s 4-Step Cyclops Blink Diagnosis and Remediation Plan.

Owners of infected appliances will also need to update the passphrases for the Status and Admin device management accounts and replace any other secrets, credentials, and passphrases configured on the appliance. All accounts on infected devices should be assumed to be compromised.

Heightened awareness of Cyclops Blink and other malware attacks that may be aimed at the Ukraine is required. This is true for everyone involved in cybersecurity by the way, not just owners of WatchGuard appliances.

Stay safe, everyone!

The post Cyclops Blink malware: US and UK authorities issue alert appeared first on Malwarebytes Labs.

Malicious actors use influence operations, like spreading false information, to shape public opinion, undermine trust, amplify division, and create dissension. In response, the Cybersecurity & Infrastructure Security Agency (CISA) has released CISA Insights: Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides proactive steps organizations can take to assess and mitigate the risks of information manipulation.

The Insights document is designed for critical infrastructure owners and operators, to ensure they are aware of the risks of influence operations leveraging social media and online platforms.

False information

Instead of “false information” CISA uses the term “MDM“, which covers misinformation, disinformation, and malinformation. This deserves some clarification to understand their definitions of these types of misleading information:

• Misinformation is false, but not created or shared with the intention of causing harm.
• Disinformation is deliberately created to mislead, harm, or manipulate.
• Malinformation is based on fact, but used out of context to mislead, harm, or manipulate.

CISA warns that threat actors both inside and outside the USA use MDM campaigns to cause chaos, confusion, and division.

Foreign actors

In its report, CISA focuses on foreign actors that engage in MDM to bias the development of policy and undermine the security of the USA and its allies. By using social media, MDM threat actors have means at their disposal unlike any in history. It warns that while a single MDM narrative can seem innocuous, when narratives are promoted consistently to targeted audiences, and reinforced by peers and social media influencers, it can have compounding effects.

Modern foreign influence operations demonstrate how a strategic and consistent exploitation of divisive issues, and a knowledge of the target audience and who they trust, can increase the potency and impact of an MDM narrative. Furthermore, current social factors, including the USA’s heightened polarization, and the ongoing global pandemic, increase the risk and potency of influence operations to the USA’s critical infrastructure, especially by experienced threat actors.

CISA insights goal

This CISA Insights product is intended to ensure that critical infrastructure owners and operators are aware of the risks of influence operations leveraging social media and online platforms. Organizations can take steps internally and externally to ensure swift coordination in information sharing, as well as the ability to communicate accurate and trusted information in order to bolster resilience.

Mitigation

In the CISA Insights we find some proactive actions that can limit or mitigate the influence of MDM campaigns:

• Identify your vulnerabilities. CISA urges organizations to ask themselves what narratives or incidents have the potential to negatively affect their critical functions.
• Secure social media. Hijacked accounts and defaced websites can be used to influence public opinion, so organizations should educate their staff on securing their personal social media accounts.
• Practice smart email hygiene. Organizations should pracitce smart email hygiene and watch for phishing attacks.
• Prepare communication channels in advance. CISA suggests that preparing communication channels and establishing contacts before MDM incidents occur allows organizations to respond quickly, and share accurate and verifiable information.
• Review and update your website. Organizations need to make information as clear, transparent, and accessible as possible.
• Review and update your social media. Organizations need to stay on top of their social media, and make sure they’re verified on each platform, so they can be identified as official accounts.
• Anticipate MDM. Clear, consistent, and relevant communications that respond to and anticipate MDM can help organizations maintain security and build public confidence.
• Review existing communications channels. Organizations should look at how they communicate—such as newsletters, reports, blog posts, events, social media content, podcasts, or other activities—and identify opportunities for improvement.
• Coordinate with other organizations. Working with other organizations in your sector can amplify and reinforce messaging, and create a strong network of trusted voices.
• Maintain contact with key outlets. Communications professionals should maintain contact with key communications outlets.

An incident response plan

CISA goes on to provide some more details about what it takes to have an effective incident response plan.

• Clear internal communications channel. Designate an individual to oversee the MDM incident response process and associated crisis communications.
• Establish roles and responsibilities for MDM response, including but not limited to responding to media inquiries, issuing public statements, communicating with your staff, engaging your previously identified stakeholder network, and in implementing physical security measures.
• Ensure your communication systems are set up to handle incoming questions. Phones, social media accounts, and centralized inboxes should be monitored by multiple people on a rotating schedule to avoid burnout.
• Identify and train staff on reporting procedures to social media companies, government, and/or law enforcement.
• Consider your internal coordination channels and processes for identifying incidents, delineating information sharing and response. Foreign actors can combine influence operations with cyber activities, requiring additional coordination to facilitate a whole-of-organization response.

Stay safe, everyone and verify your sources!

The post CISA offers guidance on dealing with information manipulation appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Adobe patches actively exploited Magento/Adobe Commerce zero-day
• Ransomware gang hits 49ers’ network before Super Bowl kick off
• Don’t let scammers ruin your Valentine’s Day
• CISA Ransomware report warns “triple threat” attacks still on the prowl
• City: Skylines developers warn of rogue mod
• Update now! Chrome patches actively exploited zero-day vulnerability
• Journalist won’t be indicted for hacking for viewing a state website’s HTML
• Ban Pegasus spyware, urges European Union Data Protection Supervisor
• Roblox Beamers steal items from kids
• Firefox and Chrome reaching major versions 100 may break some websites
• US senators introduce the Kids Online Safety Act (KOSA)
• Watch out for this bump in LinkedIn phishing

And don’t forget to listen to our recent podcast about the world’s most coveted spyware, Pegasus.

Stay safe!

The post A week in security (February 14 – February 20) appeared first on Malwarebytes Labs.

Ken Paxton, the Attorney General of Texas, recently filed a lawsuit against Facebook’s parent company, Meta, for harvesting the facial recognition data of millions of Texan residents—for a decade.

Paxton filed the lawsuit on Monday in the state’s Harrison County District Court. The suit contains arguments that Facebook’s now-defunct photo-tagging feature illegally collected data about Texan people’s faces, including those who are non-Facebook users but were tagged by someone who is, without asking for consent. Facebook was able to collect such data via its face recognition technology.

Facebook introduced face recognition technology in 2010 to make tagging friends and family on photos more manageable. The company updated and implemented this technology in December 2017 to assist users in managing their identity on the platform by helping them “find photos that you’re not tagged in and help you detect when others might be attempting to use your image as their profile picture.” Not only was the tool intended to protect users’ identities on Facebook, it was also supposed to help visually impaired users to identify the people in the photos they encountered on Facebook.

Three months ago, Jerome Presenti, the VP of artificial intelligence, announced that Facebook would be shutting down its face recognition system as part of a company-wide move to limit its use in their products. This change, in turn, will affect blind and visually impaired services that identify names in photos. Facebook users who are wary that their faces might be in pictures or videos posted by other users—especially those who create fake Facebook profiles and use stolen photos—will no longer be notified. But the most significant effect of all is that the “facial recognition templates” of more than a third of Facebook’s users will be deleted, the company says.

We believe facial recognition can help for products like these with privacy, transparency and control in place, so you decide if and how your face is used,” wrote Presenti, “There are many concerns about the place of facial recognition technology in society, and regulators are still in the process of providing a clear set of rules governing its use. Amid this ongoing uncertainty, we believe that limiting the use of facial recognition to a narrow set of use cases is appropriate.

The lawsuit Paxton has filed alleges that Facebook, before shutting down its AI tool, had already amassed “biometric identifiers of Texans for a commercial purpose without their informed consent, disclosed those identities to others, and failed to destroy collected identifiers within a reasonable time, all in violation of the Texas Capture or Use of Biometric Identifier Act (CUBI). Paxton also alleges that the social media platform engaged in deceptive acts, breaking the Texas Deceptive Trade Practices Consumer Protection Act (DTPA).

Paxton doesn’t see Facebook’s face recognition technology as a means to protect its user’s identities. Instead, he sees it as a deceptive scheme against Texans. The system captured their immutable data as they innocently shared photos and videos with friends and family members on the platform. All the while, the company profited from the data and trained its AI while putting its users at risk.

Meta may have pulled its face recognition tool from Facebook, but Meta has other platforms. And, according to the lawsuit, Facebook “made no such commitment with respect to any of the other platforms or operations under its corporate umbrella, such as Instagram, WhatsApp, Facebook Reality Labs, and its upcoming virtual reality metaverse.”

According to the Texas Tribune, this lawsuit against Facebook is just the latest in a string of Paxton’s actions against big named companies. In January, he sued Google over “deceptively tracking users’ location without consent” and issued a probe on Twitter for its content moderation practices. Earlier this month, his office joined a brief to accuse Apple of violating antitrust laws (among others). And last week, he opened an investigation into GoFundMe for pulling the “Freedom Convoy,” a fundraiser campaign for Canadian truckers protesting against pandemic restrictions.

The post Facebook sued for siphoning facial recognition data without consent appeared first on Malwarebytes Labs.

LinkedIn is sometimes forgotten about in more general coverage of phishing attacks. Social media sites such as Facebook, Twitter, and Instagram receive regular attention. Cryptowallet customer support scams run wild in the replies to any cryptocurrency themed tweet. Facebook users can often be found dealing with compromised accounts asking for money. Instagram has a wave of influencers having their accounts held to ransom. The big questions is: have you ever wondered what’s on LinkedIn?

Presenting: What’s on LinkedIn

It’s not just endless spam for unsuitable job positions and motivational speeches. It turns out there’s a whole lot of phishing happening behind the scenes, too. At the beginning of February, Brian Krebs reported that scammers are using “Slinks” to redirect to phishing pages. Worse still, that particular technique has been around since 2016. In the most recent example, the phishing attempts seen in the wild were not hunting LinkedIn accounts specifically. Even so, tying bad URLs to reassuringly convincing LinkedIn redirects will always end badly for someone.

More recently…

Phishing by increasingly large numbers

Research claims that bogus imitation LinkedIn mails have increased around 232% since the beginning of February. Overfamiliarity with a stream of genuine messages mentioning profile views, new messages, and employment opportunity suitability may be causing people to start clicking through. Times are tough out there, and given LinkedIn is a natural fit for networking and job hunting it’s understandable that some folks will click everything in sight.

I’m a professional (phisher)

The mails are convincingly branded, look realistic, and emulate the real thing in a way that may drift past people’s sense of caution. The research points out that the fake mails also piggyback on the back of other genuine brands to make themselves look even more convincing. CVS Carepoint and American Express are two of the brands named as being spoofed in the fake mails.

Should someone click through to the phishing pages and start entering details, they may well lose the login credentials. Unlike the attacks from the beginning of February, these mails are specifically looking for LinkedIn password and username combinations. The research doesn’t say what the scammers do with the accounts once harvested, but it’s a good bet they’ll be used for spamming, social engineering, or even just more phishing attempts.

Avoiding the LinkedIn scammers

These mails appear to be getting past at least some email security defences and precautions. It’s nice to know people are checking out your profile. It’s helpful that there are awesome jobs out there for you to check out, but be careful! You don’t have to click into the latest email in your mailbox. Consider navigating directly to LinkedIn yourself and seeing what’s in there.

Bogus messages and jobs referenced in the fake mails won’t be waiting for you on the site itself. This doesn’t rule out actually being sent bogus messages and job references on LinkedIn itself. However, going there yourself and seeing what lies in wait at least negates the threat of the phishing mails.

The post Watch out for this bump in LinkedIn phishing appeared first on Malwarebytes Labs.

US Senators Richard Blumenthal of Connecticut and Marsha Blackburn of Tennessee have introduced the Kids Online Safety Act (KOSA), legislation that aims to enhance children’s safety online.

This follows the The Wall Street Journal (WSJ)’s reporting on the harm Instagram can inflict on teens, which was based on controversial Facebook documents that whistleblower Frances Haugen leaked to the WSJ, and coupled with multiple hearings with social media companies about their failures to protect kids online.

“Protecting our kids and teens online is critically important, particularly since COVID increased our reliance on technology,” said Blackburn in a press release.

“Big Tech has brazenly failed children and betrayed its trust, putting profits above safety. Seared in my memory—and motivating my passion—are countless harrowing stories from Connecticut and across the country about heartbreaking loss, destructive emotional rabbit holes, and addictive dark places rampant on social media. The Kids Online Safety Act would finally give kids and their parents the tools and safeguards they need to protect against toxic content—and hold Big Tech accountable for deeply dangerous algorithms. Algorithms driven by eyeballs and dollars will no longer hold sway.”

In a one-page summary document, KOSA is presented as a solution to the longstanding problem of social media platforms playing a hand in their most vulnerable users’ mental health and well-being: children and teens. The senators presented how parents or carers and young social media users can benefit from KOSA by:

• Requiring social media platforms to provide their young users (age 16 years and below) options to protect their online information, disable features that would cause them addiction, and opt out of algorithmic recommendations. These algorithms pull from a user’s personal data to suggested content that triggers users to keep scrolling.
• Requiring platforms to enable the strongest possible setting to minors by default.
• Giving parents provision to support children under their care and identify harmful behavior. Platforms should also provide parents and kids a dedicated channel where they can report harms.
• Creating accountability for social media platforms to act in preventing and mitigating content that could harm minors. Such content includes the promotion of unlawful products for minors (e.g. gambling and alcohol), self-harm, substance abuse, eating disorder, sexual exploitation, and suicide.
• Requiring social media platforms to conduct an annual independent audit aimed at assessing risks to minors, compliance to legislation, and whether they are taking meaningful steps to ensure that harms are prevented. The end product of this assessment would be an annual report.
• Providing academic researchers and non-profit organizations access to critical social media platform datasets to foster research on the safety and well-being of minors. This would also require the National Telecommunications and Information Administration to setup a program where researchers could apply for data sets from these social media platforms.

Meanwhile in California, lawmakers introduced a bill on Thursday that requires Meta and YouTube to limit collecting children’s data on their platforms. If passed into law, the profiling of young users for targeted advertising will be restricted, introducing age-appropriate content policies will be mandated, and serving up behavioral nudges to get children and teens to weaken their privacy protections will be banned.

This California bill is said to be modeled after the UK’s Age Appropriate Design Code (aka “Children’s Code”), which came into force in September 2021.

The post US senators introduce the Kids Online Safety Act (KOSA) appeared first on Malwarebytes Labs.

Mozilla has issued a warning about the upcoming versions 100 for both Chrome and Firefox. The change in the version number from 2 to 3 digits may cause some problems when visiting websites that are not prepared for this change. For example, it’s possible that some parsing libraries may have hard-coded assumptions or bugs that don’t take into account three-digit major version numbers.

Version 100

Chrome expected to reach the first three digit major version number in the first half of 2022. According to the Firefox release calendar, Firefox Nightly will reach version 100 during the first quarter of 2022 (probably March). At that rate it will reach Firefox stable release version early May 2022.

For now, the estimated dates are March 29 for Chrome and May 3 for Firefox.

User agent string

The problem originates from the user agent string that browsers send to websites you are visiting. If you are the kind of person that uses different browsers or different devices to access websites, you may have noticed that sites can look quite different depending on which browser you use to view them. When your browser sends a request to a website, it identifies itself with the user agent string before it retrieves the content you’ve requested. The data in the user agent string help the website to deliver the content in a format that suits your browser. Even though depending on user agents alone is no longer enough to optimize a website, they are still an important source of information.

For web browsers the format of the user agent string is:

[Browser]/[version] ([system and browser information]) [platform] ([platform details]) [extensions]

For example the latest version of Firefox will show:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0

Why is that a problem?

As we pointed out, websites read the user agent string and optimize their content for the browser they identify by reading that information.

Some website developers will have created routines or use JavaScript libraries to identify the string Firefox and then grab either the first two digits after the semicolon “/” or the last two digits before the “.” which does not pose any problems as long as the user agent string is broadcasting two digits. But now that the last part will change to Firefox/100.0 these routines will identify your Firefox version as respectively “10” or “00”. Other libraries may even return a null result which will effectively break the site.

As a result of a mismatched version number, the visitor may get the version of the website that was designed for very early versions of the correct browser, or a version that was designed to work for all types of “unidentifiable” browsers. This is usually not an optimal experience.

Testing

Both Mozilla and Firefox are testing the compatibility of major websites ahead of time.

With the experience racked up back when browsers first reached version 10 long ago, when lots of issues were discovered with User Agent parsing libraries, Chrome has warned that developers and IT admins should test their services in advance to avoid the same issues from happening again.

If there are issues with sites that Mozilla or Google cannot fix before these versions are released, both Google and Mozilla have backup plans ready to ensure the sites are not affected.

If you would like to help testing or to test your own site, you can read here how to proceed, and if you notice something that is breaking because of the user agent string, you are welcome to file a report on webcompat.

Edge

Edge is not trailing far behind in version number, but since Edge is a Chromium based browser we can expect the worst problems to be found out by that time. Starting with Microsoft Edge 97, site owners can test this upcoming user agent string by enabling the #force-major-version-to-100 experiment flag in edge://flags to ensure their user agent parsing logic is robust and works as expected.

The post Firefox and Chrome reaching major versions 100 may break some websites appeared first on Malwarebytes Labs.

A journalist incorrectly branded as a “hacker” by the governor of Missouri won’t be prosecuted “for hacking”.

This was a quick and foreseen win for St. Louis Post-Dispatch reporter Josh Renaud after a prosecutor from Cole County dismissed Missouri Governor Mike Parson’s criminal charges against him for allegedly hacking a government website by viewing its public HTML code— something anyone can do by simply pressing the F12 button.

Perhaps due to the absurd allegation, Internet users following the cause couldn’t help but rename this as “the F12 case”.

Locke Thompson, a Cole County Prosecutor, released a statement on Friday last week, which includes:

“There is an argument to be made that there was a violation of law. However, upon a review of the case file, the issues at the heart of the investigation have been resolved through non-legal means, As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case. The investigation is now closed, and the Cole County Prosecutor’s Office will have no further comment on the matter.”

How it all began

In October 2021, St. Louis Post-Dispatch pushed out Renaud’s story about a flaw on a website maintained by the Missouri Department of Elementary and Secondary Education (DESE) which exposed Social Security numbers (SSNs) of administrators, counselors, and school teachers across the state, putting more than 100,000 educators at risk.

According to Renaud’s article, the teacher’s SSNs were contained in the site’s HTML source code. This is easily accessed by simply pressing the F12 function key and opening the Developer’s Console on the right-hand side of the webpage. When consulted, Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis confirmed Renaud’s findings, calling it “a serious flaw.”

“We have known about this type of flaw for at least 10-12 years, if not more,” Khan was quoted in an email, “The fact that this type of vulnerability is still present in the DESE web application is mind-boggling!”

The department was supposed to discuss Renaud’s findings, but things took a quick turn for the worse. On Wednesday evening, the department sent out a letter to teachers and posted a press release on its website, minimizing the flaw’s impact and blaming Renaud—and by association, the Post-Dispatch—for taking records of educators from their site.

Education Commissioner Margie Vandeven said in a letter to teachers that “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”

An echo of this sentiment was reflected in the press release, further stating that the person (Renaud) responsible for discovering the flaw was a “hacker” and “took the records of at least three educators.”

In reality, according to the Post-Dispatch, Renaud had discovered the flaw and confirmed that the nine-digit numbers he’d seen on the webpage’s code were indeed SSNs. The paper had also told DESE that it confirmed the flaw with three educators and Professor Khan. Post-Dispatch further noted that these SSNs were available and searchable by anyone through DESE’s educator certification search tool on its website.

Although the SSNs in the HTML were encoded and not in plain text, they were not encrypted, said Khan in a separate Post-Dispatch article. Encrypted data would require a unique decryption key to view the actual data. On the other hand, encoded data only means that the data is in a different format.

“Anybody who knows anything about development—and the bad guys are way ahead—can easily decode that data,” Khan said. That wasn’t even the issue though. The bigger problem, according to Khan, was the presence of sensitive data accessible by anyone with a browser.

DESE has made teacher information accessible to local school districts when verifying a teacher’s certification. As SSNs are part of the information pool, it would be easy to identify an educator using the last four digits of their SSN. After Renaud reported the flaw to DESE, this search tool has been removed.

Joseph Martineau, a Lewis Rice attorney representing Post-Dispatch, issued the following response to DESE’s press release:

“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.

For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”

It should also be noted Post-Dispatch held off publishing Renaud’s article to give DESE enough time to address the flaw in its site.

The state of Missouri also targeted Professor Khan in their investigations, but this was halted after Khan sent a litigation hold and demand letter to Parson and some state agencies.

Relief for Renaud

Josh Renaud issued a statement expressing relief and remorse for the damage done to him and his family. He described the entire ordeal as “a political prosecution of a journalist.”

“Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers’ private data. At the same time, I am concerned that the governor’s actions have left the state more vulnerable to future bad actors. His high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri, and decreasing the chance those flaws get fixed.”

Gov. Parson could have responded to Renaud’s reporting differently, and hacker Rachel Tobac couldn’t have encapsulated this more perfectly:

The post Journalist won’t be indicted for hacking for viewing a state website’s HTML appeared first on Malwarebytes Labs.

The European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms.

What is Pegasus?

On July 18, a group of 17 newspaper and media organizations—aided by Amnesty International’s Security Lab and the research group Citizen Lab—revealed that one of the world’s most advanced and viciously invasive spyware tools had been used to hack, or attempt to hack, into 37 mobile phones owned by human rights activists, journalists, political dissidents, and business executives.

This spyware, called Pegasus and developed by the Israeli company NSO Group, is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents. Pegasus is designed to successfully attack almost any smartphone running either iOS or Android, based on specific yet very basic information like a telephone number. Pegasus effectively turns the smartphone into a 24/7 surveillance device by gaining complete access to all sensors and information on the smartphone, including messages before they are encrypted, geolocation, camera, and calls. As Amnesty International’s Security Lab put it:

“Pegasus can do more than what the owner of the device can do.”

For an in-depth look at Pegasus, have a listen to our podcast about the world’s most coveted spyware, Pegasus: Lock and Code S03E04.

What is the EDPS?

The European Data Protection Supervisor (EDPS) is the European Union’s (EU) independent data protection authority. The EDPS is an increasingly influential supervisory authority that aims to provide requested as well as unsolicited advice to EU institutions and bodies on all matters relating to the processing of personal data.

Besides monitoring and ensuring the protection of personal data and privacy when EU institutions and bodies process the personal information of individuals, one of the EDPS missions is to monitor new technology that may affect the protection of personal information.

Level of intrusiveness

The EDPS is convinced that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

The EDPS warns against regarding Pegasus as yet another law enforcement interception tool, but more as a hacking tool that has to be seen as a government Trojan in the form of a permanent backdoor. Unfortunately, Pegasus is not the only spyware tool of this type that is marketed as a law enforcement tool. However, Pegasus is considered a game-changer that renders existing legal and technical safeguards ineffective and meaningless.

EU law

Targeted surveillance is regulated in the national legislation of virtually every EU member state. But Article 52(1) of the EU Charter of Fundamental Rights requires that any limitations on the exercise of the fundamental rights and freedoms of the individual are proportionate and necessary. Such limitations must in any event be provided for by law and respect the essence of the fundamental rights and freedoms as recognized by the Charter.

The EDPS considers that only in cases of a very exceptional nature could Pegasus meet the requirements of proportionality and even in those cases less intrusive surveillance tools would be preferable. Therefore, using information gathered with the help of Pegasus and similar tools is likely to be considered inadmissible in a court of law. Also, many forensic experts may not have the necessary knowledge to identify and examine such highly advanced technology developed by private companies.

The advice

In its conclusion, the EDPS states that:

 “Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy. This fact makes its use incompatible with our democratic values. “

The EDPS therefore believes that a ban on the development of spyware with the capability of Pegasus in the EU would be the most effective option to protect our fundamental rights and freedoms.

It goes on to provide a list of steps and measures to block the unlawful use of Pegasus and similar tools:

• Strengthen the democratic oversight over surveillance measures.
• A strict implementation of the EU legal framework on data protection.
• Judicial review of surveillance order applications should not be a mere formality.
• Criminal procedural laws should outlaw the use of highly intrusive hacking tools.
• Reduce the risk of using data gained by such methods reaching the databases of the European Union (e.g. Europol).
• Stop (ab)using “national security” purposes for legitimizing politically motivated surveillance.
• Address deficiencies in the rule of law that create grounds for abuse of secret surveillance.
• Bring awareness and public debate to support and empower civil society.

By publishing this document, the EDPS has made its contribution to the public discussion whether there is a place for spyware tools like Pegasus in a democratic society.

The ban

Given that some member states of the EU are listed as NSO Group customers, the reason for requesting this ban is clear. It should also be clear by now that the individuals targeted by using Pegasus are not terrorist organizations, drug cartels, human traffickers, pedophile rings or other criminal syndicates, but rather reporters, scientists, romantic partners, and potentially even heads of state.

But, knowing how hard it is to detect such tools on affected devices, and—even if they are detected—finding out who is behind the infection in the first place, there will be people and organizations that are willing to risk using such tools.

Stay safe, everyone!

The post Ban Pegasus spyware, urges European Union Data Protection Supervisor appeared first on Malwarebytes Labs.

Roblox gamers are once again being warned to be on their guard against scammers plundering valuable digital items.

Most multiplayer titles are all about customization. You won’t find many popular games where digital items aren’t up for grabs. Some games lock the items, such as outfits, weapons, or valuables, to your account and/or characters. Other games allow players to trade them. Those trades can be straightforward item swaps, or paid for with in-game fictional currency. They might end up on marketplaces where they’re bought and sold with real world cash. It all depends. This isn’t new, but it is awful.

What’s happening with Roblox?

Roblox allows you to make your own games, or just take part in challenges created by others. It’s constantly changing, and there’s always something new to do. As a result, it’s hugely popular with young kids and teens. Their accounts and digital items are highly coveted by scammers and account compromisers. In Roblox land, these people are known as “Beamers”.

Beamers use a variety of tricks to compromise accounts, and then head off to various shady marketplaces. There, they try to sell or trade for US dollars or cryptocurrency. This is pretty commonplace for a large number of online titles, but ripping off kids is always going to leave a bad taste in the mouth.

How do scammers rip off Roblox players?

It’s a mixture of old and new techniques. Below, we’ve listed some from the Beamer article and a few which we’ve looked at ourselves. Forewarned is forearmed, and all that.

• Phishing: Beamers use creation kits to whip up bogus sites for their imitation domains. As the article mentions, it often begins with a message sent to another player. While we don’t know the content of those messages, a popular trick is to pretend they’re a game admin or mod. The Beamer might claim the victim is in trouble, or has failed a safety check. Or they might claim to be offering a cool free item.
• SIM swap: Another timeless classic. This is where attackers trick mobile networks into redirecting texts to their own device. By doing so, they can bypass SMS based two-factor authentication because the codes end up being sent to them, as opposed to the victim.
• Generators: Never discount the allure of free in-game currency. Generators aren’t mentioned in the article, but they are a mainstay of scam tactics. Offer a bogus tool, claim to create as much currency as the victim requires, and have them run it. The executable may contain malware, or it may direct the user to a phish or survey scam.
• Ransomware: Another one for the “I didn’t expect that” pile. In this particular instance, we’re talking bogus versions of real tools designed to automate certain functions.

Scammer hideouts and information gathering tools

It appears a lot of the Beamer activity takes place inside services such as Discord. This makes sense; it’s a fast, easy way to keep trades flowing with minimal set-up fuss for the creator to worry about. Tying Discord channels to phishing pages so the owner knows when someone has entered details is part of the trick.

Additionally, gaming data often feeds into third-party sites. This can be useful. If you play an MMORPG and need to buy low/sell high? There’s usually a site for that, and it’s possible you’ll be able to see the item owner’s character details, or the server they play on. Great for trades, but bad for painting a large target on your back. Years ago, scammers would filter Xbox360 gamers by prestigious achievements and high gamer scores and mark targets that way. Now it’s a lot more item/commodity centric, but despite this the account is still at risk of being hijacked and sold on.

Time to lock down your Roblox accounts

A good reminder, then, to keep yourself up to date with the security measures recommended on the Roblox security page. You can bet people are coming up with new and creative ways to relieve you of your account at any given moment. It’s up to you to ensure you’re always one step ahead of the item-stealing crowd.

The post Roblox Beamers steal items from kids appeared first on Malwarebytes Labs.