IT NEWS

Android devices caught in Matryosh botnet

Researchers at Netlab have discovered a new botnet that re-uses the Mirai framework to pull vulnerable Android devices into DDoS attacks.

The new botnet, called Matryosh, is named after the Russian nesting dolls because both the encryption algorithm it uses and the process by which it obtains its command and control (C2) details are nested in layers. The botnet supports DDoS attacks using the tcpraw, icmpecho, and udpplain methods.

How does Matryosh spread?

Like other botnets before it, Matryosh propagates via Android Debug Bridge (ADB), a diagnostic and debugging interface that, when exposed over the network, listens on TCP port 5555. While ADB has a genuine use for developers, an internet-facing ADB also opens the way for remote attacks.

Unfortunately, some vendors ship Android devices with port 5555 open. That lets developers talk to a device remotely, control it and execute commands, which is generally used for diagnostics and debugging. But it also creates a backdoor for any attacker who can reach that port.

Android Debug Bridge

ADB is a versatile command-line tool that lets you communicate with an Android device and facilitates a variety of device actions, such as installing and debugging apps. It also provides access to a shell that you can use to run a variety of commands on a device.

Although Android is commonly known as a popular operating system for phones, it is also used as an operating system for any number of internet-connected “Things”, such as exercise bikes and television sets.

To complete the potential disaster, ADB as exposed on these devices requires no authentication: the RSA key check that Android introduced in version 4.2.2 only applies when the build enables it, and many of the affected devices do not. In short, with ADB exposed in this way, anybody can remotely connect to the device and run commands, frequently as root.

How does Matryosh work?

Matryosh is unusual in that it uses the Tor network to hide its C2 traffic. When Matryosh runs on an infected device, it decrypts a remote hostname and uses DNS TXT queries to that name to obtain the Tor C2 server and proxy details. It then connects to the C2 server through the Tor proxy to receive its commands.

To perform DDoS attacks, the botnet supports the tcpraw, icmpecho, and udpplain methods, meaning it can flood targets over TCP, ICMP, and UDP.

How to disable ADB

Although ADB is turned off by default on most Android smartphones and tablets, some vendors do ship their devices with ADB enabled.

  • Android users: It is hard to give instructions that work for every device, but generally speaking you need to disable the device’s “Developer options”. The Security audit feature in Malwarebytes for Android indicates whether Developer mode (the menu where the ADB setting lives) is enabled, but does not specifically report whether ADB itself is on or off. If Developer mode is enabled, the audit will point that out in yellow, and tapping the Development mode entry in the audit results takes you to the setting. When Developer mode is disabled, ADB should be disabled as well.
(Screenshot: Malwarebytes for Android security audit highlighting Development Mode.)
  • Enterprises should scan their internal and external networks for TCP port 5555 to see whether any devices are listening on it, which could indicate devices that accept ADB commands. A listener on 5555 is not proof on its own; confirm by speaking the protocol, and treat any device that answers a CONNECT without demanding authentication as exposed. It also wouldn’t hurt to read our blogpost DDoS attacks are growing: What can businesses do?
  • Vendors need to stop shipping products with Android Debug Bridge enabled over the network, especially if those devices are designed to be connected to the internet.
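To give that port-5555 scan some teeth, here is an added example of the confirmation step; it is not code from Netlab, Malwarebytes or the Android project. It frames the same CONNECT message the adb client sends first and classifies the reply: an adbd that is open answers with its own CNXN banner, one that enforces key authentication answers AUTH and asks for a signature over a token, and anything else is not ADB at all. The device replies used in the test are constructed; `probe()` does real network I/O and should only be pointed at hosts you are authorised to test.

```python
import socket
import struct

ADB_PORT = 5555
A_CNXN = 0x4E584E43      # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541      # b"AUTH"
A_VERSION = 0x01000000   # protocol version advertised by the adb client
MAX_PAYLOAD = 4096       # conservative maxdata every adbd accepts
HEADER = struct.Struct("<6I")   # command, arg0, arg1, data_length, data_check, magic


def build_message(command, arg0, arg1, data=b""):
    """Frame one ADB transport message: 24-byte header followed by the payload."""
    data_check = sum(data) & 0xFFFFFFFF   # legacy checksum: byte sum of the payload
    magic = command ^ 0xFFFFFFFF          # adbd rejects headers whose magic does not match
    return HEADER.pack(command, arg0, arg1, len(data), data_check, magic) + data


def build_connect():
    """The CONNECT the adb client sends first; the 'host::' banner says we are a host."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(raw):
    """Return (command, arg0, arg1, payload), or None if raw is not a whole ADB message."""
    if len(raw) < HEADER.size:
        return None
    command, arg0, arg1, length, _check, magic = HEADER.unpack_from(raw)
    if magic != command ^ 0xFFFFFFFF:
        return None
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        return None
    return command, arg0, arg1, payload


def classify_response(raw):
    """What a port-5555 listener's first reply to our CONNECT tells us."""
    msg = parse_message(raw)
    if msg is None:
        return "not-adb"
    command = msg[0]
    if command == A_CNXN:
        return "open"            # session established with no authentication at all
    if command == A_AUTH:
        return "auth-required"   # adbd wants an RSA signature over its token first
    return "other"


def device_banner(raw):
    """The 'device::...' banner an open adbd sends back, useful for the inventory."""
    msg = parse_message(raw)
    if msg and msg[0] == A_CNXN:
        return msg[3].rstrip(b"\x00").decode("ascii", "replace")
    return ""


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port=ADB_PORT, timeout=3.0):
    """Send CONNECT, read one reply, classify it. Real network I/O; not run by the test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect())
        raw = _recv_exact(sock, HEADER.size)
        if len(raw) == HEADER.size:
            length = HEADER.unpack_from(raw)[3]
            raw += _recv_exact(sock, min(length, MAX_PAYLOAD))
    return classify_response(raw), device_banner(raw)
```

`probe("192.0.2.10")` returns a pair such as `("open", "device::ro.product.name=...")`; feed it the hosts your port scan turned up and put every `"open"` result at the top of the remediation list, since `"auth-required"` devices at least limit a shell to holders of an authorised key.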

Keep your devices out of the botnets!

The post Android devices caught in Matryosh botnet appeared first on Malwarebytes Labs.

Cyberpunk 2077 developer hit by ransomware

CD PROJEKT RED, the game developer behind Cyberpunk 2077, announced earlier on Twitter that it has fallen victim to a targeted ransomware attack.

The company says it has backups for the affected systems and does not intend to pay the ransom. In their ransom note the attackers boast that they have stolen the source code for some of the company’s games, including its beleaguered flagship, Cyberpunk 2077.

Further details of the attack are still unknown as of this writing, but we’ll update this post accordingly as developments emerge.

The official announcement from the company reads:

Yesterday we discovered that we have become a victim of a targeted cyber attack, due to which some of our internal systems have been compromised.

An unidentified actor gained unauthorized access to our internal network, collected certain data belonging to CD PROJEKT capital group, and left a ransom note the content of which we release to the public. Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data.

We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data. We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach.

We are still investigating the incident, however at this time we can confirm that—to our best knowledge—the compromised systems did not contain any personal data of our players or users of our services.

We have already approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to investigate this incident.

The full text of the ransomware note left by the threat actors reads:

@
!!!!!!!!!!!!!!!!!! Hello CD PROJEKT !!!!!!!!!!!!!!!!!!

You have been EPICALLY pwned!!

We have dumped FULL copies of the source codes from your Perforce server for Cyberpunk 2077, Witcher 3, Gwent and the unreleased version of Witcher 3!!!

Also, we have encrypted all of your servers, but we understand that you can most likely recover from backups.

If we will not come to an agreement, then your source code will be sold or leaked online and your documents will be sent to our contacts in gaming journalism. Your public image will go down the shitter even more and people will see how shitty your company functions. Investors will lose trust in your company and the stock will dive even lower!

You have 48 hours to contact us.

Challenges associated with Cyberpunk 2077’s release did not stop it from becoming one of the most well-known names in the video gaming industry to date. And this popularity alone is reason enough for cybercriminals to start banking on the brand.

And they have.

More than a week after the game’s official release on the PlayStation 4, Stadia, Windows, and Xbox One, cybercriminals were caught mimicking a mobile version of Cyberpunk 2077—something that really doesn’t exist. According to Tatyana Shishkova, a researcher from Kaspersky, the purported mobile game is ransomware.

Just yesterday, CD PROJEKT RED released a Cyberpunk 2077 hotfix for a flaw that could be exploited through modified data or save-game files supplied by a third party.

The post Cyberpunk 2077 developer hit by ransomware appeared first on Malwarebytes Labs.

Hackers try to poison Florida City’s drinking water

The FBI, the Secret Service, and the Pinellas County Sheriff’s Office are investigating an attempt by an individual or group of hackers to poison a city’s water supply last Friday. If it hadn’t been caught in time, at least 15,000 people could have been affected.

In a Monday press conference, Pinellas County Sheriff Bob Gualtieri revealed details of this attack to the press.

“On Friday morning, at about 8 o’clock, a plant operator at the Oldsmar water treatment facility noticed that someone remotely accessed the computer system that he was monitoring,” Sheriff Gualtieri said. This was, apparently, the first unauthorized attempt to remotely access the system. The connection was brief, so the operator didn’t think much of it, as his supervisor and other colleagues would also log in to the computer he was monitoring from time to time.

It seems the attacker had gained access to TeamViewer, a remote desktop application used by the plant’s operators to access the water facility’s computer system.

“…about 1:30 (PM), when someone again remotely accessed the computer system and it showed up on the operator screen with the mouse being moved about to open various software functions that control the water being treated in the system. The person remotely accessed the system for about 3 to 5 minutes opening various functions on the screen. One of the functions opened by the person hacking into the system was one that controls the amount of sodium hydroxide in the water.”

Sodium hydroxide, also known as caustic soda or lye, is used to treat acidity in water by raising its pH levels and removing heavy metals. Too much lye in water could cause skin burns and rashes—something residents in a small town in Massachusetts had experienced when they had a water supply treatment problem back in 2007.

Sheriff Gualtieri continues, “The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase.”

After the attacker left the system, the operator quickly reduced the lye concentration level back to 100 parts per million.

Thankfully, this short-lived adjustment by the hacker had no adverse effect on the water being treated. No lye reached homes, so no one was ever in danger. Moreover, the water treatment plant has redundancies in place, so even if the operator had missed the adjustment, the system would have caught the resulting change in the water’s pH.
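The redundancy the sheriff describes is worth making concrete. What follows is an added example, not code from the Oldsmar plant, its control-system vendor or Malwarebytes, of an independent plausibility check that sits between a setpoint change on the HMI and the dosing equipment: a change is refused and alarmed if it leaves the engineering envelope, if it jumps by more than a fixed fraction of the current value, or if it comes from a remote session without local confirmation. The envelope, the step limit and the event log are all constructed for the example; a real plant takes its limits from its process design.

```python
from dataclasses import dataclass

# Hypothetical engineering envelope and step limit, constructed for this example.
LIMITS = {"naoh_ppm": (50.0, 200.0)}
MAX_STEP_FRACTION = 0.5              # no single change may move a setpoint by more than 50%
UNACCOMPANIED_SOURCES = {"remote"}   # remote-desktop sessions cannot change setpoints alone


@dataclass(frozen=True)
class SetpointChange:
    ts: str
    source: str    # "local" (control-room console) or "remote" (remote-desktop session)
    param: str
    old: float
    new: float


def evaluate(change):
    """Return the reasons a change must be blocked and alarmed; an empty list means allowed."""
    reasons = []
    lo, hi = LIMITS.get(change.param, (float("-inf"), float("inf")))
    inside_before = lo <= change.old <= hi
    inside_after = lo <= change.new <= hi
    if not inside_after:
        reasons.append(f"{change.param}={change.new:g} outside envelope [{lo:g}, {hi:g}]")
    # Rate-of-change rule, waived when the change brings an out-of-range value back inside,
    # so the operator's corrective action is not itself blocked.
    correcting = inside_after and not inside_before
    if change.old > 0 and not correcting:
        step = abs(change.new - change.old) / change.old
        if step > MAX_STEP_FRACTION:
            reasons.append(f"step {change.old:g}->{change.new:g} is {step:.0%} of current value")
    if change.source in UNACCOMPANIED_SOURCES:
        reasons.append("setpoint change from a remote session needs local confirmation")
    return reasons


def triage(changes):
    """Pair every change that trips a rule with its reasons, in order of occurrence."""
    flagged = []
    for change in changes:
        reasons = evaluate(change)
        if reasons:
            flagged.append((change.ts, change.param, reasons))
    return flagged


# Constructed event log modelled on the sequence described in the press conference.
SAMPLE_EVENTS = [
    SetpointChange("2021-02-05T07:50", "local",  "naoh_ppm", 98.0,    100.0),
    SetpointChange("2021-02-05T13:31", "remote", "naoh_ppm", 100.0,   11100.0),
    SetpointChange("2021-02-05T13:36", "local",  "naoh_ppm", 11100.0, 100.0),
]
```

Run against the constructed log, only the 13:31 change is flagged, on all three rules, while the operator’s rollback five minutes later passes. The point of the design is that the check does not depend on the HMI: if an attacker can drive the mouse on the operator’s screen, the only defences left are the ones that sit behind that screen.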

As of this writing, the Pinellas County Sheriff’s Office doesn’t have a suspect but is following leads.

Attacks on vital infrastructure are among the “worst case scenario” cyberattacks that every professional in the industry fears. Stuxnet, a malware weapon designed to damage Iran’s nuclear centrifuges, has become the poster child of such attacks.

However, there is no indication that this was a terrorist attack, or even that it was an attack targeted at the Oldsmar facility specifically. It may simply have been an act of vandalism. Internet-connected Industrial Control Systems (ICS) are not difficult to find.

Thankfully, this attack was not successful, but it is a timely reminder that the first priority for security often isn’t the zero-day busting, APT-stopping sort of work, but unglamorous grunt work like air-gapping, patching, enforcing strong passwords and 2FA, and taking inventory.

“The important thing is to put everyone on notice,” Oldsmar Mayor Eric Seidel said, “These kinds of bad actors are out there. It’s happening. So really take a hard look at what you have in place.”

The post Hackers try to poison Florida City’s drinking water appeared first on Malwarebytes Labs.

A week in security (February 1 – February 7)

Last week on Malwarebytes Labs, we dug into a load of security events. We first peered into how Fonix ransomware was giving up the ghost, swearing off a life of crime and even apologizing for past actions. We looked at a credit card skimmer that found opportunity in the latest Magento 1 hacking spree, we warned about the risks of browser sync, and we pondered whether or not real identities make social media safer (spoiler alert: they do not).

Finally, in capping off a busy week, we uncovered a barcode scanner that infected 10 million users with one update, and we wrote about an Android emulator that was abused to introduce malware onto PCs.

Stay safe, everyone!

The post A week in security (February 1 – February 7) appeared first on Malwarebytes Labs.

How NOT to fail at PDF redaction

The heated spat between Europe and AstraZeneca over a contract has segued into an unexpected blunder that left many of us chuckling and surprised at the same time. Perhaps even feeling a bit awkward.

Recently, the European Commission published a PDF version of the contract it had with AstraZeneca, a multinational pharmaceutical company based in the UK, over the availability and delivery of a certain number of COVID-19 vaccine doses for Europeans.

The EU prefinanced 400 million doses from the company and expected it to deliver all of them as per the contract. However, AstraZeneca said that it would only be delivering 40 percent of those doses.

To put pressure on AstraZeneca to fulfill its agreement with the EU, the bloc decided to make the contract public.

Although the document published on the Commission’s website was supposed to be heavily redacted, whoever was responsible for making it look “clean” forgot to redact the PDF’s bookmarks, which revealed significant portions of the redacted text.

There is a first time for everything.
This is not it.

There have been similar incidents in the past where improperly obscured sensitive information made history.

In 2011, the UK government accidentally breached itself by publishing a document containing certain secrets of Britain’s nuclear submarines. The PDF redaction was done by putting a black background behind the document’s black text. A simple copy and paste of its contents into a text editor, such as Windows Notepad, revealed the redacted PDF contents. Thankfully, these “secrets” weren’t as exciting as one would have expected.

The same copy-and-paste trick worked on other purportedly redacted documents, such as the time a judge’s analysis of the Apple versus Samsung ruling was revealed in an initially released PDF.

If you can’t remember that, maybe you remember the time a reporter from The Guardian was able to reveal the full contents of the document in the case against Paul Manafort, Donald Trump’s former campaign chairman, containing details of his relationship with a former associate who had Russian ties.

Redacting PDFs 101

These are only a handful of stories from dozens more that have been reported and eventually buried (unless you start digging). Thankfully, embarrassing blunders like these can be avoided.

Here’s a caveat, however. Digitally redacting documents is not as straightforward as picking up a black permanent marker and gliding the tip over the words you want to conceal (and if you think it is, you’re probably doing it wrong). Although technology is there to make things quick for us, some things need a bit of fiddling to ensure they’re done properly.

Adobe has a page dedicated to removing sensitive information from PDF documents that you can read in glorious detail here. Long story short: drawing a black box over text hides nothing, because the text is still in the file. A proper redaction tool replaces the underlying content, and even then the job isn’t done until you also run Acrobat’s Sanitize / Remove Hidden Information step before saving, which strips metadata, bookmarks, comments, attachments and other material that lives outside the visible page.
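As an added example, not from Malwarebytes, the Commission or Adobe, here is a small audit script that checks a PDF the way this leak was found. `build_sample_pdf` constructs a one-page PDF that reproduces the mistake: the page draws a price, paints a black rectangle over it, and the document outline carries a bookmark that repeats the text, with the content stream Flate-compressed as in a real file. `audit_redaction` then looks for the supposedly redacted terms in the strings that text-showing operators draw in content streams (what copy-and-paste recovers) and in `/Title` entries (where bookmarks and the document title live). The regex-based walk handles literal strings and Flate streams and nothing more; for a real document run the same idea through a PDF library or `pdftotext`, and treat the script as able to prove presence of a leak, never absence.

```python
import re
import zlib

STREAM_RE = re.compile(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
STRING_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)", re.S)          # one literal string
TITLE_RE = re.compile(rb"/Title\s*\(((?:\\.|[^\\)])*)\)", re.S)  # outline/document titles
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")                # (string) Tj
TJARR_RE = re.compile(rb"\[((?:[^\]])*)\]\s*TJ", re.S)            # [(a) -20 (b)] TJ


def build_sample_pdf(secret="Price per dose: 1.78 EUR",
                     bookmark="Clause 7 - Price per dose: 1.78 EUR"):
    """Constructed sample: text drawn, black box painted over it, bookmark repeats it."""
    content = (("BT /F1 12 Tf 72 700 Td (%s) Tj ET\n" % secret)
               + "0 g 70 695 250 16 re f\n").encode("latin-1")
    data = zlib.compress(content)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /Outlines 5 0 R /PageMode /UseOutlines >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 7 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data) + data + b"\nendstream",
        b"<< /Type /Outlines /First 6 0 R /Last 6 0 R /Count 1 >>",
        b"<< /Title (" + bookmark.encode("latin-1") + b") /Parent 5 0 R /Dest [3 0 R /XYZ 0 792 0] >>",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_at))
    return bytes(out)


def _stream_contents(pdf):
    """Yield decoded stream bodies; Flate is the only filter this triage script knows."""
    for dict_bytes, data in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_bytes:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue   # unsupported filter chain or damaged stream: review by hand
        yield data


def drawn_text_strings(pdf):
    """Strings the text-showing operators draw, boxed over or not: what copy/paste recovers."""
    found = []
    for content in _stream_contents(pdf):
        found += [s.decode("latin-1") for s in TJ_RE.findall(content)]
        for arr in TJARR_RE.findall(content):
            found.append("".join(s.decode("latin-1") for s in STRING_RE.findall(arr)))
    return found


def outline_titles(pdf):
    """Bookmark and document /Title strings; these sit outside the page content entirely."""
    return [t.decode("latin-1") for t in TITLE_RE.findall(pdf)]


def audit_redaction(pdf, redacted_terms):
    """(term, location) pairs for every supposedly redacted term still present in the file."""
    locations = {"content stream": drawn_text_strings(pdf),
                 "outline/bookmark": outline_titles(pdf)}
    return [(term, where) for term in redacted_terms
            for where, strings in locations.items()
            if any(term in s for s in strings)]
```

The contrast case is the same document built with the text replaced by `[REDACTED]` and the bookmark rewritten: the audit then comes back empty, which is what a redaction tool that rewrites content, rather than painting over it, produces.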

Hope this helps!

The post How NOT to fail at PDF redaction appeared first on Malwarebytes Labs.

Android emulator abused to introduce malware onto PCs

Emulators have played a part in many tech-savvy users’ lives. They introduce a level of flexibility that not only allows another system to run on top of a user’s operating system—a Windows OS running on a MacBook laptop, for example—but also allows video gamers to play games designed to work on a different platform than the one they own.

Recently, ESET revealed a campaign that targeted users of NoxPlayer, a popular Android emulator for PCs and Macs. Affected users didn’t have to visit a potentially dubious website to get malware. All they did was download the update for NoxPlayer.

What we see here is the latest example of a supply-chain attack, in which threat actors manipulate a legitimate executable so that it behaves in a way it’s not supposed to. In this case, attackers manipulated two files: Nox.exe, the main NoxPlayer executable, and NoxPack.exe, the downloader for the update itself. The latter was the infection vector.

How users can get infected

Everything starts and happens at the backend where users cannot see what is really going on.

In its post, ESET explains that upon opening NoxPlayer, and before a message pops up telling users that a software update is available, the program queries the update server via the BigNox HTTP API to check for updates and, if one is available, retrieves update-related information. This includes the URL where the update file is hosted.

The researchers believe that certain sections of the BigNox infrastructure were compromised. It’s thought that either the attackers replaced the legitimate update file with malware, or changed the file name or download URL to point to a destination they controlled. These new download URLs mimicked the legitimate download location of the NoxPlayer update.
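The update flow described above is exactly where a client must stop trusting what the API hands it. The following is an added example, not BigNox’s code (the hostname, file bytes and digest are constructed for the example): a naive substring check that a look-alike download URL sails through, beside a strict check that parses the URL, requires TLS and compares the exact hostname, followed by a digest comparison before anything is executed. `fetch` is injected so the example runs offline against constructed responses.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical allow list; BigNox's real update hosts are not named on the page.
ALLOWED_HOSTS = {"update.vendor.example"}

# Constructed stand-in for the genuine update file (not a real executable).
GENUINE_UPDATE = b"MZ\x90\x00 constructed stand-in for the genuine NoxPack.exe update\n"
# In a real client this digest must come from a manifest signed with a key pinned in the
# client, never from the same unauthenticated API that handed out the URL.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


class UpdateRejected(Exception):
    pass


def naive_host_check(url):
    """The check that lets look-alike URLs through: a substring match on the raw string."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_host_check(url):
    """Parse first, then compare the exact hostname, and require TLS."""
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() in ALLOWED_HOSTS


def fetch_update(manifest, fetch, expected_sha256=PINNED_SHA256):
    """Validate the manifest's URL, download via `fetch`, verify the digest, return bytes."""
    url = manifest.get("download_url", "")
    if not strict_host_check(url):
        raise UpdateRejected("untrusted update URL: " + url)
    blob = fetch(url)
    digest = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        raise UpdateRejected("digest mismatch for " + url)
    return blob


# Constructed responses standing in for what the network would return.
MIRROR = {
    "https://update.vendor.example/nox/NoxPack.exe": GENUINE_UPDATE,
    "https://update.vendor.example.cdn-mirror.tld/nox/NoxPack.exe": b"MZ backdoored build",
    "https://files.attacker.tld/update.vendor.example/NoxPack.exe": b"MZ backdoored build",
    "http://update.vendor.example/nox/NoxPack.exe": GENUINE_UPDATE,
    "https://update.vendor.example/nox/NoxPack-tampered.exe": b"MZ swapped on the real host",
}


def offline_fetch(url):
    return MIRROR[url]


def outcome(manifest, fetch=offline_fetch):
    """'ok' if the update would be installed, otherwise the rejection reason."""
    try:
        fetch_update(manifest, fetch)
        return "ok"
    except UpdateRejected as exc:
        return str(exc)
```

The last constructed case matters most for this incident: when the real host serves a swapped file, host checks pass and only the digest comparison refuses it, and that digest is only worth something if it reached the client through a channel the attacker did not control (a signed manifest verified with a pinned key, plus the operating system’s code-signature check on the executable before it runs). A hash delivered by the same compromised API proves nothing.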

Malware was then executed on affected systems. Reconnaissance appears to be the main purpose of this previously unknown malware. The researchers also observed that, between the end of 2020 and the start of 2021, certain victims were infected with other malware.

Signs of the times

The video gaming industry isn’t exempt from cyberattacks and online risks. For years, companies within the industry have been targeted by phishing, scammers and, sometimes, malware.

Early this year, employees (and sometimes clients) of big-name gaming companies like Ubisoft had their credentials leaked on the dark web. In mid-2020, PipeMon, a backdoor used by the Winnti group, which is also known for supply-chain attacks, was found at several massively multiplayer online (MMO) game developers, where the attackers could abuse game builds and game servers for their own purposes.

Because the current pandemic has fueled the popularity of video gaming, including how much people spend within these games, it shouldn’t surprise anyone that cybercriminals are homing in on gamers now more than ever. This particular attack on a gaming emulator company may seem unusual, but it aligns with the current trend.

While video gamers are enjoying their games, they should realize that they have caught the attention of cybercriminals. Similarly, video game companies should understand they are targets too. To keep the cybercriminals at bay, both will need to do their part.

The post Android emulator abused to introduce malware onto PCs appeared first on Malwarebytes Labs.

Barcode Scanner app on Google Play infects 10 million users with one update

Late last December we started getting distress calls from our forum patrons. They were experiencing ads that opened in their default browser out of nowhere. The odd part was that none of them had recently installed any apps, and the apps they did have came from the Google Play store. Then one patron, who goes by the username Anon00, discovered that the ads were coming from a long-installed app, Barcode Scanner, an app with more than 10,000,000 installs from Google Play. We quickly added detection, and Google quickly removed the app from its store.

Simple scanner turns evil

Many of the patrons had had the app installed on their mobile devices for a long time (one user for several years). Then, all of a sudden, after an update in December, Barcode Scanner went from an innocent scanner to full-on malware. Although Google has already pulled the app, a cached Google Play page suggests the update occurred on December 4, 2020.

Malicious intent

The majority of free apps on Google Play include some kind of in-app advertising. They do this by including an ad SDK in the app’s code, usually at the end of the app’s development. Paid versions simply do not have this SDK included.

Ad SDKs can come from various third-party companies and provide a source of revenue for the app developer. It’s a win-win situation for everyone. Users get a free app, while the app developers and the ad SDK developers get paid.

But every once in a while, an ad SDK company changes something on its end and the ads get aggressive, sometimes landing the apps that use the SDK in the Adware category. When this happens, it is not the app developer’s doing but the SDK company’s. I explain this to make clear that it was not what happened with Barcode Scanner.

No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app, and the added code used heavy obfuscation to evade detection. To verify that it came through the same developer, we confirmed it had been signed with the same digital certificate as previous clean versions. (A matching certificate proves the same signing key was used; it cannot tell a developer gone rogue from a stolen key or a sold app.) Because of its malicious intent, we jumped past our original detection category of Adware straight to Trojan, with the detection name Android/Trojan.HiddenAds.AdQR.

Bad behavior

The toughest part of malware analysis can be replicating what our users are experiencing. That wasn’t a problem with Barcode Scanner; it went into action within minutes of installation. Watch the short video below to see its malicious behavior:

Removed from Play, but not from mobile device

Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner. Thus, until they install a malware scanner like Malwarebytes for Android, or manually remove the app, it will continue to display ads.

Lying dormant

It is hard to tell how long Barcode Scanner had been in the Google Play store as a legitimate app before it turned malicious. Based on the high number of installs and the user feedback, we suspect it had been there for years. It is frightening that with one update an app can turn malicious while slipping under the radar of Google Play Protect. It is baffling to me that the developer of a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike once it reached popularity? I guess we will never know.

App Information

App Name: Barcode Scanner

MD5: A922F91BAF324FA07B3C40846EBBFE30

Package Name: com.qrcodescanner.barcodescanner

The post Barcode Scanner app on Google Play infects 10 million users with one update appeared first on Malwarebytes Labs.

Update now! Chrome patches zero-day that was exploited in the wild

A Chrome patch has been issued with an advisory stating that the Stable channel has been updated to 88.0.4324.150 for Windows, Mac and Linux. The only noteworthy thing about this update is a patch for a zero-day vulnerability that has been actively exploited in the wild. But that one looks to be extremely important.

Which zero-day got patched?

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database, whose goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This zero-day is listed as CVE-2021-21148. From the release notes for this Chrome patch we learn that it fixes a heap buffer overflow in the V8 JavaScript engine, reported by Mattias Buelens on January 24, 2021.

What is a heap buffer overflow?

The heap is the region of a process’s memory used for dynamically allocated data. A buffer overflow is a software vulnerability in which a program writes more data into a fixed-size buffer than it can hold, so the excess spills over into adjacent memory. The two memory regions most commonly targeted by exploit code are the stack and the heap.

So, with specially crafted input (here, JavaScript served by a web page), attackers could use this vulnerability to write past the end of a heap buffer and corrupt adjacent memory, which is the usual first step toward running code of their choosing in the browser process. Having this attack vector available as a zero-day in a popular browser is a golden opportunity for a watering hole.

Watering holes are used as a targeted attack strategy. The attackers infect a website where they know their intended victim(s) will visit, or lure them to a site of their own making. Depending on the nature of the infection, the attackers can single out their intended target(s) or just infect anyone that visits the site unprotected. The watering hole strategy is a mix of social engineering, hacking, and drive-by infections that requires a high level of knowledge and a well-thought-out strategy.

How was this vulnerability used in the wild?

Based on the timing of the discovery (January 24) and this report by Google’s Threat Analysis Group (TAG) issued on January 26, the general assumption is that the vulnerability was used in the campaign against security researchers working on vulnerability research and development at different companies and organizations. To connect with and gain the trust of security researchers, the actors created a research blog and multiple Twitter profiles to interact with potential targets.

One of the methods the attackers used was to interact with the researchers and get them to follow a link on Twitter to a write-up hosted on a malicious website. Shortly after the visit, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin to communicate with a command and control (C&C) server. This sure sounds like something that could be accomplished using a heap buffer overflow in a browser.

The update

Despite its discovery, the exploit remains useful to attackers against anyone who has not updated. We advise everyone to update to the latest version of Chrome as soon as possible.

The easiest way to do it is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the zero-day vulnerability. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is Relaunch the browser.

After the update, your version should be 88.0.4324.150 or later.

Stay safe, everyone!

The post Update now! Chrome patches zero-day that was exploited in the wild appeared first on Malwarebytes Labs.

Browser sync—what are the risks of turning it on?

Modern browsers include synchronization features (like Google Chrome’s Sync) so that all your browsers, on all your devices, share the same tabs, passwords, plugins, and other features. While this is certainly convenient, particularly when you’re migrating to a new device, synchronizing browsers also comes with some risks.

What is browser sync?

Browser syncing was introduced by Chrome in 2012 with the goal of letting you continue at home where you left off at work, and vice versa. Since then, other browsers have introduced similar features. There are slight differences between them when it comes to what you can synchronize, but the basics are pretty much the same for most of them.

When Chrome Sync is toggled on, the synchronised information includes bookmarks, passwords, history, open tabs, settings, preferences, and, in some cases, even payment information saved in Google Pay.

Firefox lets you synchronize your data and preferences—such as your bookmarks, history, passwords, open tabs, and installed add-ons—across all your devices.

Microsoft Edge can synchronize your favorites, passwords, and other browser data—including payment information—across all your signed-in devices.

Opera lets users synchronize their bookmarks, settings, and open tabs between mobile and desktop browsers. Earlier, Opera required users to create an account and sign in on both platforms, or use the more limited “Opera Touch” app in order to do so. After users install the latest Android and desktop updates, however, they can synchronize all that data across devices within the core apps using a QR code, no need for an account.

Sharing with strangers

Synchronized data can include browser history, bookmarks, passwords, cookies, and other information that users consider private and typically have no intention of sharing with anyone else. Password, cookie and payment card secrecy is also important for security. Browser synchronization increases the risk of you inadvertently sharing that information with other users of the computers you sync between.

It’s important to consider whether you are truly the only user of a system that is set to synchronize. Imagine what can happen if your kids are playing with your home laptop and it synchronizes to your work system.

You should also consider the risk of your device being lost or stolen but continuing to sync your information to the thief (as if there wasn’t enough stress involved in losing a device.)

Another thing to consider before synchronizing is that having a universal ID for all your systems can lead a hacker from one of your systems to all of them!

Spreading danger

Security threats can also be copied from one device to another, in the form of malicious extensions (also called plugins or add-ons), and open tabs.

Malware in the form of browser extensions is relatively rare, but it does happen. We have seen infected JavaScript-based extensions with malicious code that made it possible to introduce malware to an affected system.

Google regularly has to clear out bad extensions from its Chrome Web Store. While many of those extensions would fall into the categories of Potentially Unwanted Programs (PUPs) or adware, they can still cause problems and many would be frowned upon if you introduced them into your work environment by synchronizing from your home browser.

Open tabs are potentially even riskier. While most browsers have built-in methods to get out of browser lockers (“browlocks”), copying such tabs to another device is undesirable.

Differences in patching and security software between machines can also create opportunities for threats to thrive. While a malicious website might be harmless on your personal device, because of local protection, it might seize the opportunity if the tab it’s in is synchronized to a work device that relies on different security measures.

Cloud privacy issues

Another reason why some people dislike the idea of synchronizing browsers is because the synchronized data isn’t just shared between devices, it’s also stored in the cloud, under the control of the browser vendor.

Not all browsers are the same here. The popular Firefox browser encrypts your data locally—with a cryptographically secure, randomly generated key—before storing it in the cloud, so it can’t read your information. Chrome users who want similar protection must set a passphrase.

People who just don’t like that idea of sharing their information with browser vendors, even if it’s encrypted, can use specialized software that promises to synchronize your browser data in a more secure way.

Chrome disables sync API for third-parties

Recently a sideways-related story hit the news. Google issued a statement saying that it will block third-party Chromium web browsers from using private Google APIs that were only intended for Chrome. (Chromium is an open source project run by Google that provides most of the code for Google Chrome and forms the basis of other popular browsers like Microsoft Edge and Brave.)

Google Chrome Engineering Director Jochen Eisinger stated:

“During a recent audit, we discovered that some third-party Chromium-based browsers were able to integrate Google features, such as Chrome sync and Click to Call, that are only intended for Google’s use.”

Google will block third-party Chromium browsers from accessing private Chrome APIs starting March 15, 2021. However, Google says that users who have accessed private Google features such as Chrome Sync while using third-party browsers will still be able to access the synchronized data locally or in their Google account, depending on their settings. And if you decide to look into the third-party alternatives mentioned earlier, you will find that some of them offer options to synchronize other Chromium browsers.

An informed decision

An informed decision is all we can hope to offer you. Before you decide it’s safe to synchronize your browser data, these are the questions we would like you to ask:

  • Is the owner of the two devices the same? If this is not the case, it wouldn’t hurt to ask for permission first.
  • Is the main user of the two devices the same person? If not, synchronizing could leak data, or be considered spying on someone.
  • Do you trust the provider of the synchronization service and its cloud facility to handle your data with care?
  • What are the chances of carrying over malicious content from one device to another? Are both devices equally well protected?

Asking these questions will remind you of what could go wrong and help you decide whether it is worth it.

Stay safe, everyone!

The post Browser sync—what are the risks of turning it on? appeared first on Malwarebytes Labs.

Would real identities make social media safer?

“Use real identities to reduce abuse online” is a talking point you’ve almost certainly seen down the years. It also seems to come around like clockwork every other month, and is currently a hot topic in the UK after prominent journalists / media personalities raised the issue.

It’s an interesting idea, but the devil is in the details. “Verified identities solve the problem” won’t address the new problems such an approach creates. Is it possible to make this work, or is it all just pie in the sky?

Real users still behave badly

Think back to some of the worst arguments you’ve seen on social media. They almost certainly involve verified accounts somewhere in the mix. Often they initiate the aggression, or wade into replies and make it worse.

They may also utilise platform features to spread the argument further afield. Accounts with large followings on Twitter will do this via quote tweeting. They may simply retweet a stance they disagree with to initiate a so-called “pile on”, or retweet other people arguing, or quote tweet adding their own commentary along the way. They may even retweet their own replies.

Once this happens, it’s often game over for the other person whose notifications are essentially ruined with a flood of angry responses. I could be wrong, but I don’t believe I’ve ever seen a verified account banned for causing a pile on. I have, however, seen small accounts targeted by such things delete their profile completely. On balance, this doesn’t seem particularly fair.

Realness doesn’t equate to accuracy

Going back to Twitter, this is somewhat a problem of their own making. Whether an accurate assumption or not, the verified system was originally where you assumed all the celebrities you liked ended up. Twitter expanded it to include other people of note, for example authors, athletes, scientists, and so on. Then lots of folks were handed verification simply for working in news / media orgs. Alongside this, for a period of time you could submit a request to be verified and if you passed the bar, you got your checkmark.

Already, you can see how the system was torn between notions of “Is this a badge of notability, identity, or something else altogether?” Things became even more confusing as for a few years, the Twitter verification information page insisted verification was not currently happening…while new checkmarks continued to be given out.

The scheme is currently undergoing renovation, but it remains to be seen what happens with it.

Whether intentional or not, people seem to trust verified accounts as trustworthy voices of reason. This is not sensible, as people will tweet whatever they feel like. If we’re asking, “Does verification help reduce abuse or misinformation”, it can be argued that no, it does not. A drop of 73% in election misinformation after Twitter suspended Donald Trump is a frankly staggering statistic.

This alone should be a fatal blow to the “Use a real identity and things will magically be better somehow” idea.

Facebook’s foray into real names

Facebook already requires you to register an account with your legal name. The problem is if they think your name is not real, you’re locked out and have to try and regain access. This has had very mixed results, causing problems over everything from “fake” names to Star Wars.

Consider all the effort involved in policing this, and the hassle for site users, and then compare that with the number of accounts who are happily pushing large-scale propaganda campaigns via fake profiles on Facebook anyway.

Is it really worth all that effort? Is it helping?

Access denied

If we want everyone online with a real ID, there are many privacy issues up for debate if identity documents are involved. There’s also the massive problem of access. The international gold standard for ID is your passport. Many verification schemes ask for scans of your passport at some point.

Problem: lots of people don’t have passports, because it’s not a mandatory document. Depending on country, it might be very expensive. It could involve a complicated process or have its own barriers to entry. Live in a different country to the one you were born in? You may only have a residence permit. It’s possible your passport has expired. Will they even accept an expired passport?

In 2018, around 76% of people had a passport in the UK. That compares with 42% of Americans and 66% of Canadians. That leaves an awful lot of people out of the loop across just 3 locations. This is before you factor the rest of the world in.

Unless passports are somehow made free worldwide, or a universal form of ID is created, people will lose out. When crucial services like banking, tax, municipal services, gas and electricity are all moved online, this seems irresponsible. We typically don’t need to show our energy company a scan of our passport to use their service online. Does it make sense that the bar to entry is so much higher to post on a social network?

There are limited circumstances where a social network currently may ask to see a form of identification. That’s mostly tied to issues of death and memorialisation. Similarly, some verification processes involve passport scans.

Scanning everybody, though? That’s going to cause additional problems…

All the eggs, in the biggest basket

Any social media app containing something approaching the whole world’s passports is instantly a massive target for hacks and scams. It’s debatable if they could keep it all secure and locked down—they only have to fail once. For comparison, the UK’s Home Office deals with a frankly unimaginable volume of personal data. Passports, birth certificates, wedding certificates, photographs, personal emails, biometrics, the works. Some of this is outsourced to third parties.

It is incredibly important this data is kept under lock and key. This is now the point where we mention a 120% rise in data loss incidents. With 4,204 incidents “in the last financial year” alone, that’s an awful lot of problems related to paper documents and electronic devices. If this is the scale of the issue for UKGOV despite their best efforts, imagine the problem for a much less wealthy social media site. It just seems too much of a leap of faith to think this would end in anything but disaster.

This leads us neatly on to…

Data theft fallout

When people say that losing their anonymity online “isn’t a problem”, or “wouldn’t bug me”, that’s great for them. But just because something isn’t in their threat model, doesn’t mean it can’t hurt someone else, as the EFF’s Eva Galperin pointed out on Twitter only recently:

Some people are at risk from domestic violence or racial abuse. For some, anonymity is built into aspects of their job. For others, their stay in a country might be conditional, but they’d like to speak up on the issues affecting them without feeling they’re jeopardising their status.

“You’re not living in a repressive regime” should not be the barrier to entry for privacy. Your right to keep yourself safe from data abuse isn’t a special exemption, to be kept out of reach except in the direst of emergencies. Treating it that way normalises the idea of privacy and safety as an exception. You know who loves it when privacy and safety are treated as abnormal?

People who’d rather you have as little of it as possible, that’s who.

Same again next time?

I’ve seen this discussion come around many, many times now. No matter the circumstance, it tends to fizzle out and be resurrected a few months later. In the UK, at least, “everyone should supply ID” will collapse under the weight of sheer impossibility. The task there is made harder by the fact that there is no nationally issued, mandatory identity card system in operation.

Things are a little more complicated in the US, where anonymous online speech is concerned. The legal provision that protects free speech online—Section 230—is under increasing scrutiny. It remains to be seen how things will play out there.

Having said that, this talking point will return. When it does, you’ll be armed with the knowledge that data privacy is incredibly important. Due to a variety of social, legal, and practical problems in this particular realm, social media sites won’t be asking you for verification any time soon.

The post Would real identities make social media safer? appeared first on Malwarebytes Labs.