IT NEWS

What is the Dark Web? The Dark Web explained

You may have seen the Dark Web referenced in popular TV shows and have gotten the wrong idea, or if you already knew about it, you may have snorted in derision. The Dark Web is also sometimes called the Deep Web, when in fact the Dark Web is only a part of the Deep Web.

Terminology

  • The Surface Web is what we would call the regular World Wide Web: the part that is indexed and where websites are easy to find.
  • The Deep Web is the unindexed part of the Web; in effect, anything that a search engine can’t find.
  • The Dark Web is intentionally hidden, anonymous, and widely known for illicit activities.

Maybe it’s a good idea to clear up some of the misconceptions about the Dark Web for those that are not in the know. That should tell you a lot about what it really is.

The Dark Web is a separate part of the World Wide Web

Well, it’s not so much separate: sites on the Deep Web are harder to find because the Deep Web is an unindexed part of the internet. In fact, the indexed part of the Web, the part that can be found by robots (search engine crawlers), is only a small fraction of the entire web. It is hard to tell how big the Dark Web is, since, again, it is unindexed. Estimates say that only 5% of the Web is easily accessible and searchable to the general public. Many other sites can only be visited if you have a direct URL.

Only criminals use the Dark Web

Even though most of the traffic on the Dark Web is used up by criminal activities, such as—

  • Drug trafficking
  • Selling weapons to countries where they are forbidden or selling types of weapons that are prohibited
  • Child (and other illegal) porn
  • Malware (as a Service), think of this as programmers selling their malware for a fee or part of the profit
  • Sites where victims can pay the ransom for some ransomware they have been hit with
  • Buying and selling stolen data
  • Fraud-related services
  • Fake IDs
  • Leak sites where ransomware gangs publish exfiltrated data if the victim refuses to pay

—there are also groups of users that need the Dark Web for reasons that are only considered illegal in a few places, such as:

  • Journalists working in “difficult” countries
  • People resisting a totalitarian regime
  • Whistleblowers
  • Places where crimes can be reported anonymously
  • Bitcoin services
  • Forums on various subjects that do not wish to be public

As you can see there are some grey areas, depending on where you stand in a certain situation.

You need a special browser to access the Dark Web

There are several methods of restricting access to many of the resources on the Dark Web, but you can certainly expect to have to log in when you arrive at the site you want to access. In most cases, you will also need to be using some kind of service like a VPN, a proxy, or an anonymized network.

Tor Browser

For sites with an Onion (hence the symbol) domain, you will need the Tor Browser to access them. This browser protects your privacy and anonymity by encrypting your traffic to and from the websites you are visiting, and by using a proxy. If you are a Firefox user, you will notice a strong resemblance to the Tor Browser, so the browser itself is not that special. It’s the way it connects that is different. You can also use Tor on the surface Web; people often do this for privacy reasons.


Surfing the Dark Web is dangerous

If you take the necessary precautions, surfing the Dark Web will not get you hurt, robbed, or mugged. But, as on the surface Web, you have to be vigilant and protected. Keep in mind, for example, that torrents often bypass your proxy settings and might therefore expose your real location. And, needless to say, when you’re actively dealing with criminals, you can expect to get deceived and even robbed. So, stay away from those guys.

But as we recently learned, even the bad guys are not always safe on the Dark Web. People get careless after a while, and in those cases it got the bad guys busted. Keep that in mind if you make it a habit to visit the darker corners of the Web. Curiosity killed many a cat.

The post What is the Dark Web? The Dark Web explained appeared first on Malwarebytes Labs.

Ransomware scammers target artists with fake Krita revenue deals

The Krita digital painting application is currently being targeted by ransomware authors. Available on Steam and other platforms, it’s a powerful tool with a very cheap purchase price and great reviews. A perfect bit of bait to start reeling in potential victims, in other words.

How does the scam work?

Ransomware scammers send out mails to artists. Those mails claim to be from the team behind the Krita tool, and contain links which redirect potential victims to the real domain. This is to make everything look above board and legitimate.

The mails seen so far read as follows:

Hello dear, please give me a moment of your time. Krita team is eager to collaborate with you.

After this follows a generic promo text for the program. They follow this up with:

We would like to consider integrating a 30-45 second ready-made promo into your media space (Facebook, Instagram, Youtube), can we consider that?

Other mails claim that once the registration process is done and dusted, an email address, payment information, and phone number are required. Yes, there’s a bit of data grabbing alongside the malware slinging.

The aim of the game is revenue generation, and this is always going to be an attractive proposition for artists.

The bogus mediabank zip makes its entrance

Regardless of how the emails present themselves, there’s one common factor. They claim to link to a “mediabank” which contains icons, screenshots and previous video campaigns. The contents are “confidential”, which is a sneaky way to prevent potential victims telling anybody about it.

Some folks have reported the contents of the zip as .scr files masquerading as images/videos.

Why an scr file?

Any scam which involves images has a good chance of falling back on scr files. It’s a very old technique. Folks unfamiliar may think it means “screenshot”. This is especially the case where they’re opening up zips expecting to see imagery. Sadly, this isn’t the case. An scr is a screen saver file, and it runs on your system like a program. If it contains bad things, then bad things will be headed your way in an instant.

Tricking visual artists with scr files seems like a particularly cruel trick, whether intentional or not.

What happens next?

Krita previously reported this as ransomware, and as you can see, the mails are still going strong:

They look pretty convincing, which certainly won’t hurt the scammers one bit. If you’re going to trick people who work with visuals, it pays to look as good as possible.

Forward on any dubious messages you receive to the Krita team, and delete the mails afterwards. Don’t trust zip attachments, and give any scr file extensions a wide berth. Showing file extensions is also helpful, both for this and any other potential attacks generally. It appears a lot of the domains used for these mails are down, but it’s easy enough to put up replacements. Be careful out there!
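As an added example (not from Malwarebytes or the Krita team), the Python script below applies the advice above programmatically: it lists the entries of a zip attachment without extracting anything and flags screen-saver and other program files, including ones hiding behind an image-like double extension such as screenshot1.png.scr, which Windows shows as screenshot1.png when known extensions are hidden. The sample "mediabank" archive is constructed in memory, and the extension lists are illustrative assumptions rather than a complete catalogue.

```python
import io
import zipfile

# Extensions Windows runs as programs; .scr (screen saver) is the one the article
# describes. Both sets are illustrative assumptions, not exhaustive lists.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MEDIA_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".mp4", ".mov", ".ico"}


def classify_entry(name: str) -> str:
    """Return 'media', 'executable', 'disguised' or 'other' for an archive entry name.

    'disguised' means a program extension placed after a media-looking one, e.g.
    'screenshot1.png.scr', which appears as 'screenshot1.png' when Windows hides
    known file extensions.
    """
    parts = name.lower().rstrip("/").split(".")
    if len(parts) < 2:                      # no extension at all
        return "other"
    last = "." + parts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if len(parts) >= 3 and "." + parts[-2] in MEDIA_EXTENSIONS:
            return "disguised"
        return "executable"
    if last in MEDIA_EXTENSIONS:
        return "media"
    return "other"


def suspicious_entries(zip_bytes: bytes) -> list:
    """(name, kind) for every executable or disguised entry; nothing is extracted."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = classify_entry(info.filename)
            if kind in ("executable", "disguised"):
                flagged.append((info.filename, kind))
    return flagged


def build_sample_mediabank() -> bytes:
    """Constructed sample: a 'mediabank' zip shaped like the one the article describes.
    The file contents are placeholders, not real images or programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mediabank/logo.png", b"\x89PNG placeholder")
        zf.writestr("mediabank/promo.mp4", b"placeholder video")
        zf.writestr("mediabank/screenshot1.png.scr", b"MZ placeholder program")
        zf.writestr("mediabank/readme.scr", b"MZ placeholder program")
    return buf.getvalue()


if __name__ == "__main__":
    for entry_name, entry_kind in suspicious_entries(build_sample_mediabank()):
        print(f"{entry_kind:10s} {entry_name}")
```

Run it against a real attachment by reading the file's bytes into `suspicious_entries`; any hit is a reason to forward the mail and delete it rather than open the archive.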


HP OMEN users, update your driver now!

HP has released a patch to fix a flaw in the HP OMEN driver.

As far as we know the flaw isn’t being actively exploited, but it’s worth applying the patch as soon as you can.

The flaw, the fix

The driver vulnerability, which is tracked as CVE-2021-3437, was found by Kasif Dekel, a senior security researcher at SentinelLabs.

If exploited, the vulnerability could allow a malicious threat actor to escalate privileges to kernel mode. This would enable the actor to perform tasks within affected systems, such as disabling security solutions, running malicious code in kernel mode, and elevating privileges of other users, and more. Exploiting this flaw could also allow the actor to trigger a denial-of-service (DoS) condition, which prevents traffic from going to the device.

The driver, HpPortIox64.sys, is used by the HP OMEN Gaming Hub (previously called HP OMEN Command Center), software that comes pre-installed in HP OMEN systems. Although this SYS file is created by HP, according to Dekel, it is actually “a partial copy of another problematic driver, WinRing0.sys, developed by OpenLibSys.”

HpPortIox64.sys essentially inherited the kernel-mode privilege problem from WinRing0.sys.

“It’s worth mentioning that the impact of this vulnerability is platform dependent,” continues Dekel in the report, “It can potentially be used to attack device firmware or perform legacy PCI access by accessing ports 0xCF8/0xCFC. Some laptops may have embedded controllers which are reachable via IO port access.”

The flawed HP driver accepts IOCTL (Input/Output Control) requests from non-privileged users, who aren’t subjected to access control rules. Because of this, such drivers can be abused, “by design.”

Road 96 and OMEN

It’s worth mentioning that HP’s first official video game, Road 96, gives its video game players and fans the option to download the OMEN Gaming Hub in a section of the game.

The Road 96 in-game menu says “Install and launch OMEN Gaming Hub to unlock a special ability”. Will you though?

Although we can’t say for sure if the driver problem will pose a threat to non-HP users should they agree to install the Hub, we do note another threat to consider. According to Chris Boyd, lead malware intelligence analyst for Malwarebytes, “Certain games offer additional skills or abilities in return for installing OMEN, such as the award-winning Road 96. As a result, many people will have it on their system even if they have no intention of ever using it. Where updates aren’t taking place, this could be dangerous should an exploit arise in the wild.”


3 security lessons from an MSP that survived the Kaseya VSA attack

Jay Tipton, chief executive for the Managed Service Provider (MSP) Technology Specialists, remembers his Fourth of July weekend this year like many MSP employees likely remember theirs: As a bit of a nightmare.

“That’s like the worst feeling you’ll ever have,” Tipton said about his initial impressions about a fast-moving ransomware attack that he originally thought hit just his company. His Microsoft Outlook instance closed down unexpectedly, his phone rang and he learned about a customer having trouble connecting to some software tools, and then, just minutes later, his phone rang again. The number of customer problems had already multiplied.

As Tipton and the world would soon learn, his Fort Wayne, Indiana-based MSP was just one of up to 1,500 companies ensnared in what is probably the largest ransomware attack ever, when threat actors poisoned the remote monitoring and management software tool Kaseya VSA—a favorite of many MSPs—with ransomware.

The attack, which actually led to grocery stores shuttering their doors in Sweden, proved so detrimental because of its cascading nature. By attacking Kaseya VSA, threat actors not only managed to compromise the software, but also the MSPs that used the software, and the small- to medium-sized businesses that were supported by those same MSPs.

Recovery for Tipton’s company has been slow but hopeful. Technology Specialists retrieved data for its customers, maintained strong customer relationships, and even received an outpouring of support from ex-employees and clients themselves.

But in speaking with MJ Shoer, executive director for the nonprofit CompTIA’s Information Sharing and Analysis Organization, Tipton revealed that even the best recovery plans will hit unforeseen obstacles.

Take, for instance, Technical Specialists’ efforts in recovering their clients’ data. Their backups worked, Tipton said, but the process itself happened slower than expected.

“We’ve had some restoring issues, and part of it had to do with download speeds, because everyone was trying to hit the same data centers at the same time,” Tipton told Shoer. “That’s part of the problem. You can’t plan for that.”

Through this process, Tipton compiled a long list of things he’d like to change moving forward, most of it on a large Post-It note covering much of one of his walls. Here’s what Tipton is focusing on moving forward. His lessons are relevant to all organizations, not just MSPs.

Ransomware recovery lessons

1. Put passwords and disaster recovery plans on paper

If the worst happens, you’ll wish you had made a recovery plan. Recovery plans typically identify the key systems and data inside your organization, and the shortest path to restoring critical business functions.

Following the Kaseya VSA ransomware attack, Tipton said that he is focusing on a way to provide “paper printouts” for his company and his clients’ disaster recovery plans. He also added that he wants to find a way to “securely print out passwords” because the attack also seemingly affected Technical Specialists’ password vault.

“We had to wait almost 36 hours to get our password vault restored so we could get passwords out of it,” Tipton said.

Both ideas have immediate value for any business, big or small. A disaster recovery plan is only as useful as it is accessible, and an inaccessible password vault could slow down literally every single part of a data recovery effort if administrators simply cannot access their accounts.

2. Say goodbye to public whitelists

Allowing MSPs to manage some or all of their IT and security makes sense for lots of small businesses, but it comes with its own risks. MSPs act as administrators, so any tools they use get administrator privileges too. MSPs also need to make their toolchain work across all the various customer environments they support.

A common practice for MSP software vendors is to advise users of directories that should be “whitelisted” against antivirus software, so that their software can work without interference from cybersecurity tools. This practice is understandable—attackers try hard to disguise themselves as administrators and security tools have the difficult job of letting legitimate remote administration go ahead while stopping malicious remote administration—but it is ill-advised.

These whitelist guides are available for anyone to view online, but, according to Tipton, Technical Specialists is asking for more control over how some directories are actually treated. Tipton said some of what he’s doing moving forward is “not allowing the software vendors to push us into whitelisting directories. That’s not happening anymore.”

“Give me control of which directory it is and how far down I can bury it—I’ll consider it, because then I can control how it’s working, what’s going on in there, and where it’s at so it’s not public knowledge that directory exists,” Tipton said. “But this open whitelisting of programs and directories isn’t going to happen.”

3. Insist that software is digitally signed

In speaking with Shoer, Tipton mentioned that one of the vendors that Technical Specialists use has the annoying habit of changing its DLLs (the software libraries that their product uses) quite regularly. Tipton said he will not allow that anymore unless the vendor starts digitally signing the DLLs.

Why? Because this is another situation where legitimate behavior and malicious behavior can look very similar. If a DLL changes and it hasn’t been signed by the vendor, Tipton has no way of knowing if the new DLL is legitimate or if it has been tampered with by an attacker.

“I’ve got a vendor that likes to keep changing their DLLs, and I think some of them change on the fly and it causes all kinds of problems,” Tipton said. “You’re going to have to sign your program with a cert because I’m going to block it and it’s not optional.”

Moving on

People are often understandably reluctant to talk about their experiences with ransomware, so we applaud Tipton for being open and transparent, and giving us all the opportunity to benefit from his experience.

All of Tipton’s goals seem to be focused on giving Technical Specialists more visibility and capability into how it supports its clients. And perhaps that’s the right mindset—Tipton shared with Shoer that his business lost very few clients after the attack, and of the clients he did lose, seemingly all of them misplaced blame on the MSP itself.

“There are a few that don’t get it, won’t ever get it, will never understand, and say it’s all our fault,” Tipton said. “I can’t change their minds, so I’ll just shake their hands, part as friends, and go on with life.”

Ransomware podcasts

Ransomware recovery is an important subject that benefits enormously from the real-world perspective and experience of those who have been through it. Several recent episodes of Malwarebytes Labs’ Lock and Code podcast have dealt with different aspects of recovering from ransomware.

Racing against a real-life ransomware attack

At 11:37 pm on the night of September 20, 2019, cybercriminals launched a ransomware attack against Northshore School District in Washington state. Early the next morning, Northshore systems administrator Ski Kacoroski arrived on scene. Kacoroski explains what happened next, and what Northshore did to recover from the attack and prevent it from happening again.

🎧 Listen to Racing against a real-life ransomware attack

“Seven or eight” zero-days: The failed race to fix Kaseya VSA

The Dutch Institute for Vulnerability Disclosure (DIVD) discovered “seven or eight” zero-days in Kaseya VSA before the REvil ransomware group did. DIVD chair Victor Gevers explains why that wasn’t enough to stop the biggest ransomware attack in history, and reveals that Kaseya VSA’s vulnerabilities represent just one data point in a far larger and more worrying trend.

🎧 Listen to “Seven or eight” zero-days: The failed race to fix Kaseya VSA

Why backups aren’t a “silver bullet” against ransomware

Any cybersecurity expert will tell you that the last line of defense against ransomware is backups. But if they’re so important, why are we still so bad at getting them right? Host David Ruiz speaks with VMware’s Matt Crape about why making good backups is so hard, and what missteps you should watch out for.



What are computer cookies?

We all know cookies as tasty baked treats that we love to eat, but computer cookies are quite different. Although they’re most popularly known as just “cookies”, they may be referred to as browser cookies, Internet cookies, HTTP cookies, web cookies, computer cookies, or digital cookies.

What are cookies?

Cookies are pieces of information that a website can save in your browser. Websites can ask your browser to save cookies whenever the browser asks it for a page, picture, download, or any other piece of information. Until the cookie expires, the browser will keep it, and send it back to the website whenever it requests anything else.

The language web browsers and websites use to talk to each other is “stateless”, meaning that every message is totally independent and isolated from every other message. It’s like having a conversation with somebody who instantly forgets who you are after every sentence.

One of the most common uses for cookies is to provide a link between messages, so that a website can remember who you are, and tell that your messages are coming from the same individual.

To do this, a website sends a web browser a cookie with a unique ID the first time they communicate, and the web browser repeats the unique ID back to the website every time it sends a message.

In the language of the web, cookies allow us to link sentences into conversations.

Without this functionality we would not be able to log in to any websites, keep wish lists, see recommendations, use web-based video or instant messaging, or do most of the other things we rely on websites for.

Importantly, websites can read their own cookies, but can’t read cookies saved by other websites. However, there is a loophole that has led to most of the problems we have come to associate with cookies: third-party cookies.

Tracking with third-party cookies

Many people associate cookies with the cross-site tracking used by advertising companies. Advertisers like Google and Facebook can track users as they travel around the web from site to site, building up profiles of the kinds of sites they like to visit, and showing them targeted advertising.

Tracking somebody across multiple sites like this relies on third-party cookies.

Although a website can only read cookies that it has created, individual web pages can be assembled from components hosted by multiple websites. Sometimes those components are visible, like images, and sometimes they are just bits of code you can’t see.

If a website you visit includes a component pulled from another website (a third-party), that third-party website can send and receive cookies along with the component. If you visit a different website that includes the same third-party component, the third-party can read its cookies on both sites.

This is how Facebook uses its Like buttons, and Google uses its advertising code, to track you across the web. They can tell whenever you visit a site that includes one of their components because they can read their own cookies.

Importantly, the tracking stops if you block or delete those cookies.

Session cookies, persistent cookies, and “super cookies”

Just like edible cookies, digital cookies come in different flavors. Cookies that expire whenever you close your browser are called session cookies. These are used for temporary things, like telling a website that you have logged in successfully. If a website uses session cookies for its logins then you will be logged out when you close your browser, and you will have to log in again when you next visit.

Cookies that aren’t deleted when you close your browser are called persistent cookies. Persistent cookies last until you delete them, or until they expire. These are useful for things like remembering your username, so it can be pre-filled when you visit a website you have logged out of.

For all practical purposes, persistent cookies can last forever. (On 32-bit systems cookies can’t live past 2038, but we assume you’ll be using a different device by then.)
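The mechanics described above (a cookie is only sent back to the host that set it; a third-party component embedded on many sites can read its own cookie on each of them; session cookies die when the browser closes while persistent cookies keep their expiry) can be worked through in a small simulation. The Python below is an added example, not code from the article: the browser, the tracker host tracker.example and the three sites are toy stand-ins, and only the cookie rules described in this article are modelled. It uses the standard library’s Set-Cookie parser, so the headers in it are real header syntax.

```python
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

TRACKER = "tracker.example"   # hypothetical third-party host whose component many sites embed


class Cookie:
    def __init__(self, name, value, expires):
        self.name, self.value = name, value
        self.expires = expires            # None means a session cookie


class Browser:
    """Toy cookie store. Cookies are filed under the host that set them and are only
    ever sent back to that host, which is the isolation rule the article describes."""

    def __init__(self, block_third_party=False):
        self.jar = {}                     # host -> {cookie name: Cookie}
        self.block_third_party = block_third_party

    def request(self, host, top_level_host, now):
        """Cookies attached to a request to `host` while a page from `top_level_host` loads."""
        if self.block_third_party and host != top_level_host:
            return {}
        return {n: c.value for n, c in self.jar.get(host, {}).items()
                if c.expires is None or c.expires > now}

    def receive(self, host, top_level_host, set_cookie_header, now):
        """Store a Set-Cookie header sent by `host`; returns False if it was rejected."""
        if self.block_third_party and host != top_level_host:
            return False
        for name, morsel in SimpleCookie(set_cookie_header).items():
            max_age = morsel["max-age"]   # absent => session cookie, present => persistent
            expires = now + timedelta(seconds=int(max_age)) if max_age else None
            self.jar.setdefault(host, {})[name] = Cookie(name, morsel.value, expires)
        return True

    def close(self):
        """Closing the browser discards session cookies and keeps persistent ones."""
        for host in list(self.jar):
            self.jar[host] = {n: c for n, c in self.jar[host].items() if c.expires is not None}


class Tracker:
    """Toy third-party server: reads back its own uid cookie wherever its component loads."""

    def __init__(self):
        self.profiles = {}                # uid -> sites where the component was loaded
        self.next_id = 1

    def serve(self, cookies, embedding_site):
        uid = cookies.get("uid")
        set_cookie = None
        if uid is None:                   # unknown browser: hand out a persistent id
            uid, self.next_id = f"u{self.next_id}", self.next_id + 1
            set_cookie = f"uid={uid}; Max-Age=31536000"
        self.profiles.setdefault(uid, []).append(embedding_site)
        return set_cookie


def visit(browser, tracker, site, now):
    """Load a page from `site` that embeds the tracker's component."""
    browser.receive(site, site, "session=logged-in", now)   # first-party session cookie
    set_cookie = tracker.serve(browser.request(TRACKER, site, now), site)
    if set_cookie:
        browser.receive(TRACKER, site, set_cookie, now)


def run_demo(block_third_party):
    """Visit three sites, closing the browser in between; returns the tracker's profiles."""
    now = datetime(2021, 9, 16, tzinfo=timezone.utc)
    browser, tracker = Browser(block_third_party), Tracker()
    visit(browser, tracker, "news.example", now)
    visit(browser, tracker, "shop.example", now)
    browser.close()                       # session cookies vanish; a persistent uid survives
    visit(browser, tracker, "blog.example", now + timedelta(days=1))
    return tracker.profiles


def isolation_demo():
    """First-party cookies stay per host; session cookies die on close; persistent ones expire."""
    now = datetime(2021, 9, 16, tzinfo=timezone.utc)
    b = Browser()
    b.receive("news.example", "news.example", "session=abc", now)
    b.receive("shop.example", "shop.example", "prefs=dark; Max-Age=86400", now)
    before = (b.request("news.example", "news.example", now),
              b.request("shop.example", "shop.example", now))
    b.close()
    after = (b.request("news.example", "news.example", now),
             b.request("shop.example", "shop.example", now))
    expired = b.request("shop.example", "shop.example", now + timedelta(days=2))
    return before, after, expired


if __name__ == "__main__":
    print("third-party cookies allowed:", run_demo(False))
    print("third-party cookies blocked:", run_demo(True))
```

With third-party cookies allowed, the tracker ends up with one profile listing all three sites, even across the browser restart, because its uid cookie is persistent. With them blocked (the default the article mentions for Firefox, Safari and Brave), every visit looks like a new browser and the profiles never join up, which is the "tracking stops if you block or delete those cookies" point in practice.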

Because third-party tracking can be defeated by users deleting their cookies, some unscrupulous advertisers have turned to other things that can offer cookie-like persistence, such as ETags or browser fingerprints. Technologies that act like cookies, but aren’t affected by blocking or deleting regular cookies, are unofficially referred to as super-cookies.

So, are cookies bad?

No. Cookies are essential to the operation of the web as we know it and used for many useful, helpful things. However, cookies can also be used for things some people don’t like, such as third-party tracking, and adverts that seem to follow you around the web.

Luckily, cookies are easy to control. All browsers let you delete cookies, and there are numerous browser add-ons that can be used to block cookies, or control what cookies you will and won’t allow.

In response to increased sensitivity about cross-site tracking, some browsers, including Firefox, Safari, and Brave, now block third-party cookies by default. Google is working on an alternative, more privacy-conscious tracking technology called FLoC, and plans to block third-party cookies in 2023.

Cookie consent

In the European Union (EU), websites have to ask for your consent before they can set cookies, which has led to web users seeing a profusion of cookie popups. Some people argue that this has led to “cookie fatigue”, and that privacy has not been improved.

What happens if you decline to accept cookies varies from site to site, and can range from the site working perfectly to the site not working at all.

Will a VPN stop tracking cookies?

No. A Virtual Private Network (VPN) guards your privacy by masking your IP address and your location, and by passing your traffic through an encrypted tunnel that protects it from rogue WiFi hotspots, or ISPs that want to sell advertisers information about your browsing habits.

To block or rewrite cookies, a VPN would have to look at your web traffic as it passed through its servers. VPNs can’t read encrypted communication, like HTTPS, so cookie blocking would be impossible for most web traffic.

Even if it were possible, it would probably cause some websites to malfunction. And if that could be overcome, privacy-loving VPN users would probably rather their VPN provider stayed out of their traffic anyway.


Patch now! PrintNightmare over, MSHTML fixed, a new horror appears … OMIGOD

The September 2021 Patch Tuesday could be remembered as the final patching attempt in the PrintNightmare… nightmare. The ease with which the vulnerabilities shrugged off the August patches doesn’t look likely to get a rerun: so far we haven’t seen any indications that this patch is as easy to circumvent.

The total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are “old friends”. There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious.

Azure was the subject of five CVEs, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together, and received the nickname OMIGOD.

PrintNightmare

PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a malicious printer driver to a vulnerable machine, and could use their new-found superpowers to install programs; view, change, or delete data; or create new accounts with full user rights.

The problem was made worse by significant confusion about whether PrintNightmare was a known, patched problem or an entirely new problem, and by repeated, at best partially-successful, attempts to patch it.

This month, Microsoft patched the remaining Print Spooler vulnerabilities under CVE-2021-36958. Fingers crossed.

MSHTML

This zero-day vulnerability that felt like a ghost from the past (it involved ActiveX, remember that?) was only found last week, but has attracted significant attention. It was listed as CVE-2021-40444, a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML.

Threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker was able to follow step-by-step instructions in order to launch their own attacks. Microsoft published mitigation instructions that disabled the installation of new ActiveX controls, but this turned out to be easy to work around for attackers.

Given the short window of opportunity, there was some doubt about whether a fix would be included in this Patch Tuesday, but it looks like Microsoft managed to pull it off.

DNS elevation of privilege vulnerability

This vulnerability was listed as CVE-2021-36968 and affects systems running Windows Server 2008 R2 SP1, SP2 and Windows 7 SP1. It exists because an application does not properly impose security restrictions in Windows DNS. The vulnerability is listed as a zero-day because it has been publicly disclosed, not because it is actively being exploited.

Microsoft says that exploitation is “less likely”, perhaps because it requires initial authentication and can only be exploited locally. If these conditions are met this bug can be used to accomplish elevation of privilege (EoP).

OMIGOD

OMIGOD is the name for a set of four vulnerabilities in the Open Management Infrastructure (OMI) that you will find embedded in many popular Azure services. The CVEs are:

The researchers that discovered the vulnerabilities consider OMIGOD to be a result of the supply-chain risks that come with using open-source code:

Wiz’s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.

OMI runs as root (the highest privilege level) and is activated within Azure when users enable certain services, like distributed logging, or other management tools and services. It’s likely that many users aren’t even aware they have it running.

The RCE vulnerability (CVE-2021-38647) can be exploited in situations where the OMI ports are accessible to the Internet to allow for remote management. In this configuration, any user can communicate with it using a UNIX socket or via an HTTP API, and any user can abuse it to remotely execute code or escalate privileges.

A coding mistake means that any incoming request to the service without an authorization header has its privileges default to uid=0, gid=0, which is root.

OMIGOD, right?

The researchers report that the flaw can only be used to remotely take over a target when OMI exposes the HTTPS management port externally. This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM). Other Azure services (such as Log Analytics) do not expose this port, so in those cases the scope is limited to local privilege escalation.

They advise all Azure customers to connect to their Azure VMs and run the commands below in their terminal to ensure OMI is updated to the latest version:

  • For Debian systems (e.g., Ubuntu): dpkg -l omi
  • For Red Hat-based systems (e.g., Fedora, CentOS, RHEL): rpm -qa omi

If OMI isn’t installed, the commands won’t return any results, and your machine isn’t vulnerable. Version 1.6.8.1 is the patched version. All earlier versions need to be patched.
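As an added example (not from the article, Wiz or Microsoft), here is a Python script that runs the two commands above, extracts the installed OMI version, and compares it numerically with 1.6.8.1 so the "all earlier versions need to be patched" rule is applied mechanically rather than by eye. The embedded `dpkg -l` and `rpm -qa` outputs are constructed for offline testing, and the `omi-<version>-<release>` layout assumed for the rpm package name is an assumption.

```python
import re
import shutil
import subprocess

PATCHED_OMI_VERSION = "1.6.8.1"      # fixed release named by the researchers


def version_tuple(version: str) -> tuple:
    """'1.6.8.1-0' -> (1, 6, 8, 1). The package release after '-' and any epoch
    before ':' are ignored so that upstream versions compare numerically."""
    core = version.split("-", 1)[0].split(":")[-1]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def omi_needs_patch(version: str) -> bool:
    """True when the installed version is older than 1.6.8.1 (a shorter
    version such as '1.6.8' compares as older than '1.6.8.1')."""
    return version_tuple(version) < version_tuple(PATCHED_OMI_VERSION)


def parse_dpkg_l(output: str):
    """Version column from `dpkg -l omi` output, or None if the package is not installed."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii" and fields[1] == "omi":
            return fields[2]
    return None


def parse_rpm_qa(output: str):
    """Upstream version from `rpm -qa omi` output such as 'omi-1.6.8.1-0.x86_64'
    (assumed name layout), or None if nothing was printed."""
    match = re.search(r"^omi-(\d+(?:\.\d+)*)-", output, re.MULTILINE)
    return match.group(1) if match else None


def installed_omi_version():
    """Run the article's command for whichever package manager is present."""
    if shutil.which("dpkg"):
        out = subprocess.run(["dpkg", "-l", "omi"], capture_output=True, text=True).stdout
        return parse_dpkg_l(out)
    if shutil.which("rpm"):
        out = subprocess.run(["rpm", "-qa", "omi"], capture_output=True, text=True).stdout
        return parse_rpm_qa(out)
    return None


def assess(version) -> str:
    """Human-readable verdict for an installed version (None = not installed)."""
    if version is None:
        return "OMI not installed: not affected"
    state = "needs patch" if omi_needs_patch(version) else "patched"
    return f"OMI {version}: {state}"


# Constructed sample outputs (not captured from a real machine) for offline testing.
SAMPLE_DPKG = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-==============================
ii  omi            1.6.8.0-0    amd64        Open Management Infrastructure
"""
SAMPLE_RPM = "omi-1.6.8.1-0.x86_64\n"

if __name__ == "__main__":
    print(assess(installed_omi_version()))
```

Run it as root or as a normal user on each Azure VM; the package manager queries need no privileges. A machine where neither command finds the package is reported as not affected, matching the article's note that an absent OMI means the host isn't vulnerable.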


What are SSL certificates?

Secure Sockets Layer (SSL) certificates are what cause your browser to display a padlock icon, indicating that your connection to a website is secure. Although the padlock may soon be hidden from view, certificates aren’t going anywhere.

Let’s start with some definitions and explain some of the terminology.

On a strictly technical level, SSL was actually superseded by Transport Layer Security (TLS) many years ago, but the name has stuck around. So, in this article we’ll use SSL to refer to the entire SSL/TLS family of protocols.

SSL is a security technology for establishing an encrypted link between a server and a client, such as a website and a browser, or a pair of email servers. An SSL certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection.

What is the purpose of SSL certificates?

SSL certificates serve two important purposes:

  • Authentication. It authenticates the identity of the computer you are talking to.
  • Privacy. It ensures that a connection between two computers is encrypted.

On the web, SSL makes a connection to a website more trustworthy: You are talking to the website identified in the certificate, and nobody is listening in or tampering with the communication between you. This is particularly important when you are exchanging private information like credit card details or passwords.

It does not make the website more trustworthy though, only the communication between it and you. Not every website that has an SSL certificate can be trusted. Evil websites, like phishing sites, can have SSL certificates and you can establish safe, trustworthy connections to evil sites using SSL!

Despite lots of (now outdated) advice, SSL certificates and padlocks should not be used as an indicator that a website is “safe”. Equally, if a website does not have a certificate, that does not mean it cannot be trusted.

How do SSL certificates work?

SSL encryption is possible because of the public-private key pairing that SSL certificates facilitate. A website visitor’s browser gets the public key necessary to open an encrypted connection from a server’s SSL certificate. The public key is not secret and anyone can see it, so it doesn’t matter if it’s intercepted. Anyone with the public key can use it to encrypt a message, but only the corresponding private key on the server can decrypt it.

Depending on the type of certificate it also provides a visitor with information about the holder of the certificate:

  • The domain name the certificate is valid for
  • Information about the holder of the certificate
  • Which certificate authority issued the certificate
  • Issue and expiration date of the certificate
  • The public key needed for the encryption

malwarebytes.com SSL certificate

SSL certificates are generally divided into three types:

  • Domain Validated (DV) Certificates. DV certificates assert a link between a certificate and a domain. Projects like Let’s Encrypt, which provides free certificates and automates the process of creating and installing them, rely on domain validation.
  • Organization Validated (OV) Certificates. OV certificates assert a link between a certificate and an organization. The body issuing the certificate must validate the legal and physical existence of the organization.
  • Extended Validation (EV) Certificates. EV certificates assert a link between a certificate and an organization using a more thorough vetting process than OV certificates.
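As an added example (not from the article), the shell script below uses the openssl command-line tool (1.1.1 or newer is assumed) to mint a throwaway self-signed certificate for the constructed placeholder name login-example.test, then reads back the fields listed above and checks the name binding and validity window; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the article. Uses the openssl CLI (1.1.1+) to create a
# throwaway self-signed certificate and read back the fields a certificate carries.
# "login-example.test" is a constructed placeholder name.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned_cert NAME OUTPREFIX: key pair plus certificate for NAME, valid 30 days.
# Anyone can mint one of these for any name; what a browser checks is whether a CA it
# trusts issued it, which is what DV validation adds and this step does not.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# show_cert_fields CERT: the items listed in the article, straight from the certificate.
show_cert_fields() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
  openssl x509 -in "$1" -noout -pubkey          # the public key is public, so printing is fine
}

# cert_covers_host CERT HOST: exit 0 if the certificate is valid for HOST.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_valid_now CERT: exit 0 if the certificate is inside its validity window.
cert_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

make_selfsigned_cert login-example.test "$WORK/demo"
show_cert_fields "$WORK/demo.crt"
# The certificate proves which name you reached and enables encryption; it says
# nothing about whether login-example.test is an honest site.
cert_covers_host "$WORK/demo.crt" login-example.test && echo "name matches"
cert_valid_now "$WORK/demo.crt" && echo "within validity period"
```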

Where do you get SSL certificates?

SSL certificates are issued by a Certificate Authority (CA). Most browsers will accept certificates issued by hundreds of different CAs.

If you are looking for a certificate for your website, one option is to contact your hosting provider. They will usually be able to point you in the right direction, and will probably be able to provide one. Mention which type of certificate (DV, OV or EV) you are looking for, since that determines what the provider needs from you. Alternatively, you can automate the process of certificate creation and installation using services like Let’s Encrypt.

Is an SSL certificate necessary for a website?

The majority of the web is now encrypted, making sites without SSL the exception. SSL protects private data in transit, such as credit card details. Even when it isn’t protecting sensitive data, it stops attacks that might send you to fake websites, and prevents criminals injecting ads or malware into your traffic.

If that isn’t enough for you, there are other reasons to use SSL too.

Aside from securing your traffic, having an SSL certificate also helps your website’s search engine rankings. The current Google algorithm rewards sites with SSL by giving them higher rankings (or, better put, it punishes sites that do not use SSL).

SSL also makes a site look more professional and secure. Depending on the visitor’s browser, sites without an SSL certificate may trigger a warning that the site is not secure.

An increasing number of browser features require SSL to work. Features like getting a user’s location, accessing their microphone, or storing data locally on their device, all require that your website supports HTTPS, which relies on SSL. This makes sense, because you are providing sensitive information to such sites, and it would pose a security risk if those features could be tampered with by a person-in-the-middle, or through other network interference or impersonation.

The post What are SSL certificates? appeared first on Malwarebytes Labs.

Update now! Google Chrome fixes two in-the-wild zero-days

Google announced on Monday that it will be issuing patches for 11 high severity vulnerabilities found in Chrome, including two that are currently being exploited in the wild. The patch, which is part of the Stable Channel Update for Chrome 93 (93.0.4577.82), will be released for Windows, Mac, and Linux (if it hasn’t already). Chrome users are expected to see the roll out in the coming days and weeks.

Readers should note that other popular browsers such as Brave and Edge are also Chromium-based and therefore likely to be vulnerable to these flaws too. Keep an eye out for updates.

You can check what version of Chrome you are running by opening About Google Chrome from the main menu.

The About Google Chrome screen tells you what version you are running and whether it is up to date

The vulnerabilities

The fixes address high severity vulnerabilities reported to Google by independent researchers from as early as August of this year. That said, the company has included names of the researchers who found the flaws in their announcement.

The two vulnerabilities that are being actively exploited—namely, CVE-2021-30632 and CVE-2021-30633—were submitted anonymously. The former is an “Out of bounds write” flaw in the V8 JavaScript engine and the latter is a “Use after free” bug in the IndexedDB API.

Because threat actors are currently exploiting the two aforementioned vulnerabilities, Google provides little to no information on how the attacks against these weaknesses are being carried out, or other precautionary measures users should be looking out for. Per Google:

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

V8, the thorn in Chrome’s side?

Nobody will be surprised to see that one of the in-the-wild exploits affects Chrome’s V8 engine.

At the heart of every modern web browser sits a JavaScript interpreter, a component that does much of the heavy lifting for interactive web apps. In Chrome, that interpreter is V8. These components need to accommodate frequent updates and adhere to a bewildering array of web standards, while also being both fast and secure.

Chrome’s V8 JavaScript engine has been a significant source of security problems. So significant in fact, that in August Microsoft—whose Edge browser is based on Chrome—announced an experimental project called Super Duper Secure Mode that aims to tackle the rash of V8 problems by simply turning an important part of it off.

A little under half of the CVEs issued for V8 relate to its Just-in-Time (JIT) compiler, and more than half of all ‘in-the-wild’ Chrome exploits abuse JIT bugs. Just-in-time compilation is an important performance feature and turning it off is a direct trade of speed for security. How much? According to our quick-and-dirty testing, turning off the JIT compiler makes JavaScript execution twice as slow in Edge.

11 zero-days and counting

To date, the Google Chrome team has patched 11 zero-day vulnerabilities in 2021. Previous patches addressed the following vulnerabilities, some of which we have covered here on the Malwarebytes Labs blog:

With so much bad PR, you might expect Chrome’s market share to suffer; yet, it remains by far the most popular browser. Users—and the Google Chrome brand—seem unaffected.

Make sure you update your Chrome or Chromium-based browser once you see the patch available, or better still, make sure your browser is set to update itself.

Stay safe!

The post Update now! Google Chrome fixes two in-the-wild zero-days appeared first on Malwarebytes Labs.

Parts of the Dark Web “awash” with school children’s personal data

NBC News has collected and analyzed a trove of children’s personal information it discovered on the Dark Web. Even though this information may not be as useful to cybercriminals as credit card details or login credentials, the information is still out there, where we don’t want it.

So what is it, and how did it get there?

Ransomware

Modern ransomware gangs don’t just encrypt data, they frequently steal it too. If their ransom demands aren’t met, they leak the stolen data via their Dark Web sites. These data leaks have led to information about (amongst others) businesses, police officers, hospital patients, and school children ending up on the Dark Web.

And schools and school districts have been very popular targets for ransomware attacks. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by a ransomware analyst.

Ransomware threat actors are always looking for low-hanging fruit. And schools have always been easy targets for ransomware, because of their limited budgets, especially for security. All of which was made worse by the demand for distance learning created by the Coronavirus pandemic.

What information is out there?

Some schools may not be able to tell you how much, and what, information they have about your child if you ask them. But the evidence says it’s even worse than you might expect; it isn’t just the information you may have handed over to the school when you filled out the application. Over time, information like medical conditions or your family’s financial status may get added. Some information, like social security numbers or birthdays, will be a constant in the child’s life, and in the wrong hands it can set a child up for identity theft at any point in their life.

The NBC article provides a few examples that may raise your eyebrows.

A few months after a ransomware attack on Toledo Public Schools in Ohio, which led to students’ names and social security numbers being published online, a parent discovered that someone had started trying to take out a credit card and a car loan in his elementary school-aged son’s name.

Following an attack on Weslaco Independent School District, data relating to approximately 16,000 students was leaked, including: Their names, dates of birth, race, social security numbers, gender, immigration status, whether they were homeless or economically disadvantaged, and if they’d been flagged as potentially dyslexic.

Can the information be removed?

The chances of permanently removing information from a ransomware leak site are slim to none. By the time the victim of a ransomware attack pays the ransom, their data has already been stolen, so they have nothing more than the word of criminals that it will be destroyed or kept safe. There is little incentive for ransomware gangs not to trade the data of payers and non-payers alike on some Dark Web forum. And when data has been shown on a leak site, anyone could have grabbed a copy.

What is the Dark Web?

Maybe it’s a good idea to clear up some of the misconceptions about the Dark Web. There are two “dark” regions on the World Wide Web: The Deep Web, and the Dark Web.

The Deep Web is an unindexed part of the web, which includes anything behind a login screen, for example. The indexed part of the web—the part that can be found by search engines—is likely to be a small fraction of the entire web, which makes the Deep Web enormous.

The Dark Web is a part of the web that can only be accessed via Tor. The Dark Web is designed to hide the location (strictly, the IP address) of everyone and everything on it. And if you can’t trace the real IP address of a user or a website, you can’t find them, arrest them, or shut them down. Which is why the Dark Web is where you’ll find ransomware leak sites.

Unlike the Deep Web, the Dark Web is extremely small, but it is very popular with criminals, for obvious reasons. Alongside ransomware leak sites, the Dark Web also hosts forums where cybercriminals can buy and exchange information, and marketplaces that sell anything and everything that’s illegal.

What can you do?

School cybersecurity is increasingly important, and parent pressure makes a difference. Ask your school about its approach to cybersecurity, and what information about your child it keeps. Should your or your children’s information become part of a data breach, you may want to read some more about identity theft and credit monitoring.

The post Parts of the Dark Web “awash” with school children’s personal data appeared first on Malwarebytes Labs.

Apple releases emergency update: Patch, but don’t panic

Spyware developed by the company NSO Group is back in the news today after Apple released an emergency fix for iPhones, iPads, Macs, and Apple Watches. The update fixes a vulnerability silently exploited by software called Pegasus, which is often used in high-level surveillance campaigns by governments.

Zero-day

Pegasus spyware is typically installed on victims’ phones using a software exploit that requires little or no user interaction—perhaps no more than a click. The exploits change over time, as they are discovered and patched by Apple.

This most recent exploit is a “zero-day, zero-click” flaw in Apple’s iMessage app that requires no user interaction at all. Known as “FORCEDENTRY”, it was discovered by CitizenLab after a forensic examination of a phone belonging to a Saudi activist.

The exploit has apparently been in use since at least February 2021, and reportedly works on Apple iOS, macOS, and watchOS devices.

What should you do next?

Put simply, if you run any of these devices, you must update immediately to iOS 14.8.

As per the description:

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An integer overflow was addressed with improved input validation.

CVE-2021-30860: The Citizen Lab

If you want specifics on what exactly is affected, Apple has said the following:

“All iPhones with iOS versions prior to 14.8, All Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2.”

Pegasus spyware

The NSO Group says that its spyware is used against criminals and terrorists, but journalists and human rights activists are known to have been targeted by Pegasus attacks, along with political dissidents and business executives at the highest levels. The software can be used to collect all manner of personal data from devices, intercept calls and messages, and much more. If your work is particularly sensitive, it isn’t something you want anywhere near your phone.

Is the sky falling?

Absolutely not. It’s very good practice to keep all of your devices updated. It’s something we should be doing by default. Sometimes you may have to do some updating manually to ensure crucial systems don’t break inside whatever daisy-chain of a network you have in operation. Businesses can typically work around this if needed.

For the most part, you can typically set updates to automatic and deal with them as they come through.

As far as Pegasus goes though, the vast majority of people will never, ever run into a piece of spyware like it. Pegasus campaigns are expensive, and so are the exploits they use. Campaign owners simply do not care about most people enough to waste valuable resources on them. They do care about defined, specific, known targets in advance, however. This isn’t something which tends to get spammed out to hundreds of thousands of Gmail accounts, or dropped into Discord chat. If you are a high value target—perhaps if you work at a center for human rights—you might need to ponder the implications of something like Pegasus.

As Apple itself explains, these attacks cost “millions” to develop, have short lifespans, and “are not a threat to the overwhelming majority of our users”.

All the same, you should apply the fix as soon as possible. While you’re almost certainly not at risk from Pegasus, there are a lot of other bad things out there which do target regular folks and businesses. The danger for most people is that somebody else manages to reverse-engineer this exploit into something that’s used more widely.

Grab the update, and go about your business safe in the knowledge that being hit by Pegasus is now even more unlikely than it was previously.

The post Apple releases emergency update: Patch, but don’t panic appeared first on Malwarebytes Labs.