
Brave browser will prevent websites from port scanning visitors

If you use Brave browser, then you’re shortly going to find you have a new string added to your security bow. Websites performing port scanning will now be automatically blocked beginning with version 1.54 of the browsing tool.

Port scanning, I hear you cry? Yes indeed. You may well not have even been aware that sites do such a thing. You may expect some antics related to cookies and perhaps the occasional tracking beacon, but port scanning?

Who is doing this and why?

Well, let’s start at the beginning with a rundown of what port scanning actually is. Port scanning involves scanning a computer network for open ports, which can then be exploited by individuals up to no good to gain unauthorised access or gather information about potential system vulnerabilities. It’s worth noting that scanning is not by default a malicious activity. For example, an organisation’s IT team may do this to ensure everything is working as expected and close any potential gaps which may have been missed.

As Ars Technica notes, a 2021 list of sites compiled by a researcher makes it clear that many major sites are, or have been, involved in this practice. Brave claims that many popular browsers allow websites to “access local network resources without protection or restriction, which puts users’ privacy and security at risk.”

The issue Brave is tackling is one related to how browsers typically work. While you may think everything is being served up from the web, some aspects of what you see in a browser are being hosted by software on your computer. Browsers are allowed to access these resources, and, on top of that, some software has been built to be accessible to websites with no malicious intention behind it. From the Brave update website:

…a small but important amount of software has been built expecting to be freely accessible by websites, often in ways invisible to users. And many of these uses are benign. Examples include some wallets for cryptocurrencies, security software provided by banks or security companies, and hardware devices that use certain Web interfaces for configuration.

Now we come to the crunch. Lots of dubious software can use the access to localhost resources to get up to mischief. As Brave explains, fingerprinting scripts will try to figure out the combination of software running on your system. By doing so, someone now has a picture of you built up and can potentially track you across the web. They could also try to determine if you have some vulnerable products running on your device and then come back with an exploit.

From Brave version 1.54 and up, this will no longer be possible. Brave already blocks scripts known to maliciously scan localhost resources and blocks requests from public sites to localhost resources. This is what the new version will do:

  • Requests to localhost resources, from a localhost context are allowed automatically; Brave does not block a locally hosted page from accessing other locally hosted resources.
  • Brave will continue to use filter list rules to block scripts and sites known to abuse localhost resources.
  • Brave will include a new permission called the “localhost” permission. Only sites with this permission will be able to make sub-resource requests to localhost resources. By default, no sites have this permission and, importantly, most sites have no way to prompt users for this permission. However, advanced users can use the existing site settings interface to grant sites this permission.
  • Brave will also include a list of trusted sites, or sites known to access localhost resources for user-benefiting reasons. The first time a site on this list initiates a sub-request to a localhost resource, it will trigger a permission prompt of the previously mentioned localhost permission. This list is publicly available, and will be maintained by Brave.

The thinking behind this is that abuse of localhost resources is more common than it being used for beneficial actions. The Brave developers also don’t want to waste users’ time with lots of popups asking permission to do things that they expect “will only cause harm”.
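As an added example (not Brave's code and not from the article), here is the check a locally hosted service can make on its own side: refusing requests whose fetch metadata or Origin header shows they came from a public website rather than from this machine. It assumes a Python http.server listening on 127.0.0.1:8080 and that the browser sends the Sec-Fetch-Site header, which page script cannot forge.

```python
"""Refuse cross-site requests to a localhost service (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hostnames that mean "this machine"; urlsplit().hostname strips the
# brackets from an IPv6 literal, so "::1" is enough to match "[::1]".
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_loopback_origin(origin):
    """True if an Origin header value points at this machine."""
    if not origin or origin == "null":
        return False
    host = urlsplit(origin).hostname
    return host is not None and host in LOOPBACK_HOSTS


def request_allowed(headers):
    """Decide whether a request may reach the local service.

    headers: mapping of lower-cased header names to values.
    Returns (allowed, reason). Sec-Fetch-Site is set by the browser and
    is the strongest signal; Origin is only sent on CORS and non-GET
    requests, so a plain <img>/<script> GET arrives without it.
    """
    site = headers.get("sec-fetch-site")
    if site is not None:
        # "same-origin", "same-site" (another localhost port) and "none"
        # (typed URL, bookmark) are all fine; only cross-site is refused.
        if site == "cross-site":
            return False, "cross-site fetch metadata"
        return True, f"sec-fetch-site={site}"
    origin = headers.get("origin")
    if origin is None:
        # No browser evidence of a web-page origin (curl, older clients).
        return True, "no origin header"
    if is_loopback_origin(origin):
        return True, "loopback origin"
    return False, f"foreign origin {origin}"


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies request_allowed() to every GET."""

    def do_GET(self):
        lowered = {k.lower(): v for k, v in self.headers.items()}
        allowed, reason = request_allowed(lowered)
        if not allowed:
            self.send_response(403)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(("refused: " + reason + "\n").encode())
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from the local service\n")


if __name__ == "__main__":
    # Bind to loopback only; the assumed port is 8080.
    HTTPServer(("127.0.0.1", 8080), LocalOnlyHandler).serve_forever()
```

The limit of this server-side check is exactly why Brave moved the block into the browser: even a 403 tells a probing page that something answered on that port, so only the browser can stop the fingerprinting.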

Brave mentions that only the Safari browser currently does anything significant in this area, and that’s more of a “side-effect of security restrictions” than deliberate targeting. It remains to be seen whether other browsers will jump on the localhost resource blocking bandwagon, but it probably wouldn’t be a bad thing if they do.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Of sharks, surveillance, and spied-on emails: This is Section 702, with Matthew Guariglia

In the United States, when the police want to conduct a search on a suspected criminal, they must first obtain a search warrant. It is one of the foundational rights given to US persons under the Constitution, and a concept that has helped create the very idea of a right to privacy at home and online. 

But sometimes, individualized warrants are never issued, never asked for, never really needed, depending on which government agency is conducting the surveillance, and for what reason. Every year, countless emails, social media DMs, and likely mobile messages are swept up by the US National Security Agency—even if those communications involve a US person—without any significant warrant requirement. Those digital communications can be searched by the FBI. The information the FBI gleans from those searches can be used to prosecute Americans for crimes. And when the NSA or FBI make mistakes—which they do—there is little oversight.

This is surveillance under a law and authority called Section 702 of the FISA Amendments Act. 

The law and the regime it has enabled are opaque. There are definitions for “collection” of digital communications, for “queries” and “batch queries,” rules for which government agency can ask for what type of intelligence, references to types of searches that were allegedly ended several years ago, “programs” that determine how the NSA grabs digital communications—by requesting them from companies or by directly tapping into the very cables that carry the Internet across the globe—and an entire secret court that has only rarely released its opinions to the public.

Today, on the Lock and Code podcast, with host David Ruiz, we speak with Electronic Frontier Foundation Senior Policy Analyst Matthew Guariglia about what the NSA can grab online, whether its agents can read that information and who they can share it with, and how a database that was ostensibly created to monitor foreign intelligence operations became a tool for investigating Americans at home. 

As Guariglia explains:

“In the United States, if you collect any amount of data, eventually law enforcement will come for it, and this includes data that is collected by intelligence communities.”

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Spyware app LetMeSpy hacked, tracked user data posted online

Stalkerware-type app LetMeSpy says it has been hacked, with the attacker taking user data with it.

From the message posted to the login screen on the LetMeSpy website:

On June 21, 2023, a security incident occurred involving obtaining unauthorized access to the data of website users.

As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts.

To be clear, much of the data that was stolen is the data from the phone which has the tracking app on it, which has likely been installed without the phone owner’s knowledge. That’s because LetMeSpy is often invisible to the phone’s owner. 

So as long as someone can get quick access to install an app on your Android phone, they can monitor you. Once the app is on your phone, you often can’t tell it’s there. However, in the background, it is maliciously uploading all your calls, texts, and location to the LetMeSpy servers, which have now been hacked.

These sorts of apps have been used by people wanting to monitor their partner’s movements, along with parents and employers.

Polish site Niebezpiecznik first reported the breach. In the database file which was later dumped online, the blog said there was:

  • 26,000+ email addresses of the tool’s “operators” along with hashes of their passwords.
  • 16,000+ text messages, including passwords and codes for various services
  • Telephone numbers of people who had contacted the tracked phones
  • Telephone numbers of the people whom the tracked phone owner had called (along with the names associated with them in the contacts list)
  • Database dump in SQL format, containing more data, including locations

Adam Sanocki, spokesman for the Polish data protection authority UODO, confirmed to TechCrunch that it had received a breach notice from LetMeSpy. When a breach happens, the affected company should inform users that their data has been exposed. But the users of the service here are the ones tracking people, and, sadly, it’s unlikely they’re going to let the people they are spying on know that their data has been taken.

How to prevent spyware and stalkerware-type apps

  • Set a screen lock on your phone and don’t let anyone else access it
  • Keep your phone up-to-date. Make sure you’re always on the latest version of your phone’s software.
  • Use an antivirus on your phone. Malwarebytes for Android shows you exactly what information you’re sharing with each app on Android, so you can keep an eye on your privacy. Malwarebytes detects the LetMeSpy app as Android/Monitor.LetMeSpy.

Coalition Against Stalkerware

Malwarebytes is a founding member of the Coalition Against Stalkerware. We continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.


“Free” Evil Dead Rise movie scam lurks in Amazon listings

Scammers are using a novel technique with Amazon listings to trick fans of Evil Dead into downloads they may not want, and expensive rolling payments they have no interest in. Evil Dead Rise, the breakout horror film of 2023, started with big cinema numbers and has moved on to a victory lap in streaming land for good measure. In fact, it’s doing so well that the original film from 1981 has crept into the charts too:

A good time to be a Deadite. Not so good if you’re unable to catch a legitimate stream or the movie isn’t out in your region yet. If you decide to pre-order it from Amazon, you’ll see something odd nestled in the physical media section which we’ve highlighted in red. Bizarrely, there’s a podcast claiming to offer up a free version of Evil Dead Rise via streaming.

Fake Evil Dead Rise download

The full movie, in podcast form? I know Amazon has some pretty impressive technology but I don’t think we’re at that level just yet. The full text reads as follows:

!Streaming Evil Dead Rise 2023 Movie Evil Dead Rise 2023 Movie Warner Evil Dead Rise 2023 Pictures! Are you looking to download or watch the new Evil Dead Rise 2023 online?

If you are looking for Watch Evil Dead Rise (2023) : Full Movie Online Free, Watch Evil Dead Rise Streaming Full Movie Online Free ||Prime.

Playing the audio clip reveals about 24 seconds of generic soft rock music, presumably only present because the “podcaster” has to upload something to create a listing. To even access the audio file, you’d need to open it via an Audible account or Amazon Music.

Fake Evil Dead Rise podcast

Clicking the link redirects you through several URLs before settling on what looks like it’s about to offer you a stream of the film.

Fake Evil Dead Rise Stream

Evil Dead Rise for download or streaming, with a “Subscribe to watch: $0.00” message underneath? You can add this to the “Too good to be true” pile.

No matter what you click, on a mobile device you may be offered a download. In testing, we saw a program claiming to offer all manner of media downloads:

Media downloader

In another test, we were directed to an odd payment page:

Mobile sign up

I say odd, because the URL contains the word “antivirus”, which would suggest you’re potentially signing up for a security service of some kind. Despite this, there’s no clear indication of what exactly is being paid for here. Is it a security product? Am I still trying to sign up to the supposedly “free” version of Evil Dead Rise? I don’t know, but the page says this at the top:

“This is a special offer for a limited period of 3 days which comes with a £13.00 welcome gift card to explore and buy products in one of our affiliates’ websites. By acquiring this membership you will be automatically enrolled in our affiliate membership services. The membership fee amount of £29.24 which will be automatically deducted every 14 days unless skipped or cancelled.”

That’s a lot of money to pay for who knows what!

Meanwhile, clicking the movie streaming link on a desktop redirects to a generic sign up page with no additional details with regard to terms and conditions or privacy policies. Sites like this typically have a rolling subscription fee mentioned somewhere in the T&Cs. There is simply no reasonable way to know what you’re signing up for here.

How to avoid bogus spam listings on Amazon

  • Watch where you pay. Your typical Amazon transactions should be taking place within the main Amazon site. If you’re buying an item, watch out if you are directed to go to another URL. If in doubt, check with Amazon customer support.
  • Beware of “empty” content. Ebooks and audio files which do little but ask you to go somewhere else to obtain something are almost certainly scams. A one page ebook saying “Go here”, or an audio file which is bereft of audio with hyperlinks going off-site should be treated with suspicion.

This is not the first time we’ve seen inventive uses of Amazon services to promote a scam. We’ve previously covered a range of spam ebooks on the Kindle store used to link to similar streaming services. In this case, we’ve reported the account uploading these podcasts to Amazon and users of Malwarebytes products will find they’re protected from the sites involved. Groovy.


New technique can defeat voice authentication “after only six tries”

Voice authentication is back in the news with another tale of how easy it might be to compromise. University of Waterloo scientists have discovered a technique which they claim can bypass voice authentication with “up to a 99% success rate after only six tries”. In fact this method is apparently so successful that it is said to evade spoofing countermeasures. 

Voice authentication is becoming increasingly popular for crucial services we make use of on a daily basis. It’s a particularly big deal for banking. The absolute last thing we want to see is easily crackable voice authentication, and yet that’s exactly what we have seen.

Back in February, reporter Joseph Cox was able to trick his bank’s voice recognition system with the aid of some recorded speech and a tool to synthesise his responses.

A user typically enrolls into a voice recognition system by repeating phrases, so the system at the other end gets a feel for how their voice sounds. As the Waterloo researchers put it:

When enrolling in voice authentication, you are asked to repeat a certain phrase in your own voice. The system then extracts a unique vocal signature (voiceprint) from this provided phrase and stores it on a server.

For future authentication attempts, you are asked to repeat a different phrase and the features extracted from it are compared to the voiceprint you have saved in the system to determine whether access should be granted.

This is where Cox and his synthesised vocals came into play—his bank’s system couldn’t distinguish between his real voice and a synthesised version of his voice. The response to this was an assortment of countermeasures that involve analysing vocals for bits and pieces of data which could signify the presence of a deepfake.

The Waterloo researchers have taken the game of cat and mouse a step further with their own counter-countermeasure that removes the data characteristic of deepfakes.

From the release:

The Waterloo researchers have developed a method that evades spoofing countermeasures and can fool most voice authentication systems within six attempts. They identified the markers in deepfake audio that betray it is computer-generated, and wrote a program that removes these markers, making it indistinguishable from authentic audio.

There are many ways to edit a slice of audio, and plenty of ways to see what lurks inside sound files using visualiser tools. Anything that wouldn’t normally be present can be traced, analysed, and altered or made to go away if needed.

As an example, loading up a spectrum analyser (which illustrates the audio signal in visible waves and patterns) may reveal images hidden inside of the sound. Below you can see a hidden image represented by the orange and yellow blocks every time the audio file plays. While the currently discussed research isn’t available outside of paid access, the techniques relied upon to find any deepfake generated cues will likely work along much the same lines. There will be telltale signs of synthetic markers in the sound files, and with these synthetic aspects removed the detection tools will potentially miss the now edited audio because it looks (and more importantly sounds) like the real thing.

Audio analysis

It remains to be seen what organisations deploying voice authentication will make of this research. However, you can guarantee whatever they come up with will continue this game of cat and mouse for a long time to come.


A proxyjacking campaign is looking for vulnerable SSH servers

A researcher at Akamai has posted a blog about a worrying new trend—proxyjacking—where criminals sell your bandwidth to a third-party proxy service.

To understand how proxyjacking works, we’ll need to explain a few things.

There are several legitimate services that pay users to share their surplus Internet bandwidth, such as Peer2Profit and HoneyGain. The participants install software that adds their systems to the service’s proxy network. Customers of the proxy service have their traffic routed through the participants’ systems.

The foundation of the proxyjacking problem lies in the fact that these services don’t check where the shared bandwidth is coming from. Peer2Profit and Honeygain claim to only share their proxies with theoretically vetted partners, but according to Akamai’s research they don’t check if the one offering the bandwidth is the actual owner.

Proxies and stolen bandwidth have always been popular among cybercriminals since they allow them to anonymize their traffic. What’s new about this campaign is that these same criminals are now “renting out” the bandwidth of compromised systems to make money instead of simply using them.

The researcher became aware of the campaign when they noticed an attacker establishing multiple SSH (Secure Shell) connections to one of their Cowrie honeypots. Cowrie is a medium-to-high-interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. It can emulate a UNIX system in Python, or function as an SSH and Telnet proxy so that attacker behaviour against another system can be observed.

For the criminals the beauty of the attack is that it is mostly fileless and the files that are actually used, curl and the public Docker images for the proxy monetization services Peer2Profit and Honeygain, are legitimate and will not be detected by anti-malware solutions.

And proxyjacking is a lot less likely to be detected than cryptojacking, since it requires only minimal CPU cycles and uses surplus Internet bandwidth. Interestingly, the researchers found that the compromised distribution server also contained a cryptomining utility, as well as many other exploits and common hacking tools.

Protection

Since these seemingly legitimate services can be used by criminals on both ends, both to anonymize their activities and to sell others’ resources, we would rather see them disappear altogether, but they should at least improve the verification of their customers and their participants.

Home users can protect themselves from proxyjacking by:

Corporate users can add:

  • Monitor network traffic for anomalies.
  • Keep track of running containerized applications.
  • Use key-based authentication for SSH instead of passwords.

Akamai added:

“In this particular campaign, we saw the use of SSH to gain access to a server and install a Docker container, but past campaigns have exploited web vulnerabilities as well. If you check your local running Docker services and find any unwanted resource sharing on your system, you should investigate the intrusion, determine how the script was uploaded and run, and perform a thorough cleanup.”
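To act on Akamai's advice to check running Docker services, here is an added example (not Akamai's tooling and not from the article) that parses `docker ps` output and flags containers built from the Peer2Profit or HoneyGain images named on this page. It assumes the tab-separated `--format` string given in the code, and the image names and container IDs in the sample are constructed so the check runs without Docker installed.

```python
"""Flag running containers built from proxy-monetization images (added example)."""
import shutil
import subprocess

# Lower-cased fragments of the image names for the two services named
# in the Akamai write-up; extend this tuple for other services.
PROXY_IMAGE_MARKERS = ("peer2profit", "honeygain")

# Assumed output format: one container per line, four tab-separated fields.
DOCKER_PS_FORMAT = "{{.ID}}\t{{.Image}}\t{{.Names}}\t{{.Status}}"

# Constructed sample standing in for live `docker ps` output.
SAMPLE_DOCKER_PS = (
    "3f1a2b9c0d4e\tnginx:1.25\tweb\tUp 3 days\n"
    "9a8b7c6d5e4f\tpeer2profit/peer2profit_linux:latest\tp2p\tUp 2 hours\n"
    "1c2d3e4f5a6b\thoneygain/honeygain:latest\thg\tUp 2 hours\n"
)


def parse_docker_ps(text):
    """Turn formatted `docker ps` text into a list of container dicts."""
    rows = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # blank line or unexpected format; skip it
        cid, image, name, status = fields
        rows.append({"id": cid, "image": image, "name": name, "status": status})
    return rows


def find_proxy_containers(rows, markers=PROXY_IMAGE_MARKERS):
    """Return the containers whose image name matches a known marker."""
    hits = []
    for row in rows:
        image = row["image"].lower()
        if any(marker in image for marker in markers):
            hits.append(row)
    return hits


def live_docker_ps():
    """Run `docker ps` if the CLI is present; empty string otherwise."""
    if shutil.which("docker") is None:
        return ""
    result = subprocess.run(
        ["docker", "ps", "--format", DOCKER_PS_FORMAT],
        capture_output=True, text=True, check=False,
    )
    return result.stdout if result.returncode == 0 else ""


def report(text):
    """Human-readable summary of the flagged containers in `text`."""
    hits = find_proxy_containers(parse_docker_ps(text))
    if not hits:
        return "no proxy-monetization containers found"
    lines = ["possible proxyjacking containers:"]
    for h in hits:
        lines.append(f"  {h['id']}  {h['image']}  ({h['name']}, {h['status']})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Prefer live output; fall back to the constructed sample.
    print(report(live_docker_ps() or SAMPLE_DOCKER_PS))
```

Image-name matching is only as good as the marker list, and a retagged image will slip past it, so treat a hit as a prompt to investigate how the container got there rather than as the whole check.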


Online safety tips for LGBTQIA+ communities

The internet is great for bringing people together, helping you feel part of a community, and staying in touch with your nearest and dearest. But it can also be a nasty place – from malware to scammers, to people just being plain awful to others. It’s probably not surprising to read that recent research by the Anti-Defamation League (ADL) showed LGBTQIA+ people were the marginalized group most harassed online, with 51% of transgender people and 47% of LGBQ+ people—compared with 33% of all Americans—reporting online harassment of some sort within the last 12 months.

So, while the tips below are good advice for anyone, the stats show it’s tougher online for LGBTQIA+ people, and that means it’s really important to do as many of them as you can. Think we missed anything? Let us know in the comments section.

1. Secure your online accounts

Avoid handing over your accounts to anyone who shouldn’t have access by getting the security basics right.

  • Use strong, unique passwords for every account
  • Consider a password manager to help you keep hold of all those passwords
  • Enable MFA wherever you can.

These three things do take a bit more time than if you didn’t do them, but they are the best way to keep your accounts secure.

2. Deal with cyberbullies

If someone is bullying you online, block and report them as soon as you can. Pretty much every platform will offer this function, so make sure you use it. Confide in a trusted friend or family member, especially if the bullying is having a significant impact on your mental health. And, if the bullying has reached criminal proportions, consider reporting it to the relevant authority in your region.

3. Be careful when meeting an online friend IRL

It would be all too easy to say “never meet anyone face to face that you met online,” but that’s not practical. However, there are some things you can do to stay as safe as possible.

Meet in a public place, and let a friend know who you are meeting and where. Then check in with them after you return home.

Make sure the person is who they say they are by doing a reverse image search of the person’s picture. If you see the same image posted next to someone else’s name, or even multiple people’s names, then you might well be talking to a scammer.

4. Stay safe on social

Don’t reveal personal information about you such as your address or date of birth which could be used by fraudsters, doxxers or stalkers. If you’re going away then leave that information off your social media until you return, so your home isn’t targeted.

It’s worth periodically checking your social media privacy settings too to make sure they’re at the level you are comfortable with.

5. Respect others’ privacy

Sure, you might want to show off your camo jumpsuit to your Instagram followers, but maybe the go-go dancer behind you doesn’t want their photo published online. If someone is in a photo that you want to put online, make sure you get explicit consent from them before posting.

6. Steer clear of hate

Finally, we all know there is a lot of nasty stuff going on online. It’s easy to get sucked into reading or interacting with others you disagree with, but that also might be detrimental to your mental health. The hate comes from within them, and it isn’t worth your energy to engage with them. If you know there’s a forum, comments section or somewhere else where you’re likely to encounter hate, avoid it. 


Top contenders in Endpoint Security revealed: G2 Summer 2023 results

Navigating the world of endpoint security is challenging, with numerous vendors stoking “Fear, Uncertainty, and Doubt” (FUD) and making bold claims that are difficult to verify. In times like these, the honest opinions of real users are invaluable for busy IT teams.

Enter G2, an industry-leading peer-to-peer review site. Each quarter, G2 releases reports highlighting the products with the highest customer satisfaction and strongest market presence.

In the G2 Summer 2023 Grid Reports, Malwarebytes earned 19 “Leader” badges across five endpoint security categories (Antivirus, EDR, Endpoint Management, Endpoint protection platforms, Endpoint protection suites). We also received awards for the #1 spot in Endpoint Protection and the Easiest Setup for EDR, among many others.

Let’s take a closer look at how organizations evaluated solutions and what they said about using Malwarebytes.

#1 Endpoint Protection: Highest Rated for Results, Relationship, and More

Malwarebytes Endpoint Protection (EP), the essential foundation of our EDR and MDR offerings, won dozens of awards based on receiving the highest customer satisfaction score across a range of areas, including “Best Results,” “Best Support,” “Most Implementable,” and more.

Dashboard for Nebula, the cloud-hosted security platform for EP and EDR

For example, Malwarebytes EP won the “Best Results” badge (highest overall Results score) by having the highest combination of estimated ROI, meets requirements, and likelihood to recommend scores. What some of our customers had to say:

“Malwarebytes is easy to install and configure. It integrates with Windows 10 and runs silently in the background. Infection rate of Malware has dropped dramatically. If I run across a machine that has Malware, installing it cleans it up almost 100% of the time.”

Chris S.

“Malwarebytes was able to detect and block a virus that our previous AV was not able to. Wish we had moved to this product sooner.”

Robert S.

“I consider myself faithful to this software because Malwarebytes has taken me out of problems that other antivirus programs have not been able to solve. It is not a very heavy software and can run in the background without even noticing it thanks to the updates.”

Verónica M.

Customers also praised Malwarebytes for its friendly staff and exceptional support, for which we won the “Best Relationship” badge by having the highest combination of “Likely to Recommend,” “Ease of business,” and “Quality of Support” ratings.

Here’s what some of our customers had to say:

“The support team started us off on the right track by getting us up and running in no time. Any questions I had before and after setup were answered quickly and thoroughly.”

Gary P.

“Highly recommended, and their support team is the best you can ask for!”

Rifaat K.

Easiest To Use EDR

Our EDR solution, paired with our Vulnerability and Patch Management (VPM) modules, delivers an impressive return on investment by quickly enhancing your organization’s security posture. Malwarebytes EDR is designed to be both efficient and cost-effective, allowing your team to see the benefits of your investment immediately.

By focusing on ease of use, quick implementation, and powerful security features without requiring an IT security army, Malwarebytes ensures that your organization is maximizing resources and receiving the best ROI in the industry.

Malwarebytes had the best estimated ROI (payback period in months) in the enterprise Endpoint Management category, which evaluates products that help users keep track of devices in a system and ensure their software is secure and up to date.

“The best part about Malwarebytes is the set it and forget it. It has saved us so much time on deployment and remediation that it pays for itself in no time at all.”

Ron M.

“It keeps our working environment much more secure than our previous solution. Much easier to manage in real time. This thing is a money saver and pays for itself.”

Tyson B.

Most Implementable EDR: Seamless Setup and User-Friendly Experience

On the Enterprise Implementation Index for Endpoint Detection & Response (EDR) Malwarebytes EDR clutched the #1 spot. With a seamless setup process, your team can spend more time focusing on what matters most: protecting your organization from cyber threats. Here’s how we won:

  • Malwarebytes EDR has an Implementation Score several points higher than the industry average.
  • Ease of Setup: Malwarebytes EDR scores several points higher than the industry average in ease of setup.
  • Average User Adoption: Malwarebytes EDR scores several points higher than the industry average in user adoption rate. 

“The Nebula console is one of the most user-friendly interfaces we’ve come across. We can’t recommend it enough.”

Justin N.

“Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so it’s a win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.”

John K.

“If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.”

Mauro B.

“Very easy to install and deploy, setup, and configure – for instance – a 5 machine setup would take roughly ~10 mins from start to finish.”

Verified User

“Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings.”

Doug C.


Two options to easily begin deployment with your endpoint users in Nebula

Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense

Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation.

Try Malwarebytes EDR today and join the ranks of those who have already discovered the amazing results, support, ROI, and more of our exceptional endpoint security solutions.


Surveillance camera insecurities argument comes to one inevitable conclusion: Always update

Chinese-made surveillance cameras find themselves in a spot of controversy, after a BBC investigation uncovered flaws in devices during several brand tests.

Surveillance and webcam vulnerabilities are common, and we’ve covered them many times on our blog. What’s interesting about this story is that it’s being presented as some sort of potential threat to national security and infrastructure. From just one of the comments provided to the BBC:

“We’ve all seen the Italian Job in our youth, where you bring the whole of Turin to a halt through the traffic light system. Well, that might have been fiction then, it wouldn’t be now.”

All very dramatic, but we’ve yet to see The Italian Job play out in real life. Even so, cameras made by one firm, Hikvision, are used by many local councils across the UK, and to monitor Government buildings. If a device is vulnerable, it’s definitely worth establishing the scale of the problem. With this in mind, what kind of numbers are we talking about?

According to the BBC, a large-scale freedom of information campaign set in motion by Big Brother Watch tried to find out. No fewer than 4,510 Freedom of Information requests were filed with various public bodies between August 2021 and January 2022. 1,289 responses came back, with 806 of those confirming the use of Hikvision or Dahua cameras (Dahua being the other brand named by the BBC). Of the 806, 227 local councils and 15 police forces use Hikvision, and 35 local councils use Dahua.

That’s certainly a lot of cameras. What risk was discovered?

The BBC asked experts to try to compromise a Hikvision camera under test conditions, though specifics are hard to come by. Is “a test network with no firewall and little protection” an accurate reflection of a local council or Government network? And is it fair to blame the manufacturer for organisations not applying updates and patches dating back six years?

I ask this because the camera tested was six years old, and the flaw used against it dates from 2017. The testers describe it as “a back door that Hikvision built into its own products”, and estimate that somewhere in the region of 100,000 cameras online are “still vulnerable” to it. If that figure is right, a lot of organisations really are failing to update their devices.

Having compromised the Hikvision camera and gained access to its video feed, the testers then set out to reach a Dahua camera by breaking into the software that controls it. Once again they succeeded, and this time also gained access to the camera’s microphone.

In both cases, the vendors say they patched the vulnerabilities soon after the issues came to light. Hikvision went further and released an open letter to those responsible for the investigation. It reads:

To claim that this stunt has uncovered a security breach or an intentional backdoor in June 2023 is farcical. It sensationalises a problem that was already fixed to universally recognised CVE standards. Furthermore, this test has not been conducted on a typical network, but rather an unsecured one. This test simply cannot be characterised as representative of ‘the cameras lining our streets today’, which would be much better defended than the camera in this so-called ‘test’ the BBC have run.

It goes on:

Hikvision’s conduct with regards to this vulnerability has followed all internationally accepted standards of best practice. When made aware of the vulnerability in March 2017, Hikvision patched it in less than one week. The vulnerability – and Hikvision’s patch – were subject to further scrutiny in the US with the then-Chairman of the US House of Representatives Small Business Committee noting in a public hearing that Hikvision’s work with the US Department of Homeland Security on this vulnerability meant that any continuing issues resulting from unpatched equipment would lie with ‘small businesses that do not engage with the government or the DHS regularly’.

Going further, the Deputy Assistant Secretary for the US Department of Homeland Security Office of Cybersecurity and Communications said they ‘worked with the company’ to resolve the problem and that ‘standard practice was followed’. 

All in all, this one is a bit of a mess and likely won’t be untangled soon. Whether your own devices are brand new or a few years old, they’ll typically prompt you to perform an update. Whether you think years-old devices should be taken offline for safety reasons, or that organisations are solely responsible for their own security, one thing is certain: you can feel much more reassured that your own devices are safe by hitting that update button as soon as you possibly can. The one case the update button can’t help with is a device the vendor no longer supports at all; if no patch will ever arrive, replacing it, or keeping it off any network it doesn’t need to be on, is the only real fix.


Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


Why blocking ads is good for your digital health

Online content is largely powered and paid for by advertising. Almost every site you visit, every forum you browse, and even the online stores you buy from are an advert extravaganza, and they don’t just stop at showing cool offers for shirts at 50% off. The scaffolding the adverts sit on goes out of its way to track you, tie you to clicks, associations, and more. More adverts, tailored to your theoretical interests, then start to follow you around across other sites. Sometimes it’s not very sophisticated: ever searched for the one and only quarter height stepladder you’ll ever buy in your life? Congratulations, every advert is now a stepladder.

Sadly, dozens of stepladder adverts are far from your only concern. We’re going to explain why running an ad blocker is a good thing for your digital health, and highlight all of the ways things can go wrong with ads enabled.

Advertising is the biggest of businesses, with billions of ad impressions per month. Individual companies can rack up billions of impressions for their own ads alone, before you even try to figure out overall tallies. Disney and Amazon had a total of 40bn impressions between them in the first quarter of 2020, and Google is pretty much powered by advertising:

Google is an attention merchant that – in 2022 – generated over $224 billion (almost 80% of revenues) from ads (Google Search, YouTube Ads, and Network sites).

If you want some idea of the scale of advertising you’re subjected to on a daily basis, things are only moving up. Recent research by Lunio claims that, on average, people might have seen between 500 and 1,000 ads a day in the 1970s. By 2007, when adware vendors dropping ad-spewing installers were common and affiliate networks in meltdown were a daily occurrence, the estimate was 5,000. By 2021, it was an average of 6,000 to 10,000 per day.

You have adverts and pop ups on your phone. You have advertising on your video game console dashboard. There’s another batch of stepladder adverts on your desktop. Your IoT home hub either plays an occasional ad or is plugged into some other service you use to buy things from.

Your television? Well, it might be one of the upcoming models where the TV is free in return for built in adverts constantly playing on a smaller screen. This is probably as good a place as any to remind you to always read the small print, however:

Some of the most common types of advertising you’ll encounter include:

  • Pay per click (PPC). Advertisers pay publishers every time an advert is clicked.
  • Affiliate marketing. With this form of marketing, the creator of a product avoids taking up the marketing slack. Instead, it is essentially outsourced to others in the form of unique affiliate links or clickthroughs offered by apps or programs. If a sale is made, the affiliate earns commission money. There may be additional incentives on offer depending on the product.
  • Mobile ads. These are hugely popular in “free” games, where ads may be served by the app itself, or through an ad network used by the app. The links may also push further app installs onto your phone.

You’ll bump into others, but these are the three main areas of advertising which you’ll probably experience on a daily basis. They’re also a potential goldmine for scammers.

PPC is one of the oldest forms of advertising. Bogus ad clicking tools that artificially inflate revenue have been around forever, to various degrees of sophistication. Basic forms of malware are programmed to autoclick ads detected on websites. Other enterprising individuals concoct ways of manually clicking ads in ways which would not look suspicious to the advertisers.

Affiliate advertising is where much of the ad network chaos takes place. Back in the adware vendor days, rogue ad campaigns using malware, exploits, or fake products to make adware cash would be shut down after much outrage. The adware vendor would make a lot of noise about “rogue affiliates” and claim it wasn’t their fault. The next day everything would go back to the same routine, and the adware vendors would carry on pretending they were somehow free of blame. Sometimes they were sued into the ground and abandoned the adware life; other times the evidence of their dubious antics was on display for all to see.

Even now, in the case of rogue advertising involving malware (malvertising) there’s often an affiliate component to the “your PC is now compromised” pipeline. You’ll encounter it in many ways:

  • Rogue sponsored adverts which sit above organic results in services like Google and Yahoo! search engines. These links may imitate brands or other services to entice you to click
  • Fake adverts embedded on websites. These also mimic popular brands to drive clicks
  • Compromised websites which may look like a familiar service, but every link offered up is potentially harmful to your PC

The ads in search engine results which look as though they resolve to legitimate sites like Amazon can also be harmful. This is because advertisers can display a brand’s official URL in the ad snippet even when the URL the ad actually sends you to has nothing to do with the brand. From there you could be sent to a phishing page, a fake tech support site, or worse. Below you can see an example of a supposedly genuine sponsored ad which actually leads to a fake Amazon login.

Ad assets
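The mismatch described above, between the brand domain an ad shows and the domain the click actually lands on, can be checked mechanically: follow the click URL through its redirect chain and compare the registrable domain (eTLD+1) of the final page with the registrable domain of the displayed URL. The following is an added example, not code from the original article; the redirect chain, the `.test` domains and the ad objects are constructed sample data, and `MULTI_LABEL_SUFFIXES` is a tiny stand-in for the real Public Suffix List.

```javascript
// Added example, not code from the original article: flag sponsored search ads
// whose displayed brand domain does not match where the click actually lands.
// Assumptions: the redirect chain is supplied as an in-memory map built from
// constructed sample data; a real checker would issue the requests itself and
// follow HTTP 3xx responses without executing any page content.

// Tiny stand-in for the Public Suffix List, enough for the sample data below.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

// Reduce a hostname to its registrable domain (eTLD+1), e.g. a.b.example.co.uk -> example.co.uk
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  const take = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// Follow redirects with a hop limit and loop detection, returning the final URL.
function resolveLanding(startUrl, redirects, maxHops = 10) {
  const seen = new Set();
  let current = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (seen.has(current)) throw new Error(`redirect loop at ${current}`);
    seen.add(current);
    const next = redirects.get(current);
    if (next === undefined) return current; // no further redirect: this is the landing page
    current = next;
  }
  throw new Error(`more than ${maxHops} redirects from ${startUrl}`);
}

// Compare the brand domain shown in the ad snippet with the real landing domain.
function checkSponsoredAd(ad, redirects) {
  const displayed = registrableDomain(new URL(ad.displayUrl).hostname);
  const landingUrl = resolveLanding(ad.clickUrl, redirects);
  const landing = registrableDomain(new URL(landingUrl).hostname);
  return { displayed, landing, landingUrl, mismatch: displayed !== landing };
}

// Constructed sample data (hypothetical .test domains): ad 1 shows amazon.com but
// bounces through an ad network to a look-alike login page; ad 2 really goes to Amazon.
const SAMPLE_REDIRECTS = new Map([
  ['https://ads.example-network.test/click?id=1', 'https://t.example-network.test/r?u=2'],
  ['https://t.example-network.test/r?u=2', 'https://amazon-login.example-phish.test/signin'],
  ['https://ads.example-network.test/click?id=2', 'https://www.amazon.com/'],
]);
const SPOOFED_AD = { displayUrl: 'https://www.amazon.com', clickUrl: 'https://ads.example-network.test/click?id=1' };
const HONEST_AD = { displayUrl: 'https://www.amazon.com', clickUrl: 'https://ads.example-network.test/click?id=2' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkSponsoredAd(SPOOFED_AD, SAMPLE_REDIRECTS)); // mismatch: true, landing: example-phish.test
  console.log(checkSponsoredAd(HONEST_AD, SAMPLE_REDIRECTS));  // mismatch: false
}
```

The comparison is done on registrable domains rather than full hostnames so that `www.amazon.com` and `smile.amazon.com` count as the same brand, while `amazon-login.example-phish.test` does not. The hop limit and loop check matter in practice: ad networks routinely chain several trackers, and a malicious chain can loop or never terminate.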

Exploits are often a key component of malvertising attacks, and without the right protection on board you may realise too late that something has gone badly wrong.

On top of all this, we have the previously mentioned tracking going on under the hood. Web beacons are used to monitor activity on a website. Tracking cookies shared by multiple services constantly build up a picture of what you’ve done. So-called “shadow profiles” are used to track the activity of people who don’t even use a particular service.

Finally, we have the issue of speed. Lots of ads, tracking, and page elements being served up from different points of origin can all contribute to slowing down your browsing. You’ve almost certainly experienced the “thrill” of a website serving up the ads before the content at some point. This often happens because the ads are served from dedicated content delivery networks (CDNs). Their purpose is to get the ad in front of you as fast as possible, which can mean ads are the first thing you see. While your connection is (probably) a lot better now than it was five years ago, this can still cause issues in some cases…and who wants adverts to be the first thing they see on a page anyway?

As you may have gathered, it’s the marketing Wild West out there. It’s also worth noting that sites such as YouTube are now experimenting with detecting ad blockers, and preventing users from viewing videos until their ad blocker is turned off.

So what can we do about it?

  • Pick the right browser for your needs. Increasingly, browsers offer more options to specify a level of tracking and advertising that you’re comfortable with. Back in 2020, Safari started blocking third-party tracking cookies by default. Firefox has gone down the path of per-site cookie jars, called “Total Cookie Protection”, which prevents tracking across websites. Google, meanwhile, keeps delaying the sunsetting of third-party cookies in Chrome.
  • Extend your options. On the subject of browsers, most will allow you to install extensions to increase your blocking capabilities. Some browsers like Opera include their own ad blocker by default which can be enabled in two clicks. You can also try Malwarebytes Browser Guard, which filters out ads and scams as well as blocking trackers that spy on you.
  • Beware shady blockers. You’ll sometimes see fake blockers riding on the coat tails of legitimate products. You may also run into websites or services which claim to dodge ad blocker detection, but serve up spam or surveys. Always do some research on anything you plan to install. Reviews and store rankings can help with this.
  • Tackle the scripts. It’s not “just” ads on the surface level. You also need to consider the tracking scripts, cookies, and everything else happening invisibly. Ensure your setup allows for taking care of third party ad tracking.
  • Things will break. A note of caution: Blocking scripts or other functionality can break some websites. You’ll need to customise your settings in these situations. Some products integrate ads into the actual structure of a product, so removing or blocking will break the product. Tablet games where you’re granted a new life by watching an ad, for example. There may not be much you can do when this happens. Use the product as is, or cut your losses and move on.
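To make the “extend your options”, “tackle the scripts” and “things will break” points concrete, and to show what the third-party tracking mentioned earlier looks like to a blocker, here is an added example: a minimal network-filter engine using a subset of the AdBlock Plus / uBlock Origin filter syntax. It is not code from the original article or from any ad-blocker project, and the supported subset (host-anchored `||host^` rules, plain substring rules, `*` wildcards, `@@` exception rules and the `$third-party` option) is an assumption of this example; real engines support much more. The filter list and the `.test` domains are constructed sample data.

```javascript
// Added example, not code from the original article or from any ad-blocker
// project: a minimal network-filter engine using a subset of the AdBlock Plus /
// uBlock Origin filter syntax, showing how a blocker decides whether an ad or
// tracker request goes through. Assumed subset: "||host^" host-anchored rules,
// plain substring rules, "*" wildcards, "@@" exception rules and the
// "$third-party" option. Real engines also handle resource types, element
// hiding, regex filters, redirects and scriptlets.

// Tiny stand-in for the Public Suffix List, enough for the sample data below.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

// Reduce a hostname to its registrable domain (eTLD+1). A request is "third-party"
// when its registrable domain differs from the page's.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  const take = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// Parse one filter line into { exception, thirdPartyOnly, regex, source }, or null.
function parseRule(line) {
  let text = line.trim();
  if (text === '' || text.startsWith('!')) return null;   // blank line or comment
  const exception = text.startsWith('@@');
  if (exception) text = text.slice(2);
  let thirdPartyOnly = false;
  const dollar = text.lastIndexOf('$');
  if (dollar !== -1) {                                   // "$opt1,opt2" options suffix
    thirdPartyOnly = text.slice(dollar + 1).split(',').includes('third-party');
    text = text.slice(0, dollar);
  }
  let re = '';
  if (text.startsWith('||')) {                           // anchor at a hostname label boundary
    re += '^[a-z]+://([^/?#]*\\.)?';
    text = text.slice(2);
  } else if (text.startsWith('|')) {                     // anchor at start of URL
    re += '^';
    text = text.slice(1);
  }
  const endAnchor = text.endsWith('|');
  if (endAnchor) text = text.slice(0, -1);
  for (const ch of text) {
    if (ch === '*') re += '.*';
    else if (ch === '^') re += '(?:[^a-zA-Z0-9_.%-]|$)';  // ABP "separator": any non-URL char or end
    else re += /[A-Za-z0-9_-]/.test(ch) ? ch : '\\' + ch;  // everything else is a literal
  }
  if (endAnchor) re += '$';
  return { exception, thirdPartyOnly, regex: new RegExp(re, 'i'), source: line.trim() };
}

function compileList(listText) {
  return listText.split('\n').map(parseRule).filter((r) => r !== null);
}

// Decide one request. Exception rules win over blocking rules regardless of order.
function shouldBlock(rules, requestUrl, pageUrl) {
  const thirdParty = registrableDomain(new URL(requestUrl).hostname) !==
                     registrableDomain(new URL(pageUrl).hostname);
  let blockedBy = null;
  for (const rule of rules) {
    if (rule.thirdPartyOnly && !thirdParty) continue;
    if (!rule.regex.test(requestUrl)) continue;
    if (rule.exception) return { block: false, thirdParty, rule: rule.source };
    if (blockedBy === null) blockedBy = rule.source;
  }
  return { block: blockedBy !== null, thirdParty, rule: blockedBy };
}

// Constructed sample list with hypothetical .test domains, not a real filter list.
const SAMPLE_LIST = `
! ad network, blocked everywhere
||ads.example-network.test^
! tracking pixel: blocked only when embedded on someone else's site (third-party)
||beacon.example-tracker.test^$third-party
! ad loader scripts on a CDN; note the wildcard also catches "admin.js"
||example-cdn.test/ad*.js
! generic path rule ...
/ads-manager/
! ... and a site-specific exception so the shop's own ads dashboard keeps working
@@||shop.example.test/ads-manager/*
`;
const RULES = compileList(SAMPLE_LIST);

if (typeof require !== 'undefined' && require.main === module) {
  const page = 'https://news.example.test/article';
  console.log(shouldBlock(RULES, 'https://ads.example-network.test/banner.js', page));     // block: true
  console.log(shouldBlock(RULES, 'https://beacon.example-tracker.test/pixel.gif', page));  // block: true (third-party)
  console.log(shouldBlock(RULES, 'https://shop.example.test/ads-manager/app.js', 'https://shop.example.test/')); // block: false (exception)
}
```

Two things worth noticing. The `$third-party` rule lets the same tracking pixel load on the tracker's own site but not when it is embedded on a news site, which is exactly the cross-site behaviour the earlier tracking paragraph describes. And the `/ads-manager/` rule shows how blocking breaks things: it also catches a shop's legitimate ads dashboard, so the list needs an `@@` exception for that site. Wildcard over-matching (`ad*.js` swallowing `admin.js`) is the other common source of breakage.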

Malwarebytes protects against annoying ads and scams while blocking trackers that spy on you.
