
A week in security (May 1 – 7)

Last week on Malwarebytes Labs:


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Microsoft vs Google spat sees users rolling back security updates to fix browser issues

We like to imagine we’re in total control of our desktop experience, carefully curated to look and work the way we want it to. However, every so often a story comes along which reminds us how little control we have when the big players notice one another’s existence. A recent Windows update really wants you to use Edge instead of rival browsers, to the extent that some features in those rival browsers are breaking.

A lot of people will only ever use Microsoft’s default Edge browser to download another browser they’d rather use. Last year, Chrome made some changes to how you go about making it your default browser, after you’ve downloaded it with Edge. One “Default” button to press, and boom…your default browser is set to Chrome without having to dig around in your system settings.

This is how things should work, and for a while they did! As Gizmodo notes, this was not to be the case for long.

Microsoft released update KB5025221 last month, and users of Chrome quickly began to flag peculiar experiences. From a Reddit user:

If Chrome is set as the default browser, clicking on the link shortcut will open the link in chrome, but also open the Windows settings on the default apps. Anyone know where this behaviour comes from? It doesn’t happen if we change the default browser to Edge.

Elsewhere, we have a thread about how someone’s 600 business devices all exhibit the same behaviour:

Opening chrome causes default app settings to open each and every time. After today’s cumulative update for Windows 10 and 11, 2023-04, every time I open Chrome the default app settings of windows will open. I’ve tried many ways to resolve this without luck. This is happening to all 600 systems with the update. Removing the update makes the issue go away. Anyone else having this issue? This does not occur when opening edge or brave browser, only Chrome for us.

A quick glance at the replies illustrates that Todd isn’t the only one impacted, as well as presenting the solution:

Good morning Todd, We’re having the same issue through our organization as well. We’re on Windows 10 machines and pushed updates the last couple days. Many machines here seeing the issue. We may have just found a fix. Remove the Security Update KB5025221 and restart, this removes the problem. Looks to have fixed several machines just these last few minutes. May need to block KB5025221 until it’s reissued.

Yes, to prevent this behaviour you had to make a decision on removing cumulative security updates. What did KB5025221 offer users? That would be fixes for no fewer than “ten issues that could lead to crashes, compatibility problems, and bugs in the operating system”. Would people really want to gamble by removing such a thing in order to prevent the aggravating system popups when opening Chrome?

It seems not, looking at the various replies to threads on this posted to Reddit and elsewhere. Informing users of the reason for the popups was the more sensible course of action on display. Even so, the mere possibility of people considering removing security updates to fix browser wars (intentional or otherwise) is a terrible position to find yourself in. Even without having to decide what to keep or remove because competing programs on your desktop may be having a fist fight, there are other aspects at play.

Way back in 2004, adware giants Direct Revenue went head to head in a court of law with ad company Avenue Media. The spectacularly named article “Adware cannibals feast on each other” describes how adware vendors thirsty for profit battled for desktop supremacy. The infamous Direct Revenue was accused of detecting the presence of rivals and attempting to uninstall them from PCs. This involved killing a competitor’s program and deleting registry entries to prevent it coming back to life. Indeed, from the Direct Revenue user agreement:

You further understand and agree, by installing the software, that the software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer.

Considering just one Direct Revenue product like Aurora could make a system keel over, the last thing you’d want is half a dozen competing products all playing whack-a-mole with registry entries and who knows what else.

This is, of course, an extreme example from a very extreme time. Aggravating system popups and browser frustrations are not on the same level. Pondering update rollbacks, however, could direct us to such a place by means of another route. It’s to everyone’s benefit if these battles don’t spark the digital touch paper.

For now, Chrome’s default button has been removed as a result of this most recent Windows update. All this, on top of aggravating pop-up messages, space-hogging adverts, and overly complicated user actions being required just to make a decision. We’ll have to wait and see what happens next in the battle of the browsers. It’s not quite at the “whoever wins, we lose” stage, but it’s hard to argue a case where any of this benefits the people using these products.



Google and Apple cooperate to address unwanted tracking

Google and Apple have announced that they are looking for input from industry participants and advocacy groups on a draft specification to alert users in the event of suspected unwanted tracking. Samsung, Tile, Chipolo, eufy Security, and Pebblebee have stated that they will support the specification in future products.

The specification will consist of a set of best practices and protocols for accessory manufacturers whose products have built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Google’s expected Grogu.

The basic principle of these tags is that anyone with the matching app and permissions on their device (usually a phone) helps establish the last location where the tag was detected. The idea is that you attach a tag to the objects you are afraid of misplacing or losing, such as your keys, your laptop, or even your car, and when you need to find the object you can look in the app and see where it last made contact with a device. This type of contact is usually made over Bluetooth.

After several complaints and reports that these tracking devices were used to track people rather than to find lost objects, some states introduced bills to ban the use of trackers to aid stalking. But a bill doesn’t stop those who had criminal intentions anyway. Nor do these bills stop the car thieves who planted AirTags on expensive cars so they could find the cars at home, where they were less well protected.

Apple and Google’s specification aims to set a standard for apps that can detect and warn users about Bluetooth trackers and, if needed, tell the user how to disable them. The alliance between the two tech giants ensures that this can be done from Android phones and iPhones. Earlier, Apple introduced an app called “Tracker Detect” which made it possible to look for item trackers that are separated from their owner and that are compatible with Apple’s Find My network. The proposed specification would allow users to find Bluetooth trackers of various vendors in pretty much the same way.

The draft for the “Datatracker” specification says that the goal is to help protect the privacy of individuals from unwanted tracking by location-tracking accessories.

“Location-tracking accessories provide numerous benefits to consumers, but, as with all technology, it is possible for them to be misused. Misuse of location-tracking accessories can result in unwanted tracking of individuals or items for nefarious purposes such as stalking, harassment, and theft. Formalizing a set of best practices for manufacturers will allow for scalable compatibility with unwanted tracking detection technologies on various smartphone platforms and improve privacy and security for individuals.”

The best practices outlined in the specification are aimed at location-enabled accessories that are small, not easily discoverable, and use Bluetooth Low Energy (LE) as the transport protocol. Interested parties are invited and encouraged to review and comment over the next three months. Following the comment period, Google and Apple will partner to address feedback and will release a production implementation of the specification for unwanted tracking alerts by the end of 2023 that will then be supported in future versions of Android and iOS.
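The detection side of this is easy to picture as a heuristic over the sightings a phone already records. The block below is an added example, not code from the draft specification or from either vendor: it takes a constructed log of Bluetooth LE sightings (time, advertised tracker identifier, the phone’s own GPS fix), ignores the user’s own tags, and flags any other tracker that has travelled with the user across several distinct places over a long enough period. The thresholds (three places, 60 minutes, 500 m clustering radius) are assumptions for illustration.

```python
"""Simplified unwanted-tracker detection over a constructed Bluetooth LE sighting log."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Sighting:
    """One Bluetooth LE advertisement heard by the phone (constructed record)."""
    minute: int       # minutes since the log started
    tracker_id: str   # identifier the accessory advertised
    lat: float        # phone's own GPS fix at that moment
    lon: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    earth_radius_m = 6_371_000.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_m * asin(sqrt(a))


def distinct_places(sightings: Iterable[Sighting], radius_m: float) -> int:
    """Greedy count of sighting clusters that lie more than radius_m apart."""
    centres: List[Sighting] = []
    for s in sightings:
        if all(haversine_m(s.lat, s.lon, c.lat, c.lon) > radius_m for c in centres):
            centres.append(s)
    return len(centres)


def flag_unwanted_trackers(
    log: Iterable[Sighting],
    own_trackers: Set[str],
    min_places: int = 3,
    min_minutes: int = 60,
    radius_m: float = 500.0,
) -> Dict[str, Dict[str, int]]:
    """Return {tracker_id: {"minutes": span, "places": n}} for trackers that are
    not ours and have followed us across several places over time.

    Thresholds are assumptions for this example, not values from the draft spec.
    """
    by_id: Dict[str, List[Sighting]] = {}
    for s in log:
        by_id.setdefault(s.tracker_id, []).append(s)

    flagged: Dict[str, Dict[str, int]] = {}
    for tracker_id, seen in by_id.items():
        if tracker_id in own_trackers:
            continue  # the user's own tags are expected to follow them around
        seen.sort(key=lambda s: s.minute)
        span = seen[-1].minute - seen[0].minute
        places = distinct_places(seen, radius_m)
        if span >= min_minutes and places >= min_places:
            flagged[tracker_id] = {"minutes": span, "places": places}
    return flagged


# Constructed sample: three places a few kilometres apart (lat, lon).
HOME, OFFICE, CAFE = (51.5000, -0.1200), (51.5100, -0.0900), (51.5050, -0.1000)

SAMPLE_LOG = [
    Sighting(0,   "OWN-KEYS", *HOME),    # the user's own key tag
    Sighting(0,   "UNK-1",    *HOME),    # unknown tag, already present at home
    Sighting(0,   "UNK-3",    *HOME),    # a neighbour's tag, only ever seen at home
    Sighting(60,  "OWN-KEYS", *OFFICE),
    Sighting(60,  "UNK-1",    *OFFICE),  # ...and it came to the office
    Sighting(90,  "UNK-3",    *HOME),
    Sighting(120, "OWN-KEYS", *CAFE),
    Sighting(120, "UNK-1",    *CAFE),    # ...and to the cafe: flagged
    Sighting(120, "UNK-2",    *CAFE),    # someone else's tag, seen once
]

OWN_TRACKERS = {"OWN-KEYS"}


if __name__ == "__main__":
    for tid, info in flag_unwanted_trackers(SAMPLE_LOG, OWN_TRACKERS).items():
        print(f"possible unwanted tracker {tid}: {info['places']} places over {info['minutes']} min")
```

A tag seen repeatedly at one place (a neighbour’s) or once in passing (a stranger’s in a cafe) never trips the check; only the tag that moved with the user does.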



Apple releases first Rapid Security Response update for iOS, iPadOS, and macOS users

On Monday, Apple released its first batch of Rapid Security Response (RSR) patches, iOS 16.4.1 (a), iPadOS 16.4.1 (a), and macOS 13.3.1 (a), for iPhone and iPad, and macOS devices, respectively.

RSR is a new type of software patch delivered between Apple’s regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They’re meant to make the deployment of security improvements faster and more frequent. According to an Apple notice about RSRs, the new updates “may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist ‘in the wild’.”

Think of it as the company’s version of Microsoft’s out-of-band (OOB) patches.


“When a Rapid Security Response has been applied, a letter appears after the software version number, as in this example: macOS 13.3.1 (a),” the notice said, giving users a glimpse of how RSR versioning works.

Apple introduced Rapid Security Response updates with the launch of iOS 16, iPadOS 16, and macOS Ventura at its Worldwide Developers Conference last summer. Devices allow automatic RSR patching by default, but the company provided its users with the option to disable it. You can visit this Apple Support page to learn how you can do this on iPhone, iPad, and Mac.

If you do disable RSR, you will still receive security fixes as part of Apple’s regular software updates, just as you did previously. However, not getting a quick fix when it’s available could leave your device vulnerable to in-the-wild exploits.

Apple began testing RSR last year with its beta testers. Monday’s patches were the first to be released to the public. Some users reported they couldn’t install the updates, even when devices successfully downloaded the patches, but that problem seems to have been resolved now, according to The Verge.

The company also didn’t make clear what security fixes RSR for iOS, iPadOS, and macOS addressed, since there were no notes released for them. Moving forward, Apple will only make RSR available to all devices running the latest version of iOS, iPadOS, and macOS.
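Two details above matter for anyone tracking patch state across a fleet: the RSR letter that follows the version number, and the fact that RSRs only go to devices on the latest OS version. The block below is an added example, not Apple’s or Malwarebytes’ code: it parses labels such as “macOS 13.3.1 (a)”, ranks “no letter” below “(a)” below “(b)”, and classifies each device as current, missing the RSR, or behind the base release (and so unable to receive an RSR at all). The device inventory is constructed.

```python
"""Fleet check for Apple OS versions carrying a Rapid Security Response letter."""
import re
from typing import Dict, List, Optional, Tuple

# "macOS 13.3.1 (a)": OS name, dotted base version, optional RSR letter in parentheses.
VERSION_RE = re.compile(
    r"^(?P<os>iOS|iPadOS|macOS)\s+(?P<base>\d+(?:\.\d+)*)(?:\s*\((?P<rsr>[a-z])\))?$"
)


def parse_version(label: str) -> Tuple[str, Tuple[int, ...], Optional[str]]:
    """Split a label into (os, base tuple padded to 3 parts, rsr letter or None)."""
    m = VERSION_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised Apple version label: {label!r}")
    base = tuple(int(part) for part in m["base"].split("."))
    base += (0,) * (3 - len(base))   # "13.3" compares as 13.3.0
    return m["os"], base, m["rsr"]


def rsr_rank(letter: Optional[str]) -> int:
    """No response applied ranks below (a), which ranks below (b), and so on."""
    return 0 if letter is None else ord(letter) - ord("a") + 1


def patch_status(reported: str, latest: str) -> str:
    """Classify one device against the latest release for the same OS.

    Returns one of: current, missing-rsr, behind-base, ahead.
    A device behind the base release cannot receive RSRs until it updates,
    because Apple ships them only for the latest OS version.
    """
    os_r, base_r, rsr_r = parse_version(reported)
    os_l, base_l, rsr_l = parse_version(latest)
    if os_r != os_l:
        raise ValueError(f"OS mismatch: {os_r} vs {os_l}")
    if base_r < base_l:
        return "behind-base"
    if base_r > base_l:
        return "ahead"
    if rsr_rank(rsr_r) < rsr_rank(rsr_l):
        return "missing-rsr"
    return "current"


# Latest labels as named in the article; the device inventory below is constructed.
LATEST = {"iOS": "iOS 16.4.1 (a)", "iPadOS": "iPadOS 16.4.1 (a)", "macOS": "macOS 13.3.1 (a)"}

SAMPLE_INVENTORY = [
    ("mac-01", "macOS 13.3.1 (a)"),   # current, RSR applied
    ("mac-02", "macOS 13.3.1"),       # right base release, RSR not yet applied
    ("mac-03", "macOS 13.2.1"),       # behind: will not be offered the RSR
    ("phone-01", "iOS 16.4.1 (a)"),
    ("phone-02", "iOS 16.3"),
    ("pad-01", "iPadOS 16.4.1"),
]


def fleet_summary(inventory: List[Tuple[str, str]], latest: Dict[str, str]) -> Dict[str, List[str]]:
    """Group device names by patch status."""
    summary: Dict[str, List[str]] = {}
    for name, label in inventory:
        os_name, _, _ = parse_version(label)
        summary.setdefault(patch_status(label, latest[os_name]), []).append(name)
    return summary


if __name__ == "__main__":
    for status, names in fleet_summary(SAMPLE_INVENTORY, LATEST).items():
        print(f"{status:12s} {', '.join(names)}")
```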

RSRs aren’t the only recent innovation that should make it harder for criminals to exploit Apple devices. On April 21, we reported on Citizen Lab’s investigation into the effectiveness of Apple’s Lockdown Mode, a feature designed to provide a safer environment for users at a higher risk from targeted attacks, such as those developed by NSO Group, the company behind the notorious spyware Pegasus, and QuaDream. NSO Group is known to take advantage of 0-day vulnerabilities. RSRs should improve protection further by allowing Apple to patch those 0-days immediately after they’re discovered.



Newspaper evades Russian censors, hides news in Counter-Strike map

A Finnish newspaper is making clever use of popular video game titles to promote press freedom and bypass Russian media restrictions regarding the invasion of Ukraine. The plan: Hide a secret room underneath a map, which players can stumble upon and see facts, figures, and photographs of what’s been going on.

The map is a custom built design intended to be used in the game Counter-Strike: Global Offensive, playable via the Steam platform. We decided to take a look at how effective this is in practice, and what’s contained in the hidden room.

Is this the part where I fire up my ancient Counter-Strike account? It sure is.

Finding the map

First things first. The map is a custom build, not designed by the game developers. How do you find it? The answer is to visit the game’s Workshop page. This is where custom-made content for eligible games on Steam can be found, from maps and weapons to in-game objects or playable characters, depending on the title.

The Most Popular Maps panel on the Counter-Strike: Global Offensive Workshop page

The map, de_vonya, currently displays as the most popular map of the week so it’s off to a good start. The map description says:

On the surface, it seems like a normal Slavic city. However, there might be something hidden underneath.

If you click on the map to open its page, and then hit the green “Subscribe” button, the map will be available next time you load up the game.

Finding the room

Counter-Strike is a team based first person shooter, where small teams race to complete objectives. I haven’t played in years, so I took the easy way out and set up a custom game with the only other combatants being bots. Playing against other people would be a surefire way to make a mess of this exploratory adventure.

The central idea of this map is to accidentally stumble upon the room containing the free press style content. In practice, this proves to be rather difficult.

The first problem: You can’t access the secret room unless you’re dead (don’t worry, I’ll come back to this). While playing normally, the door remains resolutely shut no matter what you try.

The door to the secret room
The door to the secret room can’t be opened if you’re alive

“How do I access the room when I’m dead,” you say? Well, when you die in Counter-Strike you can watch your teammates or you can float around the whole map and take in all of the action. In this state, you have no collision detection. In other words, players who are still alive will stop moving if they walk into an object like a wall. While dead, you’re essentially a floating camera and will pass right through it.

The second problem: Counter-Strike rounds are short, around a couple of minutes. They’re short enough with bots, but with actual humans playing, everything can be over very quickly indeed. Even with bots set to the easiest difficulty, three rounds had ended before I eventually found the room.

The third problem: Flying around the map is not entirely helpful with regard to finding the room. Counter-Strike makes use of a game design element called skyboxes. A skybox is something which acts as a distant background in the game you’re playing. Imagine a big cube wrapped around the level you’re in, with the sky (or something else altogether) projected on it. No skybox, no background. The world around you would just be a black void.

If the level you’re on has a small or “low” skybox, you’ll run into problems when trying to find a hidden secret. Want to fly up and take in a bird’s eye view of the map? The moment you fly too high up, the screen goes blank (or at least blue coloured, in this level’s case).

As a result, the “best” way to find the hidden room is to float around slightly underneath the floor and look for some flashing lights. If you manage to do this before the level ends prematurely, you’ll be able to locate and enter the room.

Flashing lights indicate where the room is
Flashing lights indicate the presence of the room

Inside the room

The room itself is made up of several areas of information, with a main table located in the middle.

One wall reads:

COUNTERSTRIKE OF THE FREE PRESS. This room contains independent journalism that is forbidden in Russia

A message written on a wall reads "COUNTERSTRIKE OF THE FREE PRESS"

A message on a wall reads "This room contains independent journalism that is forbidden in Russia"

A sign on one wall states “Russian strikes on civilian targets 2022-2023,” above a map highlighting strike locations, next to several photographs of the damage inflicted.

A wall map allegedly shows Russian strikes on civilians

One wall of monitors and overturned TV screens states “Russians left behind mass graves in Bucha and Irpin”, along with images of said actions.

Screens show images of mass graves in Bucha and Irpin

All very powerful. It is somewhat bizarre to look at a wall of photographs and text which reads “Missile strikes: he went to buy food, she and her child were killed in their home” as the game flashes up a message about the last round of Counter-Strike saying “Terrorists win. MVP: BOT Yanni for most eliminations”, though.

Counter-Strike announces the end of the round

This is certainly an innovative way to bypass Russia’s media restrictions. One has to wonder if it would be a lot easier to simply have the secret room’s door open, especially as one team starts the level right next to it.

If you go looking for the room, be warned that some of the images are graphic. We’ve blurred some elements of the above screenshots that you may find disturbing, including dead bodies and body parts. While Steam Workshop has policies in place for individual items like characters or weapon skins, we can’t find anything for maps. Could players with an objection to the map’s existence cause it to be removed from Steam? Possibly.

It’s likely we’ll see more maps along these lines, especially as regular map makers see the idea and decide to run with it. Could Russia ultimately ban a game like Counter-Strike over this? Also possible, but I suspect (for now at least) very unlikely.



The one and only password tip you need

OK, it’s time for me to keep a promise.

Back in October 2022, I wrote an article called Why (almost) everything we told you about passwords was wrong. The article summarizes how a lot of what you’ve been told about passwords over the years was either wrong (change your passwords as often as your underwear), misguided (choose long, complicated passwords), or counterproductive (don’t reuse passwords).

Most damningly of all, the vast effort involved in dispensing this advice over decades has generated little discernible improvement in people’s password choices. If it hasn’t quite been a wasted effort, it has certainly represented a galactically inefficient use of resources.

We know that this advice isn’t what it’s cracked up to be thanks to intrepid researchers, such as the folks at Microsoft Research, who made it their business to discover what actually makes a difference to password security in the real world, and what doesn’t.

If you want the full, three-course meal version of why all the password advice you’ve been told stacks up to much less than the sum of its parts you can read the original article. Here’s the snack version:

How strong, long, and complicated your password is almost never matters in the real world. The most common type of password attack is credential stuffing, which uses passwords stolen in data breaches. It works because it’s so common for people to reuse the same password in two places and it is completely unaffected by password strength. The next most common attack is password spraying, where criminals use short lists of very simple passwords on as many computers as possible. In both situations a laughably simple but unique password is good enough to defeat the attack.

There are rare types of attack—offline password guessing—where a strong password might help, but the trade-off is that strong passwords are far harder for people to remember, which leads them to use the same password for everything, which makes them much more vulnerable to credential stuffing. Notebooks are a really good, simple solution to the password reuse problem, but for years people were ridiculed for using them. Password managers are also a good solution but they are much harder to use than notebooks and a majority of people don’t use them, and don’t trust them, despite years of positive press and advocacy.

OK, back to the promise I mentioned.

As somebody who has done his fair share of dispensing this kind of advice, I ended my Why (almost) everything we told you about passwords was wrong article with a mea culpa in the form of a promise. Never again would I dish out laundry lists of things you should do to your password. I would instead focus my energy on getting you to do one thing that really can transform your password security, which is using two-factor authentication (2FA):

So, from now on, my password advice is this: If you have time and energy to spare, find somewhere you’re not using 2FA and set it up. If you do I promise never to nag you about how weak your passwords are or how often you reuse them ever again.

Well, today is World Password Day, and it’s time to make good on that promise. I was asked to write a list of password tips, so here they are:

  • Set up 2FA somewhere.

To explain why I’m all-in for 2FA I can’t do any better than quote Microsoft’s Alex Weinert from his 2019 article, Your Pa$$word doesn’t matter. (He calls it MFA but he means the same thing, I’ll explain why lower down).

Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.

Yes, he wrote 99.9%, and he wasn’t exaggerating. 2FA defeats credential stuffing, password spraying, AND password reuse, AND a bunch of other attacks.

Even if you don’t know what 2FA is, you’ve probably used it. If you’ve ever typed in a code from an email, text message or an app alongside your password you’ve used 2FA.

In the real world, 2FA just means “do two different things to prove it’s you when you log in”. One of those things is almost always typing a password. The other thing is often typing a six-digit code you get from your phone, but it might also be responding to a notification on your phone or plugging in a hardware key (a small plastic dongle that plugs into a USB port and does some fancy cryptographic proving-its-you behind the scenes).

2FA is very widely supported and any popular website or app you use is likely to offer it. In an ideal world those sites and apps would take responsibility for your security and just make 2FA a mandatory part of their account setup process. Unfortunately, we don’t live in an ideal world, and the tech giants that know better than anyone else how much 2FA can protect you have left it for you to decide if you need it.

To make your life a little harder still, they also give it different names. You’ve already met MFA, which means multi-factor authentication, while Google, WhatsApp, Dropbox, Microsoft, and others brand their version of 2FA with a slightly altered name: two-step verification (2SV).

If you have a choice, the best form of 2FA is a password and hardware key, but you’ll need to buy a hardware key. They are worth the small investment and not nearly as intimidating as they can seem.

If you aren’t ready for that, the next best form of 2FA uses an app that prompts you with a notification on your phone. Next best after that is 2FA that uses a code from an app on your phone, and the least good version of 2FA uses a code sent over SMS.

However, don’t let anyone tell you any form of 2FA is “bad.” It’s all relative. Adopt any one of them and you can safely ignore the rest of the password advice you were probably ignoring already.

To help you get started, here are links to the 2FA setup instructions for the five most visited websites:



How small businesses can secure employees’ mobile devices

Fact: 77% of organizations are convinced they’re capable of protecting their mobile devices—smartphones, tablets, and laptops (including Chromebooks)—from cybersecurity threats.

Another fact: A third of those organizations aren’t protecting their mobile devices at all.

And that matters—in its Mobile Security Index 2022 report, Verizon reported that 45 percent of businesses suffered a major mobile-related compromise with lasting repercussions.

The increase in companies’ reliance on mobile devices that began with the pandemic persists today. Many employees are working on their mobile devices more, so it follows that more mobile devices (53 percent) have access to sensitive data than before the pandemic. We recognize how critical such devices are to our work, and yet, confident or not, we continue to treat their defense against cyberattacks like an afterthought.

So what can small business owners do to quickly turn things around?

Start by recognizing that the mobile space has become a battleground, so protecting it is a must. And then, develop a mobile security policy that touches on essentials for securing employee mobile devices.

A cybersecurity policy is essentially a high-level plan detailing how a company will protect its physical and digital assets. In the context of mobile devices, that means protecting the sensitive data they store and have access to, and stopping non-employees from physically accessing such devices.

The policy doesn’t have to be complicated or perfect, but it must be solid and effective. The document must evolve with changing technologies and attack trends to prevent it from becoming outdated. For a policy to be effective, it should clearly and explicitly state responsibilities for the organization and its employees.

Here’s a list of some organizational duties you might want to include in your mobile security policy, to help you get started.

  • Use a mobile device management (MDM) platform. IT teams use MDM to provision, deploy, and manage mobile devices. It allows an administrator to perform remote tasks, such as troubleshooting and wiping devices after a theft. More importantly, an MDM can be used to enforce strong password practices and deploy software updates.
  • Use a mobile endpoint security solution to provide real-time protection to employee devices.
  • Ensure employees use a VPN to connect to the company network. Your small business may have adopted a working scheme that allows employees to work anywhere. In this case, it’s vital to encrypt data in transit, so you don’t have to worry about your employees using public Wi-Fi.
  • Use FIDO2 two-factor authentication (2FA). FIDO stands for Fast Identity Online, a globally-recognized standard for passwordless authentication. Employees using mobile devices to read their emails are particularly vulnerable to phishing. Unlike other forms of 2FA, FIDO2 devices can’t be phished.
  • Set clear Bring Your Own Device (BYOD) guidelines, explaining whether employees are allowed to use their personal devices for work and what their obligations are if they do.
  • Educate employees on best practices for mobile security. Employees are your first line of defense—arm them with the tools and know-how they need to fulfill their role.

By creating a strong mobile security policy, a small business is better placed to prevent cyberattacks, and better prepared should one occur.

Good luck!



AI-powered content farms start clogging search results with ad-stuffed spam

A recent study by NewsGuard, trackers of online misinformation, makes some alarming discoveries about the role of artificial intelligence (AI) in content farm generation. If you’ve previously held your nose at the content mill grind, it’s probably going to become a lot more unpleasant.

Content farms are the pinnacle of search engine optimisation (SEO) shenanigans. Take a large collection of likely underpaid writers, set up a bunch of similar looking sites, and then plaster them with adverts. The sites are covered with articles expressly designed to float up to the top of search rankings, and then generate a fortune in ad clicks.

If you’ve ever searched for something and walked into a site which spends about 4 paragraphs slowly describing your question back to you before (maybe) answering it, congratulations. I share your pain.

The worst part about this kind of content production is that in recent years many otherwise legitimate sites now write like this too. The pattern to look out for is as follows:

  • A paragraph or two describing your problem back to you as if you’re ten years old.
  • A paragraph break with a large advert.
  • Another 3 paragraphs which may or may not answer your question.

On top of that, sites don’t just populate with reasonable, genuine questions. They now fill up with ludicrous questions, or answer the questions badly. Not only is garbage like this unhelpful itself, it also keeps you away from the good stuff.

This is the current state of play before we throw AI-generated content into the mix. What did NewsGuard find?

49 news and information sites which appear to be “almost entirely written by artificial intelligence software”. There’s a broad spread of languages used on these sites, ranging from Chinese and Tagalog to English and French. This helps ensure the content is being seen by as many people as possible, as well as clogging up search engines that little bit more. Some of the key points:

  • Lack of disclosure of ownership / control, making it hard to assess bias or possible political leanings.
  • Topics include entertainment, finance, health, and technology.
  • “Hundreds of articles per day” published on some of the sites.
  • False narratives are pushed by some of the sites.
  • High advertising saturation.
  • Generic names like “News Live 79” and “Daily Business Post”.

As for the actual written content itself, it is said to be filled with “bland language and repetitive phrases”. This is one of the key indicators of AI-generated content. Additionally, many of the sites began publishing just as the various content creation AI tools, tools like ChatGPT, started to be used by the public. Quite a coincidence!

Other strong indicators include:

  • Phrases in articles which are often used by AI in response to prompts. One example given is “I am not capable of producing 1500 words… However, I can provide you with a summary of the article”.
  • No bylines given for authors. Reverse image searches for a handful of supposed authors reveal that images have been scraped from other sources.
  • Generic and incomplete About Us or Privacy Policy pages, some of which even link to About Us page generation tools.

If a smoking gun was even required at this point, the dead giveaway would be the inclusion of actual error messages produced by AI text generation tools. One example, from an article published in March of this year, includes the following text:

“As an AI language model”, and “I cannot complete this prompt”.
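The indicators above (leaked tool boilerplate, bland repetitive phrasing, missing bylines, undisclosed ownership) are mechanical enough to turn into a first-pass triage score, which is roughly what an ad-policy or abuse team would want before a human review. The block below is an added example, not NewsGuard’s method or any ad network’s policy engine: the phrase list comes from the article, the weights and the 20% trigram-repetition threshold are assumptions, and both sample articles are constructed.

```python
"""Heuristic triage of an article for the AI-content-farm indicators NewsGuard describes."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Phrases the article lists as leaking from text-generation tools into published copy.
AI_BOILERPLATE = (
    "as an ai language model",
    "i cannot complete this prompt",
    "i am not capable of producing",
    "i can provide you with a summary",
)


def boilerplate_hits(text: str) -> List[str]:
    """Return the tool phrases found in the text (case-insensitive)."""
    lower = text.lower()
    return [phrase for phrase in AI_BOILERPLATE if phrase in lower]


def repetition_ratio(text: str, n: int = 3) -> float:
    """Share of word n-grams that occur more than once: a crude 'repetitive phrases' signal."""
    words = re.findall(r"[a-z']+", text.lower())
    grams = [tuple(words[i:i + n]) for i in range(len(words) - n + 1)]
    if not grams:
        return 0.0
    counts = Counter(grams)
    repeated = sum(c for c in counts.values() if c > 1)
    return repeated / len(grams)


def score_article(article: Dict[str, object], repetition_threshold: float = 0.2) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one article record. Weights are assumptions for this example."""
    score, reasons = 0, []
    text = str(article["text"])
    hits = boilerplate_hits(text)
    if hits:
        score += 3  # an actual error message in published copy is the strongest signal
        reasons.append("tool boilerplate: " + "; ".join(hits))
    ratio = repetition_ratio(text)
    if ratio > repetition_threshold:
        score += 1
        reasons.append(f"repetitive phrasing ({ratio:.0%} of trigrams repeat)")
    if not article.get("byline"):
        score += 1
        reasons.append("no byline")
    if not article.get("ownership_disclosed", False):
        score += 1
        reasons.append("ownership not disclosed")
    return score, reasons


# Constructed samples: one farm-style article, one ordinary reported piece.
FARM_ARTICLE = {
    "text": ("As an AI language model, I cannot complete this prompt. "
             "The best credit cards are the best credit cards for you. "
             "The best credit cards are the best credit cards for you."),
    "byline": "",
    "ownership_disclosed": False,
}
HUMAN_ARTICLE = {
    "text": "Our reporter visited the plant on Tuesday and spoke with three engineers about the outage.",
    "byline": "J. Doe",
    "ownership_disclosed": True,
}


if __name__ == "__main__":
    for name, article in (("farm", FARM_ARTICLE), ("human", HUMAN_ARTICLE)):
        score, reasons = score_article(article)
        print(f"{name}: score {score}; " + ("; ".join(reasons) or "no indicators"))
```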

Despite this, site owners remain cautious about admitting to any use of AI to produce the content farm rings. In April of this year, NewsGuard attempted to get some answers from the websites as to who, or what, is creating the content. The results are not encouraging.

Of the 49 sites studied, NewsGuard contacted the 29 sites which included some form of contact details. Two sites confirmed use of AI, 17 did not respond, eight provided invalid contact details, and two didn’t answer the questions provided.

Since the story broke, Google has removed adverts from some pages across the various sites flagged. Ads were removed completely from sites where the search giant found “pervasive violations”. Although two dozen sites were reported to be making use of Google’s ad services, the use of AI-generated content is “not inherently a violation” of ad policies.

Nonetheless, given the content created is likely to be low value and little more than clickbait, it seems likely that this kind of site is not long for Google’s ad world. A number of other ad-based organisations pulled their ads when contacted by Bloomberg. Even so, this is very much a game of whack-a-mole with the SEO spammers in the driving seat.

It’s very likely we’ll see campaigns like the above dedicated to other unpleasant online activities. What if the spam-filled SEO magnet sites churn out endless content to lure visitors to phishing pages? Or bogus sign-up forms? It’s not a stretch to imagine dozens of sites fired out by AI generators linking to fake downloads and bogus browser extensions.

As many people have noted in the above linked articles, the high speed and low cost of generation here are key to getting bad things online as quickly as possible. When you can register sites in bulk and have the AI bots filling all of them with a text firehose, the fear is that advertising networks and abuse departments may not be able to keep up. All this happened in the same week that AI “Godfather” Geoffrey Hinton left Google, warning of the dangers posed by rogues misusing AI.

If you run an advertising division, now is probably a very good time to check if AI-generated content is addressed by your policies and update accordingly. Just don’t run it through an AI first.

World Password Day must die

The continued existence of World Password Day is a tell that something has gone badly wrong in cybersecurity.

Now in its tenth year, the day is supposed to act as an annual reminder for people to follow good password hygiene: Don’t reuse passwords; use long passwords; no, longer passwords than that; use a collection of random words; no, not those words; use a phrase; use a collection of phrases; don’t forget the weird characters; etc., etc.

This is bad. Critical technology should not require an annual pep talk to function correctly. There is no annual “how to avoid nuclear meltdown” day.

And make no mistake, password authentication is critical technology. It is the bedrock on which security is built. Fail at authentication and it doesn’t matter how “military-grade” your encryption is or if you patch twice a day before flossing, you’re toast.

The existence of World Password Day is a symptom of two problems.

The first is that password authentication is a terrible design. Its success hinges on humans being good at something humans are really bad at: Creating and remembering long strings of random characters.

In an environment where users must now remember about 100 passwords each, it is impossible to use passwords well without assistance. The only chance you have of making it work is to outsource the “creating and remembering” part you’re really bad at to a computer, in the form of some password management software.

Password managers are great—apart from where they aren’t, like when you’re logging in to Windows—but from what we can tell, most people still don’t use password managers, and those who do are almost certainly the most security-aware among us; in other words, the folks who need their help the least.

And when I write “impossible” I am not being hyperbolic. You cannot remember 100 different, strong passwords. You just can’t. Almost all of us run into serious problems juggling fewer than ten. (If you’re still doubtful, read Why (almost) everything we told you about passwords was wrong; it’s got more details and links to the research.)

The second problem is that for too long we made passwords a problem for users to solve instead of a problem for IT or security. Dispersing the responsibility like this created an enormous headache that has consumed untold resources. A system is only as strong as its worst password choice, but we almost never know what the worst choice is or who made it. That creates a situation where improving security rests on our ability to improve every single user in the hope that we’ll reach the worst.

Attempts to level up users often boil down to edicts about how to do passwords better, such as making sure each password includes a mixture of uppercase and lowercase letters, and that passwords are not reused.

It’s like we asked the janitor to configure the firewall rules and then tried to fix our terrible mistake by having a firewall expert constantly lecture the janitor about not messing up the firewall.

Repeated password breaches over decades—which show us real users’ password choices—suggest that these edicts are having little effect. This shouldn’t be a surprise. Reusing passwords and making passwords simpler may be bad for security, but they make perfect sense if your most pressing problem is working out how to juggle an unmanageably large portfolio of passwords.

Our experiment in shifting responsibility and blame to users hasn’t worked. Ransomware gangs routinely rely on phished, stolen, or guessed passwords to break into corporate networks through VPNs or remote desktops, causing untold damage and disruption.

The good news is that while there isn’t much we can do about problem number one, number two was a choice, and it’s a choice we can un-make. There is another way, but it requires a shift in mindset.

Instead of thinking about how to get users to choose stronger passwords, businesses should focus on protecting themselves from users’ poor password choices instead.

The most powerful way to do this is to remove passwords entirely. Thankfully, after decades of false starts, a slew of technologies like Apple’s Touch ID, Windows Hello, and FIDO2 has appeared that now make this a viable option in a number of areas.

Passwords are going to be with us for a long time yet though, so we still need ways to cope with bad ones where passwordless authentication is unavailable.

Where you can’t abandon passwords, the next best option is multi-factor authentication (MFA). In 2019, Microsoft’s Alex Weinert wrote that “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

MFA comes in different flavors and your choice of flavor makes a difference: Hardware keys are better than push notifications from an app, which are better than One-Time Password (OTP) codes from an app, which are better than OTP codes over SMS. But the improvements that come in the steps between the different forms of MFA are incremental. The step between MFA of any kind and no MFA at all is transformational.

More than any other choice or technology, MFA puts the responsibility for password security back into the hands of IT and security specialists where it belongs.

There are other measures, too. When you go to an ATM you don’t have to type in a 14-character password with eight quattuordecillion (that’s a number with 45 zeroes at the end of it) possible combinations to get your money—a 4-digit PIN with a paltry 10,000 possible combinations will do.

Why? Because the ATM isn’t going to give an attacker 10,000 chances to guess the correct PIN, it’s going to give them three, and then it’s going to eat the card. The same thing happens on your iPhone. Six wrong guesses and you’re on the naughty step. Ten wrong guesses and your data can self-destruct.

No normal user is going to make hundreds of guesses at their password before phoning support, so take a leaf out of your bank’s playbook and give your users a handful of chances to enter their password correctly.

Like MFA, account lockouts allow users to stay secure even with truly awful password choices. (After all, EVERY 4-digit PIN is a terrible password choice.)
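The ATM logic described above, a small number of attempts followed by a lockout, is straightforward to implement on the verifier side. The following is an added example written for this roundup, not code from the article or from any vendor: a per-account attempt counter with a temporary lockout, an injectable clock so the expiry can be tested, and a helper that puts a number on why the limit matters. The user record, the PBKDF2 parameters and the attempt and lockout values are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ROUNDS = 100_000  # assumed value for the example


def _make_record(password: str) -> dict:
    """Constructed user record: salted PBKDF2-HMAC-SHA256 hash of the password."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)}


# Constructed user store with a single account.
USERS = {"alice": _make_record("correct-horse-battery-staple")}


def verify_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["hash"])


class LoginGuard:
    """Gives each account a handful of attempts, then locks it for a while,
    the way an ATM swallows the card after three wrong PINs."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 900, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so tests can move time forward
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Lock expired: forget it and start the failure count afresh.
        del self._locked_until[user]
        self._failures[user] = 0
        return False

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'rejected' or 'locked'. The password is not checked
        at all while the account is locked, so the lock cannot be used as a
        guessing oracle and even the right password is refused until it expires."""
        if self.is_locked(user):
            return "locked"
        if verify_password(user, password):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= self.max_attempts:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return "locked"
        return "rejected"


def guess_success_probability(attempts_allowed: int, keyspace: int) -> float:
    """Chance that a blind guesser wins with a fixed number of tries: with three
    tries against 10,000 PINs it is 3/10,000, however weak the PIN."""
    return min(attempts_allowed, keyspace) / keyspace


if __name__ == "__main__":
    guard = LoginGuard(max_attempts=3, lockout_seconds=60)
    for pw in ("guess1", "guess2", "guess3", "correct-horse-battery-staple"):
        print(pw, "->", guard.attempt("alice", pw))
    print("blind guess, 3 tries of 10,000:", guess_success_probability(3, 10_000))
```

A production deployment would keep the counters in shared storage rather than process memory, log lock events for the SOC, and consider rate limiting per source address as well as per account, so that an attacker spraying one password across many accounts does not slip under a per-account limit.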

In the interests of defense in depth, businesses may still want to ensure that users are making strong passwords, or at least avoiding weak ones. Here, the thinking has changed in the last decade, and that change is enshrined in the National Institute of Standards and Technology (NIST) Digital Identity Guidelines.

Forcing people to create passwords to a formula, insisting on at least one uppercase letter, at least one special character, etc., is out. And so are periodic password resets. Both are far more effective at annoying users than they are at improving security.

Instead, NIST says, it’s more effective to simply stop users choosing known bad passwords, such as passwords that have appeared in breaches or that are based on dictionary words.
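What a NIST-style check looks like in practice: a length floor and a blocklist, with no composition rules, so “P@ssw0rd” is rejected because it is a trivially disguised breached password while a long passphrase with no symbols passes. This is an added example, not code from the article or from NIST; the breached and dictionary sets are tiny constructed stand-ins for the large corpora a real verifier would load, and the casefolding and leetspeak folding before lookup are choices made here rather than requirements of the guidelines.

```python
import unicodedata

# Constructed blocklists. A real deployment would load a breached-password
# corpus of tens of millions of entries and a dictionary; these few entries
# only show the mechanism.
BREACHED = {"password", "123456", "12345678", "qwerty", "letmein", "welcome1", "iloveyou"}
DICTIONARY = {"dragon", "monkey", "football", "sunshine"}

# Common substitutions folded back before lookup (0->o, 1->l, 3->e, 4->a, @->a, $->s).
_LEET = str.maketrans("0134@$", "oleaas")


def normalize(pw: str) -> str:
    """NFKC-normalize and casefold so 'PassWord' and 'password' compare equal."""
    return unicodedata.normalize("NFKC", pw).casefold()


def deleet(s: str) -> str:
    """Fold common substitutions so 'P@ssw0rd' is caught by the 'password' entry."""
    return s.translate(_LEET)


def looks_sequential(s: str) -> bool:
    """All one character, or a straight ascending/descending run ('aaaa', '1234', 'dcba')."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({0}, {1}, {-1})


def check_password(pw: str, context_words=()) -> list:
    """SP 800-63B style check: minimum length, blocklist, context words,
    repeated/sequential characters. Deliberately no 'one uppercase, one
    symbol' rules. Returns the reasons for rejection; empty means accepted."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    n = normalize(pw)
    if n in BREACHED or deleet(n) in BREACHED:
        reasons.append("appears in breached-password list")
    if n in DICTIONARY or deleet(n) in DICTIONARY:
        reasons.append("is a dictionary word")
    for word in context_words:
        if word and normalize(word) in n:
            reasons.append("contains a word tied to the account or service")
            break
    if looks_sequential(n):
        reasons.append("repeated or sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "12345678", "Dragon"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
    print(repr("jsmith2024"), "->", check_password("jsmith2024", context_words=("jsmith", "acme")))
```

Note that the check never caps length or bans spaces and symbols, in line with the guidance to let users pick long passphrases, and that the rejection reasons are meant to be shown to the user so they can try again rather than being left to guess what was wrong.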

If you are going to insist on strong passwords, please make a password manager part of the standard software suite on all your organization’s machines, and make sure employees actually know how to use it. Many users simply don’t trust password managers, and unless you’ve sat with somebody using one for the first time, you may not appreciate how difficult it can be for people to make sense of them.

The measures I’ve suggested in this article are not interchangeable or equally effective: You should start at the top and work down. If you do that, you can improve password security, remove the need for toothless edicts, and perhaps we can finally get rid of these annual pep talks.

Google Authenticator WILL get end-to-end encryption. Eventually.

Following criticism, Google has decided to bring end-to-end encryption (E2EE) to its Google Authenticator cloud backups. The search giant recently introduced a feature that allows users to back up two-factor authentication (2FA) tokens to the cloud, but the lack of encryption caused some commentators to warn people off using it.

Google Authenticator is an authenticator app used to generate access codes, called one-time passwords (OTPs). These OTPs are only valid for a short period and are generated on demand. They serve as an additional form of authentication by proving that you have access to the device generating the OTP. Google Authenticator is one of the most well-known authenticators. Although it’s made by Google it’s not limited to Google’s own services, but can also be used with Facebook, Twitter, Instagram, and many more.

On April 24, 2023, Google announced an update across both iOS and Android, which added the ability to safely back up the secrets used to generate OTPs to your Google Account. This allows users to create a backup which they can use if their device is lost, stolen, or damaged. Since OTPs in Google Authenticator were previously only stored on a single device, a loss of that device locked you out of any service where you used it to log in.

Shortly after the new feature was rolled out, Mysk’s security researchers advised against turning on the new feature. They analyzed the network traffic that occurs when the app syncs the secrets, and found out that the traffic was not end-to-end encrypted. This would mean that in case of a data breach or if someone obtains access to your Google Account, all of your OTP secrets would be compromised, and they would be able to generate OTPs as if they were you.

The likelihood of someone stealing the secret seeds from Google’s servers is relatively small, but since it is better to be safe than sorry and one less problem is always welcome, users asked Google to add a passphrase to protect the secrets. This would introduce an extra safeguard that makes them accessible only to their owner.

Google’s primary objection to this method was that it heightens the risk of users getting completely locked out of their own data. This means that if you lost your device and the passphrase, you would lose all access to your accounts.

Google Group Product Manager Christiaan Brand tweeted that end-to-end encryption (E2EE) will be made available for Google Authenticator down the line, but they are rolling out this feature carefully.

According to Google, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves. But, if you want to try the new Authenticator with Google Account synchronization, simply update the app and follow the prompts.
