IT NEWS

Fake security researchers push malware files on GitHub

Researchers from VulnCheck have observed a campaign using real security researchers as bait for malware. The campaign goes to some lengths to appear genuine, using fake profiles, downloads, websites, and bogus GitHub profiles, to paint a convincing picture of security professionals offering up exploit code for popular programs.

The campaign included a network of fictitious Twitter accounts posing as employees of a firm called “High Sierra Cyber Security”. The Record notes that several photographs of real security researchers working at well known firms were misused in the campaign.

The tale begins in May of this year, with the discovery of a malicious GitHub repository claiming to be for a zero-day attack for the Signal messaging app. This bogus offering was taken down, but the group behind the page were determined to stick around.

New downloads were offered, but this time in the guise of the previously mentioned security entities. Every High Sierra Cyber Security account claiming to offer exploits for well known products was actually offering up malicious repositories harbouring malware. The supposedly exploitable products included Chrome, Discord, and Exchange. All popular programs, and guaranteed to grab the attention of anyone interested in the security space.

The people behind this leaned heavily into social media to make it all look real, promoting their “finds” on networks such as Twitter. This was a risky gambit for the creators of this malware scam. While it added legitimacy to the overall gameplan, it ran the risk of someone realising that one of the security researchers actually worked somewhere else. This is indeed exactly what happened, and more researchers were identified from the stolen images as the days went by.

The GitHub pages also leaned into social aspects, making use of popular tags like “discordapp”, “cve”, and “rce-exploits” to draw more potential victims in to look at the rogue pages. They must have known that using tags like that would guarantee actual security researchers taking a look and saying “Wait a minute…”

While the GitHub pages are all now offline, the fake Twitter accounts are still live. VulnCheck notes that if you’ve interacted with any of the GitHub pages and Twitter accounts listed on its advisory, you may have been compromised if you downloaded and executed the files.

The GitHub accounts and repositories discovered by VulnCheck are as follows:

GitHub Accounts

  • github.com/AKuzmanHSCS
  • github.com/RShahHSCS
  • github.com/BAdithyaHSCS
  • github.com/DLandonHSCS
  • github.com/MHadzicHSCS
  • github.com/GSandersonHSCS
  • github.com/SSankkarHSCS

Malicious Repositories

  • github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
  • github.com/MHadzicHSCS/Chrome-0-day
  • github.com/GSandersonHSCS/discord-0-day-fix
  • github.com/BAdithyaHSCS/Exchange-0-Day
  • github.com/RShahHSCS/Discord-0-Day-Exploit
  • github.com/DLandonHSCS/Discord-RCE
  • github.com/SSankkarHSCS/Chromium-0-Day

If any of the above look familiar, or if you recognise any of the usernames from their matching Twitter accounts, it may well be time to run some security scans on your PC. It’s not unusual for security researchers themselves to be targeted by scams and attacks. If nothing else, it’s a major win for malware authors and people up to no good: the bigger the target’s name, the better.
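One way to check "does any of this look familiar" mechanically rather than by eye is to compare the remotes of every git checkout on a machine against the accounts and repositories above. The script below is an added example written for this roundup, not VulnCheck's or Malwarebytes' tooling; the IoC list is copied from the article, and the `.git/config` sample it ships with is constructed.

```python
"""Check local git remotes against the GitHub IoCs from the VulnCheck report.

Added example, not code from VulnCheck or Malwarebytes. The account and
repository names are the ones listed in the article; SAMPLE_CONFIG is a
constructed .git/config used for the demo, not a real checkout.
"""
import os
import re
import sys

MALICIOUS_ACCOUNTS = {
    "AKuzmanHSCS", "RShahHSCS", "BAdithyaHSCS", "DLandonHSCS",
    "MHadzicHSCS", "GSandersonHSCS", "SSankkarHSCS",
}
MALICIOUS_REPOS = {
    "AKuzmanHSCS/Microsoft-Exchange-RCE",
    "MHadzicHSCS/Chrome-0-day",
    "GSandersonHSCS/discord-0-day-fix",
    "BAdithyaHSCS/Exchange-0-Day",
    "RShahHSCS/Discord-0-Day-Exploit",
    "DLandonHSCS/Discord-RCE",
    "SSankkarHSCS/Chromium-0-Day",
}
_ACCOUNTS_LC = {a.lower() for a in MALICIOUS_ACCOUNTS}
_REPOS_LC = {r.lower() for r in MALICIOUS_REPOS}


def github_owner_repo(url):
    """Return (owner, repo) for a GitHub remote in any common form, else None.

    Accepts https://github.com/o/r(.git), git@github.com:o/r(.git),
    ssh://git@github.com/o/r and a bare github.com/o/r.
    """
    u = url.strip()
    changed = True
    while changed:  # peel scheme and user prefixes until none is left
        changed = False
        for prefix in ("https://", "http://", "ssh://", "git://", "git@"):
            if u.lower().startswith(prefix):
                u = u[len(prefix):]
                changed = True
    u = u.replace(":", "/", 1)  # github.com:owner/repo -> github.com/owner/repo
    parts = u.rstrip("/").split("/")
    if len(parts) < 3 or parts[0].lower() != "github.com":
        return None
    owner, repo = parts[1], parts[2]
    if repo.lower().endswith(".git"):
        repo = repo[:-4]
    return owner, repo


def classify(url):
    """'repo' for a listed repository, 'account' for a listed owner, else None."""
    parsed = github_owner_repo(url)
    if parsed is None:
        return None
    owner, repo = parsed
    if f"{owner}/{repo}".lower() in _REPOS_LC:
        return "repo"
    if owner.lower() in _ACCOUNTS_LC:
        return "account"
    return None


_URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)", re.MULTILINE)


def remote_urls(config_text):
    """Extract every 'url = ...' value from the text of a .git/config file."""
    return _URL_LINE.findall(config_text)


def scan_tree(root):
    """Walk root, read each .git/config found and return (repo_dir, url, kind) hits."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            try:
                with open(os.path.join(dirpath, "config"), encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for url in remote_urls(text):
                kind = classify(url)
                if kind:
                    hits.append((os.path.dirname(dirpath), url, kind))
            dirnames[:] = []  # no need to descend into .git internals
    return hits


# Constructed sample: one listed repository and one unrelated remote.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = git@github.com:MHadzicHSCS/Chrome-0-day.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "upstream"]
\turl = https://github.com/example-org/legit-tool.git
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for repo_dir, url, kind in scan_tree(root):
        print(f"{kind.upper():7} {repo_dir}  <-  {url}")
```

Run it with the directory you keep checkouts under as the only argument. An `account` hit means a remote points at one of the listed owners even if the repository name differs, which matters because the repositories were renamed and re-uploaded during the campaign.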

However, it’s not quite as common to see security researchers themselves used as a way to infect others online. This is a valuable reminder to always check code you download before executing it. If in doubt, ask someone more familiar with whatever it is you’re trying to do. As a general rule, “download this cool exploit for popular program X” tends to not work out very well for the person or organisation downloading it.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

LockBit ransomware advisory from CISA provides interesting insights

The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, France, and New Zealand (CERT NZ and NCSC-NZ) have all published a joint Cybersecurity Advisory about LockBit.

To help organizations understand and defend against this global threat and its large number of unconnected LockBit affiliates, the advisory titled Understanding Ransomware Threat Actors: LockBit includes:

  • A list of approximately 30 freeware and open-source tools used by LockBit actors
  • Over 40 of their TTPs mapped to MITRE ATT&CK
  • Observed common vulnerabilities and exposures (CVEs) used for exploitation
  • An evolution of LockBit RaaS (Ransomware as a Service) along with worldwide trends and statistics
  • Resources and services available from authoring agencies and recommended mitigations to help protect against the worldwide LockBit activity

The advisory points out that in 2022, LockBit was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on its data leak site.

This confirms Malwarebytes’ findings that LockBit is the most active Ransomware-as-a-Service operator. In our monthly Ransomware Reviews, LockBit often ranks top for victim count, although Cl0p is a close rival. Cl0p has switched to a different modus operandi, where the gang acquires a vulnerability in popular business tools, develops an exploitation method, and then uses it on every vulnerable instance it can find. Because of this, its attacks come in waves, while LockBit is more constant.

One of the advantages of being a RaaS operator is the diversity of attack vectors that the initial access brokers (IABs) bring to the table. Some specialize in malspam, while others use known vulnerabilities against organizations that are behind on patches, or try to brute force Internet-facing systems like VPNs, RDP, or SSH. So when one affiliate has a bad month, another is likely to compensate.

This variety has another downside for the defenders. The advisory states:

“Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.”

A disadvantage of operating a RaaS model is the mutual trust it requires. Among anonymous criminals, that must prove to be an exceptional challenge, which is very likely the reason why many other RaaS operators like DarkSide and Avaddon shut down.

The geographical distribution of the IABs is also grounds for some remarkable differences. Some of the participating countries provided their own statistics for LockBit’s share in ransomware attacks, with Australia noting that in the last year the gang made up 18% of total reported ransomware incidents. In Canada (22%) and New Zealand (23%), LockBit was responsible for over one in every five attacks in 2022.

France said 11% of the attacks it has seen since 2020 involved LockBit. In the US, however, the main target of almost every commercial ransomware group, LockBit is responsible for 16% of attacks on public entities, which include municipal and county governments, public higher education and K-12 schools, as well as vital services like law enforcement agencies.

The advisory also provides long lists of the legitimate tools, vulnerabilities, tactics, and techniques deployed by the LockBit affiliates. As we said, due to the number (over 100) and diversity of the affiliates these lists are long and subject to change. 

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Update Chrome now! Google fixes critical vulnerability in Autofill payments

Google has released a Chrome update which includes five security fixes. One of these security fixes is for a critical vulnerability in Autofill payments.

Google labels vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. 114.0.5735.130/.131 for Android will become available on Google Play over the next few days.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Image: Chrome displays the Relaunch button to complete the update.

After the update, your version should be 114.0.5735.133 for Mac and Linux, and 114.0.5735.133/134 for Windows, or later.

The critical vulnerability

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVE patched in these updates is listed as CVE-2023-3214: Use after free in Autofill payments in Google Chrome prior to 114.0.5735.133 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Google is always very careful about providing information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the vulnerability description we can learn a few things.

The Autofill payments function is to automatically enter payment details in online forms.

Use after free (UAF) is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

A remote attack means that this vulnerability could potentially be exploited by tricking the user into visiting a specially crafted website.

Whether all this actually means that vulnerable Chrome versions will spill payment details on such a website remains to be seen, but it’s not the unlikeliest of scenarios.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Microsoft fixes six critical vulnerabilities in June Patch Tuesday

It’s that time of the month again: We’re looking at June’s Patch Tuesday roundup. Microsoft has released its monthly update, and compared to previous months, it’s actually not so bad. No actively exploited zero-days and only six critical vulnerabilities.

So, we’ll have the luxury of going over those in some more detail.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVEs patched in these updates are:

CVE-2023-29357 (CVSS score: 9.8 out of 10): a Microsoft SharePoint Server Elevation of Privilege (EoP) vulnerability. Successful exploitation could provide an attacker with administrator privileges. For the exploitation, the attacker needs no privileges nor do they require user interaction.

The Microsoft advisory states:

“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user.”

JWT (JSON Web Token) is a token-based, stateless authentication mechanism. Basically, the identity provider generates a JWT that certifies the user’s identity, and the resource server decodes the token and verifies its authenticity using a shared secret key or a public key.
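To make the verification step concrete, here is a minimal HS256 issuer and verifier, added for this roundup using only the Python standard library; it is not Microsoft's, SharePoint's or any JWT library's code, and the keys and claims in it are constructed. It runs a token signed with a key the server never agreed to (the spoofed case), a token whose claims were edited after signing, and an expired token through a verifier that does every check a resource server must do.

```python
"""HS256 JWT issue/verify: what "decodes and verifies the authenticity" means.

Added example using only the Python standard library; it is not Microsoft's,
SharePoint's or any JWT library's code. KEY, OTHER_KEY and the claims are
constructed for the demo. A resource server that skips any check in
verify_jwt() is, in effect, accepting a spoofed token.
"""
import base64
import hashlib
import hmac
import json
import time

KEY = b"demo-shared-secret-not-for-production"  # constructed: issuer and server share it
OTHER_KEY = b"key-the-server-never-agreed-to"   # constructed: what an outsider signs with


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims, key):
    """Identity-provider side: sign base64url(header).base64url(claims)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token, key, now=None):
    """Resource-server side: return the claims or raise ValueError.

    Order matters: pin the algorithm before touching the signature (a header
    claiming alg=none must not switch verification off), compare the HMAC in
    constant time, and only then trust the claims enough to check exp.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))  # base64/JSON errors are ValueErrors
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def demo(now=1_700_000_000):
    """Feed a correct verifier four tokens and report what it does with each."""
    claims = {"sub": "alice", "role": "reader", "exp": now + 300}
    good = issue_jwt(claims, KEY)
    # Signed with a key the server never issued: the spoofed-token case.
    spoofed = issue_jwt({**claims, "role": "admin"}, OTHER_KEY)
    # Genuine signature, but the claims were edited after signing.
    head, _, sig = good.split(".")
    tampered = ".".join([head, _b64url_encode(json.dumps({**claims, "role": "admin"}).encode()), sig])
    expired = issue_jwt({**claims, "exp": now - 1}, KEY)
    results = {}
    for name, token in (("good", good), ("spoofed", spoofed), ("tampered", tampered), ("expired", expired)):
        try:
            results[name] = verify_jwt(token, KEY, now)["role"]
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9} {outcome}")
```

The point of the ordering inside `verify_jwt()` is that the header is attacker-controlled until the signature has been checked, so the server decides which algorithm it accepts rather than reading that decision out of the token.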

CVE-2023-29363 (CVSS score: 9.8 out of 10): a Windows Pragmatic General Multicast (PGM) Remote Code Execution (RCE) vulnerability.

PGM is a reliable and scalable multicast protocol that enables receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is a receiver-reliable protocol, which means the receiver is responsible for ensuring all data is received, absolving the sender of reception responsibility. It is mainly used for delivering multicast data such as video streaming or online gaming.

CVE-2023-32014 (CVSS score: 9.8 out of 10): another PGM RCE vulnerability.

CVE-2023-32015 (CVSS score: 9.8 out of 10): another PGM RCE vulnerability.

For all the PGM vulnerabilities, Microsoft points out that: when Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.

The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine.
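Checking for that listener from a script rather than by eye, as an added example (not Microsoft tooling): the function parses the column layout of Windows `netstat -an` output for TCP sockets in the LISTENING state on port 1801, in both the IPv4 and IPv6 rows. The sample output it ships with is constructed; run the script without arguments on a Windows host to check the live output instead.

```python
"""Spot a listening Message Queuing port (TCP 1801) in netstat output.

Added example, not Microsoft tooling. SAMPLE_NETSTAT is constructed; the
live path shells out to `netstat -an`, which on Windows prints the
Proto / Local Address / Foreign Address / State columns parsed below.
"""
import subprocess
import sys

MSMQ_PORT = 1801  # TCP port the article says Message Queuing listens on


def listening_sockets(netstat_text, port):
    """Return local 'addr:port' strings that are LISTENING on the given port."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Header, blank and UDP rows (3 fields, no state) are skipped here.
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, state = fields[1], fields[3]
        if state.upper() != "LISTENING":
            continue
        # IPv6 locals look like [::]:1801, so take the text after the last ':'
        if local.rsplit(":", 1)[-1] == str(port):
            hits.append(local)
    return hits


def msmq_exposed(netstat_text):
    """True when anything is listening on the Message Queuing port."""
    return bool(listening_sockets(netstat_text, MSMQ_PORT))


# Constructed sample of `netstat -an` on a host with Message Queuing enabled.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
  TCP    [::]:1801              [::]:0                 LISTENING
  UDP    0.0.0.0:3527           *:*
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # a saved netstat capture
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:  # live host
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    sockets = listening_sockets(text, MSMQ_PORT)
    if sockets:
        print("Message Queuing port is listening on:", ", ".join(sockets))
    else:
        print(f"nothing listening on TCP {MSMQ_PORT}")
```

A listener on 1801 is only the first half of the check the article describes; confirm the Message Queuing service itself is running before treating the host as in scope for these PGM fixes, and patch it either way.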

CVE-2023-32013 (CVSS score: 6.5 out of 10): a Windows Hyper-V Denial of Service (DoS) vulnerability. Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

Hyper-V is Microsoft’s hardware virtualization product. It lets you create and run virtual machines, which are software emulations of a computer system.

CVE-2023-24897 (CVSS score: 7.8 out of 10): a .NET, .NET Framework, and Visual Studio Remote Code Execution (RCE) vulnerability. The word “Remote” refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE) because the attack itself is carried out locally.

I’d like to throw one important vulnerability in the mix because we expect to hear more about it, because it is, well, you know, Exchange.

CVE-2023-32031 (CVSS score: 8.8 out of 10): a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability. An attacker could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call.

This is typically a vulnerability that is used in a chained attack, because the attacker will need access to a vulnerable host in the network to gain the necessary authentication they need to successfully exploit this vulnerability.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.



Ticket scammers target Taylor Swift tour

Taylor Swift fans are being warned to be cautious when buying tickets for her current “Eras” tour, with scammers waiting in the wings to trick would-be gig goers. The Better Business Bureau says it has received somewhere in the region of 200 complaints from residents of Michigan, and there’s bound to be more from other locations.

The issue is so bad that Michigan’s Attorney General advised the local “Swifties” about fraud in relation to last weekend’s Michigan leg of the tour. His warning reads as follows:

“Michigan residents who are defrauded by online ticket scammers should not just shake it off,” said Nessel. “We know these scams all too well. If you believe you were taken advantage of, filing a complaint with my office is better than revenge.”

Reports of scammers taking advantage of Swift’s fans, called Swifties, indicate some have lost as much as $2,500 paying for tickets that don’t exist or that never arrive. The Better Business Bureau has reportedly received almost 200 complaints nationally related to the Swift tour. The complaints range from refund struggles to outright scams.

Other locations for the tour are trying to get ahead of the scam curve, issuing their own warnings ahead of events where possible. For example, Cincinnati has highlighted tales of woe related to fake ticket sales on Facebook. Detroit flagged fake ticket sales on Instagram. CBC covered multiple fake sale attempts cheating folks in Canada out of significant chunks of money. Elsewhere, teens have lost out on $1,200 thanks to Craigslist scammers.

With something like 19 dates left in the US alone stretching from Minneapolis and Pittsburgh to Los Angeles and Seattle, there’s still plenty of opportunity for scammers to crawl out of the woodwork. These are undoubtedly the hottest music tickets around at the moment, so you’ll want to follow some common sense rules before trying to get your hands on some. This is especially the case given that the only ticket source left may be resellers.

How to avoid ticket scams

  • Research the ticket seller. Anybody can set up a fake ticket website, and sponsored ads showing at the top of search engines can be rife with bogus sellers. You may also run into issues buying tickets from sites like eBay. Should you decide to use sites other than well known entities like Ticketmaster, check for feedback on the BBB website.
  • Use a credit card if possible. You’ll almost certainly have more protection than if you pay using your debit card, or cash. We definitely recommend that you avoid using cash. If someone decides to rip you off, that money is gone forever.
  • A “secure” website isn’t all it seems. While sites that use HTTPS (the padlock) ensure your communication is encrypted, this does not guarantee the site is legitimate. Anyone can set up an HTTPS website, including scammers.
  • It’s ticket inspector time. One of the best ways to know for sure that your ticket is genuine is to actually look at it. Is the date and time correct? The city, the location? Are the seat numbers what you were expecting to see? It may well be worth calling the event organisers or the event location and confirming that all is as it should be. Some events will give examples of what a genuine ticket should look like on the official website.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Edge browser feature sends images you view back to Microsoft

A relatively new service provided by Microsoft’s browser Edge sends images you’ve viewed online back to Microsoft. A new feature labelled Enhance images in Microsoft Edge has raised some privacy concerns. The feature is designed to upscale low resolution images, making them sharper, and improving the lighting and contrast.

Unlike the Video Super Resolution which uses local resources to enhance the quality of video viewed in Microsoft Edge, the pictures submitted to the Enhance images service are sent to Microsoft for processing as Edge loads them. This is enabled by default, so users have to opt out if they don’t want their images to be sent.

Observant Edge Canary users spotted a difference in the description of the feature after an update. Under Enhance images in Microsoft Edge in settings, it now says “Image URLS will be sent to Microsoft to provide super resolution.”

Microsoft offers Edge users different update channels. The Canary Channel ships daily and is the most bleeding edge of all the channels. If you want access to the newest updates, they’ll appear here first. The downside is that it also comes with a certain amount of bugs.

This recent update also came with the option to have a more granular control about images from which sites should be enhanced.

Image: screenshot of the per-site choices offered to Edge Canary users.

Image courtesy of Neowin

How to disable the service

If you prefer to turn off the Enhance images service, here’s how to do it:

  • In Edge, open the Settings menu and select Privacy, search, and services (edge://settings/privacy)
  • Scroll down to the Services section and find the Enhance images in Microsoft Edge entry
  • Switch the toggle to Off.

And while we have your attention and you are in the Privacy menu anyway, if you scroll up a little bit, you may see the Show Collections and follow content creators in Microsoft Edge. If you are not actively using this feature you may want to disable that as well. The feature was found to track every single URL you visited and send them to Microsoft.

Reportedly, Microsoft is working on resolving this unintentional behavior.



More MOVEit vulnerabilities found while the first one still resonates

In early June, we reported on the discovery of a critical vulnerability in MOVEit Transfer, known as CVE-2023-34362.

After the first vulnerability was discovered, MOVEit’s owner Progress Software partnered with third-party cybersecurity experts to conduct further detailed code reviews of the software. Now, Progress says it has discovered multiple SQL injection vulnerabilities in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.

There are no CVEs yet available for the new vulnerabilities, but Progress has released patches.

Users of Progress MOVEit Transfer versions released before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), 2023.0.2 (15.0.2) should follow the recommendations in the security bulletin about the new vulnerabilities.

This code review was undoubtedly triggered by the severe consequences of the first vulnerability, which was exploited by the Cl0p ransomware gang. Cl0p confirmed it was behind these attacks in responses to inquiries by Reuters and BleepingComputer.

Cl0p is showing a very different behavior from other ransomware groups. The gang either found or bought the CVE-2023-34362 vulnerability and reportedly started testing it against victims as far back as 2021.

They felt comfortable enough to wait with actively deploying their ransomware, and didn’t launch a large scale campaign until the 2023 Memorial Day weekend in the US. This demonstrates a level of sophistication and planning that we don’t see in other ransomware groups.

Victims of this exploitation wave are plentiful and new ones keep coming forward. All the victims of this attack have been told to contact the Cl0p ransomware group before June 14, 2023 or “face the consequences,” which tends to suggest that their data will be published online.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Strava heatmap loophole may reveal users’ home addresses

Researchers at NC State University have outlined potential privacy issues with the popular fitness app Strava which could lead to users’ homes being pinpointed. The researchers’ findings are detailed in a paper called Heat marks the spot: de-anonymising users’ geographical data on the Strava heat map.

Strava, used by more than 100 million people, includes features you’d commonly see in this kind of product like heart rate, GPS data, and so on. Users can build up a picture of their health related activities over time and make informed decisions based on the findings of the service. 

The mobile tracking app is designed to track exercise activity, but it also includes a social component, allowing users to connect with each other. The primary concern of researchers focused on the heat map feature, which aggregates user data and allows you to see how many people are doing forms of exercise in various locations.

Although there are attempts to anonymise user data, the study highlighted ways in which some personal information, including home address, could be found. The researchers claim they found a “loophole” that bypasses the anonymity of aggregated heatmap data. From their post:

Specifically, the researchers found it is possible for anyone to look up all of the Strava users in a given area. It is also possible for users to look at the aggregate data on a heatmap and see where each of the anonymous users’ routes begin and end.

“In a densely populated area, with lots of routes and lots of users, there is so much data that it would be extremely difficult to track any specific person,” Das says. “However, in areas where there are few users and/or few routes, it becomes a simple process of elimination – particularly if the person someone is looking for is a highly active Strava user. Even users who have marked their accounts as private show up when anyone searches for a list of all the users in a given municipality, so marking an account private doesn’t necessarily provide additional protection against this tracking technique.”

Strava told the researchers that heat map data isn’t shared unless several users are active in any given area, but the researchers still managed to identify the home addresses of some users via the heatmap. These locations were confirmed using voter registration data. Note that depending on which country you live in, voter data may not be available to use in this manner (or even be available in the first place).

While this may all sound very straightforward, the actual process is fairly involved. As Bleeping Computer highlights, the process is as follows:

  • Collect data on your chosen location for a period of roughly a month.
  • Overlay OpenStreetMap (an open geographic database maintained by volunteers) at a zoom level which allows for singling out residence addresses.
  • Compare heatmap endpoints and user data accessible from search to establish connections between “high activity points” and home addresses.

This, combined with public profiles displaying real names, photographs, and data related to specific activities means that singling out certain users was achievable. A word of caution: the success rate for this kind of needle in a haystack activity is not fantastic. The study mentions that more active users will be potentially easier to track down, but for “average” users of the app the likelihood of being discovered is 37.5%.

The paper highlights a few of the ways Strava users can reduce the possibility of falling victim to this attack, but a lot depends on the app developers implementing them or the randomness of your personal circumstances. For example, living in a heavily populated area will go a long way toward blending you into the crowd.

Another is large exclusion zones around your home area, to make it impossible to figure out which specific location you’re exiting and entering. You can set your Strava profile to private, and also disable the heatmap feature if you don’t need any of the social features available to you. If you use another form of fitness tracking app, this is the ideal moment to see what data you may be sharing and lock down as needed.



A week in security (June 5 – 11)

Last week on Malwarebytes Labs:

Stay safe!



Public and free WiFi: Can I safely use it?

We’ve got into the habit of expecting internet access wherever we go. But data costs can be expensive, and outside your own home, often the only WiFi available is public, passwordless and free.

In security, we’ve been trained to carefully contemplate anything that’s free, because, well, often when something is free, you turn out to be the product. So should we be concerned about free Wi-Fi?

A few years ago, we wrote:

“A WiFi connection’s safety depends on its security settings and the source of the WiFi connection. In public, using shared WiFi carries risks. If you have to use public WiFi hotspots, it’s wise to also use a VPN to keep your activity private while you use that connection. A VPN wraps your network traffic (including web browsing, email, and other things) in a protective tunnel and makes up for any weaknesses in their encryption.”

While this is still basically true, the internet has changed since then. Most websites have switched to HTTPS (Hypertext Transfer Protocol Secure), which means that the traffic between you and the website you are visiting is encrypted. That means it can’t be read by anyone intercepting the traffic in order to snoop on your data.

So nowadays, my advice is this: For day-to-day use, I wouldn’t recommend setting up a new banking account over public WiFi, but I wouldn’t fret about using public Wi-Fi for everyday browsing either.

How to reduce public WiFi security risks

In order to see if a website is using HTTPS, check for the padlock symbol in the browser address bar, and make sure the website starts with “https://”.

If you really want to be sure, or you need to do something like set up a bank account, then you can use a Virtual Private Network (VPN) to secure your traffic when using public WiFi.

By wrapping your traffic in a single, impenetrable tunnel, the best VPN services will keep your data safe from attempts to intercept your communications.


We don’t just report on encryption—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.