IT News

A number of bogus offers are doing the rounds in Discord land at the moment. Discord, a group text chat/VoiP app of choice for many gaming communities, is having a bit of trouble with phishing links.

You may recall we’ve covered a lot of Discord scams previously. Service users can create bots, those bots can be invited into channels, and then they get to work spamming. The messages run the range of free games, discount sign-ups for services, or just plain old fake login screens.

You’ll also frequently see bots pushing offers for things which simply don’t exist anymore. Their purpose is to hit the channels and drift forever, spamming all and sundry until they get a few hits. This week it’ll be a bot promoting a “red hot” offer from 2018. Next week it’ll be promoting crossover deals with a service which went out of business a year ago.

While many gamers who know their stuff won’t fall for those kinds of things, plenty of others will. They could stand to lose their gaming accounts, their logins for other services, some money, or perhaps a combination of all 3. Depending on the scam, they could also be used to send spam messages to an even bigger audience. You definitely don’t want any of this clogging up the channels you use on a daily basis.

What’s happening?

Spam messages are sent to other Discord users. As is common with this kind of attack, they’re themed around “Nitro”. This is a paid Discord service which offers added functionality in the servers along with some other features. At one point, games were included in some of these deals, and those were a big target for scammers even after the games were no longer available. The scammers are just banking on nobody checking before clicking the links.

Here’s what some of the current messages going around look like:

Note that this isn’t being sent from bots (as in, chatbots specifically coded to send spam links). As the Tweeter points out, this is all being sent by friends. Those friends have likely been compromised earlier in the chain, and are now being used for malicious purposes.

As for the messages themselves? They’re a mixed bunch. One claims a friend has sent the recipient a Nitro subscription. The others claim the recipient “has some Nitro left over”, tied to a URL which mentions billing and promotions.

When sneaky sites go phishing…

The sites here use a common trick. This is where they switch out the letter i, for an L in the URL. As a result, you’re not visiting Discord, you’re visiting something along the lines of dLscord instead (we’re using the uppercase L here purely for visual clarity).

From there, it’s a case of phishing the victim’s logins.

Tackling the Discord phishers

Sometimes these sites already have multiple red flags thrown up along the way:

Other times, you’re reliant on the site being taken down or your security tools stopping the scam in its tracks. Either way, if you’ve entered your details into one of these sites (or similar!), then change your login as soon as possible.

How to protect your Discord account

Discord offers some tips on how to keep your account safe:

1. Use a strong password, and one that is unique to your Discord account. A password manager can help generate and store strong passwords for you, because it’s very very difficult to remember them yourself
2. Set up two-factor authentication (2FA) on your account
3. Set up message scanning, which automatically scans and deletes any explicit content. You can choose to do this for all messages or just those from people not on your Friends List
4. Block users if you need to. Discord offers more information on how to do that in tip 4.

Stay safe out there!

The post Discord scammers lure victims with promise of free Nitro subscriptions appeared first on Malwarebytes Labs.

If you hadn’t noticed by now, we are in the first week of National Cybersecurity Awareness Month, which, according to the Cybersecurity Infrastructure and Security Agency in the United States, means that we should all consider how people, organizations, and businesses can “be cyber smart” this year and ahead.

While there are countless ways to interpret exactly how to “be cyber smart”—like adopting cybersecurity best practices around strong password use, two-factor authentication, and remote desktop protocol ports—we at Malwarebytes Labs wanted to take a step back and consider: How do you train people to be cyber smart in the first place?

After all, cybersecurity training is likely the first and most important step in cybersecurity awareness, whether at home or in the office. But developing engaging, actionable cybersecurity training programs can be a difficult endeavor, as those who develop the training have to potentially meet their organization’s compliance requirements while considering their audience’s interests, needs, awareness level, and time available to actually complete training programs.

To better understand how to make smart, engaging cybersecurity training, and to help businesses everywhere roll out their own, we asked Kelsey Prichard, security awareness program manager at Malwarebytes, to share her insights. At Malwarebytes, Prichard develops the security awareness programs and compliance training for the company’s employees—which are sometimes affectionately called “Malwarenauts.” She has developed seven “microlearning modules” and one security compliance training course—with another soon to come—and she has organized multiple in-house security webinars.

Prichard’s programs have also taken advantage of what she described as a “playful culture” at Malwarebytes, as each October, she has structured the annual security training to be “based around a different popular sci-fi movie.” The themed training programs have found a perfect home at the company, as its Star Wars-themed Santa Clara headquarters includes multiple conference rooms named after popular characters and its hallways are adorned with plenty of movie art.

The following Q&A with Prichard has been edited for clarity and length.

When you first joined Malwarebytes, you were tasked with something quite intimidating: Developing a cybersecurity training program for hundreds of company employees. Where do you even start with a task this large? 

This was quite the challenge, as this role was my first formal introduction to the world of security. My background’s in learning and development, and I used to work for Tesla developing their body repair training. So much of the material was new to me. Luckily, the security team here is fantastic and gave me a lot of the security frameworks I needed to get started. I think being a “beginner” in security helped give me a clarity I’m not sure I would’ve had otherwise. The first few months consisted of a lot of Googling, online training courses, and trial and error. As I learned, I developed courses and wrote down ideas. It was extremely important to me that I didn’t start a program that people didn’t want, nor were interested in, so a huge aspect of that was learning how to make it fun. Malwarebytes has a lot of very smart individuals, and this is a security company, so I had to develop content that was interesting and yet also met compliance requirements, so everyone took training in a timely manner

How did you measure the cybersecurity familiarity of Malwarebytes employees to ensure that the training programs you built would fit their level of understanding? 

We have a huge range of security knowledge here at Malwarebytes, so we’ve tried to incorporate variability in the content we upload. Some formats, like our training modules, are catered to Malwarenauts who may have less security understanding, while others, like our monthly webinars, are more technical. We also have a Security Champions program where our security experts in the company come together to learn from each other and our security team so that they can help educate their fellow Malwarenauts. There are some things, however, like our compliance training that we need to roll out to everyone, so this needs to cover a broad spectrum of security knowledge.

How did developing these training programs specifically for employees at a cybersecurity company influence, if at all, the development process? 

Lucky for me, working at a cybersecurity company has meant more engagement in security training than you’d see at other companies. However, it also makes our mandatory trainings more difficult since we have such a broad level of security knowledge and it’s odd knowing that you may be training someone with more security knowledge than yourself. That being said, I really love that there are so many people around me that are knowledgeable and excited about cybersecurity. It means I have a lot of people to learn from and I get a lot of support from upper management, but it was definitely intimidating at first! 

When deciding what topics to prioritize, I imagine you had an enormous list. Can you describe what was on that early list? 

Yes! The first thing I needed to do was set up our first annual security training, which was easy to prioritize for compliance reasons. Cybersecurity Awareness Month was also a big priority because I used it as the launch of our security awareness program and it’s the optimal time to make a big deal of cybersecurity. Creating a plan for the year on topics to be covered was also very helpful, as it allowed for getting the expert speakers for those topics. It requires a lot of coordination.

How did you narrow down the first few topics you developed training programs for? Why did you choose those topics? 

My security teammates were hugely valuable. They were aware of the biggest threats to our organization, so I initially developed training to highlight and help our employees prevent these threats from occurring. From there, we really wanted to cover the “cybersecurity basics” to set a knowledge groundwork for all employees.  

In developing the training programs, was there any practice you knew you wanted to avoid? 

I am very aware that “learning fatigue” is easy to succumb to with mandatory training modules. Because of this, I wanted to ensure that all training programs were split up to take no longer than 15 minutes at a time. This is why you’ll see our mandatory training is 30 minutes in total, but is split into three separate courses that are combined into one learning plan. This gives learners the option to complete a course and return to the learning plan as needed.

I also aim for story-based training, where it makes sense, to simplify otherwise complex content and make it relatable. 

Finally, what is your top tip for other cybersecurity trainers who want to make smart training progrmas for their organizations? 

Keep it engaging. I think as cybersecurity trainers we tend to get wrapped up in what the content is and forget how crucial it is to make the learning entertaining. If your audience doesn’t engage in the training you create, all it’s doing is checking a compliance box. 

The post Making better cybersecurity training: Q&A with Malwarebytes expert Kelsey Prichard appeared first on Malwarebytes Labs.

Sometimes good news in the security world comes unexpectedly. This is one of those times. After three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros, Microsoft is going disable Excel 4.0 macros for everyone. Better late than never, right?

Talk about a big sigh of relief.

Excel 4.0 macros, aka XLM macros, were first added to Excel in 1992. They allowed users to add commands into spreadsheet cells that were then executed to perform a task. Unfortunately, we soon learned that (like any code) macros could be made to perform malicious tasks. Office documents have been a favorite hiding place of malicious code ever since.

For backward compatibility reasons the feature was never removed, despite being superseded by Visual Basic for Applications (VBA) just one year after it was introduced.

I understand the argument in favor of keeping it back then, but why keep it enabled by default for so long after, when so few people use it? Microsoft could have made it so that those that needed Excel 4.0 macros had to turn the feature on, and the rest of us (the overwhelming majority of Excel users) could have been more secure without having to remember to turn it off.

Good news? What happened?

Microsoft announced plans to disable Excel 4.0 macros in an email sent to customers. It will be disabled for all Microsoft 365 users by the end of the year, but the exact schedule depends on which kind of customer you are:

• Insiders-Slow: Complete in early November.
• Current Channel: Complete by mid-November.
• Monthly Enterprise Channel: Complete by mid-December.

Trust me, it’s not easy to make all security professionals happy at once. Most feel this should have been done long ago. For some the glass is half full, while others are asking “why has this glass been half empty for so long?”

Will you miss it?

It is very, very unlikely you will miss Excel 4.0 macros. XLM was the default macro language for Excel through Excel 4.0, but beginning with version 5.0, Excel recorded macros in VBA by default, although XLM recording was still allowed as an option. After version 5.0 that option was discontinued. All versions of Excel are capable of running XLM macros, though Microsoft discourages their use.

Now—almost 30 years after they were made obsolete—it’s fair to stay that the biggest users of Excel 4.0 macros are probably malicious threat actors.

Abuse cases

Attackers have always liked Office macros because they provide a simple and reliable method to spread malware using legitimate features, and without relying on any vulnerability or exploit. XLM macros have been used to drop many well known malware families, including ZLoader, TrickBot, BitRat, QBot, Dridex, FormBook and StrRat, among others.

And in just the last month, Malwarebytes Labs has seen XLM macros weaponized to deliver threat-actor-favorite Cobalt Strike, and a malware campaign using XLM macros to deliver a .NET payload under the cover an Excel spreadsheet full of stats about US airstrikes on the Taliban regime.

Disable manually

Should you feel the need to disable this feature right now, you can do so in the Trust Center. In July Microsoft added a new checkbox setting, “Enable Excel 4.0 macros when VBA macros are enabled”, which allows users to individually configure the behavior of XLM macros without impacting VBA macros.

Security over backward compatibility

Despite the shared joy about this security enhancing roll-out, it raises the question of when does security overrule backward compatibility? Microsoft must have better things to do than fix obsolete features from the past century. Wouldn’t it have been preferable if the step up to VBA in 1993 had been less steep, so we could all forget about 4.0 and move on to the latest version without having to look over our shoulder? Or perhaps Microsoft could have disabled this potentially dangerous feature decades ago and left it to those who actually wanted it to turn it back on?

If history has taught us anything, it’s that the incentive to enable something you need is a lot stronger than the incentive to disable something that might be potentially dangerous.

Stay safe, everyone!

The post At long last, Microsoft is disabling Excel 4.0 macros by default appeared first on Malwarebytes Labs.

Mozilla is trying a novel experiment into striking a balance between ad revenue generation and privacy protection by implementing a new way to deliver ads in its Firefox web browser—presenting them as “suggestions” whenever users type into the dual-use search and URL address bar.

The advertising experiment lies within a feature called “Firefox Suggest,” which was announced in September. According to Mozilla, Firefox Suggest “serves as a trustworthy guide to the better web, finding relevant information and sites to help you accomplish your goals.”

Much like other browsers, Firefox already offers users a bevy of suggestions depending on what they type into the search and address bar. That has included suggestions based on users’ bookmarks, browser histories, and their open tabs. But with the new Firefox Suggest feature, users will also receive suggestions from, according to Mozilla, “other sources of information such as Wikipedia, Pocket articles, reviews, and credible content from sponsored, vetted partners and trusted organizations.”

Though the explanation seems simple, the implementation is not.

That’s because there appear to be two different levels of suggestions for Firefox Suggest, which are only referred to by Mozilla as “Contextual suggestions,” and “improved results for Contextual Suggestions.”

On its support page for Firefox Suggest, Mozilla explicitly said that “contextual suggestions are enabled by default, but improved results through data sharing is only enabled when you opt-in.” That data sharing, covered in more detail below, broadly includes user “location, search queries, and visited sites,” Mozilla said.

How that additional data produces separate results, however, is unclear, because Mozilla remains frustratingly vague about the experience that users can expect if they have the default “contextual suggestions” enabled compared to users who have opted-in to “improved results for Contextual Suggestions.”

Under the heading “What’s on by default,” Mozilla said that, starting with Firefox version 92, users “will also receive new, relevant suggestions from our trusted partners based on what you’re searching for. No new types of data are collected, stored, or shared to make these new recommendations.”

Under the heading, “Opt-in Suggestions,” however, Mozilla only said that a “new type of even smarter” suggestion is being presented for some users that the company hopes will “enhance and speed up your searching experience.” Mozilla said that it “source[s] and partner[s] with trusted providers to serve up contextual suggestions related to your query from across the web,” which sounds confusingly similar to the default contextual suggestions that come from the company’s “trusted partners” and are “based on what you’re searching for.”

Fortunately, Mozilla offered a way for users to check if they’ve opted-in to the data sharing required for improved contextual suggestions. Unfortunately, when Malwarebytes Labs installed the latest version of Firefox (93.0 for MacOS), we could not find the exact language described in Mozilla’s support page.

Mozilla said that, for those who go into Firefox’s preferences:

“If you see ‘Contextual suggestions’ checked with the string ‘Firefox will have access to your location, search queries, and visited sites’, you have opted in. If you do not see that label then the default experience is enabled with no new kinds of data sharing.”

As shown in the image below, though we did find this setting in Firefox’s preferences, we did not find the exact language about “location, search queries, and visited sites.”

When Malwarebytes Labs tested Firefox Suggest, we could not produce any sponsored content results. We did, however, receive a Wikipedia suggestion on our search of “Germany” and a Firefox Pocket suggestion on our search of “chicken soup,” as shown below.

During our testing, we also could not find a way to opt-in to improved contextual suggestions. According to Mozilla, opting-in seems to currently rely on a notification message from Firefox asking users to specifically agree to sharing additional data. During our testing of Firefox Suggest, we did not receive such a message.

New model, new data

Firefox’s experiment represents a sort of double-edged sword of success.

In 2019, Mozilla decided to turn off third-party tracking cookies by default in its then-latest version of Firefox. It was a bold move at the time, but just months later, the privacy-forward browser Brave launched out of beta with similar anti-tracking settings turned on by default, and in 2020, Safari joined the anti-tracking effort, providing full third-party cookie blocking.

The anti-tracking campaign seems to have largely worked, as even Google has contemplated life after the third-party cookie, but this has put privacy-forward browsers in a difficult position. Advertising revenue can be vital to browser development, but online advertising is still rooted firmly in surreptitious data collection and sharing—the very thing these browsers fight against.

For its part, Brave has responded to this problem with its own advertising model, offering “tokens” to users who opt-into advertisements that show up as notifications when using the browser. The tokens can be used to tip websites and content creators. Similar to Mozilla, Brave also vets the companies who use its advertising platform.

As to the role of advertising partners in Firefox Suggest, Mozilla said it attempts to limit data sharing as much as possible. “The data we share with partners does not include personally identifying information and is only shared when you see or click on a suggestion,” Mozilla said.

To run improved suggestions, Mozilla does need to collect new types of data, though. According to the company’s page explaining that data collection:

“Mozilla collects the following information to power Firefox Suggest when users have opted in to contextual suggestions.

• Search queries and suggest impressions: Firefox Suggest sends Mozilla search terms and information about engagement with Firefox Suggest, some of which may be shared with partners to provide and improve the suggested content.
• Clicks on suggestions: When a user clicks on a suggestion, Mozilla receives notice that suggested links were clicked.
• Location: Mozilla collects city-level location data along with searches, in order to properly serve location-sensitive queries.”

Based on the types of data Mozilla collects for improved contextual suggestions, we might assume that users who opt-in will see, at the very least, suggestions that have some connection to their location, like perhaps sponsored content for an auto shop in their city when they’re looking up oil changes. The data on a user’s suggestion clicks might also help Mozilla deliver other suggestions that are similar to the clicked suggestions, as they may have a higher success rate with a user.

As to whether the entire experiment works? It’s obviously too early to tell, but in the meantime, Mozilla isn’t waiting around to generate some cash. Just this year, the company released a standalone VPN product. It is the only product that Mozilla makes that has a price tag.

The post Firefox reveals sponsored ad “suggestions” in search and address bar appeared first on Malwarebytes Labs.

Google’s announced some changes to how it’s helping millions of its users stay safe and secure. The biggest of those changes is that it plans to auto-enrol its users in to two-step verification, or 2SV.

2SV adds an extra layer when logging into your account and the additional step happens after you’ve entered your password. For Google users, it involves just tapping a notification on their phone to confirm it’s them. It’s simple, and it dramatically decreases the chance of someone else accessing an account.

AbdelKarim Mardini, Group Product Manager for Chrome, and Guemmy Kim, Director of Account Security and Safety, wrote in a blog post:

2SV has been core to Google’s own security practices and today we make it seamless for our users with a Google prompt, which requires a simple tap on your mobile device to prove it’s really you trying to sign in. And because we know the best way to keep our users safe is to turn on our security protections by default, we have started to automatically configure our users’ accounts into a more secure state.

By the end of 2021, we plan to auto-enroll an additional 150 million Google users in 2SV and require 2 million YouTube creators to turn it on.

It’s been a long time coming—Google announced its intentions to auto-enrol users into 2SV back in May. Then, in August, Google’s official YouTube Twitter account told content creators they will have to enable their 2SV in order to log in.

For those who, for some reason, cannot use the 2SV option, Google says it’s “working on technologies that provide a convenient, secure authentication experience and reduce the reliance on passwords in the long-term.”

Google has a handy Security Checkup that’s worth going through, to make sure your account is as secure as it can be, and ready for 2SV.

Lastly, Google has shared other methods of securing accounts, such as building security keys in Android devices; creating the Google Smart Lock App for Apple users; creating the Titan Security Key, a 2SV physical key; and creating the Google Identity Service, a way to verify identities using tokens instead of passwords.

The post Google to auto-enrol users, YouTubers into 2SV appeared first on Malwarebytes Labs.

The last few years have seen a mushrooming of the number and type of security tools that organizations can use to protect themselves. You can have tools, tools to integrate the tools, tools to monitor the tools, APIs, dashboards (so many dashboards), and machine learning with everything. And yet, against this backdrop of rapidly escalating security sophistication, the ransomware epidemic has got measurably worse. Moreover, as 2021 comes to a close, criminals are also still regularly exploiting vulnerabilities that their victims could have patched three years ago.

The orthodox explanation for this is that we are, collectively, not sophisticated enough—we are simply failing to adopt new technology quick enough to head off the latest threats. For some organizations that is what’s happening, but is that all there is to it?

Too much of a good thing

A year ago, IBM’s annual Cyber Resilient Organization Report (which is based on a survey of 3,400 IT and security professionals by the Ponemon institute) unearthed an interesting consequence of all this tooling: Too many tools weaken cyber resilience, it said:

The study revealed that the number of security solutions and technologies an organization used had an adverse effect on its ability to detect, prevent, contain and respond to a cybersecurity incident.

IBM’s isn’t the only recent research to identify this problem. Earlier this year, security services provider Reliaquest collaborated with IDG on a report about technology sprawl, in which it pointed out much the same thing:

The majority of survey respondents (92%) agree there’s a tipping point where the number of security tools in place negatively impacts security. Seventy-eight percent said they’ve reached this tipping point.

And there may be another, related problem too.

Over on social media, at around the same time as Reliaquest released its report, ubiquitous security influencer Kevin Beaumont was barking up an adjacent tree. To nods of approval from security professionals, he pointed out “a common trip up in cybersecurity” was “buying the best solutions … and then not having the resources/skills/whatever to actually use the solution”.

“You can buy the best – can you run the best? If not, it ain’t the best.”

The view from the trenches

To understand more about these issues I spoke to Crystal Green, Malwarebytes’ Director of Customer Success.

In fact, the Customer Success team’s very existence suggests that there is substance to these ideas. As Green explained to me, part of her work involves making sure customers aren’t left behind: “As the threat landscape changes, security software providers have to constantly improve, adding new features and protections … it is our job [in the Customer Success team] to ensure that customers are educated on the best practices for deploying and maintaining our solutions, and are getting the most value and protection from their investment.”

I started by asking if she had encountered the problem identified by IBM and Reliaquest, of some companies having too many tools. After all, we’ve all been preaching “defence in depth” for years, so aren’t a variety of tools a good thing?

“While a layered security approach is necessary, the more tools that are in the security stack, the greater the potential for conflicts between the tools increases. Additionally, key features and functionality may be intentionally, or mistakenly disabled, causing a gap in protection.”

And what about the issue that Beaumont and his followers raised, of companies buying capable software they then struggling to implement? I wonder if that was just the social media echo chamber at work or if she’d seen it for herself.

“We see a lot of companies that purchase software but don’t actually deploy or use the software. Sometimes it doesn’t get deployed at all, other times key features aren’t used.”

The reasons will sound familiar to anyone who has worked in a corporate IT department. Green explains: “This happens for many reasons, including conflicts with time, other priority projects that make the implementation of software a lesser priority, or there may not be a complete understanding of how to best use the solution.”

So can companies simply freeze their security solutions in time and stop updating? Sadly, no. Threat actors aren’t standing still, she explains, and modern tools are important. It’s just that simply owning the tools isn’t enough.

“We’ve all been seeing numerous companies in the news this year being hit by ransomware attacks. It is critical that business (and individuals) have the right tools in place. But those tools must also be implemented, configured, and maintained correctly.”

Security as a process

Green recommends that businesses need to manage their security tools as an ongoing process not a project, no matter what their vendor says about how easy the software is to setup.

“Each environment is different, and environments change over time, so it’s important that administrators complete regular reviews of each tool to ensure that the configuration is meeting their current security needs and if a particular functionality is turned off, that the risks associated with that decision are understood.”

That’s all very well, but administrators have a lot on their plate. What about the ones who don’t know what they don’t know?

“We deal with this through having business reviews with our customers where we will showcase what is going well, as well as pointing out gaps, including features and functionality that are not being utilized.”

Green sees that kind of relationship building as crucial to being “cyber smart” and tackling the problem of technology sprawl, and she thinks vendors need to be open to letting customers shape the software they use, sitting on advisory boards, and even speaking to engineering teams directly.

As Beaumont said, security isn’t about tools you can afford, it’s about the tools you can operate effectively.

The post Stop. Do you really need another security tool? appeared first on Malwarebytes Labs.

The official Facebook page of the US Navy’s destroyer-class warship, USS Kidd, has been hijacked. According to Task & Purpose, who first reported on the incident, the account has done nothing but stream Age of Empires, an award-winning, history-based real-time strategy (RTS) video game wherein players get to grow civilizations by progressing them from one historical time frame to another.

In an interview with Task & Purpose, Cmdr. Nicole Schwegman, a Navy spokesperson, confirmed the hijacking: “The official Facebook page for USS Kidd (DDG 100) was hacked. We are currently working with Facebook technical support to resolve the issue.”

As we write, the US Navy has yet to regain control of the account.

The hijacked account started streaming the video game live on October 4 for four hours. That session was followed by five more streams one after the other, each lasting for up to two hours.

Yes, the poor fellow couldn’t get past the Stone Age.

Official accounts of the US military getting compromised is rare but not unheard of. A year ago, the administrator responsible for the Fort Bragg Twitter account forgot to switch from that account to his own personal Twitter account before posting lewd comments on a model’s page.

How to avoid Facebook hijacking

Whether you’re an organization or an individual who’d like to secure their accounts from such potential hijacking incidents, make sure that you take full advantage of Facebook’s full suite of security and privacy settings. Make sure you understand the settings for how your account is used, secured, and viewed by others. Don’t just accept the default settings.

And let us not forget passwords. Yes—make it a good, strong one. Better yet, let your password manager create and, well, manage all password-related tasks for you.

Two-factor authentication is a relatively simple option to turn on for your Facebook account, and makes it much harder for anyone else to login as you.

And if you manage a business’s social media accounts, please be mindful of the account you’re currently handling before pushing posts to the public. If it helps, use Twitter or Facebook in the browsers for your business and the Twitter or Facebook app for your personal accounts.

A social media disaster? Not today.

The post US Navy ship Facebook page hijacked to stream video games appeared first on Malwarebytes Labs.

Online safety is hard enough for most adults. We reuse weak passwords, we click on suspicious links, and we love to share sensitive information that should be kept private and secure. (Just go back a few months to watch adults gleefully sharing photos of their vaccine cards.) The consequences of these failures are predictable and, for the most part, proportional—a hacked account, a visit to a scam website, maybe some suspicious texts asking for money.

But for an often-ignored segment of the population, online safety is more about discerning lies from truth and defending against predatory behavior. These are the threats posed specifically to children with special needs, who, depending on their disabilities, can have trouble understanding emotional cues and self-regulating their emotions and their relationship with technology.

This year, for National Cybersecurity Awareness Month, Malwarebytes Labs spoke with Alana Robinson, a special education technology and computer science teacher for K–8, to learn about the specific online risks posed to special needs children, how parents can help protect their children with every step, and how teachers can best educate special needs children through constant reinforcement, “gamification,” and tailored lessons built around their students’ interests.

Importantly, Robinson said that special needs education for online safety is not about a handful of best practices or tips and tricks, but rather a holistic approach to equipping children with the broad set of skills they will need to safely navigate any variety of risks online.

“Digital citizenship, information literacy, media literacy—these are all topics that need to be explicitly taught [to children with special needs],” Robinson said. “The different is, as adults, we think that you should know this; you should know that this doesn’t make sense.”

Whether adults actually know those things, however, can be disputed.

“I mean, as I said,” Robinson added, “it is also challenging for adults.”

Our full conversation with Robinson, which took place on our podcast Lock and Code, with host David Ruiz, can be listened to in full below.

The large risk of disinformation and misinformation

The risks posed to children online are often similar and overlapping, no matter a child’s disability. Cyberbullying, encountering predatory behavior, interacting with strangers, and posting too much information on social media platforms are all legitimate concerns.

But for children with behavioral challenges, processing challenges, and speech and language challenges in particular, Robinson warned about one enormous risk above all: The risk of not being able to discern fact from fiction online.

“Misinformation and disinformation online [are] a great threat to our students,” Robinson said. “There were many times [my students] would come in and say ‘I saw this online’ and we would get into discussions because they were pretty adamant that what they saw is correct.”

Those discussions have increased dramatically in frequency, Robinson said, as her students—and children all over the world—watch videos at an impossibly fast rate on platforms like YouTube, which, according to the company’s 2017 statistics, streams more than one billion hours of video a day. That video streaming firehose becomes a problem when those same platforms have to consistently play catch-up to stop the wildfire-like spread of disinformation and conspiracy theories online, as YouTube just did last week when it implemented new bans on vaccine misinformation.

“I have students pushing back and telling me, no, we never landed on the moon, that’s fake,” Robinson said. “These are the things they’re consuming on these platforms.”

To help her students understand how misinformation can spread so easily, Robinson said she shows them how it can be daylight outside her classroom, but at the same time, if she wanted, she could easily post a video online saying that it is instead nighttime outside her classroom.

Robinson said she also encourages her students to ask if they’re seeing these claims made elsewhere, and she steers them to what are called “norm-based reputable sources”—trustworthy websites that can provide fact-checks while also removing her students from the progression of recommended online videos that are fed to them through algorithms that prioritize engagement above all else.

“This is what we call building digital habits,” Robinson said, emphasizing the importance of digital literacy in today’s world.

Constant reinforcement

The promise of a “solution” to misinformation and disinformation online almost feels too good to be true, whether that solution equips special needs children with the tools necessary to investigate online sources or whether it helps adults without special needs defend against hateful content that is allegedly prioritized by one enormous technology company to boost its own profits.

So, when Robinson was asked directly as to whether these teaching models work, she said yes, but that the models require constant reinforcement from many other people in a child’s life.

Comparing digital literacy education to math education, Robinson said that every single year, students revisit the topics they learned the year before. She called this return to past topics “spiraling.”

“Part of developing digital students into really successful, smart, discernible, digital adults is the ongoing, constant spiraling and teaching of these concepts,” Robinson said. “If you can collaborate with other content area educators in your building, you’re infusing these topics through subject areas.”

Essentially, Robinson said, teaching online safety and cybersecurity to special needs children needs to be the responsibility of more than just a single technology teacher. It needs to be taken on by several subject matter educators and by parents at home.

For parents who want to know how they can help out, Robinson suggested finding teaching moments in everyday, common mistakes. If a parent themselves falls for a phishing scam, Robinson said those same parents can take that as an opportunity to teach their children about spotting online scams.

“It’s an ongoing work and it never stops,” Robinson said.

Teach kids about what they like using

To help special needs children understand and take interest in online safety education, Robinson said she always pays attention to what her students are using and what they’re interested in. This simple premise makes lessons both applicable and interesting to all students—not just those with special needs—and it provides a way for children to immediately understand what they’re learning, why they’re learning it, and how it can be applied.

As an example, since so many of her students watch videos on TikTok, Robinson spoke to her students last year about the US government’s reported plans to ban the enormously popular app.

“The federal government was thinking of not allowing TikTok to be used here because it might’ve been a safety risk, and so we had that discussion, and I said ‘What happens if you couldn’t use TikTok anymore?’” Robinson said.

Robinson said this tailored approach also gives teachers and parents an opportunity to help kids not just stay safe online, but also learn about the tools they use every day to view online content. The tools themselves, Robinson said, can greatly impact how a child with special needs feels on any given day—sad, happy, worried, scared, anything goes—and that children with special needs can often use guidance in self-regulating and understanding their own emotions.

Robinson added that many of her lessons about online tools and platforms have a similar message: If a game or website or tool makes her students feels uncomfortable, they should tell an adult.

It’s a rule that could likely help even adults when they find themselves gearing up to get into an online argument for little legitimate reason.

Embrace the game

Finally, Robinson said that many of her students enjoy using online games to learn about online safety, and she specifically mentioned Google’s Internet safety game called “Interland,” which parents can find here.

Google’s Interland leads kids through several short “games” on online safety, with lessons centered around the topics of “Share with Care,” “It’s Cool to Be Kind,” and “Don’t Fall for Fake.” The browser-based games ask kids to go through a series of questions with real scenarios, and each correct answer earns them points while their digital character jumps from platform to platform. The website works with most browsers, but Malwarebytes Labs found that it ran most smoothly on Google Chrome and Safari.

Interestingly, when it comes to lessons that Robinson’s special needs students excel at, she said they are excellent at creating strong passwords—and at calling people out for using weak ones.

“I teach 100 students, 10 classes, [and] I used not a very strong password for every student in this one class … and I said ‘By the way, everyone has this [password],’ and they’re like, when I said everyone has this same password, they’re like ‘Oh no no! That’s not a strong password, oooh,’” Robinson said, laughing. “They literally let me have it.”

The post What special needs kids need to stay safe online appeared first on Malwarebytes Labs.

Update, 7th October: Twitch has now confirmed the breach. The company’s statement is as follows:

We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.

At this time, we have no indication that login credentials have been exposed. We are continuing to investigate.

Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.

Original post:

Big, breaking news going around at the moment. If you have a Twitch account, you may wish to perform some security due diligence. There are multiple reports of the site being compromised. And they absolutely do mean compromised:

There’s still no independent verification from Twitch itself yet. However, multiple people have confirmed that the leak details, which include streamer revenue numbers, match what they have in fact generated.

What has happened?

A 128GB torrent was released on the 4chan message board. The poster claims it incorporates all of Twitch including

• Source code for desktop, mobile, and console clients
• 3 years of creator payouts
• Some form of unreleased Steam competitor
• Various bits of data on several Twitch properties
• Internal security tools

The leak is marked as “part 1”. The current data appears to contain nothing in the way of passwords or related data, but that potentially may be included in whatever comes next. This is something we may well find out from Twitch if and when it makes a statement.

In the meantime, we’d strongly suggest taking some proactive steps.

What should Twitch users do?

Log into your Twitch account and change your password to something else. If you’ve used the password on other services then you need to change them there too. Then enable two-factor authentication on Twitch, if you’re not already using it.

One small possibility against the leaking of passwords is there’s not been any visible “strange” activity from big name accounts. One would assume all sorts of dubious message shenanigans would follow in the wake of such a data grab. However, it’s possible that stolen passwords are being kept under lock and key until any such “Part 2” arrives.

This makes it all the more crucial to take some action now and start locking things down.

We’ll be updating this post with more information as we get it, so if you’re a Twitch user please feel free to check back every so often.

The post Twitch compromised: What we know so far, and what you need to do appeared first on Malwarebytes Labs.

The Apache HTTP Server 2.4.49 is vulnerable to a flaw that allows attackers to use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed. This issue is known to be exploited in the wild.

The vulnerability

The Apache HTTP Server Project started out as an effort to develop and maintain an open-source HTTP server for modern operating systems, including UNIX and Windows. It provides a secure, efficient, and extensible server that provides HTTP services in sync with the current HTTP standards.

The flaw (listed as CVE-2021-41773) was introduced by a change made to path normalization in Apache HTTP Server 2.4.49. So, earlier versions are not vulnerable, nor are servers that are configured to “require all denied”.

Unfortunately, “require all denied” is off in the default configuration. This is the setting that typically shows an error that looks like this:

“Forbidden. You don’t have permission to access {path}.”

Path traversal attack

Path traversal attacks are done by sending requests to access backend or sensitive server directories that should be out of reach for unauthorized users. While normally these requests are blocked, the vulnerability allows an attacker to bypass the filters by using encoded characters (ASCII) for the URLs.

Using this method an attacker could gain access to files like cgi scripts that are active on the server, which could potentially reveal configuration details that could be used in further attacks.

Impact

The Apache HTTP Server Project was launched in 1995, and it’s been the most popular web server on the Internet since April 1996. In August 2021 there were some 49 million active sites running on Apache server. Obviously we do not know which server every domain is using, but of the sites where we can identify the web server, Apache is used by 30.9%.

A Shodan search by Bleeping Computer showed that there are over a hundred thousand Apache HTTP Server 2.4.49 deployments online, many of which could be vulnerable to exploitation.

Security researchers have warned that admins should patch immediately.

Another vulnerability

There’s a second vulnerability tackled by this patch—CVE-2021-41524—a null pointer dereference detected during HTTP/2 request processing. This flaw allows an attacker to perform a denial of service (DoS) attack on the server. This requires a specially crafted request.

This flaw also only exists in Apache Server version 2.4.49, but is different to the first vulnerability in that, as far as we know, it is not under active exploitation. It was discovered three weeks ago, fixed late last month, and incorporated now in version 2.4.50.

Mitigation

All users should install the latest version as soon as possible, but:

• Users that have not installed 2.4.49 yet should skip this version in their update cycle and go straight to 2.4.50.
• Users that have 2.4.49 installed should configure “require all denied” if they do not plan to patch quickly, since this blocks the attack that has been seen in the wild.

A full list of vulnerabilities in Apache HTTP Server 2.4 can be found here.

Stay safe everyone!

The post Patch now! Apache fixes zero-day vulnerability in HTTP Server appeared first on Malwarebytes Labs.