IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Internet safety tips for kids and teens: A comprehensive guide for the modern parent

When it comes to picking a new device for your child, it’s often difficult to know where to start.

Whether you’re looking for a smartphone, a laptop, a gaming device or something else, or even just signing up for an account online, you want to make sure your kids are protected. It’s important to get the basics right, and you also want to be able to set parental controls, leaving little room for your child to end up in online destinations you don’t want them going.

Of course, setting controls shouldn’t be a be-all and end-all. Nothing can replace having good and open communication with your kids.

Today’s generation of kids and teens consider their devices and the Internet as extensions of their lives. So it’s really important to talk to them about how they should use their devices responsibly, what they should and shouldn’t be doing online, and how they should be treating other people.

So without further ado, let’s dive into what we should be teaching our kids about Internet safety and what we can do to enforce these teachings.


Contents

  1. Keep your online accounts secure
  2. Respect your privacy
  3. Capture and share with care
  4. Take care of your data
  5. Take care of your device
  6. Be wary of certain sites and content online
  7. Be kind

7 Internet safety tips

1. Keep your online accounts secure

Whether your child needs their own personal email address, an account for school, or a social media login, the advice is largely the same. Show them these tips:

Never use the same password twice

It seems like we can’t go a week—or even a day sometimes—without hearing about an online service being breached.

After a breach, cybercriminals often sell and re-sell the stolen data. And if your child uses the same password across multiple accounts, when one gets breached they are all vulnerable.

This is where a password manager comes in.

As parents and carers, you can introduce your kids to this nifty tool. Not only can it create lengthy and complex passwords, it remembers them all for you. Many of them auto-populate the login fields when you attempt to access an online account, so you know you are on the correct site and not an imitation site that’s phishing you.

Use strong passwords

You need to make sure the passwords your kids use are strong, and by today’s standard, this means they should have a decent amount of length.

Some websites cap the number of characters you can use in a password. Some welcome a level of complexity you can bake into a password. What you should look for is a site that sets a minimum password length of 8 characters. Anything below that…you might want to reconsider ever joining at all.

A strong password is one that nobody else knows, and is extremely hard (for a powerful computer) to guess. Make sure your child uses the maximum length with the maximum level of complexity a site can offer. For example, if a site only allows passwords that are 18 characters long and a combination of numbers and big or small letters, then create a password that has all these elements.

Your password manager can help with this. Just make sure you choose a super-strong password for the manager itself.

Enable multi-factor authentication (MFA)

Passwords alone just aren’t enough these days. You need to put in as much friction as possible in order to protect your kids’ accounts. Multi-factor authentication is a great step to add in on every service that offers it.

MFA provides an additional layer of identity confirmation. Once your child has entered their username and password, they’ll need to prove they are the account holder by using another method of verification. This could be a one-time login code sent via text, a code on an authenticator app, or a push notification, among others.

Make sure your child takes advantage of this feature when available, and if a site your child would like to try doesn’t have MFA, perhaps the better question to ask is: Security-wise, should they even be using it?

2. Respect your privacy

In our Malwarebytes 2019 Privacy Survey we found that younger generations of Internet users are actually quite privacy-conscious. However, one thing we learned is that when it comes to personally identifiable information (PII), younger people tend to have different opinions from older generations on what counts as personal data and what doesn’t.

Various states, countries, and organizations also have their own list of what data should and shouldn’t be considered PII. The European Union, for example, considers an IP address as personal data, but under the California Consumer Privacy Act (CCPA) an IP address is only “sometimes” classed as PII.

Clearly it’s confusing. But teach your kids to, at the very least, carefully consider not sharing:

  • their full name
  • the school they’re currently attending
  • their personal contact number
  • their personal email address
  • their Social Security Number (SSN)
  • your home address
  • your home phone number/landline (if you still use one)
  • email addresses of relatives and/or friends
  • information about relatives and friends, such as where they work.

Telling your kids what they can share and what they shouldn’t is a good first step to taking their privacy seriously.

From here, carefully look through your child’s browser privacy and security settings to make sure they’re as tight as they can be. Do this on all the devices they use, including their smartphones.

You might also want to install some privacy- and security-enhancing extensions for the browser. If you don’t know where to start, Pieter Arntz, Malware Intelligence Researcher and regular contributor to the Malwarebytes Labs blog, has shared the six brilliant Chrome extensions he personally uses.

Bonus points if you can encourage your kid into using a browser that is already optimized for privacy and security.

Lastly, don’t just stop at browsers. Your child’s social media platform of choice may need its privacy and security settings tinkering with as well.

3. Capture and share with care

If your kid respects their own privacy, then they should respect other people’s privacy, too.

Thanks to smartphones, we’ve found in ourselves our inner shutterbug. While being creative is good, snapping images here and there and sharing them online with nary a thought is not. This is also true for video, of course.

Tell your kids that if they plan to share online photos and videos of other people in the background, they should take the time to edit out the faces, or other elements in them that might give away locations they frequent.

And they should always ask permission first from the people in the photo or video before posting them online.

4. Take care of your data

Securing your child’s data is one of the biggest concerns of parents today. With stories of ransomware targeting and successfully hitting schools, not to mention the many other data breaches, parents and carers might feel that there is nothing they can do to protect their child’s data.

Far from it.

Securing your kid’s online accounts is the first step (see above), but there are other steps you can take to secure your child’s data.

Be careful with files and links. Cybercriminals use files and malicious links to get their malware into devices. So teach your kids to treat files and links with caution. Although criminals used to send unsolicited private messages to random recipients, things have moved on. Now they create fake social media profiles of celebrities or people your kid knows, or even compromise legitimate accounts to spread their malware.

If your child is messaged privately by a friend, classmate, relative, or anyone they might know containing a link or a file, encourage your child to contact the person via a separate method to ask if they have indeed sent that message.

Make sure all software is updated. One way for cybercriminals to infiltrate systems is to find weaknesses in software and then exploit them. Think of it like a door that anyone can open without alerting those already in the house. Make sure that door in your child’s computer is sealed, and apply updates as soon as they’re available.

Be careful when connecting to public Wi-Fi. Your child’s school Wi-Fi isn’t the only hotspot they can connect to. When they’re out with friends or at a classmate’s house, they’re bound to connect to other Wi-Fi networks. Remind your kids that they shouldn’t allow their devices to connect to Wi-Fi that doesn’t use a password. And even then, they should also be picky about what they do online or what accounts they are accessing.

If connecting to a public Wi-Fi can’t be avoided, advise them to use a virtual private network (VPN).

Don’t share passwords with anyone. And we mean, anyone—including friends. If your kid does this, it not only puts their data at risk, but also opens the door for abuse. They might be a close friend at school, but that doesn’t mean they wouldn’t try pulling a prank using your kid’s account, for example. Better safe than sorry, right?

Install an antivirus (AV) you trust. Accidents happen. Many people have clicked a dodgy link or opened a questionable email attachment at some point. And when accidents like this happen to your kids, it’s good to have an AV installed to stop malicious code from downloading or running before it could wreak havoc on your device. It could also prevent you from seeing potentially malicious sites, such as phishing sites, when you click a questionable link.

Back up data. Even if you do everything you can to protect your kid’s data, you could still end up as one of the unlucky ones. This is why it’s good practice to back up your data. This is the process of creating at least one copy of (usually) important files that we can’t afford losing. Ever.

5. Take care of your device

How your kids look after their computing devices is just as important as how they take care of the data stored in them. One form of data compromise your kids should avoid is device theft.

Lock down the device after a certain time of idleness. This way, if your child takes their eyes off their device for a bit when in a public space, the device won’t be able to be quickly accessed by anyone else.

Secure their laptop to an object. If your child is prone to spending time in public places to work on their laptop, it’s a good idea to suggest using a security cable to physically secure their laptop onto a chair or desk in case they need to leave the device for a while. Security cables can be bought online or in computer hardware shops.

Speaking of theft, it’s also good to install anti-theft or tracking software in your child’s phone and other mobile devices, such as a laptop, that they bring with them to school or anywhere.

Password protect the device. For mobile devices, this could either be a PIN or a pattern. For laptops and desktop computers, this could be a local user password, a physical security key, or a picture code to name a few.

Update your child’s device’s firmware. Just like any software that’s installed on their devices, it is equally important to update firmware. Firmware can have vulnerabilities like any regular software, and so updates should be installed as soon as possible.

6. Be wary of certain sites and content online

The Internet is a place where misinformation, fake news, and scams spread if people aren’t careful enough. Not every site on the Internet is a safe place to visit, and this is something to gently drill in your child’s mind.

Indeed, there are so many social media platforms right now that a lot of us parents cannot keep up. It’s great that your child has a number of options to choose from, but in this case ask them to be picky.

If your child has a Facebook account, perhaps it’s a good idea to talk to them about fake news and how to identify it.

They need to be wary of everyone they are talking to online. Omegle, for example, is a social site where investigators found predators encouraging young boys to expose themselves on camera. Usually, these people claim to be the same age as their victims but they are, in fact, evil grown-ups taking advantage of kids. And it’s not just boys at risk: recent research found 11-13 year old girls are the most likely targets of predators.

When it comes to picking which sites they should join or content to consume, your child could be as confused as you are. And most of the time, they follow the herd, their friends, and what’s trendy at the moment. They might need your guidance here, so prepare to learn the ropes together.

7. Be kind

…to others

Online abuse could happen to anyone. Cyberbullying, cyberstalking, threats of physical violence, flaming, non-contact sexual abuse—this includes flashing, forcing a child to perform sexual acts or take part in sexual conversations, and showing pornography among others—and other forms of abuse continue to affect many for life, with some destroying the lives of their targets and those close to them.

Instil in your child the kindness, understanding, and patience you would want others to approach them with. Healthy communication between children and parents or carers becomes significant here. Talking about any or all of these topics doesn’t just happen once. As you help them navigate through life—both the real and the digital one—such conversations should be expected to come up and (hopefully) the topics are tackled with care, respect, and zero judgement.

If you want your kids to be kind to others online, show, don’t just tell.

…to yourself

Yes, your kids can be kind to themselves, too. Being online all the time could be really fun and entertaining at first. But after a while, this could take a toll on them mentally and emotionally. Your kids could feel anxious, stressed, or tired because they’re absorbing and processing everything they see and read about.

This is why it’s advisable that they disconnect from the digital world often and reconnect with family, friends, and even with themselves. When was the last time they picked up a hobby that doesn’t involve a computer or phone? Or perhaps…when was the last time your child actually picked up a book to read for pleasure?

Should you accept this challenge…

The Internet is both a good and bad place. A good approach is to spend little to no time on sites that do not give your child a positive and learning experience. And when it comes to Internet safety for kids and teens, the best approach is for parents and carers to be involved in their child’s digital life.

I don’t mean micromanaging their digital life or making all their online decisions for them. If only that was possible!

Being involved means taking interest in your child’s online activities. It means becoming a presence when they need to understand, be reassured, be guided, be confident in what they do online. Being involved also means allowing them to decide for themselves and make mistakes—even after repeated warnings—but always being at the ready to be a confidante or sounding board when things get rough.

Internet safety should start from the home. So raise your digital native to not only be smart about staying secure online and respectful of their (and other people’s) privacy, but also a force of good in the digital realm. This is a challenge every modern parent must recognize and take to heart.

Challenge accepted.

The post Internet safety tips for kids and teens: A comprehensive guide for the modern parent appeared first on Malwarebytes Labs.

A week in security (Sept 13 – Sept 19)

Last week on Malwarebytes Labs

Other cybersecurity news

Stay safe!

The post A week in security (Sept 13 – Sept 19) appeared first on Malwarebytes Labs.

Freedom Hosting operator gets 27 years for hosting Dark Web child abuse sites

The wheels of justice have turned, if perhaps a bit slower than you may have expected. A Dublin resident, Eric Eoin Marques, has been sentenced to 27 years in federal prison. The reason is the frankly terrifying tally of child sexual abuse material (CSAM) he helped to distribute. Eoin helped to make no fewer than 8.5 million images of abuse available on the Dark Web. No fewer than 2 million of those images contained victims not previously known to those in law enforcement circles.

The main point of reference for these acts was something called “Freedom Hosting”. This website hosting service helped keep all of the illegal content online, and available for distribution. Law enforcement seized $155,000 from Marques, who stated that his business had been “very successful”.

How did the FBI, Interpol, and the Garda set about taking this nest of vipers down?

How Freedom Hosting operated

Freedom Hosting operated as a hidden service (a destination on the Dark Web), available to Tor users if they knew where to look for it. To prevent any confusion, as per the Tor blog:

The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research.

According to the investigation, “the hosting service contained over 200 child exploitation websites that housed millions of images of child exploitation material”. Essentially, they played host to the absolute worst of the worst. 

Shortly after the FBI began seeking Eoin’s extradition in 2013, malware—later identified as EgotisticalGiraffe—was discovered on a number of Freedom Hosting sites. The malware exploited a bug in the Tor browser that revealed the IP addresses of visitors, defeating Tor’s anonymity protection, and allowing them to be located.

The FBI later revealed in court that it had taken control of Freedom Hosting in July 2013 and planted the malware to identify people looking for CSAM there.

Racking up the charges

Marques at this time was facing up to four charges, plus extradition to the US, which eventually happened in 2019. By the end of it all, he stood accused of creating and operating servers from 2008 to 2013. He pleaded guilty at the start of 2020, after a year-long investigation.

Things have now come to a conclusion, for him at least, and he won’t be out of prison for a very long time. Considering his initial admission of guilt came with a mandatory sentence of 15 years, he managed to end up with quite a few more added to the tally.

Watching the dominoes fall

The combined efforts of law enforcement around the world have made a significant dent on this one operation. One suspects in real terms it’s a drop in the ocean with regards to numbers. Even so, this is a fantastic result:

More than 200 primary sites taken offline, along with “hundreds of other sites” sponsoring or facilitating the various activities; “The activities of tens of thousands of online pornographers disrupted”; over 4 million images / videos seized, and more than 100 unknown series of abuse uncovered; “dozens” of offenders identified and prosecuted throughout the world.

As for Marques himself, he apparently kept out of the limelight and “lived a quiet life”. He is also said to have been searching for information on Russian visas and passports, hoping to make extradition as tricky as possible.

We’re pleased to say this didn’t happen, and he’s proof positive that you can’t always hide from the long arm of the law.

The post Freedom Hosting operator gets 27 years for hosting Dark Web child abuse sites appeared first on Malwarebytes Labs.

Microsoft makes a bold move towards a password-less future

In a recent blog Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

A long time coming

At first glance this looks like a great idea and many users will sigh in relief and wait in hope for the next tech giant to take this step. All those that were in favor of this change must have thought: What took them so long?

In 2019 Bret Arsenault, Microsoft’s security chief, explained why the company was eliminating passwords. And in 2020 Microsoft started to enable alternatives for many of its products, like Yubico, HID Crescendo, TrustKey, and AuthenTrend.

All these alternatives are a lot more secure and harder to compromise and we have been advocating them as a second factor in login procedures for ages.

Why get rid of passwords?

Microsoft gives two reasons for this move:

  • Nobody likes passwords (which I can guarantee is not true).
  • They are a prime target for attacks.

One of the reasons that nobody likes passwords is that the password situation has also been made worse by ridiculous and unnecessary rules, such as asking users to pick passwords that follow formulas, or forcing users to change their password every few months. Both have been discredited but continue to haunt us. Formulas reduce the number of possible passwords a user can pick from, and regular password resets encourage users to pick passwords that conform to a predictable pattern, both of which can make guessing passwords easier, which is the opposite of what we want.

I will agree that the fact that passwords can be guessed makes them a target. But the reasoning here is a bit crooked in my opinion. If the thieves are after my jewellery, sure I can sell it at the nearest pawn shop. But is that not just shifting their attention elsewhere? Now I have money, and that’s a target too.

Shifting from passwords to biometrics has this same problem many times over. If I swap my password for my fingerprints, my fingerprints become a target. Can I replace my fingerprints if I lose them? What ways will criminals think of to steal them? And what happens when they have them? Talk about re-using the same credentials everywhere…

Expert opinion from Per Thorsheim

Malwarebytes Labs was somewhat divided in our opinions about this news, so we decided to reach out to one of the world’s leading experts on passwords, Per Thorsheim, who tweeted some major concerns about this Microsoft initiative.

Malwarebytes Labs: Per, thank you for your time, can you tell our readers a bit about yourself and how you got so interested in passwords?

Per Thorsheim: I’m Per Thorsheim, and I am the founder and main organizer of PasswordsCon, the first and only global conference dedicated to passwords and digital authentication. By day I work with security for BankID, the digital ID/authentication/signature solution in Norway, operated by vipps.no. My rather obsessive interest in passwords came about when I was working as a penetration tester for PWC, and somewhere pre-Y2K managed to get Domain Admin in less than a day of a Fortune 500 company due to an employee using “Password” as his password.

In December 2010 I ran PasswordsCon for the first time, by invitation from the university here in Bergen, on the west coast of Norway, where I live. (See passwordscon.org for more info.)

Malwarebytes Labs: Is it correct to assume that your major concern is what happens when people lose access to their account for some reason? And would the same objections not also apply if they used one of Microsoft’s passwordless options as a second factor of authentication?

Per Thorsheim: Yes, at the time of writing that is my main concern. Or not exactly, better rephrase that as “when people lose access to their choice of authenticator, and by that lose access to their Microsoft account”. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers. As a result I’ve seen people just resign and create a new account instead. This can in particular be seen with teenagers and their use of social media such as Instagram, TikTok, and Snapchat. It’s just easier to create a new account and tell your friends you have a new username.

Now that Microsoft allows you to actually REMOVE your password and thus your “something you know” factor, are we only left with options that can be easily stolen or abused in close relationships? Does this make those scenarios easier, as an attacker no longer has to guess or obtain a victim’s password? Are we essentially degrading from passwords to simple 4-6-8 digit PINs?

I don’t have the answers, but I have to say I am impressed by Microsoft taking this bold step forward.

I’m old enough to have seen tons of different solutions that promised better UX and/or better security, with so many failing miserably. I’ve seen corporate integrations of smartcards, a myriad of two-factor solutions, including the infamous RSA SecurID.

During pen-tests and audits I remember seeing admins removing the need for SecurID OTP and setting the PIN to “123456” or similar for CxO levels and members of the board. “Because they said it was too hard to remember bringing that hardware token with them all the time”.

CxO-level executives also sometimes have personal assistants, who administer the majority of the digital lives of the person they work for. And then there’s the shared accounts to handle, like press, booking or helpdesk. That’s just some of the many challenges corporations face these days where ‘personal’ accounts are not the only types of accounts in existence.

Malwarebytes Labs: What would, in your expert opinion, be a better alternative for abandoning passwords altogether—one that deals with brute force attacks and phishing for passwords?

Per Thorsheim: I honestly do not believe there is a solution available for abandoning passwords. There is no risk analysis justifying their removal, neither is there a cost/benefit analysis.

On the other hand, there are tons of business cases supporting attempts to develop and sell solutions to remove, replace or at least hide passwords for users.

Now that Microsoft provides an option to remove your password for free, I wonder what the REAL cost of doing so will be for us all—and for Microsoft. Only time will tell.

I hope this works for you. I can go on for hours on this, but… 🙂

Malwarebytes Labs: Thank you Per, for your precious time and your valuable insights.

While we still have passwords

Time will tell whether this “bold move” from Microsoft will make for an improvement in security or not. We would like to advise users to think it through before taking their first steps towards the password-less future.

Whether you embrace Microsoft’s passwordless features or not, the fact is that you are likely to be using passwords elsewhere for a long time to come. While that’s still true, one of the best things you can do for your password security is use a password manager. Not only do they make it easier to create and remember strong passwords, and to avoid password reuse, they also stop us filling out our credentials on fake (phishing) sites!

The post Microsoft makes a bold move towards a password-less future appeared first on Malwarebytes Labs.

FBI and CISA warn of APT groups exploiting ADSelfService Plus

In a joint advisory the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warn that advanced persistent threat (APT) cyber-actors may be exploiting a vulnerability in ManageEngine’s single sign-on (SSO) solution.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in question is listed under CVE-2021-40539 as a REST API authentication bypass with resultant remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus version 6113 and prior.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network.

In-the-wild exploitation

When word of the vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat-actor. Yesterday’s joint advisory seems to support that, telling us that APT cyber-actors are likely among those exploiting the vulnerability.

They find this of high concern since this poses a serious risk to critical infrastructure companies. CISA recognizes 16 critical infrastructure sectors whose “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

The joint advisory points out that the suspected APT cyber-actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors—including transportation, IT, manufacturing, communications, logistics, and finance.

It also warns that successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

According to the advisory, the JavaServer Pages web shell arrives as a .zip file “masquerading as an x509 certificate” called service.cer. The web shell is then accessed via the URL path /help/admin-guide/Reports/ReportGenerate.jsp.

However, it warns:

Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the web shell.

Please consult the advisory for a full list of IOCs.
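The two indicators quoted above (a service.cer that is really a .zip, and requests to the web shell path) can be checked with a short script. This is an added example, not code from the advisory or from ManageEngine; it assumes the web server writes Common Log Format lines, and the sample log and byte strings are constructed.

```python
"""Triage helpers for the two indicators quoted from the joint advisory."""
import re
from urllib.parse import unquote

# URL path the article quotes for the JSP web shell.
WEBSHELL_PATH = "/help/admin-guide/Reports/ReportGenerate.jsp"

# ZIP signatures: local file header, empty archive, spanned archive.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

# Assumption: Common Log Format. Adjust the pattern to your server's layout.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" '
    r'(?P<status>\d{3})'
)


def classify_cert_bytes(data: bytes) -> str:
    """Classify the start of a .cer file as 'zip', 'pem', 'der' or 'unknown'."""
    if data.startswith(ZIP_MAGICS):
        return "zip"  # an archive masquerading as a certificate
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"
    # Heuristic: a DER certificate is an ASN.1 SEQUENCE (tag 0x30) whose
    # length is almost always in long form (0x81-0x83).
    if len(data) >= 2 and data[0] == 0x30 and data[1] in (0x81, 0x82, 0x83):
        return "der"
    return "unknown"


def classify_cert_file(path: str) -> str:
    """Read only the first bytes of a file on disk and classify them."""
    with open(path, "rb") as handle:
        return classify_cert_bytes(handle.read(64))


def normalize_path(target: str) -> str:
    """Reduce a request target to a comparable path."""
    path = unquote(target.split("?", 1)[0])  # drop query, decode %xx
    path = path.split(";", 1)[0]             # drop ;jsessionid=... parameters
    # Lower-casing is deliberately lenient: hosts may serve paths
    # case-insensitively.
    return re.sub(r"/{2,}", "/", path).lower()


def find_webshell_requests(log_text: str) -> list:
    """Return one dict per log line that requested the web shell path."""
    wanted = WEBSHELL_PATH.lower()
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = LOG_LINE.match(line)
        if match and normalize_path(match["target"]) == wanted:
            hits.append({
                "line": number,
                "client": match["client"],
                "method": match["method"],
                "status": int(match["status"]),
            })
    return hits


# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Sep/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [16/Sep/2021:10:03:44 +0000] "POST /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 87
198.51.100.7 - - [16/Sep/2021:10:04:10 +0000] "GET /help/admin-guide/Reports/ReportGenerate.jsp?x=1 HTTP/1.1" 200 133
192.0.2.10 - - [16/Sep/2021:10:05:00 +0000] "GET /help/admin-guide/index.html HTTP/1.1" 200 2048
203.0.113.5 - - [16/Sep/2021:10:06:30 +0000] "GET /help/admin-guide/Reports/%52eportGenerate.jsp HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in find_webshell_requests(SAMPLE_LOG):
        print("web shell path requested:", hit)
    # Constructed header bytes standing in for a suspicious service.cer.
    print("service.cer looks like:", classify_cert_bytes(b"PK\x03\x04\x14\x00"))
```

Because the advisory says the attackers run clean-up scripts, an empty result from either check does not rule out compromise.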

Mitigation

A patch for this vulnerability was made available on September 7, 2021. Users are advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urge organizations to make sure that ADSelfService Plus is not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations. It also has information about how you can reach out to support if you need further information, have any questions, or face any difficulties updating ADSelfService Plus.

Stay safe, everyone!

The post FBI and CISA warn of APT groups exploiting ADSelfService Plus appeared first on Malwarebytes Labs.

Facebook’s own research reveals the harm that Instagram can inflict

For years, people have accused social media, and particularly image-driven sites like Instagram, of being bad for young people, particularly young women. It turns out that Instagram’s owner, Facebook, agrees.

Thirty-two percent of teen girls said that when they felt bad about their bodies, Instagram made them feel worse.

This was one of the findings of internal Instagram researchers which was included in a presentation slide posted to Facebook’s internal messaging board in March 2020. It continues:

“Comparisons on Instagram can change how young women view and describe themselves.”

The Wall Street Journal (WSJ) has reviewed and revealed the contents of such slides in its latest instalment in The Facebook Files, a WSJ series of investigative articles based on “internal Facebook documents, including research reports, online employee discussions and drafts of presentations to senior management.” Sometimes, included in these reports are findings from other companies the social network giant owns, like Instagram and WhatsApp.

Concerned parents and carers who have observed or heard something from a teen who is being affected by Instagram will likely find confirmation of what they already know: Instagram is not helping with their body issues and sense of self at all. What may be more shocking to them is that Facebook knows this too.

What Facebook knows

Facebook has been conducting internal studies of how Instagram affects its young users for three years, but had never shared any of its findings until three days ago, in response to the WSJ investigation.

According to the Journal, more than 40 percent of Instagram users are 22 years old or younger, with about 22 million teens logging on to Instagram in the US each day. The social media giant is said to have repeatedly found that Instagram is harming its young users, especially teenage girls.

It reports that the research conducted by Facebook revealed that Instagram makes body image issues worse for about one in three girls; that teenagers blame Instagram for increases in the rate of anxiety and depression; and that one in five teenagers said that Instagram makes them feel worse about themselves. The slides also revealed that a percentage of female teens in the US and UK have suicidal thoughts over what they see on Instagram.

Teen girls aren’t the only ones affected though. In Facebook’s 2019 research report, it found that 14 percent of boys in the US had said that Instagram made them feel bad about themselves. The following year, they found that 40 percent of teen boys experienced negative social comparisons. This, the researchers have concluded, is a problem specific to Instagram.

“Social comparison is worse on Instagram,” is what Facebook noted after doing a deep dive into body image issues in teen girls in 2020. What Instagram users tend to do is share only the best and most perfect photos and moments, which can trigger negative reactions, and may even lead to eating disorders, an unhealthy outlook towards themselves, and depression.

According to the researchers, young Instagram users who are struggling with mental health are aware that the app is affecting them in a negative way and need to spend less time on it, but admit they couldn’t stop themselves.

Facebook executives are stumped

The Journal claims that Facebook’s internal documents reveal that it has done little to address these issues, and even downplays these in public. For example, Adam Mosseri, head of Instagram, has told reporters that the research suggests the app’s effects on teen well-being are “quite small”.

“In no way do I mean to diminish these issues…. Some of the issues mentioned in this story aren’t necessarily widespread, but their impact on people may be huge,” Mosseri further said in an interview with the Journal.

In another example, Mark Zuckerberg, CEO of Facebook, said at a March 2021 congressional hearing that, “The research that we’ve seen is that using social apps to connect with other people can have positive mental-health benefits,” which only highlights one side of the story while failing to mention the other.

Instagram’s response to the WSJ, written by Karina Newton, head of public policy on Instagram, says the Journal focusses on “a limited set of findings and casts them in a negative light”. She stands behind the company’s research and efforts to make things better for every teen user on Instagram, writing that “It demonstrates our commitment to understanding complex and difficult issues young people may struggle with, and informs all the work we do to help those experiencing these issues.”

In other words, as so many Facebook profiles say: It’s complicated. “The research on the effects of social media on people’s well-being is mixed, and our own research mirrors external research. Social media isn’t inherently good or bad for people. Many find it helpful one day, and problematic the next. What seems to matter most is how people use social media, and their state of mind when they use it.”

The Journal claims that Facebook executives are struggling to find ways to reduce Instagram’s harm while keeping people on the platform. Project Daisy, for example, was a pilot program created as a potential solution to keeping kids from feeling anxious and having negative feelings, based on focus group feedback, when they see “like” counts. In Project Daisy, “like” counts are hidden. However, the results of the program have revealed that it didn’t improve teens’ lives.

Project Daisy was rolled out, nonetheless, with executives noting in an internal discussion that this, essentially, is just for show. “A Daisy launch would be received by press and parents as a strong positive indication that Instagram cares about its users, especially when taken alongside other press-positive launches.”

Mosseri acknowledges in an interview with the Journal that he doesn’t think there is a clear-cut solution to fixing Instagram. “I think anything and everything should be on the table,” he said, “But we have to be honest and embrace that there’s trade-offs here. It’s not as simple as turning something off and thinking it gets better, because often you can make things worse unintentionally”.

In a comparison that might not have come across in the way he hoped it would, Mosseri recently equated social media to cars in a podcast interview with Peter Kafka on the Recode Media podcast. “Cars have positive and negative outcomes. We understand that. We know that more people die than would otherwise because of car accidents. But by and large, cars create way more value in the world than they destroy. And I think social media is similar.”

However, Kafka, and some helpful users on Twitter, pointed out that they are not the same at all: Cars are heavily regulated, licensed, policed, regularly tested for problems, are not accessible to teens who are 16 years old and below, and have meaningful safety measures in place.

This is a call for help

Perhaps what stands out most from the reporting is not a single statistic, or how negatively Instagram has been affecting teens for years, or even that Facebook is well aware of the negative side of its social media empire, but the fact that the teens who are reporting problems are finding it really difficult to unplug or quit the app.

Parents and carers: Do not expect Instagram or Facebook to do this for you any time soon, because these online services were engineered to make users want to come back for more, even when they know it’s not good for them.

As computer scientist Dr. Cal Newport said in his memorable TED Talk, Why you should quit social media, social media is designed to provide a constant flow of small, intermittent rewards, just like a slot machine. Newport: “It’s one thing to spend a couple of hours at a slot machine in Las Vegas, but if you bring one with you, and you pull that handle all day long, from when you wake up to when you go to bed: We’re not wired for that”.

Kids cannot be expected to handle the social media slot machine alone—parents, family members, and our children’s friends all have a role to play in helping our kids overcome this.

The post Facebook’s own research reveals the harm that Instagram can inflict appeared first on Malwarebytes Labs.

Ransomware scammers target artists with fake Krita revenue deals

The Krita digital painting application is currently being targeted by ransomware authors. Available on Steam and other platforms, it’s a powerful tool with a very cheap purchase price and great reviews. A perfect bit of bait to start reeling in potential victims, in other words.

How does the scam work?

Ransomware scammers send out mails to artists. Those mails claim to be from the team behind the Krita tool, and contain links which redirect potential victims to the real domain. This is to make everything look above board and legitimate.

The mails seen so far read as follows:

Hello dear, please give me a moment of your time. Krita team is eager to collaborate with you.

After this follows a generic promo text for the program. They follow this up with:

We would like to consider integrating a 30-45 second ready-made promo into your media space (Facebook, Instagram, Youtube), can we consider that?

Other mails claim that once the registration process is done and dusted, an email address, payment information, and phone number are required. Yes, there’s a bit of data grabbing alongside the malware slinging.

The aim of the game is revenue generation, and this is always going to be an attractive proposition for artists.

The bogus mediabank zip makes its entrance

Regardless of how the emails present themselves, there’s one common factor. They claim to link to a “mediabank” which contains icons, screenshots and previous video campaigns. The contents are “confidential”, which is a sneaky way to prevent potential victims telling anybody about it.

Some folks have reported the contents of the zip as .scr files masquerading as images/videos.

Why an scr file?

Any scam which involves images has a good chance of falling back on scr files. It’s a very old technique. Folks unfamiliar may think it means “screenshot”. This is especially the case where they’re opening up zips expecting to see imagery. Sadly, this isn’t the case. An scr is a screen saver file, and it runs on your system like a program. If it contains bad things, then bad things will be headed your way in an instant.

Tricking visual artists with scr files seems like a particularly cruel trick, whether intentional or not.

What happens next?

Krita previously reported this as ransomware, and as you can see, the mails are still going strong:

They look pretty convincing, which certainly won’t hurt the scammers one bit. If you’re going to trick people who work with visuals, it pays to look as good as possible.

Forward on any dubious messages you receive to the Krita team, and delete the mails afterwards. Don’t trust zip attachments, and give any scr file extensions a wide berth. Showing file extensions is also helpful, both for this and any other potential attacks generally. It appears a lot of the domains used for these mails are down, but it’s easy enough to put up replacements. Be careful out there!
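To make the “show file extensions” advice concrete, here is an added Python example (not from the original post or the Krita team) that inspects a zip without extracting it and reports members that are screen savers dressed up as media. The media extension list, the reason labels and the sample archive are constructed assumptions; the check for an `MZ` header, which marks a Windows program whatever the file is called, goes one step beyond the file-name check the article describes.

```python
import io
import re
import zipfile

SCREENSAVER_EXTS = {".scr"}          # the extension the article warns about
MEDIA_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".mp4", ".mov", ".avi"}  # assumed list


def inspect_archive(zip_bytes):
    """Return {member name: [reasons]} for members that are not what they claim."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            parts = [p.strip().lower() for p in base.split(".")]
            final_ext = "." + parts[-1] if len(parts) > 1 else ""
            inner_exts = {"." + p for p in parts[1:-1]}

            reasons = []
            if final_ext in SCREENSAVER_EXTS:
                reasons.append("screensaver-extension")
                if inner_exts & MEDIA_EXTS:
                    # e.g. video.mp4.scr: looks like a video when extensions are hidden
                    reasons.append("double-extension")
            if re.search(r"\s{3,}", base):
                # long runs of spaces push the real extension out of view
                reasons.append("padded-name")
            try:
                with archive.open(info) as member:
                    head = member.read(2)
            except RuntimeError:      # encrypted member: content cannot be read
                head = b""
            if head == b"MZ":
                reasons.append("pe-content")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed, harmless stand-in for the 'mediabank' zip described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("mediabank/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        archive.writestr("mediabank/promo_video.mp4.scr", b"MZ" + b"\x00" * 62)
        archive.writestr("mediabank/icons.png      .scr", b"placeholder bytes")
        archive.writestr("mediabank/banner.jpg", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample_archive()).items():
        print(f"{name!r}: {', '.join(reasons)}")
```
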

The post Ransomware scammers target artists with fake Krita revenue deals appeared first on Malwarebytes Labs.

HP OMEN users, update your driver now!

HP has released a patch to fix a flaw in the HP OMEN driver.

As far as we know the flaw isn’t being actively exploited, but it’s worth applying the patch as soon as you can.

The flaw, the fix

The driver vulnerability, which is tracked as CVE-2021-3437, was found by Kasif Dekel, a senior security researcher at SentinelLabs.

If exploited, the vulnerability could allow a malicious threat actor to escalate privileges to kernel mode. This would enable the actor to perform tasks within affected systems, such as disabling security solutions, running malicious code in kernel mode, elevating privileges of other users, and more. Exploiting this flaw could also allow the actor to trigger a denial-of-service (DoS) condition, which prevents traffic from going to the device.

The driver, HpPortIox64.sys, is used by the HP OMEN Gaming Hub (previously called HP OMEN Command Center), software that comes pre-installed in HP OMEN systems. Although this SYS file is created by HP, according to Dekel, it is actually “a partial copy of another problematic driver, WinRing0.sys, developed by OpenLibSys.”

HpPortIox64.sys essentially inherited the kernel-mode privilege problem from WinRing0.sys.

“It’s worth mentioning that the impact of this vulnerability is platform dependent,” continues Dekel in the report, “It can potentially be used to attack device firmware or perform legacy PCI access by accessing ports 0xCF8/0xCFC. Some laptops may have embedded controllers which are reachable via IO port access.”

The flawed HP driver accepts IOCTL (Input/Output Control) requests from non-privileged users, who aren’t subjected to access control rules. Because of this, such drivers can be abused, “by design.”

Road 96 and OMEN

It’s worth mentioning that HP’s first official video game, Road 96, gives its video game players and fans the option to download the OMEN Gaming Hub in a section of the game.

The Road 96 in-game menu says “Install and launch OMEN Gaming Hub to unlock a special ability”. Will you though?

Although we can’t say for sure if the driver problem will pose a threat to non-HP users should they agree to install the Hub, we do note another threat to consider. According to Chris Boyd, lead malware intelligence analyst for Malwarebytes, “Certain games offer additional skills or abilities in return for installing OMEN, such as the award-winning, Road 96. As a result, many people will have it on their system even if they have no intention of ever using it. Where updates aren’t taking place, this could be dangerous should an exploit arise in the wild.”

The post HP OMEN users, update your driver now! appeared first on Malwarebytes Labs.

3 security lessons from an MSP that survived the Kaseya VSA attack

Jay Tipton, chief executive for the Managed Service Provider (MSP) Technology Specialists, remembers his Fourth of July weekend this year like many MSP employees likely remember theirs: As a bit of a nightmare.

“That’s like the worst feeling you’ll ever have,” Tipton said about his initial impressions about a fast-moving ransomware attack that he originally thought hit just his company. His Microsoft Outlook instance closed down unexpectedly, his phone rang and he learned about a customer having trouble connecting to some software tools, and then, just minutes later, his phone rang again. The number of customer problems had already multiplied.

As Tipton and the world would soon learn, his Fort Wayne, Indiana-based MSP was just one of up to 1,500 companies ensnared in what is probably the largest ransomware attack ever, when threat actors poisoned the remote monitoring and management software tool Kaseya VSA—a favorite for many MSPs—with ransomware.

The attack, which actually led to grocery stores shuttering their doors in Sweden, proved so detrimental because of its cascading nature. By attacking Kaseya VSA, threat actors not only managed to compromise the software, but also the MSPs that used the software, and the small- to medium-sized businesses that were supported by those same MSPs.

Recovery for Tipton’s company has been slow but hopeful. Technology Specialists retrieved data for its customers, maintained strong customer relationships, and even received an outpouring of support from ex-employees and clients themselves.

But in speaking with MJ Shoer, executive director for the nonprofit CompTIA’s Information Sharing and Analysis Organization, Tipton revealed that even the best recovery plans will hit unforeseen obstacles.

Take, for instance, Technology Specialists’ efforts in recovering their clients’ data. Their backups worked, Tipton said, but the process itself happened slower than expected.

“We’ve had some restoring issues, and part of it had to do with download speeds, because everyone was trying to hit the same data centers at the same time,” Tipton told Shoer. “That’s part of the problem. You can’t plan for that.”

Through this process, Tipton compiled a long list of things he’d like to change moving forward, most of it on a large Post-It note covering much of one of his walls. Here’s what Tipton is focusing on moving forward. His lessons are relevant to all organizations, not just MSPs.

Ransomware recovery lessons

1. Put passwords and disaster recovery plans on paper

If the worst happens, you’ll wish you had made a recovery plan. Recovery plans typically identify the key systems and data inside your organization, and the shortest path to restoring critical business functions.

Following the Kaseya VSA ransomware attack, Tipton said that he is focusing on a way to provide “paper printouts” for his company and his clients’ disaster recovery plans. He also added that he wants to find a way to “securely print out passwords” because the attack also seemingly affected Technology Specialists’ password vault.

“We had to wait almost 36 hours to get our password vault restored so we could get passwords out of it,” Tipton said.

Both ideas have immediate value for any business, big or small. A disaster recovery plan is only as useful as it is accessible, and an inaccessible password vault could slow down literally every single part of a data recovery effort if administrators simply cannot access their accounts.

2. Say goodbye to public whitelists

Allowing MSPs to manage some or all of their IT and security makes sense for lots of small businesses, but it comes with its own risks. MSPs act as administrators, so any tools they use get administrator privileges too. MSPs also need to make their toolchain work across all the various customer environments they work with.

A common practice for MSP software vendors is to advise users of directories that should be “whitelisted” against antivirus software, so that their software can work without interference from cybersecurity tools. This practice is understandable—attackers try hard to disguise themselves as administrators and security tools have the difficult job of letting legitimate remote administration go ahead while stopping malicious remote administration—but it is ill-advised.

These whitelist guides are available for anyone to view online, but, according to Tipton, Technology Specialists is asking for more control over how to actually treat some directories. Tipton said some of what he’s doing moving forward is “not allowing the software vendors to push us into whitelisting directories. That’s not happening anymore.”

“Give me control of which directory it is and how far down I can bury it—I’ll consider it, because then I can control how it’s working, what’s going on in there, and where it’s at so it’s not public knowledge that directory exists,” Tipton said. “But this open whitelisting of programs and directories isn’t going to happen.”

3. Insist that software is digitally signed

In speaking with Shoer, Tipton mentioned that one of the vendors that Technology Specialists uses has the annoying habit of changing its DLLs (the software libraries that their product uses) quite regularly. Tipton said he will not allow that anymore unless the vendor starts digitally signing the DLLs.

Why? Because this is another situation where legitimate behavior and malicious behavior can look very similar. If a DLL changes and it hasn’t been signed by the vendor, Tipton has no way of knowing if the new DLL is legitimate or if it has been tampered with by an attacker.

“I’ve got a vendor that likes to keep changing their DLLs, and I think some of them change on the fly and it causes all kinds of problems,” Tipton said. “You’re going to have to sign your program with a cert because I’m going to block it and it’s not optional.”

Moving on

People are often understandably reluctant to talk about their experiences with ransomware, so we applaud Tipton for being open and transparent, and giving us all the opportunity to benefit from his experience.

All of Tipton’s goals seem to be focused on giving Technology Specialists more visibility and capability into how it supports its clients. And perhaps that’s the right mindset—Tipton shared with Shoer that his business lost very few clients after the attack, and of the clients he did lose, seemingly all of them misplaced blame on the MSP itself.

“There are a few that don’t get it, won’t ever get it, will never understand, and say it’s all our fault,” Tipton said. “I can’t change their minds, so I’ll just shake their hands, part as friends, and go on with life.”

Ransomware podcasts

Ransomware recovery is an important subject that benefits enormously from the real-world perspective and experience of those who have been through it. Several recent episodes of Malwarebytes Labs’ Lock and Code podcast have dealt with different aspects of recovering from ransomware.

Racing against a real-life ransomware attack

At 11:37 pm on the night of September 20, 2019, cybercriminals launched a ransomware attack against Northshore School District in Washington state. Early the next morning, Northshore systems administrator Ski Kacoroski arrived on scene. Kacoroski explains what happened next, and what Northshore did to recover from the attack and prevent it from happening again.

🎧 Listen to Racing against a real-life ransomware attack

“Seven or eight” zero-days: The failed race to fix Kaseya VSA

The Dutch Institute for Vulnerability Disclosure (DIVD) discovered “seven or eight” zero-days in Kaseya VSA before the REvil ransomware group did. DIVD chair Victor Gevers explains why that wasn’t enough to stop the biggest ransomware attack in history, and reveals that Kaseya VSA’s vulnerabilities represent just one data point in a far larger and more worrying trend.

🎧 Listen to “Seven or eight” zero-days: The failed race to fix Kaseya VSA

Why backups aren’t a “silver bullet” against ransomware

Any cybersecurity expert will tell you that the last line of defense against ransomware is backups. But if they’re so important, why are we still so bad at getting them right? Host David Ruiz speaks with VMware’s Matt Crape about why making good backups is so hard, and what missteps you should watch out for.


The post 3 security lessons from an MSP that survived the Kaseya VSA attack appeared first on Malwarebytes Labs.

What are computer cookies?

We all know cookies as tasty baked treats that we love to eat, but computer cookies are quite different. Although they’re most popularly known as just “cookies”, they may be referred to as browser cookies, Internet cookies, HTTP cookies, web cookies, computer cookies, or digital cookies.

What are cookies?

Cookies are pieces of information that a website can save in your browser. Websites can ask your browser to save cookies whenever the browser asks it for a page, picture, download, or any other piece of information. Until the cookie expires, the browser will keep it, and send it back to the website whenever it requests anything else.

The language web browsers and websites use to talk to each other is “stateless”, meaning that every message is totally independent and isolated from every other message. It’s like having a conversation with somebody who instantly forgets who you are after every sentence.

One of the most common uses for cookies is to provide a link between messages, so that a website can remember who you are, and tell that your messages are coming from the same individual.

To do this, a website sends a web browser a cookie with a unique ID the first time they communicate, and the web browser repeats the unique ID back to the website every time it sends a message.

In the language of the web, cookies allow us to link sentences into conversations.

Without this functionality we would not be able to log in to any websites, keep wish lists, see recommendations, use web-based video or instant messaging, or do most of the other things we rely on websites for.

Importantly, websites can read their own cookies, but can’t read cookies saved by other websites. However, there is a loophole that has led to most of the problems we have come to associate with cookies: third-party cookies.

Tracking with third-party cookies

Many people associate cookies with the cross-site tracking used by advertising companies. Advertisers like Google and Facebook can track users as they travel around the web from site to site, building up profiles of the kinds of sites they like to visit, and showing them targeted advertising.

Tracking somebody across multiple sites like this relies on third-party cookies.

Although a website can only read cookies that it has created, individual web pages can be assembled from components hosted by multiple websites. Sometimes those components are visible, like images, and sometimes they are just bits of code you can’t see.

If a website you visit includes a component pulled from another website (a third-party), that third-party website can send and receive cookies along with the component. If you visit a different website that includes the same third-party component, the third-party can read its cookies on both sites.

This is how Facebook uses its Like buttons, and Google uses its advertising code, to track you across the web. They can tell whenever you visit a site that includes one of their components because they can read their own cookies.

Importantly, the tracking stops if you block or delete those cookies.

Session cookies, persistent cookies, and “super cookies”

Just like edible cookies, digital cookies come in different flavors. Cookies that expire whenever you close your browser are called session cookies. These are used for temporary things, like telling a website that you have logged in successfully. If a website uses session cookies for its logins then you will be logged out when you close your browser, and you will have to log in again when you next visit.

Cookies that aren’t deleted when you close your browser are called persistent cookies. Persistent cookies last until you delete them, or until they expire. These are useful for things like remembering your username, so it can be pre-filled when you visit a website you have logged out of.

For all practical purposes, persistent cookies can last forever. (On 32-bit systems cookies can’t live past 2038, but we assume you’ll be using a different device by then.)

Because third-party tracking can be defeated by users deleting their cookies, some unscrupulous advertisers have turned to other things that can offer cookie-like persistence, such as ETags or browser fingerprints. Technologies that act like cookies, but aren’t affected by blocking or deleting regular cookies, are unofficially referred to as super-cookies.
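The Python model below is an added example, not part of the original article. It plays out the two mechanisms described above: a third-party component recognising its own unique-ID cookie on two different sites, and session cookies disappearing when the browser closes while persistent ones survive. The host names, the `uid` cookie name and the `Server`/`Browser` classes are hypothetical.

```python
import itertools
from http.cookies import SimpleCookie


class Server:
    """A website that hands out a unique-ID cookie and recognises it later."""

    def __init__(self, host, max_age=None):
        self.host = host
        self.max_age = max_age            # None -> session cookie, else persistent
        self._next_id = itertools.count(1)
        self.seen = []                    # (visitor id, page the request came from)

    def handle(self, cookie_header, page_host):
        cookies = SimpleCookie(cookie_header)
        if "uid" in cookies:              # browser repeated the ID back to us
            uid, set_cookie = cookies["uid"].value, None
        else:                             # first contact: issue a new ID
            uid = f"visitor-{next(self._next_id)}"
            set_cookie = f"uid={uid}"
            if self.max_age is not None:
                set_cookie += f"; Max-Age={self.max_age}"
        self.seen.append((uid, page_host))
        return set_cookie                 # value of the Set-Cookie header, or None


class Browser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}                     # host -> {name: (value, persistent?)}

    def _request(self, server, page_host):
        third_party = server.host != page_host
        use_cookies = not (third_party and self.block_third_party)
        # A host only ever receives the cookies that the same host set.
        stored = self.jar.get(server.host, {}) if use_cookies else {}
        header = "; ".join(f"{name}={value}" for name, (value, _) in stored.items())
        reply = server.handle(header, page_host)
        if reply and use_cookies:
            for name, morsel in SimpleCookie(reply).items():
                persistent = morsel["max-age"] != ""
                self.jar.setdefault(server.host, {})[name] = (morsel.value, persistent)

    def visit(self, site, embeds=()):
        """Load a page, then each component it embeds from other hosts."""
        self._request(site, site.host)
        for component in embeds:
            self._request(component, site.host)

    def close(self):
        """Closing the browser drops session cookies and keeps persistent ones."""
        for host in list(self.jar):
            self.jar[host] = {n: c for n, c in self.jar[host].items() if c[1]}


def run_scenario(block_third_party=False):
    tracker = Server("ads.example", max_age=31536000)            # persistent cookie
    news, shop = Server("news.example"), Server("shop.example")  # session cookies
    browser = Browser(block_third_party)
    browser.visit(news, embeds=[tracker])
    browser.visit(shop, embeds=[tracker])
    browser.close()
    browser.visit(news, embeds=[tracker])
    return {"tracker": tracker.seen, "news": news.seen}


if __name__ == "__main__":
    print(run_scenario(block_third_party=False))
    print(run_scenario(block_third_party=True))
```

With third-party cookies allowed, the tracker logs the same visitor ID on both sites and again after the restart; with them blocked, every request looks like a new visitor, so the visits cannot be linked.
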

So, are cookies bad?

No. Cookies are essential to the operation of the web as we know it and are used for many useful, helpful things. However, cookies can also be used for things some people don’t like, such as third-party tracking, and adverts that seem to follow you around the web.

Luckily, cookies are easy to control. All browsers let you delete cookies, and there are numerous browser add-ons that can be used to block cookies, or control what cookies you will and won’t allow.

In response to increased sensitivity about cross-site tracking, some browsers, including Firefox, Safari, and Brave, now block third-party cookies by default. Google is working on an alternative, more privacy-conscious tracking technology called FLoC, and plans to block third-party cookies in 2023.

Cookie consent

In the European Union (EU), websites have to ask for your consent before they can set cookies, which has led to web users seeing a profusion of cookie popups. Some people argue that this has led to “cookie fatigue”, and that privacy has not been improved.

What happens if you decline to accept cookies varies from site to site, and can range from the site working perfectly to the site not working at all.

Will a VPN stop tracking cookies?

No. A Virtual Private Network (VPN) guards your privacy by masking your IP address and your location, and by passing your traffic through an encrypted tunnel that protects it from rogue WiFi hotspots, or ISPs that want to sell advertisers information about your browsing habits.

To block or rewrite cookies, a VPN would have to look at your web traffic as it passed through its servers. VPNs can’t read encrypted communication, like HTTPS, so cookie blocking would be impossible for most web traffic.

Even if it was possible, it would probably cause some websites to malfunction. And if that could be overcome, privacy-loving VPN users would probably rather their VPN provider stayed out of their traffic anyway.

The post What are computer cookies? appeared first on Malwarebytes Labs.