IT News


Brave browser will prevent websites from port scanning visitors

If you use the Brave browser, you’re shortly going to find you have a new string to your security bow. Beginning with version 1.54, Brave will by default block websites from port scanning your machine through requests to localhost.

Port scanning, I hear you cry? Yes indeed. You may well not have even been aware that sites do such a thing. You may expect some antics related to cookies and perhaps the occasional tracking beacon, but port scanning?

Who is doing this and why?

Well, let’s start at the beginning with a rundown of what port scanning actually is. Port scanning involves scanning a computer network for open ports, which can then be exploited by individuals up to no good to gain unauthorised access or gather information about potential system vulnerabilities. It’s worth noting that scanning is not by default a malicious activity. For example, an organisation’s IT team may do this to ensure everything is working as expected and close any potential gaps which may have been missed.

As Ars Technica notes, a 2021 list of sites compiled by a researcher makes it clear that many major sites are, or have been, involved in this practice. Brave claims that many popular browsers allow websites to “access local network resources without protection or restriction, which puts users’ privacy and security at risk.”

The issue Brave is tackling is one related to how browsers typically work. While you may think everything is being served up from the web, some aspects of what you see in a browser are being hosted by software on your computer. Browsers are allowed to access these resources, and, on top of that, some software has been built to be accessible to websites with no malicious intention behind it. From the Brave update website:

…a small but important amount of software has been built expecting to be freely accessible by websites, often in ways invisible to users. And many of these uses are benign. Examples include some wallets for cryptocurrencies, security software provided by banks or security companies, and hardware devices that use certain Web interfaces for configuration.

Now we come to the crunch. Lots of dubious software can use the access to localhost resources to get up to mischief. As Brave explains, fingerprinting scripts will try to figure out the combination of software running on your system. By doing so, someone now has a picture of you built up and can potentially track you across the web. They could also try to determine if you have some vulnerable products running on your device and then come back with an exploit.

From Brave version 1.54 onwards, this will no longer be possible by default. Brave already blocks scripts known to maliciously scan localhost resources and blocks requests from public sites to localhost resources. This is what the new version will do:

  • Requests to localhost resources, from a localhost context are allowed automatically; Brave does not block a locally hosted page from accessing other locally hosted resources.
  • Brave will continue to use filter list rules to block scripts and sites known to abuse localhost resources.
  • Brave will include a new permission called the “localhost” permission. Only sites with this permission will be able to make sub-resource requests to localhost resources. By default, no sites have this permission and, importantly, most sites have no way to prompt users for this permission. However, advanced users can use the existing site settings interface to grant sites this permission.
  • Brave will also include a list of trusted sites, or sites known to access localhost resources for user-benefiting reasons. The first time a site on this list initiates a sub-request to a localhost resource, it will trigger a permission prompt of the previously mentioned localhost permission. This list is publicly available, and will be maintained by Brave.
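To make the mechanism concrete, here is an added example (not Brave’s code, and not taken from any of the scanning sites mentioned) of the localhost probe a fingerprinting script performs. It is ordinary fetch() logic, so the probe function runs unchanged in a browser page and under Node’s built-in fetch (Node 18 or later); the Node demo at the bottom starts a throwaway HTTP server on an ephemeral port, releases a second ephemeral port so that it is closed, and probes both. The 25 ms “refused” threshold and the port-selection trick are assumptions for illustration.

```javascript
// Added example (not Brave's code): the kind of localhost probe a
// fingerprinting script runs against a visitor, written so the same function
// works in a browser page and under Node's built-in fetch (Node 18+).
//
// The discriminator is whether the request settles or fails fast: an open port
// completes the TCP handshake (in a browser the no-cors fetch resolves with an
// opaque response, or errors only after a protocol failure), while a closed
// port is refused within a few milliseconds. Brave 1.54 gates exactly these
// sub-resource requests to localhost behind its new "localhost" permission.

// Loopback connections are refused in well under this many ms; anything slower
// that still errors is treated as "open but not speaking HTTP". Heuristic.
const REFUSED_MS = 25;

async function probePort(port, timeoutMs) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  const init = { signal: ctrl.signal, cache: 'no-store' };
  // In a browser, a cross-origin fetch to 127.0.0.1 must be no-cors so that an
  // open port yields an (opaque) response instead of a CORS failure.
  if (typeof window !== 'undefined') init.mode = 'no-cors';
  const started = Date.now();
  try {
    await fetch(`http://127.0.0.1:${port}/`, init);
    return { port, open: true, ms: Date.now() - started, why: 'responded' };
  } catch (err) {
    const ms = Date.now() - started;
    if (ctrl.signal.aborted) return { port, open: false, ms, why: 'timeout' };
    // Node exposes the socket error; browsers hand back an opaque TypeError,
    // which is why real scanners fall back on timing.
    const refused = Boolean(err && err.cause && err.cause.code === 'ECONNREFUSED');
    const open = !refused && ms > REFUSED_MS;
    const why = refused ? 'refused' : open ? 'errored-slowly' : 'errored-fast';
    return { port, open, ms, why };
  } finally {
    clearTimeout(timer);
  }
}

// Probe several ports concurrently; returns one result object per port.
function probeLocalhostPorts(ports, timeoutMs = 1000) {
  return Promise.all(ports.map((p) => probePort(p, timeoutMs)));
}

// Offline demo for Node: start a throwaway HTTP server on one ephemeral port,
// obtain and release a second one so it is (almost certainly) closed, then
// probe both. Dynamic import keeps this working under CommonJS and ESM.
async function runDemo() {
  const http = await import('node:http');
  const listen = (srv) => new Promise((r) => srv.listen(0, '127.0.0.1', r));
  const close = (srv) => new Promise((r) => srv.close(r));

  const server = http.createServer((req, res) => {
    res.setHeader('Connection', 'close'); // let server.close() finish promptly
    res.end('ok');
  });
  await listen(server);
  const listeningPort = server.address().port;

  const tmp = http.createServer();
  await listen(tmp);
  const closedPort = tmp.address().port;
  await close(tmp);

  const results = await probeLocalhostPorts([listeningPort, closedPort], 500);
  if (typeof server.closeAllConnections === 'function') server.closeAllConnections();
  await close(server);
  return { listeningPort, closedPort, results };
}

if (typeof require !== 'undefined' && require.main === module) {
  runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Run it with node and the open port reports `responded` while the released port reports `refused`. Load the same probe from a public page in Brave 1.54 or later and, absent the localhost permission, every request is blocked and every port reads as closed, which is the whole point of the change; in a browser without such a restriction, the open port is visible to any site you visit.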

The thinking behind this is that abuse of localhost resources is more common than it being used for beneficial actions. The Brave developers also don’t want to waste users’ time with lots of popups asking permission to do things that they expect “will only cause harm”.

Brave mentions that only Safari currently does anything significant in this area, and that this is more of a “side-effect of security restrictions” than deliberate targeting. It remains to be seen whether other browsers will jump on the localhost resource blocking bandwagon, but it probably wouldn’t be a bad thing if they did.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Of sharks, surveillance, and spied-on emails: This is Section 702, with Matthew Guariglia

In the United States, when the police want to conduct a search on a suspected criminal, they must first obtain a search warrant. It is one of the foundational rights given to US persons under the Constitution, and a concept that has helped create the very idea of a right to privacy at home and online. 

But sometimes, individualized warrants are never issued, never asked for, never really needed, depending on which government agency is conducting the surveillance, and for what reason. Every year, countless emails, social media DMs, and likely mobile messages are swept up by the US National Security Agency, even if those communications involve a US person, without any significant warrant requirement. Those digital communications can be searched by the FBI. The information the FBI gleans from those searches can be used to prosecute Americans for crimes. And when the NSA or FBI make mistakes, which they do, there is little oversight. 

This is surveillance under a law and authority called Section 702 of the FISA Amendments Act. 

The law and the regime it has enabled are opaque. There are definitions for “collection” of digital communications, for “queries” and “batch queries,” rules for which government agency can ask for what type of intelligence, references to types of searches that were allegedly ended several years ago, “programs” that determine how the NSA grabs digital communications (by requesting them from companies or by directly tapping into the very cables that carry the Internet across the globe), and an entire secret court that has only rarely released its opinions to the public. 

Today, on the Lock and Code podcast, with host David Ruiz, we speak with Electronic Frontier Foundation Senior Policy Analyst Matthew Guariglia about what the NSA can grab online, whether its agents can read that information and who they can share it with, and how a database that was ostensibly created to monitor foreign intelligence operations became a tool for investigating Americans at home. 

As Guariglia explains:

“In the United States, if you collect any amount of data, eventually law enforcement will come for it, and this includes data that is collected by intelligence communities.”

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

“Free” Evil Dead Rise movie scam lurks in Amazon listings

Scammers are using a novel technique with Amazon listings to trick fans of Evil Dead into downloads they may not want, and expensive rolling payments they have no interest in. Evil Dead Rise, the breakout horror film of 2023, started with big cinema numbers and has moved on to a victory lap in streaming land for good measure. In fact, it’s doing so well that the original film from 1981 has crept into the charts too:

A good time to be a Deadite. Not so good if you’re unable to catch a legitimate stream or the movie isn’t out in your region yet. If you decide to pre-order it from Amazon, you’ll see something odd nestled in the physical media section which we’ve highlighted in red. Bizarrely, there’s a podcast claiming to offer up a free version of Evil Dead Rise via streaming.

Fake Evil Dead Rise download

The full movie, in podcast form? I know Amazon has some pretty impressive technology but I don’t think we’re at that level just yet. The full text reads as follows:

!Streaming Evil Dead Rise 2023 Movie Evil Dead Rise 2023 Movie Warner Evil Dead Rise 2023 Pictures! Are you looking to download or watch the new Evil Dead Rise 2023 online?

If you are looking for Watch Evil Dead Rise (2023) : Full Movie Online Free, Watch Evil Dead Rise Streaming Full Movie Online Free ||Prime.

Playing the audio clip reveals about 24 seconds of generic soft rock music, presumably only present because the “podcaster” has to upload something to create a listing. To even access the audio file, you’d need to open it via an Audible account or Amazon Music.

Fake Evil Dead Rise podcast

Clicking the link redirects you through several URLs before settling on what looks like it’s about to offer you a stream of the film.

Fake Evil Dead Rise Stream

Evil Dead Rise for download or streaming, with a “Subscribe to watch: $0.00” message underneath? You can add this to the “Too good to be true” pile.

No matter what you click, on a mobile device you may be offered a download. In testing, we saw a program claiming to offer all manner of media downloads:

Media downloader

In another test, we were directed to an odd payment page:

Mobile sign up

I say odd, because the URL contains the word “antivirus”, which would suggest you’re potentially signing up for a security service of some kind. Despite this, there’s no clear indication of what exactly is being paid for here. Is it a security product? Am I still trying to sign up to the supposedly “free” version of Evil Dead Rise? I don’t know, but the page says this at the top:

“This is a special offer for a limited period of 3 days which comes with a £13.00 welcome gift card to explore and buy products in one of our affiliates’ websites. By acquiring this membership you will be automatically enrolled in our affiliate membership services. The membership fee amount of £29.24 which will be automatically deducted every 14 days unless skipped or cancelled.”

That’s a lot of money to pay for who knows what!

Meanwhile, clicking the movie streaming link on a desktop redirects to a generic sign up page with no additional details with regard to terms and conditions or privacy policies. Sites like this typically have a rolling subscription fee mentioned somewhere in the T&Cs. There is simply no reasonable way to know what you’re signing up for here.

How to avoid bogus spam listings on Amazon

  • Watch where you pay. Your typical Amazon transactions should be taking place within the main Amazon site. If you’re buying an item, watch out if you are directed to go to another URL. If in doubt, check with Amazon customer support.
  • Beware of “empty” content. Ebooks and audio files which do little but ask you to go somewhere else to obtain something are almost certainly scams. A one page ebook saying “Go here”, or an audio file which is bereft of audio with hyperlinks going off-site should be treated with suspicion.

This is not the first time we’ve seen inventive uses of Amazon services to promote a scam. We’ve previously covered a range of spam ebooks on the Kindle store used to link to similar streaming services. In this case, we’ve reported the account uploading these podcasts to Amazon and users of Malwarebytes products will find they’re protected from the sites involved. Groovy.



Spyware app LetMeSpy hacked, tracked user data posted online

Stalkerware-type app LetMeSpy says it has been hacked, with the attacker taking user data with it.

From the message posted to the login screen on the LetMeSpy website:

On June 21, 2023, a security incident occurred involving obtaining unauthorized access to the data of website users.

As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts.

To be clear, much of the data that was stolen is the data from the phone which has the tracking app on it, which has likely been installed without the phone owner’s knowledge. That’s because LetMeSpy is often invisible to the phone’s owner. 

So as long as someone can get brief access to install an app on your Android phone, they can monitor you. Once the app is on your phone, you often can’t tell it’s there. In the background, however, it is uploading all your calls, texts, and location to the LetMeSpy servers, and those servers are what have now been hacked.

These sorts of apps have been used by people wanting to monitor their partner’s movements, along with parents and employers.

Polish site Niebezpiecznik first reported the breach. In the database file which was later dumped online, the blog said there were:

  • 26,000+ email addresses of the tool’s “operators” along with hashes of their passwords.
  • 16,000+ text messages, including passwords and codes for various services
  • Telephone numbers of people who had contacted the tracked phones
  • Telephone numbers of the people whom the tracked phone owner had called (along with the names associated with them in the contacts list)
  • Database dump in SQL format, containing more data, including locations

Adam Sanocki, spokesman for the Polish data protection authority UODO, confirmed to TechCrunch that it had received a breach notice from LetMeSpy. When a breach happens, the affected company should inform users that their data has been exposed. But the users of this service are the ones tracking people, and, sadly, it’s unlikely they’re going to tell the people they are spying on that their data has been taken.

How to prevent spyware and stalkerware-type apps

  • Set a screen lock on your phone and don’t let anyone else access it
  • Keep your phone up-to-date. Make sure you’re always on the latest version of your phone’s software.
  • Use an antivirus on your phone. Malwarebytes for Android shows you exactly what information you’re sharing with each app on Android, so you can keep an eye on your privacy. Malwarebytes detects the LetMeSpy app as Android/Monitor.LetMeSpy.

Coalition Against Stalkerware

Malwarebytes is a founding member of the Coalition Against Stalkerware. We continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.



New technique can defeat voice authentication “after only six tries”

Voice authentication is back in the news with another tale of how easy it might be to compromise. University of Waterloo scientists have discovered a technique which they claim can bypass voice authentication with “up to a 99% success rate after only six tries”. In fact this method is apparently so successful that it is said to evade spoofing countermeasures. 

Voice authentication is becoming increasingly popular for crucial services we make use of on a daily basis. It’s a particularly big deal for banking. The absolute last thing we want to see is easily crackable voice authentication, and yet that’s exactly what we have seen.

Back in February, reporter Joseph Cox was able to trick his bank’s voice recognition system with the aid of some recorded speech and a tool to synthesise his responses.

A user typically enrolls into a voice recognition system by repeating phrases, so the system at the other end gets a feel for how their voice sounds. As the Waterloo researchers put it:

When enrolling in voice authentication, you are asked to repeat a certain phrase in your own voice. The system then extracts a unique vocal signature (voiceprint) from this provided phrase and stores it on a server.

For future authentication attempts, you are asked to repeat a different phrase and the features extracted from it are compared to the voiceprint you have saved in the system to determine whether access should be granted.

This is where Cox and his synthesised vocals came into play: his bank’s system couldn’t distinguish between his real voice and a synthesised version of it. The response to this was an assortment of countermeasures that analyse the audio for artefacts which could signify the presence of a deepfake.

The Waterloo researchers have taken the game of cat and mouse a step further with their own counter-countermeasure, which removes the artefacts characteristic of deepfakes.

From the release:

The Waterloo researchers have developed a method that evades spoofing countermeasures and can fool most voice authentication systems within six attempts. They identified the markers in deepfake audio that betray it is computer-generated, and wrote a program that removes these markers, making it indistinguishable from authentic audio.

There are many ways to edit a slice of audio, and plenty of ways to see what lurks inside sound files using visualiser tools. Anything that wouldn’t normally be present can be traced, analysed, and altered or made to go away if needed.

As an example, loading up a spectrum analyser (which illustrates the audio signal as visible waves and patterns) may reveal images hidden inside the sound. Below you can see a hidden image represented by the orange and yellow blocks every time the audio file plays. While the research under discussion is only available behind a paywall, the techniques relied upon to find deepfake cues will likely work along much the same lines: there will be telltale synthetic markers in the sound files, and with those synthetic aspects removed, detection tools will potentially miss the edited audio because it looks (and, more importantly, sounds) like the real thing.

Audio analysis

It remains to be seen what organisations deploying voice authentication will make of this research. However, you can guarantee whatever they come up with will continue this game of cat and mouse for a long time to come.



A proxyjacking campaign is looking for vulnerable SSH servers

A researcher at Akamai has posted a blog about a worrying new trend—proxyjacking—where criminals sell your bandwidth to a third-party proxy service.

To understand how proxyjacking works, we’ll need to explain a few things.

There are several legitimate services that pay users to share their surplus Internet bandwidth, such as Peer2Profit and Honeygain. Participants install software that adds their systems to the service’s proxy network, and customers of the proxy service have their traffic routed through the participants’ systems.

The foundation of the proxyjacking problem lies in the fact that these services don’t check where the shared bandwidth is coming from. Peer2Profit and Honeygain claim to only share their proxies with theoretically vetted partners, but according to Akamai’s research they don’t check if the one offering the bandwidth is the actual owner.

Proxies and stolen bandwidth have always been popular among cybercriminals since they allow them to anonymize their traffic. What’s new about this campaign is that these same criminals are now “renting out” the bandwidth of compromised systems to make money instead of simply using them.

The researcher became aware of the campaign when they noticed an attacker establishing multiple SSH (Secure Shell) connections to one of their Cowrie honeypots. Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. It can be used to emulate a UNIX system in Python, or to function as an SSH and telnet proxy to observe attacker behavior to another system.

For the criminals, the beauty of the attack is that it is mostly fileless, and the files that are actually used, curl and the public Docker images for the proxy monetization services Peer2Profit and Honeygain, are legitimate and will not be detected by anti-malware solutions.

Proxyjacking is also a lot less likely to be detected than cryptojacking, since it requires only minimal CPU cycles and uses surplus Internet bandwidth. Interestingly, the researchers found that the compromised distribution server also contained a cryptomining utility, as well as many other exploits and common hacking tools.

Protection

Since these seemingly legitimate services can be used by criminals on both ends, both to anonymize their activities and to sell others’ resources, we would rather see them disappear altogether, but they should at least improve the verification of their customers and their participants.

Home users can protect themselves from proxyjacking by:

Corporate users can add:

  • Monitor network traffic for anomalies
  • Keep track of running containerized applications
  • Use key-based authentication for SSH instead of passwords

Akamai added:

“In this particular campaign, we saw the use of SSH to gain access to a server and install a Docker container, but past campaigns have exploited web vulnerabilities as well. If you check your local running Docker services and find any unwanted resource sharing on your system, you should investigate the intrusion, determine how the script was uploaded and run, and perform a thorough cleanup.”
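As an added example (not Akamai’s or Malwarebytes’ code), the following Node script performs the two checks recommended above: it lists running containers built from the proxy-monetization images the campaign deployed, and it reads sshd_config for the password-based SSH login that lets brute forcing succeed in the first place. The `docker ps` lines and sshd_config text are constructed samples; the image-name patterns and the `--live` collection path are assumptions, and the config parser stops at the first Match block rather than evaluating conditional directives.

```javascript
// Added example (not Akamai's or Malwarebytes' code): a small Node audit for
// the two checks the text recommends. (1) Flag running containers built from
// the proxy-monetization images this campaign used; (2) check sshd_config for
// the password-based SSH login the attackers brute-forced.

// Image names seen in the campaign. The page names the services, not the
// exact repositories, so these patterns are an assumption.
const PROXY_IMAGE_PATTERNS = [/peer2profit/i, /honeygain/i];

// Parse the output of `docker ps --format '{{json .}}'` (one object per line).
function parseDockerPs(text) {
  return text.split('\n').map((l) => l.trim()).filter(Boolean).map((l) => JSON.parse(l));
}

function flagProxyContainers(containers) {
  return containers
    .filter((c) => PROXY_IMAGE_PATTERNS.some((re) => re.test(c.Image || '')))
    .map((c) => ({ id: c.ID, name: c.Names, image: c.Image, status: c.Status }));
}

// sshd uses the first value it reads for each keyword; directives inside a
// Match block are conditional, so parsing stops there (a simplification).
function parseSshdConfig(text) {
  const seen = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [key, ...rest] = line.split(/\s+/);
    const k = key.toLowerCase();
    if (k === 'match') break;
    if (!(k in seen)) seen[k] = rest.join(' ');
  }
  return seen;
}

// Defaults follow sshd_config(5): PasswordAuthentication yes,
// PermitRootLogin prohibit-password, PubkeyAuthentication yes.
function auditSshdConfig(text) {
  const cfg = parseSshdConfig(text);
  const findings = [];
  const pw = (cfg.passwordauthentication || 'yes').toLowerCase();
  if (pw !== 'no') findings.push(`PasswordAuthentication is '${pw}': use key-based auth only`);
  const root = (cfg.permitrootlogin || 'prohibit-password').toLowerCase();
  if (root === 'yes') findings.push('PermitRootLogin yes: root password login allowed');
  const pubkey = (cfg.pubkeyauthentication || 'yes').toLowerCase();
  if (pubkey !== 'yes') findings.push('PubkeyAuthentication disabled');
  return findings;
}

function runAudit({ dockerPs, sshdConfig }) {
  return {
    proxyContainers: flagProxyContainers(parseDockerPs(dockerPs)),
    sshFindings: auditSshdConfig(sshdConfig),
  };
}

// Constructed sample input (not captured from a real host).
const SAMPLE_DOCKER_PS = [
  '{"ID":"3f1c2a9b8d7e","Image":"nginx:1.25","Names":"web","Status":"Up 3 days","Ports":"0.0.0.0:80->80/tcp"}',
  '{"ID":"9a8b7c6d5e4f","Image":"peer2profit/peer2profit_linux:latest","Names":"p2p","Status":"Up 2 hours","Ports":""}',
  '{"ID":"1122334455aa","Image":"honeygain/honeygain","Names":"hg","Status":"Up 2 hours","Ports":""}',
].join('\n');

const SAMPLE_SSHD_CONFIG = `
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
`;

// Optional live collection (assumed paths/commands; requires docker and root).
async function collectLive() {
  const { execSync } = await import('node:child_process');
  const { readFileSync } = await import('node:fs');
  return {
    dockerPs: execSync("docker ps --format '{{json .}}'", { encoding: 'utf8' }),
    sshdConfig: readFileSync('/etc/ssh/sshd_config', 'utf8'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const input = process.argv.includes('--live')
    ? collectLive()
    : Promise.resolve({ dockerPs: SAMPLE_DOCKER_PS, sshdConfig: SAMPLE_SSHD_CONFIG });
  input.then((i) => console.log(JSON.stringify(runAudit(i), null, 2)));
}
```

`node audit.js` prints the findings for the samples (two flagged containers, password and root login enabled); `node audit.js --live` runs the same checks against the local Docker daemon and /etc/ssh/sshd_config. A flagged container is the cue to follow Akamai’s advice above: treat it as an intrusion and find out how the image was pulled and started, rather than simply removing it.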


If you lack the time and resources for constant monitoring, Malwarebytes can offer Managed Detection and Response (MDR). Want to learn more about how we can help protect your business? Get in touch.


Online safety tips for LGBTQIA+ communities

The internet is great for bringing people together, helping you feel part of a community, and staying in touch with your nearest and dearest. But it can also be a nasty place, from malware to scammers to people just being plain awful to others. It’s probably not surprising to read that recent research by the Anti-Defamation League (ADL) showed LGBTQIA+ people were the marginalized group most harassed online, with 51% of transgender people and 47% of LGBQ+ people (compared with 33% of all Americans) reporting online harassment of some sort within the last 12 months.

So, while the tips below are good advice for anyone, the stats show it’s tougher online for LGBTQIA+ people, and that means it’s really important to do as many of them as you can. Think we missed anything? Let us know in the comments section.

1. Secure your online accounts

Avoid handing over your accounts to anyone who shouldn’t have access by getting the security basics right.

  • Use strong, unique passwords for every account
  • Consider a password manager to help you keep hold of all those passwords
  • Enable MFA wherever you can.

These three things do take a bit more time than if you didn’t do them, but they are the best way to keep your accounts secure.

2. Deal with cyberbullies

If someone is bullying you online, block and report them as soon as you can. Pretty much every platform will offer this function, so make sure you use it. Confide in a trusted friend or family member, especially if the bullying is having a significant impact on your mental health. And, if the bullying has reached criminal proportions, consider reporting it to the relevant authority in your region.

3. Be careful when meeting an online friend IRL

It would be all too easy to say “never meet anyone face to face that you met online,” but that’s not practical. However, there are some things you can do to stay as safe as possible.

Meet in a public place, and let a friend know who you are meeting and where. Then check in with them after you return home.

Make sure the person is who they say they are by doing a reverse image search of the person’s picture. If you see the same image posted next to someone else’s name, or even multiple people’s names, then you might well be talking to a scammer.

4. Stay safe on social

Don’t reveal personal information about you such as your address or date of birth which could be used by fraudsters, doxxers or stalkers. If you’re going away then leave that information off your social media until you return, so your home isn’t targeted.

It’s worth periodically checking your social media privacy settings too to make sure they’re at the level you are comfortable with.

5. Respect others’ privacy

Sure, you might want to show off your camo jumpsuit to your Instagram followers, but maybe the go-go dancer behind you doesn’t want their photo published online. If someone is in a photo that you want to put online, make sure you get explicit consent from them before posting.

6. Steer clear of hate

Finally, we all know there is a lot of nasty stuff going on online. It’s easy to get sucked into reading or interacting with others you disagree with, but that also might be detrimental to your mental health. The hate comes from within them, and it isn’t worth your energy to engage with them. If you know there’s a forum, comments section or somewhere else where you’re likely to encounter hate, avoid it. 



Top contenders in Endpoint Security revealed: G2 Summer 2023 results

Navigating the world of endpoint security is challenging, with numerous vendors stoking “Fear, Uncertainty, and Doubt” (FUD) and making bold claims that are difficult to verify. In times like these, the honest opinions of real users are invaluable for busy IT teams.

Enter G2, an industry-leading peer-to-peer review site. Each quarter, G2 releases reports highlighting the products with the highest customer satisfaction and strongest market presence.

In the G2 Summer 2023 Grid Reports, Malwarebytes earned 19 “Leader” badges across five endpoint security categories (Antivirus, EDR, Endpoint Management, Endpoint protection platforms, Endpoint protection suites). We also received awards for the #1 spot in Endpoint Protection and the Easiest Setup for EDR, among many others.

Let’s take a closer look at how organizations evaluated solutions and what they said about using Malwarebytes.

#1 Endpoint Protection: Highest Rated for Results, Relationship, and More

Malwarebytes Endpoint Protection (EP), the essential foundation of our EDR and MDR offerings, won dozens of awards based on receiving the highest customer satisfaction score across a range of areas, including “Best Results,” “Best Support,” “Most Implementable,” and more.

Dashboard for Nebula, the cloud-hosted security platform for EP and EDR


For example, Malwarebytes EP won the “Best Results” badge (highest overall Results score) by having the highest combination of estimated ROI, meets requirements, and likelihood to recommend scores. What some of our customers had to say:

“Malwarebytes is easy to install and configure. It integrates with Windows 10 and runs silently in the background. Infection rate of Malware has dropped dramatically. If I run across a machine that has Malware, installing it cleans it up almost 100% of the time.”

Chris S.

“Malwarebytes was able to detect and block a virus that our previous AV was not able to. Wish we had moved to this product sooner.”

Robert S.

“I consider myself faithful to this software because Malwarebytes has taken me out of problems that other antivirus programs have not been able to solve. It is not a very heavy software and can run in the background without even noticing it thanks to the updates.”

Verónica M.

Customers also praised Malwarebytes for its friendly staff and exceptional support, for which we won the “Best Relationship” badge by having the highest combination of “Likely to Recommend,” “Ease of business,” and “Quality of Support” ratings.

Here’s what some of our customers had to say:

“The support team started us off on the right track by getting us up and running in no time. Any questions I had before and after setup were answered quickly and thoroughly.”

Gary P.

“Highly recommended, and their support team is the best you can ask for!”

Rifaat K.

Easiest To Use EDR

Our EDR solution, paired with our Vulnerability and Patch Management (VPM) modules, delivers an impressive return on investment by quickly enhancing your organization’s security posture. Malwarebytes EDR is designed to be both efficient and cost-effective, allowing your team to see the benefits of your investment immediately.

By focusing on ease of use, quick implementation, and powerful security features without requiring an IT security army, Malwarebytes ensures that your organization is maximizing resources and receiving the best ROI in the industry.

Malwarebytes had the best estimated ROI (payback period in months) in the enterprise Endpoint Management category, which evaluates products that help users keep track of devices in a system and ensure their software is secure and up to date.

“The best part about Malwarebytes is the set it and forget it. It has saved us so much time on deployment and remediation that it pays for itself in no time at all.”

Ron M.

“It keeps our working environment much more secure than our previous solution. Much easier to manage in real time. This thing is a money saver and pays for itself.”

Tyson B.

Most Implementable EDR: Seamless Setup and User-Friendly Experience

On the Enterprise Implementation Index for Endpoint Detection & Response (EDR), Malwarebytes EDR clinched the #1 spot. With a seamless setup process, your team can spend more time focusing on what matters most: protecting your organization from cyber threats. Here’s how we won:

  • Malwarebytes EDR has an Implementation Score several points higher than the industry average.
  • Ease of Setup: Malwarebytes EDR scores several points higher than the industry average in ease of setup.
  • Average User Adoption: Malwarebytes EDR scores several points higher than the industry average in user adoption rate. 

“The Nebula console is one of the most user-friendly interfaces we’ve come across. We can’t recommend it enough.”

Justin N.

“Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so it’s win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.”

John K.

“If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.”

Mauro B.

“Very easy to install and deploy, setup, and configure – for instance – a 5 machine setup would take roughly ~10 mins from start to finish.”

Verified User

“Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings.”

Doug C.


Two options to easily begin deployment with your endpoint users in Nebula

Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense

Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation.

Try Malwarebytes EDR today and join the ranks of those who have already discovered the amazing results, support, ROI, and more of our exceptional endpoint security solutions.

UPGRADE TO ENTERPRISE-GRADE PROTECTION


Surveillance camera insecurities argument comes to one inevitable conclusion: Always update

Chinese-made surveillance cameras find themselves in a spot of controversy, after a BBC investigation uncovered flaws in devices during several brand tests.

Surveillance and webcam vulnerabilities are common, and we’ve covered them many times on our blog. What’s interesting about this story is that it’s being presented as some sort of potential threat to national security and infrastructure. From just one of the comments provided to the BBC:

“We’ve all seen the Italian Job in our youth, where you bring the whole of Turin to a halt through the traffic light system. Well, that might have been fiction then, it wouldn’t be now.”

All very dramatic, but we’ve yet to see The Italian Job play out in real life. Even so, devices manufactured by one firm, Hikvision, are used by many local councils across the UK. They’re also used to monitor Government buildings. If a device is vulnerable, it’s definitely worth trying to figure out the scale of the problem. With this in mind, what kind of numbers are we talking about?

According to the BBC, a large-scale freedom of information campaign set in motion by Big Brother Watch tried to find out. No fewer than 4,510 Freedom of Information requests were filed with various public bodies between August 2021 and January 2022. 1,289 responses came back, with 806 of those confirming the use of Hikvision cameras or Dahua cameras, another brand mentioned by the BBC. Of the 806, 227 local councils and 15 police forces use Hikvision, with 35 local councils making use of Dahua.

That’s certainly a lot of cameras. What risk was discovered?

The BBC asked experts to try to compromise a Hikvision camera under test conditions, though specifics are hard to come by. Is “a test network with no firewall and little protection” an accurate reflection of a local council or Government network? Is it fair to hold the manufacturer at fault for organisations not applying updates and patches dating back 6 years?

I ask this because the tests on the (six-year-old) camera found a vulnerability from 2017. The testers describe the flaw as “a back door that Hikvision built into its own products”, with somewhere in the region of 100,000 cameras online “still vulnerable” to this issue. That in turn means a lot of organisations actually are failing to update their devices.

Having compromised the camera and gained access to its video feed, the testers then checked whether they could access the Dahua cameras by forcing their way into the software controlling them. Once again they succeeded, and this time gained access to the camera’s microphone.

In both cases, the vendors said they had patched the vulnerability soon after the issue came to light. In fact, Hikvision released an open letter to those responsible for the investigation. It reads:

To claim that this stunt has uncovered a security breach or an intentional backdoor in June 2023 is farcical. It sensationalises a problem that was already fixed to universally recognised CVE standards. Furthermore, this test has not been conducted on a typical network, but rather an unsecured one. This test simply cannot be characterised as representative of ‘the cameras lining our streets today’, which would be much better defended than the camera in this so-called ‘test’ the BBC have run.

It goes on:

Hikvision’s conduct with regards to this vulnerability has followed all internationally accepted standards of best practice. When made aware of the vulnerability in March 2017, Hikvision patched it in less than one week. The vulnerability – and Hikvision’s patch – were subject to further scrutiny in the US with the then-Chairman of the US House of Representatives Small Business Committee noting in a public hearing that Hikvision’s work with the US Department of Homeland Security on this vulnerability meant that any continuing issues resulting from unpatched equipment would lie with ‘small businesses that do not engage with the government or the DHS regularly’.

Going further, the Deputy Assistant Secretary for the US Department of Homeland Security Office of Cybersecurity and Communications said they ‘worked with the company’ to resolve the problem and that ‘standard practice was followed’. 

All in all, this one is a bit of a mess and likely won’t be untangled soon. Whether your own devices are brand new or a few years old, they’ll typically prompt you to perform an update. Whether you think years-old devices should be taken offline for safety reasons, or that organisations are solely responsible for their own security, one thing is for certain: you can feel much more reassured that your own devices are safe by hitting that update button as soon as you possibly can.


Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Criminal secure messaging system takedown: 6500+ arrests and €900 million+ seized

In 2020, we reported on how law enforcement managed to compromise a secure communications system set up by and for criminals.

Now, Europol has published a progress report showing the enormous impact the infiltration of the encrypted communications tool EncroChat made.

EncroChat, a company based in the Netherlands, advertised its services as safer than safe, stating that no messages were saved on its servers, which were located “offshore.” However, Dutch law enforcement figured out the EncroChat servers were located in France and got to work, hoping to catch criminals in the act. And they did.

The EncroChat system was well organized and had gained a lot of trusting users over the years. Criminals felt secure enough to chat freely about everything: names of customers, drug deliveries, and even assassinations. And their trust was understandable, given what EncroChat promised to offer:

  • Phones were dual boot, so users could alternatively start the Android operating system and their phones would look like a normal, old-fashioned model
  • The phones had a “wipe all” button that would delete all the stored conversations in case of an arrest or other emergency
  • No messages were stored on servers so they could not be seized and decrypted later
  • The service used OTR, a cryptographic protocol that provides both authentication and end-to-end encryption for instant messaging. The protocol ensures that session keys will not be compromised even if the private key of the server is compromised, so even when a server is seized, the conversations cannot be decrypted or traced back to the participants

EncroChat users paid hefty fees for this service: thousands of dollars per year, per device. The exorbitant fees may explain why the majority of the EncroChat clientele could be found on the wrong side of the law. Other parties that might have a vested interest in keeping their chat messages secret include government parties, journalists, security professionals, or lawyers. However, there are cheaper, if somewhat less sophisticated, alternatives for legitimate secret-keeping that law enforcement does not target.

According to Europol, most EncroChat users were either members of organized crime groups or involved in drug trafficking. The rest engaged in money laundering, assassinations, and firearms trafficking.

EncroChat users divided by crime area, courtesy of Europol

Three years later the harvest of the operation stands at:

  • 6,558 suspects arrested, including 197 high-value targets
  • 7,134 years of imprisonment handed down to convicted criminals so far
  • EUR 739.7 million in cash seized
  • EUR 154.1 million frozen in assets or bank accounts
  • 30.5 million pills of chemical drugs seized
  • 103.5 tonnes of cocaine seized
  • 163.4 tonnes of cannabis seized
  • 3.3 tonnes of heroin seized
  • 971 vehicles seized
  • 271 estates or homes seized
  • 923 weapons seized, as well as 21,750 rounds of ammunition and 68 explosives
  • 83 boats and 40 planes seized

All this was possible thanks to the analysis of 115 million conversations between the roughly 60,000 users of the EncroChat platform.

Similar operations, such as the one against Sky ECC and the fake secure chat service called AN0M set up by the Federal Bureau of Investigation (FBI) and the Australian Federal Police (AFP), have shown that, despite being unable to break secure encryption, law enforcement agencies have found ways to eavesdrop on the criminals who feel safe using these services.


We don’t just report on encryption—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.