Trolls abuse Twitter Lists to collate their targets

I’ve been using Twitter for more than a decade. And one of its features that I find valuable is Lists. Turns out I’m not the only one.

Lists allow Twitter users to group profiles or feeds based on certain criteria, such as sports, tech news, celebrities, fashion—you get the idea. Having Lists makes it a lot easier to find content or catch up on posts I’d otherwise miss without having to scroll down through the seemingly bottomless frames of tweets. Those who follow thousands and don’t want to miss out can relate.

However, a recent report from CNBC details how the Lists feature is used by those with ill intent to collate a group of accounts—aka targets—they can follow, troll, harass, and bully.

This is nothing new. Twitter has been aware of such misuse for several years now, yet according to many users who found themselves or know someone else at the receiving end of abuse, the company has done little to help address this problem.


Read: Tackling the myths surrounding cyberbullying


Twitter stopped notifying users when they were added to a list two years ago. In a Twitter Safety tweet, the company revealed why they did this:

This was understood as “Getting notified about what lists you’re added to isn’t as important as who followed you or retweeted and replied to your tweet.” This may seem like a benevolent company move, but for those who deal with targeted social attacks daily, this was terrible news, as they no longer had the means to know who was targeting them. The community had been vocal about this, too:

After the loud rumblings, Twitter reversed the process two hours after its initial announcement. They tweeted:

Since then, Twitter has made and enforced measures in an attempt to curb or end cyberbullying on its platform, such as introducing better content and keyword filtering, making abuse reporting more transparent, collapsing “low quality and abusive tweets” to prevent them showing, upgrading the Mute feature, and temporarily restricting accounts when their algorithm deems they’ve been engaging in bullying behavior.


Read: When trolls come in a three-piece suit


According to those interviewed by CNBC, not much has changed to keep Twitter Lists safer. Twitter’s own Support page doesn’t have a guideline on how to remove oneself from a list. This is unhelpful for someone who is on multiple “hit lists.”

So third-party tools have been created to address this challenge. CNBC mentions Block Together, a web app “designed to reduce the burden of blocking when many accounts are attacking you, or when a few accounts are attacking many people in your community.” And then there’s Twitter Block Chain, a Chrome app that “blocks all users on a following/followers page.”

There are pros and cons to using automated blocking tools. Depending on how they work, it’s entirely possible to accidentally take a sledgehammer to a walnut. If a tool looks at followers and their networks, you can end up being blackballed because of a handful of bad follows. You may have muted (but not unfollowed) people long ago; they now contribute to your bad score. Bam! You’re potentially on “The Bad People” list forevermore. It’s somewhat inelegant, which can put people off.

News of the latest improvement on Twitter’s battle against cyberbullying came last April. In a blog post entitled “A healthier Twitter: Progress and more to do,” VP of Twitter Service Donald Hicks and Twitter Product Manager David Gasca revealed the numbers that spoke about their progress in addressing this issue, how they’re now taking proactive steps in flagging bullying and not just relying on reports—thus, unburdening the targets from reporting their bullies—and provided an overview of what Twitter users should expect in the future.

Bullying is never cool, and it will never bring about anything positive to either the bully or their targets. Personally, it’s great to see Twitter finally doing something to address the problem that has plagued the platform for years. Fingers crossed that these new measures could also address the misuse of Lists and restore them to whatever glory they may have once had.

The post Trolls abuse Twitter Lists to collate their targets appeared first on Malwarebytes Labs.

Adware and PUPs families add push notifications as an attack vector

Some existing families of potentially unwanted programs and adware have added browser push notifications to their weapons arsenal. Offering themselves up as browser extensions on Chrome and Firefox, these threats pose as useful plugins and then badger users with notifications.

A family of search hijackers

The first I would like to discuss is a large family of Chrome extensions that were already active as search hijackers, but have now added a notifications service from a provider hailing from a domain blocked for fraud by Malwarebytes. What that means is you can now expect browser notifications inviting you to come gamble at an online casino or advertisements selling you get-rich-quick schemes that use pictures of celebrities to gain your trust.

This family is detected under the PUP.Optional umbrella, meaning that Malwarebytes flags them for misconduct but recognizes they offer some kind of functionality and are upfront about the fact that they will change your search settings. The third part of Malwarebytes’ detection name usually refers to the name of the extension. So this one is called PUP.Optional.StreamAll.

permissions for the StreamAll extension

The extensions in this family are search hijackers—they redirect users to Yahoo! search results when searching from the address bar. The websites behind all the extensions in this family are presented in three different styles that are completely interchangeable:

version 1

Version 1 is a basic design kindly guiding you through the steps of installing the Chrome extension.

version 2

Version 2 shows a circle that fills with color until it reaches 100 percent and then tells you it is ready to install the extension.

version 3

Version 3 is a bit more “in your face” and lets you know you really shouldn’t miss out on this extension. It does come in a few slightly different color schemes.

The three websites posted above all lead to StreamAll, the same Chrome extension that I have used as an example for this family. In fact, they all redirect to this extension in Chrome’s web store at some point:

streamall in webstore
A stunning lot of users, which never ceases to amaze me.

Another thing the members of this family have in common is a “thank you” screen after installing one of their extensions, already busy pushing promotional deals. This one has a blue background but can also be fully white.

Thank you page

Their offer to receive notifications is made as soon as you reach one of their sites:

These prompts have also been added to member sites of this family that didn’t promote push notifications earlier on.

If you accept this offer you can find the resulting permission in the Settings menu > click on Advanced > under Privacy and Security > select Site settings > select Notifications.

The number of extensions in this family is rather large, but here is a list of removal guides I created for the most active ones at the moment of writing:

open tabs

By active I mean they are being heavily promoted by some of the popular ad-rotators. To achieve this, they are probably paying a pretty penny and you can be sure they want to make good on that—at your expense.

A Facebook spammer

The second threat family I want to discuss is into far more serious business. This family of Firefox extensions is detected by Malwarebytes as Trojan.FBSpammer.

These extensions can be found at sites that try to convince users they need a Flash player update.

notifications and flash update
Prompts and links everywhere. What to do first?

They also ask for permission to send you notifications and—just like StreamAll—they use a provider that is blocked by Malwarebytes for fraud. But in this case, annoying push notifications are the least of users’ worries. As our friends at BleepingComputer figured out, this extension checks users’ Facebook connection and, if the user is logged in, the extension will join some Facebook groups on their behalf and start spamming them.

The extension performs a check to see whether the user is connected to Facebook every two seconds.
The extension adds users to some Facebook groups if they are logged in.
Then it fetches a campaign and starts spamming those groups in the user’s name.
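Both families described above are recognisable from what their manifest declares before a single line of their code runs: a search-provider override for the hijackers, the notifications permission, and content scripts injected into facebook.com for the spammer. The Python triage script below is an added example written for this post, not Malwarebytes’ detection logic and not code from either extension family; the manifest it audits is constructed, and the extension name, search URL and script names in it are made up.

```python
"""Audit a WebExtension manifest.json for the traits described above.

Added example, not Malwarebytes' detection logic and not code from either
extension family. The sample manifest is constructed: the extension name,
search URL and script names are made up.
"""
import json
from typing import Dict, List, Set, Tuple

# API permissions that widen what an extension can do. None is proof of
# abuse on its own; each is a reason to look closer.
SENSITIVE_PERMISSIONS = {
    "notifications": "can push notifications to the desktop",
    "tabs": "can read the URL of every open tab",
    "webRequest": "can observe network requests",
    "webRequestBlocking": "can modify or block network requests",
    "cookies": "can read site cookies (session tokens)",
}

Finding = Tuple[str, str]  # (tag, human-readable detail)


def _is_broad_host(pattern: str) -> bool:
    """Match patterns that cover every site: '<all_urls>', '*://*/*', 'http://*/*'."""
    return pattern == "<all_urls>" or pattern.split("://", 1)[-1].startswith("*/")


def audit_manifest(manifest: Dict) -> List[Finding]:
    """Return (tag, detail) findings for one parsed manifest."""
    findings: List[Finding] = []
    # Search hijack: chrome_settings_overrides.search_provider replaces the
    # default search engine, which is how the first family redirects searches.
    overrides = manifest.get("chrome_settings_overrides", {})
    if "search_provider" in overrides:
        url = overrides["search_provider"].get("search_url", "?")
        findings.append(("search-hijack", f"default search replaced by {url}"))
    if "homepage" in overrides:
        findings.append(("homepage-override", f"homepage set to {overrides['homepage']}"))
    # Manifest V2 mixes API and host permissions; V3 splits off host_permissions.
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for p in perms:
        if p == "notifications":
            findings.append(("push-notifications", SENSITIVE_PERMISSIONS[p]))
        elif p in SENSITIVE_PERMISSIONS:
            findings.append(("sensitive-permission", f"{p}: {SENSITIVE_PERMISSIONS[p]}"))
        elif _is_broad_host(p):
            findings.append(("broad-host", f"host permission {p}"))
    # Content scripts run inside the user's logged-in session on the matched
    # sites; one scoped to facebook.com is what the Trojan.FBSpammer family needs.
    for cs in manifest.get("content_scripts", []):
        scripts = ",".join(cs.get("js", []))
        for m in cs.get("matches", []):
            if "facebook.com" in m:
                findings.append(("facebook-content-script", f"{scripts} runs on {m}"))
            elif _is_broad_host(m):
                findings.append(("broad-host", f"content script {scripts} runs on {m}"))
    return findings


def tags(manifest: Dict) -> Set[str]:
    """Just the finding tags, handy for a quick verdict or a rule engine."""
    return {tag for tag, _ in audit_manifest(manifest)}


def load_manifest(path: str) -> Dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample combining the traits of both families (made-up names/URLs).
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Example Stream Helper (constructed sample)",
  "version": "1.0",
  "permissions": ["notifications", "tabs", "*://*/*"],
  "chrome_settings_overrides": {
    "search_provider": {
      "name": "Example Search",
      "search_url": "https://search.example.invalid/?q={searchTerms}",
      "encoding": "UTF-8",
      "is_default": true
    }
  },
  "content_scripts": [
    {"matches": ["*://*.facebook.com/*"], "js": ["fb.js"], "run_at": "document_idle"}
  ]
}
""")

if __name__ == "__main__":
    import sys
    m = load_manifest(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for tag, detail in audit_manifest(m):
        print(f"[{tag}] {detail}")
```

Point it at an unpacked extension’s manifest.json (Chrome keeps them under the profile’s Extensions folder) and read the tags together: a search-provider override plus the notifications permission is the StreamAll pattern, while a Facebook-scoped content script combined with broad host access is the shape of the spammer. A single tag on a well-known extension is normal; the combination is what merits a closer look.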

Lesson learned

While browser push notifications can be annoying, they are easy to resolve, as I explained in detail in my blog Browser push notifications: a feature asking to be abused. But we have seen from the examples above that there are worse things.

Choose carefully which extensions you decide to install, as well as which programs you allow to send push notifications. The extensions in these cases are up to no good—especially the Trojan that will give your Facebook reputation a quick shove into the cellar. And if you have trouble determining which extensions are benign and which are taking advantage of users, you can always count on Malwarebytes to point you in the right direction.

Stay safe, everyone!

The post Adware and PUPs families add push notifications as an attack vector appeared first on Malwarebytes Labs.

MegaCortex continues trend of targeted ransomware attacks

MegaCortex is a relatively new ransomware family that continues the 2019 trend of threat actors developing ransomware specifically for targeted attacks on enterprises. While GandCrab apparently shut its doors, several other bespoke, artisanal ransomware families have taken its place, including RobinHood, which shut down the city of Baltimore, Troldesh, and CrySIS/Dharma.

Detected by Malwarebytes as Ransom.MegaCortex, MegaCortex saw a spike in business detections in late May and has since slowed down to a trickle, following a similar trend as its Troldesh and CrySIS forebears.

malwarebytes blocks Megacortex

Our anti-ransomware technology detected Ransom.MegaCortex even before definitions were added.

generic detection megacortex

Distribution

The methods of distribution for MegaCortex are still not completely clear, but there are indications that the ransomware is dropped on compromised computers by using Trojan downloaders. Once a corporate network has been compromised, the attackers try to gain access to a domain controller and spread across the entire network from there.

Suspected Trojans that might be responsible for the distribution of MegaCortex are Qakbot aka Qbot, Emotet, and Rietspoof. Rietspoof is a multi-stage malware that spreads through instant messaging programs.

Execution

Before the actual ransomware process starts, several tools and scripts are deployed to disable certain security processes and attempt to gain access to the domain controller so the ransomware can be distributed across the network.

Once the ransomware process is activated, it creates these files:

  • ********.log
  • ********.tsv
  • ********.dll

The ******** are eight random characters that are identical for the three files on the affected system. These names are also mentioned in the ransom note called !!!_READ_ME_!!!.txt.

The ransom note, the log file, and the tsv file are all located in the root drive. The dll, on the other hand, can be found in the %temp% folder.

The encrypted files are given the extension .aes128ctr. The encryption routine skips files with the extensions:

  • .aes128ctr
  • .bat
  • .cmd
  • .config
  • .dll
  • .exe
  • .lnk
  • .manifext
  • .mui
  • .olb
  • .ps1
  • .sys
  • .tlb
  • .tmp

The routine also skips the files:

  • desktop.ini
  • ********.tsv
  • ********.log

It also skips all the files and subfolders under %windir%, with the exception of %windir%\temp. In addition, MegaCortex deletes all the shadow copies on the affected system.
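The file names, extension and skip rules above are enough for a first-pass triage check on a suspect machine. The Python below is an added example, not Malwarebytes’ code and nothing recovered from the malware: it walks a directory tree looking for the ransom note, .aes128ctr files and the same-stem .log/.tsv pair in the root (plus the matching .dll in a temp folder when one is given), and implements the skip rules so a responder can tell which files the routine would have left untouched. The post does not say which characters make up the eight-character stem; alphanumeric is an assumption of this example, as is the constructed lab directory it builds for the demo.

```python
"""Triage a directory tree for the MegaCortex on-disk indicators described above.

Added example, not Malwarebytes' code. Indicators implemented: the ransom
note !!!_READ_ME_!!!.txt, files renamed with .aes128ctr, the same-stem
<8 chars>.log/.tsv pair in the root (and the matching .dll in a temp
folder), plus the skip rules so a responder knows which files were spared.
"""
import os
import re
import sys
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RANSOM_NOTE = "!!!_READ_ME_!!!.txt"
ENCRYPTED_EXT = ".aes128ctr"
# Extensions and names the encryption routine skips (lists from the post).
SKIPPED_EXTS = {".aes128ctr", ".bat", ".cmd", ".config", ".dll", ".exe", ".lnk",
                ".manifext", ".mui", ".olb", ".ps1", ".sys", ".tlb", ".tmp"}
SKIPPED_NAMES = {"desktop.ini"}
# Stem shared by the .log/.tsv/.dll trio: eight random characters. The post
# does not give the alphabet; alphanumeric is an assumption of this example.
ARTIFACT_STEM = re.compile(r"^[A-Za-z0-9]{8}$")
# Constructed stand-in for %windir% used by the demo and tests.
DEMO_WINDIR = os.path.join(tempfile.gettempdir(), "constructed_windows")


def _under(path: str, parent: str) -> bool:
    """True if path is parent or lies beneath it (case rules of the host OS)."""
    p = os.path.normcase(os.path.abspath(path))
    q = os.path.normcase(os.path.abspath(parent))
    return p == q or p.startswith(q + os.sep)


def would_be_skipped(path: str, windir: str) -> bool:
    """Apply the skip rules: True means the routine leaves this file alone."""
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    if name.lower() in SKIPPED_NAMES or ext.lower() in SKIPPED_EXTS:
        return True
    if ext.lower() in (".log", ".tsv") and ARTIFACT_STEM.match(stem):
        return True  # the malware's own log/tsv files
    # Everything under %windir% is skipped except %windir%\temp.
    return _under(path, windir) and not _under(path, os.path.join(windir, "temp"))


@dataclass
class ScanResult:
    ransom_notes: List[str] = field(default_factory=list)
    encrypted_files: List[str] = field(default_factory=list)
    artifact_stems: Dict[str, List[str]] = field(default_factory=dict)

    @property
    def infected(self) -> bool:
        return bool(self.ransom_notes or self.encrypted_files or self.artifact_stems)


def scan_tree(root: str, temp_dir: Optional[str] = None) -> ScanResult:
    """Walk root and collect the indicators; temp_dir is where the .dll would sit."""
    result = ScanResult()
    candidates: Dict[str, Dict[str, str]] = {}
    root = os.path.normpath(root)
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            stem, ext = os.path.splitext(fn)
            if fn == RANSOM_NOTE:
                result.ransom_notes.append(full)
            elif ext.lower() == ENCRYPTED_EXT:
                result.encrypted_files.append(full)
            elif (os.path.normpath(dirpath) == root and ext.lower() in (".log", ".tsv")
                  and ARTIFACT_STEM.match(stem)):
                candidates.setdefault(stem, {})[ext.lower()] = full
    if temp_dir and os.path.isdir(temp_dir):
        for fn in os.listdir(temp_dir):
            stem, ext = os.path.splitext(fn)
            if ext.lower() == ".dll" and stem in candidates:
                candidates[stem][".dll"] = os.path.join(temp_dir, fn)
    # A lone eight-character .log is common noise; require the .log/.tsv pair.
    for stem, files in candidates.items():
        if ".log" in files and ".tsv" in files:
            result.artifact_stems[stem] = sorted(files.values())
    return result


def build_constructed_lab() -> str:
    """Create a throwaway tree that mimics a hit system (every file is constructed)."""
    base = tempfile.mkdtemp(prefix="megacortex_lab_")
    os.makedirs(os.path.join(base, "docs"))
    os.makedirs(os.path.join(base, "temp"))
    for rel in (RANSOM_NOTE, "aB3dE6gH.log", "aB3dE6gH.tsv", "temp/aB3dE6gH.dll",
                "docs/report.docx" + ENCRYPTED_EXT, "docs/installer.exe", "docs/notes.txt"):
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write("constructed sample\n")
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_lab()
    res = scan_tree(target, os.path.join(target, "temp"))
    print("infected:", res.infected, "| encrypted:", len(res.encrypted_files),
          "| artifact sets:", res.artifact_stems)
```

Run it against a mounted image or a share root with the user’s %temp% as the second argument; on a real system the ransom note and the .log/.tsv pair are the fast confirmation, and the encrypted-file list gives the scope of what needs restoring from backup. The skip rules matter in the other direction: files under %windir% and with the listed extensions should still be intact, so finding them encrypted points at a different family or a later variant.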

After the encryption routine is complete, MegaCortex displays this rather theatrical ransom note, high on drama and low on grammatical correctness.

megacortex ransom note

Remarkable ransom note quotes

Some notable quotes from the ransom note:

  • “All of your computers have been corrupted with MegaCortex malware that has encrypted your files.” So the name MegaCortex comes from the threat actors themselves, as opposed to the security researchers who discovered it. (That is one way to help the industry to use a unified detection name.)
  • “It is critical that you don’t restart or shutdown your computer.” This implies that one of the seeds for the encryption routine will be made irretrievable if the computer gets rebooted.
  • “The software price will include a guarantee that your company will never be inconvenienced by us.” Is this a tell-tale sign about how much granular control the threat actors have over the malware attacks, or just another empty promise made by criminals?
  • “We can only show you the door. You’re the one who has to walk through it.” A reference to The Matrix or a failed fiction writer?

The ransom note also makes clear that the information necessary for the decryption routine is contained in the randomly named tsv file. So, if all the information except the private key is on the infected computer, does that mean there will be a free decryptor soon? That depends on many other factors, but if the cybercriminals used the same private key for each infection, there could be a possible escape on the horizon.

Undoubtedly it will take some reverse engineering to get definitive answers to these questions, but it certainly gives us some clues.

Countermeasures

Given that the exact infection vector is as yet unknown, it is hard to give specific protection advice for this ransomware family. But there are some countermeasures that always apply to ransomware attacks, and they might be useful to repeat here:

  • Scan emails with attachments. Suspicious mails with attachments should not reach the end user without being checked first.
  • User education. Users should be taught to refrain from downloading attachments sent to them via mail or instant messaging without close scrutiny.
  • Blacklisting. Most endpoints do not need to be able to run scripts. In those cases, you can blacklist wscript.exe and maybe other scripting options like PowerShell.
  • Update software and systems. Updating your systems and your software can plug up vulnerabilities and keep known exploits at bay.
  • Back up files. Reliable and easy-to-deploy backups can shorten the recovery time.

We are far from knowing everything there is to know about this ransomware, but as we discover new information, we will keep our blog readers updated. In the meantime, it is imperative for enterprises to employ best practices for protecting against all ransomware.

After all, we can only show you the door. You’re the one who has to walk through it.

Stay safe, everyone!

The post MegaCortex continues trend of targeted ransomware attacks appeared first on Malwarebytes Labs.

Maine governor signs ISP privacy bill

Less than one week after Maine Governor Janet Mills received one of the nation’s most privacy-protective state bills on her desk, she signed it into law. The move makes Maine the latest US state to implement its own online privacy protections.

The law, which will go into effect July 1, 2020, blocks Internet service providers (ISPs) from selling, sharing, or granting third parties access to their customers’ data unless explicitly given approval by those customers. With the changes, Maine residents now have an extra layer of protection for the emails, online chats, browser history, IP addresses, and geolocation data that is commonly collected and stored by companies like Verizon, Comcast, and Spectrum.

In signing the bill, Governor Mills said the people of Maine “value their privacy, online and off.”

“The Internet is a powerful tool, and as it becomes increasingly intertwined with our lives, it is appropriate to take steps to protect the personal information and privacy of Maine people,” said Governor Mills in a released statement. “With this common-sense law, Maine people can access the Internet with the knowledge and comfort that their personal information cannot be bought or sold by their ISPs without their express approval.”

The bill, titled “An Act to Protect the Privacy of Online Customer Information,” was introduced earlier this year by its sponsor, Democratic state Senator Shenna Bellows. It passed through the Maine Legislature’s Committee on Energy, Utilities, and Technology, and gained approval both in the House of Representatives and the Senate soon after. Given until June 11 to sign the bill into law, Governor Mills moved quickly, giving her signature on June 6.

As Maine’s lawmakers worked to review and slightly amend the bill (adding a start date to go into effect), it picked up notable supporters, including ACLU of Maine and GSI Inc., a local, small ISP in the state. In an opinion piece published in Bangor Daily News, GSI’s chief executive and chief operating officer voiced strong support for online privacy, saying that “if people can’t trust the Internet, then the value of the Internet is significantly lessened.”

The Maine State Chamber of Commerce opposed the bill, arguing that a new state standard could confuse Maine residents. The Chamber also said the bill was too weak because it did not extend its regulations to some of the Internet’s most noteworthy privacy threats—Silicon Valley companies, including Facebook and Google.

The ACLU of Maine and the Maine State Chamber of Commerce did not return requests for comment about the Governor’s signing.

Sen. Bellows, in the same statement referenced above, commended Maine’s forward action.

“Mainers need to be able to trust that the private data they send online won’t be sold or shared without their knowledge,” Sen. Shenna said. “This law makes Maine first and best in the nation in protecting consumer privacy online.”

The post Maine governor signs ISP privacy bill appeared first on Malwarebytes Labs.

Cybersecurity pros think the enemy is winning

There is a saying in security that the bad guys are always one step ahead of defense. Two new sets of research reveal that the constant cat-and-mouse game is wearing on security professionals, and many feel they are losing the war against cybercriminals.

The first figures are from the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG). The two polled cybersecurity professionals and found 94 percent of respondents believe that cyber adversaries have a big advantage over cyber defenders—and the balance of power is with the enemy. Most think that advantage will eventually pay off for criminals, as 91 percent believe that most organizations are extremely vulnerable, or somewhat vulnerable, to a significant cyberattack or data breach.

This mirrors Malwarebytes’ own recent research, in which 75 percent of surveyed security professionals admitted that they believe they could be breached in the next one to three years.

What’s behind this defeatist mindset?

In a blog post on the ESG/ISSA research, Jon Oltsik, principal analyst at ESG, says the lack of confidence exists in part because criminals are well organized, persistent, and have the time to fail and try a new strategy in order to infiltrate a network. Meanwhile, security managers are always busy and always trying to play catch up.

The skills shortage that is impacting the security field is compounding the sense of vulnerability among organizations. ESG found 53 percent of organizations report a problematic shortage of cybersecurity skills, and 63 percent of organizations continue to fall behind in providing an adequate level of training for their cybersecurity professionals.

“Organizations are looking at the cybersecurity skills crisis in the wrong way: It is a business, not a technical, issue,” said ISSA International President Candy Alexander in response to findings. “In an environment of a ‘seller’s market’ with 77 percent of cybersecurity professionals solicited at least once per month, the research shows in order to retain and grow cybersecurity professionals at all levels, business leaders need to get involved by building a culture of support for security and value the function.”

Where do we go from here?

An entirely new perspective on addressing risk mitigation is required to turn this mindset around. As Alexander notes, security is a business issue, and it needs attention at all levels of the organization.

But the research shows it doesn’t get the respect it deserves, as 23 percent of respondents said business managers don’t understand and/or support an appropriate level of cybersecurity. Business leaders need to send a clear message that cybersecurity is a top priority and invest in security tools and initiatives in turn to reflect this commitment.

This approach is well-supported by research. In fact, a recent report from Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC) finds top-performing security programs have one thing in common: They have the attention of executive and board leadership, which also means security is seen as a priority throughout the organization.

ESG/ISSA makes other recommendations for changing the thinking about security. They include:

CISO elevation: CISOs and other security executives also need an increased level of respect and should be expected to engage with executive management. Regular audience with the board is critical to getting security the visibility it requires organization-wide.

Practical professional development for security pros: While 93 percent of survey respondents agree that cybersecurity professionals must keep up with their skills, 66 percent claim that cybersecurity job demands often prevent them from taking part in skills development. Certifications, meanwhile, do not hold as much value on the job, with 57 percent noting many credentials are far more useful in getting a job than doing a job. The report suggests prioritizing practical skills development over certifications.

Develop security talent from within: Because the skills gap makes hiring talent more challenging, 41 percent of survey respondents said that their organization has had to recruit and train junior personnel rather than hire more experienced infosec professionals. Still, this is a creative way to deal with a dearth of qualified talent.

The report recommends designing an internal training program that will foster future talent and loyalty. It also suggests casting a wider net beyond IT, looking for transferable business skills and cross-career transitions, which will help expand the pool of talent.

While the overall picture appears as though security progress is slow in business, adjustments in approach and prioritization of security can go a long way in raising the program’s profile throughout the organization. With more time, attention, and respect given to security strategy and risk mitigation, defense in the future can be a step ahead instead of woefully behind the cybercriminal.

The post Cybersecurity pros think the enemy is winning appeared first on Malwarebytes Labs.

A week in security (June 3 – 9)

Last week on Malwarebytes Labs, we rounded up some leaks and breaches, reported about Magecart skimmers found on Amazon CloudFront CDN, proudly announced we were awarded Best Cybersecurity Vendor Blog at the annual EU Security Blogger Awards, discussed how Maine inches closer to shutting down ISP pay-for-privacy schemes, asked where our options to disable hyperlink auditing had gone, and presented video game portrayals of hacking: NITE Team 4.

Other cybersecurity news

  • At Infosecurity Europe, a security expert from Guardicore discussed a new cryptomining malware campaign called Nanshou, and why the cryptojacking threat is set to get worse. (Source: Threatpost)
  • A security breach at a third-party billing collections firm exposed the personal and financial data of as many as 7.7 million customers of medical testing giant LabCorp. (Source: CNET)
  • A researcher has created a module for the Metasploit penetration testing framework that exploits the critical BlueKeep vulnerability on vulnerable Windows XP, 7, and Server 2008 machines to achieve remote code execution. (Source: BleepingComputer)
  • Microsoft’s security researchers have issued a warning about an ongoing spam wave that is spreading emails carrying malicious RTF documents that infect users with malware without user interaction, once users open the RTF documents. (Source: ZDNet)
  • The Federal Trade Commission has issued two administrative complaints and proposed orders which prohibit businesses from using form contract terms that bar consumers from writing or posting negative reviews online. (Source: FTC.gov)
  • Security researchers have discovered a new botnet that has been attacking over 1.5 million Windows systems running a Remote Desktop Protocol (RDP) connection exposed to the Internet. (Source: ZDNet)
  • Microsoft has deleted a massive database of 10 million images which was being used to train facial recognition systems. The database is believed to have been used to train a system operated by police forces and the military. (Source: BBC News)
  • On Tuesday, the Government Accountability Office (GAO) said that the FBI’s Facial Recognition office can now search databases containing more than 641 million photos, including 21 state databases. (Source: NakedSecurity)
  • Despite sharing a common Chromium codebase, browser makers like Brave, Opera, and Vivaldi don’t have plans on crippling support for ad blocker extensions in their products—as Google is currently planning on doing within Chrome. (Source: ZDNet)
  • Traffic destined for some of Europe’s biggest mobile providers was misdirected in a roundabout path through the Chinese-government-controlled China Telecom on Thursday, in some cases for more than two hours. (Source: Ars Technica)

Stay safe, everyone!

The post A week in security (June 3 – 9) appeared first on Malwarebytes Labs.

Video game portrayals of hacking: NITE Team 4

Note: The developers of NITE Team 4 granted the blog author access to the game plus DLC content.

A little while ago, an online acquaintance of mine asked if a new video game based on hacking called NITE Team 4 was in any way realistic, or “doable” in terms of the types of hacking it portrayed (accounting for the necessary divergences from how things would work outside of a scripted, plot-goes-here environment).

The developers, AliceandSmith, generously gave me a key for the game, so I’ve spent the last month or so slowly working my way through the content. I’ve not completed it yet, but what I’ve explored is enough to feel confident in making several observations. This isn’t a review; I’m primarily interested in the question: “How realistic is this?”

What is it?

NITE Team 4 is an attempt at making a grounded game focused on a variety of hacking techniques—some of which researchers of various coloured hats may (or may not!) experience daily. It does this by allowing you full use of the so-called “Stinger OS,” their portrayal of a dedicated hacking system able to run queries and operate advanced hacking tools as you take the role of a computer expert in a government-driven secret organisation.

Is it like other hacking games?

Surprisingly, it isn’t. I’ve played a lot of hacking games through the years. They generally fall into two camps. The first are terrible mini-games jammed into unrelated titles that don’t have any resemblance to “hacking” in any way whatsoever. You know what I’m talking about: They’re the bits flagged as “worst part of the game” whenever you talk to a friend about any form of digital entertainment.

The second camp is the full-fledged hacking game, the type based entirely around some sort of stab at a hacking title. The quality is variable, but often they have a specific look and act a certain way.

Put simply, the developers usually emigrate to cyberpunk dystopia land and never come back. Every hacker cliché in the book is wheeled out, and as for the actual hacking content, it usually comes down to abstractions of what the developer assumes hacking might be like, rather than something that it actually resembles.

In other words: You’re not really hacking or doing something resembling hacking. It’s really just numbers replacing health bars. Your in-game computer is essentially just another role-playing character, only instead of a magic pool you have a “hacking strength meter” or something similar. Your modem is your stamina bar, your health bar is replaced by something to do with GPU strength, and so on.

They’re fun, but it’s a little samey after a while.

Meanwhile, in NITE Team 4: I compromised Wi-Fi enabled billboards to track the path of the potentially kidnapped owner of a mobile phone.

Tracking a car

I used government tools to figure out the connection between supposedly random individuals by cross referencing taxi records and payment stubs. I figured out which mobile phone a suspect owns by using nearby Wi-Fi points to build a picture of their daily routine.

Cracking Wi-Fi

I made use of misconfigured server settings to view ID cards belonging to multiple companies looking for an insider threat.

I performed a Man-in-the-Middle attack to sniff network traffic and made use of the Internet of Things to flag a high-level criminal suspect on a heatmap.

IoT compromise

If it sounds a little different, that’s because it is. We’re way beyond the old “Press H to Hack” here.

Logging on

Even the title screen forced me to weigh up some serious security choices: Do I allow the terminal to store my account username and password? Will there be in-game repercussions for this down the line? Or do I store my fictitious not-real video game login in a text file on my very-real desktop?

Title screen

All important decisions. (If you must know, I wrote the password on a post-it note. I figure if someone breaks in, I have more pressing concerns than a video game login. You’re not hacking my Gibson, fictitious nation state attackers).

Getting this show on the road

Your introduction to digital shenanigans isn’t for the faint of heart. As with many games of this nature, there’s a tutorial—and what a tutorial.

Spread across three sections covering basic terminal operations, digital forensics, and network intrusion, there are no fewer than 15 specific tutorials, and each of those contains multiple components.

I can’t think of any other hacking-themed game where, before I could even consider touching the first mission, I had to tackle:

Basic command line tools, basic and advanced OSINT (open source intelligence), mobile forensics, Wi-Fi compromise, social engineering via the art of phishing toolkits, MiTM (Man in the Middle), making use of exploit databases, and even a gamified version of the infamous NSA tool XKeyscore.

When you take part in a game tutorial that suggests users of Kali and Metasploit may be familiar with some aspects of the interface, or happily links to real-world examples of tools and incidents, you know you’re dealing with something that has a solid grounding in “how this stuff actually works.”

Tutorial intro

In fact, a large portion of my time was spent happily cycling through the tutorial sections and figuring out how to complete each mini objective. If you’d told me the entire game was those tutorials, I’d probably have been happy with that.

What play styles are available?

The game is fairly aligned to certain types of Red Team actions, primarily reconnaissance and enumeration. You could honestly just read an article such as this and have a good idea of how the game is expected to pan out. Now, a lot of other titles do this to some degree. What’s novel here is the variety of approaches on offer to the budding hacker.

There are several primary mission types. The first is the (so far) four-chapter-long main mission story, which seems to shape at least certain aspects based on choices made earlier on. This is where the most…Hollywood?…aspects of the story surrounding the hacking seem to reside. In fairness, they do assign a “real life” rating to each scenario, and most of them tend to err on the side of “probably not happening,” which is fair enough.

The second type of mission is the daily bounties, where various government agencies offer you rewards for hacking various systems or gathering intel on specific targets. I won’t lie: The interface has defeated me here, and I can’t figure out how to start one. It’s probably something incredibly obvious. They’ll probably make me turn in my hacker badge and hacker gun.

Last of all—and most interesting—are the real world scenarios. These roughly resemble the main missions, but with the added spice of having to leave the game to go fact finding. You may have to hunt around in Google, or look for clues scattered across the Internet by the game developers.

Each mission comes with a briefing document explaining what you have to do, and from there on in, it’s time to grab what information you can lying around online (for real) and pop your findings back into the game.

Manila documents

In keeping with the somewhat less Hollywood approach, the tasks and mission backgrounds are surprisingly serious and the monthly releases seem to follow “what if” stories about current events.

They deal with everything from infiltrating Emmanuel Macron’s files (topical!) to tackling methamphetamine shipments in South Korea, and helping to extract missing journalists investigating the internment of religious minorities in China. As I said…surprisingly serious.

Getting your gameface on

Most tasks begin by doing what you’d expect—poking around on the Internet for clues. When hackers want to compromise websites or servers, they often go Google Dorking. This is essentially hunting around in search engines for telltale signs of passwords, exposed databases, or other things a website or server should keep hidden but that the admin hasn’t been paying enough attention to.

The idea in NITE Team 4 is to rummage around for subdomains and other points of interest that should’ve been hidden from sight and then exploit them ruthlessly. Different combinations of search and different tools provided by Stinger OS produce different results.

Once you have half a dozen subdomains, then you begin to fingerprint each one and check for vulnerabilities. As is common throughout the game, you don’t get any sort of step-by-step walkthrough on how to break into servers for real. Many key tasks are missed out because it probably wouldn’t make for an interesting game, and frankly there’s already more than enough here to try and figure out while keeping it accessible to newcomers.

Should you find a vulnerable subdomain, it’s then time to run the custom-made vulnerability database provided by Stinger OS, and then fire up the compromise tool (possibly the most “gamey” part of the process) that involves dragging and dropping aspects of the described vulnerability into the hacking tool and breaking into the computer/server/mobile phone.

From there, the mission usually diverges into aspects of security not typically covered in games. If anything, the nuts and bolts terminal stuff is less of a focus than working out how to exploit the fictitious targets away from your Stinger terminal. It feels a lot more realistic to me as a result.

What else can you do?

Before long, you’ll be trying various combinations of data about targets, and their day-to-day life, in the game’s XKeyscore tool to figure out patterns and reveal more information.

XKeyscore

You’ll be using one of your VPNs to access a compromised network and use several techniques to crack a password. Maybe you won’t need to do that at all, because the target’s phone you just compromised has the password in plaintext in an SMS they sent their boss. What will you do if the password isn’t a password, but a clue to the password?

phone time

Once obtained, it might help reveal the location of a rogue business helping an insider threat hijack legitimate networks. How will you take them down? Will you try and break into their server? Could that be a trap? Perhaps you grabbed an email from the business card you downloaded. Is it worth firing up the phishing toolkit and trying to craft a boobytrapped email?

phish kit

Would they be more likely to fall for a Word document or a Flash file? Should the body text resemble an accounting missive, or would a legal threat be more effective?

I hear those IoT smart homes are somewhat vulnerable these days. Anyone for BBQ?

BBQ

…and so on.

I don’t want to give too much away, as it’s really worth discovering these things for yourself.

Hack the planet?

I mentioned earlier that I’d have been happy with just the tutorials to play around in. You’re not going to pop a shell or steal millions from a bank account by playing this game because ultimately it’s just that—a game. You’re dropped into specific scenarios, told to get from X to Y, and then you’re left to your own devices inside the hacker sandbox. If you genuinely want to try and tackle some of the basics of the trade, you should talk to security pros, ask for advice, go to conferences, take up a few courses, or try and grab the regular Humble Hacking Bundles.

Occasionally I got stuck and couldn’t figure out if I was doing something wrong, or the game was. Sometimes it expected you to input something as it presented it to you but didn’t mention you’d need to leave off the “/” at the end. Elsewhere, I was supposed to crack a password but despite following the instructions to the letter, it simply wouldn’t work—until it did.

Despite this, I don’t think I’ve played a game based on hacking with so many diverse aspects to it.

Bottom line: Is it realistic?

The various storyline scenarios are by necessity a little “out there.” You’re probably not going to see someone blowing up a house in Germany via remote controlled Hellfire missile strike anytime soon. But in terms of illustrating how many tools people working in this area use, how they use lateral thinking and clever connections to solve a puzzle and get something done, it’s fantastic. There are multiple aspects of this—particularly where dealing with OSINT, making connections, figuring out who did what and where are concerned—that I recognise.

While I was tying up this blog post, I discovered the developers are producing special versions of it for training. This doesn’t surprise me; I could imagine this has many applications, including making in-house custom security policy training a lot more fun and interesting for non-infosec employees.

Is this the best hacking game ever made? I couldn’t possibly say. Is it the most fleshed out? I would say so, and anyone looking for an occasionally tricky gamified introduction to digital jousting should give it a look. I’d have loved something like this when I was growing up, and if it helps encourage teenagers (or anyone else, for that matter) to look at security as a career option, then that can only be a bonus.

The post Video game portrayals of hacking: NITE Team 4 appeared first on Malwarebytes Labs.

Hyperlink auditing: where has my option to disable it gone?

There is a relatively old method that might be gaining traction to follow users around on the world wide web.

Most Internet users are aware of the fact that they are being tracked in several ways. (And awareness is a good start.) In a state of awareness, you can adjust your behavior accordingly, and if you feel it’s necessary, you can take countermeasures.

Which is why we want to bring the practice of link auditing to your attention: to make you aware of its existence, if you weren’t already. For those already in the know, you might be surprised to learn that browsers are taking away your option to disable hyperlink auditing.

What is hyperlink auditing?

Hyperlink auditing is a method for website builders to track which links on their site have been clicked on by visitors, and where these links point to. Hyperlink auditing is sometimes referred to as “pings.” This is because “ping” is the name of the link attribute hyperlink auditing uses to do the tracking.

From a technical perspective, hyperlink auditing is an HTML standard that allows the creation of special links that ping back to a specified URL when they are clicked on. These pings are done in the form of a POST request to the specified web page that can then examine the request headers to see what page the link was clicked on.

The syntax of this HTML5 feature is simple. A website builder enables hyperlink auditing on a link with:

<a href="{destination url}" ping="{url that receives the information}">

Under normal circumstances, the second URL will point to some kind of script that will sort and store the received information to help generate tracking and usage information for the site. This can be done on the same domain, but it can also point to another domain or IP where the data can be processed.

What’s the difference between this and normal tracking?

Some of you might argue that there are other ways to track where we go and what we click. And you would be right. But those other methods rely on JavaScript, and browser users can choose whether or not to allow scripts to run. Hyperlink auditing does not give users this choice. If the browser allows it, it will work.

Which browsers allow link auditing?

Almost every browser allows hyperlink tracking, but until now they offered an option to disable it. Now, however, major browsers are removing the option for their users to disallow hyperlink auditing.

As of press time, Chrome, Edge, Opera, and Safari already allow link auditing by default and offer no option to disable it. Firefox has plans to follow suit in the near future, which is surprising as Firefox is one of the few browsers that has it disabled by default. Firefox users can check the setting for hyperlink auditing under about:config > browser.send_pings.

How can I stop link auditing?

You can’t detect the presence of the “ping” attribute by hovering over a link, so you would have to examine the code of the site to check whether a link has that attribute or not. Or, for more novice users, there are some dedicated browser extensions that block link auditing. For Chrome users, there is an extension called Ping Blocker available in the webstore.
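Since hovering never reveals a ping attribute, the check has to be done on the page source. The following is an added example (not from the original post): a small scanner that lists every link carrying a ping attribute, resolves the collector URLs, and flags the ones that report to a host other than the page's own. The sample page, hostnames and function names are constructed for illustration.

```python
"""Find hyperlink-auditing `ping` attributes in a page's HTML.

Added example, not part of the original post. The sample page, the
hostnames and the helper names are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PingLinkFinder(HTMLParser):
    """Collect every <a> or <area> start tag that carries a ping attribute."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attrs = dict(attrs)
        ping = attrs.get("ping")
        if not ping:
            return
        # ping is a set of space-separated URLs, so one click can notify
        # several collectors at once; resolve each against the page URL.
        targets = [urljoin(self.page_url, t) for t in ping.split()]
        self.found.append({
            "href": urljoin(self.page_url, attrs.get("href") or ""),
            "pings": targets,
            # Collectors on another host are the cross-site tracking case.
            "third_party": [t for t in targets
                            if urlsplit(t).hostname != self.page_host],
        })


def find_ping_links(html, page_url):
    """Return a list of dicts describing each pinging link in `html`."""
    parser = PingLinkFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.found


# Constructed sample page: a same-origin ping, a multi-target ping that
# also reports to a third-party host, and an ordinary link with no ping.
SAMPLE_PAGE = """
<a href="/pricing" ping="/log/click">Pricing</a>
<a href="https://partner.example/deal"
   ping="/log/click https://tracker.example/p">Partner deal</a>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    for hit in find_ping_links(SAMPLE_PAGE, "https://shop.example/home"):
        flag = "THIRD-PARTY" if hit["third_party"] else "same-origin"
        print(f"{hit['href']} -> {hit['pings']} [{flag}]")
```

Point it at the saved source of any page (for example the test file described further down) to see where its clicks are reported.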

Or you can resort to using a browser that is more privacy focused.

Please read: How to tighten security and increase privacy on your browser

Test if your browser allows hyperlink auditing

The link I posted below is harmless and pings the test IP that we have created especially to check whether the Malwarebytes web protection module is working without actually sending you to a malicious site. So this test will show a warning prompt if the following conditions are met:

  • Malwarebytes Web Protection module is enabled
  • You are allowing Malwarebytes notifications (Settings > Notifications)
  • Your browser allows link auditing

Create a text file with the code posted below in it and save it as an HTML file. Right-click the HTML file and choose to open it with the browser you want to test. If the browser allows link auditing, then you should see the warning shown below when you click this link:

<a href="https://blog.malwarebytes.com" ping="https://iptest.malwarebytes.com">The ping in this link will be blocked by MBAM</a>
iptest.malwarebytes.com is a test for Malwarebytes webprotection module

Malwarebytes and hyperlink auditing

As demonstrated above, Malwarebytes will protect you if either one of the URLs in a link leads to a known malicious domain or IP. There are no immediate plans to integrate anti-ping functionality in our browser extensions, but it is under consideration. Should the need arise for this functionality to be integrated in any of our products, we will lend a listening ear to our customers.

Abuse of hyperlink auditing

Hyperlink auditing has reportedly been used in a DDoS attack. The attack involved users that visited a crafted web page with two external JavaScript files. One of these included an array containing URLs: the targets of the DDoS attack. The second JavaScript randomly selected a URL from the array, created the <a> tag with a ping attribute, and programmatically clicked the link every second.

Skimmers could use hyperlink auditing if they figure out how to send form field information to a site under their control. If they were able to plant a script on a site, as they usually do, but in this case use it to “ping” the data to their own site, that would be a method that is hard for visitors of the site to block or notice.

Countermeasures

At the moment, there doesn’t seem to be an urgent need to block hyperlink auditing for the average Internet user. The only real problem here is that it takes third-party software to disable hyperlink auditing when browsers should be offering us that option in their settings. For the more careful Internet users who had disabled hyperlink auditing earlier, it is recommended to check whether that setting is still effective in the browser. The option could be removed after any update, and you could have missed that this happened.

Stay safe everyone!

The post Hyperlink auditing: where has my option to disable it gone? appeared first on Malwarebytes Labs.

Malwarebytes Labs wins best cybersecurity vendor blog at InfoSec’s European Security Blogger Awards

Infosec Europe is now well underway, and last night was the annual EU Security Blogger Awards, where InfoSecurity Magazine:

…recognise[s] the best blogs in the industry as first nominated by peers and then judged by a panel of (mostly) respected industry experts.

Malwarebytes Labs was announced as winner of the Best Cybersecurity Vendor Blog. We previously won best corporate security blog in 2015 and 2016, and we were delighted to see we had several other nominations this year:

  • Best commercial Twitter account (@Malwarebytes)
  • Most educational blog for user awareness
  • Security hall of fame (for our own Jérôme Segura)
  • Grand Prix for best overall blog

It’s excellent to be recognised alongside such legendary security pros as Graham Cluley, Mikko Hyppönen, and Troy Hunt, as well as fellow security companies Tripwire, Sophos, Bitdefender, and many others. Without further ado, let’s see who won in the various categories.

The n00bs: Best new cybersecurity podcast

WINNER: Darknet Diaries

The n00bs: Best new/up and coming blog

WINNER: The Many Hats Club

The corporates: Best cybersecurity vendor blog

WINNER: Malwarebytes

The corporates: Best commercial Twitter account

WINNER: NCSC

Best cybersecurity podcast

WINNER: Smashing Security

Best cybersecurity video or cybersecurity video blog

WINNER: Jenny Radcliffe

Best personal (non-commercial) security blog

WINNER: 5w0rdFish

Most educational blog for user awareness

WINNER: NCSC

Most entertaining blog

WINNER: J4VV4D

Best technical blog

WINNER: Kevin Beaumont

Best Tweeter

WINNER: Quentynblog

Best Instagrammer

WINNER: Lausecurity

The legends of cybersecurity: hall of fame

WINNER: Troy Hunt

Grand Prix for best overall security blog

WINNER: Graham Cluley

Thank you!

We did indeed win an award thanks to your votes, and we can now set our Best Cybersecurity Vendor Blog trophy next to our two awards for Best Corporate Blog. We’ll continue to provide our readers with breaking news, in-depth research, educational guides on best practices, conference coverage, and much, much more.

We appreciate your votes, especially when there are so many excellent blogs out there, and we hope you might even find a few more valuable sources of information from the links above.

Congratulations to the winners, commiserations to everyone else, a hat-tip to the organisers, and a final round of applause to our readers. We couldn’t have done it without you.

The post Malwarebytes Labs wins best cybersecurity vendor blog at InfoSec’s European Security Blogger Awards appeared first on Malwarebytes Labs.