The Internet Is On Fire And The FCC Just Walked Away With The Extinguisher

It’s not often we see such a stark contrast between the urgent need for better security and the people in charge choosing to ignore it, yet here we are. In the same week that DoorDash was breached, Logitech customer data was compromised, and a 15.7 Tbps DDoS attack targeted Microsoft Azure, the FCC decided to rescind rules requiring telecoms to secure their networks.

If that’s confusing to you, well, it’s confusing to us, too. The usual semantics are at play in the FCC’s decision, so definitely check out the whole story, but the bottom line is that in a time where security is more important than ever, regulators charged with making sure tech companies actually care about it are less interested in doing so.

We’ve also seen how lax security at the platform or telecomm level can have real-world consequences. For example, DDoS attacks like the one that hit Azure this week (traced back to the Aisuru botnet, which targeted Cloudflare with a record-breaking 22 Tbps attack in September) or ransomware attacks can seem impossible to fight, but that’s not the case for people impacted by them. For example, we reported that a beloved community movie theater in Portland was hit with a ransomware attack this week, not because it was specifically targeted, but because ransomware attacks exploit any vulnerability they can find.

Meanwhile, have you updated Chrome recently? You should. Google has warned of a “high-severity bug” affecting the browser and has issued an immediate update. While there’s no evidence that the vulnerability has been exploited, it has been circulating on forums discussing how to do so. Therefore, it is recommended to protect yourself now and update. Also, if your passwords are as bad as the ones in this recent report, it’s time for you to get a password manager and fix that. Having a password like “12345” or “admin” is as bad as having no password at all.

Finally, AI-powered age verification is being introduced to the platforms and services you use, despite warnings from users and privacy experts against it. In our story, we spoke to representatives from Spotify and YouTube, two companies planning to use it, as well as privacy experts from the EFF and other companies (including Aylo, owners of Pornhub) who think users would be better served by using on-device age verification and content filtering instead.

Oh, and one last thing: one month left to grab your cut from the massive $177 million AT&T data breach settlement. So if you haven’t filed a claim, now’s the time.

Mac Users Warned About New Digitstealer Information Stealer

Security experts have been saying for years that Mac users should be just as concerned about malware as their Windows-using counterparts. It’s true that there isn’t as much malware targeted at macOS as there is for Windows, but Macs can inadvertently end up being carriers for Windows malware even if they don’t mean to be. Even worse, there is macOS-based malware, and when something new emerges, it can be more dangerous due to the lax mindset many Mac users have toward their security.

For example, as Malwarebytes reports, DigitStealer, a new infostealer targeting macOS, not only steals documents, keychain passwords, notes, crypto wallets, and other configuration files by uploading them to the attacker’s servers, but it also attempts to evade detection by antivirus tools, doesn’t write files to disk and simply works when it’s opened (it’s disguised as a system tune up app), and it only targets newer Macs running Apple’s latest silicon. As always, the best approach to protect yourself is to keep real-time antimalware software running on your Mac and to lock down your accounts with multi-factor authentication. That way, if your credentials are somehow compromised, an attacker can’t access your accounts without a security code or key.

Get Our Best Stories!

Stay Safe With the Latest Security News and Updates

SecurityWatch Newsletter Image

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters

One of the reasons we frequently sound the alarm about ransomware here at PCMag is that it’s a lucrative business, generating millions of dollars. It’s far more profitable for criminals to breach corporate networks and deploy ransomware, get a tidy payout from the company in the form of cryptocurrency, and then just vanish (sometimes actually delivering the decryption key, sometimes not) than it is to go after individuals (although plenty of criminals still do that, too). And when anything is a booming business, services appear promising to make business easier, as long as you give them a cut.

Enter Shinyspider, a new ransomware as a service (RaaS) provider by ShinyHunters, the same team behind some of the largest ransomware attacks in recent history. According to reporting by Bleeping Computer, a build of a RaaS client developed by the team surfaced after being uploaded to VirusTotal, and it appears impressively devious, even killing certain processes before acting and freeing up disk space so it can encrypt data without worrying about running out of storage first. It even deletes shadow volume copies to make it harder to restore data after an encryption event.

Recommended by Our Editors

I know that in cases like this, I shouldn’t say “you gotta hand it to ‘em,” but it is even more evidence that ransomware is emerging as the most significant organizational security threat of the moment, and it’s only going to get easier and more disruptive as tools like this are available to more people. Of course, we have tips to protect yourself against ransomware, which start with strong antivirus protection, but staying on top of this as a developing security threat isn’t a bad idea either.

Your Online Reservations Are Telling Restaurants All About You

When you use an app, like say, OpenTable, to make a reservation at a restaurant, you’re probably expecting to trade a little information, like your name, phone number, and maybe email address, for the promise of a table when you arrive at a specific time, right? What you may not expect is to also send that restaurant a detailed profile of your dining habits, like whether you prefer red or white wine, whether you’re a big spender or a conservative eater, or how long you like to linger after you’ve finished your meal. But according to reporting by The Verge, that’s exactly the kind of information they get when you use AI-powered reservation systems.

Now, there’s an argument that some of that information is ultimately helpful. It might be nice for a restaurant to know your dietary preferences before you arrive. In this case, because OpenTable (and other apps, to be fair) collects data from the restaurant after your meal, including everything from what you ordered, how much you spent, and how long you stayed, there’s money in making that data available to new restaurants you visit, and to encourage old restaurants to reach out to you to come back.

In some ways, I don’t think this is a big deal, but it is instructive. It seems innocuous enough at first, but that’s how we lose our privacy: we trade a little information for some convenience, and then suddenly all of your data is for sale, including information you might not want sold, and information that may be wrong or inaccurate (for example, getting tagged as a “big spender” just because you used a company card to expense a big client dinner doesn’t make sense if the next reservation you make is just you and your family.) Luckily, as The Verge notes, there is a form to opt out.