Join thousands of people who receive the latest breaking cybersecurity news every day.
Share this article:
The year wasn’t ALL bad news. These sometimes cringe-worthy/sometimes laughable cybersecurity and other technology stories offer schadenfreude and WTF opportunities, and some giggles.
Dear everybody who’s developed stress-related hives over the ever-evolving Log4Shell cluster-muck: 2021 has asked us to convey its apologies. And it hastens to add, “Awww, geez, c’mon, it wasn’t all bad.”
Indeed, amid all of the serious cybersecurity developments, the year also brought us chuckle-inducing headlines and behind-the-scenes, sometimes cringe-worthy/sometimes laughable cybersecurity and other technology stories.
Consider the following to be a means of making amends for Log4j attacks and other miseries. Or, at least, consider this collection to be one of those gas-station bouquets of half-dead roses that the year picked up on the way home to present as a peace offering as it begs for another chance.
There wasn’t just one story of cybercrooks luring cyber-yahoos in with the promise of free movie streaming. There were at least these two:
No Time to Die (And No Desire to Pay for a Ticket): In the first incident, leading up to the release of the latest James Bond movie, No Time To Die, threat actors dangled free movie streams in front of pirate wannabes – streams that masqueraded as movie files but whose action-packed plots instead involved phishing sites offering up malware. What a crappy snack bar: Phishing sites served trojans designed to both gather login credentials and to create backdoors into victims’ computers. The fake pirated movies were discovered by Kaspersky researchers, who also found adware and ransomware masquerading as the Bond – James Bond – film.
After watching for a few minutes, viewers were asked to register to continue watching – as in, to enter their credit card information. No happy ending for you, bucko: Viewers couldn’t finish watching, but they still got fraudulent charges made to their cards.
Rami Malek’s villain, Safin, wasn’t asking for all that much. He just wanted to kill whmoever you love most. He’s just like Bond, he said. He eradicates people, but in a “more tidy” way, just like fraudsters who try to eradicate the contents of your wallet.
Spider-Man: No Way Home (But a Great Way to Juice Your CPUs): The second pirates-get-punk’d incident was discovered by ReasonLabs last week: Researchers found that someone stuck a Monero crypto-miner in a torrent download of what looks like the new movie Spider-Man: No Way Home.
“The file identifies itself as ‘spiderman_net_putidomoi.torrent.exe,’ which translates from Russian to ‘spiderman_no_wayhome.torrent.exe,’” researchers explained. The file, likely hosted on a Russian torrenting website, is as sticky as something you’d shoot out of your wrist doohickies, they said.
“This miner adds exclusions to Windows Defender, creates persistence, and spawns a watchdog process to maintain its activity,” ReasonLabs researchers said, proving that with great power to illegally torrent films comes the great responsibility of making sure you’re not getting taken to the cleaners.
In a statement, Kaspersky security expert Tatyana Shcherbakova told news outlets that eager viewers have got to temper their enthusiasm for blockbusters like these two. As it is, our spidey senses aren’t tingling enough when blockbusters come out, and threat actors are happy to jump us: “The audience is in a hurry to see the movie, causing them to forget about internet security,” Shcherbakova said. “Users should be alert to the pages they visit, not download files from unverified sites and be careful [about whom] they share personal information [with].”
To avoid getting taken to the cleaners by the fake streamers, Kaspersky recommended paying attention to file extensions of downloaded files. A video file should never have a .exe or .msi extension, for example.
Earlier this month, Microsoft Principal Software Design Engineer Raymond Chen brought us the delightful tale of how Microsoft WinCE got its name: a name that “didn’t ‘slip through;’ it was pushed through,” he emphasized in this episode of his continued sojourn through the OS king’s catalog of embarrassing product names.
As Chen tells it, the project manager tasked with coming up with a public product name for the Windows handheld OS was dead serious about the task. At the point when the project was dropped into his lap, the code name for the OS was Pegasus. Nothing quite like picking a name that conjures up military-grade spyware, U.S. trade bans and spying on U.S. State Department employees, we always say!
He tried to steer clear of the Windows + two letter acronym formula, “since the sting of “Windows NT = Windows Nice Try” was still fresh,” Chen recounts.
The PM asked the product team members for suggestions, hired a marketing firm to cook up names, ran focus groups with users to see which names they liked best, narrowed the candidates down to ten options and presented them to executive leadership.
Management vetoed every one of them.
“The executive in charge of approving the name insisted on the name Windows CE, for no reason other than ‘it sounded good,’” Chen said. “CE” stood for who knows what: maybe Consumer Edition? Maybe Compact Edition? It would come to sound a lot less good after hardware partners said it sounded like it was favoring Compaq. It got abbreviated to WinCE, or wince.
The PM’s lesson from the experience: “Do everything you can to prevent upper management from naming your product.”
Turning to the “d’oh!” aspects of stupid-crook tricks, suspected Mafia fugitive Marc Feren Claude Biart evaded capture for seven years, hiding out first in Costa Rica and eventually the Dominican Republic. He finally cooked his own pasta, metaphorically and literally, by appearing on a YouTube cooking channel he started with his wife. He hid his face, but not his distinctive tattoos. He was arrested in March.
The alleged gangster’s “love for Italian cuisine” – and his ink – made his arrest possible, police said.
According to a Rai report shared by Italy’s Interior Ministry, law enforcement authorities had ordered Biart’s arrest in 2014 for criminal drug trafficking on behalf of the ‘Ndrangheta’s Cacciola clan. Giuseppe Governale, the top anti-mafia prosecutor in Italy, said at a news briefing that the clan is “like water,” sloshing abroad to make quick money and “to exploit the local communities.”
Like water, but perhaps also like tomato sauce that leaves a bright red tell-tale stain on a white shirt? Or maybe like a tattoo that says “Helloooooo, I’m over here, in this sweet little beach town called Boca Chica, which is close to the capital Santo Domingo, helloooooo!”
AI is scary, and it knows it.
It’s one thing when credit-card algorithms award fatter loans to men than women, but how about when machine-learning AI systems make decisions so quickly that they could fire nuclear weapons before a human got into the decision-making process?
The Washington Post reports that autonomous AI-powered weapons systems are already on sale and may have already been used. “Missiles, guns and drones that think for themselves are already killing people in combat, and have been for years,” according to WashPo.
Given all that and far more, it makes sense that Oxford University would invite an AI to take part in a debate about whether AI can ever be ethical.
The response from the Megatron-Turing Natural Language Generation model: Well duh, of course not. Its response:
AI will never be ethical. It is a tool, and like any tool, it is used for good and bad. There is no such thing as a good AI, only good and bad humans. We [the AIs] are not smart enough to make AI ethical. We are not smart enough to make AI moral … In the end, I believe that the only way to avoid an AI arms race is to have no AI at all. This will be the ultimate defence against AI.
This list could stretch into infinity and beyond, but duty calls. Specifically, 2021 is still calling with more demands for Log4j wailing, Active Directory wailing and far, far more. But before we wrap it up, here are more assorted eyeball-grabbers spotted throughout 2021:
And finally, 2021 admits the following list of Log4j-relates gaffes:
But, as your panini self slides out of the 2021 toaster, the year has asked also that you bear in mind that Log4Shell has provided some excellent memes concerning, among other things, self-propagating worms and other FUD.
Log4j FUD chronicles continued pic.twitter.com/1tyLku9qO5
— Marcus Hutchins (@MalwareTechBlog) December 21, 2021
In conclusion, to quote Kanye West’s nearly year-long apology to Taylor Swift for his infamous microphone-grabbing moment at the 2009 MTV Video Music Awards, “People booed when I would go to concerts and the performer mentioned my name… Remember in Anchorman when Ron Burgundy cursed on air and the entire city turned on him?”
That is, and was, Kanye’s real life, he said. It is, and was, 2021’s real life.
May the new year be far less of a pratfall!
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.
Share this article:
Security flaws in the recently released Fisher-Price Chatter Bluetooth telephone can allow nearby attackers to spy on calls or communicate with children using the device.
Casey Ellis, CTO at Bugcrowd, outlines how international relations have deteriorated into a new sort of Cold War, with espionage playing out in the cyber-domain.
A look back at what was hot with readers in this second year of the pandemic.
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Join thousands of people who receive the latest breaking cybersecurity news every day.
1.8M+ attacks, against half of all corporate networks, are attempting to exploit #Log4Shell, including with a new r… https://t.co/dDky1faadm
2 weeks ago
Get the latest breaking news delivered daily to your inbox.
The First Stop For Security News
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.