With people practicing social distancing during the coronavirus pandemic Google’s latest effort to boost video-conference capabilities brings group calling on its Duo app to the web.  Duo, which launched in 2016, was originally only for mobile platforms. The company last year added support for one-to-one calls on the web, but soon Google will roll out group […] More

Facebook said on Wednesday it tightened restrictions and booted off its service a number of groups related to the QAnon conspiracy theory, United States militia groups, and offline anarchist groups.
“We already remove content calling for or advocating violence and we ban organisations and individuals that proclaim a violent mission,” Facebook said in a blog post.
“However, we have seen growing movements that, while not directly organising violence, have celebrated violent acts, shown that they have weapons and suggest they will use them, or have individual followers with patterns of violent behaviour.”
Facebook said it has removed in excess of 790 groups, 100 pages, and 1,500 ads relating to QAnon, and imposed restrictions on over 1,950 groups, 440 pages, and over 10,000 Instagram accounts.
The company added it has removed 980 groups, 520 pages, and 160 from Facebook related to “militia organisations and those encouraging riots, including some who may identify as antifa”.
The types of restrictions imposed are: Limiting pages, groups, and Instagram accounts from being recommended to other users; lowering rankings of content from restricted groups in the Facebook news feed; removing groups, pages, and accounts from being seen in typeahead search suggestions, and lowering the rankings in search results; preventing pages from running ads or selling products, with Facebook warning it will extend this to “prohibit anyone from running ads praising, supporting or representing these movements”; and preventing nonprofit and personal fundraising if they support the restricted groups.
“While we will allow people to post content that supports these movements and groups, so long as they do not otherwise violate our content policies, we will restrict their ability to organise on our platform,” the company said.
See also: Facebook comments manifest into real world as neo-luddites torch 5G towers
Facebook said it has also pulled the related hashtag feature on Instagram while it works on “stronger protections”.
In a White House briefing on Wednesday, US President Donald Trump was asked his thoughts on QAnon.
“I’ve heard these are people that love our country,” he said.
The President was then asked about the conspiracy theory behind the movement believing the world is run by a “satanic cult of paedophiles and cannibals”.
“Well, I haven’t heard that. But is that supposed to be a bad thing or a good thing? I mean, if I can help save the world from problems, I’m willing to do it,” Trump said.
“I’m willing to put myself out there. And we are actually. We’re saving the world from a radical left philosophy that will destroy this country, and when this country is gone, the rest of the world would follow.”
At the start of the month, Facebook pulled down a video posted by Trump’s Facebook page, stating it had violated its COVID-19 misinformation policies.
The video showed footage from a Fox News interview, where Trump was pushing for the reopening of schools. During the interview, he said children are “virtually immune” to coronavirus.
“If you look at children, children are almost — and I would almost say definitely — but almost immune from this disease. So few — they’ve got stronger, hard to believe, and I don’t know how you feel about it, but they’ve got much stronger immune systems than we do somehow for this,” he said.
“They just don’t have a problem.”
Earlier this week, a suit was filed in San Francisco claiming censorship because Facebook was displaying fact-check messages on anti-vaccination posts.
Facebook had previously taken a swing at banning some QAnon content in May, with Twitter following suit last month.
Related Coverage More

Image: ZDNet, WordPress
Pirated (aka nulled) themes and plugins were the most common source of malware infections on WordPress sites in 2020, according to Wordfence, a provider of website application firewall (WAF) solutions for WordPress sites.

The security firm said its malware scanner detected more than 70 million malicious files on more than 1.2 million WordPress sites in 2020.
“Overall, the Wordfence scanner found malware originating from a nulled plugin or theme on 206,000 sites, accounting for over 17% of all infected sites,” the company said on Wednesday.
Of these 206,000 sites, 154,928 were infected with a version of the WP-VCD malware, a WordPress malware strain known for its use of pirated/nulled themes for distribution.
Wordfence said this particular malware operation was so successful last year that it accounted for 13% of all infected sites in 2020.
Over 90 billion malicious login attempts
But WordPress sites also got infected with malware via other means beyond pirated themes. Legitimate sites also got attacked and infected. Other methods through which these sites got hacked included brute-force attacks against login forms and the use of exploit code that takes advantage of unpatched vulnerabilities.
All in all, 2020 was a massive year in terms of brute-force attacks. Wordfence reported seeing more than 90 billion malicious and automated login attempts.

These attacks came from 57 million different IP addresses —most likely part of attack botnets and proxy networks— and amounted to 2,800 malicious login attempts per second against Wordfence customers.
To mitigate these attacks, Wordfence recommended that site owners either deploy a WAF or enable a two-factor authentication solution for their accounts.
On the vulnerability exploitation front, things were just as bad, with Wordfence reporting more than 4.3 billion exploitation attempts over the past year.
The most common form of vulnerability that attackers exploited last year was “directory traversals,” a type of bug that threat actors try to abuse to read files from WordPress installations (such as wp-config.php) or upload malicious files on a WordPress site.
Other exploitation attempts also relied on SQL injection, remote code execution bugs, cross-site scripting issues, or authentication bypasses, Wordfence said.

Image: Wordfence More

Like all operating systems, Linux isn’t perfectly secure. Nothing is. As security guru, Bruce Schneider said, “Security is a process, not a product.”  It’s just that, generally speaking, Linux is more secure than its competitors. You couldn’t tell that from recent headlines which harp on how insecure Linux is. But, if you take a closer look, you’ll find most — not all, but most — of these stories are bogus.

For instance, Boothole sounded downright scary. You could get root access on any system! Oh no! Look again. The group which discovered it comes right out and says an attacker needs admin access in order for their exploit to do its dirty work. 
Friends, if someone has root access to your system, you already have real trouble. Remember what I said about Linux not being perfect? Here’s an example. The initial problem was real, albeit only really dangerous to an already hacked system. But several Linux distributors botched the initial fix so their systems wouldn’t boot. That’s bad.   
Sometimes fixing something in a hurry can make matters worse and that’s what happened here.
In another recent case, the FBI and NSA released a security alert about Russian malware, Drovorub. This program uses unsigned Linux kernel modules to attack systems. True, as McAfee CTO, Steve Grobman said, “The United States is a target-rich environment for potential cyber-attacks,” but is production Linux run by anyone with a clue really in danger from it?
I don’t think so.
First, this malware can only work on Linux distributions running the Linux 3.6.x  kernel or earlier. Guess what? The Linux 3.6 kernel was released eight-years ago. 
I suppose if you’re still running the obsolete Red Hat Enterprise Linux (RHEL) 6 you might have to worry. Of course, the fix for signing Linux kernel modules has been available for RHEL 6 since 2012.  Besides, most people are using Linux distros that are a wee bit newer than that. 
In fact, let’s make a little list of the top production Linux distros:
CentOS/RHEL 7 started with kernel 3.10.
Debian 8 started with kernel 3.16.
Ubuntu 13.04 started with kernel 3.8.
SUSE Linux 12.3 started with kernel 3.7.10.
All these years-old distros started life immune to this attack. All recent Linux versions are invulnerable to this malware.
But, wait! There’s more. And this is the really annoying bit. Let’s say you are still running the no longer supported Ubuntu 12.04, which is theoretically vulnerable. So what. As Red Hat’s security team points out, “attackers [must] gain root privileges using another vulnerability before successful installation.”
Once more for Linux to be compromised — for your system to get a dose of Drovorub — your system already had to be completely compromised. If an attacker already has root access, you are totally hosed. 
Yes, there’s a security problem here, but it’s not a technical one. In the tech support business we like to call this kind of trouble: Problem Exists Between keyboard And chair (PEBKAC). So yes, if you have a complete idiot as a system administrator, you’ve got real trouble, but you can’t blame Linux for it.  
Let’s look at another example: Doki, a new backdoor trojan. This time around, although described by many as a Linux problem, it’s not. It can only successfully attack Linux systems when whoever set up the Docker containers exposed the management interface’s application programming interface (API) on the internet. 
That’s dumb, but dumber still is that for it to get you, your server’s firewall must be set to open up port 2375. Here’s a lesson from networking security 101: Block all ports except the ones you must have open. And, while you’re at it, set your firewall to reject all incoming connections that are not in response to outbound requests. If your administrator hasn’t already done this, they’re incompetent.
Finally, let’s consider the recent sudo command problem. This sudo security vulnerability was real, it’s since been patched, but it requires, again, a case of PEBKAC to work. In this case, you had to misconfigure sudo’s set up so that any user could theoretically run sudo. Once again, if you already have an insecure system, it can always get worse.
There’s a common theme here. The problems often aren’t with Linux. The problems are with totally incompetent administrators. And, when I say “totally incompetent,” that’s exactly what I mean. We’re not talking subtle, small mistakes that anyone might make. We’re talking fundamental blunders. 
Whether you’re running Windows Server, Linux, NetBSD, whatever on your mission-critical systems, if you utterly fail at security, it doesn’t matter how “secure” your operating system is. It’s like leaving your car keys in an unlocked car, your system will be hacked, your car will be stolen. 
So, enough with blaming Linux. Let’s blame the real problem: Simple system administrator incompetence. 
Related Stories: More

Botnet operators are abusing VPN servers from VPN provider Powerhouse Management as a way to bounce and amplify junk traffic part of DDoS attacks.
This new DDoS vector has been discovered and documented by a security researcher who goes online as Phenomite, who shared his findings with ZDNet last week.
The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.
Phenomite says that attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet.
Since these packets are UDP-based, they can also be modified to contain an incorrect return IP address. This means that an attacker can send a single-byte UDP packet to a Powerhouse VPN server, which then amplifies it and sends it to the IP address of a victim of a DDoS attack —in what security researchers call a reflected/amplified DDoS attack.
Attacks already detected in the wild
Both Phenomite and ZDNet have reached out to Powerhouse Management to notify the company about its products’ behavior, seeking to ensure that a patch is deployed to its servers that would prevent its VPN infrastructure from being abused in future DDoS attacks.
However, the company has not responded to any of our emails.

Furthermore, we also learned today that threat actors have also discovered this DDoS attack vector, which they have already weaponized in real-world attacks, some of which have reached as much as 22 Gbps, sources have told ZDNet.
Around 1,520 Powerhouse VPN servers ready to be abused
According to a scan performed by Phenomite last week, currently, there are around 1,520 Powerhouse servers that expose their 20811 UDP port, meaning they can be abused by DDoS threat groups.
While servers are located all over the world, most vulnerable systems appear to be “in the UK, Vienna, and Hong Kong,” the researcher told ZDNet.
Until Powerhouse fixes this leak, the researcher has recommended that companies block any traffic that comes from the VPN provider’s networks (AS21926 and AS22363) or block any traffic where “srcport” is 20811.
The second solution is recommended, as it doesn’t block legitimate VPN traffic from all Powerhouse VPN users but only “reflected” packets that are most likely part of a DDoS attack.
Phenomite’s discovery comes to add to a long list of new DDoS amplification vectors that have been disclosed over the past three months. Previous disclosures included the likes of: More