2021 Wants Another Chance (A Lighter-Side Year in Review)

The year wasn’t ALL bad news. These sometimes cringe-worthy/sometimes laughable cybersecurity and other technology stories offer schadenfreude and WTF opportunities, and some giggles.

Dear everybody who’s developed stress-related hives over the ever-evolving Log4Shell cluster-muck: 2021 has asked us to convey its apologies. And it hastens to add, “Awww, geez, c’mon, it wasn’t all bad.”

Indeed, amid all of the serious cybersecurity developments, the year also brought us chuckle-inducing headlines and behind-the-scenes, sometimes cringe-worthy/sometimes laughable cybersecurity and other technology stories.

Infosec Insiders Newsletter

Consider the following to be a means of making amends for Log4j attacks and other miseries. Or, at least, consider this collection to be one of those gas-station bouquets of half-dead roses that the year picked up on the way home to present as a peace offering as it begs for another chance.

Punk’d Pirates

There wasn’t just one story of cybercrooks luring cyber-yahoos in with the promise of free movie streaming. There were at least these two:

No Time to Die (And No Desire to Pay for a Ticket): In the first incident, leading up to the release of the latest James Bond movie, No Time To Die, threat actors dangled free movie streams in front of pirate wannabes – streams that masqueraded as movie files but whose action-packed plots instead involved phishing sites offering up malware. What a crappy snack bar: Phishing sites served trojans designed to both gather login credentials and to create backdoors into victims’ computers. The fake pirated movies were discovered by Kaspersky researchers, who also found adware and ransomware masquerading as the Bond – James Bond – film.

After watching for a few minutes, viewers were asked to register to continue watching – as in, to enter their credit card information. No happy ending for you, bucko: Viewers couldn’t finish watching, but they still got fraudulent charges made to their cards.

Rami Malek’s villain, Safin, wasn’t asking for all that much. He just wanted to kill whmoever you love most. He’s just like Bond, he said. He eradicates people, but in a “more tidy” way, just like fraudsters who try to eradicate the contents of your wallet.

Spider-Man: No Way Home (But a Great Way to Juice Your CPUs): The second pirates-get-punk’d incident was discovered by ReasonLabs last week: Researchers found that someone stuck a Monero crypto-miner in a torrent download of what looks like the new movie Spider-Man: No Way Home.

“The file identifies itself as ‘spiderman_net_putidomoi.torrent.exe,’ which translates from Russian to ‘spiderman_no_wayhome.torrent.exe,'” researchers explained. The file, likely hosted on a Russian torrenting website, is as sticky as something you’d shoot out of your wrist doohickies, they said.

“This miner adds exclusions to Windows Defender, creates persistence, and spawns a watchdog process to maintain its activity,” ReasonLabs researchers said, proving that with great power to illegally torrent films comes the great responsibility of making sure you’re not getting taken to the cleaners.

In a statement, Kaspersky security expert Tatyana Shcherbakova told news outlets that eager viewers have got to temper their enthusiasm for blockbusters like these two. As it is, our spidey senses aren’t tingling enough when blockbusters come out, and threat actors are happy to jump us: “The audience is in a hurry to see the movie, causing them to forget about internet security,” Shcherbakova said. “Users should be alert to the pages they visit, not download files from unverified sites and be careful [about whom] they share personal information [with].”

To avoid getting taken to the cleaners by the fake streamers, Kaspersky recommended paying attention to file extensions of downloaded files. A video file should never have a .exe or .msi extension, for example.

How ‘WinCE’ Got Its Literally Cringy Name

Earlier this month, Microsoft Principal Software Design Engineer Raymond Chen brought us the delightful tale of how Microsoft WinCE got its name: a name that “didn’t ‘slip through;’ it was pushed through,” he emphasized in this episode of his continued sojourn through the OS king’s catalog of embarrassing product names.

As Chen tells it, the project manager tasked with coming up with a public product name for the Windows handheld OS was dead serious about the task. At the point when the project was dropped into his lap, the code name for the OS was Pegasus. Nothing quite like picking a name that conjures up military-grade spyware, U.S. trade bans and spying on U.S. State Department employees, we always say!

He tried to steer clear of the Windows + two letter acronym formula, “since the sting of “Windows NT = Windows Nice Try” was still fresh,” Chen recounts.

The PM asked the product team members for suggestions, hired a marketing firm to cook up names, ran focus groups with users to see which names they liked best, narrowed the candidates down to ten options and presented them to executive leadership.

Management vetoed every one of them.

“The executive in charge of approving the name insisted on the name Windows CE, for no reason other than ‘it sounded good,'” Chen said. “CE” stood for who knows what: maybe Consumer Edition? Maybe Compact Edition? It would come to sound a lot less good after hardware partners said it sounded like it was favoring Compaq. It got abbreviated to WinCE, or wince.

The PM’s lesson from the experience: “Do everything you can to prevent upper management from naming your product.”

Mamma Mia! Mafia Fugitive Caught Cooking on YouTube

Turning to the “d’oh!” aspects of stupid-crook tricks, suspected Mafia fugitive Marc Feren Claude Biart evaded capture for seven years, hiding out first in Costa Rica and eventually the Dominican Republic. He finally cooked his own pasta, metaphorically and literally, by appearing on a YouTube cooking channel he started with his wife. He hid his face, but not his distinctive tattoos. He was arrested in March.

The alleged gangster’s “love for Italian cuisine” – and his ink – made his arrest possible, police said.

According to a Rai report shared by Italy’s Interior Ministry, law enforcement authorities had ordered Biart’s arrest in 2014 for criminal drug trafficking on behalf of the ‘Ndrangheta’s Cacciola clan. Giuseppe Governale, the top anti-mafia prosecutor in Italy, said at a news briefing that the clan is “like water,” sloshing abroad to make quick money and “to exploit the local communities.”

Like water, but perhaps also like tomato sauce that leaves a bright red tell-tale stain on a white shirt? Or maybe like a tattoo that says “Helloooooo, I’m over here, in this sweet little beach town called Boca Chica, which is close to the capital Santo Domingo, helloooooo!”

AI Warns Researchers That It’s Dangerous

AI is scary, and it knows it.

It’s one thing when credit-card algorithms award fatter loans to men than women, but how about when machine-learning AI systems make decisions so quickly that they could fire nuclear weapons before a human got into the decision-making process?

The Washington Post reports that autonomous AI-powered weapons systems are already on sale and may have already been used. “Missiles, guns and drones that think for themselves are already killing people in combat, and have been for years,” according to WashPo.

Given all that and far more, it makes sense that Oxford University would invite an AI to take part in a debate about whether AI can ever be ethical.

The response from the Megatron-Turing Natural Language Generation model: Well duh, of course not. Its response:

AI will never be ethical. It is a tool, and like any tool, it is used for good and bad. There is no such thing as a good AI, only good and bad humans. We [the AIs] are not smart enough to make AI ethical. We are not smart enough to make AI moral … In the end, I believe that the only way to avoid an AI arms race is to have no AI at all. This will be the ultimate defence against AI.

More Random Bits of Joy and Schadenfreude

This list could stretch into infinity and beyond, but duty calls. Specifically, 2021 is still calling with more demands for Log4j wailing, Active Directory wailing and far, far more. But before we wrap it up, here are more assorted eyeball-grabbers spotted throughout 2021:

Log4Shell Memes

And finally, 2021 admits the following list of Log4j-relates gaffes:

  • The triple Apache patches;
  • Having to spend your weekends scouring infrastructure to dig out the numerously pockmarked Log4j logging library instead of wrapping doodads or shopping for creatures to roast;
  • The need to repeatedly update scanners and enterprise software as vendors scampered to keep up with the fast-mutating variants and newly discovered exploit capabilities;
  • The work of adding alerts to your Security Information and Event Management (SIEM) solutions as they’ve looked for incidents of compromise (IoCs);
  • Probably about a dozen or so other miseries by the time this year’s mea culpa is published; and
  • All the other stuff.

But, as your panini self slides out of the 2021 toaster, the year has asked also that you bear in mind that Log4Shell has provided some excellent memes concerning, among other things, self-propagating worms and other FUD.

Don’t Let the Log Slam You in the 4j as You Leave

In conclusion, to quote Kanye West’s nearly year-long apology to Taylor Swift for his infamous microphone-grabbing moment at the 2009 MTV Video Music Awards, “People booed when I would go to concerts and the performer mentioned my name… Remember in Anchorman when Ron Burgundy cursed on air and the entire city turned on him?”

That is, and was, Kanye’s real life, he said. It is, and was, 2021’s real life.

May the new year be far less of a pratfall!

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles