YouTube doesn't want you to run an ad blocker, but it would like you to watch this ad for one.

After performing local experiments for a few months, YouTube recently expanded its effort to block ad blockers. The move was immediately unpopular with some users, and raised some questions in Europe about whether it was breaking privacy laws.

In addition, there are some still some fundamental issues that have some people concerned. In this blog post, we look at a couple of examples that erode our trust in online ads. In fact, it’s not really an argument about free content, it’s about being able to consume content safely, and it seems as though we aren’t quite there yet.

**Inconsistent and untrustworthy ads**

YouTube has made it quite clear that using an ad blocker goes against its Terms of Service, reminding users that they have a choice between accepting ads or paying for a premium subscription.

Yet, as of November 9 2023, YouTube was still showing an ad for Total Adblock, a browser extension that blocks… ads. It certainly looks confusing and is sending mixed messages.

While there is some irony here, the greater concern is that perhaps YouTube doesn’t have a good handle on its ads and maybe that is why users have resorted to ad blockers in recent years.

It’s not that people want an ad-free experience to purposely hurt content creators. They more likely want a scam-free and malware-free experience but perhaps aren’t in a position to pay for a subscription.

While looking for evidence of scammy ads, it took us less than a minute to come across one of those infamous Quantum AI crypto scams:

The ad used typical click-bait tactics and redirected to a website that was obviously a scam. An unverified advertiser was allowed to serve this ad and expose users to a financial scam where they can lose hundreds or even thousands of dollars.

We have yet to see if YouTube will maintain its stance or take any actions to address those core issues. In the meantime, Malwarebytes continues to protect users from scams and malware, from whichever website they choose to visit. The Malwarebytes Browser Guard extension is the easiest way to block malicious ads and other web threats.

 YouTube shows ads for ad blocker, financial scams 

A judge has refused to bring back a class action lawsuit against four car manufacturers because the privacy violation did not meet the WPA standard.

A federal judge has refused to bring back a class action lawsuit that alleged four car manufacturers had violated Washington state’s privacy laws by using vehicles’ on-board infotainment systems to record customers’ text messages and mobile phone call logs.

The judge ruled that the practice doesn’t meet the threshold for an illegal privacy violation under state law. The plaintiffs had appealed a prior judge’s dismissal.

Car manufacturers Honda, Toyota, Volkswagen, and General Motors were facing five related privacy class action suits. One of those cases, against Ford, had been dismissed on appeal previously.

Infotainment systems in the company’s vehicles began downloading and storing a copy of all text messages on smartphones when they were connected to the system. Once messages have been downloaded, the software makes it impossible for vehicle owners to access their communications and call logs but does provide law enforcement with access, the lawsuit said.

The Seattle-based appellate judge ruled that the interception and recording of mobile phone activity did not meet the Washington Privacy Act’s (WPA) standard that a plaintiff must prove that “his or her business, his or her person, or his or her reputation” has been threatened.

In a recent Lock and Code podcast, we heard from Mozilla researchers that the data points that car companies say they can collect on you include social security number, information about your religion, your marital status, genetic information, disability status, immigration status, and race. And they can sell that data to marketers.

This is alarming. Given the increasing number of sensors being placed in cars every year, this is becoming an increasingly grave problem.

In the same podcast, we also explored the booming revenue stream that car manufacturers are tapping into by not only collecting people’s data, but also packaging it together for targeted advertising.

According to the Mozilla research, popular global brands including BMW, Ford, Toyota, Tesla, Kia, and Subaru:

> “Can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where you drive. Researchers found data is being gathered by sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics.”

In fact, the seasoned Mozilla team said “cars are the worst product category we have ever reviewed for privacy” after finding that all 25 car brands they researched earned the “Privacy Not Included” warning label.

Since that doesn’t give us much of a choice to go for a brand that respects our privacy, I suggest we turn of our phones before we start the car. It’s both safer and better for your privacy.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 Judge rules it&#8217;s fine for car makers to intercept your text messages 

At a Senate hearing, a Meta whistleblower has revealed some shocking numbers around children’s experiences of its platforms.

At a Senate hearing, a Meta whistleblower has revealed some shocking numbers around children’s experiences of its platforms.

Arturo Béjar, a former engineering director at Meta, testified before the US Congress on Tuesday. Not only did he share his own daughters’ experience suffering harassment on Instagram, he also shared some statistics.

> “13% of Instagram users under the age of 16 had received unwanted sexual advances on the platform in the previous 7 days.”

His own daughter received unsolicited pictures of male strangers’ privates on the platform. She reported them without ever receiving a response that indicated Meta would take appropriate action.

In a conversation with chief product officer Chris Cox, Béjar learned Meta was already aware of the statistics related to the harm done to teens.

Béjar is not the first Meta whistleblower to voice his concerns about Meta’s unwillingness to put the wellbeing of its users before the bottom line. On October 5, 2021, Frances Haugen told a Senate panel Tuesday that Congress must intervene to solve the “crisis” created by her former employer’s products.

Haugen, a former Facebook product manager for civic misinformation, stated that by design the Facebook algorithm is consistently used to prioritize the company’s own profits over users’ health and safety. As an example she explained how the algorithm, in its drive towards more profitable content, could steer young users from something relatively innocuous such as healthy recipes to content promoting anorexia in a short period of time.

Béjar previously worked as an engineering director at Facebook from 2009 to 2015, gaining recognition for his efforts to combat cyberbullying. Later he worked as a Meta consultant. In this capacity, his team at Meta created “Bad Emotional Experience Feedback” (BEEF) a recurring survey of 238,00 users’ experiences in the previous week.

Other statistics from these surveys raised concerns as well. Of the 13—15 year-olds on Instagram that filled out the survey, 26% said they had witnessed discrimination based on various identities and 21% felt worse about themselves due to others’ posts on Instagram.

Meta on the other hand issued a statement saying it’s working hard to keep minors safe.

> “The issues raised here regarding user perception surveys highlight one part of this effort, and surveys like these have led us to create features like anonymous notifications of potentially hurtful content and comment warnings.”

Meta has rolled out some 30 parental controls to manage who children can talk to or how much time they spend on Facebook and Instagram. In an earlier statement, Meta said it has strict policies and technology to prevent predators from finding or interacting with teenagers on its apps.

> “We’re continuously exploring ways to actively defend against this behavior, and we set up an internal task force to investigate these claims and immediately address them.”

Despite these promises, Béjar’s statements have reinforced in some senators the need for the Kids Online Safety Act (KOSA), to ensure that companies like Meta have a duty of care to the young people that drive their record profits.

KOSA is a bill that was introduced in the United States Senate in February 2022 and reintroduced in May 2023, The bill establishes guidelines meant to protect children on social media platforms. Criticism of the bill mostly points out that it might potentially enable censorship and increased online surveillance.

Nevertheless, this testimony and others may be the cause of dramatic changes to how kids use social media. Reportedly, a group of 42 US attorneys general already announced they are suing Meta Platforms Inc. for harms they say Instagram and Facebook are perpetrating on young people.

Instagram has already been fined €405 million after European Union privacy regulators came to a decision on a long-running complaint related to how the social media platform handles children’s data.

We are pretty confident that these are not the last fines and lawsuits Meta will face, but whether they will help to keep our children safe from predators remains to be seen. We will keep an eye on this.

**We don’t just report on threats—we remove th**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Meta whistleblower says company has long ignored how it sexually endangers children 

The FBI is investigating a data breach where cybercriminals were able to steal patients’ records from a Las Vegas plastic surgeon's office and then publish them online.

The FBI is investigating a data breach where cybercriminals were able to steal patients’ records from a Las Vegas plastic surgeon’s office, and then post the details online which included nude photos.

In February, cybercriminals gained access to Hankins & Sohn’s network, which has offices in both Henderson and Las Vegas. From there, the cybercriminals were able to download patient information.

The practice sent a letter to patients in March and April notifying them of the breach.

> “On or about February 23, 2023, Hankins & Sohn became aware of suspicious activity relating allegations by an unknown actor that data was stolen from our network. We quickly took steps to investigate the validity of the claims and to assess the nature and scope of the activity and what information may have been affected. We are also working with law enforcement to investigate the activity. We learned that files were taken by the unknown actor prior to this date.”

Apparently, the cybercriminals didn’t get what they wanted from Hankins & Sohn and started posting the information online. Several patients and court documents say that the stolen data included sensitive personal information, such as names and Social Security numbers, but also nude photos of patients taken before and after surgery.

They cybercriminals didn’t stop at that. They sent the data, along with the nude photos, to family and friends through patients’ email accounts.

According to 8NewsNow, about a dozen women have since filed a lawsuit against the firm, claiming they did not do enough to protect their private and personal information. None of the documents posted online were encrypted. It was unclear Monday if Hankins & Sohn was storing its data per HIPAA rules. A spokesperson for the office that oversees HIPAA-related investigations declined to comment.

HIPAA is short for Health Insurance Portability and Accountability Act. HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The victims claim that the Hankins and Sohn failed to implement adequate and reasonable cybersecurity procedures and protocols to protect their Personally Identifiable Information (PII) and Protected health information (PHI).

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 Nude “before and after” photos stolen from plastic surgeon, posted online, and sent to victims&#8217; family and friends 

A SysAid vulnerability is actively being exploited by a ransomware affiliate.

Users of SysAid on-premises should take action to deal with a vulnerability. SysAid is a widely used IT service management solution that allows IT teams to manage tasks.

Microsoft discovered an ongoing exploitation of a zero-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest. Lace Tempest is an initial access broker (IAB) usually associated with the Cl0p ransomware.

Once SysAid were notified by Microsoft on November 2, 2023, they started an investigation which confirmed that it was indeed a zero-day vulnerability. By definition, a zero-day vulnerability is any software vulnerability exploitable by hackers that doesn’t have a patch yet.

The investigation identified a previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software. Path traversal vulnerabilities allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths.

The attackers used the vulnerability to upload a web shell and other payloads into the web root of the SysAid Tomcat web service. Tomcat is an open-source web server and servlet developed by the Apache Software Foundation. A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application.

The web shell provided the attacker with unauthorized access and control over the affected system. The attackers then used two PowerShell scripts to expand their hold. One to launch the Gracewire malware loader and the other to erase other evidence of the intrusion.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE assigned to this vulnerability is:

CVE-2023-47246: a path traversal vulnerability that affects all SysAid On-Premises installations running versions before 23.3.36. SysAid Cloud customers are not affected by this vulnerability.

If you are a SysAid customer using a SysAid On-Prem server, you are under advise you to ensure that your SysAid systems are updated to version 23.3.36 or later, which includes the patches for the identified vulnerability.

Organizations using SysAid should apply the patch as soon as possible and look for any signs of exploitation prior to patching (see Indicators of Compromise below). The Lace Tempest group exploited the vulnerability in the SysAid software to deliver a malware loader for the Gracewire malware. Once this foothold is established, it’s usually followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.

You should also review any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behavior.

**IOCs**

**File:**

b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d     Malicious loader

**IPs:**

81.19.138.52     GraceWire Loader C2

45.182.189.100 GraceWire Loader C2

179.60.150.34  Cobalt Strike C2

45.155.37.105  Meshagent remote admin tool C2

_Malwarebytes blocks the Cobalt Strike C2 179.60.150.34_

**File Paths:**

C:\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe

C:\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles.war  

C:\\Program Files\\SysAidServer\\tomcat\\webapps\\leave  

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Update now! SysAid vulnerability is actively being exploited by ransomware affiliate 

Users looking to download a popular PC utility may be tricked in this campaign where a threat actor has registered a website that copies content from a PC and Windows news portal.

The majority of malvertising campaigns delivering malicious utilities that we have tracked so far typically deceive victims with pages that are almost the exact replica of the software vendor being impersonated. For example, we have seen fake websites appearing like the real Webex, AnyDesk or KeePass home page.

In a new campaign, we observed a threat actor copying a legitimate Windows news portal (WindowsReport.com) to distribute a malicious installer for the popular processor tool CPU-Z.

This type of website is often visited by geeks and system administrators to read the latest computer reviews, learn some tips and download software utilities. The Windows Report was never compromised and is legitimate, but rather threat actors copied its content to trick users.

This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection. We have informed Google with the relevant details for takedown.

**Google ad and filtering**

The malicious ad is for CPU-Z, a popular utility for Windows users that want to troubleshoot their processor and other computer hardware details. The advertiser shows as Scott Cooper and is likely a compromised or fake identity.

One common technique used by threat actors to evade detection is to employ cloaking. Anyone clicking on the ad and who’s not the intended victim will see a standard blog with a number of articles.

We had previously identified another malicious ad using almost the same template.

**Redirect to Windows news site lookalike**

To show what happens when an actual victim clicks on the ad, here is the network traffic related to it as seen in the image below. This time, the corporatecomf\[.\]online website is no longer used to show a blog with articles but instead does a redirect (302 HTTP code) to another domain at workspace-app\[.\]online.

This domain uses content from the legitimate Windows portal WindowsReport.com and looks almost identical:

People who searched for CPU-Z and clicked the ad are now at the download page for the software, where they may wrongly assume that it is legitimate. The URL in the address bar does not match the real one, though.

There are several other domains hosted on the same IP address (74.119.192.188) also used in malvertising campaigns:

**Signed MSIX installer**

The payload is a digitally signed MSIX installer which contains a malicious PowerShell script, a loader known as FakeBat:

The script shows the malware command and control server as well as the remote payload (Redline stealer):

We are blocking the malvertising domains for all Malwarebytes customers:

ThreatDown, powered by Malwarebytes, already detected the final infostealer payload and we have added coverage for the its command and control servers as well.

It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page.

The download is also a signed MSI installer, which increases the chances for it to look legitimate from the operating system and antivirus software. These MSI loaders are quite common and allow threat actors to update the final payload by simply swapping a PowerShell script.

Software downloads have been a big target for the past year with criminals using a variety of tricks to deceive users and install malware. In an enterprise environment, it may be wise to verify a file’s checksum to ensure it has not been tampered with by comparing its SHA256 hash sum with what is posted on the vendor’s website.

**Indicators of Compromise**

Ad domains

argenferia\[.\]com  
realvnc\[.\]pro  
corporatecomf\[.\]online  
cilrix-corp\[.\]pro  
thecoopmodel\[.\]com  
winscp-apps\[.\]online  
wireshark-app\[.\]online  
cilrix-corporate\[.\]online  
workspace-app\[.\]online

Payload URLs

thecoopmodel\[.\]com/CPU-Z-x86.msix
kaotickontracting\[.\]info/account/hdr.jpg
ivcgroup\[.\]in/temp/Citrix-x64.msix
robo-claim\[.\]site/order/team.tar.gpg
argenferia\[.\]com/RealVNC-x64.msix

Payloads

55d3ed51c3d8f56ab305a40936b446f761021abfc55e5cc8234c98a2c93e99e1
9acbf1a5cd040c6dcecbe4e8e65044b380b7432f46c5fbf2ecdc97549487ca88
419e06194c01ca930ed5d7484222e6827fd24520e72bfe6892cfde95573ffa16
cf9589665615375d1ad22d3b84e97bb686616157f2092e2047adb1a7b378cc95

C2s

11234jkhfkujhs\[.\]site
11234jkhfkujhs\[.\]top
94.131.111\[.\]240
81.177.136\[.\]179

 Malvertiser copies PC news site to deliver infostealer 

USB drive malware is on the rise. Learn about our new Device Control features for Nebula and OneView.

With experts noting a troubling threefold surge in USB drive malware incidents in early 2023, Device Control has just leveled up with a key addition: the Advanced Auto Scanning & Block Until Scan feature. 

Here’s the breakdown: When a USB device is connected, ThreatDown now doesn’t just control access—it actively scans it. You can also now choose to block the device until the system scans it. This means threats are stopped in their tracks, well before they can do any harm. 

Available for both Nebula and OneView users, the new update also offers detailed device insights on the Quarantine and Detections pages. The interactive “Device” column, for example, reveals comprehensive details like the serial number and volume name. 

Advanced Device Control is designed to make it that much easier for organizations to defend against USB malware, which can cause data breaches and other system compromises. Let’s dive deeper into the update! 

**Automated Scanning **

When a USB device is inserted, the new feature automatically initiates a scan for potential threats. This is proactive, as opposed to the more passive nature of traditional device control, which simply controlled access when storage drives were connected via USB. 

**Conditional Access Based on Scan Results **

Perhaps the most significant addition is the ability to block access to the device until it has been scanned for threats. This ensures that no potentially harmful files are accessed before they are verified as safe, a capability not present in the original Device Control setting. 

**Customizable Alerts **

Users can craft an optional alert message that appears when a USB device is blocked pending a scan. This can help in communicating security protocols to users who might not be aware of why their device access is restricted. 

**Quarantine and Detections Pages Update **

Nebula’s Quarantine and Detections pages have been upgraded for improved management of USB-originated threats: 

*   “Device” Column: A new clickable column has been added, listing devices associated with threats. 
*   Device Details Slideout: Clicking on a device link provides immediate access to details like serial number and volume name. 

These updates streamline the threat analysis process, integrating crucial information directly into your workflow. 

**Additional features ****Restoration & Exclusion Enhancements **

Quickly restore false positives from quarantine when the device is reconnected and set exclusions to prevent future unnecessary blocks. 

**Detailed Threat Information **

The Endpoint details slide-out has been enhanced. Under the Detections and Quarantine tabs, users can now access comprehensive data on any USB threats discovered. 

**Action Taken **

A new “Action taken” column clearly shows the device scan history and status updates.

**Try Advanced Device Control today **

Advanced Device Control marks a leap in helping organizations stay ahead of USB malware, featuring proactive scanning, conditional access, and improved visibility to proactively thwart potential breaches.  

Try Advanced Device Control in Nebula and OneView today! 

Not a Nebula or OneView user? Get a free demo.

 Introducing Advanced Device Control: Shielding businesses from USB threats  

MSPs can now visualize the security posture of each client at a glance.

In a world rife with cyber threats, it is crucial for Managed Service Providers (MSPs) to conduct thorough assessments of their clients’ security posture. Even minor misconfigurations, if overlooked, can leave clients vulnerable to attacks.

Yet, lacking the necessary tools, many MSP IT teams are in the dark about the real status of their clients’ security, increasing the risk of cyber incidents for their customers.

The answer? A solution that enables organizations to visualize and improve their clients’ security posture in just a few minutes. Enter Security Advisor Site Scores for OneView. 

**Security Advisor Site Scores** for OneView enable MSPs to visualize the security posture of each client at a glance.

As **Security Advisor for OneView further develops,** it will empower MSP Admin users to closely monitor the overall health of their customer base, efficiently address issues, automate & scale actions, and facilitate seamless communication within our product. 

For now, let’s explore the **Security Advisor Site Scores** available today. 

**Security Advisor Site Scores for OneView **

**Site Score Metric** 

Site Health Scores offer a clear snapshot of each client’s security posture, enabling MSP Admins to identify at-risk customers who require the most urgent action.

**Factor Cards** 

Each client Site Score contains detailed information about the factors contributing to its specific score. A low score on any factor indicates that action for improvement is needed in that category.

Factors that apply to all Sites Health Scores include policy configuration, scheduled scans, and endpoint status. Paid add-on modules such as DNS Filtering and Vulnerability & Patch Management will only impact the Site Health Score if the site is licensed for these products.

**Benefits of the Security Advisor Site Scores for OneView **

**Comprehensive List of all Sites Health Scores**  

Within the OneView Sites page we have included each individual Site Score for MSPs to have a global view of the statuses of their entire customer portfolio. 

Comprehensive view of each end-customer health score 

**Immediate Assessment of Security Posture for each** **client**

Site Health Scores per can be clicked into to get a detailed look at individual client security. 

Site-level Health Score detail with Factors cards contributing to Site score 

**In-depth Information with Factor Cards per Site** 

By clicking on each Site Score, MSPs can view all the Factors cards that contribute to it. Low value on any factor directs the Admin user to the category of action they need to take within OneView console to improve the score. 

Each client Site Score contains detailed information about the factors contributing to its specific score.

**Continuous Threat Monitoring** 

Stay ahead of potential security issues with continuous assessment; client health scores are updated every 24 hours, with lower Site Scores indicating that action needs to be taken. 

**Try Security Advisor Today**

Ready to transform security management for your clients? OneView users can start using Security Advisor today, free of charge.

Not a OneView user? Get a free demo.

 Introducing Security Advisor Site Scores for OneView: Easy assessment of client security for MSPs  

Scientists have developed a ChatGPT detector with unprecedented accuracy. Even though it has a limited scope, this could be a big step forward.

ChatGPT and similar Large language models (LLMs) can be used to write texts about any given subject, at any desired length at a speed unmatched by humans.

So it’s not a surprise that students have been using them to “help” write assignments, much to the dismay of teachers who prefer to receive original work from actual humans.

In fact, in Malwarebytes’ recent research survey, “Everyone’s afraid of the internet and no one’s sure what to do about it,” we found that 40% of people had used ChatGPT or similar to help complete assignments, while 1 in 5 admitted to using it to cheat on a school assignment.

It’s becoming really hard to tell what was written by an actual person, and what was written by tools like ChatGPT, and has led to students being falsely accused of using ChatGPT. However, students that _are_ using those tools shouldn’t be receiving grades that they don’t deserve.

Worse than that could be an influx of so-called scientific articles that either add nothing new or bring “hallucination” to the table—where LLMs make up “facts” that are untrue.

Several programs that can filter out artificial intelligence (AI) texts have been created and tests are ongoing, but the success rate of these, mostly AI-based tools, hasn’t been great.

Many have found the existing detection tools not very effective, especially for professional academic writing. These tools have a bias against non-native speakers. Seven common web-based AI detection tools all identified non-native English writers’ works as AI-generated text more frequently than native English speakers’ writing.

But now it seems as if chemistry scientists have found an important building block in creating more effective detection tools. In a paper titled “Accurately detecting AI text when ChatGPT is told to write like a chemist” they describe how they developed and tested an accurate AI text detector for scientific journals.

Using machine learning (ML), the detector examines 20 features of writing style, including variation in sentence lengths, the frequency of certain words, and the use of punctuation marks, to determine whether an academic scientist or ChatGPT wrote the examined text.

To test the accuracy of the detector, the scientists tested it against 200 introductions in American Chemical Society (ACS) journal style. For 100 of these, the tool was provided with the papers’ titles, and for the other 100, it was given their abstracts.

It showed astonishing results. It outperformed the online tools provided by ZeroGPT and OpenAI by identifying ChatGPT-3.5 and ChatGPT-4 written sections based on titles with 100% accuracy. For the ChatGPT-generated introductions based on abstracts, the accuracy was slightly lower, at 98%.

_Image courtesy of_ _ScienceDirect_

The graph shows the accuracy of three detectors against texts written by humans (to determine the number of false positives), ChatGPT-3.5, and ChatGPT-4. P1 is the texts based on titles and P2 the ones based on abstracts.

What’s important about this research is that it shows that with specialized tools one can achieve a much better detection rate. That could mean that efforts to develop AI detectors could receive a significant boost by tailoring software to specific types of writing.

Once we learn how to quickly and easily build such a specialized tool, we can soon expand the number of areas for which we have specialized detectors. According to one of the researchers, the findings show that “you could use a small set of features to get a high level of accuracy.”

To put this into perspective, the development time to generate the detector was a part-time project, done in approximately one month by a few people. The scientists designed the detector prior to the release of ChatGPT-4, but it works just as effectively on GPT-3.5, so it’s unlikely that future versions would create text in a way that would significantly change the accuracy of this detector.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Using ChatGPT to cheat on assignments? New tool detects AI-generated text with amazing accuracy 

Two critical remotely exploitable vulnerabilities in QNAP's network attached storage devices need to be patched. Do it now!

QNAP has published a security advisory about two critical vulnerabilities that could allow remote attackers to execute commands via a network.

One of the vulnerabilities affects the QTS and QuTS operating systems (OS) for QNAP’s network attached storage systems (NAS). The second one can be found in versions of QTS, the Multimedia Console, and the Media Streaming add-on.

**CVE-2023-23368**

The first vulnerability, CVE-2023-23368 (CVSS score 9.8 out of 10), is an OS command injection vulnerability.

OS command injection (also known as shell injection) is a security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the device that is running an application, and typically fully compromise the application and all its data.

A fix is available for the vulnerability in the following versions:

*   QTS 5.0.1.2376 build 20230421 and later
*   QTS 4.5.4.2374 build 20230416 and later
*   QuTS hero h5.0.1.2376 build 20230421 and later
*   QuTS hero h4.5.4.2374 build 20230417 and later
*   QuTScloud c5.0.1.2374 and later

To update QTS, QuTS hero, or QuTScloud you can:

*   Log in to QTS, QuTS hero, or QuTScloud as an administrator.
*   Go to Control Panel > System > Firmware Update.
*   Under Live Update, click Check for Update.
*   The system will download and install the latest available update.

If that doesn’t work for you, you can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

**CVE-2023-23369**

The second vulnerability, CVE-2023-23369 (CVSS score 9 out of 10), is also an OS command injection vulnerability that reportedly affects several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.

A fix for the vulnerability is available for the following versions:

*   Multimedia Console 2.1.2 ( 2023/05/04 ) and later
*   Multimedia Console 1.4.8 ( 2023/05/05 ) and later
*   QTS 5.1.0.2399 build 20230515 and later
*   QTS 4.3.6.2441 build 20230621 and later
*   QTS 4.3.4.2451 build 20230621 and later
*   QTS 4.3.3.2420 build 20230621 and later
*   QTS 4.2.6 build 20230621 and later
*   Media Streaming add-on 500.1.1.2 ( 2023/06/12 ) and later
*   Media Streaming add-on 500.0.0.11 ( 2023/06/16 ) and later

To update the Multimedia Console:

*   Log on to QTS as an administrator.
*   Open the App Center and then click the search symbol (looking glass).
*   Type “Multimedia Console” into the search box and then press Enter.
*   Multimedia Console will appear in the search results.
*   Click Update. (Note: The Update button is not available if your version is already up to date.)
*   A confirmation message appears.
*   Click OK.

To update the Media Streaming add-on:

*   Log on to QTS as an administrator.
*   Open the App Center and then click the search symbol (looking glass).
*   Type “Media Streaming add-on” into the search box and then press Enter.
*   Media Streaming add-on will appears in the search results.
*   Click Update. (Note: The Update button is not available if your version is already up to date.)
*   A confirmation message appears.
*   Click OK.

Extra tip: while you are logged in as an administrator consider whether your password is strong enough. On October 19, 2023 QNAP reported a significant wave of weak password attacks. NAS owners are one of the most common targets of ransomware attacks against consumers.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Source

Malwarebytes