US to head off laptop ban on international flights with revised security requirements

Original Article Here

On Wednesday, the US Department of Homeland Security announced new security measures for foreign flights to the US that could end the ban on passengers from certain countries using laptops in flight, Reuters reported.

In March, the US banned in-cabin laptop use on flights to the US from 10 airports in eight countries: Turkey, Morocco, Jordan, Egypt, the United Arab Emirates, Qatar, Saudi Arabia, and Kuwait. The UK issued a similar ban shortly after. Passengers on those flights are currently not allowed to carry larger electronics, including laptops, tablets, and digital cameras, into the cabin, and must pack them in checked luggage instead. Smartphones and medical devices are still allowed.


The affected airports will require additional screening of passengers and their electronic devices to detect possible explosives. Airlines that comply will effectively be released from the ban, Reuters reported; those that do not implement the new measures will remain subject to it.

“Inaction is not an option,” US Homeland Security Secretary John Kelly said in a news briefing on Wednesday. He also said that he believed airlines would comply with the new screening, Reuters reported.


The new requirements would impact 325,000 airline passengers on some 2,000 commercial flights arriving in the US daily, Reuters noted.

US and European officials told Reuters that the airlines have 21 days to put in place enhanced explosive trace detection screening, and that they have 120 days to add other security measures, including improved screening of passengers. US officials also reported that they want to increase security measures around aircraft and in passenger areas, as well as to expand canine screening.

Kelly had previously said that the laptop ban might be expanded to all international flights entering the US. Some airlines feared that this would cause logistical problems and hurt profits, as many business class passengers use laptops and other electronics in flight—and pay more for their tickets.

Reuters reported that the airlines also said they would likely have to pay for the expanded screening costs themselves, leaving some industry groups concerned.

“The development of the security directive should have been subject to a greater degree of collaboration and coordination to avoid the significant operational disruptions and unnecessarily frustrating consequences for the traveling public that appear likely to happen,” said industry trade group Airlines for America (A4A)’s chief executive Nicholas E. Calio, in a statement to Reuters.

Kelly also said that he had a “step by step” security improvement plan that included several processes that would take at least a year to implement, Reuters reported. It remains to be seen if these new security enhancements will greatly impact business travelers.

The 3 big takeaways for TechRepublic readers

1. The US Department of Homeland Security announced new security measures for foreign flights to the US that could end the ban on passengers from certain countries using laptops in flight.

2. The airports affected by the ban will require additional screenings for passengers and their electronic devices, to detect possible explosives.

3. More security improvements are expected to be rolled out over the next year.



FedEx's TNT Express deliveries disrupted by virus attack

Original Article Here


FedEx’s delivery subsidiary TNT Express has warned that its systems have been significantly affected by a computer virus.

The company said in a note on its website: “Like many other companies and institutions around the world, we are experiencing interference with some of our systems within the TNT network,” which has led to speculation that the problems were linked to the Petya ransomware that has been infecting PCs globally.

FedEx halted trading in its shares for almost an hour yesterday as it announced that operations at its European subsidiary TNT Express had been “significantly affected” by a computer virus. FedEx warned investors that the disruption could have a material impact on its finances.

The notification came amid the Petya file-encrypting malware outbreak, which hammered Windows systems in Ukraine but also caused infections in 63 other countries.

“While TNT Express operations and communications systems have been disrupted, no data breach is known to have occurred,” the firm said.

No other FedEx business was affected by the attack. TNT Express’s domestic and regional network services were “largely operational, but slowed”, it said, with delays in TNT Express’s inter-continental services. FedEx Express services were deployed as alternatives.

A message still on TNT’s website today notes that it had to suspend myTNT online services due to the attack.

“We are implementing remediation steps as quickly as possible to support customers who experience limited interruption in pick-up and delivery operations and tracking systems access.”

The company hasn’t provided further updates.

As more details emerge about the Petya/NotPetya malware, several security researchers have concluded the attack was not intended to make money but rather to destroy infected computers, making this an example of so-called wiper malware, such as Shamoon.

“If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options,” wrote operational security expert the grugq.

“This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware’.”

Researchers at Kaspersky found that the malware’s unique installation ID, which would normally be used by the attacker to generate a recovery key for each infection, was just random data.

“That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID,” Kaspersky researchers wrote.


Not enough fiber to grow the internet for 5G, says consultant

Original Article Here

Treatment will be brought to the patients and patient data will be centralized, “turning hospitals into data centers,” a telco equipment maker says in a recent report.

Ericsson, in its 2017 Mobility report (PDF), published this month, says patient treatment will, in the future, no longer be performed in hospitals located far from patients’ homes, but performed remotely through new 5G wireless radio.


Wearables will be among the tools used for keeping an eye on folks’ health and dishing out medication. Diagnosis will be accomplished through online consultations, and robots will remotely execute surgeries at nearby healthcare clinics rather than far-off hospitals.

Ericsson is a mobile technology company actively involved in 5G wireless development, which it’s pitching at Internet of Things (IoT) uses. It says IoT devices in general will increase at a Compound Annual Growth Rate (CAGR) of 21 percent between 2016 and 2022 and that there will be 1.5 billion cellular IoT devices by 2022. That’s partly because of 5G.

This vision of decentralized healthcare is an example of something that could be driven by next-generation wireless networks, the company pitches in its report. A good thing: Patients are demoralized by the costs and inconvenience of medical attention, Ericsson points out, yet hospitals need to reduce costs.

5G devices, with power consumption low enough for battery life of possibly up to 10 years, combined with the low latency expected from the millimeter-wave spectrum 5G will use, could deliver haptic feedback. That might be good enough to supply a sense of close-to real-time touch for surgeries. 5G latency could be a single millisecond, compared to 4G LTE’s 50 milliseconds, Ericsson explains.

Additionally, 5G, with the chance to take a fresh approach to security, might be more watertight than existing communications channels and thus better suited to healthcare.

5G’s rollout, coming commercially as early as 2020, is “due to provide 10 to 100 times more capacity than 4G,” according to Ericsson. Interestingly, though, the 5G tech could encounter trouble, according to a consultant.

A bump in the road to 5G

It isn’t all about wireless, consultant Deloitte says. For 5G to achieve its predicted blockbuster status, the U.S. must invest in fiber, of which there isn’t enough.

“The success of 5G wireless will hinge on deep fiber,” the company says in a press release.

Networks in the U.S. don’t have the “fiber density” to cope with the bandwidth demands of future 5G applications, Deloitte says. One issue is that millimeter-wave spectrum has shorter range, so it needs more cell sites, and each of those sites needs a backhaul connection.

“Without more deep fiber, carriers will be unable to support the projected four-times increase in mobile data traffic between 2016 and 2021,” Deloitte says.

(Ericsson’s latest projection is a 33 percent compound annual growth rate for U.S. mobile data between 2016 and 2022).

It will take “an investment of $130 billion to $150 billion in fiber infrastructure over the next five to seven years to adequately support broadband competition, rural coverage, and wireless densification [needed for 5G],” Deloitte says.

So, 5G might not be as simple as the pre-marketing rhetoric suggests. Someone has to come up with, and pay for, more underlying network, Deloitte says.


Microsoft aims to simplify Windows 10 PC set-up with Windows Autopilot

Original Article Here

Microsoft has developed a new set of cloud-powered technologies aimed at simplifying the set-up of new PCs that it’s calling Windows AutoPilot.


Windows AutoPilot and a new Windows AutoPilot Deployment Program, both announced on June 29, are Microsoft’s latest attempts to improve the provisioning and deployment experience around Windows 10.

(Microsoft has used the “Autopilot” brand before for its own datacenter-management technology, some codename buffs may recall. But Windows AutoPilot seemingly has no connection to the original Microsoft Autopilot.)

The Windows AutoPilot Deployment Program is for OEMs, distributors and resellers. It will allow them to provide users with “business-ready” devices by linking Windows 10 PCs to an organization’s existing Azure Active Directory and Intune mobile-device management services and preloading them with Office 365 ProPlus apps.

The Surface team is already working with some customers and partners as part of the Windows AutoPilot Deployment Program, officials said. The program will be broadly available to customers later this year. Microsoft also is working to allow the Microsoft Store for Business to provide Windows AutoPilot support, allowing businesses to enroll their own devices.

In keeping with the Windows AutoPilot branding, Microsoft also will include in the Windows 10 Fall Creators Update this Fall a feature called Windows AutoPilot Reset, which officials describe as “a quick way to reset a PC to a known good state while maintaining MDM management and AAD (Azure Active Directory) connection state.”

Microsoft is adding more features to Intune to enable it to take advantage of Windows AutoPilot and the coming Windows Defender Application Guard technology that will be in the Fall Creators Update. Intune will provide a way to deploy and configure Windows Defender Application Guard and Windows Firewall rules. And Intune also will provide an option to show progress during the device provisioning process, so employees can see information about what their companies are managing, officials said.

Devices joined to Active Directory and automatically registered in Azure Active Directory can be enrolled in Intune or another mobile-device-management service via Windows Autopilot Deployment, officials said.


In other Windows 10 management news, Microsoft is planning to add a new Device Health capability to Windows Analytics. Device Health is meant to let users know proactively about potential issues that could affect their computing experience, and to offer options for resolving those issues.

Windows Analytics (formerly known as Upgrade Analytics) works with the Microsoft Operations Management Suite. The Device Health capability will be available “soon” for preview, with general availability later this calendar year, Microsoft officials said.


AMD unveils Ryzen Pro, enterprise processors with a security focus

Original Article Here


AMD has revealed the Ryzen Pro processor range with an eye on enterprise users looking for better security built from the ground up.

On Thursday, the Sunnyvale, Calif.-based semiconductor company said the new addition to its enterprise CPU portfolio is a family of desktop processors designed to “meet the demands of today’s compute-intensive workplace.”

The Ryzen Pro product family comes with up to eight cores and 16 threads, up to 3.7 GHz, AMD SenseMI technology and up to 20MB of low-latency L2 and L3 cache. AMD’s Precision Boost is also supported, and the company has introduced Neural Net Prediction, which evaluates running applications to ‘predict’ the instructions they will execute next; both can raise the processors’ performance.

The new Ryzen Pro lineup is built on the Zen core, which AMD says delivers 52 percent more performance per clock than its previous-generation core. In addition, AMD claims the Ryzen 7 Pro 1700 model offers up to 62 percent more multi-threaded performance than rival products.

The full specifications are below:

  • Ryzen 7 Pro: Model 1700X, Cores: 8, Threads: 16, Boost Clock (GHz): 3.8, Base Clock (GHz): 3.4, TDP (Watts): 95
  • Ryzen 7 Pro: Model 1700, Cores: 8, Threads: 16, Boost Clock (GHz): 3.7, Base Clock (GHz): 3.0, TDP (Watts): 65
  • Ryzen 5 Pro: Model 1600, Cores: 6, Threads: 12, Boost Clock (GHz): 3.6, Base Clock (GHz): 3.2, TDP (Watts): 65
  • Ryzen 5 Pro: Model 1500, Cores: 4, Threads: 8, Boost Clock (GHz): 3.7, Base Clock (GHz): 3.5, TDP (Watts): 65
  • Ryzen 3 Pro: Model 1300, Cores: 4, Threads: 4, Boost Clock (GHz): 3.7, Base Clock (GHz): 3.5, TDP (Watts): 65
  • Ryzen 3 Pro: Model 1200, Cores: 4, Threads: 4, Boost Clock (GHz): 3.4, Base Clock (GHz): 3.1, TDP (Watts): 65

Any vendor targeting the enterprise market, especially with cyberattacks a constant threat, must keep security in mind. AMD says that Ryzen Pro will include silicon-level security, with cryptographic technologies embedded at the hardware level.

In addition, the processor family supports secure boot, fTPM (firmware Trusted Platform Module), AES, and Windows 10 Enterprise security features.

The Ryzen Pro range also has a built-in AES-128 encryption engine that encrypts DRAM contents independently of the OS and applications, and the chips are made in what AMD calls a “secure production environment” in the supply chain. Transparent memory encryption of this kind defends the contents of DRAM against physical attacks such as cold-boot or memory-bus snooping; it does not isolate one process from another running on the same system.



“Ryzen PRO processors provide commercial-grade quality and reliability to help ensure platform longevity for future-ready computing. Industry-leading, open-standard DASH manageability allows for CPU-agnostic administration and helps ensure businesses avoid getting locked into proprietary solutions,” AMD says.


At the Computex trade show in Taipei, Taiwan earlier this month, AMD said that all five major OEMs — Acer, Asus, Dell, HP, and Lenovo — will offer systems based on the Ryzen processor product family.

“Today marks another important step in our journey to bring innovation and excitement back to the PC industry: the launch of our Ryzen Pro desktop CPUs that will bring disruptive levels of performance to the premium commercial market,” said Jim Anderson, senior vice president of the Computing and Graphics Group at AMD. “Offering a significant leap in generational performance, leadership multi-threaded performance, and the first-ever 8-core,16-thread CPU for commercial-grade PCs, Ryzen PRO provides a portfolio of technology choices that meet the evolving needs of businesses today and tomorrow.”

Vendors are expected to use the Ryzen Pro in new desktop lineups in the second half of this year, and Ryzen Pro mobile is on track for release in the first half of 2018.

How To (And Not To) Make the Online Trust Honor Roll

Original Article Here

Five websites generated the highest score in their sector for the 2017 Online Trust Audit & Honor Roll. Here is what it takes to get there and be listed among the Online Trust Alliance’s Top 50.



With consumer and enterprise sites getting slammed with attacks, the Online Trust Alliance recently unveiled its 2017 Online Trust Audit & Honor Roll to highlight those sites that engage in the best security and privacy practices.

The audit analyzed up to 1,000 consumer-related websites, Internet service providers, mobile carriers, email box providers, government agencies, and media sites, based on three key criteria: privacy, consumer protection, and security and resiliency. The total base points possible stood at 300, excluding bonus points, and a website needed to score at least 80% overall to be included in the honor roll.

“It’s all about following the basics,” says Craig Spiezle, executive director and president of the Online Trust Alliance (OTA).

In the security and resiliency category those “basics” include not only patching but also: a Secure Sockets Layer (SSL/TLS) infrastructure; a link on the home page for reporting bugs, or a page findable under common terms such as “vulnerability disclosure”; protection against web scraping, vulnerability scanning, and other common bot-driven actions; and an option for multi-factor authentication on the site.

Privacy criteria encompass policies and practices around user anonymity, data retention, and third-party data sharing.

Consumer protection was rated based upon measures like email authentication, anti-phishing technologies and domain security. 

Given these criteria, the five websites that received the highest score for their sector included: LifeLock, for the consumer and Internet retailers category; US Bank, for the FDIC or bank category, Microsoft Azure, for the ISPs, mobile carriers, and hosters section; Google News for the news and media category; and the Online Trust Alliance for the OTA members section.

Which websites scored highest in their category or made the OTA honor roll is only part of the story. The overall trends in where sites succeed and fail at security and privacy are the other important part of the picture, revealed in the following pages.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends.



French general accused of nicking fast jet for weekend trips to the Sun

Original Article Here

Defence ministry announces full inquiry

A French general stands accused of using military fast jets for weekend commutes to his country pile in Provence on the country’s sunny south coast.

French Army minister Florence Parly has ordered an investigation, following the allegations about General Richard Reboul’s travel arrangements by investigative and satirical (think Private Eye) newspaper Canard Enchaîné.

French newspaper Sud Ouest also reported the general’s cheeky alleged doings (en francais), noting that the general was alleged to be using an Alpha Jet training aircraft.

The Dassault-Dornier Alpha Jet is used as a basic fast jet trainer by a number of air forces around the world, including France’s. Its maximum level speed is around 990kph, giving a realistic cruising speed in the region of 600kph or so. The two-seater was said to have been flown from the south-western Atlantic city of Bordeaux to sunny Salon de Provence, on France’s Mediterranean coast.

Each alleged flight would have cost les contribuables thousands, given the customary landing fees and the cost of fuel; Alpha Jets burn somewhere in the region of 900 litres (approx 200 gallons) per hour during cruising flight, according to military contractor Air USA. The 301 statute mile flight might take about an hour, including a margin for time spent routing through airways, loitering in holding patterns, and so forth.

With the approximate price of Jet-A1 being £0.52 a litre at the time of writing, anyone making that flight in that jet would have burned through a cool £468 of fuel per flight. This doesn’t include landing fees, or the notional costs of operation (depreciated maintenance, etc) included by beancounters.

Air Force officers using service aircraft for private jollies is a dubious tradition that goes back decades. In 2008 Prince William, then a serving RAF helicopter pilot, was rapped over the knuckles for picking up his brother Prince Harry in an RAF Chinook helicopter before flying him to a stag party on the Isle of Wight; William’s Station Commander had been kept in the dark over the true nature of the “training” flights.

Back in the Second World War, Wing Commander Tom Neil acquired a Supermarine Spitfire after finding it seemingly abandoned near the USAAF unit he was attached to. After having the aircraft’s entire paint scheme stripped off, including its serial number, Neil spent the last year of the war treating the fighter like his personal property instead of equipment issued to the RAF, gallivanting all over the skies of Europe at will.

Once more and more people started asking where exactly the Spitfire had come from, Wg Cdr Neil pondered increasingly desperate measures to permanently rid himself of it, including baling out over the English Channel and leaving the fighter to crash itself into the sea. During this period he was also aware that an air commodore had been court-martialled and stripped of his rank for “acquiring” an obsolete Gloster Gladiator biplane under similar circumstances. The full tale of Neil’s Silver Spitfire, including how aviation historians deduced its true identity and eventual fate, is related in his book of the same name. ®

8tracks hacked: 18 million user account details stolen

Original Article Here

There’s bad news for internet music fans: the details of millions of users of the 8tracks internet radio service and music social network have been stolen by hackers.

In a message posted on its corporate blog, 8tracks confirms it has suffered a security breach:

“We received credible reports today that a copy of our user database has been leaked, including the email addresses and encrypted passwords of only those 8tracks users who signed up using email… 8tracks does not store passwords in a plain text format, but rather uses one-way hashes to ensure they remain difficult to access. These password hashes can only be decrypted using brute force attacks, which are expensive and time-consuming, even for one password.”

8tracks points out that users who signed up for the service via Google or Facebook authentication have not had their passwords compromised by the breach.

As Motherboard reports, the millions of leaked passwords appear to have been hashed with the SHA1 algorithm, leaving open the possibility that some of them could be cracked. SHA-1 is a fast general-purpose hash rather than a deliberately slow password hash, so weak or common passwords can be recovered from it by dictionary attack at hardware speed.

The threat in this particular case is lower than it might be, because most people aren’t overly worried about their internet music accounts being taken over. Even so, a cracked password, combined with a leaked username and email address, could still act as a skeleton key for accounts on other sites if it has been reused. As a result, the site is advising affected users to change their 8tracks passwords and to ensure that they are not using the same password anywhere else online.

That’s sensible advice. Time and time again, we see examples of password reuse where the breach of one site leads to stolen passwords being used to unlock an individual’s otherwise unconnected online accounts elsewhere.

The details of how 8tracks suffered a data breach may act as a salutary warning to other businesses. As it describes in its blog post, 8tracks does not believe that its own servers were breached or accessed by unauthorized individuals. Instead, an employee’s GitHub account was compromised, and that gave the attackers a route to a system where backups of the user database were made, including the leaked data.

8tracks notes that the GitHub account was not protected by two-factor authentication, which would have provided an additional layer of security even if the employee’s password had been phished, guessed, stolen, or cracked. The first 8tracks knew of the breach was when it received a notification from GitHub that someone had attempted to change the account’s password.

The company has apologized “to those affected by this breach for the inconvenience” and says it is working to improve its security:

“We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system. We are auditing all our security practices and have already taken steps to enforce 2-step authentication on Github, to limit access to repositories, and to improve our password encryption.”

We’ve said it before; we’ll say it again. If a site offers you two-factor authentication, please turn it on. And ensure that your employees are taking advantage of that additional layer of security, as well.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
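As an added illustration, not code from 8tracks or from the original article, the Python below shows why a SHA-1 password table is exposed and what the “improved password encryption” 8tracks promised should look like. The accounts, passwords and wordlist are constructed sample data. The page does not say whether the real hashes were salted, so both cases are modelled: without a salt, one pass over the wordlist cracks every account at once and identical passwords are visible as identical hashes; with a salt, the attacker must hash once per account and guess, but each SHA-1 is so cheap that weak passwords still fall in milliseconds. The hardened version uses the standard library’s PBKDF2-HMAC-SHA256 with a random per-user salt and a high iteration count, so every guess costs the attacker 100,000 hashes instead of one.

```python
import hashlib
import hmac
import secrets

# Constructed sample wordlist (not real leaked data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "music2017"]


def sha1_hex(password: str, salt: str = "") -> str:
    """Fast general-purpose hash: one SHA-1 per guess, cheap for an attacker."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


# Constructed leaked-style table 1: unsalted SHA-1, value is sha1(password).
UNSALTED_TABLE = {
    "alice@example.com": sha1_hex("letmein"),
    "bob@example.com": sha1_hex("letmein"),         # same password => same hash, visible at a glance
    "carol@example.com": sha1_hex("Xk9#vTq2!rLm"),  # strong password, not in the wordlist
}

# Constructed leaked-style table 2: salted SHA-1 stored as "salt$hash".
SALTED_TABLE = {
    "alice@example.com": "a1f3$" + sha1_hex("letmein", "a1f3"),
    "bob@example.com": "7c2e$" + sha1_hex("letmein", "7c2e"),
}


def crack_unsalted(table, wordlist):
    """No salt: hash each candidate once, then look every account up in the result.
    N guesses test all M accounts for the price of N hashes."""
    lookup = {sha1_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def crack_salted(table, wordlist):
    """A salt forces one SHA-1 per (account, guess) pair and defeats shared
    lookup tables, but a fast hash still lets a dictionary run through quickly."""
    found = {}
    for user, stored in table.items():
        salt, digest = stored.split("$")
        for w in wordlist:
            if hmac.compare_digest(sha1_hex(w, salt), digest):
                found[user] = w
                break
    return found


# Hardened storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a high
# iteration count, so each attacker guess costs ITERATIONS hash computations.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("unsalted SHA-1 cracked:", crack_unsalted(UNSALTED_TABLE, WORDLIST))
    print("salted SHA-1 cracked:  ", crack_salted(SALTED_TABLE, WORDLIST))
    record = hash_password("letmein")
    print("PBKDF2 record:", record)
    print("verify correct:", verify_password("letmein", record),
          "| verify wrong:", verify_password("password", record))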

Logitech Slim Combo for Apple iPad 10.5 hands-on: Not very slim, but great for productivity

Original Article Here

I’ve been using my new iPad Pro 10.5 for a couple of weeks and, thanks to a couple of keyboards, it is serving as my daily commuter platform to get work done.

The Apple Smart Keyboard was available at the Apple Store when I bought my 10.5 inch iPad Pro so I bought one to try and also compare to other keyboard options. Logitech sent along a black Slim Combo that also is sold in Apple stores and on the Apple Store website.

Logitech is well known for its keyboards and I have been using them on various mobile devices for many years. The Logitech Slim Combo for the iPad Pro is designed to work in four ways: typing in standard landscape orientation with the keyboard attached, viewing without the keyboard attached and the hinge down at a flatter angle, FaceTime calling with the keyboard removed and the iPad propped up in portrait orientation, and reading with just the iPad in your hand inside the upper part of the case. Reading could also be expanded to drawing too since this case comes with an integrated sleeve for the Apple Pencil, something that is sorely missing on the Apple Smart Keyboard.

Top piece of the Slim Combo

The Slim Combo is a two piece solution. The upper portion houses your iPad Pro and securely holds it after you snap in your iPad. There are large openings in the frame piece on the right side (in landscape orientation) for the dual speakers and Lightning port. The bottom is also mostly open since that is the area that connects to the Apple Smart Connector.

There are openings on the back left side for the speakers, headphone jack, microphones, camera, and flash. Raised buttons for volume and power are also present.

An Apple Pencil sleeve is positioned along the top (in landscape orientation) that covers about 50 percent of your Apple Pencil to keep it securely in place. I find myself using the Logitech Slim Combo more than the Apple Smart Keyboard on my daily commute due in large part to having a place to store the Apple Pencil. This is important for the road warrior carrying everything along with the iPad and one reason the Logitech Slim Combo is a good option.

There is also a large flap on the back with two hinges. You are able to extend this flap to prop up your iPad back about 50 degrees and then down to nearly flat. The hinges are stiff and once you move the flap into position everything stays exactly where you placed it. It’s a great hinge design and has satisfied all of the angles I desire for use.

Bottom piece of the Slim Combo

The bottom piece is the keyboard itself. It attaches via the Apple Smart Connector and is fully powered by your iPad. This includes providing the backlight and making the pairing of the keyboard possible. Apple reports that the keyboard uses around 0.4-2.3 percent of iPad battery for an hour of typing.

There are 14 keys on the top row of the keyboard that serve as the following shortcuts:

  1. Go to the Home screen
  2. Adjust screen brightness up
  3. Adjust screen brightness down
  4. Bring up iOS search field
  5. Switch keyboard input language
  6. Adjust brightness of keyboard backlighting down
  7. Adjust brightness of keyboard backlighting up
  8. Media control for back
  9. Media control for play/pause
  10. Media control for forward
  11. Mute
  12. Volume up
  13. Volume down
  14. Locks iPad Pro screen

There are five rows of keys below this top line with a full number row, directional arrows, two CMD, Option, and Shift keys. Keyboard spacing is good and the travel is excellent so I don’t feel I am compromising on performance. I don’t feel cramped by the keyboard, even though I have mid-size hands.

The Logitech Slim Combo keyboard has a 19mm key pitch and 1.5mm key travel with scissor key mechanism. There is an ample palm rest too with the 12.9 inch palm rest having a foldable design.

There are three levels of backlighting so you can use the keyboard in any lighting condition. The bottom of the keyboard is textured so that it doesn’t slide around and is easy to hold onto when the package is closed up.

Daily usage experiences

I was quite excited to try out this keyboard solution and for the most part it is very functional and improves my productivity. However, I think the name is misleading since the Logitech Slim Combo is anything but slim. The cellular iPad Pro I own weighs in at 1.05 pounds while the Slim Combo is 1.16 pounds. The weight doesn’t even bother me though, it is the thickness of the combo that disappoints me.

With slim elegance, the Apple Smart Keyboard is what you want to carry for a minimalist solution. While I like the additional features of the Logitech Slim Combo, it is 1.06 inches in thickness when the top is closed down on the keyboard. The iPad Pro 10.5 is just 0.24 inches thick so you can see this is not a very slim package.

I can understand the bottom portion with the keyboard being a bit thick in order to support the travel of the keys and backlighting while also having a bit of an angle for easier typing. However, the top has a deep frame around the iPad that seems unnecessary and the complete combination package just feels too thick for an elegant Apple solution. Maybe there are reasons for this, but I think Logitech can do better at making a slimmer combination in the future. Or maybe Logitech just needs to rename the keyboard solution.

360 degree protection is provided by the Logitech Slim Combo so I did feel that my iPad was very well protected when traveling in my bag during my daily commute.

My iPad Pro turned on every time I popped open the keyboard, the keyboard connected every single time, the hinge worked well at propping up the iPad, and I was able to enter text at a fast rate. The Apple keyboard shortcuts are supported by the keyboard so you can always simply press and hold the CMD button to view the available shortcuts in each app you use on your iPad.

The Logitech Slim Combo comes in black or blue and is available for purchase in Apple retail stores. The suggested retail price for the Slim Combo for the 10.5-inch iPad Pro is $129.99; the version for the 12.9-inch iPad Pro is $149.99.

How to make a strong password

Original Article Here


Datameer makes deep learning more accessible

Original Article Here


Given the spotlight on machine learning and AI, it’s natural to ask the question, “Now what?” The challenge has been how to take AI models from the laptop to production and deliver business value.

As nature abhors a vacuum, there’s been no shortage of solutions for addressing pieces of the gap. IBM’s Watson Data Platform is an ambitious framework of solutions addressing the lifecycle from collaboration to operationalization. Cloudera’s Data Science Workbench aims to move experimentation with algorithms from laptop to the Hadoop cluster. Data science collaboration tools from providers like Dataiku, Domino Data Lab, and Alpine Data target collaboration, workflow, and the lifecycle management of data science and machine learning models. Meanwhile, Alteryx lets you embed R programs under the hood of a self-service BI tool.

So there’s no silver bullet to bridging the gap from the mind of the data scientist to the everyday incorporation of models into day to day operational analytics. With SmartAI, Datameer is addressing the last mile. It adds the capability to “bring your own model” into Datameer and run it as a Datameer analytical spreadsheet function. Specifically, SmartAI imports binaries for models developed using TensorFlow, the deep learning library that has been open sourced by Google.

In practice, that means that once your data scientist or data science team has tested and validated models, it can then be dropped into a Datameer analytic pipeline. And that’s where the analytic lifecycle kicks in, beginning upstream with data preparation, integration, and feature engineering, and then executing the model by invoking it as a Datameer analytic function (the tool has a library of over a couple hundred functions). So a deep learning model can be applied to specific business problems, such as Customer 360, genomic data analysis, operational monitoring, or fraud detection. Closing the loop, the data sets can be used for training and refining the models.

So Datameer will provide the straightest path from developing a TensorFlow deep learning model to embedding it into a BI application. But that prompts the next question: how will customers take advantage of it?

If you drew a heat map around chatter and buzz, machine learning is front and center. But machine learning is a vast umbrella of approaches, spanning from the intelligent pattern matching of clustering, random forest, or path analysis approaches, to the more ambitious approaches of deep learning and cognitive computing that border on human perception and thought processes.


By targeting TensorFlow, Datameer has chosen the library that has drawn significant interest from developers. It’s a shrewd strategy, especially if Datameer were seeking to differentiate itself on the emerging Google Cloud platform. But given that deep learning is territory not as well charted compared to less ambitious machine learning approaches, we wonder how much practical advantage Datameer customers will realize in the short run.

Nonetheless, by enabling a form of plug and play to machine learning models, Datameer is clearing a pathway for making the benefits tangible through a BI tool that’s within the comfort zone of business analysts. The good news is that the connector could support similar integration to other popular machine learning libraries as well. If Datameer does so with Spark MLlib or others, it would open the floodgates to machine learning BI applications a lot wider.

Who was to blame for what looked like a DDoS attack on the AA? That would be … the AA

Original Article Here

From lost keys to dead batteries, UK car insurance giant the AA says it’s “here for everyone”. Except, that is, when it stalls its servers with a self-inflicted distributed denial of service (DDoS) attack.

As The Register reports, on Monday, the AA accidentally sent out a “password update” email to customers.

You can imagine the response: password update? What password update? Do I have to update my password?

Concerned motorists want to know! So they all floored it over to the site to change their passwords.

…creating a traffic jam, overwhelming the AA’s servers and running them clear off the road. The Register said that Brits were “furious” when they couldn’t access their profiles, fearing that their accounts had been hijacked, with hackers having gone in and changed their passwords.

The AA didn’t help matters much with its first Twitter communique, which sounded for all the world like a massive phishing attack was under way:

No, nobody changed anybody’s passwords. That email wasn’t supposed to go out, the business said next:

Customers were flummoxed. The site was turning them away, yet the business said it didn’t change passwords – so what’s the deal?

No, really, nobody changed your password, the AA said. Just give us a minute, we’re working on this!

…And while we’re at it, one commenter said, what’s going on with that database leak?!

That was likely in reference to a tweet, also on Monday, about 13GB of exposed database backups. The tweet came from Troy Hunt, security researcher and exposed-database wrangler extraordinaire:

So OK, a randomly sent, DDoS-spawning, not-a-phishing-attack email, followed by news about an exposed customer database that AA didn’t inform customers about?

No, no, no, the much-explaining AA said, that exposed database was trivial, nothing to worry about, and has been taken care of!

So… just a stray email? Not a phishing attack? Sent by whom, exactly? The Register suggested maybe an inexperienced staffer pressing the wrong button or something like that, rather than hostile hacker action… maybe?!

Well, it wouldn’t be surprising, if it were in fact a rookie mistake. And honestly, if it were the fault of a fat-fingered newbie, it wasn’t all that bad, as mistakes go.

True, there were frustrated customers galore, judging by the Twitter sputtering. But hey, any day that doesn’t end in blowing up a company’s live production database, getting fired, and then facing legal action after only one measly day on the job – and yes that’s a true story! – well, comparatively, this one is small potatoes!

Windows 10 snooping: Microsoft has halved data it collects from PCs says watchdog

Original Article Here

Microsoft has scaled back the volume of data it collects from Windows 10 PCs by ‘almost half’, leading French authorities to drop their threat of a fine.

The French regulator CNIL today announced that Windows 10 is no longer in breach of the country’s data protection laws, following changes to how the OS handles user privacy. Microsoft had previously faced the threat of a fine of up to €150,000 ($158,000) if Windows 10 wasn’t brought into compliance with French data protection rules.

Since the notice was issued to Microsoft in July last year, Windows 10 has almost halved the volume of data it collects when the user picks the ‘Basic’ telemetry setting, according to a notice issued by CNIL.


Other positive changes highlighted by CNIL include Microsoft making it clearer that devices will be tied to an ID used for advertising purposes and making it easier for users to opt-out. CNIL also said Microsoft had tightened the security of the user-chosen, four-digit PIN that allows Windows users to access Microsoft’s online services, with obvious PINs being blocked and timeouts for multiple log-in attempts.

“The President of the CNIL considers the company has complied with the law “Informatique et Libertés” and thus decided to proceed with the closure of the formal notice procedure,” CNIL said in a statement.

Around the time of the Creators Update to Windows 10, Microsoft reduced data collection by the OS, introduced a new privacy menu that made it easier to disable some telemetry and revealed more information about the information it collects.

However, there is still a difference between how different editions of Windows 10 approach privacy. While Home and Pro users can only drop the level of data collection to “Basic” level, users of Enterprise, Education, and IoT Core editions are able to reduce collection further, to what Microsoft calls the “Security” level.

According to Microsoft, the “Security” level is the bare minimum necessary to keep Windows machines “protected with the latest security updates”. At this level Windows Update will not function correctly, and organizations are required to use alternative methods, such as Windows Server Update Services (WSUS), to patch machines.

While Swiss data protection and privacy regulator FDPIC also dropped its enforcement action related to Windows 10 earlier this year, Microsoft has faced questions about Windows 10 telemetry from an EU data protection body. In February, the EU’s Article 29 Working Party, said it “remained concerned about the level of protection of users’ personal data”.

At the time of publication, a spokesperson for the Article 29 Working Party had not responded to a request for comment about whether subsequent changes to Windows 10 had addressed its concerns.


The new privacy settings screen introduced by the Creators Update.

Image: Microsoft


Petya ransomware outbreak shows hackers are getting smarter—but the rest of the world is not – The Daily Dot

Original Article Here

Less than two months after the WannaCry outbreak, the world is faced with another ransomware crisis, this one codenamed Petya. While in the first hours of the outbreak, Ukraine services and networks were the main victims, the virus quickly spread to other countries and areas, including France, Britain, Denmark, and the United States.


The question now is, can the world get ahead of the cybercriminals before a truly devastating attack occurs? Only if we change our overall security practices immediately—and it’s unlikely that’s going to happen.

Ransomware is a kind of malware that encrypts the files on a victim’s system and demands a ransom in exchange for the decryption key. Attackers usually receive payment in bitcoin, which makes them harder to trace.

Petya (or NotPetya, as some experts call it) retains many of the traits of its predecessor. At the heart of WannaCry’s contagion was a known security bug in the Windows operating system. The vulnerability, revealed by a hacker group that leaked a trove of NSA cyberweapons, was already patched by Microsoft before the WannaCry outbreak.

However, many organizations did not update their systems regularly, and some were still running outdated and unsupported versions of Windows. This contributed to the chaotic spread of the virus across hundreds of thousands of computers in a matter of days.

It seems that the carnage caused by WannaCry wasn’t enough to teach businesses and organizations a lesson because Petya took advantage of the same vulnerability.

But while the world has been slow to respond to the rising threat of ransomware, cybercriminals have not remained idle. The details that have been obtained so far about the new breed of malware show that hackers are getting smarter in developing malware and planning attacks.

Petya/NotPetya is in many ways more powerful and dangerous than WannaCry because it uses multiple techniques to spread. According to security experts, the malware harvests credentials from the local filesystem or the memory of infected computers and uses them to log on to other systems.

Petya also uses administrative tools already present on the system to execute malicious commands on other computers in the network. This is especially harmful if the harvested account has administrative privileges on other machines, and it means that a single unpatched computer can spread the malware across an entire network, even if the other devices are fully patched and up to date.
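The credential-plus-admin-tooling spread described above leaves a recognisable shape in the Windows Security log: one source address and one account completing network logons (event 4624, logon type 3) to many distinct hosts within a few minutes. The following sliding-window detector is an added example, not code from the article, from Microsoft or from any vendor; the events, host names, thresholds and the “management server” allowlist are all constructed for illustration, and the assumption that the admin tooling in question produces ordinary network logons is mine rather than something the article states.

```python
"""Sliding-window fan-out detector for Windows network logons.

Added example; not code from the article, Microsoft, or any vendor. Events are
assumed to be pre-parsed Security-log records (event 4624) with the fields used
below; all sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_fanout(events, threshold=5, window=timedelta(minutes=10),
                allowlist=frozenset()):
    """Return one alert per (source IP, account) pair that completed network
    logons (4624 / type 3) to at least `threshold` distinct hosts inside
    `window`. Sources in `allowlist` (known management servers) are skipped
    because patch and inventory tooling produces the same shape legitimately.
    """
    groups = defaultdict(list)
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue                       # only remote/network logons matter
        if e["src_ip"] in allowlist:
            continue
        groups[(e["src_ip"], e["account"])].append((_parse_ts(e["ts"]), e["host"]))

    alerts = []
    for (src, acct), seq in groups.items():
        seq.sort()                         # by timestamp
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1                 # slide the window forward
            hosts = {h for _, h in seq[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"src_ip": src, "account": acct,
                               "hosts": sorted(hosts),
                               "first": seq[start][0].isoformat(),
                               "last": seq[end][0].isoformat()})
                break                      # one alert per pair is enough
    return alerts


def _ev(ts, account, src_ip, host, logon_type=3, event_id=4624):
    return {"ts": ts, "event_id": event_id, "account": account,
            "logon_type": logon_type, "src_ip": src_ip, "host": host}


# Constructed sample events (nothing here comes from a real network).
SAMPLE_EVENTS = [
    # One workstation uses a service account against six peers in three minutes.
    _ev("2017-06-27T11:00:05", "CORP\\svc_backup", "10.0.5.17", "FS01"),
    _ev("2017-06-27T11:00:09", "CORP\\svc_backup", "10.0.5.17", "FS02"),
    _ev("2017-06-27T11:00:14", "CORP\\svc_backup", "10.0.5.17", "WS-ACCT-03"),
    _ev("2017-06-27T11:00:21", "CORP\\svc_backup", "10.0.5.17", "WS-ACCT-04"),
    _ev("2017-06-27T11:00:30", "CORP\\svc_backup", "10.0.5.17", "PRINT01"),
    _ev("2017-06-27T11:01:02", "CORP\\svc_backup", "10.0.5.17", "FS01"),   # repeat host
    _ev("2017-06-27T11:02:45", "CORP\\svc_backup", "10.0.5.17", "DC02"),
    # An ordinary user opening two shares: below threshold.
    _ev("2017-06-27T11:05:00", "CORP\\alice", "10.0.9.40", "FS01"),
    _ev("2017-06-27T11:06:10", "CORP\\alice", "10.0.9.40", "FS02"),
    # The patch-management server shows the same shape every cycle.
    _ev("2017-06-27T11:10:00", "CORP\\svc_patch", "10.0.1.5", "WS-ACCT-03"),
    _ev("2017-06-27T11:10:02", "CORP\\svc_patch", "10.0.1.5", "WS-ACCT-04"),
    _ev("2017-06-27T11:10:04", "CORP\\svc_patch", "10.0.1.5", "WS-ACCT-05"),
    _ev("2017-06-27T11:10:06", "CORP\\svc_patch", "10.0.1.5", "WS-ACCT-06"),
    _ev("2017-06-27T11:10:08", "CORP\\svc_patch", "10.0.1.5", "WS-ACCT-07"),
    # Console logon (type 2): not lateral movement, ignored.
    _ev("2017-06-27T11:12:00", "CORP\\bob", "10.0.9.41", "WS-ACCT-09", logon_type=2),
]

MANAGEMENT_SERVERS = frozenset({"10.0.1.5"})   # assumed allowlist, constructed

if __name__ == "__main__":
    for a in find_fanout(SAMPLE_EVENTS, allowlist=MANAGEMENT_SERVERS):
        print(f"{a['account']} from {a['src_ip']} reached {len(a['hosts'])} hosts "
              f"between {a['first']} and {a['last']}: {', '.join(a['hosts'])}")
```

The allowlist is the part worth getting right in practice: without it the patch server trips the same rule, and an analyst who tunes the threshold up until that noise disappears will also stop seeing the worm. Allowlist the known sources instead, and keep the threshold low.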

Petya’s developers also made sure not to leave a kill switch, like the kind that enabled a security researcher to stop the spread of WannaCry last month.

In recent years, ransomware has become one of the favorite business models for cybercriminals. Cybersecurity expert Mikko Hypponen recently explained ransomware’s rise in popularity at The Next Web Conference.

“For years and years, criminals online have been making money by stealing information and selling that information to the highest bidder,” Hypponen said in his speech. “The change in ransom trojans is that they realize for many types of data, the highest bidder for the data is the owner of the data itself.”

Targeted businesses and individuals often cave in to the demands of ransomware attackers simply because they cannot continue working without access to the encrypted data.

In an interview with Forbes, Jakub Kroustek, Threat Lab Team lead at Avast, said, “One of the perfidious characteristics of Petya ransomware is that its creators offer it on the darknet with an affiliate model which gives distributors a share of up to 85 percent of the paid ransom amount, while 15 percent is kept by the malware authors.”

This ransomware-as-a-service model has opened up the use of this type of attack to a much broader, non-technical audience.

This latest episode shows that ransomware as a threat is here to stay and we’ll likely see more similar attacks in the months to come. If there’s a lesson to be learned here, it’s that everyone needs to up their game on cybersecurity. And Petya is a reminder that one person or party being sloppy at security can harm many others. The hacked website of a Ukrainian software company was allegedly used as a beachhead to spread the virus among thousands of users.

Contrary to what most people think, cybercriminals for the most part don’t use sophisticated hacks or zero-days (vulnerabilities unknown to the software’s vendor, for which no patch is available). They invest in human failure: our laziness in updating our systems, our tendency to put convenience over security, to choose weak passwords, to tick the “remember me” checkbox, to skip setting up firewall rules, to leave excessive and unnecessary features in our operating systems enabled, and to fail to take many other obvious measures that would deny attackers a window of opportunity.

As the saying goes in cybersecurity, defenders have to win every battle—attackers only have to win once. It’s about time we took it seriously.

Ben Dickson is a software engineer and the founder of TechTalks. Follow his tweets at @bendee983 and his updates on Facebook.

NHS WannaCrypt postmortem: Outbreak blamed on lack of accountability

Original Article Here

Plus systemic underspending in IT. Imagine that

A lack of accountability and investment in cyber-security has been blamed for the recent WannaCrypt virus that hobbled multiple hospital NHS IT systems last month, a report by The Chartered Institute for IT concludes.

The report, published today, comes following a similar, but more limited attack against UK-based companies as the result of the spread of the NotPetya ransomware earlier this week.

The report suggests that, while doing their best with the limited resources available, some hospital IT teams lacked access to “trained, registered and accountable cyber-security professionals with the power to assure hospital Boards that computer systems were fit for purpose”.

The healthcare sector has struggled to keep pace with cyber-security best practice thanks in large part to a systemic lack of investment. The WannaCrypt attack was an accident waiting to happen, according to David Evans, director of community & policy at The Chartered Institute for IT.

“Unfortunately, without the necessary IT professionals, proper investment and training, the damage caused by the WannaCrypt ransomware virus was an inevitability, but the roadmap we are releasing today will make it less likely that such an attack will have the same impact in the future,” Evans said.

The Chartered Institute for IT has joined forces with the Patients Association, the Royal College of Nursing, BT and Microsoft to produce a blueprint that outlines steps NHS trusts should take to avoid another crippling cyber-attack. Employing accredited IT professionals tops the list. NHS boards are being urged to ensure they understand their responsibilities, and how to make use of registered cyber security experts. The number of properly qualified and registered IT professionals needs to be increased, the report recommends.

Almost 50 NHS Trusts were hit by the WannaCrypt cyber-attack that left infected computers with encrypted files and at least temporarily unusable in many areas of the health service. The outbreak led to operations and appointments being cancelled or postponed.

The issue of how to improve security in the NHS following the WannaCrypt outbreak has been raised in Parliament. In response to a written question, junior Department of Health minister Jackie Doyle-Price said a review of the cyber attack was under way. Emergency measures specifically allocated to deal with last month’s NHS ransomware attack cost £180,000. The government is making cyber-security a requirement of health service contracts, she added.

We have changed the National Health Service standard contract to include, from April 2017, cyber security requirements.

Evidence shows that the use of unsupported systems is continuing to reduce in health and care, as organisations replace older hardware. Latest estimates suggest the usage of Windows XP in the NHS has reduced from 15-18% at December 2015, to 4.7% of systems currently.

The 12 May 2017 ransomware incident affected the NHS in the United Kingdom. It is standard practice to review any major incident in the NHS. Further, the Chief Information Officer for health and care is undertaking a review into the May 2017 cyber-attack which is expected to conclude in the autumn.

The identifiable cost of emergency measures put in place to specifically address the NHS ransomware attack on 12 May 2017 was approximately £180,000. These costs were borne by NHS Digital and NHS England from internal budgets. Information relating to any expenditure incurred by individual local NHS trusts or other NHS organisations is not collected centrally.

There was a lot of focus on the NHS’s reliance on obsolete Windows XP systems in the aftermath of the WannaCrypt outbreak. However post-hack technical analysis revealed that Windows XP systems were more likely to crash than get infected. Some Win XP systems did nonetheless get pwned, but in any case they weren’t a vector in the spread of the cyber-pathogen. Windows 7 systems left unpatched against the leaked EternalBlue NSA exploits at the centre of the outbreak were a much bigger problem, it transpired.

The state of preparedness for online attacks in the NHS reflects those of the public sector more generally. Just over half (53 per cent) of local authorities across the UK are prepared to deal with a cyber-attack, according to a separate survey of over 100 council leaders by management consultancy PwC. Only a third (35 per cent) of local authority leaders are confident that their staff are well equipped to deal with cyber threats. ®

How a tiny LA cybersecurity firm pulled the plug on a global ransomware attack – Los Angeles Times

Original Article Here

Salim Neino had been waiting for something like WannaCry.

Fast, indiscriminate and disruptive, the computer infection locked up computers in British hospitals and was spreading across the world when Neino’s company Kryptos Logic stepped into the ring.

One of his researchers found a so-called kill switch in the WannaCry code and pounced. “We put it in a triangle choke!” joked Neino, a mixed-martial-arts fan.

Not bad for a 33-year-old Lawndale native and Cal State Long Beach grad, who co-founded Kryptos eight years ago with $120,000.

The mid-May episode thrust the small Los Angeles cybersecurity company onto a world stage. At the same time, it has opened a new era of broad-scale ransomware attacks — a fact driven home this week when a second worm, exploiting the same methods as WannaCry, briefly seized computers worldwide again, this time hitting oil, electric and shipping operations.

Neino has been quick to capitalize on the business opportunities from his new prominence. But he has also tried to use this status as ransomware wrangler to push for policy changes — measures he says are needed to cope with this new landscape of cyber-mayhem.

Testifying before Congress between attacks, Neino spelled out his proposal for a cybersecurity “Richter scale” — a triage system to help the public prioritize threats — and warned lawmakers against underrating the peril.

With WannaCry, and Tuesday’s reprise of it, the world got off easy, he insisted: “They had the bomb, they didn’t have the GPS.”

Up until last month, Kryptos was just another little-known boutique cybersecurity company operating, as much as possible, “in stealth mode,” Neino said. It does no marketing, employs no sales force and its workers guard their anonymity. The reason is that revenge hackers commonly target cybersecurity companies.

Genial, earnest and still fit from his wrestling days, Neino is the son of a Jordanian immigrant father and a Mexican American mother from Montebello. His father came to L.A. as a young man with no English but talent enough to rise in the region’s aerospace industry.

Neino was raised speaking Arabic and Spanish, but he can’t remember either language now. Maybe code took over that brain space, he said. He got his start as a self-taught teenage programmer, landed his first computer job at age 15, and became — after a sister — the second person in his family to go to college.

The background, he said, is typical of Angelenos his age raised by aerospace workers to whom cyber-tinkering came naturally.

After a few years as an independent cybersecurity specialist, Neino co-founded Kryptos while still in his twenties with friends-and-family seed money, and has used its revenue to expand ever since.

At first, Kryptos struggled. Neino could show potential clients that they had been hacked, but he couldn’t convince them to care.

The problem is rife in cybersecurity, a vast but fuzzily defined industry sector worth perhaps hundreds of billions of dollars in the near future — if only its purveyors could explain what it’s for.

People who are good at cybersecurity tend to speak in jargon; people who aren’t good at cybersecurity can’t understand them. Meanwhile, the fire hose of botnets and malware gushing through the Internet these days leaves victims feeling helpless. Throngs of companies peddle a mishmash of remedies — gadgets, software and services, in various combinations.

Then, on a lark, Neino joined a team that competed at the 2011 Defcon 19 hacking contest in Las Vegas and won a coveted Black Badge, a tchotchke shaped like a skull, almost actual size, designed to hang around the neck. The boost to Kryptos’ reputation brought new clients and lucrative contracts.

Today, privately held Kryptos has about 25 employees — nearly all engineers spread out across the U.S. and Europe, nearly all male, many with self-taught hacking skills — and annual revenue in the tens of millions. Its young CEO has traded blue-collar Lawndale for an ocean-view home. The Black Badge is on display in his office.

The company gathers information about who is trying to hack its clients and why. Then it helps them decide how to fight back.

Day to day, its researchers spend their time reporting on malware to subscribers, and tracking the tens of thousands of new malware codes that surface daily on the Web.

In essence, they operate like zoologists in the field: They detect malicious sequences by the signals they emit, catalog them and try to lure them into simulated targets so they can be dissected.

This is what Marcus Hutchins, a Kryptos researcher based in the town of Ilfracombe on the Bristol Channel in Southwest England, would have been doing on the morning of May 12 if he hadn’t been on vacation. Neino was too — on his way to Italy for a long-planned vacation with his wife.

Neino had hired Hutchins last year after coming across his blog. An unemployed computer hobbyist and surfer, Hutchins impressed Neino with his skill and ethics. Despite his youth — Hutchins is 22 — Neino hired him to run one of his divisions.

Fortunately for Kryptos — and for unpatched Windows systems everywhere — Hutchins hadn’t gone far from home.

As computers in Britain hospitals locked up and companies in Europe started to report problems, Hutchins conferred with Neino, who was in a hotel in Munich, Germany, on his way to catch his plane to Venice, Italy. Hutchins began analyzing samples of the malware code, sharing information via Twitter with other cyber researchers.  

WannaCry is a self-replicating worm that attacks a basic file-sharing protocol on older Windows operating systems. If successfully loaded, the ransomware spreads to any connected vulnerable terminal, locking files and demanding, in slightly broken English, $300 to $600 ransom to release them.

The worm exploits a vulnerability embedded in the very bones of the world’s most popular operating system. The code used in WannaCry, which can crack Windows systems, was stolen from the U.S. National Security Agency and shared on the Internet.

Like many in his industry, Neino knew that it was only a matter of time before ordinary bandits or terrorists put these military-grade spy tools to work. WannaCry, he realized, signaled that the moment had arrived.

From now on, he thought, vast sophisticated hacks, once limited to nation states, would be in reach of just about anyone.

Neino learned that Hutchins had found an unregistered domain to which WannaCry sent a signal prior to loading. Neither of them knew what it was for. But it was up for grabs.

Neino told Hutchins to “use best judgment” and headed to the airport.

By the time Neino got there, Hutchins had registered the domain, effectively throwing Kryptos’ servers into the path of the oncoming attack. To both men’s surprise, the domain functioned as a kill switch and stopped WannaCry from loading the ransom note in all subsequent infections.

With Kryptos controlling the domain, each new WannaCry infection produced a ping on its servers. So a stream of data was pouring in as the attack, now toothless, spread across the globe.
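The two halves of what the article describes, the pre-load domain lookup that turned out to be a kill switch and the triage of the pings that arrive once the domain is sinkholed, can be modelled in a few dozen lines. The block below is an added example: it is neither Kryptos Logic’s code nor the worm’s. The beacon domain is a placeholder (the real one is deliberately not reproduced), the access-log lines are constructed, and the DNS resolver is injectable so that the whole thing runs offline.

```python
"""Kill-switch check and sinkhole log triage.

Added example; not Kryptos Logic's code and not WannaCry's. The beacon domain
is a placeholder, the log lines are constructed, and the resolver is injectable
so everything runs offline.
"""
import re
import socket
from collections import Counter

BEACON_DOMAIN = "beacon.example.invalid"   # placeholder, not the real domain


def kill_switch_engaged(domain=BEACON_DOMAIN, resolve=socket.gethostbyname):
    """Reproduce the decision the article describes: the worm looked up an
    unregistered domain before doing anything else and went quiet if the
    lookup succeeded. A successful lookup (someone registered the name, e.g.
    a sinkhole) means 'stop'; NXDOMAIN means 'carry on'.
    """
    try:
        resolve(domain)
    except OSError:       # socket.gaierror is a subclass of OSError
        return False
    return True


# Apache/nginx combined log format, which is what a sinkhole web server writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3})'
)


def triage_sinkhole(lines, repeat_threshold=3):
    """Summarise beacons hitting the sinkhole. Each distinct source address is
    at least one infected network; hosts behind NAT share an address, so
    `unique_sources` is a floor, not a host count. Sources that beacon
    repeatedly are returned separately: re-infections, a large NAT, or
    analysts' sandboxes replaying samples all look like this."""
    hits = Counter()
    malformed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            malformed += 1
            continue
        hits[m.group("ip")] += 1
    return {
        "hits": sum(hits.values()),
        "unique_sources": len(hits),
        "repeaters": {ip: n for ip, n in hits.items() if n >= repeat_threshold},
        "malformed": malformed,
    }


# Constructed sample log (documentation address ranges, no real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2017:14:02:11 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0"
198.51.100.22 - - [12/May/2017:14:02:12 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2017:14:02:40 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0"
garbage line that a log shipper mangled
192.0.2.9 - - [12/May/2017:14:03:05 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2017:14:03:59 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0"
""".splitlines()


def _fake_resolver(registered):
    """Offline stand-in for DNS: resolves only the names in `registered`."""
    def resolve(name):
        if name in registered:
            return "192.0.2.1"
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    print("before registration, worm proceeds:",
          not kill_switch_engaged(resolve=_fake_resolver(set())))
    print("after registration, worm stops:",
          kill_switch_engaged(resolve=_fake_resolver({BEACON_DOMAIN})))
    print(triage_sinkhole(SAMPLE_LOG))
```

Two practical points follow from the model. First, the switch only works while the registered name keeps resolving and answering, which is why the sinkhole has to be defended against the denial-of-service traffic the article goes on to describe. Second, the per-source counts are a lower bound on infected machines and an upper bound on nothing: a single corporate NAT or a proxy that answers every lookup will distort both the infection count and, in the proxy case, the worm’s own kill-switch decision.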

Neino couldn’t log into Kryptos to see for himself because he had no secure connection and his plane was leaving. He flew over the Alps, two worries gnawing at him.

One was for Hutchins’ safety. Because of blanket media coverage, Neino feared that Hutchins would be exposed and hackers would retaliate against him.

The other was for Kryptos’ servers. Because the company had essentially inserted itself into WannaCry’s protocol, Neino knew that law enforcement agencies might mistake the company for a source of the attack and seek to shut down its servers. That could inadvertently unleash the malware again.

Online again at last in his Venice hotel, he checked the dashboard, where tens of thousands of WannaCry’s pings were piling up.

He didn’t have time to marvel. Kryptos was under siege. Hutchins was being hounded. The story of the youthful hero who saved humanity from the world’s biggest ransomware attack proved irresistible to aggressive British tabloids.

At the same time, hackers were attacking Kryptos. As soon as word of the kill switch got out, a barrage of denial-of-service attacks were directed at the company’s servers worldwide.

This “devilish flood” of malicious botnets and copycat hacks was the company’s reward for stopping the worm, Neino said. He called some of the attackers “bandwagon jumpers” and said they probably just wanted to be pesky. But others were clearly trying to “take down the switch,” he said — a serious threat.

Already, just as Neino had feared, two of Kryptos’ servers had been mistakenly shut down by authorities in France, a common cyber friendly-fire mishap.

His engineers pulled all-nighters. Neino spent his 10-day vacation hunched over his laptop in the hotel room, talking to security agencies, assuaging the media, managing his researchers and maintaining the kill switch. His wife made sure that he didn’t forget to eat.

Attacks on Kryptos have continued for weeks. One recent botnet aimed at the company appeared to be coming from thousands of Russian routers, Neino said.

To the outside world, WannaCry quickly seemed overblown. One British publication suggested that it be renamed “What-a-wimp.”

Its design was shoddy. Neino readily admits that Hutchins got lucky with the kill switch: ransomware usually doesn’t have such a feature, and it’s not clear why this one did. Microsoft had patched a key vulnerability before the attack and subsequently released further patches, and Neino said the worm failed to load on most of the old Windows XP systems considered most vulnerable anyway.

Moreover, very few people paid the bitcoin ransom, which has yet to be collected.

But at Kryptos, where the kill switch remains permanently under guard — “we own this baby now,” Neino said — the picture is different. Neino said he has counted new WannaCry infections in the tens of millions — infections that Hutchins’ quick action had rendered harmless.

Kryptos has a list of “every single person affected by WannaCry,” he said. Among the would-be victims were major U.S. hospitals whose leaders may still have no idea, he told Congress.

“The brakes were fully on. This was residual smoke from the tires,” Neino said.

Like WannaCry, Tuesday’s ransomware attack centered in Ukraine also seemed to quickly fizzle. It used the same stolen NSA forced-entry tool, locked computers and demanded bitcoin ransom, with similarly poor results.

But Neino said it spread even more quickly, infecting 2 million computers in the first hour. It also had the ability to steal credentials and gain access to even more machines.

Most different of all, it had no kill switch. Instead, the attack seemed to shut down by itself, Neino said, with domains that hosted its payload quickly going dark.

Using his data from WannaCry, Neino published a report late Tuesday arguing that this new worm had even greater destructive potential.

By his own “Richter scale” measure, WannaCry might have rated a 7 and the new attack 7.2, said Neino, speaking as one raised in an earthquake zone. The pattern suggests “saber rattling, perhaps for a bigger event to come,” he said.

The day after the most recent attack, with theories swirling as to its purpose, Neino stressed a message that he’d given Congress after WannaCry:

Worry less about who did it, and more about the problems such attacks expose, he said.

“If you leave the door open … would it really matter … who has done it?” he asked. “They do it because they can.”

Deep Root Analytics Is in Deep Trouble With Voter Data Breach

Original Article Here

Cybersecurity experts estimate that up to 70% of cyber attacks, including breaches, go undetected in a given year. Part of identifying and stopping breaches is knowing what kind of information cybercriminals are after, and election season creates hotbeds of public information that are prime targets for a breach.

The companies that house this information are, of course, responsible for keeping your data protected, but things don’t always go according to plan. Case in point: During the 2016 election season, GOP analytics firm Deep Root Analytics left the door wide open for crooks to access 198 million Americans’ voting information.

Politicians Prosper, Voters Are Exposed

Deep Root was hired to gather the information to support what would become the successful 2016 GOP presidential campaign. It included names, birthdays, phone numbers, voting information and even home addresses.

The company stored all this information in a database which researcher Chris Vickery discovered was misconfigured. The error meant there was no access protection on the database at all: anyone with an internet connection could view, and potentially steal, the personal information of those 198 million Americans.

The database also included modelled positions, strategic information used by the GOP to market its campaign to voters. Had a major retailer allowed this type of information about their customers to get out, it probably would have been all over the news. Thankfully, it appears that while the door was left open, there were no nefarious attempts to access the data made during the 12 days it was unprotected.

Deep Root Responds to the Breach

With the number of cybersecurity issues surrounding the 2016 election year already staggering, Deep Root has taken a transparent stance toward the information leak. In a statement, the company encourages voters to monitor their accounts for fraudulent activity. They also attempt to temper the blow by pointing out that much of this info is public domain in some states.

Presumably, not all of Deep Root’s customers are political parties, and the field of data analytics is growing rapidly. In a business setting, critical analysis of data not unlike what Deep Root gathered can help businesses decrease operating costs by 60 percent or more. That’s a service you can charge for, and chances are Deep Root doesn’t want to forfeit any more customers than it has to in the wake of such a major error.

To remedy the exposed database, Deep Root updated access settings to the information, adding the layers of security that should have been in place to begin with.

White Hat Probing Uncovered the Error

While it might sting a little now, Deep Root is fortunate that consultancy firm UpGuard was around to point out the issue. Had it been left unattended, there’s no telling where the information could have wound up. Probably on the dark web, just like the Yahoo account information that has been up for sale there for half a year now.

Chris Vickery, the man who located the flaw in Deep Root’s system, is just one of many researchers engaged in locating and reporting these types of errors every day. While you might not hear about them, they play a critical role in ensuring the security of your data.

Google’s Project Zero is one such operation, a dedicated department of the 800-pound internet gorilla focused solely on uncovering vulnerabilities and thinking like cybercriminals. Their goal is to find the flaws before the bad guys get there, and oftentimes they do. When an issue is found, the Project Zero researchers report it to the organization responsible so it can apply a patch or remove the vulnerability.

Is Privacy a Reasonable Expectation Anymore?

Can the efforts of these good-guy hackers ever fully curtail the leak of information that has been gushing out of the internet since, well, probably before we even know?

Maybe not, but through careful regulation and fastidious maintenance, we can patch the easy holes. Deep Root got lucky — it committed a blatant error and wasn’t punished for it.

Just like burglary, data breaches are nearly always a crime of opportunity. If you leave the front door wide open, you had better expect someone to come waltzing in.

Community Led Threat Prevention

Original Article Here

Community based threat detection and prevention has been a fundamental principle in Anti-Virus and Intrusion Detection Systems for years.  Pooling the information and experience of multiple organisations to rapidly identify emerging threats, this collaborative approach enables security companies to quickly create a patch and disseminate it globally to minimise a hacker’s opportunity with that specific attack vector.

This model is now being extended to voice security in a bid to combat the escalating threats, including toll fraud, telephony denial of service and voice mail hacking attacks, leveraging the cloud based Session Border Controller (SBC) and community collaboration to deliver rapid protection against emerging global events.

Paul German, CEO, VoipSec, explains why community led threat detection and prevention is fast becoming a critical component of the VoIP security model.

Stronger Together

Security is not static; and the concept of ‘working together we are stronger’ is well proven. The ability to pool information and experience has proved key in the fight against a continuously evolving threat landscape. The difference today is that the threat landscape increasingly includes voice.  With the huge growth in companies adopting Voice over IP (VoIP) and Unified Communications (UC) to drive down costs and improve productivity, the inherent insecurity of standard deployments has driven an explosion in telephony denial of service attacks, voice mail hacking and toll fraud.

According to the Communications Fraud Control Association (CFCA) $4.4 billion has been lost due to PBX hacking, while the US Department of Homeland Security’s Cyber Security Division has recently announced it is funding two research projects designed to harden defenses following recent Telephony Denial of Service (TDoS) attacks on 911 emergency call centres, financial services companies and a host of other critical service providers and essential organisations.

It is becoming increasingly apparent that the frequency of this voice related activity will only increase for as long as voice security models remain outdated and static. Given the growing complexity hackers face to break through multi-layered security systems to gain access to personal data, the contrasting ease with which a telephony denial of service attack can be launched on an unsecured or inadequately secured voice network is stark. It is no wonder these incidents are on the rise, and organisations are enduring the devastating consequences.

Cloud based SBCs

Traditional models for protecting the voice network were based on hardware devices – an ‘install once’ Session Border Controller (SBC) that simply could not protect an organisation against continually evolving threats.  More recently, that model has shifted towards software based SBCs that can be upgraded in response to new security risks.  It is, however, the evolution towards cloud based SBC deployments that now enables the adoption of this community led voice security model.

This cloud based SBC deployment facilitates the adoption of community led intelligence on two fronts.  Firstly, working together a community of organisations sharing breach information radically extends the number of touch points into hacking events, transforming understanding and insight into the ways in which hackers are looking to compromise companies. Secondly, each hacking attempt to compromise a specific customer environment creates a fingerprint which can then be used by the security vendor to create a security patch or update that will actively immunise every other user of the cloud based SBC from being compromised with the same attack fingerprint.

This combination of routine product updates with shared intelligence ensures an attack on a single organisation can be quickly transformed into a patch or update that protects every business from the new risk.  

Understanding Threats

This model is particularly effective against the typical security threats now affecting voice networks: telephony denial of service and voicemail hacking. When a hacker compromises a call centre and consumes all lines to prevent any in-bound or out-bound calls, the impact on the organisation’s business is devastating. From the negative customer experience to the multi-million pound demands from hackers to unlock the lines, the business cost of one of these attacks can be very significant.

Each telephony denial of service attack will include specific attributes that form its fingerprint. Taking a sample of that event, including which services the hacker is trying to access, the numbers called to or from, and the digits being pressed once on the line, enables the creation of a patch or update that can be shared with all users of the SBC, ensuring no other organisation is exposed to that specific attack.

A similar model applies to preventing wide exposure to voicemail hacking, a process that enables hackers to accept and make international collect calls – at huge cost to the compromised business. In addition to specific voicemail protection modules provided as part of a cloud based SBC to identify breach attempts, lock down the voice network and alert the organisation, the SBC will log rogue numbers identified across the cloud based network, rapidly creating a database of blacklisted numbers that can be deployed by all organisations to further protect against voicemail hacking attempts.

Prioritise and Evolve

This community model is particularly effective in highlighting and combatting global attacks.  An organisation operating single site security policies could be unaware that attacks are being launched simultaneously against multiple locations. With a global, cloud based SBC approach, the company will be made immediately aware of the scale of the global attack and therefore able to enforce policies that protect the entire environment against breach.

The ability to prioritise activity is also key. Every threat will be profiled and organisations have the option as to how frequently updates are made.  For example, most will opt to be immediately protected from critical risks, while high or medium risk updates could be made weekly, and low risks just once a month. In addition, the community model supports continual assessment of past threats by using validation techniques to track activity. If a specific fingerprint is not seen again, and the patch is no longer required, it can be removed from the SBC or replaced by a different approach, such as diverting any calls from a previously blocked number to a security desk.
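As an added illustration of the three mechanisms described above (deriving a fingerprint from the service, numbers and digits of an attack; pooling blocked numbers across tenants; and pushing updates on a cadence set by severity, then retiring fingerprints that are no longer seen), here is a toy model of this editor’s own, not VoipSec’s SBC code. The call events, the rate thresholds and the cadence values are constructed assumptions.

```powershell
# Added example: this editor's toy model of the community fingerprint scheme,
# not VoipSec's SBC code. Events, thresholds and cadences are assumptions.

# Constructed sample: call events logged at one tenant's SBC.
$Events = @(
    [pscustomobject]@{ Tenant='tenant-a'; Service='voicemail'; From='+37012345678'; To='+442070001001'; Digits='*#0001'; Seen=[datetime]'2017-06-28T02:10:00Z' }
    [pscustomobject]@{ Tenant='tenant-a'; Service='voicemail'; From='+37012345678'; To='+442070001002'; Digits='*#0001'; Seen=[datetime]'2017-06-28T02:10:04Z' }
    [pscustomobject]@{ Tenant='tenant-a'; Service='voicemail'; From='+37012345678'; To='+442070001003'; Digits='*#0001'; Seen=[datetime]'2017-06-28T02:10:09Z' }
    [pscustomobject]@{ Tenant='tenant-a'; Service='pbx';       From='+12025550123'; To='+442070001000'; Digits='';       Seen=[datetime]'2017-06-28T09:00:00Z' }
)

# Fingerprint = the attributes the article names (service probed, calling and
# called numbers, digits pressed). The last four digits of the called number are
# masked so a sweep across a block of DIDs collapses to a single fingerprint.
function ConvertTo-Fingerprint {
    param([Parameter(Mandatory)]$Event)
    $pattern = '{0}|{1}|{2}|{3}' -f $Event.Service, $Event.From, ($Event.To -replace '\d{4}$', 'XXXX'), $Event.Digits
    $bytes   = [System.Security.Cryptography.SHA256]::Create().ComputeHash([System.Text.Encoding]::UTF8.GetBytes($pattern))
    [pscustomobject]@{
        Id      = ([System.BitConverter]::ToString($bytes) -replace '-', '').Substring(0, 16)
        Pattern = $pattern
        From    = $Event.From
    }
}

# Threat profile: how fast one fingerprint recurs at a tenant sets its lane.
function Get-Severity {
    param([Parameter(Mandatory)][object[]]$Matching)
    if ($Matching.Count -lt 2) { return 'Low' }
    $sorted  = @($Matching | Sort-Object Seen)
    $minutes = [math]::Max(1, ($sorted[-1].Seen - $sorted[0].Seen).TotalMinutes)
    $rate    = $Matching.Count / $minutes
    if ($rate -ge 3) { 'Critical' } elseif ($rate -ge 1) { 'High' } else { 'Medium' }
}

# Shared store: one record per fingerprint, pooled across every tenant.
$Community = @{}

function Publish-Fingerprint {
    param($Store, $Fingerprint, [string]$Tenant, [string]$Severity, [datetime]$Now)
    if (-not $Store.ContainsKey($Fingerprint.Id)) {
        $Store[$Fingerprint.Id] = [pscustomobject]@{
            Id = $Fingerprint.Id; Pattern = $Fingerprint.Pattern; BlockNumber = $Fingerprint.From
            Severity = $Severity; Action = 'block'; Tenants = @(); FirstSeen = $Now; LastSeen = $Now
        }
    }
    $rec = $Store[$Fingerprint.Id]
    if ($Tenant -notin $rec.Tenants) { $rec.Tenants += $Tenant }
    $rec.LastSeen = $Now
    # The same fingerprint reported by several tenants is a global event: escalate it.
    if ($rec.Tenants.Count -ge 3) { $rec.Severity = 'Critical' }
    $rec
}

# Update lanes: critical rules go out at once, high/medium weekly, low monthly.
$Cadence = @{ Critical = [timespan]::Zero; High = [timespan]::FromDays(7); Medium = [timespan]::FromDays(7); Low = [timespan]::FromDays(30) }

function Get-DueUpdates {
    param($Store, [datetime]$LastSync, [datetime]$Now)
    $Store.Values | Where-Object { ($Now - $LastSync) -ge $Cadence[$_.Severity] }
}

# Validation: a rule whose fingerprint has not recurred for 90 days stops
# blocking and diverts to the security desk instead, as the article suggests.
function Update-StaleFingerprint {
    param($Store, [datetime]$Now, [int]$MaxAgeDays = 90)
    foreach ($rec in @($Store.Values)) {
        if ($rec.Action -eq 'block' -and ($Now - $rec.LastSeen).TotalDays -gt $MaxAgeDays) { $rec.Action = 'divert-to-security-desk' }
    }
}

# Tenant A profiles its own events and publishes one record per fingerprint.
$now = [datetime]'2017-06-28T09:05:00Z'
$Events | Group-Object -Property { (ConvertTo-Fingerprint $_).Id } | ForEach-Object {
    $fp = ConvertTo-Fingerprint $_.Group[0]
    Publish-Fingerprint -Store $Community -Fingerprint $fp -Tenant $_.Group[0].Tenant -Severity (Get-Severity $_.Group) -Now $now | Out-Null
}
# A tenant that last synced a week ago pulls the critical, high and medium lanes now.
Get-DueUpdates -Store $Community -LastSync $now.AddDays(-7) -Now $now | Format-Table Id, Severity, Action, BlockNumber, Pattern -AutoSize
# Four months later the voicemail sweep has not recurred, so its rule is downgraded.
Update-StaleFingerprint -Store $Community -Now $now.AddDays(120)
$Community.Values | Format-Table Id, Severity, Action, LastSeen -AutoSize
```

The three voicemail probes from one source, nine seconds apart, collapse to a single Critical fingerprint that every tenant receives immediately; the lone PBX call stays in the Low lane and is not pulled by a tenant syncing weekly. Masking the called number is what makes the rule generalise from the three DIDs the attacker happened to hit to the whole range they were sweeping.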


It is this depth of security intelligence that is transformative. With growing consensus that the burden facing organisations attempting to fight security issues individually is simply too high, it is clear that joining a specific community of companies willing to work together is a far more effective approach to locking down a business against new threats affecting voice and UC.

Combining this community led collaboration with the ability to rapidly disseminate patches and update via a cloud based SBC will enable organisations to lock down the business against escalating VoIP security threats.

New report from CREST highlights the need to improve cyber security in Industrial Control Systems

Original Article Here

There is a pressing need to improve cyber security in Industrial Control System (ICS) environments to avoid future breaches that could impact critical national infrastructure, concludes CREST, the not-for-profit accreditation body representing the technical information security industry, in its latest position paper, ‘Industrial Control Systems: Technical Security Assurance’. The report highlights a number of challenges and suggests that more technical security testing has a significant role to play in ensuring higher levels of security assurance are met.

The report draws on the diverse views of the Industrial Control Systems and technical security communities and proposes a model for gaining greater assurance in ICS environments. It was based on the findings of a research project – which looked to set out the main challenges and possible solutions for protecting Industrial Control Systems, many of which are based on legacy technologies.

One of the key findings in the report is the absence of periodic standards-based technical security testing that is commonplace in many other industries. Because of this, ICS environment owners and operators have no objective way of knowing whether cyber risk is being adequately managed and at present there is no definitive standard for testing ICS environments that is mandated by regulatory bodies. The fact that ICS environments are rapidly changing also leads to a higher degree of exposure.

“ICS environment owners require assurances that risk is being identified, assessed and evaluated. Above all else they need to know that there are appropriate measures in place to manage and mitigate risk,” explained Ian Glover, president of CREST. “Research on the project has helped to identify the high-level characteristics of a practical technical security testing approach and organisations should consider how this could add value and protection. It is clear that ICS environments are more sensitive than conventional IT environments and any penetration testing of systems needs to be planned and undertaken with a high degree of trust, skill and caution.”

“This position paper is supporting the work CREST is doing in many parts of the critical national infrastructure in the roll out of intelligence led penetration testing,” added Glover.

The UK National Cyber Security Centre (NCSC), commented. “We believe this paper provides a valuable contribution to the current thinking on this challenging topic and we look forward to working with CREST, as well as ICS operators and the cyber security industry in order to make the UK the safest place to live and do business online.”

The position paper is for organisations in both the private and public sector and is mainly targeted at IT managers, information security managers and technical security testing specialists. It will also be of interest to process engineers, safety specialists, business managers, procurement specialists and IT auditors.

CREST is now looking to expand on this initial ICS research to develop detailed guidance material that can be used by specialists to help secure ICS environments, in particular those that make up the Critical National Infrastructure.

AI startup wants to create avatars of your favourite stars – CNET

Original Article Here


In the future, Daniel Radcliffe, Gal Gadot or whoever your favourite celebrity is could live inside your phone and other smart devices. At least, one company hopes so.

Artificial intelligence startup Oben has partnered with South Korean talent agency SM Entertainment to launch AI Stars. AI Stars will see avatars of celebrities created using AI technology for use in “lifestyle applications.”

The project will recreate a celeb’s voice, image and character within an avatar that replicates its human counterpart. Expected to be introduced later this year, the avatars will be incorporated into smart devices, robots, chatbots and self-driving vehicles.

This is good news for many in the West, where K-pop is becoming increasingly popular. Recent years have seen Korean bands perform on “The Late Show With David Letterman” and at festivals like SXSW. The company intends to eventually make avatars of US celebrities too, according to The Hollywood Reporter.

The era of artificial intelligence is truly coming upon us, with assistants like Amazon’s Alexa, Apple’s Siri and Google’s, well, Assistant, getting more space in the home. The tech also has promising medical applications, and Facebook is also looking to use AI to fight terrorism on its platform.


How Europe Is Grappling With Increased Cybersecurity Threats – NPR

Original Article Here

European cybersecurity experts have been meeting in Brussels to discuss ways to combat recent attacks, including Tuesday’s malware infection of thousands of business computers.

Information Stealer Found Hitting Israeli Hospitals

Original Article Here

The abuse of shortcut (LNK) files is steadily gaining traction among cybercriminals. We’ve seen a plethora of threats that leverage malicious LNK files: well-known ransomware families, backdoors typically deployed in targeted attacks, banking Trojans, spam emails, and even an exploit for an LNK vulnerability itself. These threats are usually exacerbated by the further abuse of legitimate tools such as PowerShell or the script automation utility AutoIt. It’s thus not surprising that we discovered an information stealer employing LNK files, which our sensors detected in Israeli hospitals.

Healthcare is considered a cybercriminal cash cow, as it can be a lucrative source of personally identifiable information that can be monetized in underground marketplaces. Initial findings revealed that any browser-based information, e.g., login credentials, can be stolen, which puts the credentials of browser-based management systems and applications directly at risk.

We have observed its attempts to gain footholds in the systems and the local networks’ shared folders. Another notable aspect we’re seeing so far is the combination of worm propagation and stealth capabilities.

Our monitoring and analyses are still ongoing and we will update this post as we find more details about the threat. Here’s what we know so far:

Propagation via worm. Initial analysis of the malware indicates it propagates via a worm. It creates copies of itself, including shortcut files, a non-malicious AutoIt executable, and a malicious AutoIt script, into the affected system’s root directory, i.e., C:\WinddowsUpdated\<file copy>.

Masquerades as a Windows updater. The shortcut files pose as browser and Windows updaters, a web 3D creation tool, and links to the system’s Downloads and Games folder.

Execution via AutoIt. AutoIt is a legitimate scripting language software/executable designed to automate tasks (i.e., macros) for several programs in Windows. However, it’s known to be abused for wrapping various remote access trojans (RAT). In this case, a legitimate AutoIt executable is used to run a secondary file that contains the malicious commands. We’ve actually seen a similar threat in the form of the IPPEDO worm (WORM_IPPEDO.B) back in 2014.

It gathers system information. The malware executes a command to retrieve system information via C:\WINDOWS\system32\cmd.exe /c SystemInfo.

The LNK files are spawned on the affected machines. The LNK files are embedded with this malicious command:

cmd.exe /c start ..\WinddowsUpdateCheck\WinddowsUpdater.exe "" & exit

The threat appears to be a highly obfuscated information stealer. The samples we are currently analyzing were highly obfuscated, with payloads hidden under layers of encryption, for instance. The packages we saw each contain 4 malicious LNK files. These LNK files issue commands leading to AutoIt’s execution of .TNT and .EXE files. Based on the behavior we’ve observed so far, it appears it conducts browser-based information theft and records keystrokes. This actually makes sense given the sensitive nature of the information that goes through healthcare organizations.

As the threat landscape continues to mature and diversify, the IT/system administrators and information security professionals that secure organizations should do the same. Among these countermeasures: patch and keep the system updated, enforce the principle of least privilege, secure the gateways to reduce attack surface, and implement defense in depth by arraying multilayered security mechanisms—from endpoints, networks, and servers.

Indicators of Compromise (IoCs):
01e03241c42b12381e5c3ceb11e53f6c5c6bf0fa — WORM_RETADUP.A
1186e8d32677f6ac86a35704c9435ccd9ffa8484 — WORM_RETADUP.A
479dcd0767653e59f2653b8d3fcddb662a728df4 — LNK_RETADUP.A
580ff21d0c9d8aeda2b7192b4caaccee8aba6be4 — LNK_RETADUP.A
5f32f648610202c3e994509ca0fb714370d6761d — LNK_RETADUP.A
63ac13c121e523faa7a4b871b9c2f63bea05bbff — LNK_RETADUP.A
68d90647cf57428aca972d438974ad6f98e0e2b2 — LNK_RETADUP.A
ce1b01eccf1b71d50e0f5dd6392bf1a4e6963a99 — LNK_RETADUP.A
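What a responder would run after reading the indicators above, as an added example of this editor’s own and not Trend Micro’s tooling: hash files under the chosen roots against the listed SHA-1 IoCs, read each shortcut’s target and arguments, and score them against the traits of the command quoted above. The `C:\WinddowsUpdated` directory is named in the post; `WinddowsUpdateCheck` is inferred from the shortcut command. The search roots, the scoring and the report layout are assumptions.

```powershell
# Added example: this editor's hunting script for the RETADUP traits described
# in the post, not Trend Micro's tooling. Hashes and directory names come from
# the post; the scoring, search roots and report shape are assumptions.

# SHA-1 IoCs from the post, keyed in lower case.
$RetadupSha1 = @{
    '01e03241c42b12381e5c3ceb11e53f6c5c6bf0fa' = 'WORM_RETADUP.A'
    '1186e8d32677f6ac86a35704c9435ccd9ffa8484' = 'WORM_RETADUP.A'
    '479dcd0767653e59f2653b8d3fcddb662a728df4' = 'LNK_RETADUP.A'
    '580ff21d0c9d8aeda2b7192b4caaccee8aba6be4' = 'LNK_RETADUP.A'
    '5f32f648610202c3e994509ca0fb714370d6761d' = 'LNK_RETADUP.A'
    '63ac13c121e523faa7a4b871b9c2f63bea05bbff' = 'LNK_RETADUP.A'
    '68d90647cf57428aca972d438974ad6f98e0e2b2' = 'LNK_RETADUP.A'
    'ce1b01eccf1b71d50e0f5dd6392bf1a4e6963a99' = 'LNK_RETADUP.A'
}

# Traits of the shortcut command quoted in the post:
#   cmd.exe /c start ..\WinddowsUpdateCheck\WinddowsUpdater.exe "" & exit
$LnkTraits = @(
    @{ Name = 'cmd-start';   Regex = '\bcmd(\.exe)?\b.*/c\s+start\b' }   # launched through cmd.exe /c start
    @{ Name = 'winddows';    Regex = 'winddows' }                         # typo-squatted "Windows" directory name
    @{ Name = 'parent-path'; Regex = '\.\.\\' }                           # payload reached by a relative ..\ path
    @{ Name = 'and-exit';    Regex = '&\s*exit\s*$' }                     # closes the console immediately
)

$WshShell = New-Object -ComObject WScript.Shell

function Get-ShortcutCommand {
    param([Parameter(Mandatory)][string]$Path)
    # CreateShortcut on an existing .lnk loads it; target plus arguments is what would run.
    try {
        $lnk = $WshShell.CreateShortcut($Path)
        ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
    } catch { '' }
}

function Test-ShortcutCommand {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Command)
    $hits = @(foreach ($t in $LnkTraits) { if ($Command -match $t.Regex) { $t.Name } })
    [pscustomobject]@{ Command = $Command; Traits = $hits; Score = $hits.Count }
}

function Find-RetadupArtefacts {
    # The post says it also spreads through shared folders: add UNC paths to -Roots.
    param([string[]]$Roots = @($env:USERPROFILE, $env:PUBLIC))

    # 1. Drop directory named in the post, and the one the shortcut points at.
    foreach ($dir in "$env:SystemDrive\WinddowsUpdated", "$env:SystemDrive\WinddowsUpdateCheck") {
        if (Test-Path -LiteralPath $dir) {
            [pscustomobject]@{ Kind = 'directory'; Score = 3; Detail = 'drop directory present'; Path = $dir }
        }
    }
    # 2. Hash files against the IoCs and inspect every shortcut's command line.
    Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 20MB } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
            if ($hash -and $RetadupSha1.ContainsKey($hash.ToLowerInvariant())) {
                [pscustomobject]@{ Kind = 'hash'; Score = 5; Detail = $RetadupSha1[$hash.ToLowerInvariant()]; Path = $_.FullName }
            }
            if ($_.Extension -eq '.lnk') {
                $r = Test-ShortcutCommand -Command (Get-ShortcutCommand -Path $_.FullName)
                if ($r.Score -ge 2) {
                    [pscustomobject]@{ Kind = 'shortcut'; Score = $r.Score; Detail = ($r.Traits -join ','); Path = $_.FullName }
                }
            }
        }
}

Find-RetadupArtefacts | Sort-Object Score -Descending | Format-Table Kind, Score, Detail, Path -AutoSize
```

A hash match is conclusive for the listed samples only; the shortcut scoring is what catches repacked variants, because the typo-squatted directory name and the `cmd.exe /c start ..\` launch pattern survive re-obfuscation of the AutoIt payload. Run it against the network shares the post mentions as well as endpoints, since the worm copies itself there.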

Smashing Security #031: Petya (don't know the name of this ransomware)

Original Article Here


Another major ransomware outbreak rattles the world – but no-one can decide what it’s called, the danger posed to driverless cars by kangaroos, and do you really want an Amazon Echo Show?

All this and more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest David Bisson.


About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and gives presentations on the topic of computer security and online privacy. Follow him on Twitter at @gcluley, Google Plus, Facebook, or drop him an email.


Can backups really protect you against ransomware?

Original Article Here

More than 80 per cent of businesses feel that incidents of ransomware attacks are on the rise, and are fighting the increase with backup solutions to protect their data (if, of course, the backup isn’t corrupted itself).

Druva published the figures in its first annual Ransomware Report, which also claims that ransomware attacks have quadrupled in the past year: reaching an estimated $1 billion value in 2016 and expected to top $5 billion this year. 4,000 attacks occurred, on average, every day in 2016. Businesses responding to Druva’s questions said that half of those who had been hit by ransomware had been attacked multiple times.

Obviously, ransomware protection is crucial for all sizes and sectors of industry, as proven by both WannaCry and the recent NotPetya assault in Ukraine: it’s no longer a case of “if” a company will be targeted by ransomware, but “when”. Druva CEO Jaspreet Singh says, “It’s no surprise that more and more companies are relying on backup to recover from ransomware attacks. Simple preventative planning greatly mitigates what could otherwise be costly and destructive to data recovery, not to mention devastating to overall business viability.”

The report also found that ransomware is increasingly targeting non-endpoints: a third of all attacks now target servers, for example, and 70 per cent spread to multiple devices.

Paying the ransom is not always a sure way of recovering data. Kaspersky estimates that 20 per cent of organisations that pay do not get their information back, and ‘in many cases’ the attackers demand a second ransom. Data backups were seen as a much more reliable method: 82 per cent of respondents said that backups helped them to recover from a ransomware infection.

Gartner also favoured backup as a protection against ransomware, saying, ‘As a fail-safe, organisations should implement enterprise endpoint backup for laptops/workstations, and set recovery point objectives (RPOs) for each server deemed to be at greater risk to ransomware according to organisational requirements, based on data loss time frame acceptable to the organisation.’

We spoke to Helge Husemann of Malwarebytes in a recent websem run by Computing, about the use of backup-as-ransomware-protection. Husemann agreed that attacks can be countered with backups, but “of course you need to make sure that the backup is safe and doesn’t contain a time bomb. AV, even layered AV, isn’t keeping us safe anymore. We’re seeing a lot of malware, viruses and Trojans that are getting into organisations – in a lot of cases because they lie low at first.”


Video: Why machine learning for defensive cybersecurity is a good idea

Original Article Here


Length: 3:45 | Jun 29, 2017

Mathematician Miranda Mowbray explains how machine learning – the application of statistics to decision problems – can help organizations defend against large scale threats.

Azure blues: Active Directory Connect has password reset vuln

Original Article Here

Attackers can dive out of the cloud to pwn admin passwords

Microsoft is warning sysadmins to check their Azure Active Directory Connect configurations and implement a patch against a credential-handling vulnerability.

The bug is in an Azure AD Connect feature called password writeback. Azure AD can be configured to write user passwords back to the on-premises AD environment.

A convenience feature, password writeback is designed to simplify password resets, letting users change their local and cloud passwords simultaneously. It supports resets from Office 365 and allows admins to push a reset from the Azure portal back to on-premises AD.

And if it is misconfigured, Microsoft writes, an attacker can force resets and thereby choose a user’s new password.

“When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts).”

A malicious cloud admin can therefore force resets of on-premises AD accounts – including those of admin-level users – and force the reset to a password of the attacker’s choice. That would then get written back to the victim’s local environment, and presto, the target’s pwned.

Microsoft has patched the issue in an update to Azure AD Connect.
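The configuration check a practitioner wants after reading this, as an added example of this editor’s own and not Microsoft’s advisory script: enumerate the on-premises objects on which the AD Connect service account holds the Reset Password right, starting with AdminSDHolder and every adminCount=1 account. The `MSOL_*` name is the default AD Connect gives its on-premises account and is an assumption here; the ActiveDirectory RSAT module is required.

```powershell
# Added example: this editor's audit check, not Microsoft's advisory script.
# Lists the on-premises objects on which the Azure AD Connect account holds
# the Reset Password right, so grants over privileged accounts stand out.
# Assumes the RSAT ActiveDirectory module; MSOL_* is AD Connect's default
# account naming (an assumption), so pass -ConnectorAccount if yours differs.
Import-Module ActiveDirectory

# Control-access right User-Force-Change-Password, shown as "Reset Password" in ADUC.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-DefaultConnectorAccount {
    $acct = Get-ADUser -LDAPFilter '(sAMAccountName=MSOL_*)' | Select-Object -First 1
    if (-not $acct) { throw 'No MSOL_* account found; pass -ConnectorAccount DOMAIN\name' }
    '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $acct.SamAccountName
}

function Test-GrantsResetPassword {
    param([Parameter(Mandatory)]$Ace, [Parameter(Mandatory)][string]$Identity)
    if ($Ace.IdentityReference.Value -ne $Identity -or $Ace.AccessControlType -ne 'Allow') { return $false }
    $rights   = [int]$Ace.ActiveDirectoryRights
    $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $all      = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    # GenericAll implies every extended right; an ExtendedRight ACE applies to Reset
    # Password when its ObjectType is that right or the empty GUID (all extended rights).
    if (($rights -band $all) -eq $all) { return $true }
    (($rights -band $extended) -ne 0) -and
        ($Ace.ObjectType -eq $ResetPasswordRight -or $Ace.ObjectType -eq [guid]::Empty)
}

function Get-ResetPasswordExposure {
    param([string]$ConnectorAccount = (Get-DefaultConnectorAccount))
    $domainDn = (Get-ADDomain).DistinguishedName
    # Protected accounts (adminCount=1) take their ACL from AdminSDHolder, so audit
    # that object, the domain head (inheritable grants) and each protected account.
    $targets = @("CN=AdminSDHolder,CN=System,$domainDn", $domainDn) +
               @(Get-ADUser -LDAPFilter '(adminCount=1)' -SearchBase $domainDn | ForEach-Object DistinguishedName)
    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if (Test-GrantsResetPassword -Ace $ace -Identity $ConnectorAccount) {
                [pscustomobject]@{
                    Object      = $dn
                    Rights      = $ace.ActiveDirectoryRights
                    ObjectType  = $ace.ObjectType
                    Inherited   = $ace.IsInherited
                    Inheritance = $ace.InheritanceType
                }
            }
        }
    }
}

Get-ResetPasswordExposure | Format-Table -AutoSize
```

A row against CN=AdminSDHolder or against any adminCount=1 account is the misconfiguration the article describes: remove that ACE, or re-scope the writeback grant to an OU that holds no privileged accounts, and then apply the update. An inheritable grant on the domain head is expected for writeback to ordinary users, but confirm it does not flow into OUs containing privileged accounts.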

NBlog June 29 – more than 5 years of ransomwareness

Original Article Here
We are in the final stages of preparing July’s NoticeBored awareness materials on “Workplace information security”. Six cool new poster designs have come in from the art department, so the staff/general employee stream is practically finished, aside from proofreading. We’re working hard to complete the management and professional briefings and tying up a couple of loose ends, leaving just the newsletter to prepare, right on cue. As usual, we’ve left it to the very end of the month to make the newsletter, and in fact the whole module, as topical as humanly possible.

We’ve covered malware at least once a year since 2003, several times in fact, since malware often crops up in awareness modules covering related topics such as social engineering, identity theft, phishing, fraud, email security and cybertage. Every time through the hoop, we endeavour to pick up on emerging risks and new trends …

I’ve just done a quick search of the NoticeBored Back Catalog. We first brought up ransomware way back in 2012, mentioning it in several awareness materials. It may be in the headlines now, but it’s old news for us and our subscribers.

Here’s an extract from the NoticeBored staff briefing on viruses delivered in February 2012:

Ransomware was an obscure issue when it first came to our notice, a risk that has grown steadily until today it is patently substantial, a real and present danger as they say. Because of that it’s easy to catch people’s eyes with awareness content on ransomware today, and that’s great because there are clearly still organizations and individuals who have yet to get the message, unfortunately. So, in March this year, our annual malware awareness update focused almost exclusively on ransomware, an entire module dedicated to ransomwareness.

Having said that, awareness of current risks and incidents is, in many ways, too late: employees and their employers need to be pre-warned so they have the chance to consider and address the risks before they get hit. I’ve said it before: forewarned is forearmed.

If you are still running around desperately trying to cobble something together to get the word out to your employees about ransomware, or worse still simply too busy to do anything at all on this topic, we can help.

We have more than 50 Mb of top-quality security awareness content on ransomware ready-to-roll, today:

There are seminar slide decks, posters, briefings, an FAQ, a test, a glossary and more, a smorgasbord of ransomwareness content from which to serve up a tasty meal for your organization. Aside from the general employee awareness stuff, there is a stream of content written specifically for management (e.g. a model policy and metrics), and another more technical stream for professionals. It’s all customer-editable, so you are very welcome to adapt it to your particular circumstances and corporate comms style. No need to pay someone else a small fortune to customize it for you: do it yourself.

PS  What are you doing to raise awareness on workplace information security? Is it even on your risk-radar, let alone your to-do list?

Fileless malware: The smart person's guide

Original Article Here

Typical malware detection software works by signature detection: identifiable pieces of code that are unique to a particular type of infection. Other malware, such as ransomware, doesn’t always leave such a signature; through heuristic scanning, however, the behaviors specific to ransomware may be detected and halted, allowing users to take action to protect their data.

But how do you protect against an infection that does not have a signature that clearly identifies it or that performs a behavior that is out of the norm, such as encrypting hundreds of files per second? Furthermore, what can be done when the very commands and applications being called forth by the infection are native to the operating system and are used to perform actual management tasks?

These are characteristics of fileless malware, which is a type of malware that does not rely on virus-laden files to infect a host, but rather attacks a system from the inside to execute malicious code in resident memory. Its attack methods use stealth approaches to mask the commands it employs to not only keep access hidden, but also to conceal network traffic between infected hosts and remote command & control (C&C) servers, leaving a backdoor open for future malware attacks to occur.

This smart person’s guide details what you need to know about fileless malware and the ways in which it operates, so that you may best protect against it.

SEE: All of TechRepublic’s smart person’s guides

Executive summary

  • What is fileless malware? Fileless malware is a type of malware infection that uses a system’s own trusted system files and services to obtain access to devices while evading detection. It may be paired with other malware types to deliver multiple payloads.
  • Why does fileless malware matter? As malware continues to grow and evolve, the threats are becoming more sophisticated, and it is increasingly difficult to detect these threats, let alone stop them.
  • Who does fileless malware affect? Fileless malware is targeting corporate networks, particularly financial institutions. However, given that threat actors are pairing it with other forms of malware to deliver additional payloads, it is expected to grow into something that affects all computer users, personal and business alike.
  • When is fileless malware happening? Fileless malware, or memory-based malicious code that exists only in RAM, has been around for quite some time. However, given the system-management tools it can abuse, this invisible malware has seen a sharp increase in use over the past couple of years.
  • How do I avoid infection by fileless malware? Fileless malware infections are extremely hard to detect without forensic software to confirm the compromise. Businesses can implement strategies to minimize the exposure to infection, or at the very least, mitigate the spread of the infection to other devices on shared networks.

SEE: Network security policy (Tech Pro Research)


What is fileless malware?

Fileless malware uses a system’s built-in services, management commands, and applications to infect the host. By using the system’s existing applications, a threat actor can leverage privilege escalation to execute commands used to manage the system (e.g., PowerShell) to create scripts that are run from the system’s memory, making it appear as a normally running process that is virtually undetectable.

Attackers typically use these system commands to create hidden shares in which they store the scripts used to compromise systems, for example to set up network proxy connections; those connections are used to communicate with remote command & control (C&C) servers maintained by the threat actors for additional payload delivery.

Why does fileless malware matter?

Let’s face it, malware is not going away anytime soon. And with the prevalence of threat actors using their technical capabilities to attack business and personal networks, any advancements that allow them to exfiltrate data, encrypt user data in exchange for a ransom, or otherwise prevent access to services means it will take more effort and resources to secure devices on networks.

Fileless malware is especially worrisome because the infection vector could be anything, and the indicators of compromise (IOCs) vary from infection to infection depending on the attacker’s goal. These infections are classified as an Advanced Volatile Threat (AVT): code that can persist in the infected machine’s memory or registry, or be combined with additional payloads for more targeted attacks in the future, such as enrolling the machine in a group’s botnet.

Who does fileless malware affect?

Fileless malware affects everyone that uses a computer. Based on attacks reported thus far, the main targets linked to compromises utilizing fileless malware have been networks in the financial sector. This is mainly due to the undetectable nature of the infection, which allows for stealthy data exfiltration to occur while leaving little trace the attack ever occurred.

When is fileless malware happening?

Malicious code has existed for decades. Fileless malware is a relatively new threat, but it is ultimately built on the same concept of malicious code.

SEE: Video: Why organizations need ethical hackers now more than ever before (TechRepublic)

In recent years as malware attacks have increased, so have the tactics used by threat actors; fileless malware is one such tactic that has shown an increase in usage in the last couple of years. Given its adaptability to being joined with other types of malware for increasingly damaging payloads, recent stealth-based attacks paired fileless malware with ransomware to not only compromise a host, but also encrypt data and leave a backdoor for future attacks.

How do I avoid infection by fileless malware?

Fileless malware is difficult to detect and, unfortunately, there is no surefire way to protect against it. There are several things to look out for that are based on a combination of known vectors of infection and the types of programs typically compromised to carry out attacks.

SEE: Computer Hacking Forensic Investigation & Penetration Testing Bundle (TechRepublic Academy)

Administrators and end users can work together to minimize the potential for infection, as well as mitigate exposure on affected systems. Follow this security plan:

  • Keep patches up-to-date;
  • Disable unnecessary services and program features;
  • Uninstall nonessential applications;
  • Install endpoint security;
  • Restrict admin privileges;
  • Monitor network traffic; and
  • Provide security training to end users.

Google Makes It Easier to Create Virtual Reality Videos

Original Article Here

Google last week introduced a new video format, VR180, developed with input from its Daydream team.

The VR180 format, which displays what’s in front of the user only, delivers good video quality both on desktop PCs and mobile devices.

While VR180 videos appear in 2D on desktops and mobile devices, they appear in 3D VR when viewed with Cardboard, Google’s Daydream headset or Sony’s PlayStation VR headset.

The VR180 Creative Process

Creators “don’t have to choose between making a 360 video and/or providing new content for their subscribers,” said Google spokesperson Liz Markman.

“It’s easy for creators to start producing VR videos since they won’t have to change up their filming style or production techniques,” she told TechNewsWorld. “There’s no need to think about what’s behind the camera.”

YouTube supports VR180, so it “works anywhere YouTube is,” Markman pointed out. VR180 also supports live-streaming videos.

Video creators can set up and film videos just like they would with any other camera. They can use their existing equipment, or eligible creators can apply to borrow a VR180-enabled camera from a YouTube Space in certain cities, including London, Paris and New York.

They soon will be able to edit the videos using familiar tools such as Adobe Premiere Pro.

Content creation issues aside, “VR headsets are still very intrusive and cumbersome,” observed Trip Chowdhry, managing director for equity research at Global Equities Research.

“The VR industry is still not ready to take off,” he told TechNewsWorld.

Making VR Technology Less Expensive

Companies including Yi Technology, Lenovo and LG have committed to building cameras from the ground up for VR180.

They will be as easy to use as point-and-shoot cameras and cost about the same, according to Google’s Markman.

The cameras will be available this winter. They will target consumers and “will be tightly integrated into our services, like YouTube, so it’s easy to go from filming to uploading,” Markman pointed out.

Google will offer a VR180 certification for other manufacturers. Z Cam will be one of its first partners.

Both the VR camera space and VR video content are forecast to experience “tremendous growth,” said Sam Rosen, a vice president at ABI Research.

Each segment will hit nearly US$7 billion by 2021, he told TechNewsWorld.

Clever Use of Technology

VR180 halves the viewing angle so consumers viewing videos on browsers and smartphones will see two 180-degree images of an object, one with each eye.

This “is more natural and pervasive from a camera technology standpoint,” ABI’s Rosen observed.

Google isn’t the first company to offer this capability, he said. Lucid VR will ship this month, for example.

However, based on its evaluation of early versions of the technology, ABI has “found it failed to adequately handle some of the complexity with 3D video,” said Rosen.

It’s likely that Google will integrate VR180 into wearables, including smart glasses, to compete with Snapchat, he suggested.

Not Yet Ready for Prime Time

The VR180 format has applications in various segments, such as demo videos in the real estate and art fields; as productivity tools for remote workers; and perhaps gaming, as part of a mixed reality platform, said Jim McGregor, principal analyst at Tirias Research.

The ease of development and use lets anyone create VR content “with relatively inexpensive equipment,” he told TechNewsWorld. “This is much better than offering a high-end solution that takes years for an OEM to develop a solution that’s offered at a high cost to consumers.”

That said, “it’s interesting that we see these new video formats being adopted in alternative media spaces like social networking and YouTube videos, not traditional media,” McGregor noted. “This is possibly because the user base is still too small.”

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.

Petya May Not be the Ransomware Everyone Thought it Was

Original Article Here

While it has already been established that Petya may have been preventable if patches had been kept up to date, what is less clear, and what the cybersecurity community at large is still trying to figure out, is what Petya, or as some have called it, NotPetya, actually is. Is it a more destructive version of WannaCry? Is it even ransomware at all?

The latter is something that information security researcher Grugq explored in an analysis on Tuesday. He said that although the “not-really ransomware” is “camouflaged to look like the infamous Petya ransomware; it has an extremely poor payment pipeline. There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.)”

“Predictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of ‘send a personal cheque to: Petya Payments, PO Box …’)

The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware.’”

Matt Suiche, a Microsoft MVP and founder of Comae Technologies, said this latest “version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.”

Suiche goes into detail about why Petya isn’t ransomware, and its similarities with Petya 2016 on his blog. He said, “The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack.” As of Wednesday, the new version of Petya/NotPetya raised only $10,000.

Though investigation into the attack is still very much ongoing, many believe that Ukraine was the intended target of the attack, and that the other countries where it appeared were casualties. Indeed, most infections were detected in Eastern Europe; according to Symantec, as of Tuesday morning U.S. time, more than 60 percent of the infections it saw were in Ukraine.

In some cases, according to WIRED, Petya infected victims by “hijacking the update mechanism of a piece of Ukrainian accounting software called MeDoc.” But Microsoft researchers said Tuesday “that a few active infections of the ransomware initially started from the legitimate MEDoc updater process.”

In a detailed post describing the attack, Microsoft said that Petya is especially destructive because of its lateral movement capabilities.

“It only takes a single infected machine to affect a network,” Microsoft said. “The ransomware spreading functionality is composed of multiple methods responsible for: stealing credentials or re-using existing active sessions; using file-shares to transfer the malicious file across machines on the same network; using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines.”

Microsoft reassured customers that it delivered updates to all Microsoft free anti-malware products automatically.

At least one IT pro is feeling the pain as his unnamed organization works to get its PCs up and running after falling prey to Petya. “We were pretty patched up against MS17-010, obviously mustn’t have been 100%, but even then, if 1 single PC gets infected and the virus has access to Domain Admin credentials then you’re done already,” he said.

Those admins who blame patching fatigue for not being up to date are probably losing a lot of sleep as they race to patch their networks before the next ransomware, or not-ransomware, hits.

Petya ransomware scam: Lost files can’t be restored

Original Article Here

Although the Petya-like malware appeared to be ransomware, researchers have found that the attack does not allow for the restoration of affected systems.

Matt Suiche, founder of Comae Technologies, and Kaspersky Lab independently discovered that the global attacks asking for ransom were nothing but a ransomware scam.

Kaspersky Lab said that the Petya-like malware was indeed a ransomware scam.

“To decrypt, the threat actors need the installation ID. In previous versions of seemingly similar ransomware such as Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery,” Kaspersky Lab wrote in its analysis. “ExPetr (aka NotPetya) does not have that installation ID, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.”

According to Suiche, while older versions of Petya ransomware would read each sector of a disk and reversibly encode them, this Petya-like malware “does permanent and irreversible damages to the disk” by overwriting sector blocks.

Suiche said this means the attacks were ransomware scams and the malware should be considered a “wiper” because its intent was not to make money but to “destroy and damage.”

“We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon,” Suiche wrote in a blog post. “The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack.”

Additionally, while the bitcoin address associated with the ransomware scam has received 45 payments worth approximately $10,000 (at the time of this post), the email address connected to the attackers has been shut down.

Ireland the best place to set up a data center in the EU

Original Article Here

A report from data center consulting group BroadGroup says Ireland is the best place, at least in Europe, to set up a data center. It cites connectivity, taxes and active government support among the reasons.

BroadGroup’s report argued Ireland’s status in the EU, as well as its “low corporate tax environment,” make it an attractive location. It also cites connectivity, as Ireland will get a direct submarine cable system from Ireland to France—bypassing the U.K.—in 2019. The country also has a high installed base of fibre and dark fibre with further deployment planned.

The report also notes active government support for inward investment from companies such as Amazon and Microsoft has resulted in the construction of massive facilities around Dublin.

“Even now, authorities are seeking to identify potential land banks for new large-scale data centre facilities in Ireland, which indicates that the supply of more space will continue to enter the market,” the report says.

U.S. companies with data centers in Ireland

Amazon and Microsoft both have facilities in Dublin, with Microsoft’s being one of the largest in Europe. Now, Apple is looking to build a €850 million data center in Athenry, outside Dublin. It announced the plans two years ago, along with a sister location in Denmark.

Two years later, the Danish site is up and running, while Athenry hasn’t even broken ground because of a legal challenge brought by three objectors. The decision has since been held up because there aren’t enough judges to make a ruling. The ruling is expected to go in Apple’s favor.

Another factor favoring Ireland is that it has benefited from investment by U.S. firms in the gaming, pharmaceuticals and content sectors that have made the country their European headquarters. Also, data center investment there covers a wide range of business models, making it the main regional hub for webscale providers.

Renewable energy is also one reason for Ireland’s shine. EirGrid says potential data center power capacity could increase to 1,000 MW after 2019. Renewable energy—primarily from wind energy—is a key government priority and is targeting 40 percent by 2020, well beyond the EU mandatory benchmark of 16 percent. The proposed Apple data center would be powered 100 percent by renewable energy.

Of course, Ireland isn’t alone with its data center ambitions. Scotland recently saw the opening of a 60,000-sq.-ft. data center that can be expanded to 500,000 square feet.

Motive behind NotPetya a mystery, as researchers ponder possible Russian involvement

Original Article Here

Symantec Corporation on Wednesday released a chart of the 20 countries most affected by Petya. Ukraine was the most significantly impacted, with close to 140 organizations infected.

The motive behind Tuesday’s ransomware attack that sowed chaos in Ukraine and around the world has emerged as a key mystery, even as analysts continue to learn more about the nature of the malware behind it.

While efforts to pinpoint attribution and motive are premature, there is already a contingent of experts who suspect that money was not the true motivation for launching the attack. Others went even further and suggested that Russia-sponsored hackers may have had a hand in the incident.

Meanwhile, researchers continue to assign new names to the ransomware, which was initially identified as a variant of Petya, but now appears to be distinctive enough to earn its own unique classification. According to SecureWorks, while the messages displayed by the ransomware are similar to Petya, there is no overlap in code between the two. Acknowledging these differences, many researchers are now referring to the malware as NotPetya, ExPetr and NyetYa. (It has also previously been referred to as PetrWrap and GoldenEye – but for consistency purposes, SC Media will refer to it as NotPetya.)

Mulling Motives

In an email to SC Media, Malwarebytes estimated that, conservatively, “we are looking at a number at least in the tens of thousands of systems infected.” Breaking these numbers down further, however, it’s apparent that a significant percentage of infected systems reside in Ukraine.

Symantec Corporation on Wednesday released a chart of the 20 countries most affected by Petya. Unsurprisingly, Ukraine was most significantly impacted, with close to 140 organizations infected. The U.S. was number two, with a little more than 40 companies infected. Russia, France and the U.K. were the next most impacted.

It is now widely accepted that the attack most likely started when hackers allegedly compromised the update server of Ukrainian accounting software company MeDoc so that it would dispense NotPetya to unsuspecting victims. Indeed, Check Point Software Technologies has reported that the same company is suspected of having been involved in the distribution of XData ransomware in May.

Of course, the ransomware’s heavy toll on Ukrainian organizations is suspicious, considering that the former Soviet nation’s power grid and other key assets have been the frequent target of Russian state-sponsored hackers. The attack also fell on Constitution Day, a national holiday for Ukraine. Naturally, this has led some to cast suspicions on the Kremlin as a possible culprit, even though some Russian companies were hit by NotPetya.

“The Ukraine continues to be in the cross hairs of persistent cyber attackers,” said Edgard Capdevielle, CEO of Switzerland-based Nozomi Networks. “Whether you believe the Ukraine is a test-bed for nation state aggression… [or that this is] an issue between two specific countries, the continued barrage of attacks against Ukrainian infrastructure is disturbing.”

Tom Kellermann, CEO of Strategic Cyber Ventures, was more blunt in his assessment: “The cyber siege of Ukraine hearkens the escalation of the conflict along the border with Russia. This cyber pulse is being directed by the Kremlin and is using cyber militias… to take down critical infrastructure. This should serve as a warning to NATO members that Putin is ready to take the gloves off.”

Kellermann’s colleague Hank Thomas, COO of Strategic Cyber Ventures, added that the Russians “appear to be expanding their multi domain approach to their current campaign. Expect for there to be destructive attacks in the near future facilitated by cyber means.”

A Wired report on Wednesday cited a number of Ukrainian officials who laid blame at Russia’s feet, including Roman Boyarchuk, head of the Center for Cyber Protection within Ukraine’s State Service for Special Communications and Information Protection. “This is definitely not criminal. It is more likely state-sponsored,” said Boyarchuk, noting that it would be difficult to imagine any country other than Russia targeting Ukraine in this manner.

In the same report, Oleksii Yasinsky, forensic analyst at Kiev-based Information Systems Security Partners, stated that the ransomware’s ability to wipe a hard drive’s master boot record is a hallmark of the Russian APT group Sandworm, which is believed to have knocked the Ukrainian power grid offline in December 2015 and January 2016.

Regardless of who the perpetrators actually are, experts are also skeptical that financial gain is the true motive behind the attack. Observers are already noticing that, much like with the WannaCry campaign, the attackers don’t seem to be profiting much from their efforts.

For instance, Kevin Magee, global security strategist at Gigamon, reported that as of 7 p.m. ET on July 27, the attackers had received only 33 ransom payments totaling less than $8,600 in Bitcoin. “While the attackers might be excellent coders, it seems that they are lousy criminals,” said Magee. “How is it that an attack this prolific and noisy with global impact, just can’t seem to generate a significant profit? Which makes me wonder: What is the real motivation behind these attacks [and is there] a more nefarious and long-term purpose to them other than simply making money?”

In a blog post on Medium, Gavin O’Gorman, an investigator on Symantec’s Security Response team, offered two theories behind the attack: One, the culprit is a criminal who made a foolish mistake by using a single bitcoin wallet and a single e-mail account that was quickly suspended, cutting off his means of communicating with victims. Or two, the attack was actually meant to cause disruption, and the ransomware element was merely a diversion.

“Launching an attack that would wipe victim hard drives would achieve the same effect [as NotPetya]; however, that would be an overtly aggressive action,” said O’Gorman. “Effectively wiping hard drives through the pretense of ransomware confuses the issue, leaving victims and investigators to ask: Are the attackers politically motivated, or criminally motivated?”

“Based on the current data, I’m inclined to believe the motive behind the Petya attacks may be the second option,” O’Gorman concluded.

Yonathan Klijnsma, threat researcher at RiskIQ, agreed that the payment component of the attack “doesn’t seem like it was meant to function or scale well, meaning the actors involved may be more interested in mayhem and destruction than money.” Klijnsma also observed that the specific types of files targeted and encrypted by NotPetya indicated that the attackers were zeroing in on business users, not individuals.

NotPetya: The Latest Analysis

In other developments, an updated blog post from Cisco Talos states that reports of Petya spreading to some organizations via email – for example, using phishing campaigns – “cannot be confirmed.” What researchers have confirmed is that, outside of the malicious MeDoc update, the ransomware further propagated itself via wormable tools and components including the Microsoft Windows EternalBlue SMB exploit, the Windows Management Instrumentation Command-line (WMIC) interface, the telnet alternative PsExec, and a credential-stealing tool.

Kaspersky Lab issued a statement warning victims that there is “little hope for victims to recover their data” once NotPetya encrypts their hard disks, even if they were to pay the ransom. “To decrypt a victim’s disk, threat actors need the installation ID. In previous versions of similar ransomware… this installation ID contained the information necessary for key recovery. [NotPetya] does not have that, which means that the threat actor could not extract the necessary information needed for decryption.” NotPetya simulates a CHKDSK screen while it is secretly encrypting files, before ultimately revealing a ransom note that demands $300 in Bitcoin.

IntSights Cyber Intelligence in Israel also reported discovering some personal details that were used to register domains and IPs linked to NotPetya. This includes the emails and aliases “”, “”, “javad fooladdadi”, and “antonio jose de maia santos”. These details are linked to a previously discovered IoT botnet that infects GoAhead and other OEM cameras, as reported last April by Netlab.

$71 Million Restitution Owed for Hacking, Fraud Scheme

Original Article Here

Convicted money launderer Muhammad Sohail Qasmani is sentenced to 4 years in prison, and will share the hefty payout with other co-conspirators convicted in the conspiracy.

Pakistani citizen Muhammad Sohail Qasmani has been sentenced to 48 months in prison for laundering $19.6 million on behalf of other actors in an international computer hacking and telecommunications fraud scheme, the DoJ reports. He previously pleaded guilty to one count of conspiracy to commit wire fraud.

The massive fraud scheme, which led to losses exceeding $70 million, was allegedly led by Noor Aziz of Karachi, Pakistan, an FBI Cyber Most Wanted suspect who remains at large. The scheme involved unauthorized access to PBX systems that ran the internal phone networks of several organizations across the United States.

Hackers targeted victims’ phone systems, which were illegally reprogrammed to make calls to long-distance locations and premium numbers to generate revenue. Qasmani laundered proceeds for Aziz and set up bank accounts to receive funds generated by fraudulent calls.

In addition to his prison sentence, Qasmani must pay a $25,000 fine and share restitution of $71,761,956.34 — the total amount lost in the scheme.

All players convicted in the conspiracy are jointly responsible for the full amount, the DoJ explains. The balance will remain open until paid, whether it’s by one member or several.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

Linux malware gaining favor among cybercriminals

Original Article Here

Linux malware is becoming a more important tool for cybercriminals as these individuals focus a greater portion of their attention on attacking IoT devices running the open-source operating system.

WatchGuard’s Internet Security Report Q1 2017 found that malware targeting Linux now comprises 36 percent of all malware spotted by WatchGuard, with three Linux variants, Linux/Exploit, Linux/Downloader and Linux/Flooder, included in the list of the top 10 malware samples of the first quarter. For good measure, the report argues that PERL/ShellBot could also be considered Linux malware, as it primarily targets Linux systems.

“Linux attacks and malware are on the rise. We believe this is because systematic weaknesses in IoT devices, paired with their rapid growth, are steering botnet authors towards the Linux platform,” the report stated.

The study also found each of the Linux variants tended to target certain geographic areas.

  • Linux/Exploit affected many European and American countries, but had the highest numbers in the U.S. and the United Arab Emirates.
  • Linux/Downloader mostly affected Germany, Great Britain, and Malaysia, but few others to the same extent.
  • Finally, Linux/Flooder primarily affected Germany and France.

The report noted that 99.99 percent of all Linux malware was delivered over the web during the first quarter, with only eight of 419,367 coming in via email or by FTP. This is due to the majority of attacks hitting IoT devices, which rarely have access to email, but are always connected to the web.

However, despite the growth in Linux malware, it was supplanted as the most frequently seen threat by FakeAlert, which literally issues fake alerts to its victims to entice them to click on a malicious link.

ESET’s Virus Radar tool reported that FakeAlert activity peaked on April 3, 2017, fell precipitously in May, but has rebounded somewhat in June. 

ExPetr targets serious business

Original Article Here

We’re witnessing an outbreak of a new breed of cryptomalware. Our experts have named it ExPetr (others call it Petya, PetrWrap, and some other names). The key difference with this new ransomware is that this time, criminals have chosen their targets with greater precision: Most of the victims are businesses, not consumers.

The worst part is that far more critical infrastructure facilities are among the victims of this malware. For example, a few flights were reportedly delayed in Kiev’s Boryspil airport because of the attack. And it gets even worse — the infamous Chernobyl nuclear plant’s radiation-monitoring system was reported to be temporarily down for the same reason.

Why do critical infrastructure systems keep getting hit by cryptomalware? It’s because they either are directly linked with corporate office networks or have direct access to the Internet.

What to do

Just like with WannaCry, we have two distinct problems: initial penetration of malware into a company’s infrastructure and its proliferation within. These two problems should be addressed separately.

Initial penetration

Our experts have identified various routes by which the malware penetrates a network. In some cases, it used malicious sites (drive-by infection), with users receiving the malware disguised as a system update. In other cases, infection was spread by third-party software updates — for example, through Ukrainian accounting software called M.E.Doc. In other words, there is no single, predictable point of entry to guard.

We have some recommendations for preventing malware from penetrating your infrastructure:

  • Instruct your employees never to open suspicious attachments or click on links in e-mails (sounds obvious, but people just keep doing it);
  • Ensure that all systems connected to the Internet are equipped with up-to-date security solutions incorporating behavioral analysis components;
  • Check that critically important components of security solutions are enabled (for Kaspersky Lab products, ensure cloud-assisted threat intelligence network Kaspersky Security Network and behavioral engine System Watcher are active);
  • Regularly update security solutions;
  • Employ tools for controlling and monitoring security solutions from a single administrative console — and don’t allow employees to play around with their settings.

As an additional measure of protection (especially if you are not using Kaspersky Lab products), you can install our free Kaspersky Anti-Ransomware Tool, which is compatible with most other security solutions.

Proliferation within the network

Once it gets its hooks into a single system, ExPetr is much better than WannaCry at proliferating within a local network. That’s because it has an extended range of capabilities for that specific purpose. First, it uses at least two exploits: a modified EternalBlue (also used by WannaCry) and EternalRomance (another exploit of TCP port 445). Second, when it infects a system on which a user has administrative privileges, it starts disseminating itself using Windows Management Instrumentation technology or with the PsExec remote system control tool.

To prevent malware proliferation within your network (and especially within critical infrastructure systems), you should:

  • Isolate systems that require an active Internet connection in a separate network segment;
  • Split the remaining network into subnets or virtual subnets with restricted connections, connecting only those systems that require it for technology processes;
  • Get to know the advice Kaspersky Lab ICS CERT experts outlined after the WannaCry outbreak (encouraged for industrial companies in particular);
  • Make sure that critical Windows security updates are installed on time. Particularly important and relevant here, MS17-010 closes vulnerabilities exploited by EternalBlue and EternalRomance;
  • Isolate backup servers from the rest of the network and discourage using the connection to remote drives on the backup servers;
  • Prohibit the execution of a file called perfc.dat using the Application Control feature of the Kaspersky Endpoint Security for Business suite or with the Windows AppLocker system utility;
  • For infrastructures containing multiple embedded systems, deploy specialized security solutions such as Kaspersky Embedded Security Systems;
  • Configure Default Deny mode as an additional protective measure on systems where it’s possible — for example, on utility computers with software that is rarely modified. This can be done within the Application Control component of the Kaspersky Endpoint Security for Business suite.

As always, we strongly recommend employing a multilayered information security approach, incorporating automatic software updates (including for the operating system), an antiransomware component, and a component that monitors all processes within the operating system.

To pay or not to pay

Finally, although we generally do not recommend paying ransom, we understand that some companies feel they have no choice. However, if your data has already been affected by ExPetr ransomware, you should not pay under any circumstances.

Our experts discovered that this malware has no mechanism for saving the installation ID. Without this ID, the threat actor cannot extract the necessary information needed for decryption. In short, they are simply unable to help victims with data recovery.

Local government's cloud move cuts headaches, adds control

Original Article Here

Nebraska’s Douglas-Omaha Technology Commission (DOTComm) has improved operations and scalability for the Douglas County Board of Equalization by moving its outdated Java-based web application to the cloud.

Among the board’s responsibilities is handling residents’ protests on the assessments of their homes. After the county recently made changes to property taxes, the board saw record numbers of protests.  Residents often got error messages when they tried to file their protests because the system simply couldn’t handle the volume, said Vijay Badal, director of application services at DOTComm. The website was powered by a decade-old Java application running in a data center that was not very secure or scalable, he added.

Badal and his team converted the website to a serverless architecture using Python running on Amazon Web Services Lambda and S3 services. “You don’t have to worry about the hardware and the operating system,” Badal said.  The cloud-based system “takes away all our overhead of spinning up new servers, running operating systems, doing patching and all that stuff. This was a big win for us.”

During times of increased web traffic, AWS automatically spins up additional services to handle that load. “This is a huge advantage, so we are not getting those 404 errors,” Badal said.

The decision to move to AWS was based on operational and financial considerations, said DOTComm CIO Derek Kruse. “Ultimately, this makes the department’s life easier because they’re not getting angry phone calls” from citizens trying to file their protests, Kruse said. “Our mission at the end of the day is to try to serve our community and serve our citizens. If this is done right, they’ll never know. A new citizen filing a protest will go in and it will be just like any other experience they have with a website in their personal life,” he said. “That’s how we know we’ve done a good job.”

This single cloud migration is one part of DOTComm’s larger plan to move all of its infrastructure, largely based on Joomla, to the cloud.

“Five years ago as we looked at that environment — all those websites were hosted in our environment, which was very aged … it was down-level,” Kruse said. “We were having denial-of-service [attacks], we were having outages, and it was very frustrating.”

Rather than invest millions of dollars in new on-premise infrastructure, Badal suggested hosting the websites in the cloud and using third parties to update and maintain the code. Today, DOTComm runs about 80 sites of the 200 websites it supports on AWS and has a road map to migrate the rest. On average, it moves three to four sites per month to Amazon.

“They all run on a same version, same platform,” Badal said. “They have multilayer security, they are secure, scalable, and then it’s cut down costs significantly because we auto scale.” DOTComm uses Google Analytics to keep an eye on traffic from each and every site. “During peak hours, we scale up our services on Amazon, and during off hours, we scale it down,” he added.

From a business perspective, the move is a boon, Kruse said. It has allowed DOTComm to absorb the costs into its operating budget, rather than charge them to capital expenditures. That “drip approach” to costs also gives the commission more direct control, he said.

“From a business perspective, from my perspective, that has been the biggest advantage of going to AWS,” Kruse said. “It’s more than just, ‘We invested X and get a return of Y.’ It’s far more simple for us.”

DOTComm was a finalist for Amazon’s City on a Cloud Challenge in 2016 for its overall efforts and a finalist again this year for its work with the Board of Equalization. “It’s that movement up the maturity curve that we’re really taking advantage of now,” said Kruse, adding that it shows how the commission is now “more surgical in using specific services to maximize the cost-benefits ratio.” DOTComm was able to take a really important function of the Board of Equalization “and make that operate even more efficiently than we could have in the past.”

When DOTComm began planning for the cloud, it asked city of Omaha and Douglas County managers to list their most vulnerable assets so it could prioritize the systems that would migrate first.

“Everything’s going to go eventually,” Kruse said. “We’re not just stopping at applications. We’re looking at our entire storage environment,” he said.  “We’re looking at all different ways to continue to take advantage of what we think has been a really good win for the city and the county and the citizens.”

About the Author

Stephanie Kanowitz is a freelance writer based in northern Virginia.

Choosing Windows for your organization should get you fired

Original Article Here

In the wake of yet another ransomware attack—this time named NotPetya—I have a special message specifically for those of you working in organizations that continue to run Microsoft Windows as the operating system on either your servers or your desktops:

You are doing a terrible job and should probably be fired. 

I know. That’s harsh. 

But it’s true. If you haven’t yet replaced Windows, across the board, you absolutely stink at your job. 

For years, we’ve had one trojan, worm and virus after another. And almost every single one is specifically targeting Microsoft Windows. Not MacOS. Not Linux. Not DOS. Not Unix. Windows. 

Wannacry managed to infect hundreds of thousands of highly vulnerable Windows installations around the globe. It was a huge problem for many major institutions that fill their organizations with the operating system from Redmond, Washington. 

But did you learn your lesson? No. 

Then another bit of ransomware comes along, called NotPetya, and manages to take out critical systems at freaking Chernobyl. Also airports and banks. Oh, and hospitals. Can’t forget about the hospitals. 

Sure we could freak out right now about the fact that our nuclear reactors, airports, banks and hospitals have either already had their systems compromised or are in danger of it happening soon. But what we really need to do is look at why. What decisions have been made by these organizations that allowed them to become vulnerable to these attacks. 

What all these cyber attacks have in common

There is one commonality. Go ahead. Take a guess at what it is. 

Yep. They decided to implement Microsoft Windows either as their server platform or as their system for desktop deployments across their organization. 

I’m not going to mince words here: At this point, with all of the damage we’ve seen caused by people running Windows, there is simply no further excuse for not migrating your organization’s vital systems away from MS Windows and onto a demonstrably more secure platform.

Right now, I’m hearing many Windows apologists yelling at their screen—shouting justifications for why this is happening and why it’s not really Windows’ fault. Maybe people weren’t doing a good enough job upgrading their systems quickly. Maybe they put off patching their system because they didn’t want the downtime. Perhaps the popularity of Microsoft Windows makes it a bigger target for hackers. 

The justifications are pointless. Maybe the points are true. Maybe they aren’t. But if you, personally, are responsible for deciding what platform is deployed across a company/organization and you knowingly choose the one that is measurably more likely to be hacked/compromised—you made a bad choice. 

Anything is more secure than Windows—even DOS

I’m not here to tell you to use one alternative to Windows over another. I have my personal preferences, but the reality is that almost anything (and I mean ANYTHING) will likely be more secure than Microsoft Windows. 

Case in point: I run a BBS (a text-based online service people used to dial into with modems before the internet was a thing) as a hobby project. The software I run for that BBS hasn’t been updated since the mid-1990s. That BBS runs on DOS (that’s right—old-school DOS). It’s an operating system that doesn’t really have any security of any kind. People connect to it via Telnet—a protocol that is about as wide open and unprotected as a broken barn door. 

Yet it has never once, in many years, been hacked into in any way. People have tried. I’ve seen script kiddies attempt to hack their way into it with their bots and l33t skillz. They always fail—despite being a system that has, quite literally, the worst security imaginable and is running software that hasn’t been updated in over two decades. 

All of that means, in very real terms, that our nuclear reactors would be safer on a DOS system with zero security than running Windows. 

That may be an outlandish sounding statement, but prove me wrong. Show me the massive ransomware attacks against DOS, Linux or MacOS systems. Show me it happening month after month, day after day, like it does with Windows. 

Can’t do it? Then you need to migrate off of Windows and to something else. (I recommend some variation on Linux or *BSD.)

And you better hurry. Because the next major, successful attack is, if history is any guide, literally no more than a few weeks away.

How agencies nurture digital transformation

Original Article Here

Even with increasingly tight budgets, agencies are finding ways to spur digital innovation, according to former and current federal officials who shared their insights on creative ways to move digital transformation forward at a recent Washington event.

The Department of Agriculture’s Animal and Plant Health Inspection Service, for example, is moving its permitting process to an electronic system. ePermits is a web-based system that allows users to submit permit applications for import/interstate movement of animals, plants and biologics. Users can also track applications, apply for renewals and amendments and receive copies of their permits.

“There was a decision by our leadership to tackle permits because it had the most significant impact on our operations, but it was more complex than we imagined,” APHIS CIO Gary Washington told the audience at a June 27 FCW event.  “We wanted to get to the point that a permit was delivered in days or minutes versus months, and in some ways we have achieved that.”

One of the key components to moving to ePermits was getting APHIS senior management involved in the decision making.  While the transition was difficult for agency employees at the start, Washington said the agency set up a digital services support office to address staff concerns, and more people got onboard with the process over time.

For other agencies interested in overhauling their systems, Washington suggested creating a business case first that will drive the selection of technology providers rather than jumping into a business partnership without knowing your technological needs.

“You need to take this process in small chunks, and it has to be a participative process with your stakeholders and business folks,” Washington said.  “You are not going to swallow the whole elephant right away, so you need to pick some low-hanging fruit and allow those processes to be successful before you build on top of them.”

Casey Coleman, senior vice president of government solutions at Salesforce and a former CIO for the General Services Administration, said she found senior executives needed to be engaged in the process in order to move toward the GSA’s goals of more shared services.  To make employees feel they had more control over their purchasing, she said, GSA instituted a waiver process to help managers get the tools they needed to improve their workflows.

“We created a waiver process to tell senior executives that they can sign off on any technology purchase that they deem their organization needs, but by co-signing they were asked to be mindful that through taxpayer dollars our mission is to standardize and cut costs to become more efficient,” Coleman said. 

Over her six-plus years with the agency, Coleman said, approximately 100 waivers were signed, and the process encouraged GSA officials to be active participants in the agency’s goal to become more efficient.

Over the years, GSA rolled out a customer service plan that used Salesforce to manage and monitor customer relationships across GSA along with a common knowledge database that provided answers to top questions from various federal agencies.

“We didn’t have any money in the budget, and I was able to find a way to spend $100,000 to create some targeted FAQs and a knowledge base,” Coleman said.  “It made everyone feel like real progress was being made.”

At the White House, Rusty Pickens, now managing director at 508 Strategies, described how important training can be when introducing new software.  

While the majority of the Obama White House employees were young digital natives, Pickens found they needed additional training to ensure they fully understood how to use the new email system that was turned on in October 2013.

“I underestimated … in thinking that we could just hand them software as a service that is going to be pretty easy for them to use with very minimal training,” said Pickens, who served as the acting director for new media technologies at the White House for four years. “My big takeaway from it was to provide twice as much training and change management as you think that you are going to need upfront.”

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at or follow her on Twitter @SaraEFriedman.

‘Little Hope’ to Recover Data Lost to Petya Ransomware

Original Article Here

Join Kaspersky Lab and Comae Technologies Thursday June 29, 2017 at 10 a.m. Eastern time for a webinar “The Inside Story of the Petya/ExPetr Ransomware.”

Fewer than 50 ExPetr/Petya ransomware victims have paid approximately $10,200 in Bitcoin so far in the hopes of unlocking encrypted hardware and recovering scrambled files.

It’s likely not going to matter much.

Researchers at Kaspersky Lab have discovered an error in the malware’s code that prevents recovery of data. This, combined with the German email provider Posteo shutting down the attacker’s email address, which prevents victims from contacting the attacker to verify payments, has left thousands of victims in dire straits.

“Our analysis indicates there is little hope for victims to recover their data,” Kaspersky Lab said in a statement. “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.”

The issue is the lack of an installation ID that contains the information necessary for key recovery, Kaspersky Lab said. The original Petya infections, for example, contained the necessary installation ID.

“ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption,” Kaspersky Lab said. “In short, victims could not recover their data.”

The ransomware contains a wiper component that overwrites the Master File Table and Master Boot Record of infected machines. This type of destructive behavior is atypical of ransomware and has led one prominent researcher to speculate that the ransomware aspect of Tuesday’s attack was a cover.

“The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon,” Comae Technologies’ Matt Suiche wrote in an analysis published today. “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”

Meanwhile, the ShadowBrokers, the mysterious group responsible for the leak of the NSA exploits responsible for spreading yesterday’s ransomware as well as WannaCry, took a new, more hostile tone in a post today.

The messaging was part marketing of its monthly data dump subscription service and part attack against a person on Twitter it refers to as “Doctor.” The ShadowBrokers allege this individual is a former NSA Tailored Access Operations agent who carried out operations against interests in China.

The ShadowBrokers say “Doctor” is the cofounder of a new venture-funded security company and threaten if this person does not subscribe to its July dump, the group may dox him. From today’s announcement:

“TheShadowBrokers is thinking this outcome may be having negative financial impact on new security companies international sales, so hoping ‘doctor’ person and security company is making smart choice and subscribe. But is being ‘doctor’ persons choice. Is not being smart choice to be making ugly tweets with enough personal information to DOX self AND being former equation group AND being co-founder of security company.”

The ShadowBrokers also said it has received small payments from a hidden service URL which the group called out as possibly being the FBI. A comment posted to the ShadowBrokers’ site, however, refutes that allegation and claims they are instead an operator on the Dark Web and the payment was a gesture toward a future business relationship.

Microsoft Issues ‘Important’ Security Fix for Azure AD Connect

Original Article Here

Microsoft is warning customers of a bug in its Azure Active Directory Connect product that could allow an adversary to escalate privileges and reset passwords and gain unauthorized access to user accounts.

The advisory (4033453) was issued Tuesday via Microsoft’s TechNet website for the vulnerability, which it rated “important.” The advisory includes ways to determine a company’s exposure to the vulnerability. Remediation includes upgrading to the latest version of Azure AD Connect (1.1.553.0).

Azure Active Directory Connect is Microsoft’s tool for monitoring the status of a network’s synchronization (federation) between a local (on premises) Active Directory and a cloud-based Azure Active Directory (Azure AD).

“The update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement,” according to the advisory. “An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts.”

Microsoft explains that the password writeback feature is a component of Azure AD Connect that allows users to configure Azure AD to write passwords back to their on-premises AD user accounts. “When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts),” it wrote.

The risk is presented if a malicious Azure AD Administrator resets the password of an on-premises AD user privileged account to a known password value using Password writeback. That could lead to a malicious Azure AD Administrator gaining privileged access to a customer’s on-premises Active Directory, Microsoft said.

Verifying exposure to the vulnerability includes checking if Password writeback is enabled and determining whether your Azure AD Connect server has been granted Reset Password permission over on-premises AD privileged accounts.

“If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups,” according to the advisory. The advisory details the steps in full, but recommends updating to the most recent version of Azure AD Connect to fix the vulnerability.
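One way to perform the exposure check described above from the on-premises side, as an added example that is not the advisory's or Microsoft's own script: it audits whether the AD DS connector account is a member of privileged groups, and whether any ACE on AdminSDHolder or on protected (adminCount=1) accounts grants that account the Reset Password extended right. It assumes the RSAT ActiveDirectory module is installed and that $ConnectorAccount (placeholder value) is the sAMAccountName of your connector account; it does not itself confirm that Password writeback is enabled, which is the first step in the advisory.

```powershell
# Added example, not from the advisory: audit Reset Password rights held by the
# Azure AD Connect AD DS connector account over privileged on-premises accounts.
param(
    # Placeholder: replace with the sAMAccountName of your AD DS connector account.
    [string]$ConnectorAccount = 'MSOL_PLACEHOLDER'
)

Import-Module ActiveDirectory

# Extended-right GUID for "Reset Password" (User-Force-Change-Password).
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll        = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$domain   = Get-ADDomain
$account  = Get-ADUser -Identity $ConnectorAccount
$acctSid  = $account.SID
$acctName = "$($domain.NetBIOSName)\$($account.SamAccountName)"

# 1. Is the connector account itself (directly or via nesting) in a privileged group?
$privGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')
$memberOf = foreach ($g in $privGroups) {
    $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if ($grp -and (Get-ADGroupMember -Identity $grp -Recursive |
                   Where-Object { $_.SID -eq $acctSid })) { $g }
}

# 2. Return the ACEs on an object that let the connector account reset passwords:
#    an explicit Reset Password extended right, an unscoped ExtendedRight
#    (ObjectType = empty GUID, i.e. all extended rights), or GenericAll.
function Get-ResetPasswordAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $acctName -and
        (
            ((($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
             ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)) -or
            (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll)
        )
    }
}

# AdminSDHolder's ACL is stamped onto every protected account by SDProp, so a
# grant there reaches all privileged accounts; also check each protected account
# directly in case a grant was added to it since the last SDProp run.
$targets = @("CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)")
$targets += (Get-ADUser -LDAPFilter '(adminCount=1)').DistinguishedName

$findings = foreach ($dn in $targets) {
    foreach ($ace in (Get-ResetPasswordAce -DistinguishedName $dn)) {
        [pscustomobject]@{
            Object     = $dn
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType
        }
    }
}

if ($memberOf) {
    Write-Warning "$acctName is a member of privileged group(s): $($memberOf -join ', ')"
}
if ($findings) {
    Write-Warning "$acctName can reset passwords on the following privileged objects:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No Reset Password rights over privileged accounts found for $acctName."
}
```

Any hit in either list is the misconfiguration the advisory describes; the fix it recommends remains removing the connector account from those groups and upgrading Azure AD Connect.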

The Azure AD Connect vulnerability was assigned the CVE identifier CVE-2017-8613.

ExPetr/Petya/NotPetya is a Wiper, Not Ransomware

Original Article Here

After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have concluded that the threat actor cannot decrypt victims’ disks, even if a payment was made.

This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.

Below the technical details are presented. First, in order to decrypt victim’s disk the attackers need the installation ID:

In previous versions of “similar” ransomware like Petya/Mischa/GoldenEye, this installation ID contains crucial information for the key recovery. After sending this information to the attacker they can extract the decryption key using their private key.

Here’s how this installation ID is generated in the ExPetr ransomware:

This installation ID in our test case is built using the CryptGenRandom function, which is basically generating random data.

The following buffer contains the randomly generated data in an encoded “BASE58” format:

If we compare this randomly generated data and the final installation ID shown in the first screen, they are the same. In a normal setup, this string should contain encrypted information that will be used to restore the decryption key. For ExPetr, the ID shown in the ransom screen is just plain random data.

That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID.

What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.

Our friend Matt Suiche from Comae Technologies independently came to the same conclusion.

The FBI is interviewing American employees of Russia&#039;s top cybersecurity firm

Original Article Here

Photo caption: An employee works near screens in the virus lab at the headquarters of Russian cyber security company Kaspersky Labs in Moscow July 29, 2013. If you want to hack a phone, order a cyber attack on a competitor’s website or buy a Trojan programme to steal banking information, look no further than the former Soviet Union. Picture taken July 29, 2013. REUTERS/Sergei Karpukhin

The FBI interviewed at least a dozen employees of the elite Russian cybersecurity firm Kaspersky Lab on Tuesday night, visiting them at their homes on the east and west coasts to gather facts about how the company works, NBC reported on Wednesday.

The news comes just over a month after ABC reported that the FBI had launched a counterintelligence investigation into the nature of Kaspersky’s relationship to the Kremlin. A company spokesperson said the firm had not been “officially approached or notified by the bureau about an investigation,” and has long denied having any ties to the Russian government. 

“The company has a 20 year history in the IT security industry of always abiding by the highest ethical business practices, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations,” the company said in a statement.

It is unclear whether the interviews had anything to do with FBI special counsel Robert Mueller’s investigation into Russia’s interference in the 2016 election, and whether any of President Donald Trump’s associates colluded with Moscow to undermine then-Democratic presidential nominee Hillary Clinton.

Retired Gen. Michael Flynn, Trump’s former national security adviser, was paid $11,250 by Kaspersky for a speaking engagement in 2015, according to documents obtained and published by the House Committee on Oversight and Government Reform in March. Flynn was paid for the speech while he still had top-secret-level security clearance, a year after he was fired as head of the Defense Intelligence Agency.

The Senate Intelligence Committee sent a secret memo in April to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions, according to ABC, asking them to look into Kaspersky employees’ relationships with Russian intelligence and military agencies that could make it vulnerable to state-sponsored hacking.

Coats was unequivocal when the committee asked him during a hearing last month whether he would use Kaspersky’s products: “A resounding no from me,” he said.

Kaspersky, for its part, reiterated on Wednesday that it has “no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts.” The spokesperson added that the firm’s CEO, Eugene Kaspersky, has offered to testify as needed.

While the firm is often aggressive in its pursuit of foreign hackers, however, it doesn’t pursue alleged Russian cyber operations “with the same vigor,” according to a 2015 Bloomberg investigation.

Eugene Kaspersky, the firm’s billionaire founder and CEO, was educated at a KGB-sponsored cryptography institute before working for Russian military intelligence. He reportedly maintains relationships with former and current Russian intelligence officials, but has pushed back against claims that his company works with the Kremlin.

A new model for government cloud security

Original Article Here

Over the past several years, the federal government has embraced the cloud as a way to manage IT assets and operations. Yet while today’s leading cloud platforms adhere to the specific federal access and usage regulations, agencies must still be vigilant about monitoring their security and compliance.

With the proper cloud solution, agencies can take advantage of automatic compliance with critical requirements like the International Traffic in Arms Regulations and Federal Risk and Authorization Management Program and leverage built-in controls and compliance automation for National Institute of Standards and Technology Security Publication (SP) 800-53, Department of Defense Security Requirements Guide IL4 and both physical and technical security.

To get the most out of such solutions, however, agencies must take a thoughtful and judicious approach to managing security in the cloud.

A new model for security

Public clouds operate according to a shared responsibility model for security in which cloud service providers implement security of the cloud, while customers are responsible for security in the cloud. Agencies, therefore, must first understand that their security now has two levels. First, they have to secure their own “stuff,” everything related to the data they work with, whether that’s data in their own repositories or transactions conducted through application programming interfaces and connectors. It also includes the platforms, applications and access/authorization of any aspect of their IT landscape. Second, agencies must monitor the compute, storage, database and networking services of their cloud provider. The cloud environment contains an agency’s most valuable assets, and it is very clearly the agency’s responsibility to manage and secure it.

Security insight means constant awareness not just of data and applications but also how they are functioning within the cloud environment. In other words, it’s about the data, but it’s also about how the data is being treated in the cloud. Hackers don’t care where data resides, they just want an easy way to get in and access it. When sensitive, confidential or even classified data and assets are at stake, as they will be for government agencies, cloud managers must provide assurances that they can identify issues before they become disasters. Even with rigorous security management from the CSP, agencies must automate their view into, and plans for fixing, risks that arise in their cloud infrastructure.

Increased visibility

A study sponsored by the SANS Institute, Orchestrating Cloud Security, surveyed almost 500 enterprise IT department employees about their cloud infrastructures. It discovered that while 40 percent of organizations said they store or process sensitive data in the cloud, fully one-third of the survey participants said they do not have enough visibility into their public cloud providers’ operations. Cloud providers can demonstrate excellent track records, but agencies cannot presume that a CSP can monitor their intellectual property as well as they can.

A lack of clarity prevents some agencies from being able to fully use their cloud for fear of vulnerabilities. The inability to continuously monitor the state of their data and operations is a major cause of concern among IT leaders because they are on the hook for reducing vulnerabilities of their resources. If they can’t spot potential problems or know how a CSP is affecting them, they are failing in their role as protector of their organization’s assets.

Malicious cyber behavior and inadvertent, non-malicious mistakes are both hard to anticipate, so agencies have to treat security and compliance as a continuous priority rather than a point-in-time exercise. Threat intelligence, combined with continuous monitoring and automated response, is the most effective way to stay ahead of attackers, and cloud users have to embrace this mindset and assign staff and tooling to the task.

Embedding security into operations

Federal cloud users that want to increase delivery speed, quality assurance and overall operations have benefitted from a DevOps approach. Although it can help them quickly achieve service mandates, in too many organizations DevOps has the undesired side effect of shortchanging security. For a team dedicated to quick development, detailed security work often gets bypassed in favor of shortcuts and quick fixes that can lead to major vulnerabilities. Security, both as an approach and as a tactical activity, must be embedded into the DevOps process, and security requirements must be stated specifically enough that the DevOps group can build them into the pipeline rather than treat them as an afterthought.

Cloud users must take care to assess all new data and application connectors within the context of controls and compliance requirements that were addressed at initial development. As the development is iterative, so too must be security practices that keep the environment safe and compliant. For agencies using a cloud service, this means updating their defense strategy with the limitations and requirements needed to operate in the cloud. It also means that if they adapt both their development and security operations, they can take advantage of continuous monitoring and automated remediation.
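The "continuous monitoring and automated remediation" the article recommends is easiest to see as policy-as-code: a check that runs against the current resource configuration on every pipeline run, maps each failure to the control it violates, and fixes only what is safe to fix automatically. The following is an added example written for this page, not code from the article or from any CSP. The inventory, resource names and field names are constructed; the SP 800-53 control identifiers (SC-28, AC-3, AU-2, SC-8) are real, but the one-field-per-control mapping is a simplification chosen for the illustration.

```python
from dataclasses import dataclass

# Constructed inventory: the flattened view a CSP configuration API or an
# infrastructure-as-code state file would give you (example data only).
INVENTORY = [
    {"id": "bucket-case-files", "type": "object_store", "encrypted_at_rest": False,
     "public_access": True, "access_logging": False, "tls_only": True},
    {"id": "db-benefits", "type": "database", "encrypted_at_rest": True,
     "public_access": False, "access_logging": True, "tls_only": True},
    {"id": "bucket-audit-archive", "type": "object_store", "encrypted_at_rest": True,
     "public_access": False, "access_logging": True, "tls_only": False},
]

# (SP 800-53 control, inventory field, required value, message).  The control
# IDs are real; tying one field to one control is a simplification for the example.
RULES = [
    ("SC-28", "encrypted_at_rest", True,  "data at rest is not encrypted"),
    ("AC-3",  "public_access",     False, "anonymous/public access is enabled"),
    ("AU-2",  "access_logging",    True,  "access logging is disabled"),
    ("SC-8",  "tls_only",          True,  "non-TLS connections are accepted"),
]


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    message: str
    field: str
    required: object


def evaluate(inventory):
    """Run every rule over every resource; a missing field counts as a failure."""
    return [Finding(r["id"], control, msg, key, req)
            for r in inventory
            for control, key, req, msg in RULES
            if r.get(key) != req]


def remediate(inventory, findings, auto_fix_controls):
    """Return (new_inventory, applied).  Only findings whose control is listed in
    auto_fix_controls are changed; the rest stay open for a human decision, since
    e.g. turning on encryption for a live store may require a data migration.
    The input inventory is not modified."""
    fixed = {r["id"]: dict(r) for r in inventory}
    applied = [f for f in findings if f.control in auto_fix_controls]
    for f in applied:
        fixed[f.resource][f.field] = f.required
    return [fixed[r["id"]] for r in inventory], applied


def report(findings):
    """Group open findings by control, which is how an assessor wants to read them."""
    by_control = {}
    for f in findings:
        by_control.setdefault(f.control, []).append(f.resource)
    return by_control


if __name__ == "__main__":
    open_findings = evaluate(INVENTORY)
    for f in open_findings:
        print(f"{f.control:6} {f.resource:22} {f.message}")
    inventory, applied = remediate(INVENTORY, open_findings, {"AC-3", "AU-2"})
    print(f"auto-fixed {len(applied)}; still open: {report(evaluate(inventory))}")
```

Run on the constructed inventory, the check reports four failures; auto-fixing the access and logging controls closes two and leaves the encryption and TLS findings open for a change ticket, which is the split between "remediate automatically" and "escalate" that a pipeline gate needs.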

Although the cloud can be an essential tool for federal agencies in terms of operations and efficiency, there are still many compliance and security requirements they must meet. Organizations using the cloud should be thoughtful in adopting security solutions that surround their cloud engagement.

About the Author

Sebastian Taphanel is a principal solutions architect with

Biz Blog | LexisNexis®

Original Article Here

Reputation management, one of the major branches of modern public relations, is at its most important when a crisis strikes. If a brand you’re representing comes into bad press, your efforts to burnish the company’s image will face a major test. There are really two kinds of actions that will… Read More

From 1983 until 1994, PBS aired The Joy of Painting , which featured the always good-natured Bob Ross demonstrating wet-on-wet oil painting. While it doesn’t sound like a show that would attract a large audience, the show—and Bob’s folksy, conversational teaching style—enjoyed… Read More

How many people are seeing your PR messages? This is likely one of the first and most important metrics you check with media analytics once your pitch reaches the masses. While this is a good start, however, it’s premature to call a campaign a success until you’ve determined whether… Read More

Fictional detective Sherlock Holmes is frequently quoted in forums and blogs related to competitive intelligence (CI). After all, he was obsessed with data. In The Boscombe Valley Mystery, for example, Holmes says, “You know my method. It is founded upon the observation of trifles.” He isn’t… Read More

Crisis management is the kind of PR skill where companies learn more from bad examples than good ones. Your department or agency should, therefore, be taking notes concerning United Airlines and the way it handled the forcible removal of a passenger from one of its overbooked flights. We’ve compiled… Read More

Public relations operations are a little different today than in the past, and failing to take the changes into account could harm your agency or department. Skills that were highly relevant only a few years ago could fail you now, and progress in the industry could be tied to your ability to evolve… Read More

The media research you perform as a PR professional has perhaps never been as important as it is today. Getting your message in front of an interested audience is still valuable, but the players on the news landscape are not the same as they have been. The rise of fake news and deliberate misinformation… Read More

When the Academy Awards ceremony takes place, millions tune into the pageantry and excitement of the big night. Of course, as a PR professional, you have your own perspective of Hollywood’s celebration of itself. There are plenty of lessons and useful tactics embedded in the endless campaigns actors… Read More

Below is a guest post from LexisNexis’s Thomas Stoeckle, who heads up the Small Data Forum podcast — a podcast that makes big data less intimidating, more actionable and thus more valuable. Episode 6 of the Small Data Forum podcast continues the discussion from our 2016 year-end edition, which… Read More

“Fake news” – those are the words on the lips of everyone from the president of the United States to other global leaders and citizens around the world. There is confusion about what exactly people mean when they talk about fake news, but it’s indisputable that incorrect information is… Read More

Creating PR campaigns and placing stories that reflect the season or any relevant holiday are tactics pulled right from the public relations playbook. Valentine’s Day provides so many opportunities to connect brands with emotions, and pros shouldn’t let it pass them by. Even when the holiday… Read More

Recently, more than a billion people celebrated the ringing in of the Year of the Rooster, and brands around the world cashed in by promoting their products and services. The geographic reach of Chinese New Year or Spring Festival promotional tie-ins is growing as population spreads, going from China… Read More

Not understanding mistakes often leads to repeating them. This means that one of the most important things public relations departments or agencies can do after a negative story breaks is to carefully go over the event and move forward with a renewed approach to communication. It only takes one slip… Read More

In an already confusing landscape of post-truth and fake news, President Trump’s administration recently added to the quagmire by using the phrase ‘Alternative Facts’. With the public becoming more skeptical by the minute, reputation has never been so valuable nor so easily lost. Building… Read More

When a disaster or bad publicity strikes a company, PR agencies and departments earn their keep. Of course, not every organization will thrive under tough circumstances. These events separate good PR teams that can provide positive return on investment from those that struggle. The media landscape… Read More

With a whole new year stretching out in front of you, it’s time to take stock of what trends and changes your department or company is going to face in the months ahead. The next steps for the Public Relations universe will likely include a few continuing trends from 2016, alongside a few long-gestating… Read More

Every calendar year is full of inspiring successful Public Relations campaigns – and some embarrassing mistakes. While the latter category may be promotions those companies would rather forget, they offer strong educational lessons for the rest of the PR community. Critically looking back Companies… Read More

When you’re working on PR pitches to the media between major events or product launches, you may wish you had a magic spell up your sleeve. Your job is essentially to conjure something valuable – favorable coverage – out of thin air. It’s time to believe in magic. This kind of hype-building… Read More

Coordinating a global PR strategy can sometimes seem like a Sisyphean struggle. When cornerstone ideas of your company’s (or client’s) brand don’t cross international borders, there’s a temptation to either limit your reach or cook up completely different strategies for each territory… Read More

This post was guest written by Brandon Teeple, a junior at Wright State University. The Millennial Generation, those who are born between the early 1980s and early 2000s, have recently become the largest generation in the U.S. They range anywhere from recent high school or college graduates to critical… Read More

The case could certainly be made that no other presidential race in memory or potentially history has received so much media attention—and, let’s face it, felt so much like a reality TV show—as this one. Now that the election is one for the record books, let’s take a look at how… Read More

It’s not enough to only score Public Relations victories when there is a new product to promote or a major news event to link. Keeping excitement for a brand at a simmering level for a long time keeps companies in touch with news providers and the public at large, and there are plenty of actions… Read More

The race is tight, so coloring in the electoral map has proven to be an arduous task. Media monitoring and social media analysis may help to color in some of those states by providing a glimpse into voter sentiment and enthusiasm that polls might not capture. Take a look at a guest blog post brought… Read More

What a difference a year and even a week makes. When we started tracking the presidential election coverage a year and a half ago, we aimed to test a few theories: Higher media coverage would lead to better poll results Social media would play a role in the election Swing states would reign… Read More

The temptation to use Halloween and the entire month of October as a tie-in to new product launches is great for brands, as the season’s themes are wide-ranging, fun and unabashedly commercial. That said, PR firms and departments need to be careful at this time of year. Without a keen and up-to-date… Read More



News in brief: Wimbledon adds AI; four arrested over support scams; Russia threatens to block Telegram

Original Article Here

Your daily round-up of some of the other stories in the news

IBM adds AI to Wimbledon tennis

The Wimbledon tennis tournament is one of the great global sporting events of the year – and this year, as if the talents of the players were not impressive enough, the tournament is getting even smarter: it’s adding artificial intelligence.

Bloomberg reported on Tuesday that IBM’s Watson AI agent will help guide fans to the most exciting matches having cobbled together insights from player statistics, generate video highlights and help visitors find their way around the huge All England Lawn Tennis and Croquet Club, the iconic venue in south-west London.

Watson has been fed nearly 54m tennis data points, 6,349 articles from the Daily Telegraph and more than 11m words’ worth of interview transcripts, social media posts and Wimbledon annuals to build tools that will help both pundits and fans get the most out of the tournament, which starts on Monday.

“This year we’re using these technologies to determine what makes a great Wimbledon champion,” according to IBM.

Four arrested over support scams

We’ve had to write far too many pieces warning people about the risks of falling for scammers claiming to be from Microsoft who then install remote access software to convince anxious users they’ve got a virus and then scam them into handing over large sums of money.

So it’s good news that City of London Police, working with Microsoft, have arrested four people in the UK in connection with IT support scams.

Those arrested are a 29-year-old man and a 31-year-old woman from Woking in Surrey, and a 37-year-old man and a 35-year-old woman from Tyneside. The pair from Surrey have been bailed, while the two from Tyneside were released pending further inquiries.

Commander Dave Clark of City of London Police said: “These arrests are just the beginning of our work, making the best use of specialist skills and expertise from Microsoft, local police forces and international partners to tackle a crime that often targets the most vulnerable in our society.”

Russia turns up the heat on Telegram

Russia is threatening to block access to Telegram, the encrypted messaging app, saying it had been used to carry out the suicide bombing on the St Petersburg metro in April, which killed 16 people.

Reuters reported that Roskomnadzor, Russia’s communications regulator, had said at the end of last week that it would block the app unless it handed over the information needed to put the app on the government’s official register of information distributors.

Telegram’s founder, Pavel Durov, has resisted handing over the information, and added that Russian authorities had also asked for the ability to decrypt user messages. The FSB, the successor to the KGB, said on Monday that the app gave “terrorists the opportunity to create secret chat rooms with a high degree of encryption”.

Durov said that Telegram had already blocked thousands of terrorist-related channels, and pointed out that if the authorities block Telegram, users will move to another app. “If you want to defeat terrorism by blocking stuff, you’ll have to block the internet,” he said.


Half of Ransomware Victims Suffer Repeat Attacks

Original Article Here

Half of ransomware victims are likely to get hit again as threat actors change their strategies to target servers and accelerate the spread of ransomware.

Half of ransomware victims have been hit with attacks multiple times. Most (82%) of organizations believe ransomware attacks are on the rise.

These findings come from security firm Druva, which surveyed 832 IT pros across the globe to learn about their current responses to, and predictions for, ransomware attacks. Its Annual Ransomware Report shows this threat is evolving faster than businesses can keep up.

It’s worth noting this data was consistent across businesses of all sizes, and all are struggling with the same issues. Half of the organizations surveyed had fewer than 1,000 employees, 31% had 1,000 to 10,000 employees, and 19% had more than 10,000 employees.

It’s getting harder to prepare for attacks as threat actors adopt more advanced tactics. This week’s global ransomware outbreak, the second of its scale in the last two months, has proven more professional and harder to stop than the WannaCry attack in May.

“What we see is, a lot of businesses are caught in the headlights,” says Dave Packer, Druva VP of corporate and product marketing, who led the research for Druva’s report. “Their ability to reach and build out proper protection infrastructure is being compromised by rapid morphing of ransomware attacks.”

It’s critical for IT teams to detect potential attacks as quickly as possible, yet researchers found about 40% of the time, more than two hours pass before IT becomes aware of the problem.

Sometimes this is because the ransomware was delivered through the mistake of an end user, who may be reluctant to notify IT. Other malware operates on a time-release basis, meaning it spreads among devices without encrypting data or causing other issues to attract attention.

The latter type lies dormant for two to three weeks, says Packer, and in that time it collects information about how the system works. It attacks after it has made minor system tweaks to ensure it has the largest impact, and businesses don’t know when the initial infection appeared.


The speed and spread of ransomware

Once it finds an entry point, ransomware moves quickly. One infected machine can sync to a shared file server or cloud application, driving the spread of malware to all devices connected to that share. Respondents said 70% of ransomware attacks affected multiple devices.
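The two-hour detection gap and the spread through shared file servers point at the same control: watch the file share itself, not just the endpoints. Ransomware that reaches a share produces a burst of writes and renames from one user and host, usually changing file extensions as it goes, and it tends to enumerate directories in order, which is why a decoy "canary" file placed early in the listing is a cheap tripwire. The following is an added example written for this page, not code from Druva or the article; the audit-log line format, the paths, the user and host names and the thresholds are constructed for the illustration, so map them onto whatever your file server or EDR actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed file-server audit records (example format, not a vendor's):
#   <iso timestamp> user=<u> host=<h> op=<WRITE|RENAME|DELETE|READ> path=<p> [-> <newpath>]
SAMPLE_EVENTS = (
    [f"2017-06-27T09:14:0{i} user=alice host=WS-102 op=RENAME "
     f"path=//fs01/finance/report{i}.xlsx -> //fs01/finance/report{i}.xlsx.locked"
     for i in range(9)]
    + ["2017-06-27T09:14:09 user=alice host=WS-102 op=WRITE path=//fs01/finance/.canary-do-not-touch.txt"]
    # a log writer appending to the same file many times is not a burst of distinct files
    + [f"2017-06-27T09:15:0{i} user=charlie host=WS-044 op=WRITE path=//fs01/logs/app.log"
       for i in range(10)]
    + ["2017-06-27T09:20:00 user=bob host=WS-009 op=WRITE path=//fs01/hr/onboarding.docx",
       "2017-06-27T09:20:01 user=bob host=WS-009 op=RENAME path=//fs01/hr/onboarding.docx -> //fs01/hr/onboarding-v2.docx",
       "this line is not an audit record and is skipped"]
)

LINE = re.compile(r"^(\S+) user=(\S+) host=(\S+) op=(\S+) path=(\S+)(?: -> (\S+))?$")

WINDOW_SECONDS = 10        # sliding window per (user, host)
BURST_THRESHOLD = 8        # distinct files changed inside the window before we alert
CANARY_MARKER = "/.canary-" # decoy files seeded where an encryptor enumerates first


def parse(line):
    """Return an event dict, or None for lines that are not audit records."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, user, host, op, path, newpath = m.groups()
    return {"ts": datetime.fromisoformat(ts), "actor": f"{user}@{host}",
            "op": op, "path": path, "newpath": newpath}


def ext(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    alerts = []
    recent = defaultdict(deque)   # actor -> deque of (ts, path, extension_changed)
    already_alerted = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        # Rule 1: any touch of a canary file is an immediate alert, no threshold.
        if CANARY_MARKER in ev["path"] or (ev["newpath"] and CANARY_MARKER in ev["newpath"]):
            alerts.append({"rule": "canary_touched", "actor": ev["actor"],
                           "at": ev["ts"].isoformat(), "path": ev["path"]})
        if ev["op"] not in ("WRITE", "RENAME", "DELETE"):
            continue
        changed = (ev["op"] == "RENAME" and ev["newpath"] is not None
                   and ext(ev["path"]) != ext(ev["newpath"]))
        q = recent[ev["actor"]]
        q.append((ev["ts"], ev["path"], changed))
        while q and (ev["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        # Rule 2: many *distinct* files modified by one actor in a short window.
        files = {p for _, p, _ in q}
        if len(files) >= BURST_THRESHOLD and ev["actor"] not in already_alerted:
            already_alerted.add(ev["actor"])
            alerts.append({"rule": "mass_modification", "actor": ev["actor"],
                           "at": ev["ts"].isoformat(), "files": len(files),
                           "extension_changes": sum(1 for _, _, c in q if c)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the burst rule fires for alice at the eighth rename (eight distinct files, all with a new extension, inside ten seconds) and the canary rule fires two seconds later; charlie's ten appends to one log file and bob's ordinary edit produce nothing. Counting distinct files rather than raw operations is what keeps the first case quiet, and the `extension_changes` count is the field an analyst reads first to decide whether the burst is an encryptor or a bulk copy.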

Packer says it’s worth noting 33% of ransomware attacks hit corporate servers, which are becoming popular targets as they become more critical to operations. Experts anticipate servers will continue to be targets if they aren’t regularly patched.

The cloud is susceptible to ransomware, he explains, because of the way it’s architected. Organizations are most vulnerable to ransomware when they take their on-premise models and move them to the cloud. Native cloud models are less likely to experience ransomware attacks.

“In the news, we don’t see as much coverage of server-side [ransomware] as endpoint-side, but this is a problem,” Packer continues. It creates a mess for businesses, he says, because recovery has to be well thought-out; it’s not as simple as recovering an end-user device.

What can be done?

Most (82%) of respondents rely on backup data to recover from ransomware attacks and get their businesses back up and running. This is more reliable than paying ransoms, which only 5% of respondents report doing. Many victims who pay a ransom don’t actually receive their data back, or receive a demand for a second ransom.

“From our perspective, businesses should start looking at the cloud for secondary copies of data,” says Packer. There is “no easy frontline solution” to ransomware. While malware detection is useful and solves a big part of the problem, many systems aren’t prepared for the rapid changes in ransomware attacks.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.


Strawberrynet’s privacy insanity

Original Article Here

A little while back, I wrote about Website enumeration insanity and how our personal data was being mishandled. In a nutshell, an enumeration risk boils down to a feature on a website allowing anyone to “ask” if a user exists on the website with the site then returning a positive or negative response. For example, to this day you can go to Adult Friend Finder’s password reset page, plug in anyone’s email address and they’ll happily tell you if they’d signed up for a bit of swinger sex action. (Or at least whether their address is on the site, someone else could have entered it into the registration form. Honestly…)
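The two failures the post goes on to describe are worth seeing side by side: a reset or lookup endpoint whose answer depends on whether the address is registered (enumeration), and an "express checkout" that hands stored personal details to whoever types in the address (disclosure, with the e-mail address doing duty as the password). The following is an added example written for this page, not code from the post or from any site it names. The customer record, the endpoint names and the token flow are constructed; the hardened version answers identically and does the same work for known and unknown addresses, and prefills stored details only after the caller proves control of the mailbox with a single-use token.

```python
import hashlib
import hmac
import secrets
import time

# Constructed customer store (example data, not real people).
USERS = {
    "alice@example.com": {"name": "Alice Example", "address": "1 Sample Street",
                          "card_last4": "4242"},
}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


# --- the leaky pattern the post describes -----------------------------------
def leaky_reset(email):
    # The wording differs, so anyone can test whether an address is registered.
    if email in USERS:
        return "A password reset link has been sent."
    return "No account exists for that address."


def leaky_express_checkout(email):
    # Anonymous caller supplies an address and gets the whole stored record back.
    return USERS.get(email)


# --- hardened version -----------------------------------------------------------
_PENDING = {}       # email -> (sha256(token), expiry); server-side state, token stored hashed
TOKEN_TTL = 900     # seconds


def safe_reset(email, outbox):
    """Identical response for known and unknown addresses.  Token generation and
    hashing happen in both branches so response time does not leak the answer
    either; only the mailbox owner ever learns whether the address is registered."""
    token = secrets.token_urlsafe(32)
    digest = _digest(token)
    if email in USERS:
        _PENDING[email] = (digest, time.time() + TOKEN_TTL)
        outbox.append((email, token))      # stand-in for sending the e-mail
    return "If an account exists for that address, a reset link has been sent."


def redeem(email, token):
    """Single-use, expiring proof that the caller controls the mailbox."""
    entry = _PENDING.get(email)
    if entry is None:
        return False
    digest, expires = entry
    if time.time() > expires or not hmac.compare_digest(digest, _digest(token)):
        return False
    del _PENDING[email]
    return True


def safe_express_checkout(email, token):
    """Stored details are prefilled only after a valid token; never from the address alone."""
    if redeem(email, token):
        return USERS.get(email)
    return None


if __name__ == "__main__":
    outbox = []
    print(safe_reset("alice@example.com", outbox))
    print(safe_reset("nobody@example.com", outbox))   # same text, nothing sent
    print(safe_express_checkout("alice@example.com", outbox[0][1]))
```

The reset endpoint still needs rate limiting per address and per source, since the constant response only removes the oracle, not the ability to flood mailboxes; and the token must be compared with `hmac.compare_digest` and stored hashed, exactly as a password would be, because a database leak would otherwise turn every pending token into a login.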

Now all that’s bad, but as I pointed out in the aforementioned blog post, it can also be a whole lot worse. I called out a couple of bad examples but chief among those was Strawberrynet who happily returned the following information when entering someone else’s address into the express checkout form:

Personal details shown

Yes, that’s exactly what it looks like, no this is not after logging in (anyone can anonymously retrieve the same data) and yes, they knew about this. Turns out it’s a “feature” and I included multiple quotes from them in the original blog post supporting their design decision. These quotes included justifying the feature due to the presence of SSL, that it’s OK because they’re PCI DSS compliant, that they’d run surveys and “a huge majority of customers like our system with no password” and my personal favourite:

Using your e-mail address as your password is sufficient security

But it seems that public pressure eventually got to them and sure enough, they acknowledged there’s a problem with the process:

Now I was a bit hesitant to take this at face value because they’d made murmurings along these lines in the past but wouldn’t you know it, they did actually end up addressing the privacy concerns people had. But it has to be seen to be believed and I’d like to share it here for you, dear reader, in all its glory:

Woah! Wow! Did that just…? I mean the asterisks for obfuscation but then the text boxes and… but… how?! Why?!

Now all I did here was enter a very common female name and wammo! There’s all her data – but it’s obfuscated. Changing the billing address showed all the data not obfuscated until the secret-ninja-client-script kicked in and hid it all from prying eyes. Very sneaky! But of course the data is still there in the fields anyway, however… those first and last names aren’t really befitting of a woman now, are they? But anyone can edit the billing address so clearly someone has taken a few liberties with the poor girl’s details.

I took a brief look at their HTML source in an attempt to better understand their thinking but, well, yeah:

It’s one of those cases where a very distinct pattern emerges that tells a very sad software development story, a story of someone’s brother’s cousin’s aunt’s dog doing a bit of web dev and offering to help out. In this case though, it’s helping out to build an international ecommerce platform targeting customers across the globe. That actually makes things a bit more interesting because in May next year, that will put them clearly in the sights of GDPR and European Data Protection Authorities don’t tend to have much of a sense of humour about these things. Maybe a stiff penalty will finally knock some sense into them…


Hi, I’m Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals


Petya-like global ransomware attack can be mitigated

Original Article Here

A new global ransomware threat has been spreading quickly by exploiting the same vulnerabilities used in the WannaCry ransomware attacks, but researchers have found different ways to mitigate the damage.

Security researchers have been inconsistent in the branding of this global ransomware threat because it can be seen as a variant of both the Petya ransomware and GoldenEye, which itself was a variant of Petya. This led to a number of names being used, including NotPetya, ExPetr, PetrWrap, GoldenEye, Petya.A, Petya.C and PetyaCry.

However, Tod Beardsley, research director at Rapid7, said the name should not be the focus.

“We’re mostly interested in the capabilities and indicators of compromise, and not so much what the ‘real’ name is — after all, different security vendors end up calling malware samples like these different things all the time,” Beardsley told SearchSecurity.

Petya-like global ransomware spread

This new global ransomware attack was first detected in Ukraine government systems before spreading to a range of organizations around the world. A number of security research firms began analyzing the incidents and found multiple attack vectors.

Cisco Talos reported the initial point of entry to government systems in Ukraine was through a malicious software update for a tax accounting package called MeDoc.  

Kaspersky Lab found the attack could be spread via the EternalRomance remote code exploit tool found in the NSA cyberweapons dump.


However, the most common attack vector, reported by multiple research groups, was via phishing emails with malicious Office documents attached.

The malicious document targeted systems that had not been patched against the SMBv1 vulnerability fixed by MS17-010 and exploited by the EternalBlue tool, and carried the DoublePulsar backdoor, also from the NSA toolset, to help the infection spread. Both EternalBlue and DoublePulsar were used in the WannaCry ransomware attacks.

Marco Ramilli, malware evasion expert and CTO of Yoroi, a threat intelligence firm based in Italy, told SearchSecurity via Twitter that Petya-like had a backup option to help this infection spread compared to previous Petya variants:

According to Avira’s Virus Lab, “the Trojan collects the locally stored Windows login credentials and misuses them with the PsExec tool. This is just a regular tool, usually used by system admins, to run other tools on remote machines they have regular access or logins to. This method works even if the system is fully patched as PsExec is not an exploit but a regular tool from Microsoft and SysInternals.”

Lysa Myers, security researcher at ESET, said using the PsExec tool, which is a signed Microsoft Sysinternals utility rather than an exploit, “means that there only needs to be one vulnerable machine on a network for it to get in — it can then spread to other machines within the network that have been properly patched.”
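Because the PsExec path abuses legitimate credentials and a legitimate tool, patching does not detect it; the observable is on the target host, where PsExec installs a service (by default named PSEXESVC) moments after a network logon by the account being misused, and the same account repeating this on host after host is the lateral-movement signature. The following is an added example written for this page, not code from ESET, Avira or the article. The events are constructed in a simplified export format: Windows Security event 4624 with logon type 3 is a network logon, and System event 7045 is "a service was installed in the system"; the hosts, accounts, addresses and the `svchelper.exe` path are made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed events, as a SIEM or EDR export might flatten them (example data).
EVENTS = [
    {"ts": "2017-06-27T10:02:10", "log": "Security", "id": 4624, "host": "FS-01",
     "user": "CORP\\svc-backup", "logon_type": 3, "src_ip": "10.1.4.23"},
    {"ts": "2017-06-27T10:02:12", "log": "System", "id": 7045, "host": "FS-01",
     "user": "CORP\\svc-backup", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2017-06-27T10:03:40", "log": "Security", "id": 4624, "host": "WS-210",
     "user": "CORP\\svc-backup", "logon_type": 3, "src_ip": "10.1.4.23"},
    # a renamed copy of the tool: the service name no longer gives it away
    {"ts": "2017-06-27T10:03:41", "log": "System", "id": 7045, "host": "WS-210",
     "user": "CORP\\svc-backup", "service": "svchelper", "image": "C:\\Windows\\Temp\\svchelper.exe"},
    # benign: an installer run locally, no preceding network logon by that account
    {"ts": "2017-06-27T11:15:00", "log": "System", "id": 7045, "host": "WS-077",
     "user": "NT AUTHORITY\\SYSTEM", "service": "Sense", "image": "C:\\Program Files\\Vendor\\sense.exe"},
    {"ts": "2017-06-27T11:30:00", "log": "Security", "id": 4624, "host": "WS-077",
     "user": "CORP\\alice", "logon_type": 2, "src_ip": "-"},
]

REMOTE_LOGON_WINDOW = 120   # seconds between the network logon and the service install


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_service_installs(events):
    events = sorted(events, key=_ts)
    network_logons = [e for e in events
                      if e["log"] == "Security" and e["id"] == 4624 and e.get("logon_type") == 3]
    alerts = []
    for e in events:
        if not (e["log"] == "System" and e["id"] == 7045):
            continue
        # latest network logon by the same account on this host shortly before the install
        origin = next((lg for lg in reversed(network_logons)
                       if lg["host"] == e["host"] and lg["user"] == e["user"]
                       and 0 <= (_ts(e) - _ts(lg)).total_seconds() <= REMOTE_LOGON_WINDOW), None)
        is_psexec = (e["service"].upper() == "PSEXESVC"
                     or _basename(e["image"]).startswith("psexesvc"))
        if is_psexec:
            rule, severity = "psexec_service_install", "high"
        elif origin is not None:
            rule, severity = "remote_service_install", "medium"   # renamed tooling lands here
        else:
            continue
        alerts.append({"rule": rule, "severity": severity, "host": e["host"], "user": e["user"],
                       "at": e["ts"], "image": e["image"],
                       "src_ip": origin["src_ip"] if origin else None})
    # one account installing services on several hosts is the lateral-movement chain
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)
    for user, items in by_user.items():
        hosts = sorted({a["host"] for a in items})
        if len(hosts) >= 2:
            alerts.append({"rule": "lateral_movement_chain", "severity": "critical", "user": user,
                           "hosts": hosts,
                           "sources": sorted({a["src_ip"] for a in items if a["src_ip"]})})
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_service_installs(EVENTS):
        print(alert)
```

On the constructed data the first install is caught by name, the second only by the network logon that precedes it, and the chain rule ties both to one account and one source address, which is the pivot an incident responder needs: isolate the source, reset the credential, and treat every host it reached as compromised even though they were patched.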

Tying this global ransomware threat to the GoldenEye variant of Petya is the use of the Mischa component, which can encrypt individual files. But the main danger of Petya-like is that it overwrites the master boot record (MBR) with its own bootloader and, after forcing a reboot, encrypts the NTFS master file table, leaving the system unbootable.

Potential mitigation of the Petya-like global ransomware

Matthew Hickey, co-founder and director at cybersecurity consultancy Hacker House, found one way to avoid damage from this ransomware begins at the reboot process:

Another mitigation technique against the Petya-like global ransomware came from Amit Serper, security researcher at Cybereason, and Dave Kennedy, founder of Binary Defense and TrustedSec. Serper and Kennedy found one specific file whose presence stops the malware from running, a sort of local “kill switch.”

For more preventative measures against this global ransomware threat, experts suggest the same precautions as for WannaCry, including applying MS17-010 to close the hole EternalBlue exploits, disabling SMBv1 where it is not needed, and blocking inbound SMB (TCP port 445) to any potentially vulnerable device, particularly across network segments and at the perimeter.

Paul Vixie, CEO of Farsight Security, said there is one mitigation strategy that supersedes all others when it comes to any ransomware threat.

“The only proven defense against ransomware is backups of all important data,” Vixie told SearchSecurity. “No one with backups has yet lost data to a ransomware attack — so the most important thing in my opinion is to back up your data, and have a plan for recovering from those backups.”

From floppy disks to deep freeze: what’s the best way to store data?

Original Article Here

A key aspect of security is maintaining reliable access to the data you thought you owned. That’s our excuse for sharing NPR’s sweet story about the XFR Collective, a New York-based team of volunteer archivists and preservationists working to transfer old VHS videotapes into digital formats. It’s also our excuse for sharing a few long-term solutions to data preservation that might someday solve the problem once and for all, because data rot is a problem virtually all of us have (or will have).

XFR’s volunteers meet weekly in a Tribeca loft filled with “racks of tape decks, oscilloscopes, vector scopes and wave-form monitors” to painstakingly digitize cassettes from the 1980s and 1990s. (As they note, transferring video isn’t plug-and-go; much tweaking and troubleshooting can be required to get it right. That’s why they’ve only managed to transfer 155 tapes so far – a subnanoscopic percentage of the billions of tapes individuals recorded back then.)

XFR “partners with artists, activists, individuals, and groups to lower the barriers to preserving at-risk audiovisual media – especially unseen, unheard, or marginalized works.”

According to NPR, they often digitize videos from:

…people of color, queer people, immigrants, artists and activists… old videos of police brutality… weddings or old public access TV.

Whatever the content, once it’s digitized, it becomes publicly available via the Internet Archive. (See some of what they’ve saved here.)

What about your tapes? If XFR Collective isn’t an option, plenty of paid services still digitize old videotapes – or you can do it yourself using directions from CNET or Wikihow.

But you’d better get on it. Per Moving Image Preservation of Puget Sound:

Tape manufacturers predicted 20 to 30 years of life expectancy, but media lifespan depends greatly on environmental conditions… Format obsolescence contributes to the crisis… Umatic and VHS tapes are no longer manufactured and BetaSP will soon be discontinued. Machines to play these formats… are becoming more scarce as are the skills to maintain and repair them.

MIPoPS shares a page of resources and best practices for digitizing important old analog video while you still can. It’s ideal for archivists, “heritage organizations,” and anyone with lots of content to protect.

Of course, it’s not only videotape that’s at risk. Entropy is relentless, and anything recorded on magnetic or optical media will eventually suffer the fate of Ozymandias. Even if the medium remains intact, formats and interfaces become obsolete and disappear. Preserving data for the long term is a discipline worth more attention than we can give it here, but a few tips might be helpful:

  1. Keep track of how long media is likely to last – but remember that the statistics are controversial projections, and many folks won’t be so lucky. According to CNET:

    The general consensus is that CD-Rs should last 30 to 50 years, DVD-Rs less than that, and CD-RWs and DVD-RWs even less. Similarly, tapes and hard disks can be expected to be readable for 10 to 30 years, while portable disks, USB thumb drives, and other solid-state storage devices may survive for half that time, maybe.

    Back in 2005, The New York Times reported that 3.5” floppies have “an estimated life span of 10 years if stored in a cool, dry place with average care and use”. If you’ve still got any, we’ll bet they’re older than that!

  2. With this in mind, regularly copy data to new media, especially if it’s approaching its expiration date. (And make sure anything you haven’t saved is “in a cool, dry place,” not your attic or garage!) If you’re really serious, PC World suggests considering “write-once BD-R HTL (High To Low) [which] can last for 100 to 150 years given a relatively mild environment” or “Millenniata’s M-Disc BD-R and DVD+R write-once discs [which] use an even more stable data layer that is rated for 10,000 years” based on French and US government testing.
  3. Move away from physical formats that are becoming obsolete. For example, many people who used to back up their data on Zip drives, Syquest cartridges and 1.44MB floppy drives no longer have access to these. Even interfaces can be an issue: external devices often used serial or parallel ports that no longer ship standard on computers (though desktop PC and ExpressCard laptop adapters can still be found). Make sure you’ve migrated your data before you dispose of an old device or format.
  4. A common related issue: data trapped on a working hard disk in a dead PC or laptop. The Guardian serves up some useful guidance on installing the drive in an external USB enclosure, and restoring from there.
  5. Migrate data from obsolete programs, or at least make sure you have the tools to do so when necessary. Millions of people still have content trapped in ancient word processing formats such as PFS: Write or Multimate. Tools for viewing such data or moving it into “living” software include Quick View Plus and FastLook; for some formats, the free LibreOffice productivity suite or the XnView image viewer might be all you need.
  6. TechRepublic offers some useful high-level advice on planning a long-term strategy for protecting your data here.
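Tip 2’s advice to recopy data onto fresh media is only as good as the copy, and a silent read error on an ageing disc is exactly the failure you will not notice until the old medium is gone. The following is an added example, not part of the original article or any of the sources it cites: a small Python fixity workflow that writes a SHA-256 manifest for the source tree and then verifies the copy against it before the old medium is retired. The directory names and file contents are constructed for the demo.

```python
"""Added example (not from the original article): a minimal fixity workflow for
migrating data between media. It writes a SHA-256 manifest for a source tree,
then verifies a copy against that manifest so a bad read from the old medium or
a bad write to the new one is caught before the old medium is discarded.
All paths and file contents below are constructed for the demo."""
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB files never load into RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def write_manifest(manifest: dict, out: Path) -> None:
    # One "<hash>  <path>" line per file: the format `sha256sum -c` understands,
    # so the manifest stays useful even when this script is long gone.
    with out.open("w", encoding="utf-8") as f:
        for rel, digest in manifest.items():
            f.write(f"{digest}  {rel}\n")


def read_manifest(path: Path) -> dict:
    manifest = {}
    for line in path.read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Return {relative_path: status} with status in {"ok", "missing", "mismatch"}.
    The manifest is the authority: extra files in the copy are ignored, but every
    file recorded at migration time must be present and byte-for-byte identical."""
    result = {}
    for rel, expected in manifest.items():
        target = copy_root / rel
        if not target.is_file():
            result[rel] = "missing"
        elif sha256_file(target) != expected:
            result[rel] = "mismatch"
        else:
            result[rel] = "ok"
    return result


def demo() -> dict:
    """Build a constructed source tree, copy it, corrupt one file and drop another,
    then return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "old_media"
        (src / "photos").mkdir(parents=True)
        (src / "photos" / "a.jpg").write_bytes(b"\xff\xd8" + b"A" * 3000)
        (src / "thesis.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"B" * 5000)
        (src / "notes.txt").write_text("keep me\n")
        manifest_file = Path(tmp) / "MANIFEST.sha256"
        write_manifest(build_manifest(src), manifest_file)

        dst = Path(tmp) / "new_media"
        shutil.copytree(src, dst)
        # Simulate a bit flip during the copy and a file that never made it across.
        with (dst / "thesis.doc").open("r+b") as f:
            f.seek(100)
            f.write(b"C")
        (dst / "notes.txt").unlink()

        return verify_copy(read_manifest(manifest_file), dst)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9} {rel}")
```

Keep the manifest with the data on the new medium and re-run the verification on each future migration; a file that changes between two checks without you touching it is the early warning the lifespan statistics in tip 1 cannot give you.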

The future: some radically new solutions

All this is great as far as it goes, but as the amount of data we’re generating continues to soar, we’re likely to need some radically new solutions — especially if we want our data to last longer than some stray DVD-R. Here are three of our favorites:

Analog micro-etching: The Long Now Foundation – which specializes in trying to envision the long-term future and solve the problems it might present – ran a full conference on super-long-term data storage. The solution it found promising enough to test: analog micro-etching onto nickel disks. Eight years later, they had a prototype: a disk containing information in about 1,500 human languages, plus translations of the Book of Genesis in each. Since the information is analog, it’s readable directly by humans (though they will need a microscope).

The Arctic World Archive: Officially opened on March 27 in Norway’s Svalbard Arctic region, the for-profit Arctic World Archive is already housing key documents from Brazil, Mexico, and Norway — safe, theoretically, from natural disaster and warfare. According to a report in The Verge, data is actually imprinted on special film, in huge high-density greyscale QR codes – and the archive is completely disconnected from the Internet to protect against hackers and ransomware. (Unfortunately, however, it’s located near the Global Seed Vault, which is already getting hammered by global warming.)

Best of all: DNA. According to Science Magazine, researchers have been making breathtaking progress since the first attempts to store data in DNA molecules back in 2012. DNA is “ultracompact, and it can last hundreds of thousands of years if kept in a cool, dry place. And as long as human societies are reading and writing DNA, they will be able to decode it” – not something you can say with confidence about videocassettes or QR codes. Plus, new technologies are making its data storage capacity almost infinitely scalable. Columbia University’s Yaniv Erlich and New York Genome Center’s Dina Zielinski have partnered on an approach they say can hold 215 petabytes (215 million gigabytes) in a single gram of DNA.

As Science reports, speed and cost are still big issues, but “the system could, in principle, store every bit of datum ever recorded by humans in a container about the size and weight of a couple of pickup trucks”. Now all we have to do is figure out where to park them.

The Ransomware called NotPetya – Cyber Experts have their say

Original Article Here

Tuesday’s global cyber attack caused havoc and disruption to all manner of businesses. Many within the cyber industry are debating whether the ransomware used was actually a strain of Petya or something completely new. It was first detected in Ukraine, where a compromised update mechanism in an accounting program used for dealings with the Ukrainian government allowed the malware to seed itself and affect systems within the government, industrial enterprises, banks, airports and transportation services. It spread fast and caused havoc to systems at major European and American corporations, with British advertising giant WPP, Danish shipping behemoth Maersk and the American pharmaceutical corporation Merck & Co among those hit. Cyber security experts have offered their advice and insight around Petya or NotPetya, with many saying attitudes towards cyber security need to change:

Javvad Malik, Security Advocate at AlienVault:

It appears to be a new ransomware campaign impacting multiple countries and some major businesses with some manufacturing reportedly stopped. The ransomware appears to be a Petya variant that may be spreading via EternalBlue; although this is not confirmed yet. Further information is being collated at

Andrew Clarke, EMEA Director at One Identity:

The best advice to all is it is time to act now – make cyber security the number 1 item on the agenda at the next board meeting – and resolve to take proactive action to strengthen your cyber defences. What we are seeing in the continuing battle against the cyber threats is a massive escalation that will impact anyone who is not taking this seriously and has proactively analysed, reviewed and acted upon advice for their own environments. The phrase ransomware is entering everyday conversation and many people are familiar with the consequences of its impact. The overnight escalation of a global ransomware attack serves to reinforce the need for all of us to step up our game regarding cyber security – both at a personal level as well as a corporate level.

Robert Lipovsky, Researcher at ESET:

ESET researchers have located the point from which this global epidemic has all started. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions. Several of them executed a trojanized update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign today which spread across the whole country and to the whole world. M.E.Doc has today released a warning on their website. Based on our investigation, it appears the attack was launched in the morning hours of June 27, Ukrainian time.

Lee Munson, Security Researcher at

When businesses around the world woke up to the WannaCry ransomware recently, they must have thought their worst nightmares had come true. That a kill switch was found, and the damage done relatively small, was extremely fortunate but it should have painted a powerful picture of what could happen should another ransomware attack come marching over the hill. That Petya has caught major organisations unaware, including financial companies that are usually among the most secure types of business, is therefore a massive shock and a huge cause for concern. Most businesses will have learned the value of maintaining regular backups and the implementation of technical security controls to create restore points and block ransomware at the point of entry. Petya, however, highlights how staff awareness may still be an issue, giving an in to attacks of this kind, and perhaps highlights how patch management may still be lagging way behind where it needs to be.

Paul Edon, Director at Tripwire:

Tuesday’s cyber-attacks that caused disruption to Ukrainian banks, Ukrenergo power distribution and other Ukrainian commercial businesses appear to have gained initial entry via a phishing attack and then spread across systems by means of the EternalBlue exploit. Phishing attacks are commonplace and currently represent the most successful entry point leading to a successful breach. Foundational Controls such as Email and Web filtering combined with comprehensive workforce education will greatly reduce the success of these attacks. Email and Web filtering can recognise and block malicious URL access and quarantine suspicious attachments. Workforce education will help users identify phishing email, deter them from clicking on unknown or unexpected attachments, discourage the access of unknown URLs, and assist staff in recognising unusual system activity. EternalBlue exploits a known vulnerability within the Microsoft Server Message Block (SMB v1) protocol, which allows attackers to execute arbitrary code using specially crafted packets. Microsoft originally released a patch for supported Microsoft Operating Systems in mid-March 2017. After the WannaCry ransomware attacks, which also used EternalBlue to traverse networks, Microsoft released a further patch for legacy operating systems such as Windows XP and Windows Server 2003. Patch Management is a Foundational Control that forms an important part of the technical security strategy. If for reasons of legacy or critical operations these patches cannot be deployed then it is crucial that organisations assess the risk accordingly and use further mitigating controls to monitor and protect those systems.

New Petya Distribution Vectors Bubbling to Surface

Original Article Here

Join Kaspersky Lab and Comae Technologies Thursday June 29, 2017 at 10 a.m. Eastern time for a webinar “The Inside Story of the Petya/ExPetr Ransomware.”

While Microsoft and others continue to shore up links between yesterday’s global ransomware outbreak and the update mechanism for Ukrainian financial software provider MEDoc, others are finding even more distribution vectors used by the malware.

Kaspersky Lab last night said that a government website for the city of Bakhmut in Ukraine was compromised and used in a watering hole attack to spread the malware via a drive-by download.

“To our knowledge no specific exploits were used in order to infect victims. Instead, visitors were served with a malicious file that was disguised as a Windows update,” Kaspersky Lab said in a statement. “We are investigating other leads in terms of distribution and initial attack vector.”

The ransomware, which shares similarities with the destructive Petya strain that surfaced in 2016, is also being spread using the leaked NSA EternalBlue and EternalRomance exploits, infecting machines that still have not applied the MS17-010 Microsoft update that patches the handful of SMBv1 vulnerabilities those exploits target. Unlike WannaCry, whose worming capability let it spread rapidly across the internet, this attack spreads only within the local network, and it also abuses a pair of legitimate Windows utilities, PSEXEC and WMIC, which lets it infect machines already patched against the vulnerabilities exploited by EternalBlue.

Like Petya, this attack overwrites the Master File Table and Master Boot Record on computers it infects. One organization reports that one unpatched machine was the culprit at its location, adding that it lost PCs due to a corrupted MBR, while other machines were showing the ransom note.

Researcher Matt Suiche of Comae Technologies said the malware is more wiper than ransomware, akin to Shamoon, the wiper malware behind the attacks on Saudi Arabia’s Aramco oil company. Suiche said this malware destroys the first 25 sector blocks of a hard disk, and the MBR section of the disk is purposely overwritten with a new bootloader.

“The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon,” Suiche wrote in an analysis published today. “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”

Victims, meanwhile, continue to make payments in a futile attempt to recover their lost data. German host Posteo said yesterday that it shut down the attacker’s email account, which prevents victims from contacting the entity behind the attack to send them their Bitcoin wallet address and infection ID in order to verify payment of the $300 ransom.

Microsoft, meanwhile, says it has definitively linked MEDoc as an initial infection vector, which MEDoc denied in a Facebook post Tuesday.

“The development team denies this information and argues that such conclusions are clearly erroneous, because the developer of m.e.doc, as a responsible supplier of the software, monitors the safety and cleanliness of its own code,” MEDoc said.

MEDoc, which sells tax accounting software, was identified by Ukraine’s Cyber Police as the source of the outbreak. Cisco and Kaspersky Lab also implicated the company, saying that its software update system had been compromised and was serving up the ransomware in phony updates.

“We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT,” Microsoft said in a Technet blog on Tuesday. Microsoft said that the EzVit.exe process from MEDoc executed the command line: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\perfc.dat",#1 30

Below is a representation of the execution chain from Microsoft.

The ransomware, which has been given many names including NotPetya, ExPetr, PetrWrap, GoldenEye and others, is much more complex than WannaCry given its ability to move laterally once on a local network.

Microsoft said the ransomware begins by dropping a credential-stealing tool similar to Mimikatz looking for valid admin or domain credentials. It then scans subnets looking for open port 445 or 139 connections.

“A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate DHCP subnets and all hosts on all DHCP subnets before scanning for tcp/139 and tcp/445 services,” Microsoft said. “If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with the stolen credentials. It then tries to execute remotely the malware using either PSEXEC or WMIC tools.”

Another scan looks for admin$ shares before the ransomware copies itself on the network and executes using PSEXEC in what amounts to pass-the-hash attacks, Microsoft said.

“In addition to credential dumping, the malware also tries to steal credentials by using the CredEnumerateW function to get all the other user credentials potentially stored on the credential store. If a credential name starts with “TERMSRV/” and the type is set as 1 (generic) it uses that credential to propagate through the network,” Microsoft said. “This ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using NetEnum/NetAdd) to spread to. It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).”

Experts continue to stress the importance of applying the MS17-010 update to unpatched machines, and advise disabling or tightly restricting PSEXEC and WMIC on local networks, since the malware relies on those tools to reach machines that are already patched.
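The propagation behaviour Microsoft describes above (EzVit.exe launching rundll32 on perfc.dat, a sweep of tcp/139 and tcp/445 across the subnet, then remote execution through WMIC or PSEXEC) maps onto two simple detections that do not depend on a file hash. The block below is an added example written for this page; it is not code from Threatpost, Microsoft or any vendor. The event field names, host names, addresses and sample command lines are constructed assumptions and should be mapped onto your own EDR or Sysmon schema.

```python
"""Added example, not from the Threatpost article or Microsoft's analysis.
Two detections for the lateral-movement behaviour described above, run over
constructed sample telemetry. Field names, hosts, addresses and command lines
are assumptions for the demo; map them onto your own EDR/Sysmon schema."""
import re
from collections import defaultdict

# --- Rule A: process-creation events ----------------------------------------
# rundll32 loading perfc.dat and calling export ordinal #1 (the chain Microsoft saw)
RUNDLL_PERFC = re.compile(r'rundll32.*perfc\.dat"?\s*,\s*#1\b', re.I)
# WMIC asked to create a process on another host
WMIC_REMOTE = re.compile(r"\bwmic(\.exe)?\b.*\s/node:.*process\s+call\s+create", re.I)
# PsExec client, or the service it installs on the target
PSEXEC_IMAGE = re.compile(r"(^|\\)psexe(c|c64|svc)\.exe$", re.I)


def classify_process(event: dict) -> list:
    """Return the names of every rule a single process-creation event matches."""
    image = event["image"]
    parent = event.get("parent_image", "")
    cmd = event["cmdline"]
    hits = []
    if RUNDLL_PERFC.search(cmd):
        hits.append("rundll32_perfc_ordinal1")
    if parent.lower().endswith("ezvit.exe") and image.lower().endswith("rundll32.exe"):
        hits.append("medoc_updater_spawned_rundll32")
    if WMIC_REMOTE.search(cmd):
        hits.append("wmic_remote_process_create")
    if PSEXEC_IMAGE.search(image):
        hits.append("psexec_execution")
    return hits


# --- Rule B: SMB fan-out (the tcp/139 and tcp/445 subnet scan) --------------
SMB_PORTS = {139, 445}


def smb_fanout(flows: list, window_s: int = 60, threshold: int = 20) -> dict:
    """flows: dicts with ts (epoch seconds), src, dst, dport.
    Return {src: peak_distinct_peers} for every source that opened SMB
    connections to more than `threshold` distinct hosts inside any
    `window_s`-second window. A client talking to one file server all day
    never trips this; a worm sweeping a /24 does within seconds."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] in SMB_PORTS:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        peak = 0
        for i, (t0, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if ts - t0 <= window_s}
            peak = max(peak, len(peers))
        if peak > threshold:
            alerts[src] = peak
    return alerts


# --- Constructed sample telemetry (not real logs) ---------------------------
SAMPLE_PROCESSES = [
    {"host": "fin-ws-07", "parent_image": r"C:\Program Files\MEDoc\EzVit.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" "C:\ProgramData\perfc.dat",#1 30'},
    {"host": "fin-ws-07", "parent_image": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.0.4.21" /user:"CORP\svc_fin" /password:"[redacted]" '
                r'process call create "rundll32.exe C:\Windows\perfc.dat,#1 60"'},
    {"host": "fin-ws-07", "parent_image": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\Temp\PsExec.exe",
     "cmdline": r"PsExec.exe \\10.0.4.22 -accepteula -s -d rundll32.exe C:\Windows\perfc.dat,#1 60"},
    {"host": "hr-ws-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\hr\notes.txt"},
    {"host": "hr-ws-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
SAMPLE_FLOWS = (
    # one workstation sweeping 40 neighbours on 445 inside 40 seconds
    [{"ts": 1000 + i, "src": "10.0.4.10", "dst": f"10.0.4.{i}", "dport": 445} for i in range(1, 41)]
    # 25 peers but one every 30 s: never more than a few inside a 60 s window
    + [{"ts": 1000 + 30 * i, "src": "10.0.4.60", "dst": f"10.0.5.{i}", "dport": 139} for i in range(1, 26)]
    # a normal client re-connecting to its single file server
    + [{"ts": 1000 + 7 * i, "src": "10.0.4.50", "dst": "10.0.4.200", "dport": 445} for i in range(5)]
)

if __name__ == "__main__":
    for ev in SAMPLE_PROCESSES:
        print(ev["host"], ev["image"].rsplit("\\", 1)[-1], classify_process(ev) or "-")
    print("SMB fan-out alerts:", smb_fanout(SAMPLE_FLOWS))
```

Rule A is the high-confidence, low-volume signal and is what you would page on; Rule B is noisier (vulnerability scanners and backup agents also fan out over SMB), so tune `window_s` and `threshold` against a week of your own flow data and whitelist the scanners before you alert on it.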

5 Takeaways for IT Pros from Dell EMC Canadian Customer Summit

Original Article Here

Dell EMC held its Canadian Customer Summit on Tuesday in Toronto, bringing together senior leadership across security, product innovation, and sales and marketing, to discuss digital transformation and how Dell EMC sees its own products and partners helping customers through the journey.

In addition to catching many of the sessions, IT Pro had the chance to sit down with Neil Hand, Dell’s VP of product strategy and innovation for Dell Client Solutions, and Alan Daines, CISO of Dell EMC Global Security. Based on our conversations and observations from the day, here are the top 5 takeaways for IT pros from the Dell EMC Canadian Customer Summit.

1. The PC is Not Dead

Thinking about the future is Neil Hand’s full-time job at Dell. In his role he is tasked with predicting what the workers of tomorrow will be using to get their jobs done – no simple feat when we don’t even know what many of those jobs will look like. He said that no matter what devices emerge, the PC is here to stay – it just may look different.

Dell Canvas is at least the start of this vision. First announced in January at CES 2017, Dell Canvas is a 27” QHD touch screen that sits horizontally on a desk surface, and can be paired with any Windows laptop, desktop or all-in-one.

According to Hand, Dell Canvas is the “beginning of a long-term play” for the company, which envisions the device as bringing together work and home workspaces through one interface. The idea is that you could seamlessly go from doing your expenses, swipe your hand over your work surface, and then be in your personal workspace.

Also, be sure to watch the PCaaS space which is heating up with not just an offering from Dell, but also one from Lenovo that launched earlier this month.

2. Figure Out the Problem You’re Trying to Solve First

As technologists it can be easy to look at all of the innovations coming out and then decide how they apply to your specific business. But several experts who spoke at the event on Tuesday said this approach is backwards.

At VMware, this means “having clarity around what problems we’re solving before we define how,” Sean Forkan, Vice President and Country Manager, VMware Canada said.

Chad Sakac, president, Dell EMC, Converged Platform and Solutions Division said this approach is also supporting a trend towards consuming IT rather than building IT. “The areas that are growing are where customers are saying, ‘I just don’t want to deal with this anymore,’” he said, pointing to solutions like Azure Stack and VxRail.

3. Digital Transformation Evolves from Nice-to-Have to Must-Have

As an IT professional, you may hear the term digital transformation and think its primary use is in marketing, similar to the way “cloud” was stuck in front of just about anything years ago, regardless of whether it was in fact cloud. But technology professionals are thinking about digital transformation not just from a technical standpoint, but also from a cultural standpoint.

“Digital transformation was not in our vernacular five years ago,” Phil Vokins, Acting Country Manager, Intel Canada said in a panel discussion. Now, he said, every organization must have some kind of digital transformation initiative, which, in its simplest form means the use of technology to rapidly improve performance.

John Kennedy, VP, OEM Division, Microsoft Canada, said that on the cultural side of digital transformation, Microsoft’s employees have had to adopt a growth mindset.

“To go through with a digital transformation, that’s a real change. Culture eats that strategy for breakfast. Our purview has been to lead with cultural change,” he said. “It’s not skill and ability in role that predict success in any endeavor, it is grit. Grit is something that is about perseverance and pursuit of a long-term goal.”

4. Hiring the Next Generation Needs to Happen Now

There are countless pieces of research that point to a woefully inadequate number of security professionals, a gap that continues to grow year after year.

Alan Daines, CISO at Dell EMC Global Security, said that he tries to attract talent in a number of ways, but the culture of Dell makes it relatively easy, pointing to its ranking on sites like Glassdoor, Michael Dell’s mindset of constantly staying relevant, and the fact that his security team sits next to the product team and has a real impact on the business.

“The industry has gone from a behind the scenes, nobody cares about security, we are fighting this futile battle, to oh my goodness this is really real. Five years ago in an event like this today you wouldn’t have had the CISO speaking, [but now] everybody cares about security,” he said.

Hand added that millennials and post-millennials are looking for an employer who uses relevant technology and will invest in their development, including providing ongoing training.

5. Security (Still) Needs to Start with the Basics

Over his career, Daines has watched the threat landscape transition from script kiddies to organized crime to nation states. Part of this change has required a new approach: becoming more proactive in spotting security threats, including understanding where high-value assets are and ensuring his team is focusing on the right areas. The bottom line is that no organization will ever be 100 percent secure, and his job is to balance the security risk posture of the Dell enterprise so that it is still able to innovate, he said.

While the threats are becoming more sophisticated, security still needs to start with the basics, which can mean doing simple tasks like applying a security patch; he used WannaCry as an example.

“If we can’t deal with something that’s been out for months with a publicly available patch, if we can’t do the basics, how are we going to protect against sophisticated attacks?” he said.

“[WannaCry] hit like a massive slap in the head a month ago, and everybody panicked. The companies that had patched against it weren’t worried. Almost the next day the researcher identified the command and control point. It almost killed it almost overnight. Because they stopped worrying they never got to do the security basics,” he said. In other words, they made a good effort but didn’t patch across the whole organization, likely vowing to do so the next Patch Tuesday. Then Petya hit on Tuesday.

While Daines acknowledges that humans are the biggest threat to keeping an organization secure, he added that even if you take out the human element, there is no single technology that secures things properly.

“To make something completely and utterly secure is impossible. I think we’re going to continue to play cat and mouse battle in security industry. I have not seen anything that is truly game-changing,” he said.

The Law of Unintended Outbreak – Who Is at Risk from Petya?

Original Article Here

Cyber crime can impact individual users and businesses anywhere in the world.

Hot on the heels of the global WannaCry outbreak in May, yesterday saw a wave of what looked like copycat malware sweeping the globe again. However, on closer inspection there may be more to this than meets the eye, more than a simple new variant of an already established ransomware borrowing propagation techniques from WannaCry.

The attack itself certainly seems to have been originally planned as a targeted attack, originating with a compromise of Ukrainian accounting software MEDoc’s update infrastructure (seemingly admitted on their website but categorically denied by MEDoc on Facebook). This island-hopping attack starting with a smaller software vendor, whose product is mandated for companies paying taxes in Ukraine, may well have been targeted specifically at that country. However, as with every notionally targeted attack there has been collateral damage.

The fact that the malware was set to wait five days before triggering on the 27th June, a day before a Ukrainian public holiday celebrating the ratification of its new constitution in 1996, also lends circumstantial weight to the proposition that the attack was targeted primarily at victims in Ukraine.


Prominent global victims such as WPP, Maersk and Saint-Gobain all have offices and operations in Ukraine and are likely users of MEDoc; some have even posted job ads for accounting specialists with MEDoc skills. Rosneft, Russia’s state-owned oil company, although not necessarily a corporate user of MEDoc, still has a presence in Ukraine and thus may be exposed to MEDoc within its network.

It seems that this cyber-attack is following the law of unintended consequences, with the victim population very rapidly spreading outside of Ukraine and encompassing organisations and partners of organisations who have a presence in Ukraine.


The creators of this particular malware – borrowing code from Petya, reusing exploits abused by WannaCry, adding password hash harvesting and two further network propagation techniques, and using code obfuscation and fake Microsoft certificates – are clearly skilled and experienced. The possibility of this latest outbreak being traditional financially-motivated online crime seems, at least at surface level, obvious but for one thing: the ransom payment mechanism.

Why does the payment mechanism rely on a single hard-coded Bitcoin wallet, and the transmission of an email containing the victim’s bitcoin wallet ID and “personal installation key” (a handy 69 characters that can’t be copy/pasted) to an email address that was always going to be rapidly shut down by the entirely reputable hosting company Posteo based in Berlin?  It’s almost as if the creators never intended to reap the financial rewards…

Am I vulnerable?

So far, all the highly-effective propagation mechanisms are finely-tuned for internal network-based spread at a rapid pace. There does not appear to have been a major external facing campaign to deliver this payload beyond the user base of MEDoc software.

If your organisation has a presence in Ukraine, or has immediate partners who do business in Ukraine, then you should consider yourselves directly at risk. Outside of this immediate group, while your risk level from this particular attack drops significantly, there’s no such thing as a cast iron guarantee and it only takes one device on your network to start a devastating outbreak. The six degrees of Kevin Bacon after all demonstrates how few links apart we all are (my own Bacon number is 3).

For technical details about this outbreak and advice on how best to mitigate please see our constantly updated Petya (2017) Ransomware Attack Information and our FAQ. For a technical analysis of the malware in question, have a look at our Security Intelligence blog.

For general advice on ransomware and access to free industrywide decryption tools, please visit

Everything you need to know about the (Goldeneye) Petya attack

Original Article Here

Some 24 hours ago, a new strain of the Goldeneye/Petya ransomware armed to the teeth with exploits swept the globe in a manner reminiscent of May’s WannaCry pandemic, hitting government agencies, banks, power companies, drug makers and shipping giants, and the list could go on.

A preliminary investigation by Bitdefender showed the malware sample responsible for the infection was an almost identical clone of the GoldenEye ransomware family. The media settled on calling it Petya, as it also shares multiple similarities with that ransomware strain.

When it was discovered, no information was available about the propagation vector. However, as with the WannaCry ransomware attack in May, Goldeneye/Petya seemed to be carried by a wormable component.

Today, we have enough information to make a more complete profile of the malware, including some juicy technicalities that will no doubt pique the interest of the geek demographic.


Reports from Ukraine, the country hit hardest by the contagion, indicate that the first wave of attacks occurred there, on June 27, around 2 PM local time.


While the ransomware initially took hold in Ukraine and Russia, it soon spread to several European countries, including Poland, Germany, Italy, Spain, and France. Subsequent reports revealed breaches at companies in India and the United States. Around the same time, British ad company WPP tweeted that its systems had fallen victim to a cyberattack.

Who got hit?

The list of companies hit by GoldenEye/Petya is still incomplete, depending as it does on the willingness of victims to admit to the breach. However, we know its victims include:

  • Chernobyl’s radiation monitoring system
  • DLA Piper law firm
  • U.S. pharma company Merck
  • several Ukrainian banks, including National Bank of Ukraine
  • at least one Ukrainian airport
  • the Kiev metro
  • Danish shipping and energy company Maersk
  • British advertiser WPP
  • Russian oil industry company Rosneft
  • Ukrenergo, Ukraine’s state power distributor

Who are the attackers?

It’s not yet known who the attackers are. The possibilities are so vast, speculation is futile at this point. However, we do know, based on their publicly available Bitcoin wallet, that they’ve amassed $10,000 in cryptocurrency as a result of the attack.

How does GoldenEye/Petya work?

GoldenEye/Petya is classified as ransomware, as it is designed to encrypt data on infected systems and demand ransom money in exchange for unscrambling the data.

Our analysis indicates that GoldenEye/Petya uses the same EternalBlue exploit employed by WannaCry to replicate laterally, in what IT folk refer to as the “worm” component of the malware. This component allows the malware to replicate itself on vulnerable systems across a network. Unlike last month’s infection, though, Petya has more aces up its sleeve.

(Figure: encryption thread preparation – layer 1 – one thread per drive)

An additional exploit dubbed EternalRomance was used to further ensure the malware’s “wormable” nature. Finally, a credential dumping tool (sharing code similarities with an older hack tool called Mimikatz) embedded in the software allowed GoldenEye/Petya to infect even non-vulnerable (patched) systems by simply gaining administrator rights on the machines. A recent Microsoft blog post analyzes this in detail.

Another important aspect of GoldenEye/Petya is its encryption mechanism – two of them, to be precise. The malware encrypts not only individual files, but also makes the computer’s entire file system unreachable by overwriting the Master Boot Record (MBR) – the first sector of the disk, which holds the partition table and the code responsible for finding the operating system and booting the computer – and subsequently encrypting the Master File Table (MFT) of the NTFS file system.
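Both this paragraph and Matt Suiche’s observation in the Threatpost piece above (the first sectors of the disk destroyed, the MBR overwritten with a new bootloader) come down to one triage question on an affected machine: does sector 0 still look like the MBR you expect? The following is an added example, not code from Bitdefender, Comae or the original articles: a small MBR parser and a field-by-field comparison against a known-good baseline sector taken from a backup or golden image. The sample sectors are constructed inside the block, and the “good” bootstrap code is a stand-in, not real boot code.

```python
"""Added example, not code from Bitdefender, Comae or the original articles.
Parse a 512-byte sector 0 and compare it with a known-good baseline so that a
replaced bootloader or a zeroed sector is reported field by field.
The sample sectors below are constructed; GOOD_CODE is a stand-in for real boot code."""
import hashlib
import struct

SECTOR = 512
PART_TABLE = 446          # offset of the four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(code: bytes, partitions: list) -> bytes:
    """Constructed helper: assemble a sector from bootstrap code and
    (status, type, lba_start, sectors) tuples. Only used to make demo data."""
    if len(code) > PART_TABLE:
        raise ValueError("bootstrap code must fit in the first 446 bytes")
    buf = bytearray(SECTOR)
    buf[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into the three things worth comparing: the boot
    signature, a hash of the bootstrap code, and the four partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "code_sha256": hashlib.sha256(sector[:PART_TABLE]).hexdigest(),
        "partitions": parts,
    }


def triage(sector: bytes, baseline: bytes) -> list:
    """Compare a captured sector 0 with a trusted copy (backup or golden image) and
    return human-readable findings; an empty list means every field that matters is identical."""
    cur, ref = parse_mbr(sector), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR (wiped or zeroed)")
    if cur["code_sha256"] != ref["code_sha256"]:
        findings.append("bootstrap code (bytes 0-445) differs from baseline: foreign bootloader or damage")
    for i, (c, r) in enumerate(zip(cur["partitions"], ref["partitions"])):
        if c != r:
            findings.append(f"partition entry {i} differs from baseline: {r} -> {c}")
    if cur["signature_ok"] and not any(p["type"] for p in cur["partitions"]):
        findings.append("valid signature but empty partition table")
    if sum(p["status"] == 0x80 for p in cur["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


# --- constructed sample sectors ---------------------------------------------
GOOD_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 100  # stand-in, not real boot code
TABLE = [(0x80, 0x07, 2048, 1_048_576)]                                         # one bootable NTFS partition
GOOD_MBR = build_mbr(GOOD_CODE, TABLE)
FOREIGN_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 440, TABLE)  # table kept, loader replaced (jmp $ stub)
WIPED_MBR = bytes(SECTOR)                                     # sector zeroed outright

if __name__ == "__main__":
    for name, sec in [("good", GOOD_MBR), ("foreign", FOREIGN_MBR), ("wiped", WIPED_MBR)]:
        print(name, triage(sec, GOOD_MBR) or ["no differences"])
```

On a Linux forensic workstation, `dd if=/dev/sdX bs=512 count=1 of=sector0.bin` against a write-blocked drive or a disk image yields the 512 bytes `parse_mbr` expects; the baseline should come from a backup or a golden image of the same build, not from another machine that may already be hit. A valid 0x55AA signature by itself proves nothing, since any bootloader that wants to run must carry one; it is the bootstrap-code hash and the partition entries that tell you whether the sector was replaced.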

What are the infection vectors?

Our internal telemetry shows that some infections with GoldenEye/Petya were triggered by a compromised update of the MeDOC accounting software. Bitdefender customers in Ukraine, where our solutions intercepted the attack, show explorer.exe starting up ezvit.exe (the accounting app binary) which then executes rundll32.exe with the ransomware’s DLL as parameter.

The MeDOC update therefore is a key infection vector, making Ukraine “patient zero” – where the infection spread across VPN networks to headquarters or satellite offices. In addition to the MeDOC update, some other infection vectors are under investigation.

Ransomware or just plain evil?

GoldenEye/Petya is a piece of ransomware – malware designed to infect systems, encrypt files on them and demand a ransom in exchange for the decryption keys.

However, as the situation was being contained yesterday evening, evidence began to mount that Petya was basically a data destroyer – either meant as a test, or simply to harm victims.

Here are the clues:

  • The email service used to get payment confirmations was a legitimate service called Posteo. The company suspended the email address upon catching wind of the news, essentially rendering payments made overnight invalid. Users would also never receive the decryption key. A typical ransomware attacker uses the Tor anonymity service. “This would be a poor decision for a business seeking to maximize financial gains,” explains Bogdan Botezatu, Sr. Security Analyst at Bitdefender.
  • Petya lacks automation in the payment & key retrieval department, making it difficult for the attacking party to deliver the decryption keys back to the victim.
  • The user has to manually type in an extremely long, mixed case “personal installation key” + “wallet” which is prone to typos.
  • Every victim reading the Petya ransom note was looking at the same Bitcoin address. Most pieces of ransomware (designed specifically for financial gain) use custom bitcoin payment addresses for each endpoint infected.

How to stay on the safe side

The first rule of thumb is to keep your systems up to date. Remember that GoldenEye/Petya leverages vulnerabilities patched by Microsoft with several express updates starting in March. You have no excuse to remain unpatched following the WannaCry and GoldenEye/Petya attacks.

Run a trusted AV solution. Bitdefender blocks the currently known samples of the new GoldenEye/Petya ransomware. Computers running a Bitdefender security solution for consumer or business are safe against GoldenEye/Petya and WannaCry.

Considering Petya’s “plan B” to use lateral movement through credential theft and impersonation when faced with a patched system, companies might want to consider restricting administrator rights on employee endpoints. The same advice applies to regular users as well.

Bitdefender strongly advises all companies who have offices in Ukraine to be on the lookout and to monitor VPN connections to other branches.

The Next Petya Will Be Worse – Why Software Development Must Change

Original Article Here

Another major cyberattack hit computer networks around the globe on Tuesday, beginning in the Ukraine, when a paralyzing ransomware struck websites of government agencies, banks, transportation, and power plants, before spreading to Russia, the UK, U.S., and other nations. Coming just weeks after the WannaCry ransomware wreaked havoc, this new attack – initially believed to be a strain of the Petya ransomware – has many similarities to WannaCry, and some alarming differences.

Organizations affected include the U.S. pharmaceutical manufacturer Merck, a U.S. hospital and healthcare system, the Maersk shipping company in Denmark, a state-controlled bank in the Ukraine, Russian oil giant Rosneft, and a UK advertising company. With the ransomware continuing to spread, no industry is immune, and enterprise organizations may prove to be more vulnerable due to their larger attack surface.

The details of the attack are still hazy. Is this a new and improved version of Petya? Or something we’ve never seen before? Who was behind the attacks? There has been speculation that the intention of the ransomware was not to extort businesses, but to disrupt them and sow chaos. It’s also not entirely clear what the original attack vectors were. Some evidence points to the ransomware spreading via the same vulnerability as WannaCry – a vulnerability known as EternalBlue in a file-sharing framework in Microsoft Windows – yet computers that were patched against that vulnerability have also been infected.

Security firms will continue to conduct forensic analysis of the ransomware over the coming days and weeks, and understanding the source of the attacks and the attacker’s motivation will hopefully help us prevent similar attacks. Yet, as our economy and infrastructure increasingly depend on software applications, shared across millions of computers and users, the risks and consequences of this kind of cyberattack will continue to worsen unless we change the way software is developed, updated, and accessed.

Veracode scans of thousands of applications and more than a trillion lines of code over the last decade have shown conclusively that the security of the software businesses develop and purchase from third parties is a massive liability for those organizations, their customers, and the economy as a whole. Our scans routinely find that applications fail the most basic standards that have been in place for a long time. And software produced by vendors is even less secure than applications developed in-house.

There is also systemic risk in software because of the way applications are assembled from components, rather than developed from scratch. The reliance on open source and third-party code means that vulnerabilities in components can affect thousands of other applications, and those vulnerabilities can be difficult for security teams to track down and patch when new vulnerabilities are disclosed.

As the WannaCry and Petya attacks make clear, the cost of failure to secure software is high. Vulnerable software can harm individual businesses and entire nations. Destructive attacks on critical infrastructure threaten lives and economies. Because the stakes are so high, it is incumbent upon software vendors and organizations that develop their own software to ensure their security.

So, what is the best path forward? Simply put, software needs to be designed with security in mind – it can no longer be an afterthought. High walls and sturdy locks are not enough to protect vulnerable software from being exploited. Security needs to be built into software, with rigorous testing for flaws in the code.

The burden of responsibility should not fall on security teams alone. That responsibility should be shared across the organization, from the board level down to the developers who write the code. Unfortunately, there isn’t a silver bullet to prevent vulnerabilities. Development, security, and operations teams need a combination of software testing techniques to find flaws in proprietary code and third-party components.

If we have any hope of preventing new and more dangerous attacks from exploiting vulnerable software, it will be in educating our software developers in secure coding best practices. Every computer science course should include cybersecurity. And as new languages, frameworks, and platforms take hold, organizations must train their developers to keep security at the forefront.

The digital transformation of the way we work, communicate, and consume goods and services, is a wonderful thing. Applications enable individuals, businesses, governments, and organizations of all sizes to thrive, and better serve customers. But this transformation comes with considerable risk. If we make the security of software our top priority, the potential for innovation is limited only by our imaginations. If we don’t make security an essential part of the way we create software, we are putting people and progress in harm’s way. We understand the risks. Not doing anything about them would be negligence of the worst sort.

Learn how to reduce application risk – download our Ultimate Guide to Getting Started With Application Security.

TrustArc Privacy and GDPR Compliance Research Report– Part 2 of 3

Original Article Here

Part 2 of our three part series reviews results from the TrustArc / Dimensional research report on the status of U.S. Privacy and GDPR Compliance Programs.

  • To review Part 1, the General Privacy Market Results, click here
  • Part 3 will include Privacy Program Implementation Results.
  • In Part 2 of this series, we will share the GDPR Compliance Results.

For all companies responding, approximately 40% are still designing their GDPR plan and only about 10% have GDPR plans well underway. Many companies have a significant amount of GDPR implementation ahead of them.

Responding companies have set aside relatively large budgets for GDPR compliance for 2017-2018. For all companies responding, the #1 budget amount cited was between $100,000 and $500,000 (42%), with the #2 budget cited between $500,000 and $1,000,000 (23%). GDPR compliance budgets of over $1 million accounted for 9% of small companies, 19% of mid-size companies and 23% of large companies.

Nearly 1 in 4 large companies plan to spend over $1 million on GDPR compliance.

GDPR investments will go to a wide range of initiatives including consultants, internal hiring, and additional technology and tools.

In Part 3 of this series, we will reveal program implementation results. To read the full results now, download a copy of the TrustArc “Privacy and the EU GDPR” research report.

Deconstructing Petya: how it spreads and how to fight back

Original Article Here

Editor’s note: Sophos customers can follow the technical updates in this Knowledge Base Article, which includes a list of the variants we’re detecting and blocking.

Since yesterday’s Petya ransomware outbreak, folks have grappled with questions over how it spread and whether or not it represents a sequel to last month’s WannaCry surge.

Sophos researchers have found similarities in how both spread, along with some key differences. They’ve also pieced together the infection and encryption sequence, and protected customers accordingly.

Differences and similarities with WannaCry

The researchers found no internet-spreading mechanism, though like WannaCry, it uses the EternalBlue/EternalRomance exploits that target vulnerable SMB installations to spread.

But that spread is through internal networks only. Here’s the SMB exploit shellcode for Petya vs the one for WannaCry:

Exploiting command-line tools

In cases where the SMB exploit fails, Petya tries to spread using PsExec under local user accounts. (PsExec is a command-line tool that allows users to run processes on remote systems.) It also runs a modified mimikatz LSAdump tool that finds all available user credentials in memory.

It attempts to run the Windows Management Instrumentation Command-line (WMIC) to deploy and execute the payload on each known host with relevant credentials. (WMIC is a scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through it.)

By using the WMIC/PsExec/LSAdump hacking techniques, attackers can infect fully patched PCs found on local networks, including Windows 10.
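As an added example (not code from the Bitdefender or Sophos write-ups), the following Python pass runs over constructed process-creation events and flags both behaviours these articles describe: the MeDOC chain of ezvit.exe launching rundll32.exe with a DLL argument, and WMIC or PsExec being used to execute something on another host. The field names, paths, hosts, account names and the payload file name are assumptions or placeholders, and the events are constructed sample data.

```python
import ntpath

# Constructed sample process-creation events (not real telemetry); the field
# names loosely follow Sysmon Event ID 1 and are an assumption of this example.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\MeDoc\ezvit.exe", "cmd": "ezvit.exe"},
    # Benign: a Control Panel applet opened from Explorer through rundll32.
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
    # Suspicious: the accounting app launching rundll32 with a DLL argument.
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe "C:\Windows\PLACEHOLDER_payload.dll",#1'},
    # Benign: a local WMIC query with no remote node.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmd": "wmic os get caption"},
    # Suspicious: WMIC creating a process on another host with explicit creds.
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmd": r'wmic /node:"10.0.0.7" /user:"CORP\svc" process call create "rundll32.exe ..."'},
    # Suspicious: PsExec pushing a file to another workstation.
    {"pid": 600, "ppid": 300, "image": r"C:\Windows\Temp\psexec.exe",
     "cmd": r"psexec.exe \\10.0.0.8 -u CORP\svc -c C:\Windows\Temp\x.dll"},
]


def detect(events):
    """Return (pid, rule) pairs for events matching the behaviours above."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image = ntpath.basename(e["image"]).lower()
        cmd = e["cmd"].lower()
        parent = by_pid.get(e["ppid"])
        parent_image = ntpath.basename(parent["image"]).lower() if parent else ""
        # MeDOC chain: rundll32 is not a normal child of the accounting app,
        # whatever file name the dropped DLL happens to use.
        if image == "rundll32.exe" and parent_image == "ezvit.exe":
            hits.append((e["pid"], "medoc-rundll32-chain"))
        # WMIC pointed at a remote node and asked to create a process there.
        if image == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
            hits.append((e["pid"], "wmic-remote-process-create"))
        # PsExec invoked against a \\host target.
        if image in ("psexec.exe", "psexec64.exe") and "\\\\" in cmd:
            hits.append((e["pid"], "psexec-remote-exec"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The parent-child rule is deliberately not tied to a DLL name, since the point the Bitdefender telemetry makes is that the trusted accounting binary is the launcher; the WMIC and PsExec rules will also fire on legitimate administration, so they belong in a review queue rather than a block list.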

The attack stage

Once the infection drops, the encryption stage begins. The ransomware scrambles your data files and overwrites the boot sector of your hard disk so that the next time you reboot, the master index of your C: drive will be scrambled too. To add insult to injury – and presumably taking account of the fact that most users only restart occasionally these days – the ransomware automatically forces a reboot after about an hour, thus activating the secondary scrambling process.

The victim knows there’s a problem because the ransom note takes over their screen:

Here’s a closer look at the ransom note:

Pain for the victim is made worse because the mailbox listed for the ransom payment has been shut down. So if the decision is made to pay the ransom, there’s no way to reliably confirm that the payment went through and that a decryption key is coming.

Is there a kill switch?

One of the most-asked questions in the security industry is whether there’s a kill switch to shut down the infection. The answer is yes, but only a local one, as outlined here:

Sophos protection

Customers using Sophos Endpoint Protection are protected against all the recent variants of this ransomware. The first protection was released June 27 at 13:50 UTC and several updates have followed since then to protect against possible future variants.

In addition, customers using Sophos Intercept X were proactively protected with no data encrypted from the moment this new ransomware variant appeared.

Further to that, customers may choose to restrict the use of PsExec and other dual-use administrative tools on their network. Sophos Endpoint Protection provides PUA detection for PsExec and other remote administration programs that don’t need to be available on every PC and to every user.

We’ve created a video to demonstrate how Intercept X works against Petya.

Defensive measures

Though Sophos customers are protected, there are several things users can do to further bolster defenses. For example:

  • Ensure systems have the latest patches, including the one in Microsoft’s MS17-010 bulletin.
  • Consider blocking the Microsoft PsExec tool from running on users’ computers. A version of this tool is used as part of another technique used by Petya to spread automatically. You can block it using a product such as Sophos Endpoint Protection.
  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Avoid opening attachments in emails from senders you don’t know, even if you work in HR or accounts and you use attachments a lot in your job.
  • Download the free trial of Sophos Intercept X and, for home (non-business) users, register for the free Sophos Home Premium Beta, which prevents ransomware by blocking the unauthorized encryption of files and sectors on your hard disk.

Meantime, to gain a better understanding of threats like this one, we recommend you check out the following resources: