Monthly Archives: June 2017

Microsoft looks to the cloud to make Windows 10 safer for enterprise users

We already knew that the next version of Windows 10, the Fall Creators Update, will feature a large number of new tools for consumers. While it was always clear that business users would also get their fair share of updates, Microsoft remained pretty quiet about what those would look like. That’s changing this week, as the company today announced a number of new security features for Windows 10 that will launch with the Fall Creators Update later this year.

Rob Lefferts, the director of program management for Windows Enterprise and Security, told me that the company is obviously aware of the changing security landscape, which now often includes well-funded and supported hackers. To stay ahead of these threats, the company is doubling down on its existing security efforts, but in addition, it’s now also pushing ahead with new initiatives that emphasize cloud intelligence with AI and machine learning.

So while the team is hardening the Windows 10 platform with this new release — just like it has done with all the previous releases — it’s also building up its efforts to use the cloud to analyze security threats and prevent attacks.

As Lefferts noted, 96 percent of the attacks that Microsoft is seeing are distinct attacks. That’s partly because malware is now often polymorphic but also because the company is seeing more custom attacks.

 

 

One of the main vectors for attacking any desktop operating system is the browser. Back in 2016, Microsoft announced that it was working on a sandboxing technique — the Windows Defender Application Guard — that would allow it to stop attackers from ever getting a foothold on the machine, even if they were able to penetrate the browser’s defenses. It took the company quite a while to get this to market, but the next version of Windows 10 will now ship with support for this feature. Lefferts told me that it took the team a while to figure out the right user experience to enable this feature, which is hard when you start every browser session from zero. The team also had to ensure that it could quickly spin up these micro-containers with the Edge browser fast enough.

In addition, Microsoft is also improving the Windows Defender Exploit Guard with data it gathers from across its users. The Exploit Guard features a large set of intrusion rules and policies and Microsoft says that this feature should now help protect organizations better against quite a few advanced threats, including zero day exploits.

The company has now also built the Enhanced Mitigation Experience Toolkit (EMET), which was previously available as a stand-alone tool, right into Windows 10. Lefferts stressed that this was something that Microsoft’s users had asked for.

 

 

Microsoft is also extending the Windows Defender Advanced Threat Protection (ATP) feature that allows enterprise security teams to detect and respond to threats to include the Windows Server OS for protection across platforms. What’s more interesting, though, is that ATP is now linked to Microsoft’s cloud-based security services that use advanced analytics and machine learning to understand threats based on the huge number of signals Microsoft receives from across its users. The company is also using this cloud-based protection model to improve Windows Defender Antivirus.

Other new features include an improved version of Device Guard, the company’s service for managing which applications an enterprise user can run on a company-issued machine. Device Guard is now also integrated into Windows Defender ATP, which should make it easier to manage for IT and security teams. In addition, companies that want to opt into this can now use data from the Microsoft Intelligent Security Graph, which combines billions of data points to analyze threats, to automatically allow users to install applications that are most likely safe to install (think Microsoft Word, Excel, etc.).

Lefferts noted that Microsoft’s goal is to bring together all of its compute, big data and machine learning smarts — combined with data it gathers from its users around the globe and traditional signature-based approaches — to protect its customers’ machines. “We think the Fall Creators Update takes full advantage of Windows threat protection and we are pushing forward,” he said.

 

via: techcrunch

‘Petya’ ransomware attack strikes companies across Europe

Ukraine’s government, banks and electricity grid hit hardest by cyber-attack, but companies from Saint-Gobain in France to Rosneft in Russia also affected.

A major cyber-attack has struck large companies across Europe, with Ukraine’s government, banks, state electricity grid, telephone companies and even metro particularly badly affected.

The attack has caused serious disruption at companies including advertising multinational WPP, France’s Saint-Gobain, Russian steel, mining and oil firms Evraz and Rosneft, and the Danish shipping giant AP Moller-Maersk.

“We are talking about a cyber-attack,” Anders Rosendahl, a spokesman for the Copenhagen-based shipping group, told the Associated Press. “It has affected all branches of our business, at home and abroad.”

Seventeen shipping container terminals run by a Maersk subsidiary, APM Terminals, in the Netherlands and elsewhere around the world were also affected, the company said.

The Ukrainian deputy prime minister, Pavlo Rozenko, tweeted a picture of a darkened computer screen, saying the government’s entire computer system had been shut down.

Experts said the attack seemed consistent with ransomware described as a variant of a virus known as Petya or Petrwrap.


An attack by WannaCry or WannaCrypt ransomware last month affected more than 230,000 computers in over 150 countries, with the UK’s national health service, Spanish phone giant Telefónica and German state railways among those hardest hit.


The disruptions in Ukraine follow a rash of hacking attempts on state websites in late 2016 and a succession of attacks on Ukraine’s power grid that prompted security chiefs to call for improved cyberdefences.

The central bank said an “unknown virus” was to blame for the latest attacks. “As a result of these cyber-attacks, these banks are having difficulties with client services and carrying out banking operations,” it said in a statement.

“The central bank is confident that the banking infrastructure’s defence against cyberfraud is properly set up and attempted cyber-attacks on banks’ IT systems will be neutralised,” it said.

The state power distributor, Ukrenergo, said its computer system had been hit, but added that the attack had not affected power supplies.

Ukraine has blamed Russia for previous cyber-attacks, including one on its power grid at the end of 2015 that left part of western Ukraine temporarily without electricity. Russia has denied carrying out cyber-attacks on Ukraine.

 

via:  theguardian

Snapchat starts sharing your (and your kids) location. Turn it off.

Snapchat has introduced a “whole new way!” (maybe new to Snap: not to Facebook, Apple and Google) for you to “explore the world” and “meet up with friends”: a location-sharing “Snap Map” that shows when nearby friends are…

…at a dance party!

…or a magic show!

…or having their privacy breached and their location leaked because they didn’t realize that Snap posts their location on Snap Map every time they open the app.

Looking at the Snap Map walkthrough you get when you update Snapchat might lead you to believe that you actually have to opt in to having your location shared when you’re at home, say, or maybe walking down a nearby dark alley, or at a best friend’s apartment… even though… huh… didn’t you say you were going out with Cindy to see a movie tonight?

Image credit: Snap Map walkthrough courtesy of Snapchat

But Snapchat is actually posting your location to Snap Map every time you open the app, not just when you share Snaps to Our Story.

Now bear in mind that Snapchat is crazy popular with children and teens.

Users aren’t limited to a map of nearby friends. They can also search for specific locations, such as schools or playgrounds, with the map displaying any public photos or videos sent by students, as pointed out by The Telegraph.

Multiple police forces and child protection services have warned parents to turn off Snap Map on their children’s phones. In the UK, Preston Police had this to say on the department’s Facebook page:

For all the snapchat users on here, in the last few days they have released a new update which connects to your GPS, and automatically (unless ghost mode is activated) shows where you are on a map to anyone who is on your friends list, and posts can possibly be seen publicly depending on your settings!!

…Obviously this may cause concern for certain users, particularly those who have young children who use the app.

The Telegraph quoted a spokesperson for the National Society for the Protection of Children:

It’s worrying that Snapchat is allowing under 18s to broadcast their location on the app where it can potentially be accessed by everyone in their contact lists.

With public accounts, this will include those who are not known to the user. This highlights why it’s vital children are automatically offered safer accounts on social media to ensure they are protected from unnecessary risks.

…and this is what the UK Safer Internet Centre had to say:

It is important to be careful about who you share your location with, as it can allow people to build up a picture of where you live, go to school and spend your time.

Given how specific this new feature is on Snapchat – giving your location to a precise pinpoint on a map – we would encourage users not to share their location, especially with people they don’t know in person.

As Preston Police noted, Ghost Mode keeps your location private.

How to turn on Ghost Mode

To change settings, open Snapchat and pinch the screen. That will load Snap Map. When you do it for the first time it should ask you if you want to activate ghost mode. If it doesn’t, click on the icon in the top right-hand corner, where you’ll be able to tick a box to turn on ghost mode, like so:

What other apps are stalkery?

Two years ago, Facebook switched off default location tracking and gave users full control over when and how they share such information.

User choice? What a concept!

In March, Facebook Messenger did, though, enable live location sharing, taking a page from the way that Apple handles it in iOS and Google in Android. Namely, users can tap on the location icon within a message to begin sharing their location. They’ll get a map of their current position and the option to share it live.

Thankfully, you can’t leave that location sharing on indefinitely: a clock starts ticking, and you get 60 minutes to share location. Facebook also gives you an estimate of how long it would take you to meet your friends if going by car and shares that ETA with others.

In February, “Live Location Tracking” was also spotted in WhatsApp, apparently in beta mode.

It was apparently switched off by default, as it should be. WhatsApp also gave users the ability to control how long the sharing continued.

Twitter likes to follow us around, too. To turn that off, this is what you do:

Twitter for iOS
  1. Go to Settings and tap Privacy
  2. Tap Location Services
  3. Locate the Twitter app and tap to select Never
Twitter for Android
  1. Tap the navigation menu or profile icon
  2. Tap Settings and privacy
  3. Under General, tap Location and proxy
  4. Deselect the checkbox next to Location

Instagram? Ah, Instagram’s interesting. We’ve seen all sorts of abuse of its location data: there was the underwear thief who used Instagram location data to find victims’ homes, for example.

Instagram at one point was also providing access to its API to Geofeedia, an app used by police to monitor activists and protesters. Geofeedia was also tapping into APIs at Twitter and Facebook to create real-time maps of social media activity in protest areas. Those maps were used to identify, and in some cases arrest, protesters shortly after their posts became public, including in the Dakota pipeline protests in the US.

In March, Facebook and Instagram turned off the data faucet for that location-fueled surveillance.

For its part, Uber has its own stalker history. In December, with the update that brought us version 3.222.4, Uber began tracking users’ locations constantly when the app’s running in the background. It also asked users to always share their address books. Up until that point, it had only collected location data if a user had the app open.

Obviously, Snapchat’s recent debut into the location-sharing, privacy-jeopardizing realm is only the most recent of a long list of apps that have concerning privacy practices. They’re all a reminder that when there’s an app update, whether to the app or to a phone OS, we should review our settings in case there’s a brand new privacy option with a default you didn’t expect.

Remember: if in doubt, don’t give it out, be it your taxpayer ID, your birth date, or your geolocation. You don’t know who will do what with that information, but we do know that plenty of people do plenty of dangerous things.

 

via:  sophos

Microsoft Boosts Ransomware Defenses for Windows 10

Users of newer, patch-supported versions of the Windows operating system aren’t the only ones to receive security updates aimed at protecting them against ransomware attacks such as last month’s WannaCry. Citing the “elevated risk for destructive cyberattacks at this time,” Microsoft said yesterday it’s also making those updates available to customers with older versions of Windows no longer supported with regular patches.

Also known as WannaCrypt, the WannaCry ransomware attack hit computer systems around the world that were still running outdated or unpatched software, such as the long-unsupported Windows XP and Windows 7 machines that had not applied the March 2017 SMB fix. Among the organizations affected were FedEx and the U.K.’s National Health Service (NHS).

‘Elevated Risk for Destructive Cyberattacks’

Microsoft made the unorthodox decision to offer security updates to users with older versions of Windows after identifying some vulnerabilities that “pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations,” Adrienne Hall, general manager for the company’s Cyber Defense Operations Center, said in a blog post.

Following the WannaCry attack, some researchers said North Korea was likely to blame, although officials in that country denied the allegation. The WannaCry malware took advantage of a Windows vulnerability that had been used for surveillance by the National Security Agency before the exploit was stolen and released by the Shadow Brokers hacking group in April.

“Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt,” Hall said in her blog post. However, the best defense against such malware is to update to a new platform that’s supported with regular security updates, she added.

“It is important to note that if you’re running a supported version of Windows, such as Windows 10 or Windows 8.1, and you have Windows Update enabled, you don’t need to take any action,” Hall said. “Older systems, even if fully up-to-date, lack the latest security features and advancements.”

The decision to offer updates for unsupported software “should not be viewed as a departure from our standard services policies,” Eric Doerr, general manager of the Microsoft Security Response Center, said in a separate post on Microsoft’s TechNet site.

Rising Concerns about Future Exploits

In a post last month on the site Steemit, the Shadow Brokers said that sometime this month it plans to launch a “ShadowBrokers Data Dump of the Month” subscription service that will release into the wild new exploits for Web browsers, banks and payment service providers, newer operating systems including Windows 10, and “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.”

Meanwhile, on June 1, the leak-publishing organization WikiLeaks posted online documents obtained from the Central Intelligence Agency’s “Pandemic” project, which targets Windows machines for cyberattacks.

“As the name suggests, a single computer on a local network with shared drives that is infected with the ‘Pandemic’ implant will act like a “Patient Zero” in the spread of a disease,” WikiLeaks said. “It will infect remote computers if the user executes programs stored on the pandemic file server. Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.”

Security experts are voicing concern about the potential for the next cybersecurity attack to cripple utilities, hospitals, or other vital services. The WannaCry attack, for instance, forced Britain’s NHS to postpone numerous surgeries and other procedures. Identity theft, ransomware, and nation-state hackers are posing an increasing threat to the healthcare system in particular, according to a recent report on cybersecurity from the U.S. Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force.

“[T]he rise and sophistication of ransomware attacks that hold IT systems and patient-critical devices hostage continues to grow, as evidenced by hospital ransomware attacks of 2016,” the report stated. “These incidents underscore the concerns about organizations having neither the awareness of current threats nor the technical personnel to prevent or deal with these threats, many of which are not new.”

 

via:  enterprise-security-today

SEGA’s new SEGA Forever collection brings classic games to mobile for free

SEGA is bringing some of your favorite games to mobile in new, free-to-play formats that include ads as a way to drive revenue, support offline play and other more modern features like cloud saves. The games can also be rendered ad-free with a one-time $1.99 purchase, which is a really good deal given the pedigree of some of these titles, and what you might pay elsewhere to get re-released versions of classic console games.

The SEGA Forever collection already has five titles you can get at launch, including Sonic The Hedgehog, Phantasy Star II, Comix Zone, Kid Chameleon and Altered Beast. Each of these will be available on both the Google Play Store and the App Store for iOS devices (with iMessage sticker packs for each included in the bundle).


 

SEGA’s not stopping with those five, however – the plan is to launch new additions to the collection every two weeks, which should mean you’ll eventually see all your boxes ticked in terms of SEGA console nostalgia. This will expand to cover multiple console generations over time, SEGA says, and includes both “official emulations and ported games.”

Classic games likely have a finite shelf life, so it makes sense that we’d see companies do whatever they can to extract all of their value before that time runs out. But for gamers, this new model is a welcome change, since it means you can casually enjoy classics without putting down any money at all, and getting the ad-free upgrade isn’t going to break the bank.

 

via:  techcrunch

Do Not Disturb While Driving feature rolls out in Apple’s newest iOS 11 beta

With the release of iOS 11’s latest beta on Wednesday, testers can now get their hands on one of the new mobile operating system’s most important — if not most glamorous — new features: a long-needed “Do Not Disturb While Driving” mode. Announced in June at Apple’s Worldwide Developer Conference, the feature aims to combat the very dangerous practice of texting from behind the wheel, while also switching off other alerts that entice people to look at their phones while driving.

Distracted driving has become a national safety crisis because of the rise of smartphones. According to statistics from the U.S. Department of Transportation, 10 percent of fatal crashes, 15 percent of injury crashes and 14 percent of all police-reported motor vehicle traffic crashes were attributed to distracted driving — a blanket term that broadly encompasses cell phone use, as well as other in-car activity like adjusting the radio or climate controls, for example.

In 2015, 3,477 people were killed because of distracted driving, and 391,000 were additionally injured.

A number of third parties have approached the problem by offering mobile applications that prevent texting while the vehicle is in motion, but these can only really be integrated at the system level on Android devices. Because iOS applications run in a “sandbox” environment, they can’t interfere with iOS functions — like preventing someone from texting. Carriers have then stepped in with their own measures, like AT&T’s DriveMode, but these focus on silencing calls and text alerts, not on push notifications from apps.

Because of iOS’s lack of a built-in feature, app makers have come up with all sorts of workarounds, such as the use of external hardware, for example. But more often than not, iOS apps could only offer a monitoring solution, rather than a tool to actually block the activity. Other app makers haven’t even bothered trying to port their solution to iOS.

Apple’s “Do Not Disturb While Driving” feature isn’t a tool to fully prevent texting or alerts while in a moving vehicle. Instead, it offers to clamp down on distractions at a system level in a way that Apple has never before offered.

The feature, when active, will be able to tell if you’re in a car when your phone is connected to the car’s USB connection or Bluetooth. It will also be able to use the iPhone’s sensors to determine your speed, even if your phone isn’t connected to a car.

“It’s all about keeping your eyes on the road,” Apple Senior Vice President of Software Engineering Craig Federighi said when introducing the feature at WWDC in June. “When you’re driving, you don’t need to respond to these kind of messages. In fact, you don’t need to see them,” he said while showing a demo where the phone was receiving push notifications from apps like Twitter, Tinder and Words with Friends.

However, the iPhone itself is not on total lockdown. CarPlay functionality still works, for example. You can also still play your music or get navigation assistance through maps and other routing software. Plus, you can configure DND While Driving by choosing which contacts can always get through — similar to how iOS’s “Do Not Disturb” mode works today.

But when the car is in motion, anyone else who texts will get an automated response that reads: “I’m driving with Do Not Disturb turned on. I’ll see your message when I get where I’m going.” A second text also gives them a way to break through and get your attention in the case of an emergency by telling them, “If this is urgent, reply ‘urgent’ to send a notification through with your original message.”

The fact that there’s a way to bypass the setting is key to its adoption.

People worry about being disconnected from their devices for periods of time because they fear that someone won’t be able to reach them in case of an emergency, or other urgent situations. Though we somehow managed to get by before smartphones were ubiquitous, it’s nearly impossible to go back to that state. We’re always connected, and we can’t seem not to be — even if it’s during a short commute to work or school.

Parents also can choose to enable the new Do Not Disturb While Driving feature for their teenage drivers by enabling it in the Restrictions (parental controls) menu in iOS’s Settings. You also can turn it off and on for yourself from the newly revamped Control Center, where a widget is available that lets you enable the feature with a push of a button.

While on, your phone’s screen is dark and only critical alerts get through. The feature’s settings also let you customize the text that’s sent and specify who will receive it (Contacts, Favorites, etc.)

Plus, if you’re a passenger, you can opt to temporarily disable the feature.

Apple is fairly late to the game with this distracted driving prevention feature. Android already offers Auto Reply through Android Auto on any modern Android phone. But despite its delay in getting here, the feature is one of the most significant to arrive with iOS 11.

iOS 11 is currently in beta, and will be released to the public this September.

 

via:  techcrunch

Man Fined $4,000 for ‘Liking’ Facebook Comments

Read very carefully before hitting the Like button on Facebook — it could land you in court.

Reacting to content on Facebook can be achieved by commenting, sharing or probably the most popular method: hitting that Like button. However, a court in Switzerland just convicted a man on defamation claims simply for “Liking” libelous comments posted on the social network.

The comments posted on Facebook referred to an animal rights activist who was accused of “antisemitism, racism and fascism.” To be clear, the man in court did not write these comments, he simply hit the Like button for them. These Likes were made between July and September 2015. That’s before Facebook expanded the Like button to include several other reactions.

According to CNN, the court in Zurich decided to convict the man on several counts of defamation for hitting the Like button. The reason given was his clicking of the Like button constituted “indirectly endorsing” the comments. But further to that, the court also recognized the act of liking the comments as “further distribution” of them. A statement made by the court said, “The defendant clearly endorsed the unseemly content and made it his own.”

Although the defendant has the right to appeal, his punishment for being found guilty amounts to a $4,100 fine. As for Facebook, they are declining to comment on the court case beyond stating the social network sees “no direct link” to the company.

Regardless of what comments were made on Facebook, should the act of hitting the Like button result in a lawsuit? What’s more clear is, if the comments are libelous, then the person who wrote them can be pursued for prosecution.

However you feel about this court case, it’s important to keep in mind such action can be taken against an individual. Does the expansion of the Like button to include several types of reaction to a comment make the situation better or worse? I guess we won’t know that until another Facebook Like button lawsuit happens.

 

via:  entrepreneur

Hackers are Using Your Phone Number to Steal Your Personal Data

You’ve probably noticed that you are required to give your cell phone number when signing up for a new account on popular websites such as Facebook, Gmail, and plenty more. Intended to be an additional safety feature for your account, hackers are now using this added precaution to their advantage.

Hackers have developed “social engineering” tactics in order to gain access to your account. With just your phone number and your email, full name, or the last 4 digits of your social security number, scammers can convince customer service representatives to reset passwords, disclose personal information, and more over the phone. It is easier than ever to impersonate someone’s identity over the phone and cyber criminals are taking full advantage of this.

To protect yourself from an identity breach (as described above) it is most important that you remain aware of this threat. Stay on the lookout for suspicious activity on any of your accounts online and make sure to never disclose your phone number online or to anyone you don’t know. Anyone can use this information to breach your online accounts and steal your identity. Listed below are a few of the most popular companies that require your phone number when making an account. These are some of the most popular sites that criminals attempt to breach through the “phone number method”.

Companies are working on new ways to combat these issues but the system is not perfect. Hackers always seem to be one step ahead of everyone else, so it is impossible to rule out the possibility of one of these attacks. With more than 70% of cyber risk coming from human error, you can mitigate your cyber risk with cyber awareness training and employee education.

 

WATCH: 60 Minutes Shows How Easily Your Phone Can Be Hacked

 

 

via:  securable

New Mac Malware-as-a-Service offerings

A couple of weeks ago, two new Malware-as-a-Service (MaaS) offerings for the Mac became available. These two offerings – a backdoor named MacSpy and a ransomware app named MacRansom – were discovered by Catalin Cimpanu of Bleeping Computer on May 25.

Cimpanu evidently had some trouble getting hold of samples, but on Friday an analysis of MacRansom was posted by Fortinet and an analysis of MacSpy was posted by AlienVault.

Both programs were advertised on Tor websites as “The most sophisticated Mac spyware/ransomware ever, for free.” Neither was directly downloadable; they could only be obtained by emailing the authors at protonmail[dot]com addresses.

Behavior

Despite the claims of sophistication, neither program is particularly advanced. The samples provided to Fortinet and AlienVault were simple command-line executables that, when run, copy themselves into the user’s Library folder.

MacSpy:

~/Library/.DS_Stores/updated

MacRansom:

~/Library/.FS_Store

Because the .DS_Stores folder and the .FS_Store file both have names starting with a period, they are hidden from view unless the user has done something to show invisible files.

As part of the installation, these programs also create LaunchAgent files for persistence – a not at all original method.

MacSpy:

~/Library/LaunchAgents/com.apple.webkit.plist

MacRansom:

~/Library/LaunchAgents/com.apple.finder.plist

Some recent malware has had the capability to customize the install locations and names, but there’s no indication in the reports from Fortinet and AlienVault that such a feature is available in MacSpy or MacRansom, making these quite easy to detect.
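Because the install paths and LaunchAgent names above are fixed, a defender can hunt for them directly. The script below is an added example (not code from the Malwarebytes write-up, Fortinet, AlienVault or the malware itself): it parses every plist in a LaunchAgents folder and flags the pattern both samples share. The page gives only the plist file names and payload paths; the plist contents it generates (Label, ProgramArguments, RunAtLoad), the benign com.example.backup agent, and the heuristic that a com.apple.* label does not belong in a user’s ~/Library/LaunchAgents (Apple ships its own agents under /System/Library/LaunchAgents) are assumptions made for the example.

```python
"""Hunt for the MacSpy / MacRansom persistence pattern in a LaunchAgents folder.
Added example; not code from the write-up or the malware authors."""
import plistlib
import tempfile
from pathlib import Path

# Indicators quoted in the write-up: plist names and hidden payload paths under ~/Library.
KNOWN_LABELS = {"com.apple.webkit", "com.apple.finder"}
KNOWN_PAYLOADS = {"Library/.DS_Stores/updated", "Library/.FS_Store"}


def is_hidden_path(path: str) -> bool:
    """True if any component starts with a period, so Finder hides it by default."""
    return any(part.startswith(".") for part in Path(path).parts if part != "/")


def scan_launch_agents(agents_dir: Path, home: Path) -> list:
    """Return one finding per suspicious plist in agents_dir (a per-user folder)."""
    findings = []
    home_s = str(home)
    for plist_path in sorted(agents_dir.glob("*.plist")):
        try:
            with plist_path.open("rb") as fp:
                agent = plistlib.load(fp)
        except (plistlib.InvalidFileException, OSError):
            findings.append({"plist": plist_path.name, "reasons": ["unparseable plist"]})
            continue
        label = str(agent.get("Label", ""))
        args = agent.get("ProgramArguments") or []
        program = str(agent.get("Program") or (args[0] if args else ""))
        reasons = []
        # Assumption: Apple's own agents never live in a user's LaunchAgents folder.
        if label.startswith("com.apple."):
            reasons.append("Apple-style label in user LaunchAgents")
        if program.startswith(home_s) and is_hidden_path(program[len(home_s):]):
            reasons.append("program hidden under home dir")
        if label in KNOWN_LABELS and plist_path.stem == label:
            reasons.append("known MacSpy/MacRansom label")
        rel = program[len(home_s) + 1:] if program.startswith(home_s) else program
        if rel in KNOWN_PAYLOADS:
            reasons.append("known payload path")
        if reasons:
            findings.append({"plist": plist_path.name, "label": label,
                             "program": program, "reasons": reasons})
    return findings


def write_sample_agents(home: Path) -> Path:
    """Constructed sample data: two plists mimicking the reported IOCs plus one benign agent."""
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True, exist_ok=True)
    samples = {
        "com.apple.webkit.plist": {  # MacSpy-style
            "Label": "com.apple.webkit",
            "ProgramArguments": [str(home / "Library/.DS_Stores/updated")],
            "RunAtLoad": True,
        },
        "com.apple.finder.plist": {  # MacRansom-style
            "Label": "com.apple.finder",
            "ProgramArguments": [str(home / "Library/.FS_Store")],
            "RunAtLoad": True,
        },
        "com.example.backup.plist": {  # benign: visible path, vendor label
            "Label": "com.example.backup",
            "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup", "--daemon"],
            "StartInterval": 3600,
        },
    }
    for name, content in samples.items():
        with (agents / name).open("wb") as fp:
            plistlib.dump(content, fp)
    return agents


def demo() -> list:
    """Run the scanner over the constructed samples in a throwaway home directory."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        return scan_launch_agents(write_sample_agents(home), home)


if __name__ == "__main__":
    for finding in demo():
        print(finding["plist"], "->", "; ".join(finding["reasons"]))
    real = Path.home() / "Library" / "LaunchAgents"
    if real.is_dir():
        for finding in scan_launch_agents(real, Path.home()):
            print("LIVE", finding["plist"], "->", "; ".join(finding["reasons"]))
```

Run as-is it scans the constructed samples and then, if it exists, the current user’s real LaunchAgents folder; the two malicious samples trip all four checks and the benign agent none. The label heuristic is the one worth keeping beyond these two families: any plist in a per-user LaunchAgents folder claiming to be Apple’s deserves a look.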

MacRansom is created with a custom “trigger date,” after which time the malware detonates and encrypts the files in the user’s home folder, as well as on any connected volumes, such as external hard drives. As happened with KeRanger, which had a 3-day delay before encrypting, this delay will likely mean that few people who are using security software will actually be affected, as the malware will probably be detected before it encrypts anything.

Further, the encryption uses a symmetric key – the same key both encrypts and decrypts – that is only 8 bytes (64 bits) long, which is weak by modern standards. However, the key is derived from a random number and is apparently neither saved to disk nor sent back to the authors, so the only way to recover the files is to brute-force the key.

After encryption, the malware displays a pop-up alert telling the user what must be done to decrypt the files, and the alert keeps reappearing even if the user clicks the “Destroy [sic] My Mac” button. Unlike most ransomware, it does not write a copy of that ransom note to any file on the hard drive.

MacSpy is fairly simple spyware, which gathers data into temporary files and sends those files periodically back to a Tor command & control (C&C) server via unencrypted http. It will exfiltrate the following data:

  • Screenshots (taken every 30 seconds)
  • Audio captured via microphone
  • Keystrokes*
  • Clipboard contents
  • iCloud photos
  • Browser data

In the case of keylogging, the malware requires an admin password, which can be provided in the email requesting a copy of the malware. This requires that the attacker knows the password for the target Mac in advance.

If the attacker pays for the malware, they will get additional capabilities, such as more general file exfiltration, access to social media, help with packaging the executable into a Trojan form (such as a fake image file), and code signing.

Analysis avoidance

Although neither of these programs is particularly sophisticated, they both do include some reasonably effective analysis avoidance features. Both include three methods for determining whether they are being analyzed by a researcher, in which case they shut down and do not display their malicious behaviors.

First, they will check to see if they are being run by a debugger, using a call to ptrace.

They will also parse the output from the shell command sysctl hw.model for the word “Mac”, terminating if that is not found. In a virtual machine, this command will not return the model identifier for the hardware, but will instead return a value specific to the virtualization software being used. Thus, if the output does not contain “Mac,” it is most likely being run in a virtual machine, and the most likely reason for that is that it’s being analyzed by a security researcher.

Another virtual machine check that is performed is a check for the number of logical and physical CPUs. Since the number of CPUs is simulated in a virtual machine, this is another fairly reliable indicator that the malware is under analysis.

If any of these checks fail, the malware terminates.

Fortunately, because the malware isn’t signed, it’s possible to hack the executables to bypass these anti-analysis checks and then analyze them in a virtual machine.

About the authors

The websites for the malware include an “About Us” section, in which the authors provide some information about their motivations:

We are engineers at Yahoo and Facebook. During our years as security researchers we found that there lacks sophisticated malware for Mac users. As Apple products gain popularity in recent years, according to our survey data, more people are switching to MacOS than ever before. We believed people were in need of such programs on MacOS, so we made these tools available for free. Unlike most hackers on the darknet, we are professional developers with extensive experience in software development and vast interest in surveillance. You can depend on our software as billions of users world-wide rely on our clearnet products.

I suspect that a lot of this is probably not accurate. I seriously doubt that they would really give away information about their former employers, which would provide a clue that could be used to help track them down and could be used as evidence in a trial. Further, as a security professional myself, I find it rather laughable that the best a security researcher could do for persistence is a launch agent.

Also, the lack of any way to decrypt files in a ransomware app is extremely amateurish. This means that 2/3 of the Mac ransomware that has ever existed has had no means for decrypting files so that users who pay will get none of their data back in return. Hopefully, this will make victims of future Mac ransomware reluctant to pay, which will, in turn, make it unprofitable to develop such malware in the future.

All these factors mean that these hackers undoubtedly do not have the qualifications they claim to have and are actually amateur developers with a tendency towards crime.

Disinfection

The presence of any of the following items is an indicator of infection:

~/Library/LaunchAgents/com.apple.webkit.plist
~/Library/LaunchAgents/com.apple.finder.plist
~/Library/.DS_Stores/
~/Library/.FS_Store
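To turn the indicator list above (and the install and LaunchAgent paths given earlier in the article) into something an admin or responder can actually run, here is an added example; it is not code from the Malwarebytes write-up. It is a POSIX shell check that takes the home folder as a parameter, so it works against a live account as well as a mounted copy of a user's home folder. The function names are mine, and the second function is my own generalisation of the two launch-agent indicators: both samples hide behind a com.apple.* name in the per-user LaunchAgents folder, while Apple's own agents ship under /System/Library/LaunchAgents, so any com.apple.*.plist in a user's folder deserves a look even if its exact name is not on the list.

```shell
#!/bin/sh
# Added example, not code from the Malwarebytes article: a small
# indicator-of-compromise check for the MacSpy / MacRansom file paths the
# article lists. HOME_DIR is a parameter so the same check can be run
# against a live account ($HOME) or a mounted copy of a user's home folder.

# Indicator paths quoted from the article, as "<label>|<path relative to home>".
MAC_IOCS='MacSpy payload|Library/.DS_Stores
MacSpy launch agent|Library/LaunchAgents/com.apple.webkit.plist
MacRansom payload|Library/.FS_Store
MacRansom launch agent|Library/LaunchAgents/com.apple.finder.plist'

# check_mac_iocs HOME_DIR
# Prints "FOUND: <label> at <path>" for every indicator present under HOME_DIR.
# Returns 0 when nothing was found and 1 otherwise, so it can gate a cron job
# or a management script.
check_mac_iocs() {
    home=$1
    found=0
    old_ifs=$IFS
    IFS='
'
    for entry in $MAC_IOCS; do
        IFS=$old_ifs
        label=${entry%%|*}
        rel=${entry#*|}
        # -e matches both the hidden directory and the hidden file.
        if [ -e "$home/$rel" ]; then
            printf 'FOUND: %s at %s\n' "$label" "$home/$rel"
            found=$((found + 1))
        fi
    done
    IFS=$old_ifs
    [ "$found" -eq 0 ]
}

# list_apple_named_user_agents HOME_DIR
# Generalisation (my assumption, not stated in the article): both samples use
# a com.apple.* name in the per-user LaunchAgents folder, while Apple's own
# agents live under /System/Library/LaunchAgents. Any com.apple.*.plist found
# in the user's folder is therefore listed for inspection, whatever its name.
list_apple_named_user_agents() {
    dir=$1/Library/LaunchAgents
    [ -d "$dir" ] || return 0
    for f in "$dir"/com.apple.*.plist; do
        [ -e "$f" ] || continue    # the glob matched nothing
        printf '%s\n' "$f"
    done
}

# Usage on a live Mac:
#   check_mac_iocs "$HOME"; list_apple_named_user_agents "$HOME"
```

The exit status of check_mac_iocs makes it easy to wrap in a management tool or a login script, and because the paths are resolved relative to the supplied folder the same script can be pointed at a forensic image mounted read-only.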

Malwarebytes for Mac will detect these as OSX.MacSpy and OSX.MacRansom.

If you were infected with MacSpy, after removing it, you should be sure to change all your passwords, as they might have been compromised by the keylogging, screen captures and/or clipboard exfiltration. If your work computer has been compromised, contact your IT department to alert them to the issue; otherwise, leaked account credentials or other information could give a criminal inside access to your company’s servers.

If you had a MacRansom infection and didn’t get your data encrypted, consider yourself very lucky. Start backing up your computer regularly if you didn’t already and avoid leaving the backup drive connected all the time.

If you did have data encrypted by the ransomware, it’s possible that it could be decrypted by an expert in cryptography. Although we don’t currently have information about decrypting such files, we will update this article in the future if a method for doing so is identified.


via:  malwarebytes

Google launches its AI-powered jobs search engine

Looking for a new job is getting easier. Google today launched a new jobs search feature right on its search result pages that lets you search for jobs across virtually all of the major online job boards like LinkedIn, Monster, WayUp, DirectEmployers, CareerBuilder, Facebook and others. Google will also include job listings it finds on a company’s homepage.

The idea here is to give job seekers an easy way to see which jobs are available without having to go to multiple sites only to find duplicate postings and lots of irrelevant jobs.


With this new feature, which is now available in English on desktop and mobile, all you have to do is type in a query like “jobs near me,” “writing jobs” or something along those lines, and the search result page will show you the new job search widget that lets you see a broad range of jobs. From there, you can further refine your query to only include full-time positions, for example. When you click through to get more information about a specific job, you also get to see Glassdoor and Indeed ratings for a company.

You can also filter jobs by industry, location, when they were posted, and employer. Once you find a query that works, you can also turn on notifications so you get an immediate alert when a new job is posted that matches your personalized query.

“Finding a job is like dating,” Nick Zakrasek, Google’s product manager for this project, told me. “Each person has a unique set of preferences and it only takes one person to fill this job.”

To create this comprehensive list, Google first has to remove all of the duplicate listings that employers post to all of these job sites. Then, its machine learning-trained algorithms sift through and categorize them. These job sites often already use at least some job-specific markup to help search engines understand that something is a job posting (though often, the kind of search engine optimization that worked when Google would only show 10 blue links for this type of query now clutters up the new interface with long, highly detailed job titles, for example).

Once you find a job, Google will direct you to the job site to start the actual application process. For jobs that appeared on multiple sites, Google will link you to the one with the most complete job posting. “We hope this will act as an incentive for sites to share all the pertinent details in their listings for job seekers,” a Google spokesperson told me.

As for the actual application process itself, Google doesn’t want to get in the way here and it’s not handling any of the process after you have found a job on its service.

It’s worth noting that Google doesn’t try to filter jobs based on what it already knows. As Zakrasek quipped, the fact that you like to go fishing doesn’t mean you are looking for a job on a fishing boat, after all.

Google is very clear about the fact that it doesn’t want to directly compete with Monster, CareerBuilder and similar sites. It currently has no plans to let employers post jobs directly to its jobs search engine, for example (though that would surely be lucrative). “We want to do what we do best: search,” Zakrasek said. “We want the players in the ecosystem to be more successful.” Anything beyond that is not in Google’s wheelhouse, he added.

Monster.com’s CTO Conal Thompson echoed this in a written statement when I asked him how this cooperation with Google will change the competitive landscape for job sites. “Google’s new job search product aligns with our core strategy and will allow candidates to explore jobs from across the web and refine search criteria to meet their unique needs,” he wrote. “Yes, as with anything, there will be some challenges and adjustments to existing job posting sites; the biggest perhaps being for those that are currently driven by SEO.”


via:  techcrunch