Monthly Archives: June 2017

Verizon closes $4.5B acquisition of Yahoo, Marissa Mayer resigns

It’s now official. After Yahoo shareholder approval last week, Verizon today announced that it has finally closed its acquisition of Yahoo, which it plans to combine with its AOL assets into a subsidiary called Oath, covering some 50 media brands (including TechCrunch) and 1 billion people globally. It will be led by Tim Armstrong, who was the CEO of AOL before this. As expected, Marissa Mayer, who had been the CEO of Yahoo, has resigned.

“Given the inherent changes to Marissa Mayer’s role with Yahoo resulting from the closing of the transaction, Mayer has chosen to resign from Yahoo. Verizon wishes Mayer well in her future endeavors,” Verizon said in a statement. You can find Marissa in her own words here on Tumblr. It’s a long list of the achievements made with her at the helm these last five years, and — alas — you will only read of the struggles that Yahoo went through between the lines.

The deal, nevertheless, brings to a close the independent life of one of the oldest and most iconic internet brands, arguably the one that led and set the pace for search — the cornerstone of doing business on the spaghetti-like internet — at least until Google came along and surpassed Yahoo many times over, and led the company into a number of disastrous and costly attempts to redefine itself, ultimately culminating in the sale we have here today.

The sale of Yahoo is another sign of the massive consolidation that continues to happen in the world of online media and content, as large companies look to bring together multiple audiences for economies of scale to build out stronger advertising businesses in competition with the likes of Google and Facebook.

“The close of this transaction represents a critical step in growing the global scale needed for our digital media company,” said Marni Walden, Verizon president of Media and Telematics (which will include Oath), in a statement. “The combined set of assets across Verizon and Oath, from VR to AI, 5G to IoT, from content partnerships to originals, will create exciting new ways to captivate audiences across the globe.”

Carriers have been an especially interesting player in this regard, as they are looking to offset declines in their legacy businesses. But don’t cry for Verizon just yet: the company employs 161,000 people and made $126 billion in revenues in 2016, with 113.9 million retail connections in its mobile business.

As we wrote last week, there will be cuts of around 15 percent of all staff associated with the acquisition of Yahoo and merger with AOL, around areas like operations and sales and marketing. Today, no word about that in the official announcement although we are asking about this.

Also not specified is who else is departing along with Mayer. As we reported last week, Adam Cahan, who had been an SVP at Yahoo very close to Mayer, was also on his way out, as was Bob Lord, the CISO who was at the head of Yahoo’s security operations when its massive breaches were revealed (although he was not there at the time that they were taking place). That breach resulted in Verizon knocking several hundred million dollars off its original offer price for the company.

We’re trying to confirm these and other details, but in the meantime, unsurprisingly, David Filo, Eddy Hartenstein, Richard Hill, Marissa Mayer, Jane Shaw, Jeffrey Smith and Maynard Webb Jr. have already resigned from Yahoo’s board.

Those who are keeping jobs in the media division in the newly merged operation include Jared Grusd leading the News vertical (including yahoo.com, aol.com, HuffPost, and Yahoo News); Geoff Reiss leading the Sports vertical; David Karp leading the People and Community vertical (including Tumblr, Polyvore, Cabana, Yahoo Answers, Yahoo View, and Kanvas); Andy Serwer leading Finance media (including Yahoo Finance and Autoblog); Michael LaGuardia leading Finance product and utilities; Ned Desmond leading TechCrunch and Engadget; Alex Wallace leading OTT video production & distribution as well as lifestyle & entertainment (that includes BUILD, RYOT, Yahoo Celebrity, Yahoo Style, Yahoo BeuYahoo TV, Yahoo Movies, Yahoo Music, and Yahoo Entertainment); Dave Bottoms heading up distribution products (Newsroom and video OTT products) as well as growth, monetization, and syndication; Tim Tully leading all of engineering; Dave McDowell leading subscriptions, commerce, and customer care (including Yahoo Shopping and AOL Shopping); and Mary Bui-Pham leading our operations (including design, UXRA, analytics, and program management).

“We’re building the future of brands using powerful technology, trusted content and differentiated data. We have dominating consumer brands in news, sports, finance, tech, and entertainment and lifestyle coupled with our market leading advertising technology platforms,” Armstrong said in a statement. “Now that the deal is closed, we are excited to set our focus on being the best company for consumer media, and the best partner to our advertising, content and publisher partners.”

This will include not just media brands but the ad tech underpinning how these audiences are monetized. In this case, the focus is on ONE by AOL and its BrightRoll technology covering mobile, video, search, native and programmatic ads.

An internal memo from Armstrong is below.

Team,

Today is a historic day. We are bringing together some of the most important and scaled brands and products that have revolutionized the way the world works. Our combined services reach over a billion people each month. Building brands people love is our mission and that gives us a billion people to keep building for everyday.

Over the coming years, another 3 billion people will join the revolution with an overwhelming majority being mobile only consumers. With our talent, technology, and brand platforms coupled with Verizon’s strategic mobile position, we will occupy one of the best strategic positions in the global marketplace. The opportunity in front of us is not about the opinions from the pundits and it is not about the competition, it is about our ability to maniacally focus on delivering magical services to mobile enabled consumers.

The companies and platforms in our portfolio have very strong track records of building brands that consumers love. From Yahoo to TechCrunch to AOL to Yahoo Mail to HuffPost to Tumblr to Yahoo Finance to Flurry, consumers and customers across the globe choose our brands everyday to deliver their digital world experiences. Our job is to deliver three simple objectives:

  • Build brands consumers love (also our mission – consumers come first in our objectives)
  • Build platforms customers love
  • Build a company talent loves

Many people across the combined companies have done a tremendous amount of work over the past year. The talent level at the combined companies has been on display in every area of work that has been accomplished in order to get to today. The team from Yahoo, led by Marissa, deserves a special thank you. Yahoo is an incredible brand and talent-based company and we have been impressed with the people, the products, and the spirit.

We want to bring everyone together today to talk about our future together. We are starting a journey together and that journey will be exciting and it will be challenging. Accomplishing our objectives and goals will require adjustments to the company and it will require us to provide clarity on the strategy and the integration objectives. We will start discussing that today.

Let’s make it happen – TA

More is sure to come.


via:  techcrunch

FIN7 Hitting Restaurants with Fileless Malware

FIN7, closely associated with the notorious Carbanak group, is behind a targeted phishing campaign singling out restaurants with fileless malware that is difficult to detect.

The recent campaign incorporates “never before seen evasive techniques that allow (malware) to bypass most security solutions,” wrote researchers at Morphisec Lab in a report released on Friday.

They said the malware attacks “pose a severe risk to enterprises” because the malware is so hard to detect. As of Friday, there was a zero detection rate on VirusTotal for the documents used to deliver the malware.

“This means the attackers successfully bypass static analysis by most of the security solutions,” said Michael Gorelik, vice president of research and development at Morphisec.

He said the fileless attacks are currently targeting restaurants across the United States. The objective of the FIN7 attackers is to seize system control and install a backdoor to steal financial information at will. The initial attack pattern is typical of fileless malware. First, a well-crafted phishing email is sent with an RTF Word document attached which, if opened, launches a fileless attack based on DNS queries that delivers the shellcode stage (Meterpreter).

The twist, according to Morphisec Lab researchers, is the use of DNS queries to deliver the shellcode stage. “In this new variant, all the DNS activity is initiated and executed solely from memory–unlike previous attacks which used PowerShell commands.”

In March, FIN7’s fileless malware campaign focused on financial institutions and government agencies. The previous PowerShell script opened a backdoor and grabbed commands from the command-and-control server. Today’s FIN7 attacks are different: by using DNS queries and shellcode, researchers say, attackers can more effectively evade detection, mount future attacks and be more prolific. According to an analysis of OpenDNS data, FIN7 is currently carrying out large-scale attacks with peaks of more than 10,000 DNS requests per hour.

“The shellcode phase of this attack is unique and demonstrates the constantly advancing abilities of attackers. The shellcode is the primary differentiating technique between this campaign and past attacks by FIN7 and other threat actors,” Gorelik wrote.

Malicious attachments are restaurant themed and typically named “menu.rtf”, “Olive Garden.rtf” or “Chick Fil A Order.rtf”, to name a few. “The attached RTF file uses OLE and has many similarities to previous FIN7 attacks. But this attack, instead of activating HTA files (mshta.exe) from within the link, executes obfuscated JavaScript code,” researchers said.

Once the RTF document is opened, the victim is presented with a Word file that contains a large image of an envelope that instructs “Double Click Here To Unlock Contents.” According to researchers, all the target needs to do is double-click on the envelope and then press “OK” on a dialogue box to trigger the infection process.

The warning on the dialogue box reads: “The package you are about to open will run a program contained within the package. That program could be anything and may harm your computer.”

The RTF document contains the JavaScript code snippets used to compile and create a scheduled task that runs the malware’s second-stage code after a one-minute delay.

“This delayed execution helps to bypass behavior analysis since the second stage is not directly executed by the first stage,” Gorelik explained. “Basically, FIN7 implemented a shellcode that gets the next stage shellcode using the DNS messaging technique directly from memory. This way they can successfully evade many of the behavior based solutions,” Gorelik said.

The analysis revealed that each DNS query returned additional snippets of shellcode until the payload was complete. The last query is to the subdomain ihc[.]stage[.]12019683[.]ns2[.]true-deals[.]com, according to the research.
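The delivery pattern described above (a client pulling a payload one DNS answer at a time, under a deeply nested subdomain structure, at rates of thousands of queries per hour) leaves a distinctive trace in resolver logs. The following is an added detection example written for this page, not code from Morphisec or from the campaign: it parses BIND-style query log lines (the log format is an assumption), groups queries per client and zone, and flags any pair that resolves an unusually large number of distinct, deep names inside a one-hour window. The sample log is constructed, uses a placeholder zone rather than the real one, and assumes TXT queries; the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# BIND-style query log line (format assumed here; adapt the regex to your resolver's log).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "client": m["client"],
        "qname": m["qname"].rstrip(".").lower(),
        "qtype": m["qtype"],
    }

def parent_domain(qname, levels=2):
    """Approximate the attacker-controlled zone by the last `levels` labels (a simplification)."""
    return ".".join(qname.split(".")[-levels:])

def detect_staged_dns(lines, window=timedelta(hours=1), min_unique=20, min_depth=4):
    """Flag (client, zone) pairs that resolve many distinct, deeply nested names inside `window`.

    A payload pulled down one DNS answer at a time shows up as a burst of unique subdomains
    under one zone, each several labels deep; ordinary browsing reuses a few short names.
    Thresholds are illustrative; tune them to the resolver's normal traffic.
    """
    records = [r for r in map(parse_line, lines) if r]
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], parent_domain(r["qname"]))].append(r)

    alerts = []
    for (client, zone), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            # Slide the window so recs[start:end+1] spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            names = {r["qname"] for r in chunk}
            depth = max(r["qname"].count(".") + 1 for r in chunk)
            if len(names) >= min_unique and depth >= min_depth:
                cand = {"client": client, "zone": zone, "queries": len(chunk),
                        "unique_names": len(names), "max_depth": depth,
                        "qtypes": sorted({r["qtype"] for r in chunk})}
                if best is None or cand["unique_names"] > best["unique_names"]:
                    best = cand
        if best:
            alerts.append(best)
    return alerts

def constructed_log():
    """Constructed sample (not real traffic): one host fetching 30 chunks through names shaped
    like the campaign's <label>.stage.<id>.ns2.<zone>, with a placeholder zone, plus benign
    lookups from another host. The TXT record type is an assumption."""
    base = datetime(2017, 6, 9, 10, 0, 0)

    def stamp(offset):
        return (base + timedelta(seconds=offset)).strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]

    lines = [
        f"{stamp(2 * i)} client 10.0.0.5#5{i:04d}: query: "
        f"c{i:02x}.stage.12019683.ns2.example-c2.test IN TXT + (10.0.0.1)"
        for i in range(30)
    ]
    for i, name in enumerate(["www.example.com", "mail.example.com", "cdn.example.net"]):
        lines.append(f"{stamp(5 * i)} client 10.0.0.7#43000: query: {name} IN A + (10.0.0.1)")
    return lines

if __name__ == "__main__":
    for alert in detect_staged_dns(constructed_log()):
        print(alert)
```

Only the staging host trips the rule; the benign host resolves two or three short names per zone and is ignored. In production the zone approximation should use the public suffix list, and the unique-name threshold should be set well above what the busiest legitimate client produces in an hour.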

Next, a second-stage encrypted shellcode is delivered. Upon decryption more obfuscation takes place. “The shellcode deletes the ‘MZ’ prefix from within a very important part of the shellcode. This prefix indicates it may be a dll, and its deletion helps the attack to evade memory scanning solutions,” the report said.

According to the analysis of the attack, the final payload is CobaltStrike Meterpreter, which is used by many attackers and pen testers. “Having a Meterpreter session on a compromised computer allows for full control of the computer and exfiltration of any data, and in some cases lateral movement inside the organization,” the report said.


via:  threatpost

Google Offers $200,000 for TrustZone, Verified Boot Exploits

Google announced increased rewards for security researchers reporting Android TrustZone or Verified Boot exploit chains. The company is now willing to pay up to $200,000 for such compromises, and will pay up to $150,000 for remote kernel exploits.

The awards are offered as part of the company’s Android Security Rewards program, which turned two this week. The Internet giant paid over $1.5 million in bounties to security researchers reporting Android vulnerabilities over the course of two years, and is looking to pay even more in the future.

During its two-year run, Android Security Rewards has attracted a large number of security researchers, and Google received over 450 qualifying vulnerability reports from the participating researchers over the past 12 months alone.

The total program payout doubled to $1.1 million dollars, and the average pay per researcher jumped by 52.3% compared to the first year, Google says.

During the program’s second year, the Internet giant paid $10,000 or more to 31 researchers, and also paid the top research team, C0RE Team, over $300,000 for 118 vulnerability reports. Over the course of a year, the company paid 115 individuals with an average of $2,150 per reward and $10,209 per researcher.

Unfortunately, none of the reports received over the two-year period included a complete remote exploit chain leading to TrustZone or Verified Boot compromise, which would have received the highest award amount available through the program.

Because no researcher claimed the top rewards in two years, the company decided to apply new reward amounts to all vulnerability reports filed after June 1, 2017, and to stir researchers’ interest by significantly increasing the top-line payouts for exploit chains that could claim them.

Thus, the rewards for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise were increased from $50,000 to $200,000, while those for a remote kernel exploit went from $30,000 to $150,000.

“In addition to rewarding for vulnerabilities, we continue to work with the broad and diverse Android ecosystem to protect users from issues reported through our program. We collaborate with manufacturers to ensure that these issues are fixed on their devices through monthly security updates,” Mayank Jain and Scott Roberts, Android Security team, say.

According to Jain and Roberts, there are over 100 device models with a majority of devices running a security update released within the past 90 days. Furthermore, numerous models run a security update from the last two months, including Google Pixel XL, Pixel, Nexus 6P, Nexus 6, Nexus 5X, Nexus 9.

Various smartphone models from manufacturers such as BlackBerry, Fujitsu, General Mobile, Gionee, LGE, Motorola, Oppo, Samsung, Sharp, Sony, and Vivo also run security patches released over the past two months.


via:  securityweek

Malicious Downloader Uses Mouse-Hovering to Deliver Banking Trojan

A malicious downloader waits for users to hover over modified text or an image file as a means of delivering a banking trojan.

Like most attack campaigns, this operation begins when a user receives a spam email. Bad actors appear to be abusing compromised websites, which they’re using as their command and control (C&C) servers, along with virtual private servers (VPS) to deliver the spam messages. These emails each come with a finance-themed subject line and a serial number, which indicates that those conducting the campaign are tracking their messages.

The attack missives masquerade as invoices. But they’re frauds, as are their Microsoft PowerPoint Open XML Slide Show (PPSX) and PowerPoint Show (PPS) file attachments. Trend Micro threat analysts Rubio Wu and Marshall Chen elaborate on this point:

“Once the would-be victim downloads and opens the file, user interaction is needed—hovering over the text or picture embedded with a malicious link (which triggers a mouseover action), and choosing to enable the content to run when prompted by a security notice pop-up. Microsoft disables the content of suspicious files by default—via Protected View for later versions of Office—to mitigate the execution of malicious routines that abuse features in Microsoft Office, such as macros and Object Linking and Embedding (OLE). Hence, a key ingredient in the infection chain is social engineering—luring the victim into opening the file and enabling the malware-laced content to run on the system.”

Payload embedded in the PPS/PPSX file. (Source: Trend Micro)

Once enabled, the content executes an embedded malicious PowerShell script that downloads Nemucod as a JScript Encoded File. This second-stage downloader, which has spread everything from ad-clicking backdoors to ransomware, contacts the C&C and retrieves the final payload: OTLARD (aka Gootkit), a type of banking trojan known for stealing credentials and banking information in Europe. In this campaign, the number of attack emails carrying OTLARD peaked at 1,444 on 25 May before dying down four days later.
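The mouseover trigger described by Trend Micro lives in the slide XML of the PPSX/PPS package, which is an ordinary OOXML zip, so a mail gateway or triage script can look for it without opening the file in PowerPoint. The following scanner is an added example written for this page, not Trend Micro's tooling or the campaign's own file: it walks every slide, finds DrawingML `hlinkMouseOver` and `hlinkClick` elements, resolves their relationship target, and marks as suspicious any action beginning with `ppaction://program`, the PowerPoint action URI that launches a program (a standard OOXML value, not quoted from the article). The two decks it scans are minimal constructed packages with a harmless placeholder target, not real samples.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespace URIs.
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Hyperlink elements that fire on user interaction with a shape or text run.
TRIGGERS = {f"{{{A_NS}}}hlinkMouseOver": "mouseover", f"{{{A_NS}}}hlinkClick": "click"}

def load_rels(zf, slide_path):
    """Map relationship Id -> Target for one slide's .rels part (absent parts give {})."""
    head, _, name = slide_path.rpartition("/")
    rels_path = f"{head}/_rels/{name}.rels"
    if rels_path not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_path))
    return {rel.get("Id"): rel.get("Target")
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship")}

def scan_ppsx(data):
    """Return one finding per interactive hyperlink in the deck; 'suspicious' marks
    actions that run a program, as opposed to ordinary web links or slide jumps."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for path in sorted(zf.namelist()):
            if not (path.startswith("ppt/slides/") and path.endswith(".xml")):
                continue
            rels = load_rels(zf, path)
            root = ET.fromstring(zf.read(path))
            for el in root.iter():
                kind = TRIGGERS.get(el.tag)
                if kind is None:
                    continue
                action = el.get("action", "")
                findings.append({
                    "slide": path,
                    "trigger": kind,
                    "action": action,
                    "target": rels.get(el.get(f"{{{R_NS}}}id")),
                    "suspicious": action.startswith("ppaction://program"),
                })
    return findings

def build_constructed_deck(trigger, action_attr, target):
    """Constructed minimal one-slide package for testing (not a real sample). `trigger` is
    hlinkMouseOver or hlinkClick; `action_attr` is '' or ' action="..."'."""
    slide = f'''<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}">
  <p:cSld><p:spTree><p:sp><p:nvSpPr><p:cNvPr id="2" name="Lure">
    <a:{trigger} r:id="rId2"{action_attr}/>
  </p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>'''
    rels = f'''<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId2" Type="{R_NS}/hyperlink" Target="{target}" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    lure = build_constructed_deck("hlinkMouseOver", ' action="ppaction://program"',
                                  "cmd.exe /c echo constructed-benign-sample")
    benign = build_constructed_deck("hlinkClick", "", "https://example.com/")
    for finding in scan_ppsx(lure) + scan_ppsx(benign):
        print(finding)
```

The check is deliberately narrow: a `ppaction://program` action on any trigger is the thing to quarantine, while a plain `hlinkClick` to a URL is what legitimate decks contain. Because the scan never renders the slide, it is safe to run on untrusted attachments at the gateway, and it catches the hover variant and the older click variant with the same rule.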

To protect themselves against malspam campaigns such as the innovative operation described above, users should make use of Protected View when viewing Microsoft documents they download from their emails. By extension, they should think twice before enabling content. They should also avoid clicking on suspicious email attachments and URLs in messages.


via:  tripwire

Amazon ends its unlimited cloud storage plan

Another cloud storage party is over, guys: Amazon has sunsetted its unlimited cloud storage plan for Amazon Drive — although members of its Prime subscription club will still get unlimited cloud storage for photos.

People signing up for Amazon Drive will not be able to select an unlimited cloud storage option. Instead they can choose either 100 GB for $11.99 per year, or 1 TB for $59.99, with up to 30 TB available for an additional $59.99 per TB. (The prior pricing was $11.99pa for unlimited photos or unlimited everything for $59.99.)

All sign ups still get 5GB of storage gratis. Best to think of that as getting your first hit for free.

As for unlimited storage, Amazon only introduced the option in March 2015 — when it was couched as an aggressive play in an increasingly competitive consumer cloud storage market. And lo and behold, two months later Google announced its own free unlimited photo storage service.

Two years later Amazon is now tightening the screws on those who have locked their data inside its vaults — an all too familiar story in the cloud storage space.

Though the photo exception is notable, and not just because Google’s competing unlimited photo storage offer persists but because photos offer a rich stream of personal data extractable by third parties via machine learning technology. tl;dr your personal photos are a lot more valuable than your storage-heavy digital entertainment collection.

Current Amazon Drive customers who have the old unlimited storage plan will keep it through its expiration date, after which those with auto-renew turned on — and less than 1TB of data stored — will be automatically renewed into the 1TB plan at $60pa.

Those with auto-renew turned off, or who have more than 1TB stored, will have to visit the Manage Storage page to opt in to one of the new limited storage plans.

Those who don’t take action to switch to a new plan — and who are storing more data than their free storage quota — will find their account in “over-quota status” once their subscription expires, meaning they won’t be able to upload additional files, and can only view, download, and delete content.

Amazon says users in this position will have 180 days to either delete content to bring their total content within the free quota or else sign up for a paid storage plan. After 180 days, the company will delete data automatically to get the account back within quota — starting with the most recent uploads first. (You can read Amazon’s Data Retention Policy here.)

While Prime members don’t have to worry about their photo storage, which continues to be unlimited, non-photo content can be considered over-quota even for Prime members — so these Amazon customers may still need to take action to save some of their data.

Amazon notes that Drive users can change their plan at any time, and that files from Drive can be downloaded to a computer using the Amazon Drive Desktop Application.


via:  techcrunch

Twitch expands game sales to more streamers

In March, video game streaming site Twitch introduced a new way for its streamers to make money: by selling games directly to their fans. Initially, however, that feature was only available to Twitch’s Partners – that is, the site’s top-tier streamers with large audiences. Today, Twitch is adding game sales to its newly launched Twitch Affiliate program, as well.

The affiliate program was introduced last month as a means of giving streamers who weren’t large enough to gain “Partner” status a way to make money from their efforts. At launch, Twitch Affiliates could generate revenue through Twitch’s virtual “tipping” option, Cheering with Bits. But the company promised that more tools would become available to Affiliates in time.

Selling video games to fans will essentially work the same for Twitch Affiliates as it does for Twitch Partners. The idea is that streamers can showcase the titles they’re playing, giving fans the opportunity to purchase the games in question right from the site. That turns streamers into a crowdsourced advertising team of sorts for game publishers, while shifting Amazon-owned Twitch into more of an online retailer and game distributor, as well.

Affiliates, like Partners, will display the titles and other in-game content for sale on their Channel pages on the site. They’ll also earn 5 percent on game purchases. (Another 70 percent goes to game publishers, and Twitch keeps the rest.)

Games are also available from the game’s detail page at any time. The games are downloaded via Twitch’s desktop app.

At launch, Twitch was offering around 50 titles available for sale from game publishers large and small.

This included titles like Ubisoft’s For Honor and Tom Clancy’s Ghost Recon: Wildlands; Telltale Games’ The Walking Dead and Minecraft: Story Mode; Hi-Rez Studios’ SMITE and Paladins; Paradox Interactive’s Tyranny; Trion Worlds’ Atlas Reactor; Double Fine Productions’ Broken Age and Psychonauts; Campo Santo’s Firewatch; Jackbox Games’ Jackbox Party Pack 3; and Digital Extremes’ Warframe, and others.

Today, Twitch tells us it has nearly doubled its lineup to include close to a hundred titles. Some of the newer additions include a Twitch exclusive Warframe Prominence bundle and Bob Ross skins for SMITE.

The company is also kicking off the expansion of game sales by giving out double the Twitch Crates for the week ahead. Crates are an incentive Twitch uses to encourage game sales on its site, by offering other content along with the game itself, like its emotes, chat badges, and Bits.

Twitch declined to say how popular game sales have been on its site since their debut, given how early the company is into this new area of its business.

The move into game sales gives streamers another way to make money – something that’s needed to grow a strong creator community. However, the changes could also have an impact on the type of content featured on Twitch – subtly shifting streamers to favor those games from publishers working with Twitch over the ones they would have otherwise chosen.

Twitch Affiliates will be a much larger group than Partners, which greatly expands Twitch’s ability to sell games. While there are only 17,000 Partners out of a total of 2.2 million unique streamers per month, Twitch invited “tens of thousands” of non-Partnered channels to its Affiliate program.

Twitch Affiliates will have the ability to sell games on the site, starting today.

Below is Twitch’s original announcement about game sales:


Twitch Games Commerce Announcement from Twitch on Vimeo.


via:  techcrunch

Multiple Vulnerabilities Found in Popular IP Cameras

Multiple vulnerabilities have been found in China’s Foscam-made IP cameras. The vulnerabilities were reported to the manufacturer several months ago, but no fixes have been made available. Foscam cameras are sold under different brand names, such as OptiCam. Users are advised to check the manufacturer of any IP cameras they own and, if necessary, take their own mitigation steps.

The vulnerabilities, 18 in all, were discovered by F-Secure, who specifically found them in the Opticam i5 and Foscam C2 cameras. F-Secure warns, however, that these vulnerabilities will likely exist throughout the Foscam range and potentially in all 14 separate brand names that it knows to sell Foscam cameras.

The flaws include insecure default credentials, hard-coded credentials, hidden and undocumented Telnet functionality, command injection flaws, missing authorization, improper access control, cross-site scripting, and a buffer overflow. All are detailed in a report (PDF) published today.

“Security has been ignored in the design of these products,” said Janne Kauhanen, cyber security expert at F-Secure. “The developers’ main concern is to get them working and ship them. This lack of attention to security puts users and their networks at risk. The irony is that this device is marketed as a way of making the physical environment more secure — however, it makes the virtual environment less so.”

While attention on IoT device security — especially cameras — has been focused by the Mirai botnet and the largest DDoS attack against the internet infrastructure in history, the quantity and severity of the Foscam vulnerabilities is particularly concerning. “These vulnerabilities are as bad as it gets,” commented Harry Sintonen, the F-Secure senior security consultant who found the vulnerabilities. “They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network.”

F-Secure gives several example attacks against the products. For example, unauthenticated users able to access a specific port can use a command injection to add a new root user for the device and to enable a standard remote login service (Telnet). Then, when logging in through this remote login service, they have admin privileges on the device.

A second attack could take advantage of three of the individual vulnerabilities. “The empty password on the FTP user account can be used to log in,” explains the F-Secure report. “The hidden Telnet functionality can then be activated. After this, the attacker can access the world-writable (non-restricted) file that controls which programs run on boot, and the attacker may add his own to the list. This allows the attacker persistent access, even if the device is rebooted. In fact, the attack requires the device to be rebooted, but there is a way to force a reboot as well.”

Since there are no fixes yet available from Foscam, F-Secure recommends that users only install the cameras within a dedicated network or VLAN. It notes that changing the default password will not by itself increase security, since “because of the Foscam IP cameras’ use of hard-coded credentials, in this case an attacker can bypass unique credentials.”

Remediation responsibility, however, remains with the manufacturer. F-Secure lists 12 recommendations for Foscam, ranging from the installation of “a truly random default administrative password” with a password sticker attached to the underside of the device, to the removal of built-in credentials and the implementation of a proper iptables firewall.

In general, vendors should design security into their products from the beginning. “Having product security processes in place,” says the report, “and investing even modest resources into security is a differentiator from competitors. This can also work to vendors’ advantage when regulation enforces secure design practices.”


via:  securityweek

One disaster away from governments doing something on IoT – InfoSec 2017

Regulation is coming to the world of Internet of Things (IoT), according to security expert Bruce Schneier, who used his keynote at Infosec 2017 to warn delegates of the dangers of inaction.

“Regulation is coming for us”, he told the audience, adding:

Governments are going to get involved, regardless. The stakes are too high – the real physical threats from the IoT will force them to act – we’re talking about fear. And nothing incentivises governments to do something stupid like fear. The choice is not between regulation and no regulation, like it used to be. It is between smart government regulation and stupid government regulation.

And if we don’t want outside regulation imposed on us with little thought behind it, we need to start thinking about this. We are one disaster away from government doing something – we need to ensure it is something that is also smart.

Schneier continued to highlight the dangers of the technologies involved, comparing the current trajectory to building a giant, distributed “world-sized” robot, but without clear oversight, he said.

Back in 2011 Marc Andreessen wrote about ‘Why Software Is Eating The World’ but now what is eating the world is IoT. A lot of this cyber-physical technology has the potential to deepen inequities, widen the digital divide. For example, Wannacry’s ransomware attack in the UK resulted in people being turned away from hospitals – that is an availability attack, not a confidentiality attack. Ransomware attacks against cars and against medical systems are different, and suddenly matter much more than attacks against computers.

The remarks follow a statement in March from Maureen Ohlhausen, the head of the US Federal Trade Commission (FTC), that it would take a “wait and see” approach to regulation, in spite of large-scale DDoS attacks like the one generated by the Mirai botnet in late 2016, which knocked domain name system (DNS) host Dyn offline with an attack of historic volume.

The European Commission, in contrast, has announced plans to improve IoT security via the creation of a certification process for devices, comparable to the European energy-consumption labelling scheme, which was implemented in 1992 and covers white goods and similar products.


via:  nakedsecurity

CIA Tool ‘Pandemic’ Replaces Legitimate Files With Malware


Documents published by WikiLeaks describe a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to spread malware on a targeted organization’s network.

The tool, named “Pandemic,” installs a file system filter driver designed to replace legitimate files with a malicious payload when they are accessed remotely via the Server Message Block (SMB) protocol. It has been named Pandemic because it has been specifically designed to infect corporate file sharing servers and turn them into a secret carrier for delivering malware to other people on the target network.

What makes Pandemic interesting is the fact that it replaces files on-the-fly, instead of actually modifying them on the device the malware is running on. By leaving the legitimate file unchanged, attackers make it more difficult for defenders to identify infected systems.

“Pandemic does NOT//NOT make any physical changes to the targeted file on disk. The targeted file on the system Pandemic is installed on remains unchanged. Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the ‘replacement’ file,” the tool’s developers said.

Pandemic, which works on both 32-bit and 64-bit Windows systems, is initially installed on machines from which users download or execute files remotely via SMB. According to the documents leaked by WikiLeaks, the tool can replace up to 20 files at a time – each with a maximum size of 800Mb.

Pandemic developers also provide a DLL file that can be used to determine if the tool is installed, and uninstall it. The files published by WikiLeaks contain information that can be useful for checking a system for Pandemic infections. Experts also pointed out that there is an easy way to see if Pandemic is present on a device.

Do you wanna know if you have Pandemic? REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\Null . #pandemic #WIKILEAKS https://t.co/x5hzLyds2s pic.twitter.com/o3FSdOVlsA

— Giuseppe `N3mes1s` (@gN3mes1s) June 1, 2017
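The registry query in the tweet is a quick indicator, but a stock Windows install already ships a kernel driver service named “Null” (Null.SYS under System32\drivers), so the mere presence of that key proves nothing on its own. The script below is an added example, not code from the page or from the tool’s developers: it reads the Null service key on Windows (via winreg) and compares its values and subkeys against what the stock entry looks like, flagging a changed image path, a file-system-driver service type, or a minifilter “Instances” registration that the stock Null.sys (a plain device driver) would not have. The sample registry entries, and the `example_filter.sys` path, are constructed for the demonstration.

```python
"""Triage helper for the Services\\Null indicator (added example).

On Windows it reads the live key; elsewhere it runs against two constructed
samples so the scoring logic can be exercised offline.
"""
import sys

SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\Null"

# What the stock "Null" driver service looks like: a SERVICE_KERNEL_DRIVER (1)
# whose image is Null.SYS under System32\drivers. The thresholds below are this
# example's own heuristics, not an official signature.
EXPECTED_IMAGE_BASENAME = "null.sys"
SERVICE_KERNEL_DRIVER = 1
SERVICE_FILE_SYSTEM_DRIVER = 2


def assess_null_service(values, subkeys):
    """Return a list of findings; an empty list means the entry matches the stock shape.

    values:  dict of registry value name -> data read from the Null key (None if absent)
    subkeys: list of subkey names under the Null key
    """
    findings = []
    if values is None:
        findings.append("Services\\Null key is absent (unusual on a stock install)")
        return findings

    image = str(values.get("ImagePath", ""))
    normalized = image.replace("/", "\\").lower()
    basename = normalized.rsplit("\\", 1)[-1]
    if basename != EXPECTED_IMAGE_BASENAME:
        findings.append(f"ImagePath does not point at Null.SYS: {image!r}")
    if "\\system32\\drivers\\" not in normalized:
        findings.append(f"ImagePath is outside System32\\drivers: {image!r}")
    if values.get("Type") == SERVICE_FILE_SYSTEM_DRIVER:
        findings.append("service Type is SERVICE_FILE_SYSTEM_DRIVER; stock Null.sys is a kernel driver")
    if any(name.lower() == "instances" for name in subkeys):
        findings.append("minifilter 'Instances' subkey present; stock Null.sys is not a minifilter")
    return findings


def read_null_service():
    """Read the live key (Windows only). Returns (values, subkeys) or (None, []) if absent."""
    import winreg

    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY)
    except FileNotFoundError:
        return None, []
    with key:
        n_sub, n_val, _ = winreg.QueryInfoKey(key)
        values = {}
        for i in range(n_val):
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = data
        subkeys = [winreg.EnumKey(key, i) for i in range(n_sub)]
    return values, subkeys


# Constructed samples (not captured from any real system).
STOCK_SAMPLE = (
    {"ImagePath": r"\SystemRoot\System32\drivers\Null.SYS", "Type": SERVICE_KERNEL_DRIVER},
    [],
)
SUSPICIOUS_SAMPLE = (
    # placeholder driver name; a filter driver squatting on the Null service name
    {"ImagePath": r"\??\C:\Windows\System32\drivers\example_filter.sys",
     "Type": SERVICE_FILE_SYSTEM_DRIVER},
    ["Instances"],
)


def main():
    if sys.platform == "win32":
        samples = {"live": read_null_service()}
    else:
        samples = {"stock sample": STOCK_SAMPLE, "suspicious sample": SUSPICIOUS_SAMPLE}
    for label, (values, subkeys) in samples.items():
        findings = assess_null_service(values, subkeys)
        print(f"{label}: {'no findings' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")


if __name__ == "__main__":
    main()
```

Pair the registry view with `fltmc filters` from an elevated prompt: a file system filter that is actually loaded appears there with its altitude, which gives a second, independent source to reconcile against the service key.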

WikiLeaks has been publishing CIA files, which are part of a leak dubbed “Vault 7,” every Friday since March 23, except for last week of June. The tools exposed by the whistleblower organization include ones designed for hacking Samsung smart TVs, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.

The fact that WikiLeaks delayed the last dump until the day the Russian government once again denied interfering with U.S. elections has led some members of the infosec community to believe that the leaks may be timed to serve other purposes, not just to expose the CIA’s activities.

As you read the #pandemic dumps, be mindful of the fact that you are being manipulated by whoever controls @wikileaks access to this data 7/n

— Jake Williams (@MalwareJake) June 1, 2017

Symantec and Kaspersky have found links between the tools exposed by WikiLeaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”

WikiLeaks’ previous dump was a CIA spyware framework, dubbed Athena – which “provides remote beacon and loader capabilities on target computers” – that works against every version of Microsoft’s Windows operating system, from Windows XP to Windows 10.

The spyware has been designed to take full control over infected Windows PCs remotely, allowing the CIA to perform all sorts of actions on the target system, including deleting data, uploading malicious software and stealing data.

Since March, the whistleblowing group has published 10 batches in the “Vault 7” series, which include the latest and last week’s leaks, along with the following batches:

  • AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
  • Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
  • Scribbles – a piece of software allegedly designed to embed ‘web beacons’ into confidential documents, allowing the spying agency to track insiders and whistleblowers.
  • Grasshopper – revealed a framework that allowed the agency to easily create custom malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
  • Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
  • Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
  • Weeping Angel – spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
  • Year Zero – dumped CIA hacking exploits for popular hardware and software.

via:  securityweek, thehackernews

Enterprises struggle with emergency patching

Companies are struggling to maintain emergency patch cycles, despite the fact that enterprise reliance on legacy systems often means emergency patches are an everyday fact of life, a survey shows.

Some 53% of 500 chief information security officers polled in the UK, Germany and the US say crisis patch management is a major disruption for their IT and security teams.

Enterprises have to issue an emergency patch five times a month on average, and each crisis patch takes an average of 13 man-hours to fix, according to the survey by security firm Bromium.

The survey also revealed that 53% of businesses have had to pay overtime, or bring in a third-party issues response team, to issue patches or fire-fight a security issue in the past year, at a cost of $19,908 (£15,480) per patch.

“We can see with the recent WannaCry outbreak – where an emergency patch was issued to stop the spread of the worm – that enterprises are still having to paper over the cracks in order to secure their systems,” said Simon Crosby, Bromium chief technology officer and co-founder.

“The fact that these patches have to be issued right away can be hugely disruptive to security teams, and often very costly to businesses, but not doing so can have dire consequences.”

WannaCry is not an isolated case, said Crosby. “As ransomware and polymorphic malware become increasingly sophisticated and difficult to defend against, we are going to see many more emergency patches become a crisis – although, sadly, they will often be too late,” he said.

Verizon’s 2017 Data Breach Investigations Report shows there has been a 50% rise in ransomware in the past year. Also, a recent Webroot report showed that 97% of malware infections are polymorphic. As such, it is often too late for most to wait around for a patch, even if the organisation is fast enough to issue the patch right away.

This issue is compounded by the fact that many enterprises are still tied to legacy systems. Computers running Windows 7 accounted for the biggest proportion of machines infected with the WannaCry ransomware, according to Kaspersky Lab, while Statcounter said Windows 7 is also the most popular version of Microsoft’s operating system, accounting for almost half (46%) of Windows computers.

Yet reasons for failing to upgrade can be multifaceted – further research shows that 40% of enterprise software is paid for, but sits unused. This is largely because upgrades are often costly, complex, disruptive and, in some instances, unachievable because of application dependencies.

After patching, security firms have been quick to advise customers to update operating systems, improve user education, and deploy better detection systems, but this advice often fails to chime with the reality of running IT for the enterprise, according to Bromium.

“WannaCry has certainly put a spotlight on a problem that has plagued enterprises for years,” said Crosby. “It is simply impractical to expect enterprise organisations to continually upgrade. Even when they have licences, the actual deployment creates huge disruption, or in some instances would require an entire hardware refresh and result in huge upfront capital costs.

“This is why so many businesses with enterprise agreements still do not upgrade. We need to accept and understand that enterprises are not in a position to constantly patch and upgrade, and apply security that meets the needs of the real world, not the ideal one.”

According to Crosby, micro-virtualisation, whereby individual web pages, documents and workloads can be performed in isolated containers, is the only practical solution to this problem.

Bromium and Glasswall Solutions are examples of security suppliers that are developing technologies with end-users in mind. The technologies are designed to enable employees to work without worrying about being tricked into triggering a malware infection.

There is a groundswell of opinion that end-users cannot be expected to spot well-crafted social engineering attacks designed to trick them into clicking on malicious links and attachments.

Bromium uses micro-virtualisation technology to ensure that whatever a user clicks on launches only within its own virtual machine or micro-VM, so that any malicious code is not passed on to the main IT environment. Glasswall’s software is designed to strip out malicious documents and links before they ever reach employees by breaking documents down to byte level and passing on only the “known good” as defined by manufacturers’ file format standards.
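To make the “pass on only the known good” idea concrete, here is a miniature of that approach applied to PNG files. It is an added example written for this page, not Glasswall’s code and not a description of its product: it parses the file’s chunk structure, keeps only chunk types on an allow-list, re-serializes each kept chunk with a freshly computed CRC, and discards everything else (private or unknown chunks, chunks with a bad CRC, and any bytes trailing the IEND marker). The sample PNG, including its bogus `prIv` chunk and trailing junk, is constructed inside the script.

```python
"""Content disarm and reconstruction in miniature for PNG (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types a viewer needs to render the image. Ancillary chunks (tEXt, zTXt,
# iTXt, ...) and private chunks carry no pixels and are where smuggled data tends
# to hide, so this allow-list drops them on purpose.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def make_chunk(ctype, data):
    """Serialize one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_png(blob):
    """Return (chunks, trailing): chunks is a list of (type, data, crc_ok) up to and
    including IEND; trailing is whatever follows IEND (or the last parsable chunk)."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 8 + length + 4
        if end > len(blob):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        crc_ok = crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]


def rebuild_png(blob):
    """Return (clean_png, dropped). Only allow-listed, CRC-valid chunk payloads are
    carried over, and every kept chunk is re-emitted by make_chunk rather than copied."""
    chunks, trailing = parse_png(blob)
    out = bytearray(PNG_SIGNATURE)
    dropped = []
    seen_iend = False
    for ctype, data, crc_ok in chunks:
        if not crc_ok:
            dropped.append((ctype, "crc mismatch"))
            continue
        if ctype not in ALLOWED_CHUNKS:
            dropped.append((ctype, "not on allow-list"))
            continue
        if ctype == b"IHDR" and len(data) != 13:
            raise ValueError("IHDR must be exactly 13 bytes")
        out += make_chunk(ctype, data)
        seen_iend = seen_iend or ctype == b"IEND"
    if not seen_iend:
        raise ValueError("no IEND chunk; refusing to rebuild")
    if trailing:
        dropped.append((b"<trailing>", f"{len(trailing)} bytes after IEND"))
    return bytes(out), dropped


def build_sample_png():
    """Constructed 1x1 RGB PNG with a private chunk, a CRC-damaged tEXt chunk and
    trailing junk, i.e. the kinds of extra content a rebuild should shed."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)      # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")                 # filter byte + one red pixel
    bad_text = bytearray(make_chunk(b"tEXt", b"Comment\x00constructed"))
    bad_text[-1] ^= 0xFF                                      # corrupt the CRC
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"prIv", b"constructed payload")     # private, unknown chunk
            + make_chunk(b"IDAT", idat)
            + bytes(bad_text)
            + make_chunk(b"IEND", b"")
            + b"trailing junk")


if __name__ == "__main__":
    clean, dropped = rebuild_png(build_sample_png())
    print(f"rebuilt {len(clean)} bytes; dropped:")
    for ctype, reason in dropped:
        print(f"  {ctype!r}: {reason}")
```

The design point is that the output is generated from a parsed, validated model of the file rather than edited in place: a chunk the parser did not understand never reaches the output at all, and the rebuilt image is checked by decoding it again before it is released.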


via:  computerweekly