Monthly Archives: August 2017

8 More Chrome Extensions Hijacked to Target 4.8 Million Users

Extensions for Google’s Chrome browser are under sustained attack: within the past month a series of extension developers have had their accounts hijacked.

Almost two weeks ago, we reported how unknown attackers managed to compromise the Chrome Web Store account of a developer team and hijacked Copyfish extension, and then modified it to distribute spam correspondence to users.

Just two days after that incident, unknown attackers hijacked another popular extension, ‘Web Developer’, and pushed an update that injected advertisements directly into the browsers of its more than 1 million users.

After Chris Pederick, the creator of ‘Web Developer’ Chrome extension that offers various web development tools to its users, reported to Proofpoint that his extension had been compromised, the security vendor analyzed the issue and found further add-ons in the Chrome Store that had also been altered.

According to the latest report published by the Proofpoint researchers on Monday, the expanded list of compromised Chrome extensions (with the trojanized version numbers) is as follows:

  • Chrometana (1.1.3)
  • Infinity New Tab (3.12.3)
  • CopyFish (2.8.5)
  • Web Paint (1.2.1)
  • Social Fixer (20.1.1)

Proofpoint researcher Kafeine also believes Chrome extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June.

In all of the above cases, the attackers first gained access to the developers’ Google accounts by sending phishing emails with malicious links that harvested their account credentials.

Once the attackers had control of an account, they either hijacked the extension outright and modified it to perform malicious tasks, or added malicious JavaScript to it to hijack traffic and expose users to fake ads and password-stealing pages, all in order to generate revenue.

In the case of the Copyfish extension, the attackers went further and transferred the whole extension to a developer account of their own, preventing the software company from removing the infected extension from the Chrome Web Store even after its compromised behavior had been spotted.

“Threat actors continue to look for new ways to drive traffic to affiliate programs and effectively surface malicious advertisements to users,” researchers concluded. “In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers.”

“Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions.”

At this time, it is unclear who is behind the hijackings of Chrome Web extensions.

The best defense against these attacks is to be suspicious of unsolicited documents and links that arrive by email, and never to open them or enter credentials on the pages they lead to unless you have verified the source.
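As an added check that is not part of the original article or Proofpoint’s report: the script below scans a Chrome profile on disk for the trojanized version numbers in the list above. It assumes Chrome’s standard <profile>/Extensions/<id>/<version>/manifest.json layout and matches on the manifest’s name field, since the article gives names and versions but not extension IDs; the sample profile written by demo() is constructed. A match means the trojanized build was installed at some point, which is a reason to reset credentials and review browser activity, not proof of what the injected code did on that machine.

```python
"""Check a Chrome profile for the trojanized extension versions listed above.

Added example, not code from the article or from Proofpoint. It assumes the
standard on-disk layout <profile>/Extensions/<extension-id>/<version>/manifest.json
and matches on the manifest "name" field, because the page gives names and
versions but not extension IDs.
"""
import json
import tempfile
from pathlib import Path

# (name, trojanized version) pairs taken from the Proofpoint list in the article.
COMPROMISED = [
    ("Chrometana", "1.1.3"),
    ("Infinity New Tab", "3.12.3"),
    ("Copyfish", "2.8.5"),
    ("Web Paint", "1.2.1"),
    ("Social Fixer", "20.1.1"),
]


def installed_extensions(profile_dir):
    """Yield (extension_id, version, name) for every manifest under
    <profile_dir>/Extensions. Version directories look like "2.8.5_0"; the
    authoritative version is the manifest's "version" field. Localized names
    ("__MSG_appName__") are not resolved here and will simply not match."""
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = version_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or corrupt manifest: skip it, don't crash
            name = str(data.get("name", ""))
            version = str(data.get("version", version_dir.name.split("_")[0]))
            yield ext_dir.name, version, name


def find_compromised(profile_dir, compromised=COMPROMISED):
    """Return installed extensions whose name contains a listed name
    (case-insensitive, because manifest names may carry suffixes) and whose
    version is exactly the trojanized one."""
    hits = []
    for ext_id, version, name in installed_extensions(profile_dir):
        for bad_name, bad_version in compromised:
            if bad_name.lower() in name.lower() and version == bad_version:
                hits.append({"id": ext_id, "name": name, "version": version})
    return hits


def default_profile_dirs():
    """Default-profile locations for Chrome on Linux, macOS and Windows."""
    home = Path.home()
    return [
        home / ".config" / "google-chrome" / "Default",
        home / "Library" / "Application Support" / "Google" / "Chrome" / "Default",
        home / "AppData" / "Local" / "Google" / "Chrome" / "User Data" / "Default",
    ]


def build_sample_profile(root):
    """Write a constructed sample profile (fake IDs, not real data): one
    trojanized Copyfish install and two clean installs of listed extensions."""
    samples = [
        ("a" * 32, "2.8.5_0", {"name": "Copyfish", "version": "2.8.5"}),
        ("b" * 32, "1.2.0_0", {"name": "Web Paint", "version": "1.2.0"}),
        ("c" * 32, "3.12.4_0", {"name": "Infinity New Tab", "version": "3.12.4"}),
    ]
    for ext_id, version_dir, manifest in samples:
        target = Path(root) / "Extensions" / ext_id / version_dir
        target.mkdir(parents=True, exist_ok=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo():
    """Run the check against the constructed sample profile."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return find_compromised(tmp)


if __name__ == "__main__":
    for profile in default_profile_dirs():
        if profile.is_dir():
            for hit in find_compromised(profile):
                print(f"{profile}: {hit['name']} {hit['version']} ({hit['id']}) is a trojanized build")
```

Run it on each workstation profile (or point find_compromised at a copied profile directory during incident response); only the Copyfish entry in the constructed sample is flagged, because Web Paint 1.2.0 and Infinity New Tab 3.12.4 are not the versions Proofpoint named.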

 

via: thehackernews

Nintendo’s Splatoon 2 Switch bundle will be a Walmart exclusive

Want those snazzy neon green and pink Switch controllers you’ve been coveting? In the U.S. and Canada, you’ll have to head to Walmart to pick up the Splatoon 2 Switch console bundle – at least initially. The bundle, announced today by Nintendo, will include Neon Pink and Neon Green right and left Switch controllers, as well as Splatoon 2, the console and the dock, along with the Switch controller holder.

The bundle will cost $379.99 and sell beginning September 8 through Wal-Mart stores. It’s basically the price of the console and the game together, since there’s also a Splatoon-themed carrying case in the mix that accounts for that extra $20. Plus it’s the only way to get those incredibly fly controllers in this part of the world (unless you can find the Japanese versions second-hand somewhere).

It sounds like those controllers could eventually get released separately in the U.S. – Nintendo says this is the “first chance” for North Americans to get the accessories, which implies it won’t be the last. But anyone who’s held out on the Switch for this long should probably consider this option anyway.

 

via: techcrunch

Ghost, the open source blogging system, is ready for prime time

Four long years ago John O’Nolan released a content management system for bloggers that was as elegant as it was spooky. Called Ghost, the original app was a promising Kickstarter product with little pizzazz. Now the app is ready to take on your toughest blogs.

O’Nolan just released version 1.0 of the software, a move that updates the tool with the best of modern blogging tools. You can download the self-hosted version here or use O’Nolan’s hosting service to try it out free.

“About four years ago we launched Ghost on Kickstarter as a tiny little prototype of an idea to create the web’s next great open source blogging platform,” said O’Nolan. After “2,600 commits” he released the 1.0 version complete with a new editor and improved features.

The platform uses a traditional Markdown editor and a new block-based editor called Koenig. The new editor lets you edit posts more cleanly within blocks, a feature that uses something called MobileDoc and Ember.js to render complex pages quickly and easily. The team also started a journalism program to support content providers.

While tools like WordPress still rule the day, it’s good to know that there are still strong alternatives out there for the content manager. Although this software has a name that portends dark sorcery and dread magic, I still think it has a “ghost” of a chance.

 

via:  techcrunch

Battle.net lives

Last year Blizzard made what I felt was a huge mistake in scrapping the Battle.net brand, which gamers have associated with properties like StarCraft and Diablo for decades. The company has now reversed that decision, in what can only be a humble acknowledgment of my wisdom in these matters.

“The technology was never going away, but after giving the branding change further consideration and also hearing your feedback, we’re in agreement that the name should stay as well,” the company wrote today in a blog post.

The reasoning in 2016 was that there was “occasional confusion and inefficiencies” from Blizzard, the game development company, and Battle.net, the game launcher and matchmaking service, having different names.

I’m pretty sure that wasn’t actually a problem then, and I don’t think there’s one now. But probably to throw a bone to the marketing manager who suggested this ill-advised course of action in the first place, the service will now be known as “Blizzard Battle.net.”

Zug zug, but we’ll all still just call it Battle.net. Hopefully forever.

 

via:  techcrunch

Tesla and GE are installing solar rooftop systems on 50 Home Depots

Tesla’s energy unit is working with GE’s Current to install solar systems on 50 Home Depot locations in the U.S. The installation is part of a plan on Home Depot’s part to move more of its stores to clean power, with a goal of generating 135 megawatts of clean energy from its locations by 2020, Bloomberg reports.

Under the deal, the power generated by the installations will be sold to Home Depot through power companies in New York, New Jersey, Connecticut, California and Washington, and six of the stores will also get Tesla battery storage, using the company’s commercial Powerpack batteries to hold excess power generated during peak hours in reserve for later use. The solar installations should cut the stores’ demand on the grid by at least one third.

Tesla’s SolarCity has worked on commercial installations of its solar panels on carports and building roofs in the past. The company is doing more with its energy division post-acquisition, including building battery storage systems to support a number of renewable power generation facilities around the world.

 

via:  techcrunch

Twitter users are calling out participants in the Charlottesville white supremacist rallies

As the nation recovers from the tragic violence caused by pro-nazi and white supremacist rallies that took place in Charlottesville, Va., Twitter users have been mobilizing to identify the participants in the weekend’s events.

Since early Sunday morning, the @YesYoureRacist account has been calling on Twitter users to identify participants in the rally.


Other accounts (like @shaunking of the NY Daily News) quickly took up the cause, and within several hours one of the participants in the rallies had been fired by his employer.


Identifying participants in a public rally by name does not violate Twitter’s terms of service (something Jason Del Rey noted in a Recode article earlier today). Twitter only suspends accounts if the poster includes private information like a phone number, social security number, or home address.

The rallies in Charlottesville, which brought together an assortment of neo-nazi, white supremacist, and “alt-right” organizations to protest the removal of a statue of Robert E. Lee, ended in tragedy late Saturday afternoon when Heather Heyer, a resident of Charlottesville, Va., was struck and killed by a car driven by a participant in the white nationalist marches.

The police arrested James Alex Fields Jr., a resident of Maumee, Ohio, and charged him with second-degree murder for the attack.

The identification of participants in the white nationalist demonstrations has brought up the specter of doxing — when private information is released online to harass (or encourage the harassment of) a private citizen.

But, as Dave Weigel noted earlier today, the identification of participants in a public rally isn’t doxing.


Weigel was referring to the identification of Peter Cvjetanovic, a University of Nevada, Reno, student who was identified by @YesYoureRacist and subsequently gave an interview to a local Reno television station.


Cvjetanovic participated in the protests, he said, because the removal of the statue was a symbol for “the slow replacement of white heritage within the United States and the people who fought and defended and built their homeland.”

Cvjetanovic also wanted people to know, “I’m not the angry racist they see in that photo.”

As the firing of Cole White indicates, the identification of participants in these protests has real consequences, and not everyone online is comfortable with the outing of protesters (on the right or the left).

It’s also true that the Twitterati can make mistakes — which was the case when the conservative YouTube celebrity Joey Salads was accused of attending the rallies. Salads (not his real name) was actually vacationing in Jamaica.

Companies are well within their rights to fire people for their political beliefs, as this New York Times piece from 2015 outlines.

For private employees, who account for about 85 percent of the work force, the First Amendment’s guarantee offers no protection from being fired for something you’ve said, either in the workplace or outside of it, as on social media. That’s because the amendment addresses actions by the government to impede free speech, not by the private sector.

And while federal laws bar employers from firing workers because of such variables as their race, religion and gender, there is no such protection for political affiliation or activity.

Even in states like New York and California, which have adopted laws that provide the most cover for political speech, people can be fired for expressing their views (in or out of the workplace).

As Times reporter Alina Tugend writes:

The broadest-based laws, such as those in California and New York, make it illegal to discriminate on the basis of an employees’ political activity or beliefs in or out of work, Ms. Brantner said, unless such activity interferes with the functioning of the business.

Businesses can take a broad view on what kinds of activities interfere with the functioning of a business, and the law offers little protection.

It’s that kind of legal backdrop that has made some commenters question the outing of the neo-nazi and white nationalist participants in the rallies in Charlottesville.

The question seems to revolve around something that my colleague, Brian Heater, brought up earlier today.

The new generation of white nationalism seemingly does not see the need to hide behind hoods as their intellectual forebears may have done, because they do not think they will be held accountable for their views.

But there’s no anonymity online these days, and anyone who acts in public can potentially face public scrutiny. The question is whether the people marching on a weekend are willing to have their views circulated in an office on Monday morning.

 

via:  techcrunch

Is Your Company Underestimating the Dangers of Internal Threats?

When we think of threats to our company’s cybersecurity, the first thing that comes to mind is attacks from the outside. But this line of thinking sometimes leads us to forget another crucial feature of the threat landscape: internal threats. Only about half of companies are aware of the risk of falling victim to cyberattacks due to employee negligence or even “inside jobs”. According to estimates from Haystax, however, the costs of this type of threat could reach into the millions.

Internal Threats

What dangers can arise from this kind of threat? Internal threats usually boil down to negligence or malicious intent, and the first is more common than the second. Negligence often stems from deficiencies in the company’s own organization and security plans, which let users or employees open a security gap without even knowing it. For example, an email carrying a concealed malware file can be the trigger for an infection on the network and a real danger to business cybersecurity. This has been seen in hotels, companies of all kinds, industry, and even in the latest ransomware attacks that caused millions in losses; many times the problem begins inside the company itself.

The second case is one of the most feared, and for good reason. But it also goes underappreciated, as many companies seem to think “it can never happen to me”. It can happen, however, and it happens all the time. To give one example, Verelox, a Netherlands-based hosting service provider, lost client data when an ex-administrator wiped its servers, causing a major setback to the company and compromising clients’ trust.

In both cases, surveys identify privileged users and administrators as the main players jeopardizing cybersecurity, followed by consultants and temporary workers. Fortunately, both cases can be addressed with better organization and the right tools. Tools such as Panda Adaptive Defense prevent attacks at the endpoint, the most common launching point for internal attacks, by blocking any malicious process on the computer immediately.

Monetizing the attack

Customer data is among the most exposed to an internal attack and is one of the main targets, since it can later be sold for a profit. Financial data and intellectual property are also targeted, albeit to a lesser extent. Most internal cybersecurity incidents stem from the monetization of data rather than from fraud or sabotage; industrial espionage, in fact, ranks lower in surveys of concern about internal threats. This is attributed to weakening data protection, coupled with the ease of selling customer data for commercial use.

Prevention is possible

Some of the most serious predictions in the survey warn of the impact insider threats could have on government agencies. The main difficulty is that the threat originates from the inside: in most cases the culprits are users with authorized credentials and a high level of clearance. Corporate cybersecurity problems also tend to accumulate as more and more data is generated, and that data sometimes escapes the iron grip of a security system with the help of an insider.

Observing and monitoring employee behavior within the network, checking server logs for suspicious activity, and using that data to predict a potential internal threat can save a company from overwhelming losses. Solutions like Panda Adaptive Defense 360 and others combine state-of-the-art protection (NG EPP) with detection and remediation (EDR) technologies, and can classify 100% of running processes. These capabilities translate into data that is more secure from threats both internal and external.
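As an added illustration of the “checking server logs for suspicious activity” advice above (example code, not Panda’s product or the article’s own): a small analyser that runs over constructed auth.log-style sudo and sshd lines and flags the insider patterns the article describes, activity by an account that should have been offboarded (the Verelox case), destructive privileged commands, bulk data export, and privileged activity outside business hours. The offboarded-account list, the business hours and the command patterns are assumptions to be tuned per environment.

```python
"""Flag suspicious privileged activity in sudo/sshd log lines.

Added example, not code from the article or from Panda Security. The log
lines are constructed in syslog auth.log format; the offboarded-account list,
business hours and command patterns are assumptions to tune per environment.
"""
import re

OFFBOARDED = {"exadmin"}        # accounts that should have been disabled (assumption)
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time (assumption)

SUDO_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+sudo:\s+(\S+)\s+:.*?"
    r"USER=(\S+)\s+;\s+COMMAND=(.*)$")
SSH_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted\s+(\S+)\s+for\s+(\S+)\s+from\s+(\S+)")
# Commands that destroy data (the ex-administrator case) or export it in bulk.
DESTRUCTIVE = re.compile(r"\b(rm\s+-\w*r\w*|mkfs|dd\s+if=|shred|wipefs|DROP\s+DATABASE)", re.I)
BULK_EXPORT = re.compile(r"\b(mysqldump|pg_dump(all)?|rsync|scp)\b", re.I)

# Constructed sample log (not real data).
SAMPLE_LOG = """\
Aug 14 02:13:07 web01 sudo:   jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/rm -rf /var/lib/customers
Aug 14 09:41:22 web01 sudo: asmith : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart nginx
Aug 14 23:55:01 db02 sshd[2231]: Accepted publickey for exadmin from 203.0.113.9 port 51022 ssh2
Aug 15 10:02:44 db02 sudo: asmith : TTY=pts/0 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/mysqldump --all-databases
"""


def parse(line):
    """Turn a sudo or sshd line into an event dict, or None for other lines."""
    m = SUDO_RE.match(line)
    if m:
        ts, host, user, target, cmd = m.groups()
        return {"time": ts, "host": host, "user": user, "command": cmd,
                "action": f"sudo as {target}: {cmd}"}
    m = SSH_RE.match(line)
    if m:
        ts, host, method, user, src = m.groups()
        return {"time": ts, "host": host, "user": user, "command": "",
                "action": f"ssh login ({method}) from {src}"}
    return None


def analyse(lines):
    """Return one finding per (event, reason) pair; an event can trigger several."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        hour = int(ev["time"].split()[-1][:2])  # HH from the syslog timestamp
        reasons = []
        if ev["user"] in OFFBOARDED:
            reasons.append(("critical", "activity by offboarded account"))
        if DESTRUCTIVE.search(ev["command"]):
            reasons.append(("high", "destructive privileged command"))
        if BULK_EXPORT.search(ev["command"]):
            reasons.append(("high", "bulk data export"))
        if hour not in BUSINESS_HOURS:
            reasons.append(("medium", "privileged activity outside business hours"))
        for severity, reason in reasons:
            findings.append({**ev, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']:8}] {f['time']} {f['host']} {f['user']}: {f['reason']} ({f['action']})")
```

The offboarded-account rule is the one that matters most in practice: a login by an account that HR says no longer exists is a process failure as well as an alert, and it is the condition that would have preceded the server wipe described above. The other rules are noisy on their own and are meant to be combined with who and when, as the sample shows for the off-hours rm -rf.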

 

via: pandasecurity

Locky Adds the .lukitus Extension, Spreads through Waves of Malspam – Security Alert

Why you need to know about the new variant of Locky ransomware.

After infecting computers through recurring malicious email campaigns sent to random recipients in organizations all over the world, Locky ransomware strikes again.

Locky is notorious for its persistence, and cyber criminals keep reviving it in fresh malspam waves that hit users of outdated, poorly protected systems hardest. The most recent campaign, which started late last night, uses a new extension, .lukitus, and was discovered by Rommel Joven. As usual, victims are told they can get their files back only after paying the ransom demanded by the attackers.

The malicious email arrives into users’ inboxes with the following subject lines:

< No Subject > or Emailing - CSI-[0-9]*_MB_S_[A-z0-9]

The email carries a zip or rar attachment containing JS files. When these are executed, they download the payload from various malicious URLs, like the ones in the selection below (sanitized for your online safety):

hxxp://angeldemon[.]com/jbYUF6D

hxxp://antibodyservices[.]net/jbYUF6D

hxxp://ttytreffdrorseder[.]net/of/jbYUF6D

hxxp://asliozturk[.]com/jbYUF6D

hxxp://antwerpiastamps[.]be/jbYUF6D

This is another variation of the same attack, spotted yesterday as well:

Source: Bleeping Computer

To ensure that Locky can reach its command-and-control (C&C) servers unhindered, it also uses a DGA (Domain Generation Algorithm), which yields domains such as the following, and many, many more (sanitized for your online safety):

hxxp://sorqjivpyfrwlo[.]click/imageload.cgi

hxxp://dxeqiniexovy[.]org/imageload.cgi

hxxp://kokalgfsnepogq[.]ru/imageload.cgi

hxxp://kljidoejmiqx[.]org/imageload.cgi

hxxp://jcanepkjyu[.]biz/imageload.cgi

Once the payload is downloaded and executed, it scans the user’s computer and encrypts the files it finds, renaming them in the following format:

[first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].lukitus.

After the encryption is done, Locky deletes the downloaded executable and drops a ransom note, in two files named lukitus.htm and lukitus.bmp, telling users how to pay and get their files back.

This is how the Locky Lukitus ransom note appears on an infected computer:

ransom note message

Source: Bleeping Computer

Although there are a number of free decryption tools out there for other ransomware families, this Locky Lukitus variant remains unbroken, and there is currently no way to decrypt .lukitus files for free.

When the sample was first posted, VirusTotal showed that only 7 of 53 antivirus engines detected the malicious file. In a more recent analysis, 20 of 53 engines identified the threat.

Source: VirusTotal
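As an added triage helper that is not from the article, Bleeping Computer or Heimdal: the script below encodes only the indicators the article gives, the .lukitus file-name format, the lukitus.htm and lukitus.bmp note names and the malspam subject pattern, and walks a directory tree to count encrypted files and ransom notes and extract the victim ID. The file tree written by demo() is constructed; treating the first 16 hex characters of the name as the victim ID and the trailing [A-Za-z0-9]+ in the subject pattern are assumptions.

```python
"""Triage helper for the .lukitus Locky variant described above.

Added example, not code from the article, Bleeping Computer or Heimdal. It
encodes only what the page states: the renamed-file format, the ransom-note
file names and the malspam subject pattern. The file tree in demo() is
constructed; the trailing [A-Za-z0-9]+ in the subject pattern and the use of
the first 16 hex characters as the victim ID are assumptions.
"""
import re
import tempfile
from pathlib import Path

# [8 hex of id]-[4 hex of id]-[4 hex of id]-[4 hex]-[12 hex].lukitus
ENCRYPTED_NAME = re.compile(
    r"^([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-[0-9A-F]{4}-[0-9A-F]{12}\.lukitus$",
    re.I)
RANSOM_NOTES = {"lukitus.htm", "lukitus.bmp"}
# "< No Subject >" or "Emailing - CSI-[0-9]*_MB_S_[A-z0-9]" per the article;
# the final "+" and the hyphen/en-dash tolerance are assumptions.
SUBJECT_RE = re.compile(
    r"^(?:<\s*No Subject\s*>|Emailing\s*[-\u2013]\s*CSI-[0-9]*_MB_S_[A-Za-z0-9]+)$")


def victim_id(filename):
    """Return the 16-hex-character ID embedded in an encrypted file's name,
    or None if the name does not match the .lukitus format."""
    m = ENCRYPTED_NAME.match(filename)
    return "".join(m.groups()).upper() if m else None


def is_lukitus_subject(subject):
    """True if an email subject matches the campaign's subject pattern."""
    return SUBJECT_RE.match(subject.strip()) is not None


def triage(root):
    """Walk a directory tree and summarise what Locky left behind."""
    encrypted, notes, ids = 0, 0, set()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        vid = victim_id(path.name)
        if vid:
            encrypted += 1
            ids.add(vid)
        elif path.name.lower() in RANSOM_NOTES:
            notes += 1
    return {"encrypted": encrypted, "notes": notes, "victim_ids": sorted(ids)}


def demo():
    """Run triage over a constructed sample tree (no real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        for name in ("F1A2B3C4-D5E6-7F80-1234-ABCDEF012345.lukitus",
                     "F1A2B3C4-D5E6-7F80-9ABC-0123456789AB.lukitus",
                     "lukitus.htm", "lukitus.bmp", "untouched.txt"):
            (docs / name).write_bytes(b"constructed sample content")
        return triage(tmp)


if __name__ == "__main__":
    print(demo())
```

The victim ID is worth recording because it is what the ransom note keys on and it lets you group encrypted files across shares and hosts to a single infected machine; the subject check is what you would feed to a mail-gateway rule or a mailbox search for the same campaign.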

Here’s what you can do to protect from this new ransomware attack:

  • Backup, backup and backup again! Keep at least two backups of your important data on external sources such as an external hard drive or cloud storage (Google Drive, Dropbox, etc.). This guide shows how to do it.
  • Update, update and update again! Once again, we remind users to install all the latest updates for the apps installed on the device, including the operating system.
  • Do not open or download email attachments, or click on links, that arrive from unknown sources and could infect your device.
  • Make sure your security software (antivirus) is up to date, or use a proactive security product that blocks access to infected domains and servers.

Ransomware attacks are on the rise and continue to appear in different forms. Once again, we remind you about the importance of being proactive and taking all needed security measures to protect your sensitive data.

 

via:  heimdalsecurity

Amazon Echo hacked to allow continuous remote eavesdropping

Amazon Echo devices older than 2017 can be physically hacked and turned into a ‘wiretap.’ Researchers urge caution when buying second-hand devices.


A 9-year-old Massachusetts boy broke into his neighbor’s apartment, not once but three times, and made off with various goodies, including an iPhone and Amazon Echo. He might have gotten away with it except his neighbor had an audio recording of his voice thanks to Alexa. She told police she recognized her young neighbor’s voice, and according to The Gloucester Times, he now faces charges of breaking and entering and larceny.

Under Settings in the Alexa app, you can check out History like she did. By tapping on items in History, you can review what has been said to Alexa, hear the audio recordings and even individually delete those voice recordings. You can wipe all voice recordings at once via the Amazon app under Your Account>Manage Voice Recordings, then select Delete.

That would not work, however, if your Echo had been rooted and turned into a “wiretap.” That’s something security researcher Mark Barnes from MWR Labs was able to do.

The Amazon Echo is vulnerable to a physical attack that allows an attacker to gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering. Such malware could grant an attacker persistent remote access to the device, steal customer authentication tokens, and the ability to stream live microphone audio to remote services without altering the functionality of the device.

Unlikely to happen to your Echo, but be wary of buying second-hand versions

The fact that physical access is required makes it unlikely this will happen to your Echo. It also works only on the 2015 and 2016 editions of the Amazon Echo, which have a rubber base that can be popped off to reveal 18 debug pads. Neither the 2017 Echo model nor the Echo Dot is vulnerable.

If a knowledgeable attacker did have access to an older Echo, Barnes noted, rooting it is “trivial.” After rooting the Echo, the researchers wrote a script to continuously grab the raw microphone audio data.

Barnes called the physical access requirement a “major limitation.” The how-to is out there now, so maybe that should give you pause before you purchase a second-hand Echo.

Watch out for Echo devices in hotel rooms

It might also be a good idea to immediately hit the mute button on the top of any Echo found in a hotel room, just in case it has been hacked to give attackers 24/7 eavesdropping capability.

Echo devices in hotel rooms are far from common, but when the Wynn Hotel in Las Vegas announced plans “to equip all 4,748 hotel rooms” with an Echo, the hotel said “Alexa will be fully operational in all guest rooms by summer 2017.”

Amazon responded to the turn-Alexa-into-a-spy news by urging customers to “purchase Amazon devices from Amazon or a trusted retailer” and to “keep their software up to date.” It should be noted, however, that a software update would do nothing to stop an already rooted Echo from continuously listening in.

MWR Labs concluded:

The Amazon Echo does include a physical mute button that disables the microphone on the top of the device or can be turned off when sensitive information is being discussed (this is a hardwire mechanism and cannot be altered via software). Although the Echo brings about questions of privacy with its ‘always listening’ microphones, many of us walk around with trackable microphones in our pockets without a second thought.

 

via:  csoonline

Working From Home Makes You Happier and ‘Massively’ More Productive, According to Science

A company in Singapore made half its employees work from home for two years. The results will astound you.

Working from home has got a bad rap. Many people seem to think it’s a way to avoid hard work by getting out from under management’s watchful eyes. Indeed, few pundits seemed to object when Yahoo, IBM, and Aetna rolled back their work-from-home policies.

Indeed, working from home seems like heresy if you believe in the “collaborative, innovative workplace” idea, or (as I call it) the “let’s-force-everyone-to-work-in-an-office-that-looks-like-a-hotel-lobby-from-outer-space” management fad.

Well, the Open-Plan Office Nazis have it all wrong, according to Stanford Professor of Economics Nicholas Bloom. (Kudos to Qz.com for calling my attention to Bloom’s incredibly entertaining TED Talk.)

In his TED Talk, Bloom explains that work-from-home is potentially as powerful and innovative as the driverless car. And he’s dead serious.

As evidence, Bloom cites a Singapore company where half of the staff worked from home for four days a week while the other half came into the office five days a week.

The two-year study revealed that the employees who worked from home had a “massive, massive” (Bloom’s words) increase in productivity–almost equivalent to an additional workday–primarily because of fewer distractions and fewer pointless conversations.

The work-from-home employees also tended to remain in their jobs longer, thereby decreasing employee turnover, which (of course) drains management productivity and results in an expensive loss of skills and connections when an employee quits.

Finally, the work-from-home employees were happier and therefore healthier, thereby reducing sick days and absenteeism (as well as people coming into work with contagious colds and flu), all of which decreased the company’s overall health care expenses.

The experiment was so successful that the company instituted work-from-home throughout the company, which also (as a side benefit) allowed the company to grow without adding expensive office space.

These results echo a recent Gallup study showing that employees who work from home three to four days a week are far more likely (41 percent versus 30 percent) to “feel engaged” and far less likely (48 percent versus 55 percent) to feel “not engaged” than people who report to the office each day.

So there you have it. Companies that are forcing employees to come into their glitzy but noisy and distracting open-plan offices would be much better off if they instead let their employees work from home most of the time.

To which I say: duh.

https://www.inc.com/geoffrey-james/working-from-home-makes-you-happier-less-likely-to.html

 

via:  inc