Monthly Archives: August 2017

Tesla has completed its first ever Solar Roof product installations

Tesla has already completed the first installations of its Solar Roof products, which use integrated solar panels to gather energy. The solar tiles were first introduced last year, and are designed to look essentially indistinguishable from traditional roofing materials so that they present an aesthetically attractive option to consumers who might shy away from traditional panel designs.

The first installations have been made on Tesla employee homes, which mirrors the way it’s distributing the very first Tesla Model 3 automobiles. This is partly a reward for their contribution to the immense effort represented by bringing these things to market, but it’s also likely a strategic decision that allows Tesla to test and monitor its new products early on in their production life.

“I have it on my house, [Tesla co-founder] JB [Straubel] has it on his house,” Elon Musk said on the call. He specified that the first installations were already generating energy as well as being installed.

Tesla started pre-orders for Solar Roof installations during Q2, and is offering a warranty for the lifetime of the house on which they’re installed, “or infinity, whichever comes first.”


via:  techcrunch

 

 

Minecraft’s cross-platform ‘Better Together’ update arrives in beta

Minecraft’s “Better Together Update” is rolling out now in beta, for players on Windows 10 PCs and Android devices. That means players on either platform with the beta installed will be able to participate in games from either type of device, together in cross-platform play.

This update was originally revealed at E3 back in June, and includes other feature additions like community servers and a community Marketplace with paid add-ons. There are also a range of new in-game item types, multiplayer host and permission options, and more.

The beta is also set to roll out for Xbox One “soon,” Microsoft says, which will add the gaming console to the cross-platform action. Microsoft also said when the update was announced that it’ll eventually add support for the Play Together Update to iOS, Nintendo Switch and VR devices (Sony was apparently offered the chance to participate in the update for PlayStation, but declined).

To get in on the beta, players will need the Xbox Insider app for Windows 10 and Xbox One, and on Android they’ll need to have Google Play and of course everyone will need a copy of the game.

This could be huge for unifying Minecraft’s massive player community, which is already quite the club.

 

via:  techcrunch

Malwarebytes for Mac 3 now available


For additional third-party real-time protection on a Mac, you could always install an “on demand” service which, rather than running continuously in the background, will scan your computer when you’re not trying to render animation, export a 4K video or crunch numbers, which all require vital CPU cycles.

Step up Malwarebytes for Mac 3. The previously titled Malwarebytes Anti-Malware was a huge success on the Windows platform, both as a free and premium version and it has now fully transitioned to the Mac OS.

Available as a free on-demand scanner, we’d always recommend adding Malwarebytes to your arsenal of tools to combat malware. Produced and developed in the United States, there’s an element of background history behind the brand, too. You know they have your back.

So, what’s new in v3? The first and most obvious addition is the new user interface, which has a look consistent with the Windows edition without moving too far from Mac guidelines. Malwarebytes has added a menu bar for quick access, whilst a quarantine function will temporarily pause functionality rather than dumping files to trash. There’s also a trial mode so you can see the paid-for Premium features such as real-time protection.

Apart from that, there aren’t a huge number of new features. Think of this release as a transition period that moves the Mac version alongside the Windows edition for future mutual updates.

Malwarebytes for Mac v3 is available now and a Premium version is available for $39.99.

 

via:  betanews

PoC Malware Exploits Cloud Anti-Virus for Data Exfiltration

Security researchers at SafeBreach have created proof-of-concept (PoC) malware that can exfiltrate data from endpoints that don’t have a direct Internet connection by exploiting cloud-enhanced anti-virus (AV) agents.

Although highly secure enterprises might employ strict egress filtering, meaning that endpoints either have no direct Internet connection or have a connection restricted to hosts required by their legitimately installed software, data can be exfiltrated if cloud AV products are in use, the security researchers argue.

Presented at Black Hat USA 2017 by Itzik Kotler and Amit Klein from SafeBreach Labs, the PoC tool relies on packing data inside an executable that the main malware process creates on the compromised endpoint. If the AV product employs an Internet-connected sandbox as part of its cloud service, the data is exfiltrated as soon as the AV agent uploads the newly created executable to the cloud for further inspection, where the file is executed in that Internet-connected sandbox.

In a whitepaper (PDF), the researchers not only provide data and insights on AV in-the-cloud sandboxes, but they also cover the use of on-premise sandboxes, cloud-based/online scanning and malware categorization services, and sample sharing. Furthermore, they provide information on how the attack can be further enhanced and how cloud-based AV vendors can mitigate it.

Dubbed Spacebin, the proof-of-concept tool was made available on GitHub. The project includes directories with both server-side and client-side code. Instructions on how to use the tool are available on the project’s page.

What Kotler and Klein focused on was the analysis of two network architectures found in highly secure organizations: one where endpoints don’t have access to the Internet, but an AV management server does; and another where the machines have access to a closed set of hosts, meaning there’s very limited access to the Internet. In both scenarios, cloud-based AV agents are deployed across all endpoints.

“We are going to abuse the cloud AV sandboxing feature that many AV vendors use. The rationale for this feature is that it enables the AV vendor to offer lightweight agent software, and carry out the heavy-lifting security analysis work in the cloud. Specifically, in such an architecture, the AV agent needs to conduct only basic security checks against other processes and files, allowing for a grey area where a binary “malicious/non-malicious” decision cannot be determined locally. A process/file falling into this grey area is sent to the cloud for further analysis, and a security decision is obtained from the cloud (sometimes in near real time),” the researchers explain.

The sample is typically executed in an AV cloud sandbox and its behavior observed there, where a malicious program can run with no harm to real users or resources, the researchers note. They also argue that the AV cloud sandbox would normally be connected to the Internet, as this would provide better detection capabilities (for example, the malware might attempt to connect to a command and control server and the sandbox would detect that).

“The attacker process (called Rocket) contains a secondary executable (called Satellite) as part of its data. The Satellite can be encrypted/compressed to hide the fact that it is another executable, thus the Satellite can be no more than a piece of data in the Rocket memory space (and file) that does not jeopardize the Rocket. The Satellite contains a placeholder for arbitrary data (“payload”) to be exfiltrated. The location of the placeholder should be known to the Rocket,” the researchers explain.

As part of the attack, the Rocket collects the data (payload) it needs to exfiltrate, decrypts / decompresses the Satellite and embeds the payload in its image (can further compress or encrypt the payload), writes the Satellite image to disk as a file, and spawns the Satellite (from its file) as a child process.

The Satellite then performs an intentionally suspicious action to trigger endpoint AV detection and have the Satellite image file (which contains the payload) sent to the AV cloud. Next, the cloud AV executes the Satellite file in an Internet-connected sandbox and the Satellite process can attempt to exfiltrate the embedded payload using any known Internet-based exfiltration methods.

“Note that this attack is ‘noisy’ in the sense that the AV product will flag the Satellite file as suspicious and as such this may have visible impact on the user, as well as visibility in logs and records. However, for a one time exfiltration attack this will already be too late, as the payload will already be traveling to the cloud by the time this incident is investigated by flesh-and-blood analysts,” the security researchers explain.

One mitigation would be to block the AV sandboxes (both on-premise and cloud sandboxes) from accessing the Internet. This, however, may be too strict in many cases, as the sandbox could then no longer observe a sample’s Internet traffic. A narrower option is to block Internet access only when detonating samples that did not arrive from the Internet: a sample that entered the organization from outside, and has not been modified since, cannot carry enterprise endpoint-specific payloads and so can’t exfiltrate anything useful from the endpoint.

“We can generalize our findings and state that sharing an executable (suspicious/malicious sample) from the organization, with the outside world in some manner (e.g. submitting the sample to a cloud analysis service or allowing such file submission) can result in data exfiltration, unless there is confidence that the sample has arrived from outside the organization and the file has not changed since its arrival,” the researchers conclude.
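The provenance rule the researchers arrive at (detonate with Internet access only what is known to have come from outside and is unchanged since) can be expressed as a small policy check. The following is an added example written for this page; it is not SafeBreach’s Spacebin code and not any AV vendor’s implementation. The ingress-record format, the function names and the sample bytes are assumptions constructed for the example.

```python
"""Provenance-gated sandbox detonation policy.

Added example (not SafeBreach's Spacebin code and not any AV vendor's
implementation). It models the mitigation described above: a sample is
detonated with Internet access only when it is known to have arrived from
outside the organization and is byte-for-byte unchanged since arrival.
The record format, function names and sample bytes are assumptions
constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable


class Detonation(Enum):
    INTERNET = "internet-connected sandbox"
    ISOLATED = "network-isolated sandbox"


@dataclass(frozen=True)
class IngressRecord:
    """What the perimeter (mail gateway, web proxy) logged when a file entered
    the network. Assumed format: the gateway hashes every inbound file before
    it reaches an endpoint."""
    sha256: str
    source: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_ingress_index(records: Iterable[IngressRecord]) -> Dict[str, IngressRecord]:
    """Index gateway records by hash. The index must be fed from the gateway's
    own logs, never from the endpoint that submits the sample; otherwise an
    endpoint could simply claim a locally built file arrived from outside."""
    return {r.sha256: r for r in records}


def choose_detonation(sample: bytes, ingress_index: Dict[str, IngressRecord]) -> Detonation:
    """Decide whether the cloud sandbox may give this sample network access.

    A hit in the ingress index means the bytes are exactly what came in from
    the Internet, so the file cannot have been stuffed with data harvested on
    the endpoint afterwards; observing its network behaviour is safe and useful.
    A miss covers both files created on the endpoint (the Satellite file in the
    attack above) and inbound files modified after arrival; both run offline.
    """
    if sha256_hex(sample) in ingress_index:
        return Detonation.INTERNET
    return Detonation.ISOLATED


# Constructed sample material (not real malware): a file the gateway saw
# arrive, the same file with one byte appended after arrival, and a file that
# only ever existed on the endpoint with an embedded "payload" region.
DOWNLOADED_SAMPLE = b"constructed-inbound-tool-v1"
MODIFIED_SAMPLE = DOWNLOADED_SAMPLE + b"\x00"
LOCAL_SAMPLE = b"constructed-local-satellite|PAYLOAD:" + b"secret-endpoint-data"

INGRESS_INDEX = build_ingress_index([
    IngressRecord(sha256=sha256_hex(DOWNLOADED_SAMPLE), source="web-proxy"),
])


def demo() -> Dict[str, str]:
    """Return the detonation decision for each constructed sample."""
    return {
        "downloaded": choose_detonation(DOWNLOADED_SAMPLE, INGRESS_INDEX).value,
        "modified": choose_detonation(MODIFIED_SAMPLE, INGRESS_INDEX).value,
        "local": choose_detonation(LOCAL_SAMPLE, INGRESS_INDEX).value,
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:>10}: {decision}")
```

The design point is that the decision keys on a hash recorded by infrastructure the endpoint cannot influence; a file that is only one byte different from what arrived is treated as locally produced, which is exactly what the Satellite file with an embedded payload would look like to the gateway.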

 

via:  securityweek

Airlines Alert Customers, Employees of Cybersecurity Incidents

Several North American airlines alerted customers and employees in the past days about various types of cybersecurity incidents, including system breaches, data leaks and credential stuffing attacks.

Virgin America said it detected unauthorized access to information systems containing employee and contractor data on March 13. According to the company, a third-party accessed logins and passwords used for its corporate network.

Cybersecurity forensics experts have been called in to investigate the incident and law enforcement has been notified.

The company said roughly 3,100 employees and contractors had their login credentials compromised, and an additional 110 individuals may have had social security numbers, driver’s license or government issued IDs, addresses, and health-related information stolen.

Canada-based WestJet Airlines told customers on Friday that an unauthorized third party disclosed some WestJet Rewards member profile data. While the leaked data did not contain any payment card or other financial information, the company has notified the Calgary Police Service and the RCMP’s cybercrime unit.

The airline is in the process of notifying affected customers, and it has advised WestJet Rewards members to change their passwords on a regular basis.

Florida-based ultra-low-cost carrier Spirit Airlines has sent an email to customers to notify them of an incident involving their FREE SPIRIT account.

The company told customers that someone published their information on a third-party website, but pointed out that the data was obtained from a prior breach unrelated to Spirit Airlines.

Spirit’s warning comes after a hacker contacted news websites, including SecurityWeek, claiming to have obtained information on 11.7 million Spirit accounts. The individual claimed to have alerted the airline of a vulnerability in its systems, and decided to put the data up for sale on the dark web after the company ignored him.

The hacker has leaked more than 10,000 records apparently belonging to Spirit customers, including names, Spirit account numbers, passwords, dates of birth, phone numbers, addresses and email addresses. However, he refused to provide the full data set or evidence of how he breached the airline’s systems.

Spirit told SecurityWeek that the hacker actually attempted to extort the company using emails and passwords obtained previously from other sources on the Internet.

Security expert Troy Hunt, the owner of the Have I Been Pwned service, told SecurityWeek that all the email addresses he tested from the leaked data show up in Exploit.in, a list of nearly 600 million email address and password combinations compiled using data stolen from various online systems.

Cybercriminals have used the Exploit.in list for credential stuffing attacks, where attackers automatically inject username/password combinations into a website’s login page in hopes that account owners have used the same credentials on multiple online services.
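Credential stuffing of the kind described above leaves a recognisable trace in login logs: one source address cycling through many different accounts with a high failure rate, and the occasional success where a user reused a leaked password. The following detector is an added example written for this page, not code from SecurityWeek, Spirit Airlines or Have I Been Pwned; the log format, thresholds and addresses are assumptions constructed for the example.

```python
"""Credential-stuffing detector run over constructed login log lines.

Added example, not from SecurityWeek, Spirit Airlines or Have I Been Pwned.
It demonstrates the pattern described above: one source trying many
different username/password pairs, mostly failing, occasionally succeeding
where a user reused a leaked password. The log format, thresholds and
addresses are assumptions constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumed log format: one line per login attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log. 203.0.113.5 is one person mistyping their own
# password; 198.51.100.7 is walking a leaked list through the login page.
SAMPLE_LOG = """\
2017-08-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2017-08-01T10:00:09Z src=203.0.113.5 user=alice result=FAIL
2017-08-01T10:00:15Z src=203.0.113.5 user=alice result=OK
2017-08-01T10:02:00Z src=198.51.100.7 user=alice result=FAIL
2017-08-01T10:02:01Z src=198.51.100.7 user=bob result=OK
2017-08-01T10:02:01Z src=198.51.100.7 user=carol result=FAIL
2017-08-01T10:02:02Z src=198.51.100.7 user=dave result=FAIL
2017-08-01T10:02:02Z src=198.51.100.7 user=erin result=FAIL
2017-08-01T10:02:03Z src=198.51.100.7 user=frank result=FAIL
2017-08-01T10:02:03Z src=198.51.100.7 user=grace result=FAIL
2017-08-01T10:02:04Z src=198.51.100.7 user=heidi result=FAIL
"""


def parse_log(text: str) -> List[dict]:
    """Parse lines matching LINE_RE; malformed lines are skipped rather than
    crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(
    events: Iterable[dict], min_distinct_users: int = 5, min_failure_ratio: float = 0.75
) -> Dict[str, dict]:
    """Return per-source statistics for sources that look like credential stuffing.

    The distinguishing signal is breadth, not volume: a stuffing source spreads
    its attempts across many accounts, while a legitimate user hammers one. The
    failure ratio separates a stuffer from a shared NAT address behind which
    many real users log in successfully.
    """
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "users": set(), "failures": 0, "successes": []}
    )
    for ev in events:
        stats = per_ip[ev["ip"]]
        stats["attempts"] += 1
        stats["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            stats["failures"] += 1
        else:
            stats["successes"].append(ev["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        distinct = len(stats["users"])
        ratio = stats["failures"] / stats["attempts"]
        if distinct >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_users": distinct,
                "failures": stats["failures"],
                # Accounts that accepted a stuffed credential: these users'
                # reused password is already public and needs a reset.
                "compromised_accounts": sorted(stats["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The successes reported for a flagged source are the actionable part of the output: they identify the accounts whose owners reused a password that is already in a public list such as Exploit.in, which is where a forced reset (and a check of the address against a breach service) should start.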

 

via:  securityweek

Anthem reports 18,500 members involved in new data breach

Anthem Health Insurance is once again reporting a data breach, this time 18,500 members had their records emailed to the private email address of a staffer at a third-party vendor.

The first indication that there was a problem came in April when Anthem’s insurance coordination firm LaunchPoint Ventures realized one of its employees was likely involved in identity theft activities, Anthem said in a release. On May 28 LaunchPoint discovered the worker had misused another company’s data as well as having emailed a file containing the Anthem membership records to his personal account on July 8, 2016.

LaunchPoint investigated the incident and on June 12 reported the email did contain Protected Health Information and two days later reported the case to Anthem.

“The personal information on the file primarily included Medicare ID numbers (HICN) which includes a Social Security number, Health Plan ID numbers (HCID), Medicare contract numbers, and dates of enrollment. A very limited number of last names and dates of birth were also included,” Anthem reported.

The members involved are now being contacted.

The LaunchPoint employee has since been fired and arrested, but on charges unrelated to this case, Anthem said.

Security issues involving third-party vendors have been a primary cause of data breaches and are an area that companies of all sizes must examine, Gaurav Banga, founder and CEO of Balbix, told SC Media.

“Businesses need to better assess risk of data exfiltration and malicious intent across the enterprise, including third party contractors. Specifically finding the data stores within the enterprise that have a high business impact and are at an increased likelihood from being attacked by infected devices or malicious users, can help predict and prevent such attacks, before they happen. Continuous risk assessment and monitoring of the enterprise attack surface can reveal such risks proactively,” he said.

In 2015 Anthem was involved in a massive hacking incident that saw 80 million customer records compromised. It recently agreed to pay $115 million to settle a class action suit centered on that incident.

 

via:  scmagazine

Hackers Compromise Accounts of FireEye Threat Intelligence Analyst

A hacker or group of hackers claimed today to have breached FireEye’s Mandiant. In a Pastebin post, they claimed, “It was fun to be inside a giant company named ‘Mandiant’… ‘Mandiant’ knows how deep we breached into its infrastructure.”

The “proof” of the breach was somewhat limited information about one Mandiant/FireEye employee, Adi Peretz (FireEye purchased Mandiant for $1 billion in January 2014). Peretz is described in the Pastebin post as ‘Victim #1’, a ‘Senior Threat Intelligence Analyst at Mandiant.’ There is no evidence of a breach deep into Mandiant’s infrastructure, and a FireEye spokesperson told SecurityWeek that the company network has not been breached.

There does not appear to be anything sensitive on Pastebin (Pastebin’s policy is to remove any such data). Instead there is a link to the full dump on megafileupload.com, from where a 32 MB zipped file can be downloaded. The content, however, is not awe-inspiring — embarrassing for Peretz, but hardly damaging to FireEye. It includes personal details from Peretz (such as a rather small Outlook contact list), emails, and freely available PDF documents such as a Cylance-produced PDF description of Cylance Protect.

This highlights a fundamental contradiction in the Pastebin announcement. The hacker announces, “This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future.” Yet from the evidence presented, there is little more than a breach of Peretz’s LinkedIn and other personal accounts.

The LinkedIn account has since been removed, but not before the hackers defaced it with the picture of a bare backside and language to suit.

In a statement emailed to SecurityWeek, FireEye confirms the apparently limited nature of the breach. “We are aware of reports that a Mandiant employee’s social media accounts were compromised. We immediately began investigating this situation and took steps to limit further exposure. Our investigation continues, but thus far we have found no evidence FireEye or Mandiant systems were compromised.”

Although the hacker says he has more, and might leak more in the future, that is not described as the primary drive behind the breach. Effectively, the hacker describes this as the first success (‘Victim #1’) of a new project: Op. #LeakTheAnalyst. The motivation is to embarrass security analysts, not to breach major companies.

“In the #LeakTheAnalyst operation,” says the hacker, “we say fuck the consequence let’s track them on Facebook, Linked-in, Tweeter, etc. let’s go after everything they’ve got, let’s go after their countries, let’s trash their reputation in the field.” For a long time, he says, “we – the 31337 hackers – tried to avoid these fancy ass “Analysts” whom trying to trace our attack footprints back to us and prove they are better than us.” No more. “Let’s unleash hell upon them.”

The clue is in the Op name: LeakTheAnalyst. The question is whether this really is a new, well-resourced hacker campaign, and that more analysts have been compromised and will be embarrassed in the future — or did one hacker get lucky, get into Peretz’s accounts, and is now trying to make it seem like a planned and coordinated campaign?

The hacker or hackers are currently unknown. The poster uses the term, ‘we — the 31337 hackers’; but that is probably a generic usage simply claiming ‘I am one of the elite hackers’.

The leakage is probably not the treasure trove of hugely sensitive internal information claimed by some. It should not, for example, surprise anyone that FireEye/Mandiant meets with the Israeli Defense Force; while a FireEye Threat Intelligence Summary from June 2016 is hardly critical.

Nevertheless, it would be a mistake to believe that the dump contains nothing of value to attackers; and at the very least it is a huge embarrassment for a senior security analyst within a major security firm. Must do better should now be his motto. It appears that he had been owned for upwards of a year — and for the moment, we cannot be certain that additional data has not been lifted.

 

via:  securityweek