Archive for the month of April 2019

Beapy uses the NSA’s DoublePulsar and EternalBlue, plus Mimikatz, to collect and use passwords and mine for cryptocurrency, following Coinhive

Two years after highly classified exploits built by the National Security Agency were stolen and published, hackers are still using the tools for nefarious reasons.

Security researchers at Symantec say they’ve seen a recent spike in a new malware, dubbed Beapy, which uses the leaked hacking tools to spread like wildfire across corporate networks to enslave computers into running mining code to generate cryptocurrency.

Beapy was first spotted in January but rocketed to more than 12,000 unique infections across 732 organizations since March, said Alan Neville, Symantec’s lead researcher on Beapy, in an email to TechCrunch. The malware almost exclusively targets enterprises, host to large numbers of computers, which when infected with cryptocurrency mining malware can generate sizable sums of money.

The malware relies on someone in the company opening a malicious email. Once opened, the malware drops the NSA-developed DoublePulsar malware to create a persistent backdoor on the infected computer, and uses the NSA’s EternalBlue exploit to spread laterally throughout the network. These are the same exploits that helped spread the WannaCry ransomware in 2017. Once the computers on the network are backdoored, the Beapy malware is pulled from the hacker’s command and control server to infect each computer with the mining software.

Not only does Beapy use the NSA’s exploits to spread, it also uses Mimikatz, an open-source credential stealer, to collect and use passwords from infected computers to navigate its way across the network.

According to the researchers, more than 80 percent of Beapy’s infections are in China.

Hijacking computers to mine for cryptocurrency — known as cryptojacking — has been on the decline in recent months, partially following the shutdown of Coinhive, a popular mining tool. Hackers are finding the rewards fluctuate greatly depending on the value of the cryptocurrency. But cryptojacking remains a more stable source of revenue than the hit-and-miss results of ransomware.

In September, some 919,000 computers were vulnerable to EternalBlue attacks — many of which were exploited for mining cryptocurrency. Today, that figure has risen to more than a million.

Typically cryptojackers exploit vulnerabilities in websites, which, when opened on a user’s browser, use the computer’s processing power to generate cryptocurrency. But file-based cryptojacking is far more efficient and faster, allowing the hackers to make more money.

In a single month, file-based mining can generate up to $750,000, Symantec researchers estimate, compared to just $30,000 from a browser-based mining operation.

Cryptojacking might seem like a victimless crime — no data is stolen and files aren’t encrypted, but Symantec says the mining campaigns can slow down computers and cause device degradation.

A new cryptocurrency mining malware uses leaked NSA exploits to spread across enterprise networks

Sensorvault, Google’s location database: turning cellphone users’ locations into a digital dragnet for law enforcement

The warrants, which draw on an enormous Google database employees call Sensorvault, turn the business of tracking cellphone users’ locations into a digital dragnet for law enforcement. In an era of ubiquitous data gathering by tech companies, it is just the latest example of how personal information — where you go, who your friends are, what you read, eat and watch, and when you do it — is being used for purposes many people never expected. As privacy concerns have mounted among consumers, policymakers and regulators, tech companies have come under intensifying scrutiny over their data collection practices.

The Arizona case demonstrates the promise and perils of the new investigative technique, whose use has risen sharply in the past six months, according to Google employees familiar with the requests. It can help solve crimes. But it can also snare innocent people.

https://www.seattletimes.com/nation-world/tracking-phones-google-is-a-dragnet-for-the-police/

Facebook: It’s Hell Inside. Scandals. Backstabbing. Resignations. Record profits. Time Bombs. In early 2018, Mark Zuckerberg set out to fix Facebook.

The confusing rollout of meaningful social interactions—marked by internal dissent, blistering external criticism, genuine efforts at reform, and foolish mistakes—set the stage for Facebook’s 2018. This is the story of that annus horribilis, based on interviews with 65 current and former employees. It’s ultimately a story about the biggest shifts ever to take place inside the world’s biggest social network. But it’s also about a company trapped by its own pathologies and, perversely, by the inexorable logic of its own recipe for success.

Facebook’s powerful network effects have kept advertisers from fleeing, and overall user numbers remain healthy if you include people on Instagram, which Facebook owns. But the company’s original culture and mission kept creating a set of brutal debts that came due with regularity over the past 16 months. The company floundered, dissembled, and apologized. Even when it told the truth, people didn’t believe it. Critics appeared on all sides, demanding changes that ranged from the essential to the contradictory to the impossible. As crises multiplied and diverged, even the company’s own solutions began to cannibalize each other. And the most crucial episode in this story—the crisis that cut the deepest—began not long after Davos, when some reporters from The New York Times, The Guardian, and Britain’s Channel 4 News came calling. They’d learned some troubling things about a shady British company called Cambridge Analytica, and they had some questions.

15 Months of Fresh Hell Inside Facebook

Scandals. Backstabbing. Resignations. Record profits. Time Bombs. In early 2018, Mark Zuckerberg set out to fix Facebook. Here’s how that turned out:

https://www.wired.com/story/facebook-mark-zuckerberg-15-months-of-fresh-hell/

Tim Cook: The Genius Who Took Apple to the Next Level

Excerpted from Tim Cook: The Genius Who Took Apple to the Next Level

They knew that they had to respond immediately. The writ would dominate the next day’s news, and Apple had to have a response. “Tim knew that this was a massive decision on his part,” Sewell said. It was a big moment, “a bet-the-company kind of decision.” Cook and the team stayed up all night—a straight 16 hours—working on their response. Cook already knew his position—Apple would refuse—but he wanted to know all the angles: What was Apple’s legal position? What was its legal obligation? Was this the right response? How should it sound? How should it read? What was the right tone?

iOS 8 added much stronger encryption than had been seen before in smartphones. It encrypted all the user’s data—phone call records, messages, photos, contacts, and so on—with the user’s passcode. The encryption was so strong, not even Apple could break it. Security on earlier devices was much weaker, and there were various ways to break into them, but Apple could no longer access locked devices running iOS 8, even if law enforcement had a valid warrant. “Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” the company wrote on its website. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

The War Room

For the next two months, the executive floor at One Infinite Loop turned into a 24/7 situation room, with staffers sending out messages and responding to journalists’ queries. One PR rep said that they were sometimes sending out multiple updates a day with up to 700 journalists cc’d on the emails. This is in stark contrast to Apple’s usual PR strategy, which consists of occasional press releases and routinely ignoring reporters’ calls and emails.

Cook also felt he had to rally the troops, to keep morale high at a time when the company was under attack. In an email to Apple employees, titled “Thank you for your support,” he wrote, “This case is about much more than a single phone or a single investigation.” He continued, “At stake is the data security of hundreds of millions of law-abiding people and setting a dangerous precedent that threatens everyone’s civil liberties.” It worked. Apple employees trusted their leader to make the decision that was right not only for them but also for the general public.

Cook was very concerned about how Apple would be perceived throughout this media firestorm. He wanted very much to use it as an opportunity to educate the public about personal security, privacy, and encryption. “I think a lot of reporters saw a new version, a new face of Apple,” said the PR person, who asked to remain anonymous. “And it was Tim’s decision to act in this fashion. Very different from what we have done in the past. We were sometimes sending out emails to reporters three times a day on keeping them updated.”

Outside Apple’s walls, Cook went on a charm offensive. Eight days after publishing his privacy letter, he sat down for a prime-time interview with ABC News. Sitting in his office at One Infinite Loop, he sincerely explained Apple’s position. It was the “most important [interview] he’s given as Apple’s CEO,” said the Washington Post. “Cook responded to questions with a raw conviction that was even more emphatic than usual,” wrote the paper. “He used sharp and soaring language, calling the request the ‘software equivalent of cancer’ and talking about ‘fundamental’ civil liberties.”

https://www.wired.com/story/the-time-tim-cook-stood-his-ground-against-fbi/

What gaming will look like in 10 years

What gaming will look like in a year or two, let alone 10, is a matter of some debate. Battle-royale games have reshaped multiplayer experiences; augmented reality marries the fantastic and real in unprecedented ways. Google is leading a charge away from traditional consoles by launching a cloud-gaming service, Stadia, later this year. Microsoft’s next version of the Xbox will presumably integrate cloud gaming as well to allow people to play Xbox games on multiple devices. Sony’s plans in this regard are still unclear—it’s one of the many things Cerny is keeping mum on, saying only that “we are cloud-gaming pioneers, and our vision should become clear as we head toward launch”—but it’s hard to think there won’t be more news coming on that front.

For now, there’s the living room. It’s where the PlayStation has sat through four generations—and will continue to sit at least one generation more.

https://www.wired.com/story/exclusive-sony-next-gen-console/

Apple to Launch iPhone 2019 Edition with 5G option

Key Points
  • Apple and Qualcomm surprisingly settled their legal dispute over chip patent payments Tuesday.
  • Meanwhile, Intel, which has been providing modems for iPhones instead of Qualcomm, announced it would abandon its plans to make 5G modems.
  • The moves on Tuesday show Apple had limited options to get to a 5G iPhone, and none of them were ideal.

Here’s the good news for Apple.

Its surprise settlement with Qualcomm on Tuesday over a yearslong patent spat means it’s now in a position to keep pace with its competitors to bring a 5G-ready iPhone to market as soon as this year.

But even though Apple may win by getting a 5G iPhone to customers sooner than most people anticipated, it lost by settling with a company it loathes. Getting the iPhone to 5G means Apple was put in a sticky situation where it had to weigh four less-than-ideal options to make it all a reality.

In the end, Apple had to choose the lesser of all evils:

Option one: Settle with Qualcomm, the leader in 5G chips. Qualcomm’s 5G chips are already shipping in some devices today, with more expected as the year rolls on.

But Apple has seen Qualcomm’s business model as detrimental to the entire industry since it uses its dominant position to squeeze large fees out of each company that uses its chips and patents. Hence that nasty lawsuit. Apple CEO Tim Cook made his disdain for Qualcomm’s practices known in a January interview with CNBC’s Jim Cramer, and even blasted Qualcomm’s decision to hire a PR firm to write fake news stories about Apple, which Business Insider reported.

Option two: Wait for Intel to catch up in 5G. Even before Intel announced Tuesday night that it would abandon its plans to make 5G modems, there was speculation that the company was running behind to deliver the chips on time. Apple has been exclusively using Intel’s 4G modems in its latest iPhones as its dispute with Qualcomm raged on. If that dispute continued, a 5G iPhone might not have been possible until 2020 or even 2021.

Option three: Choose Huawei. In an interview that ran on CNBC this week, Huawei’s CEO said the company was “open” to talks with Apple about bringing its 5G chips to the iPhone. But a partnership with Huawei would’ve looked bad for Apple, given the stink of political and security concerns around the company. (Huawei’s CEO has denied spying allegations.)

Option four: Apple could make its own 5G chips. Apple is thought to be working on its own modems after opening an office in San Diego, Qualcomm’s hometown, and posting job listings for modem chip designers. But it would likely take Apple several years to develop its own 5G chip, putting it several years behind its rivals.

None of those options were ideal for Apple. It could’ve waited an extra year or two for Intel to get its 5G chips up to snuff. It could’ve waited several more years to develop a 5G chip of its own as competitors like Google and Samsung push out their 5G devices and market themselves as more innovative than Apple. It could’ve worked with Huawei, a company that still can’t sell products in the U.S. over security concerns.

Or it could’ve ended its dispute with Qualcomm, even if Cook is allergic to its business practices. Unfortunately for Apple, Qualcomm was the best bet.

Tuesday’s settlement could result in a 5G iPhone as soon as this fall, when Apple is expected to release its next iPhone. (For what it’s worth, timing on a 5G iPhone is still unclear. Qualcomm CEO Steve Mollenkopf said in an interview Wednesday on CNBC’s “Squawk Box” that he couldn’t comment on Apple’s product plans that include Qualcomm chips.)

Qualcomm gets to take a victory lap this week. Its lead in 5G forced a settlement with Apple and added a massive boost to its stock. Qualcomm shares were up 12% Wednesday, adding to their 23% gain Tuesday. Intel was up about 4%. Apple was up just 1%.

The market agrees. Apple was the loser in this fight.

https://www.cnbc.com/2019/04/17/5g-why-apple-had-to-settle-its-dispute-with-qualcomm.html

Two-factor authentication explained: How to choose the right level of security for every account

If you aren’t already protecting your most personal accounts with two-factor or two-step authentication, you should be. An extra line of defense that’s tougher than the strongest password, 2FA is extremely important to blocking hacks and attacks on your personal data. If you don’t quite understand what it is, we’ve broken it all down for you.

Two-factor-authentication: What it is

Two-factor authentication is basically a combination of two of the following factors:

  1. Something you know
  2. Something you have
  3. Something you are

Something you know is your password, so 2FA always starts there. Rather than let you into your account once your password is entered, however, two-factor authentication requires a second set of credentials, like when the DMV wants your license and a utility bill. So that’s where factors 2 and 3 come into play. Something you have is your phone or another device, while something you are is your face, irises, or fingerprint. If you can’t provide authentication beyond the password alone, you won’t be allowed into the service you’re trying to log into.

So there are several options for the second factor: SMS, authenticator apps, Bluetooth-, USB-, and NFC-based security keys, and biometrics. So let’s take a look at your options so you can decide which is best for you.

Two-factor-authentication: SMS

When you choose SMS-based 2FA, all you need is a mobile phone number.

What it is: The most common “something you have” second authentication method is SMS. A service will send a text to your phone with a numerical code, which then needs to be typed into the field provided. If the codes match, your identification is verified and access is granted.

How to set it up: Nearly every two-factor authentication system uses SMS by default, so there isn’t much to do beyond flipping the toggle or switch to turn on 2FA on the chosen account. Depending on the app or service, you’ll find it somewhere in settings, under Security if the tab exists. Once activated you’ll need to enter your password and a mobile phone number.

How it works: When you turn on SMS-based authentication, you’ll receive a code via text that you’ll need to enter after you type your password. That protects you against someone randomly logging into your account from somewhere else, since your password alone is useless without the code. While some apps and services solely rely on SMS-based 2FA, many of them offer numerous options, even if SMS is selected by default.

With SMS-based authentication, you’ll get a code via text that will allow access to your account.

How secure it is: By definition, SMS authentication is the least secure method of two-factor authentication. Your phone can be cloned or just plain stolen, SMS messages can be intercepted, and by nature most default messaging apps aren’t encrypted. So the code that’s sent to you could possibly fall into someone’s hands other than yours. It’s unlikely to be an issue unless you’re a valuable target, however.

How convenient it is: Very. You’re likely to always have your phone within reach, so the second authentication is super convenient, especially if the account you’re signing into is on your phone.

Should you use it? Any two-factor authentication is better than none, but if you’re serious about security, SMS won’t cut it.

Two-factor-authentication: Authenticator apps

Authenticator apps generate random codes that aren’t delivered over SMS.

What it is: Like SMS-based two-factor authentication, authenticator apps generate codes that need to be inputted when prompted. However, rather than sending them over unencrypted SMS, they’re generated within an app, and you don’t even need an Internet connection to get one.

How to set it up: To get started with an authentication app, you’ll need to download one from the Play Store or the App Store. Google Authenticator works great for your Google account and anything you use it to log into, but there are other great ones as well, including Authy, LastPass, Microsoft and a slew of other individual companies, such as Blizzard, Sophos, and Salesforce. If an app or service supports authenticator apps, it’ll supply a QR code that you can scan or enter on your phone.

How it works: When you open your chosen authenticator app and scan the code, a 6-figure code will appear, just like with SMS 2FA. Input that code into the app and you’re good to go. After the initial setup, you’ll be able to go into the app to get a code without scanning a QR code whenever you need one.

Authenticator apps generate random codes every 30 seconds and can be used offline.

How secure it is: Unless someone has access to your phone or whatever device is running your authenticator app, it’s completely secure. Since codes are randomized within the app and aren’t delivered over SMS, there’s no way for prying eyes to steal them. For extra security, Authy allows you to set pin and password protection, too, something Google doesn’t offer on its authenticator app.

How convenient it is: While opening an app is slightly less convenient than receiving a text message, authenticator apps don’t take more than a few seconds to use. They’re far more secure than SMS, and you can use them offline if you ever run into an issue where you need a code but have no connection.

Should you use it? An authenticator app strikes the sweet spot between security and convenience. While you might find some services that don’t support authenticator apps, the vast majority do.
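How the offline codes described above can be produced and checked, shown with the TOTP scheme (RFC 6238) that authenticator apps commonly implement. This is an added example, not code from the article or from any of the apps it names. The key is the published RFC test key, and the account label, issuer, and the `parse_otpauth` and `verify` helper names are constructed for illustration.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 6238 test key wrapped in the otpauth:// URI
# that a setup QR code typically encodes. Label and issuer are made up.
RFC_KEY = b"12345678901234567890"
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com?secret="
              + base64.b32encode(RFC_KEY).decode()
              + "&issuer=Example&digits=6&period=30")


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, period=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP where the counter is the current time step."""
    return hotp(secret, int(unix_time) // period, digits, algo)


def parse_otpauth(uri):
    """Extract the shared secret and parameters from an otpauth://totp URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = query["secret"].replace(" ", "").upper()
    algo = query.get("algorithm", "SHA1").lower()
    if algo not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported algorithm")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        # Apps often strip base32 padding, so restore it before decoding.
        "secret": base64.b32decode(b32 + "=" * (-len(b32) % 8)),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algo": algo,
    }


def verify(secret, submitted, unix_time, last_counter=-1,
           window=1, period=30, digits=6, algo="sha1"):
    """Server-side check. Accepts codes within +/- `window` time steps to
    tolerate clock drift, compares in constant time, and refuses any step
    at or before `last_counter` so a code cannot be replayed.
    Returns the matched time step, or None if the code is rejected."""
    now = int(unix_time) // period
    for counter in range(now - window, now + window + 1):
        if counter < 0 or counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits, algo)
        if hmac.compare_digest(expected.encode(), submitted.encode("utf-8")):
            return counter
    return None


if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    code = totp(cfg["secret"], 59, cfg["period"], cfg["digits"], cfg["algo"])
    print("code at t=59:", code)
    print("accepted at step:", verify(cfg["secret"], code, 59))
    print("replay:", verify(cfg["secret"], code, 59, last_counter=1))
```

The code depends only on the shared secret and the clock, which is why it works without a connection and why anyone who copies the secret from the QR code or the device can generate the same codes.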

Two-factor authentication: Universal second factor (security key)

As their name implies, security keys are the most secure way to lock down your account.

What it is: Unlike SMS- and authenticator-based 2FA, universal second factor is truly a “something you have” method of protecting your accounts. Instead of a digital code, the second factor is a hardware-based security key. You’ll need to order a physical key to use it, which will connect to your phone or PC via USB, NFC, or Bluetooth.

You can buy a Titan Security Key bundle from Google for $50, which includes a USB-A security key and a Bluetooth security key along with a USB-A-to-USB-C adapter, or buy one from Yubico. An NFC-enabled key is recommended if you’re going to be using it with a phone.

How to set it up: Setting up a security key is basically the same as the other methods, except you’ll need a computer. You’ll need to turn on two-factor authentication, and then select the “security key” option, if it’s available. Most popular accounts, such as Twitter, Facebook, and Google all support security keys, so your most vulnerable accounts should be all set. However, while Chrome, Firefox, and Microsoft’s Edge browser all support security keys, Apple’s Safari browser does not, so you’ll be prompted to switch during setup.

Once you reach the security settings page for the service you’re enabling 2FA with, select security key, and follow the prompts. You’ll be asked to insert your key (so make sure you have a USB-C adapter on hand if you have a MacBook) and press the button on it. That will initiate the connection with your computer, pair your key, and in a few seconds your account will be ready to go.

How it works: When an account requests 2FA verification, you’ll need to plug your security key into your phone or PC’s USB-C port or (if supported) tap it to the back of your NFC-enabled phone. Then it’s only a matter of pressing the button on the key to establish the connection and you’re in.

Setting up your security key with your Google account is a multi-step process.

How secure it is: Extremely. Since all of the login authentication is stored on a physical key that is either on your person or stored somewhere safe, the odds of someone accessing your account are extremely low. To do so, they would need to steal your password and the key to access your account, which is very unlikely.

How convenient it is: Not very. When you log into one of your accounts on a new device, you’ll need to type your password and then authenticate it via the hardware key, either by inserting it into your PC’s USB port or pressing it against the back of an NFC-enabled phone. Neither method takes more than a few seconds, though, provided you have your security key within reach.

Two-factor authentication: Google Advanced Protection Program

What it is: If you want to completely lock down your most important data, Google offers the Advanced Protection Program for your Google account, which disables everything except security key-based 2FA. It also limits access to your emails and Drive files to Google apps and select third-party apps, and shuts down web access to browsers other than Chrome and Firefox.

How to set it up: You’ll need to make a serious commitment. To enroll in Google Advanced Protection, you’ll need to purchase two Security Keys: one as your main key and one as your backup key. Google sells its own Titan Security Key bundle, but you can also buy a set from Yubico or Feitian.

Once you get your keys, you’ll need to register them with your Google account and then agree to turn off all other forms of authentication. But here’s the rub: To ensure that every one of your devices is properly protected, Google will log you out of every account on every device you own so you can log in again using Advanced Protection.

How it works: Advanced Protection works just like a security key, except you won’t be able to choose a different method if you forgot or lost your security key.

How secure it is: Google Advanced Protection is basically impenetrable. By relying solely on security keys, it makes sure that no one will be able to access your account without both your password and physical key, which is extremely unlikely.

How convenient it is: By nature, Google Advanced Protection is supposed to make it difficult for hackers to access your Google account and anything associated with it, so naturally it’s not so easy for the user either. Since there’s no fallback authentication method, you’ll need to remember your key whenever you leave the house. And when you run into a roadblock—like the Safari browser on a Mac—you’re pretty much out of luck. But if you want your account to have the best possible protection, accept no substitute.

Two-factor authentication: Biometrics

Nearly every smartphone made today has some form of secure biometrics built into it.

What it is: A password-free world where all apps and services are authenticated by a fingerprint or facial scan.

How to set it up: You can see biometrics at work when you opt to use the fingerprint scanner on your phone or Face ID on the iPhone XS, but at the moment, biometric security is little more than a replacement for your password after you log in and verify via another 2FA method.

How it works: Like the way you use your fingerprint or face to unlock your smartphone, biometric 2FA uses your body’s unique characteristics as your password. So your Google account would know it was you based on your scan when you set up your account, and it would automatically allow access when it recognized you.

How secure it is: Since it’s extremely difficult to clone your fingerprint or face, biometric authentication is the closest thing to a digital vault.

How convenient it is: You can’t go anywhere without your fingerprint or your face, so it doesn’t get more convenient than that.

Two-factor authentication: iCloud

Apple sends a code to one of your trusted devices when it needs authentication to access an account.

What it is: Apple has its own method of two-factor authentication for your iCloud and iTunes accounts that involves setting up trusted Apple devices (iPhone, iPad, or Mac—Apple Watch isn’t supported) that can receive verification codes. You can also set up trusted numbers to receive SMS codes or get verification codes via an authenticator app built into the Settings app.

How to set it up: As long as you’re logged into your iCloud account, you can turn on two-factor authentication from pretty much anywhere. Just go into Settings on your iOS device or System Preferences on your Mac, PC, or Android phone, then Security, and Turn On Two-Factor Authentication. From there, you can follow the prompts to set up your trusted phone number and devices.

How it works: When you need to access an account protected by 2FA, Apple will send a code to one of your trusted devices. If you don’t have a second Apple device, Apple will send you a code via SMS or you can get one from the Settings app on your iPhone or System preferences on your Mac.

When Apple needs a code to log into an account, it sends it to one of your trusted devices.

How secure it is: It depends on how many Apple devices you own. If you own more than one Apple device, it’s very secure. Apple will send a code to one of your other devices whenever you or someone else tries to log into your account or one of Apple’s services on a new device. It even tells you the location of the request, so if you don’t recognize it you can instantly reject it, before the code even appears.

If you only have one device, you’ll have to use SMS or Apple’s built-in authenticator, neither of which is all that secure, especially since it’s likely to both be done using the same device. Also, Apple has a weird snafu that sends the 2FA access code to the same device when you manage your account using a browser, which also defeats the purpose of 2FA.

How convenient it is: If you’re using an iPhone and have an iPad or Mac nearby, the process takes seconds, but if you don’t have an Apple device within reach or are away from your keyboard, it can be tedious.

Source: https://www.pcworld.com/article/3387420/two-factor-authentication-faq-sms-authenticator-security-key-icloud.html