STE WILLIAMS

Microsoft Patches Exploited Internet Explorer Flaw

This month’s Patch Tuesday brings fixes for 99 CVEs, including one IE flaw seen exploited in the wild.

This month’s Patch Tuesday arrived with fixes for a staggering 99 CVEs, more than double the 47 fixed last month. Twelve of the February patches are categorized as Critical, including one for an Internet Explorer vulnerability for which Microsoft issued an advisory back in January.

The flaws patched today span tools and services including Microsoft Windows, Internet Explorer, Edge (EdgeHTML-based), SQL Server, Exchange Server, ChakraCore, Office and Office Services and Web Apps, Azure DevOps Server, Team Foundation Server, and the Malware Protection Engine. All 87 that weren’t classified as Critical are rated Important in severity.

Five of these vulnerabilities are publicly known and one – a scripting engine memory corruption vulnerability affecting Internet Explorer (CVE-2020-0674) – is under active attack. Microsoft last month issued an advisory for the remote code execution flaw, which exists in the way the scripting engine handles objects in memory in Internet Explorer. An attacker who exploits this could control a target system, install programs, view or edit data, or create new user accounts.

In a Web-based attack, an adversary might host a website designed to exploit the vulnerability through IE and trick a user into visiting the site. Alternatively, they could embed an ActiveX control marked “safe for initialization” in an app or Office doc that hosts the IE rendering engine. Even people who don’t use Internet Explorer could be affected via embedded objects.

At the time of its advisory, Microsoft only offered mitigation guidance; now a fix is available. “Details about the in-the-wild exploitation of the flaw are still not known, but it is important for organizations to apply these patches as soon as possible,” says Satnam Narang, senior research engineer at Tenable.

Aside from CVE-2020-0674, Microsoft issued fixes for four other vulnerabilities that have been publicly disclosed but are not under attack. These include Windows Installer elevation of privilege flaws (CVE-2020-0683 and CVE-2020-0686), a Microsoft Browser information disclosure vulnerability (CVE-2020-0706), and a Microsoft Secure Boot security feature bypass vulnerability (CVE-2020-0689). All of these are categorized as Important in severity.

Microsoft also patched multiple flaws in Remote Desktop, including two Critical remote code execution vulnerabilities it rates as likely to be exploited. CVE-2020-0681 and CVE-2020-0734 both exist in the Remote Desktop Client, so the victim is the connecting user rather than the server. An attacker would have to persuade a target to connect to a malicious server under their control, or plant code on an already compromised Remote Desktop Server and wait for a user to connect. There is no way to force someone to do this; the attacker would have to rely on social engineering, DNS poisoning, or a man-in-the-middle attack.

Also worth noting is CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server. Microsoft’s February advisory described it as a memory corruption bug triggered by a specially crafted email; the advisory was later revised, and the root cause turned out to be that every Exchange installation ships with the same static validationKey and decryptionKey for the Exchange Control Panel, which lets anyone holding a valid mailbox credential forge serialised ViewState and run arbitrary code as SYSTEM. Either way, a successful exploit lets the attacker install programs; view, edit, or delete data; and create new accounts.

CVE-2020-0729 is a Critical remote code execution vulnerability in the way Windows processes LNK files, the shortcut files ending in the .lnk extension. An attacker could exploit it by presenting a target with a removable drive or remote share that contains a malicious .lnk file and an associated malicious binary; if successful, they would gain the same rights as the local user. This affects Windows 8 and 10, and Windows Server 2008-2012.

“Microsoft considers exploitation of the vulnerability unlikely, however, a similar vulnerability discovered last year, CVE-2019-1280, was being actively exploited by the Astaroth trojan as recently as September,” Recorded Future intelligence analyst Allan Liska points out.
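The attack above turns on two artefacts sitting together on removable media: a shortcut and the binary it points at. The following Python script, added here as an illustration and not taken from the article or from Microsoft, parses the fixed header and StringData sections of the Shell Link format (MS-SHLLINK) to recover a shortcut’s relative target, working directory, arguments and icon location, then flags the combinations that match this pattern. The two .lnk samples, their file names, the base64 argument and the heuristics are constructed for the example; the parser skips the optional LinkTargetIDList and LinkInfo sections rather than decoding them.

```python
"""Minimal parser and triage for Windows Shell Link (.lnk) files.

Added example, not from the article. It implements enough of the
MS-SHLLINK layout to recover a shortcut's relative target, working
directory, arguments and icon, then applies simple heuristics for the
"malicious .lnk plus companion binary on removable media" pattern.
The sample .lnk bytes are constructed inline; no real files are needed.
"""
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits used here (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order, each gated by its flag.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

EXEC_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".dll")
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
ARG_MARKERS = ("-enc", "-encodedcommand", "downloadstring", "frombase64string",
               "http://", "https://")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; optional sections are skipped."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # u16 size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags}
    for flag, field in STRING_FIELDS:
        if not flags & flag:
            info[field] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info


def triage(info: dict) -> list:
    """Heuristics for the 'shortcut plus companion binary on removable media' pattern."""
    reasons = []
    target = info["relative_path"].replace("/", "\\")
    base = target.rsplit("\\", 1)[-1].lower()
    if base in LOLBINS:
        reasons.append(f"target is a living-off-the-land binary: {base}")
    elif base.endswith(EXEC_SUFFIXES):
        reasons.append(f"target is an executable shipped alongside the shortcut: {target}")
    parts = [p for p in target.split("\\") if p not in ("", ".", "..")]
    if any(p.startswith(".") for p in parts[:-1]):
        reasons.append("target lives in a dot-prefixed directory, a common hiding place on removable media")
    lowered = info["arguments"].lower()
    hits = [m for m in ARG_MARKERS if m in lowered]
    if hits:
        reasons.append(f"arguments contain {', '.join(hits)}: {info['arguments']}")
    return reasons


def build_lnk(strings: dict, unicode: bool = True, id_list: bytes = None) -> bytes:
    """Assemble a minimal, valid .lnk from StringData fields (constructed sample data)."""
    flags = IS_UNICODE if unicode else 0
    body = b""
    if id_list is not None:
        flags |= HAS_LINK_TARGET_ID_LIST
        body += struct.pack("<H", len(id_list)) + id_list
    for flag, field in STRING_FIELDS:
        value = strings.get(field)
        if value is None:
            continue
        flags |= flag
        body += struct.pack("<H", len(value))
        body += value.encode("utf-16-le") if unicode else value.encode("cp1252")
    header = (
        struct.pack("<I", HEADER_SIZE) + LNK_CLSID
        + struct.pack("<II", flags, 0x20)         # LinkFlags, FileAttributes (ARCHIVE)
        + b"\x00" * 24                             # Creation/Access/WriteTime
        + struct.pack("<IiIH", 0, 0, 1, 0)         # FileSize, IconIndex, SW_SHOWNORMAL, HotKey
        + b"\x00" * 10                             # Reserved1/2/3
    )
    return header + body + struct.pack("<I", 0)    # TerminalBlock ends ExtraData


# Constructed samples: a document-looking shortcut that runs a companion binary
# from a hidden directory on the same drive, and a harmless one.
SAMPLES = {
    "quarterly_report.docx.lnk": build_lnk({
        "relative_path": ".\\.thumbs\\report_viewer.exe",
        "working_dir": ".\\.thumbs",
        "arguments": "-nop -w hidden -enc ZQBjAGgAbwAgAGgAaQA=",   # UTF-16LE "echo hi"
        "icon_location": "%SystemRoot%\\system32\\imageres.dll",
    }),
    "meeting_notes.lnk": build_lnk({"relative_path": ".\\meeting_notes.txt", "working_dir": "."}),
}


def scan(files: dict) -> dict:
    """Map each file name to its triage findings (empty list means nothing odd)."""
    return {name: triage(parse_lnk(blob)) for name, blob in files.items()}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", reasons or "clean")
```

Run against a mounted drive, the same `scan` call would take the result of reading every `*.lnk` file into a dict; the icon_location field is worth keeping in the report, because the article’s lure depends on a shortcut that borrows a document icon while its target is an executable.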


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/microsoft-patches-exploited-internet-explorer-flaw-/d/d-id/1337022?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Healthcare Ransomware Damage Passes $157M Since 2016

Researchers found the total cost far exceeded the amount of ransom paid to attackers.

Ransomware attacks have cost US healthcare organizations more than $157 million since 2016, and that’s only counting ransomware that had an impact on more than 500 people. And according to a new report, the dollars and cents only scratch the surface of the true cost to the nation’s healthcare.

Comparitech researchers reviewed a variety of sources to correlate data on incidents compiled by different organizations. Once this data was compiled, the researchers applied that data to studies on the cost of downtime and other effects to calculate the likely total cost of ransomware.

The researchers looked at 172 ransomware attacks that hit a total of 1,446 healthcare organizations. They found that the downtime, which ranged from hours to months, had an impact on 6,649,713 patients. And the total impact of roughly $157 million was far in excess of the approximately $640,000 paid to attackers in the time period studied.


Article source: https://www.darkreading.com/attacks-breaches/healthcare-ransomware-damage-passes-$157m-since-2016/d/d-id/1337024?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook’s Twitter and Instagram accounts hijacked

Last Friday, in full glare of the world, Facebook admins suddenly found themselves in an unseemly struggle to wrestle back control of the company’s Twitter accounts from attackers that had defaced them.

Normally, these accounts trumpet new platform features or other assorted worthy accomplishments. But on Friday afternoon, a different type of tweet suddenly appeared:

Hi, we are OurMine

Well even Facebook is hackable but at least their security better than Twitter.

The now deleted message continues by offering the services of OurMine to anyone wanting to improve their account security.

The same group’s logo also appeared on Facebook’s Instagram account:

Facebook’s Instagram account also hacked into by OurMine.

Bad Times.

It reportedly took the admins around 30 minutes to retake control of the feed, with one observer recording how messages from the hijackers were posted, deleted, and reposted several times before Facebook’s admins gained the upper hand.

Weakest link

Despite some headlines suggesting otherwise, this may not have been a direct hack of Facebook’s Twitter account.

As with the recent OurMine attack on the US National Football League (NFL), it looks as if the tweets were posted via a third-party marketing platform called Khoros that had access to the accounts.

Created in 2018 from the merger of two previous companies, Spredfast and Lithium, Khoros is a platform used by large companies to manage multiple social media accounts while analysing the impact of the campaigns they run.

Khoros hasn’t officially admitted its involvement, but it has disabled access after what it described as a “phishing attack that allowed a bad actor access to our platform.” And mobile access to the platform remains suspended while Khoros works “to align the recent security enhancements to our platform with the app.”

OurMine has a history of finding these sorts of weaknesses. Until recently, the group had been quiet since 2017, having earlier hijacked the Twitter accounts of Wikipedia co-founder Jimmy Wales, Google CEO Sundar Pichai, Facebook’s Mark Zuckerberg and even Twitter’s own co-founder, Jack Dorsey. Some of those were connected to the link-shortening service Bitly.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BzYBIavuyPc/

Officials raise alarm about Chinese hacking

Officials raised the alarm on Thursday over the volume of Chinese cyber activity against the US.

Commentators, including US Attorney General William Barr, pointed to ongoing cyberthreats against US businesses and academic institutions, painting a dire picture of concerted hacking efforts to support broad Chinese economic goals.

The officials gathered for the China Initiative Conference, an event that explored Chinese intellectual property transgressions. China engages in a broad spectrum of trade theft activity, including not just hacking but also physical theft, inappropriate use of materials licensed from joint ventures, and information fed to it by insiders working at western companies, they said.

Barr said that China has been supporting its Made In China 2025 initiative with trade theft. This policy, drafted by the Ministry of Industry and Information Technology in China over two-and-a-half years, is a ten-year effort officially started in 2015. It seeks to upgrade Chinese industry, producing 40% of targeted components domestically by 2020 and 70% by 2025. The initiative prioritises 10 sectors ranging from advanced IT through to biopharma. Barr said:

Since the announcement of Made In China 2025, the Department has brought trade secret theft cases in eight of the ten technologies that China is aspiring to dominate. In targeting these sectors, the PRC employs a multi-prong approach: engaging in cyber intrusions, co-opting private sector insiders through its intelligence services, and using non-traditional collectors such as graduate students participating in university research projects.

The Department of Justice announced the China Initiative on 1 November 2018, partly in response to a report from US Trade Representative Robert Lighthizer, which said that China had been sponsoring hacking into American businesses and commercial networks. As part of that announcement, the DoJ cited China’s commitment, made with President Obama during 2015, that it would “not be engaged in or knowingly support online theft of intellectual properties”. China has since broken that agreement, the DoJ said.

The China Initiative set out to identify priority Chinese trade theft cases and ensure that the US government devoted appropriate resources to them. It added that China was targeting not just commercial organisations but universities and research labs.

During the event, FBI director Chris Wray repeated an assertion that he made in July 2019 that there were 1,000 ongoing investigations into Chinese espionage in the US. At the time he also noted that China represented the biggest foreign threat to the US.

Jeremie Waterman, president of the China Center and vice president for Greater China at the US Chamber of Commerce, said at the China Initiative Conference that the recent phase one trade agreement between the US and China, announced in January, could be a good opportunity for the US to address some past trade theft cases. He explained:

There’s clearly an opportunity there because the Chinese have made some very clear commitments – explicit commitments. Certainly the US government is well-positioned to hold China accountable with regard to cases that have occurred.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oi3tJfEjikw/

Freedom Hosting owner pleads guilty to distributing child abuse images

The man arrested for running what was once believed to be the largest child abuse hosting provider on the dark web has pleaded guilty in a US court to the charge of advertising child pornography.

That service was Freedom Hosting and the man who operated it from its founding in 2008 until his arrest in Ireland in 2013 was dual US-Irish national, Eric Eoin Marques.

Marques was extradited to the US last year. The charge he has admitted to carries a mandatory minimum sentence of 15 years, with up to 30 years possible when he is sentenced by a Maryland court in May. He has already spent nearly seven years in custody.

Said the Justice Department’s Assistant Attorney General Brian A. Benczkowski:

The defendant’s anonymous web service hosted dozens of insidious criminal communities dedicated to the sexual exploitation of children and spread millions of images of that abuse.

Marques undoubtedly made a lot of money from the hosting business, to the extent that police seized $155,000 in US currency during his arrest.

The volume of child abuse images and videos hosted on Freedom Hosting is said to have reached a combined total of over 10 million, uploaded to a range of hosted sites by individuals who assumed that being on the dark web accessed via Tor protected them from discovery.

Far from it. It later emerged that the FBI had used a previously unknown vulnerability in Firefox 17 ESR, the version the Tor Browser was then built on, to serve JavaScript that unmasked the real IP addresses of users who visited sites hosted by Freedom Hosting.

Until that point, Freedom Hosting’s most troublesome foe had been Anonymous, which in 2011 had launched DDoS attacks against one of its prominent child abuse sites, Lolita City, which also had the account details of its 1,589 members publicised.

That has always been the prize for enemies and the police alike – not just the hosting company itself, but the people using its services.

In 2017, hackers claimed they’d accessed a large volume of data connected to a more recent site, Freedom Hosting II, unconnected to Marques.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8Yu2ZOyFsWg/

5 tips for businesses on Safer Internet Day

Safer Internet Day is here!

Note that it’s more than just One Safe Internet Day, where you spend 24 hours taking security seriously, only to fall back on bad habits the day after.

As the old saying goes, “Cybersecurity is a journey, not a destination,” and that’s why we have SAFER internet day – it’s all about getting BETTER at cybersecurity, no matter how safe you think you are already.

So here are five things you can do in your business, regardless of its size, to help you and your colleagues keep ahead of the cybercrooks.

1. PATCH EARLY, PATCH OFTEN

We’ve won part of this battle already, because most businesses these days do install security patches.

At least, they install updates eventually. But there are still many organisations out there that take their time about it, putting off updates for weeks or even months “in case something goes wrong”.

The problem is that once crooks know about new security holes, they don’t put off using them – so the longer you lag behind, the more vulnerable your business becomes. Learn how to test updates quickly – you can start with one computer and make notes from there – and have a plan for rolling back in the rare event that something does go wrong.

2. KNOW WHAT YOU’VE GOT

Whether you call it an asset register, an IT inventory, or just a plain old list of computers and software you’re using, make an effort to know what’s on your network – even if you’re a small company where everyone works remotely from home.

It’s good to be able to say, “We have 10 laptops and I’ve upgraded them all from Windows 7 to Windows 10.” But it’s much better also to be able to say, “And I found an old XP computer down in the storeroom that everyone had forgotten about, and I’ve upgraded that one, too.”

Cybercrooks go looking for old, unloved, unpatched computers, because they know that they could be easy stepping stones to bigger things.

3. SET UP A SECURITY HOTLINE

Even the tiniest business can do this: make it easy for your users to report things that don’t look right. You don’t need a dedicated phone number or a call centre – an easy-to-remember email address might be all you need.

If your users don’t have anywhere to report common cybercrime precursors such as dodgy emails, suspicious phone calls or unsolicited attachments, then the only thing you can be sure of is that you are never going to get an early warning that could protect your business.

Remember that cybercrooks often fail at their first attempt, which is why they typically send phishing emails to many different recipients, or call round every company phone number they can find until someone makes a mistake and says or does something they shouldn’t. Make it easy for the first person to raise the alarm and thereby protect everyone else.

4. REVISIT YOUR BACKUP STRATEGY

As with patching, this is a battle that we’ve won in part: many companies do know that backups are important, and make at least some effort to keep secondary copies of vital data. But be very careful that you aren’t wasting time making backups that won’t be much use.

It’s easy to rely entirely on real-time backups where files automatically get copied “live” onto network shares or into the cloud whenever they’re changed. But today’s cybercriminals often take the time to search-and-destroy your online backups before unleashing their attacks.

Make sure your strategy also includes backups that you keep offline and offsite, even if that’s as simple as an encrypted, removable drive kept at home. Backups aren’t just there to protect against ransomware attacks – they’re also about disaster recovery if you can’t get into your business premises at all, for example because of fire or flood.

5. PICK PROPER PASSWORDS

We left this advice until last, because lots of people seem to take offence if we lead with it – mainly because it sounds so old and obvious that they’re tired of hearing it.

But we’re saying it anyway.

Remember that “proper passwords” don’t just mean not using your cat’s name every time. In a business, it also means knowing who’s supposed to have access to what; it means promptly cancelling accounts when employees leave; and it means encouraging your staff to let you know (see point 3!) if their password lets them see data they shouldn’t, so you can reduce the risk of a data breach.

Be safer still

Chances are you’re doing some, many or all of these things already – but why not use Safer Internet Day as a reason to revisit your attitude to cybersecurity at work… and see if you can be safer still!



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vYTPCX9ndtk/

5 tips for you and your family on Safer Internet Day

No matter how safe and secure you feel when you use your computer, there’s always room for improvement.

Why not make Safer Internet Day the excuse you need to do all those cybersecurity tweaks you’ve been putting off…

…such as picking proper passwords, turning on two-factor authentication, downloading the latest security updates, making backups of your most important files, and revisiting your privacy settings in case you’re oversharing by mistake?

So, let’s go through those five tweaks one-by-one – they’re easier than you think, and much less hassle than you might fear.

1. PICK PROPER PASSWORDS

Yes, we say this every year and we’ve been doing so for years. But we still see plenty of people – at work and at home – taking needless shortcuts with passwords, using “secrets” that any crook could easily guess, such as 12345678 or nameofcat. (By the way, nameofcat99 isn’t any better – the crooks can figure that one out, too.)

If you’re struggling to come up with decent passwords (and to remember them) then you aren’t alone; consider getting yourself a password manager that can help you pick passwords properly.

2. TURN ON TWO-FACTOR AUTHENTICATION (2FA)

2FA usually takes the form of those 6-digit codes that get texted to your phone or generated by an authenticator app. As well as your username and password, which are the same every time you log in, you also have to put in the one-time code, which is different every time. If you get the choice, prefer the app over SMS: text messages can be redirected by SIM-swapping, whereas the app’s codes never leave your phone.

We know that many people don’t like 2FA, and we know why – it’s a bit of a hassle, and if you’re logging in from your laptop it means you’d better not leave your phone at home or you could be locked out.

But 2FA is a lot of extra hassle for the crooks, because they can’t just grab your password from a data breach any more and then go wandering into your account at will.
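For the mechanics behind those codes, here is an added Python example (not from the article) that implements the HOTP and TOTP algorithms an authenticator app and the site it protects both run (RFC 4226 and RFC 6238). It uses the RFC 6238 test secret rather than a real one, and includes a verification routine that tolerates a little clock drift while refusing to accept a code that has already been used.

```python
"""How the 6-digit 2FA code is computed (RFC 4226 HOTP / RFC 6238 TOTP).

Added example, not from the article: it reproduces the code an
authenticator app derives from a shared secret and the current time, and
verifies a submitted code within a small clock-drift window. The secret
below is the RFC 6238 test secret, not a real one.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret for HMAC-SHA1 (ASCII "12345678901234567890")
RFC6238_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds; the default window authenticator apps use


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, drift: int = 1,
                last_used_counter: int = -1) -> tuple:
    """Accept a code from the current window or `drift` windows either side.

    Returns (ok, counter). The server should persist the counter of the last
    accepted code and pass it back in as last_used_counter, so a code that
    was captured from the user cannot be replayed inside its validity window.
    """
    current = unix_time // TIME_STEP
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_used_counter:
            continue                              # already consumed: refuse replay
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, None


if __name__ == "__main__":
    now = int(time.time())
    print("code right now:", totp(RFC6238_SECRET, now),
          "valid for another", TIME_STEP - now % TIME_STEP, "seconds")
```

The per-window counter is why the code changes every 30 seconds and why a password lifted from a breach is useless on its own. The `last_used_counter` check is the server-side detail that stops a code phished from the user being reused within its window; it does not help against a proxy that relays the code to the real site immediately, which is why phishing-resistant options such as security keys are stronger still.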

3. GET THOSE PATCHES

Most software patches these days aren’t just cosmetic – they typically close security holes that could let crooks sneak in without you even realising. So if you don’t patch, you’re much more likely to encounter a crook, because lots of attacks will succeed against you when they’ll fail against everyone who has patched.

So why leave yourself in the at-risk group if you don’t need to?

Remember, however, it’s not just your laptop that needs patches these days – you also need to keep your eye out for updates for your apps, your phone, your home router, and any of those cool “connected devices” you might have, such as internet doorbells, webcams and home assistants.

4. MAKE YOUR BACKUPS

Backups aren’t just for protection against ransomware, where the crooks scramble your files and squeeze you for money to unscramble them again.

Backups are there to help get you going again no matter what – whether it’s a lost or stolen laptop, phone left in a taxi, tablet computer dropped into Sydney Harbour (it happens!), fire, flood or plain-and-simple user error.

Remember: the only backup you will regret is the one you didn’t make.

5. REVISIT YOUR PRIVACY SETTINGS

Your operating system, your phone, many of the apps you use, and almost all of the online services such as Facebook and Twitter, have a range of privacy and security settings that help you to control how widely your personal data gets shared and indexed.

Unfortunately, every app and website does it differently, and it’s a bit of a science project to comb through the privacy menus in every one of them to make sure you’re as safe as you’d like.

But we urge you to make the time to do so – the only thing worse than realising you accidentally overshared your phone number or other personal information is to realise that you could have turned on an option that would have kept you safe.

Have a safer day

If all the tips above sound too much for one day, here are five words that you can say to yourself whenever you are online, to help you have a Safer Internet Day:

“Be aware before you share.”



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ldlF5qE1ttI/

Tens of millions of biz Dell PCs smacked by privilege-escalation bug in bundled troubleshooting tool

Dell has copped to a flaw in SupportAssist – a Windows-based troubleshooting program preinstalled on nearly every one of its newer devices running the OS – that allows local hackers to load malicious files with admin privileges.

The company has issued an advisory about the flaw, warning that a locally authenticated low-privilege user could exploit the vuln to make the SupportAssist binaries load arbitrary DLLs, resulting in the privileged execution of malware.

SupportAssist scans the system’s hardware and software, and when an issue is detected, it sends the necessary system state information to Dell for troubleshooting to begin.

This type of vulnerability, DLL search-order hijacking, is fairly common, but it usually needs write access to a directory that only administrators can modify, so it isn’t generally considered a serious security threat. But Cyberark’s Eran Shimony, who discovered the bug, said that in this case SupportAssist attempts to load a DLL from a directory that a regular (non-admin) user can write into.

“Therefore, a malicious non-privileged user can write a DLL that would be loaded by DellSupportAssist, effectively gaining code execution inside software that runs with NT AUTHORITY\System privileges,” Shimony told The Reg.

“This is because you can write a code entry inside a function called DllMain (in the malicious DLL) that would be called immediately upon loading. This code piece would run in the privilege level of the host process.”

The flaw (CVE-2020-5316), which has a severity rating of “high”, affects Dell SupportAssist for business PCs version 2.1.3 or earlier and for home PCs version 3.4 or earlier.

Business users need to update to version 2.1.4 and home desk jockeys should roll over to version 3.4.1 to get the fixes.

The flaw requires local access, meaning a potential wrong’un would already need to be able to run code on the machine, even if only as an ordinary user. But once a miscreant is in, even at an unprivileged level, they can use the vulnerability to run their own code at elevated privileges, which can be used to gain further control of the device.

“Alternatively the flaw could be exploited to gain access to sensitive data or indeed to steal the credentials of other accounts, such as the domain administrator account,” Brian Honan, founder of BH Consulting, told The Reg.


This isn’t the first security flaw that has been discovered in SupportAssist. In June 2019, Dell warned of another privilege-escalation vulnerability, CVE-2019-12280. Like the current vuln, it meant attackers could take advantage of SupportAssist’s SYSTEM-level privileges, by leaving malware or their own DLL files in a path and letting SupportAssist load and execute the code within an admin context. That particular flaw emanated from a third-party component of SupportAssist produced and maintained by PC Doctor.

Just months before, in late April 2019, the company warned of “multiple vulnerabilities” in the software (CVE-2019-3718 and CVE-2019-3719), allowing a baddie to trick a user into downloading and executing arbitrary executables “via [the] SupportAssist client from attacker hosted sites”.

“The discovery of yet another flaw in Dell’s SupportAssist software highlights that software which runs with elevated privileges will always be targeted and underlies why it is so important the companies who produce such software have robust security testing and vulnerability management processes in place,” Honan told us.

Organisations also might want to consider removing anything non-critical from their setup, he opined. “The more software and services installed on a system, the bigger target presented to those wishing to attack it,” said Honan.

Dell shipped 46.5 million PCs last year, according to industry analyst IDC. We have contacted Dell EMC for comment. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/11/dell_supportassist_flaw/

Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked

Swiss encryption machine company Crypto AG was secretly owned by the US CIA and a West German spy agency at the height of the Cold War, according to explosive revelations in the Swiss and German media today.

Although rumours had swirled for decades around Crypto AG and the backdooring of its products by the West – cough, cough, NSA – and not forgetting careless remarks by former US prez Ronald Reagan, today’s publications by Swiss broadcaster SRF and German broadcaster ZDF confirm those old suspicions.

And who could forget that lovely list of words that caused Five Eyes’ spying machine Echelon to switch on? “Crypto AG”, along with “kill the president”, could summon the black ‘copters to your front door.

The encryption machine maker was secretly bought by a Liechtenstein front company that was 50/50 owned by the CIA and German spy agency the BND. The two nations agreed to let Swiss spies in on their secret, while only a tiny handful of top Crypto AG personnel knew about the intentional weakening of its products.

Operation Rubikon, as the Swiss and Germans called it, “was one of the boldest and most scandalous operations, because over a hundred states paid billions of dollars for their state secrets to be stolen,” Warwick University political science professor Richard Aldrich reportedly said.

Quoting from secret documents it says it obtained, ZDF said: “Certain people [at Crypto AG] knew something about the role that the Germans and Americans played in Crypto AG and were ready to protect this relationship.”

ZDF claimed today that through Crypto AG’s sales abroad, the NSA and West Germany’s BND spy agency were both able to spy upon hostile and allied countries alike, with spied-upon allies including NATO members Portugal, Spain and Ireland, among others.

Professor Alan Woodward of the University of Surrey was fascinated by today’s revelations, telling The Register: “The original suspicions were raised because Reagan went on TV and talked about diplomatic cables that had been encrypted using a Crypto AG C52 machine. I think it was Der Spiegel who ferreted out the allegations [in 1996, years before today’s revelations] by talking to certain Crypto AG staff.”

Woodward explained the old rumours to El Reg: “In essence, what had happened was not so much that there was a back door but that the CEO was passing the full tech specs to the NSA, which allowed them to use similar mechanisms to the Bombe used at Bletchley to break the codes. It’s one of the many reasons the story of Enigma was kept quiet for a lot longer than people thought it might otherwise have been.”

Infosec veteran Bruce Schneier guessed years ago that Crypto AG had been compromised, blogging in 2004 about the 1992 arrest of salesman Hans Buehler in Iran over allegations that Crypto AG knew its equipment was compromised. Schneier speculated: “It’s also possible that the NSA installed a ‘back door’ into the Iranian machines.”

Today he shrugged off the news that it was true all along, telling The Register: “I thought we knew this for decades.”

On the Buehler arrest, described in detail in today’s story, ZDF said: “A Swiss secret service employee informed CIA that they would be able to control the result of the investigation [into Buehler’s arrest] so that it shows no tampering with the equipment.”

The BND’s part in the operation ended in 1993, a few years after German reunification, when it sold its 50 per cent shareholding to the CIA, which carried on alone. In 2018, the company was split in half, with Crypto International Group AB acquiring its international business.

The Swedish-owned company that acquired the brand name and other assets in 2018 said in a statement today that it has “no connections to the CIA or the BND” and “never had”. According to Crypto International Group, it is a “different company” with a “different owner, different management and a different strategy” and found the reports very “distressing”. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/11/crypto_ag_backdoored_german_swiss_news_allegs/

B-but it doesn’t get viruses! Not so, Apple fanbois: Mac malware is growing faster than nasties going for Windows

Software nasties targeted at MacOS are on the increase faster than ones for Windows, according to antivirus biz Malwarebytes.

Malicious software targeting users of Apple Macs has leapt over the last year, the security outfit said in its latest State of Malware report.

Describing this as an “exponential” increase, the firm said that detections of nasties targeted against innocent Apple fanbois were up 400 per cent year-on-year, while adding the caveat that its Mac userbase had also grown a bit.

In its report the company said: “In 2019, we detected an average of 11 threats per Mac endpoint — nearly double the average of 5.8 threats per endpoint on Windows.” This should be read in light of Malwarebytes having a relatively smaller number of Mac users than Windows users.

Malwarebytes’ Thomas Reed, director of Mac and mobile, told The Register: “The increase in Mac endpoints with Malwarebytes installed only increased around 40 per cent (not 400 per cent) from 2018 to 2019. So, although this growth is definitely a factor, it is far too small to account for the growth in malware.”

He added: “If you look at data on the detections per endpoint, which eliminates any bias caused by growth in the number of endpoints, you’ll see that it’s still significantly higher in 2019 than in 2018.”

The two Mac threats highlighted in the report were NewTab, a fake browser extension that loads ads instead of doing anything useful, and potentially unwanted programs (PUPs) from shady Mac developer PCVARK. NewTab was picked up by its products around 30 million times last year, Malwarebytes said.

Aside from Mac malware, Malwarebytes said trojans-turned-botnets Emotet and Trickbot continued to “hammer” businesses across the globe, with Trickbot infections having increased by 50 per cent over 2018. The notorious Emotet banking malware steals information including login details for financial services. Trickbot works in a broadly similar fashion.

Meanwhile, detections of ransomware favourites Ryuk and Sodinokibi were up by several hundred percentage points year-on-year.

British, French and German users of Malwarebytes are most likely to find themselves infected with adware if something goes awry, while Brit businesses tend to find registry keys set by malware to prevent security software from running effectively, rounded up under the Malwarebytes term Hijack.SecurityRun.

The report can be downloaded from the Malwarebytes website as a 57-page, full-colour PDF. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/11/mac_malware_growing_malwarebytes/