STE WILLIAMS

GE patches flaws allowing attackers to ‘disconnect power grid at will’

Researchers have discovered a significant software flaw in the energy grid equipment sold by General Electric (GE) that could allow even lone attackers with limited resources to “disconnect sectors of the power grid at will”.

Until last week, this alarming sentence was little more than part of a placeholder for July’s Black Hat conference, advertising a session by three researchers from New York University.

Last week, however, GE suddenly announced that it had issued fixes for five of the six flaws, with the last on its way.

Black Hat sessions specialise in telling the world about new flaws and proof-of-concept attacks, but it is unusual in this sector for the mere publication of a public presentation to spur PR into action like this.

The researchers have only released the barest details of the issue but we know it is in the General Electric Multilin product line. Boasts the Black Hat briefing note:

Essentially, we completely broke the homebrew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations.

This doesn’t sound good, nor does the fact that the researchers promise a live demo of the compromise as part of a “budget” attack.

The importance of this lies in the fact that “to date, cyber-attacks against power systems are considered to be extremely sophisticated and only within the reach of nation-states”.

The two best documented energy grid attacks – the 2015 and 2016 attacks on Ukrainian power stations – were pinned on hackers backed by the resources of a nation state. If the session serves up something that would be possible for anyone, even that assumption will start to wilt.

GE reacted by telling Reuters:

We have been in the process of issuing notifications and providing product upgrades to our affected customer base on available firmware updates to address this issue.

The flaw had not been used to cause power outages and only involved GE protection relays dating from the 1990s, “before current industry expectations for security”.

One might point out that energy infrastructure installed in the 1990s by vendors such as GE will still affect a lot of equipment in the US and beyond. Finding and patching that equipment could take a lot of effort for an industry not used to the luxury of downtime.

The counter-argument is that compromising energy systems still requires a lot of understanding of the target. It’s not clear that a bedroom attacker would have the ability to do this, nor the ability to exploit all aspects of the attack remotely.

It does at least serve to remind us how security researchers have gone from being a nuisance to a saviour. Patching energy grid systems is the sort of problem the world must find a way to live with.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/14EW0DvZv_M/

Netflix declines to pay Orange is the New Black ransom to hacker

As everyone in TV-land knows, established broadcasters have been losing eyeballs to streaming companies such as Netflix and Amazon and their big-budget “event” shows.

The upstarts look unstoppable but might an obscure hacker called The Dark Overlord, previously connected to health sector data extortion, have spotted an important flaw in the model?

Last week, Netflix found itself on the receiving end of a ransom demand from the individual or group, making unconfirmed demands in return for not releasing the unseen series 5 of the hit Orange Is the New Black, starring Dascha Polanco (pictured, at Toronto Pride) to the web.

The company, understandably, refused to play ball and on Saturday reports emerged that a number of episodes had appeared on a popular torrenting service, the name of which it behoves us not to mention for reasons including the high risk of encountering malware.

Visiting that resource, we managed to find one file with mention of a “press release” that has since been expunged, including from web caches. It reportedly read:

We’ve decided to release Episodes 2-10 of “Orange Is The New Black” Season 5 after many lengthy discussions at the office where alcohol was present.

Separately, the group’s Twitter feed crowed:

And so let it be read that the loathsome giants do too fall. Hello Netflix, we’ve arrived.

The account threatened the release of material stolen from other media companies, including ABC, National Geographic and Fox.

Netflix acknowledged the leak, which it said was caused by a breach at a “production vendor” also used by other TV studios. Netflix is cleverly covering its back by pointing to the level of integration – and vulnerability – in the TV industry, but there is no question the breach still lands at its door.

It’s not clear whether the way streaming services process digital content is that different from, or less secure than, that of established broadcasters, but the minute a show exists in a form that can be copied it becomes vulnerable to theft.

The BBC found this out to its cost when an episode of the Russian version of Sherlock found its way on to the internet before it was due to be broadcast.

And yet, defying cybersecurity breach orthodoxy, perhaps this particular breach isn’t so bad after all: on Monday, Netflix’s share price even rose.

One reason might be that content breaches aren’t the same as ones involving customer data. The latter will cost the victim organisation money, court time and, in most countries, regulatory investigation.

A few people watching a Netflix show earlier than normal seems minor by comparison as long as it doesn’t happen too often. Assuming the company patches the hole that let its show be thieved, it’s not stretching it to suggest The Dark Overlord’s leaking could even have given Orange Is the New Black an unintended publicity jump.

Presumably that’s not what The Dark Overlord intended although it’s also possible this has always been about self-regarding publicity as much as simple extortion for money. If so, Netflix is starting to look like the winner on that front too.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Ab-jbsVfOeU/

Fraudsters draining accounts with ‘SIM swaps’ – what to do

Have you ever lost your mobile phone?

If so, you already know that your mobile provider will happily sell you a new phone and give you a brand new SIM card to activate the handset.

Lo and behold, when you fire up the new phone, it has your old number, so you don’t need to give all your friends and colleagues a new one.

A new phone can take over your old number because the number is actually tied to your SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

You may also need to get a new SIM from your mobile provider if you switch to a phone that requires a differently sized SIM card to the one in your current device.

Indeed, if you’ve ever done such an upgrade, you’ll know that the old SIM suddenly stops working, leaving you in an “emergency calls only” situation on your old phone…

…and a short while later, the new SIM in your new phone automatically comes alive, at which point your usual calls and text messages start arriving there instead.

The important point here is this: most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM to take over your identity.

The jargon term you’ll most commonly hear for this process is SIM swapping.

SIM swapping and security

When someone steals your phone, a SIM swap is a fantastic security benefit because you can quickly invalidate the SIM in the stolen phone, preventing the crook from racking up calls on your account or from receiving private calls and messages intended for your ears and eyes only.

But if the crook is the one perpetrating the SIM swap, a SIM swap is a serious security liability, because now it’s your phone that goes dead and the crook who gets access to your incoming calls and messages.

You can see where this is going.

Many banks and other online services send out SMSes or make voice calls to give you those one-time logon codes you need to complete sensitive transactions, giving you a level of security that is, at least in theory, stronger than just using a username and password.

The process of using one-off authorisation codes for each logon or transaction is popularly known as 2FA or 2SV, short for two-factor authentication or two-step verification, and it means that your password is no use on its own.

Additionally, even if a crook can steal one of your 2FA or 2SV codes, it’s no good next time, unlike a password that may be valid for months or even years.

But with a fraudulent SIM swap, the crooks have – temporarily, at least – as good as stolen all your 2FA codes: this one, the next one, the one after that, and so on.

Worse still, any SIM PIN or phone lock code you’d applied to your old SIM and your own phone is now irrelevant: the new SIM will have a default PIN, and your own lock code obviously doesn’t apply to the crook’s phone.

Worst of all, your phone is dead, so you can’t even phone your provider to raise the alarm.

Why SIM swaps matter

Crooks have been using SIM swaps for years to perpetrate on-line fraud, typically using their window of opportunity to:

  • Change as many profile settings on your account as they can.
  • Add new payment recipient accounts belonging to accomplices.
  • Pay money out of your account where it can be withdrawn quickly in cash, never to be seen again.

By changing settings on your account, they make it more difficult both for the bank to spot that fraud is happening and for you to convince your bank that something has gone wrong.

After all, once the account has been “claimed” by someone else, apparently with the added security measure of 2FA, you start looking like the imposter when you call up saying you’re the real owner of the account.

Suddenly the ball is in your court to prove you’re the real deal to both your mobile provider and your bank.

Sadly, this scam is still sufficiently commonplace that ActionFraud UK, part of the National Fraud Intelligence Bureau (NFIB), warned about it only last week.

ActionFraud UK refers to this scam as SIM splitting, the only place we’ve ever heard it called by that name, but it’s the same crime: fraudulently persuading a mobile phone shop to re-issue someone else’s SIM, perhaps using fake ID, by guessing at security questions, or by colluding with a corrupt employee. In Australia, you’ll sometimes hear this process called number porting.

What to do?

  • Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
  • Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a 87X4TNETENNBA.
  • Use an on-access (real time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s logon page, then springs into action to record what you type while you’re logging on. A good real time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
  • Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they are having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service centre in person if you can, and take ID and other evidence with you to back yourself up.
  • Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of logon codes.

Before we go, however, don’t forget that switching from SMS to app-based authentication isn’t a panacea.

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realising it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

If in doubt, don’t give it out!

Policing and preventing unauthorised SIM swaps is hard – as we mentioned above, most mobile phone shops can initiate the process, so that unscrupulous or careless operators put us all at risk. For this reason, the United States National Institute of Standards and Technology (NIST) recently published new guidelines forbidding SMS-based authentication for the US public service.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7f1f9bOmgV8/

News in brief: China plans its own Wikipedia; social media firms face huge fines; TalkTalk duo plead guilty

Your daily round-up of some of the other stories in the news

China to create its own Wikipedia

China, which partially blocks its citizens’ access to Wikipedia, is to create its own version of the user-created and edited encyclopedia, saying it had hired more than 20,000 people to write articles for what editor-in-chief Yang Muzhi called a “Great Wall of Culture”, the South China Morning Post reported at the weekend.

Unlike Wikipedia, which anyone can contribute to and edit, the Chinese Encyclopedia will be written by academics: this version, the third edition and first online edition, will have more than 300,000 entries.

The encyclopedia is due to go online next year, and it’s a result of what Yang Muzhi said was pressure from the international community to create a resource to “guide and lead the public and society”.

Social media firms could face huge fines

Facebook, Twitter and other social media companies should face heavy fines for not removing hate speech, extremist content and child abuse material, British MPs have warned, saying that they are “shamefully far” from taking sufficient action.

That’s the conclusion of an inquiry by the Commons Home Affairs committee set up after the murder last year of Labour MP Jo Cox.

Yvette Cooper, the chair of the committee, said the social media companies’ failure to tackle hate speech and illegal content was “a disgrace”, adding: “These are among the biggest, richest and cleverest companies in the world … this isn’t beyond them to solve and yet they are failing to do so.”

British lawmakers aren’t the first to sabre-rattle in the direction of social media companies: Germany has approved a plan to fine social networks up to €50m for not taking down hate speech posts quickly enough.

TalkTalk pair plead guilty

If you were a victim of the TalkTalk data breach in October 2015 you might get some sense of satisfaction at the news that two men have admitted their part in the £42m hack at London’s Old Bailey criminal court.

Matthew Hanley, 22, and his friend Connor Allsopp, 20, both from Tamworth in Staffordshire, admitted to charges relating to the data breach, which led to the telecoms company being fined £400,000 – the biggest fine ever imposed by the ICO, the UK data regulator.

The two men were part of a group of four who were arrested last year over the breach. Hanley and Allsopp are due to be sentenced on May 31.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OPZnGXGx6xA/

3D printing and drones are the tech del día at Spanish startup fiesta

Startup Olé 2017 Hardware tech and companies from across the world came together at the EU-backed Startup Olé conference in Salamanca, western Spain, last week.

Roughly 150 startups had stands and 50 participated in different pitches during the well-attended two-day event in the historic university town. Similar events in the UK would be dominated by app developers, but in Spain it was a mixed bag of homegrown and far-flung talent, including representatives of 10 Armenian startups.

For example, Armenian firm BeSafe is applying proxy re-encryption technology to offer a cloud-based encryption service that allows small businesses such as law and accountancy firms to safely share encrypted documents through services such as Dropbox and Slack.

Tristan William, a lynchpin in organising the conference, explained: “The invitation of Armenia along with an initiative from the European Commission (Eastern Partnership) was to connect the EU to close neighbours and encourage trade and scaling up across borders. This was similar for the other network launches like LATAM, China, Korea, Africa etc. Startup Europe and we [Startup Olé] want to build a more global economy for startups and make it easier to both access and provide products or services internationally.”

The Spanish crop featured diverse companies across a range of technologies including food, travel, energy and consumer hardware, as well as information technology. Among the firms we met was Cleandrone, which is using UAVs to wash the windows of high-rise buildings or panels on solar farms.

The third annual Startup Olé showcase also featured Drone Hopper, a startup that wants to use drones for firefighting and pesticide spraying. Several firms were based on harnessing 3D printing technology, among them a company making casts for both people and pets with broken bones.

Joe Haslam, professor at IE Business School in Madrid and founder of Hot Hotels, told El Reg that Spanish startups were gravitating towards B2B technologies.

“While you still get the B2C startups (like photo sharing, e-commerce etc), an encouraging number are B2B in the new area of exponential technologies (AI, robotics, drones, VR/AR, 3D printing),” Haslam said. “The coming generation don’t have as many hangups about speaking English or hustling as the previous generation had. And with the Fondico there is money available.

“What Spain is still missing is scaleup mentors (guys like Bernardo Hernandez) who can support entrepreneurs going from startup to scaleup. Silicon Valley still has that advantage but Spain now has the money, the knowhow and the ambition.”

The Spanish government was mandated to put money into startups as part of the 2008 bank bailout by the EU, and Startup Olé is among the results.

The development of tech startups is very much market – rather than government – driven in the UK and (to an even greater extent) the US. Haslam acknowledged this while noting that “picking winners has worked well in Asia”, arguing it isn’t necessarily a bad approach, especially for countries such as Spain.

“I think the model is for the big companies (on the CAC40, IBEX55, DAX30 etc) to stop funding incubators and accelerators,” Haslam said. “Instead they should set up tech-scouting units to hunt for technology. What startups need most is for people to buy their products, a ‘purchase order and proof of concept’ is more useful to them than just money and PR.”

Startup Olé incorporates Startup Europe, the European Commission’s initiative for startups. Panels on fintech, how corporates interact with startups, and universities’ role in startup ecosystems featured during the show as well as a pitching competition. Your correspondent took part in a 30-minute panel on media for startups during the conference.

With a nod to the upcoming French presidential run-off, one panel was entitled “Global Trend Against Globalisation: What Does It Mean for Entrepreneurship and Fintech”. Talk of the Payment Services Directive 2 and whether it might lead to Amazon and Google’s entry to the consumer banking space dominated the fintech panel. PSD2, an open architecture framework for banking due to come into force next year, raises security issues but is likely to be a boon for fintech firms. The globalisation panel agreed that Brexit will have a huge impact on the financial services market.

The best fintech pitch was by WeTech (Wearable Technologies SL) with their products that combine jewellery and fashion with payment tech and other wireless services. More details of the conference can be found on its website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/02/startup_ole_2017/

Cybercrook spared jail after copping to FIFA video game mega-hack

A game hacker who admitted involvement in a plot to steal millions from Electronic Arts was sentenced to probation by a Texas court on Monday.

Ricky Miller, 23, who pleaded guilty to conspiracy to commit fraud last October, was involved in a plot to steal in-game currency worth $16m from a football video game that was subsequently sold for cash on a secondary gamer market.

Miller admitted working with three others to hack into servers behind EA’s FIFA video game in order to siphon off virtual funds into accounts controlled by the quartet, who operated under the name RANE Developments LLP. Under a plea bargaining deal, Miller faced a possible sentence of anywhere between probation and five years’ imprisonment. US District Judge Reed O’Connor spared Miller prison by sentencing him only to probation while ordering the miscreant to pay $1.5m in restitution, Law360 reports.

The hackers allegedly reverse-engineered the FIFA video game before working out a “cheat” that allowed them to fake the completion of thousands of FIFA matches within a matter of seconds, triggering an unearned payment of “FIFA coins” (virtual funds). The group began running the scam through a modified video game console before graduating to use of a cloud computing-based system. The scam ran from sometime in 2013 until mid-September 2015, when the FBI raided the suspects’ homes.

Anthony Clark, 24, of Whittier, California, was found guilty of wire fraud conspiracy over the same scam back in November. Clark created the FIFA hacking application. After the guilty verdict, prosecutors sought forfeiture orders against a range of assets that Clark amassed using his ill-gotten gains, including an $840,000 house purchased in 2014, $6m deposited in a range of bank accounts, and two cars.

The case is US v. Miller et al., case number 4:16-cr-00205-O, in the US District Court for the Northern District of Texas. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/02/video_game_hacker_probation/

What’s in a Name? Breaking Down Attribution

Here’s what you really need to know about adversaries.

In the past few years, the topic of “attribution” has often come up. As more large-scale breaches occur and issues concerning cybersecurity become more mainstream, people want to know who is responsible. Among cybersecurity practitioners, there are two general camps — some believe that identifying the perpetrators is important, and some see this as fruitless.

Those in the former group like associating a face or a specific organization to the problem because it makes the attacker “known” and makes them feel more empowered to fight back. Those on the opposite side don’t care about attribution at all. They believe it’s a waste of time and money because unless you’re a casualty of a major crime spree, with law enforcement engaged to bring down the perpetrator, there isn’t much value in knowing an individual’s name.

Is there a middle ground? What value does putting a name to an adversary bring to the table? It really comes down to the level of attribution and the trade-offs you must make as you build your dossier, because generally, organizations don’t need to be able to pin a photo of their attackers on the wall to stop them.

Levels of Attribution
Sometimes attribution means identifying the actual group or person. You want to know what they look like, where they live and work, their schedules, and how to reach them — either electronically or physically. Other times, attribution can be obfuscated to protect sources and methods. Those with a need to know have access to the full details, while others only hear about “source B” or “sensitive source 12345.” Most frequently, attribution is based on what the adversary is actually doing. A code name is assigned to indicate an individual or group responsible for a certain attack, like APT 1, Comment Panda, or Comment Crew. Sometimes a name is assigned to a specific campaign, like Angler, Locky, and Sundown.

Government organizations typically seek the highest level of attribution. But for businesses, the level of attribution should be predicated on what security professionals need to achieve as their end goal: enabling the enterprise to be as secure as possible, given resource limitations, in order to drive business growth.


Living by the 80/20 Rule
Attribution doesn’t come easy, and the law of diminishing returns comes into play. There is a cost associated with attribution and you can get 80% of the way there for 20% of the cost. So with minimal time and effort, you can get basic but important information.

What starts with raw threat data becomes groups of campaigns and malware families based on the code base or indicators, how the malware and campaigns are used, and the infrastructure involved. Tying adversaries to campaigns and generically named adversary groups is typically sufficient so that multiple teams across the enterprise can utilize the threat intelligence. As you try to get more detail — the base of operations and individual names — costs increase exponentially, but to what end? An arrest is highly unlikely. If the goal is to protect the business, your employees, and customers, this approach of defining campaigns and adversary groups usually works very well.

Know Your User Groups
When it comes to security operations, consider what level of attribution the different groups involved in protecting your organization need to be successful.

  • The intel team is typically the group assigned to determine attribution and is responsible for pulling all this information together. To make the best use of their resources, this team typically creates a one-size-fits-all solution for attribution. They provide the information about the indicators and codebase involved, the malware and campaigns, the infrastructure used, typical targets by geography or industry, and then tie that information together to identify adversary groups. Other teams then tap into that attribution information for their needs. 
  • The incident response team needs context around campaigns to validate that something bad is really happening, and isn’t a false positive so that they can remediate incidents and breaches. Campaigns can be grouped by attribution. When you have these groupings, it allows the incident response team to start with an indicator found on the network and learn more about the attack so they can look for related indicators that those adversaries use. Knowledge of how adversaries and campaigns operate and the infrastructure used can help them accelerate response and make sure it doesn’t happen again.
  • The vulnerability management team needs to know which vulnerabilities are being targeted, if there is an exploit that is being deployed, and if any groups have successfully targeted that vulnerability already. This information provides the team with some level of confidence that someone is targeting the organization so that they can prioritize patching accordingly.
  • The security operations center is looking to threat intelligence for validation and verification. For example, with attribution grouped according to a campaign and how that campaign operates down to the command and control server, the exfiltration server, and a specific type of malware, the team knows how the adversary operates. This gives the team a high level of confidence that an attack is occurring and lets them quickly take action.
  • The hunt team takes the attribution information — in particular, the details of campaigns being run — to determine if they’ve seen that type of activity before. Understanding what an adversary targets, how they execute, their motivation, and any specific industries affected, the hunt team can see if there is some activity the SIEM may have missed.
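The “80/20” level of attribution described above, campaigns tied to generically named adversary groups rather than to individuals, is essentially an index that several teams query from different starting points: the intel team adds campaigns, incident response pivots from one indicator seen on the network to everything else the same group uses, vulnerability management asks which groups already exploit a given CVE, and the hunt team asks what to sweep for given the organisation’s sector. The following is an added example written for this article, not ThreatQuotient’s code or any product’s data model; every campaign, group, indicator and CVE id in it is constructed (RFC 5737 addresses, `.invalid` domains, placeholder `CVE-0000-…` identifiers), and it generalises slightly beyond the text by serving all four teams from one structure:

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Campaign:
    """One code-named activity cluster attributed to a generically named group."""
    name: str
    adversary: str                                   # group label, never an individual
    malware_family: str
    indicators: set = field(default_factory=set)     # file hashes, domains
    infrastructure: set = field(default_factory=set) # C2 / exfiltration hosts
    targets: set = field(default_factory=set)        # industries or regions
    exploited_cves: set = field(default_factory=set)


class ThreatGraph:
    """Indexes campaigns so each team can pivot from the datum it actually holds."""

    def __init__(self) -> None:
        self.campaigns = {}
        self._by_indicator = defaultdict(set)   # ioc -> campaign names
        self._by_adversary = defaultdict(set)   # group -> campaign names
        self._by_cve = defaultdict(set)         # cve -> campaign names
        self._by_target = defaultdict(set)      # industry -> campaign names

    def add(self, c: Campaign) -> None:
        """Intel team: register a campaign and all of its pivot keys."""
        self.campaigns[c.name] = c
        for ioc in c.indicators | c.infrastructure:
            self._by_indicator[ioc].add(c.name)
        self._by_adversary[c.adversary].add(c.name)
        for cve in c.exploited_cves:
            self._by_cve[cve].add(c.name)
        for t in c.targets:
            self._by_target[t].add(c.name)

    def pivot(self, observed: str) -> dict:
        """Incident response: one indicator found on the network -> its campaign(s),
        the group behind them, and every other indicator that group is known to use."""
        hits = set(self._by_indicator.get(observed, set()))
        adversaries = {self.campaigns[n].adversary for n in hits}
        siblings = set().union(*(self._by_adversary[a] for a in adversaries))
        related = set()
        for n in siblings:
            c = self.campaigns[n]
            related |= c.indicators | c.infrastructure
        related.discard(observed)
        return {"campaigns": hits, "adversaries": adversaries, "related_indicators": related}

    def groups_exploiting(self, cve: str) -> set:
        """Vulnerability management: which groups already use this CVE in the wild?"""
        return {self.campaigns[n].adversary for n in self._by_cve.get(cve, set())}

    def hunt_profile(self, industry: str) -> dict:
        """Hunt team: malware families and infrastructure to sweep for, given our sector."""
        names = self._by_target.get(industry, set())
        return {
            "malware_families": {self.campaigns[n].malware_family for n in names},
            "infrastructure": set().union(*(self.campaigns[n].infrastructure for n in names)),
        }


def build_demo_graph() -> ThreatGraph:
    """Constructed sample data only; nothing here refers to a real group or campaign."""
    g = ThreatGraph()
    g.add(Campaign("Campaign-One", "Group-Alpha", "LoaderX",
                   indicators={"a" * 64, "docs-update.invalid"},
                   infrastructure={"192.0.2.10"},
                   targets={"energy"}, exploited_cves={"CVE-0000-0001"}))
    g.add(Campaign("Campaign-Two", "Group-Alpha", "LoaderX",
                   indicators={"b" * 64},
                   infrastructure={"198.51.100.7"},
                   targets={"finance"}))
    g.add(Campaign("Campaign-Three", "Group-Beta", "StealerY",
                   indicators={"c" * 64, "cdn-mirror.invalid"},
                   infrastructure={"203.0.113.9"},
                   targets={"energy"}, exploited_cves={"CVE-0000-0001"}))
    return g


if __name__ == "__main__":
    g = build_demo_graph()
    print(g.pivot("192.0.2.10"))               # IR: from one C2 hit to the group's other IOCs
    print(g.groups_exploiting("CVE-0000-0001"))  # VM: two groups already use it -> patch first
    print(g.hunt_profile("energy"))            # hunt: what to look for in our sector
```

Note what `pivot` deliberately does not return: a person. The group label is enough to expand one alert into the full set of hashes and hosts to search for, which is the value the article attributes to campaign-level grouping.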

For each of these functions, knowing if the team is fighting Joe or Jane doesn’t matter. What matters is having intelligence grouped in a logical manner so that they can build confidence around knowing what these attackers are doing, how, when, and to whom. Whether it’s knowing what to look for or understanding what they’re seeing, they can then launch a better fight and apply a better fix. Organizations benefit from attribution, but at the level that makes sense for the business. 


As Senior VP of Strategy of ThreatQuotient, Jonathan Couch utilizes his 20+ years of experience in information security, information warfare, and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in …

Article source: http://www.darkreading.com/threat-intelligence/whats-in-a-name-breaking-down-attribution-/a/d-id/1328715?_mc=RSS_DR_EDT

OSX.Bella: Mac Malware Strikes Again


This variant of the OSX.Dok dropper behaves altogether differently, and installs a completely different payload.

On Friday, a sophisticated Mac Trojan was discovered called OSX.Dok, which installs malware designed to intercept all HTTP and HTTPS traffic. This morning, Adam Thomas, a Malwarebytes researcher, found a variant of the OSX.Dok dropper that behaves altogether differently and installs a completely different payload.

Distribution Method
This variant has the same form as the dropper for OSX.Dok – a zipped app named Dokument.app, masquerading as a document. It is signed with the same (now revoked) certificate as the previous OSX.Dok dropper and it was first uploaded to VirusTotal around the same time.

OSX.Dok.B SHA-256:
54ee71f6ad1f91a6f162bd5712d1a2e3d3111c352a0f52db630dcb4638101938

As with the previous variant, this one also copies itself to /Users/Shared/AppStore.app, and displays the same alert claiming that the app is damaged. However, this variant never displays the fake “OS X Updates Available” window, covering the entire screen. After a minute or so, it simply closes and deletes itself.

Instead of installing OSX.Dok, this dropper installs an open-source backdoor named Bella, created by someone who identifies himself on GitHub only as “Noah.”

Behavior Analysis
Noah has been creating Python scripts to attack various macOS data, such as stealing iCloud authorization tokens, or password and credit card information from Chrome. In February of this year, he released Bella, which combines functionality from previous scripts with new functionality:

  • Exfiltration of iMessage and SMS chat transcripts
  • Location of devices via Find My iPhone and Find My Friends
  • Phishing of passwords
  • Exfiltration of the keychain
  • Capture of data from the microphone and webcam
  • Creation and exfiltration of screenshots
  • Remote shell and screen sharing

Bella even includes the capability to escalate to root privileges via vulnerabilities in the system (which only work on macOS 10.12.1 and earlier), or phishing to obtain an admin user password. Some of the above capabilities rely on gaining root privileges, while others do not.


Bella can be customized in some aspects. This copy is configured with the following command-and-control server:

host = '185.68.93.74' #Command and Control IP (listener will run on)
port = 4545 #What port Bella will operate over

This address is owned by a hosting company located in Moscow, Russia.

The malware has also been set to install the script, database, and launch agent files in the following locations:

~/Library/Containers/.bella/Bella
~/Library/Containers/.bella/bella.db
~/Library/LaunchAgents/com.apple.iTunes.plist

If root access can be achieved, the files are instead placed in the corresponding locations under /Library (the root-level library folder) rather than under the user's ~/Library.
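The C2 address and the install paths above are enough to build a simple host check. The script below is an added example, not code from Malwarebytes or from the Bella project: it looks for the payload files and the fake com.apple.iTunes launch agent under a given library root, verifies a candidate dropper against the published SHA-256, and flags netstat/lsof-style lines that touch 185.68.93.74:4545. The function names (scan_library, check_dropper, c2_connections, demo) are assumptions, and the "infected" home directory and network table it scans are constructed inline for illustration.

```python
"""Host IOC check for the Bella backdoor dropped by OSX.Dok.B.

Added example, not Malwarebytes' or the Bella project's code. The indicators
(dropper SHA-256, C2 host/port, install paths) are those reported for this
sample; the directory layout and the sample network table in demo() are
constructed here for illustration.
"""
import hashlib
import os
import plistlib
import tempfile

DROPPER_SHA256 = "54ee71f6ad1f91a6f162bd5712d1a2e3d3111c352a0f52db630dcb4638101938"
C2_HOST, C2_PORT = "185.68.93.74", 4545
LAUNCH_AGENT = "Library/LaunchAgents/com.apple.iTunes.plist"
CONTAINER_DIR = "Library/Containers/.bella"
PAYLOAD_FILES = ("Bella", "bella.db")


def sha256_of(path):
    """Streamed SHA-256 of a file, so large dropper archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_library(root):
    """Check one library root (a user's home, or '/' for the root install) for Bella.

    Returns a list of (indicator, detail) tuples; an empty list means nothing found.
    """
    findings = []
    container = os.path.join(root, CONTAINER_DIR)
    for name in PAYLOAD_FILES:
        p = os.path.join(container, name)
        if os.path.exists(p):
            findings.append(("bella_payload", p))
    agent = os.path.join(root, LAUNCH_AGENT)
    if os.path.exists(agent):
        # The label impersonates an Apple component. Apple's own launchd jobs live
        # under /System/Library, not in a per-user LaunchAgents folder, so the path
        # alone is suspicious; record what the agent actually launches.
        try:
            with open(agent, "rb") as f:
                plist = plistlib.load(f)
            args = plist.get("ProgramArguments", [])
            prog = " ".join(args) if args else plist.get("Program", "")
        except Exception as e:  # an unparseable plist is itself worth reporting
            prog = "<unparseable: %s>" % e
        findings.append(("launch_agent", "%s -> %s" % (agent, prog)))
    return findings


def check_dropper(path):
    """True only if the file at path hashes to the known OSX.Dok.B dropper."""
    return os.path.isfile(path) and sha256_of(path) == DROPPER_SHA256


def c2_connections(netstat_lines):
    """Return lines from a netstat -an or lsof -i table that involve the Bella C2.

    macOS netstat prints host.port ('185.68.93.74.4545'); lsof prints host:port.
    """
    needles = ("%s:%d" % (C2_HOST, C2_PORT), "%s.%d" % (C2_HOST, C2_PORT))
    return [line for line in netstat_lines if any(n in line for n in needles)]


def demo():
    """Build a constructed infected home directory and run the checks over it."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, CONTAINER_DIR))
    for name in PAYLOAD_FILES:
        with open(os.path.join(home, CONTAINER_DIR, name), "wb") as f:
            f.write(b"#!/usr/bin/env python\n" if name == "Bella" else b"")
    os.makedirs(os.path.join(home, "Library/LaunchAgents"))
    with open(os.path.join(home, LAUNCH_AGENT), "wb") as f:
        plistlib.dump({"Label": "com.apple.iTunes",
                       "ProgramArguments": ["/usr/bin/python",
                                            os.path.join(home, CONTAINER_DIR, "Bella")],
                       "RunAtLoad": True}, f)
    # Constructed netstat -an style output: one benign connection, one to the C2.
    net = ["tcp4  0  0  192.168.1.20.52310  17.253.144.10.443  ESTABLISHED",
           "tcp4  0  0  192.168.1.20.52311  185.68.93.74.4545  ESTABLISHED"]
    return scan_library(home), c2_connections(net)


if __name__ == "__main__":
    for kind, detail in demo()[0]:
        print(kind, detail)
    for line in demo()[1]:
        print("C2", line)
```

On a real machine you would call scan_library on each home directory and on "/" (for the root-level install), and feed c2_connections the output of `netstat -an` or `lsof -i`. Absence of these artifacts only rules out this build's defaults; Bella's paths and C2 are configurable, so treat the check as a quick triage step rather than a clean bill of health.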

Conclusion
Although this particular delivery app is dead at this point, Bella is open-source and surprisingly powerful for a Python script. It’s quite likely that it will be dropped by other malicious installers in the future.

Malwarebytes for Mac detects this malware as OSX.Bella. If you’ve been infected with this malware, after removing it, be sure to change all your passwords as well. Business users should be aware that this malware could exfiltrate a large amount of company data, including passwords, code signing certificates, hardware locations and much more. If you’ve been infected, contact your IT department.

Related Content:

OSX.Dok: New Sophisticated Mac Malware Strikes

Thomas Reed is a self-trained developer and Apple security expert, and is director of Mac offerings at Malwarebytes.

Article source: http://www.darkreading.com/partner-perspectives/malwarebytes/osxbella-mac-malware-strikes-again/a/d-id/1328777?_mc=RSS_DR_EDT

CenturyLink, Medina Capital Deal Closes with Launch of Cyxtera Technologies

CenturyLink’s former data centers and colocation business were combined with Medina Capital’s cybersecurity and analytics holdings to create new secure data center infrastructure firm.

Cyxtera Technologies, a secure data center infrastructure and security services company, was unveiled today, following the close of a $2.8 billion deal that combined assets from communications company CenturyLink and private equity firm Medina Capital.

Under the deal, CenturyLink’s data centers and related colocation business were merged with Medina’s security and data analytics holdings. The combined assets allow Cyxtera to offer a secure infrastructure platform to handle and support both private and public cloud customers and deliver software and services that could also extend security to their on-site environments.

Cyxtera will operate 57 data centers across the globe with software-based perimeter security, identity- and context-aware access control, and network analytics. The company will focus on delivering fraud prevention and authentication services for specific industries such as financial institutions and government agencies.

Miami-based Cyxtera will operate with 1,100 employees worldwide and serve 3,500 customers across the globe.

Read more about Cyxtera here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/endpoint/centurylink-medina-capital-deal-closes-with-launch-of-cyxtera-technologies/d/d-id/1328781?_mc=RSS_DR_EDT

New Global Resilience Federation Will Share Threat Intel Across Industries

Born out of a partnership of information sharing and analysis centers and organizations, Global Resilience Federation launches today to share intelligence and information across a number of industry sectors.

With cybercriminals increasingly targeting multiple industries at once, the Global Resilience Federation launches today to share security intelligence across a broad swath of industry sectors.

The Global Resilience Federation (GRF) will act as a hub to coordinate cross-sector intelligence among the Financial Services Information Sharing and Analysis Center (FS-ISAC), Legal Services Information Sharing and Analysis Organization (LS-ISAO), and the Energy Analytic Security Exchange (EASE).

Previously, the FS-ISAC, one of the oldest and most established ISACs, held the role of coordinating information among various industries, but it was determined that it was time for a change. Under a formal partnership, the FS-ISAC will transfer its sector services team to the GRF as its initial staff.

“The time is right to launch the GRF community of communities,” said Bill Nelson, FS-ISAC president and CEO, and chairman of the GRF board, in a statement. “With the cross-pollination and wide-range of intelligence sources we deal with every day, across many industries, it makes sense that FS-ISAC no longer coordinate intelligence for all our partner organizations, but instead pass the torch to GRF and then join the community as one member among many.”

Read more about the GRF here.


Article source: http://www.darkreading.com/endpoint/new-global-resilience-federation-will-share-threat-intel-across-industries/d/d-id/1328782?_mc=RSS_DR_EDT