New ransomware campaign pilfers passwords before encrypting gigabytes of data

A new wave of crypto ransomware is hitting Windows users courtesy of poorly secured websites. Those sites are infected with Angler, the off-the-shelf, hack-by-numbers exploit kit that saves professional criminals the hassle of developing their own attack.

The latest round is especially nasty because before encryption, the drive-by attacks first use malware known as Pony to harvest any login credentials stored on the infected computer, according to a blog post published by a firm called Heimdal Security. The post explains:

The campaign is carried out by installing a cocktail of malware on the compromised PC. The first payload consists of the notorious data thief Pony, which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of Control & Command servers controlled by the attackers.

The purpose of this action is to abuse legitimate access credentials to web servers and CMS systems used by websites and to inject the malicious script in these websites so that the campaign achieves the largest possible distribution.

In the second phase, the drive-by campaign unfolds via the victim being moved from the legitimate website, which has been compromised, to a heap of dedicated domains which drop the infamous Angler exploit kit.

The Angler exploit kit will then scan for vulnerabilities in popular third-party software and in insecure Microsoft Windows processes, if the system hasn’t been updated. Once the security holes are identified, Angler will exploit them and force-feed CryptoWall 4.0 into the victim’s system.

To appreciate just how insidious attacks like these are, consider this: earlier this week, Ars reported that the Reader’s Digest website was actively infected by Angler. A reader promptly replied that someone in his organization had visited the site in early November—four weeks before the article was published—and was infected by CryptoWall after reading an article. The target’s only mistake, it seems, was failing to update one of several apps.


Ballmer: Microsoft’s cloud revenue numbers are “bullshit”

Microsoft today held its annual shareholder meeting, leaving one significant Microsoft shareholder—former CEO Steve Ballmer—less than happy with the way the company reports the financial performance both of its nascent hardware business and of its cloud business, according to Dina Bass at Bloomberg.

That’s because the company hasn’t disclosed profit margins or sales figures for either business. Ballmer says that revenue is a “key metric” and that if these businesses are important then the company “should report it.” Rather than reporting these figures, Microsoft has reported its annualized revenue run rate—a hypothetical value that describes what the company’s revenue would be if the current level of sales were sustained over the full year. Ballmer’s view of the run rate: “Bullshit. They should report the revenue, not the run rate.”

Margin is also important because of the shifting revenue base of the company. Margins for software (which can be duplicated at zero cost) tend to be very high; margins for hardware and cloud services tend to be lower. As Microsoft shifts more revenue from software, such as Office, to cloud services, such as Office 365, its margins will change. Ballmer wants these margins to be reported to make this visible. This lack of transparency means that Ballmer has no idea how the company is really doing.


Adobe to kill off Flash in January’s Creative Cloud update

Adobe’s embrace of HTML5 has created its first big casualty: Flash. Not the Flash Player browser plugin—Adobe said in 2012 that it would continue supporting the plugin for the next five to 10 years—but Flash Professional, the main authoring tool used to create Flash animations.

With the Creative Cloud update coming in January, Flash Professional will sport a new name: Adobe Animate CC. It will still be able to produce Flash (SWF) files and will also continue to support Adobe’s standalone AIR runtime, but it also supports building for HTML5 Canvas and WebGL. Adobe says that a third of all content produced in Flash Professional is now HTML5-based, showing that the shift away from its proprietary browser technology is well underway. Flash Professional isn’t just for Flash; it’s for all kinds of timeline-based interactive animations. The name change makes sense.


Mozilla: we’re not getting money from Google any more but we’re doing fine

For many years, Firefox developer Mozilla generated substantial income from a sponsorship deal with Google; the search and advertising firm paid Mozilla in return for Firefox making Google its default search engine. That deal was ended last year, with Firefox defaulting to Yahoo in the US, Yandex in Russia, and Baidu in China.

Given the prior dependence on the Google deal, this was a big shift for the open source browser developer. Mozilla has just released its 2014 financial report; last year it had just shy of $330 million of revenue, 98 percent of which came from its search deals.

In 2014 that meant the Google deal, but now the organization says that it isn’t receiving anything from Mountain View. Although Google remains the default search engine within Europe, Denelle Dixon-Thayer, Mozilla’s chief business and legal officer, told CNET that “We don’t have a commercial relationship with Google at this point.”


Windows 10 November Update mysteriously pulled, as concerns about bugs grow

Downloadable versions of Windows 10 version 1511, the November 2015 update, appear to have been removed after their release earlier this month.

Initially, Microsoft let people download full copies of the installer using the Media Creation Tool (MCT). Media produced with the MCT can be used to perform both upgrades and clean installations, and it’s especially convenient when updating multiple systems, as it ensures that only a single download is required. But the version 1511 MCT has been removed, and replaced with the original July version. Systems can still be upgraded to the November update, but direct installation is no longer possible. Instead, the original RTM version must be installed, and the upgrade to 1511 performed through Windows Update.

This is both inconvenient and mysterious. The ability to install 1511 on clean systems is obviously quicker than going via the RTM version. It means one large download instead of two. Upgrading multiple systems with the MCT is also obviously preferable. It’s mysterious because it’s not really clear why the 1511 installer has been pulled. Microsoft’s official comment explains nothing:


Updated Windows privacy policy a little more reassuring

Windows 10 collects more data and has more cloud connections than any version of Windows before—a design that has many privacy implications. One of the continued complaints around this is a lack of clarity around what gets collected and how it gets used. Ed Bott spotted that the privacy statement, the lengthy document covering all of Microsoft’s major online services, was updated in October.

Some of the changes are straightforward corrections or updates to accommodate new service names. Others, however, are a bit more meaningful. For example, on consumer systems the encryption keys used for BitLocker drive encryption by default get backed up to OneDrive online. This enables data recovery in certain situations. The description of this in the privacy statement has been updated to note that “Microsoft doesn’t use your individual recovery keys for any purpose,” making clear that while the keys may be stored on OneDrive, Microsoft will not use them and is not interested in decrypting your disk.

Another alteration clarifies language that was being misinterpreted. The original privacy statement read that Microsoft “will access […] your content (such as […] files in private folders)” in response to law enforcement demands, to ensure safe operation of its services, and a few other situations. This led some to believe that private folders on users’ hard disks were vulnerable to inspection and distribution by Microsoft. The new text makes it explicit that only files stored on OneDrive and e-mails stored in Outlook.com are covered by this statement.


Password-pilfering app exposes weakness in iOS and Android vetting process

Highlighting crucial weaknesses in Apple’s and Google’s processes for admitting new titles into their competing app stores, both companies have ejected a third-party Instagram app after discovering it probably pilfered user passwords and pictures.

InstaAgent, as the app was called, marketed itself as a program that tracked people who visited a user’s Instagram account. It had between 100,000 and 500,000 downloads from Google’s Play Store and was in the top charts of the iOS App Store. But behind the scenes, an app developer said earlier this week, the app sent users’ Instagram login credentials to a server controlled by the InstaAgent developer. Google was the first to pull the app. Apple later followed.

According to a blog post published Thursday by the iOS developer:


Microsoft to offer UK-based Azure, Office 365 from late 2016

Microsoft will spend $2 billion building out its European cloud infrastructure, and the company will create a new UK cloud region that will offer Azure and Office 365 from late 2016 and Dynamics CRM later.

Many in the UK are already using services operated out of Ireland and the Netherlands, and Microsoft is expanding both of these operations to provide additional capacity. UK-based hosting will open up Microsoft’s cloud services to the UK government, with the UK Ministry of Defence quoted as intending to make use of the UK facility. The new offering will also appeal to companies that need to keep data within the UK due to regulatory requirements, such as some of those operating in banking and finance.

Microsoft already boasts more distinct regions around the world—currently 24—than any other major cloud provider, with more than $15 billion already invested. This presence arguably gives the company an edge for any business with legal compliance concerns, as it’s more likely that Microsoft will have a data center subject to the right laws. The lower latency that comes with geographic proximity can also be important, such as Microsoft’s own use of Azure for hosting Xbox game servers.


Microsoft considers blocking SHA-1 certificates after cost of collisions slashed

Microsoft may phase out support for TLS certificates that use the SHA-1 hashing algorithm as early as June 2016. The decision comes in the wake of recent calculations that suggest generating collisions is quicker and cheaper than previously anticipated.

SHA-1 is a hash algorithm, used to derive a 128-bit value from an arbitrary input. Its intent is for collisions—different inputs that hash to the same 128-bit value—to be hard to generate. As compute power has grown steadily over the years, generating collisions has become quicker and cheaper. Bruce Schneier previously projected, based on the observed growth of compute power, that creating SHA-1 collisions would be within reach of criminals by 2018 at a cost of about $173,000. On this basis, Microsoft intended to cease supporting the use of new SSL/TLS certificates using SHA-1 on January 1, 2016 and all SHA-1 SSL/TLS certificates on January 1, 2017.

The new cost and performance estimates, however, suggest both that the cost is drastically lower—$75,000 to $120,000—and that the compute resources are immediately available through cloud services such as Amazon EC2. This has given browser vendors little option but to reconsider the previous 2017 timetable for retiring support of SHA-1.


Hackers use anti-adblocking service to deliver nasty malware attack

More than 500 websites that used a free analytics service inadvertently exposed their visitors to a nasty malware attack made possible by a hack of PageFair, the anti-adblocking company that provided the analytics.

The compromise started in the last few minutes of Halloween with a spearphishing e-mail that ultimately gave the attackers access to PageFair’s content distribution network account. The attacker then reset the password and replaced the JavaScript code PageFair normally had execute on subscriber websites. For almost 90 minutes after that, people who visited 501 unnamed sites received popup windows telling them their version of Adobe Flash was out-of-date and prompting them to install malware disguised as an official update.

“If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now,” PageFair CEO Sean Blanchfield wrote in a blog post published Sunday. “For 83 minutes last night, the PageFair analytics service was compromised by hackers, who succeeded in getting malicious javascript to execute on websites via our service, which prompted some visitors to these websites to download an executable file. I am very sorry that this occurred and would like to assure you that it is no longer happening.”
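Subresource Integrity (SRI), which the article does not mention, is the standard browser control against exactly this failure: a publisher pins the hash of the third-party script it reviewed, and the browser refuses to run a copy swapped at the CDN. The following is an added example, not PageFair's code; the script bodies and the URL are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample: the script a third-party analytics service ships to its
# subscriber sites, and a modified copy of the kind that could be substituted
# after a takeover of the service's CDN account. Both strings are made up here.
GENUINE_SCRIPT = b"(function(){window.__analytics={version:'1.0'};})();"
TAMPERED_SCRIPT = b"(function(){window.__analytics={version:'1.0'};})();/*changed*/"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity metadata for a script body, e.g. 'sha384-<base64>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag a publisher pins to the script version it reviewed.
    crossorigin="anonymous" is required for SRI on cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def integrity_matches(integrity: str, fetched_body: bytes) -> bool:
    """Replicate the browser-side check: does the fetched body match a pinned hash?
    Simplified: any one of the space-separated tokens matching is accepted."""
    for token in integrity.split():
        algorithm, _, _ = token.partition("-")
        if algorithm in SRI_ALGORITHMS and sri_hash(fetched_body, algorithm) == token:
            return True
    return False


if __name__ == "__main__":
    # Placeholder URL; the pinned tag is what the publisher embeds in its pages.
    tag = script_tag("https://cdn.example/analytics.js", GENUINE_SCRIPT)
    pinned = sri_hash(GENUINE_SCRIPT)
    print(tag)
    print("genuine copy accepted:", integrity_matches(pinned, GENUINE_SCRIPT))
    print("swapped copy accepted:", integrity_matches(pinned, TAMPERED_SCRIPT))
```

The pin only works for a fixed script version: a service that changes its script without coordinating with publishers will see the browser block the new copy as well, so SRI is a fit for versioned, stable scripts rather than ones that change on every deploy.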
