
Carbanak Using Google Services For Command And Control

Carbanak certainly has not sat idly by after years of advanced criminal campaigns targeting primarily financial institutions.

The outfit, alleged to have stolen from more than 100 banks worldwide, has popped up again with a new means of managing command and control over its malware and implants. Researchers at Forcepoint said Tuesday that an investigation into an active exploit sent in phishing messages as an RTF attachment led them to discover that the group has been using hosted Google services for command and control. Services such as Google Forms and Google Sheets are being co-opted by the group, allowing Carbanak traffic to essentially hide in plain sight among Google traffic that is unlikely to be blocked by an organization. Forcepoint said that each time a victim is infected by the group’s malware, a Google Sheets spreadsheet is created along with a unique ID for the victim, which is used to manage interactions with the infected machine.

The attacker then manually goes into the spreadsheet, collects any data sent back from the target’s computer and loads the spreadsheet with commands and additional malware that is pulled to the compromised machine. Forcepoint said it was not aware of how many of these command and control channels were open on Google services, but said it is something that was privately disclosed to Google.

A request for comment from Google was not returned in time for publication. “The Carbanak actors continue to look for stealth techniques to evade detection,” Forcepoint said in its report published yesterday. “Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation.” Researchers said their investigation was prompted in part by a new campaign disclosed by tr1adx, a scarcely populated website that has published four pieces of “intelligence,” primarily focusing on state-sponsored groups. On Jan. 1, it published a piece on a Carbanak campaign it was calling Digital Plagiarist.

The main tactic exposed in the report was the group’s use of tainted Office documents hosted on sites mirroring legitimate sites such as the U.S. Food and Drug Administration, Department of the Treasury, Zyna, Atlantis Bahamas, Waldorf Astoria and many others across sectors such as manufacturing, hospitality, media and health care.

The group, which tr1adx calls the TelePort Crew, is likely Carbanak based on domains and malware used in this campaign that are similar to another disclosed by researchers at Trustwave last year. Forcepoint took a look at an RTF file previously used exclusively by Carbanak that includes crafted VBScript.

The document, Forcepoint said, contains an embedded OLE object disguised as an image asking the victim to click on it to view the attachment.

The image is hosting the VBScript, and if the victim clicks on the image, a dialogue box appears instructing the user to open the file, which executes the attack. “We decoded the script and found hallmarks typical of the Carbanak group’s VBScript malware, however we also found the addition of a new ‘ggldr’ script module,” Forcepoint said. “The module is base64 encoded inside the main VBScript file along with various other VBScript modules used by the malware. When we analyzed the script we noticed that it is capable of using Google services as a C&C channel.”

Carbanak’s activities were exposed in 2015 by researchers at Kaspersky Lab, who published an extensive report explaining that the group was using advanced malware to attack more than 100 banks, stealing anywhere from $2.5 million to $10 million per bank and putting potential losses at $1 billion. Carbanak used spear phishing to infiltrate banks, moving laterally across compromised bank networks until it landed on the right system that allowed it to steal money. In some instances, Kaspersky Lab said, Carbanak would record video of system operators, which was used in concert with data obtained by implanted keyloggers to fully understand what the victim was doing on the infected machine.

Kaspersky Lab said Carbanak would cash out in a number of ways: “ATMs were instructed remotely to dispense cash without any interaction with the ATM itself, with the cash then collected by mules; the SWIFT network was used to transfer money out of the organization and into criminals’ accounts; and databases with account information were altered so that fake accounts could be created with a relatively high balance, with mule services being used to collect the money.”
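A defender-side check for the technique described above, added here and not taken from the article or from Forcepoint: because the Google domains themselves cannot reasonably be blocked, it reads Sysmon network-connection events and flags Windows script hosts talking to Google document and form services, counting connections per host so a polling implant stands out. The script-host list, the Google host list and the sample events are assumptions and constructed data, not indicators from the page.

```powershell
# Added example, not code from the article or from Forcepoint: hunt Sysmon
# network-connection events (Event ID 3) for Windows script hosts reaching Google
# document/form services, since the destinations themselves cannot be blocked.
# Assumptions: the VBScript implant runs under the stock script hosts
# (wscript.exe/cscript.exe); both host lists and the sample events are constructed.

$ScriptHosts    = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe')
$GoogleDocHosts = @('docs.google.com', 'sheets.googleapis.com', 'script.google.com', 'forms.gle')

function Get-SysmonNetworkEvents {
    # Read real Sysmon Event ID 3 records and flatten EventData into plain objects.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                User     = $data['User']
                Image    = $data['Image']
                DestHost = $data['DestinationHostname']
                DestPort = [int]$data['DestinationPort']
            }
        }
}

function Find-ScriptHostGoogleTraffic {
    # Returns one row per (computer, process, destination) with a connection count,
    # so a script host repeatedly polling a spreadsheet stands out from a one-off.
    param([pscustomobject[]]$Events)

    $hits = foreach ($e in $Events) {
        $proc = [System.IO.Path]::GetFileName("$($e.Image)").ToLowerInvariant()
        if ($ScriptHosts -notcontains $proc) { continue }
        $dest  = "$($e.DestHost)".ToLowerInvariant()
        $match = $GoogleDocHosts | Where-Object { $dest -eq $_ -or $dest.EndsWith(".$_") }
        if ($match) {
            [pscustomobject]@{
                Time = $e.Time; Computer = $e.Computer; User = $e.User
                Process = $proc; Destination = $dest; Port = $e.DestPort
            }
        }
    }

    $hits | Group-Object Computer, Process, Destination | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            Computer    = $_.Group[0].Computer
            User        = ($_.Group.User | Sort-Object -Unique) -join ','
            Process     = $_.Group[0].Process
            Destination = $_.Group[0].Destination
            Connections = $_.Count
            FirstSeen   = $times[0]
            LastSeen    = $times[-1]
        }
    }
}

# Constructed sample events standing in for Get-SysmonNetworkEvents output.
function New-SampleEvent($Time, $Computer, $User, $Image, $DestHost, $DestPort = 443) {
    [pscustomobject]@{ Time = [datetime]$Time; Computer = $Computer; User = $User; Image = $Image; DestHost = $DestHost; DestPort = $DestPort }
}
$SampleEvents = @(
    New-SampleEvent '2017-01-17 09:00:05' 'WS-FIN-07' 'CORP\jdoe'   'C:\Windows\System32\wscript.exe' 'docs.google.com'
    New-SampleEvent '2017-01-17 09:05:06' 'WS-FIN-07' 'CORP\jdoe'   'C:\Windows\System32\wscript.exe' 'docs.google.com'
    New-SampleEvent '2017-01-17 09:10:04' 'WS-FIN-07' 'CORP\jdoe'   'C:\Windows\System32\wscript.exe' 'docs.google.com'
    New-SampleEvent '2017-01-17 09:01:10' 'WS-FIN-07' 'CORP\jdoe'   'C:\Program Files\Google\Chrome\Application\chrome.exe' 'docs.google.com'  # benign: a browser
    New-SampleEvent '2017-01-17 09:02:30' 'WS-HR-02'  'CORP\asmith' 'C:\Windows\System32\svchost.exe' 'ctldl.windowsupdate.com' 80              # benign: not Google
    New-SampleEvent '2017-01-17 09:03:00' 'WS-HR-02'  'CORP\asmith' 'C:\Windows\System32\cscript.exe' 'fileserver.corp.local' 445               # script host, internal target
)

# Only WS-FIN-07 / wscript.exe / docs.google.com (3 connections) is reported.
Find-ScriptHostGoogleTraffic -Events $SampleEvents | Format-Table -AutoSize

# Against live data on a Sysmon-instrumented host (elevated session):
# Find-ScriptHostGoogleTraffic -Events (Get-SysmonNetworkEvents) | Format-Table -AutoSize
```

Browsers and Google's own client software legitimately hit these hosts, which is why the filter keys on the originating process rather than the destination alone.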

Got microservices? You'd better secure them

One of the toughest parts of being a computer security pro is trying to figure out what to hang your career on every two to five years. Which new buzzwords will stick and become new paradigms, and which will disappear into the ether? Keeping up with the latest and greatest enterprise tech is part of my job, and no source does it better than InfoWorld, but some “new” trends still end up surprising me. In 2016, we learned that the emerging ecosystem of containers, microservices, and cloud scalability is not a fad.

But it does present new security problems.

Securing containers

In 2015, I talked about securing containers, which were popularized by Docker, and are now used throughout the industry and supported by most industry players. Often inaccurately described as “micro-VMs,” containers hold packaged pieces of software that contain all the components (the software itself, system libraries, the file system) needed to run that software.

Containerized applications share a single instance of the OS, rather than running copies of an OS like VMs do. Since that 2015 article, a handful of companies have offered solutions to help you secure containers, including more default security and support from Docker itself. How hard is it to secure containers? The short answer: It depends on the scenario. Because applications can be abstracted from the operating system, it's easier to patch one without necessarily impacting the other.

At the same time, containers introduce an additional layer of complexity, so container deployments are harder to secure. For one thing, a great benefit of containers is that developers can create and share images much more easily than ever before -- raising the risks of propagating images containing flaws or malware.

Also, root access to the host OS provides access to all containerized apps. Read this article by Amir Jerbi of Aqua Security for an excellent rundown of these issues.

Securing microservices

You need to add microservices to your security planning, too. Microservices are the modern method to create web and mobile applications: You break down functionality into separate mini-applications that are loosely coupled by RESTful APIs. Martin Fowler, one of the earliest proponents, describes microservices as “suites of independently deployable services.” Microsoft Azure CTO Mark Russinovich has a great article on microservices as well. You can think of microservices as an outgrowth of object-oriented coding, where each programming component is coded in such a way that, given the required inputs, it can function with any other component. Yet microservices are stand-alone services that, working in concert, power one or more applications. One of the best aspects of microservices is the ability to have multiple, redundant services, any of which can stand in for another.

Administrators can remove, insert, stop, or start related microservices without impacting the whole application. You can patch or update one or more microservice components, and the larger supported application should hum along without a hiccup.

Securing it all

Let's review: We have physical computers and virtual machines. We have public and private clouds. We have containers and microservices.
It’s all running across physical and software-defined networks. Now imagine them all working in concert together to deliver a service or set of services.
In a fully redundant model, you have containers running microservices in VMs in public clouds and/or in your datacenter. How are computer security pros supposed to secure it all? You start by breaking it down into its individual components. You secure all the involved physical computers and networks as you have always traditionally done. You look at the threats along the OSI model and address your needs. Virtual machines have their own security issues (guest-to-guest, guest-to-host, and host-to-guest risks). Microservices are best handled using Security Development Lifecycle methods and tools.

At their base, microservices are simply software and should be treated like any software that needs to be securely programmed. Like VMs, containers have their own issues, but each container scenario demands a different security approach.

Be sure to check out the Docker security blog and the aforementioned InfoWorld article. The most important recommendation I can give you is that identity is the new security boundary.
I’m not talking user or device logon identities alone, though they play a major role.
I’m also talking about the identities and security contexts that run each of the individual components. Do they share the same namespace? If so, do multiple components run under the same shared identity? If they share different namespaces, do the involved identities still share common authentication credentials? That would be like someone using the same password across two different, completely unrelated websites. You have to know what libraries and components are shared by different microservices or containers.
If one of the subcomponents has a vulnerability, that means every dependent, upper-layer component has the same vulnerability.

Can you even patch the dependent subcomponent? Like the trials and tribulations of computer security people trying to patch Java clients, containers and microservices can open the door to the same patching hell. If you don’t know much about containers and microservices, start learning more about them today. Done right, containers and microservices can simplify security. Manage them poorly, and you're inviting another security nightmare.

Congress passes BOTS Act to ban ticket-buying software

Did they compete with the bots to get their tickets? (Photo: Mat Hayward/Getty Images)

Using software bots to buy concert tickets will soon be illegal, thanks to a bill passed by Congress yesterday. The Better Online Ticket Sales (BOTS) Act makes it illegal to bypass any computer security system designed to limit ticket sales to concerts, Broadway musicals, and other public events with a capacity of more than 200 persons. Violations will be treated as "unfair or deceptive acts" and can be prosecuted by the Federal Trade Commission or the states. Sen. Jerry Moran (R-Kansas), who sponsored the bill, told The Associated Press that he intends to "level the playing field" for people buying tickets. "The need to end this growing practice is reflected in the bill's widespread support," Moran said. The bill passed the Senate by unanimous consent last week, and the House of Representatives voted yesterday to pass it as well.
It now proceeds to President Barack Obama for his signature. Computer programs that automatically buy tickets have been a frustration for the concert industry and fans for a few years now.

The issue had wide exposure after a 2013 New York Times story on the issue. Earlier this year, the office of New York Attorney General Eric Schneiderman completed an investigation into bots.

The New York AG's ticket sales report (PDF) found that the tens of thousands of tickets snatched up by bots were marked up by an average of 49 percent. "I want the thousands of tickets for shows, concerts, and sporting events that are now purchased by bots and resold at higher prices to go into the general market so that you have a chance to get them," wrote Lin-Manuel Miranda, creator of the hit musical Hamilton, in a New York Times op-ed in June. "You shouldn’t have to fight robots just to see something you love." The Senate took up the matter a few months ago, holding a September hearing at which Jeffrey Seller, the producer of Hamilton, testified.
Seller told legislators that bots quickly buy up tickets, which are then resold on platforms like StubHub and TicketsNow for big markups.

Group policies, meet EMM: New and old Windows 10 management unite

One of Windows 10's biggest internal changes is support for management and security APIs à la enterprise mobile management (EMM).
It uses APIs similar to those in iOS, Android, and MacOS.

But Windows 10's EMM policies are limited compared to what traditional Windows management tools can do.

Thus, a lot of what IT does to manage PCs today can't be done in Windows 10 via EMM, such as setting up kiosk mode or enabling local encryption.
Instead, old-school tools like System Center Configuration Manager (SCCM) must be used. EMM provider MobileIron has an answer: MobileIron Bridge, an add-on to its EMM tools that lets IT apply their familiar -- and often extensive -- group policy objects (GPOs) to Windows 10 PCs managed via EMM. Applying GPOs via EMM lets IT manage Windows 10 PCs using both legacy and modern techniques from one console (MobileIron's EMM), filling in the API gaps Windows 10 currently has. Some vendors let IT install listener apps on PCs to locally apply some GPOs, a technique that could be used with traditional Windows 10 tools in parallel with an EMM tool.

But MobileIron is the first to provide GPO support directly via EMM -- there's no local client app to install, and all the GPO settings go through the same channel as the other EMM policies. MobileIron Bridge's support of GPOs is done by supporting PowerShell, VBScript, and registry scripts.
IT can take existing scripts, as well as create new ones, and bundle them into policies that MobileIron Bridge then deploys like any EMM policy. For example, Windows 10's EMM APIs can detect a PC where BitLocker encryption is disabled, rendering the PC noncompliant with corporate security policy.

But those APIs can't be used to enable BitLocker. With MobileIron Bridge, PowerShell-driven GPOs can be used to enable BitLocker remotely, so IT can detect noncompliant PCs, then turn them compliant -- all remotely.

MobileIron Bridge lets IT run bundled scripts to implement group policy objects and other system management commands on Windows 10 PCs managed via EMM. Here, BitLocker encryption is enabled on a noncompliant PC.

As another example, MobileIron Bridge can be used to run scripts to set up kiosk mode on Windows 10 PCs, which essentially locks a specified user to specified apps and can seal off their data from that of other people using the same PC.
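The detect-then-remediate flow described above, written as an added PowerShell example rather than MobileIron's own code: it reports a volume's BitLocker state, enables BitLocker with a TPM protector when the PC is noncompliant, and escrows the recovery password in Azure AD so IT can still unlock the drive. It assumes an elevated session on a Windows 10 PC that has a ready TPM and is Azure AD-joined; the function names are the example's own.

```powershell
# Added example, not MobileIron's code: the detect-then-remediate step the article
# describes, as a script that could be bundled into a policy and pushed to a PC.
# Assumptions: the OS volume is the system drive, the PC has a ready TPM and is
# Azure AD-joined (so the recovery key can be escrowed there); run elevated on Windows 10.

function Get-BitLockerCompliance {
    # Compliance here means: protection is on and the volume is not fully decrypted.
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $MountPoint
        Compliant        = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -ne 'FullyDecrypted')
        ProtectionStatus = "$($vol.ProtectionStatus)"
        VolumeStatus     = "$($vol.VolumeStatus)"
        EncryptionMethod = "$($vol.EncryptionMethod)"
        HasRecoveryKey   = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

function Set-BitLockerCompliant {
    param([string]$MountPoint = $env:SystemDrive)
    $state = Get-BitLockerCompliance -MountPoint $MountPoint
    if ($state.Compliant) { return $state }   # nothing to do; report the current state

    # Unattended enablement needs a TPM to hold the key; without one a user would be
    # prompted for a PIN or password at every boot.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready on $env:COMPUTERNAME; cannot enable BitLocker unattended"
    }

    # Create the recovery password before encryption starts, so a key exists to escrow.
    if (-not $state.HasRecoveryKey) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    switch ($state.VolumeStatus) {
        'FullyDecrypted' {
            # TPM protector unlocks the drive at boot; used-space-only keeps a fresh image
            # quick to encrypt; skipping the hardware test avoids a reboot-and-confirm step.
            Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
                -UsedSpaceOnly -SkipHardwareTest | Out-Null
        }
        'FullyEncrypted' {
            # Already encrypted but protection is off: it was suspended, so resume it.
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
        }
        default { }   # EncryptionInProgress and similar transient states: let them finish
    }

    # Escrow every recovery password in Azure AD so IT can recover the PC later.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    # ProtectionStatus reads Off until encryption completes, so a freshly enabled
    # drive can still report noncompliant on this first run and compliant on the next.
    Get-BitLockerCompliance -MountPoint $MountPoint
}

Set-BitLockerCompliant | Format-List
```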

A retailer might use kiosk mode for a shared Windows laptop or tablet, giving each employee a separate kiosk account and retiring the accounts as employees leave. Another scenario that MobileIron Bridge supports is setting up multiple user accounts on a PC, such as one used by contractors, for job-sharers, across shifts involving different departments in a "hoteling" workplace, or even by employees working from home on a personal PC. Working in concert with Azure Active Directory, IT can use MobileIron Bridge to remotely set up the multiple accounts, determine which accounts can share data with each other, and which accounts run in kiosk mode, then retire accounts as users leave. MobileIron Bridge also lets IT install .exe apps onto Windows 10 PCs; Microsoft's EMM APIs support installation only of .msi and .appx software, which means most legacy apps aren't supported for remote, policy-based installation. MobileIron comes with a graphical interface to install such .exe apps, but it also can install other binaries using a command-line interface, again using scripts as it does for GPO deployment.

MobileIron Bridge can install legacy .exe apps onto Windows 10 PCs via EMM policies; example apps are highlighted here.

Ojas Rege, MobileIron's chief strategy officer, notes that when iPhones entered the enterprise in the late 2000s, IT couldn't reuse any of the many policies they had painstakingly set up in BlackBerry Enterprise Service for their BlackBerrys.

Thus, they had to start from scratch. MobileIron Bridge's GPO support gives IT an easier path to transition Windows 10 PCs from traditional management approaches to the EMM one used on other devices, he says. However, Rege suggests that IT shops not deploy all their existing GPOs as is on Windows 10 PCs; they should use the EMM transition to evaluate what policies they still really need -- BlackBerry shops soon realized they didn't need all 450 BES policies, for example -- and deploy those in a staged approach. "It should be done with a change-management process," he says. MobileIron Bridge will support Windows 10 Professional and Enterprise Editions, though some supported Windows 10 capabilities such as kiosk mode require the Enterprise Edition. Licenses will cost $3 per PC.
It's now in prerelease at some customers, and the company hopes to make it generally available by January 2017.

ISF Intros Consulting Services, Report on Protecting Key Assets

The International Security Forum's latest reports are aimed at helping CISOs identify and protect essential assets, and the ISF offers consulting services to aid in adoption. The Information Security Forum (ISF) announced a new series of reports designed to help organizations protect their most essential assets.
In concert with the release, it also announced a new component to its business—short-term consultancy services to help ISF members implement its advice. "There's probably no one better-equipped to deliver these services than we are," Steve Durbin, managing director of the ISF, told eWEEK. "We developed the tools, and we have the ability to help members use them."

The ISF, founded in 1989, is a not-for-profit organization that helps member enterprises around the world and from every vertical market understand and act on cyber-security risks. Durbin added that the ISF won't be "doing the work of the Deloittes—it's not about putting a large number of people on the case." Rather, what it aims to do is provide independent evaluations and validations of members' security arrangements; assess information risk; help senior staff build effective "cyber-resilience" programs; provide pragmatic, vendor-neutral advice; translate security risks into board-level reporting; and securely deliver business-essential projects. Because the ISF is a not-for-profit, fees will be well below what companies would pay a "Big Four" firm, Durbin added. "It's a very natural next step for us."

Protecting the 'Crown Jewels'

According to the ISF, information assets can represent 80 percent of an organization's total value.

The new reports, collectively titled "Protecting the Crown Jewels: How to Secure Mission-Critical Information Assets," are the largest the organization has offered in a while, according to Durbin. It's the ISF's belief that while business leaders may understand what constitutes their so-called crown jewels—the assets most likely to attract motivated, well-funded and organized threats—few understand the extent to which their assets are exposed to threats. The reports explain how to identify mission-critical information assets; identify the greatest threats to them; determine the right protections to put in place; determine how to implement those protections; and determine how to counter adversarial threats.

"To me, the most challenging piece of that is identification," said Durbin, explaining that the mission-critical components of a business may exist in different places. "If you sell ketchup, your recipe is mission-critical. That's easy," said Durbin. "But if you're a smartphone maker, your marketing plan is also a mission-critical item, until the launch, anyway. Mission-critical items can have varying life spans. And they can be things that not everyone may right away identify as mission-critical."

And even then, a corporate information security officer's (CISO) work isn't always done. "If you look across the enterprise, who's most attractive to a hacker?" asked Durbin. "Probably someone in the board room, who's storing information on a tablet. These people have so much information, from the mundane to the hugely confidential." Such a person also may be disinclined to fully honor an enterprise's security protocols, or to believe they present much of a threat—which can be where the ISF's consulting services come in.

Security is no longer just a technology issue in the old sense; gone are the days when any worker had the luxury of existing within a stereotype—the communication-averse IT person, in this case. "Today it's just as much about people skills," said Durbin. "If you can't understand a guy [and his tech jargon], you're not going to talk to him."

The ISF's old framework was self-help oriented. "We'd give you the tools to do a job. Even if you may not have the resources in your organization to do the job effectively," said Durbin. "Now, we're providing a convenient way to make sure your business needs are met." ISF Consultancy Services were soft-launched over the last few months, and the response has been good, said Durbin, adding that particular interest has come from the finance and retail industries.

A hard launch will arrive in October.

Trend Micro Antivirus+ Security (2017)

Some vendors blur the line between a simple antivirus utility and a small security suite.

The plus sign in the name of Trend Micro Antivirus+ Security refers to the fact that it includes spam filtering and a firewall booster component, items more commonly seen in full-scale security suites.
It earns great scores in all of our hands-on tests, though not all of the independent labs give it top ratings.
It's definitely worth your consideration. This product costs $39.95 per year for a single computer, a price that seems to be the standard these days. You pay the same for Bitdefender Antivirus Plus 2016, Webroot SecureAnywhere AntiVirus, and many other competing products. During installation, you must create or log in to your Trend Micro account online.

This account lets you manage your subscriptions and even view security reports remotely.
Immediately after installation, it prompts you to enable the Folder Shield ransomware protection component; more about that shortly.
It also installs browser extensions for Chrome, Firefox, and Internet Explorer. The main window's lively, quirky appearance hasn't changed since the previous edition.

A large, round Scan button dominates the squarish window, and icons across the top represent Device, Privacy, Data, and Family (though clicking Family just gets you an invitation to upgrade to the security suite).

The icons bounce as you mouse over them.
If that's not lively enough for you, you can change the background of the window's top half to any of eight predefined skins, or use a photo of your own, perhaps that selfie you took at the Insane Clown Posse concert.

Ransomware Protection

Malware coders are in it for the money, and distributing ransomware is a great way to rake in cash.
It's an instant payoff, not like using a Trojan to steal credit card numbers and sell them cheaply on the black market. New in the latest Trend Micro antivirus is a strong focus on ransomware protection. Most PC-based ransomware focuses on encrypting your essential documents and making you pay to get the decryption key.

The new Folder Shield component foils such attacks by preventing any unknown application from modifying documents in its protected folder.

By default, it protects the Documents folder and all of its subfolders.
If you habitually keep important documents in other folders, consider moving those folders into the Documents folder.

A similar feature in Panda's suite protects multiple folders, but that feature isn't included in Panda Antivirus Pro 2016. I tried to test this feature with a real-world ransomware sample, but the antivirus wiped it out. When I turned off antivirus protection, I found that doing so also turned off Folder Shield.
I created my own simple-minded file-encryption tool and tried to encrypt files in the Documents folder, but even that was blocked by the antivirus component due to its malware-like behavior.

Finally, I wrote a tiny text editor and tried to use it to modify protected files.

Folder Shield kicked in to warn that an unknown program was attempting to open protected files.
It works! I also found in my testing that ransomware samples got called out specifically, instead of the generic "Threat Detected" warning. Likewise, ransomware-hosting websites were identified as such. Trend Micro has also set up a ransomware hotline that even non-customers can call on for help.

The information page includes links to ransomware-removal utilities. One type defeats ransomware that simply locks the screen so you can't use the computer.

The other type decrypts files encrypted by some (but not all) older file-encrypting ransomware.

Mixed Lab Results

Most of the independent antivirus testing labs that I follow include Trend Micro's technology in their testing, and some of them rate it quite highly.

AV-Test Institute scores antivirus products on protection, performance, and usability, with that last category meaning a low rate of false positives.

A product can earn up to six points in each category, for a maximum total of 18.

Trend Micro took 5.5 for protection, 6.0 for performance, and 6.0 for usability.
Its total score of 17.5 makes it a "top product." Only Kaspersky Anti-Virus did better in the latest test, with a perfect 18 points. I follow five of the many tests performed regularly by the diligent researchers at AV-Comparatives.

A product that passes one of these tests earns Standard certification; those that go above and beyond can earn Advanced or Advanced+ certification.

Trend Micro participates in three of these five tests.
It took an Advanced rating in two malware-detection tests and Standard in a test of performance. (In a more recent private test commissioned by Trend Micro, that performance score improved.) Bitdefender and Kaspersky managed Advanced+ in all five tests. The grueling real-world antivirus testing performed by Simon Edwards Labs requires a lot of time and resources, and necessarily includes fewer products.

Trend Micro is among those few, and it earned an impressive AA certification. Norton, ESET NOD32 Antivirus 9, and a few others took this lab's top rating, AAA. Earlier this year I added MRG-Effitas to the list of labs that I follow.
I particularly look at a test specific to banking Trojans and another that's meant to cover all kinds of malware.

These tests are a bit different, as the majority of products fail the all-kinds test, and fail or receive partial credit for the banking Trojans test.

Trend Micro failed both, but due to the pass-fail nature of the test I don't give this lab's results as much weight in my aggregate rating.

Very Good Malware Blocking

Trend Micro performed significantly better in my hands-on tests than it did with some of the labs. When I opened the folder containing my current sample collection, it quickly eliminated 68 percent of them. Rather than display multiple popups reporting its discoveries, it showed the total number of samples found in a single popup, with a link to view details. Normally I launch the samples that remain after this initial onslaught, selecting three or four at a time for processing and deleting the rest.
I was surprised to discover that Trend Micro caught a number of files as I was deleting them.
I reverted the virtual machine to an earlier state and copied the surviving files to a new folder, at which point the antivirus wiped out another 26 percent, for a total of 94 percent eliminated before ever being launched.

Trend Micro's overall detection rate was 97 percent, and it scored 9.7 of 10 possible points, just as Norton did.

Tested with this same collection, Webroot SecureAnywhere AntiVirus earned a perfect 10 points. While wiping out malware files from your PC is good, keeping them from ever landing on the PC is even better.

To test the product's ability to keep users from accidentally downloading malware, I challenged it with a collection of very recent malware-hosting URLs supplied by MRG-Effitas.

For each URL, I noted whether Trend Micro blocked access to the URL, eliminated the downloaded malware, or did nothing.
I kept at it until I had recorded data for 100 malicious URLs. Trend Micro blocked 89 percent of the malware downloads, the vast majority by replacing the dangerous page in the browser with a big warning.
In a couple of cases, it specifically identified the site as hosting ransomware.

This score is quite a bit better than the current average of 69 percent.

Avira Antivirus 2016 holds the top score in this test, with 99 percent protection, and Norton managed 98 percent. As a false-positives sanity check, I install 20-odd PCMag utilities and note any reaction from the antivirus.

Folder Shield did quite reasonably warn about one utility that creates a database in the Documents folder. Otherwise, Trend Micro kept mum…except in one case.
Its heuristic analysis actively identified one of the utilities as malware, and deleted it. Looking back at the independent lab tests, I noted that Trend Micro lost points for false positives in one test by AV-Comparatives, too.

Excellent Antiphishing

Phishing URLs are actually more insidious than URLs that host malware.

These frauds masquerade as PayPal, eBay, bank sites, even online gaming sites, and try to trick you into entering your login credentials.
If you do, you're hosed.

The fraudsters can clean out your bank account, or steal your level 110 Paladin.

And as soon as they've scammed a few people, they take down the site and pop up another. To test phishing protection, I gather hundreds of reported phishing URLs, ones too new to have been analyzed and blacklisted.
I launch each one simultaneously in five browsers, one protected by the product under evaluation, one by antiphishing leader Symantec Norton AntiVirus Basic, and one each by the built-in protection in Chrome, Firefox, and Internet Explorer. Because the URLs are necessarily different for every test, I report results not as the raw detection rate but as the difference between the product's detection rate and that of Norton and the browsers.

Trend Micro lagged just two percentage points behind Norton and handily beat all three browsers.
It's right up there in the winner's circle.

Web and Social Markup

Many people these days get their news via Facebook or other social media.

Friends post links, Facebook suggests links, and you click, click, click.

But what if the link is bogus? What if your friend's social media account were taken over by a hacker? What if a clueless friend unknowingly shared a malicious site? Trend Micro has you covered.

By default, it automatically highlights links in social media: green for safe, yellow for iffy, red for dangerous, and gray for untested.
If the link isn't green, don't click it! Each link also displays a small icon. Pointing to the icon gets a popup that explains the rating, but there's no link to a detailed report online such as you get from Norton. The browser extension also rates links in popular search engines. You can optionally enable it to rate links on any webpage when you hover the mouse over a link.

Firewall Booster

Trend Micro doesn't include a firewall component as such in its security suite products, but the suites and antivirus all offer a component called Firewall Booster.

This component specifically aims to detect botnets. In the past, I've found no way to see the booster in action.

This time I got a little help from my Trend Micro contacts.

They supplied a file that the booster detects as the Nimda worm, though it's actually innocuous.
I used network tools to send the file to the test system, and, sure enough, I got a Network Threats Blocked popup. I also ran my exploits test, figuring those might also trigger a response from the Firewall Booster (even though my Trend Micro contacts said they would not).
Indeed, I got no reaction from the booster component, but the regular Web-protection system blocked access to over half of the exploits. Norton's Intrusion Prevention System blocked nearly two-thirds of these at the network level, identifying many by name.

Spam Filter

These days, most consumers get their spam filtered by the email provider.
It's gotten to the point where some vendors are considering dropping the antispam component from their security suites.

Bucking that trend, Trend Micro includes antispam in the standalone antivirus product. The spam filter integrates with Windows Mail, Windows Live Mail, and Microsoft Outlook (2003-2016).
Since all of this component's configuration takes place in the toolbar it installs, you simply can't use it with a different email client.
It filters POP3 and Exchange email, but not IMAP. The first time you launch your email client after enabling the spam filter, it offers to import your contacts into its whitelist, so their messages will never be blocked.

By default, it whitelists any address to which you send mail. You can also manually import contacts into the whitelist at a later time. The main page of this component's settings dialog features a big slider for spam filter sensitivity. Most users should leave it set to the default Medium setting.
If you wish, you can enable the Link Filter feature, which discards messages containing dangerous links. On the Blocked Languages tab, you can set the filter to discard messages written in any language you don't speak.

A Definite Plus

While Trend Micro Antivirus+ Security didn't earn top scores with all of the independent labs, it scored very well in all of my hands-on tests.
Its ransomware protection doesn't go as far as Webroot's, which claims the ability to reverse encrypting ransomware after the fact, but it should be effective.
If ransomware has you in a panic, and especially if you also need spam filtered from your email, this is an excellent choice for antivirus software. Even so, I'd suggest you consider our Editors' Choice products in this area.

As noted, Webroot SecureAnywhere Antivirus also handles ransomware, and it's the tiniest antivirus around.
Symantec Norton AntiVirus Basic, back after a two-year hiatus, is a dependable favorite. McAfee AntiVirus Plus costs a little more, but protects all of your devices, not just one.

Bitdefender Antivirus Plus and Kaspersky Anti-Virus both score top marks with the independent labs across the board.


Microsoft Intune to support Android for Work

Microsoft announced late Tuesday that it has joined Google's Android for Work program and will support Google's container technology for mobile application management in a future release of Intune, Microsoft's own enterprise mobility management (EMM) server.

The Microsoft blog post gave no timeline. Android for Work, initially released in winter 2015 as part of an Android 5.0 Lollipop update, brought to Android the same level of enterprise-grade protection for mobile apps that had previously been available only to Apple's iOS devices or Samsung's Android devices running Samsung's own Knox technology.

Among the Android for Work capabilities that Microsoft said Intune would initially support are the following:

Support for work policies, those that apply to the separate container for corporate apps that Android for Work creates on Android devices.

Unified deployment of Android apps both from the Google Play Store and of private corporate apps developed by or for an enterprise.

Support for Android for Work policies, which go beyond what the standard Android application policies provide for consumer apps, in IT-developed apps.

Until recently, Intune seemed designed to force enterprises to ditch their existing EMM tools in favor of Microsoft's, such as by not letting other EMM tools access Microsoft's proprietary information management APIs.
Intune also did not support Macs, which compete with its Windows operating system. However, this summer Microsoft began quietly supporting some Mac management APIs in Intune.

And since last fall it has allowed enterprises to use its Enterprise Management Suite, of which Intune is an optional component, in concert with other vendors' EMM servers. That shift let enterprises keep their existing EMM vendor relationships while being able to use the proprietary Office 365 information management APIs. Microsoft has also worked with the leading EMM providers to have them support Azure Active Directory in their identity management capabilities.

Video surveillance recorders RIDDLED with 0-days

Kit from NUUO, Netgear has face-palm grade stoopid

There are multiple Web interface vulnerabilities in a network video recorder under Netgear's ReadyNAS brand and various devices by video recording company NUUO. The affected NUUO units are NVRmini 2, NVRsolo, and Crystal. The CERT advisory lists six Common Vulnerabilities and Exposures (CVE) notices attached to the affected products, ranging from input validation issues to buffer overruns.

Under CVE-2016-5674, there's a hidden page in the Web management interface that looks like someone wrote it while the product was under development, and forgot to take it out. An attacker can pass arbitrary “log” parameters to PHP's system(): http://<IP>/__debugging_center_utils___.php?log=something%3b<payload> – and it executes as root.

There's a second hidden page, __nvr_status___.php (assigned CVE-2016-5677), with an information exposure risk.
Since it's accessed via the hard-coded credentials nuuoeng:qwe23622260, it's yet another debugging tool that the engineers forgot to remove.
Slap them head-wise.

Under CVE-2016-5675, the handle_daylightsaving.php page does not sanitise the NTPServer parameter, letting attackers run code as root. The cgi system binary in affected units can be called directly by anyone running the Web interface (CVE-2016-5676); CVE-2016-5678 describes yet more hard-coded credentials specific to NUUO devices (not Netgear); while CVE-2016-5679 describes a local operating system command vulnerability (only admins can attack it remotely). If by now the kit hasn't qualified for The Register's “SOHOpeless” tag, there's also a buffer overrun, CVE-2016-5680, yet another arbitrary code execution bug.

The bugs were discovered by Pedro Ribeiro of Agile Information Security, and can be read in full at Full Disclosure. Ribeiro explains that in concert with CERT, the disclosure was made because the vendors have turned turtle. ®
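The two leftover debug pages are the kind of thing a defender can watch for in web-server access logs while waiting for a vendor fix. The scanner below is an added example written for this page, not code from NUUO, Netgear, CERT or Agile Information Security; the endpoint names are the ones given in the article above, the log lines are constructed samples in common log format (not captured traffic), and the severity labels are this example's own convention. It flags any hit on either hidden page and escalates when the log= parameter of the debugging page carries shell metacharacters, the pattern that reaches system().

```python
"""
Flag access-log requests aimed at the hidden NUUO/ReadyNAS debug pages.

Added example for this page. Endpoint names come from the article; the
sample log lines are constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hidden pages named in the advisory summary above.
DEBUG_PAGE = "/__debugging_center_utils___.php"   # CVE-2016-5674: log= reaches system()
STATUS_PAGE = "/__nvr_status___.php"              # CVE-2016-5677: hard-coded credentials
WATCHED_PATHS = {DEBUG_PAGE, STATUS_PAGE}

# Shell metacharacters that have no business in a log-file name.
SHELL_META = re.compile(r"[;|&`$()<>\n]")

# Common log format: client ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation addresses, placeholder payload).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Aug/2016:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Aug/2016:12:00:05 +0000] "GET /__nvr_status___.php HTTP/1.1" 401 0
203.0.113.9 - - [10/Aug/2016:12:01:10 +0000] "GET /__debugging_center_utils___.php?log=something%3bPAYLOAD HTTP/1.1" 200 89
203.0.113.9 - - [10/Aug/2016:12:01:12 +0000] "GET /__debugging_center_utils___.php?log=nvr.log HTTP/1.1" 200 2048
"""


def classify(line):
    """Return (severity, reason) for one access-log line, or None if not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not common log format; a real deployment would count these
    client, _ts, _method, target, status = m.groups()
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    if parts.path == DEBUG_PAGE:
        # parse_qs already percent-decodes once; decode again to catch double encoding.
        params = parse_qs(parts.query, keep_blank_values=True)
        log_values = [unquote(v) for v in params.get("log", [])]
        if any(SHELL_META.search(v) for v in log_values):
            return ("critical",
                    f"{client}: shell metacharacters in log= to {DEBUG_PAGE} (status {status})")
        return ("high", f"{client}: access to hidden debug page {DEBUG_PAGE} (status {status})")
    return ("high", f"{client}: access to hidden status page {STATUS_PAGE} (status {status})")


def scan(lines):
    """Classify every line; keep only the ones worth alerting on, in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {reason}")
```

Any request to these pages deserves a look regardless of status code: a 401 on the status page still shows someone probing for the debug interface, and the article's point is that the pages should not exist on a production build at all.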

Phisherfolk phlock to Rio for the Olympics

Virtually, that is.

Zeus trojan ported to bash Brazil banks

Criminals are ramping up their online presence in Rio de Janeiro, where the Olympic Games will open on Friday, August 5 – with IBM and Fortinet reporting new banking trojans and cyber crime activity in Brazil. Big Blue has reported a variant of the Zeus trojan has emerged on crime forums targeting local banks and exploiting financial habits of users in the country in what is evidence the trojan is not a mere copy-and-paste effort.

The Panda Banker trojan began in Europe and the US hitting banks in the region earlier this year before being ported to smash the home of the looming 2016 Olympics. The Brazilian variant targets 10 unnamed national banks and localised payment services and is being flogged by the original developers under a subscription payment model. Panda can also raid Bitcoin exchange credentials, airline loyalty programmes, prepaid cards and gambling sites, IBM X-Force researchers say. Its customisation continues: the trojan has been written to target a local security firm, a supermarket chain, and even law enforcement. Researchers suggest the possibly Russian-speaking designers are working in concert with Brazil locals to develop the latest variant.

"Panda grabs login credentials on the fly, is capable of injecting malicious code into ongoing web sessions to trick users with social engineering, and its operators are versed in the use of automated transaction panels," researchers say. "Panda’s operators’ favoured fraud methodology is account takeover, in which victim credentials are robbed and then used by the attacker to initiate a transaction from another device."

Most infection comes via Word documents and poisoned macros with pop-up windows used to capture one-time banking passwords. Meanwhile Fortinet is warning of a huge 83 per cent spike in malicious domains and phishing URLs in Brazil across June compared to the global average of 16 per cent.
Researchers with the company write in its latest threat report [PDF] that some 3,800 malicious government (gov.br) sites have spun up that target bureaucrats and Olympics officials. "As the 2016 Rio Olympics unfold, the history of increased attacks will undoubtedly continue and FortiGuard Labs is already seeing indicators of repeat techniques such as domain lookalikes for payment fraud and malicious websites or URLs targeting event and government officials," security strategist Ladi Adefala says. The findings are similar to those affecting previous major sporting events like the soccer World Cup and previous Olympic Games.

In January Trend Micro found as part of its series of analysis on regional cybercrime markets that Brazil's underground was booming. Researchers at the firm said the South American nation had an "influx" of new criminals to its online communities who shirk anonymity when draining user bank accounts with malware and openly boast of their success. ®

Norks hacks 90 Southern officials, journalists

Bad security advice ensures endless joy for the North

South Korea is accusing the North of using online attacks to target 90 diplomats, security officials, and journalists and of breaching 56 accounts run by such folk. The attacks were thought-out and well constructed.

Email account credentials were stolen through targeted spear-phishing linked to 27 domains set up to lure specific targets, rather than a generic wave of phishing containing broadly enticing subject matter. Seoul has not yet confirmed if sensitive state secrets have been compromised, local news agency YonHap reports.

Supreme Prosecutors' Office officials said Monday the attacks occurred between January and June with attacks targeting the ministries of Foreign Affairs, and Defense and Unification. Journalists posted to those agencies were targeted along with those investigating Pyongyang. Seoul officials reckon the attacks reek of the North as threat fingerprints mirror those of a confirmed Pyongyang hack in 2014. They blame the North's General Bureau of Reconnaissance, otherwise known as the nation's state-sponsored offensive hacking unit. South Korea's National Security Service and the Korea Internet and Security Agency worked in concert with prosecutors to kill the phishing sites.

"It is important (for government officials) to refrain from using private email accounts for official work, and they should frequently change their email passwords," one prosecution official said. "When officials carry out important tasks, it is desirable for them to take some security steps such as temporarily shutting down the internet."

That advice is off centre. Regular password resets have long been shown to do little to bolster defence or boot intruders, and can actually soften systems since users are generally inclined to select weaker and more cliched passwords as the need to constantly select new codes wears thin. Shutting off the internet on a machine otherwise open to the public web would be little more than a chance coffee break for attackers.

North Korea attacks include hacks against Seoul defence contractors, social networks, and major online retailers, all of which have exposed sensitive documents and the personal information of tens of millions of residents.
®

Dark Patterns are designed to trick you (and they’re all over...

It happens to the best of us.

After looking closely at a bank statement or cable bill, suddenly a small, unrecognizable charge appears.

Fine print sleuthing soon provides the answer—somehow, you accidentally signed up for a service. Whether it was an unnoticed pre-marked checkbox or an offhanded verbal agreement at the end of a long phone call, now a charge arrives each month because naturally the promotion has ended.
If the possibility of a refund exists, it’ll be found at the end of 45 minutes of holding music or a week’s worth of angry e-mails. Everyone has been there.
So in 2010, London-based UX designer Harry Brignull decided he’d document it.

Brignull’s website, darkpatterns.org, offers plenty of examples of deliberately confusing or deceptive user interfaces.

These dark patterns trick unsuspecting users into a gamut of actions: setting up recurring payments, purchasing items surreptitiously added to a shopping cart, or spamming all contacts through prechecked forms on Facebook games. Dark patterns aren’t limited to the Web, either.

The Columbia House mail-order music club of the '80s and '90s famously charged users exorbitant rates for music they didn’t choose if they forgot to specify what they wanted.
In fact, negative-option billing began as early as 1927, when a book club decided to bill members in advance and ship a book to anyone who didn’t specifically decline.

Another common offline example? Some credit card statements boast a 0 percent balance transfer but don’t make it clear that the percentage will shoot up to a ridiculously high number unless a reader navigates a long agreement in tiny print. “The way that companies implement the deceptive practices has gotten more sophisticated over time,” said UX designer Jeremy Rosenberg, a contributor to the Dark Patterns site. “Today, things are more likely to be presented as a benefit or obscured as a benefit even if they’re not.” When you combine the interactive nature of the Web, increasingly savvy businesses, and the sheer amount of time users spend online, it’s a recipe for dark pattern disaster.

And after gaining an awareness for this kind of deception, you’ll recognize it’s nearly ubiquitous.

The lowest flight prices are listed up top, right? Right??! (DarkPatterns.org)

Shades of grey

With six years of data, Brignull has broken dark patterns down into 14 categories.

There are hidden costs users don’t see until the end.

There’s misdirection, where sites attract user attention to a specific section to distract them from another. Other categories include sites that prevent price comparison or have tricky or misleading opt-in questions. One type, Privacy Zuckering, refers to confusing interfaces tricking users into sharing more information than they want to. (It’s named after Facebook CEO Mark Zuckerberg, of course.) Though perhaps the worst class of dark pattern is forced continuity, the common practice of collecting credit card details for a free trial and then automatically billing users for a paid service without an adequate reminder. But while hackers and even SEO firms are often distinguished as “white hat” or “black hat,” intent isn’t always as clear when it comes to dark patterns. Laura Klein, Principal at Users Know and author of UX for Lean Startups, is quick to point out that sometimes it’s just a really, really poor design choice. “To me, dark patterns are very effective in their goal, which is to trick the user into doing something that they would not otherwise do,” she said.
Shady patterns, on the other hand, simply push the company’s agenda over the user’s desires without being explicitly deceptive. Examples of bad design choices that may be accidental aren’t hard to find.

British Airways lists flights that are the second-lowest price as the lowest, and it’s hard to tell whether this misdirection is intentional.

And examples of deceptive patterns that are, strictly speaking, completely legal are a dime a dozen.

There’s the unclear language hidden in 30-page Terms of Service agreements, which lull users into a sense of complacency as they hit “agree” on every page.
Sometimes users agree to allow apps to post on their Twitter feed or Facebook walls but later forget that this feature is enabled.

The app doesn’t let them know at the moment it’s going to post, of course. “The companies that know what they’re doing operate in sort of a safe zone where they’re not likely to be prosecuted or get into trouble legally,” Brignull explained. Over time, users have been desensitized to these permissions.

There are subscription sites that renew without a reminder a few days in advance or ones that are very easy to sign up for online but then force users to cancel by phone during business hours.

And the vicious cycle of online advertising is even more difficult to pierce.

There are those ads that follow you around the Web, known as behavioral targeting, or those ads based directly on things like your Web history or search terms. Opting out of this is so difficult that UX designer and Dark Patterns contributor James Offer considers that a dark pattern in its own right. Even though the line between outright deception and poor user design is often hard to distinguish, Brignull said “there are some sites where it’s clearly intentional—they’re doing too many things for it to be by accident.” As an example, he points to The Boston Globe, which was recently called out for multiple dark patterns.

Among the offenses, the site didn’t inform subscribers of price increases and buried rates in the site’s FAQ.

This sleight of hand is not as fun nor as harmless as 1980s British magician Paul Daniels. (Gary Stone / Getty Images)

Gripped by numbers

Dark patterns may create short-term benefits for companies, but don’t they erode consumer trust over time? Why do this? UX designers told Ars that Dark Patterns are likely a response to company cultures focused on number-based metrics above all else. “I am a huge fan of metrics, but it is one of the dangers of entirely metric-driven companies,” said Klein. “If you’re too metrics-driven, you’re only going to be focused on what moves a particular metric, and you will use any hack or any trick or any deceptive technique to get there.” Klein believes many of the worst dark patterns are pushed by businesses, not by designers. “It’s often pro-business at the expense of the users, and the designers often see themselves as the defender or advocate of the user,” she explained.

And although Brignull has never been explicitly asked to design dark patterns himself, he said he has been in situations where using them would be an easy solution—like when a client or boss says they really need a large list of people who have opted in to marketing e-mails. “The first and easiest trick to have an opt-in is to have a pre-ticked checkbox, but then you can just get rid of that entirely and hide it in the terms of conditions and say that by registering you’re going to be opted in to our e-mails,” Brignull said. “Then you have a 100-percent sign-up rate and you’ve exceeded your goals.
I kind of understand why people do it.
If you’re only thinking about the numbers and you’re just trying to juice the stats, then it’s not surprising in the slightest.”

“There’s this logical positivist mindset that the only things that have value are those things that can be measured and can empirically be shown to be true, and while that has its merits it also takes us down a pretty dark place,” said digital product designer Cennydd Bowles, who is researching ethical design. “We start to look at ethics as pure utilitarianism, whatever benefits the most people. Yikes, it has problems.”

You can check out anytime you like, but you can never leave

Perhaps the most frustrating thing about dark patterns is how difficult it is to get companies to make changes.

They are often unresponsive to user concerns, and it’s much easier (and more profitable) to placate individuals than it is to change an unethical design for the masses.

But when Offer received a refund after accidentally purchasing cancellation protection with a concert ticket, he didn’t think that was good enough. He considered contacting the UK’s Citizen Advice Bureau, but then thought it would just be so much work to try to do so. Sometimes even when users are aware of strange charges, they don’t think the amount of time it would take to fix the issue is worth it.

After all, companies often have a ready response—there are opt outs available, even if the process is obscure and far from transparent, or perhaps users should read the Terms of Service agreement closer despite 4-point font.

About six months ago, I complained to my cable company that I was being charged for Starz—which I didn’t recall signing up for.

The bill was misleading and made it seem like I was not being charged to boot.

The customer service representative was ready: if I’d downloaded the PDF version of the bill rather than the one that’s viewable on the website, the price breakdown would have been more obvious. It’s true that users with eagle eyes and knowledge of these nuances can sometimes circumvent misleading opt-ins. Klein recently did just that when she got a push notification on her phone from Verizon letting her know that she had a voicemail message. Ultimately, the notification was trying to get her to sign a giant terms and conditions page. “It was apparently asking me if I want to see my visual voicemail—and by the way, we’ll charge you $2.99 a month,” she said. "They had given me a free month that I didn’t ask for, and when I went to check my voicemail it asked me to sign up, but it wasn’t clear.
It was a wall of text I had to read.” Just checking a voicemail and clicking “yes” would sign a user up for the service, but Klein was able to recognize what happened. Others aren’t so lucky.
In fact, some users who don’t check their statements closely may not even be aware of surreptitious charges.

Oh, sure I'll sign up for a one-month free trial from Stamps.com (thanks podcast!). Wait, what's this charge? Why was I auto-enrolled in month two and now unable to close my account online??? (DarkPatterns.org)

Legal solutions

If dark patterns are better designed and more abundant than ever, is there any way to slow the practice down? One possible solution is a legal one. “I’ve recently started to find the idea of better regulation appealing,” said Brignull. “If you put consumer laws in place that’ll prevent a company from doing something, they’ll follow the laws, but as soon as it’s just down to ethics, it’s anybody’s guess how they choose to behave, or to rationalize things in their mind to see something as ethical when maybe it’s not, or the consumer wouldn’t see it that way.” The Federal Trade Commission Act’s prohibition on unfair and deceptive acts or practices does extend to online advertising, marketing, and sales. Regulation is tricky, however, because—again—many dark patterns are technically legal, skirting the rules without breaking them.
Some deceptive patterns used in the US are even illegal in other countries. That said, lawsuits can be effective. Lately, subscription sites have been coming under legal fire. JustFab (the owner of ShoeDazzle and Fabletics) paid a $1.88 million fine to settle allegations of deceptive marketing.

After the legal settlement, JustFab now posts a total of 14 notifications about its subscription service and requires readers to affirm their decision to become members two times, according to Bloomberg. Other sites are following suit.
Stamps.com paid out $2.5 million in a lawsuit similar to JustFab; Blue Apron and Birchbox are facing lawsuits as well.

A site called AdoreMe.com has also been hit with a lawsuit that even prompted design action.

The site opts first-time users into a VIP membership with a recurring monthly subscription, but now the company has made changes to its website to make it easier for users to cancel… which led to a 30-percent increase in refunds and a 15-percent decrease in subscriptions.
Still, the negative option billing—which requires users to opt out of specific sales to avoid a charge—remains.

The practice continues to be legal with some stipulations. Generally, the problem with litigation is that it often is so specific that it only dissuades one type of problem while leaving others in play. Last October, LinkedIn paid $13 million to settle a lawsuit after its “add connections” feature led users to send multiple spammy e-mails to their business contacts.

Although users had agreed to let LinkedIn scrape their e-mail address book, they had only agreed to send one message asking someone to connect on the site.

A judge said that the second and third e-mails “could injure users’ reputations by allowing contacts to think that the users are the types of people who spam their contacts.” However, that settlement did nothing to end a separate LinkedIn dark pattern.

The site recently touted two-step verification in response to its own password sloppiness as login credentials for as many as 117 million accounts popped up on the Dark Web.

These days LinkedIn continually solicits users who have not shared their phone number to do so in the name of added security and the ability to reset passwords if locked out of an account. What the site doesn’t tell users is that doing so will make the phone number discoverable to others by default. Only after a user starts the process does any notification appear: “Your phone number helps us keep your account secure.
It also helps people who already have your number discover and connect with you.” It’s not initially clear whether there’s an option to turn off this discoverability—but there is an option.

Buried under Privacy and Settings, users can use 2FA while also disabling discoverability.
So just because a specific company stops spamming users doesn’t mean it won’t sneakily use phone numbers given for security reasons to push a feature many won’t realize they’re signing up for. “It’s a bit like the Wild West, isn’t it?” said Brignull. “Technologies move much faster than people who try to do consumer protection for society.”

Other fixes

If legal means prove ineffective, advocates are now pushing for a technical solution.

This is playing out right now in the battle between tracking blockers, such as Privacy Badger, and sites that seek to track users—even ones who have specifically requested not to be tracked through the universal Web tracking opt out Do Not Track. In the face of public pressure, Facebook cracked down on unwanted game invites from games like Candy Crush, which have pre-selected checkboxes for players to invite all of their friends. “It’s very easy if you’re not paying attention to accidentally spam all of your friends on Facebook, and it makes it easier to do the thing you wouldn’t want to do than the thing you would want to do,” said Klein.

But since Facebook enabled changes, users can now block specific games from sending them invitations and requests (and see the game if other people have it installed).

They can ignore app invites from specific people as well. The key to reining in Candy Crush was not the backend of Facebook, however; it was consumer pressure.

Take, for instance, Ryanair.
In many ways, the company was the poster child for dark patterns.

The budget European airline’s website previously required users to opt out of purchasing priority boarding, airport transfers, sightseeing tours, cabin bags, phone cards, and more.

Even when the controversial corporation was forced to stop opting people in for travel insurance, it still hid a “do not insure” option within its menu. Today, insurance is offered as a separate opt-in, and a marketing team is slowly revamping the company’s website. What changed? Net profit plummeted. “Their well-known dark patterns started to work against them eventually. Now they’ve stopped using them,” Brignull said. Still, there’s no clear solution to the dark pattern problem in the near future.

A public looking for more speed and ease will simply continue to butt heads with companies wanting more and getting better at finding digital sleight of hand.

But sites like Brignull’s and advocate designers like Klein are at least raising awareness. Now we know, and knowing is half the battle.

The other half is just finding the checkboxes in those dense Terms of Service. Yael Grauer (@yaelwrites) is an independent tech journalist based in Phoenix.
She's written for WIRED, Slate, Forbes, and others. Her PGP key and other secure channels are available here: https://yaelwrites.com/contact/.
She previously wrote about VPNs for Ars.

Petition urges Apple not to release technology for jamming phone cameras

Over 11,000 people have signed a petition asking Apple not to deploy technology that would allow third parties like the police to use it to disable cameras on user phones under certain circumstances. Apple got a patent for this infrared technology in J...