
Tag: Website

Symantec partners with hosting providers to offer free TLS certificates to...

Symantec wants to see the encrypted Web grow and will offer free basic SSL/TLS certificates to domain owners through Web hosting companies that join its new Encryption Everywhere program. The company has already signed partnerships with more than ten hosting providers, including InterNetX, CertCenter, Hostpoint and Zoned in Europe, and is close to finalizing deals with ten others.

The customers of those companies will receive a basic website encryption package that includes a standard TLS certificate valid for one year. Depending on their needs, customers will also be able to opt for paid premium packages that include extended validation (EV) certificates or wildcard certificates that are valid for multiple websites hosted on different subdomains.

According to Symantec, which now operates one of the world's largest certificate authorities (CAs) after acquiring Verisign's certificate business in 2010, only around 3 percent of all Internet websites are currently using SSL/TLS encryption. From a business perspective, Symantec is, for the first time, adopting the freemium pricing model, where a product with basic functionality is offered for free on the premise that a percentage of users will later decide to pay for more advanced features.

"The need for privacy for legitimate individuals and companies is growing and it's that need that we are responding to," said Roxane Divol, general manager for the Website Security division at Symantec. "This in turn generates a need for good governance and a swift mechanism for when certificates need to be revoked, and that is also something that we pay a lot of attention to."

In recent years, security and privacy experts have called for widespread encryption of Internet communications following the revelations of bulk Internet surveillance by intelligence agencies like the U.S. National Security Agency or the U.K.'s Government Communications Headquarters. Cryptography and security expert Bruce Schneier, who had access to the cache of secret documents leaked by former NSA contractor Edward Snowden, believes that ubiquitous encryption would make eavesdropping expensive and could force intelligence agencies to abandon the wholesale collection of data in favor of targeted collection.
Symantec is not the first CA to offer free certificates in an attempt to encourage website owners to encrypt their users' traffic. Let's Encrypt, a certificate authority run by the ISRG (Internet Security Research Group) and backed by Mozilla, Cisco, Akamai, Facebook and others, has already issued over a million free certificates in three months since it launched. According to Divol, Symantec has been working on its Encryption Everywhere program for a long time, but focused on the seamless integration with the management platforms used by hosting providers. Unlike Let's Encrypt, which requires users to have some know-how about certificate deployment and management, Encryption Everywhere's integration with hosting panels makes it easy for people without such technical knowledge to obtain and use certificates.

Therefore, the two projects address slightly different audiences. The problem with making it easy for website owners to deploy encryption is that it also lowers the entry bar for cybercriminals.

Buying TLS certificates to encrypt malicious traffic didn't make much business sense for criminals, because they typically switch domain names at a fast pace to evade detection by security companies.

But now that certificates can be acquired for free and in an automated manner, security solutions will likely have to deal with an increase in malicious encrypted traffic. However this will play out in the long term, the general thinking is that improving everyone's security and privacy by widespread use of encryption on the Web outweighs any potential risk of attacks becoming harder to detect.

Encryption project issues 1 million free digital certificates in three months

Let's Encrypt, an organization set up to encourage broader use of encryption on the Web, has distributed 1 million free digital certificates in just three months. The digital certificates cover 2.5 million domains, most of which had never implemented SSL/TLS (Secure Sockets Layer/Transport Layer Security), which encrypts content exchanged between a system and a user.

An encrypted connection is signified in most browsers by "https" and a padlock appearing in the URL bar. "Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress," according to a blog post by the Electronic Frontier Foundation, one of Let's Encrypt's supporters.

The organization is run by the ISRG (Internet Security Research Group) and is backed by Mozilla, Cisco, Akamai, Facebook and others.

There's been a push in recent years to encourage websites to implement SSL/TLS, driven in part by a rise in cybercrime, data breaches and government surveillance. Google, Yahoo, and Facebook have all taken steps to secure their services. SSL/TLS certificates are sold by major players such as Verisign and Comodo, with certain types of certificates costing hundreds of dollars and needing periodic renewal.

Critics contend the cost puts off some website operators, which is in part why Let's Encrypt launched a free project. "It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we've known that HTTPS needs to be the default," the EFF wrote.

ThreatTrack Vipre Antivirus 2016

By Neil J. Rubenking

Vipre has been a name to conjure with in the antivirus business for quite some time.

The product has changed over the years, bouncing from company to company and, at one point, incorporating spyware protection from the well-regarded CounterSpy. Perhaps all that moving around wasn't the best for its health.

The current incarnation, ThreatTrack Vipre Antivirus 2016, isn't your best choice for comprehensive protection.
It did improve its antiphishing and malicious URL blocking scores significantly over the tests we ran on last year's edition, but it fared poorly in tests by independent antivirus labs. You have plenty of purchase options with Vipre. You can pick one, three, five, or 10 licenses and subscribe for one, two, three, or four years.

There's a discount for more licenses and longer subscriptions, of course. Protecting a single PC for one year costs $39.99, while a 10-license four-year subscription goes for $269.99, quite a bit less than what you'd pay for 40 single licenses (almost $1,600!). Installation is simple, if not precisely quick. You fire up the installer, copy and paste your license key, and click a button labeled Agree & Continue.

That's it.

The installer checks for program updates, performs the installation, downloads the latest virus definitions, and runs a scan for active malware. You don't have to do a thing, except perhaps get some coffee or a snack.
I found the full installation process took about 10 minutes. Vipre's main window retains the look introduced with the previous edition.

Buttons let you launch or schedule a scan.

A status panel reports on the latest scans and updates.

A couple of links let you manage your account or the program's settings.
It's very slick and simple.

So-So Malware Blocking

A full system scan with Vipre took 46 minutes, just a little longer than the current average.

Clearly the program performs some kind of optimization during that first scan, as a repeat scan completed in just five minutes.

AVG AntiVirus Free (2016) took 27 minutes for an initial scan on this system and two minutes for a repeat scan.

F-Secure Anti-Virus 2016 cut the time even more, with a 15-minute first scan and just over one minute to repeat the scan. Of course, speed means little unless it's coupled with accuracy. My hands-on malware blocking test starts when I open a folder that contains a few dozen known malware samples.
Vipre immediately leapt into the fray, eliminating 79 percent of the samples on sight. When I launched the surviving samples, it detected a few, but didn't completely prevent installation of executable files.
It managed 86 percent detection and an overall score of 8.1 points in this test. Two products share the top overall score.

Avast Pro Antivirus 2016 detected 100 percent of these same samples, and Bitdefender Antivirus Plus 2016 detected 93 percent.

Because Avast didn't completely prevent installation of malware traces, it earned 9.3 points, the same as Bitdefender.
Vipre's score puts it well below the median for this test. Of necessity, my samples in that hands-on test get used for many months. However, in my malicious URL blocking test the samples (provided by MRG-Effitas) are as new as I can manage, typically no more than a day or two old.

The test is simple enough.
I take the sample URLs and launch each in a browser protected by the product under testing.
I note whether it steers the browser away from the dangerous URL, eliminates the executable payload during download, or sits idly, doing nothing to prevent the download.
I continue until I have data for 100 malware-hosting URLs. When I tested Vipre's previous edition, it blocked just 38 percent, all of them during the download process.

This time around, Vipre's Search Guard and new Edge Protection components stepped up to raise the protection level impressively.

Between the two components, Vipre blocked access to 84 percent of the malware-hosting URLs.

Edge Protection did most of the work, though Search Guard (the one place you can still see Vipre's old snake icon) lent a hand. Vipre's 84 percent protection rate is pretty darn good; only five products have done better.

At the top of the heap are McAfee AntiVirus Plus (2016) and Symantec Norton Security Premium, each of which managed 91 percent protection.

Improved Phishing Detection

Malware-hosting websites are definitely dangerous, but you can also get into serious trouble by voluntarily entering your login credentials on a fraudulent website.
Imagine if a phishing site snagged your Amazon password, or the credentials for your online banking! Last year Vipre tanked this test.

This year's results are much, much better. To start my antiphishing test, I visit a number of sites that track these frauds.
Specifically, I scrape URLs that have been reported as fraudulent but not yet classified and blacklisted.
I open each URL simultaneously in a browser protected by the product under test and by antiphishing veteran Norton.
I also try each URL against the native protection of Chrome, Firefox, and Internet Explorer.

There's a lot of variation in the types of phishing URLs, and in their cleverness, so I report the difference between the detection rate of the various products, rather than hard numbers. Vipre's detection rate was just 6 percentage points behind Norton's, the same score managed by BullGuard Antivirus (2016).
Vipre also handily beat all three browsers. Roughly two-thirds of current products failed to beat at least one of the browsers, and half of those performed worse than all three browsers.

Sad Lab Results

Vipre's scores in my own tests ranged from so-so malware blocking to excellent phishing protection.
It didn't fare as well with the independent testing labs.
ICSA Labs does certify Vipre for malware detection and cleaning, and West Coast Labs certifies it for detection.
It managed VB100 certification in eight of the last 10 tests by Virus Bulletin.

But the scores go downhill from there. In the latest three-part test by AV-Test Institute, Vipre earned 3 points for protection, 3 for performance, and 6 points for usability.

This last figure means that Vipre avoided screwing up by identifying valid apps and URLs as malicious.

But with 6 points possible in the important protection category, a score of 3 points is pretty bad.

Avira Antivirus 2015, Bitdefender, and Kaspersky Anti-Virus (2016) all managed a perfect 18 points in this same test. Vipre's one success with AV-Test involved avoiding false positives, but in tests by AV-Comparatives false positives proved problematic.

This lab tags products with Standard certification as long as they meet all essential capabilities.

Better products can earn Advanced or Advanced+ certification, while those that don't make the grade just rank as Tested.

And whatever the basic rating, enough false positives can drag it down. I follow five tests out of the many performed by this lab.
In the latest instances of those tests, Vipre earned Advanced once and Standard twice, but failed the other two tests, both times due to false positives.

That looks especially bad compared with Bitdefender and Kaspersky, which took Advanced+ ratings in all five.

Bonus Features

The Email and Privacy settings pages demonstrate that Vipre offers a number of features above and beyond the basics of antivirus.
It checks your incoming and outgoing email for malware, quarantining any problems it finds.

And it quarantines phishing messages—but not spam; antispam is reserved for the Vipre suite.

The email protection works with desktop clients only, not Web-based email, and if your email client uses non-default ports you'll need some technical skills to make it work.

Vipre's Social Watch component scans your Facebook page for malicious links. Naturally you have to log in to Facebook in order for it to work. You can stay logged in and set it to scan every so often, or log out for privacy.

When you enable the secure file eraser feature, it adds an item to the right-click menu for files and folders.

After you confirm that you want a particular file or folder gone forever, it overwrites the file's data before deletion, to prevent forensic recovery of sensitive data.
I'm just as happy that it doesn't let you configure this feature, since most users aren't remotely qualified to select between the available algorithms. As you browse the Web and use your computer, you leave behind a trail of clues that a nosy person could use to reconstruct your activities.
If that bothers you, the history cleaner component can help.
It will wipe out browsing traces for many popular browsers, recent file lists for popular applications, and a number of Windows-based traces.

There's a checkbox to show only programs that you actually have installed, but in my testing it did not seem to work.
I definitely don't have Safari, Opera, or ICQ in the test system, yet they remained visible even when I checked the box.

Some Ups, Some Downs

ThreatTrack Vipre Antivirus 2016 performed significantly better than the 2015 edition in some areas.
It scored quite a bit better in my antiphishing and malicious URL blocking tests, probably thanks to the new Edge Protection.
Its score in my hands-on malware-blocking test was so-so, much the same as last year, but if I see top scores from the labs, I give them more weight than my own test. Unfortunately, Vipre's labs scores aren't good at all. Antivirus is a big field, and I've identified a number of Editors' Choice products.

Bitdefender Antivirus Plus and Kaspersky Anti-Virus routinely take top honors from all of the independent labs. McAfee AntiVirus Plus does well in lab tests and my own tests, and one subscription protects all of your Windows, Mac OS, and mobile devices.

And Webroot SecureAnywhere Antivirus remains the tiniest antivirus around, with an especial focus on ransomware.

Any one of these will be a better choice for your system's antivirus protection.

US taxmen pull plug on anti-identity-theft system used by identity thieves

That's not how this works, that's not how any of this works

The US Internal Revenue Service (IRS) has suspended its Identity Protection PIN tool, designed to safeguard people at risk from identity theft, because scammers are using it for identity theft. American taxpayers can request a six-digit PIN code from the IRS that is supposed to lock down their account with the taxmen: no valid code, no login.

For example, when the IRS admitted last month that 700,000 people's old tax returns – which are full of sensitive personal information – had been sent to scammers, it enrolled those affected in the PIN system. In total this year, the IRS has issued 2.7 million PIN codes.

But the scammers got wise, and used 800 of them to file fraudulent tax returns to redirect people's refunds to the criminals' bank accounts. Now the IRS has stopped the system. "As part of its ongoing security review, the Internal Revenue Service temporarily suspended the Identity Protection PIN tool on IRS.gov," the agency said in a statement. "The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool." The problem appears to stem from getting a PIN code from the IRS website.

Applicants have to answer four questions about themselves to get a number, but if the scammer already has some of their personal data, and does some digging online, then they can guess the answers, get the code, and file a fraudulent return.

The IRS is in something of a bind with this one. On the one hand, its security systems need work, but on the other it is the logical target for scammers because, to quote bank robber Willie Sutton, "that's where the money is." ®

What are you doing to spot a breach?

It’s probably already happened, but you just haven't seen it...

Technology moves quickly, not just in legitimate business, but in the cybercriminal world too.

Advanced attack tools are now available on the black market, lowering the barrier to entry for the average online lowlife.

They are happy to target large and small organizations alike, and they only have to be lucky once. Security pros have been forced to prepare for a world of constant, sustained attack by understanding the threats and choosing the right measures to prepare for them.

Companies are realising the extent of the threat and gearing up for it, say experts. “We have seen information security budgets increasing in the last 12 months to address the challenges that cyber crime is bringing to the organisation,” said Steve Durbin, managing director of the Information Security Forum. So what kinds of threats are they dealing with, and how can they prepare?

What are the threats and where are they coming from?

The cyberthreats facing modern companies fall into various categories, and they’re loosely linked to the type of cybercriminal that you’re dealing with and the kind of information that they’re after. Hacktivism has traditionally been characterised by attacks with a relatively low barrier to entry such as DDoS and web site defacements, for example. While hackers’ motives are frequently political or ideological, financial cybercriminals are interested purely in money, and are adept in their pursuit of it.
Some will attempt to transfer money out of an organization, while others will focus on saleable information. Malware typically underpins a financial cybercrime attack. One notable recent example is Carbanak, an extensive attack on financial institutions that netted $1bn in stolen assets.
It was a devilish attack, starting with a backdoor sent as an attachment that then moved through the network until it found an administrative machine. Then, the malware intercepted clerks’ computers, recording their sessions, and subsequently used that information to transfer money fraudulently using online banking sessions and to dispense money from ATMs. Carbanak was a sophisticated attack that sought to directly manipulate systems, but cybercriminals typically look to steal specific types of information such as personally identifiable information (PII) when they attack. Malware delivery via phishing and drive-by downloads is still a highly effective tool to steal this data.

Exploit kits designed to target enterprise clients with malicious payloads are on the rise.
In its 2015 Threat Report, Forcepoint found three times more exploit kits in circulation than it had in 2013. This information can be about your customers or your employees.

The latter can be just as damaging, because you’re likely to have financial and other data about the people who work for you. One of the most egregious attacks on employee data recently must be the Office of Personnel Management hack that compromised 5.6 million fingerprint records and the records of more than 21 million current and former government employees, harvesting social security numbers and addresses. PII isn’t the only threat category, though.
Intellectual property is another rich seam for online criminals to mine. Often the subject of targeted attacks, this information can take many forms, from email archives through to launch plans for new products, or details of new products currently under development. “We see a lot of intellectual property theft out there, coming from assumed nation states based on the IPs that they’re coming from, and from industry, too,” said Eric Stevens, director of strategic security consulting services at Forcepoint. “It’s a lot cheaper to steal development time than it is to do that development yourself,” he pointed out. While these different groups will typically seek different types of information, there is also an increasing amount of overlap. Hacktivists have begun targeting both customer data and intellectual property where it suits their needs.

Anonymous was behind the theft of ticketholder data for the 2012 F1 Grand Prix in Montreal, which was posted online. Hacktivist faction Lulzsec mined intellectual property from private security firm Stratfor in 2011.

How do you live with attackers getting in, and continue to fight them?

Over the years, the focus on keeping attackers out at all costs has shifted towards managing them when they break into an organization.
Security professionals seem to be tacitly admitting that network intrusion is a question of ‘when’, rather than ‘if’. “15 years ago, the focus was keeping them out. Today, organizations are starting to realize they have to deal with a certain degree of compromise,” explained Stephen Northcutt, director of academic advising for the SANS Technology Institute. This is something that at least one of the three-letter agencies has understood for years.
In 2010, Deborah Plunkett, then-head of the Information Assurance Directorate at the NSA, said that the agency assumed that there were already intruders inside its network.

Considering itself already compromised forced it to protect critical data inside the network, rather than relying on a single ring of iron. The Open Group’s Jericho Forum focused on containing rather than preventing threats with its de-perimeterization principle, first espoused in the mid-2000s, which stated that the traditional trusted network boundary had eroded. One of the group’s commandments to survive in a de-perimeterized future was the assumption that your network was untrusted. Clearly, the NSA didn’t protect its resources especially well, though.

Ed Snowden, working for third party contractor Booz-Allen Hamilton, happily vacuumed up gigabytes of sensitive data for a sustained trickle-feed campaign to the media. No matter what side of the Snowden debate you’re on, for CISOs his case highlights the need for controls to stop the theft of information through authorized accounts. “Over the next few years, you will see a lot of growth in privilege and identity management,” said Northcutt. “At the network level you are going to see more segmentation and isolation.” To fully protect themselves with these techniques, though, organizations need a deep understanding of the data that they have and how it is used in their business, said Stevens.

There are many roles and sets of responsibilities in an organisation.
Some of them may even transcend internal employees altogether. “You have to understand what your business processes are surrounding that data,” he said.
It’s necessary to understand what a normal process looks like.

A hospital may send data to a third party company that produces its invoices for it. How can you distinguish between a legitimate business process like that, and an illegitimate one that is sending sensitive data to bad people?

How do you distinguish between normal behaviour and threats?

Distinguishing between these different modes of behaviour is an important skillset for IT departments trying to spot attackers inside their network, but it’s doable with the right tools, say experts.
It’s all a question of mathematics, said Northcutt. “Twenty years ago the US Navy spent about a million dollars for a bunch of PhD statisticians to determine that like groups of people using like systems have a very similar network traffic footprint,” he said, adding that we have been using statistical techniques to baseline normal behaviour for years now. One form of attack involves malware that enters a network and then moves laterally, trying to find any data it can, and then exfiltrating it.
Software designed to baseline regular employee behaviour and then spot anything that deviates from the norm may be able to spot the unusual patterns that this malware may generate. Is a user account sending large amounts of data from an account that normally doesn’t? Is it encrypting that data, when it is normally sent over the internal company network in plain text? Why is it sending it at 2am when all employees are normally long gone? All of these things can raise flags in a suitably-equipped system.

Where do you start when choosing tools?

Training people to be security aware is an important part of stopping breaches, but CISOs will never eradicate those problems entirely.
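Northcutt's three questions about lateral-movement malware (unusual volume, unusual encryption, unusual hour) map directly onto a per-user baseline check. The script below is an added example, not code from the article or from any product it mentions: it builds per-user baselines from constructed history log lines and scores later events against them. The log format, the field names, the user and destination names, and the thresholds (three standard deviations on volume, a 5 percent encrypted-share floor, a 10 percent spread floor) are all assumptions chosen for illustration.

```python
"""Toy behavioural baselining over constructed outbound-transfer log lines.

Added example; the log format, names and thresholds are assumptions, not any
vendor's or the article's own.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed history of "normal" activity (not real data).
# Fields: ISO timestamp, user, destination, bytes sent, encrypted (y/n)
BASELINE_LOG = """\
2016-03-01T09:05:00 alice fileserver.corp 120000 n
2016-03-01T10:40:00 alice fileserver.corp 150000 n
2016-03-01T11:20:00 alice fileserver.corp 90000 n
2016-03-02T13:10:00 alice fileserver.corp 180000 n
2016-03-02T14:30:00 alice fileserver.corp 130000 n
2016-03-03T15:00:00 alice fileserver.corp 110000 n
2016-03-03T16:45:00 alice fileserver.corp 160000 n
2016-03-04T17:15:00 alice fileserver.corp 140000 n
2016-03-01T09:30:00 bob billing-vendor.example 50000 y
2016-03-02T10:00:00 bob billing-vendor.example 60000 n
2016-03-03T11:30:00 bob billing-vendor.example 55000 y
2016-03-04T12:00:00 bob billing-vendor.example 65000 n
"""

# Constructed "live" events to score against those baselines.
LIVE_LOG = """\
2016-03-07T10:30:00 alice fileserver.corp 150000 n
2016-03-08T02:00:00 alice 203.0.113.7 4000000 y
2016-03-07T11:00:00 bob billing-vendor.example 70000 y
2016-03-07T23:10:00 mallory 203.0.113.7 900000 y
"""


@dataclass
class Event:
    ts: datetime
    user: str
    dest: str
    nbytes: int
    encrypted: bool


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated constructed log format above."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, dest, nbytes, enc = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, dest, int(nbytes), enc == "y"))
    return events


@dataclass
class Baseline:
    mean_bytes: float
    std_bytes: float
    hours: set[int]          # hours of the day in which the user was ever active
    encrypted_share: float   # fraction of the user's transfers that were encrypted


def build_baselines(events: list[Event]) -> dict[str, Baseline]:
    """Summarise each user's normal transfer size, working hours and use of encryption."""
    per_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    baselines = {}
    for user, evs in per_user.items():
        sizes = [e.nbytes for e in evs]
        baselines[user] = Baseline(
            mean_bytes=mean(sizes),
            std_bytes=pstdev(sizes),
            hours={e.ts.hour for e in evs},
            encrypted_share=sum(e.encrypted for e in evs) / len(evs),
        )
    return baselines


def score_event(e: Event, baselines: dict[str, Baseline], k: float = 3.0) -> set[str]:
    """Return the reasons this event deviates from its user's baseline (empty set = normal)."""
    b = baselines.get(e.user)
    if b is None:
        return {"no_baseline"}  # never-seen account: it cannot be judged normal
    flags = set()
    # Volume: more than k standard deviations above the mean. The 10% floor keeps a
    # perfectly regular history (std = 0) from flagging every tiny fluctuation.
    spread = max(b.std_bytes, 0.1 * b.mean_bytes)
    if e.nbytes > b.mean_bytes + k * spread:
        flags.add("volume")
    if e.ts.hour not in b.hours:
        flags.add("off_hours")
    if e.encrypted and b.encrypted_share < 0.05:
        flags.add("unusual_encryption")
    return flags


def detect(baseline_text: str, live_text: str) -> list[tuple[str, str, set[str]]]:
    """Build baselines from history, then list (user, timestamp, flags) for anomalous live events."""
    baselines = build_baselines(parse_log(baseline_text))
    hits = []
    for e in parse_log(live_text):
        flags = score_event(e, baselines)
        if flags:
            hits.append((e.user, e.ts.isoformat(), flags))
    return hits


if __name__ == "__main__":
    for user, ts, flags in detect(BASELINE_LOG, LIVE_LOG):
        print(f"{ts} {user}: {', '.join(sorted(flags))}")
```

Accounts with no history are flagged rather than silently treated as benign, since an absent baseline is itself a signal; in practice the history window and thresholds would be tuned per role, which is exactly the understanding of business processes Stevens calls for.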

A technology layer provides a vital layer of protection.

Don’t be distracted by emotions or industry buzzwords when choosing these tools, said Stevens. He recommends first identifying what data you want to protect (adding that this is more difficult than you’d imagine for many companies).

Talk to compliance managers and line of business owners to identify this information, and then work out what category of tool would best block the egress of that data. Companies can hone their priorities by focusing on a security framework like NIST’s, using it to establish areas where they need to improve. “Then it’s about ensuring that those purchases are improving your security posture as well as catering to compliance requirements that you may have,” he said. At the very least, though, he recommends a web and email security gateway, along with a data leak prevention (DLP) tool to monitor and prevent things from leaving.

“Essentials are always going to be network monitoring tools,” said the ISF’s Durbin, adding that companies can build out their tool sets as they become more sophisticated. “The more advanced will focus on big data and trying to anticipate breaches and identify weaknesses in the security perimeter.”

Best of breed vs holistic approach

Should companies buy a single security platform offering a holistic approach, or focus on point solutions instead? “I would always vote on holistic, mainly because we aren’t seeing point channel solutions that are very effective,” said Stevens.

The main problem with best of breed solutions is visibility, he argued.
If you’re purchasing point solutions from multiple vendors, then integrating them to create a coherent view of your organizations’ security incidents can be challenging. Your view of security needs to be watertight, not least because incidents in one domain that seem incongruous might suddenly gain more significance if you’re able to correlate them with other incidents happening elsewhere. A single pane of glass can help to ensure a consistent view of everything that’s happening across the various aspects of your infrastructure, from email scanning through to web gateways. The good news is that while many of the threats facing companies are sophisticated, many of them rely on the least amount of effort to infiltrate a company.

Attackers will go for unpatched, out of date software versions and misconfigured machines if they can, to avoid giving away their zero-day secrets. Using tools to keep a watchful eye on your network, endpoints and data is one part of the solution.

Good threat intelligence is another. Just as important, though, are proper conversations with business counterparts to understand what data you should be trying to protect in the first place. ®

You’re invited to Security SOS Week

Free webinar series from the folks at Sophos

Registration is open for Security SOS Week, a short series of live webinars each featuring Sophos expert IT security practitioners.

The events range from protecting your business against social engineering to embracing the Internet of Things without letting crooks into your network. You can find out more and sign-up at Security SOS Week, but in the meantime here is a handy synopsis for you.

The 30-minute webinars kick off each day from 14 March 2016 to 18 March 2016 at 2pm to 2.30pm UK time (14:00-14:30 UTC). Naked Security writer Paul Ducklin hosts each event and his brief is to interview Sophos experts to help you cut through the jargon and understand the big issues in computer security today. Each webinar consists of 20 minutes of live interview, followed by 10 minutes of Q&A. Paul promises: “No sales pitches, no product demos, no PowerPoint slide decks - just informed answers to tricky problems.”

Check out the running order below:

Social Engineering – when charming crooks talk to helpful users (Monday 14 March 14:00 GMT)
Sophos Global Security IT Manager Ross McKerchar takes you into the murky world of targeted attacks and shows how to build defences that will prevent one well-meaning employee from giving away the keys to the castle.

Can you strengthen security by weakening it? (Tuesday 15 March 14:00 GMT)
Some regulators want stronger security for the data you hold while others want to deliberately exploit "backdoors" in case they need to access your data in an investigation. What to do? John Shaw, Sophos Vice President, Product Management, discusses.

Malvertising: When trusted websites go rogue (Wednesday 16 March 14:00 GMT)
Crooks don't need to hack into a mainstream website to infect it with malware. They can get away with hacking just one ad served up by one ad network. This is "Malvertising", and John Shier, Sophos IT Security Specialist, explains how it works, why crooks love it, and what we can do to stamp it out.

Inside a hacker's toolkit (Thursday 17 March 14:00 GMT)
Join SophosLabs Principal Researcher Fraser Howard for an insight into what cybercrime tools the hackers have up their sleeves, how they work together, and what we can do to get the better of them.

What's next for the Internet of Things? (Friday 18 March 14:00 GMT)
Chet Wisniewski, Sophos Senior Security Advisor, tells you how you can dip your toes in the IoT water without plunging straight into trouble - as well as explaining how you can help us make the next generation of "things" secure by design.

First Mac Ransomware Poses Little Risk for Users

Quick detection by Palo Alto Networks, Apple and the affected open-source project means most users likely disabled the software before it started to run.

A ransomware group targeted Mac users with the first fully functional malware program capable of encrypting data and demanding a ransom of 1 Bitcoin, about $412, for providing the key to unlock the data, Palo Alto Networks said on March 7. Users of the open-source Transmission Bittorrent client, who downloaded the latest version of that software on March 4, may have infected their system with the malware, dubbed KeRanger by Palo Alto.

Because the security firm identified the threat within six hours of its posting and warned Apple and the developers that the open-source software had been infected, the ransomware's impact will likely be blunted, Ryan Olson, director of threat intelligence for Unit 42, the research group at Palo Alto Networks, told eWEEK. "We will see now whether people report whether they had files encrypted, but we think the impact will be small because we were able to work quickly to find this and work with our peers in the industry to remove the threat before it had an impact," Olson said. KeRanger is designed to encrypt more than 300 different file types on Macs and to replace the files with encrypted versions.

After installation, however, KeRanger waits three days before starting its encryption cycle, a technique that can foil some defenders' attempts to detect potentially malicious files.
In this case, Palo Alto hoped the delay allowed users to uninstall the malicious program before it started its encryption routine, Olson said. While ransomware is a very successful attack on Windows systems, making criminals millions of dollars in payments, the Mac had not seen a significant ransomware attack. However, the advent of KeRanger shows that criminals are targeting the operating system. The ransomware attack took a lot of effort, Olson said. Not only did the criminals write the malware, but they also had to steal a legitimate software certificate to bypass Apple's Gatekeeper software for blocking non-legitimate apps. In addition, the criminals behind the malware had to somehow gain access to the site from which the Transmission Bittorrent client could be downloaded. On March 4, the criminals replaced the Transmission client with a copy infected with the KeRanger malware.

Any users who downloaded version 2.90 of the program are at risk of being infected by the malware, Palo Alto Networks warned on March 6. The Transmission project posted a warning on its Website for its users. "Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file," the company stated. "This new version will make sure that the 'OSX.KeRanger.A' ransomware … is correctly removed from your computer." KeRanger is not the first attempt to use ransomware against Mac OS X users.
In June 2014, antivirus firm Kaspersky Lab found an unfinished program on malware-classification site VirusTotal.

The ransomware, dubbed FileCoder, appeared to have been an early test version of a program that had not been completed. "At this point, it became totally clear that (FileCoder) is a relatively harmless program, which could be turned into a fully functioning Trojan encrypter demanding money from its victims, but for some reason this had not been done," Kaspersky Lab stated at the time.

In blow to inmates’ families, court halts new prison phone rate...

Prison phone companies today were granted a judicial stay that halts implementation of new, lower rate caps on inmate calls.

The court did not halt new limits on certain ancillary fees related to inmate calls, though, so the overall price of prison calling should go down. Global Tel*Link (GTL) and Securus Technologies had asked the US Court of Appeals in the District of Columbia to stay new price regulations until a lawsuit against the Federal Communications Commission is decided, arguing that they have a high likelihood of prevailing in the case.

The companies argue that the FCC overstepped its authority and that the new limits fall short of what prison phone companies are contractually obligated to pay in "site commissions" to correctional facilities.

Despite protest from the FCC, the court today partially granted the stay request. "While the DC Circuit stayed implementation of new, lower rate caps, and a related rule limiting fees for certain single call services, the Court otherwise declined to delay critical reforms including implementation of caps and restrictions on ancillary fees," the FCC said in a response to the ruling. New ancillary fee limits will take effect on March 17 in prisons and on June 20 in jails. Interim rate caps set by the commission in 2013 also remain in place, the FCC said, but those limits only address calls that cross state lines.

The FCC's latest vote on inmate calling rates in October 2015 went further, with lower rate caps on interstate calls and new caps on the intrastate calls that happen within a state.

The newest caps were supposed to cut the cost of most calls almost in half, to 11¢ per minute.

But in some extreme cases, prison phone calls can cost $14 per minute, the FCC said.

FCC Chairman Tom Wheeler and Commissioner Mignon Clyburn, both Democrats, said they regret the delay of the new, lower rate caps but that they believe the court will ultimately uphold them. In the meantime, the new limits on ancillary charges will make a difference, they said. "These fees can increase the cost to consumers of a call by nearly 40 percent, compounding the burden of rates that are too high," Wheeler and Clyburn said in a written statement.

New limits on fees include $3 for making automated payments by phone or website; $5.95 for making payments with a "live agent;" and $2 for "paper bill fees." The FCC said it set these limits based on cost data it collected.

Republican FCC Commissioner Ajit Pai, who voted against the new rate limits, said the court's decision is "no surprise." "This case captures well how the FCC in recent years has done business," Pai said. "Political expedience trumps everything else; the rule of law is ridiculed rather than respected; and bipartisan compromise is rejected in favor of a party-line vote. Thankfully, we can still count on the federal courts to rebuke an agency untethered to the rule of law."

Apple Macs Hit By Ransomware 'For The First Time'

A type of malware that locks computer files and demands a fee for their release has successfully targeted Apple computers. The security researchers from Palo Alto Networks believe it is the first time ransomware has appeared on Macs. The KeRangers m...

Apple shuts down first-ever ransomware attack against Mac users

With the help of security researchers, Apple over the weekend quickly blocked a cyberattack aimed at infecting Mac users with file-encrypting malware known as ransomware. The incident is believed to be the first Apple-focused attack using ransomware, which typically targets computers running Windows. Victims of ransomware are asked to pay a fee, usually in bitcoin, to get access to the decryption key to recover their files. Security company Palo Alto Networks wrote on Sunday that it found the "KeRanger" ransomware wrapped into Transmission, which is a free Mac BitTorrent client. Transmission warned on its website that people who downloaded the 2.90 version of the client "should immediately upgrade to 2.92." It was unclear how the attackers managed to upload a tampered version of Transmission to the application's website.

But compromising legitimate applications is a commonly used method. "It’s possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred," Palo Alto wrote on its blog. The tainted Transmission version was signed with a legitimate Apple developer's certificate.
If a Mac user's security settings are set to allow downloads from identified Apple developers, the person may not see a warning from Apple's Gatekeeper that the application could be dangerous. Apple revoked the certificate after being notified on Friday, Palo Alto wrote.

The company has also updated its XProtect antivirus engine. After it is installed on a system, KeRanger waits three days before connecting to a remote command-and-control server using the Tor system.
It is coded to encrypt more than 300 types of files. The ransom is 1 bitcoin, or about $404. There are few defenses against ransomware.

Antivirus programs often do not catch it since the attackers frequently make modifications to fool security software. The best method is to ensure files are regularly backed up and that the backup system is isolated in a way to protect it from being infected as well. Disturbingly, KeRanger appears to also try to encrypt files on Apple's Time Machine, its consumer backup drive, Palo Alto wrote. Ransomware schemes have been around for more than a decade, but over the last few years have spiked. At first the attacks struck consumer computers, with the aim of extracting a few hundred dollars.

But it appears attackers are targeting companies and organizations that may pay a much larger ransom to avoid disruption. Last month, a Los Angeles hospital said it paid a $17,000 ransom after saying it was the quickest, most effective way to restore its systems.

The ransomware had affected its electronic medical records. Although Apple's share of the desktop computing market is much lower than Windows, cyberattackers have been showing increasing interest in it.

But so far, ransomware hasn't been a problem, although some researchers have created proof-of-concept file-encrypting malware for Macs. Last November, Brazilian security researcher Rafael Salema Marques published a video showing how he coded ransomware for Mac in a couple of days. He didn't release the source code. Also, OS X security expert Pedro Vilaca posted proof-of-concept code on GitHub for Mac ransomware he wrote, another experiment showing how simple it would be for attackers to target the platform.

First working Apple Mac ransomware infects Transmission BitTorrent app downloads

If you downloaded 2.90, you've got a few hours to get rid of it

The first "fully functional" ransomware targeting OS X has landed on Macs – after somehow smuggling itself into downloads of the popular Transmission BitTorrent client. Transmission's developers have warned in a notice splashed in red on the app's website that if you fetched and installed an afflicted copy of the software just before the weekend, you must upgrade to a clean version. Specifically, downloads of version 2.90 were infected with ransomware that will encrypt your files using AES and an open-source crypto library, and demand a payment to unscramble the documents. Transmission has millions of active users.
It is possible the app's website was compromised, and the downloads tampered with to include the KeRanger nasty. Those who have had files encrypted will be asked by the malware to cough up US$400 in Bitcoins, paid to a website hidden in the Tor network, to get their files back. "Everyone running [version] 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file," the Transmission authors posted on Sunday. Palo Alto Networks researchers Claud Xiao and Jin Chen found the KeRanger ransomware hidden in the BitTorrent software on Friday, and warned the Transmission team of the infection. The pair and a group of seven others from Palo Alto Networks detected the infiltration hours after miscreants somehow injected the malware into the downloads.

They noted that KeRanger is programmed to encrypt victims' files three days after the infected Transmission client is installed. Mac fans who installed Transmission for OS X 2.90 from the official website between March 4 and March 5 are probably at risk.

Those who upgrade to the latest clean and ransomware-free version of Transmission – version 2.92 – by Monday, 11am PT (7pm UTC) should avoid having their files encrypted. The malicious code has a process name of kernel_service, which can be killed, and it stores its executable in ~/Library/kernel_service, which should be deleted.

The latest safe version of Transmission, v2.92, includes a tool to remove the KeRanger ransomware. "On March 4, we detected that the Transmission BitTorrent installer for OS X was infected with ransomware, just a few hours after installers were initially posted," Xiao and Chen wrote. "As FileCoder (earlier Mac ransomware) was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform. "It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred." Attackers could potentially alter the ransomware through its command-and-control server so that KeRanger immediately encrypts files rather than lying in wait for a few days. KeRanger was cryptographically signed using a now-revoked Apple-issued developer certificate, but will still be accepted by OS X's Gatekeeper protection system.

That means if an OS X system is configured to only run software from trusted developers, KeRanger will be allowed to start as it is signed by a developer cert.

Apple has added the ransomware's signature to OS X's XProtect mechanism, which screens downloads and blocks malicious code. KeRanger also contains other dormant features that could encrypt Mac Time Machine backups, preventing users from restoring their machines.

As an interesting aside, the malware's executable was smuggled in an .RTF README file within Transmission.

First Mac-targeting ransomware hits Transmission users, researchers say

A security research firm announced Sunday its discovery of what is believed to be the world’s first ransomware that specifically goes after OS X machines. "This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Ryan Olson, of Palo Alto Networks, told Reuters. The KeRanger malware, which imposes a 72-hour lockout window unless the victim pays 1 bitcoin ($410 as of this writing), appears to have been first discovered via a rogue version of Transmission, a popular BitTorrent client. For some time now, ransomware has primarily targeted Windows machines—threatening total data destruction if the ransom isn't paid. Recently, even a Los Angeles hospital was infected, which resulted in the payment of a $17,000 ransom.
In June 2015, the FBI said it had been contacted by 992 victims of CryptoWall, a similar ransomware scheme, who have sustained combined losses totaling over $18 million. On Saturday evening, some Transmission users noticed the strange activity on a discussion board—users concluded that the 2.90 version of Transmission was infected with the ransomware.
It appears that somehow the Transmission website may have been compromised, as it was served via HTTP rather than the primary HTTPS Transmission website. Soon after, Transmission posted this message on its website: "Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file." In a technical analysis, Palo Alto Networks' Claud Xiao and Jin Chen wrote: The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection.
If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network.

The malware then begins encrypting certain types of document and data files on the system.

After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.

Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data. Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4.

Apple has since revoked the abused certificate and updated its XProtect antivirus signatures, and the Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems. Apple did not immediately respond to Ars’ request for comment. Palo Alto Networks also added: Users who have directly downloaded the Transmission installer from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger.
If the Transmission installer was downloaded earlier or downloaded from any third-party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now. This story is developing. Please check back for updates.
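The reports above give defenders three concrete things to act on: a process named kernel_service, a dropped executable at ~/Library/kernel_service, and the download window Palo Alto Networks quoted (11:00am PST 4 March to 7:00pm PST 5 March 2016). The script below is an added example, not code from any of the articles, from Transmission, Palo Alto Networks or Apple; the function names, the KERANGER_REMOVE switch and the epoch conversion of the window (PST taken as UTC-8, which it was before the 13 March clock change) are this example's own. It only reports by default; removal of the process and file happens only when KERANGER_REMOVE=1 is set explicitly.

```shell
#!/bin/sh
# Added example: defender-side check for the KeRanger artefacts named in the
# reports (process kernel_service, file ~/Library/kernel_service) and for the
# download window Palo Alto Networks quoted. Function names are this example's own.

# Window quoted by Palo Alto Networks: 11:00am PST 4 March 2016 to 7:00pm PST
# 5 March 2016, converted to Unix epoch seconds (PST = UTC-8 on those dates).
KERANGER_WINDOW_START=1457118000   # 2016-03-04 19:00:00 UTC
KERANGER_WINDOW_END=1457233200     # 2016-03-06 03:00:00 UTC

# keranger_download_in_window EPOCH
# Returns 0 when a download timestamp (epoch seconds) lies inside the window.
keranger_download_in_window() {
    t="$1"
    [ "$t" -ge "$KERANGER_WINDOW_START" ] && [ "$t" -le "$KERANGER_WINDOW_END" ]
}

# keranger_check_file [HOME_DIR]
# Prints the path and returns 0 if HOME_DIR/Library/kernel_service exists.
# HOME_DIR defaults to $HOME; the parameter lets the check run against a
# mounted image or a test directory instead of the live home directory.
keranger_check_file() {
    home_dir="${1:-$HOME}"
    candidate="$home_dir/Library/kernel_service"
    if [ -e "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    return 1
}

# keranger_check_process
# Returns 0 if a process whose name is exactly kernel_service is running.
keranger_check_process() {
    pgrep -x kernel_service >/dev/null 2>&1
}

# keranger_remediate [HOME_DIR]
# Reports the process and file; kills and deletes them only when KERANGER_REMOVE=1.
keranger_remediate() {
    home_dir="${1:-$HOME}"
    if keranger_check_process; then
        if [ "${KERANGER_REMOVE:-0}" = "1" ]; then
            pkill -x kernel_service && echo "killed process kernel_service"
        else
            echo "would kill process kernel_service (set KERANGER_REMOVE=1 to act)"
        fi
    fi
    if path=$(keranger_check_file "$home_dir"); then
        if [ "${KERANGER_REMOVE:-0}" = "1" ]; then
            rm -f "$path" && echo "removed $path"
        else
            echo "would remove $path (set KERANGER_REMOVE=1 to act)"
        fi
    fi
}

# Stand-alone use: report (without removing) for the current user's home directory.
keranger_remediate
echo "Also upgrade Transmission to 2.92, which the project says removes KeRanger itself."
```

Run it as-is for a report, then with KERANGER_REMOVE=1 to kill the process and delete the file; pass a directory argument to check a mounted home directory from another machine. The file check is the one the articles describe verbatim; the window check is only a rough triage aid, since a download timestamp is not the same as the installer's modification time.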