Tag Archives: against

Software Reviews | Computer Software Review

MSRP: $150.00

Bottom Line: Against standard malware, Webroot SecureAnywhere Business Endpoint Protection is an excellent product. But we found it has trouble detecting more bleeding-edge attacks, such as the newer scripting attacks. Still, with an excellent overall set of tools, Webroot is definitely worth checking out after this problem is patched.

CyberSight RansomStopper

Your antivirus or security suite really ought to protect you against ransomware, along with all other kinds of malware. There might be an occasional slipup with a never-before-seen attack, but those unknowns rapidly become known. Unfortunately, ex post facto removal of ransomware still leaves your files encrypted. That’s why you may want to add a ransomware protection utility to your arsenal. The free CyberSight RansomStopper stopped real-world ransomware in testing, but can have a problem with ransomware that only runs at boot time.

Similar Products

RansomStopper is quite similar to Cybereason RansomFree, Trend Micro RansomBuster, and Malwarebytes Anti-Ransomware Beta. All four are free, and all detect ransomware based on its behavior. Since they rely on behavior, it doesn’t matter whether the ransomware is an old, known quantity or a just-created zero-day attack. Like RansomFree, RansomStopper uses bait files as part of its detection methodology. However, RansomStopper hides its bait files from the user.

Getting Started

Installation went quickly in my testing. After the download, I completed the process by entering my first and last name and email address. Once I responded to the confirmation email, the product was up and running.

The product’s simple main window reports that “You are protected from ransomware.” Buttons across the bottom let you view security alerts, processes RansomStopper has blocked, and processes you’ve chosen to allow. Another button lets you check for updates, if you didn’t select automatic updates during installation. Simple!

CyberSight also offers a business edition. Added features include email alerts, centralized administration, and detailed reports. The business edition costs $29.99 for a single license, though the price drops to as low as $10 per seat with volume licensing.

Ransomware Protection

When RansomStopper detects a ransomware attack, it terminates the offending process and pops up a warning in the notification area. Clicking the warning lets you see what file caused the problem. There’s an option to remove programs from the blocked processes list—along with a warning that doing so is a bad idea.

Waiting to detect ransomware behavior can sometimes mean that the ransomware encrypts a few files before termination. When I tested Malwarebytes, it did lose a few files this way. Check Point ZoneAlarm Anti-Ransomware actively recovers any encrypted files. In my testing, it did so for every ransomware sample. ZoneAlarm’s only error was one instance of reporting failure when it had actually succeeded.

For a quick sanity check, I launched a simple fake ransomware program that I wrote myself. All it does is look for text files in and below the Documents folder and encrypt them. It uses a simple, reversible cipher, so a second run restores the files. RansomStopper caught it and prevented its chicanery. So far so good.

Caution, Live Ransomware

The only sure way to test behavior-based ransomware protection is by using live ransomware. I do this very cautiously, isolating my virtual machine test system from any shared folders and from the internet.

This test can be harrowing if the anti-ransomware product fails its detection, but my RansomStopper test went smoothly. Like ZoneAlarm and Malwarebytes, RansomStopper caught all the samples, and I didn’t find any files encrypted before behavioral detection kicked in. Cybereason RansomFree did pretty well, but it missed one.

I also test using KnowBe4’s RanSim, a utility that simulates 10 types of ransomware attack. Success in this test is useful information, but failure can simply mean that the behavior-based detection correctly determined that the simulations are not real ransomware. Like RansomFree, RansomStopper ignored the simulations.

Boot-Time Danger

Keeping under the radar is a big deal for ransomware. When possible, it does its dirty deeds silently, only coming forward with its ransom demand after encrypting your files. Having administrator privileges makes ransomware’s job easier, but getting to that point typically requires permission from the user. There are workarounds to get those privileges silently. These include arranging to piggyback on the Winlogon process at boot time, or setting a scheduled task to run at boot time. Typically, the ransomware just arranges to launch at boot and then forces a reboot, without performing any encryption tasks.

I mention this because I discovered that ransomware can encrypt files at boot time before RansomStopper kicks in. My own fake encryption program managed that feat. It encrypted all text files in and below the Documents folder, including RansomStopper’s bait text file. (Yes, that file is in a folder that RansomStopper actively hides, but I have my methods…)

I reverted the virtual machine and tried again, this time setting a real-world ransomware sample to launch at startup. It encrypted my files and displayed its ransom note before RansomStopper loaded. From my CyberSight contact I learned that they’re “testing several solutions” for this problem, and that an update in the next few weeks should take care of it. I’ll update this review when a solution becomes available.

RansomFree runs as a service, so it’s active before any regular process. When I performed the same test, setting a real-world ransomware sample to launch at startup, RansomFree caught it. Malwarebytes also passed this test. RansomBuster detected the boot-time attack and recovered the affected files.

To further explore this problem, I obtained a sample of the Petya ransomware that caused trouble earlier this year. This particular strain crashes the system and then simulates boot-time repair by CHKDSK. What it’s actually doing is encrypting your hard drive. Malwarebytes, RansomFree, and RansomBuster all failed to prevent this attack. RansomStopper caught it before it could cause the system crash—impressive! To be fair to the others, this one is not a typical file encryptor ransomware. Rather, it locks the entire system by encrypting the hard drive.

Querying my contacts, I did learn that boot-time ransomware attacks, including Petya, are becoming less common. Even so, I’m adding this test to my repertoire.

Other Techniques

Behavior-based detection, when implemented properly, is an excellent way to fight ransomware. However, it’s not the only way. Trend Micro RansomBuster and Bitdefender Antivirus Plus are among those that foil ransomware by controlling file access. They prevent untrusted programs from making any change to files in protected folders. If an untrusted program tries to modify your files, you get a notification. Typically, you get the option to add the unknown program to the trusted list. That can be handy if the blocked program was your new text or photo editor. Panda Internet Security goes even farther, preventing untrusted programs from even reading data from protected files.

Ransomware crooks need to take care that they’ll be able to decrypt files when the victim pays up. Encrypting files more than once could interfere with recovery, so most include a marker of some kind to prevent a second attack. Bitdefender Anti-Ransomware leverages that technique to fool specific ransomware families into thinking they’ve already attacked you. Note, though, that this technique can’t do a thing about brand-new ransomware types.

When Webroot SecureAnywhere AntiVirus encounters an unknown process, it starts journaling all activity by that process, and sending data to the cloud for analysis. If the process proves to be malware, Webroot rolls back everything it did, even rolling back ransomware activity. ZoneAlarm and RansomBuster have their own methods for recovering files. When the anti-ransomware component of Acronis True Image kills off a ransomware attack, it can restore encrypted files from its own secure backup if necessary.

Give It a Try

CyberSight RansomStopper detected and blocked all my real-world ransomware samples without losing any files. It also detected my simple hand-coded ransomware simulator. And it blocked an attack by Petya, where several competing products failed.

RansomStopper did exhibit a vulnerability to ransomware that only runs at boot time, but my sources say this type of attack is becoming less common, and CyberSight is working on a solution. Other free products had their own problems. RansomFree missed one real-world sample, and Malwarebytes let another sample encrypt a few files before its detection kicked in. RansomBuster fared worse, missing half the samples completely (though its Folder Shield component protected most files).

Check Point ZoneAlarm Anti-Ransomware remains our Editors’ Choice for dedicated ransomware protection. It’s not free, but at $2.99 per month it’s also not terribly expensive. If that still seems too steep, give the three free utilities a try, and see which one you like best.

Salesforce small-business customers can tap into AI, too

Salesforce competes against numerous boutique CRM, marketing and service-oriented cloud vendors catering to SMBs that don’t have the overhead Salesforce requires to do business. It might be argued that many SMBs don’t need all the bells and whistles Salesforce has to offer.

Marie Rosecrans, Salesforce’s senior vice president who leads SMB outreach, discussed at Dreamforce 2017 how SMBs can capitalize on the rich app and feature choices, as well as free training materials, that only Salesforce small-business customers can access.

What are the main challenges Salesforce small-business customers face that you’re trying to help solve?

Marie Rosecrans: One of the biggest challenges is just … time. They don’t have a lot of time. One of the things that we look to do as a technology vendor is save time by creating solutions that are easy to set up, easy to use and easy to scale. We get a lot of feedback from customers saying they want something they can set up immediately because they are so time- and resource-constrained.

With that simplicity in mind, and knowing that AI requires large data sets to derive usable insights, how can small businesses use Einstein, which is a complicated technology under the hood?

Rosecrans: One of the best tools we make available to all of our customers — but is most valuable to SMBs — is Trailhead. It’s a fun, easy, interactive way to learn. It gives everyone access to a lot of information and knowledge, and I would use that as a starting point to get educated around what you need as a small business. It’s not just for Salesforce; it’s, ‘What should I be considering as a small business around investing in CRM?’

Artificial intelligence is a topic that is getting a lot of momentum these days. I think small businesses feel daunted by the whole notion of AI. We launched a product called Essentials for folks just dipping their toe into CRM. We have incorporated elements of artificial intelligence directly into Essentials to help SMBs realize the benefits of that. As our customers work in email and calendars, all of that info is being captured into their CRM without data entry. That’s AI at work for them, right away.

There have been some low-code/no-code do-it-yourself Salesforce app-building tools released earlier this year and more announcements here. Is that feasible for Salesforce small-business customers? At the same time, might that cut into longtime partnerships Salesforce has with app developers who connect with SMBs?

Rosecrans: Salesforce started as an SMB. SMBs have been core to our company, and so we keep that user experience top of mind. I absolutely agree that small businesses should be looking at low-code/no-code, declarative programming as a solution to accelerate their technology investments.

No two small businesses are alike. Each has its unique business challenges that they are looking to solve. One of the things that we look to make available to all of our customers is the AppExchange, the world’s largest business applications marketplace.

Finding, winning and keeping customers aren’t the only business challenges that small businesses have. So, by making the AppExchange available, we know there are going to be partner solutions out there that may more specifically fix or solve [those] business challenges. We want small businesses to use or embrace technology, because that will set them along that growth path.

Botched ERP implementation project leads to National Grid lawsuit

National Grid, an electric and gas utility company, has filed a lawsuit against IT services provider Wipro Ltd., alleging it delivered an ERP implementation project “that was of virtually no value to National Grid.” It said the contractor was paid $140 million for its work.

This lawsuit, filed Dec. 1 in the U.S. District Court in New York, described a series of problems with an SAP deployment. 

For instance, National Grid alleged the “new SAP system miscalculated time, pay rates and reimbursements, so that employees were paid too little, too much or nothing at all.” 

With respect to the supply chain functions, the ERP implementation project “devastated” the utility’s procurement, inventory and vendor payment processes. Two months after going live, “National Grid’s backlog of unpaid supplier invoices exceeded 15,000, and its inventory record keeping was in shambles.”

Wipro, a global IT services provider based in India, with about $8.5 billion in revenue and nearly 170,000 employees, quickly refuted the lawsuit’s allegations in a securities filing.

“National Grid has been a valued customer of Wipro in the U.S. and U.K. for several years,” the firm said in its filing. “Wipro strongly believes that the allegations misstate facts and the claims are baseless. Wipro will vigorously contest the allegation in court.”

Wipro said the ERP implementation project began in 2009 and had multiple vendors. The provider said it joined the project in 2010, and “the post go-live process was completed in 2014.”

“During the course of this ERP implementation project, National Grid gave Wipro many positive evaluations. Wipro also received an award from National Grid U.S. with respect to this project in 2014,” the firm said in its statement. 

It is not unusual to see a large ERP project end up in court. Earlier this year, MillerCoors filed a lawsuit against HCL Technologies, an India-based IT services firm, over problems relating to a $100 million ERP implementation.

MillerCoors, in court papers, accused HCL of failing to provide leadership and to adequately staff the project. In its counterclaim, HCL said MillerCoors’ leadership team “did not understand the operations of their own business.”

National Grid is a multinational firm that provides utility services in the U.K. and in Massachusetts, New York and Rhode Island. The ERP deployment project began with the goal of upgrading back-office systems that run financials, HR, supply chain and procurement.

National Grid alleged that Wipro designed an “overly complex” SAP project.

“Rather than taking advantage of certain design and configuration options available within the out-of-the-box SAP software to minimize system complexity and reduce risk, Wipro’s inexperienced consultants engaged in excessive customization of the base SAP system,” according to the lawsuit.

The lawsuit claimed by September 2013, the continuing efforts to stabilize the new SAP system were costing approximately $30 million per month, totaling over $300 million.

National Grid did not respond by press time to a request for comment about the current usefulness of its SAP system.

Yahoo data breach hacker pleads guilty to cybercrime charges

A Canadian hacker pleaded guilty to the charges made against him following his involvement in the 2014 Yahoo data breach.

Karim Baratov is one of four men indicted and accused of being behind the Yahoo data breach that affected 3 billion user accounts. The other three men are still at large in Russia with no expectation that they will be extradited. Two of the three are officers in the Russian Federal Security Service and the other is a known hacker who is already wanted in the United States on other charges.

Baratov admitted to his involvement in the Yahoo data breach, which included hacking more than 11,000 webmail accounts from 2010 until his arrest earlier this year. He advertised on a Russian hacker-for-hire website and said he mostly spear phished his victims by sending them emails that linked to legitimate-looking websites where they would be prompted to provide their username and password. Once he received payments from his customers, Baratov would then send them the victims’ credentials.

In the case of the Yahoo data breach, Baratov pleaded guilty to one count of violating the Computer Fraud and Abuse Act by stealing information off of protected computers and causing damage to them. He also pleaded guilty to eight counts of aggravated identity theft.

“This case is a prime example of the hybrid cyber threat we’re facing, in which nation states work with criminal hackers to carry out malicious activities,” said Paul Abbate, the FBI’s Executive Assistant Director of Criminal, Cyber, Response and Services in a press release. “Today’s guilty plea illustrates how the FBI continues to work relentlessly with our private sector, law enforcement and international partners to identify and hold accountable those who conduct cyberattacks against our nation, no matter who they’re working with or where they attempt to hide.”

Baratov was arrested in Canada in March 2017 and indicted shortly after.

“The illegal hacking of private communications is a global problem that transcends political boundaries,” said Brian Stretch, U.S. Attorney for the Northern District of California. “Cybercrime is not only a grave threat to personal privacy and security, but causes great financial harm to individuals who are hacked and costs the world economy hundreds of billions of dollars every year. These threats are even more insidious when cyber criminals such as Baratov are employed by foreign government agencies acting outside the rule of law. With the assistance of our law enforcement partners in Canada, we were able to track down and apprehend a prolific criminal hacker who had sold his services to Russian government agents. This prosecution again illustrates that we will identify and pursue charges against hackers who compromise our country’s computer infrastructure.”

Baratov is being held in California without bail and is scheduled to be sentenced in February 2018.

In other news

  • A group of NATO allies are considering using offensive cyberattack measures in response to the growing threat of state-sponsored cyberwarfare. The U.S., Britain, Germany, Norway, Spain, Denmark and the Netherlands are looking to come to an agreement by 2019 on cyberwarfare principles for the military use of cyberattacks. Currently, NATO uses only defensive measures to deal with cybercrime, but recently cyberthreats have become a bigger priority for the organization as state-sponsored cyberattacks have played a bigger role in international relations. “There’s a change in the (NATO) mindset to accept that computers, just like aircraft and ships, have an offensive capability,” U.S. Navy Commander Michael Widmann told Reuters. This follows a move by the organization earlier this year to establish cyber as a military domain and join the ranks of land, air and sea — meaning that a cyberattack on one NATO ally would mean an attack on all NATO allies.
  • The China-based security research company Qihoo 360 Netlab has issued an early warning of a new variant of the Mirai malware that is spreading quickly on port 23 and 2323. Starting Nov. 22, Netlab wrote in a blog post, “we noticed big upticks on port 2323 and 23 scan traffic, with almost 100k unique scanner IP came from Argentina (sic). After investigation, we are quite confident to tell this is a new mirai variant (sic).” The researchers wondered whether this new attack was focusing on specific types of internet of things devices, similar to what happened in the 2016 Mirai attack on Deutsche Telekom, which took down the internet for approximately 1 million customers of the German telecom. The Mirai botnet attacks, and several variants after them, have plagued IoT devices globally since 2016.
  • According to an investigation by the Associated Press (AP), the FBI failed to notify U.S. government officials that they were targeted by the Russian hacking group Fancy Bear, despite having the information for the last year. AP received a list from cybersecurity firm SecureWorks of targeting data and was able to identify 500 U.S. targets on this list. Of the 500, AP contacted 190 of them and interviewed 80. Of those contacted, only two were notified by the FBI that they were targets. Even some senior officials were only informed that they were targeted by Fancy Bear when AP contacted them. According to AP, there is an FBI policy that says the Bureau should notify victims of ongoing and future hacking attempts as a means of protection. Many of the U.S. officials targeted by the Fancy Bear attacks had their email accounts compromised and inboxes posted on the DCLeaks website.