
British Airways data breach may be the work of Magecart

The British Airways data breach may have been the handiwork of the threat actor group known as Magecart.

Security researchers at the threat intelligence company RiskIQ Inc. reported that, based on their analysis of the evidence, they suspect Magecart was behind the late August British Airways data breach. The Magecart group focuses on online credit card skimming attacks and is believed to be behind the Ticketmaster data breach discovered in June 2018.

British Airways reported on Sept. 6 that it had suffered a breach affecting around 380,000 customers. The company said the personal and payment information used in transactions made on the website and the mobile app between Aug. 21 and Sept. 5 was affected.

In a blog post published a week later, RiskIQ researcher Yonathan Klijnsma said that the British Airways data breach announcement stated the breach had affected the website and mobile app but made no mention of compromised databases or servers, which led him to notice similarities between this incident and the Ticketmaster breach.

The Ticketmaster breach was caused by a web-based credit card skimming scheme that targeted e-commerce sites worldwide. The RiskIQ team said that the Ticketmaster breach was the work of the hacking group Magecart, and was likely not an isolated incident, but part of a broader campaign run by the group.

The similarities between the Ticketmaster breach and the reports of the British Airways data breach led Klijnsma and the RiskIQ team to look at Magecart’s activity.

“Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart,” Klijnsma wrote. “The same type of attack happened recently when Ticketmaster UK reported a breach, after which RiskIQ found the entire trail of the incident.”

Klijnsma said they were able to expand the timeline of the Ticketmaster activity and discover more websites affected by online credit card skimming.

“Our first step in linking Magecart to the attack on British Airways was simply going through our Magecart detection hits,” Klijnsma explained. “Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code.”

He noted that in the instance of the British Airways data breach, the research team had no notifications of Magecart’s activity because the hacking group customized their skimmer. However, they examined British Airways’ web and mobile apps specifically and noticed the similarities — and the differences.


“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” Klijnsma wrote. “This particular skimmer is very much attuned to how British Airway’s (sic) payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

Klijnsma also said it was likely Magecart had access to the British Airways website and mobile app before the attack reportedly started.

“While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” he wrote.
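A defender-side check that the incident above motivates, added here as an example and not code from the RiskIQ report or from British Airways: record the SHA-256 of every external script a payment page loads, then re-check on a schedule, so that a modification to an existing site resource (the scenario Klijnsma describes) is flagged even when the injected code is custom and matches no known skimmer signature. The `shop.example` URLs and script bodies are constructed sample data; `fetch` is an offline stand-in for an HTTP GET.

```python
"""Integrity baseline for scripts served on a payment page (added example).

A skimmer inserted into a legitimate site resource changes that resource's
hash. Comparing current hashes against a recorded baseline catches the change
regardless of what the injected code looks like; the SRI helper produces the
integrity value that lets the browser itself refuse a modified script.
"""
import base64
import hashlib
import re
from typing import Callable, Dict, List, Tuple

# Matches the src attribute of <script ... src="..."> tags.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_script_urls(html: str) -> List[str]:
    """Return the external script URLs referenced by a page, in document order."""
    return SCRIPT_SRC_RE.findall(html)


def sha256_digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def build_baseline(page_html: str, fetch: Callable[[str], bytes]) -> Dict[str, str]:
    """Record the hash of every script the page currently loads (taken from a known-good state)."""
    return {url: sha256_digest(fetch(url)) for url in extract_script_urls(page_html)}


def check_page(page_html: str, baseline: Dict[str, str],
               fetch: Callable[[str], bytes]) -> List[Tuple[str, str]]:
    """Compare the live page against the baseline.

    Returns (url, finding) pairs: NEW for a script tag not in the baseline,
    MODIFIED for a known script whose content hash changed, MISSING for a
    baselined script the page no longer loads. An empty list means no drift.
    """
    findings: List[Tuple[str, str]] = []
    current = extract_script_urls(page_html)
    for url in current:
        if url not in baseline:
            findings.append((url, "NEW"))      # an added tag is itself a finding
            continue
        if baseline[url] != sha256_digest(fetch(url)):
            findings.append((url, "MODIFIED"))
    for url in baseline:
        if url not in current:
            findings.append((url, "MISSING"))
    return sorted(findings)


# Constructed sample data: a checkout page and the two scripts it loads.
PAGE_HTML = """<html><body>
<form id="payment"><input name="card"><button>Pay</button></form>
<script src="https://shop.example/js/vendor.js"></script>
<script src="https://shop.example/js/checkout.js"></script>
</body></html>"""

CLEAN_SCRIPTS: Dict[str, bytes] = {
    "https://shop.example/js/vendor.js": b"window.vendor = {version: '1.0'};\n",
    "https://shop.example/js/checkout.js":
        b"document.getElementById('payment').addEventListener('submit', validate);\n",
}

# The tampered copy is the legitimate file with extra bytes appended, standing in
# for an injected modification; any change at all produces a different hash.
TAMPERED_SCRIPTS: Dict[str, bytes] = dict(CLEAN_SCRIPTS)
TAMPERED_SCRIPTS["https://shop.example/js/checkout.js"] = (
    CLEAN_SCRIPTS["https://shop.example/js/checkout.js"]
    + b"/* constructed: appended modification */\n"
)


def make_fetcher(store: Dict[str, bytes]) -> Callable[[str], bytes]:
    """Offline stand-in for an HTTP GET; a real deployment fetches each URL."""
    return lambda url: store[url]


def demo() -> List[Tuple[str, str]]:
    """Baseline from the clean state, then re-check against the tampered state."""
    baseline = build_baseline(PAGE_HTML, make_fetcher(CLEAN_SCRIPTS))
    return check_page(PAGE_HTML, baseline, make_fetcher(TAMPERED_SCRIPTS))


if __name__ == "__main__":
    for url, finding in demo():
        print(finding, url)
    print("SRI for checkout.js:",
          sri_hash(CLEAN_SCRIPTS["https://shop.example/js/checkout.js"]))
```

The same baseline comparison applies to a page that gains an extra script tag, which `check_page` reports as NEW, so both ways of planting code on a payment page are covered by one scheduled check.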

Magecart, RiskIQ noted, has been active since 2015 and has been growing progressively more threatening as it customizes its skimming schemes for particular brands and companies.

In other news

  • President Donald Trump signed an executive order this week that imposes sanctions on anyone who attempts to interfere with U.S. elections. After Russian interference in the 2016 U.S. presidential election, there are fears that there will be further interference in the upcoming 2018 midterm election. In response to those fears, Trump signed an executive order that sanctions would be placed on foreign companies, organizations or individuals who have interfered with U.S. elections. The order says that government agencies must report any suspicious, malicious activity to the director of national intelligence, who will then investigate the report and determine its validity. If the director of national intelligence finds that the suspect group or individual has interfered, there will be a 45-day review and assessment period during which the Department of Justice and Homeland Security will decide whether sanctions are warranted. If they are, the foreign group or individual could have their U.S. assets frozen or be banned from the country.
  • A vulnerability in Apple’s Safari web browser enables attackers to launch phishing attacks. Security researcher Rafay Baloch discovered the vulnerability and was also able to replicate it in the Microsoft Edge browser. Baloch published the proof of concept for both browser vulnerabilities early this week, and while Microsoft had addressed the issue in its August Patch Tuesday release — citing an issue with properly parsing HTTP content as the cause — Apple has yet to issue any patches for it. The vulnerability in Safari iOS 11.3.1 could thus still be used to spoof address bars and trick users into thinking they are visiting a legitimate site that is actually malicious.
  • The hacker known as “Guccifer” will be extradited to the U.S. to serve a 52-month prison sentence. A Romanian court ruled that the hacker, who is known for exposing the misuse of Hillary Clinton’s private email server before the 2016 U.S. presidential election and whose real name is Marcel Lehel Lazar, will be extradited to America to serve his 52-month sentence after finishing his seven-year sentence in Romania — his home country. Lazar pleaded guilty in May 2016 to charges of unauthorized access to a protected computer and aggravated identity theft. Lazar is believed to have hacked into the accounts of around 100 people between 2012 and 2014, including former Secretary of State Colin Powell, CBS Sports’ Jim Nantz and Sidney Blumenthal, a former political aide to Bill Clinton and adviser to Hillary Clinton.

Lazarus Group hacker charged in Wannacry, Sony attacks

The Department of Justice has officially charged one member of the North Korean Lazarus Group for his role in the Wannacry attacks, the Sony Pictures breach, theft on the SWIFT banking system and more.

Nathan Shields, special agent for the FBI, filed an affidavit of complaint against the Lazarus Group hacker, Park Jin Hyok, on June 8, 2018, but the charges were made public Sept. 6.

Park was charged with conspiring to commit “unauthorized access to computer and obtaining information, with intent to defraud, and causing damage, and extortion related to computer intrusion” and wire fraud.

“The evidence set forth herein was obtained from multiple sources, including from analyzing compromised victim systems, approximately 100 search warrants for approximately 1,000 email and social media accounts accessed internationally by the subjects of the investigation, dozens of orders issued … and approximately 85 formal requests for evidence to foreign countries and additional requests for evidence and information to foreign investigating agencies,” Shields wrote in the affidavit.

Shields wrote that the affidavit was “made in support of a criminal complaint against, and arrest warrant” for Park, but there is no indication the DoJ knows where Park is currently located. The last mention in the affidavit noted Park returned to North Korea in 2014 after spending three years working for North Korean company Chosun Expo in China.

Although Park was the lone Lazarus Group hacker named in the filing, the entire North Korean team was implicated in the 2014 Sony Pictures breach, the 2016 theft of $81 million from Bangladesh Bank via the SWIFT network, the 2017 Wannacry ransomware attack as well as “numerous other attacks or intrusions on the entertainment, financial services, defense, technology and virtual currency industries, as well as academia and electric utilities.”

“In 2016 and 2017, the conspiracy targeted a number of U.S. defense contractors, including Lockheed Martin, with spear-phishing emails. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea,” the U.S. Attorney’s Office for the Central District of California wrote in its press release. “The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.”

Confirmation of North Korean involvement

Park is the first Lazarus Group hacker named and officially charged by the U.S. government, but the Lazarus Group and North Korea have been connected to attacks before.

As far back as Dec. 2014, the FBI stated there was enough evidence to conclude that North Korea was behind the attack on Sony Pictures. And, in Dec. 2017 both the U.S. and U.K. governments blamed the Wannacry attacks on North Korea.

The affidavit detailed the use of the Brambul worm, which was malware attributed to the Lazarus Group in a US-CERT security alert issued by the FBI and Department of Homeland Security in May 2018.

However, while the confirmation of North Korean involvement was generally praised by experts, not all were happy that Park was the only Lazarus Group hacker to be named and charged.

Jake Williams, founder and CEO of Rendition Infosec, based in Atlanta, wrote on Twitter that it was a “human rights issue” to charge Park because the Lazarus Group hacker “likely had zero choice in his actions.”

M12 announces $4 million global competition for women entrepreneurs

Microsoft’s venture fund, M12, partners with EQT Ventures and SVB Financial Group to accelerate funding for women leaders

REDMOND, Wash. — July 26, 2018 — M12, Microsoft Corp.’s venture fund, in collaboration with the EQT Ventures fund and SVB Financial Group, on Thursday announced the Female Founders Competition, seeking to accelerate funding for top women-led startups focused on enterprise technology solutions. Two winners will share $4 million in venture funding, as well as access to technology resources, mentoring and more.

Women entrepreneurs receive a disproportionately small amount of venture funding, with only 2.2 percent of the total invested in 2017 going to women-founded startups. Studies have shown that investing in companies founded by women delivers significantly higher returns than the market average. By shining a light on this highly talented, but underfunded group of entrepreneurs, M12 and its partners seek to not only fund innovative female entrepreneurs, but to spotlight the funding gap that exists and the benefits of more equitable distribution of capital.

“We formed M12 to make smart bets on innovative people and their ideas, and the Female Founders Competition is an extension of that mandate,” said Peggy Johnson, executive vice president of Business Development at Microsoft. “This isn’t about checking a box; it’s an opportunity to remind the VC community that investing in women is more than just good values, it’s good business.”

“The EQT Ventures team is all about backing founders with the ambition, drive and vision to build a global success story,” said Alastair Mitchell, partner and investment advisor at EQT Ventures. “This competition reflects this and offers women entrepreneurs a great platform from which to launch their business, providing them with access to capital and mentorship. It also raises awareness of the funding gap between male and female founders, and the EQT Ventures team wants to play an active role in bridging that gap.”

Submissions will be accepted from July 26, 2018, to Sept. 30, 2018, and open across three regions: Europe, Israel, and North America (U.S., Canada and Mexico). Companies will be eligible to apply if they have at least one woman founder, have raised less than $4 million in combined equity funding and/or loans at day of application, and offer or intend to release a product, service or platform that addresses a critical business problem.

“At SVB, we strive to help innovative companies succeed,” said Tracy Isacke, head of Corporate Venture at Silicon Valley Bank. “Research tells us diverse teams are more successful. We believe this is true for our business, our clients’ businesses and the innovation economy at large. Our partnership with Microsoft has created a great opportunity for SVB to engage in this competition and is one of the many ways we are supporting diverse representation in the global innovation ecosystem.”

Up to 10 finalists will pitch in person for the chance to be one of the two startups that earn a $2 million investment as well as access to technology resources, mentoring and additional support. The competition also seeks to drive greater awareness for both finalists and winners, with the potential for future funding from the broader VC community. Full guidelines and contest information can be found on M12’s application page.

About EQT Ventures

EQT Ventures is a European VC fund with commitments of just over €566 million. The fund is based in Luxembourg and has investment advisors stationed in Stockholm, Amsterdam, London, San Francisco and Berlin. Fueled by some of Europe’s most experienced company builders, EQT Ventures helps the next generation of entrepreneurs with capital and hands-on support. EQT Ventures is part of EQT, a leading investment firm with approximately EUR 50 billion in raised capital across 27 funds. EQT funds have portfolio companies in Europe, Asia and the US with total sales of more than EUR 19 billion and approximately 110,000 employees.

About SVB Financial Group

For 35 years, SVB Financial Group (NASDAQ: SIVB) and its subsidiaries have helped innovative companies and their investors move bold ideas forward, fast. SVB Financial Group’s businesses, including Silicon Valley Bank, offer commercial and private banking, asset management, private wealth management, brokerage and investment services and funds management services to companies in the technology, life science and healthcare, private equity and venture capital, and premium wine industries. Headquartered in Santa Clara, California, SVB Financial Group operates in centers of innovation around the world. Learn more at svb.com.

About M12

As the corporate venture arm for Microsoft, M12 (formerly Microsoft Ventures) invests in enterprise software companies in the Series A through C funding stage. As part of its value-add to portfolio companies, M12 offers unique access to strategic go-to-market resources and relationships globally. Visit https://m12.vc/ to learn more.

For more information, press only:

Microsoft Media Relations, WE Communications for Microsoft, (425) 638-7777, rrt@we-worldwide.com

Lucy Wimmer, PR for EQT Ventures, +44(0) (755) 128-9177, lucy@eqtventures.com

Julia Thompson, PR for Silicon Valley Bank, (415) 764-4707, jthompson3@svb.com

Note to editors: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at http://news.microsoft.com. Web links, telephone numbers and titles were correct at time of publication but may have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://news.microsoft.com/microsoft-public-relations-contacts.

Evergreen Services Group: New deal to up MSP revenue to $40M

Evergreen Services Group, a holding company focused on purchasing managed service providers, is on the cusp of its fifth acquisition, a move that will bring the investor’s MSP revenue to more than $40 million.

The company, based in San Francisco, launched in 2017 as a spinoff of Alpine Investors, a private equity firm. Evergreen has received a $100 million equity commitment from Alpine to launch its acquisition campaign, which got underway seven months ago, according to Ramsey Sahyoun, head of M&A at Evergreen.

Evergreen’s investments include Executech, an MSP in the Salt Lake City area; Wolf Consulting and Jenlor, MSPs in greater Pittsburgh; and Interlaced LLC, an MSP in San Diego specializing in Apple environments.

Next up is an acquisition of an Austin, Texas, MSP that Evergreen Services Group expects to announce next week.

M&A in the MSP market

Evergreen’s acquisitions are in line with the general consolidation trend ongoing in the MSP market. A number of investment groups, including Fusion Agiletech, Converge Technology Partners and Great Hill Partners in conjunction with Reliam Inc., for example, are in the process of building IT services company platforms.

Sahyoun said Evergreen offers a different opportunity for MSPs in the M&A landscape. He said Evergreen purchases 100% of a company and generally pays in cash upfront, noting that other investors strike deals based on earn-outs or seller notes.

In addition, Evergreen takes a long-term view as it acquires companies, Sahyoun said.

“We are not going to smash a few MSPs together and sell in three or four years,” he said. “We are fortunate … to have a long-term financial backer behind this vision of ‘Let’s do this over many years and not just try to make a quick buck.'”

The long-range view enables Evergreen to invest in its acquired companies. Sahyoun said investments in sales and marketing, as well as in service delivery, set up the acquired companies for sustainable growth.

The companies Evergreen has acquired thus far will operate as stand-alone, independent platforms, he explained. Evergreen’s approach is to treat companies above the $1 million EBITDA threshold as platforms and those below that mark as add-on acquisitions that would be tucked into one of Evergreen’s platforms.

While Evergreen Services Group doesn’t plan to integrate the platform companies, there will be coordination among its holdings. Sahyoun said Evergreen recently started to bring executives from the companies together in a peer-group format in which they can share best practices and discuss business challenges. In addition, Evergreen provides a subject-matter expert directory and playbook on its website to help companies through such tasks as selecting an IaaS provider or collecting accounts receivable.

Chart: recent transactions in the IT services industry. Evergreen Services Group is among the investment organizations looking to do deals in the MSP market.

Looking for SMB focus, MRR

Evergreen’s acquisition approach is to look for MSPs serving the small and medium-sized business market that have more than half of their business coming from monthly recurring revenue (MRR).


“That is what we value and what gets us excited about this industry,” Sahyoun said of MRR. “We look for companies that have a good, predictable stream of revenue.”

Customer satisfaction and high retention rates are also important factors in assessing acquisition candidates. To determine customer satisfaction, Evergreen Services Group goes through a process of talking to a subset of an acquisition candidate’s customers as part of its post-letter-of-intent due diligence.

Sahyoun said the company uses a third-party vendor to conduct the customer surveys, which yield such information as net promoter scores.

In general, Sahyoun suggested the recent uptick in acquisition activity in the MSP market signals a greater confidence in the companies following the MSP business model.

“The business has gotten fundamentally better over time,” he said, noting the shift from break-fix to MRR. “That is a big part of what is driving investor interest.”

Other news

  • Microsoft made several announcements ahead of its annual partner conference, Microsoft Inspire. Among the disclosures is a free version of Microsoft Teams; a Whiteboard app for Windows 10 that is also slated for iOS; an expanded Azure Data Box offering; and new programs and resources that aim to help partners take advantage of Microsoft’s global customer and partner ecosystems. Microsoft also unveiled an Azure Expert MSP program, two Cloud Practice Playbooks and four Digital Transformation eBooks. Microsoft Inspire will run July 15 to 19 in Las Vegas.
  • Accenture has acquired Kogentix, a Schaumburg, Ill., company that focuses on big data and AI services. Kogentix employs about 220 big data engineers, data scientists, machine learning engineers and software developers, according to Accenture.
  • IT management software company SolarWinds has acquired Trusted Metrics, a threat monitoring and management vendor. SolarWinds said it will launch SolarWinds Threat Monitor, a tool for MSPs and managed security services providers, as a result of the buyout. In related news, private equity investment firm and SolarWinds backer Thoma Bravo revealed plans to purchase a majority interest in identity and access management player Centrify.
  • More than half of North American channel partners expect to see an increase in IT spending in 2018 compared with last year, according to a mid-year survey of 363 partner companies undertaken by OneAffiniti, a channel marketing solutions provider.
  • Dataguise, a data privacy protection and compliance vendor, unwrapped the DgSecure Partner Program for selling the company’s data governance enablement software. The program provides training and certification; incentives; demo software; sales leads and sales enablement tools; and market development funds (MDF). Partners can also access deal registration and marketing materials through the Dataguise partner portal, the vendor said.
  • Networking vendor Ruckus Networks unveiled a program for enabling partners to sell Ruckus Cloud Wi-Fi. The Cloud-Ready Specialization Program offers tools, training, technical support and incentives and is open to Select- and Elite-level Ruckus Ready partners, the vendor said. Ruckus also provides Smart Cities, Large Public Venue and Education specializations.
  • Yamaha Unified Communications, an audio and video conferencing vendor, introduced a global partner program. The program features three tiers — Basic, Emerging and Prime — with incremental benefits and incentives. At the Basic level, partners can access deal registration, a demo program, special discounts, product training and post-sales technical support. Emerging and Prime partners can tap volume incentive rebates and marketing support such as MDF, according to Yamaha UC.
  • WhiteHat Security, an application security provider, and RiskIQ, a digital threat management firm, are integrating their platforms. The integration gives joint customers “a detailed inventory of web-facing properties, which we can onboard into WhiteHat Sentinel for continuous scanning,” according to John Atkinson, vice president of strategic alliances at WhiteHat Security. As a result, channel partners can provide a “comprehensive solution for dynamic application security testing.”
  • Cybersecurity vendor Bitdefender expanded its security offerings for MSPs. New products include Patch Management, Advanced Threat Security, and Endpoint Detection and Response, available within the Bitdefender Cloud Security for MSP endpoint security suite. The three new offerings can be purchased via monthly usage-based licensing, Bitdefender said.
  • LogiGear, a software-testing vendor, said Royal Cyber, a solution provider based in Naperville, Ill., has joined its roster of value-added resellers. Royal Cyber will provide automation testing using LogiGear’s TestArchitect technology, LogiGear said.

Market Share is a news roundup published every Friday.

Digital transformation process: Align business and IT, shake legacy

At the Strongbow Consulting Group, founder and managing partner Cathy Horst Forsyth and her team help large enterprises digitally transform, specifically around network and infrastructure. In her experience with Fortune 500 companies, legacy applications and systems, as well as misalignment of technology and business strategies, can cause significant setbacks in the digital transformation process.

In this SearchCIO interview from the MIT Sloan CIO Symposium, Horst Forsyth details the trends and challenges that she’s seeing in enterprises that are going through the digital transformation process and what’s needed to be successful.

Editor’s note: This transcript has been edited for clarity and length.

What parts of the enterprise are leading the charge in the digital transformation process?

Cathy Horst Forsyth: You see it all on the edges of the business where we have lines of business working directly with their customers, with their individual goals. I think where we see digital transformation being most progressive and most successful is when those lines of business — at the front end of the business — are working closely with their technology partners. What doesn’t seem to work well, or at least what can fall back and have negative consequences is when the lines of business are transforming and driving digital transformation that does not align with a corporate strategy and isn’t compliant with [an organization’s] technology strategy. So, where we see the most success, whether it’s marketing, sales or any particular functional area within the firm, is really that alignment with the business executive and the technology team to make sure the execution is both successful and compliant with the overall goals of the organization.

What parts of the enterprise are less far along in the digital transformation process?


Horst Forsyth: Again, it’s kind of hard to generalize from my perspective. I can’t say one department or function is necessarily behind. But I would say that with organizations that are tethered to legacy applications, legacy infrastructure or legacy systems, it’s very difficult to dig themselves out of that. It’s probably not for lack of wanting to transform digitally, but you really can’t underestimate the [extent to which] legacy infrastructure systems and applications tether large companies down. Again, that’s one of the reasons [Strongbow] focuses specifically on the largest of enterprises. It is a lot easier to start ‘greenfield’ and to drive innovation when you haven’t been a classic Fortune 500 company for the past 50 or 100 years. Even though it’s about culture, leadership and many other things, the legacy infrastructure really can be an impediment. Where there are sunk costs or where it’s difficult to even understand where that infrastructure resides — which is an issue at times — we really see those organizations being hindered.

What kinds of strategies are effective in getting the entire enterprise to the same level of digital prowess?

Horst Forsyth: Once again, I go back to the top executives and the executive committee and [having the ability to] really understand and articulate business strategies. So, what are we trying to accomplish? Why are we trying to accomplish it? Anything can be framed in terms of opportunity or threat. Having everyone understand that simplistic business strategy is definitely a forerunner to then understanding how to leverage technology and achieving [digital transformation]. I think that, to some extent, technology strategy should be driven across the business — including on the front lines — but it needs to be monitored so that it’s consistent and compliant with corporate standards. And I think that the executives need to monitor and keep track of what’s going on, but allow it to go on and grow in a flexible fashion.

The case for cloud storage as a service at Partners

Partners HealthCare relies on its enterprise research infrastructure and services group, or ERIS, to provide an essential service: storing, securing and enabling access to the data files that researchers need to do their work.

To do that, ERIS stood up a large network providing up to 50 TB of storage, so the research departments could consolidate their network drives, while also managing access to those files based on a permission system.

But researchers were contending with growing demands to better secure data and track access, said Brent Richter, director of ERIS at the nonprofit Boston-based healthcare system. Federal regulations and state laws, as well as standards and requirements imposed by the companies and institutions working with Partners, required increasing amounts of access controls, auditing capabilities and security layers.

That put pressure on ERIS to devise a system that could better meet those heightened healthcare privacy and security requirements.

“We were thinking about how do we get audit controls, full backup and high availability built into a file storage system that can be used at the endpoint and that still carries the nested permissions that can be shared across the workgroups within our firewall,” he explained.

Hybrid cloud storage as a service

At the time, ERIS was devising security plans based on the various requirements established by the different contracts and research projects, filling out paperwork to document those plans and performing time-intensive audits.

It was then that ERIS explored ClearSky Data. The cloud-storage-as-a-service provider was already being used by another IT unit within Partners for block storage; ERIS decided six months ago to pilot the ClearSky Data platform.

“They’re delivering a network service in our data center that’s relatively small; it has very fast storage inside of it that provides that cache, or staging area, for files that our users are mapping to their endpoints,” Richter explained.

From there, automation and software systems from ClearSky Data take those files and move them to its local data center, which is in Boston. “It replicates the data there, and it also keeps the server in our data center light. [ClearSky Data] has all the files on it, but not all the data in the files on it; it keeps what our users need when they’re using it.”

Essentially, ClearSky Data delivers on-demand primary storage, off-site backup and disaster recovery as a single service, he said.

All this, however, is invisible to the end users, he added. The researchers accessing data stored on the ClearSky Data platform, as well as the one built by ERIS, do not notice the differences in the technologies as they go about their usual work.

ClearSky benefits for Partners

ERIS’ decision to move to ClearSky Data’s fully managed service delivered several specific benefits, Richter said.

He said the new approach reduced the system’s on-premises storage footprint, while accelerating a hybrid cloud strategy. It delivered high performance, as well as more automated security and privacy controls. And it offered more data protection and disaster recovery capabilities, as well as more agility and elasticity.

Richter said buying the capabilities also helped ERIS to stay focused on its mission of delivering the technologies that enable the researchers.

“We could design and engineer something ourselves, but at the end of the day, we’re service providers. We want to provide our service with all the needed security so our users would just be able to leverage it, so they wouldn’t have to figure out whether it met the requirements on this contract or another,” Richter said.

He noted, too, that the decision to go with a hybrid cloud storage-as-a-service approach allowed ERIS to focus on activities that differentiate the Partners research community, such as supporting its data science efforts.

“It allows us to focus on our mission, which is providing IT products and services that enable discovery and research,” he added.

Pros and cons of IaaS platform

Partners’ storage-as-a-service strategy fits into the broader IaaS market, which has traditionally been broken into two parts: compute and storage, said Naveen Chhabra, a senior analyst serving infrastructure and operations professionals at Forrester Research Inc.

[Cloud storage as a service] allows us to focus on our mission, which is providing IT products and services that enable discovery and research.
Brent Richter, director of ERIS at Partners HealthCare

In that light, ClearSky Data is one of many providers offering not just cloud storage, but the other infrastructure layers — and, indeed, the whole ecosystem — needed by enterprise IT departments, with AWS, IBM and Google being among the biggest vendors in the space, Chhabra said.

As for the cloud-storage-as-a-service approach adopted by Partners, Chhabra said it can offer enterprise IT departments flexibility, scalability and faster time to market — the benefits that traditionally come with cloud. Additionally, it can help enterprise IT move more of their workloads to the cloud.

There are potential drawbacks in a hybrid cloud storage-as-a-service setup, however, Chhabra said. Applying and enforcing access management policies in an environment where there are both on-premises and IaaS platforms can be challenging for IT, especially as deployment size grows. And while implementation of cloud-storage-as-a-service platforms, as well as IaaS in general, isn’t particularly challenging from a technology standpoint, the movement of applications on the new platform may not be as seamless or frictionless as promoted.

“The storage may not be as easily consumable by on-prem applications. [For example,] if you have an application running on-prem and it tries to consume the storage, there could be an integration challenge because of different standards,” he said.

IaaS may also be more expensive than keeping everything on premises, he said, adding that the higher costs aren’t usually significant enough to outweigh the benefits. “It may be fractionally costlier, and the customer may care about it, but not that much,” he said.

Competitive advantage

ERIS’ pilot phase with ClearSky Data involves standing up a Linux-based file service, as well as a Windows-based file service.

Because ERIS uses a chargeback system, Richter said the research groups his team serves can opt to use the older internal system — slightly less expensive — or they can opt to use ClearSky Data’s infrastructure.

“For those groups that have these contracts with much higher data and security controls than our system can provide, they now have an option that fulfills that need,” Richter said.

That itself provides Partners a boost in the competitive research market, he added.

“For our internal customers who have these contracts, they then won’t have to spend a month auditing their own systems to comply with an external auditor that these companies bring as part of the sponsored research before you even get the contract,” Richter said. “A lot of these departments are audited to make sure they have a base level [of security and compliance], which is quite high. So, if you have that in place already, that gives you a competitive advantage.”

RAMpage attack unlikely to pose real-world risk, says expert

A group of researchers developed a proof of concept for a variant of the Rowhammer exploit against Android devices and proved that Google’s protections aren’t enough, but one expert said the RAMpage attack is unlikely to pose a real-world threat.

A team of researchers from Vrije Universiteit Amsterdam, the University of California at Santa Barbara, Amrita University of Coimbatore, India and EURECOM — including many of the researchers behind the Drammer PoC attack upon which RAMpage was built — created both the RAMpage attack against ARM-based Android devices and a practical mitigation, called GuardION.

According to the researchers, the most likely method for attacking a Rowhammer vulnerability on a mobile device is through a direct memory access (DMA) based attack.

As such, they developed the RAMpage attack, “a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses,” researchers wrote in their research paper. “To mitigate Rowhammer exploitation on ARM, we propose GuardION, a lightweight defense that prevents DMA-based attacks — the main attack vector on mobile devices — by isolating DMA buffers with guard rows.”

The researchers said a successful RAMpage attack could allow a malicious app to gain unauthorized access to the device and read secret data from other apps, potentially including “passwords stored in a password manager or browser, personal photos, emails, instant messages and even business-critical documents.” However, lead researcher Victor van der Veen was careful to note it is unclear how many devices are at risk because of differences in software.

“With RAMpage, we show that the software defenses that were deployed to stop Drammer attacks are not sufficient. This means that the only remaining requirement is having buggy hardware. Since we have seen bit flips on devices with LPDDR2, LPDDR3, and LPDDR4 memory, we state that all these devices may be affected, although it is uncertain how many,” van der Veen wrote via email. “Local access is required. This means that the attacker must find a way to run code (e.g., an app) on the victim’s device. A second requirement is that the device needs to be vulnerable for the Rowhammer bug: it is unclear what percentage of devices expose this issue.”

In a statement, Google downplayed the dangers of the RAMpage attack: “We have worked closely with the team from Vrije Universiteit and though this vulnerability isn’t a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices.”

Google also asserted that newer devices include protections against Rowhammer attacks and “the researcher proof of concept for this issue does not work on any currently supported Google Android devices,” though Google did not specify what qualified as a “currently supported Google Android device.” 

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said this could mean “that ‘currently supported devices’ refers to Android builds to which Google still issues security patches, which means that Android Marshmallow (6.0) and above may not be susceptible” to the RAMpage attack. According to Google’s latest platform numbers, more than 62% of Android devices in the wild are above this threshold.

However, van der Veen thought Google might be referring to its own handsets.

“I believe they hint at the devices that fall under their Android Reward program, which is basically the Pixel and Pixel 2. We did manage to flip bits on a Pixel, and I think that it is likely that there are Pixel phones out there on which the attack will work,” van der Veen wrote. “I don’t see criminals exploiting the Rowhammer bug in a large-scale fashion. It is more likely to be used in a targeted attack. I do think that Google can do a bit more though.”

Arsene agreed that the RAMpage attack does appear “very difficult and unlikely to happen on a mass scale.”

“Attackers would have to know in advance the type of device the target owns, because some manufacturers and OS builds implement different row sizes (e.g. 32KB, 64KB, 128KB), making the attack significantly more complex and less reliable,” Arsene wrote via email. “Google may be right in saying the attack should not be of concern to average users, but it could be used in highly targeted attacks that involve stealthily compromising the device of a high priority individual. For mass exploitation of Android devices there are likely other, less sophisticated methods for compromise. Attackers will often go for the path of least resistance that involves maximum efficiency and minimum effort to develop and deploy.”

GuardION defense

Despite the relatively low likelihood of the RAMpage attack being used in the wild, researchers developed a mitigation based on protecting Google’s ION DMA buffer management APIs, which were originally added to Android 4.0.

“The main reason for which defenses fail in practice is because they aim to protect all sensitive information by making sure that they are not affected by Rowhammer bit flips. Hence, they are either impractical or they miss cases,” the researchers wrote in their paper. “Instead of trying to protect all physical memory, we focus on limiting the capabilities of an attacker’s uncached allocations. This enforces a strict containment policy in which bit flips that are triggered by reading from uncached memory cannot occur outside the boundaries of that DMA buffer. In effect, this design defends against Rowhammer by eradicating the ability of the attacker to inject bit flips in sensitive data.”
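To make the containment policy described in that passage concrete, here is an added toy model written for this page (it is not code from the RAMpage paper, from GuardION, or from Google's ION allocator). It assumes a deliberately simplified single-sided disturbance model in which hammering a DRAM row can only flip bits in its two physically adjacent rows, a 16-row bank with 8-byte rows, and one empty guard row on each side of a DMA buffer; real row sizes, double-sided hammering and refresh behaviour are out of scope. The experiment allocates a victim buffer next to an attacker-controlled DMA buffer, hammers every row the attacker owns, and reports which other owners ended up with modified rows.

```python
"""Toy model of GuardION-style DMA buffer isolation (constructed illustration).

Physical memory is a list of DRAM rows, each a bytearray, plus an owner label
per row.  Rowhammer is modelled abstractly: activating row r disturbs rows
r-1 and r+1 (assumption: single-sided adjacency only).  The unguarded
allocator packs buffers back to back; the guarded allocator reserves one
empty guard row on each side of a DMA buffer, so any flip induced from inside
the buffer lands either in the buffer itself or in a row that holds no data.
"""
from dataclasses import dataclass, field

ROW_BYTES = 8   # constructed: tiny DRAM "row" so the model stays readable
NUM_ROWS = 16   # constructed: a 16-row bank


@dataclass
class Memory:
    """Physical memory as rows of bytes, with an owner label per row."""
    rows: list = field(default_factory=lambda: [bytearray(ROW_BYTES) for _ in range(NUM_ROWS)])
    owner: list = field(default_factory=lambda: ["free"] * NUM_ROWS)


def allocate(mem: Memory, buf_id: str, nrows: int, guarded: bool) -> list:
    """First-fit allocation of `nrows` data rows for `buf_id`.

    With guarded=True (the GuardION idea, simplified) one guard row is
    reserved on each side of the buffer so that the buffer's physical
    neighbours are never another allocation's data. Returns the data rows.
    """
    span = nrows + (2 if guarded else 0)
    for start in range(NUM_ROWS - span + 1):
        if all(mem.owner[i] == "free" for i in range(start, start + span)):
            if guarded:
                mem.owner[start] = "guard"
                mem.owner[start + span - 1] = "guard"
                data = list(range(start + 1, start + span - 1))
            else:
                data = list(range(start, start + span))
            for i in data:
                mem.owner[i] = buf_id
            return data
    raise MemoryError("no free run of rows")


def hammer(mem: Memory, row: int) -> list:
    """Abstract Rowhammer effect: repeatedly activating `row` disturbs the two
    physically adjacent rows; the model flips the lowest bit of byte 0 there.
    Returns the rows that were disturbed."""
    disturbed = []
    for victim in (row - 1, row + 1):
        if 0 <= victim < NUM_ROWS:
            mem.rows[victim][0] ^= 0x01
            disturbed.append(victim)
    return disturbed


def containment_experiment(guarded: bool) -> set:
    """Allocate a victim buffer, then an attacker-controlled DMA buffer right
    after it, hammer every row the attacker owns, and return the set of owner
    labels (other than the attacker's own rows) whose contents changed."""
    mem = Memory()
    allocate(mem, "victim", 2, guarded)
    attacker_rows = allocate(mem, "attacker", 2, guarded)
    before = [bytes(r) for r in mem.rows]
    for r in attacker_rows:
        hammer(mem, r)
    damaged = set()
    for i, (old, new) in enumerate(zip(before, mem.rows)):
        if old != bytes(new) and mem.owner[i] != "attacker":
            damaged.add(mem.owner[i])
    return damaged


if __name__ == "__main__":
    print("unguarded allocator, damaged owners:", containment_experiment(False))
    print("guard-row allocator, damaged owners:", containment_experiment(True))
```

Without guard rows the flips reach the victim buffer (and free memory that a later allocation would inherit); with guard rows every disturbed row is a guard row, which is the containment property the quoted passage describes. The cost is visible in the model too: each guarded buffer consumes two extra rows, which is the memory-side counterpart of the performance overhead Google raised.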

I think the main message should be that Rowhammer-based exploits are still possible, despite Google’s efforts.
Victor van der Veen, PhD candidate in the VUSec group at Vrije Universiteit Amsterdam

Van der Veen added via email, “I think the main message should be that Rowhammer-based exploits are still possible, despite Google’s efforts. I think there is also (scientific) value in our breakdown of other proposed mitigation techniques and how they apply to mobile devices, plus our proposed defense, GuardION.”

GuardION may not be real-world ready either though. The researchers noted that Google said the mitigation technique resulted in too much “performance overhead” in apps, but they continue to work with the Android security team “to figure out what a real-world benchmark looks like so that we can hopefully improve our implementation.”

Arsene said “the existence of security research that exploits hardware vulnerabilities does not necessarily mean that users will be more at risk than before.”

“Some of it is purely academic and the practical applications of weaponizing this type of research may never become a reality for the masses,” Arsene wrote. “However, users should realize that unpatched, outdated, and unsupported devices and operating systems will always involve significant security risks to their privacy and data.”

M12 and VC partners award $3.5 million to most innovative companies harnessing the power of artificial intelligence

Madrona Venture Group, Notion and Vertex Ventures present in partnership with M12 the winners of Innovate.AI, a global startup competition

NEW ORLEANS — May 1, 2018 — On Tuesday, M12, Microsoft Corp.’s venture fund (formerly known as Microsoft Ventures), announced at Collision Conference the four winners of its global startup competition, Innovate.AI: Envisagenics, Hazy, ZenCity and Voiceitt. Together with Madrona Venture Group, Notion and Vertex Ventures, M12 awarded the four winners a combined $3.5M in venture funding and up to $2M in Microsoft Azure credits to help progress the future of artificial intelligence.

In October, M12 and its venture partners kicked off a global competition called Innovate.AI in a bid to find undiscovered startups around the world working to transform the future through AI. Hundreds of startups across North America, Europe and Israel applied to compete for their region’s respective prizes and demonstrate how artificial intelligence can advance how we live and work.

“From revolutionizing health practices to matching job seekers with skill-based careers, entrepreneurs across the globe captivated us with technologies that bring to life AI’s transformative potential,” said Nagraj Kashyap, corporate vice president, global head of M12. “The number of impressive applicants we received painted a clear picture of how AI can be used to change the way we work, play and live, signaling a bright future for continued AI innovation.”

Winners of each region were awarded a total of $1M in venture funding from M12 and its partners and up to $500K in Azure credits. The winning companies include:

North America: New York-based Envisagenics integrates AI and RNA therapeutics to unlock previously inaccessible cures for hundreds of diseases caused by splicing errors.

“Envisagenics takes a critical issue of disease caused by cancer and genetic irregularities and applies AI to drive the discovery of new drugs,” said S. Somasegar, managing director, Madrona Venture Group. “It is just this type of big and world-changing thinking that we are looking for in startups as they apply this incredibly powerful technology to the core problems in our society. We are excited to work with them as they help drug companies save lives.”

Europe: London-based Hazy uses AI to automate data anonymization to help businesses share data more securely.

“High-profile leaks and regulatory changes risk turning a company’s data from its biggest asset into its greatest liability,” said Alex Flamant, vice president, Notion. “We are excited to be working with the Hazy team as they build the internet’s anonymization layer to secure sensitive datasets.”

Israel: Tel Aviv-based ZenCity uses artificial intelligence to analyze data from conversations on social media, city hotlines and other communication channels to surface trends in real time to city officials to improve citizens’ lives.

“ZenCity can impact the lives of billions of people,” said Emanuel Timor, general partner at Vertex Ventures. “The company is utilizing AI to help city managers provide a better service to their citizens and to understand in real time what their citizens care about. We were highly impressed by the technical solution of the company and its proven ability to have real impact on the decisions of municipal policymakers and their citizens.”

AI for Good: Tel Aviv-based Voiceitt was awarded the AI for Good prize, which included $500K in funding from M12 and $500K in Microsoft Azure credits for best exemplifying the use of AI to improve society, aligned to the mission of M12’s AI Fund. Voiceitt builds speech recognition technology designed to understand nonstandard and dysarthric speech, assisting people who suffer from diseases and disorders such as cerebral palsy, autism, stroke, ALS and Parkinson’s to communicate.

Microsoft’s mission is to make AI more accessible and valuable to everyone. With the help of M12 and its partners, these startups are primed to further that end.

More on Innovate.AI can be found at Innovate.AI.

About Madrona Venture Group

Madrona (www.madrona.com) has been investing in early-stage technology companies in the Pacific Northwest since 1995 and has been privileged to play a role in some of the region’s most successful technology ventures. The firm invests predominately in seed and Series A rounds across the information technology spectrum. Madrona manages more than $1.3 billion and was an early investor in companies such as Amazon.com, Apptio, Rover.com, and Redfin.

About Notion

Notion invests in the enterprise tech of the future, in the teams and companies that have what it takes to solve the biggest problems facing the business world, transforming entire industries in the process. The Notion team founded, built and exited two highly successful SaaS businesses — Star and MessageLabs — and invests exclusively in enterprise tech and SaaS with the ambition to build category leaders. The Notion portfolio includes Brightpearl, Dealflo, GoCardless, MOVE Guides, NewVoiceMedia, Currencycloud, Tradeshift, Triptease and Workable. For more information visit: https://notion.vc/

About Vertex Ventures Israel

Vertex Ventures is a leading global venture capital group supporting entrepreneurs to transform their innovative ideas into world-class businesses. With cumulative committed capital in excess of $2.5 billion, Vertex invests in early-stage IT and healthcare opportunities in Silicon Valley, China, India, Israel, and South East Asia. Since 1988, Vertex is honored to have partnered with the founders of global leaders such as Waze, 91, Grab, IGG, CyberArk, Reebonz, SolarEdge, Force10, FirstCry, Yatra and Changba. Vertex Ventures Israel is one of the pillars of the Vertex Group’s network of Funds focusing on early stage opportunities in the Information Technology sector in Israel. Learn more here.

About M12

M12, formerly Microsoft Ventures, is the corporate venture arm of Microsoft (Nasdaq “MSFT” @microsoft), the leader of digital transformation in the era of an intelligent cloud and an intelligent edge. M12 partners with visionary entrepreneurs looking to drive digital transformation. As part of its promise to portfolio companies, M12 offers unrivaled access to go-to-market resources and strategic relationships globally. M12 currently operates in London, New York, San Francisco, Seattle and Tel Aviv. Learn more here.

For more information, press only:

Microsoft Media Relations, WE Communications for Microsoft, (425) 638-7777, rrt@we-worldwide.com

Erika Shaffer, Madrona Venture Group, (206) 674-6330, erika@madrona.com

Kate Hyslop, Notion, +447795 260286, khyslop@notion.vc

Naama Zalzman-Dror, Vertex Ventures Israel, +972 (524) 375 188, naama@vertexventures.com


Note to editors: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at http://news.microsoft.com. Web links, telephone numbers and titles were correct at time of publication, but may have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://news.microsoft.com/microsoft-public-relations-contacts.


Hackers use ATM jackpotting technique to steal $1M in US

A group of hackers stole over $1 million through ATM jackpotting in the United States.

The hacking group, believed to be an international cybercrime gang, used a technique seen in other countries over the past few years to get ATMs to rapidly spit out cash on demand. Called “jackpotting” because the cash shoots out of the machine the way winnings do on a slot machine, the attack requires the hackers to have physical access to the ATM. Once they have physical access, the hackers can use malware or they can replace the hard drive with an infected one and take control over the system.

ATM jackpotting attacks have happened in other parts of the world — including Central America, Europe and Asia — for several years, but now the attacks have made their way to America, according to a warning sent out to financial organizations by the U.S. Secret Service.

The confidential Secret Service alert, which investigative cybersecurity journalist Brian Krebs reported on, said that ATMs running Windows XP were at the greatest risk of being jackpotted and the hackers were targeting ATMs located in pharmacies, big box retailers and drive-thrus. The Secret Service recommended that ATM operators upgrade to Windows 7 to minimize the risk.

According to Krebs, the Secret Service alert explained that once the hackers have physical access to an ATM, they use an endoscope — an instrument typically used in medicine — to locate where they need to plug a cord into the inside of the cash machine to sync their laptop with the ATM.

The attackers then use an advanced strain of malware called Ploutus.D, which was first reported to have been used in jackpotting attacks in 2013 in Mexico.


How ATM jackpotting works

The hackers reportedly disguise themselves as ATM maintenance crews to gain access to the machines without raising suspicion. Once the malware has been installed on the compromised ATM it will appear to be out of order to potential users. Then, one attacker can go up to the machine while remote hackers trigger the malicious program, and the hacker who appears to be an ordinary ATM user receives the outpouring of cash. The Secret Service report said that in an average Ploutus.D attack, the money is continuously dispensed at a rate of 40 bills every 23 seconds until the machine is totally empty.

After they’ve emptied the ATM, the hackers disguised as the maintenance crew come back and remove their tools to return the ATM to normal operations — without any available cash.

In his blog post about the recent wave of ATM jackpotting attacks, Krebs noted that the hacking group has been targeting Diebold Nixdorf ATMs, which are vulnerable to the Ploutus.D malware. Specifically, Secret Service warned that the attacks have focused on the Opteva 500 and 700 series from Diebold.

Krebs also said the Secret Service had evidence that further attacks were being planned across the country.

Diebold issued a warning about the attacks and suggested that countermeasures to ATM jackpotting should include limiting physical access to the ATM, making sure the firmware for the machines is up to date with the latest security updates, and monitoring the physical activity of the machines. Without physical access, ATM jackpotting is not possible.

In other news

  • A fitness tracking app accidentally exposed the location of military bases around the world. Strava, an app that logs walking, running and other movements, published an interactive map with over 13 trillion GPS points from its users a few months ago. The map has since been used to confirm the location of military bases, which show extra activity along specific routes in otherwise remote areas. These are believed to be jogging routes and even patrol routes at military bases. An analyst at the Institute for United Conflict Analysts, Nathan Ruser, noticed the data last week, and Twitter users have since been posting now-confirmed locations of the military bases. The data exists because military personnel didn’t turn off their fitness trackers while on base, despite Strava’s customizable privacy settings.
  • Google Cloud has teamed up with enterprise mobility management company MobileIron to build a new cloud service. The companies announced that they will combine Google Cloud’s Orbitera commerce platform and MobileIron’s enterprise mobility management and app distribution platform. The enterprise applications and services portal is expected to be released later in 2018 and will mostly be built on top of the Security Assertion Markup Language (SAML) standard. The service will enable resellers, enterprises and others to buy cloud services and distribute them to customers and employees. It will include customized service bundles, customized branding, unified billing, secure cloud access, and usage analytics, according to Google. “We hope this collaboration simplifies and streamlines enterprise application management for businesses, and helps them unlock additional value for their employees and customers,” the companies said in a blog post announcing the joint effort.
  • Researchers discovered that Oracle Micros point-of-sale (POS) systems have been breached. ERPScan researchers published details of the vulnerability, which affects Oracle’s Micros POS terminals and enables an attacker to read any file and receive information without authentication from the devices. The vulnerability was discovered in September 2017 by Dmitry Chastuhin, security researcher at ERPScan, and was fixed and disclosed this month. “[The flaw is] a directory traversal vulnerability in Oracle MICROS EGateway Application Service,” ERPScan explains in its blog post. “In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc.” This means the attacker can run a brute force login attack against the POS devices to gain full access. Micros is used on more than 330,000 cash registers across 180 countries.
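The Micros item above describes a directory traversal flaw: a service that serves files takes a user-supplied name and reads it relative to a document root without checking that the resolved path stays inside that root. The following added Python example, written for this page and not taken from Oracle, ERPScan or any Micros component, shows the vulnerable pattern beside the hardened one. It builds a constructed directory tree in a temporary folder (a public `index.html` and a constructed `db-config.xml` one level above the root, standing in for the configuration files the bullet mentions); the file names and contents are invented for the demonstration.

```python
"""Path traversal: vulnerable file read beside a hardened one (constructed example)."""
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the document root."""


def resolve_under_root(root: str, requested: str) -> str:
    """Return the absolute path for `requested` only if it stays inside `root`.

    Canonicalise both sides with realpath (this collapses '..' and follows
    symlinks) and then require `root` to be a path prefix of the result.
    Merely searching the string for '..' is not enough: absolute paths,
    symlinks and mixed separators all slip past such a filter.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows: certainly outside the root
        inside = False
    if not inside:
        raise TraversalError(f"request escapes document root: {requested!r}")
    return candidate


def read_file_vulnerable(root: str, requested: str) -> str:
    """'Before' form: join and read with no containment check."""
    with open(os.path.join(root, requested), encoding="utf-8") as fh:
        return fh.read()


def read_file_hardened(root: str, requested: str) -> str:
    """'After' form: only open paths that resolve under the document root."""
    with open(resolve_under_root(root, requested), encoding="utf-8") as fh:
        return fh.read()


def build_constructed_tree() -> tuple:
    """Create base/public/index.html and base/db-config.xml in a temp dir."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    root = os.path.join(base, "public")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html>public</html>")
    with open(os.path.join(base, "db-config.xml"), "w", encoding="utf-8") as fh:
        fh.write("constructed-secret")  # stands in for credentials kept outside the web root
    return base, root


def is_blocked(root: str, requested: str) -> bool:
    """True if the hardened reader refuses `requested`."""
    try:
        read_file_hardened(root, requested)
    except TraversalError:
        return True
    return False


def demo() -> dict:
    """Run both readers against the constructed tree and collect the outcomes."""
    base, root = build_constructed_tree()
    return {
        "vulnerable_leaks": read_file_vulnerable(root, "../db-config.xml"),
        "hardened_serves_public": read_file_hardened(root, "index.html"),
        "hardened_blocks_relative": is_blocked(root, "../db-config.xml"),
        "hardened_blocks_absolute": is_blocked(root, os.path.join(base, "db-config.xml")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The detection side follows from the same idea: a web or application log in which requested paths contain `..` segments or absolute paths, or in which responses return files that the application never intends to serve, is the signal to look for when reviewing a file-serving endpoint like the one described.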

What is happening with AI in cybersecurity?

Jon Oltsik, an analyst with Enterprise Strategy Group in Milford, Mass., wrote about the growing role of AI in cybersecurity. Two recent announcements sparked his interest.

The first was by Palo Alto Networks, which rolled out Magnifier, a behavioral analytics system. Second, Alphabet deployed Chronicle, a cybersecurity intelligence platform. Both rely on AI and machine learning to sort through massive amounts of data. Vendors are innovating to bring AI in cybersecurity to the market, and ESG sees growing demand for these forms of advanced analytics.

Twelve percent of enterprises have already deployed AI in cybersecurity. ESG research found 29% of respondents want to accelerate incident detection, while similar numbers demand faster incident response or the ability to better identify and communicate risk to the business. An additional 22% want AI cybersecurity systems to improve situational awareness.

Some AI applications work on a stand-alone basis, often tightly coupled with security information and event management or endpoint detection and response; in other cases, machine learning is applied as a helper app. This is true of Bay Dynamics’ partnership with Symantec, applying Bay’s AI engine to Symantec data loss prevention.

Oltsik cautioned that most chief information security officers (CISOs) don’t understand AI algorithms and data science, so vendors will need to focus on what they can offer to enhance security. “In the future, AI could be a cybersecurity game-changer, and CISOs should be open to this possibility. In the meantime, don’t expect many organizations to throw the cybersecurity baby out with the AI bath water,” Oltsik said.

Read more of Oltsik’s ideas about AI in cybersecurity.

Simplify networks for improved security and performance

Russ White, blogging in Rule 11 Tech, borrowed a quote from a fellow blogger. “The problem is that once you give a monkey a club, he is going to hit you with it if you try to take it away from him.”

In this analogy, the club is software intended to simplify the work of a network engineer. But in reality, White said, making things easier can also create a new attack surface that cybercriminals can exploit.

To that end, White recommended removing unnecessary components and code to reduce the attack surface of a network. Routing protocols, quality-of-service controls and transport protocols can all be trimmed back, along with some virtual networks and overlays.

In addition to beefing up security, resilience is another key consideration, White said. When engineers think of network failure, their first thoughts include bugs in the code, failed connectors and faulty hardware. In reality, however, White said most failures stem from misconfiguration and user error.

“Giving the operator too many knobs to solve a single problem is the equivalent of giving the monkey a club. Simplicity in network design has many advantages — including giving the monkey a smaller club,” he said.

Explore more from White about network simplicity.

BGP in data centers using EVPN

Ivan Pepelnjak, writing in ipSpace, focused on running Ethernet VPN, or EVPN, in a single data center fabric with either EVPN or MPLS encapsulation. He contrasts this model with running EVPN between data center fabrics, where most implementations require domain isolation at the fabric edge.

EVPN is used as a Border Gateway Protocol address family that can be run on external BGP or internal BGP connections. For single data center fabrics, engineers can use either IBGP or EBGP to build EVPN infrastructure within a single data center fabric, Pepelnjak said.

He cautioned, however, that spine switches shouldn’t be involved in intra-fabric customer traffic forwarding. The BGP next-hop in an EVPN update can’t be changed on the path between ingress and egress switch, he said. Instead, the BGP next-hop must always point to the egress fabric edge switch.
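The next-hop caution above is easy to see in a small model. The following added Python example is written for this page and is not vendor code or anything from ipSpace; it assumes a VXLAN data plane in which only leaf switches are VTEPs, constructed loopback addresses, and the default EBGP behaviour of rewriting the next-hop to the re-advertising router. It propagates one EVPN MAC route from the egress leaf through a spine to the ingress leaf, with and without the next-hop preserved, and reports where the encapsulated traffic ends up.

```python
"""Toy model of EVPN route propagation across EBGP in a leaf-spine fabric.

Constructed illustration: the egress leaf advertises a MAC route whose BGP
next-hop is its own VTEP address.  When a spine re-advertises the route over
EBGP it rewrites the next-hop to itself by default; the ingress leaf then
encapsulates traffic toward a node that is not a VTEP and the traffic is
black-holed.  Keeping the next-hop unchanged preserves the path to the
egress leaf.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    address: str    # loopback used as BGP next-hop (constructed addresses)
    is_vtep: bool   # assumption: only leaves terminate the VXLAN overlay


@dataclass
class EvpnRoute:
    mac: str
    vni: int
    next_hop: str


def advertise_across(route: EvpnRoute, path: list, next_hop_unchanged: bool) -> EvpnRoute:
    """Propagate `route` from path[0] (egress leaf) to path[-1] (ingress leaf).

    Every intermediate node re-advertises the route over an EBGP session.  By
    default an EBGP speaker sets the next-hop to its own address; with
    next_hop_unchanged=True it leaves the original VTEP address in place.
    """
    next_hop = route.next_hop
    for transit in path[1:-1]:
        if not next_hop_unchanged:
            next_hop = transit.address
    return EvpnRoute(route.mac, route.vni, next_hop)


def forward(route: EvpnRoute, nodes: list) -> str:
    """The ingress leaf encapsulates toward route.next_hop.  Returns where the
    frame ends up: the VTEP that decapsulates it, or the point it is dropped."""
    target = next((n for n in nodes if n.address == route.next_hop), None)
    if target is None:
        return "dropped: next-hop unknown"
    if not target.is_vtep:
        return f"dropped at {target.name}: not a VTEP, cannot decapsulate"
    return f"delivered to {target.name}"


def fabric_test(next_hop_unchanged: bool) -> str:
    """Two leaves and one spine; leaf2 advertises a MAC, leaf1 forwards to it."""
    leaf1 = Node("leaf1", "10.0.0.1", True)
    spine1 = Node("spine1", "10.0.0.10", False)
    leaf2 = Node("leaf2", "10.0.0.2", True)
    nodes = [leaf1, spine1, leaf2]
    route = EvpnRoute("00:11:22:33:44:55", 10010, next_hop=leaf2.address)
    seen_by_leaf1 = advertise_across(route, [leaf2, spine1, leaf1], next_hop_unchanged)
    return forward(seen_by_leaf1, nodes)


if __name__ == "__main__":
    print("default EBGP next-hop rewrite :", fabric_test(False))
    print("next-hop preserved            :", fabric_test(True))
```

The model is the whole argument in miniature: the spine carries the control-plane update but has no role in the overlay data plane, so any implementation that lets the spine become the next-hop of an intra-fabric EVPN route turns a working fabric into a black hole.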

To exchange EVPN updates across EBGP sessions within a data center fabric, the implementation needs to support functionality similar to MPLS VPN. Pepelnjak added that many vendors have not improved their EVPN integration, and users often run into issues that can result in numerous configuration changes.

Pepelnjak recommended avoiding vendors that market EBGP between leaf-and-spine switches or IBGP on top of intra-fabric EBGP. If engineers are stuck with an inflexible vendor, it may be best to use an Interior Gateway Protocol as the underlay routing protocol.

Dig deeper into Pepelnjak’s ideas on EVPN.