Experts are urging organizations to immediately patch a dangerous DNS vulnerability known as SigRed after proof-of-concept exploits have emerged on the internet.
SigRed, a 17-year-old Windows DNS server vulnerability that was assigned a CVSS score of 10.0 was discovered by Check Point Research. In response, Microsoft released a patch Tuesday.
“SigRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response,” Check Point’s blog post on the vulnerability reads. “As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.”
The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) released an advisory Thursday directing users and administrators to “review Microsoft’s Security Advisory and Blog for more information, and apply the necessary update and workaround” by 2 p.m. EST Friday.
CISA director Christopher Krebs said in a blog post Thursday that it was critical for agencies to patch SigRed or implement a mitigation within 24 hours. “Though we are not aware of active exploitation, it is only a matter of time for an exploit to be created for this vulnerability,” he wrote.
Johannes Ullrich of the SANS Institute’s Internet Storm Center noted Thursday that there is at least one “real” proof-of-concept (PoC) exploit for SigRed available online, and while it doesn’t execute code on target systems, he said it could cause DNS servers to crash. Additional PoC exploits have been discovered online, though their effectiveness has not been verified.
Ullrich told SearchSecurity that this vulnerability offers the potential to break entire network architectures.
“The problem is that it potentially allows a remote code execution on the DNS server, which is in itself bad but often the DNS server in the Windows architecture is running on your domain controller, which is the keys to the kingdom, so owning the domain server often means owning of the network,” he said. ” This vulnerability can potentially break entire network architectures that are built around the standard Windows setup.”
Paul Vixie, developer of the DNS protocol and founder and CEO at Farsight Security, argued that the level of attention CVE-2020-1350 received is appropriate because of the nature of DNS architecture and the wormable capability of the flaw.
“When you’re talking about remote code execution and you’re talking about elevated privilege, that gives you a CVSS score of a perfect 10. It is not possible to measure the risk of a vulnerability as being higher than this,” Vixie said, adding that entire network infrastructure can be disrupted by infecting one PC inside an environment. “Once you can do that, you can cause the Sig query to be made and then you can cause an adjacent infection in addition to the one you entered the network with,” he said. “So, this is important.”
However, Vixie added that the “true importance” of SigRed probably won’t be known for a while.
While tracking a new security threat known as “GuLoader,” researchers at Check Point Software Technologies discovered more than just a malicious software installer.
GuLoader has been on the radar of a number of security vendors this year. According to a new report this week, Check Point Research said the installer or network dropper “has been very actively distributed in 2020 and is used to deliver malware with the help of cloud services such as Google Drive,” with hundreds of attacks using GuLoader being observed every day.
An investigation into GuLoader led the security vendor to the website of an Italian security software company which offered a product called CloudEye. While their operations and clearnet website appeared to be legitimate, providing software to protect Windows applications, they actually sell a product comparable to GuLoader and undetectable to antivirus software, according to Check Point.
In its report titled “GuLoader? No, CloudEye,” Check Point estimates the Italian company makes a monthly income of $500,000 from sales to cybercriminals. And, according to Maya Levine, Check Point’s technical marketing engineer for cloud security, it’s been a legally registered Italian company operating a publicly available website for years. This form of sales is unusual because attackers commonly do their business on the dark web, Levine said. Though they aren’t hiding on the dark web, finding CloudEye wasn’t a simple process.
“While monitoring GuLoader we repeatedly encountered samples that our systems detected as GuLoader, but they didn’t have the URL in it for downloading the payload,” Levine said. “When we looked at it manually and analyzed it, we found the payload is embedded in the sample itself. It was slightly different than GuLoader — it was something called DarkEye.”
After a search for DarkEye on the dark web, Check Point researchers found multiple advertisements that described it as a cryptor that could be used with a variety of malware that would make it fully undetectable for antivirus. A closer look at who posted the advertisements led to a website whose URL was mentioned in the ads.
Maya LevineTechnical marketing engineer for cloud security, Check Point Software Technologies
“It was connected to DarkEye but it was selling a product they called CloudEye. They pretended to be legitimate and aboveboard, but they are selling basically the same thing as GuLoader,” Levine said. “When we looked at the sample from CloudEye and the same we had for GuLoader, we found it almost identical. The only difference came from code randomization techniques but the actual important information in the code, the import functions, were all identical.”
Check Point’s report cited CloudEye’s website, which states “DarkEye evolved into CloudEye! Next generation of Windows executables’ protection!” Earlier versions of the website on the Internet Archive’s Wayback Machine show the company was previously called DarkEye.
Not only did Check Point find CloudEye was offering a commodity downloader strikingly similar to GuLoader, it also provided video tutorials on its website of how to use it.
“Basically what they’re selling is the ability to bypass cloud drive antivirus checking because Google and all those [cloud services] don’t allow you to upload malware. What they’re selling uses techniques to avoid being detected by a lot of these security products,” Levine said.
CloudEye and cloud-based attacks
A new trend is what jumpstarted Check Point’s inquiry into GuLoader initially. Earlier this year, the security vendor determined that the delivery of malware through cloud drives is one of the fastest-growing trends of 2020. Research into the trend led to the discovery of GuLoader, which has become very prevalent in the threat landscape, Levine said. According to Levine, up to 25% of all packed malware samples are GuLoader.
“We looked at how these attacks usually work. Usually there’s a dropper that’s sent in the form of an email, spam emails, that have an embedded attachment. An ISO file has the malicious executable then that dropper will download the malicious payload from a well-known cloud service and execute it,” Levine said.
Email security vendor Proofpoint has also been tracking GuLoader. Researchers first observed it being used in December 2019 to deliver Parallax RAT and began looking into the malware in conjunction with that research. Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, says GuLoader is interesting for three reasons.
“First, it’s written in Visual Basic 6.0, a version of Visual Basic Microsoft stopped supporting in 2008. Second, we found that while it was new, it was being adopted very quickly by multiple threat actors. Third, it stores its encrypted payloads on Google Drive or Microsoft OneDrive, showing that threat actors are leveraging the cloud just like businesses are,” DeGrippo said.
One reason attackers are turning to this method of malware delivery is the fact that it can fool a lot of humans and a lot of firewalls, Levine said.
“If humans look at the network activity and all they see is Google Drive, they’ll probably dismiss that activity as legitimate even though it’s contacting Google Drive to download something malicious,” Levine said. “Same thing with firewalls, because the antivirus signatures aren’t always distributed on a daily basis; sometimes it’s a weekly basis so there’s a lag these kind of attacks could take advantage of.”
Evasion and disguises
Hiding under a legitimate front isn’t the only sneaky part of the CloudEye dropper.
“There’s a spam email with an embedded attachment; usually it’s an ISO file with the malicious executable, and then they disguise the payload as a picture. The key here is that it’s encrypted while it’s in cloud storage; it only gets decrypted on the victim’s machine,” Levine said. “And what that does is make it so the cloud host can’t really kick off the malicious payload because it’s decrypted while it’s on their servers, so they don’t really know what it is.”
The image file may appear as a jury summons, for example. Once it’s opened and the dropper is activated, it fetches the malware payload and only stores it in memory, Levine said.
While there is some technology like sandboxing that will detect these malicious droppers, Levine said CloudEye has been a common denominator in thousands of attacks over the past year.
While this instance of threat actors standing up a “fake” company is not very common, Check Point’s head of cyber research Yaniv Balmas says it is not the first case in which a cybercrime tool was sold publicly on the internet.
“In most cases it is very difficult to link the tool to a specific company, or to a specific person. In this case however it seems the amount of connections we found linking this site to the ‘real world’ were significant. This might mean the owners are not concerned from being exposed, as they probably believe the ‘legitimacy cover’ is providing them with the required legal umbrella allowing them to continue their actions even if it will be brought to the public eye,” Balmas said. “The sad fact is they may be right.”
SearchSecurity contacted CloudEye for comment but the company has not responded. Attempts by Check Point to reach CloudEye were also unsuccessful.
CloudEye’s website was updated Wednesday with a statement from Sebastiano Dragna and Ivano Mancini, who were named in the Check Point report:
“We learned from the press that unsuspecting users would use our platform to perpetrate abuses of all kinds. Our protection software was created and developed to protect intellectual works from the abuse of hackers and their affiliates, not to sow malware around the network. Although we are not sure that what is reported by the media is true, we believe it appropriate to suspend our service indefinitely. We are two young entrepreneurs, passionate about IT security and our goal is to enrich the scientific community with our services, not to allow a distorted use of our intellectual work. We thank all our customers, who have legally used our services since 2015. Customers will be reimbursed for purchased and unused license days. For more information contact us by e-mail [email protected], you will receive an answer within 24 hours.”
Oracle’s latest release of the Java language and platform, Java 14 — also known as Oracle JDK14 — brings a series of features focused on helping developers code faster and more efficiently.
The latest Java Development Kit (JDK) provides new developer-focused features including Java language support for switch expressions, new APIs for continuous monitoring of JDK Flight Recorder data, and extended availability of the low-latency Z Garbage Collector to macOS and Windows.
In addition, Java 14 includes three preview features that come out of the JDK Enhancement Proposals (JEP) process. These are Pattern Matching, or JEP 305; Records, or JEP 359; and Text Blocks, also known as JEP 368.
Java 12 introduced switch expressions in preview, and it is now standard in Java 14. This feature extends the Java switch statement so it can be used as either a statement or an expression. “Basically, we converted the switch statement into an expression and made it much simpler and more concise,” said Aurelio Garcia-Ribeyro, Oracle’s Sr. Director of Product Management, Java Platform.
Oracle will give developers a way to spot errors by continuously monitoring the JDK Flight Recorder, a tool integrated into the Java Virtual Machine for collecting diagnostic and profiling data about a running Java application.
Finally, the z Garbage Collector, also known as ZGC, is a scalable, low-latency garbage collector. Garbage collection is a form of automatic memory management that frees up memory that is no longer in use or needed by the application. Prior to the Windows and MacOS support introduced with Java 14, the z Garbage collector was available only on Linux/x64 platforms.
As for the preview features, Oracle has developed pattern matching for the Java “instanceof” operator. The instanceof operator is used to test if an object is of a given type. In turn, the introduction of Java Records cuts down on the verbosity of Java and provides a compact syntax for declaring classes.
“Records will eliminate a lot of the boilerplate that has historically been needed to create a class,” Garcia-Ribeyro said.
Text Blocks, initially introduced in Java 13 as a preview, returns as an enhanced preview in Java 14. Text Blocks make it easy to express strings that span several lines of source code. It enhances the readability of strings in Java programs that denote code written in non-Java languages, Garcia-Ribeyro said.
Oracle needs to give Java developers the types of tools they need to evolve with the marketplace, said Bradley Shimmin, an analyst at Omdia in Longmeadow, Mass.
“When I look at what they’re doing with Java 14, they’re adding features that make the language more resilient, more performant and that make developers more productive in using the language,” he said.
Oracle takes iterative approach to Java updates
Java 14 also includes a new Packaging Tool, introduced as an incubator feature, that provides a way for developers to package Java applications for distribution in platform-specific formats. This tool is introduced as an incubator module to get developer feedback as the tool nears finalization.
Among the more obscure features in this release are Non-Volatile Mapped Byte Buffers, which add a file mapping mode for the JDK when using non-volatile memory. Also, Helpful NullPointerExceptions improves the usability of NullPointerExceptions by describing precisely which variable was null. NullPointerExceptions are exceptions that occur when you try to use a reference that points to no location in memory as though it were referencing an object. And the Foreign-Memory Access API allows Java programs to safely access foreign memory outside of the Java heap. The Java heap is the amount of memory allocated to applications running in the JVM.
Java 14 is another new release of the language under the six-month cadence Oracle instituted more than two years ago. The purpose of the quicker cadence of releases is to get “more bite-size pieces that are easier to deploy and manage and that get the features to app developers in the enterprise to benefit from these new capabilities,” said Manish Gupta, Oracle’s Vice President of Marketing for Java and GraalVM.
Overall, Oracle wants to advance the Java language and platform to make it work well for new cloud computing applications as well as platforms such as mobile and IoT. In 2017, Oracle spun out enterprise Java, known as Java Enterprise Edition or JavaEE, to the Eclipse Foundation. Eclipse has since created a new enterprise Java specification called Jakarta EE.
“When I think about Java 14, what I’m seeing is that Oracle is not only staying true to what they promised back when they acquired Sun Microsystems, which was to do no harm to Java, but that they are trying to now evolve Java in such a way that it can remain relevant into the future,” Shimmin said.
A VMware VM template — also known as a golden image — is a perfect copy of a VM from which you can deploy identical VMs. Templates include a VM’s virtual disks and settings, and they can not only save users time but help them avoid errors when configuring new Windows and Linux VMs.
VM templates enable VMware admins to create exact copies of VMs for cloning, converting and deploying. They can be used to simplify configuration and ensure the standardization of VMs throughout your entire ecosystem. Templates can also be used as long-term backups of VMs. However, you can’t operate a VM template without converting it back to a standard VM.
VSphere templates can be accessed through your content library. The content library wizard will then walk you through configuration steps, such as publishing and optimizing templates. It designates roles and privileges that you can then assign to users, and it eases VM deployment options.
Best practices for Hyper-V templates
You can create and deploy VMware VM templates through Hyper-V, as well. Hyper-V templates enable users to deploy VMs quickly with greater security, such as with shielded VMs, and reduce network congestion. They rely on System Center Virtual Machine Manager (SCVMM) and require specific configurations.
To create a Hyper-V template, select a base object from which you want to create the template — an extant VM template, a virtual hard disk or a VM. Assign a name to the new template and configure the virtual hardware and operating settings the deployed VM will use.
Keep in mind that not every VM is a viable template candidate. If your system partition is not the same as your Windows partition, you won’t be able to use that VM as a template source.
To create a shielded VM — one that protects against a compromised host — run the Shielded Template Disk Creation Wizard. Specify your required settings in the wizard and click Generate to produce the template disk, then copy that disk to your template library. The disk should appear in your content library with a small shield icon, which signifies that it has shielded technology.
How to create a VMware VM template with Packer
Packer is a free tool that can help you automate vSphere template creation and management. It features multiple builders optimized for VMware Fusion, Workstation Pro or Workstation Player. The vmware-iso Packer plugin builder supports using a remote ESXi server to build a template, and the vsphere-iso plugin helps you connect to a vCenter environment and build on any host in a cluster.
When you use Packer to make a VM template, you use two main file types. The JSON file makes up the template, and the autounattend.xml file automates Windows installation on your VM. Once your scripts, JSON file and autounattend file are ready, you can build a VM template in Packer. When the build is complete, Packer converts the VM to a template that you can view and deploy through PowerCLI.
Use PowerCLI to deploy a template
You can use PowerCLI to deploy new VMs from a template. Create an OS customization specification through PowerCLI to start the deployment process and to ensure that when you create your VMs from a template, you can still change certain settings to make them unique. These settings would include organization name, security identifier, local administrator password, Active Directory domain, time zone, domain credentials, Windows product key and AutoLogonCount registry key. The PowerCLI cmdlet might resemble the following:
There are a few common mistakes to VM template creation and deployment that you’ll want to avoid.
Creating a VMware template directly from a VM ends up destroying the VM. Always create a clone of a VM prior to creating a template from one. Even if you create a VM solely to become a template, template creation could fail and destroy your VM. A common reason for template creation failure is trying to create a template from a Linux VM. In that case, the template creation process wants to Sysprep a VM but Sysprep is designed for Windows OSes.
You also need to ensure that the model VM you want to turn into a template isn’t domain-jointed. Joining a VM to an Active Directory domain can cause the system to create a computer account for the VM, which then leaves that computer account orphaned during the template creation process. To work around this issue, have the template itself handle the domain join and secure the library share in a way that prevents anyone other than VM admins from having access.
Finally, don’t include any preinstalled applications on a VM template. The Sysprep process often breaks such applications. You can instead use an application profile or configure a VM template to run a script for automated application installation.
“Wi-Fi 6 is most definitely a game-changer technology,” said Abel Nevarez, an analyst at IHS Markit Technology. “Not only will it increase capacity, interoperability and efficiency, but it’ll also make Wi-Fi access more secure, which will allow for new and innovative monetization schemes.”
Nevarez added that the Wi-Fi Alliance’s Sept. 16 rollout of the certification program is a big milestone for getting Wi-Fi Certified 6 handsets and routers into the hands of data-hungry consumers.
Why Wi-Fi Certified 6 matters
The certification itself is important because it helps guarantee that there will be a certain base level of interoperability among devices and infrastructures, said Anshel Sag, an analyst with Moor Insights and Strategy.
The IEEE 802.11ax standard that Wi-Fi Certified 6 is based on has many features, but not everyone will implement them all, Sag noted. The result could be interoperability problems, so by creating a minimum spec and certain set of interoperability expectations, the Wi-Fi Alliance has created a certification that helps both consumers and businesses.
Kevin Robinson, vice president of marketing for the Wi-Fi Alliance, noted that his organization had been working for many years on the certification effort leading up the formal rollout on Sept. 16.
Abel NevarezAnalyst, IHS Markit Technology
Robinson noted that Wi-Fi Alliance certification programs supporting new generations of Wi-Fi, are generally announced every five to seven years. The last was Wi-Fi Certified ac in 2013, which supported the IEEE 802.11ac standard.
He said that certification typically serves as an inflection point for industry adoption of a technology.
“We expect service providers, both fixed and mobile, to deploy the technology and expect users will very soon begin seeing the benefits of the technology, which includes 4x capacity and speeds of Wi-Fi 5,” Robinson said.
Wi-Fi Certified 6 in the enterprise
Meanwhile, one of the main advantages of Wi-Fi 6 is the improved efficiency of the Wi-Fi medium — that’s the reason why the standard uses the term High Efficiency, or HE, according to Anil Gupta, co-founder and CTO of Wi-Fi assurance vendor Wyebot, based in Marlborough, Mass.
Places that would benefit from Wi-Fi 6 are high-density areas like a cafeterias, stadiums and auditoriums. Other workspaces within an enterprise may not necessarily have the density of people or enough people or Wi-Fi devices to justify a full rip-and-replace upgrade to access points with Wi-Fi 6 technology.
“The most common applications within enterprises and different verticals that may require high-speed performance are video and web-conferencing,” Gupta said. “However, the speeds offered by 802.11ac (Wi-Fi 5) are more than enough to support such applications.”
In the view of Abhijit Sunil, a Forrester analyst, Wi-Fi Certified 6 will open up many use cases that can benefit from more reliable and faster connections, especially in closed spaces that were attributed or similar tothose touted for 5G— such as office collaboration spaces and smart homes.
“Wi-Fi 6 will in no way replace 5G, but this milestone enables many use cases to be tested and when 5G matures in the near future, to complement high-speed connectivity to the internet,” Sunil said.
Amazon CTO Werner Vogels is known for his work with Amazon Web Services, but he actually leads technology innovation across the entire company. In a keynote talk at this week’s AWS Summit event in New York City, he outlined new product directions and his philosophy for the future of cloud computing.
Vogels sat down with TechTarget to discuss a wide range of issues, from transparency into future development of AWS services to customers’ multi-cloud plans.
In December 2018, AWSposted a public roadmapfor its container strategy on GitHub. This was seen as an unusual, maybe unprecedented move. Talk about transparency in terms of a philosophy — will we see more of this kind of thing out of AWS?
Werner Vogels: As always, with respect to customer interaction, we try to experiment. The whole thing with roadmaps is that once you produce it, you have to stick with it. And historically, we’ve always tried to be more secretive. We’ve always tried to keep the roadmap with customers under NDA. Mostly so we could have the opportunity to change our minds.
Because once you promise customers you’re going to deliver X, Y and Z in September, you have to deliver X, Y and Z in September for them.
And so I think given the tremendous interest of developers in containers, this seems like a really great space to start with giving the community access to a roadmap, knowing what’s coming. And I think definitely given our close cooperation with that group we need this sort of ecosystem. I think it was really important to show what our plans are there.
One critique of AWS is that CloudFormationlags too muchwith regard to support for new AWS features.In response, AWS pledged toprovide more transparencyaround CloudFormation, including a roadmap.What’s going on from your perspective with CloudFormation?
Vogels: Often we have a number of innovations scheduled for CloudFormation, but as you can see we put a lot of effort into the Cloud Development Kit, or CDK. One thing we’ve gotten from developers is that they prefer to write code instead of these large, declarative JSON and XML files. I showed it onstage this morning, with the demo that we did. We’ve put most of our effort in actually going the CDK route more than sort of extending CloudFormation.
Most customers have asked for new features in CloudFormation to get sort of parity with what Terraform is doing. I have great respect for HashiCorp and the speed at which they’re innovating. They’re a great partner. And as such, we’re working with CloudFormation to take it in the direction that customers are asking for.
I think overall, we’re on a good path, the right path. But I love the fact that there is a long list of requests for CloudFormation. It means that customers are passionate about it and want us to do more.
There is a sense these days that enterprises should look to be multi-cloud, not tied to a single provider, for reasons such as cost, vendor management and richer opportunities for innovation. One of your competitors, Google, hopes to be a middleman player with its Anthosmulti-cloud deployment platform. What is your stance on multi-cloud, and can we see something like Anthos coming out of AWS someday?
Vogels: It depends a bit on how you define multi-cloud. If you think about if you have this one application that you want to run on any of the providers, you pretty quickly go to a lowest common denominator, which is to use a cloud as a data center. You just use instances as a service. Now you get some elasticity, you get some cost savings out of it, maybe some more reliability, but you get none of the other benefits. You can’t use any of the security tools that Amazon is giving you. Plus, you need to have your workforce, your development force able to be proficient in each and every one of these clouds that you’re using, which seems like a waste.
Werner VogelsCTO, Amazon
The few companies that I’ve seen being slightly successful with having a multi-cloud approach are ones that say, oh this is one particular thing that this particular provider is unique in and I really want to make use of that. Well, sometimes that’s as some sort of a vertical, or it might be in a particular location.
The other thing that we’re working with most of our enterprise customers is, what is an exit strategy? What do I need to do, if one moment I decide that I would like to move over to another provider? That for any large enterprise is just good due diligence. If you start using a [SaaS application], you want to know about what do we need to do to get my data out of there, if I want to move let’s say from Salesforce to Workday.
It’s the same for most large enterprises. They want to know how much work is it actually for me to actually move if I decide to go from cloud provider A to cloud provider B, or maybe bring it back on premises.
That’s something that we’ve been working on with most of our large customers, because that’s just good due diligence.
You talked about your strategy for developers today [in the AWS Summit keynote]. Are you satisfied with where AWS is with regard to developer experience?
Vogels: I’m never satisfied. I think this is mostly focused on serverless. Anything serverless is still so much in flux. We see customers building more and more complex and larger applications using only serverless components, and we’re learning from that. What are the kinds of things that customers want?
For example, when we launched [Lambda] Layers, that was purely from feedback from customers saying, ‘Hey you know, we have this whole set of basic components that we are always using for each of our applications, but it doesn’t allow us to actually easily integrate them.’ So we built Layers for customers.
We continue to look at how we can do these things. The same goes for building Custom Runtimes. There [are] only so many languages you can do yourself, but if there’s someone else that wants to do Haskell or Caml, or any let’s say, less popular language, we should be able to enable them. And so we built Custom Runtimes.
Part two of TechTarget’s Q&A with Amazon CTO Werner Vogels will touch on AWS Outposts, AWS’ pace of innovation, and how customers can control cloud costs.
BOSTON — Since its inception, HubSpot has been known as a software company for SMBs, providing low-cost or free versions of marketing automation and CRM software, eventually adding sales and service tools.
Now the inbound marketing automation software vendor is targeting the enterprise market, with new products that the company said are commercially available now.
At its annual user conference, Inbound 2018, HubSpot unveiled a lineup of HubSpot enterprise tools aimed at helping companies that have outgrown the vendor’s initial products stay with HubSpot.
HubSpot had to expand reach
HubSpot “was losing customers, so it needed to expand,” said Predrag Jakovljevic, principal analyst at Technology Evaluation Centers.
Jakovljevic said with the HubSpot enterprise products, the company can target larger companies that need more scalability. He said HubSpot enterprise products can scale up to companies with up to about 2,000 employees.
The launch was not without its glitches. Early Sept. 6, the morning after HubSpot introduced the enterprise platform, an outage occurred. Tweeters quickly exposed it via the #HubSpotDown hashtag. HubSpot got it back online, blaming “configuration code” issues in a company blog.
HubSpot also released a video creation tool and a CMS product.
The branding could be seen as slightly confusing, as the term “enterprise” is commonly used to refer to the largest of organizations — ones with multiple departments scattered across locations, said Laurie McCabe, an analyst and partner at SMB Group. HubSpot, however, is using enterprise in terms of scaling up an organization’s processes.
“In the tech industry, we’ve taken the word ‘enterprise’ to mean large businesses,” McCabe said. “HubSpot is just continuing to grow with its customers.”
Moving to enterprise
Among the new HubSpot enterprise offerings are Sales Hub Enterprise and Service Hub Enterprise.
Sales Hub Enterprise offers the capability to build out best practices and resources for a sales team — useful for enterprises trying to get large sales teams working in the same direction. Service Hub Enterprise includes features to help teams track against service-level agreements and other service metrics.
The existing Marketing Hub Enterprise received upgrades around analytics and custom bot capabilities. HubSpot now offers three levels of sales, marketing and service products: starter, professional and enterprise.
Users at Inbound 2018 expressed enthusiasm about some of the new features, but also wondered whether HubSpot enterprise products were right for their organization.
“We’re trying to embrace tech and bring an old-fashioned niche market into the modern world,” said Chad Wiertzema, creative marketing manager at ITM TwentyFirst, an independent life insurance firm. “We’ve used [HubSpot Marketing Hub] for about a year now at the professional level, and we’re wondering if it makes sense for us to use the enterprise product.”
Wiertzema said he spoke to a HubSpot rep about the enterprise product and whether ITM TwentyFirst would benefit from it, as the company has grown over the past five years.
“We’re getting close to it,” he said, referring to his company’s growth and whether it is ready for larger scale platform from HubSpot.
HubSpot adds video creation
HubSpot said it hopes that its new suite of products will enable its customers to better sell customer experiences, rather than products or services.
“The product used to win,” said Brian Halligan, co-founder and CEO of HubSpot, in a keynote. “Now the customer experience is what wins.”
HubSpot’s CTO and other co-founder, Dharmesh Shah, echoed that sentiment from the conference stage.
“Improving your experience by 10 times is much easier than improving your product by 10 times,” Shah said.
HubSpot also released a video feature available across its suite of products. HubSpot Video — powered by partner Vidyard — will include video hosting, in-video forms and a video creation tool.
HubSpot Video enables marketers to host and manage video files for campaigns, according to the company. Sales reps can create and share personalized videos from the CRM and service teams can help customers more completely with personalized service videos.
“Videos are what customers want,” McCabe said. “And they are sometimes easier to produce than blog posts.”
Video for creating content
Other users spoke positively about the potential for HubSpot Video, with creating content becoming a bigger priority for many companies.
Meanwhile, other features across all three HubSpot enterprise products include Slack integrations, machine learning for predictive lead scoring and Conversations — HubSpot’s communication unifier, previewed a year ago and commercially released in August 2018.
HubSpot also released a stand-alone CMS tool to help with website creation, as well as a Service Hub Starter product, which helps organizations do entry-level service requests like ticketing, help desk services and connecting with customers through live chat.
Pricing for HubSpot products varies depending on whether an organization licenses the starter, professional or enterprise level.
Amanda Rousseau, the senior malware researcher at Endgame who is also known as Malware Unicorn, began her career working for the Department of Defense Cyber Crime Center performing computer forensics investigations before moving into the private sector.
At Black Hat USA 2018, Rousseau talked about her experiences with dead box computer forensics investigations — studying a device after a crime has been committed in order to find evidence — how to de-stress after spending a week reverse engineering malware encryption, and how to tell the difference between code written by a script-kiddie and a nation-state actor.
This interview was edited for length and clarity.
What was your role in computer forensics investigations?
Amanda Rousseau: When I did forensics, I did criminal investigation. So if there was a murder, if there was domestic terrorism or something like that, they would give me the hard drive and I would analyze it.
It was very specific; it’s not really intrusions, right? Intrusions are more dynamic. But even when you talk about attribution, I cringe because no one really wants to put their finger on where it came from, exactly. If you get it wrong, you could start a war.
I was never on threat intel, thank goodness. I was mainly doing case-by-case, just looking at a certain thing in malware, writing a report on it, giving it up to someone else so that they can do the groundwork. I was more behind the scenes.
Even now, I feel like it’s my job to take out all of the interesting information for them to put the clues together on there. Because when you think about when an FBI agent, or someone that’s doing the investigation, [they know] much more that I don’t know outside of what I see. I can only give my nonbiased results from what I’ve analyzed. And they can put the clues together themselves.
It takes a team. It takes a team to do that kind of stuff.
When it comes to computer forensics investigations, what were the challenges in ensuring the evidence was accurate?
Amanda Rousseausenior malware researcher, Endgame
Rousseau: We had to prove that that person was at the computer at that time. Because there would be incidents where the wife’s husband, boyfriend, or whatever would be at her computer or vice versa. So you really couldn’t put that person at the computer doing that thing. Maybe there was a camera that took a picture that [proved] they were there, or maybe their alibi would prove that they were at the computer. But it’s really hard, even for that tiny moment in time, for dead box forensics.
For intrusion forensics, it’s completely different. You can trace the IP [address] to the server, and it’s another jump server, and then you see who owns the server, and then the people on the ground have to go trace who’s at that address who owns the server and you get all the credit card accounts that paid for that server.
What was the most difficult thing that you had to do in dead box cyber forensics investigations?
Rousseau: One difficult thing was when I was learning; it was just a learning curve. All you had to do was do it more and practice. It’s kind of like reversing; the more you do it, the more experience you get and [you] see quicker ways to do things.
I think when I did intrusions investigation, the hardest thing to do was encryption, because you have to sit there and try to identify encryption algorithms backwards. And so you’re sitting there with pen and paper like, ‘OK. This bit gets flipped here.’ And you’re writing the whole algorithm down and trying to visualize it. And then you’d identify, ‘Oh, it’s doing this.’ And that’s like a week’s worth of work. But it’s fun. It’s like a puzzle to me.
A week-long puzzle, though. It sounds taxing.
Rousseau: Yeah. You really have to time-manage your brain. Like, ‘OK, it’s the end of the day. I’ll put my notes down.” Next day, pick it back up, figure it out.
What’s a good way to decompress when trying to reverse encryption like that?
Rousseau: You know, it’s funny because there’s a lot of reverse engineers that are runners, or triathletes. So I haven’t done a lot of running this year, but before, I was marathon training. Because you’re sitting there for hours and hours … just staring at code. We forget to stand up and move around and everything. But running was my only way to …
Overcompensate with marathons.
Rousseau: Yeah, exactly.
Now, rather than cyber forensics investigations, you’re mainly doing reverse engineering of malware. Can you walk us through that process?
Rousseau: Pretty much my day-to-day job is looking at malware, taking it apart, writing a detection for it, doing the research. It’s either short term or long term, depending on what the product needs, or what the customer needs at that time, pretty much.
There’s a process. If you’re looking at thousands of samples, you’ve got to have a way to triage all of that and bubble up the things that are important, or the ones that you should be looking at. Same with the file itself. I don’t want to just start from the beginning. I want to look at a clue and start there.
A lot of the research that I did for my Black Hat talk was triage analysis. My boss asked me to do 1,000 samples in three days, manual analysis. I’m like, ‘I can do one sample in a few hours, but I don’t know if I can do all 1,000 samples in three days.’
So I developed this tool that helped me print out all the stuff that I needed in order to look at samples. I don’t have to look at every single sample, but just the ones that are important because otherwise I would be there forever.
How do you determine what is important?
Rousseau: In a binary, you have these things called libraries that load — imports, pretty much. And a lot of these imports give you an idea of what the program is doing. So as an indicator, say it is loading user32.dll. What that is, is it could be doing user-related actions on the system. If you load in Winsock, it’s for sockets, right?
All of these different clues as to what libraries are loading, you can kind of get a sense of what it’s actually going to do, even the function that it’s going to call. Because then you kind of build in, ‘OK, well, it’s going to do something to the file system, it’s going to open up a socket and connect out to some IP address. I’m going to have to look for an IP address, I’m going to have to look for some strings creating a file in the file system.’ That kind of stuff.
But in order to that, I need to disassemble it and see when that happens, in what order it happens. Because goodware can do the same thing, but depending on the context — the order — is it doing it all in one function, or is it spread out? Some of those little clues pinpoint the ones that you need to look at.
And these clues help you understand what kind of malware you’re studying?
Rousseau: Yeah, and it depends on the motive. If you’re ransomware, you’re going to do encryption; you’re going to do file system activity; you’re going to call out to some onion server for the Bitcoin. If you’re spyware, you’re going to be doing keylogging; you’re going to be accessing the camera; you’re going to be trying to take screenshots of the desktop. So those are all different libraries to look.
If you’re just a regular Trojan or a remote access Trojan, you’re going to be calling back out to your [command-and-control network]. You’ll receive instructions to do stuff. So if you know what kind of class they are, you’re looking for those indicators to place them into that class of malware.
Have you seen any trends in the code across different malware types?
Rousseau: Yeah, it’s funny because with ransomware, there were two main libraries that a lot of the ransomware stemmed off of. It’s kind of like this growing tree of variations of the same code. And because some idiot posted it on GitHub somewhere, all these little 19-year-old to 26-year-olds are playing with this code and making ransomware to make a quick buck.
The ones that do well are the crimeware people that adopt ransomware and make it more like a business, a little large-scale business.
Rousseau: Right, right. But when you’re reversing, you can see different code, kind of a mishmash of someone writing it this way and another. It’s like handwriting. You can tell when there’s two different types of handwriting on a page. It’s like that in code for me.
If you look at enough of it you can identify, ‘OK, this is kind of weird. Someone wrote it backwards,’ or that kind of thing. Even with WannaCry, the code for the exploit is completely different than the actual ransomware code. Actual ransomware code is really crappily done, but the exploit code was beautiful. So you know they were kind of mishmashed together.
I guess we know that the government has really good coders. I guess that’s the key there.
Rousseau: Yeah, the nation-state stuff, you can tell the level of expertise in that developer because usually, that whole thing will look similar. If it’s one or two guys, maybe it will look different. But the more common malware, they buy that stuff off of black market deployment and it comes in a kit. And these kits, they add on their own pictures or whatever they want in the thing. So it kind of has this variant of this s—– code with whatever s—– code that they add in, pretty much.
Microsoft has long been known for suites of products, Smith said, and the company is now bringing that approach to a new suite of programs, AI for Good. This initiative’s first program, AI for Earth, was started in 2017 and brings advances in computer science to four environmental areas of focus: biodiversity, water, agriculture and climate change.
Under this program, Microsoft is committing $50 million over five years to provide seed grants to nongovernmental organizations, startups and researchers in more than 20 countries, Smith said. The most promising projects will receive additional funding, and Microsoft will use insights gleaned to build new products and tools. The program is already showing success, Smith said — the use of AI helped farmers in Tasmania improve their yields by 15 percent while reducing environmental runoffs. And in Singapore, AI helped reduce electrical consumption in buildings by almost 15 percent.
“We’re finding that AI, indeed, has the potential to help solve some of the world’s most pressing problems,” he said.
Improving accessibility for people with disabilities
Computers can see and hear. They can tell people what’s going on around them. Those abilities position AI to help the more than one billion people worldwide who have disabilities, Smith said.
“One of the things we’ve learned over the last year is that it’s quite possible that AI can do more for people with disabilities than for any other group on the planet,” he said.
Recognizing that potential, Microsoft in May announced AI for Accessibility, a $25 million, five-year initiative focused on using AI to help people with disabilities. The program provides grants of technology, AI expertise and platform-level services to developers, NGOs, inventors and others working on AI-first solutions to improve accessibility. Microsoft is also investing in its own AI-powered solutions, such as real-time, speech-to-text transcription and predictive text functionality.
Smith pointed to Seeing AI, a free Microsoft app designed for people who are blind or have low vision, as an example of the company’s efforts. This app, which provides narration to describe a person’s surroundings, identify currency and even gauge emotions on people’s faces, has been used over four million times since being launched a year ago.
“AI is absolutely a game-changer for people with disabilities,” Smith said.
Governing AI: a Hippocratic Oath for coders?
For AI to fulfill its potential to serve humanity, it must adhere to “timeless values,” Smith said. But defining those values in a diverse world is challenging, he acknowledged. AI is “posing for computers every ethical question that has existed for people,” he said, and requires an approach that takes into account a broad range of philosophies and ethical traditions.
University students and professors have been seeking to create a Hippocratic Oath for AI, Smith said, similar to the pledge doctors take to uphold specific ethical standards. Smith said a broader global conversation about the ethics of AI is needed, and ultimately, a new legal framework.
“We’re going to have to develop these ethical principles, and we’re going to have to work through the details that sometimes will be difficult,” he said. “Because the ultimate question is whether we want to live in a future of artificial intelligence where only ethical people create ethical AI, or whether we want to live in a world where, at least to some degree, ethical AI is required and assured for all of us.
“There’s only one way to do that, and that is with a new generation of laws.”
The court saga of Marcus Hutchins, a security researcher from England also known as MalwareTech, will continue after a superseding indictment filed by the U.S. government added new charges to his case.
Hutchins was originally arrested in August 2017 on charges of creating and distributing the Kronos banking Trojan. The superseding MalwareTech indictment, filed on Wednesday, adds four new charges to the original six, including the creation of the UPAS kit malware, conspiracy to commit wire fraud, and lying to the FBI.
Hutchins first gained prominence in May 2017 for being one of the researchers who helped slow the spread of the WannaCry ransomware, and he recently mused on Twitter at the connection between that act and the new MalwareTech indictment.
While this all sucks a lot, I can’t stop laughing at the irony of the superseding indictment coming exactly on the 1 year anniversary of me receiving an award for stopping WannaCry.
Hutchins also had strong language to describe the supplemental indictment, but one of his lawyers, Brian Klein was more measured.
@marciahofmann and I are disappointed the govt has filed this superseding indictment, which is meritless. It only serves to highlight the prosecution’s serious flaws. We expect @MalwareTechBlog to be vindicated and then he can return to keeping us all safe from malicious software https://t.co/E1M0qod3CN
The UPAS Kit described in the new filing was a form grabber that Hutchins admitted to creating, but he asserted it was not connected to Kronos. Marcy Wheeler, national security and civil liberties expert, questioned how this was included in the new MalwareTech indictment because of the time frames related to those charges.
The indictment noted that the UPAS Kit was originally sold and distributed in July 2012 and it alleged Hutchins developed Kronos “prior to 2014” and supplied it to the individual who sold the UPAS Kit. However, Wheeler pointed out in a blog post that there should be a five year statute of limitations related to such charges and even if the government could avoid that, Hutchins would have been a minor in 2012 when these actions allegedly took place.
Additionally, Wheeler noted that Hutchins admitted to creating the UPAS form grabber — although he denied it was part of Kronos — when he was first arrested by the FBI. The new MalwareTech indictment claims Hutchins lied to the FBI about creating Kronos which would put into question the new charge that Hutchins lied to the FBI.