The attack campaign, called Stegano, has been spreading from malicious ads in a “number of reputable news websites,” ESET said in a Tuesday blog post. It’s been preying on Internet Explorer users by scanning for vulnerabilities in Adobe Flash and then exploiting them.
The attack is designed to infect victims with malware that can steal email password credentials through its keylogging and screenshot grabbing features, among others.
The attack is also hard to detect. To infect their victims, the hackers were essentially poisoning the pixels used in the tainted banner ads, ESET said in a separate post.
The hackers concealed their malicious coding in the parameters controlling the pixels’ transparency on the banner ad. This allowed their attack to go unnoticed by the legitimate advertising networks.
Hackers have used similar so-called malvertising tactics to secretly serve malicious code over legitimate online advertising networks. It’s an attack method that has proven successful at quickly spreading malware to potentially millions of users.
The makers behind the Stegano attack were also careful to create safeguards to prevent detection, ESET said. For instance, the banner ads will alternate between serving a malicious version or a clean version, depending on the settings run on the victim’s computer. It will also check for any security products or virtualization software on the machine before proceeding with the attack.
ESET declined to name the news websites that were found unknowingly displaying the malicious ads, but cautioned that the attack was widespread, and could have been hosted through other popular sites as well.
The first report came Sunday from an Indian security researcher named Hemanth Joseph, who started investigating possible bypasses after being confronted with a locked iPad he acquired from eBay.
The activation lock gets enabled automatically when users turn on the Find My iPhone feature via iCloud. It links the device to their Apple IDs and prevents anyone else from accessing the device without entering the associated password.
One of the few things allowed from the activation lock screen is connecting the device to a Wi-Fi network, including manually configuring one. Hemanth had the idea of trying to crash the service that enforces the lock screen by entering very long strings of characters in the WPA2-Enterprise username and password fields.
The researcher claims that, after a while, the screen froze, and he used the iPad smart cover sold by Apple to put the tablet to sleep and then reopen it. This is supposed to restore the state of the tablet from where it left off, in this case loading the WPA2 screen again with the long strings of characters filled in.
“After 20-25 seconds the Add Wifi Connection screen crashed to the iPad home screen, thereby bypassing the so-called Find My iPhone Activation Lock,” he said in a blog post.
Hemanth said he reported the issue to Apple on Nov. 4, and the company is investigating it. He tested the bypass on iOS 10.1, which was released on Oct. 24.
Last week, a researcher named Benjamin Kunz Mejri, from German outfit Vulnerability Lab, posted a video showing the same bypass, but on the newer iOS 10.1.1 version.
Kunz Mejri’s method is similar and also involves overflowing the Add Wi-Fi form fields with long strings of characters but also requires rotating the tablet’s screen in order to trigger the crash after the smart cover trick.
Apple has not yet confirmed the issue and did not immediately respond to a request for comment.
An e-commerce site will typically block a credit card number after 10 or 20 failed attempts to enter the corresponding expiry date and CVV (card verification value), making life difficult for fraudsters who don’t have a full set of credentials.
But there are plenty of e-commerce sites out there, and it’s possible to obtain missing account details by submitting slightly different payment requests to hundreds of them in parallel.
It takes less than six seconds to perform the “distributed guessing attack,” according to the researchers at Newcastle University in the U.K. who figured out how to do it.
Guessing the expiry date of a valid card isn’t all that difficult: Cards are typically issued for five years at most, so sending the 60 possible values to different websites will get a confirmation from one of them. The three-digit CVV is a little harder, involving spreading 1,000 requests across multiple websites.
“Practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts,” wrote researchers Mohammed Aamir Ali, Budi Arief, Martin Emms, and Aad van Moorsel.
The title of their paper asked the question: “Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?”
Their answer is emphatically yes — at least for Visa cards, for which they were able to submit sufficient requests to obtain the missing values.
MasterCard’s centralized payment network, on the other hand, detected their attack on a card account after fewer than 10 authorization attempts.
Ali and colleagues studied 389 websites drawn from the 400 most-visited according to Alexa.com. Of those, just 47 used the 3D Secure authorization system, making them immune to the attack.
The weak links in the system were the 26 sites that required only the card number and the expiry date to validate payment. The 20 of them allowing at least six guesses provided ample capacity for guessing such an easy answer.
A further 291 sites would validate a card number with just the expiry date and CVV — but with 238 of them allowing six or more guesses, the CVV could soon be obtained.
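The difference between a per-site failure limit and the network-wide limit the article credits MasterCard with, as an added example that is not code from the paper or from any card network: the limiter class, the thresholds and the constructed stream of attempts are assumptions for illustration.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Hashable, List, Tuple

# One card-not-present authorization attempt as the issuer sees it:
# (timestamp in seconds, card token, merchant id, approved?)
Attempt = Tuple[float, str, str, bool]


class FailureLimiter:
    """Sliding-window counter of failed authorizations.

    key_fn decides what the counter is keyed on:
      - per merchant: (merchant, card) -> what one e-commerce site can do
      - network-wide: card             -> what a centralised network can do
    Once `max_failures` failures for a key fall inside `window_seconds`,
    further attempts for that key are refused until the window slides.
    """

    def __init__(self, key_fn: Callable[[str, str], Hashable],
                 max_failures: int = 10, window_seconds: float = 60.0):
        self.key_fn = key_fn
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures: Dict[Hashable, Deque[float]] = defaultdict(deque)

    def check(self, ts: float, card: str, merchant: str, approved: bool) -> str:
        key = self.key_fn(card, merchant)
        q = self.failures[key]
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            return "blocked"  # refused without evaluating the guess at all
        if not approved:
            q.append(ts)
        return "approved" if approved else "declined"


def replay(attempts: List[Attempt], limiter: FailureLimiter) -> Dict[str, int]:
    """Run a stream of attempts through a limiter and tally the outcomes."""
    tally = {"approved": 0, "declined": 0, "blocked": 0}
    for ts, card, merchant, approved in attempts:
        tally[limiter.check(ts, card, merchant, approved)] += 1
    return tally


def constructed_distributed_stream(card: str = "tok_4111",
                                   sites: int = 60) -> List[Attempt]:
    """Constructed sample: one wrong guess at each of `sites` different
    merchants within a few seconds, with only the last guess correct.
    Mirrors the paper's 60 expiry-date values spread over 60 sites."""
    stream: List[Attempt] = []
    for i in range(sites):
        approved = i == sites - 1
        stream.append((i * 0.1, card, f"merchant-{i:03d}", approved))
    return stream


def compare(stream: List[Attempt]) -> Dict[str, Dict[str, int]]:
    """Same attempts, two vantage points: a single site sees one failure per
    merchant and never trips; the network sees them all on one card."""
    per_merchant = FailureLimiter(key_fn=lambda card, merchant: (merchant, card))
    network_wide = FailureLimiter(key_fn=lambda card, merchant: card)
    return {
        "per_merchant": replay(stream, per_merchant),
        "network_wide": replay(stream, network_wide),
    }


if __name__ == "__main__":
    for name, tally in compare(constructed_distributed_stream()).items():
        print(f"{name:13s} {tally}")
```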
The number of games on Steam continues to rise at a daunting rate. According to new data from Steam Spy, the number of full games released on the store this year rose 40% over 2015.
Steam Spy founder Sergey Galyonkin published a chart on Twitter that indicated a total of 4207 games launched on Steam in 2016, up from 2964 last year. If accurate, that means 38% of all games on Steam were released within the last 12 months – a sobering thought for any developer trading on Valve’s market leading platform.
Of course, the notion that Steam is crowded with product is hardly new, but Steam Spy’s chart – republished above – clearly illustrates the pace at which the trend is playing out.
The only small consolation is that the 40% rise over last year is actually lower than the 67% increase in new games between 2014 and 2015. Galyonkin noted that the chart doesn’t include movies and non-game software, but it also filters out relevant content like DLC packs and “games without owner data.”
Valve is certainly cognisant of the issues that Steam’s teeming inventory has created for both developers and consumers. It has responded with two “Discovery Updates” that gave more control over the experience to both groups, the first in 2014 and the second little more than a month ago.
Following the second Discovery Update, GamesIndustry.biz talked to developers about the “huge impact” of the changes.
“We believe that it is the largest Google account breach to date,” the security firm said in blog post.
The malware, called Gooligan, has been preying on devices running older versions of Android, from 4.1 to 5.1, which are still used widely, especially in Asia.
Gooligan masquerades as legitimate-looking Android apps. Checkpoint has found 86 titles, many of which are offered on third-party app stores, that contain the malicious coding.
Of the 1 million Google accounts breached, 19 percent were based in the Americas, 9 percent in Europe, while 57 percent were in Asia, according to Checkpoint.
As the numbers from Black Friday and Thanksgiving weekend continue to trickle in, many analysts are examining how the holiday sales picture is coming together this year. While The NPD Group is not ready to give its full assessment just yet, the firm did note to GamesIndustry.biz that digital promotions on PlayStation Network and Xbox Live were much more aggressive this year and may have impacted the retail channel. Digital aside, the sector that seemed to struggle the most is virtual reality, according to SuperData, which said VR has been the “biggest loser.”
Thanks to “notably fewer units sold than expected due to a relatively fragmented title line-up and modest marketing effort,” VR headsets are now expected to sell even fewer than previously thought. SuperData’s revised forecast for 2016 calls for under 750k PlayStation VR units sold (their previous estimate was 2.6 million) with Google’s Daydream selling just 261k (down from 450k). Previous estimates for HTC Vive, Oculus Rift and Gear VR remain unchanged at 450k, 355k and 2.3 million, respectively.
As you can see, expectations for PSVR have seen the most dramatic shift. Stephanie Llamas, director of research and insights at SuperData, explained to us, “PSVR had the best opportunity to benefit from the holidays but their supply inconsistencies and lack of marketing have put them behind their potential. They did not offer any first-party deals this weekend, restock bundles or market the device, pushing instead for the PS 4 Pro. They have also pointed out that VR looks even better on a Pro than a standard or slim PS 4, so the message to most gamers is: Get the Pro now, then the PSVR later. As a result, we won’t see them break 1M shipments until well into the new year.”
Llamas added that Sony may be deliberately limiting PSVR supply until it can do a better job with supporting the platform. “Had Sony pushed the PSVR the way they’ve been pushing their other new hardware, the demand would have certainly fulfilled a supply of over 2 million. However, given its quiet release it’s clear they’re being cautious before fully investing in the tech. Without the ‘killer app’ and the slow, steady release of AAA content, they will release less than 1 million devices until they have content they feel confident will bring in the praise they want. They can afford to take it slow since they have no competition for now, so their supply and sales will rise steadily into 2017 as opposed to riding the seasonal wave,” she said.
As for Oculus, Llamas believes they’ve taken a risk by possibly splitting their own user base. “The Rift’s Touch controllers are an opportunity for Oculus to penetrate, but not many headsets have moved, especially with their round-about deal where purchasers earned $100 Oculus credit rather than just getting $100 off. Oculus’s hardware release strategy has also slowed them down and split their user base, so developers are having to make some choices around whether they should develop for both Touch and non-Touch users. This means development has slowed and is becoming another barrier to growth,” she remarked.
Looking at the non-VR games market, Nintendo may actually prove to be the biggest winner, thanks to updates both to Pokémon GO and selling out of its NES mini. “On mobile we recorded a spike in earnings as players made the most of the Thanksgiving special for Pokémon GO. The game’s ability to stay in the forefront of people’s minds as we approach the release date for Super Mario Run may prove beneficial for Nintendo, which has yet to make a convincing claim on the $38 billion mobile games market,” said Joost van Dreunen.
Overall digital game sales this holiday are down 2% from 2015 so far, but the impact of digital has grown tremendously in just a few years. “In 2012 full game downloads accounted for only 6% of total unit sales around the Thanksgiving holiday in the United States. For 2016E that number was four times higher at 24%,” van Dreunen said.
The other big contributor to the slow holiday start has been big discounting, according to Wedbush Securities’ Michael Pachter. “We saw greater discounting of high-profile new video games this Black Friday compared to last year. Last year’s top sellers, Activision Blizzard’s Call of Duty: Black Ops III, Bethesda Softworks’ Fallout 4, and EA’s Star Wars Battlefront, saw sticky pricing on Black Friday, with the $60 price point remaining largely intact. While discounting of sports games happens each year, many other titles that maintain pricing on Black Friday were listed at discounts of 40% or more this weekend,” he observed.
“For example, Walmart had EA’s Battlefield 1 and Titanfall 2 at $27, and Microsoft’s Gears of War 4 and Take-Two’s Mafia III at $35. Walmart also had Activision Blizzard’s Call of Duty: Infinite Warfare Legacy Edition, which includes Modern Warfare Remastered, for $57, a $23 discount. Discounting of Call of Duty: Infinite Warfare began earlier in the week, with widespread discounts of roughly $20 for the different versions of the game. Hardware discounting for the PS4 and Xbox One was largely consistent with 2015, as $50 discounts were commonplace.”
Pachter also agreed that the “pace of the mix shift to digital full game downloads continues to be brisk,” but we probably won’t know whether digital sales fully made up for retail declines until we get the complete NPD report for 2016 sometime in January.
In October 2015, the U.S. launched a plan to hire 6,500 people with cybersecurity skills by January 2017, according to White House officials. It had hired 3,000 by the first half of this year. As part of the ongoing hiring effort, it held a job fair in July.
At the Department of Homeland Security (DHS), “We set out to dispel certain myths regarding cybersecurity hiring,” wrote Angela Bailey, chief human capital officer at DHS in a blog post Monday.
One myth is this: “There is not a lot of cyber talent available for hire,” said Bailey. “Actually, over 14,000 people applied for our positions, with over 2,000 walking in the door. And while not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event.
“The amount of talent available to hire was so great, we stayed well into the night interviewing potential employees,” said Bailey.
The experience of the U.S. government seems counter to what industry studies say is actually going on.
For instance, a report released one day before the government’s job fair in July by Intel Security, in partnership with the Center for Strategic and International Studies (CSIS), pointed to a “talent shortage crisis” in cybersecurity skills.
David Foote, co-founder and chief analyst at Foote Partners, is skeptical of the government’s findings, and says there’s really no unemployment among people with cybersecurity skills, “so why would they go to a job fair?”
In particular, asked Foote, why would someone take a government job that will pay less than a beltway consulting firm?
The salary for a senior cyber security specialist with five or more years’ experience in the Washington D.C. metro area is $132,837, said Foote.
The salary for an IT specialist in cybersecurity ranges from about $65,000 to $120,000, depending on skills, experience and educational attainment.
Foote said the appeal of getting a security clearance may have motivated some to apply for a government job. A security clearance can open up subsequent private sector jobs.
But Foote suspects that the U.S. is focusing on hiring people it can train, not on hiring experienced people who would command much higher salaries than the government can offer.
In cybersecurity, experience is critical, said Foote. “Cybersecurity is something you have to do, you have to develop an instinct and you only do that with hands-on,” he said.
It said a laptop used by a Hewlett Packard Enterprise Services employee working on a U.S. Navy contract was hacked. Hewlett Packard informed the Navy of the breach on Oct. 27 and the affected sailors will be notified in the coming weeks, the Navy said.
“The Navy takes this incident extremely seriously – this is a matter of trust for our sailors,” Chief of Naval Personnel Vice Admiral Robert Burke said in a statement.
Burke said the investigation of the breach was in its early stages.
“At this stage of the investigation, there is no evidence to suggest misuse of the information that was compromised,” the Navy said.
Symantec’s security software often comes bundled with personal computers. As a result, the company has suffered as consumers use mobile devices more than traditional computers. While Norton remains profitable, its sales have been falling.
“(Norton) had been declining with the declines in PC market share. This acquisition brings $660 million in revenue to the consumer business and returns it to longer sustainable growth,” Symantec Chief Executive Greg Clark said in an interview.
Symantec’s purchase of LifeLock is in line with its efforts to diversify its offerings. In August, it bought Blue Coat Inc, which helps firms maintain security over the internet, in a $4.65 billion deal. Clark previously held the top job at Blue Coat, and made the switch after the deal closed.
Based in Tempe, Arizona, LifeLock offers services such as monitoring new account openings and credit-related applications in order to alert consumers about unauthorized use of their identity. It also works with government agencies, merchants and creditors to remediate the impact of identity theft.
Fran Rosch, executive vice president of Norton Business Unit, said that Symantec had dabbled in identity security but had nowhere near Lifelock’s 4.4 million members.
“We had to extend our value proposition. It was a no brainer for us to get back to growth,” Rosch said.
Symantec expects to finance the transaction with cash on balance sheet and $750 million of new debt.
The Mountain View, California-based company has been moving away from what it sees as more commoditized services, selling its data storage business Veritas in January to private equity firm Carlyle Group LP for $7.4 billion. Technology-focused firm Silver Lake Partners has also made a $1 billion investment in the company in two parts this year.
Symantec said the LifeLock deal is not expected to have a material impact on its financial results next year, and reaffirmed its fiscal year 2017 and 2018 guidance. The deal also represents a victory for activist hedge fund Elliott Management Corp, which had pushed LifeLock to explore its options.
One of the things we are noticing is that all the leaks and other information coming out of Intel suggest that the outfit is getting excited about the overclocking market.
A lot of the marketing buzz about the Kaby Lake architecture on the desktop focuses on overclocking performance. Intel has several unlocked processors based on Kaby Lake, and they are not just at the high end.
Overclockable Kaby Lake Core i7 and Core i5 processors have already been leaked, but the trend suggests that Intel will target cash-strapped system builders with at least one unlocked Core i3 series processor, the dual-core Core i3-7350K. The retail box version will be sold for $177, which means that street pricing could end up anywhere from $150 to $180.
The Core i3-7350K will have Hyper-Threading support and is fast already, with a base clock speed of 4GHz and a boost frequency of 4.2GHz. It is unclear how much overclocking you will get on top of that. But if you can get a couple of hundred MHz with air cooling and the expected TDP rating of 61W, you could end up with a cost-effective chip, if it does not turn into a pile of molten plastic in your computer.
Kaby Lake is not that exciting to enthusiasts, but Intel seems to want to get a few more overclockers interested at the lower end of the market. A sub-$200 part that could open overclocking to a wider audience might just work.
It is a moot point if this will do much for sales. Overclocking is useful if you know what you are doing, and most buying at that price range either don’t know what they are doing, or are too scared to try it.
One of the most popular means of communication, Facebook’s WhatsApp, added fully encrypted video calling to its messaging app on Monday, a move that comes as privacy advocates worry about the potential for stepped-up government surveillance under a Trump administration.
WhatsApp, which boasts more than a billion users worldwide, adopted end-to-end encryption early this year, making it technically impossible for the company or government authorities to read messages or listen to calls.
The new video calling service will thus provide another means for people to communicate without fear of eavesdropping, though WhatsApp does retain other data such as an individual’s list of contacts.
“We obviously try to be in tune with what our users want,” Koum said at the company’s unmarked Mountain View, California headquarters building. “We’re obsessed with making sure that voice and video work well even on low-end phones.”
Koum told Reuters that improvements in phone cameras, battery life and bandwidth had made the service viable for a significant proportion of WhatsApp users, even those using inexpensive smartphones.
Apple Inc offers its FaceTime video calls to iPhone users, and Microsoft Corp’s Skype offers video calls on multiple platforms. But WhatsApp has built a massive installed base of mobile customers and has been steadily adding more features to what began as a simple chat application.
Over 412 million accounts on dating and entertainment website FriendFinder Networks have reportedly been exposed, the second time that the network has been breached in two years, according to a popular breach notification website.
The websites that have been breached include adultfriendfinder.com, described as the “world’s largest sex and swinger community,” which accounted for over 339.7 million of the 412 million accounts exposed, LeakedSource said Sunday.
Other network sites that had user accounts exposed were cams.com with 62.6 million exposed, penthouse.com with 7 million, stripshow.com with 1.4 million, icams.com with about 1 million and an unidentified website adding 35,372 users whose accounts were exposed.
The sites were hacked in October through a local file inclusion vulnerability on FriendFinder Networks that was reported at about the same time by a researcher. Soon after disclosing the vulnerability, the researcher, who used the Twitter handle 1x0123 and is also known as Revolver, stated on Twitter that the issue was resolved and that “…no customer information ever left their site,” according to CSO’s Salted Hash.
FriendFinder did not immediately comment. The network, however, confirmed to ZDNet that it identified and fixed a vulnerability that “was related to the ability to access source code through an injection vulnerability.”
LeakedSource said it found that passwords were stored either in plain text or hashed with the weak SHA-1 algorithm (with a pepper), increasing the possibility of their misuse. LeakedSource claimed it had cracked over 99 percent of all the passwords from the databases to plain text.
It also found that about 15 million users had an email in the format of: email@example.com@deleted1.com, suggesting that information on users who earlier tried to delete their accounts was still around.
The FriendFinder Networks hack, if confirmed, would outstrip that of Myspace in its impact. The exposure of an estimated 360 million accounts of Myspace users was reported earlier this year. The FriendFinder hack also has the potential of being more embarrassing for a number of users, because of the sensitive transactions on its sites.
Analyst outfit Susquehanna Financial Group gave Intel the thumbs up for its newly developed “laser chips” saying the development could be a game changer that will give the company the data center chip market for years.
Susquehanna analyst Christopher Rolland said that the ‘chip-scale silicon photonics,’ which Intel has developed was one of the most important developments of our generation.
Intel has developed a miniaturized on-die version of its silicon photonics technology to be used as a super-high-speed optical interconnect between its Xeon server processor and an Altera field-programmable gate array, Rolland said.
It is a chip-to-chip, super high-speed, in-package optical interconnect that could revolutionize the semiconductor industry, he said.
Intel has “proof of concept” chips with the new technology and is looking to improve current low production yields. A commercial product could be ready in three to five years, Rolland said.
“This technology is nothing short of miraculous and we view it as a potential game changer for Intel and the semiconductor industry,” Rolland said.
Data transfer rates may start at 50 to 100 gigabits per second with the new chips, but could increase to a half terabit or 2 terabits by early next decade.
Intel is expected to first use the optical interconnect technology to connect CPUs to Altera FPGAs. Then other technologies, including GPUs, ASICs, Xeon Phi, memory, and other CPUs will start using it.
Moving from electrical communication to optical communication technology has several advantages in chips. They include bandwidth density, low latency, energy efficiency and lower cost, Rolland said.
Law enforcement authorities on Monday also “began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data,” the company said in a regulatory filing to the U.S. Securities and Exchange Commission. Yahoo said it would “analyze and investigate the hacker’s claim.” It isn’t clear if this data is from the 2014 hack or from another breach.
Forensic experts are also investigating whether an intruder, which it believes is the same “state-sponsored actor” responsible for the security incident, “created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information,” according to the filing.
“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access…,” the company said in the filing Wednesday.
A source familiar with the matter described the investigation as ongoing and said via email it wasn’t yet clear “who knew what/when/what they shared to whom if at all.”
The person also said that the company does not believe it is currently possible for the attackers to forge valid Yahoo Mail cookies.
Yahoo disclosed in late September that the account information was stolen in 2014 by what it described as a state-sponsored actor, though some security experts said it could have been done by a criminal hacker or group of hackers working on their own.
The disclosure of the hack followed an announcement by Verizon Communications that it planned to acquire Yahoo’s operating business for $4.8 billion, but the communications company has said it is evaluating whether the hack had a material impact. Yahoo said in the filing that there are risks that as a result of facts relating to the security incident, Verizon may seek to terminate or renegotiate the terms of its purchase.
The company is facing 23 proposed consumer class-action lawsuits following the hack both in the U.S. and abroad. The company recorded expenses of $1 million related to the hack in the quarter ended Sept. 30.
It has been rumored that Dell was working on a PC-class x86 Windows smartphone, and it looks like a picture has finally turned up, just as the project was abandoned.
Evan Blass has found a snap of what appears to be the PC phone that Dell was supposed to be shipping with an Intel processor. Some thought it was Microsoft’s much-anticipated Surface Phone but it turned out that it was Dell’s rather cool, but abandoned project.
Specifications of the cancelled phone are thin on the ground, but the fact that it had an x86 processor suggests it would have been the most powerful smartphone in history.
It would have run Windows 10 Mobile, which already supports Intel x86 processors, and Vole’s Continuum feature could have taken advantage of the beefy specs. Continuum already works with the HP Elite x3: connecting an external display, a dedicated keyboard and a mouse gives the x3 a full desktop experience.
Now if Dell had got all this to go on a mobile with Continuum it would mean a perfect desktop on a phone. There would be no need for a separate laptop, because all you would need is a laptop dock.
It is not clear why Dell walked away from what would have changed everything in the mobile world. It might have been because the phone could have killed Dell’s own PC business, but it is also possible that Chipzilla shafted the project when it cancelled Intel’s low-end segment as a restructuring move in May.
Either way it is rather sad.