LA warns of ‘juice-jacking’ malware, but admits it has no cases

Los Angeles’ district attorney is warning travelers to avoid public USB charging points because “they may contain dangerous malware.”

Reading the advisory, you might be forgiven for thinking that every USB outlet you see is just waiting for you to plug in your phone so it can steal your data. This so-called “juice-jacking” attack involves criminals loading malware “on charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users,” it reads. “The malware may lock the device or export data and passwords directly to the scammer.”

But the county’s chief prosecutor’s office told TechCrunch that it has “no cases” of juice-jacking on its books, though it said there are known cases on the east coast. When asked where those cases were, the spokesperson did not know. And when asked what prompted the alert to begin with, the spokesperson said it was part of “an ongoing fraud education campaign.”

Which begs the question — why?

Security researcher Kevin Beaumont tweeted that he hasn’t seen “any evidence of malware being used in the wild on these things.” In fact, ask around and you’ll find very little out there. Several security researchers have dropped me messages saying they’ve seen proof-of-concepts, but nothing actively malicious.

Juice-jacking is a real threat, but it’s an incredibly complicated and imperfect way to attack someone when there are far easier ways.

The idea, though — that you can plug in your phone and have your secrets stolen — is not entirely farfetched. Over the years there have been numerous efforts to demonstrate that it’s possible. As ZDNet points out in its coverage of the juice-jacking warning, the FBI sent out a nationwide alert about the threat after security researcher Samy Kamkar developed an Arduino-based implant designed to look like a USB charger to wirelessly sniff the air for leaky keystrokes. And just earlier this year, a security researcher developed an iPhone charger cable clone that let a nearby hacker run commands on the vulnerable computer.

LA recommends using an AC power outlet rather than a charging station, and taking your own cables with you. That’s sound advice, but it’s just one of many things you need to do to keep your devices and data safe.

CTO.ai’s developer shortcuts eliminate coding busywork

There’s too much hype about mythical “10X developers”. Everyone’s desperate to hire these ‘ninja rockstars’. In reality, it’s smarter to find ways of deleting annoying chores for the coders you already have. That’s where CTO.ai comes in.

Emerging from stealth today, CTO.ai lets developers build and borrow DevOps shortcuts. These automate long series of steps they usually have to do manually thanks to integrations with GitHub, AWS, Slack, and more. CTO.ai claims it can turn a days-long process like setting up a Kubernetes cluster into a 15-minute task even sales people can handle. The startup offers both a platform for engineering and sharing shortcuts, and a service where it can custom build shortcuts for big customers.

What’s remarkable about CTO.ai is that amidst a frothy funding environment, the 60-person team quietly bootstrapped its way to profitability over the past two years. Why take funding when revenue was up 400% in 18 months? But after a chance meeting aboard a plane connected its high school dropout founder Kyle Campbell with Slack CEO Stewart Butterfield, CTO.ai just raised a $7.5 million seed round led by Slack Fund and Tiger Global.

“Building tools that streamline software development is really expensive for companies, especially when they need their developers focused on building features and shipping to customers” Campbell tells me. The same way startups don’t build their own cloud infrastructure and just use AWS, or don’t build their own telecom APIs and just use Twilio, he wants CTO.ai to be the ‘easy button’ for developer tools.

Teaching snakes to eat elephants

“I’ve been a software engineer since the age of 8,” Campbell recalls. In skate-punk attire with a snapback hat, the young man meeting me in a San Francisco Mission District cafe almost looked too chill to be a prolific coder. But that’s kind of the point. His startup makes being a developer more accessible.

After spending his 20s in software engineering groups in the Bay, Campbell started his own company Retsly that bridged developers to real estate listings. In 2014, it was acquired by property tech giant Zillow where he worked for a few years.

That’s when he discovered the difficulty of building dev tools inside companies with other priorities. “It’s the equivalent of a snake swallowing an elephant” he jokes. Yet given these tools determine how much time expensive engineers waste on tasks below their skill level, their absence can drag down big enterprises or keep startups from rising.

CTO.ai shrinks the elephant. For example, the busywork of creating a Kubernetes cluster, such as having to create EC2 instances, provision those instances, and then provision a master node, gets slimmed down to just running a shortcut. Campbell writes that “tedious tasks like running reports can be reduced from 1,000 steps down to 10” through standardization of workflows that turn confusing code essays into simple fill-in-the-blank and multiple-choice questions.

The CTO.ai platform offers a wide range of pre-made shortcuts that clients can piggyback on, or they can make and publish their own through a flexible JavaScript environment for the rest of their team or the whole community to use. Companies that need extra help can pay for its DevOps-As-A-Service and reliability offerings to get shortcuts made to solve their biggest problems while keeping everything running smoothly.

5(2X) = 10X

Campbell envisions a new way to create a 10X engineer that doesn’t depend on widely mocked advice on how to spot and capture them like trophy animals. Instead, he believes 1 developer can make 5 others 2X more efficient by building them shortcuts. And it doesn’t require indulging bad workplace or collaboration habits.

With the new funding that also comes from Yaletown Partners, Pallasite Ventures, Panache Ventures and Jonathan Bixby, CTO.ai wants to build deeper integrations with Slack so developers can run more commands right from the messaging app. The less coding required for use, the broader the set of employees that can use the startup’s tools. CTO.ai may also build a self-service tier to augment its seats plus complexity model for enterprise pricing.

Now it’s time to ramp up community outreach to drive adoption. CTO.ai recently released a podcast which saw 15,000 downloads in its first 3 weeks, and it’s planning some conference appearances. It also sees virality through its shortcut author pages, which like GitHub profiles let developers show off their contributions and find their next gig.

One risk is that GitHub or another core developer infrastructure provider could try to barge directly into CTO.ai’s business. Google already has Cloud Composer while GitHub launched Actions last year. Campbell says its defense comes through neutrally integrating with everyone, thereby turning potential competitors into partners.

The funding firepower could help CTO.ai build a lead. With every company embracing software, employers battling to keep developers happy, and teams looking to get more of their staff working with code, the startup sits at the intersection of some lucrative trends of technological empowerment.

“I have a 3-year-old at home and I think about what it will be like when he comes into creating things online,” Campbell concludes. “We want to create an amazing future for software developers, introducing automation so they can focus on what makes them such an important aspect. Devs are defining society!”

[Image Credit: Disney/Pixar via WallHere Goodfon]

How you shouldn’t handle your data breach

So you’ve had a data breach. Don’t worry, it’s not just you. These days it happens to everyone, no matter how large or small your company is. It’s almost inevitable, some might say, and not a case of if but when.

A lot is already out of your control. Whether a hacker broke in and stole customer data or someone on staff left a cloud server exposed without a password, the incident alone is bad enough. But then you’ll also face a stream of headlines, flack from your customers, and endless tweets and social media posts. Trust will invariably suffer, your brand will hurt, and recovery seems like a million miles away.

But as breaches become more commonplace, few companies remember the actual incident itself — or even the number of users or customers affected. No matter what kind of security incident you’re thrown into, what happens afterward is how you will be remembered.

Get it right, you can save face. Get it wrong, and you’ll never live it down. Here’s what not to do when you have a data breach.

Don’t try to cover it up

Police hijack a botnet and remotely kill 850,000 malware infections

In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers.

The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. Although the malware was used to generate money, the malware operators easily could have run other malicious code, like spyware or ransomware. The malware also has wormable properties, allowing it to spread from computer to computer.

Since its first appearance, the cryptocurrency mining malware has spread across the world, including the U.S., Russia, and Central and South America.

According to a blog post announcing the bust, security firm Avast confirmed the operation was successful.

The security firm got involved after it discovered a design flaw in the malware’s command and control server. That flaw, if properly exploited, would have “allowed us to remove the malware from its victims’ computers” without pushing any code to victims’ computers, the researchers said.

The exploit would have dismantled the operation, but the researchers lacked the legal authority to push ahead. Because most of the malware’s infrastructure was located in France, Avast contacted French police. After receiving the go-ahead from prosecutors in July, the police went ahead with the operation to take control of the server and disinfect affected computers.

The French police called the botnet “one of the largest networks” of hijacked computers in the world.

The operation worked by secretly obtaining a snapshot of the malware’s command and control server with cooperation from its web host. The researchers said they had to work carefully as to not be noticed by the malware operators, fearing the malware operators could retaliate.

“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” the security company said. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”

With a copy of the malicious command and control server in hand, the researchers built their own replica, which disinfected victim computers instead of causing infections.

“[The police] replaced the malicious [command and control] server with a prepared disinfection server that made connected instances of Retadup self-destruct,” said Avast in a blog post. “In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the protocol design flaw.”

In doing so, the company was able to stop the malware from operating and remove the malicious code from over 850,000 infected computers.

Jean-Dominique Nollet, head of the French police’s cyber unit, said the malware operators generated several million euros worth of cryptocurrency.

Remotely shutting down a malware botnet is a rare achievement — but difficult to carry out.

Several years ago the U.S. government revoked Rule 41, which now allows judges to issue search and seizure warrants outside of their jurisdiction. Many saw the move as an effort by the FBI to conduct remote hacking operations without being hindered by the locality of a judge’s jurisdiction. Critics argued it would set a dangerous precedent to hack into countless computers on a single warrant from a friendly judge.

Since then the amended rule has been used to dismantle at least one major malware operation, the so-called Joanap botnet, linked to hackers working for the North Korean regime.

Malicious websites were used to secretly hack into iPhones for years, says Google

Security researchers at Google say they’ve found a number of malicious websites which, when visited, could quietly hack into a victim’s iPhone by exploiting a set of previously undisclosed software flaws.

Google’s Project Zero said in a deep-dive blog post published late on Thursday that the websites were visited thousands of times per week by unsuspecting victims, in what they described as an “indiscriminate” attack.

“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a security researcher at Project Zero.

He said the websites had been hacking iPhones over a “period of at least two years.”

The researchers found five distinct exploit chains involving 12 separate security flaws, including seven involving Safari, the in-built web browser on iPhones. The five separate attack chains allowed an attacker to gain “root” access to the device — the highest level of access and privilege on an iPhone. In doing so, an attacker could gain access to the device’s full range of features normally off-limits to the user. That means an attacker could quietly install malicious apps to spy on an iPhone owner without their knowledge or consent.

Google said that, based on its analysis, the vulnerabilities were used to steal a user’s photos and messages as well as track their location in near-realtime. The “implant” could also access the user’s on-device bank of saved passwords.

The vulnerabilities affect iOS 10 through to the current iOS 12 software version.

Google privately disclosed the vulnerabilities in February, giving Apple only a week to fix the flaws and roll out updates to its users. That’s a fraction of the 90 days typically given to software developers, giving an indication of the severity of the vulnerabilities.

Apple issued a fix six days later with iOS 12.1.4 for iPhone 5s and iPad Air and later.

Beer said it’s possible other hacking campaigns are currently in action.

The iPhone and iPad maker in general has a good rap on security and privacy matters. Recently the company increased its maximum bug bounty payout to $1 million for security researchers who find flaws that can silently target an iPhone and gain root-level privileges without any user interaction. Under Apple’s new bounty rules — set to go into effect later this year — Google would’ve been eligible for several million dollars in bounties.

A spokesperson for Apple did not immediately comment.

Justice Department indicts 80 individuals in massive business email scam bust

The Justice Department has indicted dozens of individuals accused of involvement in a massive business email scam and money laundering scheme.

News of the early-morning raids was first reported by ABC7 in Los Angeles.

Thom Mrozek, a spokesperson for the U.S. Attorneys Office for the Central District of California, confirmed more than a dozen individuals had been arrested during the raids on Thursday — mostly in the Los Angeles area. A total of 80 defendants are allegedly involved in the scheme.

The 145-page indictment, unsealed Thursday, said the 80 named individuals are charged with conspiracy to commit mail and bank fraud, as well as aggravated identity theft and money laundering.

Most of the individuals are based in Nigeria, said the spokesperson.

It’s not immediately known if the Nigerian nationals will be extradited to the U.S., but a treaty exists between the two nations making extraditions possible.

U.S. Attorney Nicola Hanna is expected to issue a statement shortly.

These business email compromise scams rely partly on deception and in some cases hacking. Scammers send specially crafted spearphishing emails to their targets in order to trick them into turning over sensitive information about the company, such as sending employee W-2 tax documents so scammers can generate fraudulent refunds, or tricking an employee into making wire transfers to bank accounts controlled by the scammers. More often than not, the scammers use spoofing techniques to impersonate a senior executive over email to trick the unsuspecting victim, or hack into the email account of the person they are impersonating.
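As an added example (not code from the article or from the Justice Department), the following Python flags the executive-impersonation patterns described above in inbound mail: an executive’s display name on a non-corporate address, a diverted Reply-To, and wire-transfer or W-2 request language. The executive directory, the internal domain and the two sample messages are constructed assumptions.

```python
"""Flag business-email-compromise style executive impersonation in inbound mail.

Added example, not part of the original article. The executive directory,
internal domain and sample messages below are constructed assumptions.
"""
import email
from email import policy
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "example-corp.test"  # assumption: the company's own mail domain
EXECUTIVES = {                          # assumption: constructed executive directory
    "jane doe": "jane.doe@example-corp.test",
    "john roe": "john.roe@example-corp.test",
}
REQUEST_PHRASES = ("wire transfer", "w-2", "w2", "gift card", "urgent")


def bec_signals(raw_message: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty if none).

    Checks mirror the scam described in the article:
      * display name matches an executive but the address is not the executive's
      * display name embeds an address while the real sender is external
      * Reply-To points at a different domain than From (replies get diverted)
      * wire-transfer / W-2 style request language in the subject or body
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    signals: list[str] = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name_key = display.strip().lower()

    if name_key in EXECUTIVES and addr != EXECUTIVES[name_key]:
        signals.append(f"display name '{display}' is an executive but address is {addr}")

    if "@" in display and from_domain != INTERNAL_DOMAIN:
        signals.append("display name contains an address but the real sender is external")

    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        reply_domain = reply_addr.lower().rsplit("@", 1)[-1]
        if reply_domain and reply_domain != from_domain:
            signals.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    for phrase in REQUEST_PHRASES:
        if phrase in text:
            signals.append(f"request language: '{phrase}'")
            break  # one language signal is enough
    return signals


def is_suspicious(raw_message: str) -> bool:
    """True when any impersonation signal fires."""
    return bool(bec_signals(raw_message))


# Constructed sample: an executive's name on an outside address, diverted replies,
# and a wire-transfer demand.
SAMPLE_IMPERSONATION = """From: Jane Doe <jane.doe@webmail-lookalike.test>
Reply-To: ceo-office@mail-relay.test
To: accounts@example-corp.test
Subject: Urgent wire transfer before close of business
Content-Type: text/plain; charset=utf-8

Please process the wire transfer today. I am in meetings, reply by email only.
"""

# Constructed sample: the same executive writing from the corporate domain.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.test>
To: accounts@example-corp.test
Subject: Q3 budget notes
Content-Type: text/plain; charset=utf-8

Attached are the notes from today's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("impersonation", SAMPLE_IMPERSONATION), ("legit", SAMPLE_LEGIT)):
        print(label, "->", bec_signals(sample) or "no signals")
```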

The FBI says these impersonation attacks have cost consumers and businesses more than $3 billion since 2015.

The alleged fraudsters are accused of carrying out several hundred “overt” acts of fraud against over a dozen victims, generating millions of dollars worth of fraud over several months. In some cases the fraudsters would hack into the email accounts of the person they were trying to impersonate to try to trick a victim into wiring money from a business into the fraudster’s bank account.

Several bank accounts run by the fraudsters contained over $30 million in stolen funds.

Developing… more soon.

This hacker’s iPhone charging cable can hijack your computer

Most people don’t think twice about picking up a phone charging cable and plugging it in. But one hacker’s project wants to change that and raise awareness of the dangers of potentially malicious charging cables.

A hacker who goes by the online handle MG took an innocent-looking Apple USB Lightning cable and rigged it with a small Wi-Fi-enabled implant, which, when plugged into a computer, lets a nearby hacker run commands as if they were sitting in front of the screen.

Dubbed the O.MG cable, it looks and works almost indistinguishably from an iPhone charging cable. But all an attacker has to do is swap out the legitimate cable for the malicious cable and wait until a target plugs it into their computer. From a nearby device within Wi-Fi range (or attached to a nearby Wi-Fi network), an attacker can wirelessly transmit malicious payloads to the computer, either from pre-set commands or an attacker’s own code.

Once plugged in, an attacker can remotely control the affected computer to send realistic-looking phishing pages to a victim’s screen, or remotely lock a computer screen to collect the user’s password when they log back in.

MG focused his first attempt on an Apple Lightning cable, but the implant can be used in almost any cable and against most target computers.

“This specific Lightning cable allows for cross-platform attack payloads, and the implant I have created is easily adapted to other USB cable types,” MG said. “Apple just happens to be the most difficult to implant, so it was a good proof of capabilities.”

In his day job as a red teamer at Verizon Media (which owns TechCrunch), he develops innovative hacking methods and techniques to identify and fix security vulnerabilities before malicious attackers find them. Although a personal project, MG said his malicious cable can help red teamers think about defending against different kinds of threats.

“Suddenly we now have victim-deployed hardware that may not be noticed for much longer periods of time,” he explained. “This changes how you think about defense tactics. We have seen that the NSA has had similar capabilities for over a decade, but it isn’t really in most people’s threat models because it isn’t seen as common enough.”

“Most people know not to plug in random flash drives these days, but they aren’t expecting a cable to be a threat,” he said. “So this helps drive home education that goes deeper.”

MG spent thousands of dollars of his own money and countless hours working on his project. Each cable took him about four hours to assemble. He also worked with several other hackers to write some of the code and develop exploits, and gave away his supply of hand-built cables to Def Con attendees with a plan to sell them online in the near future, he said.

But the O.MG cable isn’t done yet. MG said he’s working with others to improve the cable’s functionality and expand its feature set.

“It really just comes down to time and resources at this point. I have a huge list in my head that needs to become reality,” he said.

(via Motherboard)

With warshipping, hackers ship their exploits directly to their target’s mail room

Why break into a company’s network when you can just walk right in — literally?

Gone could be the days of having to find a zero-day vulnerability in a target’s website, or having to scramble for breached usernames and passwords to break through a company’s login pages. And certainly there will be no need to park outside a building and brute-force the Wi-Fi network password.

Just drop your exploit in the mail and let your friendly postal worker deliver it to your target’s door.

This newly named technique — dubbed “warshipping” — is not a new concept. Just think of the traditional Trojan horse rolling into the city of Troy, or when hackers drove up to TJX stores and stole customer data by breaking into the store’s Wi-Fi network. But security researchers at IBM’s X-Force Red say it’s a novel and effective way for an attacker to gain an initial foothold on a target’s network.

“It uses disposable, low cost and low power computers to remotely perform close-proximity attacks, regardless of the cyber criminal’s location,” wrote Charles Henderson, who heads up the IBM offensive operations unit.


A warshipping device. (Image: IBM/supplied)

The researchers developed a proof-of-concept device — the warship — about the size of a small phone, packed it into a parcel and dropped it off in the mail. The device, which cost about $100 to build, was equipped with a 3G-enabled modem, allowing it to be remote controlled so long as it had cell service. With its onboard wireless chip, the device would periodically scan for nearby networks — like most laptops do when they’re switched on — to track the location of the device in its parcel.

“Once we see that a warship has arrived at the target destination’s front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively, or actively, attack the target’s wireless access,” wrote Henderson.

Once the warship locates a Wi-Fi network from the mailroom or the recipient’s desk, it listens for wireless data packets it can use to break into the network. The warship listens for a handshake — the process of authorizing a user to log onto the Wi-Fi network — then sends that scrambled data over the cellular network back to the attacker’s servers, which have far more processing power to crack the hash into a readable Wi-Fi password.

With access to the Wi-Fi network, the attacker can navigate through the company’s network, seeking out vulnerable systems and exposed data, and steal sensitive data or user passwords.

All of this could be done covertly without anyone noticing — so long as nobody opens the parcel.

“Warshipping has all the characteristics to become a stealthy, effective insider threat — it’s cheap, disposable, and slides right under a target’s nose, all while the attacker can be orchestrating their attack from the other side of the country,” said Henderson. “With the volume of packages that flow through a mailroom daily — whether it be supplies, gifts or employees’ personal purchases — and in certain seasons those numbers soar dramatically, no one ever thinks to second guess what a package is doing here.”

The team isn’t releasing proof-of-concept code so as not to help attackers, but uses the technique as part of its customer penetration testing services — which help companies discover weak spots in their security posture.

“If we can educate a company about an attack vector like this, it dramatically reduces the likelihood of the success of it by criminals,” Henderson said.

StockX was hacked, exposing millions of customers’ data

It wasn’t “system updates” as it claimed. StockX was mopping up after a data breach, TechCrunch can confirm.

The fashion and sneaker trading platform pushed out a password reset email to its users on Thursday citing “system updates,” but left users confused and scrambling for answers. StockX told users that the email was legitimate and not a phishing email as some had suspected, but did not say what caused the alleged system update or why there was no prior warning.

A spokesperson eventually told TechCrunch that the company was “alerted to suspicious activity” on its site but declined to comment further.

But that wasn’t the whole truth.

An unnamed data breach seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data, but promised to soon put the stolen records up for sale on the dark web.

The seller provided TechCrunch with a sample of 1,000 records. We contacted customers and provided them with information only they would know from their stolen records, such as their real name and username combination and shoe size. Every person who responded confirmed their data as accurate.

The stolen data contained names, email addresses, hashed passwords, and other profile information — such as shoe size and trading currency. The data also included the user’s device type, such as Android or iPhone, and the software version. Several other internal flags were found in each record, such as whether or not the user was banned or if European users had accepted the company’s GDPR message.

Under those GDPR rules, a company can be fined up to four percent of its global annual revenue for violations.

When reached prior to publication, neither spokesperson Katy Cockrel nor StockX founder Josh Luber responded to a request for comment.

StockX was last month valued at over $1 billion after a $110 million fundraise.

Clothing marketplace Poshmark confirms data breach

Poshmark, an online marketplace for buying and selling clothes, has reported a data breach.

The company said in a brief blog post that user profile information, including names and usernames, gender and city data was taken by an “unauthorized third party.” Email addresses, size preferences, and scrambled passwords were also taken.

Poshmark said it used the bcrypt hashing algorithm to scramble the passwords — one of the stronger algorithms available.

The company also said “internal” preferences, such as email and push notifications, were taken.

Financial data and physical address information was not compromised, the company said.

The marketplace said it retained outside forensics firm Kroll to investigate the breach. It also said it has rolled out “enhanced security measures” without elaborating. Spokesperson Sera Michael said law enforcement was contacted but not state regulators “because the nature of the information was not financial.”

Poshmark is said to have some 50 million users.
