Hitachi Vantara acquires what’s left of Containership

Hitachi Vantara, the wholly owned subsidiary of Hitachi that focuses on building hardware and software to help companies manage their data, today announced that it has acquired the assets of Containership, one of the earlier players in the container ecosystem, which shut down its operations last October.

Containership, which launched as part of our 2015 Disrupt New York Startup Battlefield, started as a service that helped businesses move their containerized workloads between clouds, but like so many similar startups, it then moved on to focus solely on Kubernetes and helping enterprises manage their Kubernetes infrastructure. Before it called it quits, the company’s specialty was managing multi-cloud Kubernetes deployments. The company wasn’t able to monetize its Kubernetes efforts quickly enough, though, it said at the time in a blog post that it has since removed from its website.

“Containership enables customers to easily deploy and manage Kubernetes clusters and containerized applications in public cloud, private cloud, and on-premise environments,” writes Bobby Soni, the COO for digital infrastructure at Hitachi Vantara. “The software addresses critical cloud native application issues facing customers working with Kubernetes such as persistent storage support, centralized authentication, access control, audit logging, continuous deployment, workload portability, cost analysis, autoscaling, upgrades, and more.”

Hitachi Vantara tells me that it is not acquiring any of Containership’s customer contracts or employees and has no plans to keep the Containership brand. “Our primary focus is to develop new offerings based on the Containership IP. We do hope to engage with prior customers once our new offerings become commercially available,” a company spokesperson said.

The companies did not disclose the price of the acquisition. Pittsburgh-based Containership only raised about $2.6 million since it was founded in 2014, though, and things had become pretty quiet around the company in the last year or two before its early demise. Chances are then that the price wasn’t all that high. Investors include Birchmere Ventures, Draper Triangle and Innovation Works.

Hitachi Vantara says it will continue to work with the Kubernetes community. Containership was a member of the Cloud Native Computing Foundation. Hitachi never was, but after this acquisition, that may change.

FBI Arrests Alleged Owner of Deer.io, a Top Broker of Stolen Accounts

FBI officials last week arrested a Russian computer security researcher on suspicion of operating deer.io, a vast marketplace for buying and selling stolen account credentials for thousands of popular online services and stores.

Kirill V. Firsov was arrested Mar. 7 after arriving at New York’s John F. Kennedy Airport, according to court documents unsealed Monday. Prosecutors with the U.S. District Court for the Southern District of California allege Firsov was the administrator of deer.io, an online platform that hosted more than 24,000 shops for selling stolen and/or hacked usernames and passwords for a variety of top online destinations.

An example seller’s panel at deer.io.

The indictment against Firsov says deer.io was responsible for $17 million worth of stolen credential sales since its inception in 2013.

“The FBI’s review of approximately 250 DEER.IO storefronts reveals thousands of compromised accounts posted for sale via this platform and its customers’ storefronts, including videogame accounts (gamer accounts) and PII files containing user names, passwords, U.S. Social Security Numbers, dates of birth, and victim addresses,” the indictment states.

In addition to facilitating the sale of hacked accounts at video streaming services like Netflix and Hulu and social media platforms like Facebook, Twitter and Vkontakte (the Russian equivalent of Facebook), deer.io also is a favored marketplace for people involved in selling phony social media accounts.

For example, one early adopter of deer.io was a now-defunct shop called “Dedushka” (“grandpa” in transliterated Russian), a service offering aged, fake Vkontakte accounts that was quite popular among crooks involved in various online dating scams.

The indictment doesn’t specify how prosecutors pegged Firsov as the mastermind behind deer.io, but there are certainly plenty of clues that suggest such a connection. 

Firsov’s identity on Twitter says he is a security researcher and developer who currently lives in Moscow. Previous tweets from that account indicate Firsov made a name for himself after discovering a number of serious security flaws in Telegram, a popular cross-platform messaging application.

Firsov also tweeted about competing in and winning several “capture the flag” hacking competitions, including the 2016 and 2017 CTF challenges at Positive Hack Days (PHDays), an annual security conference in Moscow.

Isis’ profile on antichat.

Deer.io was originally advertised on the public Russian-language hacking forum Antichat by a venerated user in that community who goes by the alias “Isis.” A Google Translate version of that advertisement is here (PDF).

In 2016, Isis would post to Antichat a detailed writeup on how he was able to win a PHDays hacking competition (translated thread here). In one section of the writeup Isis claims authorship of a specific file-dumping tool, and links to a Github directory under the username “Firsov.”

In another thread from June 2019, an Antichat user asks if anyone has heard from Isis recently, and Isis pops up a day later to inquire what he wants. The user asks why Isis’s site — a video and music search site called vpleer[.]ru — wasn’t working at the time. Isis responds that he hasn’t owned the site for 10 years.

According to historic WHOIS records maintained by DomainTools.com (an advertiser on this site), vpleer was originally registered in 2008 to someone using the email address hm@mail.ru.

That same email address was used to register the account “Isis” at several other top Russian-language cybercrime forums, including Damagelab, Zloy, Evilzone and Priv-8. It also was used in 2007 to register xeka[.]ru, a cybercrime forum in its own right that called itself “The Antichat Mafia.”

A cached copy of the entry page for xeka[.]ru. Image courtesy archive.org.

More importantly, that same hm@mail.ru email address was used to register accounts at Facebook, Foursquare, Skype and Twitter in the name of Kirill Firsov.

Russian hacking forums have taken note of Firsov’s arrest, as they do whenever an alleged cybercriminal in their midst gets apprehended by authorities; typically such a user’s accounts are then removed from the forum as a security precaution. An administrator of one popular crime forum posted today that Firsov is a 28-year-old from Krasnodar, Russia who studied at the Moscow Border Institute, a division of the Russian Federal Security Service (FSB).

Firsov is slated to be arraigned later this week, when he will face two felony counts, specifically aiding and abetting the unauthorized solicitation of access devices, and aiding and abetting trafficking in “false authentication features.” A copy of the indictment is available here (PDF).

Microsoft Patch Tuesday, March 2020 Edition

Microsoft Corp. today released updates to plug more than 100 security holes in its various Windows operating systems and associated software. If you (ab)use Windows, please take a moment to read this post, backup your system(s), and patch your PCs.

All told, this patch batch addresses at least 115 security flaws. Twenty-six of those earned Microsoft’s most-dire “critical” rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.

Given the sheer number of fixes, mercifully there are no zero-day bugs to address, nor were any of them detailed publicly prior to today. Also, there were no security patches released by Adobe today. But there are a few eyebrow-raising Windows vulnerabilities worthy of attention.

Recorded Future warns exploit code is now available for one of the critical bugs Redmond patched last month in Microsoft Exchange (CVE-2020-0688), and that nation state actors have been observed abusing the exploit for targeted attacks.

One flaw fixed this month in Microsoft Word (CVE-2020-0852) could be exploited to execute malicious code on a Windows system just by getting the user to load an email containing a booby-trapped document in the Microsoft Outlook preview pane. CVE-2020-0852 is one of just four remote code execution flaws Microsoft patched this month in versions of Word.

One somewhat ironic weakness fixed today (CVE-2020-0872) resides in a new component Microsoft debuted this year called Application Inspector, a source code analyzer designed to help Windows developers identify “interesting” or risky features in open source software (such as the use of cryptography, connections made to a remote entity, etc).

Microsoft said this flaw can be exploited if a user runs Application Inspector on a hacked or booby-trapped program. Whoops. Animesh Jain from security vendor Qualys says this patch should be prioritized, despite being labeled as less severe (“important” versus “critical”) by Microsoft.

For enterprises, Qualys recommends prioritizing the patching of desktop endpoints over servers this month, noting that most of the other critical bugs patched today are prevalent on workstation-type devices. Those include a number of flaws that can be exploited simply by convincing a Windows user to browse to a malicious or hacked Web site.

While many of the vulnerabilities fixed in today’s patch batch affect Windows 7 operating systems, this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.

Update, 7:50 p.m.: Microsoft has released an advisory about a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. Critical SMB (Windows file-sharing) flaws are dangerous because they are typically “wormable,” in that they can spread rapidly to vulnerable systems across an internal network with little to no human interaction.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server,” Microsoft warned. “To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

Microsoft’s advisory says the flaw is neither publicly disclosed nor exploited at the moment. It includes a workaround to mitigate the flaw in file-sharing servers, but says the workaround does not prevent the exploitation of clients.

macOS Malware Researchers | How To Bypass XProtect on Catalina

In macOS 10.15 Catalina, Apple have made a number of security improvements, including hardening the system by making all executable files subject to scanning by XProtect, regardless of whether the file is tagged with the com.apple.quarantine bit or not. For security researchers, this means it’s now no longer possible to run malware known to XProtect just by removing the quarantine bit with the xattr utility, as has always been the case on older versions of macOS. This is great news for users, but potentially a problem for researchers who want to explore the finer details of how a sample known to XProtect actually behaves. In this post, we’ll look at the ways researchers can bypass this hardening and still run known malware on Catalina if they need to.

Why You Might Want to Run Known Malware on Catalina

Not so long ago, researchers probably wouldn’t have cared much about malware known to XProtect, as XProtect was updated only infrequently and didn’t cover a lot of threats known to the macOS research community. On top of that, prior to Catalina, XProtect was always easy to bypass anyway. 

Times have changed, however, and Apple have belatedly come to recognize that Macs are being targeted in the wild by a variety of different threat actors. In recent months, Apple have not only been updating their internal security tools more frequently but also discovering some threats ahead of other researchers. It’s great to see Apple taking a lead, but Apple rarely shares threat intel, and if the threat is blocked by XProtect on Catalina, it prevents researchers from diving deeper into how the threat works. That deep dive is necessary for at least two reasons. First, we want to develop mitigations and blocks that are more effective than the legacy methods used by XProtect; and second, we want to be able to analyse malware behavior and track campaigns in order to get ahead of threat actors. That’s only possible when we have a deep understanding of what threat actors are doing.

How To Run Known Malware Samples on Catalina

Given that we can no longer just remove the com.apple.quarantine bit to allow malware to run on Catalina, researchers must resort to other tactics. There are a number of options.

First, we could just run the sample on an earlier version of macOS, like 10.14 for example, where we can use the usual XProtect bypass. That might be fine for some situations, but it means that we cannot test Catalina-specific behavior. Moreover, once we move on to 10.16 and beyond, the OS on our test machines will be increasingly behind those actually in use and targeted by malware authors. Eventually, we’ll end up with an OS that doesn’t even support the malware at all, so in the long-term, another solution is needed.

A second possibility is to disable SIP and modify the XProtect file (such as by removing all the signatures). While there’s no problem doing that in a lab machine or a VM used specifically for testing malware, it’s what I would call a ‘dirty’ solution. OK, as a last resort, but the problem is that with SIP turned off, you may run into further issues with malware behaving differently in such an unusual environment. Malware authors know that real users rarely run with SIP disabled, and one easy anti-analysis technique they can use is to run csrutil status then quit or alter behavior accordingly.

The third possibility is to determine what rule the sample is triggering, and then modify the sample to avoid the rule. XProtect long ago became much more than just a simple hash-based file scanner. It now uses Yara rules, so just appending a byte or two to the end of the sample to change the computed file hash won’t work. However, as we’ll see, it’s still possible to get around XProtect with a little work, but there are a couple of ‘gotchas’ to watch out for, as I’ll explain below.

How to Damage Your Computer on macOS 10.15 and Higher

Of course, we mean “damage” your disposable VM instance that you have isolated properly before running malware! Once you’re in a safe, disposable environment, the first task is to determine what rule our malware is rubbing up against. For the purposes of this post, I’m going to use this sample, which at the time of posting is undetected by any of the static engines on VT:

174c5712759c4abd2bdfc1b93f4c990011c45aeed236e89c1c864b1e8379c54d

image of sample showing no detections on Virus Total malware repository site

On Catalina, we still have to remove the com.apple.quarantine bit to get past both Gatekeeper and Notarization requirements.

$ xattr -rc ~/mdworker_share.app

However, as we see when we try to detonate the sample, although VT does not know about this malware, XProtect does. 

image showing alert dialog from XProtect on Catalina blocking the sample

That means we first have to examine our malware and compare it against the rules in XProtect.yara to find a match. I’ve written before about how to reverse XProtect’s signature definitions, so refer to that post for the skinny on that. 

If you are trying to test malware that is already known on VT or other repository, then you may get a clue by looking at the malware’s detection name there, but Apple’s newer signatures do not use common malware names. Nowadays, Apple prefer to use meaningless alphanumeric identifiers like those shown below to obscure what they are detecting:

image of new rules added

If, like the sample we’re using here, your malware is unknown to reputation engines and it is being blocked by XProtect, then look through the newer XProtect rules first. At least at present, newer rules tend to be at the top of the file, but I find it useful to keep a regular eye on changes to XProtect in order to see what’s changed each time, which makes the process faster and easier. 

You may have to grep strings from the rules against your sample’s binary till you find a match. 

image of grepping a binary for a particular string

In the case of this example, it turns out that the strings match the rule for what Apple call MACOS.b264ff6, which was added in XProtect v2112.

image showing yara rule for the sample

We can load the malware sample into a hex editor and search for the rules in hex to confirm if our sample matches the requirements:

image showing finding a hex string in hex fiend application

Of course, ensure your sample meets the exact condition specified, not just one string. For this rule, we need one hit each from a string in the sets of $a and $b, as well as a hit on the string $c.

Macho and filesize < 3000000 and (1 of ($a*)) and (1 of ($b*)) and $c

How to Patch a Binary to Bypass XProtect Yara Rules

Given that this rule has a filesize in the condition, we can choose either to append junk data to the end of the binary or to modify one of the strings specified in the rule. This rule says the executable must be under 3MB, and in fact our sample is only 86KB, so that’s a lot of junk to add. Nevertheless, appending junk to the binary is easy enough. Doing it this way may take a few minutes, but you can simply substitute the number from the condition for the second number in the braces below, and the loop will bloat the file to well over the required size:

for i in {1..3000000}; do echo '0' >> mdworker_share; done   # each iteration appends "0\n" (2 bytes), so this adds roughly 6 MB

image of how to bloat a file

Although this method works fine on this particular sample, it’s both clumsy and may cause a different sample to alter its behavior if, for example, it conducts self-checks on its own file size. Also, although currently pretty much all XProtect rules specify a filesize in the conditions, that may not hold true in the future. Thus, we should also think about patching the binary rather than just appending junk data to it.
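The condition quoted earlier (one hit from each of $a and $b, plus $c, on a Mach-O under 3,000,000 bytes) and the fragility of its filesize term are easier to reason about with a small harness. What follows is an added example, not code from this post, from SentinelOne or from Apple’s XProtect: a minimal Python evaluator for the shape of that condition, run against constructed byte blobs. The Mach-O magic check, every PLACEHOLDER_* string, and the sample layout are assumptions; only the $b2 and $b4 strings come from the post. It shows that padding the file past the cap defeats the rule while every detection string is still present, that the same rule without the filesize term still fires on the padded file, and how many strings of each set a sample actually hits, which is the coverage a detection engineer wants to know before shipping a rule built on `1 of` clauses.

```python
"""Minimal evaluator for a rule condition of the shape

    Macho and filesize < 3000000 and (1 of ($a*)) and (1 of ($b*)) and $c

Added example, not XProtect's or the post's own code. Everything marked
'constructed' or 'placeholder' below is an assumption for illustration.
"""

# Mach-O magics this toy 'Macho' check accepts (64-bit LE, 64-bit BE, fat).
# Assumption: the real private rule in XProtect.yara may test more than this.
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe")

# Placeholder stand-ins for the rule's string sets. Only $b2 and $b4 are the
# strings quoted in the post; every PLACEHOLDER_* value is constructed.
RULE = {
    "a": [b"PLACEHOLDER_A1", b"PLACEHOLDER_A2"],
    "b": [
        b"PLACEHOLDER_B1",
        b"didCancelAuthenticationChallenge",  # $b2, from the post
        b"PLACEHOLDER_B3",
        b"/usr/sbin/system_profiler",         # $b4, from the post
    ],
    "c": [b"PLACEHOLDER_C"],
}
MAX_FILESIZE = 3000000  # the 'filesize < 3000000' term of the condition


def is_macho(data: bytes) -> bool:
    """Toy stand-in for the 'Macho' private rule: look at the first four bytes."""
    return data[:4] in MACHO_MAGICS


def hits(data: bytes, strings: list) -> list:
    """Strings of one set that occur in the sample. YARA's '1 of ($x*)' is true
    when this list has at least one entry; '$c' alone is true when $c occurs."""
    return [s for s in strings if s in data]


def evaluate(data: bytes, rule: dict, enforce_size: bool = True) -> bool:
    """Evaluate the condition. enforce_size=False models the same rule with the
    filesize term removed, which is the variant a rule author should prefer."""
    if not is_macho(data):
        return False
    if enforce_size and len(data) >= MAX_FILESIZE:
        return False
    return all(bool(hits(data, rule[name])) for name in ("a", "b", "c"))


def coverage(data: bytes, rule: dict) -> dict:
    """How many strings of each set the sample hits. A set with exactly one hit
    means a single byte change in the sample breaks that whole clause."""
    return {name: len(hits(data, strings)) for name, strings in rule.items()}


def build_sample(extra: bytes = b"") -> bytes:
    """Constructed stand-in for the post's sample: a Mach-O magic, some filler
    and exactly one string from each set ($a1, $b2, $c), plus optional padding."""
    return (
        MACHO_MAGICS[0]
        + b"\x00" * 64
        + b"PLACEHOLDER_A1"
        + b"\x00" * 16
        + b"didCancelAuthenticationChallenge"
        + b"\x00" * 16
        + b"PLACEHOLDER_C"
        + extra
    )


SAMPLE = build_sample()
# The post's loop appends "0\n" (2 bytes) 3,000,000 times: about 6 MB of padding.
PADDED = build_sample(b"0\n" * 3000000)


def report() -> dict:
    """Summarise the three outcomes a detection engineer should compare."""
    return {
        "original_matches": evaluate(SAMPLE, RULE),                        # True
        "padded_matches": evaluate(PADDED, RULE),                          # False: size cap
        "padded_matches_without_size_term": evaluate(PADDED, RULE, False), # True
        "coverage": coverage(SAMPLE, RULE),                                # {'a': 1, 'b': 1, 'c': 1}
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it directly to see the four values. The coverage line is the one worth acting on: a set the sample hits with exactly one string is a clause the sample can escape with a one-byte change, so a rule author who wants the detection to survive trivial edits should prefer strings that co-occur, drop the filesize upper bound, and check that each `1 of` set is hit more than once by the samples it is meant to catch.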

There are a few ‘gotchas’ to look out for when patching binaries, which I’ll list in the next section, but the first and most immediate one you have to look out for is making sure you don’t change something that will break or alter the malware’s behavior. For example, suppose our sample has the $b4 string specified in the rule for MACOS.b264ff6:

 $b4 = { /usr/sbin/system_profiler }

We shouldn’t just change that to some junk string, as that may prevent our malware from working properly or at all on execution. Instead, we could change that path to another path (of equal length) and put a copy of the system_profiler binary there on our test machine. For example, we could create /tmp/sbin/system_profiler, then patch usr to say tmp in the binary. When the malware runs, it will get what it expects.

The patching itself is just a case of using a hex editor like Hex Fiend and doing a search and replace on every occurrence of the unique strings or hex bytes in the rule. Where you have a choice, choose code that ideally only appears in one place to reduce the risk of breaking the sample. 

This particular sample we’re using matches strings $a1, $b2 and $c. We only need to change one of them to break the match. String $b2 looks like a method name that will only be called if the user cancels the request for authorization. 

        $b2 = { didCancelAuthenticationChallenge }

As I don’t plan to do that on my test, I’ll just change the first few characters of this method name in Hex Fiend and then save the binary.

image of replace after find in hex fiend

In the worst case scenario, where the malware conducts internal checks on its own code integrity or you cannot find a value to change without affecting the malware’s behavior, you may have to make such a patch to first get the launch through XProtect, then unpatch the binary in the debugger to return it to its original state before the internal checks or patched code is executed. This involves setting a breakpoint on your patched code (remember you have to patch/unpatch it everywhere it appears) and then supplying the original value before continuing. 

Some ‘Gotchas’ When Patching Binaries

My sample is now ready to run, but before we launch it let’s just go over some gotchas to make sure we’ve done everything right.

First, make sure you only replace and not add bytes within the binary. While it’s fine to append junk onto the end of the binary, any patches you make within it should not add extra bytes, or you’ll shift all the offsets and the code won’t run.

Second, make sure your patch tools can save binaries without corrupting them. Ghidra, for example, doesn’t seem able to patch and save without corrupting the binary. Hex Fiend is probably your best friend here, but of course other tools should work also.

Third, when you patch, you’ll break any code signing that might exist. That’s normally not a problem, since you’re going to disable code signing checks anyway by removing the com.apple.quarantine bit, but if you do need the binary to be validly code signed (e.g., if it checks its own code signature) either use an ad hoc signature to re-sign it after patching, or patch or jump the method that returns the code signing check in the binary.

Fourth, if you run a sample on Catalina and it gets blocked by XProtect, don’t patch the same instance that got blocked. It looks like Catalina, either via XProtect or LaunchServices, remembers a file that has been blocked, and won’t run it after that no matter how much you patch it. Thus, patch a clean copy of the malware on another machine or VM then transfer it over. Remember to remove the quarantine bit before you try to launch.

If you avoid all the above ‘gotchas’, you should now be able to detonate your malware and happily continue your macOS reverse engineering explorations of its behavior!

SAMPLES

mdworker_share.app.zip

791157ca6a1f10ee209ea71ffa0f8c9109028f4d1013d092276a6a7e50e1b2a4
174c5712759c4abd2bdfc1b93f4c990011c45aeed236e89c1c864b1e8379c54d
46724f195ea18e82d833ed92637a20ed95f9afe1ef749aa06c9156f2719ce389

helper.app.zip

0ac25a8dd9134284406248110ad66dbdb7f4ec557570be02fb9f92bee93727bf
fa88ca779f16e7adbe0702db8473883c20b0aaa69a2345d07c81d322ff2bc990

terninal.app.zip

cbc7751d5fcca12d9e7ea2fd90862d14af8d024710ff22f5457a2f8d427b7fee


Box is now letting all staff work from home to reduce coronavirus risk

Box has joined a number of tech companies supporting employees to work remotely from home in response to the outbreak of the novel coronavirus.

It’s applying the policy to all staff, regardless of location.

Late yesterday Box co-founder Aaron Levie tweeted a statement detailing the cloud computing company’s response to COVID-19, the name of the disease caused by the coronavirus — to, as he put it, “ensure the availability of our service and safety of our employees”.

In recent days Twitter has similarly encouraged all staff members to work from home. While companies including Amazon, Google, LinkedIn and Microsoft have also advised some staff to work remotely to reduce the risk of exposure to the virus.

In its response statement Box writes that it’s enacted its business continuity plans “to ensure core business functions and technology are operational in the event of any potential disruption”.

“We have long recognized the potential risks associated with service interruptions due to adverse events, such as an earthquake, power outage or a public health crisis like COVID-19, affecting our strategic, operational, stakeholder and customer obligations. This is why we have had a Business Continuity program in place to provide the policies and plans necessary for protecting Box’s operations and critical business functions,” the company writes.

In a section on “workforce resilience and business continuity” it notes that work from home practices are a normal part of its business operations but says it’s now extending the option to all its staff, regardless of the office or location they normally work out of — saying it’s doing so “out of an abundance of caution during COVID-19”.

Other measures the company says it’s taken to further reduce risk include suspending all international travel and limiting non-essential domestic travel; reducing large customer events and gatherings; and emphasizing health and hygiene across all office locations — “by maintaining sanitation supplies and encouraging an ‘if you are sick, stay home’ mindset”.

It also says it’s conducting all new hire orientation and candidate interviews virtually.

Box names a number of tools it says it routinely uses to support mobility and remote working, including its own service for secure content collaboration; Zoom’s video communication tool; the Slack messaging app; Okta for secure ID; plus additional unnamed “critical cloud tools” for ensuring “uninterrupted remote work for all employees”.

Clearly spying the opportunity to onboard new users, as more companies switch on remote working as a result of COVID-19 concerns, Box’s post also links to free training resources for its own cloud computing tools.

This report was updated with a correction to clarify that COVID-19 is the disease caused by the novel coronavirus, rather than another name for the virus.

TFLiving, with $4.8M in seed funding, wants to be the Uber for amenities

TFLiving, looking to bring amenities to residential and commercial spaces, has today announced the close of a $4.8 million seed financing led by Camber Creek. Courtside Ventures and other strategic investors also participated in the round.

TFLiving uses technology to connect service providers, like massage therapists, yoga instructors and dog walkers, with property managers and their residents. The service allows residents to sign up for classes or services, as well as request other community events or services, directly from an app.

The most popular use case of the service is fitness, both classes and individual trainings, but TFLiving offers a relatively broad variety of services and experiences to residents at its 300 partnered properties.

Here’s how it works.

TFLiving signs partnerships with property managers of buildings that don’t currently offer amenities, or want to complement existing amenity offerings. After checking out the building, TFLiving determines if there is any under-utilized space in the building, such as a rooftop or a vacant unit, that could be repurposed for community classes.

After evaluating the space, TFLiving surveys residents via the app to determine what they’re interested in, and the app then serves up options from actual service providers on the platform, within the property manager’s financial guidelines.

One of the strengths of the business, according to founder and CEO Devin Wirt, is that the cost structure of the platform is highly customizable. Who pays is a question that can be answered by the property manager. If the building has a huge budget for community engagement and the property manager sees value in offering five classes/month and unlimited on-demand massage, they can choose to do so. The property manager can also grant TFLiving access to the building without paying a dime, passing on the full cost of the service to residents.

In most cases, property managers will foot the bill for community events, while residents pay for their own individual services like massage and dog walking.

Because TFLiving’s pricing is based on service and not calculated by number of units, the product can be priced at an affordable cost within the budget of the property and based on demand from the residents.

TFLiving also allows property managers to mark up the class or service and keep a cut of the profit. For example, if a property manager doesn’t have the budget for community classes or services, but doesn’t mind letting residents book individual personal training in the on-site gym, that property manager can mark up the cost of fitness classes by 20% and generate some revenue that could eventually go toward community events.

“One of the things that we stay pretty stringent on is just how far they’re able to market the prices,” said Wirt. “As a core mission of staying affordable to all asset classes, we understand that because we’re not paying a lease, we’re able to charge below market pricing. We still want to stay true to our core mission that we want to provide affordable services.”

Unlike ClassPass, which also connects service providers to users in the fitness space, TFLiving does not dynamically price its various classes and services based on popularity or quality. Fitness classes, for example, are always between $50 and $80, with geography being the main determining factor on specific price.

The company declined to share the revenue breakdown between the company and service providers, but noted that it varies by vertical and that service providers receive a majority of the revenue.

TFLiving currently has agreements with properties across 29 states, with contracts at more than 800 properties, soon covering more than 200,000 units.

Wirt says that he sees the potential to implement TFLiving in commercial spaces as well, such as offices.

Moreover, TFLiving has worked on the tech side to be as useful, not necessarily as prominent, as possible. TFLiving integrates with a variety of property management platforms, from mobile doorman apps to platforms for paying rent to maintenance requests. Residents using those apps can request and book TFLiving amenities straight from those platforms.

How the information system industry became enterprise software

If you were a software company employee or venture capitalist in Silicon Valley before 1993, chances are you were talking about “Information Systems Software” and not “Enterprise Software.” How and why did the industry change its name?

The obvious, but perplexing, answer is simple — “Star Trek: The Next Generation.”

As befuddling and mind-numbingly satisfying as it is to your local office Trekkie, the industry rebranded itself thanks to a marketing campaign from the original venture-backed system software company, Boole & Babbage (now BMC software).

While the term “Enterprise” was used to describe complex systems for years before 1993, everything changed when Boole & Babbage signed a two-year licensing agreement with the then-highest-rated show in syndication history to produce an infomercial.

Star Trek fans have been talking about this crazy marketing agreement for years, and you can read the full details about how it was executed in TrekCore. But even Trekkies don’t appreciate its long-term impacts on our industry. In this license agreement with Paramount, Boole & Babbage had unlimited rights to create and distribute as much Star Trek content as they could. They physically mailed VHS cassettes to customers, ran magazine ads and even dressed their employees as members of Starfleet at trade shows. Boole & Babbage used this push to market itself as the “Enterprise Automation Company.”

Commander Riker says in the infomercial, “just as the bridge centralizes the functions necessary to control the USS Enterprise, Boole’s products centralize data processing information to allow centralized control of today’s complex information systems.” This seemed to scratch an itch that other systems companies didn’t realize needed scratching.

Not to be outdone, IBM in 1994 rebranded their OS/2 operating system “OS/2 Warp,” referring to Star Trek’s “warp drive.” They also tried to replicate Boole & Babbage’s licensing agreement with Paramount by hiring the Enterprise’s Captain Picard (played by actor Patrick Stewart) to emcee the product launch. Unfortunately, Paramount wouldn’t play ball, and IBM hired Captain Janeway (played by actress Kate Mulgrew) from Star Trek: Voyager instead. The licensing issues didn’t stop IBM from also hiring Star Trek’s Mr. Spock (played by actor Leonard Nimoy) to tape a five-minute intro to the event.

Outside of OS/2, IBM’s 1994 announcement list included 13 other “enterprise” initiatives. Soon, leading software companies began to rebrand themselves and release products using the term “enterprise software” as a valuable identifier. MRP software makers like SAP and Baan began embracing the new “Enterprise” moniker after 1993, and in 1995 Lotus rebranded itself as an “Enterprise Software Company.”

“Enterprise” was officially the coolest new vernacular, and after industry behemoth IBM bought Lotus in 1996, they incorporated “Enterprise” across all of their products. And while Gartner’s 1990 paper “ERP: A Vision of the Next-Generation MRP II” by Wylie is the technical birth of ERP software, no one cared until Commander Riker told Harold to “monitor your entire Enterprise from a single point of control.” The ngram numbers don’t lie.

Almost 30 years later, we live in a world in which business is run on enterprise software and the use of the term is ubiquitous. Whenever I see a software business plan come across my desk or read an article on enterprise software, I can’t help but give Commander Riker a little due credit.

China Roundup: Enterprise tech gets a lasting boost from coronavirus outbreak

Hello and welcome back to TechCrunch’s China Roundup, a digest of recent events shaping the Chinese tech landscape and what they mean to people in the rest of the world. This week, a post from Sequoia Capital sounding the alarm of the coronavirus’s impact on businesses is reaching far corners of tech communities around the world, including China.

Many echo Sequoia’s observation that the companies that are the “most adaptable” are the likeliest to survive. Others cling to the hope of “[turning] a challenging situation into an opportunity to set yourself up for enduring success.”

Two weeks ago I wrote about how the private sector and the government in China are working together to contain the epidemic, bringing a temporary boost to the technology industry. This week I asked a number of investors and founders which of these changes will stand to last, and why.

B2B on the rise

The business-to-business (B2B) space was rarely a hot topic in China until online consumer businesses became relatively saturated in recent times. And now, the COVID-19 epidemic has unexpectedly breathed life into the once-boring field, which stretches from virtual meetings, online education, digital healthcare, cybersecurity, telecommunications and logistics to smart cities, according to analysis from investment firm Yunqi Partners.

For one, there is an obvious opportunity for remote collaboration tools as people work from home. Downloads of indigenous work apps like Dingtalk, WeChat Work, TikTok’s sister Lark as well as America’s Zoom jumped exponentially amid the health crisis. While some argue that the boom is overblown and will dissipate as soon as businesses are back to normal, others suggest that the shift in behavior will endure.

Like other work collaboration services, Zoom soared in China amid the coronavirus outbreak, jumping from No. 180 in late January to No. 28 as of late February in overall app installs. Data: App Annie 

“People are reluctant to change once they form a new habit,” suggests Joe Chan, partner at Hong Kong-based Mindworks Ventures. The virus outbreak, he believes, has educated the Chinese masses to work remotely.

“Meeting in person and through Zoom both have their own merits, depending on the social norm. Some people are used to thinking that relationships need to be established through face-to-face encounters, but those who don’t hold that view will have fewer meetings. [The epidemic] presents a chance for a paradigm shift.”

But changes are slow

Growth in enterprise businesses might be less visible than what China witnessed during the SARS epidemic, which fueled internet consumer verticals such as ecommerce. That’s because software-as-a-service (SaaS), cloud computing, health tech, logistics and other enterprise-facing services are intangible for most consumers.

“Compared to changes in consumer behavior, the adoption of new technologies by enterprises happens at a slower pace, so the impact of coronavirus on new-generation innovations [B2B] won’t come as rapidly and thoroughly as what happened during SARS,” contended Jake Xie, vice president of investment at China Growth Capital.

Xie further suggested that the opportunities presented by the outbreak are reserved for companies that have been steadily investing in the field, in part because enterprise services have a longer life cycle and require more capital-intensive infrastructure. “Opportunists don’t stand a chance,” he concluded.

As for changing consumer behavior, such as the uptick in grocery delivery usage by seniors trapped indoors, the impact might be short-lived. “The only benefit that the epidemic brings to these apps is getting more people to try their services. But how many of them will stay? The argument that people will keep using these apps over concerns of getting sick in offline markets is unsubstantiated. The strength of a business lies in its ability to solve user problems in the long term, for example, providing affordability and convenience,” suggested Derek Shen, chairman of Danke Apartment, the Chinese co-living startup slated to list on NYSE.

Summoned by Beijing

The adjacent sector of enterprise services — at-scale technologies tailored to energizing government functions — has also seen traction over the course of the epidemic. Private firms in China have teamed up with regional authorities to better track people’s movements, ramp up facial recognition capacities aimed at a mask-wearing public, and develop contact-free consumer experiences, among other measures.

Tech firms touting services to the government are no strangers to criticism concerning the lack of transparency in how user data is used. But the appeal to private firms is huge, not only because state contracts tend to provide a steady stream of long-term revenue, but also because certain public-facing projects can be billed as a fulfillment of corporate social responsibilities. Following the virus outbreak, Chinese tech companies of all sizes hastened to offer contributions, with efforts ranging from making monetary donations to building tools that keep the public informed.

On the flip side, the government also needs private help in emergency management. As prominent Chinese historian Luo Xin poignantly pointed out in podcast SurplusValue’s recent episode [1:00:00], some of the most efficient and effective responses to the public health crisis came not from the government but the private sector, whether it is online retailer JD.com or logistics firm SF Express delivering relief supplies to the epicenter of the outbreak.

That said, Luo argued there are signs that some local authorities’ tendency to centralize control is getting in the way of private efforts. For example, some government offices have stumbled in their attempts to develop crisis management systems from scratch, overlooking a pool of readily available and proven infrastructure powered by the country’s tech giants.

U.S. Govt. Makes it Harder to Get .Gov Domains

The federal agency in charge of issuing .gov domain names is enacting new requirements for validating the identity of people requesting them. The additional measures come less than four months after KrebsOnSecurity published research suggesting it was relatively easy for just about anyone to get their very own .gov domain.

In November’s piece It’s Way Too Easy to Get a .gov Domain Name, an anonymous source detailed how he obtained one by impersonating an official at a small town in Rhode Island that didn’t already have its own .gov.

“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source said. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”

While what my source did was technically wire fraud (obtaining something of value via the Internet through false pretenses), cybercriminals bent on using fake .gov domains to hoodwink Americans likely would not be deterred by such concerns.

“I never said it was legal, just that it was easy,” the source told KrebsOnSecurity. “I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records.”

Now, Uncle Sam says in a few days all new .gov domain applications will include an additional authorization step.

“Effective on March 10, 2020, the DotGov Program will begin requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain,” reads a notice published March 5 by the U.S. General Services Administration, which oversees the .gov space.

“This is a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain,” the statement continues. “This step will help maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations.”

The GSA didn’t say whether it was putting in place any other safeguards, such as more manual verification of .gov domain applications. It certainly hadn’t followed up on the fraudulent application from my source before granting him the .gov domain name he sought (exeterri[.]gov). The GSA only did that four days after I asked them for comment, and approximately 10 days after they’d already granted the phony domain request.

“GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls,” the agency said in a written statement at the time, without elaborating on what those additional controls might be.

But I’m left to wonder: If I’m a bad guy who’s willing to forge someone’s signature and letterhead in a fraudulent application for a .gov domain, why wouldn’t I also be willing to fake a notarization? Especially when there are plenty of services in the cybercrime underground that specialize in spoofing these phony attestations for a small fee.

“This is a classic case of ‘we must do something’ and this is certainly something,” said John Levine, a domain name expert, consultant and author of the book The Internet for Dummies.

Levine said it would not be terribly difficult for the GSA to do a slightly more thorough job of validating .gov domain requests, but that some manual verification probably would be required. Still, he said, it’s not clear how big a threat fake .gov domains really are.

“As far as we know, only one person tried to fake a .gov,” Levine said. “Maybe this is good enough?”

The Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security, has argued that more needs to be done to secure the .gov domain space, and is making a play to wrest control over the process from the GSA.

The DOTGOV bill, introduced in October 2019, would “ensure that only authorized users obtain a .gov domain, and proactively validate existing .gov holders,” according to a statement CISA shared with this author last year.

The Good, the Bad and the Ugly in Cybersecurity – Week 10

The Good

International crime rings are responsible for the worst type of criminal activities. Perhaps the most hideous of these is Child Sexual Exploitation and Abuse. The internet in general, and the dark web in particular, has allowed the “consumers” (pedophiles, sex offenders) and the “producers” to interact in a stealthy manner, and to escape the long hand of law enforcement agencies. Moreover, since these crimes involve multiple geographies, it was assumed that the chances of perpetrators being caught and brought to justice were slim. That’s why we are so pleased to hear that member states of the “Five Eyes” (Australia, Canada, New Zealand, the UK, and the US) and six major tech firms (Facebook, Google, Microsoft, Roblox, Snap and Twitter) are working together to combat online child exploitation and abuse. This week, the tech firms committed to implementing a new framework, published in the document “Voluntary Principles to Counter Online Child Sexual Exploitation and Abuse”, across all their platforms.

The framework consists of 11 principles grouped into seven categories; together, they aim to reduce the potential malicious use of social media and internet technologies to search for and distribute such materials. Cooperation between tech giants and law enforcement agencies is not trivial, and we hope it will foster an atmosphere of trust and information sharing that will have a substantial impact on reducing if not eliminating the very worst kind of all cyber crimes.   

[Figure: excerpt from the framework document on targeting live streaming]

Indeed, while international cooperation is imperative for fighting global criminal activities in general, alone it’s not enough. When it comes to battling cyber crime and offensive cyber activities, speed and knowledge sharing are of the essence. This is why Estonia, Lithuania, Croatia, Poland, the Netherlands and Romania have joined forces and agreed to create European Union Cyber Rapid Response Teams (CRRTs), led by Lithuania. The CRRT teams will be ready to intervene in the “neutralization and investigation of dangerous cyber incidents virtually or, if necessary, physically,” the Lithuanian Defense Ministry said in a press release. A great week for the good guys.

The Bad

It is almost two years since the introduction of GDPR (May 2018), but it seems that some companies have yet to grasp the full damage resulting from data breaches. The regulation was intended to improve the state of data security and privacy, but judging by recent events, it seems that companies still need more time to implement the right safeguards or that they have chosen to simply pay the associated fines instead of achieving high levels of security to prevent such breaches. Carrier T-Mobile has announced a data breach that exposed personal and financial information of some of its customers. The breach was caused by an email vendor being hacked, and the data leak contained social security numbers, financial information, government ID numbers, billing information, and rate plans. Affected customers were informed via text message.

[Figure: text message alert from T-Mobile informing customers of the data breach]

This is not the first time T-Mobile has suffered such an incident; the previous one happened less than two years ago. Not to be outdone, the British media giant Virgin Media has announced that a massive database containing the personal details of 900,000 people was left unsecured and accessible online for 10 months. During this time, it was accessed at least once. Not that it took any hacking skills to do so; the company admits that the database was not protected due to human error which led to a “misconfiguration”. It was compiled for marketing purposes and contained phone numbers, home and email addresses.

The Ugly

The world seems to be in turmoil nowadays, with more and more countries entering the “Corona Impact Zone”. As if that wasn’t bad enough, there will always be people who try to capitalize on the situation. And where better to profit from this epidemic than in Italy, the country hit the hardest (so far) outside of Asia.

A recent malware campaign reached about 10% of all the organizations in Italy by disguising a malicious attachment as an official document from the World Health Organization containing all the necessary precautions to take against coronavirus infection.

[Figure: MS Office prompt asking the user to enable macros]

Opening the document results in a request to “Enable Editing” and “Enable Content”. If granted, the TrickBot banking trojan installs itself on the user’s machine. It is yet another example of how cybercriminals will cynically exploit whatever opportunity comes their way. The good news is that unlike the actual virus, this pest can easily be avoided by practicing good cyber hygiene.
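The macro-enabled lure described above is the kind of attachment a mail gateway can triage before anyone sees the “Enable Content” prompt. The Python below is an added example, not code from the article or from any vendor named here: it classifies Office attachments by content rather than by file extension, and the OOXML samples it checks are constructed in memory with placeholder bytes standing in for a real VBA project.

```python
"""Triage Office attachments for embedded VBA macros (added example).

Verdicts: 'macro' (OOXML with a VBA project), 'legacy-ole' (binary
.doc/.xls format, needs deeper inspection), 'clean', or 'not-office'.
All sample inputs are constructed here; no real document is used.
"""
import io
import zipfile

# OLE2 compound-file signature used by legacy .doc/.xls/.ppt binaries.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Zip members whose presence means the OOXML package carries VBA.
VBA_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Classify by content; the filename extension is deliberately ignored."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"
            # Check both the member list and the declared content types,
            # so a package that only advertises the part is caught too.
            if any(member in names for member in VBA_MEMBERS):
                return "macro"
            if VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "clean"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package for the demonstration (not a real document)."""
    ctypes = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            ctypes += b'<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + b'"/>'
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not VBA
        zf.writestr("[Content_Types].xml", ctypes + b"</Types>")
    return buf.getvalue()


def triage(attachments: dict) -> dict:
    """Map attachment name -> verdict; anything not 'clean' goes to an analyst."""
    return {name: classify_attachment(data) for name, data in attachments.items()}


if __name__ == "__main__":
    samples = {  # constructed sample attachments
        "WHO_precautions.doc": OLE_MAGIC + b"\x00" * 504,
        "WHO_precautions.docm": build_ooxml(with_macro=True),
        "newsletter.docx": build_ooxml(with_macro=False),
        "invoice.pdf": b"%PDF-1.4 ...",
    }
    for name, verdict in triage(samples).items():
        print(f"{name:24s} {verdict}")
```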
