U.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs

A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars, according to a new alert issued by the U.S. Secret Service.

A memo seen by KrebsOnSecurity that the Secret Service circulated to field offices around the United States on Thursday says the ring has been filing unemployment claims in different states using Social Security numbers and other personally identifiable information (PII) belonging to identity theft victims, and that “a substantial amount of the fraudulent benefits submitted have used PII from first responders, government personnel and school employees.”

“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far,” the Secret Service warned. “The primary state targeted so far is Washington, although there is also evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida.”

The Secret Service said the fraud network is believed to consist of hundreds of “mules,” a term used to describe willing or unwitting individuals who are recruited to help launder the proceeds of fraudulent financial transactions.

“In the state of Washington, individuals residing out-of-state are receiving multiple ACH deposits from the State of Washington Unemployment Benefits Program, all in different individuals’ names with no connection to the account holder,” the notice continues.

The Service’s memo suggests the crime ring is operating in much the same way as crooks who specialize in filing fraudulent income tax refund requests with the states and the U.S. Internal Revenue Service (IRS), a perennial problem that costs the states and the U.S. Treasury hundreds of millions of dollars in revenue each year.

In those schemes, the scammers typically recruit people — often victims of online romance scams or those who also are out of work and looking for any source of income — to receive direct deposits from the fraudulent transactions, and then forward the bulk of the illicit funds to the perpetrators.

A federal fraud investigator who spoke with KrebsOnSecurity on condition of anonymity said many states simply don’t have enough controls in place to detect patterns that might help better screen out fraudulent unemployment applications, such as looking for multiple applications involving the same Internet addresses and/or bank accounts. The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.

The alert follows news reports by media outlets in Washington and Rhode Island about millions of dollars in fraudulent unemployment claims in those states. On Thursday, The Seattle Times reported that the activity had halted unemployment payments for two days after officials found more than $1.6 million in phony claims.

“Between March and April, the number of fraudulent claims for unemployment benefits jumped 27-fold to 700,” the state Employment Security Department (ESD) told The Seattle Times. The story noted that the ESD’s fraud hotline has been inundated with calls, and received so many emails last weekend that it temporarily shut down.

WPRI in Rhode Island reported on May 4 that the state’s Department of Labor and Training has received hundreds of complaints of unemployment insurance fraud, and that “the number of purportedly fraudulent accounts is keeping pace with the unprecedented number of legitimate claims for unemployment insurance.”

The surge in fraud comes as many states are struggling to process an avalanche of jobless claims filed as a result of the Coronavirus pandemic. The U.S. government reported Thursday that nearly three million people filed unemployment claims last week, bringing the total over the last two months to more than 36 million. The Treasury Department says unemployment programs delivered $48 billion in payments in April alone.

A few of the states listed as key targets of this fraud ring are experiencing some of the highest levels of unemployment claims in the country. Washington has seen nearly a million unemployment claims, with almost 30 percent of its workforce currently jobless, according to figures released by the U.S. Chamber of Commerce. Rhode Island is even worse off, with 31.4 percent of its workforce filing for unemployment, the Chamber found.

“The banks targeted have been at all levels including local banks, credit unions, and large national banks,” the Secret Service alert concluded. “It is extremely likely every state is vulnerable to this scheme and will be targeted if they have not been already.”

Kustomer acquires Reply.ai to enhance chatbots on its CRM platform

Last December, when CRM startup Kustomer was announcing its latest round of funding — a $60 million round led by Coatue — its co-founder and CEO Brad Birnbaum said it would use some of the money to build more RPA-style automations into its platform to expand KustomerIQ, its AI-based product that helps understand and respond to customer enquiries to take some of the more repetitive load off of agents. Today, Kustomer is announcing some M&A that will help in that strategy: it is acquiring Reply.ai, a startup originally founded in Madrid that has built a code-free platform for companies to create customised chatbots to handle customer service enquiries, chatbots that use machine learning to become better over time at responding to those inbound contacts.

Kustomer, which has raised more than $170 million and is now valued at $710 million (per PitchBook), said it is not disclosing the financial terms of the deal.

Reply.ai — whose customers include Coca-Cola, Starbucks, Samsung, and a number of retailers and major ad and marketing agencies working on behalf of clients — had by comparison raised a modest $4 million in funding (with the last round back in 2018). Its list of investors included strategic backers like Aflac and Westfield (the shopping mall giant), as well as Seedcamp, Madrid’s JME Ventures, and Y Combinator, where Reply.ai was a part of its Startup School cohort in 2017.

Birnbaum said that the conversation for acquiring Reply.ai started before the global health pandemic — the two already worked together, as part of Reply.ai’s integrations with a number of CRM platforms. But active discussions, due diligence, and the closing of the deal were all done over Zoom. “We were fortunate that we got to meet before corona, but for the most part we did this remotely,” he said.

Reply.ai was founded back in 2016 — the year when chatbots suddenly became all the rage — and it managed to make it through that and then the subsequent trough of disillusionment, when a lot of the early novelty wore off after they were discovered to be not quite as effective as many had hoped or assumed they would be. One of the reasons for Reply.ai’s survival was that it had proven to be a builder of effective applications in one of the only segments of the market to become a willing customer and user of chatbots: customer service.

While a large part of the CRM industry — estimated to be worth some $40 billion in 2019 —  is still based around human interactions, there has been a growing push to leverage advances in AI, cloud services, and use of the internet as a point of interaction to bring more automation into the process, both to help those who are agents deal with more tricky issues, and to help bring overall costs down for those who rely on customer support as part of their service proposition.

That trend, if anything, is only getting a boost right now. In some cases, agents are unable to work because of social distancing rules in cases where customer queries cannot be handled by remote workers. In others, companies are seeing a lot of financial pressure and are looking to reduce expenses. But at the same time, with more people at home and unable to make physical queries at stores, the whole medium of customer support is seeing new levels of usage.

Kustomer has been taking on the bigger names in CRM, including Salesforce (where Birnbaum and his cofounder Jeremy Suriel previously worked), Zendesk and Oracle, by providing a platform that makes it easier for human agents to handle inbound “omnichannel” customer requests — another big trend, leveraging the rise of multiple messaging and communications platforms as potential routes to both speaking to customers and seeing them complain for all the world to see. So moving deeper into chatbots and other AI-powered tools is a natural progression.

Birnbaum said that one of its key interests with Reply.ai was its focus on “deflection” — the term for using non-human tools and services to help resolve inbound requests before needing to call in a human agent. Reply.ai’s tools have been shown to help deflect 40% of initial inbound queries, he noted.

“Some companies have been dealing with a significant increase in inbound volume, and it’s been hard to scale their teams of agents, especially when they are remote,” he said. “So those companies are looking for ways to respond more rapidly. So anything they can do to help with that deflection and let their agents be more productive to drive higher levels of satisfaction, anything that can enable self-service, is what this is about.”

Other tools in the Reply toolkit, in addition to its chatbot-building platform and deflection capabilities, include agent-assistant tools for suggesting relevant answers, as well as suggestions for tagging (for analytics) and re-routing.

“We are excited for Reply to join Kustomer and share its mission to make customer service more efficient, effective and personalized,” said Omar Pera, one of Reply.ai’s founders, in a statement. “As a long-time partner of Kustomer, we are able to seamlessly integrate our deflection and chatbots technologies into Kustomer’s platform and help brands more cost-effectively increase efficiency. We look forward to working with Brad and the entire team.”

Google makes it easier to migrate VMware environments to its cloud

Google Cloud today announced the next step in its partnership with VMware: the Google Cloud VMware Engine. This fully managed service provides businesses with a full VMware Cloud Foundation stack on Google Cloud to help businesses easily migrate their existing VMware-based environments to Google’s infrastructure. Cloud Foundation is VMware’s stack for hybrid and private cloud deployments.

Given Google Cloud’s focus on enterprise customers, it’s no surprise that the company continues to bet on partnerships with the likes of VMware to attract more of these companies’ workloads. Less than a year ago, Google announced that VMware Cloud Foundation would come to Google Cloud and that it would start supporting VMware workloads. Then, last November, Google Cloud acquired CloudSimple, a company that specialized in running VMware environments and that Google had already partnered with for its original VMware deployments. The company describes today’s announcement as the third step in this journey.

VMware Engine provides users with all of the standard Cloud Foundation components: vSphere, vCenter, vSAN, NSX-T and HCX. With this, Google Cloud General Manager June Yang notes in today’s announcement, businesses can quickly stand up their own software-defined data center in the Google Cloud.

“Google Cloud VMware Engine is designed to minimize your operational burden, so you can focus on your business,” she notes. “We take care of the lifecycle of the VMware software stack and manage all related infrastructure and upgrades. Customers can continue to leverage IT management tools and third-party services consistent with their on-premises environment.”

Google is also working with third-party providers like NetApp, Veeam, Zerto, Cohesity and Dell Technologies to ensure that their solutions work on Google’s platform, too.

“As customers look to simplify their cloud migration journey, we’re committed to build cloud services to help customers benefit from the increased agility and efficiency of running VMware workloads on Google Cloud,” said Bob Black, Dell Technologies Global Lead Alliance Principal at Deloitte Consulting. “By combining Google Cloud’s technology and Deloitte’s business transformation experience, we can enable our joint customers to accelerate their cloud migration, unify operations, and benefit from innovative Google Cloud services as they look to modernize applications.”

Why we’re doubling down on cloud investments right now

Years from now, people will look back on the COVID-19 pandemic as a watershed moment for society and the global economy.

Wearing a mask might be as common as owning a phone; telework, telemedicine and online education will be more of a norm than a backup plan; and for the global economy, the cloud will have transformed the underlying infrastructure of businesses and entire industries.

COVID-19 is a turning point for the cloud and cloud company founders. For its computing power and as a delivery model of software, the cloud has been embraced as a solution to many challenges that businesses face during today’s economic downturn and recovery. Not only is the cloud industry more resilient than other industries, but the cloud model offers businesses a promising future in the age of social distancing and beyond.

We believe that once founders find shelter in the cloud, they’ll never go back.

Cloud’s resiliency amid historic volatility

Over the past decade, there’s been a massive market shift from on-premises to cloud, as 94% of enterprises use at least one cloud service today. 2020 was already a milestone year for the cloud industry, as aggregate SaaS and IaaS run-rate revenue each crossed $100 billion, and the BVP Nasdaq Emerging Cloud Index (^EMCLOUD) market cap crossed $1 trillion in early February. Yet in a matter of days, as the COVID-19 pandemic spread, fear tore through financial markets.

In early March, public markets experienced the steepest crash in history with volatility we haven’t seen since the Great Recession. The cloud index market cap dropped to ~$750 billion and cloud multiples returned close to their historical averages of ~7x while the VIX volatility index spiked to the mid-80s. Both at global highs in February 2020, the ^EMCLOUD and the S&P 500 traded off by roughly 35% by mid-March. Over the next two months, though, the ^EMCLOUD recouped those losses, charging to a new all-time high on May 7.

The cloud index has continued its rise since then, and as of the close on May 11 has a market cap above $1.2 trillion and has returned to the lofty 12x forward run rate revenue multiples from 2019. Similar to Adobe in 2012, we expect many enterprises to transition over to the cloud model, and the index will continue to expand. As we predicted in this year’s State of the Cloud 2020, by 2025 we expect the cloud to penetrate 50% of enterprise software.

Adobe announces AI toolbox for Experience Platform

Most companies don’t have the personnel to do AI well, so they turn to platform vendors like Adobe for help. Like other platforms, it has been building AI into its product set for several years now, but wanted to give marketers a set of tools that take advantage of some advanced AI capabilities out of the box.

Today, the company announced five pre-packaged AI solutions specifically designed to give marketers more intelligent insight. Amit Ahuja, VP of ecosystem development at Adobe, says even before the pandemic, customers were struggling to deal with the onslaught of data and how they could use it to understand their customers better.

“There is so much data coming in, and customers are struggling to leverage this data — and not just for the purpose of analytics and insights, which is a huge part of it, but also to do predictive optimization,” Ahuja explained.

What’s more, we’ve known for some time that when there is so much data, it becomes impossible to make sense of it manually. Given that AI deals best with tons of data, Adobe wanted to take advantage of that, while packaging some popular data scenarios in a way that makes it easy for marketers to get insights.

That data comes from the Adobe Experience Platform, which is designed to pull data not only from Adobe products, but from a variety of enterprise sources to help marketers build a more complete picture of their customers and get answers to key questions.

Customer Insights AI helps users understand their customers better. Image Credit: Adobe

The company is announcing a total of five AI tools today, two of which are generally available with the remainder in Beta for now. For starters, Customer AI helps marketers understand why their customers do what they do. For instance, why they keep coming back or why they stopped. Attribution AI helps marketers understand how effective their strategies are, something that’s always important, but especially in this economy where effectively deploying spend is more important than ever.

The first of the Beta tools is Journey AI, which helps marketers decide the best channel to engage customers. Content and Commerce AI looks at the most effective way to deliver content and finally Leads AI looks at the visitors most likely to convert to customers.

These five are just a start, and the company plans to add new tools to the toolbox as customers look for additional insights from the data to help them improve their marketing outcomes.

Venafi acquires Jetstack, the startup behind the cert-manager Kubernetes certificate controller

It seems that we are in the middle of a mini acquisition spree for Kubernetes startups, specifically those that can help with Kubernetes security. In the latest development, Venafi, a vendor of certificate and key management for machine-to-machine connections, is acquiring Jetstack, a U.K. startup that helps enterprises migrate and work within Kubernetes and cloud-based ecosystems, which has also been behind the development of cert-manager, a popular, open-source native Kubernetes certificate management controller.

Financial terms of the deal, which is expected to close in June of this year, have not been disclosed, but Jetstack has been working with Venafi to integrate its services and had a strategic investment from Venafi’s Machine Identity Protection Development Fund.

Venafi is part of the so-called “Silicon Slopes” cluster of startups in Utah. It has raised about $190 million from investors that include TCV, Silver Lake and Intel Capital and was last valued at $600 million. That was in 2018, when it raised $100 million, so now it’s likely Venafi is worth more, especially considering its customers include the top five U.S. health insurers, the top five U.S. airlines, the top four credit card issuers, three out of the top four accounting and consulting firms, four of the top five U.S., U.K., Australian and South African banks and four of the top five U.S. retailers.

For the time being, the two organizations will continue to operate separately, and cert-manager — which has hundreds of contributors and millions of downloads — will continue on as before, with a public release of version 1 expected in the June-July time frame.

The deal underscores not just how Kubernetes-based containers have quickly gained momentum and critical mass in the enterprise IT landscape, in particular around digital transformation, but specifically the need to provide better security services around that at speed and at scale. The deal comes just one day after VMware announced that it was acquiring Octarine, another Kubernetes security startup, to fold into Carbon Black (an acquisition it made last year).

“Nowadays, business success depends on how quickly you can respond to the market,” said Matt Barker, CEO and co-founder of Jetstack. “This reality led us to re-think how software is built and Kubernetes has given us the ideal platform to work from. However, putting speed before security is risky. By joining Venafi, Jetstack will give our customers a chance to build fast while acting securely.”

To be clear, Venafi had been offering Kubernetes integrations prior to this — and Venafi and Jetstack have worked together for two years. But acquiring Jetstack will give it direct, in-house expertise to speed up development and deployment of better tools to meet the challenges of a rapidly expanding landscape of machines and applications, all of which require unique certificates to connect securely.

“In the race to virtualize everything, businesses need faster application innovation and better security; both are mandatory,” said Jeff Hudson, CEO of Venafi, in a statement. “Most people see these requirements as opposing forces, but we don’t. We see a massive opportunity for innovation. This acquisition brings together two leaders who are already working together to accelerate the development process while simultaneously securing applications against attack, and there’s a lot more to do. Our mutual customers are urgently asking for more help to solve this problem because they know that speed wins, as long as you don’t crash.”

The crux of the issue is the sheer volume of machines that are being used in computing environments, thanks to the growth of Kubernetes clusters, cloud instances, microservices and more, with each machine requiring a unique identity to connect, communicate and execute securely, Venafi notes, with disruptions or misfires in the system leaving holes for security breaches.

Jetstack’s approach to information security came by way of its expertise in Kubernetes, developing cert-manager specifically so that its developer customers could easily create and maintain certificates for their networks.

“At Jetstack we help customers realize the benefits of Kubernetes and cloud native infrastructure, and we see transformative results to businesses firsthand,” said Matt Bates, CTO and co-founder of Jetstack, in a statement. “We developed cert-manager to make it easy for developers to scale Kubernetes with consistent, secure, and declared-as-code machine identity protection. The project has been a huge hit with the community and has been adopted far beyond our expectations. Our team is thrilled to join Venafi so we can accelerate our plans to bring machine identity protection to the cloud native stack, grow the community and contribute to a wider range of projects across the ecosystem.” Both Bates and Barker will report to Venafi’s Hudson and join the bigger company’s executive team.

Microsoft is acquiring Metaswitch Networks to expand its Azure 5G strategy

Just weeks after announcing a deal to acquire 5G specialist Affirmed Networks, Microsoft is making another acquisition to strengthen its cloud-based telecoms offering. It’s acquiring Metaswitch Networks, a U.K.-based provider of cloud-based communications products used by carriers and network providers (customers include the likes of BT in the U.K., Sprint and the virtual network consortium RINA).

Terms of the deal were not disclosed in today’s announcement. Metaswitch’s investors included the PE firms Northgate and WRV, Francisco Partners and Sequoia, but it’s unclear how much it had raised or what its last valuation was. (The company has been around since 1981.)

The deal speaks to a growing focus from tech companies leveraging cloud architectures and the adoption of new networking technologies — specifically 5G — to capitalise on a bigger role in becoming service providers both to carriers and to those who would like to build carrier-like services (potentially bypassing telcos in the process), through the offering of virtualised products delivered from its cloud.

It comes just one day after Rakuten, the Japanese e-commerce and streaming services giant, announced that it would be acquiring Innoeye, another specialist in cloud-based communications services. Others like Amazon have also been building up their offerings in AWS serving the same market.

Microsoft describes the Metaswitch portfolio of cloud-native services — which include 5G data, voice and unified communications (contact center) products — as “complementary” to Affirmed.

“Microsoft intends to leverage the talent and technology of these two organizations, extending the Azure platform to both deploy and grow these capabilities at scale in a way that is secure, efficient and creates a sustainable ecosystem,” the company said. 

The migration to 5G represents a window of opportunity to companies that provide services to carriers. The latter have long been saddled with expensive, ageing equipment and now have the potential to replace some or all of that with software-based services, delivered via the cloud, that can be more easily updated and modified with market demand. That is the hope, at least. The reality may be that many carriers sweat out their assets and upgrade in small increments, as operational expenditure still represents a big investment and cost.

Microsoft is all too aware of that reality and also of the prospect of appearing like a threat, not a saviour.

“We will continue to support hybrid and multi-cloud models to create a more diverse telecom ecosystem and spur faster innovation, an expanded set of unique offerings and greater opportunities for differentiation,” it notes. “We will continue to partner with existing suppliers, emerging innovators and network equipment partners to share roadmaps and explore expanded opportunities to work together, including in the areas of radio access networks (RAN), next-generation core, virtualized services, orchestration and operations support system/business support system (OSS/BSS) modernization. A future that is interoperable has never been more important to ensure the success of customers and partners.”

Indeed, Microsoft’s been providing services to, and selling its own IT through, carriers for years before this. These latest acquisitions, however, represent a growing focus on what role it can play in that enterprise vertical in the years to come.

Hackers on Macs | What Are the Must-Have Apps & Tools?

Are you relatively new to the Mac platform and wondering what kind of tools are available for security research, malware analysis, reverse engineering and Mac infosec in general? While macOS shares a Unix heritage with Linux (it is BSD-derived) and thus has many tools in common (although often with different implementations), there is also a whole bunch of macOS-specific tools that you might not be aware of yet. In this post, I cover some of the essential tools that will help you with security-related work on macOS, from text editors and process monitors to disassemblers and networking tools. Most are free or inexpensive, and all are tools that I use on a regular basis.

Running macOS on a Virtual Machine

If you’re planning on doing any kind of investigation into Mac malware, want to set up a lab for attacking Mac clients or simply want to investigate macOS internals with System Integrity Protection turned off, then you’re going to need to set up some VMs (Virtual Machines), and for that you need some good virtualization software.

VMware is probably the most well-known commercial virtualization product out there, and of course it has a Mac version, called Fusion. Oracle’s VirtualBox is a capable free alternative, but it has some serious limitations for this use case, chiefly that macOS guests are not officially supported. If you’re primarily interested in running Mac VMs on a Mac host, my personal recommendation is Parallels. Although VMware Fusion runs macOS guests perfectly well, I find Parallels has somewhat smoother graphics performance. It’ll also run Windows and Linux guests just as well as VMware. The price and feature set are otherwise comparable.

General Purpose Text Editors for Mac

Nothing causes more controversy than a debate on “which is the best text editor”, so let’s get this one out of the way early! If you already have a favorite text editor you’ll hopefully find it’s already available on macOS. Atom, Brackets, and Sublime are all available on Apple’s desktop platform, but if you haven’t picked a favorite yet, then I’d recommend BBEdit from Bare Bones software. This Mac-specific text editor comes in a free version with no time restrictions, and offers a polite upsell for the extra features if you want them. I say ‘polite’ because there are no nags or reminders once you’ve passed the initial “trial” stage during which time all the extra features are enabled. You’ll only want to pay for it if you find the extra features are things you need (or you want to support the developers good work!).

BBEdit has lots of useful features, like easy diffing, multi-file search, line processing, grep and project workspaces, to name a few. Of course, it has all the usual things you’d expect in a good text editor, from column selection and multiple cursors to syntax highlighting, code folding and snippet management. It also has great automation features with Python-based text filters and the ability to run user-defined scripts on selected text or the entire document. Conveniently, you can also run scripts that you’re editing within BBEdit itself. This editor has pretty much every feature I can imagine. A true workhorse.

It’s also worth mentioning, for those not familiar with the Mac, that the powerful Vi text editor (in practice, vim) is built in and available for free on the command line. Vi is a multi-purpose tool that’s great for coding and reverse engineering. Because it has its own command line, you can run shell commands from within (and on) your current editing session, which is extremely useful. For example, if you open a binary file in Vi (use vi -b so it doesn’t alter line endings or trailing newlines), you can dump it to hex without leaving the editor by issuing the command

:%!xxd

After making your edits, revert back to binary before saving:

:%!xxd -r

The % range means the command is applied to every line of the buffer, while the ! pipes that range through the external command line utility xxd and replaces it with the output. We use xxd‘s -r switch to revert the hex dump back to binary format; note that xxd -r reads only the hex columns, so the ASCII column on the right can be left stale while you edit. Vi can have a steep learning curve, but it will pay you back in spades. Start here for a quick intro.
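The same dump, edit and revert cycle done non-interactively, as an added example that is not part of the original post. It assumes xxd is installed (it ships with vim and is present on macOS) and uses a constructed 16-byte Mach-O header as the “binary”: a dump-and-revert with no edits is checked with cmp to show the bytes survive untouched, and then the filetype field is patched in the hex text before reverting, which is exactly what happens when you edit the buffer between :%!xxd and :%!xxd -r.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the
# ":%!xxd" / ":%!xxd -r" round trip. Needs xxd plus POSIX sed, cmp, mktemp.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input: first 16 bytes of an x86_64 Mach-O executable
# header (magic 0xfeedfacf, cputype, cpusubtype, filetype), little-endian.
# Not a runnable binary, just realistic bytes to edit.
make_sample() {
    printf '\317\372\355\376\007\000\000\001\003\000\000\000\002\000\000\000' > "$1"
}

# Dump to hex and back with no edits; prints "ok" when the bytes are unchanged.
roundtrip_unchanged() {
    make_sample "$WORK/orig.bin"
    xxd "$WORK/orig.bin" > "$WORK/orig.hex"       # same as :%!xxd
    xxd -r "$WORK/orig.hex" > "$WORK/back.bin"    # same as :%!xxd -r
    if cmp -s "$WORK/orig.bin" "$WORK/back.bin"; then echo ok; else echo differ; fi
}

# Patch the filetype field (offset 12, 4 bytes LE) from MH_EXECUTE (2) to
# MH_DYLIB (6) by editing the hex text, revert, and print the patched field
# as plain hex so the result can be checked.
patch_filetype() {
    make_sample "$WORK/in.bin"
    xxd "$WORK/in.bin" > "$WORK/in.hex"
    # xxd groups bytes in pairs: "... 0300 0000 0200 0000  ................"
    # The double space marks the end of the hex columns, so the pattern only
    # matches the last group on the line (the filetype field).
    sed 's/ 0200 0000  / 0600 0000  /' "$WORK/in.hex" > "$WORK/patched.hex"
    xxd -r "$WORK/patched.hex" > "$WORK/out.bin"
    xxd -p -s 12 -l 4 "$WORK/out.bin"
}

roundtrip_unchanged   # prints: ok
patch_filetype        # prints: 06000000
```

Editing the hex text with sed instead of by hand is the scriptable form of the same workflow; if the dump is edited by hand in Vi, keep each line’s group layout intact, since xxd -r relies on the offset and the hex columns, not on the ASCII column.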

For Hex editing specifically, I find the native hexdump and xxd utilities sufficient for my needs, but Hex Fiend is a useful GUI alternative.

IDEs and Code Editors on the Mac

All of the above text editors can be used for coding, but if you’re looking for a rich-featured development environment there are other options. The default on the Mac is of course Xcode, which is free and available for download from the Apple Mac App Store. As I’ll say more about later, you will want to install Xcode’s command line tools regardless of whether you have a need for the IDE or not.

Microsoft’s Visual Studio Code is also available on the Mac (and is also free) and provides a very nice, slick and powerful editor with tonnes of plug-ins. If you’re coming to macOS from the Linux world, you’ll be pleased to know that Geany is also available on the Mac. 

I don’t really have a favorite among these. I use all three of them from time to time depending on what language I’m working with: typically, Xcode for Objective-C and Swift; Geany for pure C and Go; Visual Studio Code for Python, PowerShell (yes, PowerShell is available on the Mac, too!), JavaScript and everything else.

Finally, if you plan on working with AppleScript in any shape or form, and there’s a few good reasons for doing that from a security perspective, ignore the built-in Script Editor (located at /Applications/Utilities/Script Editor if you can’t!) and grab a copy of Script Debugger, which will save you endless hours of headaches. Like BBEdit, this software has an open-ended free version and non-aggressive upsell for the extra features.

How to Install Xcode Command Line Tools

The Xcode Command Line Tools are an absolute must-have and one of the first things I always load up on any macOS install, virtual or bare metal. Installing the command line tools is simple. Just open a Terminal window and type:

$ xcode-select --install

Click “Install” to download and install Xcode Command Line Tools. You can choose to include or ignore downloading the Xcode IDE at the same time.

There are over a hundred tools packaged here, including such essentials as strings, nm, python3, otool and lldb.

Package, Archive and Disk Image Inspectors

If you were wondering what tool I used in the previous screenshot to inspect the Command Line Tools package, let me introduce you to Pacifist, one of two essential tools for inspecting packages, archives and disk images. Pacifist is shareware and free to use with a time delay on launch, but only costs $20 to support.

Another useful tool you should have in your armoury for inspecting .pkg files is the free Suspicious Package tool from the developers Mothers Ruin Software. What I particularly love about this application is the robust AppleScript support, which makes it possible to automate searching packages for specific capabilities, items and strings.

Disassemblers and Debuggers for macOS

All the major reversing tools from other platforms are available on macOS. These include IDA Pro, radare2, Binary Ninja and Ghidra. There’s also the built-for-Mac Hopper disassembler.

There’s also the GUI version of radare2, Cutter, as yet another alternative.

If you download the free Xcode Command Line tools as suggested above, you’ll gain access to otool and lldb, which along with Hopper and radare2, are my personal favorites for macOS static and dynamic reversing work. 

Mac Tools for Process and File Monitoring

Process and File monitoring are basic functions you need for any kind of malware dynamic analysis, bug hunting or software reverse engineering. If you execute 

$ apropos snoop

on the command line, you’ll see there are a few built-in utilities based on DTrace for file and process monitoring.

Unfortunately, these have been somewhat castrated by System Integrity Protection, so you really have to run them on a SIP-less VM client to get much value out of them on recent versions of macOS.

The native command line fs_usage utility is still useful for displaying system calls relating to the filesystem, and to that end FSMonitor provides a convenient graphical interface. Once free, the tool is now proprietary, but it’s very reasonably priced (~$19 at the time of writing).

FSEvents are written to disk by the OS and can be found in the root of each volume in a hidden directory called /.fseventsd. In order to access them, you’ll have to drop down to root and cd into the directory, but inside you’ll be met by some very unfriendly gzip-compressed data. Fortunately, FSEventsParser comes to the rescue here. This free tool allows you to parse and extract data relevant to specific enquiries. You can define your own, but lots of pre-made queries are available that will help you to report on most aspects of file activity.
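To show what those gzip-compressed /.fseventsd files actually contain, here is a minimal parser written for this guide (it is not FSEventsParser's code, and Apple does not document the format). It assumes the page layout that public parsers rely on: a "1SLD"/"2SLD" magic, four unknown bytes and a little-endian page size, followed by records of a NUL-terminated path (relative to the volume root), an 8-byte event id, 4-byte flags and, in DLS2 pages, an 8-byte node id; the flag-bit names and the sample page are constructed assumptions.

```python
import gzip
import struct

# Assumed flag bits (subset); anything unrecognised is reported as hex.
FLAG_NAMES = {
    0x00000001: "FolderEvent", 0x00000020: "EndOfTransaction",
    0x00008000: "FileEvent", 0x01000000: "Created",
    0x02000000: "Removed", 0x08000000: "Renamed", 0x10000000: "Modified",
}

def decode_flags(flags):
    names = [n for bit, n in sorted(FLAG_NAMES.items()) if flags & bit]
    return names or ["0x%08x" % flags]

def parse_fsevents(raw):
    """Parse one gzip-compressed fseventsd file into a list of event dicts."""
    data = gzip.decompress(raw)
    events, off = [], 0
    while off + 12 <= len(data):
        magic = data[off:off + 4]
        if magic not in (b"1SLD", b"2SLD"):
            raise ValueError("bad page magic at offset %d: %r" % (off, magic))
        page_len = struct.unpack_from("<I", data, off + 8)[0]
        dls2 = magic == b"2SLD"
        pos, end = off + 12, off + page_len          # skip the 12-byte page header
        while pos < end:
            nul = data.index(b"\x00", pos, end)      # path is NUL-terminated
            path = data[pos:nul].decode("utf-8", "replace")
            event_id, flags = struct.unpack_from("<QI", data, nul + 1)
            node_id = struct.unpack_from("<Q", data, nul + 13)[0] if dls2 else None
            events.append({"path": path, "event_id": event_id,
                           "flags": decode_flags(flags), "node_id": node_id})
            pos = nul + 1 + (20 if dls2 else 12)     # fixed-size tail of the record
        off = end
    return events

def events_under(events, prefix):
    """A tiny 'query': events whose path starts with prefix (e.g. a LaunchAgents dir)."""
    return [e for e in events if e["path"].startswith(prefix)]

def build_sample():
    """Constructed DLS2 page with two records; sample data, not a real fseventsd file."""
    records = [("Users/demo/Documents/report.txt", 0x1000, 0x00008000 | 0x01000000, 12345),
               ("Users/demo/Library/LaunchAgents/com.example.agent.plist",
                0x1001, 0x00008000 | 0x10000000, 12346)]
    body = b"".join(p.encode() + b"\x00" + struct.pack("<QIQ", eid, fl, node)
                    for p, eid, fl, node in records)
    page = b"2SLD" + b"\x00" * 4 + struct.pack("<I", 12 + len(body)) + body
    return gzip.compress(page)

if __name__ == "__main__":
    for ev in parse_fsevents(build_sample()):
        print(ev["event_id"], ev["path"], ",".join(ev["flags"]))
```

On a real system you would feed parse_fsevents() the bytes of each file under /.fseventsd (read as root) and use events_under() or your own filters in place of FSEventsParser's pre-made queries.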

Process monitoring on the Mac can of course be achieved through Activity Monitor.app and the command line tools ps and top. Jaron Bradley’s TrueTree repo offers a more nuanced look at process hierarchies while Patrick Wardle’s TaskExplorer offers a convenient way to explore processes and see the signature status, loaded dylibs, open files, network connections and even VirusTotal status for each file backing a running process. 

For a far more informative utility than the native top, try Jonathan Levin’s Process Explorer, which has a more useful interactive mode than the native tool. For example, pressing the Enter key on a process line will reveal more details about it, and processes can be filtered by name using the “/” key and specifying the process name.

Networking Tools For macOS

Because macOS is Unix-based, you’ll find most of the standard network tools already present, including nc (aka netcat), ping, trace, ipconfig and so on. Note that both ftp and telnet are not available by default on the Mac since 10.13, High Sierra.

There is a useful built-in utility Network Utility.app (located at /System/Library/CoreServices/Applications/Network Utility.app) that combines a number of useful functions like Netstat, Whois and Port Scanning.

A version of the packet analyzer Wireshark is available for the Mac, and there is also the free, Mac-specific CocoaPacketAnalyzer tool as an alternative.

The venerable Little Snitch undoubtedly remains the de facto standard firewall / network monitoring tool on the platform. Although it isn’t free, it’s not expensive either (less than $50 at the time of writing), and even if you never use its many excellent features, just having it running on your system is a good deterrent for a number of macOS malware strains that exit when they detect that Little Snitch is present. 

SQL Database Viewers

If you’re doing any kind of investigation into macOS itself or Incident Response, you’re going to need to be comfortable with SQLite. The Mac comes with a sqlite3 command line utility built-in, a front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. 

For GUI interfaces, the commercial TablePlus offers a modern, slick interface and can be used for free, but the free version limits you to no more than three open databases at a time. Personally, I prefer the open source DB Browser for SQLite. Though not particularly pretty, it’s robust, feature-rich and well-maintained.

Miscellaneous Tools

In this section I list a few other utilities that I find very useful but which don’t fall into an easy category.

The first is a free little application called RB App Checker Lite. This provides a GUI front end to the system’s codesign and spctl utilities, and gives a very quick, nice and informative overview of the validity of an application bundle’s codesigning status. Unfortunately, the app appears to be in legacy status, but it still works well enough on the current version of macOS Catalina.

The Mach-O Explorer is a graphical Mach-O viewer for macOS that aims to provide a feature set similar to the venerable MachOView application. 

In a similar vein, dsdump is a modern replacement for the older class-dump utility for displaying the compiled Swift types and Objective-C classes in a Mach-O binary.

Finally, one of every reverse engineer’s basic tools is the strings utility. It’s worth noting that the macOS version of this tool is a little different from its Linux cousin, and in particular does not handle the same range of encodings. Fortunately, there is a great, free alternative called FLOSS that will serve you much better.

Conclusion

In this guide, I’ve tried to focus on tools that are particularly useful for those engaged in security research and infosec on the Mac platform. I’ve covered some tools that may be familiar from other platforms, but tried primarily to highlight macOS-specific tools that newcomers to the platform might not be familiar with yet or might not easily discover on their own. There should be enough here to get you set up with most of what you need for any macOS security research task, but of course, there’s plenty more to be discovered. Undoubtedly, as with any guide of this nature, I’ll have overlooked someone’s favorite essential tool (sorry!). If so, by all means hit me up on Twitter and let me know, and perhaps we can include it in an update to this guide. 




SirionLabs raises $44M to scale its contract management software

SirionLabs, a startup that provides contract management software to enterprises, has raised $44 million in a new financing round as it looks to expand and handle a surge in demand from clients.

Tiger Global and Avatar Growth Capital led the Seattle-headquartered startup’s Series C round. The eight-year-old startup, which was founded in India, has raised $66 million to date. The new round values the startup at about $250 million. Indian VC fund Avatar has long invested in SaaS startups in India, an area that Tiger Global has also made serious bets on in recent quarters.

Enterprises broadly handle two kinds of contracts, one when they are buying things from a supplier for which they use a procurement contract, and the other when they are selling things to customers, when a sales contract comes into play.

A significant number of companies today handle these contracts manually with different teams within an organization often dealing with the same entity, which leads to discrepancies in their promises. Teams work in silos and often don’t know the terms others in the organization have already agreed upon.

That’s where SirionLabs comes into the picture. “We use artificial intelligence and natural language processing to connect the dots between contracts and what happens after the contract has been signed,” explained Ajay Agrawal, cofounder, chairman and chief executive of the startup, in an interview with TechCrunch.

“For us, it’s not just creating a contract, but also realizing the promises that have been made in those contracts,” he said. SirionLabs also audits the invoice of suppliers, which has enabled its customers to save a significant amount of money.

SirionLabs today hosts contracts in over 40 languages for more than 200 of the world’s largest companies including Credit Suisse, Vodafone, EY, Unilever, Abbvie, BP, and Fujitsu.

Agrawal said the startup has seen a 4X growth in the number of customers it has signed up in the last 18 months. Part of the new capital would go into handling their demand. He said the coronavirus crisis has resulted in many companies becoming more cautious about what they promise in their contracts.

The startup, which just opened a technology center in Seattle, also plans to open an AI laboratory in Washington state to fuel technology innovation and grow sales.

It has also hired several industry veterans including the appointment of Amol Joshi as chief revenue officer, Anu Engineer as chief technology officer, Mahesh Unnikrishnan as chief product officer, and Vijay Khera, who will serve as chief customer officer.

Vishal Bakshi, founder and managing partner at Avatar Growth Capital, said he expects SirionLabs, which competes with Apttus and Icertis among other firms, to “capture massive network effects as the platform continues to scale.”

Expel lands $50M Series D as security operations increase in importance

Even in these trying economic times, there are some services that companies can’t do without. Having good security tools is one of them. Expel, a four-year-old startup that offers security operations as a service, announced a $50 million Series D financing today.

CapitalG led the round with participation from existing investors Battery Ventures, Greycroft, Index Ventures, Paladin Capital Group and Scale Venture Partners. The company has now raised almost $117 million, according to PitchBook data.

It’s never easy finding quality security talent to help protect a large organization. The idea behind Expel is to give customers a set of tools to help use automation to reduce the number of people required to keep an organization safe.

Most companies struggle to find experienced security employees, so it’s using automation to solve a real pain point for them. While co-founder and CEO Dave Merkel says you still need to staff the security operations center, you can do it with fewer people with his platform.

“You may have a 24×7 Security Operations Center, but you don’t need the number of people everybody else does to protect your customers because Workbench does all of the heavy lifting for you. So instead of a SOC with 100 people, maybe you’ve got one with 15 people, and that gives tremendous leverage through this platform, and the platform ensures that you can provide high quality security without having to continually grow headcount,” Merkel explained.

Merkel sees the same economy everyone else does, but he believes that companies will continue to invest in security because they have to.

“Security tends to be a need as opposed to a want in many organizations, and so we still do see business happening. We will be using some of the money to continue to invest smartly in sales and marketing, but we’ll just need to be deliberate to make sure that we’re picking the right things that are still effective right now,” he said.

One thing that’s remarkable about this round is that Expel didn’t go looking for this new money. In fact, CapitalG came knocking, according to CapitalG general partner Gene Frantz.

“We sought out Expel, first and foremost. It wasn’t that Expel sought out to raise money and they called a bunch of people. We called them, and that was in response to a bunch of thematic work that we continually do in the security space,” Frantz told TechCrunch.

That work involved three main areas, where Expel happened to check all the boxes. The first was the threat landscape becoming ever more treacherous. The second was information overload from a variety of security products, and finally the dearth of experienced security personnel to deal with the first two problems.

“And so our bet is that this is the company in the space that actually will take on and address these challenges,” Frantz said.

Merkel describes having a company like CapitalG come to him as a humbling experience for him and his co-founders, especially under the current circumstances.

“It’s tremendous validation, but it is also humbling. We’re pretty thankful to be in that position, and we want to make sure that we do the right things to continue to honor the opportunity that we see in front of us.”