Want to survive the downturn? Better build a platform

When you look at the most successful companies in the world, they are almost never just one simple service. Instead, they offer a platform with a range of services and an ability to connect to it to allow external partners and developers to extend the base functionality that the company provides.

Aspiring to be a platform and actually succeeding at building one are not the same. While every startup probably sees themselves as becoming a platform play eventually, the fact is it’s hard to build one. But if you can succeed and your set of services become an integral part of a given business workflow, your company could become bigger and more successful than even the most optimistic founder ever imagined.

Look at the biggest tech companies in the world, from Microsoft to Oracle to Facebook to Google and Amazon. All of them offer a rich complex platform of services. All of them provide a way for third parties to plug in and take advantage of them in some way, even if it’s by using the company’s sheer popularity to advertise.

Michael A. Cusumano, David B. Yoffie and Annabelle Gawer, authors of the book The Business of Platforms, recently wrote an article in MIT Sloan Review on The Future of Platforms, arguing that simply becoming a platform doesn’t guarantee success for a startup.

“Because, like all companies, platforms must ultimately perform better than their competitors. In addition, to survive long-term, platforms must also be politically and socially viable, or they risk being crushed by government regulation or social opposition, as well as potentially massive debt obligations,” they wrote.

In other words, it’s not cheap or easy to build a successful platform, but the rewards are vast. As Cusumano, Yoffie and Gawer point out, their studies have found that “…Platform companies achieved their sales with half the number of employees [of successful non-platform companies]. Moreover, platform companies were twice as profitable, were growing twice as fast, and were more than twice as valuable as their conventional counterparts.”

From an enterprise perspective, look at a company like Salesforce. The company learned long ago that it couldn’t possibly build every permutation of customer requirements with a relatively small team of engineers (especially early on), so it started to build hooks into the platform it had built to allow customers and consultants to customize it to meet the needs of individual organizations.

Eventually Salesforce built APIs, then it built a whole set of development tools, and built a marketplace to share these add-ons. Some startups like FinancialForce, Vlocity and Veeva have built whole companies on top of Salesforce.

Rory O’Driscoll, a partner at Scale Venture Partners, speaking at a venture capitalist panel at BoxWorks in 2014, said that many startups aspire to be platforms, but it’s harder than it looks. “You don’t make a platform. Third-party developers only engage when you achieve a critical mass of users. You have to do something else and then become a platform. You don’t come fully formed as a platform,” he said at the time.

If you’re wondering how you could possibly start a company like that in the middle of a massive economic crisis, consider that Microsoft launched in 1975 in the middle of a recession. Google and Salesforce both launched in the late 1990s, just ahead of the dot-com crash, and Facebook launched in 2004, four years before the massive downturn in 2008. All went on to become tremendously successful companies.

That success often requires massive spending and sales and marketing burn, but when it works, the rewards are enormous. Just don’t expect that it’s an easy path to success.

Zoom will enable waiting rooms by default to stop Zoombombing

Zoom is making some drastic changes to prevent rampant abuse as trolls attack publicly shared video calls. Starting April 5th, it will require passwords to enter calls via Meeting ID, as these may be guessed or reused. Meanwhile, it will change virtual waiting rooms to be on by default so hosts have to manually admit attendees.

The changes could prevent “Zoombombing,” a term I coined two weeks ago to describe malicious actors entering Zoom calls and disrupting them by screensharing offensive imagery. New Zoombombing tactics have since emerged, like spamming the chat thread with terrible GIFs, using virtual backgrounds to spread hateful messages or just screaming profanities and slurs. Anonymous forums have now become breeding grounds for organized trolling efforts to raid calls.

Just imagine the most frightened look on all these people’s faces. That’s what happened when Zoombombers attacked the call.

The FBI has issued a warning about the Zoombombing problem after children’s online classes, Alcoholics Anonymous meetings and private business calls were invaded by trolls. Security researchers have revealed many ways that attackers can infiltrate a call.

The problems stem from Zoom being designed for trusted enterprise use cases rather than cocktail hours, yoga classes, roundtable discussions and classes. But with Zoom struggling to scale its infrastructure as its daily user count has shot up from 10 million to 200 million over the past month due to coronavirus shelter-in-place orders, it’s found itself caught off guard.

Zoom CEO Eric Yuan apologized for the security failures this week and vowed changes. But at the time, the company merely said it would default to making screensharing host-only and keeping waiting rooms on for its K-12 education users. Clearly it determined that wasn’t sufficient, so now waiting rooms are on by default for everyone.

Zoom communicated the changes to users via an email sent this afternoon that explains “we’ve chosen to enable passwords on your meetings and turn on Waiting Rooms by default as additional security enhancements to protect your privacy.”

The company also explained that “For meetings scheduled moving forward, the meeting password can be found in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting join URL.” Some other precautions users can take include disabling file transfer, screensharing or rejoining by removed attendees.

NEW YORK, NY – APRIL 18: Zoom founder Eric Yuan reacts at the Nasdaq opening bell ceremony on April 18, 2019 in New York City. The video-conferencing software company announced its IPO priced at $36 per share, at an estimated value of $9.2 billion. (Photo by Kena Betancur/Getty Images)

The shift could cause some hassle for users. Hosts will be distracted by having to approve attendees out of the waiting room while they’re trying to lead calls. Zoom recommends users resend invites with passwords attached for Meeting ID-based calls scheduled for after April 5th. Scrambling to find passwords could make people late to calls.

But that’s a reasonable price to pay to keep people from being scarred by Zoombombing attacks. The rash of trolling threatened to sour many people’s early experiences with the video chat platform just as it’s been having its breakout moment. A single call marred by disturbing pornography can leave a stronger impression than 100 peaceful ones with friends and colleagues. The old settings made sense when it was merely an enterprise product, but it needed to embrace its own change of identity as it becomes a fundamental utility for everyone.

Technologists will need to grow better at anticipating worst-case scenarios as their products go mainstream and are adapted to new use cases. Assuming everyone will have the best intentions ignores the reality of human nature. There’s always someone looking to generate a profit, score power or cause chaos from even the smallest opportunity. Building development teams that include skeptics and realists, rather than just visionary idealists, could help ensure products get safeguarded from abuse before rather than after a scandal occurs.

For the First Time Ever, Cybersecurity Workers are Hailed as “Essential”

The Coronavirus outbreak has left authorities with no choice but to limit personal movement to slow down the spread of the disease. Many countries have shut down all non-essential workplaces and businesses, forcing their employees to work from home. But in order to keep the country running, some services have been deemed essential, and the staff providing those services are exempt from the state order to stay home.

In the US, the Cybersecurity and Infrastructure Security Agency (CISA) released Guidance on the Essential Critical Infrastructure Workforce.

CISA developed a list of “Essential Critical Infrastructure Workers” to help State and local officials as they work to protect their communities, while ensuring continuity of functions critical to public health and safety, as well as business continuity and national security.

CISA defines an essential worker as: “workers who conduct a range of operations and services that are essential to continued critical infrastructure viability, including staffing operations centers, maintaining and repairing critical infrastructure, operating call centers, working construction, and performing management functions, among others”.

The logic behind this is clear: for these critical sectors to continue operating, they need to be secured. If hospitals suffer from cyber attacks – as they frequently do – the effectiveness of all the medical and supporting staff (also considered essential) is greatly reduced.

Here are the main industries identified by CISA and the associated cybersecurity roles highlighted as “essential”.

Healthcare

    Workers performing cybersecurity functions at healthcare and public health facilities who cannot practically work remotely.
    Workers performing security, incident management, and emergency operations functions at or on behalf of healthcare entities including healthcare coalitions, who cannot practically work remotely.

Energy

    Petroleum security operations center employees and workers who support emergency response services.
    Natural gas security operations center operators.
    IT and OT technology staff – for EMS (Energy Management Systems) and Supervisory Control and Data Acquisition (SCADA) systems, and utility data centers; Cybersecurity engineers; Cybersecurity risk management.

Information Technology

    Workers who support command centers including, but not limited to, Network Operations Command Center, Broadcast Operations Control Center and Security Operations Command Center.
    Workers responding to cyber incidents involving critical infrastructure, including medical facilities, SLTT governments and federal facilities, energy and utilities, and banks and financial institutions, and other critical infrastructure categories and personnel.
    Data center operators, including system administrators, HVAC & electrical engineers, security personnel, IT managers, data transfer solutions engineers, software and hardware engineers, and database administrators.

Communications

    Customer service and support staff, including managed and professional services as well as remote providers of support to transitioning employees to set up and maintain home offices, who interface with customers to manage or support service environments and security issues, including payroll, billing, fraud, and troubleshooting.

Financial Services

    Workers who support financial operations, such as those staffing data and security operations centers.


Adoption of CISA’s Recommendations

Some states were quick to follow CISA’s recommendations. In California, many businesses, jobs and operations were exempt from the governor’s order to stay home to prevent the spread of the coronavirus. Governor Newsom’s action orders “all individuals living in the state of California to stay home or at their place of residence, except as needed to maintain continuity of operation of the federal critical infrastructure sectors”. Among these are cybersecurity professionals who work in critical infrastructure, as stipulated in the CISA guidance.

Looking Ahead

The CISA guidance focuses on two cyber “roles”: SOC operators and incident responders, mostly working in on-prem settings where no remote connection is possible or feasible. In the future, we think this should be extended to include MSSPs, who themselves secure thousands of small and medium businesses. MSSPs do this with a small number of operators, so the risks of mass infection due to their continued operation are small, and the security benefits are great. This is one case where decision makers should look at the “Infection vs. Protection” ratio, weighing the likelihood of infection (for example, people working in a crowded environment) against the level of protection these individuals provide to society in general.

We can hope that this crisis will help elevate the status of cybersecurity professionals among the general public, perhaps even to the same status as firefighters, police and emergency service providers.

We owe it to them.


Collibra nabs another $112.5M at a $2.3B valuation for its big data management platform

GDPR and other data protection and privacy regulations — as well as a significant (and growing) number of data breaches and exposés of companies’ privacy policies — have put a spotlight on not just the vast troves of data that businesses and other organizations hold on us, but also how they handle it. Today, one of the companies helping them cope with that data in a better and legal way is announcing a huge round of funding to continue that work. Collibra, which provides tools to manage, warehouse, store and analyse data troves, is today announcing that it has raised $112.5 million in funding, at a post-money valuation of $2.3 billion.

The funding — a Series F, from the looks of it — represents a big bump for the startup, which last year raised $100 million at a valuation of just over $1 billion. This latest round was co-led by ICONIQ Capital, Index Ventures, and Durable Capital Partners LP, with previous investors CapitalG (Google’s growth fund), Battery Ventures, and Dawn Capital also participating.

Collibra was originally a spin-out from Vrije Universiteit in Brussels, Belgium and today it works with some 450 enterprises and other large organizations. Customers include Adobe, Verizon (which owns TechCrunch), insurers AXA and a number of healthcare providers. Its products cover a range of services focused around company data, including tools to help customers comply with local data protection policies and store it securely, and tools (and plug-ins) to run analytics and more.

These are all features and products that have long had a place in enterprise big data IT, but they have become increasingly more used and in-demand both as data policies have expanded, as security has become more of an issue, and as the prospects of what can be discovered through big data analytics have become more advanced.

With that growth, many companies have realised that they are not in a position to use and store their data in the best possible way, and that is where companies like Collibra step in.

“Most large organizations are in data chaos,” Felix Van de Maele, co-founder and CEO, previously told us. “We help them understand what data they have, where they store it and [understand] whether they are allowed to use it.”

As you would expect with a big IT trend, Collibra is not the only company chasing this opportunity. Competitors include Informatica, IBM, Talend, and Egnyte, among a number of others, but the market position of Collibra, and its advanced technology, is what has continued to impress investors.

“Durable Capital Partners invests in innovative companies that have significant potential to shape growing industries and build larger companies,” said Henry Ellenbogen, founder and chief investment officer for Durable Capital Partners LP, in a statement (Ellenbogen is formerly an investment manager at T. Rowe Price, and this is his first investment in Collibra under Durable). “We believe Collibra is a leader in the Data Intelligence category, a space that could have a tremendous impact on global business operations and a space that we expect will continue to grow as data becomes an increasingly critical asset.”

“We have a high degree of conviction in Collibra and the importance of the company’s mission to help organizations benefit from their data,” added Matt Jacobson, general partner at ICONIQ Capital and Collibra board member, in his own statement. “There is an increasing urgency for enterprises to harness their data for strategic business decisions. Collibra empowers organizations to use their data to make critical business decisions, especially in uncertain business environments.”

Zoom freezes feature development to fix security and privacy issues

Zoom has been widely criticized over the past couple of weeks for terrible security, a poorly designed screensharing feature, misleading dark patterns, fake end-to-end-encryption claims and an incomplete privacy policy. Despite that, the video conferencing service has attracted a ton of new users thanks to the coronavirus lockdowns around the world — the company reached 200 million daily active users last month.

Zoom, an enterprise product designed for boring corporate meetings, has become a mainstream product with all the risks that it involves.

That’s why the company’s CEO Eric S. Yuan has written a lengthy blog post to address some of the concerns around Zoom. He starts by sharing some metrics. Zoom has been used by 90,000 schools in around 20 countries. Daily meeting participants jumped from 10 million in December to 200 million in March.

But some companies are starting to reconsider using Zoom for video conferences. For instance, SpaceX, Elon Musk’s rocket company, has banned its employees from using the service.

For the next 90 days, Zoom is enacting a feature freeze, which means that the company isn’t going to ship any new feature until it is done fixing the current feature set. Zoom will also work with third-party experts and prepare a transparency report.

“For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus,” Yuan writes. “However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”

As expected, Yuan says that mainstream adoption has led to unforeseen issues. “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” he writes.

In addition to keeping up with the massive influx of customer support requests, Zoom has already shipped a few updates to solve some issues. The company released a new version of its iOS app to remove Facebook’s SDK as the company’s privacy policy never said that you consent to sharing data with Facebook. The company updated its privacy policy as well.

Zoom removed the attendee attention tracker feature, a controversial feature that lets hosts see if the Zoom window is currently in focus. The company has also shipped security updates after Patrick Wardle uncovered vulnerabilities.

Zoom wrote a dedicated K-12 privacy policy and changed some default settings for schools (waiting rooms are on by default, only teachers can share content, etc.).

The company is far from done. Don’t forget that it claimed that calls are end-to-end encrypted even though they’re not at all. More importantly, the fact that Zoom is fixing issues as quickly as it can isn’t enough. Something is wrong at Zoom — there’s a corporate culture issue that leads to all those missteps. It’ll take much longer than 90 days.

CIOs are dead tired of dumb tech. Pulse has $6.5M to help them help each other

The technology that runs our companies these days is staggering in its complexity. We have moved from a monolith to a microservices world, from boxes to SaaS, and while that has added agility to the enterprise, it has come at the cost of a metric f-ton of services and software platforms required by every team in the building.

CIOs need a place to commiserate and get better recommendations on what tech works well and what should be placed in the proverbial recycle bin. Meanwhile, salespeople and investors want to hear these decision-makers’ views on emerging products to identify rich veins to invest in.

At the core of Pulse is a community of vetted CIOs and other tech procurers, currently numbering more than 15,000. On top of this core group of users, Pulse has built a series of products to help exploit their collective wisdom, including several new products the company is announcing today.

In addition to new product launches, the company is announcing a $6.5 million Series A round from AV8 Ventures, which is exclusively backed by mega-insurer Allianz Group and launched last year with a debut $170 million fund. This round closed in December according to the company and brings the startup’s total funding to $10.5 million.

Pulse’s existing product offerings assist product marketers and investment researchers who want to get a “pulse” on the marketplace for tech products by polling CIOs and testing out language around new features and initiatives.

“As an example, Microsoft will come to us and say, ‘Hey, we want to test our messaging and positioning before we sort of blow it up as a campaign. We’d like to do that very quickly through your community.’ And then we facilitate that through a series of questions through surveys and get back the insights to them very quickly,” co-founder and CEO Mayank Mehta explained.

“We think about this as truly becoming a Bloomberg terminal for marketers and investors,” he said. Researchers “can use this as a great way to get a real-time pulse on their buyers and understand how the market is moving, so they can make appropriate investments and ship strategies in real time.”

He said that the company worked with 50 customers last year and delivered some 150 reports. As for the CIOs themselves, “The community is open so long as you are a director level or above,” Mehta said.

In addition to this product for investors and market researchers, the company is also announcing the launch of Product IQ today, which takes the needs of a particular CIO user into account to offer them “personalized” product recommendations for their companies. Those recommendations are surfaced from the continuous data that CIOs are adding into the system through polls and opinion surveys.

“We’re trying to imagine and rethink how decision-making is done for technology executives, especially in a world like this where teams are changing so dramatically,” Mehta said.

Crowdsourced research platforms in the tech industry have become a popular area for VC investment in recent years. StackShare, which raised $5.2 million from e.Ventures, has focused on helping engineers learn from other engineers about the tech they have chosen for their infrastructure. Meanwhile, startups like Wonder and NewtonX, which raised $12 million from Two Sigma Ventures, have focused less on technical solutions and instead answer business questions such as market sizing or competitive landscape.

Pulse was founded in 2017 and is based in San Francisco, and previously raised a seed from True Ventures, according to Crunchbase.

‘War Dialing’ Tool Exposes Zoom’s Password Problems

As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom. But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a crazy number of meetings at major corporations are not being protected by a password.

zWarDial, an automated tool for finding non-password protected Zoom meetings. According to its makers, zWarDial can find on average 110 meetings per hour, and has a success rate of around 14 percent.

Each Zoom conference call is assigned a Meeting ID that consists of 9 to 11 digits. Naturally, hackers have figured out they can simply guess or automate the guessing of random IDs within that space of digits.

Security experts at Check Point Research did exactly that last summer, and found they were able to predict approximately four percent of randomly generated Meeting IDs. The Check Point researchers said enabling passwords on each meeting was the only thing that prevented them from randomly finding a meeting.

Zoom responded by saying it was enabling passwords by default in all future scheduled meetings. Zoom also said it would block repeated attempts to scan for meeting IDs, and that it would no longer automatically indicate if a meeting ID was valid or invalid.

Nevertheless, the incidence of Zoombombing has skyrocketed over the past few weeks, even prompting an alert by the FBI on how to secure meetings against eavesdroppers and mischief-makers. This suggests that many Zoom users have disabled passwords by default and/or that Zoom’s new security feature simply isn’t working as intended for all users.

New data and acknowledgments by Zoom itself suggest the latter may be more likely.

Earlier this week, KrebsOnSecurity heard from Trent Lo, a security professional and co-founder of SecKC, Kansas City’s longest-running monthly security meetup. Lo and fellow SecKC members recently created zWarDial, which borrows part of its name from the old phone-based war dialing programs that called random or sequential numbers in a given telephone number prefix to search for computer modems.

Lo said zWarDial evades Zoom’s attempts to block automated meeting scans by routing the searches through multiple proxies in Tor, a free and open-source software that lets users browse the Web anonymously.

“Zoom recently said they fixed this but I’m using a totally different URL and passing a cookie along with that URL,” Lo said, describing part of how the tool works on the back end. “This gives me the [Zoom meeting] room information without having to log in.”

Lo said a single instance of zWarDial can find approximately 100 meetings per hour, but that multiple instances of the tool running in parallel could probably discover most of the open Zoom meetings on any given day. Each instance, he said, has a success rate of approximately 14 percent, meaning for each random meeting number it tries, the program has a 14 percent chance of finding an open meeting.

Only meetings that are protected by a password are undetectable by zWarDial, Lo said.

“Having a password enabled on the meeting is the only thing that defeats it,” he said.

Lo shared the output of one day’s worth of zWarDial scanning, which revealed information about nearly 2,400 upcoming or recurring Zoom meetings. That information included the link needed to join each meeting; the date and time of the meeting; the name of the meeting organizer; and any information supplied by the meeting organizer about the topic of the meeting.

The results were staggering, and revealed details about Zoom meetings scheduled by some of the world’s largest companies, including major banks, international consulting firms, ride-hailing services, government contractors, and investment ratings firms.

KrebsOnSecurity is not naming the companies involved, but was able to verify dozens of them by matching the name of the meeting organizer with corporate profiles on LinkedIn.

By far the largest group of companies exposing their Zoom meetings are in the technology sector, and include a number of security and cloud technology vendors. These include at least one tech company that’s taken to social media warning people about the need to password protect Zoom meetings!

The distribution of Zoom meetings found by zWarDial, indexed by industry. As depicted above, zWarDial found roughly 2,400 exposed meetings in less than 24 hours. Image: SecKC.

A GREMLIN IN THE DEFAULTS?

Given the preponderance of Zoom meetings exposed by security and technology companies that ostensibly should know better, KrebsOnSecurity asked Zoom whether its approach of adding passwords by default to all new meetings was actually working as intended.

In reply, Zoom said it was investigating the possibility that its password-by-default approach may fail under certain circumstances.

“Zoom strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join,” the company said in a written statement shared with this author.

“Passwords for new meetings have been enabled by default since late last year, unless account owners or admins opted out,” the statement continues. “We are looking into unique edge cases to determine whether, under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made.”

The acknowledgment comes amid a series of security and privacy stumbles for Zoom, which has seen its user base grow exponentially in recent weeks. Zoom founder and chief executive Eric Yuan said in a recent blog post that the maximum number of daily meeting participants — both paid and free — has grown from around 10 million in December to 200 million in March.

That rapid growth has also brought additional scrutiny from security and privacy experts, who’ve found plenty of real and potential problems with the service of late. TechCrunch’s Zack Whittaker has a fairly comprehensive breakdown of them here; not included in that list is a story he broke earlier this week on a pair of zero-day vulnerabilities in Zoom that were publicly detailed by a former NSA expert.

Zoom CEO Yuan acknowledged that his company has struggled to keep up with steeply growing demand for its service and with the additional scrutiny that comes with it, saying in a blog post that for the next 90 days all new feature development was being frozen so the company’s engineers could focus on security issues.

Dave Kennedy, a security expert and founder of the security consultancy TrustedSec, penned a lengthy thread on Twitter saying while Zoom certainly has had its share of security and privacy goofs, some in the security community are unnecessarily exacerbating an already tough situation for Zoom and the tens of millions of users who rely on it for day-to-day meetings.

“What we have here is a company that is relatively easy to use for the masses (comes with its challenges on personal meeting IDs) and is relatively secure,” Kennedy wrote. “Yet the industry is making it out to be ‘this is malware’ and you can’t use this. This is extreme. We need to look at the risk specific applications pose and help voice a message of how people can leverage technology and be safe. Dropping zero-days to the media hurts our credibility, sensationalizes fear, and hurts others.”

“If there are ways for a company to improve, we should notify them and if they don’t fix their issues, we should call them out,” he continued. “We should not be putting fear into everyone, and leveraging the media as a method to create that fear.”

Zoom’s advice on securing meetings is here. SecKC’s Lo said organizations using Zoom should avoid posting the Zoom meeting links on social media, and always require a meeting password when possible.

“This should be enabled by default as a new customer or a trial user,” he said. “Legacy organizations will need to check their administration settings to make sure this is enabled. You can also enable ‘Embed password in meeting link for one-click join.’ This prevents an actor from accessing your meeting without losing the usability of sharing a link to join.”

In addition, Zoom users can disable “Allow participants to join the meeting before the host arrives.”

“If you have to have this feature enabled, at least enable ‘notify host when participants join the meeting before them,’” Lo advised. “This will notify you that someone might be using your meeting without your knowledge. If you must keep your meeting unprotected you should enable ‘Mask phone number in the participant list.’ Using the waiting list feature will prevent unwanted participants from accessing your meeting but it will still expose your meeting details if used without a password.”

Some of the security settings available to Zoom users. These and others can be found at https://www.zoom.us/profile/settings/

Is SearchMine Adware Teeing Up Your Endpoints For Other Threat Actors?

Notorious macOS adware nuisance SearchMine had a small but interesting update recently as it continues to plague macOS users with browser hijacking, search redirections and system slowdowns. The name SearchMine refers to a particular browser hijacker, but it rarely travels alone and is typically found installed alongside a bundle of other potentially unwanted applications, adware offerings, bundle installers, and sketchy ‘cleaner’ or fake AV software like Advanced Mac Cleaner and Mac Cleanup Pro. 

As SearchMine has been around for quite some time, even legacy security software will detect some versions of SearchMine and other elements of its family that go by various names such as ‘Bundlore‘, ‘Crossrider’ and ‘Bnodlero’. However, the developers behind this nuisance, which saps resources and harms user productivity, are always looking for new ways to persist, reinfect and escape detection. In this post, we discuss a recent change to SearchMine and describe how the adware collects and uploads detailed device information to its own servers even though it appears to have little use for that data itself.

What is SearchMine Adware?

SearchMine is part of a larger family of adware that is propagated with brand names like ‘MyCouponSmart‘, ‘MyMacUpdater’, ‘MMInstall’ and many others. The main aim of the SearchMine component is to redirect the user’s search traffic to its own landing page at www[.]searchmine[.]net. The adware primarily looks to infect Safari and Chrome browsers, but Firefox has also been targeted in some infections. 

What makes SearchMine particularly concerning for enterprise security is not just the nuisance value to staff and the drain on resources and productivity but also the fact that the adware collects and exfiltrates a lot of information about the host machine. This includes a unique machine ID, versions of the OS and browsers, a list of installed applications, global LaunchAgents and LaunchDaemons and, interestingly, the installed version of Apple’s MRT.app (Malware Removal Tool.app).

Although in our test machine (shown below) this amounted to very little as we use only a barebones VM, on an enterprise device this is likely to contain a lot more interesting data. A list of installed apps, agents and daemons is valuable intel to threat actors as it indicates both possibilities for exploiting vulnerable software and whether a machine contains security software that could catch malware. Exactly why these particular adware developers are interested in collecting and exporting this information isn’t known, but at least one reason might be to sell it on to other threat actors in DarkNet forums or other digital marketplaces.

image of script showing how adware scrapes device data and exports it to their own servers

Other reasons to be concerned about this adware pest from a security perspective include the fact that it also requests elevated privileges on installation, and then modifies the sudoers file to allow the current user to run as root without further password challenges. When people argue over whether adware is really malware, we find that behaviours such as this blur the line to the point where, at least from the enterprise point of view, the distinction really doesn’t matter.

image of how a malicious script manipulates the sudoers file on macOS

UpToDateMac – SearchMine’s Latest Update Mechanism

As with most commodity adware and malware, SearchMine leverages multiple LaunchAgents and LaunchDaemons for persistence. It will also typically install user-level Profiles to lock down Chrome and Safari preferences so that regardless of what the user sets in the browser for things like home page and preferred search engine, these will be overridden by the global Managed Preferences determined by the installed Profile’s .mobileconfig file.

One of SearchMine’s user LaunchAgents typically has the following program arguments, where User1 is the current user’s shortname.

image of malicious launch agent's program arguments on macOS

Note that the executable being pointed to, MyMacUpToDate in this case, is in the non-standard location of ~/Applications rather than /Applications. The base64 decodes as follows.

image of malicious base64 decoded

In a recent incident, we noticed both this file and a newer, second LaunchAgent that took the following form:

image showing launch agent program arguments in new variant of SearchMine adware

Again, note the non-standard Applications folder location, but also the -E flag for sudo. This flag indicates that the program should be launched while preserving the user’s existing environment variables, which itself suggests the executable is likely a shell script — something that is becoming increasingly favored by macOS threat actors — rather than an application or Mach-O executable.

On further investigation, it turns out that UpToDateMac is indeed a shell script that makes heavy use of environment variables and has a few other interesting features worth noting.

Digging Deeper into the UpToDateMac Shell Script

Although a copy of the shell script was blocked and deleted on the user’s machine before it could execute, a quick search on VirusTotal returned us a copy that had been uploaded in early February.

4ab52dd99ecf269cf74ff9334dec015ad0184659ba848fd762dabc650e00a575

image of malicious adware script UpToDateMac being detected on VirusTotal

One of the first interesting features we noticed about the script was that it includes a kill mechanism.

image of how adware script checks for existence of a touch file before running

The script aborts its malicious behavior if it finds a 0-byte file in ~/Library/Application Support/ with the filename .upd2006. If the file doesn’t exist, the script writes the file with touch and continues with its execution. 

The script then creates an MD5 hash from the Mac’s serial number and collects the version numbers of Safari and Chrome browsers.

image showing how the adware script collects browser version data

Making good use of LOLBins (Living off the Land binaries) the script then downloads a Profile template via curl, modifies it with the sed stream text editing utility, and installs it with the native profiles command. As mentioned earlier, this serves to lock down the user’s browsers so that they cannot change the home page and other preferences from within the browser.

image showing how the adware script downloads a template mobile config file and populates it with data to lock down the user's browser preferences

Among other operations aimed at updating the installation, the script goes on to gather the list of applications on the user’s machine, the list of Profiles, LaunchAgents, LaunchDaemons and the MRT version. The whole bunch is then concatenated and uploaded in JSON format to the mmp[.]myshopcouponmac[.]com domain.

image showing how the adware script gathers version data on Apple's built-in Malware Removal Tool

Although the domain was apparently registered in 2018, there are unsurprisingly few details about it. It runs on an old and (ironically) vulnerable version of nginx on an Ubuntu server.

image of DNSDumpster showing minimal info for the attackers server

Perhaps equally unsurprising, however, is the fact that the domain has been queried a couple of dozen times in the last few months on VirusTotal.

image of submissions on Virus Total about the threat actors ip address

Conclusion

In this post, we’ve taken a quick look at a recent update to one of the Mac’s most prevalent browser hijackers, SearchMine, and its related adware family MyShopcoupon and friends. The key takeaway here for enterprise security is to be aware that these actors are not just annoying your users and impacting their productivity, they are also gathering detailed information about devices on your network, their installed applications and legitimate persistence mechanisms in the form of LaunchAgents and LaunchDaemons. 

Since such information is beyond the first-order need of simply making money from browser redirections, it seems the actors may be building a data lake out of such information, presumably with intent to monetize that further down the road. Although at a research level there is some utility in distinguishing between ‘malware’ and ‘adware’, at the endpoint level, they both represent a compromise to your organization’s integrity.

The key to preventing device data ending up in criminals’ hands is to prevent such malicious software from executing on your endpoints to begin with. If you would like to see how the SentinelOne platform can protect your organization from adware, malware and other threats, contact us today or request a free demo.

SAMPLE

SHA 256: 4ab52dd99ecf269cf74ff9334dec015ad0184659ba848fd762dabc650e00a575

INDICATORS OF COMPROMISE

~/Library/Application Support/.upd2006
~/Library/LaunchAgents/com.MyMacUpToDate.agent
~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
~/Applications/MyMacUpToDate
~/Applications/UpToDateMac/UpToDateMac

URLs

mmp[.]myshopcouponmac[.]com
request[.]mymacuptodate[.]com/macCheckForUpdates
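The following is an added example and not SentinelOne’s code: a read-only hunt script, in POSIX sh, for the host-side indicators this post describes, namely the ~/Library/Application Support/.upd2006 touch file, the ~/Applications executables and LaunchAgent labels from the list above, a user LaunchAgent that launches its program through sudo -E from a per-user Applications folder, and an uncommented NOPASSWD grant in sudoers. It assumes LaunchAgent plists are in XML form (on macOS, binary plists need plutil -convert xml1 first), that sudoers is readable (run the real scan as root), and the fixture its demo mode builds is entirely constructed to match the post’s description rather than taken from the sample.

```shell
#!/bin/sh
# Added example, not SentinelOne's code: read-only hunt for the SearchMine /
# UpToDateMac indicators described in the post. The "demo" mode builds a
# constructed fixture so it also runs offline on any POSIX shell.

FINDINGS=0
report() { FINDINGS=$((FINDINGS + 1)); echo "$1"; }

# All <string> values of an XML plist, one per line (ProgramArguments and Label).
# Assumption: XML plists; convert binary ones with `plutil -convert xml1` first.
plist_strings() { grep -o '<string>[^<]*</string>' "$1" | sed 's/<[^>]*>//g' || true; }

check_launch_agents() {
  la_dir="$1/Library/LaunchAgents"
  [ -d "$la_dir" ] || return 0
  for plist in "$la_dir"/*.plist; do
    [ -f "$plist" ] || continue
    args=$(plist_strings "$plist")
    # sudo -E from a user LaunchAgent: runs as root with the user's environment kept
    if printf '%s\n' "$args" | grep -qx 'sudo' && printf '%s\n' "$args" | grep -qx -e '-E'; then
      report "LAUNCHAGENT sudo -E in $plist"
    fi
    # executable under a per-user Applications folder instead of /Applications
    if printf '%s\n' "$args" | grep -qE '^(/Users/[^/]+|~)/Applications/'; then
      report "LAUNCHAGENT non-standard ~/Applications target in $plist"
    fi
    # labels taken from the post's indicator list
    if grep -qE 'com\.(uptodatemac\.upd|MyMacUpToDate)\.agent' "$plist"; then
      report "LAUNCHAGENT known SearchMine label in $plist"
    fi
  done
}

check_sudoers() {
  f="$1"
  if [ ! -r "$f" ]; then echo "NOTE cannot read $f (run as root to check it)"; return 0; fi
  # Any uncommented NOPASSWD grant deserves review; the post describes the adware
  # adding one so the current user can run as root without a password prompt.
  while IFS= read -r line; do
    if [ -n "$line" ]; then report "SUDOERS NOPASSWD grant at $f:$line"; fi
  done <<EOF
$(grep -nE '^[^#]*NOPASSWD' "$f" || true)
EOF
  return 0
}

# scan_home HOME [SUDOERS]: prints findings, returns 0 when clean, 1 otherwise.
scan_home() {
  home="$1"; sudoers="${2:-/etc/sudoers}"
  FINDINGS=0
  marker="$home/Library/Application Support/.upd2006"
  if [ -e "$marker" ]; then report "MARKER kill-switch touch file present: $marker"; fi
  for p in "$home/Applications/MyMacUpToDate" "$home/Applications/UpToDateMac/UpToDateMac"; do
    if [ -e "$p" ]; then report "FILE known adware path: $p"; fi
  done
  check_launch_agents "$home"
  check_sudoers "$sudoers"
  echo "TOTAL findings: $FINDINGS"
  [ "$FINDINGS" -eq 0 ]
}

# Constructed fixture mimicking an infected home directory. Every value here is
# made up to match the post's description; nothing is copied from the sample.
make_fixture() {
  fx="$1"
  mkdir -p "$fx/Library/Application Support" "$fx/Library/LaunchAgents" "$fx/Applications/UpToDateMac"
  : > "$fx/Library/Application Support/.upd2006"
  : > "$fx/Applications/UpToDateMac/UpToDateMac"
  cat > "$fx/Library/LaunchAgents/com.uptodatemac.upd.agent.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.uptodatemac.upd.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>sudo</string>
    <string>-E</string>
    <string>/Users/User1/Applications/UpToDateMac/UpToDateMac</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  printf 'root ALL=(ALL) ALL\n%%admin ALL=(ALL) ALL\nUser1 ALL=(ALL) NOPASSWD: ALL\n' > "$fx/sudoers"
}

case "${1:-}" in
  demo) d=$(mktemp -d); make_fixture "$d"; scan_home "$d" "$d/sudoers"; rc=$?; rm -rf "$d"; exit "$rc" ;;
  scan) scan_home "${2:-$HOME}" "${3:-/etc/sudoers}" ;;
esac
```

Run `sh searchmine_hunt.sh demo` to see the six findings the constructed fixture produces, or `sudo sh searchmine_hunt.sh scan /Users/<name>` to check a real home directory. The NOPASSWD check deliberately reports every uncommented grant, including ones an administrator configured on purpose, so treat its output as a review queue rather than an automatic verdict; the network indicators (the mmp[.]myshopcouponmac[.]com and request[.]mymacuptodate[.]com domains) are better hunted in DNS or proxy logs than on the endpoint.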



Okta launches Lifecycle Management Workflows to make building identity-centric processes easy

Okta, the popular identity and access management service, today used its annual (and now virtual) user conference to launch Lifecycle Management Workflows, a new tool that helps IT teams build and manage IFTTT-like automated processes with the help of an easy-to-use graphical interface.

The new service is an extension of Okta’s existing automation tools. But the key here is that IT teams and developers can now easily build complex identity-centric workflows across a wide range of applications. With this, these teams can easily automate an onboarding process, where setting up a new Okta account also immediately kicks off processes on third-party services like Box, Salesforce, ServiceNow and Slack to set up accounts there. The same goes for offboarding workflows and username creation. A lot of companies still do this manually, which is not just a hassle but also error-prone.

“Adopting more technology is incredibly beneficial for enterprises today, but complexity is a significant side effect of a changing technology ecosystem and workforce. There is no better example of the potential challenges it can create than with lifecycle management,” said Diya Jolly, chief product officer at Okta. “Okta’s vision of enabling any organization to use any technology goes deeper than just access; it’s about improving how organizations use technology. Okta Lifecycle Management Workflows improves the efficiency and security of enterprises through its simple user experience and broad applicability, keeping organizations secure and efficient without requiring the complexity of writing code.”

Okta, of course, had lifecycle management features before, but now it is also putting its acquisition of Azuqua to work and using that company’s graphical interface and technology for making it easier to create these automation processes. And while the focus right now is on processes like provisioning and de-provisioning accounts, the long-term plan is to expand Workflows with support for more identity processes.

As Okta also stresses, administrators can manage very granular access across the supported third-party tools, like assigning territories in Salesforce or access to specific group channels in Slack, for example. For temporary employees, admins can also set up automatic de-provisioning workflows that revoke access to some tools but maybe leave access to payroll services open for a while longer. There are also built-in tools for automatically managing conflicts when two people have the same name.

“Millions of people rely on Slack every day to make their working lives simpler, more pleasant and more productive,” said Tamar Yehoshua, chief product officer at Slack, one of the early adopters of this service. “Okta Lifecycle Management Workflows has significantly increased efficiency for us by automating the provisioning and de-provisioning of users from applications in our environment, without us ever having to write a line of code.”

This new feature is part of Okta’s new Platform Services, which the company also debuted today and which currently consists of core technologies like the Okta Identity Engine, Directories Integrations, Insights, Workflow and Devices. The core idea behind Platform Services is to give Okta users the flexibility to manage their unique identity use cases but also to give Okta itself a platform on which to innovate. One other new product that sits on top of the platform is Okta Fastpass, for example, which allows for passwordless authentication on any device.

A former chaos engineer offers 5 tips for handling online disasters remotely

I recently had a scheduled video conference call with a Fortune 100 company.

Everything on my end was ready to go; my presentation was prepared and well-practiced. I was set to talk to 30 business leaders who were ready to learn more about how they could become more resilient to major outages.

Unfortunately, their side hadn’t set up the proper permissions in Zoom to add new people to a trusted domain, so I wasn’t able to share my slides. We scrambled to find a workaround at the last minute while the assembled VPs and CTOs sat around waiting. I ended up emailing my presentation to their coordinator, calling in from my mobile and verbally indicating to the coordinator when the next slide needed to be brought up. Needless to say, it wasted a lot of time and wasn’t the most effective way to present.

At the end of the meeting, I said pointedly that if there was one thing they should walk away with, it’s that they had a vital need to run an online fire drill with their engineering team as soon as possible. Because if a team is used to working together in an office — with access to tools and proper permissions in place — it can be quite a shock to find out in the middle of a major outage that they can’t respond quickly and adequately. Issues like these can turn a brief outage into one that lasts for hours.

Quick context about me: I carried a pager for a decade at Amazon and Netflix, and what I can tell you is that when either of these services went down, a lot of people were unhappy. There were many nights where I had to spring out of bed at 2 a.m., rub the sleep from my eyes and work with my team to quickly identify the problem. I can also tell you that working remotely makes the entire process more complicated if teams are not accustomed to it.

There are many articles about best practices aimed at a general audience, but engineering teams have specific challenges as the ones responsible for keeping online services up and running. And while leading tech companies already have sophisticated IT teams and operations in place, what about financial institutions and hospitals and other industries where IT is a tool, but not a primary focus? It’s often the small things that can make all the difference when working remotely; things that seem obvious in the moment, but may have been overlooked.

So here are some tips for managing incidents remotely:
