Workplace, Facebook’s service for business teams, is raising its prices for the first time since launch

Three years into its life with 2 million paying users signed up, Workplace — Facebook’s platform for businesses and other organizations to build internal communities and communications — is about to make a significant business shift of its own. Come September 2, Workplace is changing its pricing tiers, how it charges its users and the services that it provides customers.

Up to now, Facebook has taken a very simple approach to how it charges for Workplace, unique not just because of it being a paid service (unlike Facebook itself, which is free), but for how it modeled its pricing on the basic building block of Facebook-the-consumer product: a basic version was free, with an enhanced premium edition costing a flat $3 per active user, per month.

In September, that will change. The standard (basic) tier is getting rebranded as Workplace Essential, and will still be free to use. Meanwhile, the premium tier is being renamed Workplace Advanced and getting charged $4 per person, per month. And Facebook is introducing a new tier, Workplace Enterprise, which will be charged at $8 per person, per month, and will come with a new set of services specifically around guaranteed, quicker support and first-look access at new features. (Those who are already customers have the option of being grandfathered for a year, the company said, before switching to a new plan.)

Those are not the only changes. Two other notable shifts are getting introduced with these new tiers. First, these prices will be for all users, regardless of whether they are active in the month.

And second, they are specifically prices for people who access Workplace as general “knowledge workers” — marked by having email addresses and specific job functions. Frontline workers — for example, cashiers or baristas or others mostly on their feet all day helping customers — will be an add-on at $1.50 per person per month, also regardless of whether they are active or not.

For now, the rest of the features in the different tiers are remaining the same.

The changes at Workplace come amid a number of other developments among workforce collaboration and communication platforms.

First and foremost, Slack has gone public, subjecting it and its ups and downs to a lot more public scrutiny, but also putting it on the map as a business of some standing, helping it make a bigger move into brokering more deals with the larger enterprises that Workplace has been winning over. The latter’s customers include the likes of Walmart, the world’s biggest employer; as well as Nestlé, Vodafone, GSK, Telefonica, AstraZeneca and Delta Airlines, and Facebook says there are more than 150 companies signed up with more than 10,000 employees each.

Teams, meanwhile, has now passed Slack in user numbers, and in a way is a more direct competitor: it has positioned itself (like Workplace) as a tool for both knowledge and frontline workers, helping with actual back-office collaboration, as well as a way to broadcast communications to a wider group of employees.

Julien Codorniou, the VP of Workplace, said the changes in pricing tiers were not a reaction to competition, but rather a reaction to customers. Although the pricing for Workplace was an interesting twist on how enterprises tend to procure IT, it turned out to be too novel by half: most actually like the predictability of paying the same amount for a service upfront, rather than having the pricing change each month depending on usage.

“Today, customers’ bills change every month, for example when a co-worker goes on vacation or whatever,” he said. “It’s a nightmare for the accounting department, who needs to know how much to pay two years out.”

He added that this doesn’t mean you can’t change how much you pay: you could change the pricing each month if necessary.

So far, no one has made the shift to the new tiers, so it will be interesting to see how and if they have much of an impact. I do know that from retail theory, customers in stores are more likely to select a middle-priced product if they are given an option of something cheap and something expensive at either end, and so this could be an interesting way to drive more users to Workplace’s paid tier.

What is more clear is that this is also a way for Facebook to raise its prices for the first time since the service launched, and lays the groundwork for more differentiation between different kinds of offerings.

ContractPodAi scores $55M for its ‘AI-powered’ contract management software

ContractPodAi, a London-based startup that has developed what it describes as AI-powered contract lifecycle management software, is disclosing $55 million in Series B funding. The round is led by U.S.-based Insight Partners, with participation from earlier backer Eagle Investment.

Founded in 2012, ContractPodAi offers an “end-to-end” solution spanning the three main aspects of contract management: contract generation, contract repository, and third-party review. Its AI offering, which uses IBM’s Watson, claims to streamline the contract management process and reduce the burden on corporate in-house legal teams.

“The legal profession has been historically behind the curve in technology adoption and our objective here is to support the digital transformation of legal departments via our contract management platform,” ContractPodAi co-founder and CEO Sarvarth Misra tells TechCrunch.

“Our business focusses on providing in-house counsel of corporations across the world with an easy to use, out of the box and scalable end to end contract management platform at a fixed fee SaaS licence model”.

With regards to ContractPodAi’s target customer, Misra says its solution is industry agnostic but is typically sold to large international businesses, including FTSE 500 and Fortune 2000 corporations. Customers include Bosch Siemens, Braskem, EDF Energy, Total Petroleum, Benjamin Moore and Freeview.

Armed with new capital, ContractPodAi says it plans to “significantly” scale up its product development, sales, and customer success teams globally. The company already has offices in San Francisco, New York, Glasgow and Mumbai, in addition to its London HQ.

Adds Misra: “We believe that market for contract management solutions is fragmented with providers focussing one or two aspects of contract management functionality. ContractPodAi’s objective has been to provide one contract management ecosystem which covers all aspects of contract management functionality… This, along with our fixed, transparent pricing and ability to provide full implementation as part of the annual SaaS, differentiates us from the rest of the providers”.

AlphaSense, a search engine for analysis and business intel, raises $50M led by Innovation Endeavors

Google and its flagship search portal opened the door to the possibilities of how to build a business empire on the back of organising and navigating the world’s information, as found on the internet. Now, a startup that’s built a search engine tailored to the needs of enterprises and their own quests for information has raised a round of funding to see if it can do the same for the B2B world.

AlphaSense, which provides a way for companies to quickly amass market intelligence around specific trends, industries and more to help them make business decisions, has closed a $50 million round of funding, a Series B that it’s planning to use to continue enhancing its product and expanding to more verticals.

Today, the company counts some 1,000 clients on its books, with a heavy emphasis on investment banks and related financial services companies. That’s in part because of how the company got its start: Finnish co-founder and CEO Jaakko (Jack) Kokko had been an analyst at Morgan Stanley in a past life and understood the labor and time pain points of doing market research, and decided to build a platform to help shorten a good part of the information gathering process.

“My experience as an analyst on Wall Street showed me just how fragmented information really was,” he said in an interview, citing as one example how complex sites like those of the FDA are not easy to navigate to look for new information and updates — the kind of thing that a computer would be much more adept at monitoring and flagging. “Even with the best tools and services, it still was really hard to manually get the work done, in part because of market volatility and the many factors that cause it. We can now do that with orders of magnitude more efficiency. Firms can now gather information in minutes that would have taken an hour. AlphaSense does the work of the best single analyst, or even a team of them.”

(Indeed, the “alpha” of AlphaSense appears to be a reference to finance: it’s a term that refers to the ability of a trader or portfolio manager to beat the typical market return.)

The lead investor in this round is very notable and says something about the company’s ambitions. It’s Innovation Endeavors, the VC firm backed by Eric Schmidt, who had been the CEO of none other than Google (the pace-setter and pioneer of the search-as-business model) for a decade, and then stayed on as chairman and ultimately board member of Google and then Alphabet (its later holding company) until just last June.

Schmidt presided over Google at what you could argue was its most important time, gaining speed and scale and transitioning from an academic idea into a full-fledged, huge public business whose flagship product has now entered the lexicon as a verb and (through search and other services like Android and YouTube) is a mainstay of how the vast majority of the world uses the web today. As such he is good at spotting opportunities and gaps in the market, and while enterprise-based needs will never be as prominent as those of mass-market consumers, they can be just as lucrative.

“Information is the currency of business today, but data is overwhelming and fragmented, making it difficult for business professionals to find the right insights to drive key business decisions,” he said in a statement. “We were impressed by the way AlphaSense solves this with its AI and search technology, allowing businesses to proceed with the confidence that they have the right information driving their strategy.”

This brings the total raised by AlphaSense to $90 million, with other investors in this round including Soros Fund Management LLC and other unnamed existing investors. Previous backers had included Tom Glocer (the former Reuters CEO who himself is working on his own fintech startup, a security firm called BlueVoyant), the MassChallenge incubator, Tribeca Venture Partners and others. Kokko said AlphaSense is not disclosing its valuation at this point. (I’m guessing though that it’s definitely on the up.)

There have been others that have worked to try to tackle the idea of providing more targeted, and business focused search portals, from the likes of Wolfram Alpha (another alpha!) through to Lexis Nexis and others like Bloomberg’s terminals, FactSet, Business Quant and many more.

One interesting aspect of AlphaSense is how it’s both focused on pulling in requests as well as set up to push information to its users based on previous search parameters. Currently these are set up to only provide information, but over time, there is a clear opportunity to build services to let the engines take on some of the actions based on that information, such as adjusting asking prices for sales and other transactions.

“There are all kinds of things we could do,” said Kokko. “This is a massive untapped opportunity. But we’re not taking the human out of the loop, ever. Humans are the right ones to be making final decisions, and we’re just about helping them make those faster.”

Meet the World’s Biggest ‘Bulletproof’ Hoster

For at least the past decade, a computer crook variously known as “Yalishanda,” “Downlow” and “Stas_vl” has run one of the most popular “bulletproof” Web hosting services catering to a vast array of phishing sites, cybercrime forums and malware download servers. What follows are a series of clues that point to the likely real-life identity of a Russian man who appears responsible for enabling a ridiculous amount of cybercriminal activity on the Internet today.

KrebsOnSecurity began this research after reading a new academic paper on the challenges involved in dismantling or disrupting bulletproof hosting services, which are so called because they can be depended upon to ignore abuse complaints and subpoenas from law enforcement organizations. We’ll get to that paper in a moment, but for now I mention it because it prompted me to check and see if one of the more infamous bulletproof hosters from a decade ago was still in operation.

Sure enough, I found that Yalishanda was actively advertising on cybercrime forums, and that his infrastructure was being used to host hundreds of dodgy sites. Those include a large number of cybercrime forums and stolen credit card shops, ransomware download sites, Magecart-related infrastructure, and a metric boatload of phishing Web sites mimicking dozens of retailers, banks and various government Web site portals.

I first encountered Yalishanda back in 2010, after writing about “Fizot,” the nickname used by another miscreant who helped customers anonymize their cybercrime traffic by routing it through a global network of Microsoft Windows computers infected with a powerful malware strain called TDSS.

After that Fizot story got picked up internationally, KrebsOnSecurity heard from a source who suggested that Yalishanda and Fizot shared some of the same infrastructure.

In particular, the source pointed to a domain that was live at the time called mo0be-world[.]com, which was registered in 2010 to an Aleksandr Volosovyk at the email address stas_vl@mail.ru. Now, normally cybercriminals are not in the habit of using their real names in domain name registration records, particularly domains that are to be used for illegal or nefarious purposes. But for whatever reason, that is exactly what Mr. Volosovyk appears to have done.

WHO IS YALISHANDA?

The one or two domain names registered to Aleksandr Volosovyk and that mail.ru address state that he resides in Vladivostok, which is a major Pacific port city in Russia that is close to the borders with China and North Korea. The nickname Yalishanda means “Alexander” in Mandarin (亚历山大).

Here’s a snippet from one of Yalishanda’s advertisements to a cybercrime forum in 2011, when he was running a bulletproof service under the domain real-hosting[.]biz:

-Based in Asia and Europe.
-It is allowed to host: ordinary sites, doorway pages, satellites, codecs, adware, tds, warez, pharma, spyware, exploits, zeus, IRC, etc.
-Passive SPAM is allowed (you can spam sites that are hosted by us).
-Web spam is allowed (Hrumer, A-Poster ….)

-Forbidden: Any outgoing Email spam, DP, porn, phishing (exclude phishing email, social networks)

There is a server with instant activation under botnets (zeus) and so on. The prices will pleasantly please you! The price depends on the specific content!!!!

Yalishanda would re-brand and market his pricey bulletproof hosting services under a variety of nicknames and cybercrime forums over the years, including one particularly long-lived abuse-friendly project aptly named abushost[.]ru.

In a talk given at the Black Hat security conference in 2017, researchers from Cisco and cyber intelligence firm Intel 471 labeled Yalishanda as one of the “top tier” bulletproof hosting providers worldwide, noting that in just one 90-day period in 2017 his infrastructure was seen hosting sites tied to some of the most advanced malware contagions at the time, including the Dridex and Zeus banking trojans, as well as a slew of ransomware operations.

“Any of the actors that can afford his services are somewhat more sophisticated than say the bottom feeders that make up the majority of the actors in the underground,” said Jason Passwaters, Intel 471’s chief operating officer. “Bulletproof hosting is probably the biggest enabling service that you find in the underground. If there’s any one group operation or actor that touches more cybercriminals, it’s the bulletproof hosters.”

Passwaters told Black Hat attendees that Intel471 wasn’t convinced Alex was Yalishanda’s real name. I circled back with Intel 471 this week to ask about their ongoing research into this individual, and they confided that they knew at the time Yalishanda was in fact Alexander Volosovyk, but simply didn’t want to state his real name in a public setting.

KrebsOnSecurity uncovered strong evidence to support a similar conclusion. In 2010, this author received a massive data dump from a source that had hacked into or otherwise absconded with more than four years of email records from ChronoPay — at the time a major Russian online payment provider whose CEO and co-founders were the chief subjects of my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime.

Querying those records on Yalishanda’s primary email address — stas_vl@mail.ru — reveals that this individual in 2010 sought payment processing services from ChronoPay for a business he was running which sold counterfeit designer watches.

As part of his application for service, the person using that email address forwarded six documents to ChronoPay managers, including business incorporation and banking records for companies he owned in China, as well as a full scan of his Russian passport.

That passport, pictured below, indicates that Yalishanda’s real name is Alexander Alexandrovich Volosovik. The document shows he was born in Ukraine and is approximately 36 years old.

The passport for Alexander Volosovyk, a.k.a. “Yalishanda,” a major operator of bulletproof hosting services.

According to Intel 471, Yalishanda lived in Beijing prior to establishing a residence in Vladivostok (that passport above was issued by the Russian embassy in Beijing). The company says he moved to St. Petersburg, Russia approximately 18 months ago.

His current bulletproof hosting service is called Media Land LLC. This finding is supported by documents maintained by Rusprofile.ru, which states that an Alexander Volosovik is indeed the director of a St. Petersburg company by the same name.

ARMOR-PIERCING BULLETS?

Bulletproof hosting administrators operating from within Russia probably are not going to get taken down or arrested, provided they remain within that country (or perhaps within the confines of the former republics of the Soviet Union, known as the Commonwealth of Independent States).

That’s doubly so for bulletproof operators who are careful to follow the letter of the law in those regions — i.e., setting up official companies that are required to report semi-regularly on various aspects of their business, as Mr. Volosovik clearly has done.

However, occasionally big-time bulletproof hosters from those CIS countries do get disrupted and/or apprehended. On July 11, law enforcement officials in Ukraine announced they’d conducted 29 searches and detained two individuals in connection with a sprawling bulletproof hosting operation.

The press release from the Ukrainian prosecutor general’s office doesn’t name the individuals arrested, but The Associated Press reports that one of them was Mikhail Rytikov, a man U.S. authorities say was a well-known bulletproof hoster who operated under the nickname “AbdAllah.”

Servers allegedly tied to AbdAllah’s bulletproof hosting network. Image: Gp.gov.ua.

In 2015, the U.S. Justice Department named Rytikov as a key infrastructure provider for two Russian hackers, Vladimir Drinkman and Alexandr Kalinin, in a cybercrime spree the government called the largest known data breach at the time.

According to the Justice Department, Drinkman and his co-defendants were responsible for hacks and digital intrusions against NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

Whether AbdAllah ever really faces justice for his alleged crimes remains to be seen. Ukraine does not extradite citizens, as the U.S. authorities have requested in this case. And we have seen time and again how major cybercriminals get raided and detained by local and federal authorities there, only to quickly re-emerge and resume operations shortly thereafter, while the prosecution against them goes nowhere.

Some examples of this include several Ukrainian men arrested in 2010 and accused of running an international crime and money laundering syndicate that used a custom version of the Zeus trojan to siphon tens of millions of dollars from hacked small businesses in the U.S. and Europe. To my knowledge, none of the Ukrainian men that formed the core of that operation were ever prosecuted, reportedly because they were connected to influential figures in the Ukrainian government and law enforcement.

Intel 471’s Passwaters said something similar happened in December 2016, when authorities in the U.S., U.K. and Europe dismantled Avalanche, a distributed, cloud-hosting network that was rented out as a bulletproof hosting enterprise for countless malware and phishing attacks.

Prior to that takedown, Passwaters said, somehow an individual using the nickname “Sosweet” who was connected to another bulletproof hoster that occurred around the same time as Avalanche got a tip about an impending raid.

“Sosweet was raided in December right before Avalanche was taken down, [and] we know that he was tipped off because of corruption [because] 24 hours later the guy was back in service and has all his stuff back up,” Passwaters said.

The same also appears to be true for several Ukrainian men arrested in 2011 on suspicion of building and disseminating Conficker, a malware strain that infected millions of computers worldwide and prompted an unprecedented global response from the security industry.

So if a majority of bulletproof hosting businesses operate primarily out of countries where the rule of law is not strong and/or where corruption is endemic, is there any hope for disrupting these dodgy businesses?

Here we come full circle to the academic report mentioned briefly at the top of this story: The answer seems to be — like most things related to cybercrime — “maybe,” provided the focus is on attempting to interfere with their ability to profit from such activities.

That paper, titled Platforms in Everything: Analyzing Ground-Truth Data on the Anatomy and Economics of Bulletproof Hosting, was authored by researchers at New York University, Delft University of Technology, King Saud University and the Dutch National High-Tech Crimes Unit. Unfortunately, it has not yet been released publicly, and KrebsOnSecurity does not have permission yet to publish it.

The study examined the day-to-day operations of MaxiDed, a bulletproof hosting operation based in The Netherlands that was dismantled last summer after authorities seized its servers. The paper’s core findings suggest that because profit margins for bulletproof hosting (BPH) operations are generally very thin, even tiny disruptions can quickly push these businesses into the red.

“We demonstrate the BPH landscape to have further shifted from agile resellers towards marketplace platforms with an oversupply of resources originating from hundreds of legitimate upstream hosting providers,” the researchers wrote. “We find the BPH provider to have few choke points in the supply chain amenable to intervention, though profit margins are very slim, so even a marginal increase in operating costs might already have repercussions that render the business unsustainable.”

eCommerce Security: 13 Best Practices to Prevent Threats

Ecommerce retail sales are predicted to account for nearly 14% of global retail sales this year: that’s around $500bn of sales conducted across an estimated 18 million ecommerce sites, worldwide. With such vast amounts of data and money flowing through internet retailers, it’s no surprise that ecommerce platforms like Shopify and Magento have become an attractive target for hackers and cybercriminals. In this post, we review some of the most important ecommerce security issues and suggest best practices for retailers to prevent those threats affecting your online retail payments.

Why are Hackers Attacking Ecommerce Sites?

Ecommerce sites store customer data such as credit card and bank account information, as well as PII (personally identifiable information) data that typically includes at the minimum a home address, email and phone number that can be used for fraud and identity theft. 

In contrast to physical stores, digital retail stores are highly susceptible to fraudulent transactions since fraudsters incur a much lower risk of discovery. Also, the same advantages that make ecommerce attractive to customers make it equally attractive to hackers: access outside of regular business hours and the ability to connect from any location.

As technology becomes more complex, it is also increasingly hard for retailers to ensure they’ve locked down every vulnerability. At the same time, more powerful malware and exploit kits are falling into the hands of cybercriminals, lowering the barrier to entry for those with malicious intent.

How are Hackers Attacking Ecommerce Sites?

Like other businesses, ecommerce sites are vulnerable to the usual infection vectors, but the aim is often very specific: to skim payment details that can then be sold on the dark net. Online skimming can occur without either the customer or provider being aware for many months, perhaps not until the customer notices their payment details being used for unauthorized transactions on a completely different site. Online scams have affected digital payment sites across all sectors, from auto makers like Audi, fashion outlets like Guess, NGOs such as the Washington Cathedral Science Museum and even the Malaysian government. Some of the biggest names in retail like Macy’s, Adidas, and Sears have also fallen victim.

The primary aim of an attack on an ecommerce payment platform is to infect the payment provider’s servers with malware that can scrape live payment data from users as they engage in a transaction. An encoded script like this is likely to go unnoticed by untrained or unaware site admins.

[Image: encoded Magento malware]

A bit of reverse engineering by one researcher shows the script for what it really is, an attempt to scrape the card details and PII from any customer making an online purchase:

[Image: decoded Magento malware]

And it’s not just the “big box” retailers that are targeted. With many small businesses using low-cost or open-source platforms like the Adobe-owned Magento, failing to maintain and patch these platforms can make any business the low-hanging fruit for criminals. 

The Magecart campaign, first seen in 2015 and still going strong, exploits known vulnerabilities in the popular open source Magento platform. In the final quarter of last year, researchers reported that at least 40,000 online stores had fallen victim to Magecart.

Earlier this month, 900 unique infections were detected by security researchers using web bots or crawlers to hunt for malicious Magecart scripts.

The same researchers have pointed out that the number of hacked stores using Magento 2 has been rising rapidly since April 2019, with their detections increasing from 50 in April to 100 in May and to nearly 300 in June.

The most recent security vulnerability in Magento, CVE-2019-7139, allowed an unauthenticated user to execute arbitrary code via an SQL injection that resulted in data leakage. While that was patched in Magento 2.3.1, 75 further security enhancements were announced with the release of the latest version, 2.3.2, just last month. These figures underline the necessity of keeping up with regular security updates and applying them in a timely fashion. 

Magento is not the only platform that has vulnerabilities. An API flaw, publicly disclosed in April of this year but patched last November, made it possible for hackers to access revenue data from thousands of stores running Shopify, arguably the most popular ecommerce payment platform in use.

What is the True Cost of a Data Breach?

The situation for online retailers has become more serious, with regulatory authorities increasing fines for companies that do not secure their users’ data. The European Union’s GDPR (General Data Protection Regulation), which came into force in 2018, has been used to punish non-compliant companies with heavy fines.

While companies such as Sony, Yahoo, and Facebook have faced fines in the region of $300,000 – $500,000, the most recent case involving British Airways could see the company face a fine in the region of $200 million. In a breach of British Airways’ online payment site last year, users were diverted to a fraudulent site where hackers harvested up to 500,000 customer payment details. Stolen information included names, email addresses, credit card numbers, expiry dates and the three-digit CVV code used to verify the card’s authenticity during online shopping. 

Aside from financial loss incurred by regulatory fines, an ecommerce security breach can also negatively affect your brand reputation and cause a loss of consumer confidence. 

13 Common Ecommerce Threats and Solutions

Consumers provide retailers with a lot of valuable PII during online payment transactions, which they expect to be kept safe. Keeping your online digital payments secure, and avoiding the pains of a breach, is less of a burden if you follow these best practices to avoid ecommerce security issues.

1. HTTPS is the Default, Not the Ultimate Defence

Any online payment system needs to be using the secure https protocol, but it’s a mistake to think that just because you’re using an encrypted connection that your security concerns are met. All of the breaches noted above occurred on sites that were also using https, so while it’s a mandatory requirement, there’s still a lot more you need to do.

2. Secure Your Servers and Admin Panels

Ensure you lock down your cPanels and check that directories and folders have the correct permissions. Nothing on your site should have 777 permissions, which allow anyone to read, write and execute. Permissions for directories should never exceed 755 or rwxr-xr-x, while for most if not all files 644 or rw-r--r-- should be sufficient.

Your cPanels should not be accessible from just any IP address whatsoever. You can lock down access to your cPanel and other services so that only certain IP addresses are allowed to use it.
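The permission limits above can be checked mechanically. The following is an added example, not code from the original article: a small audit that walks a web root and reports every directory over 755 and every file over 644. The function names and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

DIR_LIMIT = 0o755   # rwxr-xr-x, the ceiling the article gives for directories
FILE_LIMIT = 0o644  # rw-r--r--, the ceiling the article gives for files


def classify(mode, is_dir):
    """Return a reason string if mode has bits beyond the limit, else None."""
    limit = DIR_LIMIT if is_dir else FILE_LIMIT
    if not mode & ~limit & 0o777:
        return None
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    return "executable file"  # only files can reach here (exec bit set)


def audit_permissions(root):
    """Return sorted (relative_path, octal_mode, reason) for entries over the limits."""
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]

    findings = []
    for path in candidates:
        st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
        if stat.S_ISDIR(st.st_mode):
            is_dir = True
        elif stat.S_ISREG(st.st_mode):
            is_dir = False
        else:
            # Symlinks always report 777 on Linux and would be false positives;
            # sockets and device nodes are out of scope for this check.
            continue
        mode = stat.S_IMODE(st.st_mode) & 0o777  # ignore setuid/setgid/sticky
        reason = classify(mode, is_dir)
        if reason:
            rel = os.path.relpath(path, root)
            findings.append((rel, format(mode, "03o"), reason))
    return sorted(findings)


def demo():
    """Build a constructed sample web root and audit it."""
    layout = {
        "uploads": (True, 0o777),      # the 777 case the article warns about
        "cache": (True, 0o775),
        "media": (True, 0o755),        # within the limit
        "config.php": (False, 0o644),  # within the limit
        "index.php": (False, 0o666),
        "deploy.sh": (False, 0o755),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (is_dir, mode) in layout.items():
            path = os.path.join(root, name)
            if is_dir:
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)  # chmod is not affected by the umask
        os.symlink(os.path.join(root, "config.php"),
                   os.path.join(root, "current.php"))
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, mode, reason in demo():
        print(f"{mode}  {reason:<16} {rel}")
```

To audit a real site, call `audit_permissions()` with the path of the web root instead of running `demo()`.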

3. Payment Gateway Security

Payment gateways stand between your website and the payment processor – the bank or credit card company that will ultimately authorize the payment. The payment gateway’s job is to ensure that the transaction is secure and that you are not defrauded by customers without the ability to pay.

Your payment gateway should be using point-to-point encryption (P2PE), tokenization to reduce payment fraud from stolen data, and be PCI DSS compliant.

4. Antivirus and Anti-Malware Software

Malware attacks can’t be stopped by legacy Anti-Virus solutions any more, as attackers’ tools have become more sophisticated than the software many enterprises are using to detect them. Fileless malware that doesn’t drop executables for AV scanners to check, living off the land techniques that use trusted operating system processes to do the malware’s “dirty work” and escape detection, along with supply chain attacks and other tricks, mean ecommerce needs more sophisticated security solutions with behavioral AI detection and autonomous response capabilities.

5. Use Firewall Control

Application firewalls can keep out communications from known malicious domains, and a good security solution should also allow you fine-grained control of both incoming and outgoing traffic. This is security 101, so make sure your security software both supports it and makes it easy to do.

6. Secure Your Site with SSL Certificates

Like using https, this should be a default on any site that’s engaged in internet commerce. Be sure that all your logins, including to the backend, require users to use SSL or TLS. Specifically, avoid logins over ports 2082, 2086 or 2095, which send passwords in clear text, making them ripe for theft.

7. Employ Multi-Layer Security

We’ve said it before, but it never gets old: defence in depth is the only way to protect against modern malware and threat actors. Even technologically unsophisticated criminals are obtaining nation state level malware, and the idea that you can plug every hole with a subscription to a legacy AV vendor is asking for trouble. The threat landscape is complex, from malicious insiders to supply chain attacks, to known bypasses of common AV security products. Good security means avoiding the pitfall of a single point of failure.

8. Use Security Plugins

Whether you’re using Shopify, Magento or some other platform, there should be a range of security plugins available that can fortify your ecommerce platform. Plugins can do specific tasks to beef up your defenses like detect bots, blacklist visitors from particular locations and even protect the content on your webpages by preventing things like right-click interactions or drag-and-drop actions.

9. Backup Your Data

The recent spate of ransomware attacks on city councils, hospitals and other public services should have put this basic security principle at the forefront of everybody’s mind by now. Use the 3-2-1 principle: have at least three recent backups at all times, keep two of those on different storage media, and ensure that one of them is located off-site.

10. Stay Updated

As the recent Magecart campaign and MagentoCore malware attacks show, you need to patch often and patch early. With 75 security vulnerabilities fixed in the most recent Magento 2 update, you can’t afford complacency when it comes to staying ahead of hackers.

11. Opt for a Hosted Ecommerce Platform

You can solve a lot of security problems by choosing a hosted ecommerce platform rather than trying to roll your own. Choose a PCI compliant hosting provider to get the best protection. That of course comes at a cost, but that could actually turn out to be a huge saving if you’re not prepared to deal with the added security issues that come with self-hosting. 

12. Train Your Staff Better

Educating your staff about security is one of the best “soft” defences that you can employ and will reap benefits for both the business and your customers. Be aware that most vectors that result in online skimming malware infecting your system come through phishing attacks.

Spammers may leave phishing links in your site’s blog comments or contact forms to tempt your customer service staff. Likewise, your customer-facing teams can be prone to phishing and spear-phishing attacks that urge them to “take actions” or to enrol in some vital HR exercise. Simulated phishing campaigns can help raise awareness, as can directing your staff to articles like this in your workplace communication channels.

13. Keep an Eye Out for Malicious Activity

Detection is required in the modern enterprise, and aside from using a capable NGAV solution as mentioned above, consider devoting resources to actively engaging in threat hunting. This is a methodical process in which your IT or security team look for gaps in your layered defenses, with the aim of spotting any malware that has evaded your other layers early enough to prevent it from reaching its objective.

Conclusion

Implementing ecommerce security measures such as those described above is vital to any business that is engaged in online retailing and digital payments. Exploiting ecommerce security issues can reward hackers with a treasure trove of information to be sold on the dark net or on “carder” trading forums, and it can lead to hefty punishments for businesses that have failed to secure customer data from electronic theft. 



48-hour, buy-one-get-one free — TC Sessions: Enterprise 2019

Every startupper we’ve ever met loves a great deal, and so do we. That’s why we’re celebrating Prime day with a 48-hour flash sale on tickets to TC Sessions: Enterprise 2019, which takes place September 5 at the Yerba Buena Center for the Arts in San Francisco.

We’re talking a classic BOGO — buy-one-get-one — deal that starts today and ends tomorrow, July 16, at 11:59 p.m. (PT). Buy one early-bird ticket ($249) and you get a second ticket for free. But this BOGO goes bye-bye in just 48 hours, so don’t wait. Buy your TC Sessions: Enterprise tickets now and save.

Get ready to join more than 1,000 attendees for a day-long, intensive experience exploring the enterprise colossus — a tech category that generates hundreds of new startups, along with a steady stream of multibillion-dollar acquisitions, every year.

What can you expect at TC Sessions: Enterprise? For starters, you’ll hear TechCrunch editors interview enterprise software leaders, including tech titans, rising founders and boundary-breaking VCs.

One such titan, George Brady — Capital One’s executive VP in charge of tech operations — will join us to discuss how the financial institution left legacy hardware and software behind to embrace the cloud. Quite a journey in such a highly regulated industry.

Our growing speaker roster features other enterprise heavy-hitters, including Aaron Levie, Box co-founder and CEO; Aparna Sinha, Google’s director of product management for Kubernetes and Anthos; Jim Clarke, Intel’s director of quantum hardware; and Scott Farquhar, co-founder and co-CEO of Atlassian.

Looking for in-depth information on technical enterprise topics? You’ll find them in our workshops and breakout sessions. Check out the exhibiting early-stage enterprise startups focused on disrupting, well, everything. Enjoy receptions and world-class networking with other founders, investors and technologists actively building the next generation of enterprise services.

TC Sessions: Enterprise 2019 takes place September 5, and we pack a lot of value into a single day. Double your ROI and take advantage of our 48-hour BOGO sale. Buy your ticket before July 16 at 11:59 p.m. (PT) and get another ticket free. That’s two tickets for one early-bird price. And if that’s not enough value, get this: we’ll register you for a free Expo-only pass to Disrupt SF 2019 for every TC Sessions: Enterprise ticket you purchase (mic drop).

Interested in sponsoring TC Sessions: Enterprise? Fill out this form and a member of our sales team will contact you.

Amazon adds Hindi to the Alexa Skills Kit

Users of Amazon’s voice assistant will soon be able to talk to Alexa in Hindi. Amazon announced today that it has added a Hindi voice model to its Alexa Skills Kit for developers. Alexa developers can also update their existing published skills in India for Hindi.

Amazon first revealed that it would add fluent Hindi to Alexa last month during its re:MARS machine learning and artificial intelligence conference. Before, Alexa was only able to understand a few Hinglish (a portmanteau of Hindi and English) commands. Rohit Prasad, vice president and head scientist for Alexa, told Indian news agency IANS that adding Hindi to Alexa posed a “contextual, cultural as well as content-related challenge” because of the wide variety of dialects, accents and slang used in India.

Along with English, Hindi is one of India’s official languages (Google Voice Assistant also offers Hindi support). According to Citi Research, Amazon holds about a 30 percent market share, about the same as its main competitor, Walmart-backed Flipkart.

Is ‘REvil’ the New GandCrab Ransomware?

The cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as “REvil,” “Sodin,” and “Sodinokibi.”

“We are getting a well-deserved retirement,” the GandCrab administrator(s) wrote in their farewell message on May 31. “We are a living proof that you can do evil and get off scot-free.”

However, it now appears the GandCrab team had already begun preparations to re-brand under a far more private ransomware-as-a-service offering months before their official “retirement.”

In late April, researchers at Cisco Talos spotted a new ransomware strain dubbed Sodinokibi that was used to deploy GandCrab, which encrypts files on infected systems unless and until the victim pays the demanded sum. A month later, GandCrab would announce its closure.

A payment page for a victim of REvil, a.k.a. Sodin and Sodinokibi.

Meanwhile, in the first half of May an individual using the nickname “Unknown” began making deposits totaling more than USD $130,000 worth of virtual currencies on two top cybercrime forums. The down payments were meant to demonstrate the actor meant business in his offer to hire just a handful of affiliates to drive a new, as-yet unnamed ransomware-as-a-service offering.

“We are not going to hire as many people as possible,” Unknown told forum members in announcing the new RaaS program. “Five affiliates more can join the program and then we’ll go under the radar. Each affiliate is guaranteed USD 10,000. Your cut is 60 percent at the beginning and 70 percent after the first three payments are made. Five affiliates are guaranteed [USD] 50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals.”

Asked by forum members to name the ransomware service, Unknown said it had been mentioned in media reports but that he wouldn’t be disclosing technical details of the program or its name for the time being.

Unknown said it was forbidden to install the new ransomware strain on any computers in the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.

The prohibition against spreading malware in CIS countries has long been a staple of various pay-per-install affiliate programs that are operated by crooks residing in those nations. The idea here is not to attract attention from local law enforcement responding to victim complaints (and/or perhaps to stay off the radar of tax authorities and extortionists in their hometowns).

But Kaspersky Lab discovered that Sodinokibi/REvil also includes one other nation on its list of countries that affiliates should avoid infecting: Syria. Interestingly, later versions of GandCrab took the same unusual step.

What’s the significance of the Syria connection? In October 2018, a Syrian man tweeted that he had lost access to all pictures of his deceased children after his computer got infected with GandCrab.

“They want 600 dollars to give me back my children, that’s what they’ve done, they’ve taken my boys away from me for some filthy money,” the victim wrote. “How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?”

That heartfelt appeal apparently struck a chord with the developer(s) of GandCrab, who soon after released a decryption key that let all GandCrab victims in Syria unlock their files for free.

But this rare display of mercy probably cost the GandCrab administrators and its affiliates a pretty penny. That’s because a week after GandCrab released decryption keys for all victims in Syria, the No More Ransom project released a free GandCrab decryption tool developed by Romanian police in collaboration with law enforcement offices from a number of countries and security firm Bitdefender.

The GandCrab operators later told affiliates that the release of the decryption keys for Syrian victims allowed the entropy used by the random number generator for the ransomware’s master key to be calculated. Approximately 24 hours after NoMoreRansom released its free tool, the GandCrab team shipped an update that rendered it unable to decrypt files.

There are also similarities between the ways that both GandCrab and REvil generate URLs that are used as part of the infection process, according to a recent report from Dutch security firm Tesorion.

“Even though the code bases differ significantly, the lists of strings that are used to generate the URLs are very similar (although not identical), and there are some striking similarities in how this specific part of the code works, e.g., in the somewhat far-fetched way that the random length of the filename is repeatedly recalculated,” Tesorion observed.

My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise.

The Good, the Bad and the Ugly in Cybersecurity – Week 28

The Good

Microsoft has addressed 77 vulnerabilities in its July Patch Tuesday update, with 15 of them rated as critical and two known to be under active exploit.

Adobe has issued a small group of updates, with surprisingly none for Acrobat Reader or Flash.

Eleven of the critical bugs are for scripting engines and browsers, and the four others affect the DHCP Server, GDI+, the .NET Framework and the Azure DevOps Server/Team Foundation Server.

The Bad

Zoom is a success story. The small startup was able to disrupt the giants that repeatedly failed to solve a growing enterprise need: flawless video conferencing. So many have tried before, including Cisco, GoToMeeting and even Google and Uber, but only Zoom got it right. Zoom was able to become profitable and went public.

This week, we learned the Apple Mac version contained a software vulnerability that could lead to remote command execution (RCE) on any macOS device, even if the Zoom app had been uninstalled. Zoom has pushed out an emergency patch to address the zero-day vulnerability for Mac users that could potentially expose a live webcam feed to an attacker, launching the user into a Zoom video chat they’d never intended to join.

The move is a surprise reversal of Zoom’s previous stance, in which the company treated the vulnerability as “low risk” and defended its use of a local web server that incidentally exposed Zoom users to potential attacks.

Meanwhile, Apple have taken things into their own hands and released an update to their malware removal tool (MRT.app) that removes the affected Zoom components. Apple users need to restart the Mac first, however, as Apple’s MRT protection is only run once at each boot time.

The Ugly

Back in 2018, the Singapore-based company Broadcom tried to acquire Qualcomm as part of its plans to relocate its headquarters to the United States. They failed after President Donald Trump said he had “credible evidence” that the deal had the potential to threaten the national security of the United States. Symantec, who is still protecting (too) many enterprises, suffered in recent years from financial instability and executive turnover.

Will Broadcom be able to fix these leadership problems that the well funded Symantec could not? If you look at the history of similar attempts with Symantec’s traditional rival McAfee, which was bought by Intel and then sold to TPG Capital and Thoma Bravo, the answer is nothing great should be expected.

Not that that’s stopping McAfee from trying again. In an attempt to join the rush of security companies going public, McAfee has announced that they might announce a listing later this year. Or they might not. Wat? It seems the owners are also considering the possibility of an outright sale. Confused? Watch this space!

 



With $34B Red Hat deal closed, IBM needs to execute now

In a summer surprise this week, IBM announced it had closed its $34 billion blockbuster deal to acquire Red Hat. The deal, which was announced in October, was expected to take a year to clear all of the regulatory hurdles, but U.S. and EU regulators moved surprisingly quickly. For IBM, the future starts now, and it needs to find a way to ensure that this works.

There are always going to be layers of complexity in a deal of this scope, as IBM moves to incorporate Red Hat into its product family quickly and get the company moving. It’s never easy combining two large organizations, but with IBM mired in single-digit cloud market share and years of sluggish growth, it is hoping that Red Hat will give it a strong hybrid cloud story that can help begin to alter its recent fortunes.

As Box CEO (and IBM partner) Aaron Levie tweeted at the time the deal was announced, “Transformation requires big bets, and this is a good one.” While the deal is very much about transformation, we won’t know for some time if it’s a good one.

Transformation blues