As GE and Amazon move on, Google expands presence in Boston and NYC

NYC and Boston were handed huge setbacks this week when Amazon and GE decided to bail on their commitments to build headquarters in the respective cities on the same day. But it’s worth pointing out that while these large tech organizations were pulling out, Google was expanding in both locations.

Yesterday, upon hearing about Amazon’s decision to scrap its HQ2 plans in Long Island City, New York City Mayor de Blasio had this to say: “Instead of working with the community, Amazon threw away that opportunity. We have the best talent in the world and every day we are growing a stronger and fairer economy for everyone. If Amazon can’t recognize what that’s worth, its competitors will.” One of them already has. Google had already announced a billion-dollar expansion in Hudson Square at the end of last year.

In fact, the company is pouring billions into NYC real estate, with plans to double its 7,000-person workforce over the next 10 years. As TechCrunch’s Jon Russell reported, “Our investment in New York is a huge part of our commitment to grow and invest in U.S. facilities, offices and jobs. In fact, we’re growing faster outside the Bay Area than within it, and this year opened new offices and data centers in locations like Detroit, Boulder, Los Angeles, Tennessee and Alabama, wrote Google CFO Ruth Porat.”

Just this week, as GE was making its announcement, Google was announcing a major expansion in Cambridge, the city across the river from Boston that is home to Harvard and MIT. Kendall Square is also home to offices from Facebook, Microsoft, IBM, Akamai, DigitalOcean and a plethora of startups.

Google will be moving into a brand new building that currently is home to the MIT Coop bookstore. It plans to grab 365,000 square feet of the new building when it’s completed, and, as in NYC, will be adding hundreds of new jobs to the 1,500 already in place. Brian Cusack, Google Cambridge Site lead points out the company began operations in Cambridge back in 2003 and has been working on Search, Android, Cloud, YouTube, Google Play, Research, Ads and more.

“This new space will provide room for future growth and further cements our commitment to the Cambridge community. We’re proud to call this city home and will continue to support its vibrant nonprofit and growing business community,” he said in a statement.

As we learned this week, big company commitments can vanish just as quickly as they are announced, but for now at least, it appears that Google is serious about its commitment to New York and Boston and will be expanding office space and employment to the tune of thousands of jobs over the next decade.

Uncovering Apple’s Mysterious Malware Removal (MRT) Tool Update

Apple’s little known malware removal tool gets a signature update. But what is this new malware family MACOS.35846e4? Find out on this journey inside MRT

MRT macoS

We’ve noted before that Apple’s built-in security technologies have been missing some updates of late, and we weren’t the only ones. So, when Apple dropped a couple of updates to MRT and XProtect last week, the macOS community raised a collective eyebrow of interest. With XProtect having hardly seen a significant update since March of 2018, there were high hopes that Apple were finally playing catch-up with the rounds of macOS malware that have appeared since XProtect’s last update.

mrt app in coreservices

As it turned out, the updates were underwhelming on the one hand and curious on the other. XProtect merely received a bump for the minimum Flash player plug-in (now, minimum required version is 32.0.0) but otherwise added no new malware families, while MRT only added a single new malware family to its search-and-remove definitions, an item Apple designated MACOS.35846e4.

The addition to MRT caused some consternation among macOS security enthusiasts as this nomenclature is unfamiliar to the wider macOS research community: what is the mysteriously named MACOS.35846e4? Were Apple discovering new malware and keeping the details from the wider security community? It wouldn’t be the first time they’ve been accused of such.

We decided to take a look at the MRT.app and find out for ourselves.

Inside MRT.app

The Malware Removal Tool (MRT.app) is an Apple application that lives in the CoreServices folder located in /System/Library, rather than the Applications or Utilities folders where user level programs are typically located. MRT.app is not intended for users to launch, and in fact has even been known to trigger a false positive from Apple’s own XProtect in certain circumstances.

mrt app in coreservices

However, it does possess some command line options which allow it to be invoked either as an agent or daemon, and interestingly also may generate an error message related to the mysterious new malware family:


The error message doesn’t give us any clue as to what MACOS.35846e4 is though. Figuring out what MRT looks for requires a couple of different approaches. The first thing we need to do is grab a copy of the binary to play with. Even though we don’t plan to write to the binary and it’s protected by System Integrity Protection (which is designed to prevent modifications), working with a copy of a binary during analysis is just a habit that you should always adopt when reverse engineering. We can grab a copy of the binary by executing ditto to write a copy of the binary to the Desktop.

sudo ditto MRT ~/Desktop/MRT_COPY

Pulling Strings

The first step in reverse engineering an executable file is usually to dump the plain text ASCII characters embedded in the file. Simply dumping the strings from the binary will often reveal hardcoded file paths. There’s a couple of ways to achieve this, but the built-in macOS utility, conveniently called strings, is probably the easiest. The strings utility contains a stub by default that actually installs the full utility the first time you use it. Pass the -a flag and the path to the file name, and output the strings to a new file:

strings -a ~/Desktop/MRT_COPY > ~/Desktop/MRT_Strings.txt

You can scroll and search through the new file in a text editor of your choice. Note that the output is just a dump of every string in the binary, and there’s no way to automatically determine from this which strings are actually malware definitions and which are just strings used for other purposes in the binary. That said, many are obvious given a little experience, but it’s important to treat the output with caution until or unless you can verify a file path is related to malware from further checks.

 strings from mrt

Aside from the fact that there’s no intrinsic way to distinguish the strings from one another, there’s another problem: the strings don’t contain all of the definitions. And although we can search through the strings for the family name MACOS.35846e4, the output doesn’t give us any clear indication of the malware that it refers to.

grep for malware family

It’s time to dive a bit deeper.

Static Code Analysis

For this, you need a disassembler like Cutter or Hopper. In this example, we’ll use Hopper because it gives a slightly cleaner and easier to read output.

We begin by searching for references to the string 35846e4 in Hopper’s string’s section.

Hopper disassembly

From here, we find a reference to the string being loaded into the rdi register. That’s interesting! One of the uses of the  rdi register is to hold the first argument in a call to an Objective-C function. Switching to Hopper’s pseudocode view shows us that the string is being loaded into the register from within another function sub_1000ca9a0, where we find a treasure trove of ASCII characters hidden in byte code. This image shows one collection of 13 characters found in the function, each held in a separate variable:

byte codes

We can do a quick-and-dirty check to see if they’re interesting on the command line:

The string turns out to be sendLogEvent: which looks like an Objective-C method call due to the presence of the colon on the end. That’s enough to peek our interest. Scanning through the rest of the method, we see lots more individual variables holding hex values that map to ASCII character codes. To see what they hold, we’ll just dump the whole function into a text file and do some text manipulation to isolate and translate the hex values. This results in the following strings:

more strings

We recognize some of these as classic adware strings, so it seems that MACOS.35846e4 is some form of new adware. Let’s check out VirusTotal and see if we get any matches.

Old Adware, New Variant

Fortunately for us in this case, we get a bunch of hits:

virustotal hits

This is a family of adware that’s been around a long time but was updated after the release of macOS 10.14 Mojave to take into account Apple’s implementation of new user protections. The adware appears to users under various names like “MacSecurityPlus” and “MacOSDefender.

adware adapted for mojave

There’s a hidden folder at ~/Library/Application Support/.dir that contains an application called “CompanyUpdater”. A persistence agent in the user’s Library LaunchAgents folder executes a process called “Dock” to ensure the infection is reinstalled if removed. The adware will also try to install browser extensions in Chrome, Firefox and Safari, typically called something like “AnySearch” or “DefaultSearch”.

Conclusion

In this post, we’ve gotten to the bottom of the mystery of Apple’s update to Malware Removal Tool, though not to why Apple tried to obscure this particular detection. It also remains a mystery why Apple are continuing to update MRT while leaving XProtect practically moribund. For users and endpoints, given the amount of new malware that has arisen in the last year that neither XProtect nor MRT recognizes, it remains a wise choice to ensure you have a more robust security solution installed on your Mac computers.


Like this article? Follow us on LinkedInTwitter, YouTube or Facebook to see the content we post.

Read more about macOS Security

A Review of Malware affecting macOS in 2018

Mojave’s security “hardening” | User protections could be bypassed

Inside Safari Extensions | Malware’s Golden Key to User Data

The Weakest Link: When Admins Get Phished | MacOS “OSX.Dummy” Malware

Evaluating Endpoint Security Products: 15 Dumb Mistakes to Avoid

Spending on cybersecurity is growing and, according to Gartner, is expected to hit the $124 billion mark by end of 2019. This creates an incentive for even more vendors to join the race with alternative security solutions. How should one select a product that will answer an organization’s security needs, be suitable for the enterprise, won’t require too many hands to manage, and provide piece-of-mind from cyber threats? IT managers don’t want persistent complaints from users about their AV software, and the business can’t afford a security solution that impacts productivity. If you find yourself selecting security products, here are some of the common pitfalls many buyers make when evaluating them.

15 Dumb Mistakes to Avoid When Evaluating Endpoint Security Products

1. Overlooking What Users Are Saying

The first major pitfall to avoid is not knowing what the market thinks. If you don’t have the resources to test yourself, see what real customers are saying – the most credible place to check that out is Gartner Peer Insights for Endpoint Protection Products and Endpoint Detection and Response solutions, where you can find a dedicated score and real users comments for both EPP and EDR.

Tip: Go with products with the most reviews on well-established platforms like Gartner Peer Insights.

2. Evaluating Without Clear Success Criteria

Success may look different to different enterprises. One might care about supporting legacy devices as they have a long tail of unpatched devices, others may care more about macOS security and visibility while a third may want to ensure the current IT workforce can handle the solution with ease.

Tip: Define your success criteria carefully, so if a vendor meets it, buy it and get all your needs fulfilled.

3. Relying On Claims That Promise the Earth

The cybersecurity market includes many solutions that were designed to solve different problems but to survive some may claim more than they deliver. The result is too many products claims to protect you from any threat, any attack vector, and without any impact on your users. In the midst of all that, there is the buyer, who in some cases needs guidance rather than an all-inclusive pitch.

Tip: Invest some time and define your needs. Then, find the best product that can resolve them.

4. Believing A Breach Won’t Happen To You

For enterprises hoping to safeguard their critical data, the question is not if they are going to get hacked—but when. According to the Verizon Data Breach Investigations Report (DBIR) 2018, 76% of breaches were financially motivated and showed little regard for the circumstances of the victim. EMA’s Security MegatrendS 2019 report, sponsored by SentinelOne, makes the reality even more clear: 73% of respondents have been affected by some form of endpoint attack, and only 58% of organizations are highly confident they could detect an important security incident before it caused significant impact.

Given that the majority of organizations will face a security breach over their lifetime, it is incumbent on organizations to have a fallback position.

5. Expecting It To Solve All Needs

av suite

In the spring of 2014, Brian Dye, Symantec’s senior vice president for information security, famously said that AV is dead. In fact, Dye told WSJ that he estimated traditional antivirus detected a mere 45 percent of all attacks. Considering that one data breach is enough, how can it be that Symantec has over 25% of the market share and legacy AV is still sold on the market?

One of the trends that helped these security solutions to survive was to provide additional features. Hence, the “AV Suite” was born. Offering many additional features that address a mixed-bag of IT needs suits these vendors as it makes replacing their legacy AV a complex process.

The “AV Suite” increased the attachment rates for legacy solutions, but do you really want to risk your enterprise with a less effective security solution because it also offers a backup solution bundle? The reality is that some IT needs will not – arguably, should not – be answered by your endpoint vendors.

Tip: Choose a solution that doesn’t compromise on security.

6. Setting an Unrealistic Budget

The lack of efficiency from legacy AV vendors also triggered a reduction in security budgets. If something does not work, why should one pay so much? In the era of zero-trust networks, you can still see cases where the budget for network security is higher than protection for endpoints. Nobody wants to waste money on an ineffective solution.

The question is: can you get an effective solution that won’t keep you awake at night and will secure your most important assets for as little as the cost of a cup of coffee? For a year?

7. Failing To Integrate

Cyber Security is not a one-trick pony. The risks come in different shapes and sizes and staying on the safe side requires more than one product. Network security, emails, access control, logging, and SIEM usually live under the same roof. If your security products do not talk to one another and cannot contribute to each other’s efficiency, that’s a bad sign. What you want is a solution that can integrate with all the parts of your security apparatus, making each more effective. For example:

  1. When your firewall gateways determine a file as malicious, you want to immunize your endpoints from it, as they are not always behind a firewall.
  2. When the endpoint solution identifies a bad URL, you want to block it across your gateway protection.
  3. When malicious activity is detected, you want to consolidate all the related information from all your security products to ease the process of identifying the impact and implementing the steps to follow.

For all that to happen, you need solutions that can be automated and which have APIs to facilitate that. There are two basic approaches vendors takes in regards to APIs:

  1. Build the product first, see it mature and then scramble to implement API calls at the request of customers. Ad hoc approaches like this typically lead to bugs.
  2. Build the APIs and the product on top – this way, all APIs are working and functioning, are constantly updated with new capabilities, and the overall integration gives you the means to automate everything.

8. Testing Only File-based Malware

There’s more to modern malware than just malicious files. In the early days of viruses, most malware came in the form of executables, and malware authors needed to use social engineering techniques to trick users into running them. Such techniques are widely used even now and are still a highly effective way to compromise devices. However, malware authors have found ways to get code running without having to trick users. As a result, a growing number of malware campaigns are now file free, either using lateral movement techniques or sometimes documents running macros. This is expected to grow due to the effectiveness of such techniques to compromise at scale.

9. Testing Only Known Malware

There is a difference between downloading a piece of malware from a public source and malware that has never been seen before. When testing known malware, consider that any security product can run a query against public repositories like VirusTotal and return those results as their own, so detection of known malware is a low barrier for a product to pass. Testing malware that is unknown may indicate that this solution can handle novel threats that may be seen in the future.

The challenge starts when you want to find such malware to test, as samples by definition will not be publicly available, and most enterprises don’t have cybersecurity experts to create their own proof-of-concept malware.

The little secret here is that most reputation engines rely on the exact hash of a file. What is a hash? A digested footprint or signature that represents a file using algorithms such as MD5 or SHA. The nature of a hash is that no two non-identical files should resolve to the same hash, so if a security product deems a file to be malicious by its hash, there is no risk of blaming a benign file and producing a false positive.

For security engines that rely on hashes, there’s an easy way for adversaries (and product testers) to produce fresh malware samples. If you download a file-based malware, it’s enough to append a single char to the end of it, and… you got a new hash, a malware that is “unknown” to reputation services like VirusTotal and others.

Tip: Modifying a file’s hash is a good way to differentiate between solutions relying on signatures and those using behavioral AI (changing the hash should not affect AI detection).

10. Skip Testing Benign Applications

Another mistake to avoid is assuming that a candidate solution will recognize all your company software as safe. Let your IT users run a candidate solution on their devices as well as run it on your own. It is not uncommon for large enterprises to run their own software, sometimes even signed by a valid certificate authority. Then you can really see what the solution is worth. No one else is knowledgeable of your network as your own employees.

11. Trusting Samples from Security Vendors

Every security software on earth can be programmed to block specific files, malicious or not. If you take samples from a vendor, and magically find that they are the only ones who detect it, beware. Samples tailor-made to be detected by a single engine are easy to create, and a good sign that your prospective vendor may not be trustworthy.

12. Not Testing With Real-World Deployment Settings

Feasibility tests usually involve some malware testing, comprising of test criteria and a review by IT and the cyber experts in the organization. Cyber experts will try their most advanced scenarios, but you should remember that the solution will be enabled on all your devices, on all your users, all of the time. While protection is the most important aspect of implementing endpoint security products, your users must be able to work with it without interruption and be able to do their jobs.

So, while a test may look impressive when everything is set to trigger alerts by default, will your organization be able to live with those settings on a daily basis. It’s fairly easy for a product to prevent malware when it’s set to its strictest settings. Everything that is new, or running from the downloads folder or unsigned can just be blocked from running. But such strict policies aren’t always suitable for an organization’s day-to-day needs and can lead to a negative impact on productivity.  

As vendors want you to test their solutions and are incentivized to meet your requirements, they might be willing to offer some public repository links. As long as they are not links to files created by the vendor themselves, that’s a good sign of the integrity of that vendor.

13. Counting On The Number Of Alerts For Success

A solution that overwhelms you with hundreds of alerts for a single attack isn’t effective or usable. The idea that more alerts equal more security is a misconception. Ask Target, who suffered a major breach while an alert was hiding in a pile of others, and as such remained undetected for over 120 days.

There’s nothing worse than drowning in alerts and not being able to see real threats through the noise. Do you want hundreds of alerts for one attack or one alert that shows you the hundreds of linked processes? While detection is cheap, prevention will take its toll as your IT team struggle to piece together the whole attack story.

Tip: invest in positive testing. How will the solution work in the day-to-day running of your organization? How will it fit in with your IT team’s workload and practices?

14. Overburdening Your Current IT Team

Managing Cyber Security products can be a real pain. People need to be trained, understand all the bells and whistles and learn how to manage the solution effectively in the context of your organization. In fact, the complexity of managing such solutions causes some products to have a blank policy, just to avoid the hassle of managing it, and that is dangerous.  

Tip: Look for a solution that you can manage with your existing team, which can be deployed quickly and does not require much training.

15. Overlooking Ongoing Maintenance

Antivirus signatures, MS updates, and all the ongoing maintenance can be painful, especially if your organization is not using a single image. Different OSs add more dimensions to the complex task of keeping everything up to date and take their toll on your IT staff members.

AV solutions that require user interaction to perform updates or download emergency patches doesn’t contribute to effective problem management. Installing buggy patches can also result in disruptions and lost productivity, and may require yet more intervention from your IT team.

Tip: Look for solutions that have a consistent upgrade cadence and which can self-manage maintenance from the cloud.

Conclusion

Evaluating security software isn’t easy, and there are no shortcuts to ensuring you get the right product that will fit your organization’s needs, staffing levels, and budget. Buying “off-the-shelf” is sure to lead to headaches down the line. The key to everything we’ve said here is to do your own research and do your own tests. Treat vendor claims with a healthy dose of skepticism until you’ve proven them in your own real-world setting.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Zoho’s office suite gets smarter

As far as big tech companies go, Zoho is a bit different. Not only has it never taken any venture funding, it also offers more than 40 products that range from its online office suite to CRM and HR tools, email, workflow automation services, video conferencing, a bug tracker and everything in-between. You don’t often hear about it, but the company has more than 45 million users worldwide and offices in the U.S., Netherlands, Singapore, Dubai, Yokohama and Beijing — and it owns its data centers, too.

Today, Zoho is launching a major update to its core office suite products: Zoho Writer, Sheet, Show and Notebooks. These tools are getting an infusion of AI — under Zoho’s “Zia” brand — as well as new AppleTV and Android integrations and more. All of the tools are getting some kind of AI-based feature or another, but they are also getting support for Zia Voice, Zoho’s conversational AI assistant.

With this, you can now ask questions about data in your spreadsheets, for example, and Zia will create charts and even pivot tables for you. Similarly, Zoho is using Zia in its document editor and presentation tools to provide better grammar and spellchecking tools (and it’ll now offer a readability score and tips for improving your text). In Zoho Notebook, the note-taking application that is also the company’s newest app, Zia can help users create different formats for their note cards based on the content (text, photo, audio, checklist, sketch, etc.).

“We want to make AI helpful in a very contextual manner for a specific application,” Raju Vegesna, Zoho’s chief evangelist, told me. “Because we do AI across the board, we learned a lot and were are able to apply learnings on one technology and one piece of context and apply that to another.” Zoho first brought Zia to its business intelligence app, for example, and now it’s essentially bringing the same capabilities to its spreadsheet app, too.

It’s worth noting that Google and Microsoft are doing similar things with their productivity apps, too, of course. Zoho, however, argues that it offers a far wider range of applications — and its stated mission is that you should be able to run your entire business on its platform. And the plan is to bring some form of AI to all of them. “Fast-forward a few months and [our AI grammar and spellchecker] is applied to the business application context — maybe a support agent responding to a customer ticket can use this technology to make sure there are no typos in those responses,” Vegesna said.

There are plenty of other updates in this release, too. Zoho Show now works with AppleTV-enabled devices for example, and Android users can now use their phones as a smart remote for Show. Zoho Sheet now lets you build custom functions and scripts and Zoho Writer’s web, mobile and iPad versions can now work completely offline.

The broader context here, though, is that Zoho, with its ridiculously broad product portfolio, is playing a long game. The company has no interest in going public. But it also knows that it’s going up against companies like Google and Microsoft. “Vertical integration is not something that you see in our industry,” said Vegesna. “Companies are in that quick mode of getting traction, sell or go public. We are looking at it in the 10 to 20-year time frame. To really win that game, you need to make these serious investments in the market. The improvements you are seeing here are at the surface level. But we don’t see ourselves as a software company. We see ourselves as a technology company.” And to build up these capabilities, Vegesna said, Zoho has invested hundreds of millions of dollars into its own data centers in the U.S., Europe and Asia, for example.

AWS announces new bare metal instances for companies who want more cloud control

When you think about Infrastructure as a Service, you typically pay for a virtual machine that resides in a multi-tenant environment. That means, it’s using a set of shared resources. For many companies that approach is fine, but when a customer wants more control, they may prefer a single tenant system where they control the entire set of hardware resources. This approach is also known as “bare metal” in the industry, and today AWS announced five new bare metal instances.

You end up paying more for this kind of service because you are getting more control over the processor, storage and other resources on your own dedicated underlying server. This is part of the range of products that all cloud vendors offer. You can have a vanilla virtual machine, with very little control over the hardware, or you can go with bare metal and get much finer grain control over the underlying hardware, something that companies require if they are going to move certain workloads to the cloud.

As AWS describes it in the blog post announcing these new instances, these are for highly specific use cases. “Bare metal instances allow EC2 customers to run applications that benefit from deep performance analysis tools, specialized workloads that require direct access to bare metal infrastructure, legacy workloads not supported in virtual environments, and licensing-restricted Tier 1 business critical applications,” the company explained.

The five new products, called m5.metal, m5d.metal, r5.metal, r5d.metal, and z1d.metal (catchy names there, Amazon) offer a variety of resources:

Chart courtesy of Amazon

These new offerings are available starting today as on-demand, reserved or spot instances, depending on your requirements.

Peltarion raises $20M for its AI platform

Peltarion, a Swedish startup founded by former execs from companies like Spotify, Skype, King, TrueCaller and Google, today announced that it has raised a $20 million Series A funding round led by Euclidean Capital, the family office for hedge fund billionaire James Simons. Previous investors FAM and EQT Ventures also participated, and this round brings the company’s total funding to $35 million.

There is obviously no dearth of AI platforms these days. Peltarion focus on what it calls “operational AI.” The service offers an end-to-end platform that lets you do everything from pre-processing your data to building models and putting them into production. All of this runs in the cloud and developers get access to a graphical user interface for building and testing their models. All of this, the company stresses, ensures that Peltarion’s users don’t have to deal with any of the low-level hardware or software and can instead focus on building their models.

“The speed at which AI systems can be built and deployed on the operational platform is orders of magnitude faster compared to the industry standard tools such as TensorFlow and require far fewer people and decreases the level of technical expertise needed,” Luka Crnkovic-Friis, of Peltarion’s CEO and co-founder, tells me. “All this results in more organizations being able to operationalize AI and focusing on solving problems and creating change.”

In a world where businesses have a plethora of choices, though, why use Peltarion over more established players? “Almost all of our clients are worried about lock-in to any single cloud provider,” Crnkovic-Friis said. “They tend to be fine using storage and compute as they are relatively similar across all the providers and moving to another cloud provider is possible. Equally, they are very wary of the higher-level services that AWS, GCP, Azure, and others provide as it means a complete lock-in.”

Peltarion, of course, argues that its platform doesn’t lock in its users and that other platforms take far more AI expertise to produce commercially viable AI services. The company rightly notes that, outside of the tech giants, most companies still struggle with how to use AI at scale. “They are stuck on the starting blocks, held back by two primary barriers to progress: immature patchwork technology and skills shortage,” said Crnkovic-Friis.

The company will use the new funding to expand its development team and its teams working with its community and partners. It’ll also use the new funding for growth initiatives in the U.S. and other markets.

Zendesk just hired three former Microsoft, Salesforce and Adobe execs

Today, Zendesk announced it has hired three new executives — Elisabeth Zornes, former general manager of global support for Microsoft Office, as Zendesk’s first chief customer officer; former Adobe executive Colleen Berube as chief information officer and former Salesforce executive Shawna Wolverton as senior vice president, product.

The company emphasized that the hirings were about expanding the executive suite and bringing in top people to help the company grow and move into larger enterprise organizations.

From left to right: Shawna Wolverton, Colleen Berube and Elizabeth Zornes

Zornes comes to Zendesk with 20 years of experience at Microsoft working in a variety of roles around Microsoft Office. She says that what attracted her to Zendesk was its focus on the customer.

“When I look at businesses today, no matter what size, what type or what geography, they can agree on one thing: customer experience is the rocket fuel to drive success. Zendesk has positioned itself as a technology company that empowers companies of all kinds to drive a new level of success by focusing on their customer experience, and helping them to be at the forefront of that was a very intriguing opportunity for me,” Zornes told TechCrunch.

New CIO Berube, who comes with two decades of experience, also sees her new job as a chance to have an impact on customer experience and help companies that are trying to transform into digital organizations. “Customer experience is the linchpin for all organizations to succeed in the digital age. My background is broad, having shepherded many different types of companies through digital transformations, and developing and running modern IT organizations,” she said.

Her boss, CEO and co-founder Mikkel Svane, sees someone who can help continue to grow the company and develop the product. “We looked specifically for a CIO with a modern mindset who understands the challenges of large organizations trying to keep up with customer expectations today,” Svane told TechCrunch.

As for senior VP of product Wolverton, she comes with 15 years of experience, including a stint as head of product at Salesforce. She said that coming to Zendesk was about having an impact on a modern SaaS product. “The opportunity to build a modern, public, cloud-native CRM platform with Sunshine was a large part of my decision to join,” she said.

The three leaders have already joined the organization — Wolverton and Berube joined last month and Zornes started just this week.

Bomb Threat Hoaxer Exposed by Hacked Gaming Site

Federal authorities this week arrested a North Carolina man who allegedly ran with a group of online hooligans that attacked Web sites (including this one), took requests on Twitter to call in bomb threats to thousands of schools, and tried to frame various online gaming sites as the culprits. In an ironic twist, the accused — who had fairly well separated his real life identity from his online personas — appears to have been caught after a gaming Web site he frequented got hacked.

On Feb. 12, the U.S. Justice Department announced the arrest of Timothy Dalton Vaughn, a 20-year-old from Winston-Salem, N.C. Vaughn is alleged to have been a key member of the Apophis Squad, a gang of ne’er-do-wells who made bomb threats against thousands of schools and launched distributed denial-of-service (DDoS) attacks against Web sites — including KrebsOnSecurity on multiple occasions.

The feds say Vaughn used multiple aliases on Twitter and elsewhere to crow about his attacks, including “HDGZero,” “WantedByFeds,” and “Xavier Farbel.” Among the Apophis Squad’s targets was encrypted mail service Protonmail, which reached out to this author last year for clues about the identities of the Apophis Squad members after noticing we were both being targeted by them and receiving demands for money in exchange for calling off the attacks.

Protonmail later publicly thanked KrebsOnSecurity for helping to bring about the arrest of Apophis Squad leader George Duke-Cohan — a.k.a. “opt1cz,” “7R1D3n7,” and “Pl3xl3t,” — a 19-year-old from the United Kingdom who was convicted in December 2018 and sentenced to three years in prison. But the real-life identity of HDGZero remained a mystery to both of us, as there was little publicly available information at the time connecting that moniker to anyone.

The DDoS-for-hire service run by Apophis Squad listed their members.

That is, until early January 2019, when news broke that hackers had broken into the servers of computer game maker BlankMediaGames and made off with account details of some 7.6 million people who had signed up to play “Town of Salem,” the company’s browser-based role playing game. That stolen information has since been posted and resold in underground forums.

A review of the leaked BlankMediaGames user database shows that in late 2018, someone who selected the username “hdgzero” signed up to play Town of Salem, registering with the email address xavierfarbel@gmail.com. The data also shows this person registered at the site using a Sprint mobile device with an Internet address that traced back to the Carolinas.

The Justice Department indictment against Vaughn and Duke-Cohan released this week alleges the pair were equally responsible for sending spoofed bomb threat emails to 2,000 schools in the United States and more than 400 in the U.K., falsely warning that various explosive devices were planted at the schools and would be detonated unless a ransom demand was paid.

In this snippet from a January 2018 online chat taken from a channel maintained by HDGZero, the accused can be seen claiming credit for the bomb threats and posting links to stories in various local media outlets about schools evacuating students in response to the threats. The bomb threat emails were made to look like they were sent by different high-profile squads of online gamers competing against one another in the wildly popular game Minecraft.

One of the many private Twitter messages I received from the Apophis Squad following DDoS attacks on KrebsOnSecurity.

The government maintains that, through their various Twitter handles, Duke-Cohan and Vaughn even offered to take requests for shutting down specific schools with bomb threats.

“We are OPEN for request for school lockdowns / evacs,” read a tweet from the Twitter account @apophissquadv2, which the Justice Department says Duke-Cohan and Vaughn shared. “Send us your request to apophissquad@tuta.io (FREE).”

The government alleges that Vaughn also participated with Duke-Cohan in reporting the hijack of a United Airlines flight bound for the United States. That flight, which had almost 300 passengers on board, was later quarantined for four hours in San Francisco pending a full security check.

The indictment charges Vaughn and Duke-Cohan with conspiracy and eight additional felony offenses, including making threats to injure in interstate commerce and making interstate threats involving explosives. Vaughn is additionally charged with intentionally damaging a computer and interstate threat to damage a protected computer with intent to extort.

A Justice Department press release on the indictment states that if convicted of all 11 charges, Vaughn would face a statutory maximum sentence of 80 years in federal prison. If convicted of the nine charges in the indictment in which he is named, Duke-Cohan would face a statutory maximum sentence of 65 years in federal prison.

Fiverr acquires ClearVoice to double down on content marketing

Fiverr is acquiring ClearVoice, a company that helps customers like Intuit and Carfax find professionals to write promotional content.

The two companies seem like a natural fit, as they both operate marketplaces for freelancers. Fiverr covers a much broader swath of freelance work, but CEO Micha Kaufman (pictured above) said the marketplace’s professional writing category grew 220 percent between the fourth quarters of 2017 and 2018, and he predicted that the need for content marketing will only increase.

“The types of channels that brands and companies need to be involved in and engaging in conversation with their audience are just growing,” Kaufman said. “I think any brand today that wants to be relevant needs to create a lot of engaging, interesting, creative content in their space, and I think that that creates a high demand for good content writers.”

Kaufman also noted that this is Fiverr’s third acquisition in two years, and he said he’s a “big believer … in the consolidation of vertical businesses into horizontal businesses such as ours — the fact that we cover over 200 categories gives us a tremendous amount of power to serve customers across many different types of needs.”

So what does the acquisition bring to the table that Fiverr wasn’t offering already? Kaufman said the ClearVoice team has “a lot of know how, both in technology side and the actual content side,” which will allow Fiverr to “cater to customers of all sizes and all needs.”

ClearVoice editorial calendar

ClearVoice editorial calendar

More specifically, he said most of Fiverr’s content marketing customers are small businesses, while ClearVoice is able to work with large enterprises, especially with its collaboration and workflow tools that allow those enterprises to create content at “high velocity.”

Founded in 2014 by Jay Swansson and Joe Griffin (who still serve as co-CEOs), ClearVoice has raised a total of $3.1 million in funding from investors, including PC Ventures, Desert Angels, Peak Ventures and Service Provider Capital, according to Crunchbase.

Fiverr is not disclosing the financial terms of the acquisition. The company says ClearVoice will continue to operate as an independent subsidiary.

“We are thrilled to be joining a company that is changing how people and companies work together in the modern era,” Swansson said in a statement. “This new chapter is a chance for us to use Fiverr’s depth and knowledge to globally scale our business and advance our mission of creating a platform that allows for worldwide creative collaboration.”

Block Kit helps deliver more visually appealing content in Slack

Slack has become a critical communications tool for many organizations. One of the things that has driven its rapid success has been the ability to connect to external enterprise apps inside of Slack, giving employees what is essentially a centralized work hub. This ability has led to some unintended consequences around formatting issues, which Slack addressed today with two new tools, Block Kit and Block Kit Builder.

Block Kit lets developers present dense content in a much more visually appealing way, while Block Kit Builder is a prototyping tool for building more attractive apps inside Slack. The idea is to provide a way to deliver content inside of Slack without having to do workarounds to make the content look good.

Before and after applying Block Kit. Screen: Slack

Bear Douglas, who is Slack’s director of developer of relations, says developers have been quite creative up until now when it comes to formatting, but the company has been working to simplify it. Today’s announcement is the culmination of that work.

“Block Kit makes it easier for people to quickly design a customized app in Slack. We’ve launched a no-code builder that will let people design the messages that they show inside Slack,” she explained.

She said that while this tool is really designed for people with some programming or Slack admin-level knowledge, the ultimate goal is to make it easy enough for non-technical end users to build apps in Slack, something that is on the road map. What enhancing these tools does, however, is show people just what is possible inside of Slack.

“When people see Block Kit in action, it is illuminating about what can be done, and it helps them understand that it doesn’t just need to be your communications center or [something that pings you] when your website blows up. You can actually get work done inside of Slack,” she said.

One other advantage of using Block Kit is that apps will display messages consistently, whether you are using the web or mobile. Prior to having these tools, workarounds might have looked fine on the web, but the spacing might have been off on mobile or vice versa. Block Kit lets you design consistent interfaces across platforms.

Among the tools Slack is offering, none is actually earth-shattering, but in total they provide users with the ability to format their content in a way that makes sense using common design elements like image containers, dividers and sections. They are also offering buttons, drop-down menus and a calendar picker.

Both of these tools are available starting today in the Block Kit hub.