source: cnet.com

After Microsoft learned about a flaw that let hackers disguise attacks in Word documents, it only took the company half a year to release a patch.

The exploit, which Microsoft reportedly learned about in October 2016, hid malware in .doc files and put Windows and Office users at risk. When a victim opened the .doc file, it would automatically connect to a server and download an HTML application that gave hackers full control of the device. The exploit worked on every version of Office.

Microsoft released a patch for the issue on April 11. Between the time that Microsoft learned about the flaw and actually fixed it, the Chicago Cubs won the World Series, the Samsung Galaxy Note 7 was recalled (twice), President Donald Trump was sworn into office and NASA found seven exoplanets likely to host life. Yeah, a lot of things can happen in six months.

Ryan Hanson, a security consultant for Optiv, first notified Microsoft about the vulnerability in October, Reuters reported on Thursday, before any hackers had used the exploit. Microsoft told Reuters that fixing the problem was tricky because it couldn't warn users without tipping off hackers.

"There are many factors that affect the length of time between the discovery of an issue and the release of a security update, as every vulnerability is different with its own unique challenges," a Microsoft representative said in a statement. "Ultimately, developing a security update is a delicate balance between timeliness and best quality."

 

Companies take a risk by dragging their feet on informing users about exploits. Yahoo is still dealing with a potential Senate hearing after Sen. Mark Warner argued the internet giant didn't inform users quickly enough about a breach that affected 500 million accounts. In Microsoft's case, hackers caught wind of the Office exploit before a patch had been released.

In January, McAfee noticed the first attacks using the vulnerability, which put up to 1.2 billion people using Microsoft Office at risk. Microsoft didn't learn about active attacks until March, when security firm FireEye shared its discoveries with the company.

Attacks skyrocketed after McAfee disclosed details of the bug on April 7, four days before Microsoft released its patch.

"We did not observe widespread activity until after information was disclosed by McAfee," a Microsoft spokesperson said.

The saga finally ended when Microsoft released its patch earlier this month. However, users who haven't updated Office remain vulnerable.

 

source: digitaltrends.com

Never short of an innovative idea or two, researchers at the Massachusetts Institute of Technology developed a new robotic system capable of 3D printing an entire building.

The system involves a tracked vehicle that carries a giant robot arm with a smaller precision-motion arm at one end, able to extrude concrete or spray insulating material. It also has additional digital fabrication end effectors, such as a milling head.

“For this project, we designed a robotic system that’s mobile so that it can go on site, gather its own energy through photovoltaics, and gather its own material to carry out fabrication using local materials like compressed earth or even ice,” Steven Keating, a mechanical engineering graduate who worked on the project, told Digital Trends. “Most importantly, we wanted to make sure that this could integrate into a construction site tomorrow — and would have incredible benefits compared to regular construction techniques.”

These benefits are numerous. For one thing, it can produce structures faster and cheaper than traditional construction methods. It could also be used to make more customized creations, based both on the local materials available and environmental conditions. 

source: eweek.com

We hear a lot about hacking these days, but in fact, hacking is nothing new. Even long before computers existed, people have tried to hack things. The public became aware of hacking as early as 1903, when Marconi’s wireless telegraph was hacked just as the technology’s capabilities were about to be demonstrated to a large crowd gathered at London’s Royal Institution.

Today, hacking has evolved into a wide-ranging web of cybercrime that is hard to avoid, with perpetrators carrying out their misdeeds for a variety of motives – selling data for profit, hacktivism, stealing state secrets, and revenge against former employers or enemies. But make no mistake, the prime motive is profit. The cost of cybercrime will top $2 trillion by 2019, according to Juniper Research.

The expansion of the Internet of Things (IoT), and its potential to connect every device that can be connected, creates even more opportunities for hackers. We’ve already seen hacks involving WiFi-connected insulin injectors, automobiles, baby monitors and webcams. The massive Oct. 21 DDoS (distributed denial of service) against DNS provider Dyn used hundreds of thousands of connected devices, including webcams, to block access to a host of popular websites, including Twitter, Netflix and the New York Times.

A Fact of Life

Hacking is a fact of life and it’s only going to become more widespread. The sooner we accept that, the better we can defend ourselves. Pretending it doesn’t exist, that it’s somebody else’s problem or some technical genius somewhere will come up with a silver bullet against cybercrime is unrealistic and dangerous.

Everyone has a responsibility to defend against cybercrime because it affects us all. With that in mind, here are six recommendations to protect against hackers and assorted cybercriminals:

  1. Be vigilant

Vigilance starts with awareness, so we all need to do our level best to learn the risks, their potential consequences, and how to avoid them. When it comes to logging on a WiFi network or a website, or connecting a new device at home or the office, follow this simple rule: Stop. Think. Connect. It’s the basis for a national cybersecurity campaign championed by the Department of Homeland Security encouraging everyone to be cyber-aware.

 

source:  cyberdefensemagazine.com

Experts at Recorded Future have discovered a cheap RaaS, the Karmen Ransomware that deletes decryptor if detects a sandbox.

Security experts from threat intelligence firm Recorded Future have spotted a new ransomware as a service (RaaS) called Karmen. The service allows customers to easy create their ransomware campaign in a few steps and without specific skills.

Wannabe-crooks also track infected systems via a “Clients” tab, the Dashboard implements an efficient and easy to use cockpit that include various information such as the number of infected machines, earned revenue, and available updates for the malware.

The Karmen RaaS is very cheap, it costs just $175, buyers can decide the ransom prices and the duration of the period in which the victims can pay the ransom.

The Karmen ransomware is based on the open-source ransomware Hidden Tear, which was released in August 2015 by the Turkish security researchers Utku Sen for educational purposes.

The first Karmen infections were reported in December 2016, the malware infected machines in Germany and the United States.

The Karmen ransomware is a multi-threaded and multi-language ransomware that supports .NET 4.0 and uses the AES-256 encryption standard.

The malware is .NET dependent and requires PHP 5.6 and MySQL.

“On March 4, 2017, a member of a top-tier cyber criminal community with the username “Dereck1” mentioned a new ransomware variant called “Karmen.” reported a blog post published by Recorded Future.

“Further investigation revealed that “DevBitox,” a Russian-speaking cyber criminal, was the seller behind the Karmen malware on underground forums in March 2017.”

“However, the first cases of infections with Karmen were reported as early as December 2016 by victims in Germany and the United States.”