Microsoft claims it has patched most of the exploited bugs
Updated The Shadow Brokers have leaked more hacking tools stolen from the NSA's Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.
The toolkit puts into anyone's hands – from moronic script kiddies to hardened crims – highly classified nation-state-level weaponry that can potentially compromise and commandeer systems around the world. This is the same powerful toolkit Uncle Sam used once upon a time to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations.
The files range from Microsoft Windows exploits to tools for monitoring SWIFT interbank payments. Ongoing analysis of the leaked documents and executables has revealed Cisco firewalls and VPN gateways are also targets.
The Shadow Brokers tried auctioning off the stolen cyber-weapons to the highest bidder, but when that sale flopped with no buyers, the team started releasing the gear online for free anyway.
"The shadow brokers not wanting going there. Is being too bad nobody deciding to be paying the shadow brokers for just to shut up and going away," the group said in a typically garbled blog post.
"The Shadow Brokers rather being getting drunk with McAfee on desert island with hot babes. Maybe if all surviving WWIII the shadow brokers are seeing you next week. Who knows what we having next time?"
For IT managers and normal folks, the Windows-hacking arsenal, which dates to around mid-2013, is the most concerning. It contains exploits for vulnerabilities that can be used to hack into unpatched Windows systems, from Windows 2000 to Windows 8 and Server 2012. In some cases this can be done across the network or internet via SMB, RDP, IMAP, and possibly other protocols.
If you have a vulnerable aging machine with those services running, it is possible they can be hijacked using today's dumped tools – if not by strangers on the 'net then potentially by malicious employees or malware already on your network. If you're running the latest up-to-date gear, such as Windows 10, none of this will directly affect you – but not everyone is so lucky. There are plenty of organizations out there that cannot keep every box up to date, for various reasons.
The leaked archive also contains the NSA's equivalent of the Metasploit hacking toolkit: FUZZBUNCH.
Matthew Hickey, cofounder of British security shop Hacker House, told The Register FUZZBUNCH is a very well-developed package that allows servers to be penetrated with a few strokes of the keyboard. The toolkit has modules to install a backdoor on invaded boxes to remote control the gear and romp through file systems.
"This is a nation-state toolkit available for anyone who wants to download it – anyone with a little bit of technical knowledge can download this and hack servers in two minutes," Hickey said. "It's as bad as you can imagine."
He pointed out that the timing of the release – just before Easter – is also significant. With much of the Western world taking it easy on Zombie Jesus weekend, some organizations may be caught short by the dumped cache of cyber-arms.
U.S. stocks would seem to be expensive. Markets are at historic highs. Investors are currently paying more than 21 times what companies in the Standard & Poor’s 500 have earned over the past 12 months, according to operating earnings from S&P Dow Jones Indices. Investors are paying well above the 18.8 average multiple they’ve paid for stocks since 1988, S&P data shows.
Don’t take this as a signal to sell, though, says Darrell Spence, an economist at Capital Group. Reading too much into this one data point could cause long-term investors to miss out on future gains. “It could be possible for the S&P 500 to post an increase in 2017, despite the full starting valuation,” he says.
Here are four reasons why long-term investors should look beyond the price-to-earnings (P/E) ratio:
1.The P/E ratio isn’t always a predictor of future stock movements.
Just because the market’s P/E ratio is high doesn’t mean stocks must fall. Several bull markets had plenty of life left even when the P/E ratio topped 20. You don’t have to go back far to find an example. The S&P 500’s P/E ratio has been above 20 since the end of the fourth quarter of 2015. But since then, stocks have added more than 10% as investors priced in better corporate profit growth. Even in the third quarter of 1992, the market might have seemed richly priced with a P/E of 21. But that was just the beginning of a major bull run that propelled stocks 157% higher, including dividends, in the following five years.
2. P/E ratios must be put into context.
When interest rates are low and the economy is healthy, investors can justify paying higher valuations for stocks, according to Spence. Companies’ future earnings are more valuable when rates are low. There’s little evidence rates are about to move higher soon, given the aggressive moves the U.S. central bank undertook to buy Treasuries, he says.
3. Companies can “grow into” valuations.
Market prices are only one part of the math that determines stock valuations. Corporate profits are the other. If earnings growth resumes, as Spence expects it will in 2017, stocks can justify their current valuations and then some. S&P 500 companies could boost their operating earnings per share this year by 13%, he forecasts. At current prices, if earnings grew 13% in 2017, stocks would be trading at 18.6 times trailing earnings.
4. Economic tailwinds can make stocks more valuable.
Higher valuations can be justified by a number of factors. Economic activity in the U.S., for instance, is improving. Risks of economic distress are low and the new presidential administration is promising stimulative fiscal spending on infrastructure projects, not to mention tax cuts.
But perhaps most importantly, the Federal Reserve has been slow to increase interest rates while other central banks around the world are still working to keep their interest rates low to stoke economies. Low bond rates translate into higher P/E ratios when the economy is healthy, Spence says.
There are risks. A sharp rise in interest rates could change the math and make stocks suddenly look more expensive. A change in direction by the world’s central banks to take away the monetary stimulus could also make stocks more pricey. A strong U.S. dollar could also hurt U.S. companies’ exports.
So despite valuations that would appear stretched, there’s still opportunity in the market. Investors might have to just mute their expectations. What’s reasonable? Add the economy’s hypothetical growth of 2.5% to the expected inflation rate of 2.5% and the S&P 500’s dividend yield of 2%, and that could correspond to a 7% expected total return for U.S. stocks.
“Is the P/E ratio a perfect indicator of the future? The answer is no,” Spence says. “But higher valuations still appear sustainable.”
Good news: Warm temperatures, backyard barbecues and trips to the beach are probably all in your near future.
Bad news: All those wonderful things mean you’ll be exposing yourself to the sun – and, maybe, raising your risk of skin cancer. May is Skin Cancer Awareness Month, and today, the first Monday in May, is Melanoma Monday. That means it’s a good time to make sure you’re taking steps to protect yourself from all kinds of skin cancer, including melanoma, which kills an estimated one person every hour in the United States.
It’s key to use sunscreen year-round to guard yourself from the sun’s harmful UV rays, says Katy Burris, MD, assistant professor of dermatology at Hofstra Northwell School of Medicine -- but it’s especially important when you’re spending more time outside and wearing less clothing. Unfortunately, she says, many people don’t get the full benefit of their sunscreen, thanks to some common mistakes. Here’s what Burris sees many of her patients doing wrong, and how to make it right.
The wrong way: You put it on and forget it.
To make it right: Reapply…and then do it again.
“The number-one mistake people make is that they think sunscreens are a one-and-done sort of thing,” says Burris. But sunscreen loses its potency quicker than you think. If you’re spending the day outdoors, reapply sunscreen to exposed skin every two hours. If you’re swimming or sweating, make that every hour.
The wrong way: You ration out your sunscreen.
To make it right: Don’t be stingy.
Think you can make a bottle of sunscreen last through an entire week at the beach? Bad idea. “The average bottle of sunscreen should only last two to three days for a single person when applied correctly,” says Burris. The rule of thumb when you’re using a sunscreen lotion: To cover your whole body, use at least enough to fill a shot glass.
The wrong way: You’re using a product you don’t like.
To make it right: Find one you won’t skip.
Sunscreen comes in lots of forms -- spray, lotion, stick. Any kind will do the job so long as you use enough, Burris says. “Some people under-apply because their sunscreen feels or looks greasy. It’s important to find one you like.” (You can find non-greasy formulas specifically for your face, for example.) Whatever form you choose, make sure your pick is labeled “broad-spectrum” and has an SPF of at least 30.
The wrong way: You wait until you’re in the sun to put your sunscreen on.
To make it right: Slap it on early.
Don’t wait until you’re lying on your beach towel to put on your sunscreen; it takes time for your skin to absorb its protective ingredients so they can go to work. Apply sunscreen at least 20 minutes before you’re exposed to the sun.
The wrong way: You think your dark skin will keep you safe.
To make it right: Always protect yourself.
Having naturally dark skin – or a tan -- doesn’t reduce your risk of developing skin damage from UV rays. Have you skipped sunscreen before without ending up burned? Even if your skin didn’t turn red, it may have suffered damage on a cellular level, raising your long-term risk of skin cancer. No matter what your complexion, it’s best to play it safe. Use sunscreen daily, check your skin regularly for physical changes and get an annual exam from your dermatologist.
A $1 billion Russia-based criminal gang has been bilking online advertisers by impersonating high-profile Web sites like ESPN, Vogue, CBS Sports, Fox News and the Huffington Post and selling phony ad slots, but that’s about to end.
Online fraud-prevention firm White Ops is releasing data today that will enable online advertisers and ad marketplaces to block the efforts of the group, which is cashing in on its intimate knowledge of the automated infrastructure that controls the buying and selling of video ads.
The group has been ramping up its activities since October so that it now reaps roughly $3 million to $5 million per day from unsuspecting advertisers and gives them nothing in return, says White Ops, which discovered the first hints of the scam in September.
When someone clicks on a video that’s posted to a Web page, the video is often preceded by a short advertising video known as pre-roll. The pre-roll slot is sold realtime – within 100 milliseconds – via an automated auction. That click to request the video is what initiates the ad auction, and the browser directly receives the pre-roll from the advertiser that wins, says White Ops CEO Michael Tiffany.
The system relies on information provided by the browser to verify what site the browser user is visiting and that it actually receives the pre-roll ad. “The ecosystem believes what the browser says about what site you’re at,” he says.
The gang, which Tiffany calls AFT13, has created a robo-browser called Methbot that spoofs all the necessary interactions needed to initiate, carry out and complete the ad transactions. So Methbot contacts an ad exchange and says it needs a pre-roll for a video on Vogue.com, for example. The system runs an instant auction, settles on an ad and sends it to Methbot, which verifies that it received it and played it.
Then the advertiser pays the entity the website that the browser claimed to be visiting, but that entity resolves ultimately to AFK13, not to Voguecom, in this example, he says.
Beyond this, AFK13 spoofs the geolocation of the IP addresses that the Methbot servers use so it seems they are all owned by U.S. internet service providers. The proxy IP addresses mask the fact that Methbot traffic is generated by servers as opposed to individual personal computers generating legitimate traffic. It also hides that the servers are located in data centers in Dallas and Amsterdam.
This helps Methbot duck detection mechanisms that look for a few IP addresses that generate enormous volumes of requests Tiffany says, enabling AFK13 to sell 200 million to 300 million false ad impressions per day for 1.3 cents per view on average, White Ops says. The fraud network does its work from an estimated 800 to 1,000 nodes in its data centers and operates 24 hours per day, with a sales cycle of 5 seconds per impression.
Methbot further avoids detection by selling the ads on more than 6,000 domains representing about 250,000 URLs.
To pull this all off, AFK13 has amassed an impressive infrastructure that includes:
• The servers that generate all the Methbot browser activity.
• A bank of 500,000 IPv4 addresses (worth about $4 million if sold on the open market).
• A means of registering those IP addresses so they appear to be allocated to U.S. ISPs.
• Methbot software.
The software has been upgraded over the period that White Ops became aware of it, Tiffany says. For example, White Ops first caught on to the scam when it noted a small error in an HTTP header used by the group. One value, known as Cache-Control, contained a colon, which violated the specification for that value. Since then the error has been corrected.
White Op has been blocking Methbot traffic for its customers, but the only way to stop it entirely is to release the list of URLs indicative of Methbot, the IP addresses used by AFK13 and the list of publisher domains it forges.
Tiffany says White Ops has also notified the FBI about the scam.
Global retailers can expect 12 per cent growth in online fraudulent activity in the upcoming holiday season, compared with the same period last year — and lower ticket prices on fraudster-targeted gifts and products.
That’s the analysis which falls out of new benchmark data from ACI Worldwide.
The data, based on hundreds of millions of transactions from retailers globally, provides advice that merchants can leverage to protect against fraudulent activity this holiday season.
• Card Not Present (CNP) global online fraud attempt rates are expected to increase 12 per cent by volume over the same peak holiday period in 2015 — with sales to increase by nearly the same rate (13 per cent) in 2016.
o Fraud and new business growth are rising at the same rate globally.
• S. CNP fraud attempt rates are expected to increase by 43 per cent by volume.
o Following the US adoption of EMV chip cards, which protects card data through encryption, fraud is shifting online as fraudsters are more effectively deterred from in-store fraud.
• The 2015 trend of lower ticket prices will continue in 2016, due to alternative shipping methods (e.g. buy online/pick-up in-store), low-priced electronics and promotions.
o In the US, attempted fraud average ticket value (ATV), or a retailer’s average size of individual sales by credit card, is expected to decline from $239 to $219, an 8 per cent decrease.
o Fraudsters are expected to focus on cosmetics, cordless headphones, sneakers and other lower-priced items (including ‘Gift with Purchase’ products) that can be easily resold on the black market or via auction websites
According to Mike Braatz, chief product officer, ACI Worldwide, “Fraud is increasing at a rate nearly equal to general retail growth globally — and is exponentially increasing in the US, due to a seismic shift from in-store to online activity.”
He added, “Because fraudulent activity is now considered to be an everyday occurrence, consumers and merchants must take every precaution as we head into peak holiday shopping season.”
Fraud will peak on Christmas Eve with nearly 2.5 per cent fraud, due to the popularity of gift cards and last-minute shopping via buy online-pick up in-store
“Merchants need to understand their peak days and the sales that drive those high velocity times to ensure risk strategies are effective and efficient,” said Braatz. “It’s important to prioritize real-time fraud detection without alienating the consumer experience.”
From internal threats to creative ransomware to the industrial Internet of Things, security experts illuminate business cybersecurity threats likely to materialize in the next year.
If 2016 was the year hacking went mainstream, 2017 will be the year hackers innovate, said Adam Meyer, chief security strategist at SurfWatch Labs. Meyer analyzes large and diverse piles of data to help companies identify emerging cyber-threat trends. "2017 will be the year of increasingly creative [hacks]," he said. In the past, cybersecurity was considered the realm of IT departments, Meyer explained, but no longer. As smart companies systematically integrate security into their systems, the culture hackers too will evolve.
"Cybercriminals follow the money trail," Meyer said, and smart companies should adopt proactive policies. Ransomware attacks grew quickly, he said, because the attacks are "cheap to operate, and many organizations are not yet applying the proper analysis and decision-making to appropriately defend against this threat."
It's equally cheap to identify internal vulnerability to hacks and to apply preventative best practices, Meyer said. But for many companies it's not as easy to understand the cybersecurity threats most likely to impact business. To help, TechRepublic spoke with a number of prominent security experts about their predictions for near-future cybersecurity trends likely to impact enterprise and small business in 2017.
Cyber-offense and cyber-defense capacities will increase - Mark Testoni, CEO at SAP's national security arm, NS2
We will see an increased rate of sharing of cyber capabilities between the commercial and government spaces. Commercial threat intelligence capabilities will be adopted more broadly by organizations and corporations... High performance computing (HPC), in conjunction with adaptive machine learning (ML) capabilities, will be an essential part of network flow processing because forensic analysis can't stop an impending attack. HPC + adaptive ML capabilities will be required to implement real-time network event forecasting based on prior network behavior and current network operations... [Companies will] use HPC and adaptive ML to implement real-time behavior and pattern analysis to evaluate all network activity based on individual user roles and responsibilities to identify potential individuals within an organization that exhibit "out of the ordinary" tendencies with respect to their use of corporate data and application access.
Ransomware and extortion will increase - Stephen Gates, chief research intelligence analyst at NSFOCUS
The days of single-target ransomware will soon be a thing of the past. Next-generation ransomware paints a pretty dark picture as the self-propagating worms of the past, such as Conficker, Nimda, and Code Red, will return to prominence—but this time they will carry ransomware payloads capable of infecting hundreds of machines in an incredibly short timespan. We have already seen this start to come to fruition with the recent attack on the San Francisco Municipal Transport Agency, where over 2,000 systems were completely locked with ransomware and likely spread on its own as a self-propagating worm. As cybercriminals become more adept at carrying out these tactics, there is a good chance that these attacks will become more common.
As more devices become internet-enabled and accessible and the security measures in place continue to lag behind, the associated risks are on the rise. Aside from the obvious risks for attacks on consumer IoT devices, there is a growing threat against industrial and municipal IoT as well. As leading manufacturers and grid power producers transition to Industry 4.0, sufficient safeguards are lacking. Not only do these IoT devices run the risk of being used to attack others, but their vulnerabilities leave them open to being used against the industrial organizations operating critical infrastructure themselves. This can lead to theft of intellectual property, collecting competitive intelligence, and even the disruption or destruction of critical infrastructure. Not only is the potential scale of these attacks larger, most of these industrial firms do not have the skills in place to deal with web attacks in real-time, which can cause long-lasting, damaging results. This alone will become one of the greatest threats that countries and corporations need to brace themselves for in 2017 and beyond.
At no time in the history of human civilization have we suffered more respiratory diseases than when we began using the combustion engine at the start of the Industrial Revolution. Today, the levels of pollution in major cities around the world have reached extreme levels. Think of such cities like LA, Mexico, Bangkok and Beijing and you can imagine the thousands of people who suffocate under the fumes expelled by millions of vehicles into the atmosphere.
With the introduction of alternative energy sources to operate vehicles, however, we are beginning to cope with this growing menace to human health. In the meantime, new techniques have been developed to minimize the effects of exhaust fumes from combustion engines.
Here are some ways in which proper exhaust control can help:
1. Reduce noise level
A professional car servicing company can provide reduction of noise (which is a form of pollution) through proper design and installation of an exhaust pipe system. A broken exhaust pipe, a result of accidents or improper care, can increase noise levels. Immediate repair is required.
2. Direct exhaust away from passengers
The exhaust from a car is designed to be directed away passengers; hence, it is at the tail end of the car or raised high up to facilitate escape into the atmosphere. Any clogging or leaks will cause the exhaust to enter through windows or holes in the chassis. Determining this seemingly minor yet unhealthy fault can help owners experience a more comfortable ride.
3. Improve engine performance
A defective exhaust pipe decreases the ability of the engine to maximize its burning capability, hence, diminishing its power and performance. In fact, a big percentage of an engine’s power is lost due to the inefficient disposal of the waste gases resulting from the combustion process. Think of a person’s sinusitis which prevents one from breathing out the carbon dioxide from the lungs. What we expel is as important as what we take in. So it is with a car.
4. Improves fuel consumption
With proper burning, fuel consumption becomes more efficient. It also means maximizing your money spent on petrol. A defective exhaust system reduces the mileage you get out of a liter of petrol you buy.
In short, not only do we pollute the atmosphere with a faulty exhaust pipe system, we are practically burning money that virtually escapes from our pockets and enters ours lungs in the form of toxic gases and black soot. Controlling the quantity and the quality of exhaust fumes is every person’s responsibility to maintain a healthy environment.