Archive for December, 2019

Facebook can track you when you opt out.

December 19th, 2019

In a letter US senatorsdated December 12 that was released Tuesday, Facebook explained how it is able to estimate users’ locations used to target ads even when they’ve chosen to reject location tracking through their smartphone’s operating system The letter was widely shared on social media Tuesday
The Facebook social network, which was responding to a request for information by two senators, contended that knowing a user’s whereabouts has benefits ranging from showing ads for nearby shops to fighting hackers and battling misinformation.Facebook said that clues for figuring out a user’s location include being tagged in a photo at a specific place or a check-in at a location such as at a restaurant during a dinner with friends.People may share an address for purchases at a shopping section at Facebook, or simply include it in their profile information.

Along with location information shared in posts by users, devices connecting to the internet are given IP addresses and a user’s whereabouts can then be noted.Those addresses include locations, albeit a bit imprecise when it comes to mobile devices linking through telecom services that might only note a town or city.Facebook said knowing a user’s general location helps it and other internet firms to protect accounts by detecting when suspicious login behavior occurs, such as by someone in South America when a user lives in Europe. IP addresses also help companies such as Facebook battle misinformation by showing the general origin of potentially nefarious activity, such as a stream of politically oriented posts which might be aimed at a particular country.

The California Consumer Privacy Act (CCPA) will give internet users the right to see what data big tech companies collect and with whom it is shared.

At the end of October Australia’s consumer watchdog sued Google on Tuesday alleging the technology giant broke consumer law by misleading Android users about how their location data was collected and used. The Australian Competition and Consumer Commission accused Google of collecting information on users’ whereabouts even after they had switched off the location setting.

An Associated Press investigation last year revealed that several Google apps and websites stored user location even if the user had turned off the Location History setting. To stop Google from saving these location markers, users had to turn off another setting, Web and App Activity. That setting, enabled by default, does not specifically reference location information.Google later clarified in a help page how the Location History works, but it didn’t change the location-tracking practice.

Huge tech companies are under increasing scrutiny over their data practices, following a series of privacy scandals at Facebook and new data-privacy rules in Europe. Critics say Google’s insistence on tracking its users’ locations stems from its drive to boost advertising revenue. It can charge advertisers more if they want to narrow ad delivery to people who’ve visited certain locations. The Australian commission began proceedings in the Federal Court of Australia alleging Google breached the law through a series of on-screen representations made as users set up Google accounts on their Android phones and tablets.

The AP investigation found that even with Location History turned off, Google stores user location when, for instance, the Google Maps app is opened, or when users conduct Google searches that aren’t related to location. Automated searches of the local weather on some Android phones also store the phone’s whereabouts.

Earlier, the business news site Quartz found that Google was tracking Android users by collecting the addresses of nearby cellphone towers even if all location services were off. Google changed the practice and insisted it never recorded the data anyway.

RYUK nasty and expensive ransomware

December 17th, 2019

The Ryuk Ransomware is a data encryption Trojan that was first identified on August 13th, 2018. The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK, Threat actors were reported of infecting organizations in the USA and Germany. Initial analysis suggests the threat was injected in systems through compromised RDP accounts, but it is possible that there is a parallel spam campaign that carries the threat payload as macro-enabled DOCX and PDF files.

Ryuk ransomware had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom. Several attacks followed, where the attackers demanded even greater amounts of ransom. The attackers were able to demand and receive high ransoms because of a unique trait in the Ryuk code: the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By carrying out these actions, the attackers could disable the Windows System Restore option, making it impossible for users to recover from the attack without external backups. Looking at the encryption process and ransom demands, Ryuk is targeting big enterprises in the hopes of large payoffs. A recent flash update from the FBI revealed that over 100 organizations around the world have been beset by Ryuk

The origins of Ryuk ransomware can be attributed to two criminal entities: Wizard Spider and CryptoTech. The former is the well-known Russian cybercriminal group and operator of TrickBot; the latter is a Russian-speaking organization found selling Hermes 2.1 two months before the $58.5 million cyber heist that victimized the Far Eastern International Bank (FEIB) in Taiwan.

Unlike other ransomware, Ryuk is distributed by common botnets, such as Trickbot and Emotet, which have been widely used as banking trojans.
Analysis. Ryuk dropper contains both 32-bit and 64-bit payloads. The dropper checks whether it is being executed in a 32-bit or 64-bit OS by using the “IsWow64Process” API a. It also checks the version of the operating system. Next, it executes the payload using the ShellExecuteW API.

Persistence mechanism
Ryuk adds the following registry key so it will execute at every login. It uses the command below to create a registry key:
“”C:\Windows\System32\cmd.exe” /C REG ADD “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “svchos” /t REG_SZ /d “C:\Users\Public\{random-5 char}.exe” /f”

Process injection
Ryuk injects its main code into several remote processes. Ryuk enumerates the process by calling the CreateToolhelp32Snapshot API and injecting its code in all the processes except the ones named explorer.exe, lsaas.exe and csrss.exe, telling it that it should not be executed by the NT AUTHORITY.
Ryuk ransomware terminates processes and stops services contained on a predefined list. These processes and services are mostly antivirus tools, databases, backups, and other software. The screenshot below shows the list of services stopped by Ryuk. Ryuk also deletes shadow copies and other backup storage files by using a .BAT file so that the infected system can’t restore data. Below is the list of commands used by Ryuk to perform these deletions.

Encryption and similarity with Hermes ransomware
Ryuk uses a combination of RSA (asymmetric) and AES (symmetric) encryption to encrypt files. Ryuk embeds an RSA key pair in which the RSA private key is already encrypted with a global RSA public key. The sample generates an AES-256 key for each file and encrypts the files with an AES key. Further, the AES key is encrypted with an embedded public key and is appended at the end of the encrypted file. If all the samples contain the same RSA key pair, then after getting access to one private key, it’s easy to decrypt all of the files. But Ryuk contains a different RSA key pair for every sample. Some samples append the “.RYK” extension and some don’t append any extensions after encrypting the files.
Ryuk has a common feature with Hermes ransomware. During encryption, Ryuk adds a marker in the encrypted file using the keyword “HERMES”.
Ryuk checks for the HERMES marker before encrypting any file to know if it has been already encrypted.

Ryuk encrypts files in every drive and network shared from the infected system. It has whitelisted a few folders, including “Windows, Mozilla, Chrome, Recycle Bin, and Ahnlab” so it won’t encrypt files inside these folders. Ryuk drops its ransom note, named RyukReadMe.txt, in every directory. Ryuk asks for the ransom in bitcoin, providing the bitcoin address in the ransom note. Ryuk contains different templates for the ransom note. After completing the encryption, Ryuk creates two files. One is “Public” and contains an RSA public key while the second is “UNIQUE_ID_DO_NOT_REMOVE” and contains a unique hardcoded key.

Malwarebytes Labs director Adam Kujawa said that, while instances of consumer ransomware infections are down 25 per cent over the last year, attacks on businesses are skyrocketing, up a whopping 235 per cent over the same period.Overall, the numbers would show that ransomware numbers have fallen. After peaking at more than 5.7 million total detections in August of 2018, just over 3 million attacks by lockup malware were detected in June 2019.This is not, because criminals are losing interest in using ransomware. Rather, they are getting a much better return from fewer attempts on higher-value targets: namely, enterprises.

Prior to running any ransomware decryptor – whether it was supplied by a bad actor or by a security company – be sure to back up the encrypted data first. Should the tool not work as expected, you’ll be able to try again Ryuk is a particularly horrible software nasty. It works by finding and encrypting network drives as well as wiping Windows volume snapshots to prevent the use of Windows System Restore points as an easy recovery method.

Whatever the size of your company and whatever industry you’re in, we recommend you follow these best practices to minimize your risk of falling victim to a ransomware attack:
• Educate your users. Teach them about the importance of strong passwords and roll out two-factor authentication wherever you can.
• Protect access rights. Give user accounts and administrators only the access rights they need and nothing more.
• Make regular backups – and keep them offsite where attackers can’t find them. They could be your last line of defense against a six-figure ransom demand.
• Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
• Lock down your RDP. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
• Ensure tamper protection is enabled. Ryuk and other ransomware attempt to disable your endpoint protection. Tamper protection is designed to prevent this from happening.
• Educate your team on phishing. Phishing is one of the main delivery mechanisms for ransomware.
• Use anti-ransomware protection
• Ensure tamper protection is enabled. Ryuk and other ransomware attempt to disable your endpoint protection. Tamper protection is designed to prevent this from happening.”


Microsoft yesterday announced plans to establish a new cloud datacenter region in Qatar

December 15th, 2019

Microsoftannounced plans to establish a new cloud datacenter region in Qatar to deliver its intelligent, trusted cloud services and expand the Microsoft global cloud infrastructure to 55 cloud regions in 20 countries. The new region is anticipated to be available starting with Microsoft Azure in 2021, and Office 365, Dynamics 365 and Power Platform to follow.

The announcement was made by HE Minister of Transport and Communications Jassim Saif Ahmed Al-Sulaiti and EVP and President, Microsoft Global Sales, Marketing and Operations, Microsoft Corp., Jean-Philippe Courtois. HE the Minister said in his opening remarks, “This collaboration with Microsoft comes as part of accelerating the efforts led by the Government of Qatar to implement the country’s digital transformation agenda and build a knowledge-based economy as laid down in the Qatar National Vision 2030.”

Government entities, organizations, public and private enterprises and developers will have access to scalable, highly available, and resilient cloud services to accelerate their digital transformation journeys – better engage customers, empower employees, optimize operations, and transform products and services – from the new cloud region in Qatar. The new cloud region is anticipated to play a pivotal role in bridging the skills gap in Qatar. Microsoft is also collaborating with the Qatar Digital Government to launch a nationwide upskilling program that will train government employees enhancing their technical acumen in cloud technologies.

The new cloud region will adhere to Microsoft’s trusted cloud principles and become part of one of the largest cloud infrastructures in the world, already serving more than a billion customers and 20 million businesses. Microsoft’s cloud services are compliant with the European Union’s General Data Protection Regulation (GDPR) and are certified for a large portfolio of international security and privacy standards, some of which form the basis of Qatar government policies, including the Ministry of Transport and Communications’ National Information Assurance Policy and the Cloud Security and Information Privacy Protection regulations.

The new Microsoft region in Qatar will offer Microsoft’s scalable, trusted and reliable cloud services combined with in-country customer data residency. Microsoft will help empower customers through its deep expertise in protecting customer data to meet extensive security and privacy requirements as well as the broadest set of compliance certifications and attestations in the industry.

This news follows the recent announcement at QITCOM 2019, where MOTC announced its choice of Azure as its preferred cloud platform – a collaboration the two sides see as an opportunity to encourage government entities and institutions in Qatar to embark on or continue their digital transformation journey.
Microsoft Azure is an ever-expanding set of cloud services that offers computing, networking, databases, analytics, and Internet of Things (IoT) services. Office 365 enables cloud-based productivity with email, collaboration, conferencing, enterprise social networking and business intelligence. Dynamics 365 and Power Platform is the next generation of intelligent business applications that enable organizations to grow, evolve and transform to meet the needs of customers and capture new opportunities.

Microsoft has accelerated the pace of global expansion with the opening of cloud regions in five new markets in 2019, including being the first global cloud provider to deliver services from datacenter regions located in Africa.

SQL 2016 Sp2 CU11 release

December 15th, 2019

The 11th cumulative update release for SQL Server 2016 SP2 is now available for download at the Microsoft Downloads site.
Please note that registration is no longer required to download Cumulative updates.
CU11 KB Article:
• Microsoft® SQL Server® 2016 SP2 Latest Cumulative Update:
• Update Center for Microsoft SQL Server:

Forrester sees SnapLogic as a strategic for Enterprise integration – hybrid- cloud and on premise

December 14th, 2019

SnapLogic iPaaS provides integration in continuously evolving data environments,

According to Forrester, “The strategic iPaaS/HIP market is growing because more EA professionals see strategic iPaaS/HIP as a key element of their digital transformation agility.” Forrester adds that “vendors that can make integration easier as well as provide a broad set of integration scenarios position themselves to successfully deliver in any public, private, hybrid, and/or multicloud environment.”

In the report, SnapLogic has received the highest score possible in the “market approach” criterion.

SnapLogic’s intelligent integration platform uses AI-powered workflows to automate all stages of IT integration projects – design, development, deployment, and maintenance – whether on-premises, in the cloud, or in hybrid environments.

The platform’s easy-to-use, self-service interface enables both expert and citizen integrators to manage all application integration, data integration, and data engineering projects on a single, scalable platform.

With SnapLogic, you can connect all of your enterprise systems quickly and easily to automate business processes, accelerate analytics, and drive transformation.

For more details of why ask SnapLogic Partner Synergy Software Systems 009714 3365589

Malware, Deepfakes, Snatch ……the threats keep coming

December 12th, 2019

Over the last decade when malware exploded from a casual semi-amateur landscape into highly organised criminal operations, capable of generating hundreds of millions of US dollars per year.Malware strains like Necurs, Andromeda, Kelihos, Mirai, or ZeroAccess have made a name for themselves after they’ve infected millions of devices across the globe.

The next couple of years will bring a new range of threats that will take tech security far beyond its traditional boundaries and will require a whole new set of skills and alliances. One example: tech analyst Forrester predicts that deepfakes could end up costing businesses a lot of money next year: as much as $250m.

There’s the risk to your share price if someone creates a deepfake of your CEO apparently resigning from the company. Alternatively, a convincing deepfake of a celebrity well known for using your products seemingly being rude about your brand could easily hurt sales if it spreads widely. But there’s also the risk that deepfakes could be added to the toolkits used by phishing gangs. There have already been a few cases of crooks using AI tools to fake the voices of CEOs to trick workers into transferring money to their accounts. The next step would be to create a convincing video of an executive asking for an emergency funds transfer.

If employees are regularly tricked into handing money over to fraudsters on the strength of a bogus email (and they still are), imagine how easy it would be to be fooled by a deepfaked video chat with the CEO instead?

The Internet of Things will greatly increase the number of devices and applications that security teams will have to protect. That’s hard for teams that have used to protecting just PCs and servers to have to worry about everything from smart air-conditioning units or vending machines in the canteen, right through to power plants and industrial machinery.

A new threat has arisen with Snatch ransomware which uses a new trick to bypass antivirus software and encrypt victims’ files without being detected – it relies on rebooting an infected computer into Safe Mode, and to run the ransomware’s file encryption process within Safe mode.The reason is that most antivirus software does not start in Windows Safe Mode, a Windows state that is meant for debugging and recovering a corrupt operating system. Snatch uses a Windows registry key to schedule a Windows service to start in Safe Mode. This service ill run the ransomware in Safe Mode without the risk of being detected by antivirus software, and having its encryption process stopped. Snatch sets itself up as a service that will run even during a Safe Mode reboot, then reboots the box into Safe Mode. This effectively neuters the active protection of most endpoint security tools. Devious! and evil.

The Safe Mode trick was discovered by the incident response team at Sophos Labs, who were called in to investigate a ransomware infection in the past few weeks. Its research team says this is a big deal, and a trick that could be rapidly adopted by other ransomware..

Snatch never targeted home users and was not spread by use of mass-distribution methods like email spam campaigns or browser-based exploit kits — that get a lot of attention from cyber-security firms. Snatch targets a small list of carefully selected companies and public or government organizations.This type of targeting and methodology is known in the cyber-security field as “big-game hunting” and is a strategy that’s been widely adopted by multiple ransomware.
The idea behind big-game hunting is that instead of going after the small ransom fees malware authors can extract from home users, crooks go after large corporations and government organizations, from where they can ask for ransom fees that are hundreds of thousands of times bigger.
Ransomware like Ryuk, SamSam, Matrix, BitPaymer, and LockerGoga are big-game hunters.

The group buys their way into a company’s network. Researchers tracked down ads the Snatch team has posted on hacking forums, to recruit partners for their scheme. According to a translation of the ad, the Snatch team was “looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies.” the Snatch team will buy access to a hacked network, or work with another hacker to breach a desired company. Once in, they rarely install the ransomware and encrypt files right away. Instead, the Snatch team bide their time and slowly escalate access to internal domain controllers, from where the spread to as many computers on an internal network as possible. To do this, the Snatch crew use legitimate sysadmin tools and penetration testing toolkits to get the job done, tools such as Cobalt Strike, Advanced Port Scanner, Process Hacker, IObit Uninstaller, PowerTool, and PsExec. Since these are common tools, most antivirus products failed to raise any alarms.

Once the Snatch gang has all the access they need, they add the registry key and Windows service that starts Snatch in Safe Mode on all infected hosts, and force a reboot of all workstations — reboot that begins the file encryption process.Unlike most ransomware gangs who are primarily focused on encrypting files and asking for ransoms, the Snatch crew also engaged in data theft. This makes Snatch cunique and highly dangerous, and companies also stand to lose from their data being sold or leaked online at a later date, even should they pay the ransom fee and decrypted their files. This type of behavior makes Snatch one of today’s most dangerous ransomware strains.

Combing a company’s internal network for files to steal takes time, and a reason why Snatch has not made the same amount of victims as other “big game hunting” strains/gangs. The number of Snatch victims is very small. The only known public case of a Snatch ransomware infection was SmarterASP.NET, a web hosting company that boasted to have around 440,000 customers.

Secure ports and services that are exposed on the internet with either strong passwords or with multi-factor authentication. Snatch may experiment with e.g. VNC, TeamViewer, or SQL injections, so securing a company’s network for these attack points is also a must.

Ask us about our security solutions.


Encrypt or not encrypt that is the question?

December 12th, 2019

U.S. senators grilled Apple Inc and Facebook Inc executives over their encryption practices on Tuesday and threatened to regulate the technology unless the companies make encrypted user data accessible to law enforcement.

Democrats and Republicans presented united front against encryption that can bloc access to key evidence and stymie investigations.

You’re going to find a way to do this or we’re going to go do it for you,” said Senator Lindsey Graham. “We’re not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion.”

Facebook has been at odds with multiple governments since announcing its plan to extend end-to-end encryption across its messaging services earlier this year. The WhatsApp messaging app is already encrypted. In October, U.S. Attorney General William Barr, and law enforcement chiefs of the United Kingdom, and Australia all called on the world’s biggest social network not to proceed with its plan unless law enforcement officials are given backdoor access.

Facebook rejected that call in a letter signed by WhatsApp head Will Cathcart and Messenger head Stan Chudnovsky which it released along with the company’s written testimony. “The ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes,” they wrote. “That is not something we are prepared to do.”

What will happen to your Windows 7 PCs on 15 January 2020?

December 12th, 2019

Microsoft pushed a full-screen warning to Windows 7 users who are still running the OS after January 14. . After14 January 2020, they’ll get no more security updates to the operating system for free. Even though users will be able to continue to run Windows 7 after that date, they’ll be more susceptible to potential security problems. Microsoft delivered this new, nag notification, to Windows 7 users by making it part of a patch rollup. The coming notification was embedded in monthly rollup KB4530734, which Microsoft made available to Windows 7 SP1 users on December 10 as part of its Patch Tuesday set of updates.

Those who see the full-screen warning will have three options: Remind me later; Learn more; or Don’t remind me again. If users don’t click on the “Don’t remind me again” button and just dismiss the screen, they will continue to get nag warnings.

Dynamics HR, and Talent, recent updates- December 2019

December 7th, 2019

Microsoft will continue investing in operational HR solutions with the erp version with a Dynamics 365 Human Resources to be released early next year on February 3, 2020.

This builds on the current core HR capabilities that are in Dynamics 365 Talent today
. It’s a branding and marketing change for core HR capabilities.
Microsoft will also be incorporating the ‘Ax’ partner adds on from Dynamics partners Four Vision, and Elevate, to further enhance the offering within leave and absence, time and attendance, and benefits administration. These new capabilities will begin rolling out within Dynamics 365 Human Resources in early 2020.

Expected updated licensing.

Microsoft recently announced, via a blog post. the decision to retire the Dynamics 365 Talent: Attract and Dynamics 365 Talent: Onboard apps on February 1, 2022, They will transition Attract and Onboard customers to a solution of their choice. This does not affect those who only use the core Talent module.

To allow time to opt-in, Dynamics 365 customers that are entitled to but are not currently using Attract or Onboard will have until February 3, 2020 to notify Microsoft that they intend to implement Attract and/or Onboard. You can opt- at any point between December 6, 2019 and February 1, 2020. If you are not currently using Attract and/or Onboard and want to opt-in to ensure service availability until February 1, 2022, submit a support ticket before 1 Feb 2020.

Meanwhile Synergy Software Systems continues to implement and support its own GCC localised HR and Payroll module built inside both Dynamics Ax 2012 and Dynamics 365 , and proven with around 50 company implementations.

Power BI update -Gateway recovery key, move to .Net framework 4 – Ask Synergy Software Systems, Dubai’s Power App specialist.

December 5th, 2019

The November update for the On-premises data gateway (version 3000.14.39) is released.

Change Gateway Recovery Key
The recovery key provided by gateway admins during installation of on-premises data gateways in a standard mode could not be changed in the past. This key is used to create the symmetric key which in turn is used for encrypting credentials in data sources/connections using that gateway. With the November release of Data Gateways, you will now be able to rotate this key. More information about recovery keys, detailed description on how to perform this change and associated limitations can be found in the data gateway docs.

November version of the mashup engine
This month’s Gateway update also includes an updated version of the Mashup Engine. This will ensure that the reports that you publish to the Power BI Service and refresh via the Gateway will go through the same query execution logic/runtime as in the latest Power BI Desktop version.

Please note that this upcoming change may impact you:
PB1 will be using .NET 4.8 framework for gateways February 2020 version or higher hence some of the operating systems it used to support may no longer be supported. i.e. for many this change will also force a Windows update.

All .NET Framework versions since .NET Framework 4 are in-place updates, so only a single 4.x version can be present on a system.
In addition, particular versions of the .NET Framework are pre-installed on some versions of the Windows operating system. This means that:
• If there’s a later 4.x version installed on the machine already, then you can’t install a previous 4.x version.
• If the OS comes pre-installed with a particular .NET Framework version, then you can’t install a previous 4.x version on the same machine.
• If you install a later version, you don’t have to first uninstall the previous version.
• The .NET Framework requires administrator privileges for installation.