In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers.
The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. Although the malware was used to generate money, the malware operators easily could have run other malicious code, like spyware or ransomware. The malware also has wormable properties, allowing it to spread from computer to computer.
Since its first appearance, the cryptocurrency mining malware has spread across the world, including the U.S., Russia, and Central and South America.
According to a blog post announcing the bust, security firm Avast confirmed the operation was successful.
The security firm got involved after it discovered a design flaw in the malware’s command and control server. That flaw, if properly exploited, would have “allowed us to remove the malware from its victims’ computers” without pushing any code to victims’ computers, the researchers said.
The exploit would have dismantled the operation, but the researchers lacked the legal authority to push ahead. Because most of the malware’s infrastructure was located in France, Avast contacted French police. After receiving the go-ahead from prosecutors in July, the police went ahead with the operation to take control of the server and disinfect affected computers.
The French police called the botnet “one of the largest networks” of hijacked computers in the world.
The operation worked by secretly obtaining a snapshot of the malware’s command and control server with cooperation from its web host. The researchers said they had to work carefully so as not to be noticed by the malware operators, fearing the malware operators could retaliate.
“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” the security company said. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”
With a copy of the malicious command and control server in hand, the researchers built their own replica, which disinfected victim computers instead of causing infections.
“[The police] replaced the malicious [command and control] server with a prepared disinfection server that made connected instances of Retadup self-destruct,” said Avast in a blog post. “In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the protocol design flaw.”
In doing so, the company was able to stop the malware from operating and remove the malicious code from over 850,000 infected computers.
Jean-Dominique Nollet, head of the French police’s cyber unit, said the malware operators generated several million euros worth of cryptocurrency.
Remotely shutting down a malware botnet is a rare achievement — but difficult to carry out.
Several years ago the U.S. government amended Rule 41, which now allows judges to issue search and seizure warrants outside of their jurisdiction. Many saw the move as an effort by the FBI to conduct remote hacking operations without being hindered by the locality of a judge’s jurisdiction. Critics argued it would set a dangerous precedent to hack into countless computers on a single warrant from a friendly judge.
Since then the amended rule has been used to dismantle at least one major malware operation, the so-called Joanap botnet, linked to hackers working for the North Korean regime.
There’s no doubt that Apple’s self-polished reputation for privacy and security has taken a bit of a battering recently.
On the security front, Google researchers just disclosed a major flaw in the iPhone, finding a number of malicious websites that could hack into a victim’s device by exploiting a set of previously undisclosed software bugs. When visited, the sites infected iPhones with an implant designed to harvest personal data — such as location, contacts and messages.
As flaws go, it looks like a very bad one. And when security fails so spectacularly, all those shiny privacy promises naturally go straight out the window.
And while that particular cold-sweat-inducing iPhone security snafu has now been patched, it does raise questions about what else might be lurking out there. More broadly, it also tests the generally held assumption that iPhones are superior to Android devices when it comes to security.
Are we really so sure that thesis holds?
But imagine for a second you could unlink security considerations and purely focus on privacy. Wouldn’t Apple have a robust claim there?
On the surface, the notion of Apple having a stronger claim to privacy versus Google — an adtech giant that makes its money by pervasively profiling internet users, whereas Apple sells premium hardware and services (including essentially now ‘privacy as a service’) — seems a safe (or, well, safer) assumption. Or at least, until iOS security fails spectacularly and leaks users’ privacy anyway. Then of course affected iOS users can just kiss their privacy goodbye. That’s why this is a thought experiment.
But even directly on privacy, Apple is running into problems, too.
To wit: Siri, its nearly decade-old voice assistant technology, now sits under a penetrating spotlight — having been revealed to contain a not-so-private ‘mechanical turk’ layer of actual humans paid to listen to the stuff people tell it. (Or indeed the personal stuff Siri accidentally records.)
The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.
Apple has sent out invites confirming rumors that its next major press event will happen on September 10. The event is expected to focus on the iPhone 11, unveiling three different models — the standard 11, as well as two Pro options.
If this happens, it would mark a subtle-but-significant shift in the way Apple structures its phone lineup. With a lower-priced flagship replacing the budget XR, the company could appeal to consumers who’ve been turned off by the rising prices for higher-end options.
In the event that California’s Assembly Bill 5 passes — forcing Uber and Lyft to make their drivers W-2 employees — each company is putting in $30 million to fund a 2020 ballot initiative that would enable them to keep their drivers as independent contractors.
Anyone wondering if Alphabet might reprimand its chief legal officer David Drummond for a long-ago extramarital affair with a former subordinate (which recently resurfaced in a much-discussed blog post), the answer seems to be . . . not right now.
Most new TVs come with a bunch of random junk turned on by default; things like motion smoothing that makes epic movies look like soap operas, or noise reduction that can wash out details and make an actor’s skin look cyborg-y. With Filmmaker Mode, you’ll be able to push a button and all that crap gets turned off.
Slowly but surely, Nike has made its self-lacing motor technology more accessible. The next step: Bringing the tech to its Huarache line next month.
To put it succinctly, Andela is a startup — backed by $180 million in venture capital — that trains and connects African software developers to global companies for a fee. (Extra Crunch membership required.)
Benioff is coming to TechCrunch Disrupt in San Francisco to discuss how to build a highly successful business while giving back to the community.
Google said it will pay security researchers who find “verifiably and unambiguous evidence” of data abuse using its platforms.
It’s part of the company’s efforts to catch those who misuse user data collected through Android apps or Chrome extensions — and to avoid its own version of a scandal like Cambridge Analytica, which saw millions of Facebook profiles scraped and used to identify undecided voters during the U.S. presidential election in 2016.
Google said anyone who identifies “situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent” is eligible for its expanded data abuse bug bounty.
“If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store,” read a blog post. “In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed.” The company said abuse of its developer APIs would also fall under the scope of the bug bounty.
Google said it isn’t providing a reward table yet but a single report of data misuse could net $50,000 in bounties.
News of the expanded bounty comes in the wake of the DataSpii scandal, which saw browser extensions scrape and share data from millions of users. These Chrome extensions uploaded web addresses and webpage titles of every site a user visited, exposing sensitive data like tax returns, patient data, and travel itineraries.
Google was forced to step in and suspend the offending Chrome extensions.
Instagram recently expanded its own bug bounty to include misused user data following a spate of data incidents,
It’s back-to-school season, and we’ve lined up a special Extra Crunch promotion for students. We are offering students a special subscription rate of $50 per year (regular price: $150) with similar discounts for international members. All you have to do is send an email using your school address to email@example.com and our founder success team will get you all squared away. We also offer volume discounts for student groups.
It seems like every week there is a well-funded team launching another new direct-to-consumer (D2C) brand. From mattresses to pet treats, digital-native vertical brands are seeing peak attention and funding from both founders and VCs. Part of the reason for all that attention is that it has never been easier to use the tools of the internet to build these brands from the ground up, opening up formerly closed markets.
Ecommerce consultancy VMG Ignite’s Matt Altman and Tyler Elliston discuss their framework for using Amazon as a commerce platform with Facebook ads to build a new D2C brand. It’s a deep and lengthy piece filled with actionable insights that can really help jumpstart your new product or category, or at the very least, give you insight into how many of these modern brands come into being.
3. Product display ads (Limited to Amazon advertising console users only)
PDAs live on each product page below the buy box and a few other spaces on the product page. These ads can be used in a variety of ways since they allow up to a 50 character headline and a logo.
Three great ways to use them are for defense, frequently bought together, and competitor targeting.
– Defense – You can buy placements on your own product pages to keep competitors off your listings. These are great to keep customers focused on buying your product since there are several ads featured on each product page.
– Frequently bought together (FBT) – This is a great opportunity most sellers don’t take advantage of. On every product page, there is an unpaid placement of items that are FBT. With the click of a button, all of these items will be added to your cart and it takes very few actual sales to claim these positions. FBT can be used to target your own products to increase basket size or complementary products to drive incremental sales from future placements on product pages.
– Competitor targeting – You can also target competitor ASINs (Amazon Standard Identification Number) to be the last ad a person sees before adding a competitor’s product to their cart. Make sure to use your 50 character headline to call out why your product is the better choice. Bonus Tip: Add coupons to the products you feature in these ads to grab attention and increase click-through.
Microsoft just sent out invites for its next big event. Set for October 2 in New York, the unveiling comes exactly a year after the company’s last major Surface hardware launch. The timing is certainly right for one last major product push ahead of the holidays, as well.
Last year’s big event featured the launch of the Surface Pro 6 hybrid, Surface Studio 2, some software announcements and the launch of the Surface Headphone line. There are plenty of entries in Microsoft’s line that are due for a refresh, including Surface laptop and miniature Surface Go tablet.
The company also likes to launch at least one new product line at these things. As The Verge notes, the company’s long-rumored dual-screen tablet certainly seems overripe at this point, with at least two years of product research under its belt.
The above save the date invite, which was sent out to reporters today, subtly alludes to the inclusion of several convertible form factors, while paying homage to the Windows 10 logo.
Online education startup Udacity has hired former LendingTree executive Gabriel Dalporto as its new CEO, an appointment that follows months of layoffs and a restructuring directed by the company’s co-founder and executive chairman Sebastian Thrun.
Dalporto comes to Udacity after seven years at LendingTree, where he served in numerous positions, including chief marketing officer and chief financial officer. Dalporto stepped down as CFO in 2017 to join the company’s board and become executive advisor to the CEO. Dalporto left the executive advisor job in 2018, but remains on the board.
Thrun, who stepped in as CEO after Vishal Makhijani left the top post in October 2018, will stay on as executive chairman.
“He’s extremely strategic and pragmatic,” Thrun said in a recent interview, describing Dalporto.
Dalporto is known for his turnaround skills. But the new CEO says his focus at Udacity won’t be slashing costs and other activities often associated with that skill set.
“I was hired as a growth executive; I was not hired to be a turnaround executive,” Dalporto told TechCrunch.
Dalporto isn’t ready to provide details of his plans as CEO. Monday is his first day at the startup. But he will likely focus on growth areas such as the startup’s enterprise and government programs, as well as retaining and recapturing students into the Udacity ecosystem. Udacity’s enterprise clients include AT&T, Airbus, Audi, BMW, Capital One, Cisco and the Royal Bank of Scotland. It also has government relationships with Australia, the MENA region and New Zealand.
Dalporto is coming into a startup that is leaner and more productive, in terms of launching new nanodegrees, than it was a year ago. It’s also cash-flow positive, according to Thrun, who has spent 2019 revamping the company.
When Thrun took over the CEO post, he found a company that had grown too quickly and was burdened by its own bureaucracy. Udacity, which specializes in “nanodegrees” on a range of technical subjects that include AI, deep learning, digital marketing, VR and computer vision, was struggling because of runaway costs and other inefficiencies. Its nanodegree programs, which had grown in 2017, became sluggish in 2018.
Staff reductions soon followed as Thrun sought to get a handle on costs. About 130 people were laid off and other open positions were left vacant. Thrun then cut further in April. About 20% of the staff was laid off and operations were restructured in an effort to bring costs in line with revenue without curbing growth. The company streamlined its marketing efforts and downsized and consolidated office space. As of April, the startup employs 300 full-time equivalent employees and about 60 contractors.
Other changes included the launch of a global technical mentoring program, switching its direct-to-student business from fixed to monthly subscription pricing to incentivize individuals to move through courses faster. Lalit Singh, who joined Udacity in February as chief operating officer, has been critical to the turnaround, according to Thrun.
Its productivity has also improved. In the first six months of 2019, Udacity launched 12 new nanodegree programs compared to just 8 in all of 2018.
“In the three months since we’ve initiated these changes, the consumer business has grown by more than 60%,” Thrun wrote in a blog post Monday announcing the changes.
Udacity’s enterprise and government programs have also grown, with bookings increasing by more than 100% year over year.
Hostinger said it has reset user passwords as a “precautionary measure” after it detected unauthorized access to a database containing information on millions of its customers.
The breach is said to have happened on Thursday. The company said in a blog post it received an alert that one of its servers was improperly accessed. Using an access token found on the server, which can give access to systems without needing a username or a password, the hacker gained further access to the company’s systems, including an API database containing customer usernames, email addresses, and scrambled passwords. It’s not known which kind of hashing algorithm was used. Depending on the algorithm used, an attacker may be able to unscramble user passwords.
Hostinger said the API database stored about 14 million customer records. The company has more than 29 million customers on its books.
“We have restricted the vulnerable system, and such access is no longer available,” said Daugirdas Jankus, Hostinger’s chief marketing officer.
“We are in contact with the respective authorities,” said Jankus.
News of the breach broke overnight. According to the company’s status page, affected customers have already received an email to reset their passwords.
The company said that financial data was not compromised, nor were customer website files or data affected.
But one customer who was affected by the breach accused the company of being potentially “misleading” about the scope of the breach.
A chat log seen by TechCrunch shows a customer support representative telling the customer it was “correct” that customers’ financial data can be retrieved by the API but that the company does “not store any payment data.” Hostinger uses multiple payment processors, the representative told the customer, but did not name them.
“They say they do not store payment details locally, but they have an API that can pull this information from the payment processor and the attacker had access to it,” the customer told TechCrunch.
We’ve reached out to Hostinger for more, but a spokesperson didn’t immediately comment when reached by TechCrunch.
The rumors have been suggesting it for a while now, and fans have been pretty much begging for it… and it’s happening: Ewan McGregor will return to the role of Obi-Wan for a new Disney+ series.
Disney dropped the news at a panel during D23 this evening, almost immediately after premiering the trailer for its other live action Star Wars series, The Mandalorian.
Details are still remarkably light. There’s not even an official name for the series yet. Beyond McGregor’s involvement, the only details mentioned are that the scripts are written, and that shooting should begin in 2020.
The UK’s health data watchdog, the National Data Guardian (NDG), has published correspondence between her office and the national privacy watchdog which informed the ICO’s finding in 2017 that a data-sharing arrangement between an NHS Trust and Google-owned DeepMind broke the law.
The exchange was published following a Freedom of Information request by TechCrunch.
In fall 2015 the Royal Free NHS Trust and DeepMind signed a data-sharing agreement which saw the medical records of 1.6 million people quietly passed to the AI company without patients being asked for their consent.
The scope of the data-sharing arrangement — ostensibly to develop a clinical task management app — was only brought to light by investigative journalism. That then triggered regulatory scrutiny — and the eventual finding by the ICO that there was no legal basis for the data to have been transferred in the first place.
Despite that, the app in question, Streams — which does not (currently) contain any AI but uses an NHS algorithm for detecting acute kidney injury — has continued being used in NHS hospitals.
DeepMind has also since announced it plans to transfer its health division to Google. Although — to our knowledge — no NHS trusts have yet signed new contracts for Streams with the ad giant.
In parallel with releasing her historical correspondence with the ICO, Dame Fiona Caldicott, the NDG, has written a blog post in which she articulates a clear regulatory position that the “reasonable expectations” of patients must govern non-direct care uses for people’s health data — rather than healthcare providers relying on whether doctors think developing such and such an app is a great idea.
The ICO had asked for guidance from the NDG on how to apply the common law duty of confidentiality, as part of its investigation into the Royal Free NHS Trust’s data-sharing arrangement with DeepMind for Streams.
In a subsequent audit of Streams that was required by the regulator, the trust’s law firm, Linklaters, argued that a call on whether a duty of confidentiality has been breached should be judged from the point of view of the clinician’s conscience, rather than the patient’s reasonable expectations.
Caldicott writes that she firmly disagrees with that “key argument”.
“It is my firm view that it is the patient’s perspective that is most important when judgements are being made about the use of their confidential information. My letter to the Information Commissioner sets out my thoughts on this matter in some detail,” she says, impressing the need for healthcare innovation to respect the trust and confidence of patients and the public.
“I do champion innovative technologies and new treatments that are powered by data. The mainstreaming of emerging fields such as genomics and artificial intelligence offer much promise and will change the face of medicine for patients and health professionals immeasurably… But my belief in innovation is coupled with an equally strong belief that these advancements must be introduced in a way that respects people’s confidentiality and delivers no surprises about how their data is used. In other words, the public’s reasonable expectations must be met.”
“Patients’ reasonable expectations are the touchstone of the common law duty of confidence,” she adds. “Providers who are introducing new, data-driven technologies, or partnering with third parties to help develop and test them, have called for clearer guidance about respecting data protection and confidentiality. I intend to work with the Information Commissioner and others to improve the advice available so that innovation can be undertaken safely: in compliance with the common law and the reasonable expectations of patients.
“The National Data Guardian is currently supporting the Health Research Authority in clarifying and updating guidance on the lawful use of patient data in the development of healthcare technologies.”
We reached out to the Royal Free NHS Trust and DeepMind for comment on the NDG’s opinion. At the time of writing neither had responded.
In parallel, Bloomberg reported this week that DeepMind co-founder, Mustafa Suleyman, is currently on leave from the company. (Suleyman has since tweeted that the break is temporary and for “personal” reasons, to “recharge”, and that he’s “looking forward to being back in the saddle at DeepMind soon”.)
The AI research company recently touted what it couched as a ‘breakthrough’ in predictive healthcare — saying it had developed an AI model for predicting the same condition that the Streams app is intended to alert for. Although the model was built using US data from the Department of Veterans Affairs which skews overwhelmingly male.
As we wrote at the time, the episode underscores the potential value locked up in NHS data — which offers population-level clinical data that the NHS could use to develop AI models of its own. Indeed, a 2017 government-commissioned review of the life sciences sector called for a strategy to “capture for the UK the value in algorithms generated using NHS data”.
The UK government is also now pushing a ‘tech-first’ approach to NHS service delivery.
Earlier this month the government announced it’s rerouting £250M in public funds for the NHS to set up an artificial intelligence lab that will work to expand the use of AI technologies within the service.
Last fall health secretary, Matt Hancock, set out his tech-first vision of future healthcare provision — saying he wanted “healthtech” apps and services to support “preventative, predictive and personalised care”.
So there are certainly growing opportunities for developing digital healthcare solutions to support the UK’s National Health Service.
As well as — now — clearer regulatory guidance that app development that wants to be informed by patient data must first win the trust and confidence of the people it hopes to serve.