Month: September 2017

Enlarge

A software package update for a Windows utility product distributed by antivirus vendor Avast has been spreading an unsavory surprise: a malware package that could allow affected computers to be remotely accessed or controlled with what appears to be a legitimate signing certificate. The malware, which was distributed through the update server for the Windows cleanup utility CCleaner, was apparently inserted by an attacker who compromised the software "supply chain" of Piriform, which was acquired by Avast in July. There have been more than 2 billion downloads of CCleaner worldwide, so the potential impact of the malware is huge.

Software updates are increasingly being targeted by distributors of malware, because they provide a virtually unchecked path to infect millions—or even billions—of computers. A compromised software update server for Ukraine software vendor M.E.Doc was used to distribute the NotPetya ransomware attack in July. "Watering hole" attacks, such as the ones used against Facebook, Apple, and Twitter four years ago, are often used to compromise the computers used by software developers. When successful, they can give malware authors what amounts to the keys to the software developer's kingdom—their compilation tools and signing certificates, as well as access to their workflow for software updates.

In a blog post this morning, Cisco Talos Intelligence's Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams reported that Talos had detected the malware during beta testing of a new exploit-detection technology. The malware was part of the signed installer for CCleaner v5.3 and included code that called back to a command-and-control server as well as a domain-generation algorithm intended to find a new C&C server if the hard-coded IP address of the primary server was lost. Copies of the malicious software installer were distributed to CCleaner users between August 15 and September 12, 2017, using a valid certificate issued to Piriform Ltd by Symantec.

TheNorwegian

After bringing the Google Assistant to third-party speakers, Google has been slowly gearing up to bring the Assistant to another sound-producing device: headphones. While, officially, Google hasn't made a peep about the project, inside the Google App there have been references to a new "Bisto" device type: a pair of headphones with the Google Assistant built in. Partners apparently aren't waiting for Google's announcement, as one of the first Google Assistant headphones, the Bose QuietComfort 35 II, is already showing up at Best Buy.

The functionality of "Google Assistant headphones" seems to be about what you would expect: the same Google Assistant commands you get on Google Home or on a phone but strapped to your head. Users can issue commands, ask questions, send text messages by voice, make phone calls, and access third-party voice apps via the headphones.

Enlarge / Hurricane Jose will soon begin to feel the effects of cooler water. (credit: NOAA)

This year, the Atlantic tropics are reminding the United States and Caribbean Islands how brutal September can be when it comes to hurricanes. Perhaps coastal residents have forgotten, as the Atlantic tropics have slumbered in recent Septembers, according to a widely used metric that calculates the total energy of storms during their lifetimes—Accumulated Cyclone Energy.

The Atlantic basin's combined Accumulated Cyclone Energy for the last four Septembers, from 2013 to 2016, was lower than it had been over a four-year period since 1911 to 1914, according to Phil Klotzbach, a hurricane scientist at Colorado State University. This year it has been among the ten most potent. This is also just the ninth year on record with seven or more hurricanes by September 17 in the last century and a half.

So it's busy out there. And for some people, more pain lies ahead. Here's a look at the threats posed by hurricanes Jose and Maria.

Enlarge / The Waymo self-driving car prototype. (credit: Waymo)

After receiving a report with a trove of details critical to their case, Waymo lawyers have asked to delay their impending trial against Uber.

The motion (PDF), filed Saturday afternoon, says that Waymo lawyers need more time to sift through the "due diligence" report and the related communications and documents, which are only now being produced.

"With so much material only now seeing the light of day, Waymo would be unfairly prejudiced if the trial proceeds as initially scheduled on October 10 without additional time to pursue this mountain of new evidence," Waymo attorneys write in the motion. "The evidence Uber and Ottomotto attempted to shield from discovery goes to the heart of the case."

I'm not a fan of SUVs. I think they're big and cumbersome. They hog the road and barely squeeze down narrow roads. They consume too much fuel, they're not much fun to drive, and of course they cost much more than something sensible like a hatchback.

But then I climb up into the new Land Rover Range Rover Velar, sit down on my plush leather throne, push the start button, and all of those concerns just melt away. Maybe that's why SUVs are so popular right now; perhaps there are millions of people out there who hate SUVs until they actually sit in one.