STE WILLIAMS

Cisco drops a cool $2.3 billion on SaaSy outfit Duo Security

Cisco has announced plans to buy privately held authentication firm Duo Security for $2.35bn (£1.80bn).


The Michigan firm markets unified access security and multi-factor authentication delivered through the cloud. The technology is designed to verify the identity of users and the cyber hygiene of their devices before granting them access to applications.

Under the terms of the agreement, Cisco will pay $2.35bn in cash and assumed equity awards for Duo Security’s outstanding stocks and shares.

Switchzilla plans to integrate Cisco’s network, device and cloud security platforms with Duo Security’s zero-trust authentication and access products to bolster application and network security. This integration will “enable our customers to address the complexity and challenges that stem from multi- and hybrid-cloud environments,” according to David Goeckeler, executive vice president and general manager of Cisco’s networking and security business.

Cisco already provides on-premises network access control via its Identity Services Engine (ISE) product. Duo’s software-as-a-service (SaaS) offering will be integrated with ISE, extending it to cloud-delivered application access control.

In addition, Duo’s tech will add trusted identity awareness into Cisco’s Secure Internet Gateway, Cloud Access Security Broker, Enterprise Mobility Management, and several other cloud-delivered products.

This is about security for multi-cloud environments that goes beyond your brother’s BYOD. It’s about securing access for “all users, with any device, connecting to any application, on any network” – it’s trying to be the Martini Rosso of network security tech.1

The acquisition is expected to close during the first quarter of Cisco’s fiscal year 2019, subject to customary closing conditions and required regulatory approvals. Duo Security, which will continue to be led by Dug Song, will join Cisco’s networking and security business led by EVP and GM Goeckeler.

Cisco is, of course, no stranger to security acquisitions. Previous borg buys have included OpenDNS (June 2015) and Sourcefire (July 2013), among several others. ®

Vermouth note

1 Martini Rosso was promoted in aspirational 1980s TV ads as the drink you could have any time, any place, anywhere.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/cisco_duo/

How GDPR Could Turn Privileged Insiders into Bribery Targets

Regulatory penalties that exceed the cost of an extortion payout may lead to a new form of ransomware. These four steps can keep you from falling into that trap.

Businesses have gone to extreme lengths to become ready for the EU’s General Data Protection Regulation (GDPR). Some have flooded in-boxes with opt-in requests. Others have swarmed mobile screens with pop-ups that users are forced to click through. There has been no shortage of website banners that consumers have been required to acknowledge.

Estimates from a Forbes article show that Fortune 500 companies have invested as much as $9 billion to achieve compliance. Other analyst firms and research groups estimate that readiness spending varies between $4 million and $25 million per business, depending on size.

Despite all of these efforts, early indications show that organizations still aren’t compliant: on the law’s first day, complaints were filed against Google and Facebook seeking more than $9 billion in penalties. Some major news outlets, including the Los Angeles Times, blocked EU visitors rather than comply. UK officials are warning that 5.7 million small businesses there may be in violation of the law.

News outlets have published thousands of stories about GDPR unreadiness. It’s hard to imagine that there is anything new to read about. There is. It’s the reality of how criminals are going to use the size of GDPR fines to successfully bribe IT workers, with privileged users being their primary targets. A privileged user is an employee, contractor, or partner with access to almost every corner of the corporate network. Edward Snowden is one of the most notable examples of what happens when a privileged user goes rogue. Why is this class of insider going to become a bribery problem? Great question — read on …

GDPR mandates hefty penalties for companies that fail to protect personal data, and a breach is the most visible such failure. Penalties can reach as high as 4% of a violator’s global annual turnover or €20 million, whichever is higher. (Remember, Google and Facebook are already facing complaints seeking $9 billion in penalties.) This means that in many cases, penalties will far outweigh the actual cost of a breach, which criminals know.

Rather than auction stolen data to fellow crooks for pennies, or encrypt it and demand a ransom to decrypt it, criminals will start to ransom stolen data back to the organizations they heist it from in exchange for not exposing it publicly. The extortion price will be substantially higher than what could be earned on the Dark Web but significantly lower than an actual GDPR fine. Paying extortion may create an ethical dilemma for companies, but it will make smart business sense because it will be much lower than the financial penalties.

Bribing Insiders
Privileged insiders are central to this scenario. Cybercriminals will be motivated to bribe them, as holders of the kingdom’s keys, into giving up their credentials. Once criminals have hold of these, they will have an opportunity to earn payouts way beyond anything ever seen in the past.

Bribing insiders will only get easier. According to Ian Thornton-Trump, cyber vulnerability and threat-hunting lead at Ladbrokes Coral Group, writing in Tripwire, GDPR privacy regulations will actually shield criminals’ operations in some cases. Other studies have shown that employees are willing to sell passwords. The promise of a reduced risk of getting caught combined with getting a piece of a substantial extortion payment may be more than many people can resist. Luckily, there are steps that organizations can take to avoid falling into this trap. Here are four:

Step 1: Visibility. Privileged users have greater and deeper access to organizations’ IT assets and data than anyone else. They also tend to be the savviest when it comes to understanding how systems work and, especially, how security controls and policies can be circumvented. Five years ago this month, The Guardian broke the story about the National Security Agency’s powerful surveillance programs based on top-secret information supplied by Edward Snowden. It was eventually proven that Snowden used his technical expertise to avoid detection as he moved deeper and deeper into the agency’s systems. Businesses that want to avoid becoming victims of GDPR-era Snowdens need to keep an eye out for what their privileged users are doing, both on and off the network.

Step 2: Alerts. Organizations need to have an early-warning system in place. Forensic investigations add value, but they follow incidents. To stop privileged users who may decide to go rogue before it’s too late, businesses need tools that sound alarms when suspicious behaviors occur. There are some caveats. Many times, alarms end up being false positives. Effective early warnings must be powered by technologies that understand behavioral context and that know the difference between what’s normal and what’s not.

Step 3: Communicate. In the modern global enterprise, thousands of employees are spread across as many business units. Distributed employees include privileged users. Anyone with a stake in security and compliance within their organizations should work with HR and other divisions to understand how many privileged users there are, what they are responsible for, and how they are accessing data.

Step 4: Account. Knowing who and where privileged users are is only a first step. Organizations also need to know how many privileged user accounts they have and how they are being protected. In a recent survey published by privileged account security provider Thycotic, up to 70% of respondents admitted they fail to fully discover privileged user accounts.

In most businesses, the vast majority of privileged users would never even think about cooperating with cybercriminals. Most are trusted, well-intentioned individuals who recognize the importance and sensitivity of the role they fill. The sad reality, though, is that there are some who will opt for a weighty payout. Security and compliance professionals need to be ready to defend against this scenario.


Mark Coates is vice president of EMEA for Dtex Systems. Mark is a seasoned leader with many years of experience in developing new markets, building high performance teams, and in helping global organizations to overcome cybersecurity and insider threat challenges. Prior to …

Article source: https://www.darkreading.com/endpoint/how-gdpr-could-turn-privileged-insiders-into-bribery-targets-/a/d-id/1332406?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Drink this potion, Linux kernel, and tomorrow you’ll wake up with a WireGuard VPN driver

The developer of WireGuard has laid the groundwork for pouring his open-source privacy tool directly into the Linux kernel in hope of making secure communications easier to deploy and manage.

Jason Donenfeld, creator of WireGuard and the founder of Edge Security, on Tuesday submitted a proposed set of patches to the Linux kernel project to integrate the secure VPN tunnel software as an official network driver. The code is now awaiting review by the kernel maintainers. Initially released as an out-of-tree kernel module for Linux, which is still how it is distributed today, WireGuard is also available for Android, macOS, Windows, and other platforms.

“Even as an out-of-tree module, WireGuard has been integrated into various userspace tools, Linux distributions, mobile phones, and data centers,” said Donenfeld in the notes accompanying his patches. “There are ports in several languages to several operating systems, and even commercial hardware and services sold integrating WireGuard. It is time, therefore, for WireGuard to be properly integrated into Linux.”

WireGuard was developed as an alternative to secure tunneling protocols like IPsec and OpenVPN. Donenfeld has described these as “overwhelmingly difficult.” WireGuard, at just under 4,000 lines of code, aspires to be simpler and more easily audited.

Compare that to 100,000 lines of code for OpenVPN, which also requires OpenSSL, another 500,000 lines of code. Or consider Linux XFRM, an IPsec implementation that spans about 13,000 lines of code and may be used alongside StrongSwan for the key exchange, which runs about 400,000 lines of code.

Under the hood

WireGuard operates at layer 3, the network layer, in the OSI networking model. It uses Curve25519 for key exchange, BLAKE2s for hashing, and ChaCha20 with Poly1305 (the ChaCha20Poly1305 AEAD) to encrypt and authenticate packets – full details can be found in the WireGuard paper [PDF].

Instead of the complexity of IPsec and XFRM, WireGuard presents a virtual interface – wg0 – that can be configured using familiar networking utilities like ip(8) and ifconfig(8). After generating a private key for the interface and giving each peer the other side’s public key plus an allowed IP range, WireGuard should just work: an incoming packet is accepted only if it decrypts under a known peer’s key, and only if its source address falls inside that peer’s allowed IPs.
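To make “private key and public keys” concrete, the block below is an added example, not WireGuard’s or wireguard-tools’ code, of the Curve25519 key agreement (X25519, RFC 7748) those keys feed into, written in pure Python with only the standard library. It generates a clamped 32-byte private key (what wg genkey emits), derives the public key (what wg pubkey emits), base64-encodes both the way wireguard-tools prints them, and shows that two peers who hold only each other’s public keys compute the same 32-byte secret; the known-answer check uses the RFC 7748 section 6.1 test vectors, and the function names are the example’s own. Its conditional swaps branch on secret bits, so it is not constant-time and is for understanding only; the real handshake goes on to mix several such DH outputs through a Noise-style key schedule built on BLAKE2s, which this stops short of.

```python
# Added example, not WireGuard's own code: X25519 (Curve25519 Diffie-Hellman,
# RFC 7748) from scratch with only the standard library, to show what a
# WireGuard key pair is and why a peer only needs the other side's public key.
# NOT constant-time: the swaps below branch on secret bits. Understanding only.
import base64
import os

P = 2**255 - 19                       # the field prime
A24 = 121665                          # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT = b"\x09" + b"\x00" * 31    # generator u = 9


def clamp(sk: bytes) -> bytes:
    """RFC 7748 scalar clamping; `wg genkey` already emits keys in this form."""
    k = bytearray(sk)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127                      # the top bit of a u-coordinate is ignored
    return int.from_bytes(b, "little")


def x25519(sk: bytes, u: bytes) -> bytes:
    """Montgomery ladder of RFC 7748 section 5: the u-coordinate of sk * u."""
    k = int.from_bytes(clamp(sk), "little")
    x1 = _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # conditional swap (branching, see header note)
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(sk: bytes) -> bytes:
    """What `wg pubkey` computes: the private scalar times the base point."""
    return x25519(sk, BASEPOINT)


def generate_keypair():
    """32 random bytes, clamped: what `wg genkey` produces."""
    sk = clamp(os.urandom(32))
    return sk, public_key(sk)


def wg_encode(key: bytes) -> str:
    """wireguard-tools prints keys as base64 of the raw 32 bytes (44 characters)."""
    return base64.b64encode(key).decode("ascii")


def wg_decode(text: str) -> bytes:
    key = base64.b64decode(text)
    if len(key) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return key


def shared_secret(my_sk: bytes, peer_pk: bytes) -> bytes:
    """The DH output both peers compute; the Noise handshake mixes several of these."""
    return x25519(my_sk, peer_pk)


def rfc7748_known_answer() -> bool:
    """Section 6.1 test vectors of RFC 7748 (Alice and Bob)."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    pk_a = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    pk_b = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
    k = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    return (public_key(a) == pk_a and public_key(b) == pk_b
            and shared_secret(a, pk_b) == k and shared_secret(b, pk_a) == k)


if __name__ == "__main__":
    sk, pk = generate_keypair()
    print("PrivateKey =", wg_encode(sk))   # belongs in this host's [Interface] section
    print("PublicKey  =", wg_encode(pk))   # belongs in the other peer's [Peer] section
```

The printed lines are in the form wg-quick’s configuration file expects; the private key never leaves the host, and the 44-character public key is the only thing a peer needs to be told.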

“This is in a sense sort of blasphemous,” said Donenfeld in late 2016 during a Code Blue Conference presentation about the technology, “because in achieving this simplicity we’ve done away with all the academically pure layering assumptions.”

It’s not quite heresy: WireGuard’s handshake protocol has been formally verified. But the kernel code is still characterized as a work-in-progress and ships with a to-do list.

Setting up your own VPN node is considered by many security experts to be preferable to free or commercial options, some of which have been known to leak information and to sell your browsing histories and private data to partners.

Other attempts to make secure communication more accessible have made progress as well. Noteworthy efforts include Trail of Bits’ Algo (which now supports WireGuard), Jigsaw’s Outline and Streisand (which also supports WireGuard). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/linux_kernel_wireguard/

Cache of the Titans: Let’s take a closer look at Google’s own two-factor security keys

Analysis: Intriguing news for anyone who believes that FIDO two-factor authentication keys are the obvious, if underused, way to stop phishing attacks – Google is launching its own authentication token.

Called the Titan Security Key (not to be confused with Google’s Titan security chip), its announcement at Google’s Cloud Next 2018 conference in July may explain why the web giant was keen some days ago to boast that its 85,000 employees have not suffered a single successful account takeover since the company mandated the use of these keys in early 2017.

When Google bragged that factoid, it seemed more likely than not that the keys in question were Yubikeys, simply because the company that makes them, Yubico, has mentioned how many Google has bought from it in recent years. Now it appears as if some or even many of those keys were Google’s Titans, which wouldn’t be entirely surprising given that Google (along with Yubico) was instrumental in pushing the industry’s FIDO Alliance and co-developing the protocols – such as U2F – that underpin their use.

From the product images, it appears that there are two versions: one designed to plug into a USB port and a second for mobile users which works via Bluetooth.

The Titan can also be used to authenticate on other sites supporting FIDO U2F tokens such as GitHub, Facebook, Dropbox, various password managers, and a selection of others.

Google Cloud customers can get their hands on one now, with everyone else able to buy them for about $20 (£15) from the Google online store in most countries “soon”.

The good bit

FIDO U2F authentication tokens have been around for years and yet from anecdotal evidence (Amazon sales numbers, Google’s own estimate of its users), few beyond a small number of business sectors use them.

They should be an easy sell: the key signs a challenge that is bound to the origin of the site requesting it, so a phishing page on a look-alike domain gets a signature that is useless on the real site. That means attackers cannot take over an account without physical access to the key, even if they have somehow phished the user’s password.

One reason is that they are still surprisingly expensive, particularly outside the US. For example, for most of this year on Amazon UK, the Yubikey has been sold as an import for up to £30 ($40), which is a lot to ask someone to pay for something whose benefits they possibly don’t understand.

That’s the other glaring issue – barely anyone has heard of these tokens, a reflection of the fact that nobody with a big enough marketing budget has taken the time to tell them.

If that was ever going to change it was Google that was going to do it. It helped develop the technology after all, and has the resources to promote them to a wider audience.

From launch the USB Titan will cost around $20-$25, or both keys for $50. Not terribly enticing perhaps but with Google in the game sales volumes will rise and unit costs fall.

Yubikey maker Yubico now has competition from one of the biggest companies on Earth, which prompted a blog post from Yubico taking issue with Google’s decision to base the wireless key on Bluetooth rather than NFC.

“Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” wrote CEO Stina Ehrensvard.

That design decision boosts compatibility with mobile devices, not all of which have NFC, but comes with the disadvantage that, “BLE does not provide the security assurance levels of NFC and USB and requires batteries and pairing that offer a poor user experience.”

It’s also true that Yubico’s NFC product, the NEO, is expensive at $50 (or £50), which might be why it’s rarer than a unicorn amongst consumers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/google_titan_security_key/

Do you work in a regulated industry?

Study: Dealing with regulated data and applying strict controls to ensure compliance is life as usual in many industries.

If you work in a highly regulated sector, though, things are not quite as straightforward as they used to be. Those old silos of controlled data – the big-iron document management systems of yesteryear, for example – don’t sit well in today’s collaboration-centric work environments. Professional staff routinely involved in research, analysis, planning, management and/or authoring activities often need to work with regulated and confidential material alongside non-sensitive information. At the same time they need/want to share information both internally and externally.

The potential for things to go wrong is obvious.

Against this background, we are interested in the views of anyone working in a more regulated environment on how information needs are evolving, the kinds of challenges and opportunities that are emerging, and how well traditional systems are keeping up with demands and expectations.

Is this something you can help us with?



Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/do_you_work_in_a_regulated_industry/

UK.gov ploughs cash into creaky police technology

The British government has sunk £100m into efforts to link up cops’ IT systems, boost resource-sharing and develop digital forensics.

The UK’s police forces have been battling to improve outdated systems for years. Multiple annual reports into the state of policing have concluded that cops lag far behind in their use of tech, and that failure to fix this puts public safety at risk.

In a bid to address the problem, the Home Office launched a Police Transformation Fund in 2016, and this week announced the second phase of investment.


Most of the budget, some £70m for 2018-19, is for four national police-led programmes that address the lack of interoperability and collaboration within and between forces.

They include projects to create a unified IT system that encourages joined-up work across forces, which is led by the City of London force, and to improve resource sharing between forces in key areas like cyber crime, which is being led by the Metropolitan Police.

There is also cash for a single online hub where people can report low-level incidents, so police officers don’t have to spend time manually recording that information.

The final project is in a more controversial area, being aimed at boosting the use of biometrics and digital forensics. The police’s use of such technologies has come under fire from civil rights groups and the biometrics commissioner Paul Wiles.

In his latest annual report, Wiles voiced concerns that the police’s use of new biometric tech isn’t always organised or systemic, with a “worrying vacuum” in governance and lack of oversight.

The latest funding round also hands out £42.7m to 15 other projects over the two years 2018-19 and 2019-20.

A Met-led project to develop a national technical capability and infrastructure for law enforcement agencies rakes in the most, some £14.8m over the two years.

The National Crime Agency pulls in £6m for three projects, including £4m for a National Data Exploitation Centre, while the West Midlands won £4.5m to develop a national analytics solution.

The Police ICT Company has been awarded £1m for the 100-day foundation phase of its ICT transformation programme, while Derbyshire police were handed £4.8m for work on cyber crime.

The first phase of the overall programme, which ran from 2016-17 to 2017-18, awarded more than twice as much cash as has so far been announced in phase 2 – some £223m – to 98 projects. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/ukgov_ploughs_cash_into_creaky_police_tech/

New Zealand school on naughty step after ransomware failure

A Kiwi high school has learned the “don’t click on the link” lesson the hard way, with a ransomware attack locking down its students’ coursework.

The Hāwera High School is being asked for US$5,000 to unlock the ransomed files. According to New Zealand’s Taranaki Daily News, the attack didn’t affect staff or student records, and the school has disconnected its network while it works out what to do.

Because the school was in the process of migrating storage to the cloud, the attacker didn’t lock out everything, principal Rachel Williams told Radio New Zealand. She added that the school is conducting a full audit to work out what’s been lost.

The worst hit, she said, will be students in photography and some technology subjects, who were more likely to be storing their work locally.

The government’s school Internet provider N4L had already decided better protection is needed at a national level, and has announced security enhancements as part of an upgrade to be completed by October 2019.

Fortinet has landed the job of providing firewalls and content filtering for the upgrade, with N4L taking on administration of the kit as a managed service. The upgrade will cover all 2,450 schools and 800,000 students in New Zealand.

New Zealand’s Fairfax outlet Stuff reported that, as well as the country’s education ministry, the school is getting help from the New Zealand Qualifications Authority in auditing what’s been lost. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/new_zealand_school_hit_by_ransomware_scum/

Oooooh! Fashion! Yes, 1m-plus accounts on clothes, trinket websites exposed by lax security

Naff computer security at an e-commerce provider potentially exposed the details of more than a million unique accounts on British clothing and accessory shopping websites, infosec experts have confirmed.

Sub-optimal security at Fashion Nexus meant a white-hat hacker, Taylor Ralston, was able to access databases containing personal details of customers of various online fashion stores that used the e-commerce outfit’s technology.

And if he was able to spot the vulnerable data store, potentially anyone could have, too. The databases have since been hidden from sight, we’re told.

The exposed data included names, email addresses, IP addresses, physical addresses, phone numbers, password hashes (MD5 and SHA-1, both salted) and dates of birth. A salt defeats precomputed rainbow tables, but MD5 and SHA-1 are fast hashes, so each salted hash can still be brute-forced offline at billions of guesses per second; a deliberately slow password hash such as bcrypt, scrypt or Argon2 is the usual recommendation. Product orders also featured in the mix, mapped to customers and including addresses. There’s no evidence payment card information was at risk.

El Reg learned of the cockup via infosec veteran Graham Cluley, and confirmed details of what had been left open to access with Troy Hunt, the security researcher behind the haveibeenpwned.com notification website.

The Register approached White Room Solutions, the sister firm of Fashion Nexus, for comment. The company disputed the enormity of the blunder, and initially would not confirm which brands were affected before relenting and issuing this notice on Tuesday:

We can confirm that, on or around the 9th July 2018, a White Hat Hacker obtained access to one of our servers leading to the breach of several thousand customer records belonging to our clients. We will present a quantitative breakdown of those records in due course, however no payment information of any kind is recorded by Fashion Nexus Ltd or our clients, and therefore not compromised.

We would suggest that people change their passwords if they’ve been a customer of AX Paris (axparis.com), Granted London (grantedldn.com), Jaded London (jadedldn.com), ElleBelle Attire (ellebelleattire.com), or Traffic People (trafficpeople.co.uk).

Whilst DLSB (dlsb.co.uk) is named online, customer data was not taken from our server.

The breach was quickly identified and the vulnerability removed. The ICO has been informed…

The “several thousand” figure cited in the Fashion Nexus statement rather understates matters. Troy Hunt has seen the data, passed to him by the white hat, and has confirmed there are almost 1.3 million unique records in total. Of these 280,000 are perhaps test accounts of some sort. However, that still leaves close to a million unique email addresses and records that were at risk of theft.

“This breach was reported to our clients and the ICO [UK’s Information Commissioner’s Office] as soon as we found out and we are working with them to establish [the] fact[s] and, if required (and once we know the full facts), for our clients (as Data Controller) to contact those affected,” a representative of White Room Solutions told El Reg. ®

Bootnote

In the case of DLSB, aka Dirty Little Style Bitch – another Fashion Nexus customer mentioned in Cluley’s blog – we understand its database was not compromised but customer info did nonetheless leak due to SMTP config information left there by White Room.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/01/fashion_nexus_breach/

Holy ship! UK shipping biz Clarksons blames megahack on single point of pwnage

British shipping services firm Clarksons has revealed a high profile data breach last year stemmed from a hack on a “single and isolated user account”.


Criminal hackers stole employee information from the shipping firm before unsuccessfully attempting to blackmail it. In an update this week on its progress in dealing with the previously disclosed breach, Clarksons said it has been “able to successfully trace and recover the copy of the data that was illegally copied from its systems”.

The breach itself ran for more than five months – from May 31, 2017 until November 4, 2017 – the update (pdf) also revealed.

Clarksons is in the process of notifying potentially affected individuals, some of whom have had a complete portfolio of their personal information laid bare by the breach. Judging by the types of information exposed, employees and (perhaps) contractors are among those most exposed by the breach. Clarksons has consistently refused to clarify whether or not customer data was exposed, and we still can’t be sure on that point.

While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV / resume, driver’s license/vehicle identification information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors.

Affected individuals are urged to “remain vigilant against incidents of identity theft and fraud by reviewing personal account statements for suspicious activity”. The scope of the data theft opens the door to all manner of ID theft scams. Fraudsters who happen to obtain copies of the stolen data might be able to mount highly plausible social engineering or phishing scams, for one thing.

Clarksons was compromised in the UK by hackers who made off with data before demanding a ransom for its safe return. It responded by notifying the police and regulators as well as launching an investigation of its own, aided by external forensics experts. Partial results of this computer forensics effort are covered in its update.

Through the forensic investigation, Clarksons quickly learned that the unauthorized third party had gained access to its system from May 31, 2017 until November 4, 2017.

Clarksons learned that the unauthorized access was gained via a single and isolated user account. Upon discovering this access, Clarksons immediately disabled this account.

Through the investigation and legal measures, Clarksons were then able to successfully trace and recover the copy of the data that was illegally copied from its systems.

We know that Clarksons resisted this attempted blackmail, going so far as to obtain an injunction against unnamed criminals back in March. It’s unclear how many records were exposed or whether any criminal prosecution has been initiated in the case.


Clarksons has yet to respond to requests from The Register for information on these as-yet unanswered questions. We’ll update this story as and when more information comes to hand.

Single point of pwnage

Joseph Carson, chief security scientist at privileged account management tech firm Thycotic, told El Reg that it wasn’t particularly significant that a single user account was to blame for the breach at Clarksons.

“Many organisations have failed to implement privileged access security and in failing to do so, they typically allow single user accounts to access sensitive information directly with only a single password protecting the sensitive data,” Carson explained. “Many cybercriminals use techniques that first target user accounts through phishing and social engineering, then move laterally to find those privileged accounts that provide them with full access to the network and sensitive data.”

He added: “However, in this particular instance it appears they hit the jackpot account with their first try – or they have a good passive assessment so they knew which user account to target.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/01/clarksons_breach_update/

SMS 2FA gave us sweet FA security, says Reddit: Hackers stole database backup of user account info, posts, messages

In a Wednesday mea culpa, Reddit – the online chat board that got a little out of hand and became the sixth most visited website on the internet – has admitted it was raided by hackers unknown.

For four days, specifically June 14 to June 18, miscreants managed to break into the website’s cloud hosting and source-code repository accounts of several Reddit employees, despite their accounts being locked down with two-factor authentication via SMS. It looks at this stage as though a man-in-the-middle attack was used to snatch the SMS tokens, allowing the accounts to be taken over. The staffers’ phones themselves weren’t hacked, it is claimed.

“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” the Reddit team said in a statement on Wednesday. “We point this out to encourage everyone here to move to token-based 2FA.”

El Reg also highly recommends hardware tokens for multi-factor authentication rather than SMSes. Text messages can, for example, be intercepted by scumbags hijacking phone accounts in so-called port-out scams, or through SS7 tricks, or through browser-based attacks, or potentially eavesdropped over the air.


In this instance, it is not known exactly how the login SMSes were grabbed – they could have been phished, after all.

The attackers managed to snaffle a backup database of information that was submitted to the site from its launch in 2005 until May 2007, including usernames, passwords (although these were salted and hashed), email addresses, and all content including public and private messages.

That sounds bad, however, there are mitigating factors. Reddit wasn’t that big for the first year or so of operation, and the founders have admitted that many of the accounts were sock puppets intended to drive initial traffic. The loss of private messages may be more serious, although they are all over a decade old.

Reddit also said that some email digests sent out between June 3 and June 17 have been stolen, showing which safe-for-work subreddits some email addresses were following. Affected users will be contacted by the biz if they were caught up in the theft.

The statement also mentions that the Reddit source code, internal logs, configuration files, and other employee workspace files were accessed.

“In other news, we hired our very first Head of Security, and he started 2.5 months ago,” said Reddit CTO Christopher Slowe. “I’m not going to out him in this thread for obvious reasons, and he has been put through his paces in his first few months. So far he hasn’t quit.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/01/reddit_hacked_sms_2fa/