STE WILLIAMS

Mimecast Snaps Up Solebit for $88 Million

Purchase of threat detection firm closely follows company’s acquisition of security training platform Ataata.

Email and data security firm Mimecast has agreed to buy threat detection company Solebit for approximately $88 million in cash, the two announced today.

Solebit, headquartered in San Francisco, was founded in 2014 by a team of cybersecurity experts who graduated from elite technology units in the Israeli Defense Force. Its focus is on helping users detect advanced threats without signatures or sandboxes, instead recognizing malicious code embedded within active content and data files.

Mimecast already uses Solebit threat detection in its Targeted Threat Protection products. It appears this is the latest in a series of acquisitions intended to protect clients against phishing: According to research from Mimecast and Vanson Bourne, more than 80% of businesses have seen the number of targeted and untargeted phishing attempts stay the same or increase over the past year. Mimecast also recently bought security awareness and training platform Ataata.

Read more details here.

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/mimecast-snaps-up-solebit-for-$88-million/d/d-id/1332435?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

10 More Women in Security You May Not Know But Should

The second installment in a series highlighting women who are driving change in cybersecurity but may not be on your radar – yet.

(Image: Syda Productions via Shutterstock)

Kelly Jackson Higgins contributed to this article.

The gender disparity plaguing cybersecurity – and the tech industry as a whole – isn’t new, but it is particularly discouraging when the few women in the space aren’t recognized for their work.

Women make up 11% of cybersecurity professionals around the world, researchers report, and even fewer hold leadership positions. Change in the industry has been slow-going, and it doesn’t help that most male security pros believe women have the same opportunities for career advancement as they do. About half of women feel the same way, data indicates.

However, women can take steps to raise their visibility in the security industry – a sector in which most women are underpaid compared with their male colleagues and are more likely to face discrimination in the workplace. Raising awareness of the problem, embracing their roles as security experts, and serving as mentors to younger women are among the best practices.

The industry can also do more to support them. Plenty of women in the industry are making moves and changing cybersecurity for the better. Earlier this summer, for example, former Twistlock strategy officer and Forrester vice president Chenxi Wang debuted the first female-led cybersecurity venture capital firm, Rain Capital, a product of her security expertise and interest in investing in early-stage startups.

Wang isn’t the only woman who is driving change in cybersecurity. In an effort to acknowledge the work women are doing to shape the industry, Dark Reading is publishing a series of articles about women who are making key contributions but aren’t quite as well-known (yet), and who we think will make a difference in the future.

The first installment was published earlier this year, putting the spotlight on 10 women across all sectors of security. In this second installment, 10 more women were chosen based on research and recommendations from industry peers, experts, and colleagues. (Their profiles are in no particular order.) 

We are always looking to learn about women in cybersecurity whose work is poised to make a difference. If you know someone who belongs on this list, please send their names and any information about them and their work to [email protected].

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/careers-and-people/10-more-women-in-security-you-may-not-know-but-should/d/d-id/1332433?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Yale Discloses Data Breach

The university discloses that someone stole personal information a long time ago.

Yale University has just disclosed that it suffered a data breach including names, Social Security numbers, dates of birth, and, in some cases, email addresses and physical addresses of certain individuals. And that is nearly as specific as the disclosure from the university gets.

According to Yale, sometime between April 2008 and January 2009 someone gained access to a database and exfiltrated information. The database was purged of personally identifiable information in 2011, but it wasn’t until June 2018 that the university discovered a breach had taken place.

The university says that, due to the time that has passed, there is no way of knowing who the attacker was. The school has, it says, notified all affected individuals and offered credit monitoring to U.S. residents on the list.

Read here for more: https://www.nbcconnecticut.com/news/local/Social-Security-Numbers-Accessed-in-Yale-University-Data-Breach-489556661.html

Article source: https://www.darkreading.com/attacks-breaches/yale-discloses-data-breach/d/d-id/1332439?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dixons Carphone: Yeah, so, about that hack we said hit 1.2m records? Multiply that by 8.3

Dixons Carphone today admitted that the data breach it discovered last month affected nine times as many people as first believed.

The retailer ‘fessed up to the hack in June this year, saying that it had involved 5.9 million payment cards and 1.2 million personal data records.

However, in a statement issued today (PDF), Dixons Carphone revised this number, saying about 10 million records may have been accessed.

The firm said that it now had evidence that “some of this data may have left our systems”, but that the records don’t contain payment card or bank account details. “There is no evidence that any fraud has resulted,” it added.


The biz – which owns Carphone Warehouse and Currys PC World – has now nearly completed a full investigation of the unauthorised access that it said took place in 2017.

As a result, Dixons Carphone said it was contacting all of its customers “as a precaution” to apologise and advise them on how to reduce the risk of fraud.

“We have taken action to close off this access and have no evidence it is continuing,” it said.

“We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing.”

The incident is being investigated by the Information Commissioner’s Office, which earlier this year fined Carphone Warehouse £400,000 for a 2015 data breach that hit 3 million customers.

The admission of further impact comes at a bad time for Dixons Carphone, which last month reported a 24 per cent dive in annual pre-tax profits, and has recently announced plans to shutter 92 of its 650 stores.

In today’s statement CEO Alex Baldock, who only started in April, said: “We’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/31/dixons_carphone_breach_10m_records/

Pentagon ‘do not buy’ list says нет to Russia, 不要 to Chinese code

The US military is drawing up a list of overseas organizations – primarily in Russia and China, funnily enough – that the Pentagon and its contractors shouldn’t buy software from, citing security concerns.

In a briefing with journalists on Friday, Ellen Lord, US defense undersecretary for acquisition and sustainment, said officials have spent the past six months crafting the so-called “do not buy” list. The aim is to stop code with Russian and Chinese origins or connections from being purchased and/or used by America’s armed forces and its contractors in case the stuff can be remotely hijacked and spied on.

The list is being compiled with the help of US defense contractor organizations including the Aerospace Industries Association, the National Defense Industrial Association, and the Professional Services Council.

“We had specific issues … that caused us to focus on this,” said Lord. “What we are doing is making sure that we do not buy software that’s Russian or Chinese provenance. Quite often that’s difficult to tell at first glance because of holding companies.”

The US government has been locking down its supply chain to thwart attempts by foreign intelligence to insert vulnerabilities or backdoors into imported technology installed in American computer networks – y’know, the sort of backdoors the NSA hid in some of Cisco’s devices. The most high-profile crackdowns to date have been against Russian security software vendor Kaspersky and Chinese hardware supplier Huawei, with officials citing security concerns.


Given Lord’s background, some are going to question whether this latest list is really a security issue or just protectionism in the defense industry. Lord was appointed last year after a 30-year career in the US defense contracting industry, latterly at Textron, which owns Bell Helicopters. On the other hand, no one sane would put it past Chinese and Russian intelligence to leverage tools and products exported to the US to snoop on Uncle Sam. Spies gotta spy.

While America turns its back on Chinese and Russian software, Cisco, IBM, HP, McAfee, and SAP have reportedly handed over the source code and blueprints for their kit to Kremlin investigators to pore over in search for backdoors and other malware before allowing the gear to be sold and used in the former Soviet Union.

This move sparked some serious concerns, not least because some of these companies are major suppliers to America’s military. Exposing the source code to Moscow’s agents would show Russian spies where to attack installed equipment and software to eavesdrop on the US administration.

China has made similar demands for source code access. So far, Microsoft, IBM, and Intel have said they are not playing ball, but that may change.

To complicate matters further, folks in Russia and China have been trying to buy stakes in key American software companies, as well as setting up holding and shell companies to obfuscate the origin of code. Sorting out what is and isn’t acceptable to the Pentagon may take some time. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/30/pentagon_russia_china_software_ban/

Australians almost immune from ransomware, topping lists for data safety

Take a bow, Australians: we may have had 242 breaches sent to the information commissioner this quarter, but almost nobody fell victim to ransomware attacks.

Of all the data breaches reported to the Office of the Australian Information Commissioner (OAIC) between April and June this year, only two were ransomware attacks.

However, given the MyHealth Record debate in Australia, the statistics paint a grim picture: the health sector recorded the most notifiable breaches from April to June.

The OAIC data, published today, is the first full quarter of data breach statistics since the notification regime came into force on 22 February 2018.

Breach notifications rose in each of the months covered by the report, which probably indicates rising business awareness of the legislation: there were 65 notifications in April, 87 in May, and 90 in June, a total of 242 in the quarter.

Only one reported breach affected more than a million customers. While the OAIC doesn’t identify which organisations were breached, the only large-scale candidate Vulture South is aware of in those three months was the Commonwealth Bank’s misplaced backup tapes, which became public in May.

At the time, we argued that the practical impact of the breach is probably limited. The tapes were supposed to be destroyed, and may have been, but even if they weren’t, recovering useful data from them would be difficult.

Most of the breaches – 223 of them – affected fewer than 5,000 individuals and 93 breaches affected 10 people or fewer.

Vulture South would note that a data breach affecting a single person (51 incidents reported) is likely to be targeted at that individual, and may have a far greater effect on the victim than a mass leak of e-mail addresses.

The health sector had 29 breaches due to “human error” and 20 due to “criminal attack,” both breach sources topping the five industry sectors reported by the OAIC.

The OAIC’s analysis of data breaches by industry

This is worrying for two reasons: first, Australians are already extremely touchy about health data security in light of the MyHealth Record debate; and second, because the OAIC data could underestimate the number of breaches in the sector.

That’s because public hospitals aren’t covered by the scheme, and the data also excludes notifications covered by the MyHealth Record Act, as noted by analyst Justin Warren:

The government believes there have been no MyHealth Record breaches yet.


Most of the breaches in the health sector were attributed to human error (learn to use the bcc: field, people, and don’t trust autocomplete), while the finance sector had the dubious honour of topping the list for “cyber incidents”. Out of the 14 reported breaches in the finance sector, 13 were attributed to credentials, compromised either via phishing or “method unknown,” with a single breach attributed to a successful brute-force attack against someone’s credentials.

Across all industries, 59 per cent of incidents were attributed to malicious attacks; 36 per cent to human error and 5 per cent to some kind of system failure. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/30/oz_orgs_good_at_fending_off_ransomware_health_tops_breach_league_table/


$5 Million in Cryptocurrency Stolen in SIM Hijacking Operation

College student is arrested for his alleged involvement.

A college student from Boston was arrested this month at Los Angeles International Airport for his alleged role in a SIM hijacking scheme that resulted in the theft of more than $5 million in cryptocurrency.

Joel Ortiz, 20, allegedly hacked the SIM cards of 40 victims, Motherboard reports. He and others involved in the hack targeted people associated with cryptocurrency investment and blockchain operations. SIM hijacking occurs when a wireless provider is duped into moving the victim’s phone number to a SIM held by the attacker, who then uses the number to reset passwords and hack other online accounts of the victim.


Article source: https://www.darkreading.com/endpoint/privacy/$5-million-in-cryptocurrency-stolen-in-sim-hijacking-operation/d/d-id/1332422?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Spectre Variant Hits the Network

A new proof of concept is a reminder that complex systems can be vulnerable at the most basic level.

Spectre is back, and this time in a variant that adds something truly new: remote access to cached data. The good news is that access comes at a snail’s pace.

In a research paper published last week, four researchers from Graz University of Technology detailed NetSpectre, “a generic remote Spectre variant 1 attack.”

“In theory, it’s a big deal, and they made it sound like a big deal,” says Chris Morales, head of security analytics at Vectra. “It’s a proof of concept showing it’s feasible to leak information over the network, but it’s so slow it’s unusable.”

Just how slow is NetSpectre? In the original proof of concept, the researchers at Graz were able to exfiltrate 15 bits per hour using a “bit-leak gadget” that they developed for use over a network. They were able to push data transfer up to 60 bits per hour when they employed a “novel high-performance AVX-based covert channel.”

Obviously, no actor is going to attempt to steal a database of millions of credentials through an exploit with this performance. “These Spectre attacks are designed to extract data from memory, which would include user passwords and small bits of personal information,” Morales said. “This is a reconnaissance technique, not a data exfiltration technique.”

Major Actors
In a real-world scenario, the data transfer would likely be even slower than the proof of concept indicates. “If you’re a remote attacker, you’re talking three to six bits per hour, but it’s a really low number of bits you can extract in a day,” says Mounir Hahad, head of threat research at Juniper Networks. “And since you’re blind to the memory layout of the target machine, it’s going to take a long time.”

The nature of NetSpectre limits its real interest to a small handful of players, he adds. “This is beyond the capability of cybercrime. This is for well-funded state actors who can afford to have teams go out and find the economical applications of the technique,” Hahad explains.

In fact, Hahad predicts, “Five to 10 years from now, we’ll have a leak that says people have been using [Spectre vulnerabilities] for several years.”

Even so, both Morales and Hahad say that their researchers look at NetSpectre and see an interesting proof of concept that has little practical use. The reason is that other, simpler exploits are far more productive and economical. Spear-phishing, for example, remains the researchers’ weapon of choice when it comes to extracting user credentials from an organization. But NetSpectre is “low-level, close to the hardware, and very complex,” Hahad says. Spear-phishing is none of those.

Warnings And Precautions
According to Morales, NetSpectre includes one obvious spot for more development: “The bit-leak gadget is the key here,” he says. “I’m sure there’s going to be more work. The first step was proving that it was feasible.”

Hahad agrees, saying that more useful gadgets may be closer than we think. “The gadgets are out there, and the bad guys are going to find them,” he says.

In the meantime, organizations should perform the basic security steps necessary to protect their systems from all the Spectre variants. “Make sure the patches for Spectre are in place,” Morales says. “Next, evaluate whether you have any systems where the patch can’t be deployed.”

Other security professionals echo Morales’ advice. “By now, organizations should have already taken the necessary steps to reduce the risk of this vulnerability by patching susceptible systems, limiting network access, and protecting privileged access to critical systems that are still exploitable,” says Joseph Carson, chief security scientist at Thycotic.

As with many other exploits, a primary worry is systems that can’t be patched or updated because they’re part of embedded process control or dedicated application environments.

Intel- or ARM-based control systems that could remain unpatched do have one saving grace, according to experts: They’re not likely to be host to mountains of sensitive information. Still, NetSpectre, like the Spectres that have come before it, is a reminder that complex systems can be vulnerable at the most basic level, and that legions of researchers are out there eager to demonstrate just where those vulnerabilities lie.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/new-spectre-variant-hits-the-network/d/d-id/1332431?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russian National Sentenced to 70 Months For $4 Million Debit Card Fraud

Mikhail Malykhin’s actions drove one company out of business.

A Russian national responsible for a debit card fraud scheme that cost his victims over $4.1 million in losses and drove one company out of business has been sentenced to 70 months in federal prison.

Mikhail Malykhin, 36, will also forfeit about $1.3 million in cash, more than $22,000 in gift cards, several gold bars, and a 1966 Ford Mustang that the FBI previously seized from him.

Malykhin in 2016 had pleaded guilty to conspiring to use stolen debit cards and unauthorized access to a protected computer. At his sentencing last week, United States District Judge Dolly Gee of the Central District of California described Malykhin’s actions as “reprehensible” and “ruining the lives of many,” a statement issued by the Justice Department Friday noted.

Court documents associated with the case show that in December 2015 Malykhin illegally accessed a computer belonging to Polestar Benefits, a Lake Oswego, Oregon-based healthcare company that administers flexible spending accounts (FSAs) and COBRA services to other companies.

In that role, the company creates and manages FSAs, which are accounts into which employees can deposit pre-tax money for out-of-pocket healthcare expenses. Polestar also administers dependent care accounts, which are another type of special account used to pay for elderly and dependent care.

Like other administrators of FSA accounts, Polestar issues a restricted type of debit card that an FSA account holder can use to pay for certain types of medical expenses. When the holder of a dependent care account spends money on dependent care, Polestar reimburses them from the account holder’s previously funded account.

Malykhin used his access to Polestar’s systems to reactivate the dormant accounts of 43 previous employees at Lane Community College, a Eugene, Oregon-based client of Polestar. He created new dependent care accounts for those employees, fraudulently funded several of them, and had debit cards linked to those accounts mailed to associates in various locations.

Malykhin set limits ranging from $500,000 to a staggering $5 million for the debit cards and modified them in such a way that the usual restrictions on the use of such cards were removed. In other words, debit cards that normally could have been used only to pay for qualified medical expenses were modified so they could be used as high-limit payment cards at any location.

Five associates of Malykhin — four Russian and one identified only as East European — used the fraudulent cards to buy hundreds of thousands of dollars worth of electronic goods, expensive furniture, and other big-ticket items from retail stores in California. In several cases, the associates then returned the fraudulently purchased goods for cash or for gift cards. Malykhin himself, who was the head of what prosecutors have described as a Russian organized crime syndicate, got to keep his share of the luxury goods, cash, and debit cards.

All five of his associates were subsequently arrested and sentenced to periods ranging from one year to three years in federal prison.

The court papers filed in connection with Malykhin’s arrest show that he was responsible also for breaking into FlexMagic Consulting, another third-party administrator like Polestar, and similarly defrauding them of $3.5 million. The March 2016 break-in later forced FlexMagic out of business, leaving responsibility for the losses to Alegeus, the maker of a software platform that both Polestar and FlexMagic used for creating and managing FSA accounts for clients.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/russian-national-sentenced-to-70-months-for-$4-million-debit-card-fraud/d/d-id/1332432?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple