STE WILLIAMS

Investors accuse FedEx of lying, stock dumping after NotPetya attack

Shareholders are suing FedEx execs for allegedly dumping stocks and lying about the extent of damage caused by the attack of NotPetya encrypting ransomware.

The complaint, filed last week in the US state of Delaware, accuses the shipping giant and its head honchos of giving “materially false and misleading statements” about the damage inflicted by the infection on FedEx’s European subsidiary TNT Express in June 2017.

At the time, we gave a detailed teardown of the malware, plus an analysis of its devastating worm-ransomware and disk-disabling behavior.

Besides FedEx/TNT Express, other large companies hobbled by NotPetya included British consumer products company Reckitt Benckiser, chocolate maker Mondelez, advertising group WPP, shipping giant Maersk, and Nuance Communications.

This isn’t the first NotPetya-spawned lawsuit. FedEx was hit with a similar lawsuit in July 2019, when shareholders accused the package giant of making “false and misleading” statements about minimal impacts on TNT; about recovery being on track; about the anticipated costs and timeframe it would take to integrate and restore the TNT network; and for allegedly failing to disclose important details of TNT’s deteriorating business, including slowed down overall package volume growth, an increased shift in product mix from higher-margin parcel services to lower-margin freight services, and more.

According to the lawsuit filed in July, as a result of the true extent of the damage becoming public, FedEx stock dropped over 12%.

Following the TNT attack, FedEx said that while its operations and communications systems were disrupted, it didn’t lose any data, and other FedEx companies were unaffected. It also halted trading of its shares on the New York Stock Exchange. A few months later, FedEx announced a $300m loss because of the attack.

Downplayed the damage?

That wasn’t enough, shareholders are now arguing. The executive team downplayed the extent of the damage, they claim. The suit names 19 FedEx execs, 10 of whom sold shares that netted them profits totaling more than $40m.

From the stockholder derivative complaint:

The Individual Defendants participated in the issuance and preparation of materially false and/or misleading statements by FedEx, including press releases and SEC filings. Because of the Individual Defendants’ positions with FedEx, they were aware of the adverse material non-public information about the business of FedEx, as well as its finances, markets, and present and future business prospects, via access to internal corporate documents, conversations and connections with other corporate officers and employees, attendance at management and/or Board meetings and committees thereof, and via reports and other information provided to them in connection therewith.

According to the complaint, investors didn’t understand the full extent of FedEx’s “misrepresentations and omissions” about TNT until 18 December 2018, when it reported a big profit miss due to lower package volumes in Europe, as customers fled to competitors – permanently.

Other companies victimized by NotPetya have also jumped into lawsuits. In January 2019, Mondelez, the US company that makes Oreo cookies and Cadbury chocolates, sued its insurance company, Zurich, which had declined to pay its $100m claim for NotPetya damage. Zurich had deemed the attack “a hostile or warlike action”, and, as such, excluded from coverage.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DZkjtO37crE/

Google pulls more fake adblockers from Chrome Web Store

Google has again been reprimanded for not spotting fake extensions impersonating popular brands in its Chrome Web Store.

The victims this time were AdBlock by AdBlock Inc (easily confused with legitimate extension AdBlock by getadblock) and uBlock by Charlie Lee (similar-sounding to uBlock.org’s uBlock or Raymond Hill’s uBlock Origin).

The impersonation was made public in a blog by rival adblocker maker, AdGuard, whose Andrey Meshkov decided to take a closer look at the fake software’s behaviour.

The short and surprising answer – they block ads – perhaps not a huge ask given that both appear to have been based on the same code as the original AdBlock.

However, according to Meshkov, 55 hours after installation, they start doing something called ‘cookie stuffing’, a common ad fraud technique.

Cookie stuffing

Normally, an eCommerce website will check cookies to work out how that user arrived at their site, paying a fee to the affiliate responsible when a purchase is made.

It’s a hidden cornerstone of the internet economy which criminals subvert by ‘dropping’ floods of cookies on to a computer to make it appear the user clicked on an affiliate ad when they didn’t.

Because only a small number of users will make a purchase from a site, the fraudsters need to sneak their cookie stuffing programs on to as many computers as possible. Writes Meshkov:

These two add-ons have more than 1.6 Million ‘weekly active users’, who were stuffed with cookies of over 300 websites from Alexa Top 10,000. It is difficult to estimate the damage, but I’d say that we are talking about millions of USD monthly.

Unchecked, it’s easy to see how this sort of scam could cost large brands a lot of money, which explains why a handful of people accused of this scam in the US have ended up in jail.
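The behaviour described above has a recognisable shape from the defender's side: a genuine affiliate click sets one merchant cookie right after the user navigates somewhere, whereas stuffing drops cookies for many merchants the user never visited, all within seconds. The script below is an added example (not AdGuard's or Meshkov's code) that looks for that pattern in a cookie-set history; the records are constructed, and the assumption is that a browser or test harness can export each stored cookie together with whether its domain was the page the user had actually navigated to.

```python
"""Spot cookie-stuffing bursts in a browser's cookie-set history.

Added example; the records below are constructed, not taken from AdGuard's
analysis.  Assumption: a browser (or a test harness) exports every cookie it
stored, together with whether the cookie's domain was the top-level page the
user had actually navigated to at that moment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CookieEvent:
    ts: datetime
    domain: str        # domain the stored cookie belongs to
    name: str          # cookie name (e.g. an affiliate tracking id)
    top_level: bool    # True if the user had navigated to `domain` itself


def visited_domains(events):
    """Domains the user genuinely visited (any top-level navigation)."""
    return {e.domain for e in events if e.top_level}


def find_stuffing_bursts(events, window=timedelta(seconds=30), min_domains=5):
    """Return [(burst_start, [domains])] for clusters of cookies dropped on
    domains the user never visited.  A legitimate affiliate click sets one
    cookie for one merchant after a real navigation; stuffing sets many,
    for many merchants, within seconds and with no navigation at all."""
    visited = visited_domains(events)
    suspects = sorted(
        (e for e in events if not e.top_level and e.domain not in visited),
        key=lambda e: e.ts,
    )
    bursts = []
    i = 0
    while i < len(suspects):
        j = i
        domains = set()
        while j < len(suspects) and suspects[j].ts - suspects[i].ts <= window:
            domains.add(suspects[j].domain)
            j += 1
        if len(domains) >= min_domains:
            bursts.append((suspects[i].ts, sorted(domains)))
            i = j            # skip past the burst we just reported
        else:
            i += 1
    return bursts


# Constructed sample: ordinary browsing, then an extension dropping eight
# merchant cookies within seconds, 55 hours later (the delay Meshkov reported).
T0 = datetime(2019, 9, 20, 9, 0, 0)
SAMPLE = [
    CookieEvent(T0, "news.example", "session", True),
    CookieEvent(T0, "news.example", "prefs", True),
    CookieEvent(T0, "ads.example", "uid", False),   # an ordinary third-party tracker
    CookieEvent(T0 + timedelta(minutes=5), "shop1.example", "aff_id", True),  # a real affiliate click
]
STUFF_START = T0 + timedelta(hours=55)
SAMPLE += [
    CookieEvent(STUFF_START + timedelta(seconds=n), f"shop{n + 2}.example", "aff_id", False)
    for n in range(8)
]

if __name__ == "__main__":
    for start, domains in find_stuffing_bursts(SAMPLE):
        print(f"{start:%Y-%m-%d %H:%M:%S}: {len(domains)} unvisited merchants cookied: "
              + ", ".join(domains))
```

A single unvisited third-party cookie (the tracker in the sample) never trips the detector on its own; only a burst of distinct, unvisited merchant domains does, which is the part of the pattern a fraudster cannot avoid while still earning commission from many merchants.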

Extension confusion

If stuffing has been going on forever, why does it keep happening?

Remember, this affects everyone – the users who end up with possibly dangerous software on their computers, the brands paying for bogus clicks, and the legitimate extension makers who have their brands hijacked.

It’s a problem that nobody seems to have the answer to, least of all Google, which is often caught flat-footed by fakes sitting in plain sight. Meshkov says Google ignored his reports until the story went public and the rogue extensions were finally taken down.

That brings to mind the weeks it took Google to take down a rogue version of AdBlock Plus in 2017, to pick just one example – this is certainly not a one-off.

Obviously, the buck should stop with Google on its own site but identifying legitimate software is often very difficult. For example, adblockers all tend to look the same, right down to their names, the colours and appearance of their branding.

Even the gold standard of judging an extension or app from the number of users wouldn’t have worked once the fakes themselves have been downloaded hundreds of thousands of times.

No matter how hard Google says it’s working to stop them, the most effective extension detectives are still researchers, security companies and the users themselves, acknowledged by Google when it recently expanded its Developer Data Protection Reward Program (DDPRP) and Google Play Security Reward Program (GPSRP).

As far as we can tell, these don’t reward the simple issue of calling out fakes when it’s not clear what they might be doing at a deeper level.

That’s a shame because finding malicious or fake programs is also about finding them quickly. Google should be edging towards a system that incentivises users to report suspect extensions, even if it means getting set up to handle a flood of false positives.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bENpOujBKCo/

Pizza prankster’s prisoner plea plot perturbs police, Norks invading and Uber woes

Security roundup: Here are a handful of security happenings in the past week that are worth noting – aside from what The Reg has already covered.

Microsoft extends Windows 7 support*

With everyone up in arms about the potential for hackers to influence the upcoming 2020 US presidential elections, Microsoft is offering to help local governments secure their older voting machines that are based on the obsolete Windows 7 platform.

This will allow admins to download and install all security updates for Windows 7 ahead of the elections to close up potential entry points for hackers wishing to tamper with vote totals.

*But only for voting machines.

US Air Force opens cloud security contract for bidding

Government cloud contractors will be happy to hear the US Air Force is open to bids for a new IT modernization program worth $95m.

NextGov reports the deal will look to create a single system capable of monitoring and cataloguing information on cybersecurity incidents.

The new project is part of a larger Air Force IT overhaul program known as LevelUP, which is aimed at bringing the military branch’s systems into the cloud.

Facebook wipes out even more data-slurping devs

The Social Network has emitted an update on its ongoing purge of developers who use its platform to harvest the personal information of users.

“It is important to understand that the apps that have been suspended are associated with about 400 developers,” Facebook said on Friday.

“This is not necessarily an indication that these apps were posing a threat to people. Many were not live but were still in their testing phase when we suspended them.”

Some, including Oregon’s tech-savvy Democratic Senator “Silicon” Ron Wyden, weren’t particularly impressed.

ESET details Stealth Falcon backdoor

Researchers with ESET this week introduced a newly discovered backdoor being used by the Stealth Falcon hacking operation.

The backdoor is notable in that it uses a little-known Windows component, BITS (the Background Intelligent Transfer Service), to quietly handle communications between the infected machines and the command-and-control servers.

“Compared to traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus is harder to detect,” ESET explained.

“Moreover, this design is reliable and stealthy, and more likely to be permitted by host firewalls.”
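Because BITS traffic originates from a trusted Windows service rather than the malware's own process, the practical place to catch abuse is the BITS job itself: which remote host it talks to, who owns the job, and whether it uploads as well as downloads. The script below is an added example (not ESET's code) that triages exported BITS job events against an allowlist; it assumes the Microsoft-Windows-Bits-Client/Operational log has been flattened by a SIEM or wevtutil export into dicts with the fields used here (event ID 59 for a job start, 60 for a stop), and the `job_type` field, the sample records and the allowlist are constructed for the example.

```python
"""Hunt for suspicious BITS transfer jobs in exported event-log records.

Added example, not ESET's code.  Assumption: a SIEM or wevtutil export of the
Microsoft-Windows-Bits-Client/Operational log has been flattened to dicts with
the fields used below (event_id 59 = job started, 60 = job stopped); the
job_type field and the allowlist are likewise assumptions for this example.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts this estate legitimately reaches over BITS.
ALLOWED_HOST_SUFFIXES = ("windowsupdate.com", "microsoft.com", "corp.example")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def host_allowed(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def assess_job(event: dict) -> list:
    """Return the reasons a single BITS start event looks suspicious (empty = clean)."""
    url = urlparse(event["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if not host_allowed(host):
        reasons.append("remote host not on allowlist")
    if IPV4.match(host):
        reasons.append("raw IP address instead of a hostname")
    if event.get("job_type") == "upload":
        # BITS can upload as well as download; an upload to an unknown host is a
        # plausible exfiltration or beacon channel.
        reasons.append("upload job")
    return reasons


def suspicious_bits_jobs(events) -> list:
    """Triage a list of exported events; only 'job started' (59) records carry the URL."""
    findings = []
    for e in events:
        if e["event_id"] != 59:
            continue
        reasons = assess_job(e)
        if reasons:
            findings.append({"job_name": e["job_name"], "url": e["url"],
                             "owner": e["owner"], "reasons": reasons})
    return findings


# Constructed sample records (203.0.113.0/24 is a documentation address range).
SAMPLE_EVENTS = [
    {"event_id": 59, "job_name": "Windows Update", "owner": r"NT AUTHORITY\SYSTEM",
     "url": "http://download.windowsupdate.com/d/msdownload/update/x.cab", "job_type": "download"},
    {"event_id": 60, "job_name": "Windows Update", "owner": r"NT AUTHORITY\SYSTEM",
     "url": "http://download.windowsupdate.com/d/msdownload/update/x.cab", "job_type": "download"},
    {"event_id": 59, "job_name": "Pkg sync", "owner": r"CORP\svc_deploy",
     "url": "https://fileshare.corp.example/pkg/agent.msi", "job_type": "download"},
    {"event_id": 59, "job_name": "svc_2f91", "owner": r"CORP\jdoe",
     "url": "https://203.0.113.10/api/beacon", "job_type": "upload"},
    {"event_id": 59, "job_name": "Update Helper", "owner": r"CORP\jdoe",
     "url": "https://cdn.updates-mirror.example/pkg.bin", "job_type": "download"},
]

if __name__ == "__main__":
    for f in suspicious_bits_jobs(SAMPLE_EVENTS):
        print(f"{f['job_name']!r} by {f['owner']} -> {f['url']}: {'; '.join(f['reasons'])}")
```

The allowlist is the part that needs tuning per estate: software updaters from many vendors use BITS, so the first run will mostly surface hosts to add to the list, after which the remaining hits (raw IPs, upload jobs, unknown CDNs) are worth a look.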

It is an attack you most likely will never face. The Stealth Falcon attacks have been primarily looking to infect political activists and journalists operating out of the Middle East.

Still, if you want a more detailed look into a very interesting piece of malware, ESET’s full report can be read here.

Windows NTFS prone to file-guessing bug

One bug not addressed in this month’s Patch Tuesday bundle was this file enumeration error in the Windows NT File System.

Researcher John “hyp3rlinx” Page discovered that anyone with an ordinary user account on a drive using NTFS could potentially take advantage of a quirk in the error reporting system of Windows to figure out what protected files are on a machine.

“Standard account users attempting to open another user’s files or folders that do not contain a valid extension or dot ‘.’ in its filename are always issued the expected ‘Access is denied’ system error message,” Page explained.

“However, for files that contain a (dot) in the filename and that also don’t exist, the system echoes the following attacker friendly warning: ‘The system cannot find the file’.”

“This error message inconsistency allows attackers to infer files EXIST, because any other time we would get ‘The system cannot find the file’.”

While the flaw could be useful to hackers performing recon by trying to map out what files are on a machine and where, it wasn’t quite severe enough to qualify as a security vulnerability in Microsoft’s book and Page was told his discovery “does not meet the bar for security servicing.”

Online pizza order ends in SWAT team call

A prankster looking to pull a fast one may have gotten more than they bargained for (or perhaps exactly what they wanted) when a phony message hidden within a pizza order ended in a massive police incident.

A Domino’s Pizza shop in San Diego received a seemingly normal mobile order on September 10, until one of the employees noticed that someone had put a message into the order claiming that a person was being held hostage at the pizza’s destination (a home in nearby Sherman Heights).

This led the outlet to notify the police, who sent officers in tactical gear to clear out and search the home. They eventually concluded the call was a hoax and the people at the house had no idea what was going on.

No word on whether they got the pizza.

US-CERT dissects new North Korean malware

The United States Computer Emergency Readiness Team (US-CERT) has said it has a new sample of malware appearing to have originated in North Korea. Known as “Badcall” and “Electricfish”, the malware is believed to be the work of the Hidden Cobra hacking campaign that has sought to plunder cash to funnel into North Korea.

Suspected “hack” was a Fortnite update

Security writer Stilgherrian uncovered this story from the 2018 Commonwealth Games: days before the games were set to start, admins noticed an unusually high spike in network traffic and figured someone was attacking the event’s network with a DDoS flood.

As it turned out, the spike was actually just nearby users downloading a larger-than-usual update to the MMO shooter Fortnite, both a testament to the popularity of the game at the time and the interesting traffic patterns it generated.

Researcher uncovers Uber security hole

AppSecure has detailed a flaw it discovered in Uber that could have potentially allowed a determined attacker to hijack a user’s account.

It turns out the API Uber uses to handle the Uber user ID (UUID) numbers is insecure. An attacker who was able to get the user’s phone number or email address could create an API request that would return the UUID. That UUID could then be used to potentially steal authentication tokens that would allow the attacker to hijack the user’s account.

Or, they could use the phone number and email address to phish/socially engineer the user into just handing over their password.

The bug has since been patched by Uber without any reports of in-the-wild exploits.

Twitter axes thousands of accounts in political influence crackdown

Twitter has said it wiped around 10,000 accounts in Europe, the Middle East, Asia, and South America that were attempting to spread disinformation and sway public opinion on political topics.

“Going forward, we will continue to enhance and refine our approach to disclosing state-affiliated information operations on our service,” the blue bird tweeted.

The eBay eBabe returns

Almost a fortnight ago, Microsoft and eBay found themselves in an embarrassing spot when an Outlook bug resulted in a mostly naked woman appearing as the avatar for eBay UK’s mail account.

Those who “missed out” on the incident got treated to a repeat performance last week, it seems.

Microsoft advised anyone still having this problem to update the App via the App Store. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/23/security_roundup_130919/

HMRC’s HTTPS howler: Childcare payments site cert expired at 1am on Sunday, down for hours

Furious parents have lashed out at Her Majesty’s Revenue and Customs after the UK tax authority let a key HTTPS certificate expire on its childcare tax credit portal.

Numerous people contacted us almost immediately when the HTTPS certificate on childcare.tax.service.gov.uk expired at 00:59:59 on Sunday 22 September.

As Reg reader Cian put it, the web app at that address “will let you pay a certain amount of your childcare bill before tax,” adding that “it can be worth a few hundred quid a month if you have a high childcare bill.”

HTTPS certificates are used to encrypt connections between your browser and the website you are accessing as a means of securing you against criminals trying to eavesdrop and gather financial details or other information for nefarious purposes.

Any web page not running HTTPS with a valid TLS certificate has shown a “not secure” warning in the Chrome address bar since version 68, and Mozilla’s Firefox, Microsoft’s Edge and Apple’s Safari will likewise warn you that they may not be able to establish a secure connection to the server.

[Screenshot: the screen greeting visitors to https://childcare.tax.service.gov.uk/ on a Chromium-based browser this morning, reporting that the site’s certificate has expired]

HMRC has at least got its security posture right by enforcing HSTS, which prevents people from accessing the site other than through a secured HTTPS connection. The idea there is to prevent connection-downgrading attacks by online mischief-makers. Unfortunately, that also means you can’t power on through the “Are you sure?” checks built into most modern browsers and take the risk for yourself.
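An outage like this one is cheap to prevent: a monitor only has to read the certificate's notAfter date and alert well before it arrives, and the same check can confirm the HSTS policy is still being sent. The script below is an added example (not HMRC's or The Register's code) of that check; the date strings and header values are constructed samples, and `fetch_tls_facts` is the only part that touches the network.

```python
"""Certificate-expiry and HSTS checks of the kind that would have flagged the
childcare.tax.service.gov.uk outage before 00:59:59 on Sunday.

Added example, not HMRC's or The Register's code.  The date strings and header
values below are constructed samples; fetch_tls_facts is the only part that
touches the network.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional


def days_remaining(not_after: str, now: Optional[datetime] = None) -> float:
    """`not_after` uses the format ssl.getpeercert() returns: 'Sep 22 00:59:59 2019 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(days: float, warn_days: int = 14) -> str:
    if days <= 0:
        return "EXPIRED"
    if days <= warn_days:
        return "RENEW_SOON"
    return "OK"


def check(not_after: str, now_iso: str, warn_days: int = 14) -> dict:
    """Offline check: `now_iso` is an ISO-8601 timestamp with a UTC offset."""
    days = days_remaining(not_after, datetime.fromisoformat(now_iso))
    return {"days": round(days, 3), "status": classify(days, warn_days)}


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        d = raw.strip().lower()
        if d.startswith("max-age="):
            out["max_age"] = int(d.split("=", 1)[1].strip().strip('"'))
        elif d == "includesubdomains":
            out["include_subdomains"] = True
        elif d == "preload":
            out["preload"] = True
    return out


def fetch_tls_facts(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with normal verification.  Before expiry this returns notAfter for
    the monitor; once the cert has expired, verification fails and the error
    message is returned instead of the date."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"not_after": tls.getpeercert()["notAfter"], "error": None}
    except ssl.SSLCertVerificationError as exc:
        return {"not_after": None, "error": exc.verify_message}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "childcare.tax.service.gov.uk"
    facts = fetch_tls_facts(host)
    if facts["error"]:
        print(f"{host}: verification failed: {facts['error']}")
    else:
        days = days_remaining(facts["not_after"])
        print(f"{host}: expires {facts['not_after']} ({days:.1f} days, {classify(days)})")
```

Run from cron against every public hostname the organisation owns, with `warn_days` set to comfortably more than the renewal lead time, and the Sunday-morning surprise becomes a Monday-morning ticket two weeks earlier.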

Bewilderingly, at the time of writing, HMRC hadn’t organised itself sufficiently to install a new certificate, with a corporate mouthpiece admitting he wasn’t aware of the outage but promising a full statement in due course. However, all seemed to be working as intended after lunchtime.

We will update this article if HMRC gets itself into gear. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/23/hmrc_childcare_tax_site_https_cert_expired/

‘Playing Around’ Can Teach Serious Security Lessons

A project intended to move a small robot around a hazardous board teaches some solid security lessons.

Put six adults together for 41 hours with a pile of parts and a vague goal and what do you get? In my case, amplified lessons in secure software development — and a game where you take a robot to do battle.

So last weekend I participated in a make-a-thon. Described as “like a walk-a-thon with less walking and more making,” it was a fund-raiser and a way for me to scratch my ongoing geek itch. Since mechanical engineering isn’t my forte, I was assigned to be half the programming team. And, as is true for so many real-world dev projects, we began on Friday night with only a vague sense of what the hardware would ultimately look like.

So the first thing I did was sit down, write careful specifications, and start hand-crafting the finest in artisanal code, right? Of course not: I headed for the Internet and started grabbing routines described as doing what I wanted to do. And just like that, I was neck-deep in the reality of most agile and dev-ops software shops.

Now, I was lucky in several respects: I was doing classic OT stuff in a variant of C — I could look at the code and tell what was going on. But the thing that struck me in retrospect was just how easily I was grabbing routines and throwing them into my application, and just how little regard I was giving the variables and code that didn’t have an immediate impact on my job.

So that’s the first amplified lesson: do a security scan on downloaded code before you slap it into your application. GitHub’s Semmle acquisition should make this easier for a lot of open source projects, but it’s got to be considered a critical step regardless of where the code comes from.

The next amplified lesson comes straight out of the instructions for blue jeans: Shrink to fit. At times during the development process we had great herds of unused variables and function names roaming across the rolling plains of our code. The combination of code from repositories and debugging routines left detritus that we ultimately had to clean up late in the process because things were getting confusing.

Unused variables and routines left in code are catnip for attackers. In the heat of a sprint (or a 41-hour deadline), it’s too easy to leave things in place rather than cleaning up as you go. But even in cases where you go back at project end and clean up the code, be careful — it’s all too easy to miss lines tucked up under comments or buried in the middle of complex routines.

As the hardware specs matured, we were able to do more testing and pruning, but we were also passing code back and forth more and more frequently. And that brings up the third amplified lesson: be sure your team communication mechanisms are secure.

In our case, security wasn’t a great concern — in the worst case of intrusion, a toy robot would get whacked by a wooden hammer. But where we ended up tossing code back and forth on our team’s Slack channel, code that truly matters to, oh, anyone, should be shared in a secure private repository. Since there were only two of us, we also didn’t have a lot of trouble figuring out who had last touched a given piece of code. With a larger team a more rigorous change process is critical for both security and reliability.

The last amplified lesson I learned is the one that will, I think, have the longest impact: It’s important to get out there and do stuff. It had been a while since I buckled down to a software project with a deadline and expectations that came from someone other than me. It was fun, it was exhausting, and it was educational in all the best ways. It’s easy to fall into a pattern of tossing out opinions gathered from other sources, but it’s important to get some hands-on time to check your assumptions and find out just why those opinions are right (or wrong).

Oh, and the make-a-thon? My team won, largely because the teammates who took on those mechanical engineering roles were really good. As for the code — well, we’ve still got two months before the next time the project shows up in public and there’s some display driver code that needs serious attention…

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/edge/theedge/playing-around-can-teach-serious-security-lessons/b/d-id/1335867?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Network Logging Mitigates Legal Risk

Logging that is turned on, captured, and preserved immediately after a cyber event is proof positive that personal data didn’t fall into the hands of a cybercriminal.

One of the first questions I ask in my role as an attorney responding to a cybersecurity incident is typically: Do you have any logs?

All too often, the answer is no.

The sad truth is that even a simple ransomware event becomes legally complicated without logging mechanisms. Why? Because a cybersecurity attorney’s job is to navigate the statutory framework applicable to a cyber event. That includes determining whether the client needs to give notice under any applicable law to a client’s customers, employees, patients, or other affected individuals.

The legal implications of notice can be intense. A standard breach notice contains a brief summary of the incident along with specific language from the relevant breach notification statute. But beyond the piece of paper, the breach notice can give rise to affected individuals bringing lawsuits or making demands related to the cyber event. Notice to customers or other affected persons can also then require notice to regulators. Notice is often the last thing a company will want to do unless it is absolutely forced to do so under the law.

For most businesses, there is no uniform breach notification protocol that must be followed. Instead, it is left to me, the lawyer, to piece together the myriad applicable statutes potentially at play and to determine whether notice is required under those statutes.

Here are three important examples to consider in a breach context:

HIPAA (Health Insurance Portability and Accountability Act), governing protected health information, requires that a healthcare provider (or business associate) presume that an impermissible use or disclosure has occurred unless the entity can demonstrate that there is a low probability that the protected health information has been compromised based on a factor-by-factor analysis.

Virginia’s breach notification statute defines a breach as “the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.”

New York’s data breach notification statute was recently amended to apply beyond the notification of the unauthorized acquisition of computerized data to both unauthorized access to or acquisition of such data.

What do these arcane legal regulations mean in the context of network logs? It means that if an organization is victimized by a ransomware attack, for example, a lawyer can use the logs to show that personal or protected information did not leave the client’s systems.

On the other hand, the lack of network logs would lead me to recommend that the company undertake complicated forensic steps — at significant cost — including the procurement of forensic images and assessments of those images as circumstantial evidence that information did not leave the safety of a client’s network. Not only that, but network logs insulate a client from a regulator’s watchful eye after an event. Having the logs to show a regulator that personal identifying information did not leave the client’s systems is proof that may assist in shutting a regulatory inquiry down.

While notice to consumers or affected individuals can be necessary and unavoidable in certain cyber scenarios, it is never a decision that I as an attorney make lightly. As mentioned above, notice alerts a consumer to a potential negligence claim against a company for failure to provide adequate security protections. Notice can lead to lawsuits and lawsuits can lead to liability. Notice is, in short, the legal nuclear option.

Ensuring that logging is turned on, captured, and preserved immediately after a cyber event is critical to mitigating legal risk. Having proof that information did not get into the hands of a cybercriminal after a simple cyber event will avoid significant expense and exposure. So, turn the logs on. Your lawyer will thank you.


Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she …

Article source: https://www.darkreading.com/risk/how-network-logging-mitigates-legal-risk-/a/d-id/1335828?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Ways VPNs Can Turn from Ally to Threat

VPNs are critical pieces of the security infrastructure, but they can be vulnerable, hackable, and weaponized against you. Here are seven things to be aware of before you ignore your VPN.

VPNs are critical pieces of the enterprise cybersecurity infrastructure. When it comes to protecting data in motion, there’s really no good substitute. And that’s why it can be so devastating to learn that this mandatory tool can carry vulnerabilities.

Before going any further, it’s important to note that nothing here is intended to suggest that your organization ditch its VPNs. Networking with VPNs is vastly more secure than networking without them. With that said, there’s no part of the enterprise IT infrastructure that qualifies as “set it and forget it,” and VPNs are not exceptions to this rule.

The dangers represented in this article fall into two broad categories. First are the vulnerabilities that are “designed in,” featuring problems with the logic, installation, or basic features of the VPN’s client or server.

Vulnerabilities in the second group are “classic” vulnerabilities — inadvertent errors in the code running on one side or other of the VPN, an issue with how a protocol is implemented, or something similar.

A number of the vulnerabilities listed in this article have been patched in recent versions of the software, illustrating once again the importance of keeping software updated and fully patched. More than that, the vulnerabilities listed here are a reminder that cybersecurity means looking at every piece of the IT infrastructure, whether it’s provided by the business or brought in by the employee. That goes for services as much as for products, and for security services as much as personal productivity applications.

(Image: Bits and Splits via Adobe Stock)

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/cloud/7-ways-vpns-can-turn-from-ally-to-threat/d/d-id/1335833?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Disgraced ex-Kaspersky guy made me do it, says bloke in Russian court on hacking charges

An accused Russian hacker has claimed Kaspersky’s former head of investigations blackmailed him into stealing approximately £150,000 from local banks.

Dmitry Popelysh is on trial in Moscow over allegations that he helped pinch more than 12 million roubles from financial institutions including Sberbank and VTB. But he told the court that one-time Kaspersky staffer Ruslan Stoyanov made him do it.

“Popelysh claims that the evidence in his case was fabricated, and that Ruslan Stoyanov, the former head of the Kaspersky Lab’s computer incident investigation department, forced him to break into [the bank accounts],” reported local news agency RBC today. Popelysh made his courtroom statement on 5 September.

In February, former police major Stoyanov was sentenced to 14 years in prison for treason after allegedly passing details of an FSB (post-Soviet spy agency) investigation to the US FBI.

Popelysh had been found guilty of hacking in 2012 but was given a suspended sentence. He claimed that Stoyanov, whom he said initially contacted him anonymously, had blackmailed him by threatening to activate his sentence and have him sent to prison unless he co-operated.

The accused further claimed that Stoyanov, whom he said had posed as an anonymous law enforcement person, demanded that Popelysh give him precise details of all the malware, access methods and login credentials used to hack the banks.

“In the course of further communication,” Popelysh claimed, “he reminded me that I was convicted of fraudulent acts against VTB24 Bank and that there were episodes of Sberbank that were not included in the case, but he ‘will give them a go’ if I contact the law enforcement bodies or I won’t co-operate with him.”

At his arrest for a fresh batch of bank hacks in May 2015, the anonymous person’s identity was revealed as Stoyanov, who was “personally present… and said that he was always faithful to his words and that I would now be in prison,” Popelysh told the court.

“Remember me? If you say a word about how we worked, I’ll find you in prison too, take everything on yourself and I will pull you out,” Stoyanov reportedly told Popelysh at his arrest, via Google Translate.

Stoyanov told the RBC news agency, through his lawyer, that Popelysh’s claims were untrue and said the hacker had told him personally that he intended to break into more banks’ systems and buy himself luxury goods with the proceeds.

Popelysh was charged in 2016 with hacking banks again. Although found guilty and sentenced to eight years, his conviction was overturned in March this year and a retrial was ordered.

RBC also reported that one Konstantin Kozlovsky, another convicted hacker currently serving a prison sentence, “claimed that he had been cooperating with the FSB for about 10 years” and said his FSB handler had ordered him to hack the US Democratic National Committee, Hillary Clinton’s private email server and the World Anti-Doping Agency. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/20/kaspersky_man_blackmailed_me_into_hacking_court_told/

HP Purchases Security Startup Bromium

The purchase will bring new isolation and threat intelligence capabilities to the HP portfolio.

HP has announced its acquisition of Bromium, an anti-malware startup whose technology isolates and contains browsers and applications in hardware-enforced micro-virtual machines. Already part of HP’s Sure Click, Bromium’s technology is slated to become part of the broader HP platform in the future.

According to the release announcing the purchase, Bromium’s protection and real-time threat intelligence will combine with HP’s Sure Sense, Sure View, and Sure Start as part of a comprehensive security solution. The release quotes statistics of 1 in 13 Web requests leading to malware and more than 500,000 new malware attacks every day as reasons why new security solutions are still needed.




Article source: https://www.darkreading.com/application-security/hp-purchases-security-startup-bromium/d/d-id/1335873?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Supply chain actors agree that everyone’s a security risk – except themselves, of course

Security surveys tend to confirm what we already knew a few months ago and the 2019 Global Cyber Risk Perception Survey (PDF) from Marsh and Microsoft does not disappoint.

This roller-coaster ride through the deepest thoughts of 1,500+ business leaders during February and March covers topics such as organisational confidence, approaches to adopting new technology and cyber security resilience.

Inevitably, much of it reads like a masterclass in stating the bleeding obvious.

Cyber risk had heightened since 2017, said 56 per cent of respondents. While 9 per cent expected to be done in by terrorists and 12 per cent were getting flustered over industrial espionage, 79 per cent felt cyber attacks should be their top business concern at the moment. Who’d have guessed?

In other questions, respondents said their governments should do more about the cyber threat, but that they had no confidence in government’s ability to do it right. Again, yup.

Much more fun was watching those in various supply chains point the finger at each other. A significant 39 per cent were concerned by the level of cyber risk posed to their organisations by their supply chain vendors. But when asked whether they themselves could be a risk to everyone else, only 19 per cent admitted they might.

Either way, a worrying 43 per cent said they probably wouldn’t be able to protect themselves from cyber threats if they came from their third-party partners.

If nothing else, the survey lays bare the fragility of the supply chain and that while participants are all too aware of it, they don’t know what they can do about it.

The survey concluded that supply chain risks should be managed as a collective issue, sharing security standards across the entire network, each organisation honestly evaluating its own cyber impact on its partners. A bit of joined-up thinking is what’s called for.

At the same time as Microsoft was reminding business leaders how scary cyber threats can be, its president Brad Smith was telling the US to stop blacklisting Huawei so that it can start supplying it with Windows software again. This must be some of that joined-up thinking in action. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/20/supply_chain_actors_agree_that_everyone_is_a_security_risk_except_themselves/