Farewell, Dear Password? The Future of Identity and Authorization

Many organizations are questioning whether eliminating passwords as an authentication tool would augment their overall security posture.

User authentication doesn’t get much easier than the password.

But for organizations across the globe, poor password hygiene has become one of the most challenging security issues. According to Troy Hunt, creator of HaveIBeenPwned, an increasing number of data breaches and data leaks are a direct result of weak passwords and password reuse. 

Verizon puts a number to that: More than 80% of breaches leverage stolen or weak passwords, according to its “2019 Data Breach Investigations Report.”  

“[Yet] despite their faults, passwords are enormously effective at one thing,” Hunt says. “Everybody knows and understands how to use them. Above everything else, passwords are a very, very low barrier to entry.”  

Perhaps, but many organizations, along with their tech teams, are questioning whether eliminating passwords as an authentication tool might augment their overall security posture.

New Mentality
For that to happen, organizations need to understand that password elimination in and of itself is a journey rather than a destination, says Phillip Dunkelberger, CEO of Nok Nok Labs. 

As a first step, organizations must determine what they are trying to accomplish. “Why are people eliminating passwords in the first place? If it’s not protecting anything, why do I care if I have to use passwords or not?” Dunkelberger says. 

If the goal is to make the user experience more convenient, the paradigm needs to shift from password authentication to a more seamless authentication. Organizations are typically looking at eliminating passwords either to improve the user experience or to improve security, but security and convenience don’t need to be mutually exclusive.

The reality is, keeping user information secure while ensuring privacy at a cost that fits within an organization’s budget has made transitioning away from passwords to an alternative authentication solution a challenge. Even though people tend to think passwords are free, “password reset is very costly,” Dunkelberger says. 

A recent study from OneLogin found that resetting passwords set businesses in the UK back at a loss of 2.5 months per year. Businesses large and small are struggling under the strain of poor password management practices, and this failure of managing passwords and the mundane administrative tasks is costing businesses time and money. 

According to Dunkelberger, the key to eliminating passwords is reducing the cost of alternative authentication solutions while providing privacy and using the best security in order to open a whole new world to the experience of the user. “The industry agrees that usernames and passwords need to be retired,” Dunkelberger says. 

Modern Thinking
One vehicle for transformation comes courtesy of the Fast IDentity Online Alliance (FIDO), which formed in 2012 to address interoperability issues in authentication devices as well as the growing password fatigue.

Increasingly, biometrics also are changing the way passwords are used and reducing the number of times users actually have to enter them. Rather than requiring a username and password to be entered repeatedly, the FIDO standards leverage user devices combined with biometrics in order to authenticate users to FIDO-enabled Web services in both mobile and desktop environments. 

Using standard public key cryptography, “the FIDO protocol allows you to do three key things: discover what is on a device, enroll the user, and select the most convenient way to login. Then it provisions you with a public/private key pair,” Dunkelberger says. 

FIDO’s newest set of specifications, FIDO2, which consists of a WebAuthn and a Client to Authenticator Protocol (CTAP) standard, is being used by tech giants from Google to Microsoft in order to build out platforms with stronger credentials through the use of private keys. These private keys are said to be more secure than passwords because “there is always a server to keep a copy of your password,” explains Dana Huang, director of engineering for Windows Security.

Microsoft recently announced that Windows 10 is going passwordless. “Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN,” the company said. 

This development follows in the footsteps of Apple, which released its facial identification technology, Face ID, on the iPhone X. Face ID is reportedly 20 times less likely to be hacked than a Touch ID fingerprint. 

A Dose of Reality
As much as some might hope, the evolution of authentication technologies doesn’t necessarily mean passwords will disappear. But it does mean the mechanisms of authentication are becoming both more secure and more user friendly as these tools evolve.

In fact, Hunt says he’d make a gentleman’s bet that five years from now we’ll have more passwords than we do today. “The interesting nuance, though, is what will it look like in terms of how we use passwords?” he asks. “How different will that be?”

As organizations continue to navigate the problem of passwords, it’s also important to think about human behavior, Hunt says. Regardless of how authentication and identity solutions evolve, human behavior will more than likely stay the same.

“People are continuously finding these human ways to get around the technical barriers to entry. The really important thing for organizations to understand is that human behavior causes people to find the path of least resistance,” Hunt says. 


Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …

Article source: https://www.darkreading.com/edge/theedge/farewell-dear-password-the-future-of-identity-and-authorization/b/d-id/1335265?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sextortion Email Scams Rise Sharply

Cybercriminals are increasingly trying to trick people into paying ransoms by threatening to expose compromising activities to friends and family.

Email scams in which cybercriminals attempt to extort money from victims by threatening to reveal something embarrassing about them are on the rise.

According to Symantec, between January and the end of May this year, it blocked some 289 million scam emails, many of them involving so-called “sextortion” attempts. Of these, about 30% were sent during a 17-day period around Valentine’s Day. The blocked emails were written in English and a dozen other languages, including Chinese, German, Italian, and Japanese.

Sextortion is a type of email scam in which cybercriminals attempt to extort money from individuals by claiming to have a recording of them engaged in intimate acts. Often the scam email informs victims that their webcams were hacked and used to make recordings of them visiting porn sites.

Attackers demand that victims send a specified amount of money in Bitcoin or other cryptocurrency — or risk having the alleged recordings sent to every contact in their address books. The emails convey a sense of urgency by demanding that victims pay the extortion amount within 24 or 48 hours.

The scam emails often include passwords and phone numbers recipients may have used or are currently using, to give the impression the attackers have access to a lot of their personal information. The goal is to make users fear their computers might have actually been hacked and used to observe potentially compromising actions.

In reality, the criminals likely obtained the data from one of the many large password dumps that have happened in recent years, Symantec said. In some cases, attackers have purported to be members of law enforcement who have discovered child pornography on victims’ computers.

Not all email scams that Symantec blocked in the first five months of this year were sextortion-themed. Several were bomb-scare emails where the sender claimed to have planted a bomb in a building that would be triggered unless the requested amount is paid in full.

The scam emails typically followed the same pattern with relatively minor variations in the messages. Some, for instance, included PDF attachments, others had links pointing to malicious sites, while some contained obfuscated text and other characters designed to evade spam filters. Users opening the attachments or clicking on the URLs to see the purported recording of their activities often ended up downloading malware on their systems.

Easy Payoff
For cybercriminals, mounting such scams is easy because all it involves is sending a spam email, says Kevin Haley, director of security response at Symantec. “You can take a new idea, throw it against the wall, and see if it works. If not, move on to the next idea,” he says.

Blackmailing people over their alleged sexual activity is not new. But the abundant email lists and credential data available on the Dark Web these days have made it relatively easy for attackers to launch convincing-looking scam campaigns, Haley notes. Often victims are tricked into believing attackers might have gathered personally compromising information.

“For the amount of effort and skill that is required to carry out these scams, it’s a solid return on investment [for attackers],” Haley says. Symantec estimates that the 5,000 most-seen Bitcoin addresses received a total of about $106,240 in May. “If we take that number as the average amount to make in a 30-day period for these kinds of scams, that’s just over $1.2 million in a year,” Haley says.

For the most part, sextortion scams are consumer-focused. But reports about attackers using spear-phishing emails to target individuals in corporate settings have come out as well. For instance, earlier this year researchers from Barracuda Networks analyzed some 360,000 spear-phishing emails and found one in 10 involved sex-themed blackmail.

Barracuda found that the subject lines on a majority of sextortion emails contained some form of security alert and often included the victim’s email address or password, too.

Though sextortion scams are twice as likely as business email scams in a corporate setting, they are often under-reported because of the intentionally embarrassing and sensitive nature of the content, Barracuda discovered. IT teams often are unaware of these attacks because employees don’t report them regardless of whether they paid the demanded ransom.

For enterprises, the increase in sextortion and other scams highlights the need for strong email security controls, Haley says. “If these threats do not hit the end users’ mailbox, then they do not become an issue,” he notes. “Additionally, organizations need to educate their employees on the existence of these threats so they do not get fooled.”  


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/sextortion-email-scams-rise-sharply/d/d-id/1335377?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Hat Q&A: Cracking Apple’s T2 Security Chip

Duo Labs’ Mikhail Davidov and Jeremy Erickson speak about their research on Apple’s T2 security chip, and why they’re sharing it at Black Hat USA.

Apple’s T2 security chip is responsible for (among other things) enabling Secure Boot and safeguarding biometric Touch ID data on Apple devices. It’s a key piece of Apple’s security system, and you’ll get an expert look at how it works at the upcoming Black Hat USA in Las Vegas from Duo Labs’ Mikhail Davidov and Jeremy Erickson.

The two will present Inside the Apple T2, a 50-minute Briefing about the T2 chip derived from research and reverse-engineering. Attendees will learn how the Secure Boot process works, what attacks may be mitigated, and what attack surfaces it exposes to both the OS and application layers. Davidov and Erickson will also share insight into their research and why they’re sharing it at Black Hat USA.

Alex: Hey Mikhail and Jeremy, thanks for taking the time to chat! Can you tell us a bit about who you are, and your recent work?

Mikhail and Jeremy: We’re both researchers on Duo’s advanced research team. Duo Labs is a team of hackers, researchers, and engineers dedicated to protecting the public by identifying and fixing security vulnerabilities on a broad scale. We do this by prototyping new features and products, and conducting research into security systems used by the broader computing community.

Apple’s T2 chip is a good example of the kind of security mechanism we explore, since it has far-reaching impact across the security space and gives us a glimpse of where this technology is headed.

Alex: What are you planning to speak about at Black Hat this year, and why now?

Mikhail and Jeremy: We will discuss what role the T2 plays in assuring system integrity, as well as how one may communicate with the chip from macOS.

Historically, there’s been limited information available on the internal workings of Apple’s hardware and software. At Duo Labs we believe in the concept of democratizing security. We strive to enable other researchers to leverage our work and tooling to further the field. Understanding the security underpinnings of a system is critical to being able to trust it, and more eyes on any critical piece of technology will help uncover vulnerabilities.

Alex: Why do you feel this is important, and what are you hoping Black Hat attendees will learn from your presentation?

Mikhail and Jeremy: Our work is one of the earlier investigative studies on the internal workings of the T2 chip. We document and share our understanding of Apple’s implementation of the secure boot process which is the foundation of modern platform security. Additionally, we reverse engineered Apple’s XPC message format and produced documentation and tooling that enables further exploratory research. We hope our talk will serve as a primer into further investigation by the greater security community and that our tooling will enable them.

Alex: What’s been the most interesting aspect of cracking the T2 chip?

Mikhail and Jeremy: We characterize our work as exploring and documenting how the T2 chip functions beyond what Apple has published. Our research shows that the T2 chip remains probably the most secure boot-process on consumer systems today as it tries to bring the platform integrity features available on the battle-hardened iPhone to the macOS ecosystem. That said, it was particularly interesting to find just quite how much attack surface the ‘remotectl’ utility exposes from the T2 chip to macOS.

In our talk we’ll show how, with a little understanding of the XPC message format, additional T2 functionality can be exercised over this channel and highlight areas for further research. Complete details of our T2 research can be found on Duo Labs.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-qanda-cracking-apples-t2-security-chip/d/d-id/1335370?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Can We Stop Ransomware From Spreading?

Here’s how to stop it – or at least limit the systems it can reach.

Question: Recently, my team has been seeing a new wave of attempts to load ransomware into our system. What can we do to stop them or at least limit the systems it can reach?

Akamai: There are a couple of different ways to go about doing this. 

Most ransomware that we’ve seen is usually deployed via some sort of phishing attack. The victim gets an email, they click on an attachment or a link, the ransomware gets loaded, and from there it starts spreading through the network, encrypting as it goes along. Practicing good email hygiene and training users on what to do when they get emails with attachments is a decent first step. But we all know that human beings are fallible, and it’s likely something might slip through.

As we get more complicated and into more technical controls, most ransomware needs to communicate out to some sort of command-and-control server. That’s where it’s going to register that it infected a system and get further instructions regarding the keys for decryption and other parts of the attack. You can intercept that by blocking it at a DNS level, or you can sometimes block it by doing some sort of outbound detection for a communication reaching out to a very strange domain name. Almost all of the common ransomware families use domain name generation algorithms, so domains that look like random strings are a good clue that there’s something going on.

Once ransomware has gotten a foothold in and is spreading through the network, things get a little bit trickier. You can try implementing some sort of firewall setup, what’s sometimes referred to as microsegmentation. However, this can mean a lot of administrative overhead for your IT staff to constantly update firewalls and make sure only necessary ports are in place.

Another approach is rolling out something like a zero-trust model, in which rather than endpoints connecting to a network and from there reaching out to other assets, databases, or Web apps, what we’re actually communicating with is an application proxy. As a result, ransomware – really any malware – that’s going to try to spread isn’t going to be able to go anywhere because all of those commands are being intercepted by the proxy, and only the commands that need to be sent to the application are sent through.

Regardless of what kind of preventative strategy you take, the other thing every organization should do is have a really good backup strategy. Knowing that you can restore data and get back up and running after a ransomware attack can be a lifesaver.


Article source: https://www.darkreading.com/edge/theedge/how-can-we-stop-ransomware-from-spreading/b/d-id/1335366?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Oh sh*t’s, 11: VxWorks stars in today’s security thriller – hijack bugs discovered in countless gadgets’ network code

Wind River has patched 11 security vulnerabilities in VxWorks that can be potentially exploited over networks or the internet to commandeer all sorts of equipment dotted around the planet.

This real-time operating system powers car electronics, factory robots and controllers, aircraft and spacecraft, wireless routers, medical equipment, digital displays, and plenty of other stuff – so if you deploy a vulnerable version of VxWorks, and it is network or internet-connected, you definitely want to check this out.

This set of bugs seemingly primarily affects things like printers and gateways, we must point out.

The vulnerabilities, discovered by security outfit Armis, can be exploited to leak internal device information, crash gadgets, and – in more than half of the flaws – execute malicious code on machines. It is estimated that VxWorks runs on two billion devices as an embedded OS, though Armis reckoned 200 million gizmos are actually potentially affected. Wind River told El Reg it reckons that second figure, as an estimate, is too high.

According to Armis [PDF] today, all 11 of the vulnerabilities (dubbed Urgent/11 for marketing purposes) are found in the VxWorks TCP/IP stack, IPnet. Bear in mind, this stack can be found in non-VxWorks systems: Wind River acquired it in 2006 when it bought Interpeak, which had licensed its code to other real-time operating system makers.


As such, an attacker needs network access to a vulnerable device, either on a LAN or over the internet if for some reason the gadget is public facing. VxWorks version 6.5 or higher, released circa 2006, with IPnet is vulnerable, except VxWorks 7 SR0620, which is the latest build: it contains patches that fix the aforementioned holes, and was released on July 19 following Armis’ discovery of the blunders. Safety-certified flavors of the OS, such as VxWorks 653 and VxWorks Cert Edition, are said to be unaffected.

“As each vulnerability affects a different part of the network stack, it impacts a different set of VxWorks versions,” Armis researchers Ben Seri, Gregory Vishnepolsky, and Dor Zusman said in a write-up. “As a group, URGENT/11 affect VxWorks’ versions 6.5 and above with at least one remote code execution vulnerability affecting each version.”

Should a miscreant be able to connect to a vulnerable VxWorks device, they would potentially be able to send packets that could exploit any of the six critical flaws (CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12257) to gain remote code execution, thus leading to a complete takeover of the hardware.

Obviously, the seriousness of the exploit would depend on the device itself and where it sits on the network. External-facing devices like firewalls and routers could be pwned to act as the springboard for a larger attack, or embedded devices like industrial appliances could be exploited to cause physical damage.

Additionally, a hacker could cause a denial of service via two of the bugs (CVE-2019-12258, CVE-2019-12259), leak information (CVE-2019-12265), or tamper with devices through logic flaws (CVE-2019-12264, CVE-2019-12262).


Wind River is advising folks to update their installations to protect against exploits, though none have been reported in the wild so far – which is good news because VxWorks-powered equipment typically runs constantly in critical functions where sudden outages for upgrades are most unfavorable. Also, you can’t just push firmware updates out to machinery and hope for the best: new builds have to go through rounds of testing first.

“In addition to the difficulty in identifying which devices run VxWorks, device manufacturers are also faced with a challenge to provide firmware upgrades within a reasonable time,” the Armis researchers noted. “Many VxWorks devices, such as medical and industrial devices, are required to go through extensive testing and certification processes before firmware updates can be provided to end-users.”

A spokesperson for Wind River told The Register VxWorks “has built-in security features that protect against the vulnerabilities when enabled,” meaning it’s quite possible at-risk devices will automatically thwart exploit attempts using defenses such as non-executable stacks – if enabled, of course. It is also possible to firewall off VxWorks-powered equipment from the rest of the network or world, of course.

They added that vulnerable machines likely “make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are internet-facing such as modems, routers, and printers.”

There’s more info over here in an FAQ from Wind River. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/29/wind_river_patches_vxworks/

Microsoft preps to purge its cloud access security broker of shonky crypto protocols TLS 1.0, 1.1

Transport Layer Security (TLS) 1.0 and 1.1 are to be axed for users of Microsoft Cloud App Security (MCAS) from 8 September as the company shores up security with a requirement for TLS 1.2+.

It has been a while coming. The company announced that it wanted to kill off TLS 1.0 and 1.1 last year, joining with Apple, Google and Mozilla in agreeing that 2020 would be when the tech would be put out to pasture in favour of newer, shinier and more secure versions.

MCAS is a multimode cloud access security broker. The thinking behind it is to control data travel around the cloud and combat threats arising from the brave, new world. The tool maps an organisation’s cloud environment and then allows an administrator to tweak policies defining access and what apps can and can’t do.

It can be hard to avoid MCAS: while the thing can be licensed as a standalone product, it also crops up in various guises through Microsoft’s labyrinthine subscription options (PDF).

TLS itself is a successor to the venerable Secure Sockets Layer (SSL) originally developed by Netscape back in the day. While SSL 3.0, introduced in 1996, was deprecated in 2015, TLS 1.0 celebrated its 20th birthday this year and looks set to linger into 2020 before software makers finally put a bullet in it.

The technology is all about securing communications over a network. The vast majority of websites use the tech to keep things private between browser and server, with most supporting at least version 1.2. However, while TLS is an improvement on decades past, attackers have taken advantage of implementation flaws in more recent years to decrypt sensitive information.

The latest version of the protocol is version 1.3, which the likes of Google and Mozilla now support, but Microsoft does not, at least in the venerable Internet Explorer 11 browser. The Chromium-based Edge does enjoy the extra security but remains very much a work in progress. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/29/tls_microsoft_cloud_security/

Capital One gets Capital Done: Hacker swipes personal info on 106 million US, Canadian credit card applicants

A hacker raided Capital One’s cloud storage buckets and stole personal information on 106 million credit applicants in America and Canada.

The swiped data includes 140,000 US social security numbers and 80,000 bank account numbers, we’re told, as well as one million Canadian social insurance numbers, plus names, addresses, phone numbers, dates of birth, and reported incomes.

The pilfered data was submitted to Capital One by credit card hopefuls between 2005 and early 2019. The info was siphoned between March this year and July 17, and Capital One learned of the intrusion on July 19.

Seattle software engineer Paige A. Thompson, aka “erratic,” aka 0xA3A97B6C on Twitter, was suspected of nicking the data, and collared by the FBI at her home on Monday this week. The 33-year-old has already appeared in court, charged with violating the US Computer Fraud and Abuse Act. She will remain in custody until her next hearing on August 1.

According to the Feds in their court paperwork [PDF], Thompson broke into Capital One’s cloud-hosted storage, believed to be Amazon Web Services’ S3 buckets, and downloaded their contents.

The financial giant said the intruder exploited a “configuration vulnerability,” while the Feds said a “firewall misconfiguration permitted commands to reach and be executed” by Capital One’s cloud-based storage servers. US prosecutors said the thief slipped past a “misconfigured web application firewall.”

Either way, someone using VPN service IPredator and the anonymizing Tor network illegally accessed the bank’s in-the-cloud systems, and downloaded citizens’ private data. This “misconfiguration” has since been fixed. Thompson was, by the way, an engineer at Amazon between 2015 and 2016, we understand.

In a webpage dedicated to the hack, Capital One said:

Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.

Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised. The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019.

This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

Capital One said it is “unlikely” the stolen information was shared with anyone else before Thompson was cuffed. Interestingly enough, the FBI said certain info, notably the social security and insurance numbers, was tokenized or encrypted, whereas Capital One reckoned at least some were compromised as a result of the theft. This suggests most, though not all, of the numbers were scrambled and useless to outsiders. The credit card biz went on to say:

Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

* Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information

* Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

No bank account numbers or Social Security numbers were compromised, other than:

* About 140,000 Social Security numbers of our credit card customers

* About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

Affected customers will be alerted to the cyber-raid, we’re told, and offered the usual free identity theft and credit monitoring protection. An FAQ is available here for more details.

Arrest

It is alleged Thompson bragged about her hack to pals on an infosec-themed Slack workspace, and spilled the beans on a public GitHub Gist post – a move that led the Feds literally to her front door with a search warrant.

According to Uncle Sam, a GitHub user spotted erratic’s Gist post containing information about Capital One’s systems, and privately emailed the financial giant to warn it may have been cyber-plundered by miscreants. Erratic’s Gist listed details of some 700 Capital One cloud buckets, as well as commands to access them, the FBI claimed, and when the bank’s techies tested these commands, they found they were indeed able to retrieve credit card applicants’ data.

Specifically, one command obtained credentials for the next two commands, which listed Capital One’s S3 buckets, and fetched their contents. A peek inside Capital One’s system logs showed those commands were used earlier this year by someone outside the bank, via Tor and IPredator.


Two days later, Capital One called in the FBI, which claimed they were able to, from the Gist post, identify Thompson from her GitHub account as it used her full real name. This name led investigators to her home address via Washington state’s driving license database. Her GitHub account also linked to her systems engineer resume on a GitLab account. Her GitHub account was also accessed by the same IPredator IP addresses as those used to break into Capital One’s S3 buckets, it is claimed.

Thompson also, it is alleged, told a friend via private message, “I’ve basically strapped myself with a bomb vest, fucking dropping Capital Ones [sic] dox and admitting it. I wanna distribute those buckets I think first. Theres [sic] SSNs… with full name and DoB.” Said friend tipped off Capital One, the FBI said.

When agents rifled through her belongings at her Seattle home, they found storage devices containing the stolen Capital One data, it is claimed. She was promptly arrested and charged.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Capital One CEO and chairman Richard Fairbank.

“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Brian Moran, US Attorney of the western district of Washington state, added: “Capital One quickly alerted law enforcement to the data theft – allowing the FBI to trace the intrusion. I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/30/capital_one_hacked/

Sephora Offers Monitoring Services in Wake of Data Breach

The data breach compromised data belonging to customers in parts of Southeast Asia, Australia, and New Zealand.

Sephora is addressing a data breach affecting some customers who shopped online in Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong SAR, Australia, and New Zealand. The incident reportedly took place within the last two weeks.

The company has contacted those affected by the incident, which reportedly exposed customers’ first and last names, birthdate, gender, email address, encrypted password, and personal beauty preferences to unauthorized third parties. Officials say no credit card numbers were compromised and that they have found no evidence victims’ data has been misused. Investigators have not found a “major vulnerability” on Sephora’s Southeast Asia websites.

As a precaution, Sephora has cancelled all current customer account passwords and reviewed its security system. It’s also offering a personal data monitoring service free of charge to those affected, wrote Alia Gogi, Sephora’s managing director for SEA, in an email to victims. Shoppers are urged to change their passwords, if they haven’t yet, and register for the service by Nov. 31.

Read more details here.

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/sephora-offers-monitoring-services-in-wake-of-data-breach/d/d-id/1335373?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Deutsche Bank Email Vulnerability Left Ex-Employees with Access

Failures in computer and control systems are being blamed.

When Deutsche Bank left the equities trading business, employees in that division were let go. However, their access to their Deutsche Bank email accounts lasted for several weeks after they were shown the door.

While access to trading and other financial systems was immediately terminated along with the individuals’ employment, email accounts were missed for some employees for a period of time. According to the bank, a review of the accounts shows that no confidential or inappropriate information was transferred after the employees left the company.

Some observers say the vulnerability, which has now been closed, is indicative of issues with the bank’s computer systems and general controls. Deutsche Bank is now investing approximately $4.5 billion to address that.
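The failure described here, access cut in the trading systems but mailboxes left enabled for weeks, is exactly what a leaver reconciliation check is meant to catch. The following is an added example and not Deutsche Bank's code: it compares constructed HR leaver records against constructed per-system account states, reports enabled accounts past their termination date, and separately lists leavers whose offboarding was only partial.

```python
from datetime import date

# Constructed sample data, not Deutsche Bank's records. Trading access for both
# leavers was cut, but jdoe's mailbox is still enabled three weeks later.
HR_LEAVERS = [
    {"user": "jdoe", "terminated": date(2019, 7, 5)},
    {"user": "asmith", "terminated": date(2019, 7, 5)},
]
ACCOUNTS = [
    {"system": "trading", "user": "jdoe", "enabled": False},
    {"system": "email", "user": "jdoe", "enabled": True},
    {"system": "trading", "user": "asmith", "enabled": False},
    {"system": "email", "user": "asmith", "enabled": False},
    {"system": "email", "user": "bwong", "enabled": True},  # still employed
]


def stale_access(hr_leavers, accounts, as_of, grace_days=0):
    """Return enabled accounts belonging to leavers whose termination date is
    more than grace_days before as_of, one finding per (system, user)."""
    terminated = {r["user"]: r["terminated"] for r in hr_leavers}
    findings = []
    for acct in accounts:
        term = terminated.get(acct["user"])
        if term is None or not acct["enabled"]:
            continue
        overdue = (as_of - term).days - grace_days
        if overdue > 0:
            findings.append({"system": acct["system"], "user": acct["user"],
                             "days_overdue": overdue})
    return sorted(findings, key=lambda f: (f["user"], f["system"]))


def partial_offboarding(hr_leavers, accounts):
    """Leavers revoked in some systems but still enabled in others: the
    inconsistency that points at a broken joiner/mover/leaver process."""
    leavers = {r["user"] for r in hr_leavers}
    state = {}
    for acct in accounts:
        if acct["user"] in leavers:
            state.setdefault(acct["user"], {})[acct["system"]] = acct["enabled"]
    return {u: sorted(s for s, on in systems.items() if on)
            for u, systems in state.items()
            if any(systems.values()) and not all(systems.values())}
```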

Read more here.


Article source: https://www.darkreading.com/vulnerabilities---threats/deutsche-bank-email-vulnerability-left-ex-employees-with-access/d/d-id/1335375?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple