STE WILLIAMS

How Serverless Computing Reshapes Security

The new division of responsibility moves some security concerns off a business’s plate while changing priorities for other risks.

Serverless computing is an exciting new approach in the world of cloud infrastructure that lets developers write small code functions and publish them to the cloud, where the platform runs them on demand. This new model overhauls many aspects of operations and unlocks opportunities for cost reduction, and large and small organizations are trying it out.

Alongside its operations impact, serverless computing and its underlying function-as-a-service (FaaS) platform also carry significant security implications. The new division of responsibility moves some security concerns off a business’s plate while simultaneously magnifying or shuffling priorities for other risks.

Risks You Can Worry About Less
First and foremost, serverless computing, as its name implies, lowers the risks involved with managing servers. While the servers clearly still exist, they are no longer managed by the application owner, and are instead taken care of by the cloud platform operators — for instance, Google, Microsoft, or Amazon. Efficient and secure handling of servers is a core competency for these platforms, and so it’s far more likely they will handle it well.

The biggest concern you can eliminate is addressing vulnerable server dependencies. Patching your servers regularly is easy enough on a single server but quite hard to achieve at scale. As an industry, we are notoriously bad at tracking vulnerable operating system binaries, leading to one breach after another. Stats from Gartner predict this trend will continue into and past 2020. With a serverless approach, patching servers is the platform’s responsibility.

Beyond patching, serverless reduces the risk of a denial-of-service (DoS) attack. No server management also means no capacity management, as FaaS automatically provisions ad hoc servers to meet incoming demand. Such optimal scaling reduces the chance of an outage, including one attempted deliberately through a DoS attack. Attacks trying to take down a server will be stopped, as the platform kills the crippled server within seconds alongside launching new ones for new clients. Serverless computing won’t help against a high-volume distributed DoS attack, but the risk and damage of a DoS attack is greatly diminished.

Lastly, FaaS offers an opportunity to apply fine-grained permission control. Each deployed function has to be granted explicit access to data, services, and other functions, and similar policies control who can invoke each function in the first place. Since functions are smaller than full applications, we can greatly reduce the number of code paths that access our sensitive data, as well as reduce the damage an attacker can do following a successful exploit. This granularity offers a great security opportunity, but it requires additional effort in configuring and maintaining such accurate policies.
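One way to keep such per-function policies accurate is to audit them automatically. The sketch below is an added example, not code from the original article: it assumes AWS IAM-style JSON policy documents, and the function names, policies and the `NEEDS` map (the actions each function's code actually uses) are constructed for illustration.

```python
"""Audit per-function permission policies for grants broader than the code needs."""

# Constructed sample data: one IAM-style policy per deployed function.
POLICIES = {
    "resize-image": {"Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-uploads/*"},
    ]},
    "send-receipt": {"Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"},
        {"Effect": "Allow", "Action": "ses:SendEmail", "Resource": "*"},
    ]},
    # A single statement may appear as an object instead of a list.
    "legacy-admin": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    "lookup-order": {"Statement": [
        {"Effect": "Allow", "Action": "dynamodb:GetItem",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"},
    ]},
}

# Assumption: the actions each function really calls, e.g. gathered in code review.
NEEDS = {
    "resize-image": {"s3:GetObject", "s3:PutObject"},
    "send-receipt": {"dynamodb:GetItem", "ses:SendEmail"},
    "legacy-admin": set(),
    "lookup-order": {"dynamodb:getitem"},  # action names compare case-insensitively
}


def as_list(value):
    """Policy fields may hold one value or a list of values; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, needed_actions):
    """Return (finding, detail) tuples for every over-broad Allow grant."""
    needed = {a.lower() for a in needed_actions}
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(("negated-allow", "Allow with NotAction/NotResource"))
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(("wildcard-action", action))
            elif action.lower() not in needed:
                findings.append(("unused-grant", action))
        for resource in as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(("wildcard-resource", resource))
    return findings


def audit_all(policies, needs):
    """Audit every function; a function with no declared needs gets an empty set."""
    return {name: audit_policy(doc, needs.get(name, set()))
            for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in audit_all(POLICIES, NEEDS).items():
        print(name, "OK" if not findings else findings)
```

Run in a deployment pipeline, a non-empty findings list for any function can fail the build before the over-broad policy ships.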

The Risks That Bubble to the Top
Unfortunately, every architecture has its flaws, and serverless computing also triggers an increase in certain risks, caused by the statelessness and flexibility that also make it shine. In addition, by mitigating the above concerns, serverless computing draws attacker attention to other attack vectors, which remain open.

The first concern to grow with FaaS is the moving and storage of data. Since serverless forces all functions to be stateless, sensitive cached data, such as user sessions and negotiated keys, cannot be kept in memory and must be moved and stored in an external location. Moving the data risks leaking it in the process, and storing the data elsewhere requires security controls on the new database, and may have compliance implications as well. These data concerns are not new ones, but since data is moved and stored more often, the risk of a security failure grows.

Beyond data, serverless apps also make greater use of third-party services. Due to their event-driven nature, as well as the mentioned requirement that functions remain stateless, serverless applications rely more heavily on third-party services than typical apps. These services may be offered by the cloud platform itself or by external providers, and range from authentication to storage to email and messaging services. Each interaction with a third party needs multiple security controls, and the eventual dependency chain carries the risk of being only as strong as its weakest link.

This third-party risk also applies to software, in the form of vulnerable open source libraries. Similar in nature to server dependencies, vulnerable application dependencies can cause serious harm, as demonstrated in Equifax being breached through a vulnerable Java library. Functions make heavy use of these libraries, most commonly pulled from npm and PyPI, and many FaaS platforms fetch them as part of their built-in provisioning. The platforms do not, however, manage these dependencies, which means you must monitor for known vulnerabilities in application dependencies yourself to remain secure.

Last but not least, a serverless approach increases your attack surface. Breaking up your applications into small functions allows for great flexibility as you combine functions in different ways but also exposes great risk. Functions may be invoked in many different execution sequences, and they can’t rely on input validation, authorization, or similar controls to have already happened. To properly secure a FaaS application, make sure each function maintains its own perimeter, and invest in security libraries and processes that help make such defense in depth easier.
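What "each function maintains its own perimeter" can look like in a handler, as an added example that is not part of the original article: the function authenticates, authorizes and validates input itself instead of trusting whatever invoked it. The event shape, the HMAC-signed token format, the scope name and the order-ID pattern are assumptions made for illustration, and the signing key is a constructed value.

```python
"""A FaaS handler that enforces its own perimeter on every invocation."""
import base64
import hashlib
import hmac
import json
import re
import time

SIGNING_KEY = b"constructed-demo-key"  # assumption: loaded from a secret store in practice
REQUIRED_SCOPE = "orders:read"         # hypothetical scope this function requires
ORDER_ID_RE = re.compile(r"ORD-[0-9]{6}")


def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims):
    """Issue an illustrative token: base64url(claims JSON) + '.' + base64url(HMAC-SHA256)."""
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(mac)


def verify_token(token, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
    except (AttributeError, TypeError, ValueError):
        return None  # missing, malformed or undecodable token
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        return None
    return claims


def validate_input(raw_body):
    """Accept only a JSON object with exactly one well-formed 'order_id' field."""
    try:
        data = json.loads(raw_body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict) or set(data) != {"order_id"}:
        return None
    order_id = data["order_id"]
    if not isinstance(order_id, str) or not ORDER_ID_RE.fullmatch(order_id):
        return None
    return order_id


def handler(event, context=None, now=None):
    """Entry point; 'now' exists only so the expiry check can be exercised in tests."""
    if not isinstance(event, dict):
        return {"status": 400, "error": "malformed event"}
    # 1. Authenticate here, even if an upstream gateway claims it already did.
    claims = verify_token(event.get("token"), now)
    if claims is None:
        return {"status": 401, "error": "unauthenticated"}
    # 2. Authorize this specific function, not the application as a whole.
    scopes = claims.get("scope")
    if not isinstance(scopes, list) or REQUIRED_SCOPE not in scopes:
        return {"status": 403, "error": "forbidden"}
    # 3. Validate input, because another function or event source may call us directly.
    order_id = validate_input(event.get("body"))
    if order_id is None:
        return {"status": 400, "error": "invalid input"}
    return {"status": 200, "order_id": order_id, "requested_by": claims.get("sub")}


if __name__ == "__main__":
    demo = sign_token({"sub": "alice", "scope": [REQUIRED_SCOPE], "exp": time.time() + 60})
    print(handler({"token": demo, "body": '{"order_id": "ORD-123456"}'}))
```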

Is Serverless Better for Security?
Serverless computing offers an incredible opportunity to accelerate the pace at which we develop applications while dramatically reducing the cost of operating them. With the powerful benefits it brings to the table, it seems clear it is here to stay, and its adoption will rapidly grow.

Like many things, a serverless approach doesn’t clearly improve or worsen security; it simply changes priorities. Notably, it reduces the security concerns revolving around servers and raises the ones related to applications. In a serverless context, worry less about capacity planning and server dependencies and more about moving data, applying permissions, and managing vulnerable application dependencies.

By adjusting our priorities and focusing on these updated concerns, we can make the reduction of servers lead to a reduction of risk.

Guy Podjarny is CEO and Co-Founder at Snyk.io, focusing on securing the Node.js and npm world. Guy was previously CTO at Akamai, founded Blaze.io (acquired by Akamai), helped build the first Web app firewall and security code analyzer, and was in the Israeli army cyber units.

Article source: https://www.darkreading.com/cloud/how-serverless-computing-reshapes-security/a/d-id/1331265?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Puerto Rico’s Electric Utility Hacked in Weekend Attack

Service was disrupted but no customer records compromised, officials said.

PREPA, the power utility company of Puerto Rico, saw its computer infrastructure suffer an attack on Sunday, but no customer records were compromised. That’s the bad and good news according to statements from the company.

With no customer records compromised and no impact on the electrical grid, the biggest effect of the attack was on wait times at the utility’s customer service center, which were somewhat longer than normal.

PREPA told Reuters that the perpetrators are currently unknown, though the company is working with authorities to identify the hacker and ensure that no damage remained in the system.

Puerto Rico’s electrical utility has suffered a number of setbacks in recent months, from an aging physical infrastructure to bankruptcy to Hurricane Maria.

Article source: https://www.darkreading.com/attacks-breaches/puerto-ricos-electric-utility-hacked-in-weekend-attack/d/d-id/1331328?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Now that’s a bad trip: 880k credit cards ‘likely’ stolen by Orbitz hackers

Vacation-booking biz Orbitz has warned that sensitive details on as many as 880,000 credit cards have “likely” been stolen from its servers by hackers.

In a statement today, US-based Orbitz said it discovered evidence of an intrusion on one of its legacy platforms on March 1, and called in a third-party forensics team. It now looks as though its central booking system was penetrated – and names, payment card information, dates of birth, phone numbers, email addresses, physical and/or billing addresses, and customers’ gender could have been stolen.

“Ensuring the safety and security of the personal data of our customers and our partners’ customers is very important to us,” the Expedia-owned outfit stated. “We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners.”

The Chicago biz claims people’s private details were potentially snatched between January 1, 2016, and December 22, 2017, which is a huge chunk of information. This potentially includes data entered via Orbitz-powered sites, such as American Express’s Amextravel.com.

Social security numbers, passport details, and travel itineraries were not swiped, the company insisted. It is still investigating the cyber-break-in, and has promised one year of free credit monitoring and identity protection service to those affected, as well as to its partners. ®

PS: Active.com has admitted today it was hacked, with names, addresses, email addresses, credit or debit card numbers, expiration dates, and cardholder verification codes entered into its network of websites lifted by miscreants between December 2016 and September 2017. Customers have been notified by email.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/20/orbitz_hack/

CTS who? AMD brushes off chipset security bugs with firmware patches

AMD has finally weighed in with its opinion of the security flaws in its Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile chips, identified in a rather over-the-top fashion by CTS-Labs a week ago.

The vulnerabilities affect the firmware managing the AMD Secure Processor and the chips used in some socket AM4 and socket TR4 desktop platforms running AMD silicon.

In a post on the AMD website on Tuesday, Mark Papermaster, senior VP and CTO of AMD, downplays the severity of the bugs and promises firmware fixes to come.

“It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings,” said Papermaster.

“Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”

Papermaster adds that modern operating systems and hypervisors have additional security controls, such as Microsoft Windows Credential Guard, that can prevent the privilege elevation necessary to exploit the vulnerabilities identified.

He points to observations made last week by Dan Guido, CEO of security firm Trail of Bits and the researcher who helped verify CTS-Labs’ findings, that attempt to clarify the risks posed by the flaws.

Guido last week said much the same thing as Papermaster, that the bugs are not easy to exploit.

“There is no immediate risk of exploitation of these vulnerabilities for most users,” said Guido. “Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities.”

AMD says it will provide firmware patches through a BIOS update for MASTERKEY, FALLOUT, and RYZENFALL, and will also provide a firmware fix for its Secure Processor (PSP) in the coming weeks. The company insists there will be no performance hit.

The chip designer said it also intends to release a mitigation patch through a BIOS update for the CHIMERA bug. In addition, it is “working with the third-party provider that designed and manufactured the ‘Promontory’ chipset on appropriate mitigations.”

Papermaster added that the security issues identified by CTS-Labs are not related to the vulnerabilities identified by a Google researcher in January this year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/21/amd_brushes_off_chip_flaws/

Commonwealth Games are just the ticket for Facebook

Facebook may be up to its armpits in alligators, but that hasn’t stopped Australia’s Gold Coast Council from chumming up with the ad-farm to offer free Wi-Fi to visitors at the upcoming Commonwealth Games.

The council, which has laid AU$5 million worth of its own broadband fibre backbone, is following a model familiar to cafe and laundromat Wi-Fi: it’ll use Facebook as a sign-in mechanism for the network.

The Commonwealth Games (for US readers, think of it as an Olympics for countries willing to identify with the vestigial British Empire) run from April 4 to April 15. Visitor forecasts predict 672,000 punters will attend the event.

The Australian Broadcasting Corporation today reported that visitors will be offered a lower-capacity connection without tracking, but to get the fastest connection, they’ll have to use the Facebook login.

The council’s chief innovation officer Ian Hatton promised the council would make only “limited” use of the data harvested via Facebook: personal data won’t be shared with other government agencies, and it will only be used to compile reports for the tourism industry.

There’s no word on how Facebook will use the data, however. At the very least, The Social Network™ will see when individuals log into the Wi-Fi, along with its usual haul of posts, Likes, and non-Facebook sites visited (if they carry Facebook’s cookie).

Since many Facebook add-on apps pull data from other users’ apps, the data slurp could well reach far beyond the footprint of users accessing the Commonwealth Games network.

What a week Gold Coast Council chose for this announcement, given that The Social Network™ stands accused of naive indifference – at best – in the Cambridge Analytica affair. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/21/commonwealth_games_wifi_better_with_facebook/

Creaking Chromebooks getting Meltdown protection soon

Older Chromebook owners should keep an eye open for Chrome OS updates, because Google’s announced they’ll get Meltdown protection soon.

The fix for the now-notorious speculative execution side-channel will arrive in Chrome OS 66. This went to the beta channel for Android last Friday (March 16).

Older Chromebooks running kernel 3.14 or 3.8 will get the Kernel Page Table Isolation (KPTI) Meltdown mitigation in Chrome OS 66.

The vendor list had all the familiar names: Acer, ASUS, Dell, Lenovo, Toshiba and Google (for kernel 3.14); with HP, LG and Samsung added to that list for kernel 3.18 machines.

Intel-based Chromebooks received the retpoline compiler-based mitigation as of Chrome OS 65.

As the advisory noted, ARM-based Chrome OS devices weren’t subject to Meltdown, and Google’s still working to implement ARM’s Spectre remediations.

On March 20, Chrome OS 65 had a separate bug-fix release for its Windows, Linux and Mac desktop version. There was one security fix in release 65.0.3325.181, but for now the nature of the fix is under wraps while the update rolls out. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/21/chrome_os_66_meltdown_fix/

A Look at Cybercrime’s Banal Nature

Cybercrime is becoming a more boring business, a new report shows, and that’s a huge problem for victims and law enforcement.

A new study of the black market supporting cybercriminals shows how closely the workings of this underground echo those of the legitimate business world.

From product reviews and online reputation to free samples and technical support, cybercriminals need the same sort of services used by any consumer. In the criminal world, those tend to require knowledge of the specific URL, a Tor browser, and one or more layers of introduction, but the service economy around criminal hacking is becoming as important as the direct criminal activity it supports, according to the study by security firm Armor.

Criminal activity itself is also evolving into a services sector, with multiple tiers of feature and service offerings. Take the Blow-bot botnet, which Armor’s report highlighted as one of these multi-tiered offerings. A “seller offered to rent out the Blow-bot botnet, which includes webinject and other capabilities, for either $750 or $1,200 a month depending on whether the renter wanted a fully-featured version. Support was an extra $100 or $150 a month, respectively,” the report said.

The rise of malware as a service isn’t news, but it’s notable because it allows so many non-technical criminals to enter the marketplace. “The barrier to entry for cybercrime remains perilously low, making it that much more important that organizations and individuals focus on security,” Armor said in its report.

Armor found a definite pyramid structure in place for valuable personal information such as credit card account data. There are “likely only a handful of major credit card data farmers doing the majority of the data theft,” the report said, who then work through a series of wholesalers and distributors that any canned-good manufacturer would recognize as a way to get their wares into the hands of customers.

The ultimate conclusions of the Armor report reflect the utter banality of most cybercrime. Criminal hacking has become a white-collar business with professional practitioners who expect white-collar salaries (and benefits). The bad news for victims is that these professional criminals and criminal support actors are competent professionals at their chosen tasks.

On the other hand, there is good news: Recent law-enforcement wins have disrupted the support networks for cybercriminals. Ultimately, though, as Armor warned in its report: “The tools, documents and services threat actors need are readily available, which means big businesses, small organizations and home users alike need to follow security best practices and stay on guard to stay safe.”

Curtis Franklin Jr. is executive editor for technical content at InformationWeek. In this role he oversees product and technology coverage for the publication. In addition he acts as executive producer for InformationWeek Radio and Interop Radio where he works with …

Article source: https://www.darkreading.com/endpoint/privacy/a-look-at-cybercrimes-banal-nature/d/d-id/1331323?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook fallout: What are your options?

Is it time to end your Facebook life?

Not deactivate, mind you – actually end things once and for all.

In the wake of Facebook having failed to protect user data from being drained by Cambridge Analytica, we’re talking about what’s involved in permanently deleting data that Facebook holds on us.

That’s likely to be too extreme for many of us. But at the very least, it’s definitely time to check Facebook privacy settings, audit Facebook apps, and consider turning off API sharing.

But first, a quick recap: over the weekend, news emerged about Facebook having lost control of 50 million users’ data.

Facebook, after a week of questioning from investigative reporters at the New York Times and the Observer, suspended data analytics firm Cambridge Analytica and its parent company Strategic Communication Laboratories (SCL), as well as data analytics specialist and Cambridge Analytica founder Christopher Wylie.

How do we escape?

If you’re not ready to part with Facebook entirely, you should at least take a look at who and what you’re sharing your information with on Facebook. That would entail the obvious:

Check your privacy settings

We’ve written about this quite a bit. Here’s a good guide on how to check your Facebook settings to make sure your posts aren’t searchable, for starters.

That post also includes instructions on how to check how others view you on Facebook, how to limit the audience on past Facebook posts, and how to lock down the privacy on future posts.

Those are just part of our 3 ways to better secure your Facebook account, so it’s also worth checking out that article to make sure you’re doing all three.

Next, it’s time to….

Audit your apps.

You should always be careful about which Facebook apps you allow to connect with your account, as they can collect varying levels of information about you.

Case in point: the recent revelations about Cambridge Analytica center around an app, thisisyourdigitallife, that not only took personal data from the 270,000 users who willingly signed up for this personality test, it also scraped the profiles of users’ friends – which is how we got to that astronomical number of 50 million users having their information plundered without permission.

Unless you’ve locked down your privacy settings correctly – see above – the apps, games and websites that your friends use can also access your personal details, photos and updates.

If you yourself have used Facebook to sign in to a third-party website, game or app, those services may continue to access your personal data.

To audit which apps are doing what:

1. On Facebook in your browser, drop down the arrow at the top right of your screen and click Settings. Then click on the Apps tab for a list of apps connected to your account. This takes you to the App Settings page.

2. Check out the permissions you granted to each app to see what information you’re sharing and remove any that you no longer use or aren’t sure what they are for.

3. Below the summary of which apps are sucking what out of your neck is an innocuous looking gray box called Apps Others Use, with this brief description: “People who can see your info can bring it with them when they use apps. Use this setting to control the categories of information people can bring with them.”

Click Edit and there you will find a list we call “Holy mackerel, people can get all that?!”

Make the changes and click Save to button up your privates.

If you’re using the Facebook app you can access the same information by pressing the burger menu at the bottom right of your app, then choosing Settings and Account Settings. You’ll then find a menu option for Apps from which you can remove or restrict apps.

Turn off API sharing.

The Electronic Frontier Foundation (EFF) put out this guide to opt out of platform API sharing.

It does so with an apology: we shouldn’t have to “wade through complicated privacy settings in order to ensure that the companies with which you’ve entrusted your personal information are making reasonable, legal efforts to protect it,” but, well, recent events make clear that we can’t leave it up to Facebook to protect our privacy.

1. As above, visit the App Settings page.

2. Click the Edit button under Apps, Websites and Plugins. Click Disable Platform.

3. If that’s too much, you can, again, limit what information can be accessible to apps that others use. See above!

And finally, if you’re ready to disengage entirely, there’s the cut-it-out-completely option:

Delete your profile.

This is a lot more serious than simply deactivating your profile. When you deactivate, Facebook still has all your data. To truly remove your data from Facebook’s sweaty grip, deletion is the way to go.

But stop: don’t delete until you’ve downloaded your data first! Here’s how:

1. On Facebook in your browser, drop down the arrow at the top right of your screen and click Settings.

2. At the bottom of General Account Settings, click Download a copy of your Facebook data.

3. Choose Start My Archive.

Be careful about where and how you keep that file. It does, after all, have all the personal information you’re trying to keep safe in the first place.

You ready?

Have you downloaded the data? Have you encrypted it or otherwise stored it somewhere safe? OK, take a deep breath. Here comes the doomsday button.

Go to Delete My Account.

There. That’s done. Now all you have to do is listen to friends and family lament your Facebook death. Maybe it will start some conversations about why you felt deleting your profile was necessary.

If you want to share your Facebook exodus stories with us in the comments section below, please do: we’re all ears.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/R-PEvvNd4DU/

FBI raids home of spy sat techie over leak of secret comms source code on Facebook

The FBI has raided the home of US intelligence contractor John Weed who is suspected of leaking classified blueprints online via a fake Facebook account.

On Monday, the Feds confirmed to The Register they have executed a search warrant at the Virginia home of John Glenn Weed, who worked for the National Reconnaissance Office – which runs Uncle Sam’s spy satellite fleet. The NRO called in the g-men after a screenshot of its classified source code was posted in 2017 on a Facebook profile belonging to one William Amos.

According to the FBI’s court filings earlier this month, “the Facebook page had a picture on the page … that appeared to depict computer code for a government computer system that Weed had designed. The computer code depicted in the Facebook post is related to the design, construction and use of a communications intelligence device and system used by United States government assets to communicate intelligence activities.”

Staggeringly, Weed is also accused of earlier nicking $340,000 in radio spying equipment as well as taking classified computer code home.

In a search warrant application submitted this month, FBI special agent Steve Hall said he suspected William Amos is John Weed: the Amos account was used to send messages to someone called Ken Mills, reading: “Ken, this is JW.”

Another message to someone called Sean Walker read: “It’s me brother, Facebook didn’t like the Non Sequitor name and they wouldn’t let me crate a john wed [sic] account without sending photo id because they said weed was not a valid last name.”

Also, the IP address used to access the Amos Facebook account matched the public internet address associated with Weed’s home address, according to his ISP Comcast in responding to a federal grand jury subpoena. A screenshot on the Amos profile revealed a folder named Connor: Weed has a son by the same name.

Agent Hall therefore alleged Weed leaked portions of the NRO’s secret source code on the bogus Amos profile, and was granted his search warrant by a judge in eastern Virginia. What also helped in securing that court order is that Weed apparently has a history of taking his work home with him and, well, being a bit odd.

Up in smoke

Between 1993 and 2012, Weed worked as a coder for military contractor Analytic Sciences Corporation developing secure communications systems, much of it for the NRO. But he lost his national security clearance, and his job, after being collared by the plod multiple times.

In May 2012, he was stopped by police and accused of driving under the influence, his third such arrest. Weed didn’t immediately report the allegations, despite being required to do so to keep his security clearance. He kept quiet about it until September 2012 when he pleaded guilty in court to DUI.

As a security clearance holder, Weed underwent regular background checks. During one of these routine probes, the US Department of Defense spotted the DUI arrests, and Weed ‘fessed up to his conviction. An investigator scheduled a meeting with Weed for September 18 to discuss it, however, the contractor cancelled on the day saying he had to deal with “Iran issues.”

It subsequently emerged Weed was instead busy that day being charged with violating his probation in Fauquier County, Virginia.

Two days later, Weed turned up to a meeting with the government investigator with a bullet-hole-riddled photograph of his arresting officer that he had used for firearms target practice, and said he was going to “ruin the life” of the policeman, it is claimed. Afterwards Weed’s security clearance was revoked for “criminal and personal conduct,” and he was sacked.

It gets weirder

Weed appealed the decision to terminate him and strip him of his clearance, and sent in a long letter titled “Double Standards, the Putrefaction of Public Trust and the Erratic Dispensing of Justice,” detailing his work on the “global war on terror.” Unfortunately, the letter was sent via regular mail from an unclassified computer system and contained classified material he should no longer have had access to, according to the FBI. Which is, suffice to say, a boo-boo.

Agent Hall said that in multiple interviews with Weed’s coworkers the g-man was told that the suspect felt that the rules didn’t apply to him. Weed’s appeal was unsuccessful, and his clearance remained revoked.

And just days before the September showdown with Weed, four remote desktop protocol (RDP) sessions were established from Weed’s secure workstation to his home broadband IP address, according to the FBI. These connections were discovered in logs in May 2013, and a search warrant for Weed’s home was issued, said Agent Hall. Yes, Weed has had his home raided at least twice now.

That 2013 search turned up a $200,000 radio set that had been sent to the NRO by another government agency and 11 “friendly force trackers,” used to monitor the location of vehicles, it is alleged. In total, the Feds said they found purloined hardware worth $340,000 in the house, and the source code for two secret-level classified communications systems. A section of said code ultimately appeared on the Amos profile, according to the FBI.

Agents are now poring over materials collected from Weed’s home in the 8.30am swoop on Thursday, March 8. The FBI sought computers and other devices suspected of storing classified material, as well as networking gear, financial records, and more. A spokesperson for the Feds declined to comment further.

We could not reach Weed for comment: his phone line has been disconnected. It is also not clear what action was taken, if any yet, by prosecutors following the 2013 search. There is no record of any charges in the public court records system.

It seems that when it comes to contractors the US government still doesn’t quite have its security ducks in a row. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/20/fbi_nro_contractor_raided/

Hackers Steal Payment Card Data on 880K from Expedia Orbitz

Expedia announces a breach exposing 880,000 customer records to the world.

Another season, another breach of personal information from a consumer-facing website. This time, it’s Expedia’s Orbitz and approximately 880,000 payment cards with information now in the hands of criminals.

According to Expedia, both its partner website and its consumer site were affected by the breach. The consumer site was breached sometime between Jan. 1, 2016 and June 22, 2016, while the partner site was hit between Jan. 1, 2016 and Dec. 22, 2017.

The company said that information including names, phone numbers, email, and billing addresses also might have been accessed. In a statement provided to Reuters, Orbitz said, “To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information.”

Expedia said that the breach was addressed after being discovered earlier this month.

Article source: https://www.darkreading.com/attacks-breaches/hackers-steal-payment-card-data-on-880k-from-expedia-orbitz/d/d-id/1331318?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple