ReportWire

Tag: Hacking

  • A stranger in your hotel room? Kitty-litter shortages? Online attacks are causing real-world effects.

    It was past midnight when Alessandra Millican and a friend entered the Bellagio hotel room that was costing them hundreds of dollars a night, but unexpected noises made them stop cold.

    “We started hearing grunts,” she said. “It’s somebody waking up — we were halfway through the room and we realized there’s somebody sleeping in here.”

    Millican…

  • Two Vegas casinos fell victim to cyberattacks, shattering the image of impenetrable casino security

    LAS VEGAS — A persistent error message greeted Dulce Martinez on Monday as she tried to access her casino rewards account to book accommodations for an upcoming business trip.

    That’s odd, she thought, then toggled over to Facebook to search for clues about the issue on a group for MGM Resorts International loyalty members. There, she learned that the largest casino owner in Las Vegas had fallen victim to a cybersecurity breach.

    Martinez, 45, immediately checked her bank statements for the credit card linked to her loyalty account. Now she was being greeted by four new transactions she did not recognize — charges that she said increased with each transaction, from $9.99 to $46. She canceled the credit card.

    Unsettled by the thought of what other information the hackers may have stolen, Martinez, a publicist from Los Angeles, said she signed up for a credit report monitoring program, which will cost her $20 monthly.

    “It’s been kind of an issue for me,” she said, “but I’m now monitoring my credit, and now I’m taking these extra steps.”

    MGM Resorts said the incident began Sunday, affecting reservations and casino floors in Las Vegas and other states. Videos on social media showed video slot machines that had gone dark. Some customers said their hotel room cards weren’t working. Others said they were canceling their trips this weekend.

    The situation entered its sixth day on Friday, with booking capabilities still down and MGM Resorts offering penalty-free room cancelations through Sept. 17. Brian Ahern, a company spokesperson, declined Friday to answer questions from The Associated Press, including what information had been compromised in the breach.

    By Thursday, Caesars Entertainment — the largest casino owner in the world — confirmed it, too, had been hit by a cybersecurity attack. The casino giant said its casino and hotel computer operations weren’t disrupted but couldn’t say with certainty that personal information about tens of millions of its customers was secure following the data breach.

    The security attacks that triggered an FBI probe shatter a public perception that casino security requires an “Oceans 11”-level effort to defeat it.

    “When people think about security, they are thinking about the really big super-computers, firewalls, a lot of security systems,” said Yoohwan Kim, a computer science professor at the University of Nevada, Las Vegas, whose expertise includes network security.

    It’s true, Kim said, that casino giants like MGM Resorts and Caesars are protected by sophisticated — and expensive — security operations. But no system is perfect.

    “Hackers are always fighting for that 0.0001% weakness,” Kim said. “Usually, that weakness is human-related, like phishing.”

    Tony Anscombe, the chief security official with the San Diego-based cybersecurity company ESET, said it appears the invasions may have been carried out as a “socially engineered attack,” meaning the hackers used tactics like a phone call, text messages or phishing emails to breach the system.

    “Security is only as good as the weakest link, and unfortunately, as in many cyberattacks, human behavior is the method used by cybercriminals to gain the access to a company’s crown jewels,” Anscombe said.

    As the security break-ins left some Las Vegas casino floors deserted this week, a hacker group emerged online, claiming responsibility for the attack on Caesars Entertainment’s systems and saying it had asked the company to pay a $30 million ransom fee.

    It has not officially been determined whether either of the affected companies paid a ransom to regain control of their data. But if one had done so, the experts said, then more attacks could be on the way.

    “If it happened to MGM, the same thing could happen to other properties, too,” said Kim, the UNLV professor. “Definitely more attacks will come. That’s why they have to prepare.”

    ___

    Parry reported from Atlantic City. Associated Press videographer Ty O’Neil in Las Vegas contributed.

  • North Korean hackers have allegedly stolen hundreds of millions in crypto to fund nuclear program

    The FBI claims North Korea-linked hackers were behind a $100 million crypto heist on the so-called Horizon bridge in 2022.

    North Korea-linked hackers have stolen hundreds of millions of crypto to fund the regime’s nuclear weapons programs, research shows.

    So far this year, from January to Aug. 18, North Korea-affiliated hackers stole $200 million worth of crypto — accounting for over 20% of all stolen crypto this year, according to blockchain intelligence firm TRM Labs.

    “In recent years, there has been a marked rise in the size and scale of cyber attacks against cryptocurrency-related businesses by North Korea. This has coincided with an apparent acceleration in the country’s nuclear and ballistic missile programs,” said TRM Labs in a June discussion with North Korea experts.

    In that discussion, TRM Labs said there has been a pivot away from North Korea’s “traditional revenue-generating activities” — an indication that the regime may be “increasingly turning to cyber attacks to fund its weapons proliferation activity.”

    Separately, crypto research company Chainalysis said in a February report that “most experts agree the North Korean government is using these stolen assets to fund its nuclear weapons programs.”

    The Permanent Mission of North Korea to the United Nations in New York, a diplomatic mission of the regime to the UN, did not respond to CNBC’s request for comment.

    Since North Korea’s first nuclear test in 2006, the United Nations has slapped multiple sanctions on the reclusive regime — known formally as DPRK, or the Democratic People’s Republic of Korea — for its nuclear and ballistic missile programs.

    The sanctions, which include bans on financial services, minerals, metals and arms, are aimed at limiting North Korea’s access to sources of funding it needs to support its nuclear activities.

    Just last month, the FBI warned crypto companies that North Korea-linked hackers are planning to “cash out” $40 million of crypto.

    The agency also said in January it continues “to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and Weapons of Mass Destruction programs.”

    “They are under pretty serious economic stress with international sanctions. They need every dollar they can. And this is just obviously a much more efficient way for North Korea to make money,” Nick Carlsen, intelligence analyst at blockchain analytics firm TRM Labs, told CNBC.

    “Even if that dollar stolen in crypto doesn’t directly go towards the purchase of some component for the nuclear program, it frees up another dollar to support the regime and its programs,” said Carlsen.

    North Korean hackers’ exploits

    In March last year, U.S. officials accused North Korea-linked hackers of stealing a record amount of more than $600 million worth of crypto assets from Ronin Bridge in the popular blockchain game Axie Infinity using stolen private keys — passwords that allow users to access and manage funds.

    Hackers exploit what’s known as a blockchain “bridge,” which allows users to transfer their digital assets from one crypto network to another.

    Evolving tactics

    North Korean-affiliated cybercriminals reportedly posed as recruiters and lured an engineer from blockchain gaming firm Sky Mavis into believing there was a job opportunity, The Wall Street Journal said in June.

    The hacker shared a malware-laced document with the victim, enabling the criminals to access the engineer’s computer and steal more than $600 million in crypto after they broke into Sky Mavis’s digital pets game, Axie Infinity. 

    “They leverage social engineering and they get themselves into the community. They build relationships and gain access to systems,” Erin Plante, vice president of Investigations at Chainalysis, told CNBC.

    The U.S. Treasury’s Office of Foreign Assets Control and South Korea’s authorities have imposed sanctions against several entities and individuals for helping North Korean IT professionals fraudulently obtain employment overseas and launder illicitly obtained funds back to North Korea.

    “They target employers located in wealthier countries, utilizing a variety of mainstream and industry-specific freelance contracting, payment, and social media and networking platforms,” said the press release, adding that North Korean IT workers often take on projects that involve virtual currency.

    “DPRK IT workers also use virtual currency exchanges and trading platforms to manage digital payments they receive for contract work as well as to launder these illicitly obtained funds back to the DPRK.”

  • Palo Alto Networks earnings, outlook top Street expectations as SEC cyberattack reporting rule drives demand

    Palo Alto Networks Inc. shares rallied Friday after hours as the cybersecurity company topped expectations with its latest earnings, as well as with its forecasts for profit and billings, outlining that new reporting rules and AI-backed adversaries are driving adoption.

    The stock (PANW) was rallying more than 9% in the extended session, following a 1% gain in the regular session to close at $209.69.

    Palo Alto Networks forecast first-quarter adjusted earnings of $1.15 to $1.17 a share on revenue of $1.82 billion to $1.85 billion and billings of $2.05 billion to $2.08 billion. Analysts were estimating $1.11 a share on revenue of $1.93 billion and billings of $2.04 billion for the first quarter.

    For the year, the company expects $5.27 to $5.40 a share on revenue of $8.15 billion to $8.2 billion on billings of $10.9 billion to $11 billion. Analysts tracked by FactSet had been projecting $4.98 a share on revenue of $8.38 billion and billings of $10.81 billion for the year.

    The company defines billings as “total revenue plus the change in total deferred revenue, net of acquired deferred revenue, during the period,” and is a metric used to account for subscriptions.

    On the extended call with analysts, Nikesh Arora, the company’s chairman and chief executive, said that while strong fourth-quarter results did not come as a surprise, what did come as a surprise was the speed of adoption of its Cortex XSIAM AI-driven security platform, especially now that regulators are going to start requiring quick disclosures for material cyberattacks.

    Palo Alto Networks reported fiscal fourth-quarter net income of $227.7 million, or 64 cents a share, compared with $3.3 million, or a penny a share, in the year-ago period. Adjusted earnings, which exclude stock-based compensation expenses and other items, were $1.44 a share, compared with 80 cents a share in the year-ago period.

    Revenue rose to $1.95 billion from $1.55 billion in the year-ago quarter, while billings rose 18% to $3.2 billion. Analysts surveyed by FactSet had forecast $1.29 a share in adjusted earnings on revenue of $1.96 billion and billings of $3.18 billion.

    The company launched XSIAM in October, and set a goal of booking more than $100 million in the first year. Arora said that in less than a year, XSIAM has already brought in $200 million, indicating that interest in applying AI to enhance security is “very high.”

    In late July, the Securities and Exchange Commission adopted new rules requiring companies to disclose cyberattacks within four days of making the determination the intrusion has a material effect on results.

    “Our customers have told us loud and clear that the legacy products powering their stacks are no longer working and they need to reduce by an order of magnitude,” Arora told analysts. “This becomes increasingly important with the new SEC rules detailing that all public companies will be required to report material breaches within four business days.”

    On the call, Lee Klarich, Palo Alto Networks chief product officer, told analysts that it wasn’t long ago that the average time between an initial hack and stealing data was about 44 days. Now, that can happen in a matter of hours, which is a huge problem, Klarich said, noting that attackers are adopting AI to perform attacks.

    “On average the industry is able to respond and remediate attacks in about six days: That doesn’t work,” Klarich said. “And even more challenging now with the SEC new rules of being able to disclose within four days, none of the math adds up.”

    Five years ago, Palo Alto Networks was already in the middle of an M&A spree to transform itself from a firewall company to a multiproduct security platform, and showed no signs of slowing down until August 2021, when the company decided to report earnings without announcing an M&A deal, after having acquired 14 companies over the previous three-and-a-half years.

    Nvidia Corp. (NVDA), which also has a huge stake in AI, reports results after the bell on Wednesday.

    Palo Alto Networks is a new entrant to the S&P 500 index (SPX), having gotten the nod in June. As of Friday’s close, Palo Alto Networks shares have gained 50.3% year to date, compared with a 12.4% gain on the ETFMG Prime Cyber Security exchange-traded fund (HACK), a 13.8% gain on the S&P 500, and a 27% rise on the tech-heavy Nasdaq Composite (COMP).

  • Chinese hackers breached email accounts of top U.S. diplomats

    US Secretary of State Antony Blinken (L) shakes hands with China’s Director of the Office of the Central Foreign Affairs Commission Wang Yi at the Diaoyutai State Guesthouse in Beijing on June 19, 2023. (Photo by Leah MILLIS / POOL / AFP) (Photo by LEAH MILLIS/POOL/AFP via Getty Images)

    China-linked hackers breached the email account of U.S. Ambassador to China Nicholas Burns, as part of a recent targeted intelligence-gathering campaign, NBC News has confirmed.

    The hackers also accessed the email account of Daniel Kritenbrink, the assistant Secretary of State for East Asia, who recently travelled with Secretary of State Antony Blinken to China, said NBC, citing two U.S. officials familiar with the matter. 

    CNBC reached out to China’s Foreign Ministry for comment but has yet to hear back.

    The breach was limited to the diplomats’ unclassified email accounts, NBC said, adding that Secretary of Commerce Gina Raimondo’s email account was also accessed in the breach, as previously reported.

    The news, first reported by the Wall Street Journal, further fuels the fallout for the U.S. of the alleged Chinese hack first revealed last week. 

    Late Tuesday, Microsoft announced it had discovered that China-based hackers breached email accounts of about 25 organizations, including some U.S. government agencies, in a significant breach.

    The compromise was “mitigated” by Microsoft cybersecurity teams after it was first reported to the company in mid-June 2023, Microsoft said in two blog posts about the incidents. The hackers had been inside government systems since at least May, the company said.

    U.S. warns China

    Blinken said he raised the issue of the Chinese hacking when he met China’s top diplomat Wang Yi in Jakarta last week, on the sidelines of the Association of Southeast Asian Nations regional meeting.

    The U.S. Secretary noted he made clear to Wang that Washington will ensure the hackers are held responsible for alleged breaches of U.S. government agencies.

    “First of all, this is something that the State Department actually detected last month, and we took immediate steps to protect our systems, to report the incident – in this case, notifying a company, Microsoft, of the event,” Blinken said at a press briefing.

    “I can’t discuss details of our response beyond that, and most critically this incident remains under investigation,” he added.

    Still, Blinken said that as a general matter, “we have consistently made clear to China as well as to other countries that any action that targets the U.S. Government or U.S. companies, American citizens, is of deep concern to us, and we will take appropriate action in response.”

    The secretary’s latest meeting with Wang came less than a month after Blinken made a rare trip to Beijing under the Biden administration.

    The visit was aimed at soothing ties between the world’s two largest economies amid escalating tensions.

    Security experts have argued the incidents demonstrate an acceleration in Beijing’s digital spying capabilities.

    “Chinese cyber espionage operators’ tactics had steadily evolved to become more agile, stealthier, and complex to attribute” over the last decade, researchers at cybersecurity firm Mandiant wrote in a blog post Tuesday.

    — CNBC’s Rohan Goswami contributed to this report.

  • Pioneering hacker Kevin Mitnick, FBI-wanted felon turned security guru, dead at 59

    Kevin Mitnick, whose pioneering antics tricking employees in the 1980s and 1990s into helping him steal software and services from big phone and tech companies made him the most celebrated U.S. hacker, has died at age 59.

    Mitnick died Sunday in Las Vegas after a 14-month battle with pancreatic cancer, said Stu Sjouwerman, CEO of the security training firm KnowBe4, where Mitnick was chief hacking officer.

    His colorful career — from student tinkerer to FBI-hunted fugitive, imprisoned felon and finally respected cybersecurity professional, public speaker and author tapped for advice by U.S. lawmakers and global corporations — mirrors the evolution of society’s grasp of the nuances of computer hacking.

    Through Mitnick’s professional trajectory, and what many consider the misplaced prosecutorial zeal that put him behind bars for nearly five years until 2000, the public has learned how to better distinguish serious computer crime from the mischievous troublemaking of youths hellbent on proving their hacking prowess.

    “He never hacked for money,” said Sjouwerman, who became Mitnick’s business partner in 2011. He was mostly after trophies, chiefly cellphone code, he said.

    Much fanfare accompanied Mitnick’s high-profile arrest in 1995, three years after he’d skipped probation on a previous computer break-in charge. The government accused him of causing millions of dollars in damages to companies including Motorola, Novell, Nokia and Sun Microsystems by stealing software and altering computer code.

    But federal prosecutors had difficulty gathering evidence of major crimes, and after being jailed for nearly four years, Mitnick reached a plea agreement in 1999 that credited him for time served.

    Upon his January 2000 release from prison, Mitnick told reporters his “were simple crimes of trespass.” He said, “I wanted to know as much as I could find out about how phone networks worked.”

    He was initially barred for three years from using computers, modems, cell phones or anything else that could give him internet access — and from public speaking. Those requirements were gradually eased but he wasn’t allowed back online until December 2002.

    Mitnick’s forte was social engineering. He would impersonate company employees to obtain passwords and data, a technique known as pretexting that remains among the most effective in hacking and which typically requires considerable research to pull off successfully.

    “His ingenuity challenged systems, incited dialogues, and pushed boundaries in cybersecurity. He will remain a testament to the uncharted power of curiosity,” tweeted Chris Wysopal, who as a member of the white-hat hacking group L0pht testified before the U.S. Senate a few years before Mitnick did the same.

    “My hacking activity actually was a quest for knowledge, the intellectual challenge, the thrill and the escape from reality,” Mitnick said during a March 2000 congressional hearing in response to a question by Sen. Joseph Lieberman, D-Conn., about what motivated him.

    In his prepared testimony, Mitnick boasted that he had “successfully penetrated some of the most resilient computer systems ever developed.”

    Mitnick had first been arrested for computer crimes at age 17 for brazenly walking into a Pacific Bell office and taking a handful of computer manuals and codes to digital door locks. For that, he served a year in a rehabilitation center, deemed by a federal judge as being addicted to computer tampering.

    Mitnick had been raised in the bleak Los Angeles suburb of Panorama City by his mother, who divorced his father when he was 3. An overweight, lonely teenager, he dropped out of high school and found friends only when he stumbled into the world of phone phreaks – teens who used stolen phone codes to make free long-distance calls.

    Phones led to computers, and Mitnick showed himself to be a persistent, if not stellar, hacker. Enthralled by the possibility of using computers to gain access and power, Mitnick began breaking into voice mail and computer systems, rifling through private files and taunting those who crossed him.

    But another side of Mitnick became clear in his conversations with investigative journalist Jonathan Littman, printed in the mid-1990s in “The Fugitive Game: Online with Kevin Mitnick.” The hacker seems less a threat than a fearful, disturbed young man, more annoying than vindictive.

    And though a computer file containing 20,000 credit card numbers copied from the internet service provider Netcom was found on Mitnick’s computer after a 1994 arrest, there is no evidence he ever used any of the accounts.

    Mitnick became a cause celebre for hackers who considered his 5-year prison term excessive. Some defaced websites to post messages demanding his release. Among the targets was The New York Times — which some sympathizers accused of exaggerating the societal danger Mitnick posed.

    Exaggerated stories of Mitnick’s exploits and abilities also made the rounds, sometimes fueling hysteria.

    One led prison officials to put him in solitary confinement for nine months, said Sjouwerman, because they feared he could start a nuclear war by whistling into a pay phone — emulating a modem “to hack NORAD and trigger a ballistic missile.”

    Mitnick is the author of “Ghost in the Wires,” which recounts his adventures as a wanted hacker, and three other books co-written with others, including “The Art of Deception.”

    In addition to his work at KnowBe4, where Mitnick was not involved in day-to-day operations, he ran a separate penetration-testing business with his wife, the former Kimberley Barry.

    She is a native of Australia, where the two met.


  • The Biden administration announces a cybersecurity labeling program for smart devices


    WASHINGTON — The Biden administration and major consumer technology players on Tuesday launched an effort to put a nationwide cybersecurity certification and labeling program in place to help consumers choose smart devices that are less vulnerable to hacking.

    Officials likened the new U.S. Cyber Trust Mark initiative — to be overseen by the Federal Communications Commission, with industry participation voluntary — to the Energy Star program, which rates appliances’ energy efficiency.

    “It will allow Americans to confidently identify which internet- and Bluetooth-connected devices are cybersecure,” deputy national security adviser Anne Neuberger told reporters in a pre-announcement briefing.

    Amazon, Best Buy, Google, LG Electronics USA, Logitech and Samsung are among industry participants.

    Devices including baby monitors, home security cameras, fitness trackers, TVs, refrigerators and smart climate control systems that meet the U.S. government’s cybersecurity requirements will bear the “Cyber Trust” label, a shield logo, as early as next year, officials said.

    FCC Chairwoman Jessica Rosenworcel said the mark will give consumers “peace of mind” and benefit manufacturers, whose products would need to adhere to criteria set by the National Institute of Standards and Technology to qualify.

    The FCC was launching a rule-making process to set the standards and seek public comment. Besides carrying logos, participating devices would have QR codes that could be scanned for updated security information.

    In a statement, the Consumer Technology Association said consumers could expect to see certification-ready products at the industry’s annual January show, CES 2024, once the FCC adopts final rules. A senior Biden administration official said it was expected that products that qualify for the logo would undergo an annual re-certification.

    The Cyber Trust initiative was first announced in October following a meeting between White House and tech industry representatives.

    The proliferation of so-called smart — or Internet of Things — devices has coincided with growing cybercrime in which one insecure IoT device can often give a cyberintruder a dangerous foothold on a home network.

    An April report from the cybersecurity firm Bitdefender and networking equipment company Netgear, based on their monitoring of smart homes, found that the most vulnerable IoT devices in 2022 were, far and away, smart TVs, followed by smart plugs, routers and digital video recorders.

    Providers of numerous smart home devices often don’t update and patch software fast enough to thwart newly emerging malware threats. The Cyber Trust Mark standards are expected to make clear which devices patch vulnerable software in a timely fashion and secure their communications to preserve privacy, officials said. Also important will be informing consumers which devices are equipped to detect intrusions.


  • Google and Meta got customer data from tax prep firms, and lawmakers want a probe


    Sen. Elizabeth Warren (D-MA) speaks during a Senate Banking Committee hearing on Capitol Hill on June 13, 2023 in Washington, DC. The committee held the hearing to review “The Consumer Financial Protection Bureau’s Semi-Annual Report to Congress.” 


    A group of lawmakers led by Massachusetts Democratic Senator Elizabeth Warren is calling on the Biden administration to investigate how tax prep software companies may have illegally shared customer data with tech platforms Google and Meta.

    In a letter to Attorney General Merrick Garland, Federal Trade Commission Chair Lina Khan, Internal Revenue Service Commissioner Daniel Werfel and Treasury Inspector General for Tax Administration J. Russell George, the lawmakers laid out key findings from their own probe expanding on reporting from The Markup and The Verge, which initially revealed the data sharing. The FTC declined to comment on the letter and the other agencies named did not immediately respond to a request for comment.

    In a story published last year, the publications jointly reported that tax prep software companies TaxSlayer, H&R Block, and TaxAct had shared sensitive financial information with Meta’s Facebook through a piece of code known as a pixel. The report found that Meta pixel trackers sent names, emails and income information to Meta, in violation of the platform’s policies.

    The report also found that TaxAct had sent similar information to Google through its analytics tool, but that information did not include names.

    After the initial report, Meta and Google both told CNBC they have policies against customers or advertisers sending them sensitive or identifying information. Some statements the tax prep companies provided to the publications at the time seemed to indicate the data sharing was done accidentally.

    Building on the original reporting, the group of seven lawmakers opened their own probe into the extent of the data sharing. Among their findings released Wednesday, the lawmakers said that millions of taxpayers’ information had been shared with Big Tech firms through the tax prep software and that both the tax prep companies and tech firms were “reckless” in how they handled sensitive information. Although the companies said information shared would have been anonymous, the lawmakers found that experts believed it wouldn’t be hard to connect the data to individuals.

    Sens. Ron Wyden, D-Ore., Richard Blumenthal, D-Conn., Tammy Duckworth, D-Ill., Bernie Sanders, I-Vt., Sheldon Whitehouse, D-R.I., and Rep. Katie Porter, D-Calif., joined Warren in the investigation and letter.

    While the tax prep companies installed Meta and Google’s tools without fully understanding the privacy implications, according to the lawmakers, the two tech platforms failed to provide enough information about how they would collect and use the information gathered through their tools. Although Meta and Google both said they have filters to catch sensitive data that’s inadvertently collected, they seemed to be “ineffective,” the lawmakers wrote.

    The probe also found that Meta tools used by TaxAct allegedly collected even more information than previously reported, including the approximate amount of federal taxes a person owed. They said that Meta confirmed it used data collected from the tax software providers “to target ads to taxpayers, including for companies other than the tax prep companies themselves, and to train Meta’s own AI algorithms.”
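    As an added illustration (not code from the article, nor from Meta, Google or any of the tax-prep firms named), here is the kind of egress filter a site can run over an analytics event before handing it to any tracking SDK, client-side or server-side. The allowlisted keys, the value patterns and the sample event are assumptions modeled on the data types the reporting describes; they are not the real parameters of any vendor's tracker. The point it makes is the one the lawmakers raise: a receiving platform's sensitive-data filter is a backstop, and the sender has to decide what leaves the page.

```python
"""Egress filter for analytics events.

Added example, not code from the article or from Meta, Google or any tax-prep
vendor. Key names, patterns and the sample event are assumptions modeled on the
data types the reporting describes (names, e-mail addresses, income, taxes owed).
"""

import re

# Keys that may leave the page at all. An allowlist, not a blocklist of
# "sensitive" names: the tax-prep case shows nobody enumerates every such field.
DEFAULT_ALLOWED_KEYS = frozenset({"event", "page", "step", "utm_source", "utm_term"})

# Values are scanned even for allowed keys, because free-text fields (search
# terms, page titles, notes) routinely pick up personal data.
SENSITIVE_VALUE_PATTERNS = {
    "email": re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+"),
    # Hyphenated form only; a bare 9-digit number is too often an order id.
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Dollar sign, or thousands grouping: plain integers like a step counter
    # or a year are left alone on purpose.
    "currency": re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?|\b\d{1,3}(?:,\d{3})+(?:\.\d{2})?\b"),
}


def classify_value(value):
    """Name of the first sensitive pattern the value matches, or None."""
    text = str(value)
    for name, pattern in SENSITIVE_VALUE_PATTERNS.items():
        if pattern.search(text):
            return name
    return None


def filter_event(event, allowed_keys=DEFAULT_ALLOWED_KEYS):
    """Split an event into the part safe to send and an audit log of drops.

    Returns (allowed, dropped); `dropped` is a list of (key, reason) pairs.
    Dropped values are deliberately not returned, so the audit log cannot
    become a second copy of the data.
    """
    allowed = {}
    dropped = []
    for key, value in event.items():
        if key.lower() not in allowed_keys:
            dropped.append((key, "key not allowlisted"))
            continue
        hit = classify_value(value)
        if hit is not None:
            dropped.append((key, f"value matches {hit} pattern"))
            continue
        allowed[key] = value
    return allowed, dropped


# Constructed sample: what a page produces when it dumps form state into a
# tracker call instead of choosing fields.
SAMPLE_EVENT = {
    "event": "Lead",
    "page": "/review",
    "step": 4,
    "utm_term": "help from jane@example.com",
    "email": "jane@example.com",
    "first_name": "Jane",
    "agi": "$84,250.00",
    "federal_owed": "1,240.00",
}

if __name__ == "__main__":
    safe, log = filter_event(SAMPLE_EVENT)
    print("send:", safe)
    for key, reason in log:
        print("dropped:", key, "-", reason)
```

    Run stand-alone, it prints the three fields that survive and an audit log of the five that were dropped; the dropped values themselves are never logged. Plain integers such as a step counter or a year are deliberately not treated as currency, which is why the allowlist, not the pattern scan, carries the main load.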

    The group believes that their findings indicate the tax prep companies “may have violated taxpayer privacy laws,” which could result in criminal penalties “up to $1,000 per instance and up to a year in prison,” according to the letter.

    After calling for the agencies to investigate and prosecute where necessary, the lawmakers noted that new policies may mitigate the issue in the future.

    “We also welcome the recent IRS announcement of a free, direct file pilot next year, which will give taxpayers the option to file taxes without sharing their data with untrustworthy and incompetent tax preparation firms,” they wrote.


  • Morgan Stanley says 4 cybersecurity giants will benefit from a $30 billion A.I. trend


  • Judge bars Trump from disclosing — or keeping — evidence in documents case


    Former U.S. President Donald Trump delivers remarks during an event following his arraignment on classified document charges, at Trump National Golf Club, in Bedminster, New Jersey, U.S., June 13, 2023. 


    A federal judge issued a protective order Monday barring former President Donald Trump from disclosing — or keeping — evidence set to be turned over to him by the government in the classified documents case on social media.

    The order against Trump and Walt Nauta, his co-defendant in the criminal case alleging he mishandled national security information, prohibits them from sharing evidence federal investigators are set to begin turning over to their lawyers as part of the discovery process in the case.

    “The Discovery Materials, along with any information derived therefrom, shall not be disclosed to the public or the news media, or disseminated on any news or social media platform, without prior notice to and consent of the United States or approval of the Court,” Magistrate Judge Bruce Reinhart said in the order.  


    It bars them from disclosing information about the government’s evidence to people not directly involved in the case without explicit permission from a judge, and warns they could face criminal contempt charges if they violate the order.

    It also puts limits on Trump’s access to the material.

    “Defendants shall only have access to Discovery Materials under the direct supervision of Defense Counsel or a member of Defense Counsel’s staff. Defendants shall not retain copies of Discovery Material,” the ruling said.

    The ruling largely tracks with a request for a protective order the government filed in the case on Friday. The government said in that filing that Trump and Nauta’s lawyers had “no objections to this motion or the protective order.”

    Trump attorney Todd Blanche declined comment on the order.

    The information prosecutors sought to guard includes “sensitive and confidential information,” including “information that reveals sensitive but unclassified investigative techniques; non-public information relating to potential witnesses and other third parties (including grand jury transcripts and exhibits and recordings of witness interviews); financial information of third parties; third-party location information; and personal information contained on electronic devices and accounts.”

    “The materials also include information pertaining to ongoing investigations, the disclosure of which could compromise those investigations and identify uncharged individuals,” their Friday filing said.

    Trump, 77, was indicted earlier this month on 37 federal felony counts, including willful retention of national defense information, making false statements and representations, and conspiracy to obstruct justice.

    He pleaded not guilty at his arraignment last week. Nauta, whose lawyer has declined comment on the case, is expected to enter a not guilty plea next week.

    Trump was slapped with a similar order in the New York criminal case where he’s charged with dozens of counts of falsifying business records. Trump’s attorneys had objected to portions of the order in that case.

    Prosecutors from the Manhattan district attorney’s office said those restrictions were necessary because the “risk” that Trump would use the evidence “inappropriately” was “substantial.”

    “Donald J. Trump has a longstanding and perhaps singular history of attacking witnesses, investigators, prosecutors, trial jurors, grand jurors, judges, and others involved in legal proceedings against him, putting those individuals and their families at considerable safety risk,” the DA’s office had argued in a court filing.

    Trump has pleaded not guilty in that case.


  • China calls hacking report ‘far-fetched’ and accuses the US of targeting the cybersecurity industry

    Chinese Foreign Ministry spokesperson Wang Wenbin speaks during a press conference at the Ministry of Foreign Affairs in Beijing, Friday, June 16, 2023. China’s government on Friday rejected as “far-fetched and unprofessional” a report by a U.S. security firm that blamed Chinese-linked hackers for attacks on hundreds of public agencies, schools and other targets around the world. (AP Photo/Liu Zheng)

    The Associated Press

    BEIJING — China’s government on Friday rejected as “far-fetched and unprofessional” a report by a U.S. security firm that blamed Chinese-linked hackers for attacks on hundreds of public agencies, schools and other targets around the world.

    A foreign ministry spokesperson repeated accusations that Washington carries out hacking attacks and complained the cybersecurity industry rarely reports on them.

    Mandiant’s report came ahead of a visit to Beijing by Secretary of State Antony Blinken aimed at repairing relations that have been strained by disputes over human rights, security and other irritants. Blinken’s visit was planned earlier this year but was canceled after what the U.S. government said was a Chinese spy balloon flew over the United States.

    The report said hackers targeted email to engage in “espionage activity in support of the People’s Republic of China.”

    “The relevant content is far-fetched and unprofessional,” said the Chinese spokesperson, Wang Wenbin.

    “American cybersecurity companies continue to churn out reports on so-called cyberattacks by other countries, which have been reduced to accomplices for the U.S. government’s political smear against other countries,” Wang said.

    The latest attacks exploited a vulnerability in a Barracuda Networks email system and targeted foreign ministries in Southeast Asia, other government agencies, trade offices and academic organizations in Taiwan and Hong Kong, according to Mandiant.

    It described the attacks as the biggest cyber espionage campaign known to be conducted by a ”China-nexus threat actor” since a 2021 attack on Microsoft Exchange. That affected tens of thousands of computers.

    China is regarded, along with the United States and Russia, as a leader in the development of computer hacking for military use. Security consultants say its military also supports hobbyist hacking clubs that might work for outsiders.

    Barracuda announced on June 6 that some of its email security appliances had been hacked as early as October, giving the intruders a back door to compromised networks.

    Mandiant said the email attacks focused on issues that are priorities for China, particularly in the Asia Pacific region. It said the hackers searched for email accounts of people working for governments of political or strategic interest to China at the time they were participating in diplomatic meetings.

    Earlier this year, Microsoft said state-backed Chinese hackers have been targeting U.S. critical infrastructure and could be laying the technical groundwork for the potential disruption of critical communications between the U.S. and Asia during future crises.


  • Energy Department among federal agencies breached by Russian ransomware gang


    The Department of Energy and several other federal agencies were compromised in a Russian cyber-extortion gang’s global hack of a file-transfer program popular with corporations and governments, but the impact was not expected to be great, Homeland Security officials said Thursday.

    But for others among what could be hundreds of victims from industry to higher education — including patrons of at least two state motor vehicle agencies — the hack was beginning to show some serious impacts.

    Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told reporters that unlike the meticulous, stealthy SolarWinds hacking campaign attributed to state-backed Russian intelligence agents that was months in the making, this campaign was short, relatively superficial and caught quickly.

    “Based on discussions we have had with industry partners … these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high value information — in sum, as we understand it, this attack is largely an opportunistic one,” Easterly said.

    “Although we are very concerned about this campaign and working on it with urgency, this is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks,” she added.

    A senior CISA official said neither the U.S. military nor intelligence community was affected. Energy Department spokesperson Chad Smith said two agency entities were compromised but did not provide more detail.

    Known victims to date include Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia provincial government, British Airways, the British Broadcasting Corporation and the U.K. drugstore chain Boots. The exploited program, MOVEit, is widely used by businesses to securely share files. Security experts say that can include sensitive financial and insurance data.

    Louisiana officials said Thursday that people with a driver’s license or vehicle registration in the state likely had their personal information exposed. That included their name, address, Social Security number and birthdate. They encouraged Louisiana residents to freeze their credit to guard against identity theft.

    The Oregon Department of Transportation confirmed Thursday that the attackers accessed personal information, some sensitive, for about 3.5 million people to whom the state issued identity cards or driver’s licenses.

    The Cl0p ransomware syndicate behind the hack announced last week on its dark web site that its victims, who it suggested numbered in the hundreds, had until Wednesday to get in touch to negotiate a ransom or risk having sensitive stolen data dumped online.

    The gang, among the world’s most prolific cybercrime syndicates, also claimed it would delete any data stolen from governments, cities and police departments.

    The senior CISA official told reporters a “small number” of federal agencies were hit — declining to name them — and said “this is not a widespread campaign affecting a large number of federal agencies.” The official, speaking on condition of anonymity to discuss the breach, said no federal agencies had received extortion demands and no data from an affected federal agency had been leaked online by Cl0p.

    U.S. officials “have no evidence to suggest coordination between Cl0p and the Russian government,” the official said.

    The parent company of MOVEit’s U.S. maker, Progress Software, alerted customers to the breach on May 31 and issued a patch. But cybersecurity researchers say scores if not hundreds of companies could by then have had sensitive data quietly exfiltrated.

    “At this point, we are seeing industry estimates of several hundred victims across the country,” the senior CISA official said. Federal officials encouraged victims to come forward, but they often don’t. The U.S. lacks a federal data breach law, and disclosure of hacks varies by state. Publicly traded corporations, health care providers and some critical infrastructure purveyors do have regulatory obligations.

    The cybersecurity firm SecurityScorecard says it detected 2,500 vulnerable MOVEit servers across 790 organizations, including 200 government agencies. It said it was not able to break down those agencies by country.

    The Office of the Comptroller of the Currency in the Treasury Department uses MOVEit, according to federal contracting data. Spokeswoman Stephanie Collins said the agency was aware of the hack and has been monitoring the situation closely. She said it was “conducting detailed forensic analysis of system activity and has not found any indications of a breach of sensitive information.” She would not say how the agency uses the file-transfer program.

    The hackers were actively scanning for targets, penetrating them and stealing data at least as far back as March 29, said SecurityScorecard threat analyst Jared Smith.

    This is far from the first time Cl0p has breached a file-transfer program to gain access to data it could then use to extort companies. Other instances include GoAnywhere servers in early 2023 and Accellion File Transfer Application devices in 2020 and 2021.

    The Associated Press emailed Cl0p on Thursday asking what government agencies it had hacked. It did not receive a response, but the gang posted a new message on its dark web leak site saying: “We got a lot of emails about government data, we don’t have it we have completely deleted this information we are only interested in business.”

    Cybersecurity experts say the Cl0p criminals are not to be trusted to keep their word. Allan Liska of the firm Recorded Future has said he is aware of at least three cases in which data stolen by ransomware crooks appeared on the dark web six to 10 months after victims paid ransoms.

    AP reporters Sara Cline in Baton Rouge, Louisiana, Eugene Johnson in Seattle and Nomaan Merchant and Rebecca Santana in Washington contributed to this report.


  • Trump charged with 37 counts in classified documents case, indictment says


    A 37-count criminal indictment against Donald Trump for retaining classified government records and conspiring to prevent their return to U.S. officials was unsealed Friday.

    The charging document was made public a day after the former president was indicted by a grand jury in U.S. District Court in Miami.

    Among other allegations, the indictment says that Trump showed classified documents to other people in the summer of 2021, after leaving office.


    One of those documents was a “plan of attack” that he said was prepared by the Pentagon, while the other was a classified map related to a military operation, the indictment alleges.

    Also charged in the indictment was Trump’s valet, Walter Nauta, who faces several of the same charges as his boss, with whom he allegedly conspired to keep classified records and hide them from a federal grand jury.

    The FBI raid of Trump’s Florida home last August discovered hundreds of classified documents, which he had failed to turn over to U.S. officials despite months of efforts to recover them.

    Former U.S. President Donald Trump is seen in Midtown on April 03, 2023 in New York City. Trump is scheduled to be arraigned tomorrow at a Manhattan courthouse following his indictment by a grand jury.


    The indictment says Trump was aware of the highly sensitive nature of the documents, quoting him at one point as saying: “As president, I could have declassified it … but this is still secret.”

    Trump and Nauta are due to be arraigned in Miami on Tuesday, the day before the ex-president’s 77th birthday.

    He and Nauta each face a maximum possible sentence of 20 years in prison if convicted of the most serious charges, which are conspiracy to obstruct justice and counts related to withholding and concealing the government records.

    Thirty-one of the counts accuse Trump of willful retention of national defense information. He is also charged with conspiracy to obstruct justice; withholding a document or record; corruptly concealing a document or record; concealing a document in a federal investigation; scheme to conceal; and false statements and representations.

    Trump was put under criminal investigation in the spring of 2022, after the FBI was notified that classified documents were found in the 15 boxes of government records he gave to the National Archives and Records Administration after months of effort by NARA to recover documents the agency believed were missing.

    By law, presidents must give NARA all government records when they leave office.

    The indictment notes, “As he departed the White House, TRUMP caused scores of boxes, many of which contained classified documents, to be transported to The Mar-a-Lago Club in Palm Beach, Florida, where he maintained his residence.”

    “TRUMP was not authorized to possess or retain those classified documents,” the indictment says.

    Trump later suggested to an attorney that he lie to the FBI and a grand jury by saying that he did not have the documents they were seeking, and directed Nauta to move boxes of documents to conceal them from Trump’s own lawyer, the FBI and the grand jury, the indictment alleges.

    Trump also is accused in the indictment of suggesting to his lawyer that the attorney hide or destroy documents, and of giving the FBI and the grand jury only some of the documents he had kept while claiming he was fully cooperating.

    And Trump caused a certification to be submitted to the FBI and grand jury, falsely representing that all documents had been produced when he knew that was not true, according to the indictment.

    The indictment estimates that Trump’s trial would take between 21 and 60 days.

    Earlier Friday, two of his lawyers resigned from representing him in the classified documents case, and in another pending federal criminal investigation for his efforts to overturn his loss in the 2020 presidential election.


  • Hackers aim to find flaws in AI – with White House help


    No sooner did ChatGPT get unleashed than hackers started “jailbreaking” the artificial intelligence chatbot – trying to override its safeguards so it could blurt out something unhinged or obscene.

    But now its maker, OpenAI, and other major AI providers such as Google and Microsoft, are coordinating with the Biden administration to let thousands of hackers take a shot at testing the limits of their technology.

    Some of the things they’ll be looking to find: How can chatbots be manipulated to cause harm? Will they share the private information we confide in them to other users? And why do they assume a doctor is a man and a nurse is a woman?

    “This is why we need thousands of people,” said Rumman Chowdhury, lead coordinator of the mass hacking event planned for this summer’s DEF CON hacker convention in Las Vegas that’s expected to draw several thousand people. “We need a lot of people with a wide range of lived experiences, subject matter expertise and backgrounds hacking at these models and trying to find problems that can then go be fixed.”

    Anyone who’s tried ChatGPT, Microsoft’s Bing chatbot or Google’s Bard will have quickly learned that they have a tendency to fabricate information and confidently present it as fact. These systems, built on what’s known as large language models, also emulate the cultural biases they’ve learned from being trained upon huge troves of what people have written online.

    The idea of a mass hack caught the attention of U.S. government officials in March at the South by Southwest festival in Austin, Texas, where Sven Cattell, founder of DEF CON’s long-running AI Village, and Austin Carson, president of responsible AI nonprofit SeedAI, helped lead a workshop inviting community college students to hack an AI model.

    Carson said those conversations eventually blossomed into a proposal to test AI language models following the guidelines of the White House’s Blueprint for an AI Bill of Rights — a set of principles to limit the impacts of algorithmic bias, give users control over their data and ensure that automated systems are used safely and transparently.

    There’s already a community of users trying their best to trick chatbots and highlight their flaws. Some are official “red teams” authorized by the companies to “prompt attack” the AI models to discover their vulnerabilities. Many others are hobbyists showing off humorous or disturbing outputs on social media until they get banned for violating a product’s terms of service.

    “What happens now is kind of a scattershot approach where people find stuff, it goes viral on Twitter,” and then it may or may not get fixed if it’s egregious enough or the person calling attention to it is influential, Chowdhury said.

    In one example, known as the “grandma exploit,” users were able to get chatbots to tell them how to make a bomb — a request a commercial chatbot would normally decline — by asking it to pretend it was a grandmother telling a bedtime story about how to make a bomb.

    In another example, searching for Chowdhury using an early version of Microsoft’s Bing search engine chatbot — which is based on the same technology as ChatGPT but can pull real-time information from the internet — led to a profile that speculated Chowdhury “loves to buy new shoes every month” and made strange and gendered assertions about her physical appearance.

    Chowdhury helped introduce a method for rewarding the discovery of algorithmic bias to DEF CON’s AI Village in 2021 when she was the head of Twitter’s AI ethics team — a job that has since been eliminated upon Elon Musk’s October takeover of the company. Paying hackers a “bounty” if they uncover a security bug is commonplace in the cybersecurity industry — but it was a newer concept to researchers studying harmful AI bias.

    This year’s event will be at a much greater scale, and is the first to tackle the large language models that have attracted a surge of public interest and commercial investment since the release of ChatGPT late last year.

    Chowdhury, now the co-founder of AI accountability nonprofit Humane Intelligence, said it’s not just about finding flaws but about figuring out ways to fix them.

    “This is a direct pipeline to give feedback to companies,” she said. “It’s not like we’re just doing this hackathon and everybody’s going home. We’re going to be spending months after the exercise compiling a report, explaining common vulnerabilities, things that came up, patterns we saw.”

    Some of the details are still being negotiated, but companies that have agreed to provide their models for testing include OpenAI, Google, chipmaker Nvidia and startups Anthropic, Hugging Face and Stability AI. Building the platform for the testing is another startup called Scale AI, known for its work in assigning humans to help train AI models by labeling data.

    “As these foundation models become more and more widespread, it’s really critical that we do everything we can to ensure their safety,” said Scale CEO Alexandr Wang. “You can imagine somebody on one side of the world asking it some very sensitive or detailed questions, including some of their personal information. You don’t want any of that information leaking to any other user.”

    Other dangers Wang worries about are chatbots that give out “unbelievably bad medical advice” or other misinformation that can cause serious harm.

    Anthropic co-founder Jack Clark said the DEF CON event will hopefully be the start of a deeper commitment from AI developers to measure and evaluate the safety of the systems they are building.

    “Our basic view is that AI systems will need third-party assessments, both before deployment and after deployment. Red-teaming is one way that you can do that,” Clark said. “We need to get practice at figuring out how to do this. It hasn’t really been done before.”

  • In a new hacking crime wave, much more personal data is being held hostage

    The cybersecurity world faces new threats beyond targeted ransomware attacks, according to experts at the recent RSA cybersecurity industry conference in San Francisco.

    Joe McMann, head of cybersecurity services at Binary Defense, a cybersecurity solutions provider, said the new battleground is data extortion and companies need to shift gears to face the threat.

    Traditionally, ransomware attackers encrypt or delete an organization’s proprietary data and demand a ransom before reversing the attack. McMann said hackers are now focusing on stealing customer or employee data and then threatening to leak it publicly.

    “By naming, shaming, threatening reputational impact, they force the hands of their targets,” McMann said.

    The International Data Corporation predicts firms will spend over $219 billion on cybersecurity this year, and McMann said cybercriminals constantly evolve their methods of exploitation.

    Hackers shifted tactics after ransomware attacks brought an unwelcome level of visibility from law enforcement and governments, and cybersecurity professionals became adept at decryption. Instead of paralyzing hospitals and pipelines, he said, criminals changed gears to collect data and threaten companies with customer dissatisfaction and public outcry.

    At the end of March, OpenAI documented a data leak in an open-source data provider that made it possible to see personal AI chat histories, payment information, and addresses. The team patched the leak in hours, but McMann said once data is out there, hackers can use it.

    Hackers looking beyond corporate devices

    Chris Pierson, founder and CEO of Black Cloak, a digital executive protection company, said companies understand the growing threat of data extortion after public breaches. In the past year alone, he said Twilio, LastPass, and Uber all faced attacks that saw hackers targeting employees outside corporate security protection.

    “For example, the LastPass breach saw one of four key individuals targeted on their personal computer, through a personal public IP address getting in through an unpatched solution,” he said.

    The hackers stole credentials “outside the castle wall environment, on personal devices,” he said, using that data months later as a way into the corporate environment.

    He said the advent of home offices accelerated employee targeting. As every company transformed into a digital-first world, employees naturally started working on personal devices.

    Before the pandemic, Fortune 500 companies spent millions to secure corporate devices and buildings, but employees are not as well protected at home. “The moment an executive walks out of the building, uses their personal device or home network that they share with corporate devices, the attack surface changes,” Pierson said. What’s more, digital footprints are easy to find online, he said. “40% of our corporate executives’ home IP addresses are public on data broker websites.”

    Pierson said it only takes one vulnerable device on a home network to open up the entire network.

    Looking across the street at the RSA convention building, filled with more than 45,000 industry attendees, Pierson said criminals always choose the path of least resistance.

    “You don’t have to go in through all the gear that’s out here at RSA protecting the actual company; you go through the $5 of cybersecurity at home and get everything else,” Pierson said. “Cybercriminals are targeting at a personal level because they know they can get the data, and there are no controls out there,” he added.

    New cybersecurity regulations

    Cybersecurity has higher visibility this year, with phishing attempts and scam messages now a daily occurrence for most people. And companies know that newly proposed SEC guidelines will add another layer of accountability.

    When finalized, the rules would require public firms to disclose data breaches to investors within four days, and have at least one cybersecurity-experienced board member. Though a Wall Street Journal survey found three-fourths of respondents had a cybersecurity director, Pierson said companies were at RSA looking for advice.

    McMann said companies should focus on the simple fixes first and not worry about AI chat breaches if they aren’t using two-factor authentication on personal accounts. Criminals will first try older methods like ransomware before moving on to new ones.

    He said practicing for cyberattacks has become as important as any other emergency drill. On a positive note, McMann said the success of cybersecurity professionals is why criminals are looking for new modes of attack.

    “If you don’t have your operations streamlined and effective, if you don’t have good people and processes in place, don’t worry about the other stuff,” he said. “There’s a lot of fundamentals that get skipped.”

  • Ex-Uber security chief sentenced for data-breach cover-up

    SAN FRANCISCO — The former chief security officer for Uber was sentenced to probation Thursday for trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.

    Joseph Sullivan was sentenced to a three-year term of probation and ordered to pay a fine of $50,000, the U.S. attorney’s office announced.

    Sullivan, 54, of Palo Alto was convicted by a federal jury in San Francisco last October of obstructing justice and concealing knowledge that a federal felony had been committed.

    It was believed to be the first criminal prosecution of a company executive over a data breach.

    Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.

    After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

    According to the U.S. attorney’s office, Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,’ ” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry, prosecutors said.

    Uber’s new management began investigating the breach in the fall of 2017. Despite Sullivan lying to the new chief executive officer and others, the truth was uncovered, and the breach was made public, prosecutors said.

    Sullivan was fired along with Craig Clark, an Uber lawyer he had told about the breach. Clark was given immunity by prosecutors and testified against Sullivan.

    Prosecutors had recommended a sentence of 15 months in federal prison for Sullivan, who submitted more than 100 letters of support from friends, family and colleagues.

    In an April sentencing memo, prosecutors said that showed that Sullivan is “a wealthy, powerful man” with a deep network of family and friends.

    “There cannot be two different systems of justice, one for the privileged and another for the rest,” the memo argued. “Any such perception would do grievous damage to public respect for the law.”

    His lawyers argued that Sullivan already “has suffered, and will continue to suffer, significant consequences because of this case.”

    No other Uber executives were charged in the case.

    The hackers pleaded guilty in 2019 to computer fraud conspiracy charges and are awaiting sentencing.

  • FBI warns against using public phone charging stations

    People charge their mobile devices at a Street Charge station in the Brooklyn Borough of New York.

    Brendan McDermid | Reuters

    The FBI recently warned consumers against using free public charging stations, saying crooks have managed to hijack public chargers so that they infect devices with malware, software that can give hackers access to your phone, tablet or computer.

    “Avoid using free charging stations in airports, hotels or shopping centers,” a tweet from the FBI’s Denver field office said. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”

    The FBI offers similar guidance on its website to avoid public chargers. The bulletin didn’t point to any recent instances of consumer harm from juice jacking. The FBI’s Denver field office said the message was meant as an advisory, and that there was no specific case that prompted it.

    The Federal Communications Commission has also warned about “juice jacking,” as the malware loading scheme is known, since 2021.

    Consumer devices connected to compromised USB cables or ports can be hijacked by software that then siphons off usernames and passwords, the FCC warned at the time. The commission told consumers to avoid those public stations.
