cybercrime

California passes law that bans default passwords in connected devices

Good news! California has passed a law banning default passwords like “admin,” “123456” and the old classic “password” in all new consumer electronics starting in 2020. Every new gadget built in the state, from routers to smart home tech, will have to come with “reasonable” security features out of the box. The law specifically calls for each device to come with a preprogrammed password “unique to each device.” It also mandates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” forcing users to change the unique password to something new as soon as it’s switched on for the first time. For years, botnets have utilized the power of badly secured connected devices to pummel s...

British Airways breach caused by credit card skimming malware, researchers say

A security firm says credit card skimming malware installed by hackers on British Airways’ website a few months ago was to blame for a data breach of over 380,000 credit cards. Payments through the airline’s website and mobile app were stolen over the three-week period, but a key clue was that travel information wasn’t affected. Yonathan Klijnsma, a threat researcher at RiskIQ, suspected it might be the same group that was behind the Ticketmaster breach, in which hackers targeted a third party that loaded code on Ticketmaster’s various sites. From there, it could siphon off thousands of transactions. This time, Klijnsma said the group took an even more “highly targeted approach,” describing a wave of attacks that the “Magecart” collective has used to steal thousands of records from various...

Russian hackers already targeted a Missouri senator up for reelection in 2018

A Democratic senator seeking reelection this fall appears to be the first identifiable target of Russian hacking in the 2018 midterm race. In a new story on the Daily Beast, Andrew Desiderio and Kevin Poulsen reported that Democratic Missouri Senator Claire McCaskill was targeted in a campaign-related phishing attack. That clears up one unspecified target from last week’s statement by Microsoft’s Tom Burt that three midterm election candidates had been targeted by Russian phishing campaigns. The report cites its own forensic research in determining the attacker is likely Fancy Bear, a hacking group believed to be affiliated with Russian military intelligence. “We did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata tha...

Social SafeGuard scores $11M to sell alerts for brand-damaging fakes

Social SafeGuard, a 2014-founded U.S. startup which sells security services to enterprises aimed at mitigating a range of digital risks that lie outside the corporate firewall, has closed an $11 million Series B funding round, from AllegisCyber and NightDragon Security. It’s hoping to ride the surge in awareness around social media fakery — putting the new funding towards sales and marketing, plus some product dev. “As one of the few dedicated cybersecurity venture firms, we know how big this challenge has become for today’s security executives,” said Spencer Tall, MD of AllegisCyber, in a supporting statement. Tall is joining the Social SafeGuard board. “This is no longer a fringe need that can be ignored or deferred. Digital risk protection should be on the shortlist of corporate securit...

Canadian Yahoo hacker gets a five-year prison sentence

After pleading guilty in November, the Canadian hacker at least partially to blame for the massive Yahoo hack that exposed up to 3 billion accounts will face five years in prison. According to the Justice Department, the hacker, 23-year-old Karim Baratov, worked under the guidance of two agents from the FSB, Russia’s spy agency, to compromise the accounts. Those officers, Dmitry Dokuchaev and Igor Sushchin, reside in Russia, as does Latvian hacker Alexsey Belan who also was implicated in the Yahoo hack. Given their location, those three are unlikely to face consequences for their involvement, but Baratov’s Canadian citizenship made him vulnerable to prosecution. “Baratov’s role in the charged conspiracy was to hack webmail accounts of individuals of interest to his coconspirator who was wo...

Facebook, Microsoft and others sign anti-cyberattack pledge

Microsoft, Facebook and Cloudflare are among a group of technology firms that have signed a joint pledge committing publicly not to assist offensive government cyberattacks. The pledge also commits them to work together to enhance security awareness and the resilience of the global tech ecosystem. The four top-line principles the firms are agreeing to are [ALL CAPS theirs]: 1. WE WILL PROTECT ALL OF OUR USERS AND CUSTOMERS EVERYWHERE. 2. WE WILL OPPOSE CYBERATTACKS ON INNOCENT CITIZENS AND ENTERPRISES FROM ANYWHERE. 3. WE WILL HELP EMPOWER USERS, CUSTOMERS AND DEVELOPERS TO STRENGTHEN CYBERSECURITY PROTECTION. 4. WE WILL PARTNER WITH EACH OTHER AND WITH LIKEMINDED GROUPS TO ENHANCE CYBERSECURITY. You can read the full Cybersecurity Tech Accord here. So far 34 companies have signed up to th...

The United States needs a Department of Cybersecurity

Ted Schlein, a general partner at venture capital firm Kleiner Perkins Caufield & Byers, focuses on early-stage technology companies in the enterprise software and infrastructure markets, including ventures within the networking and consumer security arenas. This week over 40,000 security professionals will attend RSA in San Francisco to see the latest cyber technologies on display and discuss key issues. No topic will be higher on the agenda than the Russian-sponsored hack of the American 2016 election, with debate about why the country has done so little to respond and what measures should be taken to deter future attempts at subver...

Lessons from cybersecurity exits

Dear F0und3r: What a month this has been for cybersecurity! One unicorn IPO and two nice acquisitions – Zscaler’s great debut on Wall Street, a $300 million acquisition of Evident.io by Palo Alto Networks and a $350 million acquisition of Phantom Cyber by Splunk – have gotten all of us excited. Word on the street is that in each of those exits, the founders took home ~30% to 40% of the proceeds. Which is not bad for ~4/5 years of work. They can finally afford to buy two-bedroom homes in Silicon Valley.

Evident.IO Investment Rounds and Return Estimates

Date      Select Investors  Round Size  Pre      Post     Dilution  Estimated Returns / Multiple of Invested Capital
Sep 2013  True Ventures     $1.5m       $5.25m   $6.75m   22%       44X
Nov 2014  Bain Capital      $9.8m       $18.1m   $28.0m   35%       10.7X
Apr 2016  Venrock           $15.7m      $35.0m   $50...

1Password nets partnership with ‘Have I Been Pwned’

A little over a month since 1Password incorporated a pwned password check feature developed by Have I Been Pwned’s Troy Hunt, the password manager service has now netted what’s being described as “a partnership” with the popular breach monitoring service. Essentially this boils down to a commercial arrangement between 1Password and the free-to-use breach check service, with HIBP now recommending users sign up to 1Password’s service at the point when they learn their information may have been involved in a data breach. In a blog post explaining why he feels it’s the right time to accept a sponsor for the service, Hunt writes that one of the reasons he feels comfortable taking money in this way is that users want “actionable steps once they’ve found themselves pwned” — so being able to point...