Saks, Lord & Taylor Stores Hit by Data Breach

A data breach at Saks Fifth Avenue and Lord & Taylor stores in North America exposed customer payment card data, parent company Hudson’s Bay Company (HBC) announced on Sunday.

The hack, which also impacted its discount store brand Saks OFF 5TH, did not appear to affect HBC’s e-commerce or other digital platforms.

“We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores,” the announcement said. “We are working rapidly with leading data security investigators to get our customers the information they need, and our investigation is ongoing. We also are coordinating with law enforcement authorities and the payment card companies,” it added.

According to cybersecurity research and threat intelligence firm Gemini Advisory, a cybercrime marketplace called JokerStash announced that over five million stolen credit and debit cards were for sale; Gemini says the cards were likely stolen from HBC’s stores.

“In cooperation with several financial organizations, we have confirmed with a high degree of confidence that the compromised records were stolen from customers of Saks Fifth Avenue and Lord & Taylor stores,” Gemini said in a blog post, adding that the window of compromise was estimated to be May 2017 to present.

As of Sunday, roughly 125,000 records had been released for sale so far, Gemini said, with the “entire cache” expected to become available in the following months.

HBC did not provide details on the number of customers/records impacted in the incident. 

“The Company is working rapidly with leading data security investigators to get customers the information they need, and the investigation is ongoing. HBC is also coordinating with law enforcement authorities and the payment card companies,” HBC said.

“The details of how these cards were stolen remains unclear at this time, but it’s important that we learn what happened so that others can work to prevent similar breaches,” commented Tim Erlin, VP, product management and strategy at Tripwire. “This appears to be the type of breach, through point-of-sale systems, that EMV is supposed to prevent, so we need to ask what happened here. Was EMV in use, and if so, how did the attackers circumvent it?”

News of HBC’s breach comes days after sports gear maker Under Armour said that its fitness application had been hacked, affecting approximately 150 million user accounts.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

AMD Says Patches Coming Soon for Chip Vulnerabilities

AMD Chip Vulnerabilities to be Addressed Through BIOS Updates – No Performance Impact Expected

After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) on Tuesday said patches are coming to address several security flaws in its chips. 

In its first public update after the surprise disclosure of the vulnerabilities by Israel-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and with the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.


CTS Labs, which was unheard of until last week, came under fire shortly after its disclosure for giving AMD only a 24-hour notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method.

CTS Labs claimed that a number of vulnerabilities could be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.

“AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations,” the chipmaker wrote in an update on Tuesday. “It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.”

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.

AMD attempted to downplay the risks, saying that any attacker gaining administrative access could have a wide range of attacks at their disposal “well beyond the exploits identified in this research.”

“Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues,” the notice continued. 

AMD also linked to a blog post from Trail of Bits, which was the first to independently review the findings from CTS. The company, which has been paid for its services, confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.”

“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits added.

Check Point has also confirmed two of the RYZENFALL vulnerabilities following its own review. The security firm says it does not have any relationship with CTS Labs and it has not received any payment for its services. It also noted that it does not agree with the way CTS disclosed its findings, describing it as “very irresponsible.”

Alex Ionescu, a reputable researcher and Windows security expert, also confirmed the findings and warned that “admin-level access and persistence are legitimate threats in multi-tenant IaaS and even things such as VTL0/1 (Credential Guard) when firmware and chipset trust boundaries are broken.”

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD stated last week.

Some have compared the recent AMD vulnerabilities to Meltdown and Spectre, which impact CPUs from Intel, AMD, ARM and others. However, others argued that the issues disclosed by CTS Labs are nowhere near as severe: they mostly affect the firmware of AMD’s Secure Processor and chipset rather than the CPU cores themselves, and, as AMD noted, they require administrative access to exploit.

AMD did not provide specific dates that patches are expected to be released, but said it would provide additional updates on both its analysis of the issues and the related mitigation plans in the coming weeks. 

Eduard Kovacs contributed to this report

Virsec Raises $24 Million in Series B Funding

Virsec, a cybersecurity company that protects applications from various attacks, today announced that it has closed a $24 million Series B funding round led by tech investment firm BlueIO.

This latest funding round brings the total amount raised to-date by the company to $32 million. The company previously raised $1 million in seed funding and $7 million in a Series A funding round.

Virsec explains that its technology can protect applications by protecting processes in memory and pinpointing attacks in real-time, within any application. In more detail, the company explains that its Trusted Execution technology “maps acceptable application execution, and instantly detects deviations caused by attacks.” 

“The battleground has shifted in cybersecurity and the industry is not keeping up,” said Atiq Raza, CEO of San Jose, California-based Virsec. “With our deep understanding of process memory, control flow, and application context, we have developed a revolutionary solution that stops attacks in their tracks, where businesses are most vulnerable – within applications and processes.”

Additional investors participating in the round include Artiman Ventures, Amity Ventures, Raj Singh, and Boston Seed Capital.

Palo Alto Networks to Acquire CIA-Backed Cloud Security Firm Evident.io for $300 Million

Network security firm Palo Alto Networks (NYSE: PANW) on Wednesday said that it has agreed to acquire cloud security and compliance firm Evident.io for $300 million in cash. 

Palo Alto Networks currently has several security offerings that cater to cloud environments, including its VM-Series virtualized next-generation firewalls, API-based security for public cloud services infrastructure, and Traps for host-based security. 

Pleasanton, Calif.-based Evident.io’s flagship Evident Security Platform (ESP) helps customers reduce cloud security risk by minimizing the attack surface and improving overall security posture. ESP can continuously monitor AWS and Microsoft Azure deployments, identify and assess security risks, provide security teams with remediation guidance, along with providing security auditing and compliance reporting by analyzing configurations of services and account settings against security and compliance controls. 
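The configuration-analysis approach described above (evaluate account and service settings against a set of controls, emit findings with remediation guidance) can be illustrated with a small posture check. The code below is an added example written for this page; it is not Evident.io’s code and does not call any cloud API. The account snapshot, control IDs (S3-1, SG-1, IAM-2, and so on), the 90-day key-rotation threshold and the severity labels are all constructed assumptions for illustration.

```python
"""Minimal cloud-posture check: evaluate a constructed account snapshot
against a handful of controls and return findings with remediation advice.
Added example; hypothetical data and control IDs, not real API output."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable

ADMIN_PORTS = {22, 3389}   # SSH and RDP (assumed "admin" ports for this example)
MAX_KEY_AGE_DAYS = 90      # assumed rotation threshold

# Constructed sample snapshot (hypothetical shapes, not real AWS output).
SAMPLE_ACCOUNT = {
    "s3_buckets": [
        {"name": "corp-backups", "public_read": False, "encryption": "AES256"},
        {"name": "marketing-assets", "public_read": True, "encryption": None},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                    {"port": 3306, "cidr": "10.0.0.0/8"}]},
    ],
    "iam": {
        "root_mfa_enabled": False,
        "users": [
            {"name": "deploy", "access_key_age_days": 120, "mfa": True},
            {"name": "alice", "access_key_age_days": 10, "mfa": True},
        ],
    },
}


@dataclass(frozen=True)
class Finding:
    control: str
    resource: str
    severity: str
    remediation: str


def is_world(cidr: str) -> bool:
    """True if the CIDR covers every address (e.g. 0.0.0.0/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_s3(acct: dict) -> list[Finding]:
    out = []
    for b in acct["s3_buckets"]:
        if b["public_read"]:
            out.append(Finding("S3-1", b["name"], "high",
                               "Block public access and remove public ACLs/policies"))
        if not b["encryption"]:
            out.append(Finding("S3-2", b["name"], "medium",
                               "Enable default server-side encryption"))
    return out


def check_security_groups(acct: dict) -> list[Finding]:
    # Flag admin ports reachable from the whole internet; 443 open to the world is not flagged.
    return [
        Finding("SG-1", f"{sg['id']}:{rule['port']}", "high",
                "Restrict admin ports to trusted CIDRs or a bastion host")
        for sg in acct["security_groups"]
        for rule in sg["ingress"]
        if rule["port"] in ADMIN_PORTS and is_world(rule["cidr"])
    ]


def check_iam(acct: dict) -> list[Finding]:
    out = []
    if not acct["iam"]["root_mfa_enabled"]:
        out.append(Finding("IAM-1", "root", "high", "Enable hardware MFA on the root account"))
    for u in acct["iam"]["users"]:
        if u["access_key_age_days"] > MAX_KEY_AGE_DAYS:
            out.append(Finding("IAM-2", u["name"], "medium",
                               f"Rotate access key (older than {MAX_KEY_AGE_DAYS} days)"))
    return out


CONTROLS: list[Callable[[dict], list[Finding]]] = [check_s3, check_security_groups, check_iam]


def evaluate(acct: dict) -> list[Finding]:
    """Run every control; an empty list means the snapshot passed all checks."""
    return [f for control in CONTROLS for f in control(acct)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, the shape a compliance report would roll up."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate(SAMPLE_ACCOUNT):
        print(f"[{f.severity:>6}] {f.control} {f.resource}: {f.remediation}")
```

Each control is a pure function over the snapshot, so adding a control means adding one function to `CONTROLS`; running the same evaluation on a fresh snapshot at an interval is what turns this into the continuous monitoring the article describes.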

“Once integrated with the Palo Alto Networks cloud security offering, customers will be able to use a single approach to continuous monitoring, comprehensive storage security, and compliance validation and reporting,” explained Tim Prendergast, CEO & Co-Founder of Evident.io.

Evident.io is backed by Bain Capital Ventures, True Ventures, Venrock, Google Ventures, and In-Q-Tel, the not-for-profit venture capital arm of the CIA.

The acquisition is expected to close during Palo Alto Networks fiscal third quarter, subject to satisfaction of customary closing conditions. 

Evident.io’s co-founders, Tim Prendergast and Justin Lundy, will join Palo Alto Networks.

Former Equifax CIO Charged With Insider Trading

The United States Securities and Exchange Commission (SEC) said it has charged Jun Ying, former chief information officer (CIO) of a business unit of Equifax, with insider trading in connection with the massive data breach disclosed in late 2017 that put millions of customers at risk.

The SEC alleges that before Equifax’s public disclosure of the breach in September 2017, Ying exercised all of his vested Equifax stock options and then sold the shares, taking proceeds of roughly $1 million.  

By selling his shares before public disclosure of the data breach, Ying avoided more than $117,000 in losses, the SEC says.

According to the SEC’s complaint, Jun Ying, who reportedly was next in line to be the company’s global CIO, allegedly used confidential information provided to him by the company to conclude that Equifax had suffered a serious breach that exposed sensitive personal information of more than 148 million U.S. customers.

The Atlanta-based company has been under fire for not explaining why it waited more than a month to warn affected customers about a risk of identity theft and fraud. Questions were also raised after four Equifax executives sold stock worth $1.8 million just prior to public disclosure of the hack. Equifax claimed that the execs had been unaware of the breach when they sold shares.

“As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard R. Best, Director of the SEC’s Atlanta Regional Office.  “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”

The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks repayment of ill-gotten gains plus interest, penalties, and injunctive relief.

“Upon learning about Mr. Ying’s August sale of Equifax shares, we launched a review of his trading activity, concluded he violated our company’s trading policies, separated him from the company and reported our findings to government authorities,” Interim Chief Executive Officer, Paulino Do Rego Barros, Jr., said in a statement in response to the charges announced against Ying. “We are fully cooperating with the DOJ and the SEC, and will continue to do so.”

Late last month, the SEC announced updated guidance on how public companies should handle the investigation and disclosure of data breaches and other cybersecurity incidents, suggesting that executives should refrain from trading securities while in possession of non-public information regarding a significant cybersecurity incident.

The SEC itself admitted last year that it was the victim of a cyberattack in 2016 that may have allowed hackers to profit through trading on non-public information obtained from its EDGAR filing system.

Splunk to Acquire Security Orchestration Firm Phantom for $350 Million

Machine data solutions firm Splunk said on Tuesday that it has agreed to acquire Phantom Cyber, a provider of Security Orchestration, Automation and Response (SOAR) solutions.
Under the terms of the agreement, Splunk will pay approximately $350 million…