After litany of lies, Israeli hacking firm Ability settles lawsuit for $3 million

Plagued by investor lawsuits and federal investigations over allegedly lying about products and finances, Israeli hacking company Ability Inc. recently settled out of court by paying $3 million to investors who say Ability’s executives have been misleading about their company’s finances from the start. Most of the allegations in the class action lawsuit are also violations of federal law, so it’s little surprise that Ability came under federal investigation last year for allegedly lying about products and finances. When asked about the current status of the investigation, the SEC declined to comment. Investigations of this nature tend to take years to complete. The settlement is a significant hit for a company with fast evaporating cash reserves and revenue — and little explanation as to why things have gone so badly. With just $3.6 million in cash left on their balance sheet, according to SEC filings, the clock is ticking. The company spent $8.4 million […]

The post After litany of lies, Israeli hacking firm Ability settles lawsuit for $3 million appeared first on Cyberscoop.

Salon will use readers’ CPUs to mine Monero

Searching for new revenue in the cash-strapped and ad-blocked world of media, the blog Salon.com is turning to the new hotness: Cryptocurrency mining. Hotness is very literal in this case, by the way, because any time you visit Salon from now on, your CPU will be used to mine cryptocurrency on their behalf. Your processor will heat up as more than half of your CPU power is dedicated to the task while the computer’s fans fire up to keep the temperature under control. It’s not clear what the limit on Salon’s CPU usage is and Salon did not respond to questions. “Recently, with the increasing popularity of ad-blocking technology, there is even more of a disintegration of this already-tenuous relationship; like most media sites, ad-blockers cut deeply into our revenue and create a more one-sided relationship between reader and publisher,” Salon’s website explained. Salon says about 25 percent of its audience […]

Shopify pays $15,250 bug bounty for a Christmas Eve vulnerability

This one had the potential for a holiday nightmare: A security researcher reported a critical vulnerability to the Canadian e-commerce company Shopify late on Christmas Eve last year. Instead, Shopify fixed the bug within 12 hours and paid out $15,250 to a bug bounty hunter who goes by the handle Cache-Money. The bug potentially allowed an attacker to bypass Shopify’s email verification process and ultimately gain access to an online store they didn’t own. For a platform whose entire reason to exist is to host stores and protect retailers, any threat of hijackings is a big deal. “We tracked down the bug to a race condition in the logic for changing and verifying email addresses,” Shopify’s security team explained on the platform HackerOne, which handles Shopify’s bounty program, including communication and payment with researchers. A race condition is a situation in programming where the result depends on a certain sequence of events. Vulnerabilities can result if a […]

$45,000 bounty offered for Linux zero days

A startup that buys zero-day exploits will pay hackers $45,000 for Linux local privilege escalation exploits against popular distributions like Ubuntu, Debian and Fedora. The company, Zerodium, is famous for its exploit-buying program. It pays bounties as high as $1.5 million if the research is completely original and the target is right. The price depends on the security of the target and the demand in the market. The program might be widely known in the cybersecurity community, but the results are highly secret: Zerodium, based in Washington, D.C., sells its exploits to government customers who will pay for the ability to break virtually any kind of computer. Privilege escalation exploits are particularly valuable because they allow an attacker to gain access to parts of a computer that would otherwise be restricted from them. The new $45,000 bounty for Linux local privilege escalations is a $15,000 raise above Zerodium’s usual $30,000 price tag, suggesting a […]

Google paid $2.9 million in bug bounties in 2017

Google paid out $2.9 million in bug bounties to 274 security researchers in 2017, the company said. The tech giant has paid nearly $12 million in total since the bug bounty program launched in November 2010. The 2017 total was divided up with Android and Google products awarding $1.1 million each, and the rest came from Google Chrome bounties, the company said Wednesday. There were 1,230 bounties to researchers from 60 countries, and the biggest reward was $125,00, which was awarded more than 50 times, Google said. The $2.9 million total is slightly down from 2016’s high of $3 million in bounties paid. After receiving zero successful submissions for any Android remote exploit chain, Google raised the bounty on that kind of bug to $200,000. That’s likely lower than the offensive market will pay for such a bug, but it’s an exceptionally high reward as far as defensive bug bounty programs go. […]

DOJ indicts leaders of cybercrime ring that allegedly stole $530 million

The U.S. Department of Justice arrested 13 cybercriminals from 17 countries, including the United States, from the Infraud dark web criminal carding and malware organization, the agency announced Wednesday. The group is charged with defrauding over $530 million from victims and $2.2 billion in losses, with the majority coming from crimes tied to identity fraud. A newly released indictment also names 23 other alleged members of Infraud who remain at large. In terms of scale of money stolen and international reach, the DOJ said Infraud is among the biggest in the world. “The sole purpose of the organization is the large scale acquisition and dissemination of stolen identities, compromised debit and credit cards, personally identifying information, computer malware and other products used to unlawfully enrich members and associates of the Infraud association,” Dale Eliason, U.S. Attorney of Nevada, said in a call with reporters. The alleged Infraud creator is Svyatoslav Bondarenko, […]

Oh, banks have cameras? Two men arrested for ATM jackpotting scheme must’ve forgot

The U.S. Justice Department charged two men with hacking ATMs inside Connecticut banks in full view of surveillance cameras. The scheme, known as “ATM jackpotting,” ends with ATM machines dispensing large amounts of cash like a casino jackpot. The accused are Alex Alberto Fajin-Diaz, 31, of Spain, and Argenys Rodriguez, 21, of Massachusetts. Facing up to 30 years in prison if convicted, the pair appeared before a federal judge on Monday. Fajin-Diaz and Rodriguez allegedly dressed as repair staff, walked into banks and used malware to get the ATM machines to eject all of their money. The haul was thousands of dollars in cash each time. Police were alerted on Jan. 27, when Citizens Bank investigators observed an attack on an ATM in Cromwell, Connecticut. Police found Fajin-Diaz and Rodriguez near an ATM that was still in the process of ejecting $20 bills. When they searched Fajin-Diaz and Rodriguez’s vehicle, the authorities say they found “tools […]

Cisco investigation reveals ASA vulnerability is worse than originally thought

The “perfect 10.0” critical vulnerability Cisco announced last week that impacts its Adaptive Security Appliance (ASA) devices has additional attack vectors and affects various features. A company investigation revealed the original security patch did not identify or fix the entire problem, so a new fix for Cisco ASA platforms is now available. This means Cisco customers will have additional downtime for security maintenance in order to fix a bug that allows an unauthenticated, remote attacker to execute code and cause system reloads. The problem is raising small hell on social media from systems and network administrators about additional downtime.

“Heads up: Cisco just updated the advisory on CVE-2018-0101 (ASA webvpn / AnyConnect RCE) with a newer software release to fix additional exploitation vectors not covered in last week’s patch. https://t.co/onwRSoXAla” — David Longenecker (@dnlongen), February 5, 2018

“For a whole week I have been patching ASAs with CVE-2018-0101. Today Cisco reports that the patches are not […]

Bug in Grammarly browser extension exposes virtually everything a user ever writes

The Grammarly browser extension, which has about 22 million users, exposes its authentication tokens to all websites, allowing any of them to access all the user’s data without permission, according to a bug report from Google Project Zero’s Tavis Ormandy. The high-severity bug was discovered on Friday and fixed early Monday morning, “a really impressive response time,” Ormandy wrote. Grammarly, launched in 2009 by Ukrainian developers, looks at all messages, documents and social media posts and attempts to clean up errors so the user is left with the clearest English possible. The browser extension has access to virtually everything a user types, and therefore an attacker could access a huge trove of private data. Exploitation is as simple as a couple of console commands granting full access to everything, as Ormandy explained. It’s not clear if the vulnerability was ever exploited. Grammarly has not responded to a request for comment. The vulnerability affected Chrome and Firefox. Updates are now available for […]

French marketing firm publicly exposes sensitive data of over 12,000 clients

Prominent French marketing firm Octoly accidentally publicly exposed an Amazon Web Services S3 cloud storage bucket containing sensitive information about the company’s IT operations as well as the firm’s thousands of clients, according to a report from the cybersecurity firm UpGuard. Octoly, which just got a $10 million investment round, is a marketing firm that connects companies and influencers for native advertising opportunities in the popular and lucrative worlds of beauty and video game blogging. The firm works with Sephora, Dior, Yves Saint Laurent and Blizzard Entertainment as well as popular “influencers” on social media — i.e. people with a large following. Over 12,000 Octoly clients had sensitive data exposed as a result of a misconfigured AWS account including real names, addresses, phone numbers, email addresses, birth dates and hashed user passwords for the individual influencers. On the brand side, Octoly’s analytics for each specific brand were publicly exposed as well. “Octoly’s potential business […]
