
Tag: identity protection

FTC Suit Against D-Link Sends Message to All IoT Device Makers

NEWS ANALYSIS: Despite claims about advanced security, the Federal Trade Commission says that D-Link hard-coded login credentials leaving encryption keys unprotected and publicly exposed on the web.

LAS VEGAS—My panel on cyber-security at CES was just starting when I introduced Federal Trade Commission attorney Ben Rossen, who is part of the Division on Privacy and Identity Protection.

Rossen opened his discussion with an announcement that the FTC had just filed a lawsuit in the U.S. Federal Court for the Northern District of California alleging that network equipment maker D-Link had been misleading in describing its advanced security technology and had endangered the public with lax product security practices.

Rossen said that the complaint was just one of what will be many complaints about poor internet of things device security. D-Link IP cameras were a major contributor to the immense IoT denial of service attacks that occurred last year, causing widespread disruption on the internet, including taking down Domain Name System services provider DYN.

Hackers had augmented the volume of their attacks by loading botnet software on vast numbers of IoT devices including security cameras, smart home devices and DVRs.

If nothing else, Rossen made it clear why he was part of my panel on "Regulation and Enforcement in Cybersecurity." He said that the FTC was taking privacy and security risks affecting Americans very seriously. In this case, D-Link was allegedly engaging in unfair and deceptive practices by claiming to have provided security capabilities that clearly didn't exist.

A typical example from the FTC complaint was the fact that D-Link had hard-coded "Guest" as the user name and password into its IP cameras. This made it easy for hackers to install botnet software on these devices so that thousands of them could be marshaled as part of a botnet.

But the security holes in the D-Link equipment went beyond that. In the FTC announcement on the enforcement action, the agency noted that a software flaw in D-Link equipment allowed command injection, in which hackers can send remote commands over the internet to the devices without authorization from the owner.

In addition, the FTC complaint says that D-Link mishandled its private key code used to sign the company's software products, by allowing it to be visible on the company's public website for six months.

Finally, when users could actually create their own logins and passwords, the D-Link software allowed those names and passwords to be stored in the clear on the equipment.

The FTC complaint said that the flaws included insecure routers that could allow access to attached storage devices that could be directed to attack other devices on the network. The insecure routers could also be remotely programmed to direct users to fraudulent websites.

Los Angeles to extradite bloke from Nigeria after scores of city...

County claims chap tried to infiltrate medical, social services

Los Angeles wants to extradite a Nigerian man accused of swiping the passwords of more than 100 workers in 15 city and county departments via a phishing attack.

The metropolis' prosecutors have obtained arrest warrants seeking the extradition of Austin Kelvin Onaghinor from Nigeria to face charges of identity theft and unauthorized access to a computer.

The LA district attorney's office claimed on Friday that in May of this year, Onaghinor sent the emails to more than 1,000 of Los Angeles County's 120,000 employees. Of the 1,000, 108 of the emails tricked users into handing over their login credentials to city service portals. If convicted, Onaghinor could face up to 13 years in prison.

The second-largest city in the US says that while it "thwarted" the attack, it is warning some residents that their personal information may have been exposed, and it's offering free identity protection services to the affected people.

The notice, which will be mailed out to the affected citizens, warns that the exposed data includes "first and last name, date of birth, Social Security number (SSN), driver's license or state identification number, payment card information, bank account information, home address, phone number(s), and/or medical information, such as Medi-Cal or insurance carrier identification number, diagnosis, treatment history, or medical record number."

"Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation," the notice reads.

Those whose personal information was exposed will receive one free year of credit and identity monitoring services. The city says it will be improving its internal security and providing additional training to help employees spot and report phishing scams.

Where Cybercriminals Go To Buy Your Stolen Data

What malicious sites provide both free and paid access to stolen credit cards, company databases, malware and more?

With nothing more than a standard Web browser, cybercriminals can find personal, private information all over the public Internet. It isn't just legitimate services - from genealogy sites to public records and social media - that can be mined and exploited for nefarious purposes. Openly malicious criminal activities are also happening on the public Internet.

True, much of the cybercrime underground consists of private and established communities that don't appear in a normal search engine and are not accessible by regular users without special authorization. However, according to the team at identity protection and fraud detection provider CSID, there are different levels of cybercriminal resources - and not all are so tightly protected. The quality and quantity of the more easily accessible forums are still high, say the CSID team, and anyone can access content such as stolen credit cards, cyberattack tools, and even advanced malware, which can be leveraged with minimal technical know-how required.

Adam Tyler, chief innovation officer at CSID, describes how black-market organizations are becoming more like traditional online businesses we visit and buy from every day. “For example," he says, "many sites now have their own Facebook, Twitter and even YouTube pages to advise their member base on new attacks and tools that are available.”

Data sold on criminal marketplaces “age quickly, meaning that once the information is stolen, it has to be used for fraudulent purposes quickly,” says Christopher Doman, consulting analyst at Vectra Networks. “The more times the information is abused for fraud, the more the information will be devalued.”

“Companies should have these marketplaces monitored, looking for trends in data breaches and attacks as well as to see if any of their data has been compromised,” says Carefree Solutions’s CEO Paul San Soucie. “One point that I’m not sure is evident is that there is more public and Dark Web research than any one IT person can handle. Researching and absorbing this information requires significant training and experience. Even large US banks that have dedicated security staff are not able to do some of the research and analysis that specialized reconnaissance teams can perform.”

San Soucie nevertheless suggests treading carefully when doing this research. "While you can get to most of these sites using standard https, I still consider them dark and strongly recommend accessing them via a VPN as both criminal and government sources track access in some cases.”

Read on for a collection of some of the popular sites where private data, credentials, and attack tools are up for sale, or even for free download.

Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk, and compliance—with a focus on specialized industries such as ...

Norton EVP: Lifelock Acquisition Will Allow Symantec To Expand Services, Partner...

Symantec's acquisition of LifeLock is a big boost to the company's consumer business, but Norton Executive Vice President Fran Rosch said partners should expect to see some benefits to the enterprise security portfolio, as well.

Symantec announced late Sunday that it would acquire LifeLock for $2.3 billion, with the deal expected to close in the first quarter of 2017. LifeLock offers a collection of identity protection and remediation services for consumers.

In an interview with CRN, Rosch said the LifeLock acquisition moves Symantec into more value-added services, above and beyond its traditional Norton antivirus portfolio. Rosch said Symantec was drawn to LifeLock because of its ID analytics capabilities, high customer rankings and strong partner channel.

[Related: Another Blockbuster Buy: Symantec Plans To Acquire LifeLock For $2.3B]

"In the past, we have seen a lot of our customers most worried about PC-based malware and viruses, which they now expect to be solved. Now, their hottest topics are around identity theft, the privacy of their information and where it is," Rosch said.  

"This market is such a fast-growing market. In the Norton space, there is a lot of competition and identity protection is a faster growing market. Combining [these two companies], the consumer business will be growing and maintaining strong profitability. We're really excited about the positive growth this will bring for Norton and for our partners," he said.

Rosch said the benefits of the deal, while primarily focused on the company's consumer business, will also bleed into the enterprise side of the house. He said LifeLock's ID analytics business could appeal to enterprise customers, as well as its fraud mitigation service. He said the company's big data analytics capabilities could ultimately connect with Symantec's threat intelligence database.  

"That's something we want to nurture, but the consumer side will be the focus," Rosch said.

For partners, Rosch said he sees "natural" opportunity for service provider and telco partners, who are looking for additional services prospects. He said the LifeLock acquisition also opens a new channel of partners for Symantec for employee benefit program brokers, of which there are dozens.

Jason Eberhardt, vice president of strategic alliances at Chicago-based Conventus, said he is "very excited" to see Symantec continue to expand its security offerings with "an extremely strong product" from LifeLock. He said that is important because his business "will be able to offer more protection to our customers" with the combination of Symantec and LifeLock offerings.  

"Cybersecurity is ever-changing and constantly evolving. These are the types of moves that keep us in the forefront. This will be great for the partners as they will be able to now offer more solutions to our joint clients," Eberhardt said.

Symantec Acquires Identity Protection Vendor Lifelock for $2.3 Billion

Symantec CEO looks to grow the capabilities of company's consumer and enterprise business units.

Symantec announced on November 21 that it is acquiring identity protection vendor Lifelock, in a deal valued at $2.3 billion. The deal is expected to close...

Another Blockbuster Buy: Symantec Plans To Acquire LifeLock For $2.3B

In its second blockbuster deal in less than a year, Symantec unveiled plans to acquire LifeLock for $2.3 billion.

The buy primarily expands Symantec's consumer business, adding identity protection and remediation services.

“People’s identity and data are prime targets of cybercrime. The security industry must step up and defend through innovation and vigilance,” Dan Schulman, Symantec’s chairman of the board, said in a statement. “With the acquisition of LifeLock, Symantec adds a new dimension to its protection capabilities to address the expanding needs of the consumer marketplace.”

[Related: 10 Companies Symantec Could Buy Next]

The deal is expected to close in the first calendar quarter of 2017, at which time the combined company would be the largest consumer security business.  

The acquisition news comes after a week of rumors that Symantec was looking to buy the company, following a Bloomberg report that said LifeLock was being eyed by Symantec, buyout group Permira or private equity group TPG, which is in the process of closing a deal on competitor Intel Security.

Elliott Management owns an 11 percent stake in LifeLock.

Elliott Management also reportedly has a large stake in Symantec.

While the deal focuses on building Symantec's consumer business, Jane Wright, principal analyst at Technology Business Research, said it could provide some ancillary benefits to the company's enterprise security business. Wright said the consumer business provides the bulk of Symantec's operating profits, money it then uses to funnel investments into its less profitable enterprise division.

"I think it’s a really good idea. … Symantec probably looked at this [acquisition] and said it will give us our funding for the new things we want to do in the enterprise and with Blue Coat," Wright said, referring to Symantec's $4.65 billion blockbuster acquisition of Blue Coat Systems, which closed in August. "I fully expected them to have to do something to keep the consumer side of the business going. This is a strong advance in this idea."

From a product perspective, Wright said the acquisition helps Symantec expand its Norton security line beyond just products, as antivirus and other transactional security products become commoditized. Wright said she also believes the LifeLock products could extend into the enterprise side of the portfolio down the road, particularly around Internet of Things security.

Symantec buys anti-ID fraud firm LifeLock for $2.3 billion

Symantec, one of the biggest consumer computer security firms in the world, is about to become even bigger with plans to buy LifeLock—an identity-theft protection service.

The proposed $2.3 billion (£1.86 billion) deal has been okayed by the boards of directors of both companies, and is expected to close in the first quarter of 2017, pending regulatory approval. LifeLock's shareholders will receive $24 (£19.45) per share—a 16 percent premium to its closing price on Friday of $20.75.

Symantec, which owns the Norton suite of cybersecurity software, claimed that the deal will make it the world's largest consumer-facing online protection outfit.

"As we all know, consumer cybercrime has reached crisis levels. LifeLock is a leading provider of identity and fraud protection services, with over 4.4 million highly-satisfied members and growing. With the combination of Norton and LifeLock, we will be able to deliver comprehensive cyber defence for consumers,” said Symantec chief Greg Clark.

The cybersecurity market is growing: it's currently worth around $10 billion (£8.1 billion), while Symantec estimates that the total addressable market in the US alone is 80 million people.

Tempe, Arizona-headquartered LifeLock says it provides "proactive identity theft protection services for consumers and consumer risk management services for enterprises." Among other things, it apparently alerts users to unauthorised identity access by monitoring new account openings and credit applications, while it also trains police, government, merchants, and NGOs in identity protection techniques.

Symantec is taking on $750 million (£608 million) in new debt to finance the purchase, which follows its acquisition in August of cloud security firm Blue Coat for $4.65 billion (£3.77 billion). That deal saw Clark—who had been Blue Coat’s CEO—take the helm at Symantec. The company's former boss, Michael Brown, was ousted earlier this year following disappointing financial results.

This post originated on Ars Technica UK.

Symantec doubles down on consumer security by buying LifeLock

Bid to mitigate damage in face of declining anti-virus sales

Symantec has bought identity theft protection firm LifeLock for $2.3bn.

The deal, announced Sunday, represents a brave bid by Symantec to shore up a consumer security business eroded by dwindling anti-virus sales. Selling Norton consumer security alongside identity protection and remediation services from LifeLock will enable sustainable "consumer segment revenue and profit growth", according to Symantec. The security giant said it plans to finance the transaction with cash supplemented by $750m of new debt. The deal – which is subject to LifeLock stockholder approval and US regulatory approval – is not expected to affect Symantec's FY17 results.

Symantec's share price dropped marginally on the announcement of a deal that effectively involves it "doubling down" on the consumer security market.

Data breaches and the identity theft that sometimes results are a growing problem but whether the sometimes controversial LifeLock offers a comprehensive defence is far from convincing. LifeLock's identity theft protection system is designed to alert subscribers about fraudulent applications for loans, credit cards or other financial services.

The $2.3bn price tag ($24 per share) offered from Symantec represents a 16 per cent premium on LifeLock's Friday closing share price of $20.75, itself a year-long high. LifeLock was also reportedly being pursued by private equity firms Permira, TPG, and Evergreen Coast Capital, as well as Symantec.

Symantec sold data storage software firm Veritas to Carlyle Group for $7.4bn earlier this year. Since then it has purchased Blue Coat for $4.65bn and now LifeLock for $2.3 billion in a bid to redefine itself as a pure play cybersecurity firm.

The purchase price looks high even though LifeLock is profitable. The company's net income for 3Q16 came out at $14.4m on sales of $170.3m.

Last year LifeLock was obliged to pay $100 million to settle charges of failing to maintain a comprehensive information security program and deceptive advertising. The court order followed FTC enforcement action against LifeLock for alleged violations of an earlier 2010 order.

Check Point ZoneAlarm Free Firewall 2017

If you had a personal computer in the late 90s, you probably thought that firewall protection was something that businesses needed, not consumers.
It took the ZoneAlarm crew years to get out the message that consumers need firewall protection too.

F...

Avast Strikes Deal To Acquire AVG For $1.3B

Security technology developer Avast Software will acquire AVG Technologies, a developer of security applications for PCs and mobile devices, for $1.3 billion, the companies announced Thursday. Avast is itself a leading developer of PC and mobile device...

Microsoft Boosts Security in Windows 10 Anniversary Update

Next month's update to Microsoft's nearly 1-year-old OS will include several new features to help keep users and their data safe. When the Windows 10 Anniversary Update arrives Aug 2, it will include several new security features that are designed to p...

How Comcast and Charter are trying to fix their awful customer...

You can check out any time you'd like, but you can never... well, you know the song.

Comcast and Charter yesterday told US senators how they're trying to fix their poorly rated customer service. Executives from the nation's two largest cable companies testified in a hearing in response to a Senate investigation detailing the industry's shortcomings. Comcast Cable Senior VP of Customer Service Tom Karinshak detailed some customer service initiatives, mostly ones that are already in progress. Transcripts of the companies' testimony along with Senate investigative reports are available here.

AT&T (owner of DirecTV) and Dish also testified.

"At Comcast, we understand why we are here," Karinshak said. "We and the industry as a whole have not always made customer service the high priority it should have been. We regret that history and have committed to our customers that we will lead the way with initiatives to change it; we are committed to making every part of our customers’ experience better, and we have already begun to do so."

Comcast said it has come up with a customer "Bill of Rights" with principles including these: more training and technology for employees; fair prices for customers; being on time and minimizing wait times; enabling self-service; keeping bills simple and transparent; re-assessing policies and fees that frustrate customers; crediting customers proactively for outages and billing errors; allowing customers to end their service without a hassle; [and] measuring employees on customer satisfaction.

A Senate investigative report found that Charter and its new subsidiary, Time Warner Cable (TWC), have been overcharging customers at least $7.2 million per year for equipment and service. While Comcast apparently isn't as big an offender in that area, Senate Democrats released a second report detailing other failures common to Comcast and fellow pay-TV operators. The report gave special attention to the various fees that raise prices above advertised rates and how cable companies make it hard for customers to downgrade or cancel service. Comcast has been particularly infamous in this regard, with "retention agents" refusing to process cancelation requests until Comcast customers convince agents that they really do have a good reason to cancel.

In response to senators' criticism, Karinshak said Comcast has "provided additional guidance to our retention representatives about the disconnect process for our customers and continue to work on ways to further streamline disconnect requests. For example, we’re piloting a program to make it easier to cancel service online. As part of the pilot, customers can now log on, enter a request, and cancel their service. We follow up by phone within two days just to verify the request, which we have to do for privacy and identity protection reasons (e.g., to verify the identity and credentials of the individual who canceled the account), and we will even make arrangements for them so all they have to do is drop any equipment they have at a local UPS store and have it sent back to us at no charge. We are continuing to explore other ways to make this process even simpler for our customers."

Even this process can't be fully completed online and requires customers to explain why they're canceling, we noted in a previous story about California legislation that would require ISPs to let customers cancel online.

As for fees, Karinshak said Comcast recently stopped charging "change-of-service fees" but said it continues to charge many others.

Charging for "optional add-on services like our DVR service or for enabling HD technology" allows customers to get a lower bill if they don't want those services, he said. Comcast has extended the time in which customers can dispute charges from 60 to 120 days, given "front-line agents" the authority to issue credits of up to $100, and "afforded customers who say that they returned equipment the benefit of the doubt without requiring a receipt," he said.

Other ongoing Comcast customer service initiatives described by Karinshak include the following:

Creating more than 5,500 US-based customer service jobs over three years.
Automatically crediting customers $20 when technicians arrive late.
Giving employees a new cloud-based platform with "a better, holistic view of the customer’s account history so they have everything they need... to help customers faster and you won’t need to start over each time you talk to a different agent."
Renovating and opening hundreds of retail stores.
Devoting 125 employees to handle complaints on social media.
Providing an interactive troubleshooting guide for customers within the "My Account" app.

Karinshak also said that pay plans for employees, including top executives, now depend on customer satisfaction scores—which are pretty low, at least when measured by third-party research firms. But Comcast uses internal metrics to judge its employees and set pay, the company told Ars.

Charter's plan and more details on overcharges

Charter, meanwhile, has its work cut out for it because it's still in the early stages of integrating Time Warner Cable (TWC) after an acquisition that made the company nearly four times larger.

Charter has been trying to improve customer service since 2012, in part by "insourc[ing] thousands of American jobs that had previously been located overseas," said Charter Executive VP of Customer Operations Kathleen Mayo. Charter expects to hire another 20,000 US citizens as it continues to in-source service operations.

"Today, nearly 90 percent of our customer calls are handled onshore and in-house, and 95 percent of our in-home service visits are performed by Charter employees, rather than third-party contractors," Mayo said. "By bringing those jobs in-house, Charter is better able to manage and train the people who work directly with our customers."

As we reported yesterday, Charter has agreed—under pressure from senators—to identify billing overcharges and automatically credit customers. Out of 11 million Charter boxes in customers' homes (excluding TWC), Charter found 63,000 instances where customers were overbilled for the boxes at some point over the past 9 months. Since Charter acknowledged that it has overcharged customers at least $442,691 per month, that works out to average overcharges of $63.28 for each box victimized by over-billing. Before the TWC merger, Charter had 6.8 million subscribers, so there's more than one box per customer.

"We were pleased that our accuracy rate [more than 99 percent] was as high as it was, but I will never be satisfied until we have zero instances of over-billing," Mayo said. "For the affected customers we identified over the course of this review, we will explain in their next bill that they were overcharged and will be issued a 12-month credit for those equipment fees. During the course of this process, we also discovered approximately 9,000 boxes for which customers were not billed, though they should have been. We will correct and explain the discrepancy moving forward but will not seek to collect those fees that should have been charged."

To eliminate this type of billing problem going forward, Charter has implemented "controls to catch any box/customer mismatch on a daily basis." The Senate report said this is progress, but added that it doesn't offer a complete solution.

Charter has not yet completed all the work necessary to determine how much it has over-billed customers, the report said. That's why the numbers are described as the minimum that Charter has overcharged customers, rather than the full amount.

Charter also "estimates that it has annually overcharged approximately 5,897 Missouri customers a total of $494,000 each year," nearly $84 per customer. This data came in response to a query by Sen. Claire McCaskill (D-Mo.).

TWC—which was still independent when the Senate began its investigation—has started performing monthly audits to find overcharges and issue automatic credits, and it will move from monthly to daily audits under Charter ownership. But the changes won't involve refunds to customers for all of the overcharges they've paid over the years. Neither Charter nor TWC automatically refunded or credited customers during the 6.5-year span studied by the Senate investigation.

Time Warner Cable's total overcharges worked out to $1.9 million a year, affecting a small fraction of the 37 million pieces of equipment in service. "Our equipment billing error rate for video subscribers is a very small .07 percent and for Internet subscribers, .03 percent," TWC Chief Operating Officer John Keib said. (Keib left the company after the Charter acquisition.)

Mayo said Charter is trying to be "a different kind of cable company."

"To improve the customer experience and focus instead on our products, we don’t charge common industry fees like additional modem fees, sports surcharges, separate USF [Universal Service Fund] fees, or early termination charges," Mayo said. Charter says its metrics show a 12-percent increase in customer satisfaction since 2011. While senators pointed out that customers often cannot get their problems resolved on the first phone call, Charter said it is resolving problems on the first call 80 percent of the time.

There's still a ways to go for both Charter and Comcast: a recent Temkin Group customer survey rated ISPs and pay-TV providers as the nation's least-liked industries. As we previously reported, "Among eight ISPs rated, four got very poor ratings: Time Warner Cable (48 percent), Charter (48 percent), Cablevision (47 percent), and Comcast (40 percent)." Comcast scores remain low even though Comcast Executive VP David Cohen pledged major changes in front of a Senate hearing more than two years ago.

Disclosure: The Advance/Newhouse Partnership, which owns about 13 percent of Charter, is part of Advance Publications. Advance Publications owns Condé Nast, which owns Ars Technica.