Monday, November 20, 2017

Tag: Stock Price

Nothing to see here, move along. Go back to your homes

Senior Equifax executives sold their shares in the credit agency just before its stock price plunged when the world was told it had been thoroughly hacked.…
Morgan Stanley: demand for graphics chips, video game consoles will slow in 2018.
New Ponemon study shows how breaches can bring a company's stock price down by an average of 5% on the day of the incident.
At more than $311 a share, Wall Street pegs Tesla as the most valuable US automaker.
This is not the way to get vulnerabilities fixed

Security startup MedSec and the financial house backing the biz have published new allegations of security flaws in pacemakers and defibrillators built by St Jude Medical – and again look set to profit from the disclosures in an unorthodox way.

In four swish videos, the MedSec team claims it exploited a debugging backdoor in the St Jude-built Merlin@home control unit so it could send commands wirelessly to a patient's defibrillator. The team was able to hijack the control unit after reverse-engineering its software, written in Java, and hooking a laptop to the unit via Ethernet. MedSec claims it could do away with the Merlin@home altogether, and wirelessly send orders to people's devices in their chests from software-defined radio kit, after working out St Jude's protocols.

Using the compromised terminal, the team says it managed to make the defibrillator vibrate constantly, turn off its heart monitoring software, or get it to administer a mild electric shock, which the actor narrating the video describes as "painful, and can be detrimental to a patient's health if used in an unprescribed manner."

MedSec's CEO Justine Bone explained to The Register that the team had used a hacked MedSec device because it was the easiest route to show deficiencies in the device. By using old developer debugging code left on the device by the original designers, they were able to take control of it. "We believe that this could be done from any wireless attack platform once someone had written out all protocols," she said. "It's going to be very hard to fix; you'd have to rewrite the RF communication protocols."

Some of the attacks, particularly if used in conjunction with each other, could put lives at risk. But she acknowledged that in tests so far the maximum range of the defibrillator was limited to seven feet, so an attacker would have to be up close and personal.

Bone also said that the MedSec team hadn't contacted St Jude Medical about the flaws before releasing the videos, and had instead gone to the Food and Drug Administration and the Department of Homeland Security. Bone said this was because St Jude doesn't have a good record of sorting out flaws like this.

St Jude confirmed to The Register that MedSec hadn't passed on any details about the flaws, and made the following statement: "Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St Jude Medical devices. This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry."

The company is also setting up a Cybersecurity Medical Advisory Board to give it tips on how to build more secure products. However, it appears as though it's mostly staffed by doctors, who aren't the best for finding sloppy software holes.

The whole sorry saga started in August when MedSec found what it claims were flaws in St Jude's devices. Rather than go to the manufacturer and sort these out, the firm partnered with financial house Muddy Waters and shorted the stock before going public with the news. The security firm now gets a payout based on how far St Jude's stock price falls – the more the better. St Jude and others have disputed the claims, and St Jude is now suing those involved in the disclosures. People who have St Jude devices implanted have been left panicked and confused by the whole matter.

In the meantime, many in the security community are worried that this kind of disclosure is just going to increase fear, uncertainty, and doubt in an industry sector already bedeviled with it. If short selling becomes the norm, then headlines rather than fixes will become the goal, and it's difficult to see how that benefits end users. ®
PHBs are applying the Ford Pinto formula to your data

Whenever mega-hacks like the Yahoo! fiasco hit the news, inevitably the question gets asked as to why the IT security systems weren't good enough.

The answer could be that it's not in a company's financial interest to be secure. A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought – typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. "I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs." Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues.

That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems. He also noted that the effects of a data incident typically don't have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn't make a lot of sense to invest too much in cyber security. It's this kind of thinking that led to the infamous Pinto Formula.
In 1973, a memorandum was prepared by Ford examining the costs of issuing a fix for its Pinto compact cars.
In tests, the cars were shown to have a dangerously unshielded fuel tank, meaning they had a tendency to burst into flames when hit from behind at more than 20 miles per hour. The boffins at Ford estimated that the cost to the company of doing a recall on the model would be $137.5m.

But if the recall wasn't held, the company would only have to pay out an estimated $49.5m in damages for the expected 180 deaths from fire, so the firm decided not to perform the recall. The memo was discovered by investigative journalist Mark Dowie and caused a massive problem for Ford.
It was forced to issue a recall and pay out millions in damages, and the case dogged Ford's reputation for years. However, it may be that the lack of security could have an effect on the burgeoning cyber insurance market. Romanosky pointed out that insurance costs would provide a more direct incentive for companies to protect their data. Insurance companies would also be in an ideal position to judge what IT security systems work best, he pointed out.

After all, their job is to price risk and they would have the data on incidents and how they occurred.

But so far that hasn't happened. "We don't get a lot of feedback from them; either they don't understand or they don't care so much," he said. "I get the sense they are a little complacent. Maybe they think they are overcharging.
I don't know if they are being strategic that way." ®
Defibrillator security saga will go to court

Medical device maker St Jude has filed suit against a security company that reported security flaws in its products as part of a short-sale financial scheme. The medical supplier says that it has sued both security firm MedSec and researcher Muddy Waters, as well as three other individuals it says falsely reported serious vulnerabilities in its pacemakers and defibrillators.

They then made money by short-selling the stock when the news broke. The charges include false advertising, false statements, conspiracy, and market manipulation.

"We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again," St Jude president and CEO Michael Rousseau said in announcing the suit. "We believe this lawsuit is critical to the entire medical device ecosystem – from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme."

Muddy Waters and MedSec made headlines last month when they reported discovering vulnerabilities in St Jude pacemaker and defibrillator devices that, if exploited, could have allegedly posed threats to the health of patients. Rather than disclose the flaws to the manufacturer, the researchers instead went to an investment house and turned a tidy profit by short-selling St Jude stock after its price dropped on the release of the news. Shortly after the report surfaced, however, St Jude disputed the vulnerability reports and alleged the entire scheme had been made up to manipulate its stock price.

"Our top priority is to reassure patients, caregivers and physicians who use our life-saving devices that we are committed to the security of our products, and to ensure patients and their doctors maintain ongoing access to the proven clinical benefits of remote monitoring," said St Jude vice president and chief medical officer Mark Carlson. "We decided to take this action because of the irresponsible manner in which these groups have acted."
Experts at the University of Michigan also poured doubt on one claim by MedSec that St Jude's equipment is remotely brickable. ®
A former senior finance manager for Oracle claims the software maker fired her for not inflating revenues in its cloud services division.

In a whistleblower and wrongful termination lawsuit, Svetlana Blackburn also claims that Oracle ultimately inflated the numbers without her assistance. "The data, she knew, would end up in SEC filings and be touted on earnings calls, used to paint a rosier picture than actually existed on the ground," Blackburn says in her nine-page lawsuit (PDF).

The Silicon Valley software maker, having a market cap of roughly $165 billion, said it fired the woman for inadequate work. "We are confident that all our cloud accounting is proper and correct," Oracle said. "This former employee worked at Oracle for less than a year and did not work in the accounting group. She was terminated for poor performance and we intend to sue her for malicious prosecution."

The federal lawsuit comes as Oracle just suffered a major defeat in its long-running $9 billion lawsuit against Google.

A San Francisco federal jury declared that the search giant's use of Oracle's APIs in the Android operating system was authorized by the fair-use doctrine. What's more, the new suit questions a key metric—cloud services revenue—that has become an increasingly important sign to investors of a software company's health. Oracle's stock has slid about 10 percent this year, in part because of the stock market's concerns about its financial performance as the company moves from selling software for use on customer computers to software being hosted and run on Oracle's data centers. Blackburn's lawsuit claims Oracle was pushing her "to fit square data into round holes, in an effort to bolster Oracle Cloud Services financial reports that would be paraded before company leadership as well as the investing public." Citigroup analyst Walter Pritchard, in a Thursday research note, said the litigation "will keep some level of uncertainty" hovering over Oracle's stock valuation until more information comes out in the lawsuit.
The cost of even huge data breaches is not enough to convince companies to spend vastly more to bolster IT security, since neither investors nor customers permanently abandon them.
In October 2015, hackers compromised the website of British telecommunications firm TalkTalk, likely using one of 11 known vulnerabilities in the site to steal the personal details of 157,000 customers, including bank-account information on more than 15,000 people. Earlier this month, the bill for the lapse in security came due: the company saw its profits decline by more than half in the first quarter of 2016.

In its annual report released in February, the company revealed that it lost 95,000 subscribers and attributed more than £55 million (US$80 million) in losses to the hack, including the "exceptional costs of restoring our online capability with enhanced security features, associated IT, incident response and consultancy costs, and free upgrades" that the company offered to retain customers.

TalkTalk is the latest company to suffer significant lost business following a breach. While past analyses have found that breaches have not hurt companies' long-term stock price, businesses and their management are increasingly being called to account for significant recovery costs and lost business following successful cyber-attacks.

"The fact that we are moving into a period where people are being held liable says a lot," said Chris Novak, a director of the RISK computer investigations team at business-services firm Verizon Enterprise. "The impact is moving up the stack. It is no longer just an IT-level issue, it is a board or C-level issue."

Yet it may not be enough. While the sacking of CEOs has certainly drawn the attention of executive teams and boards, the financial penalties of breaches tend to be short-lived and easily subsumed by most large companies. When hacker Albert Gonzales stole information on nearly 100 million credit and debit cards from Heartland Payment Systems in 2009, the company lost more than 75 percent of its stock value in three months. Yet the price bounced back, and now its stock is up nearly 500 percent since that time. Following its 2013 breach, Target paid out more than $252 million, of which $90 million was reimbursed by insurance. While seemingly a large sum, the damages only amounted to 0.1 percent of the company's 2014 sales, Benjamin Dean, a fellow for Internet governance and cyber-security at Columbia University's School of International and Public Affairs, pointed out in an article last year.

And, in spite of the $80 million in losses, TalkTalk's breach costs only cut into profits and did not result in an overall fiscal-year financial loss for the company. In fact, the company's efforts to provide customer incentives resulted in churn reaching an all-time low in the last quarter of 2015.

Overall, the losses are not enough to drive companies to spend appreciably more on security, Lillian Ablon, cyber-security and emerging technologies analyst at RAND, told eWEEK. "Sure they feel the pain, and some stock prices have gone down, but no one has really felt a lot of pain," she said. Part of the problem is that consumers may be tired of the repeating pattern of breaches and not sure what they can do to change corporate behavior, Ablon said.
The co-developer of RSA's SecurID explains how he fought against Chinese crack

AusCERT In March 2011, a suspected-to-be-Beijing-backed hacking unit infiltrated security giant RSA, successfully subverted its SecurID product and hacked top American defence contractor Lockheed Martin. That attack left Bill Duane stressed and exhausted.

Duane is a quiet cryptologist who co-developed the SecurID token.

As the attack became apparent, he moved out of home and into a hotel across from RSA's office, to fight what would become a personal battle with an elite Chinese hacking unit. Those long hours were needed because the breach is one of the most significant in history.

The hacking unit known as PLA (People's Liberation Army) Unit 61398, or to the intelligence industry as Byzantine Candor, Comment Crew, and APT 1, operated out of a shabby building in the outskirts of Shanghai and excelled in plundering highly-secure US firms. The hacking team was split into formal divisions including wings charged with acquiring and maintaining access to hacked systems, lateral movement, and identifying and exfiltrating huge data sets.

Duane, as a SecurID co-developer, played a central role in the breach response. "I have never worked so hard, under so much stress, and with so much at risk," Duane told the AusCERT security conference on the Gold Coast. "At one point I was working every day of the week, 18 to 20 hours a day, sleeping in a hotel for a couple of hours across the road from work.

"The strongest thing that was driving me, I'm slightly embarrassed to say, wasn't the customers or the stock price, but was that if I failed my fellow employees would be out of work and that would affect food on their tables and their kids going to school."

Bill Duane. Image: Darren Pauli, The Register.

The Chinese hackers learned of Duane's involvement and began targeting him.

They did this despite the distinguished engineer having virtually no online presence, no photos indexed by Google, and no social media accounts, despite a tech sector career spanning more than four decades. "They came after me personally with malware attacks on my netbook when they realised what I was doing," he says. "I popped up on the radar screen and [my anonymity] was destroyed."

He says the PLA hacking unit switched from its state of stealth, with infrequent command and control pings and careful lateral movement, to "smash and grab" after they realised they were detected. "It opened up the arena of advanced cyber attacks that I had never really understood," he says.

The security pro urged the rapt AusCERT audience to treat their internal networks as "dirty", and to consider that any effort that makes life easier for staff and partners also simplifies an attacker's job. "No organisation can muster the defence against these attackers," he says. Security administrators must also understand and reduce their exposure to the dangerous pass-the-hash attacks in which admin credentials can be plucked from memory. ®
Shares tumble on news that iOS and Android apps may not adequately secure data.
For years, the popular reviews site has been accused of extortionary tactics.