
Tag: Stock Price

Breaches Can Crater Companies’ Stock by 5%

New Ponemon study shows how breaches can bring a company's stock price down by an average of 5% on the day of the incident.

Tesla is worth more than General Motors or Ford

At more than $311 a share, Wall Street pegs Tesla as the most valuable US automaker.

Pacemaker maker St Jude faces new security flaw claims from biz...

This is not the way to get vulnerabilities fixed

Security startup MedSec and the financial house backing the biz have published new allegations of security flaws in pacemakers and defibrillators built by St Jude Medical – and again look set to profit from the disclosures in an unorthodox way.

In four swish videos, the MedSec team claims it exploited a debugging backdoor in the St Jude-built Merlin@home control unit so it could send commands wirelessly to a patient's defibrillator. The team were able to hijack the control unit after reverse-engineering its software, written in Java, and hooking a laptop to the unit via Ethernet. MedSec claims it could do away with the Merlin@home altogether, and wirelessly send orders to people's devices in their chests from software-defined radio kit, after working out St Jude's protocols.

Using the compromised terminal, the team says it managed to make the defibrillator vibrate constantly, turn off its heart monitoring software, or get it to administer a mild electric shock, which the actor narrating the video describes as "painful, and can be detrimental to a patient's health if used in an unprescribed manner."

MedSec's CEO Justine Bone explained to The Register that the team had used a hacked MedSec device because it was the easiest route to show deficiencies in the device. By using old developer debugging code left on the device by the original designers, they were able to take control of it. "We believe that this could be done from any wireless attack platform once someone had written out all protocols," she said. "It's going to be very hard to fix; you'd have to rewrite the RF communication protocols."

Some of the attacks, particularly if used in conjunction with each other, could put lives at risk. But she acknowledged that in tests so far the maximum range of the defibrillator was limited to seven feet, so an attacker would have to be up close and personal.

Bone also said that the MedSec team hadn't contacted St Jude Medical about the flaws before releasing the videos, and had instead gone to the Food and Drug Administration and the Department of Homeland Security. Bone said this was because St Jude doesn't have a good record of sorting out flaws like this.

St Jude confirmed to The Register that MedSec hadn't passed on any details about the flaws, and made the following statement: "Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St Jude Medical devices. This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry."

The company is also setting up a Cybersecurity Medical Advisory Board to give it tips on how to build more secure products. However, it appears as though it's mostly staffed by doctors, who aren't the best for finding sloppy software holes.

The whole sorry saga started in August when MedSec found what it claims were flaws in St Jude's devices. Rather than go to the manufacturer and sort these out, the firm partnered with financial house Muddy Waters and shorted the stock before going public with the news. The security firm now gets a payout based on how far St Jude's stock price falls – the more the better. St Jude and others have disputed the claims, and St Jude is now suing those involved in the disclosures. People who have St Jude devices implanted have been left panicked and confused by the whole matter.

In the meantime, many in the security community are worried that this kind of disclosure is just going to increase fear, uncertainty, and doubt in an industry sector already bedeviled with it. If short selling becomes the norm, then headlines rather than fixes will become the goal, and it's difficult to see how that benefits end users.

Sad reality: It’s cheaper to get hacked than build strong IT...

PHBs are applying the Ford Pinto formula to your data

Whenever mega-hacks like the Yahoo! fiasco hit the news, inevitably the question gets asked as to why the IT security systems weren't good enough.

The answer could be that it's not in a company's financial interest to be secure. A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought – typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. "I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs." Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues.

That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems. He also noted that the effects of a data incident typically don't have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn't make a lot of sense to invest too much in cyber security. It's this kind of thinking that led to the infamous Pinto Formula.
In 1973, a memorandum was prepared by Ford examining the costs of issuing a fix for its Pinto compact cars. In tests, the cars were shown to have a dangerously unshielded fuel tank, meaning they had a tendency to burst into flames when hit from behind at more than 20 miles per hour. The boffins at Ford estimated that the cost to the company of doing a recall on the model would be $137.5m.

But if the recall wasn't held, the company would only have to pay out an estimated $49.5m in damages for the expected 180 deaths from fire, so the firm decided not to perform the recall. The memo was discovered by investigative journalist Mark Dowie and caused a massive problem for Ford. It was forced to issue a recall and pay out millions in damages, and the case dogged Ford's reputation for years.

However, it may be that the lack of security could have an effect on the burgeoning cyber insurance market. Romanosky pointed out that insurance costs would provide a more direct incentive for companies to protect their data. Insurance companies would also be in an ideal position to judge what IT security systems work best, he pointed out.

After all, their job is to price risk and they would have the data on incidents and how they occurred.

But so far that hasn't happened. "We don't get a lot of feedback from them; either they don't understand or they don't care so much," he said. "I get the sense they are a little complacent. Maybe they think they are overcharging. I don't know if they are being strategic that way."

St Jude sues short-selling MedSec over pacemaker ‘hack’ report

Defibrillator security saga will go to court

Medical device maker St Jude has filed suit against a security company that reported security flaws in its products as part of a short-sale financial scheme. The medical supplier says that it has sued both security firm MedSec and researcher Muddy Waters, as well as three other individuals it says falsely reported serious vulnerabilities in its pacemakers and defibrillators. They then made money by short-selling the stock when the news broke. The charges include false advertising, false statements, conspiracy, and market manipulation.

"We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again," St Jude president and CEO Michael Rousseau said in announcing the suit. "We believe this lawsuit is critical to the entire medical device ecosystem – from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme."

Muddy Waters and MedSec made headlines last month when they reported discovering vulnerabilities in St Jude pacemaker and defibrillator devices that, if exploited, could have allegedly posed threats to the health of patients. Rather than disclose the flaws to the manufacturer, the researchers instead went to an investment house and turned a tidy profit by short-selling St Jude stock after its price dropped on the release of the news. Shortly after the report surfaced, however, St Jude disputed the vulnerability reports and alleged the entire scheme had been made up to manipulate its stock price.

"Our top priority is to reassure patients, caregivers and physicians who use our life-saving devices that we are committed to the security of our products, and to ensure patients and their doctors maintain ongoing access to the proven clinical benefits of remote monitoring," said St Jude vice president and chief medical officer Mark Carlson. "We decided to take this action because of the irresponsible manner in which these groups have acted."

Experts at the University of Michigan also cast doubt on one claim by MedSec that St Jude's equipment is remotely brickable.

Oracle accused of cooking “cloud services” books to boost stock price

A former senior finance manager for Oracle claims the software maker fired her for not inflating revenues in its cloud services division. In a whistleblower and wrongful termination lawsuit, Svetlana Blackburn also claims that Oracle ultimately inflated the numbers without her assistance. "The data, she knew, would end up in SEC filings and be touted on earnings calls, used to paint a rosier picture than actually existed on the ground," Blackburn says in her nine-page lawsuit. The Silicon Valley software maker, which has a market cap of roughly $165 billion, said it fired the woman for inadequate work. "We are confident that all our cloud accounting is proper and correct," Oracle said. "This former employee worked at Oracle for less than a year and did not work in the accounting group. She was terminated for poor performance and we intend to sue her for malicious prosecution."

The federal lawsuit comes as Oracle just suffered a major defeat in its long-running $9 billion lawsuit against Google. A San Francisco federal jury declared that the search giant's use of Oracle's APIs in the Android operating system was authorized by the fair-use doctrine. What's more, the new suit questions a key metric—cloud services revenue—that has become an increasingly important sign to investors of a software company's health. Oracle's stock has slid about 10 percent this year, in part because of the stock market's concerns about its financial performance as the company moves from selling software for use on customer computers to software being hosted and run on Oracle's data centers. Blackburn's lawsuit claims Oracle was pushing her "to fit square data into round holes, in an effort to bolster Oracle Cloud Services financial reports that would be paraded before company leadership as well as the investing public." Citigroup analyst Walter Pritchard, in a Thursday research note, said the litigation "will keep some level of uncertainty" hovering over Oracle's stock valuation until more information comes out in the lawsuit.

Huge Data Breach Losses Aren't Forcing Companies to Bolster Security

The cost of even huge data breaches is not enough to convince companies to spend vastly more to bolster IT security, since neither investors nor customers permanently abandon them.

In October 2015, hackers compromised the website of British telecommunications firm TalkTalk, likely using one of 11 known vulnerabilities in the site to steal the personal details of 157,000 customers, including bank-account information on more than 15,000 people. Earlier this month, the bill for the lapse in security came due: The company saw its profits decline by more than half in the first quarter of 2016.

In its annual report released in February, the company revealed that it lost 95,000 subscribers and attributed more than £55 million (US$80 million) in losses to the hack, including the "exceptional costs of restoring our online capability with enhanced security features, associated IT, incident response and consultancy costs, and free upgrades" that the company offered to retain customers.

TalkTalk is the latest company to suffer significant lost business following a breach. While past analyses have found that breaches have not hurt companies' long-term stock price, businesses and their management are increasingly being called to account for significant recovery costs and lost business following successful cyber-attacks. "The fact that we are moving into a period where people are being held liable says a lot," said Chris Novak, a director of the RISK computer investigations team at business-services firm Verizon Enterprise. "The impact is moving up the stack. It is no longer just an IT-level issue, it is a board or C-level issue."

Yet it may not be enough. While the sacking of CEOs has certainly drawn the attention of executive teams and boards, the financial penalties of breaches tend to be short-lived and easily subsumed by most large companies. When hacker Albert Gonzalez stole information on nearly 100 million credit and debit cards from Heartland Payment Systems in 2009, the company lost more than 75 percent of its stock value in three months. Yet the price bounced back, and now its stock is up nearly 500 percent since that time. Following its 2013 breach, Target paid out more than $252 million, of which $90 million was reimbursed by insurance. While seemingly a large sum, the damages only amounted to 0.1 percent of the company's 2014 sales, Benjamin Dean, a fellow for Internet governance and cyber-security at Columbia University's School of International and Public Affairs, pointed out in an article last year.

And, in spite of the $80 million in losses, TalkTalk's breach costs only cut into profits and did not result in an overall fiscal-year financial loss for the company. In fact, the company's efforts to provide customer incentives resulted in churn reaching an all-time low in the last quarter of 2015.

Overall, the losses are not enough to drive companies to spend appreciably more on security, Lillian Ablon, cyber-security and emerging technologies analyst at RAND, told eWEEK. "Sure they feel the pain, and some stock prices have gone down, but no one has really felt a lot of pain," she said. Part of the problem is that consumers may be tired of the repeating pattern of breaches and not sure what they can do to change corporate behavior, Ablon said.

Quiet cryptologist Bill Duane's war with Beijing's best

The co-developer of RSA's SecurID explains how he fought against Chinese crack

AusCERT In March 2011, a suspected-to-be-Beijing-backed hacking unit infiltrated security giant RSA, successfully subverted its SecurID product and hacked top American defence contractor Lockheed Martin. That attack left Bill Duane stressed and exhausted.

Duane is a quiet cryptologist who co-developed the SecurID token.

As the attack became apparent, he moved out of home and into a hotel across from RSA's office, to fight what would become a personal battle with an elite Chinese hacking unit. Those long hours were needed because the breach is one of the most significant in history.

The hacking unit known as PLA (People's Liberation Army) Unit 61398, or to the intelligence industry as Byzantine Candor, Comment Crew, and APT 1, operated out of a shabby building in the outskirts of Shanghai and excelled in plundering highly-secure US firms. The hacking team was split into formal divisions, including wings charged with acquiring and maintaining access to hacked systems, lateral movement, and identifying and exfiltrating huge data sets.

Duane, as a SecurID co-developer, played a central role in the breach response. "I have never worked so hard, under so much stress, and with so much at risk," Duane told the AusCERT security conference on the Gold Coast. "At one point I was working every day of the week, 18 to 20 hours a day, sleeping in a hotel for a couple of hours across the road from work.

"The strongest thing that was driving me, I'm slightly embarrassed to say, wasn't the customers or the stock price, but was that if I failed my fellow employees would be out of work and that would affect food on their tables and their kids going to school."

The Chinese hackers learned of Duane's involvement and began targeting him.

They did this despite the distinguished engineer having virtually no online presence, no photos indexed by Google, and no social media accounts, over a tech sector career spanning more than four decades. "They came after me personally with malware attacks on my netbook when they realised what I was doing," he says. "I popped up on the radar screen and [my anonymity] was destroyed."

He says the PLA hacking unit switched from its state of stealth, with infrequent command and control pings and careful lateral movement, to "smash and grab" after they realised they were detected. "It opened up the arena of advanced cyber attacks that I had never really understood," he says.

The security pro urged the rapt AusCERT audience to treat their internal networks as "dirty", and to consider that any effort that makes life easier for staff and partners also simplifies an attacker's job. "No organisation can muster the defence against these attackers," he says. Security administrators must also understand and reduce their exposure to the dangerous pass-the-hash attacks in which admin credentials can be plucked from memory.

ID theft protector LifeLock deletes user data over concerns that app...

Shares tumble on news that iOS and Android apps may not adequately secure data.

Yelp stock falls as FTC says it’s received more than 2,000...

For years, the popular reviews site has been accused of extortionary tactics.

Heavy Pressure on Symantec as It Seeks a New CEO

NEWS ANALYSIS: The data security and storage provider terminates the contract of chief executive Steve Bennett after 20 months, but deeper problems persist.

Few red flags wave more prominently above a corporation than when two things happen: a) earnings and stock prices go south; and b) CEOs seem to be coming and going a little too quickly. Hewlett-Packard and Yahoo famously have suffered both these maladies. Symantec, the world's largest security software provider, has now stumbled into those footsteps. The Mountain View, Calif.-based data security and storage provider revealed March 20 that it has terminated the contract of chief executive Steve Bennett after 20 months. Bennett, who came to Symantec as a board member in 2010 after CEO-ing Intuit to a $3 billion sales year, also resigned from the company's board of directors. Board member Michael Brown will serve as interim CEO while the company, best known for its Norton antivirus and BackupExec software, begins its search for a permanent day-to-day leader.

Stock Price Took Big Hit

Investors were not pleased by the development. The stock closed at $20.91 March 21 but plummeted 13 percent to $18.20 in after-hours trading. A number of industry analysts declared that they were surprised by the announcement. Symantec itself, however, contended that Bennett's exit was something the company had discussed for some months and did not happen as a result of anything inappropriate on his part. The reason Bennett was shooed out of his corner office so early in his tenure goes way beyond his personal on-the-job performance. Bennett has long proven himself to be a competent corporate CEO; he just wasn't the right one for this job. In fact, few people on Earth are right for this job.

The company is the one with serious and deep-seated problems. In its simplest terms, Symantec is a well-established enterprise that didn't heed key trends and let new-gen IT slip by when it needed to retool several years ago.

Its core business is protecting data and apps on desktop and laptop PCs; it didn't move quickly enough to invest in other lines of business when PC sales started slipping five years ago. Symantec also didn't move to the cloud quickly enough; some of its older competitors moved faster to build products that use it. Symantec only recently cloud-ized its product line, and it's having issues getting customers to buy into the new products.

Asleep at the Wheel?

More than one person had been asleep at the wheel long before Bennett arrived. There are multiple sides to this story, of course. Like many old-school IT vendors, Symantec has built-in problems marshaling a large global installed base in the small and midsize enterprise market. It's extremely difficult to get all those customers to pay for regular upgrades to their software when they often think it's not required. Microsoft has, um, a modicum of experience in this department. The other major problem is the type of IT in which Symantec plays. No sector evolves faster or more thoroughly than security, which is always chasing the bad guys and never—and we do mean NEVER—getting ahead of them so as to cut them off at the pass. As a result, a great many new, less-expensive and more agile competitors from places like Eastern Europe and Israel have sprung up, and Symantec has been taking hits as a result.

Insider Perspective

One of those competitors is Axcient, whose CEO is Justin Moore. The company has a well-known billboard up on the Bayshore Freeway—Interstate 101, which traverses the center of Silicon Valley and connects San Francisco on the north with San Jose on the south—that says: "R.I.P. Symantec BackupExec.cloud; Axcient Beyond Backup." While it's clear where Moore's loyalties lie, he also provides some cogent storage-business insider perspective.

"When Steve Bennett turned around Intuit in his tenure from 2000 to 2007, the company's problem was mainly a core business and processes challenge. However, Symantec is different; the company has a technology problem," Moore told eWEEK. "Bennett was given a year and half to turn around a company that has much deeper challenges that relate to how it has been viewing technology, which is the core of its business. When Bennett announced his vision for Symantec 4.0, which was announced less than a year ago, he made the right choices—for the most part. Yet, Symantec was already too far behind the cloud/SaaS (software-as-a-service) curve to catch up. A change of this magnitude is impossible in less than 3 to 5 years," Moore said.

Corporate Errors Add Up

Symantec is pinning the failure on Bennett—when, in reality, the core of its failing stems from decisions made years ago, Moore said. "Symantec lacks product focus and has spread itself too thin over a variety of product lines that spans security, productivity, protection, information management, business continuity and storage in the consumer and enterprise market. Like so many other enterprise software companies, it has struggled to transition to the enterprise cloud world proving that it is indeed a systemic issue that goes far beyond Bennett's control. Given his spectacular overhaul of Intuit's business, Bennett was the right person to tackle Symantec and had shown bold ideas to fix the company, but was ultimately thrown out by Symantec's stubbornness and shortsighted approach to its technological challenges," Moore said.

Symantec has struggled in recent years against new-gen security companies such as Axcient, Palo Alto Networks and FireEye. Its $10.2 billion purchase of Veritas Software in 2005, crafted in an effort to become a serious data storage player, was widely critiqued as a mistake. Symantec's sales have been treading water for several years.

Leadership Turnover Since 2005

Symantec's leadership turnover issues started back in 2005, when the company merged with storage provider Veritas to combine it with the Norton data protection product line. Co-CEOs John Thompson (then incumbent at Symantec) and Gary Bloom (from Veritas) didn't exactly see eye-to-eye on how to run the company, and Bloom soon left for other ventures. He now heads up database maker MarkLogic. Thompson, who was on the short list to be Secretary of Commerce in the Obama Administration in 2008, left in 2009 to start up Virtual Instruments and is now chairman of the board of Microsoft. He was replaced by longtime Symantec executive Enrique Salem. However, the well-rounded Salem also was deposed as CEO a mere three years later (2012) in favor of Bennett.

Now Bennett's out the door after less than two years. In its requisite thank you statement using Chairman Daniel Schulman's name, the board said: "We recognize Steve's contributions to Symantec, including developing and leading a series of successful initiatives focused on organizational realignment, cost reduction and process effectiveness. Our priority is now to identify a leader who can leverage our company's assets and leadership team to drive the next stage of Symantec's product innovation and growth."

So the House of Norton and BackupExec is facing a real crossroads. A lot will be riding on the new face it selects to represent Symantec in the world market.

Juniper Is Next in Line for Elliott Attention

The hedge fund firm, which recently made a bid to buy Riverbed, is urging Juniper executives to reduce costs and review their product portfolio.

Juniper Networks is the latest networking vendor to catch the eye of Elliott Management, which a week ago put in a $3 billion bid to buy WAN optimization solution provider Riverbed Technology. Officials with the activist investment firm, which owns about 6.2 percent of Juniper's common stock, outlined in a statement Jan. 13 and a presentation several steps that the networking vendor should take, including possibly ditching its security business, re-evaluating its switching and router strategies, slowing its acquisition initiatives, cutting operating expenses by $200 million and buying back $3.5 billion worth of stock. The moves would push the company's stock price to $35 to $40 a share, up about 70 percent from the current price, according to Elliott Management officials.

Echoing their views on Riverbed's situation, Elliott officials said Juniper has solid products and a strong reputation in the market, but that its stock is underperforming and the company should take advantage of having a new CEO on board to make these changes. "Juniper's new CEO along with its existing management team and Board have a unique opportunity to immediately unlock significant value at the Company through three straightforward and much-requested courses of action," Jesse Cohn, portfolio manager at Elliott, said in a statement. A spokesman for Juniper said in an email that the company "welcomes the opinions and insights of its shareholders and is always open to constructive input toward the goal of enhancing shareholder value."

Juniper in November 2013 named Shaygan Kheradpir, a former executive with financial services provider Barclays, as its new CEO, replacing Kevin Johnson, who four months earlier announced his intent to resign after a successor was found. Elliott officials see the change in leadership as a chance to sway the direction of the company.

One of those steps is reviewing parts of its portfolio, including its security business. Elliott officials in their presentation said the business is underperforming, and that it's also lacking leadership now that Bob Muglia, executive vice president of Juniper's software unit, resigned in December. In addition, Elliott officials said Juniper executives "overpromised and underdelivered" on its QFabric technology, which was introduced in 2011 and designed to reduce the number of networking layers in the data center from three to one.

The hedge fund operators noted that Juniper had seen little return on its $100 million, two-year investment in QFabric, and that in the intervening time, competitors like Cisco Systems, Brocade and Avaya have introduced their own fabric solutions. Juniper officials in October 2013 unveiled MetaFabric, a networking solution aimed at both corporate data centers and cloud computing environments that integrates a number of products in the company's portfolio, including QFabric. Overall, Juniper has been unable to gain much market share since entering the switch market five years ago, Elliott officials said. In streamlining the finances and cutting $200 million in expenses, the hedge fund operators said Juniper executives should look at squeezing costs from such areas as research and development and salaries.

The company also should consider not making any more acquisitions to focus more on executing on current strategies, Elliott officials said. Juniper has a market cap of about $12.87 billion. The hedge fund firm made headlines last week when it announced a plan to buy Riverbed, which had been the subject of buyout rumors for several months.

Again, Elliott officials praised Riverbed's technology and products, but questioned whether company officials had done enough to increase Riverbed's value to stockholders. Riverbed executives had met with Elliott in November and December to hear the hedge fund firm's recommendations, and Elliott officials noted there also had been "significant" interest in acquiring Riverbed from several parties, including them. However, they were concerned that Riverbed executives did not show enough interest in those overtures.