Tag Archive for: chief

Ex-Uber security chief convicted of hiding hack from federal regulators

/in


Ex-Uber security chief convicted of hiding hack from federal regulators

On Wednesday, a jury found former Uber security chief Joe Sullivan guilty of hiding a massive data breach from federal regulators who were already investigating the ride-share company for a different breach. With that verdict, Sullivan has likely become the first executive to be criminally prosecuted over a hack, The New York Times reported.

A jury of six men and six women started deliberating last Friday. After 19 hours, they decided that Sullivan was guilty on one count of obstructing the Federal Trade Commission’s investigation and “one count of misprision, or acting to conceal a felony from authorities,” according to the Times.

Sullivan’s legal team did not immediately provide comment for Ars, but one of his lawyers, David Angeli, told NYT how Sullivan received the verdict. “While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” Angeli told the paper. “Mr. Sullivan’s sole focus—in this incident and throughout his distinguished career—has been ensuring the safety of people’s personal data on the Internet.”

When Sullivan first learned of the second data breach, he disguised the illegal activity by paying the hackers through Uber’s bug bounty program. Uber had just announced the program in March 2016 in coordination with HackerOne, a widely used security firm whose company values urge executives like Sullivan to “default to disclosure” and ask “why keep this private?” instead of “why make this public?” It took less than a year for Sullivan to use HackerOne’s bug bounty program as a way to avoid disclosing a hack.

HackerOne did not immediately respond to Ars’ request for comment. [Update: A HackerOne spokesperson told Ars, “HackerOne has made the executive decision not to comment.”]

The Times report suggested that Sullivan’s conviction could change how all companies manage data breaches in the future.

Uber did not provide comment to NYT or Ars. Previously, an Uber spokesperson directed Ars to a blog post in which Uber CEO Dara Khosrowshahi discussed how the…

Source…

Former Uber security chief guilty of data breach coverup

/in


SAN FRANCISCO – The former chief security officer for Uber was convicted Wednesday of trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.

A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing knowledge that a federal felony had been committed, federal prosecutors said.

Sullivan remains free on bond pending sentencing and could face a total of eight years in prison on the two charges when he is sentenced, prosecutors said.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

It was believed to be the first criminal prosecution of a company executive over a data breach.

A lawyer for Sullivan, David Angeli, took issue with the verdict.

“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Angeli told the New York Times.

An email to Uber seeking comment on the conviction wasn’t immediately returned.

Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.

After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

According to the U.S. attorney’s office, Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,'” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry,…

Source…

NeGD, MeitY organises 30th Batch of Chief Information Security Officers’ (CISOs) Deep Dive Training Programme under Cyber Surakshit Bharat Initiative

/in


NeGD, MeitY organises 30th Batch of Chief Information Security Officers’ (CISOs) Deep Dive Training Programme under Cyber Surakshit Bharat Initiative – Odisha Diary

Source…

Ukraine’s cyber chief comes to Black Hat in surprise visit • The Register

/in


Black Hat In Brief Victor Zhora, Ukraine’s lead cybersecurity official, made an unannounced visit to Black Hat in Las Vegas this week, where he spoke to attendees about the state of cyberwarfare in the country’s conflict with Russia. The picture Zhora painted was bleak.

Zhora, who is the deputy director of Ukraine’s State Service of Special Communications and Information Protection, said cyber incidents in the country have tripled since February, when Russia invaded. 

Zhora told attendees that Ukraine had detected over 1,600 “major cyber incidents” so far in 2022, but reports don’t include elaboration on how such incidents are classified. A number of huge incidents happened between March and April, Zhora said, including discovery of the “Industroyer2,” an apparent successor to the Industroyer malware discovered in 2017.

Industroyer was a particularly nasty strain that was able to control electrical substation software and cause power blackouts, as well as damage equipment. Ukraine was hit by a similar malware called BlackEnergy in 2015.

Online attacks against Ukraine were a common tactic in the leadup to Russia’s invasion of the country in late February he said. DDoS attacks took many of Ukraine’s government agencies offline, and new malware strains were discovered in the leadup to the invasion as well. 

The Russo-Ukraine conflict has had global cybersecurity implications, including leading to a large spike in data-wiping malware, of which six significant new strains have been found this year.

Fortinet, which reported the jump, said it hadn’t uncovered more than one significant file wiper a year since 2012, and several years when it didn’t spot a new one at all. Of the strains discovered in 2022, all have been used against Ukrainian infrastructure and organizations – in other words the gloves are off. 

Back at Black Hat, Zhora…

Source…