Tag Archive for: exist

Uber’s former security chief covered up enormous hack he said ‘did not exist’


Uber Cybersecurity (Copyright 2022 The Associated Press. All rights reserved)

Uber’s former chief security officer has been found guilty of attempting to cover up a data breach in which hackers accessed tens of millions of customer records.

Joseph Sullivan was convicted of obstructing justice and concealing knowledge that a federal felony had been committed.

Mr Sullivan remains free on bond pending sentencing and could face a total of eight years in prison on the two charges when he is sentenced, prosecutors said.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” US Attorney Stephanie M. Hinds said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

It was believed to be the first criminal prosecution of a company executive over a data breach.

The lone hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials. Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It is not known how much data the hacker stole or how long they were inside Uber’s network. There was no indication they destroyed data.

A lawyer for Mr Sullivan, David Angeli, took issue with the verdict. “Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Angeli told the New York Times.

Uber did not respond to a request for comment.

Mr Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.

After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

According to…


Does AI-powered malware exist in the wild? Not yet


AI is making its mark on the cybersecurity world.

For defenders, AI can help security teams detect and mitigate threats more quickly. For attackers, weaponized AI can assist with a number of attacks, such as deepfakes, data poisoning and reverse-engineering.

But, lately, it’s AI-powered malware that has come into the spotlight — and had its existence questioned.

AI-enabled attacks vs. AI-powered malware

AI-enabled attacks occur when a threat actor uses AI to assist in an attack. Deepfake technology, a type of AI used to create false but convincing images, audio and videos, may be used, for example, during social engineering attacks. In these situations, AI is a tool to conduct an attack, not create it.

AI-powered malware, on the other hand, is trained via machine learning to be slyer, faster and more effective than traditional malware. Unlike malware that targets a large number of people with the intention of successfully attacking a small percentage of them, AI-powered malware is trained to think for itself, update its actions based on the scenario, and specifically target its victims and their systems.

IBM researchers presented the proof-of-concept AI-powered malware DeepLocker at the 2018 Black Hat Conference to demonstrate this new breed of threat. WannaCry ransomware was hidden in a video conferencing application and remained dormant until a specific face was identified using AI facial recognition software.

Does AI-powered malware exist in the wild?

The quick answer is no. AI-powered malware has yet to be seen in the wild — but don’t rule out the possibility.

“Nobody has been hit with or successfully uncovered a truly AI-powered piece of offense,” said Justin Fier, vice president of tactical risk and response at Darktrace. “It doesn’t mean it’s not out there; we just haven’t seen it yet.”

Pieter Arntz, malware analyst at Malwarebytes, agreed AI-malware has yet to be seen. “To my knowledge, so far, AI is only used at scale in malware circles to improve the effectiveness of existing malware campaigns,” he said in an email to SearchSecurity. He predicted that cybercriminals will continue to use AI to enhance operations, such as targeted spam, deepfakes and social…


That no-click iOS 0-day reported to be under exploit doesn’t exist, Apple says


Apple is disputing the accuracy of this week’s report that found attackers have been exploiting an unpatched iOS bug that allowed them to take full control of iPhones.

San Francisco-based security firm ZecOps said on Wednesday that attackers had used the zero-day exploit against at least six targets over a span of at least two years. In the now-disputed report, ZecOps had said the critical flaw was located in the Mail app and could be triggered by sending specially manipulated emails that required no interaction on the part of users.

Apple declined to comment on the report at the time. Late on Thursday night, however, Apple pushed back on ZecOps’ findings that (a) the bug posed a threat to iPhone and iPad users and (b) there had been any active exploit at all. In a statement, officials wrote:


Biz & IT – Ars Technica

Copyright Troll Gets Smacked Around By Court, As Judge Wonders If Some Of Its Experts Even Exist

When last we checked in with Venice PI, the copyright troll claiming to hold rights to the movie Once Upon A Time In Venice and attempting to claim in court that a 91-year-old man with dementia was part of a torrent swarm offering the movie who, oh by the way, had recently passed away, it was being lightly slapped around by Judge Thomas Zilly. Zilly had barred Venice PI from contacting the family of the deceased, halted the trial, questioned the quality of the evidence Venice PI had put before the court, and likewise demanded more information on how that evidence was collected in the first place. Given that the evidence mostly amounted to IP addresses obtained by Venice PI, I had written that this particular judge was likely to be unimpressed by whatever the copyright troll provided.

Well, hoo-boy, was that ever an understatement. The end result of what Venice PI put before the court in response was the judge issuing a minute order requiring that the company essentially explain its copyright trolling efforts entirely across several cases, and slapping the company around for some truly stunning misbehavior. The order goes into three different areas in which Venice PI appears to have really, truly screwed up, starting with the fact that the troll’s claims of ownership and affiliations can’t even be substantiated.

“A search of the California Secretary of State’s online database, however, reveals no registered entity with the name ‘Lost Dog’ or ‘Lost Dog Productions’. Moreover, although ‘Voltage Pictures, LLC’ is registered with the California Secretary of State, and has the same address as Venice PI, LLC, the parent company named in plaintiff’s corporate disclosure form, ‘Voltage Productions, LLC,’ cannot be found in the California Secretary of State’s online database and does not appear to exist.”

This rightly is giving the court the impression that something is shady in all of this. We’ve seen this sort of corporate shuffling shell game in copyright troll cases before and it’s never a good sign. Still, the truly alarming stuff is further along in the order and has to do with exactly how Venice PI is collecting its supposed evidence.

GuardaLey CEO Benjamin Perino, who claims that he coded the tracking software, wrote a declaration explaining that the infringement detection system at issue “cannot yield a false positive.” However, the Court doubts this statement and Perino’s qualifications in general.

“Perino has been proffered as an expert, but his qualifications consist of a technical high school education and work experience unrelated to the peer-to-peer file-sharing technology known as BitTorrent,” the Court writes. “Perino does not have the qualifications necessary to be considered an expert in the field in question, and his opinion that the surveillance program is incapable of error is both contrary to common sense and inconsistent with plaintiff’s counsel’s conduct in other matters in this district. Plaintiff has not submitted an adequate offer of proof.”

Guardaley, of course, is the shifty, shady company out of Germany that we’ve written about many times before. In the past, it’s been somewhat difficult to separate Guardaley from, for instance, Malibu Media and its notoriously suspect trolling efforts. As we’ve noted before, part of the Guardaley modus operandi appears to be supplying front-lawyers with so-called experts that proclaim the company’s technology for finding real pirates somehow perfect in every respect, just as is happening here. Interestingly, the company’s internal documents that declare the experts it relies on iffy at best haven’t appeared to deter their use in the courtroom.

Guardaley also, somewhat infamously, has used a number of different names for its own operation, and variously names a bunch of “experts” who some sites have argued don’t exist. Judge Zilly now seems to be wondering if these people exist as well:

The Court has recently become aware that Arheidt is the latest in a series of German declarants (Darren M. Griffin, Daniel Macek, Daniel Susac, Tobias Fieser, Michael Patzer) who might be aliases or even fictitious…. Plaintiff will not be permitted to rely on Arheidt’s declarations or underlying data without explaining to the Court’s satisfaction Arheidt’s relationship to the above-listed declarants and producing proof beyond a reasonable doubt of Arheidt’s existence.

Suffice it to say, when the judge in your case is questioning the very existence of one of the key people supporting your story, you’re probably in trouble.

So, now we’re coupling a shady company with shady software that collects evidence, written by someone who claims his software is infallible but doesn’t have the necessary credentials to back up such an absurd declaration. It’s pretty clear at this point that Judge Zilly is quite suspicious of the type of operation he’s dealing with, and with good reason. It’s long been known that IP addresses are shaky evidence at best, and having someone claim he can gather IP addresses completely without false positives is totally laughable. That Venice PI decided its best expert witness to the quality of its evidence was the guy who wrote the software that collected said evidence is nearly hilarious in its vanity.

There’s also the fact that Arheidt, if he exists, may be breaking the law, and the lawyer for Venice PI was aware of that… and failed to disclose this fact:

Nowhere in Arheidt’s declarations does he indicate that either he or MaverickEye is licensed in Washington to conduct private investigation work. See RCW 18.165.150 (performing the functions of a private investigator without a license is a gross misdemeanor); see also RCW 18.165.010(12)(e) (defining a “private investigator agency” to include a person or entity that is in the business of “detecting, discovering, or revealing . . . [e]vidence to be used before a court”). Plaintiff’s counsel has apparently been aware since October 2016, when he received a letter concerning LHF Productions, Inc. v. Collins, C16-1017 RSM, that Arheidt might be committing a crime by engaging in unlicensed surveillance of Washington citizens, but he did not disclose this fact to the Court or offer any analysis for why such conduct is not prohibited by RCW 18.165.150. Plaintiff’s counsel’s lack of candor was a serious breach of his ethical duties…

Gross incompetence is a phrase that leaps to mind, and it is frankly one of the kinder assessments of exactly what’s going on here. To that end, Zilly’s order requires that the company provide further details to explain these deficiencies in over a dozen cases and orders Venice PI not to spend or transfer any money it has collected via settlements. That latter bit seems to indicate that the court may seek to have that money repaid to past victims of this trolling operation.

Next up: perhaps Judge Zilly can follow in the footsteps of Judge Otis Wright, and demand to know what the hell is really going on here… and refer those responsible for possible criminal prosecution.


Techdirt.