Tag Archive for: Posthack

Reeling from post-hack price slump, Easyfi reveals community compensation plan

After a devastating hack, a cross-chain decentralized finance (DeFi) protocol today revealed a temporary compensation plan for token holders and investors impacted by one of the largest exploits in DeFi history.

In a Tweet today, EasyFi announced their “Interim Compensation Plan,” a multi-stage process that includes immediate payments, IOU tokens, and incentive programs aimed at victims of the attack.

The hack, which took place 19 April, is considered to be among the largest in DeFi history, with $6 million in stablecoins and 2.98 million EZ tokens worth upwards of $120 million lost at the time of the attack. The hacker was in a complicated position, however: after exploiting the protocol they owned upwards of 30% of the supply of EZ tokens, and there was limited liquidity with which to unload them. The token “hardforked” to EZ 2.0 a week later, rendering the attacker’s remaining tokens effectively worthless.

In a Tweet from his personal account, EasyFi founder Ankitt Gaur confirmed that the hack was the result of a “targeted attack on the founder’s machine/metamask to access admin keys and execute the well-planned hack.” This attack vector bears similarities to a 2020 hack on the personal computer of Hugh Karp, the founder of Nexus Mutual, who lost $8 million.

An analyst from the hack and exploit publication Rekt noted that the theft may have been the result of lax key-management practices: a single individual held the keys to the treasury, rather than the keys being secured in a wallet with safeguards against this type of compromise, such as a multisignature scheme or timelocked transactions.

In their compensation plan blog post, EasyFi characterizes the attack as “well-planned” and “sophisticated.”

Regardless of the cause, the efforts to compensate victims are multifaceted. Per their post, 25% of lost funds will be distributed to…


SolarWinds’ new CEO will make these 5 changes post-hack – Security

New SolarWinds CEO Sudhakar Ramakrishna struck a different tone in his first public communication just seven days after starting as CEO of the embattled IT infrastructure management vendor. Unlike his predecessor Kevin Thompson, who is an accountant by training and led the firm from March 2010 to December 2020, Ramakrishna comes from a security background, having most recently led Pulse Secure.

During his five years as Pulse Secure’s CEO, Ramakrishna had to deal with hackers exploiting a widely known flaw in the company’s VPN appliance to carry out ransomware attacks many months after a patch had already been rolled out. Ramakrishna said Thursday the experience taught him to lead with humility, ownership, transparency, focused action, and bias toward customer safety and security.

“Although I accepted the position to become CEO before the Company [SolarWinds] was notified of the cyberattack, I feel an even greater commitment now to taking action, ensuring we learn from this experience, and continuing to deliver for our customers,” Ramakrishna wrote in a blog post published late Thursday.

From resetting privileged credentials and re-signing all digital certificates to manually checking source code and rolling out more threat hunting software, here are five critical changes Ramakrishna will make to put security front and center.

5. Leverage third-party tools, ethical hackers for insight

Ramakrishna said SolarWinds will leverage third-party tools to expand the security analysis of the source code for Orion software as well as related products. The company also pledges to engage with and fund ethical hacking from white hat communities to quickly identify, report and remediate security issues across the entire SolarWinds portfolio, according to Ramakrishna.

Vulnerability disclosure programs are nearly as old as the internet itself but didn’t gain traction until the early 2010s when companies like Microsoft, Google, Facebook and Mozilla rolled out programs of their own. Companies without a formal vulnerability disclosure policy often remain in the dark about known flaws in their architecture, with hackers not reporting flaws they’ve found due to fear…


Post-hack, VTech has to pay $650,000 in FTC settlement – but doesn’t have to admit any wrongdoing


The FTC settlement, one of the first reached with an internet-enabled toy manufacturer over security and privacy concerns, lets the firm off the hook in one key area: it doesn’t require VTech to admit to any wrongdoing.

Read more in my article on the Bitdefender BOX blog.

Graham Cluley