Tag Archive for: Sue

US regulators sue SolarWinds and its security chief for alleged cyber neglect ahead of Russian hack

/in


U.S. regulators on Monday sued SolarWinds, a Texas-based technology company whose software was breached in a massive 2020 Russian cyberespionage campaign, for fraud for failing to disclose security deficiencies ahead of the stunning hack.

The company’s top security executive was also named in the complaint filed by the Securities and Exchange Commission seeking unspecified civil penalties, reimbursement of “ill-gotten gains” and the executive’s removal.

Detected in December 2020, the SolarWinds hack penetrated U.S. government agencies including the Justice and Homeland Security departments, and more than 100 private companies and think tanks. It was a rude wake-up call that raised awareness in Washington about the urgency of stepping up efforts to better guard against intrusions.

In the 68-page complaint filed in New York federal court, the SEC says SolarWinds and its then vice president of security, Tim Brown, defrauded investors and customers “through misstatements, omissions and schemes” that concealed both the company’s “poor cybersecurity practices and its heightened — and increasing — cybersecurity risks.”

In a statement, SolarWinds called the SEC charges unfounded and said it is “deeply concerned this action will put our national security at risk.”

Brown performed his responsibilities “with diligence, integrity, and distinction,” his lawyer, Alec Koch, said in a statement. Koch added that “we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.” Brown’s current title at SolarWinds is chief information security officer.

The SEC’s enforcement division director, Gurbir S. Grewal, said in a statement that SolarWinds and Brown ignored “repeated red flags” for years, painting “a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

The very month that SolarWinds registered for an initial public offering, October 2018, Brown wrote in an internal presentation that the company’s “current state of security leaves us in a very vulnerable state,” the complaint says.

Among the SEC’s damning allegations: An internal SolarWinds…

Source…

Missouri Threatens to Sue a Reporter Who Flagged a Security Flaw

/in


Missouri Governor Mike Parson Thursday threatened to prosecute and seek civil damages from a St. Louis Post-Dispatch journalist who identified a security flaw that exposed the Social Security numbers of teachers and other school employees, claiming that the journalist is a “hacker” and that the newspaper’s reporting was nothing more than a “political vendetta” and “an attempt to embarrass the state and sell headlines for their news outlet.” The Republican governor also vowed to hold the Post-Dispatch “accountable” for the supposed crime of helping the state find and fix a security vulnerability that could have harmed teachers.

Despite Parson’s surprising description of a security report that normally wouldn’t be particularly controversial, it appears that the Post-Dispatch handled the problem in a way that prevented harm to school employees while encouraging the state to close what one security professor called a “mind-boggling” vulnerability. Josh Renaud, a Post-Dispatch web developer who also writes articles, wrote in a report published Wednesday that more than 100,000 Social Security numbers were vulnerable “in a web application that allowed the public to search teacher certifications and credentials.” The Social Security numbers of school administrators and counselors were also vulnerable.

“Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved,” the report said.

The Post-Dispatch seems to have done exactly what ethical security researchers generally do in these situations: give the organization with the vulnerability time to close the hole before making it public.

“The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities,” the article said. The news report was published one day after the “department removed the affected pages from its website.”

As of this writing, the DESE’s educator-credentials checker was “down for maintenance.”

Governor: Journalist Tried…

Source…

Workers and consumers hurt by ransomware attacks are starting to sue the companies who got hacked – The Washington Post

/in



Workers and consumers hurt by ransomware attacks are starting to sue the companies who got hacked  The Washington Post

Source…

Android Users Sue Google Over Alleged Security Flaw Exposing COVID-19 Contact-Tracing Data

/in


Screenshot of CA Notify website. A proposed class action is asking a federal court to order Google to fix an alleged security threat that makes the company’s COVID-19 contact-tracing system developed with Apple less “privacy-preserving” than the tech giants claimed.

Nearly 40 countries and dozens of U.S. states, including California, use the Google-Apple Exposure Notification System (GAEN) for their coronavirus contact-tracing apps. The system leverages Bluetooth technology and deploys safeguards such as randomized identifiers, called rolling proximity identifiers or RPIs, and decentralized storage on devices to protect users’ privacy.

In a complaint filed Wednesday in the U.S. District Court for the Northern District of California, attorneys from Lieff Cabraser Heimann & Bernstein assert that dozens of third parties might have access to the system’s stored data on mobile devices, including personally identifiable information and potential COVID-19 exposure results.

Source…