Equifax exec who sold nearly $1 million in shares charged with insider trading

Equifax’s former chief information officer has been indicted for insider trading, making him the first executive to face criminal charges following the company’s massive data breach that exposed the personal data of more than 145 million Americans.

Jun Ying, who was the company’s CIO at the time the company was hacked last summer, will be arraigned in federal court this week on charges of insider trading, according to the Department of Justice.

For a CIO at a financial company, Ying didn’t exactly do a great job at covering his tracks. 

According to a DOJ statement, following a meeting on a Friday, he texted a coworker that “Sounds bad. We may be the one breached.” The next Monday morning, he searched the web to see how a data breach had affected the stock price of competitor Experian. Later that same morning, he exercised all the stock options available to him. 

He then sold the shares — a move that nabbed him $950,000 before Equifax’s data breach was made public. Had he sold after the breach, he would have lost $117,000, according to a statement from the SEC.

Stunningly, Ying is not the only executive who faced scrutiny for selling shares ahead of Equifax’s public disclosure of the breach. Three other top executives, including its chief financial officer, president of workforce solutions, and president of U.S. information solutions, also dumped hundreds of thousands of dollars in shares just days before alerting the public to the breach.

Neither the SEC nor the DOJ has commented on those cases.

Cryptocurrency exchange puts $250,000 bounty on hackers

The hunter has become the hunted and so on.

Binance is done playing nice. 

The cryptocurrency exchange was the target of an attempted hack last week, and although the company claims that the attackers were largely unsuccessful in their efforts, they nevertheless still made someone at the exchange mad. So mad, in fact, that on Sunday, Binance announced the equivalent of a $250,000 bounty on the hackers. 

“To ensure a safe crypto community, we can’t simply play defense,” read the statement. “We need to actively prevent any instances of hacking before they occur, as well as follow through after-the-fact.”

That follow through just so happens to come in the form of a fat cryptocurrency reward, and is all but guaranteed to kick off a mad digital vigilante rush. 

“The first person to supply substantial information and evidence that leads to the legal arrest of the hackers, in any jurisdiction, will receive the equivalent of $250,000 USD in BNB [Binance Coin],” continued the modern day version of a wanted poster. 

Binance appears to relish being on the offensive — a fact emphasized by the company’s CEO, Changpeng Zhao.

“As in a football match, you can’t just play defense,” he tweeted.

Regardless of how this particular case gets resolved, it doesn’t look like the idea of exchanges putting bounties on hackers is going away any time soon. In fact, it’s probably going to pick up steam. 

“Binance has currently allocated the equivalent of $10,000,000 USD in crypto reserves for future bounty awards against any illegal hacking attempts on Binance,” noted the same announcement. “We have also invited other exchanges and crypto businesses to join our initiative.”

So all you would-be cryptocurrency exchange hackers out there, consider yourselves warned.

Chinese iCloud account privacy may be at risk once Apple complies with new laws

Image: yichuan cao/NurPhoto via Getty Images

Apple is preparing for a big change at the end of the month: Henceforth, iCloud data belonging to users based in China will have to be stored there, in the company’s new Chinese data center.

That means text messages, emails, and other data stored in the cloud will be physically housed on Chinese soil. Importantly, it also means that the cryptographic keys required to unlock an iCloud account will live in China as well.

Previously, as Reuters points out, those keys had been stored in the United States. Whenever Chinese authorities have sought access to a user’s account in the past for one reason or another, they’d have to go through the processes set forth in the U.S. legal system.

Moving the keys to a data center in China means that authorities can seek access to iCloud accounts using the local legal system instead. This is a worry to human rights and privacy advocates, who fear what the country’s looser privacy restrictions and the broad powers held by local authorities might mean.

“Even very early in a criminal investigation, police have broad powers to collect evidence,” Jeremy Daum, an attorney and research fellow based in Beijing, told Reuters. “[They are] authorized by internal police procedures rather than independent court review, and the public has an obligation to cooperate.”

China’s data privacy laws also offer little protection when the authorities in question are investigating certain criminal offenses, including some that many countries would define as political suppression. 

Two Chinese citizens were jailed as dissidents in 2002 for distributing pro-democracy writings and other materials. It was later discovered that the damning evidence had been provided to the Chinese government by Yahoo, prompting harsh criticism. The tech company later apologized and settled a lawsuit brought by the families of Chinese activists.

While plenty has changed in China since the events of 2002 — that was more than a decade before the country’s longtime ban on video game consoles finally lifted, for example — concerns remain. 

Some have criticized Apple’s decision, but the company contends it tried to keep this from happening. 

“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” a statement provided to Reuters reads. Apple claims that moving iCloud data and encryption keys to China is preferable to shutting down iCloud services there completely, a move that the company says would add to the risk of user security and privacy being compromised.

Apple maintains that it alone controls the encryption keys, regardless of the nation in which they’re based. Even its Chinese partner — the state-owned Guizhou, which helped to get the data center established — doesn’t have access.

Of course, that’s exactly what a company concerned with its own interests would say in a situation like this. Apple’s partnership with Guizhou is a necessity; without it, the U.S. company wouldn’t be able to store data in China under the new rules. That, in turn, could cut off Apple’s access to the large Chinese market of more than 1 billion potential customers.

Critics, meanwhile, feel that Apple caved too easily. New York Times writer and college professor Zeynep Tufekci, one such critic, articulated her feelings on the move in a pair of tweets.

Whatever you believe, the move is happening and it goes into effect on Feb. 28. 

An Apple support article makes clear that, as of Feb. 28, users in China will be required to accept a new terms of service agreement if they wish to continue using iCloud. The company told Reuters that more than 99.9 percent of the current users there have already done so.

The best VPNs for iOS if you’re looking for more privacy

VPNs, or Virtual Private Networks, are relevant tools to anyone concerned about fast-diminishing privacy on the internet. 

These days, it’s difficult to surf the web without leaving a trail of your activity. Google and Facebook, for instance, rake in billions a year by gathering and selling information about your online behavior.

While there’s certainly no foolproof privacy option, VPNs are a popular way to shroud your web identity, and they’re available for almost any device that connects to the internet, including iOS devices.

VPNs, which are built, maintained and operated by private businesses, route your traffic through a remote server, so the websites you visit see that server’s address rather than your own. For example, you may be sitting in a cafe in Akron, Ohio, but your web address, or IP address, could show that you’re browsing from Bulgaria. Some VPNs allow you to choose which remote server you’d like to connect through, others pick one for you, and many allow both options.

Whether or not you need a VPN is completely up to you. Your internet provider isn’t going to recommend or offer the service. It comes down to whether or not you’d like to increase your anonymity online — and much of this depends on how you use the web. 

To cite one example: In July 2017, the U.S. Department of Justice issued a warrant to the web hosting company DreamHost demanding information about people that had visited the site, a site used to organize protests at President Trump’s inauguration. Anyone who may find this kind of action to be an infringement of privacy may want to look into using a VPN.

Here, we list and test seven popular VPN options available for Apple’s iOS devices.

How we tested the ‘best’ iOS VPNs

Many of these VPNs offer free seven-day trials, so it’s wise to try and see what works best for you.

But to help you out with a somewhat daunting shopping process, we put the following VPNs through a speed test, posted screenshots of their user interface, and commented upon their ease-of-use. 

The speed tests were run on an iPhone using the Ookla Speed Test app. We tested each VPN three times, and the results were averaged. Both download and upload speeds are measured in megabits per second, or Mbps. Typically, 10-12 Mbps is adequate for normal web browsing and streaming. The FCC says students need between 5-25 Mbps minimum for web activities, and a minimum of 5-8 Mbps is needed to stream High Definition (HD) video.

The VPN tests were performed at the Mashable offices in Manhattan, New York City. Without running the web through any VPNs, the baseline speeds were:

As expected, rerouting an IP address through a VPN significantly slowed speed performance for every VPN tested.

Here are our favorites in no particular order.

TunnelBear wins for graphics.

Image: tunnelbear screenshot

  • 64 Mbps download speed 

  • 63 Mbps upload speed 

TunnelBear performed quite well for both its upload and download speeds. The VPN says it rerouted my IP address to somewhere in the Midwest U.S. The TunnelBear user interface is, admittedly, the most “fun” to use as you get to watch a cartoon bear dig a hole in the ground and reappear at your new, virtual IP address.

In late 2016, TunnelBear ran an audit of its security and privacy performance. The report, carried out by an independent privacy consultant, found that TunnelBear initially performed poorly (“the software revealed significant security vulnerabilities and weaknesses”), but TunnelBear improved dramatically during another audit performed six months later. 

Private Internet Access has a LOT of servers.

Image: PiA Screenshot

  • 33 Mbps download speed 

  • 26 Mbps upload speed 

Private Internet Access VPN boasts that it has more than 3,170 servers in over 28 countries. Next to each country, the VPN shows the data speed (or perhaps an average of server speeds) for that country, so users can make more informed decisions about where they want to go (virtually) and how fast the data experience will be.

The above speed test was performed on a server in the United States. But when I chose Melbourne, Australia, the speed dropped substantially: 4 Mbps download and 1 Mbps upload.

NordVPN offers protection for up to six devices.

Image: Nord screenshot

  • 28 Mbps download speed

  • 29 Mbps upload speed

NordVPN rerouted my web IP address to the middle of the U.S., and both upload and download speeds performed decently.

Nord touts that its service allows users to “Protect up to 6 devices simultaneously,” so someone might not have to switch between a device that is on a protected VPN, and one that isn’t. 

PureVPN is a user-friendly choice.

Image: PureVPN screenshot

  • 26 Mbps download speed

  • 17 Mbps upload speed 

The PureVPN iOS app is pretty user-friendly, but so are most VPN iOS apps that hope to compete in a crowded market.

PureVPN appears to be one of the more well-known VPN options, though it comes with some known concerns. In 2017, PureVPN’s homepage claimed it kept “NO logs of your activities.” However, when investigating a cyberstalker, investigators from the U.S. Department of Justice requested a suspect’s web history from PureVPN after finding the software on his laptop.

According to court records, PureVPN then provided federal agents this data, revealing the company had, in fact, been logging its users’ web history. It’s unknown if PureVPN still logs customer data, though it now states on its homepage that “your cybersecurity is never compromised with PureVPN.”

IP Vanish has servers worldwide.

Image: IP Vanish

  • 25 Mbps download speed

  • 8 Mbps upload speed

When I initially connected to IP Vanish, it by default sent me to a new web address in New York City, even though my actual web address was already in New York City. 

Fortunately, for those interested in achieving greater anonymity, IP Vanish (like most VPNs) allows users to specifically select other far-off locations. I selected Los Angeles, although the company has servers in distant countries, including 98 different servers in Amsterdam (according to IP Vanish).

TorGuard also offers a VPN router.

Image: Torguard screenshot

  • 9 Mbps download speed

  • 1 Mbps upload speed

TorGuard sent me to a faraway server in Sydney, Australia, which may be partly responsible for its slow speed test performance. 

TorGuard says that it keeps no logs (but so did PureVPN), and it offers other privacy services as well, including anonymous email, proxies, and even a piece of hardware: a VPN router.

KeepSolid is a, well, solid option, if a bit slower.

Image: keepsolid screenshot

  • 6.5 Mbps download speed

  • 27.1 Mbps upload speed

Mashable tested KeepSolid’s VPN product “VPN Unlimited.”

Initially, I told the VPN to reroute me to New Zealand, and this resulted in some really slow speed test results: 7 Mbps download and 2 Mbps upload. I reran the trials at a closer location, in Brooklyn, New York, which KeepSolid noted had a faster data load.

The results, shown above, were still lower than average in the download speed department.

Cybersecurity researchers say Olympics hacker aimed to embarrass

Ya burnt.

Image: Matthias Hangst/Getty Images

The hot new trend in Winter Olympics fashion? Making the host country look like a chump. 

Following reports that Olympic organizers had their servers hacked during the opening ceremony, security researchers have dug into the malware responsible and come to an interesting conclusion: Embarrassment was the name of the game. 

According to Talos, “Cisco’s industry-leading threat intelligence team,” the attack that knocked Olympic press center TVs offline and forced the temporary shutdown of the Pyeongchang 2018 website was tailored to be destructive. 

In other words, unlike the ransomware that swept the globe last year, there was no clear financial motive. And it doesn’t look like the attackers were after information, either. 

“The purpose of this malware is to perform destruction of the host, leave the computer system offline, and wipe remote data,” explained report authors Warren Mercer and Paul Rascagneres. “Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.”

The researchers at Talos dubbed the malware “Olympic Destroyer,” just in case anyone was unclear about their conclusions. 

Deleting that data.

Image: Talos

Importantly, there is no foolproof way to know with 100 percent certainty what motivated the hackers. However, a plot to muck things up isn’t that farfetched. After all, there is at least one powerful actor that could conceivably have such a motive. 

Russia was banned from officially competing in this year’s Winter Olympics by the International Olympic Committee, and hasn’t taken that reality well. The Washington Post reported today that Russian foreign minister Sergei Lavrov claimed the reason for the ban — state-sponsored doping — was invented by the United States because the U.S. “can’t beat us fairly.”

So, yeah, clearly someone is upset — and Russia has been known to wield its powerful hacking skills in a variety of unsavory ways.

Does that mean Russia perpetrated the hack? At this point, it’s too early to say. However, if an attack during the opening ceremony is any indication of what’s to come, we may just end up with plenty more opportunities to find out. 