Morgan Stanley fines some employees $1M for WhatsApp, iMessage use

Investment banking firm Morgan Stanley has punished some of its employees with fines of more than $1 million for breaching compliance rules by using WhatsApp and iMessage for business communications.

The fines were levied by docking previous bonuses or future pay, according to a report in the Financial Times.

While the fines might seem steep, Morgan Stanley itself has had to pay millions of dollars in fines for previous SEC violations related to the use of consumer messaging apps for business purposes.


Experian Glitch Exposing Credit Files Lasted 47 Days

Credit to Author: Brian Krebs | Date: Wed, 25 Jan 2023 19:58:46 +0000

On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.


Administrator of RSOCKS Proxy Botnet Pleads Guilty

Credit to Author: Brian Krebs | Date: Tue, 24 Jan 2023 19:00:32 +0000

Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that stitched malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, “America is looking for me because I have enormous information and they need it.”


Apple marks Data Privacy Week with in-store privacy training, more


How Microsoft is helping Ukraine’s cyberwar against Russia

One of the big surprises in Russia’s war against Ukraine has been how well Ukraine has fended off Russian cyberattacks. Ad hoc groups of white-hat hackers have helped, as have a number of nations and the US government.

Less well known is that tech companies, including Microsoft, are part of the effort. That aid ranges from giving advice to identifying attacks, offering fixes for them, and providing Ukraine with free tech and security services.

Microsoft isn’t just trying to help defend a country under siege from an aggressive, more-powerful neighbor. Russian cyberattacks against Ukraine can also get loose in the wild and do damage to enterprises and organizations that rely on Microsoft technology. (Russia could also deliberately target private companies with those attacks.)


New T-Mobile Breach Affects 37 Million Accounts

Credit to Author: Brian Krebs | Date: Fri, 20 Jan 2023 04:09:22 +0000

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.


Thinking of Hiring or Running a Booter Service? Think Again.

Credit to Author: Brian Krebs | Date: Wed, 18 Jan 2023 02:30:15 +0000

Most people who operate DDoS-for-hire services attempt to hide their true identities and location. Proprietors of these so-called “booter” or “stresser” services — designed to knock websites and users offline — have long operated in a legally murky area of cybercrime law. But until recently, their biggest concern wasn’t avoiding capture or shutdown by the feds: It was minimizing harassment from unhappy customers or victims, and insulating themselves against incessant attacks from competing DDoS-for-hire services.

And then there are booter store operators like John Dobbs, a 32-year-old computer science graduate student living in Honolulu, Hawaii. For at least a decade until late last year, Dobbs openly operated IPStresser[.]com, a popular and powerful attack-for-hire service that he registered with the state of Hawaii using his real name and address. Likewise, the domain was registered in Dobbs’s name and hometown in Pennsylvania.

The only work experience Dobbs listed on his resume was as a freelance developer from 2013 to the present day. Dobbs’s resume doesn’t name his booter service, but in it he brags about maintaining websites with half a million page views daily, and “designing server deployments for performance, high-availability and security.”

In December 2022, the U.S. Department of Justice seized Dobbs’s IPStresser website and charged him with one count of aiding and abetting computer intrusions. Prosecutors say his service attracted more than two million registered users, and was responsible for launching a staggering 30 million distinct DDoS attacks.


Patch now to address critical Windows zero-day flaw

The first Patch Tuesday of the year from Microsoft addresses 98 security vulnerabilities, with 10 classified as critical for Windows. One vulnerability (CVE-2023-21674) in a core section of Windows code is a zero-day that requires immediate attention. And Adobe has returned with a critical update, paired with a few low-profile patches for the Microsoft Edge browser.

We have added the Windows and Adobe updates to our “Patch Now” list, recognizing that this month’s patch deployments will require significant testing and engineering effort. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this January update cycle.
