Android ransomware authors have a new trick to go with an old shakedown technique
Mobile ransomware scams — in which crooks lock your phone and demand money — are nothing new. But they are getting more clever as cybercriminals find new ways to circumvent security.
The latest example is a ransomware scheme targeting Android phones that Microsoft made public Thursday. According to the research, the malicious code gets around security checks that Google, which owns Android, has instituted against previous ransomware kits.
Instead of abusing a permission feature that controls what apps can do on the phone, as other mobile ransomware scams have, this one triggers an incoming call notice to display the ransom note. It’s “the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop,” Dinesh Venkatesan, a Microsoft researcher, wrote in a blog.
Mobile ransomware generally isn’t as profitable as ransomware attacks on PCs or enterprise networks. But Allan Liska, an analyst at threat intelligence company Recorded Future, said phone-focused ransomware can still be effective.
“Ransomware campaigns against mobile devices have stumbled over the last couple of years compared to their network counterparts,” Liska said. “This new evolution in Android ransomware shows that it can still be dangerous. The techniques this actor is using are borrowed from other successful Android malware campaigns.”
Some old tricks with the new
As with other mobile ransomware schemes, the attackers are locking access to the phone rather than encrypting data on the device, said Tanmay Ganacharya, lead of the Microsoft Defender Research team.
“Considering the limited compute power on mobile devices, performing operations like encryption can be very costly and could cause the device to freeze, which can be easily noticed by the user,” Ganacharya said.
Ganacharya said the attackers, who are Russian speakers targeting other Russian speakers, have been demanding on average just 1000 rubles, or $13, to unlock the phone. It’s not clear who exactly is behind the scheme, or how successful it has been. Mobile users can generally reset their phones if they don’t want to pay a ransom.
While innovative in some ways, the newly revealed Android ransomware is conventional in others.
It borrows an age-old tactic of impersonating law enforcement and accusing the victim of heinous crimes to demand payment. A ransom note that came with a previous version of the malicious code accuses the mobile user of watching child pornography. If no payment is received, the attackers claim the user will be prosecuted.
That follows a separate scheme, reported in April by security company Check Point, in which Russian-speaking hackers were trying to shake down Android users by claiming to report them to the FBI for possessing pornography. The FBI has previously warned the public that ransomware actors have impersonated the bureau.
via CyberScoop https://ift.tt/2hq4cKh
October 8, 2020 at 05:21PM
Here's How to Take Your ECG on the Fitbit Sense
Last month, the Food and Drug Administration said Fitbit could have a little treat in the form of clearance for its ECG app. As of today, that app is now live for anyone in the U.S. (as well as some countries in Europe and Asia) with a brand spanking new Fitbit Sense.
Before you can take a heart reading, you’ll have to do a little word reading first. To get started, navigate to the Discover tab in the Fitbit app, scroll down to Assessments & Reports, and then select Heart Rhythm Assessment. You’ll be asked to confirm that you’re 22 years old or older, don’t have a pacemaker, and acknowledge that whatever results you get, the Fitbit Sense isn’t providing you with a diagnosis and that it can’t detect heart attacks, blood clots, or a stroke.
Once you’ve done that, you’ll get some more reading about the types of results you could possibly get: Atrial fibrillation, normal sinus rhythm, and inconclusive. The first two are self-explanatory, though if the watch says you’ve got Afib, you should definitely talk to a doctor for a proper diagnosis. If your result is inconclusive, it’s likely because your heart rate is outside of the 50-120bpm range. This limitation isn’t a ding on Fitbit—Apple also had issues with heart rates above 120bpm with its ECG app, something that was just improved with the launch of the Apple Watch Series 6.
Once you’ve done all the reading, you can then take an ECG reading. The ECG apps should already be on the Fitbit Sense—I just synced to the Fitbit app and boom, it was already there on my watch, though I had to swipe through some of the menu screens to find it.
As with other ECG-capable smartwatches, it’s best if you sit still and rest your arm on either a table or some kind of flat surface. In the app, you select which wrist you’re wearing the Sense on, and then all you have to do is put your index finger and thumb on opposite corners of the Sense’s metal frame. The whole thing takes about 30 seconds and is easy peasy. If you want a PDF report to share with your doctor, you can just go back to the Assessments & Reports section in the Discover tab, tap Heart Rhythm Assessment, and your results should pop up.
Overall, the process feels very similar to how you would take an ECG on the Apple Watch. I tried it twice and both times got a normal sinus rhythm, which I love for me, personally. The one thing I would say is that getting your reports is a smidge easier on the Apple Watch, but this definitely isn’t a dealbreaker.
In any case, this is great news for Android users interested in advanced heart health features. While Samsung also got FDA clearance for its ECG feature this year, when it finally went live a few weeks ago, it turned out ECGs were only available to folks with Samsung phones with Android Nougat or higher. This gives ECG access to a much larger group of Android users. Now if only we could get an LTE capable Fitbit, we’d be all set.
via Gizmodo https://gizmodo.com
October 8, 2020 at 05:15PM
Daily Crunch: Waymo opens up driverless ride-hailing
Alphabet’s self-driving technology company hits a major milestone, Apple TV+ extends its free subscription period and Affirm files to go public. This is your Daily Crunch for October 8, 2020.
The big story: Waymo opens up driverless ride-hailing
Waymo hit a major milestone today: It’s offering fully driverless rides to (some) members of the public.
While the Alphabet-owned company has offered plenty of self-driving rides before, they usually came with a human in the driver’s seat for safety. Members of the early rider program who’d signed nondisclosure agreements were able to try out fully driverless rides — but again, they had to sign NDAs first.
Today, the company said members of its more open Waymo One program in Phoenix will be able to go fully driverless, and to take friends and family with them. And over the next few weeks, the program will open up to even more passengers.
The tech giants
Apple is extending some Apple TV+ subs through February 2021 for free — Apple gave away a free year of Apple TV+ to new device purchasers last year; now it’s bumping those subs out to February.
Amazon debuts its first fully electric delivery vehicle, created in partnership with Rivian — The van’s unique features include sensor-based highway driving and traffic assist features.
IBM plans to spin off infrastructure services as a separate $19B business — The company said this will allow it to focus on newer opportunities in hybrid cloud applications and artificial intelligence.
Startups, funding and venture capital
Instacart raises $200M more at a $17.7B valuation — It’s not hard to trace a connection between COVID-19 and Instacart’s business results.
Affirm files confidentially to go public — The news comes after the impending debut was reported in July.
Delivery startup goPuff raises $380M at a $3.9B valuation — GoPuff delivers products like over-the-counter medicine, baby food and alcohol (basically, the stuff you’d buy at a convenience store) in 30 minutes or less.
Advice and analysis from Extra Crunch
Investors, founders report hot market for API startups — Startups that deliver their service via an API are having a moment.
Tech’s role in the COVID-19 response: Assist, don’t reinvent — Speakers at Disrupt explained how technology companies have taken a backseat to frontline workers, rather than attempting to “solve” the issues on their own.
These 3 factors are holding back podcast monetization — Fundamental fixes could unleash the channel’s revenue potential.
(Reminder: Extra Crunch is our subscription membership program, which aims to democratize information about startups. You can sign up here.)
General Motors finally gets serious about in-car tech, taps Unreal Engine for next-gen interface — Matt Burns writes that GM’s current crop of in-car user interfaces is among the worst on the market.
Consumers spent a record $28B in apps in Q3, aided by pandemic — According to a new report from App Annie, consumers in the third quarter downloaded 33 billion new apps globally.
US Space Force is getting an immersive space sim training tool built in part by the VFX studio behind ‘The Mandalorian’ — The U.S. Space Force obviously won’t be able to train most of their service people in actual space, so the new arm of America’s defense forces has tasked Slingshot Aerospace to create a VR space sim.
The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.
via TechCrunch https://techcrunch.com
October 8, 2020 at 05:09PM
Hurricane Delta Is Heading for the Petrochemical Hub That Hurricane Laura Hit Six Weeks Ago
Hurricane Delta is gaining power after striking the Yucatan Peninsula as a Category 4 storm on Wednesday. The National Hurricane Center’s Thursday evening update found winds of 115 mph, making Delta a major Category 3 hurricane once again as the storm feeds on warm waters in the Gulf of Mexico. Its wind field is also growing, which the storm will use to whip up the ocean and send more storm surge inland.
Right now, its track has it on a collision course with southwest Louisiana by Friday afternoon or evening. The region was hit hard by Hurricane Laura in late August with a 10-foot storm surge that destroyed entire neighborhoods. Several parishes in the region are under mandatory evacuation orders, including Lake Charles. The region is a petrochemical hub, and Hurricane Laura ignited dangerous, polluting chemical fires there due to leaks at processing plants. Ahead of the coming storm, area officials are working to clean up debris left from the previous hurricane, which could be hazardous if it blows in the strong winds.
“This is not a bad dream, it’s not a test run. These are the cards we’ve been dealt,” Lake Charles Mayor Nic Hunter said on Thursday in a Facebook video. “There’s still time to get out of the way of Hurricane Delta. Please don’t wait,” he added in another post.
Storm surge could rise up to 11 feet, with the NHC warning of “life-threatening inundation.” Lake Charles is to the west of the worst of the surge forecast, but water levels there are still expected to rise up to 8 feet above normal.
“Persons located within these areas should take all necessary actions to protect life and property from rising water and the potential for other dangerous conditions,” the NHC said.
Much of Texas’ Gulf Coast, as well as southwest and central Mississippi, could also see impacts from Hurricane Delta. A hurricane warning is currently in effect from High Island, Texas, to Morgan City, Louisiana. The Texas city of Port Arthur, which is home to the continent’s largest oil refinery and saw three killed by Hurricane Laura, is expected to be affected. Swaths of Texas and Mississippi are also under storm surge warning.
Rates of cancer are high in the region, as are rates of poverty. When Hurricane Laura battered the Gulf Coast, it brought the region’s inequality into sharp relief. While mansion owners bought $7,000 inflatable levees to barricade their homes, low-income people were forced to rely on buses to evacuate. Delta will almost certainly shine another spotlight on the unequal ways people experience disasters.
“We realize that not everyone has the financial wherewithal to simply put money into a gas tank and go rent a hotel right now,” Lake Charles Mayor Hunter said in his Facebook video. He advised any residents without the means to evacuate to head to any city bus stop, where they can be transported to a safe location for free.
Until we take serious action to mitigate and adapt to the climate crisis and rapidly alleviate inequality, the gross truth is that we’re likely to see injustice in the face of climate disaster again and again.
via Gizmodo https://gizmodo.com
October 8, 2020 at 05:03PM
Cyberattacks Up, But Companies (Mostly) Succeed in Securing Remote Workforce
Despite fears that the burgeoning population of remote workers would lead to breaches, companies have held their own, a survey of threat analysts finds.
Since the onset of the pandemic, more than half of firms say they have detected at least a "moderate increase" in cyberattacks, while one in 10 firms have encountered a drastic increase, according to a survey of more than 520 security professionals.
Yet the increase in attacks has not led to an increase in breaches, with 16% of firms experiencing a breach in the past 12 months compared with 15% for the same period in 2019, according to a report by threat-hunting tools provider DomainTools. More than half of the surveyed companies (56%) stated they are prepared to support a fully remote workforce, with about a third tightening security policies and settings.
Overall, fears that the chaos of the coronavirus pandemic and the massive shift to remote work would lead to more frequent security incidents and breaches have failed to be realized, says Tim Helming, security evangelist at DomainTools.
"In general, organizations held their own pretty well," he says. "Obviously, COVID represented a dual problem for security shops — the shift to remote work encompasses all kinds of complexities — but on top of that, you had a bunch of attackers seizing on the moment and preying on the hunger for information on COVID."
Concerns over the spread of the novel coronavirus have resulted in most companies shifting employees to work from home. In June, more than three-quarters of companies had the majority of their employees working outside of the office, according to consultancy PwC. Looking toward the future, almost 90% of companies expect at least 30% or more of employees not to work from the office at least part of the time.
The DomainTools survey gave companies a chance to rate their security programs. The share of respondents that gave their program an "A" declined to 24% in 2020, from 30% in 2019, while the number of "B" grades rose to 49% in 2020, from 45% in 2019.
"COVID-19 served as an inflection point for over a quarter of security teams to reassess their perceived cybersecurity posture," DomainTools stated in its report. "Twelve percent of respondents would have given their organization a lower grade prior to the pandemic, showing surprise in how well they were able to cope."
Companies that had good training programs successfully transitioned to a secure workforce. About 60% of companies surveyed have a program for training IT staff in cybersecurity subjects, and of those respondents who gave their company's security efforts an A, 86% had a training program.
Almost half of security professionals (46%) — and three-quarters (74%) of professionals who rated their company's security an A — believe the training helped the organization respond to the security challenges posed by the pandemic.
"Training and preparation paid off," Helming says. "We had this big Black Swan event that happened, and it put organizations to the test, and the ones that felt like they had successfully risen to the occasion are the ones who did training and preparation ahead of time."
Looking to the future, about 62% of companies said they will not change their security budgets. Of the nearly one-quarter of companies that will increase their budgets, nearly half will focus on hiring more cybersecurity professionals and slightly less than half will focus on team training, the survey found. Adding new threat intelligence sources claimed a distant third position, with 36% of security professionals indicating that more budget would be spent on that capability.
Overall, companies saw more attacks but mainly common vectors, such as spear phishing, malware, and business e-mail compromise. More than a third of companies saw active or suspected cyberattacks every day, the survey found.
"The number of attacks moderately increased, so if you hold that up against the increases in the number of breaches that were attempted, companies, in general, are doing a good job," Helming says. "To me, that was one of the bright spots."
via Dark Reading https://ift.tt/2qbHoDd
October 8, 2020 at 04:57PM
Disneyland Isn't Reopening Anytime Soon
California continues to fight the novel coronavirus pandemic, and it’s going to keep theme parks closed a little while longer. Governor Gavin Newsom recently announced that Disneyland, Universal Studios, and other theme parks in the state will remain shut for the time being—a decision that Disney CEO Bob Iger is apparently not happy with.
During a press conference on Wednesday (as revealed by Deadline), Newsom said there are no immediate plans to reopen California’s theme parks so long as covid-19 cases are failing to decline at the rate state officials are looking for. He said they’re letting “science and data make that determination” instead of economics. In addition, the long-awaited theme park guidelines—which were first discussed in July, back when Disneyland was first trying to reopen its doors—are still nowhere to be found in Newsom’s “Blueprint for a Safer Economy,” and Newsom said there’s no rush to add them.
“We don’t anticipate in the immediate term any of these larger parks opening until we see more stability in terms of the data,” he said. “We feel there’s no hurry to put out guidelines, and we continue to work with the industry.”
This decision has angered the theme park industry. After Wednesday’s announcement, California Attractions and Parks Association—which represents California’s Disney Parks, Universal Studios, Knott’s Berry Farm, and others—issued a statement condemning the decision and calling on Newsom to release safety reopening guidelines for the state’s theme parks. Here’s the statement from executive director Erin Guerrero:
Disney’s been taking the news extra hard. According to Newsom, Iger resigned from the state task force for economic recovery over disagreements related to reopening plans. In addition, Disney put out a statement from Dr. Pamela Hymel, Chief Medical Officer for Disney Parks Experiences and Products, saying that other Disney Parks around the world have found a way to reopen in a way they claim is safe for guests and cast members. Here is her statement in full:
California saw about 3,400 new covid-19 cases on Wednesday—which is much lower than the August peak of over 11,000 in a single day but is still pretty high. Orange County, where Disneyland and Disney’s California Adventure are located, is listed as having a “substantial” number of cases (the second-highest tier behind “widespread”), with about 3.2% positivity rate. This means many indoor places are open, like movie theaters and restaurants, albeit with limited capacity. However, bars and offices remain closed—along with theme parks. It’s tough, but Newsom said the state is simply trying to keep people safe.
“I understand the dialectic, the friction that many business leaders have that they want to move forward,” Newsom said. “But we’re going to be led by a health-first framework, and we’re going to be stubborn about it.”
The park closings and lower attendance numbers were cited as the reason behind Disney Parks laying off about 28,000 resort employees (keeping in mind that Disney also reinstated full salaries for its executives one month prior). It was recently revealed that about 8,800 of those who’ve been laid off are part-time union workers.
Disney World Resorts in Florida is currently open, although at reduced capacity. Florida most recently saw almost 2,600 novel coronavirus cases, though that could rise after Governor Ron DeSantis ordered that restaurants and bars could reopen at 100% capacity and sports stadiums could once again see full attendance.
via Gizmodo https://gizmodo.com
October 8, 2020 at 04:51PM
Microsoft Edge's new feature promotes Skype video conferencing
Microsoft is rolling out a new feature in Microsoft Edge that integrates Skype's Meet now video conferencing feature on the new tab page, also known as NTP.
With this new feature, Microsoft aims to help consumers relying on video conferencing to get in touch with coworkers, friends, and relatives without creating a Skype or Microsoft account.
Last month, Microsoft added the Skype Meet feature to Windows 10 preview builds and the same feature is now rolling out to Microsoft Edge.
Microsoft will add a small video conferencing button to the new tab page of Edge when the feature is rolled out to your device, as shown below:
When you click the Meet Now button, Edge will open Skype Web and launch the Meet Now setup screen. This will allow you to create a meeting that others can join using your invite link.
Once created, you can use chat, voice and video to communicate with attendees.
Other Microsoft Edge features
Today, Microsoft also announced a new feature called "Price comparison" for Microsoft Edge that will help you find the best price this holiday.
This new feature will help you easily compare the price of a product you want across other retailers with one single click and it has been designed to help you find the best price while shopping online.
To get started, you need to add a product to a collection and click “compare price to other retailers” to compare the price of a product across other retailers.
In addition, Microsoft is rolling out a "Web Capture" feature that will help you take a snapshot of a web article, annotate it, and share it in a PowerPoint presentation.
via BleepingComputer https://ift.tt/2fDDDRH
October 8, 2020 at 04:37PM
Frontier’s Bankruptcy Shows Why ISPs Shouldn’t Be in Charge of the Internet
Let’s state the obvious: Internet in the U.S. sucks. Unless you already have fiber, you’re probably stuck with cable, DSL, or no internet at all because no ISP wants to expand into your area. If you live in a rural area and are lucky to get some form of broadband, you’re probably paying an exorbitant amount for slower than molasses speeds. And most people, about 83.3 million according to a recent report from the Institute for Local Self-Reliance (ILSR), can only access broadband through a single provider. There’s no incentive for major ISPs to actually offer their customers good service. Instead, their focus is on short-term profits—even if that means leaving money on the table and customers on DSL.
Our own Alex Cranz and Brian Kahn recently spoke with Electronic Frontier Foundation special adviser Cory Doctorow about how ISPs continue to wreck their own internet service, overcharge customers, shut out competition, and leave a significant chunk of urban and rural America pleading for more affordable and better broadband. (You can listen to this first episode of the System Reboot podcast here.) The podcast is a nice overview of the problems with ISPs, but I wanted to dig a bit further into one key element of Doctorow’s focus in the episode: The case of Frontier’s bankruptcy. It’s especially illuminating when it comes to tracing the steps of how ISPs got this monopolistic power over consumers and continue to wield it to absolute ill effects.
As Doctorow, along with EFF’s Ernesto Falcon and Katharine Trendacosta, wrote in a report for the EFF not too long after the bankruptcy announcement in April 2020, Frontier refused to upgrade many of its DSL customers to much faster and more stable fiber because it was too focused on short-term profits. “Instead of being incentivized to grow a satisfied consumer base by investing in better service and expanding to underserved customers, publicly traded companies’ incentives are dominated by quarterly reporting,” the EFF report said.
Frontier isn’t the only one doing this. All major ISPs do this: throw the majority of their effort and money toward programs and investments that will pay out in a few years instead of a decade. This literally short-sighted mentality has left significant coverage gaps across both urban and rural America. Instead of investing money in upgrading old DSL lines, ISPs have selectively chosen to upgrade connections located in more populated, affluent areas. Major ISPs have maintained for years that there isn’t the demand for fiber or another type of high-speed internet in undercovered areas. There is demand, just not enough people demanding it for the ISPs to reap the benefits of their investment in a short amount of time.
In its bankruptcy filing, Frontier admitted that it could generate about $1 billion in profits starting in 2031 by—wait for it—upgrading 3 million DSL connections to fiber broadband. As EFF points out, the company’s bankruptcy filing has freed it from its investors’ tendrils, and where it once would never even consider a paltry $1 billion return on investment, now it is. And all of this requires exactly $0 in government subsidies.
Not only that but before it filed for bankruptcy, Frontier straight-up told its investors that if it had replaced all that DSL it bought from AT&T and Verizon with fiber, it wouldn’t have lost as many customers as it eventually lost.
“So long as major national ISPs continue to operate with that same short-term mindset, they will never deliver high-speed fiber to the home broadband of their own accord. If they will not do it, then policymakers need to be thinking about incentivizing others to do it,” said Doctorow, Falcon and Trendacosta.
So long as policymakers make the right incentives for the right ISPs, like local municipal broadband, policy at the federal or state level could work. Giving billions of dollars under the Rural Digital Opportunity Fund (formerly the Connect America Fund) to major ISPs? That’s been done. As soon as the government cheese is gone, the ISPs stop expanding their fiber networks. Frontier wasn’t able to deploy all the fiber it said it would by January 2020 under its agreement. The company said it faced delays due to “tribal permitting and rights of way,” yet by March 2020 there were serious talks of bankruptcy. The company officially filed for bankruptcy a month later.
Incentives should go further than money, though. They should also come in tangible reform. Major ISPs hold effective monopolies over certain states and certain cities within those states, and a big reason why this has been allowed to happen, other than a massive lack of oversight, is that many states keep banning local municipalities from creating their own broadband service.
According to BroadbandNow, 22 states roadblock or completely outlaw municipal broadband. Yet out of the states that do allow it, only 55% of the population has access to wired broadband that costs $60 or less a month. California is one of those states that does allow local broadband, and yet its state assembly recently killed a bill, without explanation, that would have “secured more than 100 million dollars a year to secure access to high-speed Internet for families, first responders, and seniors across the state,” said EFF. Only six of the 17 municipal broadband providers in California offer residential services, by the way. So 26% of households don’t have broadband and rely heavily on their mobile data plans for internet access. Not ideal for distance learning and remote work.
On one side, ISPs don’t want to invest the money necessary to outfit the entire country with fast, reliable internet. On the other side, government regulators allow these monopolistic practices to keep happening by banning municipal broadband and killing bills like California’s SB 1130, enabling the ISPs to keep doing what they’re doing. One of these groups is going to have to change what it’s doing for real change to happen, for fiber to spread across the country as widely as DSL and dial-up. My confidence is not in the ISPs.
via Gizmodo https://gizmodo.com
October 8, 2020 at 04:33PM
Sam's Club customer accounts hacked in credential stuffing attacks
Over the past two weeks, Sam's Club has started sending automated password reset emails and security notifications to customers who were hacked in credential stuffing attacks.
Sam's Club, owned by Walmart, is an American chain of membership-only retail warehouse clubs operating since 1983. The brand is frequently listed alongside Costco and BJ's Wholesale Club.
BleepingComputer had been closely monitoring these notifications over this period and has heard from Sam's Club.
Possible credential stuffing or phishing
In emails sent out to Sam's Club members, and seen by BleepingComputer, the company is alerting members that an unauthorized party may have gained access to their accounts.
This activity, detected by Sam's Club in September, did not stem from a data breach. According to the company, it was likely a result of the attackers already knowing the user's credentials—for example, via credential stuffing, data breaches, or phishing.
Credential stuffing attacks involve the attackers trying previously leaked username-password combinations against another website in an automated fashion, in an attempt to find accounts that share the same credentials.
That is one reason security professionals strongly advise against using the same username-password combination across different websites. Should one such website be compromised, the attackers would now be able to re-use the leaked credentials on others as well.
"We recently learned that, in mid-September, an unauthorized party used your login credentials (email address and password) to access your Sam’s Club account. Based on our investigation, the credentials used did not come from Sam’s Club," read the security notification.
"Instead, it is likely that your credentials were taken from another source, for example, another company’s website, where you may have used the same or similar login information," the email continued.
When asked for more information, Sam's Club spokesperson Meggan Kring told BleepingComputer:
"Protecting our members' privacy is something we take very seriously, and we are continually monitoring for suspicious activity. As part of this effort, we recently found that unauthorized parties had logged into certain member accounts."
"This was not a breach of our systems, but rather a case of these parties obtaining user names and passwords from phishing campaigns, planting malware or breaches at other companies. We have reset passwords for these accounts and are taking additional measures to protect the accounts from fraudulent activity."
"We are reaching out directly to those members who were affected," Kring told BleepingComputer.
Automatic password resets completed mid-September
Previously, Sam's Club members had received security notifications alerting them of an automatic password reset due to suspicions of unauthorized account access.
A copy of such an email obtained by BleepingComputer was sent September 24, 2020, to customers and read:
"Our monitoring suggests someone might be trying to take advantage of your account. As a precaution, we've reset your SamsClub.com password. We apologize for any inconvenience this may cause, but we are focused on protecting you and your account."
More companies should follow Sam's Club's lead in proactively monitoring customer accounts and resetting passwords. This proactive protection of customers is especially important with cyberattacks on the rise and attackers deploying credential stuffing attacks that deprive people of COVID-19 relief payments.
However, it is not clear how it became possible to gain unauthorized access to Sam's Club member accounts. Assuming the credential stuffing technique was leveraged as an attack vector, were there no automated rate limiters or security controls in place?
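As an added illustration of the monitoring and rate-limiting question raised above (example code written for this page, not Sam's Club's or BleepingComputer's; the log format, IP addresses and thresholds are assumptions), the following detector flags the credential-stuffing pattern, one source trying leaked pairs against many accounts, in login logs and lists the accounts that should be force-reset:

```python
# Added example, not from the article: a minimal credential-stuffing
# detector over constructed login log lines (defensive monitoring only).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client IP> <account> <result>".
# 203.0.113.7 tries leaked pairs against many accounts; 198.51.100.9 is a
# real user who mistyped once and then logged in.
SAMPLE_LOG = """\
2020-09-15T10:00:01 203.0.113.7 alice@example.com FAIL
2020-09-15T10:00:02 203.0.113.7 bob@example.com FAIL
2020-09-15T10:00:02 203.0.113.7 carol@example.com FAIL
2020-09-15T10:00:03 203.0.113.7 dave@example.com SUCCESS
2020-09-15T10:00:04 203.0.113.7 erin@example.com FAIL
2020-09-15T10:00:05 203.0.113.7 frank@example.com FAIL
2020-09-15T10:05:00 198.51.100.9 alice@example.com FAIL
2020-09-15T10:05:30 198.51.100.9 alice@example.com SUCCESS
"""

def parse_line(line):  # -> (timestamp, ip, account, result)
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.75):
    """Return {ip: sorted accounts that logged in during a stuffing burst}.
    A burst is a sliding `window` in which one IP hit >= `min_accounts`
    distinct accounts with >= `min_fail_ratio` failures; a user retrying a
    single account never crosses the distinct-account threshold."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, result = parse_line(line)
            by_ip[ip].append((ts, account, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while events[start][0] < ts - window:  # age out old events
                start += 1
            burst = events[start:end + 1]
            accounts = {acct for _, acct, _ in burst}
            fails = sum(res == "FAIL" for _, _, res in burst)
            if len(accounts) >= min_accounts and fails / len(burst) >= min_fail_ratio:
                hits = {acct for _, acct, res in burst if res == "SUCCESS"}
                flagged.setdefault(ip, set()).update(hits)  # reset these
    return {ip: sorted(accts) for ip, accts in flagged.items()}
```

On the sample log the spraying IP is flagged and dave@example.com is listed for a forced reset, while the single user retrying alice@example.com is left alone.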
Cybersecurity challenges continue to grow as attackers constantly evolve their tactics, and defenders must keep stepping up their game to catch up.
via BleepingComputer https://ift.tt/2fDDDRH
October 8, 2020 at 04:15PM
Let's Get Real About the President's Antibody Treatment
The President claimed on Wednesday that he’d had a rapid “cure” from Covid-19, because of an experimental drug from Regeneron that’s, “like, unbelievable!” Trump also said he has “emergency use authorization all set” for the treatment, and Regeneron quickly followed by requesting that approval from the US Food and Drug Administration. But the real miracle would be if we were that good at predicting which drugs are going to make a real difference this early on in the research and development process. We’re not. That’s why dosing up on unproven therapies isn’t good medicine.
The Regeneron drug, like another in development by Eli Lilly, consists of a pair of monoclonal antibodies. Just to give you an idea of how thoroughly it’s been tested, the only data available so far—sketchy details of which were released last week via press release, not through a medical journal—mention only six people in Trump’s age group who received the same dose that he did. Preliminary findings from Eli Lilly are also limited to a press release, and, taken together, the treatment groups for these two experimental drugs include fewer than 300 people. Now, if the drugs had a dramatic effect on disease, it might be clear even in small amounts of data. But that’s not the case here, at least so far. What’s more, the Eli Lilly trial is not designed to test effectiveness; while the Regeneron report describes only about one-quarter of the patients it would need to show whether the treatment works.
I really hope these drugs prevent serious illness and deaths. There is sadly no shortage of people testing positive for Covid-19 in the UK and the US, and with multiple clinical trials underway we could have solid answers very soon. The RECOVERY trial, for example, has been pumping out critical results—like the finding that dexamethasone, a steroid that Trump is also taking, can reduce mortality from Covid-19. Just this week, the RECOVERY trial group published another important finding, that the antiviral combination lopinavir-ritonavir, like hydroxychloroquine, does not improve outcomes. (Regeneron’s antibody treatment has recently been added to the ongoing research.) But this work could end up being slowed by the last few days’ publicity. A clamor for presidentially-juiced drugs, and prompt approval for their emergency use by the FDA, might end up driving people away from randomized trials where they could end up receiving a placebo, or “standard care.”
Covid-19 can be a ghastly disease, made truly terrible by how widely it has spread; but it doesn’t have Ebola-scale destructive capability at the individual level. That makes it less obvious whether any particular drug makes a difference to the course of illness. Take the President, as an example. Even in his age group, he’s highly unlikely to die from Covid-19. The Centers for Disease Control and Prevention estimates a case fatality rate of 5.4 percent for people 70 years and over who test positive. Perhaps 40 percent of that group will end up having no symptoms at all. Even when people 65 and over are sick enough to need hospital care, almost 80 percent won’t progress to needing mechanical ventilation. We have no idea what would have happened if the President hadn’t had the clutch of treatments he’s getting. Even Trump himself has now acknowledged this uncertainty: After declaring the Regeneron drug a “cure” on Wednesday, he mused on Thursday that maybe his infection “would have gone away by itself,” even without treatment. He’s right, of course: That’s why we need data from solid, randomized trials.
As I’ve often said, a “promising” treatment is often the larval stage of a disappointing one. Most new drugs that get into clinical trials never end up approved by the FDA. Drugs for influenza and pneumonia do better than those for other infectious diseases; but even then, only about half clear that bar. Approval doesn’t necessarily mean that a drug is more than minimally effective, nor even that it definitely works. It’s been estimated that about 10 percent of clinical trials actually reverse the findings of previous ones.
via Wired https://ift.tt/2uc60ci
October 8, 2020 at 04:12PM