Symantec has bought identity theft protection firm LifeLock for $2.3bn.

The deal, announced Sunday, represents a brave bid by Symantec to shore up a consumer security business eroded by dwindling anti-virus sales.

Selling Norton consumer security alongside identity protection and remediation services from LifeLock will enable sustainable "consumer segment revenue and profit growth", according to Symantec. The security giant said it plans to finance the transaction with cash supplemented by $750m of new debt. The deal – which is subject to LifeLock stockholder approval and US regulatory approval – is not expected to affect Symantec's FY17 results.

Symantec's share price dropped marginally on the announcement of a deal that effectively involves it "doubling down" on the consumer security market. Data breaches and the identity theft that sometimes results are a growing problem, but it is far from clear that the sometimes controversial LifeLock offers a comprehensive defence.

LifeLock's identity theft protection system is designed to alert subscribers about fraudulent applications for loans, credit cards or other financial services.

The $2.3bn price tag ($24 per share) offered by Symantec represents a 16 per cent premium on LifeLock's Friday closing share price of $20.75, itself a year-long high. LifeLock was also reportedly being pursued by private equity firms Permira, TPG, and Evergreen Coast Capital, as well as Symantec.

Symantec sold data storage software firm Veritas to Carlyle Group for $7.4bn earlier this year. Since then it has purchased Blue Coat for $4.65bn and now LifeLock for $2.3bn in a bid to redefine itself as a pure-play cybersecurity firm.

The purchase price looks high even though LifeLock is profitable. The company's net income for 3Q16 came out at $14.4m on sales of $170.3m.

Last year LifeLock was obliged to pay $100 million to settle charges (PDF) of failing to maintain a comprehensive information security program and of deceptive advertising. The court order followed FTC enforcement action against LifeLock for alleged violations of an earlier 2010 order. ®


The Register - Security

Versus16 Silicon Valley should work with the US government in Washington to arrive at a solution that gives law enforcement access to encrypted comms, but that respects individual privacy.

That's according to former White House counterterrorism and cybersecurity official Daniel Rosenthal, who was debating where the issue of encryption should go next.

Nonsense, responded Cindy Cohn of the Electronic Frontier Foundation (EFF), on stage at the Versus conference in San Francisco. If the tech sector offers some form of compromise now, the government will only come asking for more later.

In the week since Donald Trump was elected president, tech companies have reported a 25 per cent spike in people encrypting their communications.

The reason why is not hard to discern: on the campaign trail the Republican nominee repeatedly stated that he would be prepared to use the full power of the federal government to carry out his policy goals, which include the forced deportation of millions of people, the surveillance of millions of others, and the pursuit of terrorism above all else.

What's more, Trump weighed in on the biggest showdown in the past decade between law enforcement and the tech industry, telling crowds that they should boycott Apple over its refusal to bypass its own security and grant the FBI access to a locked phone that belonged to San Bernardino shooter Syed Farook.


Both Rosenthal and Cohn acknowledged that the likelihood of the executive branch of the US government pushing for a backdoor into encryption was "significantly greater" under the Trump Administration.

Both offered some consolation, though: Rosenthal said there still remained forces within the executive branch that would argue for the value of strong encryption and the importance of privacy; Cohn promised that the EFF will continue to fight – as it has for decades – to prevent government overreach.

But while both agreed in general, Rosenthal and Cohn represented two very different viewpoints, themselves reflecting two very different attitudes on the East and West Coasts of the United States.

Both agreed that the bill put forward by Senators Dianne Feinstein and Richard Burr in April was a horrible piece of legislation (it eventually died, but not without significant effort being made to kill it).

Rosenthal warned, however, that if the tech industry rules out working on ways to open up access to encrypted data, it may find itself left out of the conversation when the "inevitable" next terrorist attack hits the United States and the government reacts to it with new laws.

Cohn stuck with well-worn arguments about the mathematics of encryption: weakened encryption is weak for everyone, and a backdoor is a backdoor as much for bad actors as for law enforcement.

She also warned that if the US government pushes a law to undermine encryption, it sends a signal to the rest of the world's governments, and makes it impossible for tech companies to stand up to other, inevitable demands from across the world.

Déjà vu

This is not the first time this debate has played out – for months this year the back-and-forth over encryption turned into fixed positions.

Rosenthal fell back on flattering the West Coast as being "much smarter" and urging tech companies to figure out a way to make breakable encryption possible. In response, Cohn offered the logic of math and argued that everyone has access to prime numbers. She shook her head at the Washington, DC policy process of finding a middle ground between opposing sides: there is no middle ground on encryption – it works or it doesn't.

Fortunately, neither fed into the familiar insults traded between the coasts – but they did reference them: Silicon Valley doesn't care about terrorism; Washington, DC doesn't care about its citizens' privacy.

Rosenthal thinks that Apple should feel an obligation to be a "good citizen"; Cohn notes that law enforcement agencies should be obliged to follow the law and run all requests for information through the legal process – "because companies are not always in the best position to evaluate requests or know if the system is being misused."

In short, despite the best efforts of two very knowledgeable individuals actively looking to find some common ground, nothing new was uncovered.

It's also notable that neither Cohn nor Rosenthal currently holds a government or tech industry role. It is, of course, possible that there are lots of positive conversations going on behind closed doors between DC and Silicon Valley. But it seems unlikely.

What seems even more unlikely is that the conversation will start with the arrival of the Trump Administration. Trump's stated policies are in many ways antithetical to both the politics and the finances of Silicon Valley.

Trouble ahead

When that inevitable next terrorist attack does come, we can expect to see the Apple versus FBI argument return – but this time with much greater odds and carried out in much louder voices. Just as with the election itself, there is ever less room for compromise. One side will win, and one side will lose.

Where will it fall? It will come down to Trump and whether he can persuade Congress to enact a new law. The Obama Administration was split on the issue and the President very publicly sat on the fence. That is far less likely to happen with the President-elect.

If there is a large terrorist attack, as Rosenthal noted, the people's concerns about privacy will fall away if they are offered a firm hand and a clearly stated solution.

And while Tim Cook has taken a principled stance on privacy and encryption, and Google and Facebook and many other tech companies have said they support that view – no one has ever said they will ignore the law of the land. ®


The European Union has published its proposal (PDF) for a revised Regulation on the export of dual use goods. The primary purpose is to overhaul and simplify the existing controls that were designed to limit the proliferation of weapons of mass destruction (WMDs); but it also introduces new controls over the export of cyber surveillance and computer intrusion tools.

More explicitly, it aims at preventing "the misuse of digital surveillance and intrusion systems that results in human rights violations" in line with the 2015 Human Rights Action Plan and the EU Guidelines for Freedom of Expression. New laws are necessary because existing legislation does not provide sufficient control over cyber-surveillance technologies.

It is a difficult area since cyber-surveillance and intrusion are both recognized as legitimate practices for some governments and some law enforcement agencies (especially in the name of national security). The problem is to allow and even simplify sales and exports to acceptable companies and governments while withholding them from those companies and countries that might use them to abuse the human rights that are protected by the EU constitution.

Misuse of these technologies can have -- and has had -- dire effects; and this is explicitly acknowledged by the EU. These technologies, notes the Introductory Memorandum, have "been misused for internal repression by authoritarian or repressive governments to infiltrate computer systems of dissidents and human rights activists, at times resulting in their imprisonment or even death." Under such circumstances, it goes on, continued export of cyber-surveillance runs counter to the EU's own human rights requirements, "such as the right to privacy and the protection of personal data, freedom of expression, freedom of association, as well as, indirectly, freedom from arbitrary arrest and detention, or the right to life."

The EU's proposed solution "sets out a two-fold approach, combining detailed controls of a few specific listed items with a 'targeted catch-all clause' to act as an 'emergency brake' in case where there is evidence of a risk of misuse. The precise design of those new controls would ensure that negative economic impact will be strictly limited and will only affect a very small trade volume."

Privacy International (PI) is one of the organizations that has long campaigned for stricter rules on the export of surveillance technologies. In a recent report (PDF) published in August 2016, it called for a new approach combining corporate social responsibility with export restrictions. "While pro-active due diligence on the behalf of companies is a necessary start," it suggests, "without instruments capable of restricting transfers and shining a light on the companies and the trade, surveillance technologies developed in and traded from the West will further undermine privacy and facilitate other abuses."

The export of encryption technologies is also covered in the new proposal. Encryption is considered 'dual use' and therefore regulated by many countries. However, different countries have different standards, and the EU has concluded that this gives those countries an unfair trading advantage.

The proposal is expected, says the Memorandum, "to improve the international competitiveness of EU operators as certain provisions - e.g. on technology transfers, on the export of encryption - will facilitate controls in areas where third countries have already introduced more flexible control modalities. The proposal's new chapter on cooperation with third countries is also expected to promote the convergence of controls with key trade partners and a global level-playing field, and thus to have a positive impact on international trade."

Details of the new Regulation were leaked in July. Since that time PI has lobbied the EU for additional improvements. In a statement sent to SecurityWeek, PI comments, "The eventual proposals only differ slightly however, with the main change being that the definition of 'cyber-surveillance' technology has been narrowed. The actual annex which contains a detailed list of what technology has been subject to control has also been published. In addition to spyware used to infect devices, mobile phone interception tech, and mass internet monitoring centres, the Commission has proposed to add unilateral EU categories. Currently these are listed as telecommunications monitoring centres and lawful interception retention systems."

While PI welcomes the new regulation, it believes it could be better and should have been done much sooner. It points out that more than half of the world's surveillance companies that it has identified are based in the EU, and that it has been known since 1979 that "a UK company had provided the necessary wiretapping technology to the genocidal regime of Idi Amin in Uganda."

The proposals, says PI, "encapsulate the best and worst aspects of the European Union. Their stated intent reflects Europe's commitment to fundamental rights, and - as a regulation - it will be binding on all member states, massively magnifying the effect of any legislation." But it adds, "The policy making process has been marked by technical and bureaucratic complexities detached from individuals, making it vulnerable to the interests of industry, powerful national governments, and civil society."

FinFisher GmbH and Hacking Team are two EU companies that are likely to be affected by the new regulation. This would also have included Vupen if it had not closed down and resurrected itself as Zerodium in the US.


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

SecurityWeek RSS Feed

Security researchers earlier this year managed to zero in on the Encryptor Ransomware-as-a-Service (RaaS), which forced the developer to shut down the operation, but without releasing the master key to help victims.

The ransomware service first emerged in July 2015 as a multiplatform threat at an appealing price, and quickly became a considerable threat to users and businesses, Trend Micro researchers reveal. Attacks leveraging this piece of ransomware could be easily tailored by affiliates, and the Encryptor RaaS author created a full web panel for his patrons, which could be accessed only via the Tor network.

As with other ransomware, Bitcoin was the preferred transaction currency, and the earnings looked highly appealing for affiliates, as they had to share only 5% of their revenue with the author. Other similar services out there, such as Cerber, would require affiliates to pay 40% in commissions, Trend Micro explains (the Cerber campaigns generate an estimated $2.3 million in annual revenue).

Encryptor RaaS was being advertised on surface web and darknet forums, and interested parties only needed to contact the developer to show interest. Technical expertise wasn't a requirement, though affiliates needed to know how to set up a Bitcoin Wallet ID, which would be attached to the distributed ransomware variant. Affiliates were also provided with a "customer ID" and could choose the ransom amount and the distribution method.

The malware was written purely in C, used a combination of the RC6 and RSA-2048 algorithms to encrypt 231 file types, generated an ID for each victim, and had its entire infrastructure hidden within the Tor network. Victims were instructed to use Tor2Web or the Tor Browser to access the payment site and could also use a chat box to contact the cybercriminals.

The ransomware's author focused on avoiding detection and even started offering a file-signing service for affiliates, saying that he had access to stolen Authenticode certificates. Encryptor RaaS was improved to become virtually undetectable, being able to trick static engine analysis, but still being caught by behavioral detection.

While analyzing the threat, researchers discovered that the actor left a command and control (C&C) server either abandoned or mistakenly open: it was exposed and not anonymized by Tor. Thus, researchers determined that Encryptor RaaS was being hosted on a legitimate cloud service, and one of the RaaS’s systems was seized in June.

The operator immediately took the infrastructure down as a precautionary measure, but more servers were seized a few days later. However, the developer managed to bring the entire system back online after four days, and also announced that he would shut down the operation. A shutdown notice was posted on all the main pages of the decryptor sites, and on Encryptor RaaS's main site.

“Encryptor RaaS’s systems went down around 5 PM GMT on July 5, 2016, with the developer leaving victims a message that they can no longer recover their files, as he deleted the master key,” Trend Micro reveals. Thus, while there’s one less ransomware family to worry about, there are users left without the possibility of recovering their files.

Related: Locky Ransomware Drops Offline Mode

Related: New MarsJoke Ransomware Targets Government Agencies


Ionut Arghire is an international correspondent for SecurityWeek.


Yahoo!'s embattled mail service was dealt another blow Tuesday when an outage hit users worldwide.

Data from outage monitors DownDetector and Outage.Report back up multiple reports from users that the service was knocked offline for a period of time earlier this morning US time, or afternoon for those in Europe.

Spokespersons for Jerry and David's Guide to the World Wide Web did not respond to a request for comment on the outage.

The downtime only adds to an already sizable pile of problems for Yahoo! with its free mail service. Last week's disclosure of a massive hack exposing some 500 million user accounts has now reached the point of possible legal actions.

Following demands that US financial watchdog the SEC be called in to probe the matter, a group of US Senators is also asking Yahoo! chief executive Marissa Mayer to provide them with an explanation as to why the Purple Palace took so long to find and disclose the hack, and what the company plans to do to prevent future intrusions.

The letter [PDF], sent by Senators Al Franken (D-MN), Patrick Leahy (D-VT), Ed Markey (D-MA), Elizabeth Warren (D-MA), Richard Blumenthal (D-CT), and Ron Wyden (D-OR), requests a formal briefing from Mayer and Yahoo!.

"This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the group writes.

"Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps to be taken to protect that information."

Verizon, which has a standing agreement to acquire Yahoo! for $4.8bn, has so far declined to comment beyond a brief statement it issued last week. ®


In this episode, we talk with Mike Tierney, who is the brand-new CEO at Veriato. In our conversation we talk through a primer on insider threat, and use the great example of hosting a dinner party.

Mike has loads of nuggets of wisdom from his experience and we're certain that if you're a seasoned insider threat professional, or just thinking about the topic and wondering if you can do anything to protect your company - this show will be a good primer for furthering your discussion and learning.

Listen in, comment and share with your colleagues! Our show is always safe for the office and educational.

Talk back! Use our Twitter hashtag #DtSR to discuss this episode, ask questions, or suggest other topics or guests for the future!

Direct download: DtSR_Episode_212_-_Insider_Threat_Primer.mp3
Category:Enterprise Security -- posted at: 12:00am CDT

Information Security Podcasts

Quick note from Michael about the Straight Talk Framework:

  • I’ve separated the framework from the programs; the framework is free and available for download from my website. More on the way!
  • To support both the framework and the programs, I've just finished a video that introduces the 5 questions; I have an optional workbook available and make a special offer at the end of the video.
  • I’m about to launch an online offering… stay tuned for details

$2.7 Million HIPAA Penalty For Two Smaller Breaches

  • Interesting info about the use of Google and the lack of a contract. How many other health companies are using Google or Microsoft to store some data? Do they have the contracts in place?

Is the GOP seriously considering endorsing vigilante hacking?!

  • The wording here is dangerous, and could encourage vigilante justice
  • So much could go wrong here, so much collateral damage
  • You’ll likely hear a re-start of the hack back debate
  • What if we just called it “forward looking research in a kinetic state?”

NIST declares the age of SMS-based 2-factor authentication over

  • Recommendation: use an app (like Google Authenticator), an RSA token or something similar rather than SMS
  • How will this affect all of the financial institutions that have SMS-based 2-factor? Even Google supports both SMS- and app-based.
  • This is an interesting change. Apparently just being released as part of their call for comments.
  • It’s not a ban; it’s a realization that through VoIP and the general approach to build our phone system, out of band isn’t as out of band as we’d think/like

The Ninth Circuit holds that accessing a website after receiving a cease and desist order does violate the CFAA

  • Curious if the reverse is true, then. And how bug bounties and other programs might create the invitation for people

A "famed hacker" is grading thousands of programs

Direct download: DtSR_Episode_205_-_NewsCast_for_August_2nd_2016.mp3
Category:NewsCast -- posted at: 10:59pm CDT
