More stories


    Founder of cryptocurrency hedge funds charged over $90 million theft

The founder of a pair of cryptocurrency hedge funds in New York has been charged with stealing $90 million from clients.

    According to the US Department of Justice (DoJ), Stefan He Qin, the founder of Virgil Sigma Fund LP and VQR Multistrategy Fund LP, siphoned away investor funds for “years” while enjoying an extravagant lifestyle. 
    The case was presided over by US District Judge Valerie Caproni at the United States District Court for the Southern District of New York.
On Thursday, US prosecutors said that from 2017 through 2020, Qin operated the two New York-based funds. Virgil Sigma was touted as a fund that took advantage of speculative cryptocurrency market opportunities and claimed to use a trading algorithm to reap profits by monitoring price changes across exchanges.
    The 24-year-old Australian national hoodwinked investors into believing that the fund was a safe bet as a “market-neutral” fund. During investor meetings and PR calls, Qin said that Virgil Sigma was profitable month after month — with the exception of March 2017 — and also claimed that over $90 million in assets were under active management. 
    In February 2020, Qin created VQR, a hedge fund that “was poised to make or lose money based on the fluctuations in the value of cryptocurrency and was not market-neutral,” according to the DoJ. This fund held $24 million on behalf of investors. 
    However, Virgil Sigma funds were embezzled. The cash was used by Qin to pay for personal expenses including penthouse rent and services, as well as to make personal cryptocurrency and speculative investments, including those in Initial Coin Offerings (ICOs) that had nothing to do with the hedge fund. 

    It did not take long for “nearly all of the investor capital” in Virgil Sigma to drain away, US prosecutors say. 
    As Qin continued to pretend that the hedge fund was making a substantial profit, more investors flocked to the fund. In turn, he was able to pay off client redemption requests — at least, until the summer of 2020.
    Qin was suddenly unable to meet redemption requests, and so attempted to steal from VQR by way of fund transfers. In December 2020, he ordered the head trader at VQR to wind down all trading positions and transfer the funds to Virgil Sigma. 
    By this point, the fraud had been exposed. 
    “Stefan He Qin drained almost all of the assets from the $90 million cryptocurrency fund he owned, stealing investors’ money, spending it on indulgences and speculative personal investments, and lying to investors about the performance of the fund and what he had done with their money,” commented US Attorney Audrey Strauss. “The whole house of cards has been revealed, and Qin now awaits sentencing for his brazen thievery.”
    Qin pled guilty to one count of securities fraud, an offense that carries a maximum term of 20 years in prison. Sentencing is scheduled for May. 
    Last month, a San Francisco resident was sentenced to six months in prison and was ordered to pay damages of $4.4 million after being found guilty of defrauding investors. The 33-year-old represented himself as a cryptocurrency and ICO consultant, but once he secured investments, he simply embezzled the funds. 


    Plex Media servers are being abused for DDoS attacks

    DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks, security firm Netscout said in an alert on Wednesday.
The alert warns owners of devices that ship with Plex Media Server, a web application for Windows, Mac, and Linux that is usually used for video or audio streaming and multimedia asset management.
The app can be installed on regular web servers, but it more commonly ships pre-installed on network-attached storage (NAS) systems, digital media players, and other types of multimedia-streaming IoT devices.
    Plex Media servers punch a hole in router NATs
    Netscout says that when a server/device running a Plex Media Server app is booted and connected to a network, it will start a local scan for other compatible devices via the Simple Service Discovery Protocol (SSDP).
    The problem comes when a Plex Media Server discovers a local router that has SSDP support enabled. When this happens, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414.
    Since the SSDP protocol has been known for years to be a perfect vector to amplify the size of a DDoS attack, this makes Plex Media servers a juicy and untapped source of DDoS bots for DDoS-for-hire operations.
    Netscout says that attackers only have to scan the internet for devices with this port enabled, and then abuse them to amplify web traffic they send to a DDoS attack victim.

    According to Netscout, the amplification factor is around 4.68, with a Plex Media server amplifying incoming PMSSDP packets from 52 bytes to around 281 bytes, before sending the packet to the victim.
    27K+ Plex Media servers are exposed on the internet
    The security firm said it scanned the internet and found 27,000 Plex Media servers left exposed online that could be abused for DDoS attacks.
Furthermore, some servers have already been abused. Netscout said that not only has it seen DDoS attacks using Plex Media servers, but that this vector is now becoming common.
    “As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population,” the company said.
    According to Netscout, past PMSSDP attacks have reached around 2-3 Gbps, but the servers could be combined with other vectors for much larger attacks.
This is Netscout’s second warning this year about a new DDoS attack vector discovered being abused in the wild. In January, the company warned that Windows Remote Desktop Protocol (RDP) servers were also being abused for DDoS attacks.
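An added example, not from the article or from Netscout's own tooling, of the defender-side check this implies: it scans flow records for UDP traffic sourced from port 32414 and flags both hosts on your network being hit by many outside Plex servers at once (reflected attack traffic) and your own Plex servers answering many outside addresses (your server being used as a reflector). The flow-record format, the 203.0.113.0/24 "our network" range, and the reflector threshold are constructed assumptions.

```python
"""Flag PMSSDP (UDP source port 32414) reflection in flow records.

Constructed flow-record format, one record per line (an assumption):
  <epoch> <proto> <src_ip>:<sport> <dst_ip>:<dport> <bytes> <packets>
"""
import ipaddress
from collections import defaultdict

PMSSDP_PORT = 32414                                   # port Plex exposes via NAT-PMP/UPnP
OUR_NET = ipaddress.ip_network("203.0.113.0/24")      # assumed: our public range
MIN_PEERS = 3                                         # assumed threshold of distinct peers


def parse_flow(line):
    """Split one constructed flow record into a dict of typed fields."""
    ts, proto, src, dst, nbytes, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "bytes": int(nbytes), "pkts": int(pkts)}


def find_pmssdp_abuse(lines):
    """Return (victims, abused_servers).

    victims: our hosts receiving PMSSDP responses from >= MIN_PEERS outside servers.
    abused_servers: our hosts sending PMSSDP responses to >= MIN_PEERS outside addresses.
    """
    inbound = defaultdict(lambda: {"peers": set(), "bytes": 0, "pkts": 0})
    outbound = defaultdict(lambda: {"peers": set(), "bytes": 0, "pkts": 0})
    for line in lines:
        f = parse_flow(line)
        # Only UDP responses sourced from 32414 are PMSSDP replies; skip the rest.
        if f["proto"] != "UDP" or f["sport"] != PMSSDP_PORT:
            continue
        src_ours = ipaddress.ip_address(f["src"]) in OUR_NET
        dst_ours = ipaddress.ip_address(f["dst"]) in OUR_NET
        if dst_ours and not src_ours:          # replies arriving at one of our hosts
            rec, peer = inbound[f["dst"]], f["src"]
        elif src_ours and not dst_ours:        # our Plex server replying outward
            rec, peer = outbound[f["src"]], f["dst"]
        else:
            continue
        rec["peers"].add(peer)
        rec["bytes"] += f["bytes"]
        rec["pkts"] += f["pkts"]

    def summarise(table, label):
        return {ip: {label: len(r["peers"]), "bytes": r["bytes"],
                     "avg_bytes_per_pkt": r["bytes"] / r["pkts"]}
                for ip, r in table.items() if len(r["peers"]) >= MIN_PEERS}

    return summarise(inbound, "reflectors"), summarise(outbound, "targets")


# Constructed sample records: four outside Plex servers answer toward one of our hosts,
# one lone reply is ordinary discovery traffic, and one of our own Plex servers answers
# three outside addresses (the reflector case). Reply sizes use the 281-byte figure.
SAMPLE_FLOWS = [
    "1612400000 UDP 198.51.100.1:32414 203.0.113.10:443 562 2",
    "1612400000 UDP 198.51.100.2:32414 203.0.113.10:443 281 1",
    "1612400001 UDP 198.51.100.3:32414 203.0.113.10:443 843 3",
    "1612400001 UDP 198.51.100.4:32414 203.0.113.10:443 281 1",
    "1612400002 UDP 198.51.100.9:32414 203.0.113.20:50123 281 1",
    "1612400003 UDP 203.0.113.50:32414 192.0.2.7:80 281 1",
    "1612400003 UDP 203.0.113.50:32414 192.0.2.8:80 281 1",
    "1612400004 UDP 203.0.113.50:32414 192.0.2.9:80 281 1",
    "1612400005 TCP 203.0.113.10:51000 192.0.2.1:443 1200 4",
]
```

A host that shows up in the second result set is a Plex server whose PMSSDP port is reachable from the internet, which is the exposure the article describes; closing the forwarded UDP/32414 rule on the router removes it.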


    Google patches an actively exploited Chrome zero-day

Google today released version 88.0.4324.150 of the Chrome browser for Windows, Mac, and Linux. The release contains only one bugfix, for a zero-day vulnerability that was exploited in the wild.

    The zero-day, which was assigned the identifier of CVE-2021-21148, was described as a “heap overflow” memory corruption bug in the V8 JavaScript engine.
    Google said the bug was exploited in attacks in the wild before a security researcher named Mattias Buelens reported the issue to its engineers on January 24.
    Two days after Buelens’ report, Google’s security team published a report about attacks carried out by North Korean hackers against the cyber-security community.
    Some of these attacks consisted of luring security researchers to a blog where the attackers exploited browser zero-days to run malware on researchers’ systems.
In a report on January 28, Microsoft said that the attackers most likely used a Chrome zero-day for their attacks. In a report published today, a South Korean security firm said it discovered an Internet Explorer zero-day used for these attacks as well.
Google did not say today whether the CVE-2021-21148 zero-day was used in these attacks, although many security researchers believe it was, given the proximity of the two events.

Regardless of how this zero-day was exploited, regular users are advised to use Chrome’s built-in update feature to upgrade their browser to the latest version as soon as possible. This can be found via the Chrome menu, under Help, in the About Google Chrome section.
Before today’s patch, Google went through a spell last year in which it patched five actively exploited Chrome zero-days in a span of three weeks.


    NortonLifeLock adds 334,000 customers in one quarter

    Growing awareness of the importance of digital security is driving customer growth for NortonLifeLock, the company said Thursday. In its third quarter financial results, the company reported a direct customer count of 21 million, up by 876,000 year-over-year and by 334,000 quarter-over-quarter. 
    “Our vision to protect and empower everyone to live their digital lives safely has never been more relevant than it is today,” CEO Vincent Pilette said in a statement. “Consumers are seeing the value of Cyber Safety with nearly 60% of our customers using Norton 360. We are accelerating our investments in new products and customer experiences that are driving our growth momentum, and with the Avira acquisition, we are just getting started.”
    NortonLifeLock’s non-GAAP diluted EPS was 38 cents on revenue of $639 million, up 3 percent.
    Analysts were expecting earnings of 37 cents per share on revenue of $630.53 million.
    Consumer reported billings in the quarter came to $700 million, up 10 percent. Average revenue per user was $9.10 per month, up 1 percent. 
    NortonLifeLock also said its board of directors has declared a quarterly cash dividend of $0.125 per common share to be paid on March 17.
    For the fourth quarter, the company is expecting revenue in the range of $655 million to $665 million.



    Fortinet delivers strong Q4, bolsters FortiOS with Zero Trust Network Access

    Fortinet delivered strong fourth quarter growth and updated its FortiOS operating system with more than 300 new features including Zero Trust Network Access capabilities and tools to better secure networks and proliferating end points.
    The updates come as the company said it will focus on growth for the quarters ahead. Fortinet delivered fourth quarter revenue of $748 million, up 21% from a year ago, with net income of 89 cents a share.
For the fourth quarter, Fortinet’s non-GAAP earnings of $1.06 a share were above expectations. The company said demand for its security platform was strong. Wall Street had expected Fortinet to report fourth quarter earnings of 97 cents a share on revenue of $722.4 million.
    For 2020, Fortinet delivered earnings of $2.91 a share on revenue of $2.59 billion, up 20% from a year ago. Non-GAAP earnings for 2020 were $3.35 a share.
    Ken Xie, CEO of Fortinet, said “given the many growth opportunities that lie ahead for us, we plan to shift our focus more to growth for at least the next several quarters.”
For the first quarter, Fortinet is projecting revenue between $670 million and $685 million with non-GAAP earnings of 70 cents to 75 cents a share. For 2021, Fortinet is projecting revenue of $3.02 billion to $3.07 billion with non-GAAP earnings of $3.60 to $3.75 a share.
    FortiOS 7.0 lands as Fortinet is aiming to create a platform that will cover data centers, clouds, edge computing end points and networks. Fortinet Security Fabric is powered by FortiOS.

Among the key updates:
• Zero Trust Network Access for Remote Access and Application Control for FortiGate firewall customers. The Zero Trust set-up is designed to replace traditional VPNs and cut the attack surface by verifying the user and device for every application session.
• Cloud-based SASE security as a service.
• Self-healing SD-WAN tools with remediation tools that can adapt for passive application monitoring as well as various cloud deployments.
• Security for 5G and LTE.
• Adaptive cloud security to manage hybrid and multi-cloud deployments.
• Network security tools to improve efficiency and integrate with FortiManager/FortiAnalyzer.
• The FortiGuard security service with advanced tools for remote work.
Fortinet said FortiOS 7.0 will be available at the end of the first quarter.


    We need privacy and security for communications, and there’s an app for that

    Our communications need to be both private and secure. The recent uproar about WhatsApp’s changes to its privacy policy is a good reminder of that fact. While the changes had implications for consumers who use WhatsApp, the concerns also made their way into the enterprise. CISOs have seen discussions quickly morph from personal concerns about privacy to enterprise security concerns about using WhatsApp for business communications. 


    The common question: Is WhatsApp “safe” to use for business communications?  Consider a follow-up question: What do we do, and what can we do, about it? 
    Understand the risks to the business to help make the case for change
    Your business is exposed to privacy, security, reputation, and compliance risks when employees use consumer tools for business purposes. If someone is targeting your organization specifically, it is useful to know that employees regularly communicate business info freely on such a channel. It likely wouldn’t be too difficult to discover if employees talk about it as a tool they use for work or encourage customers or others to use it to communicate with them. 
Consumer apps aren’t built for business use. End-to-end encryption protects data in transit, and the app provider doesn’t see the content, yet data is still vulnerable on devices. Malware on phones enables hackers to read messages. Someone else picking up an employee’s phone may be able to see messages if there’s no PIN protecting access to the phone or to the app. There is also no guarantee that an individual is using two-step verification or is not automatically backing up their messages to the cloud. They could also save messages to share with others outside of the company, or screenshot freely, and the recipient can do whatever they wish with them. Additionally, vertical-specific compliance guidelines, such as those of the FFIEC (Federal Financial Institutions Examination Council), may also require that you retain business-related text messages.
    Explore how purpose-built tools for secure, private, and compliant business communications can help
    Enterprises typically already have corporate-sanctioned tools for employee communication and collaboration like Google Chat or Microsoft Teams. Sometimes, they need more. They may find that they have use cases where another purpose-built tool is better suited for their needs. For general-purpose business communications and collaboration, tools such as Wickr and Wire include messaging/chat functionality, as well as other features like videoconferencing and file sharing. Tools like KoolSpan and CellTrust enable secure voice calling and more. 
    Options exist with added controls and features that make these offerings suitable for business communications. These can include capabilities such as administrative controls to revoke user access and adjust settings, encryption, the option to host on-premises or in private cloud, metadata protection, or integrations with enterprise applications. Some also offer the option of a portable phone number or use of the app independent of a mobile phone number so that employees are not using their personal phone number for business. 

    What to do next — because change doesn’t happen overnight 
    Provide clear guidance for acceptable communication tools for employees. Consider this a part of security awareness training so that employees understand the risks. This human element is the most important factor. Changing behavior is the most challenging component, especially when consumer apps are a convenient option. 
    Identify your audience, their use case, and employee requirements. Will a new tool serve a segment of the employee population, or is it meant to be used companywide? Determine if employees will need voice, text messaging, document sharing, video, or some other combination of functionality. Will you require integration with key systems (e.g., mobile device management or an archiving solution)? Clarity about these requirements in your initial planning will help narrow your shortlist of vendors and find the best fit for both your workforce and security needs. 
    Build a network of business user champions. These individuals evangelize the use of the tool internally with their peers and provide feedback from initial testing and tool selection through deployment. Target your messaging to best appeal to organizational culture and your workforce. In healthcare, this may be about promoting patient outcomes. For a manufacturer, protecting its competitive edge and reputation may resonate with employees. If no one wants to or can easily use the tool, you’re back at square one. 
This post was written by Principal Analyst Heidi Shey, and it originally appeared here.


    Google paid $6.7 million to bug bounty hunters in 2020

    Google said today it paid more than $6.7 million in bug bounty rewards to 662 security researchers across 62 countries for submitting vulnerability reports in Google products last year.

    The figure, up from the $6.5 million the company paid in 2019, is the company’s largest prize pool paid to security researchers to date.
    Most of last year’s bug prizes were awarded in the Chrome VRP (Vulnerabilities Rewards Program), which handed out more than $2.1 million to security researchers for 300 bugs identified in Google’s flagship browser.
    Another major VRP was the company’s Android programs. Google said it gave out $1.74 million for bugs discovered in the Android OS code and another $270,000 in the Google Play VRP for bugs found in the Play Store’s most popular and widely used Android apps.
Among the Android VRP’s main highlights last year, Google listed the following:
• We awarded our first-ever Android 11 developer preview bonus, which paid out over $50,000 across 11 reports. This allowed us to patch the issues proactively before the official release of Android 11.
• Guang Gong (@oldfresher) and his team at 360 Alpha Lab, Qihoo 360 Technology Co. Ltd., now hold a record eight exploits (30% of the all-time total) on the leaderboard. Most recently, Alpha Lab submitted an impressive 1-click remote root exploit targeting recent Android devices. They maintain the top Android payout ($161,337, plus another $40,000 from Chrome VRP) for their 2019 exploit.
• Another researcher submitted an additional two exploits and is vying for the top all-time spot with an impressive $400,000 in all-time exploit payouts.
• We launched a number of pilot rewards programs to guide security researchers toward additional areas of interest, including Android Auto OS, writing fuzzers for Android code, and a reward program for Android chipsets.
On top of these, Google also said more than $400,000 was sent to security researchers through its research grant program, which the company uses to fund innovative areas of security research.
More than 180 security researchers received grants last year; they submitted 200 bug reports that yielded 100 confirmed vulnerabilities in Google products and the open-source ecosystem.

This year will mark the Google VRP’s 10th anniversary.


    SoloKeys Solo V2

    Netgear BR200 small-business router

The Netgear BR200 Insight Managed Business Router has been designed to be easy to set up, and features a built-in firewall, VLAN management, and remote cloud monitoring, and can be