RansomHouse Extortion Group Claims AMD as Its Latest Victim (techcrunch.com) 16
AMD said it is investigating a potential data breach after RansomHouse, a relatively new data cybercrime operation, claims to have extorted data from the U.S. chipmaker. From a report: An AMD spokesperson told TechCrunch that the company "is aware of a bad actor claiming to be in possession of stolen data," adding that "an investigation is currently underway." RansomHouse, which earlier this month claimed responsibility for a cyberattack on Shoprite, Africa's largest retailer, claims to have breached AMD on January 5 to steal 450 GB of data. The group claims to be targeting companies with weak security, and claimed it was able to compromise AMD due to the use of weak passwords throughout the organization.
"An era of high-end technology, progress and top security... there's so much in these words for the crowds. But it seems those are still just beautiful words when even technology giants like AMD use simple passwords to protect their networks from intrusion," RansomHouse wrote on its data leak site. "It is a shame those are real passwords used by AMD employees, but a bigger shame to AMD Security Department which gets significant financing according to the documents we got our hands on -- all thanks to these passwords." Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch there's no reason to doubt the group's claims.
"An era of high-end technology, progress and top security... there's so much in these words for the crowds. But it seems those are still just beautiful words when even technology giants like AMD use simple passwords to protect their networks from intrusion," RansomHouse wrote on its data leak site. "It is a shame those are real passwords used by AMD employees, but a bigger shame to AMD Security Department which gets significant financing according to the documents we got our hands on -- all thanks to these passwords." Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch there's no reason to doubt the group's claims.
Passwords (Score:2)
People will never stop using the same password at work with a number at the end that increments up every time they are made to change a password.
Re: (Score:2)
Why the hell is any corporation still allowing connections into their network with nothing more than a password? What year is it?
Re: (Score:2)
Cheapskates doesn't care what year it is. Why pay for security if nothing bad has happened so far.
Re: (Score:1)
Cheapskates doesn't care what year it is. Why pay for security if nothing bad has happened so far.
Why give a shit when cheapskates go out of business for their ignorance? Oh wait, that's right. Because No Company Left Behind funding and Too Big To Fail bailouts, right?
And you wonder why companies are delusional about security recommendations or even mandates.
Re: (Score:2)
Costs start adding up.
Re: (Score:2)
Understandable when security devices start at $50 and then go up from there.
Costs start adding up.
Bullshit. The simple 2FA uses the users's phone and is essentially free. Sure, a dedicated token runs you $30 or so, but that is it. If you buy small numbers. That is essentially nothing compared to what an employee-hour costs. Personally I have some higher-security stuff on a kindle fire (no RF part, WiFi in airplane mode) that also cost me $30 used. Hence anybody not doing this because of cost is an idiot that does not understand the basics of risk-management.
Re: (Score:3)
The phrasing makes it sound like a 'crunchy on the outside, soft on the inside' approach, where a VPN is used to distinguish good from bad. The good news is that narrows the problem domain to a single software suite and you can in fact implement more robust security in a straightforward way. The bad news is this is inadequate, as while it mitigates, when an attacker does piggyback on a compromised system to gain access on the 'soft' side, they can just go to town. Some have the opinion this is even worse
Re: (Score:2)
No, it's not that bad.
Most of them also require a username.
Re: (Score:1)
People will never stop using the same password at work with a number at the end that increments up every time they are made to change a password.
Sure they will. Implement much better password minimums. Or better yet, implement MFA. And if that doesn't work, then fire your fucking incompetent morons who can't manage to authenticate to a computer in the 21st Century.
And if people can recall their favorite song lyrics verbatim then spare me your bullshit excuses about passphrases being "too long".
Re: (Score:2)
Long phrases can in fact be far more memorable than the bullshit passwords everyone has been trained to try to 'harden'. Having a sentence that's over 20 characters long with natural spacing, characters, and grammar is easy to type, but will stand up to cracking attempts unless someone mismanaged or allowed phishing.
But the password mismanagement and phishing potential means people really need to be pushing on the software industry for more consistent support of better authentication. Unfortunately while
Re: (Score:3)
Anybody that still makes people change passwords regularly is simply _incompetent_. It fosters exactly this type of crap. It is a ritual that has been meaningless for at least a decade. NIST has dropped the requirement several years ago and even the notoriously slow BSI dropped it without replacement in 2020.
Also, any actual IT security expert knows that passwords only go so far and hence does 2FA for anything that protects real value. It is easy these days. I recently put it even on my Linux SSH logins. An
Re: (Score:2)
The problem with 2FA, especially in a big company, is support.
Phone based 2FA is especially annoying because users can be expected to change phones periodically, and almost everyone will u
RandomHouse (Score:5, Funny)
Re:RandomHouse (Score:4, Funny)
My first thought was that it's sad that Random House has been doing so badly that they've turned to crime.
to the editors and the fancy folks at techcrunch: (Score:2)
a relatively new data cybercrime operation, claims to have extorted data from the U.S. chipmaker.
An AMD spokesperson told TechCrunch that the company “is aware of a bad actor claiming to be in possession of stolen data,”
extort
verb
obtain (something) by force, threats, or other unfair means.
"he attempted to extort money from the company"
yw
Better deal (Score:1)
Seems like a much better deal than Random House. If you don't pay, they publish all of your works for free.