The #DataInsecurity Digest | Issue 15

Issue 15 | March 2, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Welcome to your RSA edition of the #DataInsecurity Digest! Much of Washington’s data security elite have decamped to sunny San Francisco for the annual RSA Conferencea who’s who of data security researchers and policymakers. But, never fear, we remain here in early spring-time DC to cover the latest in data security-focused policy and consumer news.

The FTC’s new Consumer Sentinel Data Book is out, so we’ll be busy digging into the complaint data to see what trends are emerging in the data security space. Also In this edition of the #DID, we highlight a new effort by consumer groups (including yours truly) to work with the FTC to take a look at the problem of unwanted software—those pesky ad injectors and other bloatware that slow down your computer and leave it more vulnerable to malware. Also, the scope of the IRS breach keeps getting bigger—now up to 700,000 records affected (and possibly growing). In the Guardian, Tom Lamont takes a deep dive into the impact of the AshleyMadison.com breach and the lackluster response by parent company Avid Life Media. However, there’s a bit of silver lining in the breach world. According to new research from Mandiant, the average time to detect a breach fell to 146 days in 2015 from 205 days in 2014, so it’s not all doom and gloom!

And now, on to the clips!

—————– 

BREAKING: FTC Data Book shows continued uptick in ID theft complaints. For data security geeks, the publication of the FTC’s annual Consumer Sentinel Data Book is an opportunity to dig into one of the richest troves of complaint data available. This year is no different, with identity theft continuing to rank as a top consumer concern. With more than half a million complaints submitted to the agency, ID theft was the second-biggest complaint category in 2015. Phony debt collection ranked #1 this year, thanks in part to the contribution of telemarketing complaint service PrivacyStar. (Source: Federal Trade Commission)

Consumer groups call on FTC to convene workshop on unwanted software. In a letter to FTC Chairwoman Edith Ramirez, NCL and four other consumer groups urge the Commission to convene a workshop to examine the continuing problem of unwanted software. Wrote the groups: “Unwanted software are programs that consumers install inadvertently, typically because the program is bundled (often deceptively) with another program that the consumer intends to install. … In particular, we are concerned that unwanted software may disable security updates to operating systems, Web browsers or other essential software. This can leave consumers’ computers especially vulnerable to malware infections and raise the risk of fraud such as identity theft.” (Source: National Consumers League)

Drip, drip … IRS data breach keeps getting bigger. The hack of the IRS’s Get Transcript function was significantly worse than previously reported, said the agency’s Inspector General. The breach was originally thought to have compromised 114,000 accounts, but that number has since grown twice—first to 334,000, and now to as many as 724,000. Of note is the role that weak security at tax preparers may have played in the breach. Citing @otaalliance data, @cbsnews reports that “six out of 13 IRS-approved companies failed at providing adequate security to customers.” (Source: CBS News)

What was it like to be caught up in the AshleyMadison.com breach? Writing for the Guardian, @tomlamont has an incredibly in-depth look at what went on behind the scenes as Avid Life Media, the parent company of AshleyMadison.com, struggled to deal with one of the most sensitive data breaches in history. “The hack of Ashley Madison was historic – the first leak of the online era to expose to mass view not passwords, not pictures, not diplomatic gossip, not military secrets, but something weirder, deeper, less tangible. This was a leak of desires.” (Source: The Guardian)

Issa: Forcing Apple to break iPhone security “sets a dangerous precedent.” Amid all the discussion over Apple’s ongoing legal fight with the FBI over the bureau’s order that the tech giant help them gain access to a San Bernardino shooter’s iPhone, Congressman Darrell Issa took to the pages of WIRED to warn against unintended consequences of such an action. “Forcing Apple to manufacture new security vulnerabilities into its phones’ operating system in order to give the government access paves the way for these kinds of breaches to become all the more common. But even more alarming are the implications this decision would have for the online security of Americans for generations.” (Source: WIRED)

ICYMI: Rep. Johnson introduces mobile privacy, data broker bills. We missed this nugget in our last issue of the Digest, but on February 10, Congressman Hank Johnson (D-GA) introduced two bills to address mobile device privacy and security and data broker information collection practices. The good folks at @kslaw have the summary: “The Apps Act [would require mobile app developers] to take ‘reasonable and appropriate measures’ to safeguard the data they collect from users. The Apps Act authorizes the FTC to enforce these requirements under its existing unfair and deceptive trade practices authority codified in Section 5 of the FTC Act and permits state enforcement actions as well.” (Source: King and Spaulding)

Splunk SVP: Why cyber needs to be a priority on the 2016 campaign trail. Haiyan Song of security firm Splunk (tweeting from @SplunkGov) lays out why cybersecurity is becoming a bigger part of the campaign agenda. “The fact that we’re seeing regular, in-depth media coverage and ongoing discussions in Washington around cybersecurity proves this issue is more than a trend, it’s a sign that cybersecurity has become a national priority.” (Source: The Hill)

1,700 kids’ records exposed at uKnowKids. Chris Vickery, whose security research has exposed breaches at Microsoft, MacKeeper, and elsewhere, has another site to add to his rosterchild-tracker app maker uKnowKids. Writing in the Register, @jleyden notes that “[a] misconfigured database at uKnowKids.com exposed the data of 1,700 children, their personal messages, social media profiles, and images. More than 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles were left exposed, according to Vickery. This includes first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more.” (Source: The Register)

OPM breach claims CIO. The ongoing saga of the data breach at the Office of Personnel Management (OPM), which compromised the data of more than 20 million federal employees, has claimed another victimthe agency’s CIO. Donna Seymour, OPM’s top cybersecurity officer resigned on February 22, two days in advance of new hearings in the House of Representatives on the breach. And it wouldn’t be Washington if politics didn’t intrude, writes @ErinVKelly. Said House Oversight Committee Chair Jason Chaffetz: “Her retirement is necessary and long overdue. On her watch, whether through negligence or incompetence, millions of Americans lost their privacy and personal data.” Ranking Member Elijah Cummings fired back: “Efforts by Republicans to blame her for the cyber attack on OPM are both unfair and inaccurate. And they set a terrible precedent that will discourage qualified experts from taking on the challenges that face our nation in the future.” (Source: USA TODAY)

Wendy’s data breach lawsuits start to roll in. Consumers are looking to the courts for compensation in response to a point-of-sale terminal breach at Wendy’s restaurants. Notes @LegalNewsline: The suit alleges Wendy’s could have prevented the data breach by adopting technology that helps make transactions more secure, especially as the software used in the data breach was allegedly likely a variant of the ‘BlackPOS’ strain that hackers used in last year’s data breach at many other retail establishments.” (Source: LegalNewsline)

WSJ: Microsoft upping its cybersecurity game. Recognizing the ubiquity of threats to its many platformsPCs, mobile devices, and gaming consolesMicrosoft is making news for its new Cyber Defense Operation Center. Writes @greene, “‘Microsoft has been on the fringe of security for some time,’ said Duncan Brown, research director at IDC Research Inc. ‘Now, they are putting it at the center of operations.’” (Source: Wall Street Journal)

“Breach stats: Improving from abysmal to just awful.” @ErickaChick has the story on new data out from Mandiant M-Trends showing gradual improvement in breach response times. “[T]he median number of days it takes for victim firms to discover breaches dropped significantly to 146 days from 205 days in 2014. This is the fourth year in a row that the number has fallen. Compared to 416 days of 2011, this figure shows the industry has made marked improvements.” (Source: Information Week) 

Upcoming events

RSA Conference – February 29-March 4 – San Francisco, CA
The premier conference for Internet security professionals. Agenda will include speakers from the DOJ, DOE, Department of Homeland Security, FBI, and NSA, among others.

National Consumer Protection Week – March 6-12 – Nationwide
The FTC is the hub for the annual National Consumer Protection Week. Among the topics on tap this year: identity theft and technology.