The #DataInsecurity Digest | Issue 20 – National Consumers League

Issue 20 | May 10, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: It was another “banner” week for data breaches, with hundreds of millions of compromised email account credentials discovered in a trove made available by a Russian hacker. While the bulk of the cache were for Mail.ru accounts, tens of millions corresponded to Gmail, Yahoo!, and Hotmail accounts. And if that wasn’t enough, we’re hearing about tens of millions of other accounts from online dating services Zoosk and Fling.com, and virtual pet community Neopets being leaked. If you missed World Password Day last week, hopefully this news is the kick in the pants you need to get serious about enabling multi-factor authentication and stop reusing those passwords. But don’t take our word for it, Betty White says MFA is good for you too!

In other data security news, we missed the publication of the bellwether Verizon Data Breach Investigations Report last issue, but never fear! We have the TL:DR version for you in this, our 20th edition of the #DataInsecurity Digest. Finally, don’t forget to read my USA Today piece on the link between the rise in unwanted software infections and identity fraud risk!

And now, on to the clips!

—————–

Should the FTC take a closer look at unwanted software problem? You may have noticed a familiar byline in USA Today last week. *smile* The link between unwanted software — the source of many of those annoying pop-ups consumers see online — and identity fraud is something consumer groups urged the FTC to investigate earlier this year. I write: “…the greatest danger of unwanted software is that it often disables security updates to computer operating systems, Web browsers or other essential software like anti-virus tools. This leaves consumers’ computers especially vulnerable to malware infections, dramatically raising the risk of fraud such as identity theft.” (Source: USA Today)

272.3 million compromised email credentials discovered on cyber black market. Milwaukee-based @holdsecurity, has identified more than 272 million unique compromised email accounts on an online Russian black market, including tens of millions of Gmail, Yahoo!, and Hotmail accounts. The firm, which has played a role in uncovering breaches at JPMorgan, Adobe, and elsewhere, identified the credentials as part of a cache of 1.1 billion records on offer from a Russian hacker. @auchard has the story for Reuters: “Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the web. … Hackers know users cling to favourite passwords, resisting admonitions to change credentials regularly and make them more complex. It’s why attackers reuse old passwords found on one account to try to break into other accounts of the same user.” (Source: Reuters)

Even more accounts hacked – 57.2 million accounts for sale on dark web. Another hack, unrelated to the Russian hack, came to light last week. While as yet unconfirmed, signs point to much of the data coming from online dating service Zoosk. @zackwhittaker has the story for ZDNet: “Hackers last year quietly stole a database containing the details of over 57 million people. The breach has only come to light this week, after the stolen data was put up for sale on the dark web. The breach data contains data spanning three years between 2012 and 2015, including usernames, email addresses, and passwords that were hashed with the MD5 algorithm, which nowadays is easy to crack. Many cell phone numbers and Facebook usernames are also in the cache.” (Source: ZDNet)

Neopets allegedly hacked, too. Virtual pet community Neopets is also getting some unwanted attention over allegations that it lost tens of millions of users’ account credentials, possibly dating as far back as 2014. While details are still sketchy, users typically provide an email address, and provide a limited amount of personal information, such as their gender, country, state, and date of birth during the sign-up process. Neopets has more than 90 millions users, many of which are young children. (Source: Motherboard)

40 million credentials from Fling.com for sale on the dark web too. Motherboard’s @josephfcox’s “Another Day, Another Hack” column is quickly turning into required reading. Last week, he also broke news about a breach at adult dating site Fling.com that may have exposed 40 million records containing “email addresses, usernames, plain text passwords, IP addresses, dates of birth, and more.” According to Cox, “[r]ecords also indicated whether the account was a free or paid version, and what gender and sort of relationships the user was interested in, such as ‘fetish,’ ‘group sex,’ ‘online flirting,’ or ‘other.’” (Source: Motherboard)

NCSA: As if you needed another reason to turn on multi-factor authentication… The Russian email hack news broke, appropriately, on World Password Day. Our colleagues at @StaySafeOnline are using the opportunity to remind everyone that the email address/password combination is no longer safe enough to protect your accounts. Turn on multi-factor authentication! Writes @MKaiserNCSA: “Logging on multiple times daily to our most frequently used accounts seems like second nature, but incidents like this reminds us of the need to be vigilant in protecting our personal online information … A simple, critical first step in this process is securing all email, social media and financial accounts, by making use of available security tools such as multi-factor authentication that provide an additional layer of protection and make it significantly harder for accounts to be accessed by others.” (Source: National Cyber Security Alliance)

Dessert: Even Betty White is getting into the safer password game! Everyone’s favorite Golden Girl is getting in on the multi-factor game. If you watch one thing today, it should be Betty saying “passwords … they annoy the [bleeping] heck out of me.” (Source: Passwordday.org)

TONIGHT: Politico Cocktails and Conversation event focusing on health care breach risk. A tip ‘o the cap to @dandiamond of POLITICO Pulse for alerting us to their great event tonight looking at medical privacy in the age of cyber attacks. The panel will include Brooking’s @niamyaraghi who recently examined the link between the federal government’s meaningful use program and the growth in healthcare data breaches. (RSVP here. Doors open at 5:15pm at the District Architecture Center – 421 7th St. NW Washington, DC).

Republican Study Committee: IRS breach another reason to shut down agency. Last year’s breach at the Internal Revenue Service is now fodder in conservative Republicans quest to shut down the agency. (Source: Forbes)

Heritage: Obama cybersecurity policy efforts “Too Little, Too Late.” The conservative Heritage Foundation is also taking aim at cybersecurity lapses by the Obama Administration. David Shedd writes that the president’s Cybersecurity National Action Plan will do little to address the weaknesses that led to breaches at OPM and the Department of Energy, “I agree with the president as to the need for a national cybersecurity plan. Unfortunately, the evidence points to years of cybersecurity complacency and outright incompetence. The poor-to-failing cybersecurity grades across all federal agencies illustrates that this administration does not have a “record of boosting cybersecurity.” Why should be we confident that this administration will follow through?” (Source: TNS)

Verizon Data Breach Investigations Report points the finger at us humans. One of the key dates on the calendar for data security geeks like us is the annual publication of Verizon’s Data Breach Investigations Report. The report is a must-read. Topline threats continue to include methods that rely on human fallibility – phishing, exploiting weak passwords, and ransomware. “You might say our findings boil down to one common theme — the human element,” said Bryan Sartin, executive director of global security services, Verizon Enterprise Solutions. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?” (Source: Verizon)

Myers: Paying ransomware crooks only makes the problem worse. @LysaMyers, a security researcher for the ESET firm took to the pages of Passcode to chide those who would pay ransomware scammers to decrypt their files. Writes Myers: “To be sure, it’s a tough decision whether to pay or risk losing data. But paying should never, ever be the first, second, or even third option. There’s something wrong if the working assumption is that businesses, organizations, or individuals just pay without working on a solution to recover the data on their own – or just decide they are going to live without those pictures, files, and documents. And anyone with viable backups should greet cybercriminal’s ransom demands with a smug scoff, and then quickly restore affected files.” (Source: Passcode)

Upcoming events

June 15 – FTC Start with Security – Chicago – Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.

National Consumers League
Published May 10, 2016