The #DataInsecurity Digest | Issue 26

Issue 26 | August 3, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: We are excited to launch the first of our new series of interviews with thought leaders in the data security policy space, and we could not have hoped for a better inaugural interview than one with FTC Commissioner Terrell McSweeny! Excerpts from our chat are below, and the full interview is available online.

Data security was headline news this week thanks to a leak of 20,000 embarrassing emails taken in a hack of the Democratic National Committee (DNC), allegedly the work of Russian hackers. The disclosure cost DNC Chairwoman Rep. Debbie Wasserman Schultz her job and created a lot of heartburn at a critical moment for the presidential campaign of Hillary Clinton. And more seems set to come, with a new leak of voicemails from the DCCC. All of these breaches have security officials considering whether campaign computer systems should be considered critical infrastructure.

A quick note on scheduling: Like many of you, we’re taking some well-deserved R&R in August. We’ll be back with another edition of the #DataInsecurity Digest on August 31.

——————

Thought Leaders interview with FTC Commissioner Terrell McSweeny

To kick off the #DataInsecurity Thought Leaders series, we were honored to get FTC Commissioner Terrell McSweeny to answer a range of emailed questions about data security policy, including her thoughts on the latest mega-breaches, identity fraud, ransomware encryption, and much more. Excerpts are below and you can read the full interview here.

NCL: What is the state of data security in America? Should consumers be concerned about what companies, the government, and other organizations are doing (or not doing) to safeguard the data that companies hold about them?

Cmmr. McSweeny: The good news is many firms have taken the idea of security by design to heart and have integrated security into the product design process from the start. Many companies do have robust defense-in-depth security architectures to protect consumer data. On the other hand, there is a wide spectrum of data security practices in the marketplace, and it can be difficult for consumers to know what is going on behind the scenes at the companies that hold their data. I’m particularly concerned about the security of so-called “Internet of Things” products – connected appliances, wearables, cars, televisions, etc.

NCL: You’ve become something of a regular at some of the more popular hacker conferences like Black Hat and DEFCON in recent years. What are you hearing at these conferences that has influenced how you’re doing your job at the FTC?

Cmmr. McSweeny: I think it is important to understand as much as possible about how technology works. I always learn a lot from security researchers I meet at these kinds of conferences and from the presentations of research at them. Some of our cases even come to our attention thanks to the work of hackers. I think it is important for the FTC to continue to build relationships with researchers who can be important partners in our work to protect consumer data security and privacy.

NCL: There has been a lot of discussion recently around the issue of encryption, backdoors, and iPhone passcodes. Earlier this year, you wrote about concerns that businesses may be implementing encryption in insecure ways. Has your view about encryption technology evolved given all of the debate around the issue? How does the FTC help consumers take advantage of the security protections that encryption provides?

Cmmr. McSweeny: I personally have highlighted encryption as a vital practice that can allow firms to store and transmit personal information securely. I’m concerned that mandating back doors to break encryption would weaken security protections for consumers and make them worse off. As we connect more things in our daily lives – such as our TVs, watches, appliances, cars – we will increasingly need tools like encryption to make sure that they remain secure. The FTC advises consumers that encryption is key to keeping their information secure, whether it’s transmitted to a website, to a mobile app, or through a wi-fi hotspot.

NCL: Back in 2005, the FTC released a staff report on the threat of spyware, adware, and other unwanted software. In 2008, the Commission testified about the threat of spyware and the principles it relies on in enforcement actions against spyware operators. We recently sent an alert about the related issue of unwanted software (UwS). What are your thoughts on the growing phenomenon of UwS and the threats it may pose to consumers’ online security? Can the FTC do more to protect consumers from UwS?

Cmmr. McSweeny: Unwanted software remains a problem, and we have put out some consumer education on how to avoid it and remove it, including telling consumers to obtain well-known software only directly from manufacturers’ websites, and to be alert when installing new software. This is the type of problem that really needs a broad technological solution, and I know that industry members – such as browser manufacturers – are working diligently to fight the problem, including issuing alerts that will warn consumers about potentially harmful websites. In the same vein, app stores are working hard to police the app marketplaces to reduce the number of malicious apps. Depending upon the specific facts of the case, we could also potentially bring an FTC enforcement action relating to the installation of unwanted software.

Read full interview here.

This edition’s #DataInsecurity Clips

Breach du jour: Cici’s pizza restaurants hacked. News recently came to light that 140 Cici’s restaurants had their point-of-sale systems infected with malware, which compromised customer credit and debit cards for months at a time. @EduardKovacs reports, “While in most cases the attackers gained access to PoS systems in March 2016, some restaurants in Florida, Mississippi, North Carolina, Ohio, Tennessee, and Texas had been breached since mid-2015.” @briankrebs was the first to report the breach and has estimated that around 600,000 card numbers were stolen. (Source: Security Week)

DNC hack: Are political campaigns “critical infrastructure?” Although experts generally agree that Russia hacked the DNC and stole 20,000 emails, they are not yet sure who subsequently leaked the emails on the eve of the Democratic National Convention, setting off a firestorm of controversy. Regardless of who leaked the emails and their reasons for doing so, this email dump is highly concerning to current and former national security officials. @nakashimae reports that many senior security officials believe that this breach “could warrant considering whether the elements of the electoral process should be raised to the level of ‘critical infrastructure,’ the same protections that power grids and key financial systems enjoy, so that our elections could be better protected from cyber attacks.” (Source: Washington Post)

Dems getting pWn3d: FBI investigating potential DCCC breach. On the heels of the massive DNC breach, investigators are now looking into a potential breach at the Democratic Congressional Campaign Committee (DCCC) that is believed to be aimed at gathering information about the DCCC’s donors. “Until proven otherwise, I would suggest that everyone involved with the campaign committee operate under the assumption Russians have access to everything in their computer systems,” said Democratic strategist Jim Manley. (Source: Reuters)

Turk Hack Team takes credit for Library of Congress attack. The cyber attack that recently downed the websites of Congress, the Library of Congress, the Congressional Research Service, and the Copyright Office was apparently an act of political protest. Hacktivists “The Turk Hack Team” stated that they launched the attack in response to the United States’ alleged fomenting of the coup that nearly overthrew the Turkish government, writes @thisismaz. “U.S. officials would likely be on the lookout for more hacktivist activity emanating from Turkey. ‘This is the first kind of visible activity generated post-coup, but it doesn’t mean it’s going to be the last,’ said Baron DiCamillo, current partner and CTO of Strategic Cyber Ventures.” (Source: FCW)

Defense department hacked? Department of Defense (DOD) Chief Information Officer Terry Halvorsen recently admitted that the DOD frequently gets hacked. @Politico reports that the DOD receives “a million” cyber attacks a day, and some are successful. Halvorsen also claimed that we are more secure today than we have been. “We’re attacked more than any other group in the world,” said Halvorsen. “Do we get hacked? Yes. Percentage of hack against attacks is, like, lower than .001.” (Source: Politico)

POTUS: New cyber threat level helps breach victims know who to call. Last week, President Obama approved a cyber incident directive that, for the first time, puts into writing how the government will assess cyber threats, and who is in charge of helping Americans, businesses, and agencies defuse a cyber threat. In terms of assessing each cyber threat, writes @nakashimae, “The White House has come up with a severity scheme ranging from Level Zero for an inconsequential event to Level 5 for an emergency — or an attack that poses an ‘imminent threat’ to critical systems such as the power grid, federal government stability or people’s lives. … There has been no known incident that would be considered a Level 5, senior officials said. The suspected Russian cyberattack on Ukraine’s electric grid in December that caused widespread power outages probably would have been a Level 4 — a ‘severe’ event that likely would result in ‘significant’ harm to public safety or national security — if it had happened in the United States, the official said.” (Source: Washington Post)

Department of Commerce signals the end of SMS two-factor authentication. The Department of Commerce’s National Institute of Standards and Technology (NIST) has released a draft guide that strongly discourages SMS two-factor authentication, and even hints at a future governmental SMS authentication ban. @thetecheye reports, “NIST officials are discouraging companies from using SMS-based authentication, even saying that SMS-based 2FA might be considered insecure in future versions of the agency’s security guidelines. Basically, SMS-based two-factor authentication is an insecure process because the (consumer) may not always be in possession of the phone.” NIST is suggesting that biometrics may be a better alternative to SMS two-factor authentication. (Source: Techeye)

Upcoming events

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016 in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

January 12, 2017 – PrivacyCon – Washington, DC
The FTC will host its second PrivacyCon conference “to continue and expand collaboration among leading whitehat researchers, academics, industry representatives, consumer advocates, and the government to address the privacy and security implications of emerging technologies.”

National Consumers League
Published August 3, 2016