National Consumers League

The #DataInsecurity Digest | Issue 31

Issue 31 | October 26, 2016

#DataInsecurity Digest: Massive DDoS attack highlights IoT security woes; GOP now getting hacked, too

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: As the presidential race enters its final stretch, the issue of cybersecurity continues to make headlines. A massive distributed denial of service (DDoS) attack that knocked several major websites offline Friday may have an increasingly familiar culprit: unsecured IoT devices used to power “zombie” botnets. We hope the participants in the NTIA’s multi-stakeholder process on IoT security are taking note! The FTC will be taking a fresh look at the link between data breaches and identity theft in May; an issue we here at NCL know a little something about. Unfortunately, the healthcare industry seems to be slow to get the message, with a new report finding that healthcare providers are twice as unlikely as manufacturers to fix critical cyber errors.

And now, on to the clips!

-----------------

Massive DDOS attack highlights problem of insecure IoT devices. The massive distributed denial of service (DDoS) attack against DNS provider Dyn, Inc. knocked major websites like Reddit, Netflix, and Twitter offline for an extended period on Friday, inconveniencing millions of users. The attack, part of a growing spate of powerful DDoS attacks this year, may have been powered by an army of compromised Internet of Things (IoT) devices, such as webcams, writes @NateLanxon. “The joke about the Internet of Things was that you were going to get people hijacking people’s connected fridges to conduct these attacks, but in these recent cases the culprit seems to be webcams,” [Director of Technology at U.K. cyber security company Darktrace, Dave] Palmer said. “We will probably see, when this is investigated, that it is a botnet of the Internet of Things. … This is exactly what happens when tens of thousands or hundreds of thousands of devices are left unprotected[.]” (Source: Bloomberg

New rules aim to get banks up and running two hours after a cyber attack. The Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency jointly proposed a rule that would require U.S. and foreign banks operating in the U.S. with $50 billion or more in assets, as well as “systemically risky” financial companies, to “substantially mitigate the risk of a disruption due to a cyber event to their sector-critical systems.” @donnaborak reports that the proposed rules will require firms to: prove that they can run core operations within two hours of an attack, “develop and maintain a cybersecurity risk management plan approved by their boards and incorporated into their business strategies,” and “require banks to use the cyberdefenses in their business units and incorporate them into company audits.” (Source: Wall Street Journal)

Breach du jour: National Republican Senatorial Committee (NRSC). Hacked systems aren’t just a problem for Democratic groups. A hack of the NRSC’s e-commerce storefront may have compromised credit card numbers, full names, and mailing addresses for thousands of donors, reports @dangood001. The breach, which lasted a reported six months–from March to October of this year–stemmed from a larger breach of nearly 6,000 online platforms, according to security researcher Willem de Groot. (Source: Ars Technica)

GOP’s hacking headaches don’t end there. On the heels of a firebomb attack on a North Carolina campaign office, the head of the state’s Republican Party fell victim to a phishing attack this week. According to @NolanDMcCaskill, all of North Carolina GOP Executive Director Dallas Woodhouse’s contacts received a phishing email prompting users to type in their email address and password to receive access to a fake Dropbox file titled “GOP-financial_Document.pdf.” Woodhouse advised recipients who were tricked into clicking the link to change their passwords and to “never use that password again, for anything, ever.” (Source: Politico)

Peace at last? LinkedIn hacker reportedly arrested. Last summer, a hacker going by the name “Peace” sold the credentials of 117 million LinkedIn accounts. Now it seems that LinkedIn users may finally get some justice. At least one of the Russian hackers allegedly involved in the attack was arrested in Prague last Tuesday by Czech authorities working in collaboration with the FBI. (Source: Motherboard)

Healthcare industry remains behind the times on data security. Despite repeatedly making headlines for ransomware attacks that resulted in patients being turned away and the breach of sensitive patient data, the healthcare industry’s record on data security remains spotty, reports @MorningCybersec. Security firm Veracode’s 7th “State of the Software Security Report” found that "[t]he healthcare industry ranks last in its ability to fix vulnerabilities and has the highest prevalence of cybersecurity mishaps like poor credentials management” and that health care companies are twice as unlikely than manufacturing firms to fix critical cyber errors.. (Source: Politico)

Majority of voting millennials think a candidate's stance on cybersecurity will influence their vote. A new Zogby poll commissioned by Raytheon and the Department of Homeland Security’s “Stop. Think. Connect.” campaign found that “[h]alf of young voters believe there hasn’t been enough discussion of cybersecurity in the current election campaign and a small majority say a candidate’s stance on the issue would influence their decision whether to support them.” (Source: FedScoop)

Upcoming events

January 12, 2017 - PrivacyCon - Washington, DC
The FTC will host its second PrivacyCon conference “to continue and expand collaboration among leading whitehat researchers, academics, industry representatives, consumer advocates, and the government to address the privacy and security implications of emerging technologies.”

May 24, 2017 - Planning for the Future: A Conference About Identity Theft - Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

National Consumers League
Published October 26, 2016