Issue 35 | December 7, 2016
#DataInsecurity Digest: Cyber policy clues about Trump transition hires; ransomware hack cripples Muni
By John Breyault (@jammingecono, email@example.com)
NCL Vice President of Public Policy, Telecommunications and Fraud
Editor’s Note: Over the past several days, we’ve seen the incoming Trump Administration’s data security policy continue to take shape. While a head for the Department of Homeland Security (the government’s largest cybersecurity agency) has not yet been named, other transition team member hires—Reps. Marsha Blackburn (R-TN) and Tom Marino (R-PA), for example—point to a significantly more law enforcement-friendly data security direction. They’ll have a blueprint for action thanks to the report of the blue ribbon Commission on Enhancing National Cybersecurity, which among other recommendations calls for a “nutrition label” for the data security characteristics of consumer IT products and services. In other news, a ransomware attack on San Francisco’s Muni transit system forced bus drivers in the heart of the technology industry to rely on hand-written notes on bulletin boards and gave Rep. Ted Lieu (D-CA) an opportunity to call for additional ransomware hearings. Finally, while most of us have transitioned to using chip cards, gas stations are likely to remain holdouts for several more years, thanks to Visa’s new rules extending the so-called “liability shift” into 2020.
And now, on to the clips!
NIST Cybersecurity Commission calls for nutrition label for data security. The long-awaited report of the President’s blue ribbon Commission on Enhancing National Cybersecurity called for a range of policy solutions to improve the nation’s cybersecurity defense. Recommendations such as creating a new assistant to the President for cybersecurity and establishing an ambassador for cybersecurity were among the 16 policy solutions put forward by the panel. Perhaps most intriguingly, the panel called for a “nutritional label” for IT products and services to “drive product innovation and improve purchasing decisions.” The label would be used by consumers to evaluate the security characteristics and features of products before purchasing them. (Source: NIST)
Trump taps Marine Corps General James Mattis for Defense Secretary. @timstarks reports that although critics point out Mattis’ sparse cyber experience, he has made several statements about international cyber warfare. Speaking at a public event last year on the Middle East and America’s role, Mattis said that it wouldn't be up to the Pentagon to send in troops for a cyberattack: “DoD would not be the decider on that. It would have to be a political decision that the damage was severe enough. If they turn the lights off in Madison, Wis., or something, you can expect that the U.S. military has plans to deal with these things. We give options to the commander in chief." (Source: Politico)
Trump transition appointments hint at cyber interests. Although Trump has yet to nominate a Department of Homeland Security secretary and Mattis, the DoD secretary-to-be, has not yet laid out a substantial cyber agenda, his transition team choices may suggest what types of cyber policy the new Administration will pursue. Leaders like Marsha Blackburn (R-TN), who co-sponsored data security and breach notification bills, will serve as his transition vice chair. Appointee Rep. Tom Marino (R-PA) has sponsored bills to limit the Justice Department’s ability to demand access to customer data stored by U.S. companies in different nations. And Rep. Devin Nunes (R-CA) has co-sponsored successful cyber information-sharing legislation, which many advocates fear could pave the way toward an encryption backdoor. (Source: Nextgov)
San Francisco's Muni is the latest high-profile victim of ransomware. Over Thanksgiving weekend, hackers infiltrated more than 2,000 San Francisco Municipal Railway (Muni) computers with ransomware and demanded 100 Bitcoin (about $73,000). The attack forced the transportation authority to offer free transportation to riders and take unorthodox tactics such as assigning “routes to bus drivers via hand-written notes on bulletin boards,” until the computer system was restored. (Source: San Francisco Business Times)
Bonus: Muni hacker gets hacked. The Muni hacker had his primary and backup email hacked by security researchers who were able to “guess” the answers to the password reset questions used for both of his accounts. The hacked email accounts provided tantalizing clues suggesting the hacker’s location (Iran), as well as correspondence between the hacker and his past victims. (Source: Krebs on Security)
Quick hit: Rep. Ted Lieu (D-CA) urges House Oversight Committee to hold ransomware hearing. Last Tuesday, Congressman Ted Lieu (D-CA) sent a letter to House Oversight Committee Chairman Jason Chaffetz (R-UT) and ranking member Elijah Cummings (D-MD) stating that a "hearing is needed to shed light on the growing threat of ransomware, outline best practices to mitigate it, and identify the most critical areas for improvement in both the public and private sectors..." as “these malware attacks have had tremendous economic costs in recent years, and it would seem only a matter of time before we face life-threatening or national security consequences as well." (Source: The Hill)
Breach du jour: BP/Exxon explosive contractor. A lead security researcher at @MacKeeper discovered that thousands of sensitive files belonging to Allied-Horizontal Wireline Services, including personal employee documents and the location of explosives storage facilities, had been exposed due to a misconfigured storage device. “The discovery of an exposed file repository for an explosives-handling company is alarming,” stated security researcher Chris Vickery. “If bad guys wanted to know where explosives are being held, or who to blackmail into obtaining explosives, this would have been a prime knowledge base.” Vickery added that “high quality scans of explosives-handling licenses were also found in the files, which raises the possibility of impersonating authorized explosives-handling personnel.” (Source: The Daily Dot)
Gas stations get reprieve from chip card rules, despite wave of skimming attacks. As more merchants install chip card readers, the days of data thieves skimming account data from credit and debit cards’ magnetic stripes appear to be numbered. However, one business sector—gas stations—will continue to be a lucrative target for skimming fraudsters, potentially into the next decade. @briankrebs reports that Visa has amended its merchant rules to give gas stations until 2020 to install chip card readers before the new liability rules take effect. This decision comes in spite of evidence of continued attacks on insecure gas station card readers. Krebs writes: “[t]he delay comes as some states — particularly in the southern United States — are grappling with major increases in fuel station skimming attacks. In September, KrebsOnSecurity published a detailed look at nine months’ worth of fuel pump skimming incident reports filed by police and regulators in Arizona, which said it saw more fuel station skimming attacks in the month of August 2016 than in all of 2015 combined.” (Source: KrebsonSecurity.com)
January 12, 2017 - PrivacyCon - Washington, DC
The FTC will host its second PrivacyCon conference “to continue and expand collaboration among leading whitehat researchers, academics, industry representatives, consumer advocates, and the government to address the privacy and security implications of emerging technologies.”
May 24, 2017 - Planning for the Future: A Conference About Identity Theft - Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.
National Consumers League
Published December 7, 2016