National Consumers League

The #DataInsecurity Digest | Issue 37

Issue 37 | January 18, 2017

#DataInsecurity Digest: Giuliani's cyber cred takes a hit, more headaches for Verizon-Yahoo, Ramirez stepping down at FTC

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The incoming Trump Administration continues to make waves in data security policy and likely not how it had hoped. Most notably, former New York City Mayor Rudy Giuliani was tapped to provide advice to the new Administration on cybersecurity matters. Unfortunately, his own firm’s website is riddled with security vulnerabilities, which doesn’t inspire confidence among experts. One of the outgoing Obama Administration’s data security champions, FTC Chairwoman Edith Ramirez, announced Friday that she will be stepping down on February 20 to make way for Trump’s pick for FTC chair. The next chair will have to deal with a renewed assault by the Koch-linked Cause of Action Institute on the FTC’s authority to enforce data security standards.

And now, on to the clips!

-----------------

Giuliani offered spot on Trump’s team. Former New York Mayor and current Trump surrogate Rudy Giuliani has been asked to advise the Trump Administration on cybersecurity issues. @NPR reports that, in a phone call with reporters, the former mayor “compared the issues with cyber security to cancer, saying if all the people doing cancer research were brought together, ‘you might be able to cure it.’ His job he said, will be to bring those experts to the President-elect so they can share with him their solutions.” (Source: NPR)

But…Giuliani’s own website is “insecure as hell.” If Giuliani’s own firm’s website security is any indication, the advice he gives to the Trump Administration will be suspect, to say the least. As @hudsonhongo writes, “the website for Giuliani Security & Safety is an all around disaster that runs on an ancient version of Joomla!, a free to use content management system (CMS). In the almost four years since the version that Giuliani’s site uses was released, more than a dozen vulnerabilities have been documented in the CMS … The site fails to follow a number of other basic best practices that would be obvious to the most casual student of cyber security.” (Source: Gizmodo)

Koch-linked watchdog heads back to court to fight FTC on data security. Cause of Action Institute, a conservative watchdog group linked to the Koch brothers network, is again going to bat to fight the FTC’s efforts to enforce data security standards. The group, which previously represented LabMD in its fight against the Commission, has agreed to represent D-Link Corporation, a Taiwanese company that is in the FTC’s crosshairs for marketing an insecure router. In a statement, Cause of Action’s Vice President Patrick Massari wrote that “[t]his lawsuit is another instance of the FTC’s unchecked regulatory overreach. If the FTC can bring a lawsuit on the mere potential of a data security breach, nearly every company will be subject to unconstrained and unexplored data security liability. Such limitless liability coupled with FTC’s history of unrelentingly litigious oversight will no doubt have a chilling effect on innovation in the Internet of Things.” (Source: Cause of Action Institute)

FTC’s Ramirez to step down. The Federal Trade Commission on Friday announced that Chairwoman Edith Ramirez will be stepping down on February 20. In its announcement, the Commission noted its big win in the case against Wyndham Hotels, convincing a federal appeals court to uphold the FTC’s authority to bring enforcement actions for unreasonable data security practices. (Source: Federal Trade Commission)

Rep. Graves to focus on fintech cybersecurity on financial services subcommittee. Congressman Tom Graves (R-GA) plans to use his new position as chair of the House Appropriation Subcommittee on Financial Services to push for greater cybersecurity protections in the emerging fintech space. Writes Graves, “with the growing importance of financial technology – or ‘fintech’ – in our 21st Century economy, this assignment puts me in a great position to work on new approaches to cyber security so American businesses and the families who use their services are protected from cyber threats.” (Source: Congressman Tom Graves)

Hackers get hacked. The mobile hacking technology company Cellebrite, which offers hacking services to U.S. agencies and potentially a few regimes such as Russia, the United Arab Emirates, and Turkey, suffered a breach of some 900 gigabytes of data. The compromised data includes “the alleged usernames and passwords for logging into Cellebrite databases connected to the company's my.cellebrite domain,” as well as “what appears to be evidence files from seized mobile phones, and logs from Cellebrite devices.” (Source: Motherboard)

Is Verizon getting cold feet in the wake of record-setting Yahoo breach? Yahoo’s name change to Altaba left many scratching their heads this week, but the company is still facing a raft of issues stemming from the breach of more than 1.5 billion records over the past six months. Quoting unnamed executives, @dseetharaman and @mjarmental report that “Verizon has become less certain that the deal will go through” and that “[t]he breaches could be a material event that would allow Verizon to change the terms of the deal[.]” (Source: Wall Street Journal)

Breach du jour: 1.5 million E-Sports Entertainment Association (ESEA) accounts hacked. The breach is believed to have compromised the user names, email addresses, bcrypt hashed passwords, dates of birth, phone numbers, and IDs at the popular competitive gaming website ESEA. @Jason_A_Murdock reports that this is not the first time ESEA received bad publicity for its cybersecurity practices. He writes that “[i]n May 2013, ESEA was mired in a separate scandal, hit with legal action after a rogue employee was caught enslaving users' computers – via its software downloads - to mine Bitcoin. The website admins were forced to cough up a $325,000 settlement payout after found to be in violation of the US Consumer Fraud Act.” (Source: International Business Insider)

Quick hit: ESEA cannot be extorted. Although data security followers like myself would have preferred ESEA to have taken the steps necessary to prevent itself from being hacked, it was great to see ESEA follow the FBI and FTC’s guidance regarding not paying ransoms, as the username leak came only after ESEA refused to pay $100,000 in ransom demands. ESEA stated “we do not give into extortion and ransom demands and we take the security of customers' data very seriously. In addition to investigating the incident and reporting it to the authorities, we have been working to isolate the vector attack and secure the vulnerability." (Source: ESPN)

DNC remains a target for hackers. @buzzfeed is reporting that, as recently as New Year’s Eve, the DNC was fending off attacks from hackers. @AliWatkins and @sheeraf quoted one high-level source familiar with the investigation stating that “there was activity the day after the president issued sanctions [against Russia], looking for ways to get into the servers.” (Source: Buzzfeed)

Upcoming events

May 24, 2017 - Planning for the Future: A Conference About Identity Theft - Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts, and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

May 25, 2017 - Workshop on Technology and Consumer Protection (ConPro ’17) - San Jose, CA
At this year’s 38th IEEE Symposium on Security and Privacy, a Workshop on Technology and Consumer Protection (ConPro’17) will explore computer technology's impact on consumers, with a special focus on privacy and ways in ”which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers.” ConPro’17 aims to bring together academic and industry researchers along with government officials.

National Consumers League
Published January 18, 2017