Issue 40 | February 28, 2017

#DataInsecurity Digest: Advocates unite against DHS plan to check passwords at the border

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: DHS Secretary John Kelly’s comments that the agency may require non-citizens to provide passwords to their social media accounts at U.S. borders is provoking quite a backlash. Last week, NCL joined more than 100 data security experts, privacy and civil liberties organizations that said the proposal “will fail to increase the security of U.S. citizens and is a direct assault on fundamental rights.” The move also prompted a reaction from Sen. Ron Wyden (D-OR), a noted privacy hawk, who vowed to introduce legislation requiring DHS to obtain a warrant before demanding passwords to Americans’ online accounts and mobile devices. In other news, Yahoo’s mega-breaches finally have a price tag: $350 million — the discounted sale price negotiated by Verizon due to the overhanging liability stemming from the breaches. Finally, while there was plenty of news from the big RSA security conference, the most troubling was probably a Nuix survey of RSA attendees that more than 80 percent of hackers said they can breach a network’s security and steal valuable information in less than 24 hours.

And now, on to the clips!

—————–

Public interest and privacy experts stand firm against DHS. A coalition of 100+ data security experts and civil liberties, human rights, and consumer organizations (including NCL) last week blasted a DHS plan to require non-citizens to provide social media passwords at the border. “The first rule of online security is simple: Do not share your passwords,” noted the groups’ letter. “No government agency should undermine security, privacy, and other rights with a blanket policy of demanding passwords from individuals.” (Source: Center for Democracy and Technology) 

Sen. Ron Wyden (D-OR) to introduce legislation to prevent seizure of passwords.. “Circumventing the normal protections for such private information is simply unacceptable,” and that his legislation would ensure that the “4th Amendment is respected at the border.” (Source: Buzzfeed)

Chairman of House Homeland Security committee: ‘We are in the fight of our digital lives…and we are not winning.’ In his remarks before the RSA conference, Rep. Michael McCaul (R-TX) also discussed the lack of “clear proportionate response policies for striking back against nation states, cyber criminals and others” and the need to show that “there will be consequences and that intruders will be brought to justice.” (Source: Government Technology)

Yahoo’s massive data breaches caused $350 million devaluation. In the wake of its massive data breaches, Yahoo had to make serious concessions to Verizon to keep the buyer on board. In the new deal, Yahoo will split any financial liabilities caused by their two massive breaches 50-50 with Verizon. In addition, @Ryan_Knutson reports that “as part of the revised agreement, Verizon will give up its right to sue over the idea that Yahoo had covered up the hacks, one of the people said. The entity selling Yahoo will retain liability for the SEC investigation and any shareholder lawsuits related to the deal itself. Verizon will split costs and liabilities related to any lawsuits from consumers or partners.” (Source: Wall Street Journal)

Verizon’s general counsel defends the decision to move ahead on the deal. @TheNLJ reports that, while many have criticized Verizon’s lack of due diligence surrounding data breaches, Verizon general counsel Craig Silliman disagrees. “’There is no way you can do due diligence and find something … that the company itself hasn’t found,’ he said, adding that this is why representations and warranties are added to these agreements. ‘I don’t think one of the lessons learned is the need for due diligence around data breaches,’ he said. ‘I do think it points to the importance of reps and warranties around data breaches.’” (Source: The National Law Journal)

Microsoft proposes ‘Digital Geneva Convention.’ At the RSA conference last week, Microsoft President and Chief Legal Officer Brad Smith argued for a “Digital Geneva Convention.” @jeremy_kirk reports that “[h]is proposal would commit governments to implementing norms designed to protect civilians on the internet in times of peace, in the same spirit as the Fourth Geneva Convention of 1949. Governments should agree to not conduct cyberattacks against the private sector, specifically stealing intellectual property, or critical infrastructure.” (Source: Bank Info Security)

New York’s ‘first-in-the-nation’ breach notification law takes effect today. The new rules require New York-based financial firms to “scrutinize” their security practices and notify regulators after a data breach. @NYGovCuomo stated that “these strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber-crimes.” (Source: Reuters)

88 percent of hackers believe they can breach your network defenses in less than 12 hours. That’s according to @nuix, a Virginia-based security firm whose Black Report surveyed hackers at the DEFCON conference this year in Las Vegas. The report also found that once inside a system, 81 percent of respondents could identify and steal high value data in fewer than 12 hours. Most concerningly, the report found that nearly two-thirds of hackers stated that their biggest frustration was that “most organizations did not bother to fix the vulnerabilities and security weaknesses they discovered.” (Source: ZDNet)

Breach du jour: Coachella. The user information for the popular California music festival Coachella is currently for sale on the dark web. The listing boasts 950,000 accounts, including users’ email addresses, usernames, and hashed passwords. @motherboard reports that according to the listing, “around 360,000 of the accounts relate to the main Coachella website, and another 590,000 concern the message board. The latter set allegedly includes more information such as the user’s IP address.” (Source: Motherboard)

Quick hit: Trump’s Chief Digital Officer leaves White House over security concerns. @politico reports that “White House Chief Digital Officer Gerrit Lansing was among the six staffers escorted out of the White House last week after being unable to pass an FBI background check.” The CDO slot is a somewhat nebulous position within the White House. Former Obama CDO Jason Goldman described the role as meant to “create more meaningful online engagement between government and American citizens.” (Source: Politico)

Upcoming events

May 24, 2017 – Planning for the Future: A Conference About Identity Theft – Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts, and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

May 25, 2017 – Workshop on Technology and Consumer Protection (ConPro ’17) – San Jose, CA
At this year’s 38th IEEE Symposium on Security and Privacy, a Workshop on Technology and Consumer Protection (ConPro’17) will explore computer technology’s impact on consumers, with a special focus on privacy and ways in ”which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers.” ConPro’17 aims to bring together academic and industry researchers along with government officials.

National Consumers League
Published February 28, 2017