National Consumers League

The #DataInsecurity Digest | Issue 45

Issue 45 | May 10, 2017

#DataInsecurity Digest: Macron hacked; Google Docs attack hits 1 million users

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The hacking of French President-elect Emmanuel Macron’s campaign last week has all the hallmarks of another Russia-based attempt to affect a Western election. Although, security experts are cautioning that we shouldn’t rush to judgment just yet. On the government data security front, the Trump Administration’s long-rumored cyber order has leaked. The new strategy document unsurprisingly gives a big role to the National Institute of Standards and Technology’s cybersecurity framework. Not to be outdone, the Department of Homeland security (DHS) has a new report warning federal workers to beware of the security vulnerabilities in their government Blackberrys and iPhones.

And now to the clips!

-----------------

Macron campaign hack: Signs point to Russians, but not conclusive yet. The massive hack of French President-elect Emmanuel Macron’s En Marche party was front-page news in the waning hours of its campaign. While similarities to the hacks of the Hillary Clinton campaign last year immediately raised suspicion of Russian involvement, many data security experts are cautioning against a rush to judgment. @a_greenberg reports, “‘I do think this is more likely than not a Russian operation, but I’d put this at more like 60 percent at this stage,’ says [Kings College London Professor Thomas] Rid, who recently testified at a Senate hearing about Russian interference in the US presidential election. In that case, by contrast, Rid says he has zero doubt that the Kremlin—and specifically a hacking group known as Fancy Bear, or APT 28—was the culprit. But in the Macron case, Rid says, ‘none of the pieces of evidence that has come out so far is particularly strong in forensic terms. We only have circumstantial evidence. We can’t exclude the possibility that someone is trying to frame someone else.’” (Source: WIRED)

Google Docs phishing attack affects 1 million Gmail users. Think twice before clicking on that automated email from Google Docs . Last week’s attack was quickly shut down by Google, but not before approximately 1 millions users received the spammed messages. @mike_mimoso writes, “The messages were a convincing mix of social engineering and abuse of users’ trust in the convenience of mechanisms that share account access with third parties. Many of the phishing messages came from contacts known to victims since part of the attack includes gaining access to contact lists.” (Source: Threatpost)

New Trump cybersecurity order draft similar to February draft. An updated draft of the long-delayed Trump Administration’s cybersecurity order is making the rounds and the outlines show some broad changes from the previous version. @Joseph_Marks_ reports, “...some of the language has been changed significantly, especially on a plan to foster international cooperation in cyberspace. … Those similar elements include mandating federal agencies adopt cybersecurity best practices outlined in the National Institute of Standards and Technology’s cybersecurity framework and a requirement that government leaders be held accountable for cyber lapses at their agencies.” (Source: NextGov)

Insecure government mobile devices raise alarm bells at DHS. A new report from the Department of Homeland Security (DHS) is calling attention to the security vulnerabilities of mobile devices used by many federal government employees. “The federal government also comprises only a small fraction of mobile carriers’ customer base so it cannot exert significant market pressure on carriers to boost security,” writes @Joseph_Marks_. “The government should mitigate those weaknesses by focusing efforts where it does wield power, such as promoting cross-government mobile security standards and working cooperatively with industry,” the DHS report stated (Source: NextGov)

Anatomy of a breach: Hackers exploited known vulnerability for months. It seems simple. Hackers develop an attack based on a new bug. The software vendor fixes the problem and ships a security update. The hackers move on to the next exploit. But as Microsoft security flaw CVE-2017-0199 demonstrated, it’s not always that easy. @josephmenn reports, “The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft's regular monthly security update. But it had traveled a rocky, nine-month journey from discovery to resolution, which cybersecurity experts say is an unusually long time. … The saga shows that Microsoft's progress on security issues, as well as that of the software industry as a whole, remains uneven in an era when the stakes are growing dramatically.” (Source: Reuters)

Breach du jour: Chipotle. Mexican-American restaurant chain Chipotle is investigating a data breach “on a system used to help process payments for purchases made inside its restaurants, though offered no details on specific locations that may have been affected.” Chipotle does not know which locations have been affected yet, but the suspicious activity occurred between March 24 and April 18. (Source: The Hill)

Are more breaches to come? @Bing_Chris reported that the same group behind the Chipotle breach (FIN7) is also targeting other national restaurant franchises, such as Baja Fresh and Ruby Tuesday. The article also found that, “More than 20 U.S.-based hospitality companies — the sector that includes hotels and restaurants — have been successfully hacked by FIN7 since the summer of 2016.” (Source: Cyberscoop)

Democrats urge OPM to streamline cybersecurity hiring. In a letter to OPM’s acting director, the New Democrat Coalition’s Cybersecurity Task Force stated that while “our country faces unprecedented cybersecurity challenges... the federal government struggles to recruit and retain qualified cyber professionals.” The letter further urged OPM to fill the empty cybersecurity jobs by exploring “ways to adjust job requirements and streamline the hiring process for federal cybersecurity jobs, including looking to the private sector for ideas.” (Source: The Hill)

180,000 patient records breached. TheDarkOverlord (the same hacker that dumped free bootleg copies of Netflix’s Orange is the New Black and is threatening to do the same for other Netflix shows) dumped 180,000 records from three separate hacks last week. Patients of Aesthetic Dentistry in New York City, OC Gastrocare in California, and Tampa Bay Surgery Center all had their personal medical information compromised. (Source: databreaches.net)

-----------------

Upcoming events

May 24, 2017 - Planning for the Future: A Conference About Identity Theft - Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts, and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

May 25, 2017 - Workshop on Technology and Consumer Protection (ConPro ’17) - San Jose, CA
At this year’s 38th IEEE Symposium on Security and Privacy, a Workshop on Technology and Consumer Protection (ConPro’17) will explore computer technology's impact on consumers, with a special focus on privacy and ways in ”which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers.” ConPro’17 aims to bring together academic and industry researchers along with government officials.

National Consumers League
Published May 10, 2017