The #DataInsecurity Digest | Issue 55

Issue 55 | November 2, 2017

#DataInsecurity Digest: Equifax knew about vulnerability; White House considers cyber strategy

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Equifax remained in the headlines this week when it came to light that the credit-reporting giant knew about its security vulnerability as early as December 2016 and chose to do nothing. Deservingly, the UK’s Financial Conduct Authority began investigating Equifax’s actions, and may even prevent Equifax from running credit checks on British citizens.

The Trump Administration announced that after 10 months in office, it’s in the beginning stages of creating a cybersecurity strategy. Meanwhile, researchers found a massive vulnerability in LG connected devices, which could have led to several safety hazards including hackers remotely turning on stovetops and operating in-home cameras.

On to the clips!

—————–

Equifax knew of its security vulnerability in December and turned a blind eye. @lorenzoFB reports that months prior to its massive breach, a security researcher warned Equifax that an employee portal “was completely exposed to anyone on the internet. [The portal] displayed several search fields, and anyone—with no authentication whatsoever—could force the site to display the personal data of Equifax’s customers…” The fact that this vulnerability was left unpatched for months “opens the possibility that more than one group of hackers broke into the company.” (Source: Motherboard)

Equifax’s regulatory fallout intensifies with new U.K. Financial Conduct Authority investigation. The U.K.’s Financial Conduct Authority has announced it will investigate Equifax in the wake of 694,000 UK citizens having their personal data compromised. @kayewiggins reports that, “The regulator has the power to fine the firm or even withdraw its authorization, which would prevent it from running credit checks in Britain.” (Source: Bloomberg Technology)

Speaking of Equifax’s lax security…10 percent of surveyed financial firms were hacked in 2017. New research from Security Scorecard found that financial firms were much more susceptible to hacks than telecommunications (3 percent hacked in 2017), transportation (2 percent) or manufacturing firms (1 percent). In addition, the report also found that “Only 25 percent of the Top 20 FDIC-insured banks (ranked by cybersecurity performance) received an ‘A’ grade in DNS Health,” and that the “financial services industry had more malware events than five other industries combined.” (Source: Security Scorecard)  

Trump Administration’s cybersecurity strategy in process. Last week, White House Homeland Security Adviser @TomBossert45 announced that the White House plans to start drafting a new cybersecurity strategy. @Joseph_Marks_ reports that the strategy is likely to be based off of three main components: “improving the security of federal government computer networks; leveraging government resources to better secure critical infrastructure, such as hospitals, banks and financial firms; and establishing norms of good behavior in cyberspace and punishing bad behavior.” While @TomBossert45 would not provide a timeline for the strategy’s release, he did say that, “As soon as we’re prepared to put forward a strategy that will be beneficial to the government and the nation, we’ll do so.” (Source: Nextgov)

Citing executive privilege, White House blocks cyber czar from testifying in Senate. White House Cyber Coordinator Rob Joyce’s absence from the Senate Armed Services hearing led Chairman John McCain (R-AZ) to comment: “I would also like to note at the outset the empty chair at the witness table… Unfortunately, but not surprisingly, the White House declined to have its cyber coordinator testify.” Sen. McCain left open the possibility to pursue Sen. Bill Nelson’s (D-FL) suggestion of subpoenaing Rob Joyce. (Source: The Hill)

Breach du jour: LG home appliances. A vulnerability found in the LG SmartThinQ application could have allowed hackers to “take over a user’s account and control connected appliances such as their oven, refrigerator, dishwasher, washing machine, air conditioner and more.” Check Point Software Technologies, the security researchers who discovered the flaw, stated that the vulnerability also “gave attackers the potential to spy on users’ home activities via the Hom-Bot robot vacuum cleaner video camera.” (Source: Yahoo News)

Americans’ mobile device cyber hygiene has improved by more than 50 percent in the past 5 years. A CTIA study finds that “77 percent of Americans use PINs/passwords on their smartphones, a 54 percent increase in the last five years,” and that “(n)early 50 percent of Americans have an anti-virus program installed on their smartphone, a 58 percent increase in the last five years.” (Source: CTIA)

Events

February 28, 2018 – Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published November 2, 2017