National Consumers League

The #DataInsecurity Digest | Issue 59

Issue 59 | January 11, 2018

#DataInsecurity Digest: Discovery of major vulnerabilities ushers in 2018

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Happy New Year and welcome to the first #DataInsecurity Digest of 2018! The year started off with a bang as news of critical vulnerabilities in nearly every electronic device shook the data security world. The vulnerabilities, known as Spectre and Meltdown, have no easy repair/patch available, though no attacks exploiting the vulnerabilities have yet been reported. Nonetheless, we expect the news to serve as a catalyst for litigation in the coming months. As if this were not enough, compromised personal data of Florida Medicaid recipients and DHS employees also made headlines, along with the revelation that Romanian hackers were able to disable Washington, DC security cameras for days prior to the inauguration of President Trump in January 2017.

And now, on to the clips!

-----------------

Spectre/Meltdown: Majority of world’s computers may be compromised. Security researchers have discovered two massive security flaws in Intel, AMD, and ARM-based processors called Meltdown and Spectre. The security vulnerabilities “could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks...There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent.” Paul Kocher, a key researcher who helped discover the vulnerabilities, commented that “we’ve really screwed up... There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.” (Source: New York Times)

The flaw will affect almost a decade worth of Intel computer chips. @HowellONeill reports that “the fix requires a fundamental redesign of the operating system kernel, the software that manages a machine’s resources. It’s meant to be nearly all-powerful and all-secure. This flaw renders it plainly vulnerable across platforms.” (Source: Cyber Scoop)

Apple users are victims too. Apple informed users that while “there are no known exploits impacting customers at this time,” all iPhones, iPads, and Mac computers are affected by the recently disclosed processor flaws. (Source: CNN)

At least three class action lawsuits have been filed against Intel. Class action suits in California, Oregon, and Indiana are expected to be followed by others in the coming days. “All three cite the security vulnerability and Intel’s delay in public disclosure from when it was first notified by researchers of the flaws in June. … The plaintiffs also cite the alleged computer slowdown that will be caused by the fixes needed to address the security concerns...” (Source: The Guardian)

Intel CEO sold off most of his stock after learning of massive security flaw. Intel CEO Brian Krzanich, “sold the majority of his company stock in November, several months after the company was alerted to the flaws…” but before the failure was made public. “Krzanich sold off all but 250,000 of his Intel shares—the minimum number he’s required to hold per his employee agreement.” (Source: Quartz)

Hackers took over DC surveillance cameras prior to inauguration. A recently unsealed criminal complaint revealed that, just prior to President Trump’s inauguration, Romanian hackers took over two-thirds of the District of Columbia’s outdoor surveillance cameras. The attack “affected 123 of the DC police department’s 187 outdoor surveillance cameras, leaving them unable to record for several days.” (Source: Washington Post)

Breach du jour: 30,000 Florida Medicaid records. The breach came about due to a malicious phishing email attack. As a result of the breach, “hackers may have partly or fully accessed the enrollees’ full names, Medicaid ID numbers, birthdates, addresses, diagnoses, medical conditions and Social Security numbers.” (Source: Associated Press)

Breach du jour part deux: 247,000 Homeland Security Department employees and non-employees. Last week, authorities confirmed previous reports that DHS suffered a data breach in 2014. They did not detail what personal information was compromised in the breach but revealed that the “personal information on 247,167 Homeland Security employees as well as...” an undisclosed number of “...non-employees who were subjects, witnesses or complainants in inspector general investigations between 2002 and 2014,” had been compromised as well. (Source: Next Gov)

Opinion: The end of Net Neutrality could worsen data security. @TonyAtESET contemplates how the end of net neutrality “could put many devices and their users’ critical data at risk.” (Source: We Live Security)

Events

February 28, 2018 - Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published January 11, 2018