National Consumers League

The #DataInsecurity Digest | Issue 69

Cyber challenges remain as Russia infects hundred of thousands of Internet routers

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Last week the the FBI urged all Internet router users to restart their devices in an effort to determine which routers Russian hackers have infiltrated. Meanwhile news came to light that the geolocations for users of four major cellphone carriers were unsecured and available to anyone who knew where to look. This could be a problem for President Trump, since he routinely refuses pleas from security experts in the White House that he switch out his cell phones on a regular basis as being “too inconvenient.”

And now, on to the clips!

-----------------

FBI: Hundreds of thousands of Internet routers have been hacked with Russian malware. The FBI is urging anyone with an Internet router to restart it in an effort to thwart malware that is linked to Fancy Bear, the Russian hacking group responsible for the hacking of the Democratic National Committee. The malware, “is capable of blocking web traffic, collecting information that passes through home and office routers, and disabling the devices entirely.” According to @TalosSecurity, “The malware has a destructive capability that can render an infected device unusable.” The malware “can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.”(Source: New York Times)

Speaking of Russia: 95 percent of surveyed digital security experts believe that our state election systems are not safe. (Source: Washington Post)

FBI massively overstates number of encrypted phones it cannot access. For months, the FBI has told both Congress and the public that “investigators were locked out of nearly 7,800 devices connected to crimes last year when the correct number was much smaller, probably between 1,000 and 2,000.” @DevlinBarrett reports that the bureau believes the overstatement was a result of a coding error, which resulted in “the use of three distinct databases that led to repeated counting of phones.” (Source: Washington Post)

The geo location information of AT&T, Sprint, T-Mobile, and Verizon users was left unsecured on the Internet. @briankrebs reports that LocationSmart, a company that provides real-time geolocation information of cellular devices has been providing Internet users the geolocation of any cell phone on the four major networks “without the need for any password or other form of authentication or authorization...to an accuracy of within a few hundred yards.” (Source: Krebs on Security)

Using a secure mobile device is “too inconvenient,” for President Trump. While advisors have urged the President to swap out his phones once a month as his predecessors have done for security reasons, he’s reportedly gone as long as five months between security checks as they are “too inconvenient” for him. In addition, @politico reports that unlike his predecessor, President Trump uses a phone with an enabled microphone and camera, which multiply the security risks. “Former national security officials are virtually unanimous in their agreement about the dangers posed by cell phones, which are vulnerable to hacking by domestic and foreign actors who would want to listen in on the president’s conversations or monitor his movements.” (Source: Politico)

House and Senate introduce bill to protect children from data collection. The bill, introduced by Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) in their respective chambers, “would amend the Children's Online Privacy Protection Act to tighten protections against collecting data on minors, forcing websites to obtain parental consent before collecting data on users under the age of 13. To collect data on those ages 13-15, it would require websites to secure consent from the users themselves. The bill would also prohibit using such data for advertising targeted at children.” (Source: The Hill)

GDPR is in effect. As if the hundreds of emails clogging your inbox wasn’t a tip-off, last week, Europe’s long awaited General Data Protection Regulation (GDPR) law officially went into effect. The law pairs consumer protections such as “requirements to notify regulators about data breaches (within 72 hours)” with steep penalties for noncompliance. (Source: The Verge)

Mobile app fraud increases 600 percent in three years. The report published by RSA also found that 48 percent of the fraud it observed stemmed from phishing attacks. (Source: RSA)

Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

National Consumers League
Published May 31, 2018