The #DataInsecurity Digest | Issue 7

Issue 7 | Nov. 4, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Despite opposition from the tech industry and privacy/consumer advocates, the Senate approved the Cybersecurity Information Sharing Act (CISA). But will the bill, once enacted, actually do much good to protect consumers’ data security? The consensus, according to security watchers at the New York Times and KrebsonSecurity.com, is that Congress felt like it needed to do something, even if it was a bad bill like CISA. In other data security news: USPIRG wants you to get a credit freeze; 000Webhost.com loses 13 million passwords; and we find out why Craigslist isn’t the best place to place a wanted ad for a hacker.

And don’t forget to tune in on Thursday for the FTC’s second Start with Security conference, direct from Austin, TX. We’re keeping the #DID weird here in DC, so let’s roll on to the clips!

—————–

CISA passes Senate: Was it worth it? @SangerNYT and @nicoleperlroth take a look at what hath Congress wrought, and find it wanting: “In the years that Congress was debating it, computer attackers have grown so much more sophisticated — in many cases, backed by state sponsors from Shanghai to Tehran — that the central feature of the legislation, agreements allowing companies and the government to share information, seems almost quaint. To many in the trenches of daily computer combat, it is a little like the insistence of some cavalry officers in the 1930s on sticking to horses, rather than investing in mechanized divisions.” (Source: New York Times)

Instant analysis: “Virtually impossible” to tell if CISA will do any good. @BrianKrebs offers his take: “The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches. Meanwhile, history is littered with examples of well-intentioned laws that produce unintended (if not unforeseen) consequences.” (Source: KrebsonSecurity.com)

Breach du Jour: 13M passwords from prominent web hosting firm. If you needed another reminder to turn on two-factor authentication and stop reusing passwords, news of a massive breach at (apparently) Arizona-based web hosting company 000Webhost.com comes to us from @dangoodin001: “Anyone who has used 000Webhost should be on the alert for fraud. In the event that users have used the same or a similar password on other websites, they should change it immediately. The fresh infusion of 13 million passwords into the already massive corpus of existing passwords should bring new urgency to the oft-repeated admonition to use a long, randomly generated password that’s unique to every site.” (Source: Ars Technica)


USPIRG: The time to get a credit freeze is before a breach. (H/T @EdMPIRG) Consumer colleagues at USPIRG are out with a new report containing advice that we’re increasingly giving consumers to help reduce the risk of breach-fueled identity fraud: Get a credit freeze now. “‘Only the security freeze can prevent someone from opening a new credit account in your name,’ said Mike Litt (@MikeLittUSA) of U.S. PIRG. ‘Credit monitoring services may tell you but only after you’ve already been victimized. Worse, they are often offered after simple retail credit number breaches, even though they offer no help against unauthorized use of your existing accounts, which is the fraud most likely to occur from that type of breach.’” (Source: USPIRG)

Bankers mobilizing behind Carper-Blunt bill. American Bankers Association head Frank Keating is in The Hill calling for Congress to move on the Carper-Blunt Data Security Act of 2015. Expect resistance from retailers and advocates. (Source: The Hill)

Nearly 1 in 4 U.S. businesses get cyber insurance. New research from the Council of Insurance Agents and Brokers (@TheCIAB) puts the take rate on cyber insurance for U.S. businesses at 24%. “As cyber threats move beyond just the theft of personal information, meaningful business interruption insurance is starting to become available,” said [CIAB President and CEO Ken] Crerar. “While the market has more loss data on cyber incidents, theft of intellectual property, physical damage and bodily injury are still not fully comprehended.” (Source: CIAB)

Self-regulatory news: CEA offers “guiding principles” for wellness data. With the explosion in IoT, the Consumer Electronics Association (@CEA) has offered up a new set of voluntary guidelines for wearables manufacturers. Nice to see “Provide robust security measures” at the top of the list. (Source: CEA)

SMU study: C-Suite increasingly “gets it” on cybersecurity. Key data points from a new survey of CISOs on the state of cybersecurity preparedness: “More than 80 percent of those interviewed reported broad and increasing support among senior-level management and corporate boards for their cybersecurity efforts; Eighty-eight percent of respondents reported that their security budgets have increased.” (Source: SMU)

Small biz data breach case study: Less than 1 hour from start to pWn3d. Joe Ross of security firm @CSIdentity is out with the results of an interesting experiment. He looked at how quickly hackers can take down a new small business when employees make common data security mistakes. “Our experiment further ensured that Jomoco’s fictional employees made common mistakes when protecting their professional and personal data online, including sharing sensitive information via email and reusing passwords across multiple sites. Then we sat back and let the real cyber criminals take it from there. … We didn’t wait long. Within an hour, and armed only with a personal email and login, hackers completely shut down Jomoco.” (Source: Entrepreneur.com)

Sony settles employee data breach suit for $8M. Remember the Sony Pictures hack that made news last year? Affected employees will finally see some restitution for the harm caused by (alleged) North Korean hackers, writes @edpettersson for Bloomberg: “Former employees alleged the company knew it had inadequate measures in place to protect its data and suffered breaches twice before last year’s attack. The former employees claimed Sony made a ‘business decision to accept the risk’ of losses associated with being hacked. … Some ex-employees claimed in July that identity thieves had attempted to use their credit cards and were trying to sell their personal data on black market websites.” (Source: Bloomberg)

#DataInsecurity news of the weird: PA man gets two years for hiring hackers to erase court records. (H/T @PogoWasRight) “A Harrisburg man will serve at least two years in prison for recruiting a computer hacker to wipe out fines he owed to Lancaster County. … Landis posted an advertisement on Craigslist for a hacker who could erase records of more than $16,000 he owes for victim restitution, fines, and court costs.” (Source: ABC 27)

Upcoming Events

Postponed – U.S. Cyber Crime Conference
Originally scheduled for National Harbor, Nov. 18-20. Make-up date/location TBD.

Nov. 5 – After the Shift: Securing Tomorrow’s Payment Technology – Washington, DC
The recent shift to chip technology in credit and other payment cards aims to reduce fraud and better protect consumer data. But as cyber threats become more sophisticated, what are the financial services and tech industries doing to stay ahead? Speakers to include: Sen. Gary Peters (D-MI), Sen. Mike Rounds (R-SD), Rep. Ed Perlmutter (D-CO-7)

Nov. 5 – Start with Security – Austin, TX
This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. Aimed at start-ups and developers, this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response.

Jan. 14, 2016 – PrivacyCon – Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

National Consumers League
Published November 4, 2015