National Consumers League

The #DataInsecurity Digest | Issue 77

Warren: A year after Equifax, it doesn’t look like we’re any safer

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: The one-year anniversary of the Equifax breach is prompting a flurry of complaints from policymakers at the lack of action in Congress and elsewhere to better protect consumers’ sensitive data. For example, Sen. Warren and Rep. Cummings may be previewing lines of questions at the next week’s privacy hearing where representatives of Big Tech (but no consumer advocates) are slated to testify. Meanwhile, the discovery of a new hardware vulnerability in Intel chips could put nearly every computer at risk of a new hacking technique that has no easy fix. Finally, the telecoms are plugging their new Project Verify as a way to address the broken username + password authentication system. Security researchers like Brian Krebs are less than confident in the new tech.

And now, on to the clips!

-----------------

More than a year after the Equifax breach, Sen. Warren (D-MA) and Rep. Cummings (D-MD) ask why the FTC and CFPB have not taken any action. In a letter, the legislators write “[i]n response to Congressional inquiry into your investigations, you reaffirmed your commitment to protecting consumer privacy, promoting data security, and using your agencies' authorities to address wrongdoing by CRAs. Yet, to date, your agencies appear to have taken no definitive action to hold Eqtlifax accountable.” (Source: Senator Warren)

Hearing watch: Six tech companies including Amazon AT&T, Twitter, and Google will detail their consumer data privacy practices to a U.S. Senate panel on Sept. 26. Commerce Committee Chairman John Thune (R-SD) commented that the hearing will provide “an opportunity to explain their approaches to privacy,” and identify what “Congress can do to promote clear privacy expectations without hurting innovation.” (Source: Reuters)

‘Nearly all’ laptops and desktops—both Windows and Mac users—vulnerable to new attack that can steal sensitive data in minutes. @nxsollek comments that there is no easy fix for the security flaw. “Unfortunately, there is nothing Microsoft can do, since we are using flaws in PC hardware vendors’ firmware,” said security consultant Olle Segerdahl. “Intel can only do so much, their position in the ecosystem is providing a reference platform for the vendors to extend and build their new models on… Companies, and users, are on their own.” (Source: TechCrunch)

Could Project Verify be the replacement to passwords we’ve been waiting for? Project Verify and the four major mobile companies behind it say that it could “improve online authentication because they alone have access to several unique signals and capabilities that can be used to validate each customer and their mobile device(s). This includes knowing the approximate real-time location of the customer; how long they have been a customer and used the device in question; and information about components inside the customer’s phone that are only accessible to the carriers themselves, such as cryptographic signatures tied to the device’s SIM card.” However, as @briankrebs points out, “A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are,” through the proliferation of the SIM Swap Scam.” @ncweaver worries “this new solution could make mobile phones and their associated numbers even more of an attractive target for cyber thieves.” (Source: Krebs on Security)

Data management company mismanaged 440 million of their users’ records. Security researchers recently discovered that Veeam “exposed [a] database containing more than 200 gigabytes of customer records, mostly names, email addresses, and in some cases IP addresses. That might not seem like much but that data would be a goldmine for spammers or bad actors conducting phishing attacks.” (Source: TechCrunch)

Suggested reading: The art of shaming. @troyhunt posits how shaming companies is sometimes effective in getting them to take action to improve their security. “What public shaming does is appeals to a different set of priorities…” @troyhunt argues that while flagging lackluster security to developers doesn't always work, public shaming will often serve as a catalyst for action. (Source: troyhunt.com)

Cyber experts warn of increased data insecurity in wake of Hurricane Florence. Cyber experts warn that as companies in harm's way “shift technology operations to backup sites and issue emergency equipment … systems and data can be exposed...Think of a crab shedding its shell. Moving from one to another is the most vulnerable time.” (Source: Wall Street Journal)

Upcoming Events

October 2018 - National Cybersecurity Awareness Month
Every October, the National Cybersecurity Alliance organizes the National Cybersecurity Awareness Month to address specific challenges and identify opportunities for behavioral change. (Source: Stay Safe Online)

National Consumers League
Published September 20, 2018