National Consumers League

Pages tagged "privacy"

The #DataInsecurity Digest | Issue 79

Google+ user data compromised, GAO reports on weapon vulnerability, CA legislating stronger passwords

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Big Tech again found itself in the headlines after Google revealed that hundreds of thousands of Google+ users may have had their personal data compromised. Even more disturbingly, a GAO report rocked Washington when it found that many (if not all) of our recently manufactured weapons are vulnerable to hacking. California provided a little solace to its hacker-plagued residents when it passed a law requiring stronger default passwords for connected devices.

And now, on to the clips!

-----------------

Breach du jour: Hundreds of thousands of Google+ users. @dmac1 and @bobmcmillan report that a “software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue.” The software giant then “opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage,” and that disclosure would trigger “immediate regulatory interest.” (Source: Wall Street Journal)

Google faces Congressional scrutiny. In the aftermath of Google’s breach, Senator Richard Blumenthal (D-CT) said that Google, which is currently operating under an FTC consent decree, “must explain its unwillingness to disclose this breach and the FTC must conduct a fulsome investigation. But to truly end this cycle of broken promises, we need a national privacy framework that protects consumers and empowers the FTC to hold companies accountable.” (Source: Washington Post)

Facebook says its largest security lapse to date was smaller than originally thought. Originally, Facebook estimated that 50 million users had their personal data compromised between July 2017 and September 2018. It now believes the number to be closer to 30 million. @KirstenGrind reports that, “of the 30 million impacted, Facebook said 14 million were the most affected. They had their names and contact details--including phone numbers and email addresses--accessed, along with such data as their gender or relationship status, as well as the last 10 places they checked into or 15 most recent searches. Fifteen million others had their names and contacts accessed.” (Source: Wall Street Journal)

All of the United States military weapons made in the last five years are susceptible to hacking. A bombshell GAO report found that “from 2012 to 2017, (Department of Defense) testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.” @rabrowne75 reports that “one of the reasons that the weapons systems are so vulnerable to cyber-attack is their connectivity to other systems, something long seen by the Pentagon as an advantage.” (Source: CNN)

California bans weak default passwords. Starting in 2020, every connected device made or sold in California must have a unique default password. Previously, “easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.” The law will require strong passwords and “allows customers who suffer harm when a company ignores the law to sue for damages.” (Source: BBC)

Quick hit: Government website administrators to begin using two-factor authentication. “Federal and state employees responsible for running government websites will soon have to use two-factor authentication to access their administrator accounts, adding a layer of security to prevent intruders from taking over dot-gov domains.” (Source: Washington Post)

Op-ed watch: Data security is about to get much worse. @schneierblog argues that security risks “are about to get worse because computers are being embedded into physical devices and will affect lives, not just our data. Security is not a problem the market will solve.” @schneierblog further argues that data security is a market failure that requires good government regulations as “buyers can't differentiate between secure and insecure products, so sellers prefer to spend their money on features that buyers can see.” (Source: New York Times)  

Kanye reveals his woefully poor cyber hygiene. In a meeting with President Trump, the rapper received wide criticism after a clip of him “mashing the ‘0’ button as he unlocked his iPhone to show Trump a picture of a hydrogen-powered airplane he said could replace Air Force One went viral...” inadvertently revealing his six-digit security key of “000000” to the world. (Source: Washington Post)

Events

October 2018 - National Cybersecurity Awareness Month
Every October, the National Cybersecurity Alliance organizes the National Cybersecurity Awareness Month to address specific challenges and identify opportunities for behavioral change. (Source: Stay Safe Online)

Published October 18, 2018


The #DataInsecurity Digest | Issue 73

Cyber threats are ‘blinking red’ as U.S. readiness struggles continue

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: While Director of National Intelligence Dan Coats was raising the alarm to lawmakers last week over the United States’ lack of cybersecurity readiness, cybersecurity issues continued to plague American businesses–especially concerning given new research that data breaches are more financially devastating to U.S. companies than to any others around the globe. In further bad news for businesses, researchers have found a site on the dark web that is selling backdoors to computers (including three at a single international airport) for a mere $10. Finally, Russian state-sponsored hacking has compromised “hundreds” of American electrical utilities, potentially giving adversaries the power to literally turn out the lights on millions of U.S. consumers.

And now, on to the clips!

-----------------

Director of National Intelligence Dan Coats: Cyber threat warnings are ‘blinking red.’ The top intelligence official compared America’s current cyber threat with pre-9/11 characterizations of our preparedness for terror attacks. “‘Here we are nearly two decades later and I’m here to say the warning lights are blinking red again,’ Coats said.” (Source: Washington Post)

Russians ‘could have thrown switches’ at utilities. State-sponsored Russian hackers have compromised “hundreds” of supposedly secure American electric utilities and possess the ability to cause blackouts, said Department of Homeland Security officials this week. “‘They got to the point where they could have thrown switches’ and disrupted power flows, said Jonathan Homer, chief of industrial-control-system analysis for DHS.” (Source: Wall Street Journal)

The government continues to struggle with sharing cyber threat intelligence. Last week, at a Washington Post Live event, current and former policymakers lamented that “the U.S. government needs [to] do a better job sharing cyber threat information with the private sector if it’s going to defeat increasingly complex cyberattacks from nation states. …” During the event, government officials acknowledged they “have been too focused on trying to get companies to share information with them -- and less on sharing with private companies who want threat intelligence the government detects.” (Source: Washington Post)

Data breaches cost U.S. companies more in 2018 than foreign counterparts. A new report from Statistica shows that American companies “paid significantly more on average for every data breach in 2018 than [did] companies in any other country — a little over $3 million more than companies in runner-up Canada, and more than twice [as much] as everyone other than Canada, Germany, and France.” (Source: Business Insider)

Backdoors into your computer could be for sale on the dark web for $10. A dark web store is advertising backdoors into computer systems and offering tips on how to use the logins without being caught. In one frightening case, cybersecurity researchers examined the IP addresses of compromised machines advertised on the store’s site “to discover that three belonged to a single international airport. ‘This is definitely not something you want to discover on a Russian underground RDP shop,’ said John Fokker, head of cyber investigations for McAfee Advanced Threat Research.” (Source: ZDNet)

2018 has not been a good year for cybersecurity. With a little more than half of 2018 behind us, we have a pretty good idea of what is going well and what isn’t in the cybersecurity space. @lilyhnewman reports that, while “there haven't been as many government leaks and global ransomware attacks as there were by this time last year... that's pretty much where the good news ends. Corporate security isn't getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated.” (Source: Wired)

Quick hit: None of Google’s 85,000 employees has been the victim of a phishing attack since the company began requiring them to use physical security keys to log into their workspaces in early 2017. (Source: Krebs on Security)

Advocates raise concern over CFPB nominee Kraninger’s questionable data security track record. While working at DHS, Kathy Kraninger advocated for a biometric data collection program that would later be criticized by the GAO for “significant information security control weaknesses.” (Source: Allied Progress)

SEC opens probe against Facebook. The SEC has now acknowledged that it is investigating whether Facebook “adequately warned investors that developers and other third parties may have obtained users’ data without their permission or in violation of Facebook policies.” (Source: Wall Street Journal)

Upcoming Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

October 2018 - National Cybersecurity Awareness Month
Every October, the National Cybersecurity Alliance organizes the National Cybersecurity Awareness Month to address specific challenges and identify opportunities for behavioral change. (Source: Stay Safe Online)

Published July 26, 2018


The #DataInsecurity Digest | Issue 72

Data broker leaves 340M consumers’ most personal data unsecured

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: As the cyber community assesses President Trump’s Supreme Court nominee’s views on privacy and the 4th Amendment, data breaches continue to plague businesses and make headlines. Last week, a data broker left the intimate details of 340 million consumers unsecured online. Likewise, Ticketmaster found itself in the midst of a massive data breach whose scope is not yet fully known. With the midterm elections looming in less than four months, Congress is letting the administration know of its displeasure with the lack of cyber leadership from the White House.

And now, on to the clips!

-----------------

Data broker Exactis left nearly 340 million consumer profiles unprotected and easily discoverable. While the records did not contain Social Security Numbers, they did include “more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel. …” The data trove also includes information on individuals’ children and other details, including “phone numbers, home addresses, email addresses, and other highly personal characteristics for every name.” (Source: Wired)

Senate Commerce Committee convenes hearing on Spectre and Meltdown vulnerabilities. In the hearing, Sen. Bill Nelson (D-FL) complained that “seven months [was] too long for the companies to wait before disclosing major vulnerabilities.” In response, the companies testifying pointed out that they were mainly focused on informing the affected companies first. However, @alfredwkng reports that some senators rebutted this, pointing out that “companies notified Chinese companies about Spectre and Meltdown before the US government.” (Source: CNET)

SCOTUS nominee Brett Kavanaugh has a track record of opposing net neutrality and privacy. @alfredwkng reports that Kavanaugh believes that the “NSA's surveillance program was consistent with the Fourth Amendment, even without a warrant, citing that ‘In my view, that critical national security need outweighs the impact on privacy occasioned by this program.’” The justice also “sided against net neutrality in a 2017 dissent, arguing that it was ‘one of the most consequential regulations ever issued by any executive or independent agency in the history of the United States.’” (Source: CNET)

Lawmakers aim to force Trump to act on cybersecurity. The Senate Armed Services Committee added language to the must-pass defense reauthorization bill that would require the administration to develop a cyberwar doctrine. @D_Hawk reports that “[t]he move highlights mounting frustration with what lawmakers see as a woefully insufficient strategy for responding to cyberattacks, and shows they’re serious about holding officials to their tough rhetoric.” As Sen. Ben Sasse (R-NE) recently said, “Let's not sugarcoat it: Washington is dangerously unserious about cybersecurity. … We're decades into the era of cyberwar and we're still playing catch-up.” (Source: Washington Post)

Cyber lamentations: The cost of doing nothing. In a July 4 piece, New York Times opinion columnist @NickKristof provided a sobering look at the path ahead if nothing is done to improve America’s cybersecurity. Kristof recounted that when Gen. Paul Nakasone, head of the U.S. Cyber Command, was asked in his 2018 confirmation hearings what he thought would happen if our enemies attack us in cyberspace, Nakasone replied, “They do not think much will happen. They don’t fear us.” (Source: New York Times)

Ticketmaster breach grows to affect U.S. website and possibly 800 additional e-commerce sites. Security researchers @RiskIQ believe that the “Ticketmaster breach was far bigger than first thought, after several of its global sites -- including its US site, which had initially ruled out being affected -- [were] running code from another third-party company that had also been compromised.” (Source: ZDNet)

Equifax agrees to a consent decree with eight states, avoiding a financial penalty. However, under the terms of the agreement, Equifax must perform a detailed assessment of cyber threats, boost board oversight of cybersecurity, and improve its processes for patching known security vulnerabilities. The consent decree was approved by regulators in Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas. (Source: Reuters)

Facebook’s new privacy settings may not be that consumer-friendly. Consumer Reports found that “the design and language used in Facebook's privacy controls nudge people toward sharing the maximum amount of data with the company.” The report also found that “users can’t make changes to default settings before completing the sign-up process. Facebook also directs new users through a confusing dashboard of policies to learn how to change settings, and in some instances users need to perform a dozen or more clicks and swipes to find and adjust the appropriate settings.” (Source: Consumer Reports)

Upcoming Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

Published July 12, 2018


Carpenter v. United States: Impacts on privacy legislation

The U.S. Supreme Court decision last week in Carpenter v. United States will shape the relationship consumers have with their wireless devices and the services they use every day for years to come. In a 5-4 decision, the Court held that by obtaining cell-site records, the U.S. government performed a search. By doing so without a warrant, this search was judged unconstitutional, violating petitioner Timothy Carpenter’s Fourth Amendment rights and reversing two previous decisions.


The #DataInsecurity Digest | Issue 71

New fraud related to OPM hack underscores growing threat of data breach fallout

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: The fallout from the OPM breach continues as media outlets have learned that criminals are using the data to take out fake loans. Demonstrating harm in data breach cases is often difficult for the individuals affected, but the OPM case gives a peek into how fraud can flow from breaches. Unfortunately, several new studies are suggesting that 2018 is not on track to provide any data breach relief for consumers. The Ponemon Institute estimates that 38 percent of public sector entities will suffer an attack, and two-thirds of small businesses don’t work to improve their cybersecurity in the aftermath of a breach, which sets them up for yet another breach. Good news, however, is that some victims of the Equifax breach are receiving a bit of relief in small claims court.

And now, on to the clips!

-----------------

Despite warnings of Russian interference in the midterm elections from top intelligence officials, White House remains silent. To fill the leadership void, members of Congress are stepping up by convening a summit next month to determine just how severe the threat is. “We’re getting so many mixed signals, depending on what the agency is,” said Senate Intelligence Chairman Richard Burr (R-NC). “It compels us to bring everybody together in the same room and try to figure out whether or not there’s some stovepipe issues.” (Source: Politico)

Four years after the OPM breach, we now know what criminals are using the data for. The Washington Post reports that “two people have admitted in Newport News federal court they used the stolen identities to take out fake loans through a federal credit union.” Left unexplained is how the individuals obtained the OPM information, as the hack was traced back to China and the criminals “were not accused of any hacking-related crimes.” (Source: Washington Post)

Quick hit: In 2017, the average data breach cost companies $3.6 million. The report also found the average cost per lost or stolen record was $141. (Source: Ponemon Institute)

Data breach victims are taking Equifax to small claims court and winning. While this may be good news, as one plaintiff—a small-business owner in San Francisco—put it, “I’m happy to get the money, but it’s not really over because I know my information has been leaked and you can never put it back.” (Source: New York Times)

Ponemon Institute estimates that 38 percent of public sector entities will suffer a ransomware attack this year alone. @jon_kamp and @scottmcalvert observe that “[p]ublic-sector attacks appear to be rising faster than those in the private sector.” However, @nppd_krebs notes that hackers generally don’t target specific cities, but instead are constantly searching for vulnerabilities wherever they may occur. “The trick about ransomware right now is that it’s typically not a targeted, focused attack,” says DHS’s Christopher Krebs. (Source: Wall Street Journal)

Employee negligence is perceived to be the main cause of data breaches by employers. A report by Shred-it found that “47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.” (Source: CNBC)

New report: Two-thirds of small businesses do not improve their data security after a hack. Perhaps unsurprisingly, the same report also found that 44 percent of small businesses suffered multiple attacks last year, according to a survey by insurer Hiscox. (Source: Associated Press)

FBI to World Cup fans: Leave your devices at home. The FBI is advising Americans to not take electronic devices with them “because they are likely to be hacked by criminals or the Russian government.” William Evanina, director of the U.S. National Counterintelligence and Security Center, warned travelers that “[i]f you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you—make no mistake—any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cybercriminals.” (Source: Reuters)

Upcoming Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

Published June 28, 2018


The #DataInsecurity Digest | Issue 70

The FCC 'hack' that never was; U.S. thought to be nation most vulnerable to hacking

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: Concern over John Bolton’s decision to eliminate the White House’s cyber coordinator position continued to grow this week, with more experts speaking out that the move could leave the United States more vulnerable to hacks. The FCC continues to face questions over the alleged hack of its complaint database after internal emails revealed that Commission staff purposely misled the media into thinking that the database was hacked (rather than reveal it had simply crashed from the overwhelming number of net neutrality comments submitted by the public).

Facebook remained in hot water after news came to light that it potentially violated its FTC consent decree by sharing users’ personal data with device manufacturers--even after users opted out of having their data shared.

And now, on to the clips!

-----------------

Cyber experts and lawmakers worry that Bolton’s decision to fire cyber coordinator will hurt U.S. cyber efforts. @ericgeller reports that “Both Republicans and Democrats are expressing concern that the White House is rudderless on cybersecurity at a time when hostile nations’ hackers are moving aggressively, inspiring fears about disruptive attacks on local governments, power plants, hospitals and other critical systems.” The consensus among lawmakers, former officials from the White House, the intelligence community, and the departments of Justice, Homeland Security, Defense and State “is that Bolton’s moves are a major step backward for the increasingly critical and still-evolving world of cyber policy.” (Source: Politico)

The FCC 'hack' that never was. In May of 2017, when the FCC was accepting comments on its plan to roll back net neutrality protections, Americans responded by flooding the FCC with comments in support of net neutrality. The deluge of comments was so large that the FCC’s comment collection system crashed. In the days that followed, the FCC would blame its inability to accept comments on hackers. @dellcam has now learned from internal FCC emails that senior FCC officials “purposely misled several news organizations, choosing to feed journalists false information, while at the same time discouraging them from challenging the agency’s official story...the agency conducted a quiet campaign to bolster its cyberattack story with the aid of friendly and easily duped reporters, chiefly by spreading word of an earlier cyberattack that its own security staff say never happened.” @dellcam reports that to sell their story, agency staff even spread misinformation about former Chairman Wheeler stating that he supposedly covered up a similar breach back in 2014. (Source: Gizmodo)

Facebook shares personal data with at least 60 device makers. “Some device partners can retrieve Facebook users’ relationship status, religion, political leaning and upcoming events, among other data.” In addition, @nytimes found that “Facebook allows the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing.” This revelation raises “concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission.” (Source: New York Times)

United States is the nation most vulnerable to a massive cyber attack. A report by Rapid7 concluded that “The United States leads all other countries in the 2018 exposure rankings, scoring the highest in nearly every exposure metric we measure.” (Source: Rapid 7)

Only 23 percent of people understand that wearable devices and connected toys for children need to have security protection. This is problematic as the “data collected by cybercriminals paints a picture of the children’s lives, making them vulnerable to all kinds of cybercrime and potential attacks.” (Source: Forbes)

Breach du jour: 26 million Ticketfly users. The online ticket marketplace has been taken down by hackers, and 26 million Ticketfly users have had their email addresses, home addresses, and phone numbers compromised. (Source: Motherboard)

Trump/Kim summit tests journalists’ cybersecurity IQ. Every journalist who was covering the historic summit received a goodie bag that included “a blue, innocent-looking mini USB fan. ... Not so hot about it was the information security community,” which warned that “the device could be a covert method of installing malware onto the computers of journalists covering the summit.” (Source: Mashable)

Events

August 9-12, 2018 - DEF CON 26 - Las Vegas, NV
DEF CON is the world's longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

Published June 14, 2018


The promise and peril of always-on ad filtering

Last year, we examined whether the growth of ad blocking was partly a logical response to consumers’ desire to reduce their data security risk. The catalyst for that blog post was Google’s announcement that it intended to include ad filtering-by-default in its Chrome browser, the most popular browser on the market. Earlier this year, that promise became a reality as Google rolled out an update to Chrome that included the ad filtering function.


Target CEO is out

This week, the CEO of Target, Gregg Steinhafel, resigned. He was unable to recover from the damage caused by a massive data breach at the company – which happened right in the middle of the holiday shopping season last year. Last December, Target announced that 40 million customers’ credit and debit cards and personal information had been compromised.  Steinhafel was with the company for 35 years.

Announcing the #DataInsecurity Project

Last December, millions of consumers busily rang up more than $600 billion in holiday purchases. Unfortunately, hackers were also having a field day — at consumers’ expense. We learned that lax security procedures combined with an insecure payment mechanism resulted in as many as 110 million shoppers at retail giant Target having their personal information compromised.


FTC report shines light on continuing problem of ID theft

In the world of fraud fighting, the release of the Federal Trade Commission’s Consumer Sentinel Data Book is something of a wonky holiday. Yesterday was no exception, with the agency publishing the annual report, which examines trends in the 2 million-plus complaints the FTC receives annually. The headline of the report was depressingly familiar: identity theft continued to be the biggest driver of complaints to the FTC for the 14th straight year. 

