The #DataInsecurity Digest | Issue 21

Issue 21 | May 25, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: LinkedIn’s data breach woes won’t die. The company’s 2012 breach was apparently much worse than previously thought: 167 million account credentials worse. Former FDIC Chair Sheila Bair was apparently among the dozen or so senior officials at the banking agency whose personal information was disclosed, thanks to an “advanced persistent threat” that attacked 90 workstations at the FDIC.

Staffers on the Hill may have a harder time checking their personal email after the House IT department cut off access to Yahoo! Mail in response to a widespread ransomware attack on Congressional computers. If there’s a ransomware problem on the Senate side of Congress, Senators Graham and Whitehouse are on the case. Their hearing last week was intended to highlight the harm that ransomware causes to businesses and consumers, and to highlight efforts to beef up law enforcement’s anti-ransomware abilities. The FTC will also be taking up the ransomware fight on September 7, when it focuses on the problem as part of its Fall Technology Series.

With all this persistent bad news on the data security front, is it any surprise that the NTIA found that one in two Internet users admitted they changed their online activity out of concerns for their privacy and security?

And now, on to the clips!

—————– 

The plot thickens: 167 million LinkedIn records for sale on the dark web. LinkedIn has announced that the 2012 breach that compromised 6.5 million login credentials is now much more extensive than they originally believed. The hacked information actually includes 167 million LinkedIn account credentials, 117 million of which contain both user emails and passwords. It is not clear whether the 167 million LinkedIn accounts include or are in addition to the original 6.5 million login credentials that were compromised by the same hack in 2012. News of the breach surfaced when the hacker Peace began selling the 167 million accounts for 5 bitcoins, or somewhere in the neighborhood of $2,300. (Source: Motherboard and PCWorld)

Check out Fraud.org for official info on the LinkedIn breach. When big breaches make news, phishing attacks that seek to capitalize on public fear about the breach are never far behind. These phishing attacks often take the form of fake data breach notification emails. To help fight back, NCL’s Fraud.org campaign’s “Latest Breaches” website is where you can find dependable information about particular breaches, including links to official info, when available, from the breached entities. Check it out here.

One in two consumers changing the way they use the Internet due to privacy and security concerns. @kansasalps has the scoop on a new 41,000-household survey from the National Telecommunications and Information Administration (NTIA), which shows that half of Americans report withholding from “doing basic things online—such as posting to social networks, expressing opinions in forums or even buying things from websites due to privacy and security concerns.” The disheartening report gives voice to the many who have been stating that #DataInsecurity is harming consumer confidence, and that action must be taken to protect individuals’ privacy and digital commerce. (Source: Washington Post)

Former FDIC head’s computer hacked. Former FDIC Chair Sheila Bair is believed to be a victim, along with 11 other FDIC executives, of a cyber attack that infiltrated more than 90 FDIC servers and computers, writes @JoeDavidsonWP. According to a recently disclosed 2013 report from the FDIC Office of Inspector General, cyber attacks in 2010 and 2011 penetrated the FDIC and “ultimately allowed the creation of valid administrator accounts providing full access.” The breach constituted an “advanced persistent threat … penetrated over 90 workstations or servers” according to the report. (Source: Washington Post)

Senate hearing takes aim at ransomware. It is “hard to overstate” the impact of ransomware on victims, said Department of Justice (DOJ) Acting Deputy Assistant Attorney General Richard Downing at last week’s Senate Judiciary Crime and Terrorism Subcommittee’s hearing on ransomware. The hearing brought together victims of ransomware attacks and industry to discuss threats and potential solutions, primarily the new bill from Senators Lindsey Graham (R-SC), Sheldon Whitehouse (D-RI), and Richard Blumenthal (D-CT), the Botnet Prevention Act of 2016, which aims to hinder cyber criminal ransomware operations by granting law enforcement expanded powers. (Source: SC Magazine)

House of Representatives’ ransomware attack causes Yahoo! Mail to be banned from House computers. Last week, reports surfaced that a ransomware attack occurred on a House computer via an email opened through a third-party email application such as Yahoo! Mail. House IT was able to contain the ransomware’s spread; however, as a result of the attack, the House Information Security Office announced that it “will be blocking access to Yahoo! Mail on the House Network until further notice.” Writes @kateconger: “if a representative’s data was ransomed, it’s not clear whether the ransom would be paid[.]” (Source: TechCrunch)

Teen dating site’s private messages not so private. Up until recently, the predominantly underage users of the popular teen dating site OurTeenNetwork had much of their private data viewable to the public due to an easily exploitable programming error, writes @lorenzoofb. The data included private messages, real names, and email addresses. The site’s administrator, Mora Lopez, explained how such an obvious flaw came to exist by writing that she “built the site in haste[.]” (Source: Motherboard)

Private information of China’s most prominent leaders posted on Twitter to protest China’s lack of privacy protections. The Twitter user @shenfenzheng, a gray hat hacker (who clearly takes issue with China’s anti-privacy policies), has released the personal information of dozens of China’s richest and most powerful citizens, including Jack Ma of Alibaba, in protest of the country’s lack of personal privacy protections. The breached data includes addresses, marital status, educational level, and national identification number (which encodes citizens’ birthdates and hometowns). Writes @pekingmike, “[T]he goal of @shenfenzheng appears to be to draw attention to the illegal selling of personal information in China, a widespread practice. Private investigators can buy troves of personal data to obtain information on companies or individuals.” (Source: New York Times)

89 percent of healthcare organizations experienced data breaches last year. More depressing news in the healthcare data security space as The Ponemon Institute released its Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. The study found that cyber attacks on healthcare organizations were again the leading cause of data breaches and that 50 percent of data breaches were the result of criminal activity. The report cited user error and stolen computers as the primary culprit for the other half of data breaches, and ransomware as the newest threat of 2016. (Source: PRNewswire)

“We can neither confirm nor deny…” whether the government is listening to your conversations through your Amazon Echo. That is the unsettling response that Gizmodo writer @paleofuture received from the FBI in regards to a Freedom of Information Act request filed to determine whether the FBI has ever used an Amazon Echo in its wiretapping operations. (Source: Gizmodo)

Leaked account information used to steal $12.7 million from ATMs across Japan. On the morning of May 15, counterfeit credit cards loaded with account information from an earlier South African bank data breach were used to steal 1.4 billion yen from roughly 14,000 ATMs across Japan. The theft took place in less than two hours, and Japanese authorities believe that 100+ individuals participated in the coordinated withdrawals. Preliminary evidence suggests that 1,600 credit cards were compromised. (Source: The Mainichi)

Employees viewed as not being knowledgeable about their company’s security risks. Only 35 percent of employees say that understanding how security risks and breaches affect their company is a priority for senior management, according to a new survey, which also found 60 percent of companies believe that their employees are not knowledgeable enough on their security threats. It appears that there is some miscommunication occurring between management and labor, one that must be fixed if we want to see the #1 cause of data breaches, employee error, decline. (Source: PR Newswire)

Sticks and stones may break our bones, but data breaches hurt us most. When given the choice, 18 percent of Americans would prefer to have their bones broken than have their payment information stolen. According to the same survey, conducted by Harris Poll, 12 percent would also prefer to be cheated on by their significant other than have their financial information compromised. (Source: icrunchdataNews)

Upcoming events

June 15 – FTC Start With Security – Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016, in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

National Consumers League
Published May 25, 2016