The #DataInsecurity Digest | Issue 30

Issue 30 | October 13, 2016

#DataInsecurity Digest: Yahoo breach causing heartburn on Capitol Hill, multi-factor campaign launches, and more!

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: Welcome to National Cyber Security Awareness Month! Our colleagues at the National Cyber Security Alliance (NCSA) have teamed up with the White House to remind everyone that multi-factor authentication is critical to securing any important account. Now is the perfect time to turn it on, and NCSA’s LockDownYourLogin.com site is a terrific new resource for information on how to do so.

Unfortunately, the folks at Yahoo probably should have heeded this advice far sooner, since their breach headaches show no sign of going away. The mega-breach is just the latest argument for Congress to sort out its differences on a stalled breach notification/data security bill. The hits keep on coming for the beleaguered tech giant, with news that Yahoo was also helping U.S. intelligence agencies systematically scan its users’ emails. At least the deal with Verizon still appears to be on track, according to Verizon CEO Lowell McAdam.

In other data security news, the Obama Administration finally confirmed what most of us already assumed: Russia was in fact behind the hacks of the DNC and other organizations in an effort to cast doubt on the 2016 elections. Mike Orcutt’s deep dive into the issue for the MIT Technology Review should be required reading for anyone interested in the topic.

And now, on to the clips!

—————–

Yahoo screened all users’ emails at the request of the U.S. On the heels of Yahoo’s record-setting 500-million-account breach, @Reuters broke news last week that Yahoo systematically scanned each of its users’ email accounts at the request of U.S. intelligence agencies. @josephmenn reports that the practice ruffled feathers among senior Yahoo leadership, with Chief Information Security Officer Alex Stamos resigning over it. (Source: Reuters)

What exactly did Yahoo do? Yahoo received a government order to “search for messages containing a computer ‘signature’ tied to the communications of a state-sponsored terrorist organization.” @nytimes reports that, to meet this requirement, Yahoo customized an existing system originally designed to scan emails for child pornography and spam. “With some modifications, the system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature.” @charlie_savage reports, “This order was unusual as it involved the systematic scanning of all Yahoo users’ emails rather than individual accounts; several other tech companies said they had not encountered such a demand.” (Source: New York Times)

Yahoo breach putting pressure on Congress. @thehill reports that Senate Commerce Committee Chairman John Thune (R-SD) “is in talks with a handful of senators, some of whom have competing proposals, to address data breach rules.” Sen. Blumenthal (D-CT), a proponent of stronger data security protections, stated, “[T]his breach demonstrates the urgent need for Congress to enact data breach and security legislation — only stiffer enforcement and stringent penalties will make sure companies are properly and promptly notifying consumers when their data has been compromised.” (Source: The Hill)

Verizon-Yahoo deal still on. Verizon CEO Lowell McAdam was busy this week insisting that the breach won’t derail his company’s planned acquisition of the troubled tech titan. At an Internet Association event in California, McAdam stated that “the industrial logic of doing this merger still makes a lot of sense … I’m hoping we can get through all this stuff and get to the close,” reports @MsABalakrishnan. (Source: CNBC)

U.S. officially blames Russia for DNC hack. On Friday afternoon, the Office of the Director of National Intelligence and the Department of Homeland Security formally pointed the finger at Russia for a series of wide-ranging campaigns, including the DNC hack and other acts committed “to interfere with the U.S. election process.” (Source: CNN)

Breach du jour: Surgeon General’s office. @EricYoderWP reports that Surgeon General Vice Admiral Vivek H. Murthy told the commissioned corps, a group of 6,600 medical professionals who work in disease control and prevention, that their information, including their names, dates of birth and Social Security numbers, “may have been accessed by unauthenticated users who hacked the agency’s personnel system.” The number of individuals affected is not currently known; however, Murthy did state that the sensitive data of all “current, retired, and former Commissioned Corps officers and their dependents” was stored on the compromised personnel system. (Source: Washington Post)

Did hackers tamper with the World Anti-Doping Agency’s documents before leaking them? Since September 13, the suspected Russian intelligence hacking outfit Fancy Bear has been posting documents online from the World Anti-Doping Agency (WADA), believed to be retaliation for the agency’s role in banning the Russian track and field team from the Rio Olympics. WADA is now claiming that Fancy Bear’s released documents contained falsified statements. (Source: The Hill)

Trump releases cybersecurity agenda. Donald Trump declared that cyber “is the warfare of the future, America’s dominance in this arena must be unquestioned.” @nedtgov reports, “[t]he agenda promises to bolster both the government’s cyber defenses and its offensive capabilities, building forces with the ‘unquestioned capacity to launch crippling cyber counterattacks’ against foreign government or non state terror actors.” @Frank_Konkel remains skeptical, stating that, like Hillary Clinton’s plan, Trump’s plan does not “provide enough meat to seriously compare. Both call for increased investment in cybersecurity, mirroring actions Obama took this year and proposing $5 billion in additional cyber funding for fiscal 2017.” (Source: Nextgov)

Vulnerability of voter registration databases gets a hearing. Rice University Professor Dan Wallach recently expressed concern at a hearing before the House Committee on Science, Space, and Technology that a successful attack on voter files could effectively “disenfranchise significant numbers of voters.” Gregory Miller, cofounder of the Open Source Election Technology Foundation, argued that hackers could disrupt voter registration databases through digital poll books. “These systems are essentially computerized versions of the paper lists that poll workers have traditionally used to check in voters… officials in a number of jurisdictions have connected these to the Internet so they can conveniently send information about voter check-ins to other machines important for election management,” which opens them up to hacking. (Source: MIT Technology Review)

Upcoming event

January 12, 2017 – PrivacyCon – Washington, DC
The FTC will host its second PrivacyCon conference “to continue and expand collaboration among leading whitehat researchers, academics, industry representatives, consumer advocates, and the government to address the privacy and security implications of emerging technologies.”

National Consumers League
Published October 13, 2016