The #DataInsecurity Digest | Issue 34

Issue 34 | November 22, 2016

#DataInsecurity Digest: Rogers pick for DNI could steady Trump cybersecurity jitters, FriendFinder mega-breach, and more!

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: It appears as if the Trump transition team’s difficulty in filling top jobs is making cybersecurity officials nervous. The removal of former Representative Mike Rogers from the team, in particular, is causing jitters for those in charge of the country’s cybersecurity defenses. For government agencies that already have trouble attracting talent from the private sector, and where threats continue to grow, this could be a critical weakness for the incoming Administration. These worries may be allayed, however, if reports that Trump is considering current NSA Director Admiral Mike Rogers as his Director of National Intelligence prove accurate.

In other news, the need for better data security was underlined again with news of another mega breach. This time, 412 million accounts associated with the adult dating and entertainment company FriendFinder Networks were compromised. We also learned that 700 million low-end Android devices were secretly collecting and sending their users’ data to China. Meanwhile, Congress returned from recess to grapple with what options they have available to secure the Internet of Things.

And now, on to the clips!

—————–

Trump staffing problems include his cybersecurity team. Recruiting and retaining cyber talent in the federal government has always been a challenge. Due in part to the President-elect’s inflammatory statements and icy relationships with Silicon Valley, however, the Trump transition team may be having even more trouble than usual. @Reuters reports that “Susan Hennessey, a former attorney in the office of the general counsel at the NSA, said she has been urging people in the intelligence community to keep working in Trump’s administration because their expertise will be necessary to protect the country and resist potential abuses of executive power on issues such as surveillance. ‘In candor, I’m sad to be asking former colleagues whom I respect to consider setting aside their conscience in order to serve their country,’ said Hennessey, who now serves as managing editor of the national security blog Lawfare. ‘I can’t and don’t blame anyone who feels they can’t stay.’” (Source: Fortune)

Transition watch: Admiral Rogers floated for DNI. In the ranks of government cybersecurity defenders, few positions loom larger than Director of National Intelligence (DNI), a position that ensures that all of the nation’s 17 spy agencies are effectively sharing threat information, particularly about cyber threats. It’s for this reason that news that current National Security Administration head Admiral Mike Rogers is being considered as the next DNI by the Trump transition team is so important. Rogers has been at the forefront of warning about cyber threats from Russia and other adversaries at NSA and, before that, at the U.S. Cyber Command. As @damianpaletta and @AlanCullison report, “Adm. Rogers’s appointment as director of national intelligence could add a complication to the Trump administration, in which the president-elect wants to pursue closer relations to Russia, but where part of the national security establishment is suspicious of Moscow’s intentions.” (Source: Wall Street Journal)

Mega-breach du jour: 412 million FriendFinder Networks accounts hacked. Online dating and entertainment company FriendFinder Networks and its affiliate websites could have just sustained one of the largest data breaches in history. This reported hack, the company’s second in two years, is much larger than the previous one, which compromised 3.5 million accounts at the firm. @kansasalps reports that the hacked “data stretched back 20 years and included information such as usernames, emails, join dates and the date of a user’s last visit … Passwords were also included in the trove — the vast majority of them featured unsecured protections or none at all.” (Source: Washington Post)

IoT hearing turns on role of government in improving device security. Unsecured Internet of Things (IoT) devices were to blame for the crippling distributed denial of service (DDoS) attack on DNS provider Dyn, which knocked many popular websites offline last month. At last week’s House Commerce Committee hearing on the issue, all sides acknowledged the great threat posed by insecure IoT devices. However, there was still hesitation to support strict rules mandating IoT security standards, reports @alibreland. Communications subcommittee chair Greg Walden (R-OR) expressed concerns that “[t]he knee-jerk reaction might be to regulate the Internet of Things, and while I am not taking that off the table, the question is whether we need a more holistic solution.” Rep. Jan Schakowsky (D-IL) rebutted, saying that “we cannot count on IoT manufacturers to do the right thing on their own.” Security expert Bruce Schneier argued that data security in this space could be a market failure necessitating government action: “This is not something that the market can fix.” (Source: The Hill)

700 million Android phones secretly sending personal data to China. Security research firm @kryptowire has discovered that software was written into approximately 700 million low-end Android devices that “monitors where users go, whom they talk to and what they write in text messages,” and then sends the collected data to China every 72 hours. @mattapuzzo and @nytmike report that “[i]t was not a bug. Rather, Adups (the software manufacturer) intentionally designed the software to help a Chinese phone manufacturer monitor user behavior.” (Source: New York Times)

Feds able to gain access to 87 percent of mobile phones and electronic devices. Data security geeks and civil libertarians won’t soon forget the high-profile fight between the FBI and Apple when the agency pressured Apple to create a backdoor into the iPhone belonging to San Bernardino shooter Syed Rizwan Farook. Privacy advocates were therefore rightfully incredulous when the FBI’s General Counsel Jim Baker reportedly stated that of the 6,814 devices the FBI forensics teams attempted to access, they succeeded at an 87 percent rate, with only approximately 880 devices successfully evading investigators’ efforts. (Source: Motherboard)

Meet the future of DDoS attacks: “BlackNurse.” Researchers at the Danish firm TDC have discovered a new type of DDoS attack, one that requires far fewer resources to cripple its targets. @joeuchill reports that unlike typical DDoS programs, which leverage thousands of devices to storm a single website at once, “[i]n BlackNurse, a computer sends a low volume of a specific Internet Control Message Protocol (ICMP) error message that can overwhelm a firewall’s processor. It only requires a single computer with a decent Internet connection.” (Source: The Hill)

State Department given failing cybersecurity grade. Despite the State Department’s $1.92 billion IT budget, the department’s Office of Inspector General (OIG) still gave it failing cybersecurity grades in a new report. @HowellOneill reports that the OIG report “served as both a stark reminder of past failing grades and a warning that significant vulnerabilities are getting worse.” (Source: Cyber Scoop)

Quick hit: Donald Trump’s victory is good news for end-to-end encryption businesses. In the days after the election, the end-to-end encryption service Protonmail announced that its subscriptions have doubled. Protonmail CEO Andy Yen wrote that, “Regardless of which side of the political spectrum you are on, Trump’s control over the NSA is now an indisputable fact, and we think it is worth taking a closer look at what this means.” (Source: The Verge)

Obama uses the “red phone” for cybersecurity. It is no secret that cybersecurity experts, defense workers, and the White House feared Russian meddling leading up to the election. In the days after November 8, however, cyber defenders breathed a collective sigh of relief that no major cyber attacks had disrupted the election. @IgnatiusPos credits part of that to a message President Obama sent to Russia via a secret crisis message system meant to defuse potential nuclear situations between the two superpowers. Reportedly, “the message was sent on a special channel created in 2013 as part of the Nuclear Risk Reduction Center, using a template designed for crisis communication. ‘It was a very clear statement to the Russians and asked them to stop their activity,’ a senior administration official said, adding: ‘The fact that we used this channel was part of the messaging.’” (Source: Washington Post)

Upcoming events

January 12, 2017 – PrivacyCon – Washington, DC
The FTC will host its second PrivacyCon conference “to continue and expand collaboration among leading whitehat researchers, academics, industry representatives, consumer advocates, and the government to address the privacy and security implications of emerging technologies.”

May 24, 2017 – Planning for the Future: A Conference About Identity Theft – Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

National Consumers League
Published November 22, 2016