The #DataInsecurity Digest | Issue 41

Issue 41 | March 15, 2017

#DataInsecurity Digest: WikiLeaks not as bad as we thought? Average zero-day lasts nearly seven years. Breach costs Yahoo’s Mayer $2M.

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: WikiLeaks strikes again with a massive 7,818 page leak detailing the CIA’s extensive cyber-espionage and hacking tactics. But upon closer review, it appears that the CIA’s methods may have relied, at least somewhat, on vulnerabilities that have been disclosed by academics and other open source materials. Exploiting zero-day vulnerabilities is a key tool for government and criminal hackers. According to a ground-breaking new study from RAND, the average zero-day can remain undisclosed for nearly seven years—underscoring their value to governments and criminals alike. The Yahoo breach fallout continues with a new Morning Consult consumer perception survey showing that the breach cost the company dearly in the eyes of consumers. The breach will also hit Yahoo CEO Marissa Mayer’s pocketbook—to the tune of a $2 million cash bonus she’ll have to forego.

And now, on to the clips!

—————–

Wikileaks publishes CIA hacking methods. Last Tuesday, WikiLeaks published their largest trove of classified documents yet. The Washington Post states that more than 7,818 web pages with 943 attachments allegedly reveal “secret cyber-tools used by the agency to convert cellphones, televisions and other ordinary devices into implements of espionage.” (Source: Washington Post)

But…is the leak as bad as it sounds? UNC cyber expert @zeynep tells us to step back and consider that the WikiLeaks documents don’t actually reveal that the CIA has broken encryption on secure messaging apps like Signal and WhatsApp. She writes, “[n]either Signal nor WhatsApp, for example, appears by name in any of the alleged C.I.A. files in the cache. … More important, the hacking methods described in the documents do not, in fact, include the ability to bypass such encrypted apps — at least not in the sense of ‘bypass’ that had seemed so alarming. Indeed, if anything, the C.I.A. documents in the cache confirm the strength of encryption technologies.” (Source: New York Times)

RAND: Average zero-day vulnerability remains undiscovered for nearly seven years. The impact of zero-day vulnerabilities—undisclosed errors in computer code that can allow hackers to access systems undetected—typically lasts years, according to a fascinating new study from RAND Corporation. The study examined 200 real-world zero-day vulnerabilities and found varying incentives for white hat, grey hat, and government researchers to disclose or stockpile zero-day vulnerabilities. Whether and how to disclose zero-day vulnerabilities has been at the heart of a bubbling controversy in the data security world—a controversy that WikiLeaks cited in its decision to leak CIA hacking tools. (Source: RAND)

Yahoo cuts chief executive’s pay and beefs up cyber security. In the aftermath of Yahoo’s massive data breaches, the board undertook an investigation which found that Chief Executive Officer Marissa Mayer and other senior executives failed to “properly comprehend or investigate” the breach. The Wall Street Journal reports that as a result of the investigation, “Yahoo’s board won’t award Ms. Mayer her 2016 cash bonus, and accepted her offer to forgo her 2017 equity awards… The board also directed Yahoo to beef up its cybersecurity measures.” (Source: Wall Street Journal)

Quick hit: Yahoo’s favorability amongst consumers takes a 10-point hit. A Morning Consult study found that following the unprecedented breach at Yahoo, American consumers’ perception of the company declined from a 73 percent favorability rating on December 17 (just a few days after the breach) to 63 percent on December 25. (Source: Morning Consult)

Breach du jour: 800,000 CloudPets user accounts. CloudPets, one of the many companies making “smart toys” that allow kids to communicate with distant loved ones through a stuffed animal, accidentally left 800,000 user accounts exposed online for anyone to discover. Motherboard reports that the data included emails, passwords, and over 2 million private voice messages exchanged between kids and loved ones. (Source: Motherboard)

Hackers target oil industry. The Associated Press reports that the Department of Homeland Security “received reports of some 350 incidents at energy companies from 2011 to 2015… Over that period, the agency found nearly 900 security flaws within U.S. energy companies, more than any other industry.” The Associated Press argues that the numerous security flaws, coupled with the opportunity to cause catastrophic damage, make the energy sector a prime target for hackers. “You could mess with a refinery or cause a vessel to explode,” explained former FBI agent Richard Garcia. (Source: ABC News)

Quick hit: How are botnet armies created? Check out this great infographic from Reuters that explains how hackers take over devices and launch distributed denial of service (DDoS) attacks. (Source: Reuters)

Home Depot pays out $25 million to settle data breach class action. Law 360 is reporting that after years of litigation, Home Depot agreed to “resolve a putative class action brought by financial institutions after a 2014 data breach that compromised 56 million credit and debit card numbers.” (Source: Law 360)

White House’s chief information security officer removed. Cory Louie, an Obama-appointed security expert who was charged with keeping senior staff and the president safe from cyber attacks, was removed from his job last week. ZDNet reports that while the circumstances surrounding his sudden departure are unknown, it’s believed he was either fired or asked to resign last Thursday evening. (Source: ZDNet)

Upcoming events

May 24, 2017 – Planning for the Future: A Conference About Identity Theft – Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts, and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

May 25, 2017 – Workshop on Technology and Consumer Protection (ConPro ’17) – San Jose, CA
At this year’s 38th IEEE Symposium on Security and Privacy, a Workshop on Technology and Consumer Protection (ConPro ’17) will explore computer technology’s impact on consumers, with a special focus on privacy and ways in “which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers.” ConPro ’17 aims to bring together academic and industry researchers along with government officials.

National Consumers League
Published March 15, 2017