The #DataInsecurity Digest | Issue 67

As cyber threats continue to grow, White House looks to eliminate top cyber job

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The White House raised eyebrows this week when several sources reported that the new National Security Advisor, John Bolton, was lobbying the President to eliminate the role of special assistant to the president and cybersecurity coordinator. The position is currently held by the departing Rob Joyce.

Meanwhile, Equifax provided further details into the types of data its massive 146 million account breach compromised. Facebook, in response to the Cambridge Analytica scandal, suspended 200 applications while it looked into their data handling practices.

And now, on to the clips!

—————–

John Bolton is lobbying for the elimination of top cyber security job. As Iran raisers its cyber attacks in response to the US decision to pull out of the Iran deal, the White House is considering eliminating a key cyber post charged with protecting America from foreign state hackers. @ericgeller reports that “[c]ybersecurity experts and former National Security Council officials expressed alarm at the idea of eliminating the job, saying it would undo much of the progress the U.S. has made on cyber efforts and send the wrong message about U.S. priorities in the digital domain.” (Source: Politico)

Further details of Equifax breach released. Prior to Equifax’s latest disclosure, we knew that the breach had affected more than 146 million people, but we did not know the number of the records that were compromised. Equifax is now acknowledging that the compromised records included “146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers’ licenses and 3,200 passport details.” (Source: The Register)

Personal data breaches, phishing scams among the top cyber crimes reported to the FBI in 2017. The FBI released its 2017 Internet Crime Complaint Center (IC3) Internet crimes report which “represents a total of 301,580 complaints with reported losses in excess of $1.4 billion. The top three crime types reported by victims in 2017 were non-payment/non-delivery, personal data breach, and phishing.” (Source: FBI)

Breach du jour: Chili’s. Last week, the restaurant chain learned that some of its customers’ payment cards had been compromised. @justinlmack reports that “Preliminary investigation indicates that malware was used to gather payment card information, including credit and debit card numbers, as well as names of cardholders who made in-restaurant purchases.” (Source: USA Today)

Breach du jour part deux: 3M Facebook users. Facebook users who took a personality quiz had their data stored on a website whose access codes were googleable. While the dataset did not include users’ names, in many cases it contained their ages, genders, and relationship statuses. For 150,000 people, it even contained their status updates. @Jake_K observes that while “a leak of 3 million users’ data is far smaller than the 87 million obtained by Cambridge Analytica, the story still serves as another warning of how easily this information can spread around and just how detailed it can be… even though the data was supposed to be anonymized, New Scientist points out that it easily could have been re-identified using the extra Facebook information attached to each personality test.” (Source: The Verge)

Quick hit: In related news, Facebook suspends 200 apps to investigate potential misuses of data. (Source: Quartz)

Twitter urges users to change their passwords. While there is no evidence that user passwords were compromised, a bug in the password hashing process caused user passwords to be “saved in plain text to an internal log, instead of masking them with the hashing process.” @cgartenberg observes tht while “Twitter hasn’t revealed how many users’ passwords may have potentially been compromised or how long the bug was exposing passwords before it found and fixed the issue … [t]he fact that the company is urging its entire user base to change their passwords indicates that it would seem to be a significant number of users.” (Source: Verge)

California teen phishes teachers to successfully change grades. Phishing attacks are usually used to perpetrate identity theft or to drain bank accounts. David Rotaro, a California student, used a phishing attack to change students’ grades at his school. Rotaro “created a fake website that looked identical to the school’s and then sent emails to teachers in an attempt to get them to sign into his fake site. At least one did, which allowed Rotaro to collect their login and password info. He then reportedly used that information to get into the Mount Diablo Unified School District IT network where he then changed other students’ grades — he even lowered some.” Rotaro now faces 14 felony charges. (Source: Yahoo!)

Events

August 9-12, 2018 – DEF CON 26 – Las Vegas, NV
DEF CON is the world’s longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

National Consumers League
Published May 17, 2018