The #DataInsecurity Digest | Issue 74

Administration claims Russian hacking threat being taken seriously; evidence suggests otherwise

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Despite vocal assurances from senior leaders within the Trump Administration that they are doing all they can to secure our digital infrastructure and elections, cyber experts remain concerned over the lack of concrete steps being taken. This concern has only grown with the string of agency-level cybersecurity failures in recent months. And despite new threats like cryptojacking and “sextortion,” consumer uptake of digital hygiene technology like password managers remains low.

And now, on to the clips!

—————–

Senior intelligence officials stress their commitment to securing the midterm elections during White House press conference. @shaneharris and @feliciasonmez report that while the press conference “did not offer new details about any attacks or announce new policies, their show of unity just steps from the Oval Office appeared aimed at easing public concerns about President Trump’s public skepticism of Russia’s intentions.” However, when National Security Agency Director Paul Nakasone, the individual who has the authority to attack and disable foreign computer networks, was asked what orders he had been given to counteract Russian interference, he didn’t answer the question directly and instead responded that, “We’re not going to accept meddling in the elections.” (Source: Washington Post)

Democrats remain concerned over lack of action taken to secure elections. In a letter that was sent out the same day as the White House press conference, a group of senators wrote that National Security Advisor John Bolton continues to ignore their requests for action and that “Republicans in the Senate [need] to reconsider their position blocking critical funding requested by 21 states to bolster election security ahead of the midterms.” (Source: The Hill)

Nearly two years into the Trump Administration, VPOTUS gives first cybersecurity speech. In the speech, Vice President Mike Pence commented that “[w]hile other nations certainly possessed the capability, the fact is Russia meddled in our 2016 elections.” @D_Hawk notes that “despite the tough rhetoric from Pence and other top administration officials, the broader conference highlights only incremental steps the administration is taking to address the problem.” (Source: Washington Post)

Despite rhetoric, government agencies continually fail to take basic steps to secure data. @D_Hawk offers a sobering report on the most recent slew of federal cyber vulnerabilities: “A top lawmaker on Capitol Hill sounded the alarm about agencies’ use of a web program widely known to be outdated and vulnerable. Across town, the Government Accountability Office revealed in a new report that agencies still hadn’t implemented hundreds of recommendations to shore up their cyberdefenses. And even the watchdog at the National Security Agency, which is tasked with defending U.S. communication systems, rebuked the agency for failing to properly safeguard sensitive data stored in its networks.” (Source: Washington Post)

‘Breach fatigue’ one reason only 12 percent of consumers use password managers. Despite repeated warnings from cybersecurity experts, consumer uptake of good data hygiene practices like password managers remains low, reports @MeleChristopher. “A ‘recency bias’ leads consumers to believe that as a breach recedes in the headlines, it becomes less threatening, … [h]owever, the data in the Equifax breach does not have a half-life and could be used for nefarious purposes at any point.” (Source: New York Times)

Every Republican and Democratic FTC commissioner implored Congress to grant the agency rule-making authority on data privacy issues. At a congressional oversight hearing, each commissioner explained the Commission’s need for more tools to protect consumers. Commissioner Chopra commented that the FTC’s “existing toolkit won’t do the trick… We need the ability to deter misconduct through financial penalties and sensible safeguards that can evolve with the marketplace.” (Source: Adexchanger)

Equifax agrees to a consent decree with eight states, avoiding a financial penalty. However, under the terms of the agreement Equifax must perform a detailed assessment of cyber threats, boost board oversight of cybersecurity, and improve processes for patching known security vulnerabilities. The consent decree was approved by regulators in Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas. (Source: Reuters)

Quick hit: Equifax breach was a little more than a year ago today. @lillyhnewman provides a look back at the catastrophic breach. (Source: Wired)

Cryptojacking displaces ransomware as greatest cyber threat. For those of you not yet familiar with the term, @TheEbizWizard explains that “cryptojacking is where an attacker surreptitiously installs cryptocurrency mining software on a target system. The software – which may not even technically be malware – consumes processor cycles and their requisite electricity to process cryptocurrency transactions, thus earning the attacker a commission, usually in the anonymous cryptocurrency Monero.” (Source: Forbes)

New ‘sextortion’ scam utilizes breached passwords to blackmail victims. @briankrebs reports that victims of this new scam receive an email from a fraudster falsely claiming to have “compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. What spooked people most about this scam was that its salutation included a password that each recipient legitimately used at some point online.” (Source: Krebs on Security)

Upcoming Events

August 9-12, 2018 – DEF CON 26 – Las Vegas, NV
DEF CON is the world’s longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

October 2018 – National Cybersecurity Awareness Month
Every October, the National Cybersecurity Alliance organizes the National Cybersecurity Awareness Month to address specific challenges and identify opportunities for behavioral change. (Source: Stay Safe Online)

National Consumers League
Published August 9, 2018