The #DataInsecurity Digest | Issue 25

Issue 25 | July 20, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: The FDIC is in Congress’ crosshairs after the agency covered up a significant breach perpetrated by Chinese hackers in 2012 to avoid derailing FDIC Chairman Martin Gruenberg’s confirmation hearing. Gruenberg claimed ignorance of such efforts in House testimony last week, but this is one breach whose impact is likely to linger given the super-charged election year atmosphere. In addition to the FDIC news, we also learned that the Wendy’s breach is significantly larger than originally reported, and Omni Hotels is the latest hotel chain to have been breached. In light of these and other numerous breaches, it’s not surprising that new data shows consumers are losing confidence that businesses can protect their data, according to Brunswick Insights. On a more exciting note, make sure to mark your calendars for the next issue of the #DataInsecurity Digest, which will feature an exclusive interview with FTC Commissioner Terrell McSweeny!

And now, on to the clips!

—————–

FDIC “Breachgate?” The House Committee on Science, Space and Technology released a report that found that not only did Chinese hackers install malware on 12 workstations and 10 servers (including those belonging to the general counsel, chief of staff, and chairman) at the Federal Deposit Insurance Corporation (FDIC), the FDIC also engaged in a cover-up of the breach. News of the breach came to light due to a separate investigation involving an October 2015 breach where 44,000 individuals had their personally identifiable information compromised by the FDIC (which the FDIC also neglected to inform Congress about). @CNNMoney reports that the FDIC’s Chief Information Officer Russ Pittman worked to directly mislead investigators: “One whistleblower, whose identity is not revealed in the report, claimed that Pittman ‘instructed employees not to discuss… this foreign government penetration of the FDIC’s network’ to avoid ruining [FDIC Chairman Martin] Gruenberg’s confirmation by the U.S. Senate in March 2012.” (Source: CNN Money and Ars Technica)

Gruenberg: “I can’t speak to the accuracy” of breach cover-up allegations. Grab your popcorn folks, this one is going to linger. In testimony before a House committee, FDIC Chairman Gruenberg claimed ignorance of efforts to cover up significant data breaches at the agency. Responding to questions about cover-up allegations from Rep. Don Beyer (D-VA), Gruenberg said, “I was certainly unaware, Congressman,” and that, “There hasn’t been a review of what actually occurred here. I would be cautious about the accuracy of the representation.” (Source: Wall Street Journal)

COMING SOON: #DataInsecurity Thought Leaders Series. As we mark the 25th edition of the #DataInsecurity Digest, we’re excited to announce that you’ll soon be seeing original content in the newsletter. From time to time, we’ll feature interviews with data security thought leaders and policymakers from Washington and beyond to get their insights on breaches and other data security threats and what’s being done to better secure our data. First up for our Aug. 3 Digest: FTC Commissioner Terrell McSweeny. Don’t miss it!

80 percent of North American Omni Hotels and Resorts breached. Last week, Omni Hotels announced that hackers stole payment-card information from point-of-sale systems at 49 of its 60 North American hotel and bar locations between December 23, 2015 and June 14, 2016. Andrei Barysevich, director of cybercrime research at Flashpoint, a cybercrime research firm, found that, since the breach, “more than 50,000 payment-card numbers related to the breach have been sold on criminal online forums by a hacker calling himself JokerStash.” Barysevich believes that the hackers used the same technique seen in the earlier attacks against Hyatt, Starwood, and Hilton. (Source: Wall Street Journal)

Wendy’s breach much meatier than initially thought. When news of a breach at Wendy’s first broke last fall, the company claimed that point-of-sale systems at fewer than 300 locations had been affected. This month, however, Wendy’s announced that the breach was much larger, actually affecting more than 1,025 store locations. The compromised payment data includes customer names, credit and debit card numbers, expiration dates, cardholder verification values (CVV), and service codes. @briankrebs points out that this breach was particularly hard on banks and credit unions. “Not long after a new card is shipped, these customers turn around and unwittingly re-compromise their cards, prompting institutions to weigh the costs of continuously re-issuing versus the chances that the cards will be sold in the underground and used for fraud.” (Source: Krebs on Security)

Library of Congress hacked, Congress.gov downed. The recently confirmed Librarian of Congress, Carla Hayden, is already having a tough start at her new job. On Sunday, just a few days after her Senate confirmation, the Library of Congress’ systems were hit with a massive denial-of-service attack that has knocked sites maintained by the agency offline, including Congress.gov, the U.S. Copyright Office website, the Library’s internal websites, and employee email. This attack comes in spite of the U.S. Government Accountability Office flagging numerous cybersecurity areas in need of improvement in a June 2015 report on the agency. (Source: FCW)

50,000 Baton Rouge police records “hacked” and dumped in retaliation for Baton Rouge police shooting. Days after the shooting of Alton Sterling, police records including names, addresses, emails, and phone numbers appeared online. Although this is a significant data dump, investigators believe that the breach was the result more of user error than of hacking skill, or as The Daily Dot put it, “the ‘breach’—for lack of a better term—appears to have simply been a case of unauthorized access through the use of discovered login credentials rather than through any kind of technical attack.” The hacker @0x2Taylor explained his reasoning for the leak by stating to @HowellOneill of The Daily Dot through a private Twitter message that, “The reason i did it is because of what that officer did to alton sterling…i’m sick of seeing police abuse their power and all the killings.” (Source: The Daily Dot)

Update your Pokémon Go app. Pokémon Go has taken the nation by storm, but as you were hunting down Dragonite, the game developer Niantic had, under the app’s terms of service, full access to iOS users’ Google accounts. This, according to Google, allowed Niantic to “see and modify nearly all information in your Google Account.” Not surprisingly, this created a huge backlash that led Niantic to create an update to Pokémon Go’s terms of service that would prevent them from having full access to your Google account. However, in order to be covered by new terms of service, you must update the app. (Source: Wired)

Stagefright flashback: 85 million Android phones infected with HummingBad malware. The malware was first discovered in February and has reportedly generated $300,000 a month in fraudulent ad revenue for its creators. @businessinsider reports that it goes undetected by secretly installing fraudulent apps and “setting up a permanent rootkit—a set of software tools that enable an unauthorized user to gain control of a computer system.” HummingBad’s success is yet another example of the impact of fragmentation on the overall security of the Android ecosystem, writes @BIIntelligence. However, it is clear from the report that only a small fraction of HummingBad infections (approximately 286,000) are affecting users in the U.S., with those using older versions of Android (particularly Jelly Bean and Kit Kat) most at risk. (Source: Business Insider)

Oregon Health & Science University pays $2.7 million in fines for data breaches. In 2013, Oregon Health & Science University was the subject of two breaches that compromised more than 7,000 patient records. @LynnePDX reports that, “The two breaches occurred within three months of each other. One occurred after a surgeon’s laptop was stolen from a Hawaii vacation rental. The computer, which had information on 4,022 patients, was not encrypted. The other case involved newly minted physicians in residency programs for plastic surgery, urology, and kidney transplants who used an Internet-based storage device, or cloud service, to maintain a spreadsheet of patients. The spreadsheet had information on 3,044 people.” In addition to the cash settlement, Oregon Health & Science University will undergo a “rigorous three-year corrective action plan” overseen by the U.S. Department of Health and Human Services Office for Civil Rights. (Source: The Oregonian)

Ranscam: Probably more amateur hour than real threat. The so-called “Ranscam” may look like typical ransomware to an infected user, but instead of encrypting files, it deletes them, even if you pay. @thepacketrat explains that, “Ranscam is a purely amateur attempt to cash in on the cryptoransomware trend that demands payment for ‘encrypted’ files that were actually just plain deleted by a batch command.” The Bitcoin wallet associated with the scam has seen no activity since June, so it appears that this scam may be more hoax than threat. Still, it’s never a bad idea to take steps to defend yourself against ransomware. For tips on spotting and avoiding ransomware, read Fraud.org’s Fraud Alert on the scam. (Source: Ars Technica)

OurMine Strikes again: This week’s victim—Twitter CEO Jack Dorsey. Jack Dorsey proved to us that no one is immune to hacking when he joined Google’s Sundar Pichai and Facebook’s Mark Zuckerberg as the latest prominent tech luminary to have his Twitter account hacked. The hacker, OurMine, tweeted their standard “We are testing your security” message. The Verge’s @colinlecher reports that it’s not yet known how Dorsey’s account was hacked. Last month, Twitter took the step of locking down some accounts on the service after several million passwords—apparently thanks to breaches at non-Twitter services—were leaked. (Source: The Verge)

Brunswick: 43 percent of consumers trust companies less with their data today than a year ago. Brunswick Insights, an advisory firm specializing in critical issues for business, is out with some interesting new research. According to a survey of 7,000 consumers in seven countries (including the U.S.), the rash of data breaches is eroding consumers’ confidence in the ability of businesses to protect consumer data. Another interesting nugget from the survey: when a breach hits a business, affected consumers blame the breached company itself more than the hackers by a nearly 2:1 margin (69 percent vs. 39 percent). (Source: Brunswick Group)

Brits: Cybercriminals’ capability “currently outpaces the U.K.’s collective response to cybercrime.” In light of data breaches becoming an everyday occurrence—affecting everyone from the FDIC, to the House of Representatives, to large hospitals—it is perhaps not surprising that law enforcement is having difficulty keeping up. Nonetheless, our friends across the pond have reiterated a familiar call to action for organizations to take proactive steps. The British National Crime Agency’s most recent cybercrime assessment states, “It is critical that businesses not only implement and maintain the latest good practices but also actively test how well they are prepared for criminal attacks… This testing should encompass both their resistance to threats, and their ability to minimize and mitigate the damage caused by successful attacks.” (Source: National Crime Agency)

Students agree to give up first-born, share data with NSA. If the Pokémon Go app’s terms of service didn’t prove that few actually read these agreements, then perhaps this will. Researchers Jonathan Obar and Anne Oeldorf-Hirsch studied just how closely we read terms of service agreements. As @dmkravets reports, “The study said that students were intentionally deceived and told that the university was working with NameDrop (a fictitious social networking site) and that they would be ‘contributing to a pre-launch evaluation,’ and they needed to sign up for the site to perform their analysis. The agreements included so-called ‘gotcha clauses’—such as agreeing to give up first-born children and sharing social networking data with the NSA—which were added to assess ‘ignoring behavior.’” Unsurprisingly, only 26 percent of users actually clicked on the TOS agreement, spending an average of about a minute reading it. (Source: Ars Technica)

Upcoming events

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016 in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

National Consumers League
Published July 20, 2016