Issue 29 | September 28, 2016
#DataInsecurity Digest: Yahoo breach – who knew what, when? Hillary, Donald disagree on ‘the cyber’
By John Breyault (@jammingecono)
NCL Vice President of Public Policy, Telecommunications and Fraud
Editor’s Note: Half a billion. That’s how many accounts (so far) were compromised in the record-setting breach at Yahoo announced this past Friday. Because a Yahoo address is the primary email account for many users, and because users often reuse passwords, the breach is likely to spill over into many other services. The advice to everyone who has a Yahoo account (and at this point, that’s probably just about everyone) is to once again update your passwords, on Yahoo and anywhere else the same or a similar password was used, to try to limit the fallout. What remains to be seen: could the Yahoo breach affect the company’s multi-billion-dollar acquisition by Verizon, and will it become an issue on the campaign trail? So far, state-sponsored hacking has focused on explicitly political targets (e.g., the DNC), but the Yahoo hack potentially affects far more consumers, which could move the data security debate back to being a front-burner issue this election season.
In other breach news, Wall Street firm SS&C was scammed into transferring nearly $6 million into accounts controlled by Chinese hackers. Meanwhile, the Government Accountability Office released a report finding that cyber incidents reported by federal agencies jumped 1,300 percent in the last 10 years. As if to illustrate this point, DCLeaks.com released Secret Service and Democratic advance documents involving the planned movements of Hillary Clinton, Michelle Obama, and Joe Biden. Needless to say, this breach raised several questions about how well our leaders are protected if hackers can so easily gain access to such sensitive documents.
And now, on to the clips!
At least 500 million Yahoo accounts compromised. Yahoo, one of the world’s busiest websites, has confirmed that it was the subject of the largest password breach in history, which compromised the “names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions” of 500 million of its users. @nicoleperlroth reports that this massive data breach will have far-reaching implications for consumers. “Changing Yahoo passwords will be just the start for many users. They’ll also have to comb through other services to make sure passwords used on those sites aren’t too similar to what they were using on Yahoo. And if they weren’t doing so already, they’ll have to treat everything they receive online with an abundance of suspicion, in case hackers are trying to trick them out of even more information.” (Source: New York Times)
Questions remain about Yahoo’s culpability for breach. Important questions about the record-setting breach at Yahoo remained unanswered as the full scope and impact of the hack sank in over the weekend, writes @TechTimes_News’s Fritz Gleyo. For example, why did it take two years to discover the breach? Apparently the attackers were in the system as far back as 2014. Who did it? Yahoo blames a “state-sponsored actor” (read: Russia). How will it affect the Verizon-Yahoo acquisition? The breach could cause Verizon to modify the deal. (Source: Tech Times)
Quick hit: Is an SEC investigation coming? @madhumita29 of @FT says it’s quite possible. “If I were at the SEC, I’d be looking for the perfect case, the perfect storm. This may be it.” (Source: Financial Times)
Breach could make Yahoo “worthless.” With class-action suits already being filed by affected users, the legal risk could significantly reduce Yahoo’s worth to Verizon, write @MikeSnide and @eweise. “Bulger estimates that Yahoo will likely have to pay at least $10 per user in reparations. That could amount to $5 billion — more than Verizon’s $4.8 billion paying price — making Yahoo ‘worthless,’ he said.” (Source: USA Today)
Hillary: Cyber “one of the biggest challenges facing the next president.” Cybersecurity issues got a nod at Monday’s debate. Clinton on the recent Russian hacking: “There’s no doubt now that Russia has used cyber attacks against all kinds of organizations in our country and I’m deeply concerned about this.” For his part, Donald Trump was somewhat circumspect in describing the Russian threat, saying “[s]he’s saying Russia, Russia, Russia. Maybe it was. It could be Russia but it could be China, it could be lots of people. It could be somebody that sits on their bed that weighs 400 pounds.” (Source: CNET)
GAO: Federal cyber incidents jump 1,300 percent in 10 years. The U.S. Government Accountability Office (GAO) presented a report last week to the President’s Commission on Enhancing National Cybersecurity detailing the concerning trend of cybersecurity breaches at federal agencies. @JoeDavidsonWP reports that the GAO study found, “The number of cyber incidents reported by federal agencies jumped more than 1,300 percent, from 5,503 to 77,183, over the 10 years through fiscal 2015.” (Source: Washington Post)
Minute-by-minute schedules of Clinton, Biden, and Michelle Obama leaked. DCLeaks.com, the site that previously released Colin Powell’s personal emails, posted hundreds of emails from a Democratic staffer that listed the “phone numbers of numerous Secret Service agents, spreadsheets with the names and Social Security numbers of campaign donors, and PowerPoint presentations showing step-by-step directions for where officials like Vice President Joseph R. Biden Jr. should walk when they arrived at events.” @shearm and @AllMattNYT commented that fortunately, the emails contained movement information for previous, not future, events. (Source: New York Times)
Mellul’s account hack may stem from 2013 Adobe breach. Account information for Ian Mellul, the contractor whose hacked email account was used to release the sensitive information about Michelle Obama, Hillary Clinton, and others, was likely first exposed in the 2013 breach of Adobe users’ data, writes @thepacketrat. “Government sources have described DCleaks.com as being connected to Russian intelligence organizations. But just about anyone could have gotten into Ian Mellul’s e-mail if he was using the same password for his Gmail account that was exposed in a 2013 breach of Adobe user data…” (Source: Ars Technica)
Future of ransomware: More expensive and targeted. Followers of ransomware news know that the attacks are growing not only in frequency but also in sophistication. @briankrebs expects this trend to continue: “What we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth.” Lawrence Abrams, owner of the tech-help site @BleepinComputer, agrees that ransomware attackers will increasingly seek out affluent holders of valuable information: “these guys are going to start more aggressively targeting really data intensive organizations like medical practices and law and architectural firms.” (Source: Krebs on Security)
Election systems will not be classified as critical infrastructure … for now. The Department of Homeland Security’s (DHS) Assistant Secretary for Cybersecurity, Andy Ozment, commented last Tuesday that DHS will not reclassify election systems as critical infrastructure, a move that would give DHS increased resources and additional authorities before the November election. “This is not something we’re looking to in the near future. This is a conversation we’re having in the long term with state and local government …To some degree this question of ‘is it critical infrastructure or not’ is a distraction from the important thing, which is that everybody needs to help each other out.” (Source: FedScoop)
Some in Congress disagree with DHS decision. Rep. Hank Johnson (D-GA), a member whose district is reliant on electronic voting, introduced two bills named the “Election Infrastructure and Security Promotion Act of 2016” and the “Election Integrity Act.” These bills would “require the Department of Homeland Security, or DHS, to designate voting systems as critical infrastructure… compel states to comply with relevant federal rules while incorporating additional security standards and testing measures,” and prohibit “election systems responsible for vote casting or tabulating” from being connected to the Internet. (Source: FedScoop)
Krebs on Security attacked. Brian Krebs, one of the most prominent data insecurity reporters, faced one of the largest distributed denial-of-service attacks on record last week. @briankrebs reports, “On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual DoS attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.” (Source: Krebs on Security)
Hackers steal $6 million from Wall Street tech firm in phishing attack. SS&C Technologies, a company with a $6 billion market capitalization, is being sued for falling for a series of email scams that led its employees to transfer nearly $6 million into accounts controlled by Chinese hackers. Lawyers filing the suit stated that the firm did not “exercise even a modicum of care and responsibility in connection with known and obvious cybersecurity threats.” (Source: CNBC)
January 12, 2017 – PrivacyCon – Washington, DC
The FTC will host its second PrivacyCon conference “to continue and expand collaboration among leading whitehat researchers, academics, industry representatives, consumer advocates, and the government to address the privacy and security implications of emerging technologies.”
National Consumers League
Published September 28, 2016