Issue 58 | December 14, 2017

#DataInsecurity Digest: Nielsen settling in at DHS during uncertain times for cybersecurity

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Newly confirmed DHS secretary Kirstjen Nielsen will certainly have her work cut out for her as she settles into her role amid growing concerns on the U.S.’s role in leading global cybersecurity efforts. Breaches continue making news as PayPal announced that the personal data of 1.6 million TIO users has been compromised. More than $75 million in bitcoin was stolen as the value of the popular cryptocurrency rises dramatically. Uber announced new departures from the security team in the wake its data breach cover-up. Unfortunately, it looks like the epidemic of data insecurity is here to stay as one recent study found that ransomware attacks jumped nearly 2000 percent since 2015, and another group of researchers found that phishing attacks are becoming even more elaborate in order to lull their victims into a false sense of security.

After this issue, The #DataInsecurity Digest will take a few weeks off for winter break and will resume publication in 2018. Thank you for being a loyal reader! From the staff at the National Consumers League, best wishes for a happy holiday season and a healthy New Year!

And now, on to the clips!

—————–

Kirstjen Nielsen confirmed as DHS secretary. Last week’s Senate vote confirming Nielsen as John Kelly’s replacement couldn’t have been timelier, @tayhatmaker reports, “given the ever-expanding nature of cyber threats, particularly those against U.S. critical infrastructure.” (Source: Techcrunch)

More than $70 million vanishes in bitcoin cyber heist. The dramatic rise in bitcoins’ value in recent months has raised concerns about the security of bitcoin wallets. NiceHash, the largest crypto-mining marketplace, revealed that approximately 4,700 bitcoin—or $70+ million—had been stolen from an online account. Although few details about the hack are available, NiceHash chief executive Marko Kobal promised that “we are doing really everything we can right now. However, this will take time… As soon as we have a solution in place, we’ll reach out, hopefully in the next few days.” (Source: Wall Street Journal)

Breach du jour: 1.6 million TIO users. PayPal, which recently acquired TIO, a digital payment company, announced that the personally identifiable information (names, addresses, bank-account details, Social Security numbers, and login details) of 1.6 million TIO users may have been breached. Fortunately, “PayPal hasn’t integrated TIO with its platform, so PayPal users aren’t affected by the security vulnerabilities at TIO.” (Source: Wall Street Journal)

Cyber analysts raise concerns over Trump’s cyber foreign policy. With the Trump Administration almost a year into its term, cyber officials on both sides of the aisle are beginning to worry about a failure to lead on cyber policy. “When it comes to shaping and enforcing international rules of the road in cyberspace… the Trump Administration may be taking a step back from the U.S.’s historic role, a move experts worry could cede ground to an anti-Democratic model for the internet championed by U.S. adversaries such as Russia and China.” (Source: NextGov)

Ransomware attacks up nearly 2,000 percent. A new study by @Malwarebytes found that since 2015, ransomware attacks have jumped 1,989 percent. The report called for businesses to “heighten their awareness of cyber crime, and take a realistic view towards the likelihood of attack.” @Malwarebytes argued that “cyber crime must be elevated from a tech issue to a business-critical consideration.” (Source: Computer Weekly)

Phishers adopting https to grant their victims a false sense of security. @PhishLabs published new analysis that found “phishers actively chose to implement web encryption. The green padlock lends legitimacy, a patina of security that helps trick web users into trusting a site and giving up their valuable information.” The study also found that “in two extremely prevalent types of phishers targeting PayPal and Apple, about 75 percent were using HTTPS sites.” (Source: Wired)

Quick hit: Canadian hacker-for-hire admits to hacking Yahoo. Karim Baratov admitted “to breaking into Yahoo’s systems to steal information on at least 500 million user accounts in 2014 as part of a job he did for Russian government agents.” Baratov now faces a fine of up to $2.3 million. (Source: Law 360)

More senior executive resignations from Uber’s security team. Three high-profile resignations add to the uncertainty Uber’s security team has been facing since Chief Security Officer Joe Sullivan was fired after covering up a massive data breach. @josephmenn and @dnvolz report resignations by: Pooja Ashok, Sullivan’s chief of staff; Prithvi Rai, a senior security engineer and the number two manager in the department; and Jeff Jones, who handled physical security. (Source: Reuters)

Events

February 28, 2018 – Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published December 14, 2017