The #DataInsecurity Digest | Issue 66

Russian hacker threat to consumer IoT devices prompts warnings from US, UK; Facebook’s woes continue

By John Breyault (@jammingecono,
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The biggest recent news in data security is the unprecedented warning from the U.S. and U.K. governments that millions of consumers’ Internet of Things (IoT) devices may have been compromised by Russian hackers. Consumers’ compromised accounts are each worth, on average, $1,200 on the dark web. Typical targets like PayPal or credit card accounts are worth the most, but accounts at places like GrubHub and are also being traded on the dark web. Finally, after having its CEO on the hot seat before Congress, Facebook surely wants to be seen as being on its best behavior; new revelations about scammers using closed Facebook groups to promote fraud is unlikely to help its case.

And now, on to the clips!


US, UK warn of Russian hackers infiltrating home IoT devices. In an unprecedented move, American and British governments are warning citizens to beware Russian hackers’ efforts to compromise home broadband routers and Internet of Things (IoT) devices. Government officials have identified Russian efforts that have compromised millions of Internet-connected devices, allowing hackers to eavesdrop, collect confidential information, misdirect payments, or further compromise security. “The sweep and urgency of the statements from both sides of the Atlantic called to mind a computer-age version of a Cold War air raid drill, but asking citizens to upgrade their passwords rather than duck and cover,” write @ddknyt and @nixonron. (Source: New York Times)

Big Tech: We won’t help governments with cyberattacks. Thirty-one tech firms, led by Microsoft and Cisco, announced this week that they will not assist in governments’ attempts — including the U.S. government’s — to mount cyberattacks against  “innocent civilians and enterprises from anywhere.” The agreement, writes @SangerNYT, stems from efforts by Microsoft’s Brad Smith to create a “‘digital Geneva Convention’ that sets norms of behavior for cyberspace just as the Geneva Conventions set rules for the conduct of war in the physical world.” Notably absent from the list of signers on the agreement are Amazon, Apple, and Google. (Source: New York Times)

You’re worth $1,200 on the dark web. VPN review site @top10_VPN is out with some interesting research looking at the average price of various kinds of compromised accounts on the dark web. The company’s Dark Web Market Price Index finds that the average cost of of a consumer’s digital identity — comprising all of a typical user’s hacked accounts — is $1,200. “Everything has a price on the dark web it seems,” writes @simonmigliano. “Paypal accounts with a healthy balance attract the highest prices ($247 on average). At the other end of the scale though, hacked Grubhub or Walmart accounts sell for less than $10.” (Source: Top 10 VPN)

Krebs: Deleted cybercrime groups on Facebook had 300,000 members. Research by cybersecurity reporter @briankrebs turned up nearly 120 private Facebook groups with more than 300,000 members dedicated solely to promoting cybercrime. “The scam groups facilitated a broad spectrum of shady activities, including spamming, wire fraud, account takeovers, phony tax refunds, 419 scams, denial-of-service attack-for-hire services and botnet creation tools,” writes Krebs. “The average age of these groups on Facebook’s platform was two years.” After being alerted by Krebs, Facebook deleted the groups, though there are likely to be “hundreds or thousands” of other similar groups still operating on the platform, writes Krebs. (Site:

White House cyber brain drain follows Bolton appointment. The Trump Administration has lost two of its key experts on cyber issues, leaving the White House short-handed as it confronts continuing data security threats. Since the appointment of John Bolton as National Security Advisor, Tom Bossert, who oversaw cybersecurity policy, was forced out. In addition, the White House Cybersecurity Coordinator Rob Joyce is returning to the National Security Agency. (Source: POLITICO)

iPhone users urged to ditch 6-digit passcodes. Thanks to a new technology called GrayKey, which is being aggressively adopted by police departments, privacy-conscious users are being encouraged to ditch the default 6-digit passcode. That’s because GrayKey is being touted as a way for police departments to bypass the iPhone’s default disk encryption technology. Instead, writes @lorenzoFB, users concerned about surveillance are encouraged to adopt tougher-to-crack alphanumeric passcodes. (Site: Motherboard)

NYU study: Russian Bitcoin exchange brought in $16 million from 20,000 victims. New research by NYU Professor Damon McCoy tracked 20,000 victims of ransomware scams over a two-year period, finding that $16 million in payments were collected by a single Russian Bitcoin exchange. “With the rise of cryptocurrencies like Bitcoin, McCoy speculates that ransomware attacks, which thrive off of such difficult-to-trace payments, could become more of a threat to internet users,” writes @nyuews. (Source: Washington Square News)


April 21, 2018 – Better Business Bureau Secure Your ID Day – BBB offices nationwide
BBBs across North America will host this helpful identity theft prevention event featuring FREE on-site shredding, electronic recycling, and tips to protect your identity. (Source: BBB)

August 9-12, 2018 – DEF CON 26 – Las Vegas, NV
DEF CON is the world’s longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

National Consumers League
Published April 19, 2018