
RISKS Digest 30.46

Monday 11 September 2017

Equifax Hack May Expose Data of 143 Million Users

Polly Mosendz <neu...@csl.sri.com>

Date: Fri, 8 Sep 2017 9:41:10 PDT

Polly Mosendz, Bloomberg, 8 Sep 2017

Class action seeking to represent 143 million consumers alleges company didn't spend enough on protecting data.

https://www.bloomberg.com/news/articles/2017-09-08/equifax-sued-over-massive-hack-in-multibillion-dollar-lawsuit

A proposed class-action lawsuit was filed against Equifax Inc. late Thursday evening, shortly after the company reported that an unprecedented hack had compromised the private information of about 143 million people.

In the complaint filed in Portland, Ore., federal court, users alleged Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack. Data revealed included Social Security numbers, addresses, driver's license data, and birth dates. Some credit card information was also put at risk.

Equifax first discovered the vulnerability in late July, though it chose not to announce it publicly until more than a month later. The company was widely criticized for its customer service approach in the aftermath of the hack, as users struggled to understand whether their information had been affected. Others expressed frustration that three senior executives sold about $1.7 million in stock in the days following the discovery of the hack. A spokeswoman for Equifax said the men “had no knowledge that an intrusion had occurred at the time.”

The plaintiffs in the lawsuit are Mary McHill and Brook Reinhard. Both reside in Oregon and had their personal information stored by Equifax.

“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard's information from unauthorized access by hackers,” the complaint stated. “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyberattacks but chose not to.”

The case was filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions. Ben Meiselas, an attorney for Geragos, said the class will seek as much as $70 billion in damages nationally.

[See also:]

http://www.businessinsider.com/equifax-hackers-may-have-accessed-personal-details-143-million-us-customers-2017-9

https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?smprod=nytcore-ipad&smid=nytcore-ipad-share

DF: by using the service, you may be giving up legal rights:

https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/

More info on Equifax breach

Lauren Weinstein <lau...@vortex.com>

Date: Fri, 8 Sep 2017 18:21:50 -0700

There is increasing evidence to suggest that primary impacts of the Equifax breach involve consumers who interacted directly with (and provided personal information to) their public facing website. The breach does not appear at this time to involve their core credit reporting databases.

PSA: no matter what you write, Equifax may tell you you've been impacted by the hack

TechCrunch <lau...@vortex.com>

Date: Fri, 8 Sep 2017 18:07:44 -0700

via NNSquad https://techcrunch.com/2017/09/08/psa-no-matter-what-you-write-equifax-may-tell-you-youve-been-impacted-by-the-hack/?ncid=rss

What this means is not only are none of the last names tied to your Social Security number, but there's no way to tell if you were really impacted. It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.

Hurricane Harvey Knocked Out Cell Service. Now Calls for Backup Wireless Power Are Rising

Fortune <lau...@vortex.com>

Date: Mon, 11 Sep 2017 09:35:43 -0700

via NNSquad http://fortune.com/2017/08/30/hurricane-harvey-cell-backup-power/

The wireless industry has for years successfully fought regulations that would force mobile phone networks to be hardened so they work during storms, but it may face renewed demands after Hurricane Harvey knocked out seven of 10 cell towers in the hardest-hit counties of Texas.

Depending on cell service during a disaster is a disaster in and of itself. That's why so many telecom experts hang onto their landlines as lifelines! I sure as hell do!

Fake Russian Facebook Accounts Planted $100,000 in Political Ads

Vindu Goel and Scott Shane <neu...@csl.sri.com>

Date: Thu, 7 Sep 2017 9:13:39 PDT

Vindu Goel and Scott Shane, The New York Times, 6 Sep 2017

Providing new evidence of Russian interference in the 2016 election, Facebook disclosed on Wednesday that it had identified more than $100,000 worth of divisive ads on hot-button issues purchased by a shadowy Russian company linked to the Kremlin. The fake accounts were created by a Russian company called the "Internet Research Agency" (which is known for using troll accounts to post on social media and comment on news websites).

Fake Facebook 'like' networks exploited code flaw to create millions of bogus 'likes'

Elizabeth Weise <lau...@vortex.com>

Date: Fri, 8 Sep 2017 10:12:35 -0700

via NNSquad, USA Today https://www.usatoday.com/story/tech/news/2017/09/07/facebook-fake-likes-scammers-collusion-networks/642446001/

A thriving ecosystem of websites that allow users to automatically generate millions of fake "likes" and comments on Facebook has been documented by researchers at the University of Iowa.

Facebook Wins, Democracy Loses

NYTimes <james....@cmu.edu>

Date: Sat, Sep 9, 2017 at 3:36 PM

Siva Vaidhyanathan, The New York Times, 8 Sep 2017 [via Dave Farber]

Wait!

Facebook, unlike Twitter, does not allow puppets, i.e. accounts controlled by other accounts. I recall Egyptian Spring activists complaining about this.

Does Facebook allow ads, i.e. something paid for, to masquerade as unpaid posts? It shouldn't; Google doesn't. Finally, any ad should allow its reader to learn about who paid for it.

None of these rules would prevent Russian robot trolls from posting evil ideas, but it would make detecting them easier. A skeptical reader could ask "Who posted this, and who are their friends?"

> Healthy democracies have transparency in political advertising. That doesn't matter to Facebook.

<https://www.nytimes.com/2017/09/08/opinion/facebook-wins-democracy-loses.html>

Virginia scraps touchscreen voting machines

Morgan Chalfant <rfo...@infowarrior.org>

Date: Fri, Sep 8, 2017 at 10:28 PM

Morgan Chalfant, *The Hill*, 9 Sep 2017, via Dave Farber http://thehill.com/business-a-lobbying/349896-virginia-scraps-touchscreen-voting-machines

The Virginia State Board of Elections moved Friday to do away with touchscreen voting machines in the state by November's election, a move aimed at boosting security.

The board decided to phase out the machines this year after the Virginia Department of Elections recommended that the touchscreen voting machines be decertified. The recommendation came after security experts breached numerous types of voting machines with ease at the DEF CON cybersecurity conference in Las Vegas in July, according to The Richmond Times-Dispatch.

The move comes amid heightened concerns over foreign interference in future elections, in light of the U.S. intelligence community's conclusion that Russia used cyberattacks and disinformation to interfere in the 2016 presidential election.

Virginia's gubernatorial election will take place in November, meaning that the move to get rid of the machines would result in 22 localities having to replace their equipment less than two months before the vote.

The state has already passed a law mandating that the machines be phased out by 2020. According to the Times-Dispatch, 10 localities have already started purchasing new equipment. The remaining 12 would need to work quickly to phase out the old equipment by Nov. 7.

“The security of the election process is always of paramount importance. The Department is continually vigilant on matters related to security of voting equipment used in Virginia,'' Edgardo Cortes, the state's election commissioner, said in a news release Friday. “The ability to meaningfully participate in our democracy is one of the most important rights that we have as citizens, and the Department of Elections is dedicated to maintaining voters' confidence in the democratic process.''

Cyber-experts have raised alarm over the touchscreen devices, called direct-recording electronic, or DRE, voting machines, because they yield no paper records that can be checked with the electronic records to make sure votes are tallied accurately.

More than 100 cyber- and voting experts penned a letter to Congress in June urging them to take steps to secure future elections, including a recommendation to phase out DRE voting machines and others that do not produce a voter-verified paper ballot.

“While there has been encouraging progress to improve election security in recent years, too many polling stations across the nation are still equipped with electronic machines that do not produce voter-verified paper ballots. Many jurisdictions are also inadequately prepared to deal with rising cybersecurity risks.''

The letter was sent the day that Department of Homeland Security officials testified of evidence that Russia targeted election-related systems in 21 states ahead of the 2016 presidential election.

While officials maintain that the systems targeted were not involved in vote tallying, Moscow's interference campaign has nevertheless stoked fears about the possibility that foreign actors could attempt to use hacking to affect vote counts in the future.

See also Today's Washington Post: DefCon 2017 contributed to Virginia dumping DREs https://www.washingtonpost.com/local/virginia-politics/virginia-scraps-touch-screen-voting-machines-as-election-for-governor-looms/2017/09/08/e266ead6-94fe-11e7-89fa-bb822a46da5b_story.html?utm_term=3D.6fb49dcd9b08#comments

A huge solar flare temporarily knocked out GPS communications

Engadget <ga...@gabegold.com>

Date: Thu, 7 Sep 2017 16:17:51 -0400

The sun did its biggest burp in 12 years. On the morning of 6 September the sun let out two pretty sizable burps of radiation. Both were considered X-class—the strongest type of solar flare—with one of them proving to be the most powerful since 2005. If a solar flare is directed at Earth, which these ones were, it can generate a radiation storm that interferes with radio and GPS signals. The biggest flare ever recorded, in 2003, was so strong it even knocked out NASA's solar measurement equipment. These recent belches weren't quite on par with that, but they were enough to jam high frequency radios and interfere with GPS systems for about an hour on the side of the Earth facing the sun. Put your hand over your mouth, sun! Rude!

https://www.engadget.com/2017/09/07/a-huge-solar-flare-temporarily-knocked-out-gps-communications/

Sextant, chronometer, compass, maps, oh my...

Apple and Google Fix Browser Bug. Microsoft Does Not.

Bleeping Computer <lau...@vortex.com>

Date: Fri, 8 Sep 2017 15:44:18 -0700

via NNSquad https://www.bleepingcomputer.com/news/security/apple-and-google-fix-browser-bug-microsoft-does-not-/

Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively.

Dogwhistle ultrasound returns in a new guise

The Verge <neu...@csl.sri.com>

Date: Thu, 7 Sep 2017 21:17:17 PDT

Dolphin attack uses high-frequency sound against voice-based assistants such as Siri.

https://www.theverge.com/2017/9/7/16265906/ultrasound-hack-siri-alexa-google

https://techcrunch.com/2017/09/06/hackers-send-silent-commands-to-speech-recognition-systems-with-ultrasound/

India's Supreme Court ruled that privacy is a constitutional right

Menaka Guruswamy <neu...@csl.sri.com>

Date: Mon, 11 Sep 2017 15:02:23 PDT

https://www.nytimes.com/2017/09/10/opinion/indias-supreme-court-expands-freedom.html

'Game of Thrones' was pirated more than a billion times -- far more than it was watched legally

The Washington Post <mo...@roscom.com>

Date: Fri, 8 Sep 2017 23:36:25 -0400

https://www.washingtonpost.com/news/morning-mix/wp/2017/09/08/game-of-thrones-was-pirated-more-than-a-billion-times-far-more-than-it-was-watched-legally/

10 minutes of silence storms iTunes charts thanks to awful Apple UI

The Register <m...@vex.net>

Date: Tue, 5 Sep 2017 21:06:48 -0400 (EDT)

"A a a a Very Good Song" is A a a a simple workaround. http://www.theregister.co.uk/2017/08/16/silent_track_bug_fix_itunes/