The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Geezers Ruin Security
In This Issue:
- Geezers ruin security
- Equifax and Facebook pay up
- Breach responses, from clumsy to catastrophic
Geezers Ruin Security
Attorney General William Barr on Encryption Policy. To paraphrase: U.S. Attorney General William Barr wants American tech companies to put backdoors in products so that law enforcement can break any encryption used. We think this is a terrible idea from a security perspective—once the backdoor exists, it can and will be exploited by criminals—but he thinks that being able to snoop on the bad guys is worth the tradeoff.
Australia has already passed a law requiring this. Last week in The Countermeasure we mentioned that this was not well-received by Australian businesses, especially telcos. This week, we learn who is in favor of Australian encryption law: old people. Boomers and Coalition voters least worried by metadata and encryption laws.
Our ageist quips are all in fun, of course, but don't ignore the dystopia that laws like this cause. You don't have to be American, Australian, a phone company or a tech giant to be affected by this issue. Laxer security, especially on such a big scale, means everyone will get hacked more often and more brutally. Contact your relevant elected officials. Remind them that these backdoor laws create more crime than they prevent, and that's bad for business.
Equifax and Facebook Pay Up
There were two big settlements relating to data breaches this week: Equifax and Facebook. These have been covered extensively elsewhere, but here are sources that provide in-depth information for each:
- What You Should Know About the Equifax Data Breach Settlement
- FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook
The Facebook fine is old news. The other restrictions on Facebook are new. Whether or not the requirements will be enforced remains to be seen.
"Don't be Facebook. Or Equifax." There. We said it. There is definite proof that fines for this kind of stupidity are getting bigger. However, re-reading the details of these cases might make you wonder if they are big enough.
Breach Responses, From Clumsy to Catastrophic
Equifax's original response to their data breach was so bad that Brian Krebs called it a "dumpster fire." In a sarcastic toast to this week's settlement, here are a bunch of incident response no-nos for your learning pleasure.
The original: Equifax Breach Response Turns Dumpster Fire. What not to do: put up a website claiming to be able to tell customers if they were affected by the breach or not. Have the website spout random, inaccurate 'gibberish.'
This week: 1) QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack. What not to do: just deactivate your Twitter account. Unpublish any negative customer comments that appear on Facebook.
2) Sky worries users with phishy-looking password reset email. What not to do: Send out a notification e-mail that starts with the generic "Dear Customer," and looks like a phishing attempt.
3) Marketing biz bares folks' data in the act of asking for their GDPR comms preferences. What not to do: While trying to comply with the GDPR… violate the GDPR. The mistake these folks made had to do with Insecure Direct Object References. This is a piece of insecure web design that infosec people have known about for more than a decade. However, this knowledge does not seem to have spread to web designers working for PR and marketing teams.
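To make the Insecure Direct Object Reference mistake concrete, here is an added example (not code from the page or from the marketing firm it describes). It assumes a constructed store of contact-preference records keyed by a sequential id, a logged-in user name supplied by the session, and handler functions named here for illustration. The vulnerable handler trusts the id from the request; the hardened one enforces ownership server-side and returns the same error for "missing" and "not yours", and an optional per-session indirect-reference layer replaces raw ids with random tokens.

```python
"""Insecure Direct Object Reference (IDOR): a vulnerable lookup next to a
hardened one. Added example for this newsletter item, not code from the page
or from the marketing firm it describes; the records, users and handler
functions below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import secrets


@dataclass
class Preferences:
    owner: str          # account the record belongs to
    email: str
    marketing_ok: bool


# Constructed sample data: GDPR contact-preference records keyed by a
# sequential numeric id, the kind of id that ends up in a URL.
PREFS: Dict[int, Preferences] = {
    1001: Preferences("alice", "alice@example.com", True),
    1002: Preferences("bob", "bob@example.com", False),
}


class Forbidden(Exception):
    pass


def get_prefs_vulnerable(session_user: str, record_id: int) -> Preferences:
    """Vulnerable: uses the id straight from the request and never asks
    whether the logged-in user owns that record."""
    return PREFS[record_id]


def get_prefs_hardened(session_user: str, record_id: int) -> Preferences:
    """Hardened: fetch the record, then enforce ownership server-side."""
    record = PREFS.get(record_id)
    # Same error for "does not exist" and "not yours": a caller cannot learn
    # which ids are real by probing.
    if record is None or record.owner != session_user:
        raise Forbidden("no such record")
    return record


class SessionRefs:
    """Optional second layer: per-session indirect references. The client
    sees random tokens instead of database ids, so ids cannot be iterated."""

    def __init__(self) -> None:
        self._tokens: Dict[str, int] = {}

    def issue(self, record_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._tokens[token] = record_id
        return token

    def resolve(self, token: str) -> Optional[int]:
        return self._tokens.get(token)


def get_prefs_indirect(session_user: str, refs: SessionRefs, token: str) -> Preferences:
    """Resolve the token, then still run the ownership check (defense in depth)."""
    record_id = refs.resolve(token)
    if record_id is None:
        raise Forbidden("no such record")
    return get_prefs_hardened(session_user, record_id)


def access(handler: Callable[[str, int], Preferences], user: str, record_id: int) -> str:
    """Demo helper: returns the email the handler hands back, or 'denied'."""
    try:
        return handler(user, record_id).email
    except (Forbidden, KeyError):
        return "denied"


def demo() -> Dict[str, str]:
    """Alice is logged in; the request id is changed from her 1001 to 1002."""
    refs = SessionRefs()                 # alice's session only
    alice_token = refs.issue(1001)
    results = {
        "vulnerable_own": access(get_prefs_vulnerable, "alice", 1001),
        "vulnerable_other": access(get_prefs_vulnerable, "alice", 1002),
        "hardened_own": access(get_prefs_hardened, "alice", 1001),
        "hardened_other": access(get_prefs_hardened, "alice", 1002),
        "hardened_missing": access(get_prefs_hardened, "alice", 9999),
        "indirect_own": get_prefs_indirect("alice", refs, alice_token).email,
    }
    try:
        get_prefs_indirect("alice", refs, "not-a-real-token")
        results["indirect_guess"] = "leaked"
    except Forbidden:
        results["indirect_guess"] = "denied"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:18} {outcome}")
```

The ownership check is the fix that matters; the token map only makes ids harder to enumerate and is no substitute for it, which is why `get_prefs_indirect` still calls the hardened lookup after resolving the token.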
4) Slack response. Passwords reset four years after data breach. What not to do: when breached, insist that only a small fraction of users need to reset their login credentials. Then, years later, discover that those accounts that were supposedly "unaffected" were affected after all.
This week's prize for least awful incident response goes to stock trading service Robinhood. Robinhood admits to storing some passwords in cleartext. Storing passwords in plaintext isn't a good look, especially for a company that handles financial data. But Robinhood gets points for 1) notifying users about the mistake before it was exploited by hackers, and 2) requiring a password reset by those affected.
As part of incident response planning, get your team to review these and other responses to major breaches. Make a specific plan for how to notify people affected by a breach. Make sure that the notification will be quick, accurate, and will not contain additional embarrassing security mistakes. Some companies, when responding to a breach, hire an outside PR firm to help. If you are going to go this route, make sure that their web developers have at least heard of the OWASP Top 10. Otherwise they will probably do you more harm than good.
Thread of the Week
In a speech today, AG Bill Barr re-upped DOJ's "Going Dark" push to require manufacturers of encrypted devices like iPhones to build in a way for law enforcement to gain access, which detractors call "back doors." – Charlie Savage - @charlie_savage
Resource of the Week
"This thread includes all my #infographics so far, they present different terms related to Information Security." – SecurityGuill - @Guillaume_Lpl
Tweet of the Week
"Ladies and gentlemen, we're at 28,000 miles, passing over Intercourse, PA, and Windows XP tells us it's time to reboot the plane. There is no need to panic." – Tinfoil - @tinfoilsec
Podcast of the Week
Smashing Security #138: Logic bombs, brain data exploitation, and Digga D tweets.
- US company selling weaponized BlueKeep exploit. You patched Windows, right? No? PATCH WINDOWS.
- How cyber criminals are still snaring victims using seven-year-old malware. See above. Patch your stuff.
- Airbus A350 software bug forces airlines to turn planes off and on every 149 hours. Your weekly IoT nightmare, with apologies to anyone who already had a phobia of flying.
- Software Developers and Security. 'nearly 70% of developers said that while they are expected to write secure code, they get little guidance or help. One disgruntled programmer said, "It's a mess, no standardization, most of my work has never had a security scan."'
- New York City moves to protect citizens’ location data. Yes, please. This is the kind of thing that the law should prevent: I Gave a Bounty Hunter $300. Then He Located Our Phone. This author thinks that cell phone plans already cost enough; mobile companies shouldn't also get to sell our data to any shady guy who asks for it.
- Penetration Test Data Shows Risk to Domain Admin Credentials
- Business Email Compromise: Thinking Beyond Wire Transfers
- How Cybercriminals Break into the Microsoft Cloud
- You can probably be identified from your anonymized data