Geezers Ruin Security

In This Issue:

  • Geezers ruin security
  • Equifax and Facebook pay up
  • Breach responses, from clumsy to catastrophic

Geezers Ruin Security

Attorney General William Barr on Encryption Policy. To paraphrase: U.S. Attorney General William Barr wants American tech companies to put backdoors in products so that law enforcement can break any encryption used. We think this is a terrible idea from a security perspective—once the backdoor exists, it can and will be exploited by criminals—but he thinks that being able to snoop on the bad guys is worth the tradeoff.
 
Australia has already passed a law requiring this. Last week in The Countermeasure we mentioned that this was not well-received by Australian businesses, especially telcos. This week, we learn who is in favor of the Australian encryption law: old people. Boomers and Coalition voters least worried by metadata and encryption laws.

Countermeasure:

Our age-ist quips are all in fun, of course, but don't ignore the dystopia that laws like this cause. You don't have to be American, Australian, a phone company or a tech giant to be affected by this issue. Weaker security, especially on such a big scale, means everyone will get hacked more often and more brutally. Contact your relevant elected officials. Remind them that these backdoor laws create more crime than they prevent, and that's bad for business.

Equifax and Facebook Pay Up

There were two big settlements relating to data breaches this week: Equifax and Facebook. These have been covered extensively elsewhere, but here are sources that provide in-depth information for each:
 

 
The Facebook fine is old news. The other restrictions on Facebook are new. Whether or not the requirements will be enforced remains to be seen.

Countermeasure:

"Don't be Facebook. Or Equifax." There. We said it. There is definite proof that fines for this kind of stupidity are getting bigger. However, re-reading the details of these cases might make you wonder if they are big enough.

Breach Responses, From Clumsy to Catastrophic

Equifax's original response to their data breach was so bad that Brian Krebs called it a "dumpster fire." In a sarcastic toast to this week's settlement, here are a bunch of incident response no-nos for your learning pleasure.
 
The original: Equifax Breach Response Turns Dumpster Fire. What not to do: put up a website claiming to be able to tell customers if they were affected by the breach or not. Have the website spout random, inaccurate 'gibberish.'
 
This week: 1) QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack. What not to do: just deactivate your Twitter account. Unpublish any negative customer comments that appear on Facebook.
 
2) Sky worries users with phishy-looking password reset email. What not to do: Send out a notification e-mail that starts with the generic "Dear Customer," and looks like a phishing attempt.
 
3) Marketing biz bares folks' data in the act of asking for their GDPR comms preferences. What not to do: While trying to comply with the GDPR… violate the GDPR. The mistake these folks made had to do with Insecure Direct Object References. This is a piece of insecure web design that infosec people have known about for more than a decade. However, this knowledge does not seem to have spread to web designers working for PR and marketing teams.
 
4) Slack response. Passwords reset four years after data breach. What not to do: when breached, insist that only a small fraction of users need to reset their login credentials. Then, years later, discover that those accounts that were supposedly "unaffected" were affected after all.
 
This week's prize for least awful incident response goes to stock trading service Robinhood. Robinhood admits to storing some passwords in cleartext. Storing passwords in plaintext isn't a good look, especially for a company that handles financial data. But Robinhood gets points for 1) notifying users about the mistake before it was exploited by hackers, and 2) requiring a password reset by those affected.

Countermeasure:

As part of incident response planning, get your team to review these and other responses to major breaches. Make a specific plan for how to notify people affected by a breach. Make sure that the notification will be quick, accurate, and will not contain additional embarrassing security mistakes. Some companies, when responding to a breach, hire an outside PR firm to help. If you are going to go this route, make sure that their web developers have at least heard of the OWASP Top 10. Otherwise they will probably do you more harm than good.

Thread of the Week

In a speech today, AG Bill Barr re-upped DOJ's "Going Dark" push to require manufacturers of encrypted devices like iPhones to build in a way for law enforcement to gain access, which detractors call "back doors." – Charlie Savage - @charlie_savage

Resource of the Week

"This thread includes all my #infographics so far, they present different terms related to Information Security." – SecurityGuill - @Guillaume_Lpl

Tweet of the Week

"Ladies and gentlemen, we're at 28,000 miles, passing over Intercourse, PA, and Windows XP tells us it's time to reboot the plane. There is no need to panic." – Tinfoil - @tinfoilsec

Podcast of the Week

Smashing Security #138: Logic bombs, brain data exploitation, and Digga D tweets.
