Bad Intel And Zero Verification Leads To LifeLock Naming Wrong Company In Suspected Security Breach

from the more-'security-mediocre-practices'-from-the-biggest-name-in-ID-protectio dept

Tue, Jun 7th 2016 2:03pm — Tim Cushing

LifeLock has never been the brightest star in the identity fraud protection constellation. Its own CEO -- with his mouth writing checks others would soon be cashing with his credentials -- expressed his trust in LifeLock's service by publishing his Social Security number, leading directly to 13 separate cases of (successful) identity theft.

Beyond that, LifeLock was barely a lock. It didn't encrypt stored credentials and had a bad habit of ambulance-chasing reported security breaches in hopes of pressuring corporate victims into picking up a year's worth of coverage for affected customers. This culminated in the FTC ordering it to pay a $12 million fine for its deceptive advertising, scare tactics, and inability to keep its customers' ID info safe.

It's LifeLock's ambulance chasing that's getting it into trouble again. Rather than verify the details of a recent breach, it began sending notices to customers informing them about possibly exposed info at entirely the wrong service.

Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant Dropbox.com — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.

This isn't completely LifeLock's fault. It did send out a false alarm and finger the wrong platform, but its information came from a third party: CSID. Brian Krebs approached the identity monitoring firm to determine how it had arrived at the wrong conclusion. It appears it's ~~turtles~~ misinformation all the way down. CSID president of product and marketing Bryan Hjelm confirmed his company was suffering some "reputational concerns" after wrongly naming Dropbox, rather than Tumblr, as the source of the breach. But he still felt his company was doing a bang-up job in the ID protection department, despite utilizing questionable sources.

He told me that CSID relies on a number of sources online who have been accurate, early indicators of breaches past. One such actor — a sort of cyber gadfly best known by his hacker alias “w0rm” — had proven correct in previous posts on Twitter about new data breaches, Hjelm said.

In this case, w0rm posted to Twitter a link to download a file containing what he claimed were 100M records stolen from Dropbox. Perhaps one early sign that something didn’t quite add up is that the download he linked to as the Dropbox user file actually only included 73 million usernames and passwords.

In any case, CSID analysts couldn’t determine one way or the other whether it actually was Dropbox’s data. Nonetheless, they sent it out as such anyway, based on little more than w0rm’s say-so.

The problem with this bogus alert is that every step of it was automated. CSID admits it never checked out w0rm's claim by manually verifying the data dump contained what w0rm said it contained. It simply generated its alert, which was then picked up by others, like LifeLock, that rely on it for breach identification/notification. The automation continued as LifeLock sent auto-generated messages to its customers. The only manual part of this process occurred at the end user level when Dropbox customers began altering their login credentials to protect themselves from a nonexistent breach. Meanwhile, the real breach went ignored.

It's often said that humans are the weakest link in the security chain, but this incident shows that a little human intervention would have gone a long way towards heading off bogus breach notifications that made an unaffected company look like it was hiding something from its users.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: security breach
Companies: dropbox, lifelock, tumblr

23 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

orbitalinsertion (profile), 7 Jun 2016 @ 2:21pm

How does one not tell the difference between Dropbox and Tumblr?
[ link to this | view in chronology ]
- Someantimalwareguy, 7 Jun 2016 @ 2:27pm
  
  Re:
  As the article said - automation. Automation can only do so much before any results generated need to be reviewed by human eyes and then appropriate samples verified for accuracy.
  
  This was just lazy corner cutting on the cheap and it (as it always does) bit them all in the rear-end...
  [ link to this | view in chronology ]
  - ltlw0lf (profile), 7 Jun 2016 @ 3:01pm
    
    Re: Re:
    It wasn't just automation, it was that the source (w0rm) said it was a dump from dropbox, when in fact it was a dump from tumblr. They took the statement on face value without verification, and then automation took over.
    
    It wouldn't have taken them that long to verify the data...simply try to feed the email addresses into the "new user registration" form and if it allows the email to be used and continues the process, the email address hasn't been used on the service. Get a bunch of these to work, and the dump isn't likely to be real.
    [ link to this | view in chronology ]
    - Anonymous Coward, 7 Jun 2016 @ 5:50pm
      
      Re: Re: Re:
      Well, the breach wasn't fake apparently. It was just for tumblr instead of dropbox.
      [ link to this | view in chronology ]
  - orbitalinsertion (profile), 8 Jun 2016 @ 3:29pm
    
    Re: Re:
    Indeed, the original source indicated incorrectly (for some reason), and was then blindly followed. How or why w0rm mis-posted is a more interesting bit. Lifelock is a ball of crap no matter how you slice it, and their behavior is unsurprising, if still stupid. (And if you automate such serious errors out of a Twitter feed, idkwtflol.)
    [ link to this | view in chronology ]
Anonymous Anonymous Coward (profile), 7 Jun 2016 @ 2:38pm

It is not like the idea of encrypting customer data is new
How hard is it to encrypt customer records? I mean, it is 2016 already. The Internet is over 20 years old. The rate of change is pretty fast, and getting faster. What is the hold up?

Is it super costly?

Is is easy to leave some kind of backdoor?

Is it ego, the CEO's just believe they will never be on the list of hackers?

Is it something I haven't thought of?
[ link to this | view in chronology ]
- That One Guy (profile), 7 Jun 2016 @ 3:46pm
  
  Re: It is not like the idea of encrypting customer data is new
  It's not so much it's 'super' costly so much as it costs at all, and if those running the company are only focused on the short-term then the odds of being hacked are likely pretty low, making paying extra for encryption(both in time and money) a 'waste'.
  
  If you're only looking at short-term costs, then encryption is going to be a waste the majority of the time, it's only those that are willing to look more long-term, or accept that it only has to happen once to potentially trash your company that are able to realize that encryption, even if it's never used, is still worth the extra cost.
  [ link to this | view in chronology ]
  - Anonymous Anonymous Coward (profile), 7 Jun 2016 @ 4:34pm
    
    Re: Re: It is not like the idea of encrypting customer data is new
    The cost of shame and paying off lawsuits, or insurance that will pay off lawsuits is cheaper than paying for encryption? Or, so it seems in their minds? Which brings to mind, why aren't insurance companies requiring encryption in order to give coverage?
    
    The whole 'only this quarters profits matter to our decisions' has bothered me for a long while now. I don't know what we can do about it, but I sometimes have wild dreams about laws that require investments be held for a year or more before they can be sold, and terminate all computer generated trading. That might slow some investment down. So what. But it will make CEO's think longer term.
    
    But those things will not happen lest Wall Street has some kind of conniption fit and wakes up with a conscience. Not holding my breath.
    
    Nothing will happen from our corrupt Congress, and the SEC and FBI have proven, through their lack of action, that they will not hold anyone there responsible. And guess what, there is no one to hold THEM responsible for that lack of action. We are in trouble.
    [ link to this | view in chronology ]
    - marcus (profile), 8 Jun 2016 @ 4:47am
      
      Re: Re: Re: It is not like the idea of encrypting customer data is new
      Add to this that the FBI and other agencies want to ban encryption without back doors for law enforcement even though back doors tend to weaken encryption.
      [ link to this | view in chronology ]
  - Anonymous Coward, 8 Jun 2016 @ 2:23am
    
    Re: Re: It is not like the idea of encrypting customer data is new
    Look at it this way, when bean counters are involved, logic goes out the window. Particularly if they are CA's. One does tend to get a little more sense out of CPA's, but you don't put either in charge of anything. It will only cause you problems.
    
    If they are given the power to make financial decisions, all you will see is money wasted because they "know" what has to happen to save a penny, but don't seem to understand that spending money can save much more in the long term. They are too often focussed on the current financial year and the next financial year to recognise what is needed now to save money over the next 10, 20 or even 50 years.
    [ link to this | view in chronology ]
- Anonymous Coward, 7 Jun 2016 @ 6:12pm
  
  Re: It is not like the idea of encrypting customer data is new
  Encrypting customer data IS hard and costly. I'm referring to things like email addresses, phone numbers, names, social security numbers and such.
  
  1. The web server needs to encrypt and decrypt the data, so it needs the keys. Hack web server, copy keys and data and all that encryption was just a waste of time doing nothing to protect the data.
  2. To solve problem #1 you use an HSM ( Hardware Security Module ) the HSM does the encryption/decryption for the web server. Hack web server, figure out how things work, utilize HSM to decrypt all the data and all that encryption was just a waste of time. All the HSM did was make it more difficult for the hacker because he must maintain unauthorized access to the HSM to decrypt data.
  3. The whole point of collecting data is to do something with it. If it's all stored encrypted it's hard to do anything with it such as searching, reporting etc.
  
  Some encryption efforts are easy
  1. Store passwords as Cryptographic hashes (irreversible encryption)
  2. Encrypted portable media like backups/laptops
  3. Encrypting data stored on disk in case the hacker decides going all mission impossible breaking into your data center to steal your disk drives is easier than using the latest zero day exploit.
  
  Conclusion:
  It's easy to protect your password and data loss through physical access. Currently there is no unhackable way to protect data stored in networked systems unless you know someone capable of making a perfect system....
  [ link to this | view in chronology ]
  - PaulT (profile), 8 Jun 2016 @ 12:06am
    
    Re: Re: It is not like the idea of encrypting customer data is new
    "The web server needs to encrypt and decrypt the data, so it needs the keys. Hack web server, copy keys and data and all that encryption was just a waste of time doing nothing to protect the data."
    
    A door lock needs to secure the door in certain ways which means it needs the keys. Pick pocket, copy keys and all that lock is just a waste of time doing nothing to protect the home.
    
    So, why bother with locks on your doors, right?
    [ link to this | view in chronology ]
  - marcus (profile), 8 Jun 2016 @ 4:56am
    
    Re: Re: It is not like the idea of encrypting customer data is new
    You can make the same arguments about a lock to your door since it would be so easy for someone to steal your keys or make a copy of your keys without your knowledge. A lot of companies don't even encrypt backup media and have been the victim of theft exposing records of many customers on these unencrypted stored media. A lot of the removable media is stolen during transport to off sites.
    [ link to this | view in chronology ]
  - jim, 8 Jun 2016 @ 6:19am
    
    Re: Re: It is not like the idea of encrypting customer data is new
    So with the hardware moder, nothing gets hacked? Ask Microsoft.
    [ link to this | view in chronology ]
  - Anonymous Coward, 8 Jun 2016 @ 6:51am
    
    Re: Re: It is not like the idea of encrypting customer data is new
    " it's hard to do anything with it"
    
    Isn't that the point?
    [ link to this | view in chronology ]
- nasch (profile), 8 Jun 2016 @ 8:39am
  
  Re: It is not like the idea of encrypting customer data is new
  I was in a meeting this week with a major nation wide provider of real estate data, and they are just now working on hashing user passwords in their database. Someone said something about external pressure to beef up security (didn't catch from where exactly) and that they really aren't all that interested in doing it.
  [ link to this | view in chronology ]
jordan Chandler, 7 Jun 2016 @ 3:50pm

Lifelock
In 2015, it was ordered to pay $100 million to settle Federal Trade Commission contempt charges for failing to protect consumer information and deceptive advertising, the largest monetary award obtained by the Commission for an enforcement action

https://en.wikipedia.org/wiki/LifeLock#Controversies

You're an idiot if you use lifelock
[ link to this | view in chronology ]
- Isma;il, 8 Jun 2016 @ 8:34am
  
  Re: Lifelock
  Great point. Why anyone would want to use LifeLock after the deceptive advertising settlement and the CEO's identity being stolen multiple times is beyond me.
  
  It just proves the adage that a fool and his money are soon parted.
  [ link to this | view in chronology ]
Whoever, 7 Jun 2016 @ 4:35pm

Intel?
Was I the only person to wonder what the chip manufacturer called "Intel" had done to be labelled "bad"?
[ link to this | view in chronology ]
- Anonymous Coward, 8 Jun 2016 @ 2:15am
  
  Re: Intel?
  No, but it has puzzled me for a long time why the chip manufacturing company used the name it chose when it was the name of a "bad" cartel in "A for Andromeda".
  [ link to this | view in chronology ]
Anonymous Coward, 7 Jun 2016 @ 5:38pm

Was I the only one that was expecting to see some crazy accusation about the x86 market here?
[ link to this | view in chronology ]
marcus (profile), 8 Jun 2016 @ 4:42am

Always wondered how safe identity theft protection sites are with information
After a breech last year, I was offered free identity theft protection for one year by CSID. I was weary of giving my information to them since others I have known told me how they had to give CSID their SSN and all kinds of other information in order to take advantage of the free service. Being the victim of one breech, I was concerned if CSID would protect my personal information so that I don't become a victim of identity theft again. I remember one person even was protected from Lifelock but still was a victim of this breech and wasn't eligible for the free 1 year protection from CSID since they already are signed up with Lifelock.
[ link to this | view in chronology ]
John85851 (profile), 8 Jun 2016 @ 10:44am

Not surprising
It's not surprising when companies use other companies as their source of data rather than verifying it themselves.
How many times has this happened in the news industry? Site #1 (such as The Onion) will publish a story and site #2 will take it as gospel and re-print it... even though The Onion is a known satirical site! Then site #3 will re-print site #2's article using site #2 as the "verified source", yet the original data is still bad.
[ link to this | view in chronology ]