Bad Intel And Zero Verification Leads To LifeLock Naming Wrong Company In Suspected Security Breach
from the more-'security-mediocre-practices'-from-the-biggest-name-in-ID-protection dept
LifeLock has never been the brightest star in the identity fraud protection constellation. Its own CEO -- with his mouth writing checks others would soon be cashing with his credentials -- expressed his trust in LifeLock's service by publishing his Social Security number, leading directly to 13 separate cases of (successful) identity theft.
Beyond that, LifeLock was barely a lock. It didn't encrypt stored credentials and had a bad habit of ambulance-chasing reported security breaches in hopes of pressuring corporate victims into picking up a year's worth of coverage for affected customers. This culminated in the FTC ordering it to pay a $12 million fine for its deceptive advertising, scare tactics, and inability to keep its customers' ID info safe.
It's LifeLock's ambulance chasing that's getting it into trouble again. Rather than verify the details of a recent breach, it began sending notices to customers informing them about possibly exposed info at entirely the wrong service.
Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant Dropbox.com — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.
This isn't completely LifeLock's fault. It did send out a false alarm and finger the wrong platform, but its information came from a third party: CSID. Brian Krebs approached the identity monitoring firm to determine how it had arrived at the wrong conclusion. It appears it's turtles -- or rather, misinformation -- all the way down. CSID president of product and marketing Bryan Hjelm confirmed his company was suffering some "reputational concerns" after wrongly naming Dropbox, rather than Tumblr, as the source of the breach. But he still felt his company was doing a bang-up job in the ID protection department, despite relying on questionable sources.
He told me that CSID relies on a number of sources online who have been accurate, early indicators of breaches past. One such actor — a sort of cyber gadfly best known by his hacker alias “w0rm” — had proven correct in previous posts on Twitter about new data breaches, Hjelm said.
In this case, w0rm posted to Twitter a link to download a file containing what he claimed were 100M records stolen from Dropbox. Perhaps one early sign that something didn’t quite add up is that the download he linked to as the Dropbox user file actually only included 73 million usernames and passwords.
In any case, CSID analysts couldn’t determine one way or the other whether it actually was Dropbox’s data. Nonetheless, they sent it out as such anyway, based on little more than w0rm’s say-so.
The problem with this bogus alert is that every step of it was automated. CSID admits it never checked out w0rm's claim by manually verifying the data dump contained what w0rm said it contained. It simply generated its alert, which was then picked up by others, like LifeLock, that rely on it for breach identification/notification. The automation continued as LifeLock sent auto-generated messages to its customers. The only manual part of this process occurred at the end user level when Dropbox customers began altering their login credentials to protect themselves from a nonexistent breach. Meanwhile, the real breach went ignored.
It's often said that humans are the weakest link in the security chain, but this incident shows that a little human intervention would have gone a long way towards heading off bogus breach notifications that made an unaffected company look like it was hiding something from its users.
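As an added illustration of the verification step this story says was skipped (example code written for this page, not CSID's, LifeLock's or Krebs's): an intake gate that checks a posted breach claim against the dump it points to and holds the alert for an analyst whenever the two disagree, instead of auto-forwarding it. The Claim and Verdict types, the `email:secret` line format and the thresholds are assumptions made for the example.

```python
# Added example (not CSID's or LifeLock's code): a breach-claim intake gate.
# Before an automated alert names a company, the poster's claim is compared
# with what the dump actually contains; any inconsistency holds the alert
# for a human analyst rather than letting it propagate downstream unverified.
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Claim:
    source: str           # company the poster says was breached (assumed field)
    claimed_records: int  # record count the poster asserts (e.g. "100M")


@dataclass
class Verdict:
    auto_alert: bool                              # safe to send without review?
    reasons: list = field(default_factory=list)   # why it was held, if held


def parse_dump(text):
    """Parse assumed 'email:secret' lines; blank or malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, secret = line.split(":", 1)
        if "@" in email and secret:
            records.append((email.lower(), secret))
    return records


def secret_format(secret):
    """Coarse shape of a stored secret, used only to test dump uniformity."""
    if re.fullmatch(r"[0-9a-f]{32}", secret):
        return "hex32"
    if re.fullmatch(r"[0-9a-f]{40}", secret):
        return "hex40"
    if secret.startswith("$2"):
        return "bcrypt-like"
    return "plain/other"


def assess(claim, dump_text, tolerance=0.05):
    """Return a Verdict; auto_alert is True only if every sanity check passes."""
    recs = parse_dump(dump_text)
    n, reasons = len(recs), []
    if n == 0:
        reasons.append("dump contains no parseable records")
    elif abs(n - claim.claimed_records) > tolerance * claim.claimed_records:
        reasons.append(f"poster claims {claim.claimed_records} records, dump holds {n}")
    if n and len({e for e, _ in recs}) / n < 0.9:
        reasons.append("more than 10% duplicate addresses; looks repackaged")
    shapes = Counter(secret_format(s) for _, s in recs)
    if len(shapes) > 1:   # one source normally stores secrets one way
        reasons.append(f"mixed secret formats {dict(shapes)}; hold for review")
    return Verdict(auto_alert=not reasons, reasons=reasons)
```

The claimed-count check alone would have flagged the 100M-versus-73M gap the article mentions; the format check is a second, independent reason to stop and look before naming anyone.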
Filed Under: security breach
Companies: dropbox, lifelock, tumblr
Reader Comments
Re:
This was just lazy corner cutting on the cheap and it (as it always does) bit them all in the rear-end...
Re: Re:
It wouldn't have taken them that long to verify the data...simply try to feed the email addresses into the "new user registration" form and if it allows the email to be used and continues the process, the email address hasn't been used on the service. Get a bunch of these to work, and the dump isn't likely to be real.
It is not like the idea of encrypting customer data is new
Is it super costly?
Is it easy to leave some kind of backdoor?
Is it ego, the CEOs just believe they will never be on the list of hackers?
Is it something I haven't thought of?
Re: It is not like the idea of encrypting customer data is new
If you're only looking at short-term costs, then encryption is going to be a waste the majority of the time, it's only those that are willing to look more long-term, or accept that it only has to happen once to potentially trash your company that are able to realize that encryption, even if it's never used, is still worth the extra cost.
Re: Re: It is not like the idea of encrypting customer data is new
The whole 'only this quarter's profits matter to our decisions' has bothered me for a long while now. I don't know what we can do about it, but I sometimes have wild dreams about laws that require investments be held for a year or more before they can be sold, and terminate all computer generated trading. That might slow some investment down. So what. But it will make CEOs think longer term.
But those things will not happen lest Wall Street has some kind of conniption fit and wakes up with a conscience. Not holding my breath.
Nothing will happen from our corrupt Congress, and the SEC and FBI have proven, through their lack of action, that they will not hold anyone there responsible. And guess what, there is no one to hold THEM responsible for that lack of action. We are in trouble.
Re: Re: It is not like the idea of encrypting customer data is new
If they are given the power to make financial decisions, all you will see is money wasted because they "know" what has to happen to save a penny, but don't seem to understand that spending money can save much more in the long term. They are too often focussed on the current financial year and the next financial year to recognise what is needed now to save money over the next 10, 20 or even 50 years.
Re: It is not like the idea of encrypting customer data is new
1. The web server needs to encrypt and decrypt the data, so it needs the keys. Hack web server, copy keys and data and all that encryption was just a waste of time doing nothing to protect the data.
2. To solve problem #1 you use an HSM (Hardware Security Module); the HSM does the encryption/decryption for the web server. Hack web server, figure out how things work, utilize HSM to decrypt all the data and all that encryption was just a waste of time. All the HSM did was make it more difficult for the hacker because he must maintain unauthorized access to the HSM to decrypt data.
3. The whole point of collecting data is to do something with it. If it's all stored encrypted it's hard to do anything with it such as searching, reporting etc.
Some encryption efforts are easy
1. Store passwords as Cryptographic hashes (irreversible encryption)
2. Encrypted portable media like backups/laptops
3. Encrypting data stored on disk in case the hacker decides going all mission impossible breaking into your data center to steal your disk drives is easier than using the latest zero day exploit.
Conclusion:
It's easy to protect your password and data loss through physical access. Currently there is no unhackable way to protect data stored in networked systems unless you know someone capable of making a perfect system....
Re: Re: It is not like the idea of encrypting customer data is new
A door lock needs to secure the door in certain ways which means it needs the keys. Pick pocket, copy keys and all that lock is just a waste of time doing nothing to protect the home.
So, why bother with locks on your doors, right?
Re: Re: It is not like the idea of encrypting customer data is new
Isn't that the point?
Lifelock
https://en.wikipedia.org/wiki/LifeLock#Controversies
You're an idiot if you use LifeLock
Re: Lifelock
It just proves the adage that a fool and his money are soon parted.
Intel?
Always wondered how safe identity theft protection sites are with information
Not surprising
How many times has this happened in the news industry? Site #1 (such as The Onion) will publish a story and site #2 will take it as gospel and re-print it... even though The Onion is a known satirical site! Then site #3 will re-print site #2's article using site #2 as the "verified source", yet the original data is still bad.