DHS Subpoenas Twitter For New Zealand Security Researcher's Info

from the instead-of-addressing-the-problem,-we'll-go-after-the-people-talking-about-i dept

Over the weekend, Zack Whittaker of ZDNet reported a New Zealand security researcher has somehow earned the unwanted attention of DHS and ICE.

Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data.

The New Zealand national, whose name isn't known but goes by the handle Flash Gordon, revealed the subpoena in a tweet last month.

Flash Gordon secured the assistance of the EFF to challenge the subpoena, but apparently that effort failed. This leaves everyone with the unanswered question as to why DHS/ICE are seeking the researcher's identifying info.

As Whittaker notes, the researcher has discovered and reported several data breaches. One in particular might have drawn the attention of the feds: the exposure of a law enforcement training database.

The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University.

The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection.

This would be the sort of thing the US government notices, even if it's only interested in prosecuting the messenger. PII belonging to law enforcement officers is considered to be the most sacrosanct of data, and anyone exposing a government contractor's careless handling of it is likely to find themselves targeted by federal agents.

But this is all conjecture at this point. Flash Gordon only knows the government as demanded his info and is likely to receive it soon, if it hasn't already. The involvement of DHS and ICE is still strange, as a breach involving US law enforcement personnel would normally be handled by the FBI.

As Dissent Doe points out in her coverage at Databreaches.net, it could have something to do with the expansive definition of "export," which covers information as well as physical goods. That's actual ICE territory -- its less-controversial export control function. It's illegal to export "controlled" info and tech, so the researcher's New Zealand locale could provide a nexus for criminal charges, but only if you're willing to suspend reality during the charging process. Doe asks:

But how would that apply to this situation? There is no U.S. individual here who is exporting information to a non-U.S. person, is there?

If this has anything to do with the multiple US-based breaches Flash Gordon has reported, the information has traveled from US companies to US journalists via a New Zealand intermediary. If Gordon has downloaded a copy of the breach's contents, the same thing applies: the info shared with US journalists was "exported" from New Zealand to the US. The only possibility left is this: the government wants to consider a New Zealand researcher's acquisition of breach data from US companies to be considered an illegal "export" of controlled info.

Unfortunately for the researcher, the DOJ has engaged in some highly-questionable prosecutions based on highly-questionable interpretations of US law. It seems when tech/data is involved, common sense is the first victim. It hasn't always been successful in its novel interpretations of these laws, but every federal prosecution has the potential to completely destroy the target's life -- even if it ends in a dismissal or verdict in the defendant's favor.

The last possibility is this: it's just a fishing operation meant to deter Gordon and others like him from searching for breaches and turning this data over to journalists. If the US government obtains identifying info, it can simply retain the info indefinitely as an implicit threat, pushing Gordon to pursue "safer" careers and hobbies. This won't make anyone else any safer, but it will at least spare the government and its contractors further embarrassment.

Filed Under: dhs, flash gordon, security breach, security research, subpoean
Companies: twitter

Uber Hid Security Breach Impacting 57 Million People, Paid Off Hackers

from the not-good,-uber,-not-good dept

It's no secret that Uber's management over the years has been pretty sketchy, if not downright nefarious. At some point I may write a longer post about this, but it appears that the company culture took the idea of reasonably pushing back on bad laws (such as those that restricted competition in the taxi space) and took it to mean that it could just ignore all sorts of rules. And it appears that a company culture was created that celebrated rulebreaking in all sorts of ways -- most of which were bad. The company has a new CEO, Dara Khosrowshahi, who comes in with a strong reputation and has indicated his intent to change the culture. On Tuesday, the company admitted that it had covered up that data on 57 million users had been leaked. While the data didn't include credit card info or trip data, it did include drivers' license info for 7 million drivers, and the email addresses and phone numbers of 50 million riders.

It's bad enough that the data leaked, but covering it up is serious -- and means that the company is going to be hit with lawsuits. California (among others) has a strong data breach law, and it seems quite likely that Uber broke that law in failing to alert people that their info had been accessed. Perhaps more incredibly, the cover-up happened at the very same time that the company was negotiating with FTC officials over a previous data breach. Also, it appears that Uber paid off the hackers who were trying to extort the company to keep the data secret:

Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

Apparently, Uber paid the hackers $100,000 to keep the data from getting out.

In response to this, Khosrowshahi has put up a blog post taking responsibility for this and more or less admitting that the company had royally fucked up. He also fired two employees who were apparently responsible for covering this up (the report technically says one was "asked to resign" while the other was fired). The whole thing sounds like a complete shitshow from a company that, well, has a history of Broadway-level shitshows.

While the blog post is clearly an attempt to show that the company is trying to turn over a new leaf, the whole situation is still troubling. The blog post doesn't mention paying off the hackers -- it just says that the company "obtained assurances that the downloaded data had been destroyed." It certainly feels like the overall statement could be stronger. Here's part of it:

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions:

• I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
• We are individually notifying the drivers whose driver’s license numbers were downloaded.
• We are providing these drivers with free credit monitoring and identity theft protection.
• We are notifying regulatory authorities.
• While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.

None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.

It will be interesting to see if the company can really change its culture. I still think that the concept behind Uber is powerful and can do some fairly useful things in the world, but the way in which the company has gone about running its business has been a disgrace.

Filed Under: breach reporting, bug bounty, dara khosrowshahi, hacks, security breach, trashfire
Companies: uber

Equifax Security Breach Is A Complete Disaster... And Will Almost Certainly Get Worse

from the hang-on... dept

Okay, chances are you've already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:

First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it's set up in a nearly identical manner to a typical phishing site. Oh and it left open the fact that the site had only one user -- "Edelman" -- the name of a big PR firm.

Not surprisingly, it didn't take long for various security tools to warn that the site wasn't safe.

And, when Equifax pushed people to its own "TrustedID" program to supposedly check to see if you were a victim of its own failures... it just started telling everyone yes no matter what info they put in:

So, yeah, what the hell did Equifax do during those six weeks it had to prepare? Oh, well, a few of its top execs used the delay to sell off stock, which may put them in even more hot water (of the criminal variety). Also, just days before it revealed the breach, and long after it knew of it, the company was talking up how admired its CEO is. This is literally the last tweet from Equifax prior to tweeting about the breach (screenshotted, because who knows how long it'll last):

I can't see any scenario under which Smith keeps his job. And it seems likely that many other execs are going to be in trouble as well. Beyond the possible insider trading above, there's already scrutiny on its corporate VP and Chief Legal Officer, John J. Kelley, who made $2.8 million last year and runs the company's "security, compliance, and privacy" efforts.

And despite six weeks to prepare for this, the following was Equifax's non-apology:

We apologize to our consumers and business customers for the concern and frustration this causes.

That's a classic non-apology. It's not apologizing for its own actions. It's not apologizing for the total mess it's created. It's just apologizing if you're "concerned and frustrated."

Oh, and did we mention that the very morning of the day that Equifax announced the breach, it tweeted out about a newsletter it published about how "safeguarding valuable customer data is critical." Really (again, screenshotted in case this disappears):

What the fuck, Equifax? Should we even mention that Equifax has been a key lobbying force against data breach bills? Those bills have some problems... but, really, it's not a good look following all of this.

And while there was some concern that signing up to check to see if you were a victim (again: look, you probably were...) would force you out of being a part of any class action lawsuit, that's since been "clarified" to not apply to any class action lawsuits over the breach. And you better believe that the company is going to be facing one heck of a class action lawsuit (a bunch are being filed, but they'll likely be consolidated).

That's all background of course. What I really wanted to discuss is how this will almost certainly get worse before it gets better. More than twelve years ago, I wrote that every major data breach is later revealed to be worse than initially reported on. This has held true for years and years. The initial analysis almost always underplays how serious the leak is or how much data is leaked. Stay tuned, because there's a very high likelihood we'll find out that either more people were impacted or that more sensitive information is out there.

And that should be a major concern, because what we already know here is stunning. As Michael Hiltzik at the LA Times noted, this is the mother lode of data if you want to commit all sorts of fraud:

The data now at large includes names, Social Security numbers, birthdates, addresses and driver’s license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person’s name.

In some cases, Equifax says, the security questions and answers used on some websites to verify users’ identity may also have been exposed. Having that information in hand would allow hackers to change their targets’ passwords and other account settings.

Other data breaches may have been bigger in terms of total accounts impacted, but it's hard to see how any data breach could have been this damaging. For over a decade, we've pointed out that credit bureaus like Equifax are collecting way too much data, with zero transparency. In fact, back in 2005, we wrote about Equifax itself saying that it was "unconstitutional and un-American" to let people know what kind of information Equifax had on them. The amount of data that Equifax and the other credit bureaus hold is staggering -- and as this event shows, they don't seem to have much of a clue about how to actually secure it.

At some point, we need to rethink why we've given Equifax, Experian and TransUnion so much power over so much of our everyday lives. You can't opt-out. They collect most of their data without us knowing and in secret. You can't avoid them. And now we know that at least one of them doesn't know how to secure that data.

Filed Under: cybersecurity, fraud, leak, security, security breach
Companies: equifax

Bad Intel And Zero Verification Leads To LifeLock Naming Wrong Company In Suspected Security Breach

from the more-'security-mediocre-practices'-from-the-biggest-name-in-ID-protectio dept

LifeLock has never been the brightest star in the identity fraud protection constellation. Its own CEO -- with his mouth writing checks others would soon be cashing with his credentials -- expressed his trust in LifeLock's service by publishing his Social Security number, leading directly to 13 separate cases of (successful) identity theft.

Beyond that, LifeLock was barely a lock. It didn't encrypt stored credentials and had a bad habit of ambulance-chasing reported security breaches in hopes of pressuring corporate victims into picking up a year's worth of coverage for affected customers. This culminated in the FTC ordering it to pay a $12 million fine for its deceptive advertising, scare tactics, and inability to keep its customers' ID info safe.

It's LifeLock's ambulance chasing that's getting it into trouble again. Rather than verify the details of a recent breach, it began sending notices to customers informing them about possibly exposed info at entirely the wrong service.

Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant Dropbox.com — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.

This isn't completely LifeLock's fault. It did send out a false alarm and finger the wrong platform, but its information came from a third party: CSID. Brian Krebs approached the identity monitoring firm to determine how it had arrived at the wrong conclusion. It appears it's turtles misinformation all the way down. CSID president of product and marketing Bryan Hjelm confirmed his company was suffering some "reputational concerns" after wrongly naming Dropbox, rather than Tumblr, as the source of the breach. But he still felt his company was doing a bang-up job in the ID protection department, despite utilizing questionable sources.

He told me that CSID relies on a number of sources online who have been accurate, early indicators of breaches past. One such actor — a sort of cyber gadfly best known by his hacker alias “w0rm” — had proven correct in previous posts on Twitter about new data breaches, Hjelm said.

In this case, w0rm posted to Twitter a link to download a file containing what he claimed were 100M records stolen from Dropbox. Perhaps one early sign that something didn’t quite add up is that the download he linked to as the Dropbox user file actually only included 73 million usernames and passwords.

In any case, CSID analysts couldn’t determine one way or the other whether it actually was Dropbox’s data. Nonetheless, they sent it out as such anyway, based on little more than w0rm’s say-so.

The problem with this bogus alert is that every step of it was automated. CSID admits it never checked out w0rm's claim by manually verifying the data dump contained what w0rm said it contained. It simply generated its alert, which was then picked up by others, like LifeLock, that rely on it for breach identification/notification. The automation continued as LifeLock sent auto-generated messages to its customers. The only manual part of this process occurred at the end user level when Dropbox customers began altering their login credentials to protect themselves from a nonexistent breach. Meanwhile, the real breach went ignored.

It's often said that humans are the weakest link in the security chain, but this incident shows that a little human intervention would have gone a long way towards heading off bogus breach notifications that made an unaffected company look like it was hiding something from its users.

Filed Under: security breach
Companies: dropbox, lifelock, tumblr

Using A Security Breach As An Upsell Opportunity?

from the shameful dept

Danny Sullivan has a blog post blasting Citibank for how it handled a security breach, requiring him to get a new credit card. Apparently a vendor where Sullivan had used the card had a breach, meaning Citibank sent him a new card. But did they tell him which vendor it was so that Sullivan could avoid doing business with them in the future? Of course not. But much more insulting is that when he went to activate the new card, Citibank tried to upsell him on a credit check offering. As Sullivan notes, shouldn't Citibank be offering that to him for free? It's probably cheaper than having to send out thousands of new cards every time a vendor screws up. Of course, when Sullivan points that out to the person on the phone, the person at the other end says "we're just the activation department, you'd have to talk to customer service for that." Of course, if they're just the activation department, why are they doing sales as well? I'm sure the big banks will claim that these sorts of sales processes work in that enough people are suckered into these high margin upsell offerings, but wouldn't it be nice to have a bank that actually treated customers well?

Filed Under: security breach, upsell
Companies: citibank

Making Credit-Card Payments More Secure By Making Breaches More Expensive

from the aligning-incentives dept

It seems that hardly a month goes by without news of yet another credit-card data breach. Based on this, it seems fairly clear that the industry largely sees these breaches and the fallout from them as a cost of doing business, and one that's preferable to the cost of securing and monitoring their systems effectively. The industry has come up with a security compliance framework, but such rules have a history of being ignored. Even if they aren't ignored, though, they're so full of loopholes that they're fairly worthless. As the original poster, Andrew Conry-Murray, puts it, "It's not about security. It's about an industry covering its ass." Basically, the compliance system exists not to truly protect data, but rather to ward off government intervention.

Conry-Murray's contention is that the compliance system is far too easy to game, particularly because it only checks companies' systems once per year. His suggestion is to force all merchants and processors to comply, and check their systems regularly. Companies could opt out, but by doing so, they would be agreeing to significantly higher fees and penalties in the case of a breach. As he notes, these fees would have to be high enough to where they would make devoting more resources to security a more desirable option. This idea, and indeed any that dramatically increases the cost of breaches, is worth mulling over as a way to encourage companies to increase their security. As long as the fallout from data breaches isn't enough to make companies sit up and take notice -- and change their behavior -- there won't be any real change.

Filed Under: credit cards, security breach

May Have A New Winner In The Largest Security Breach Ever Department

from the and-it-will-get-larger,-I'm-sure dept

In the past, we've joked about how with pretty much every security breach, there's an initial estimate of the damage done, followed much later by a second report that admits the breach impacted many more people. It happened with the VA. It happened with Choicepoint. And, it happened with TJX, who raised the bar on being the worst security breach ever not once, but twice to impact nearly 94 million people. Who could top that?

Step up to bat, Heartland Payment Systems. Chris writes in to point out that Heartland appears to have picked a pretty good day to announce a security breach that may impact over 100 million people. Everyone's off paying attention to the inauguration, so they might miss the news as it comes out today -- but they're likely to hear about it soon enough. It appears that Heartland's own computers were infected with malware which passed on information about transactions to some scammers.

Heartland is now claiming that this really isn't that big a deal, because personal information wasn't included in the breach -- meaning the data was useful for creating new cards with bogus data, but not useful for "card not present" transactions such as internet transactions or creating fake cards of real people. Because of this, Heartland doesn't think that it should need to offer credit monitoring services to impacted users, which has become the somewhat standard penance for those caught leaking credit card info.

Of course, some are already questioning the timing of announcing the breach. Considering they figured out what happened a week ago, it does seem a bit of interesting timing to wait until the inauguration was underway to disclose this information.

Still, given the history of so many earlier breaches turning out to be much worse later on, what's the over-under on the next announcement about how much worse this breach actually was?

Filed Under: credit cards, security breach
Companies: heartland payment systems