Adam Levin - Identity, Security, and Personal Finance
Email systems used by some county election officials lack rudimentary security settings and are vulnerable to hacking, according to a recent survey conducted by the nonprofit investigative newsroom, ProPublica.
ProPublica’s findings include eleven offices protected by only a login and password. Election security best practices call for two-factor authentication on sensitive email accounts. This simple protocol requires a second channel (usually a mobile phone) to receive a security code that must be entered before access to the email account is granted.
The possibility of election interference is a hot-button issue after the State Department determined that Russia interfered with the 2016 election. The Democratic Party’s push to flip the House of Representatives in the November election makes this a much-watched midterm election, and partisan politics are a major reason for the increased attention. The ProPublica survey found that 10 of the 12 districts with non-secure email systems were home to incumbent Republicans up for re-election.
The vulnerability of email systems has been understated in comparison to the security of machines within the voting booth. “The focus on election equipment… ignores the greater dangers caused by hacking into the diverse collection of sensitive information that flows through … the electoral process,” commented Jasson Casey in an editorial for the website Dark Reading.
The threat posed by hackers infiltrating electoral systems isn’t limited to coercing or influencing votes; it extends to undermining overall confidence in the system itself. Matt Dietrich, a spokesman for the Illinois Board of Elections, said that a 2016 hack of the state’s voter database “wasn’t… to steal votes, but to create havoc.”
Jasson Casey echoed this point, saying “Even if the hacker’s candidate-of-choice is not elected, the information’s integrity becomes a distraction as authority figures are discredited, creating social and political instability.”
Upgrading and securing U.S. election systems has been something of an uphill battle, even with a $380 million fund provided by the federal government. A cybersecurity skills shortage and political infighting have slowed attempts at reform.
The first major piece of cybersecurity legislation to address vulnerabilities in Internet of Things (IoT) devices has passed in California, and is ready to be signed into law by Governor Jerry Brown.
First introduced in 2017 by State Senator Hannah-Beth Jackson, SB-327 calls for “a manufacturer of a connected device… to equip [it] with a reasonable security feature or features that are appropriate to the nature and function of the device… to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
While the bill represents a milestone in creating a legal basis for security standards, not every security expert likes it. Among the most vocal critics has been Errata Security’s Robert Graham, who blogged about it last week, saying it’s a “bad bill based on a superficial understanding of cybersecurity/hacking that will do little [to] improve security, while doing a lot to impose costs and harm innovation.”
Graham went on to say “the point is not to add ‘security features’ but to remove ‘insecure features’… arbitrary features like firewall and anti-virus add to these products [that] just increase the attack surface making things worse.”
The law has also been criticized for being too vague.
“The law should be defined in a more specific manner, as the requirement for an ‘appropriate’ security procedure, depending on the device nature and function, is too ambiguous with no real mechanism to verify that the vendor took the appropriate steps. There should be clear standards per the device’s components that a manufacturer will be able to follow and a way to validate that the manufacturer designed to those standards,” wrote VDOO Senior Product Marketing Manager Ruth Artzi in an email to Threatpost.
Proponents of the bill acknowledge its imperfections, but view it as a good start. “[I]t probably doesn’t go far enough — but that’s no reason not to pass it. It’s a reason to keep going after you pass it,” said author and security technologist Bruce Schneier to the Washington Post.
California has recently taken a more proactive stance in filling the legal gaps in technology-related issues, including its recent passage of the country’s first major Consumer Privacy Act. Since neither SB-327 nor the Consumer Privacy Act would take effect until 2020, their overall impact on the tech industry and consumers remains to be seen.
New Mexico’s attorney general has filed a lawsuit against a popular children’s app developer as well as Google and Twitter’s online ad platforms for allegedly violating the privacy of children under the age of 13, the New York Times has reported.
The app named in the lawsuit, Fun Kid Racing, and its developer, Tiny Lab Productions, are accused of sharing children’s data with five separate online advertising companies. If proven in court, this would constitute a violation of COPPA (the Children’s Online Privacy Protection Act), which went into effect in 2000.
A recent study of 6,000 Android apps published by Berkeley suggests Tiny Lab Productions is not alone in tracking children, finding that up to 50% of games marketed to children flouted privacy laws. A separate New York Times study found similar results.
At issue is the legal distinction between games and apps marketed to children under 13, where data tracking is both illegal and banned by both Google and Apple, and “family apps,” which are less restricted and track children so long as they claim to be older than 13.
In light of the lawsuit, Google has banned Tiny Lab Productions from its app store and removed all of its apps, but it seems likely this won’t be the last we hear about the issue.
Drastic times call for drastic measures, and it seems like EU Commission President Jean-Claude Juncker feels we’ve entered the dire zone when it comes to extremist content. He’s called for a fine penalizing websites that allow extremist content on their platforms for longer than an hour.
In his annual State of the Union address, Juncker indicated that too little had been done in the three months internet firms had been given to remove radical posts in a timely way. The proposed fine would amount to up to 4% of an offending party’s annual global income, which would come to $4.4 billion for Google, YouTube’s parent company. Any such move would need to be ratified by EU member states and the European Parliament.
Internet companies like Google, Facebook, and Twitter have received heavy criticism from European governments for not moving quickly enough to remove content promoting violent extremism. Facebook claims an 83% success rate for the removal of content affiliated with ISIS or Al-Qaeda, and YouTube has committed 10,000 employees to manually blocking extremist content.
“We welcome the focus the Commission is bringing to this and we’ll continue to engage closely with them, member states and law enforcement on this crucial issue,” Google said in a statement.
Unstated in the announcement were free speech considerations.
The Government Accountability Office released a report detailing last year’s massive Equifax data breach and how hackers were able to infiltrate the company’s systems to gain access to the personal information of at least 145.5 million individuals.
According to the report, the hackers took advantage of a recently announced vulnerability in a web server technology called Apache Struts, which Equifax failed to patch or otherwise address, leaving its systems vulnerable for weeks.
Compounding the Apache Struts vulnerability was a misconfigured network security device that was supposed to inspect incoming traffic for signs of malicious activity. The misconfiguration went unnoticed for 10 months. According to the report, “during that period, the attacker was able to run commands and remove stolen data over an encrypted connection without detection.”
The GAO report also showed that, in addition to the failure to patch Apache Struts and the misconfiguration of the security tool, Equifax identified an insecure database structure that “allowed the attackers to gain access to additional databases containing PII [personally identifiable information].”
Lax data governance standards were also cited, which let the attackers gain “access to a database that contained unencrypted credentials… such as user names and passwords.”
Only 34.5% of the approximately 500 professionals responsible for compliance with the European Union (EU) General Data Protection Regulation (GDPR) report maintaining practices that are in keeping with the regulation, according to a recent Deloitte poll.
According to the poll, one-third of respondents (32.7%) hope to be compliant in 2018, and 11.7% plan to take a “wait and see” approach amid uncertainty over how EU regulators in various countries will enforce the new regulation.
“The fact that the GDPR effective date has come and gone,” (it became law in May 2018), “and many are still scrambling to demonstrate a defensible position on GDPR compliance reflects the complexity and challenges as the world of privacy rapidly changes,” said Rich Vestuto, a Deloitte Risk and Financial Advisory managing director in discovery for Deloitte Transactions and Business Analytics LLP.
There were a number of other serious issues brought to light, including a very low number of professionals feeling that their organizations knew the state of their third-party data access, and the extent to which artificial intelligence was applied to that data.
At issue here is the prevailing culture of cyber-insecurity and privacy de-damned-ism. The poll found that many of the privacy issues facing organizations may actually become easier to track in the wake of the GDPR, but the prevailing sense among those polled still seems to be that compliance costs money—much more than fines.
On the heels of last week’s news that Air Canada suffered a breach affecting thousands of customers, British Airways announced a major breach affecting 380,000 customers who used the company’s website and app over a two-week period.
From August 21 to September 5, hackers stole British Airways customers’ names, addresses, email addresses and credit card information (including expiration dates and security codes). According to the company, travel plans and passport information were not included in the breached data.
British Airways CEO Alex Cruz called the attack sophisticated and promised to reimburse any expense caused by the breach. Customers have been critical of the way the company handled the news, many complaining that they learned about it from the media long before the company reached out.
British Airways is still reeling from the May 17 power outage and subsequent glitch-fest that affected 75,000 customers and caused more than 700 flights to be cancelled.
Adam Levin was featured on Radio America discussing why cybersecurity requires constant vigilance and consistent internal communication to keep hackers and thieves at bay.
On the first anniversary of the Equifax data breach, Americans may be taking identity theft more seriously. In a survey of roughly 1,000 people commissioned by LendingTree.com, over 90% of respondents reported taking some kind of action to protect themselves.
Highlights of the survey include 65% of the sample group reporting that they pay more attention to their online bank and credit card statements, with 51% checking their credit score, and 37% reviewing their credit report. Overall 81% said that they were taking identity theft either somewhat or much more seriously.
While the survey definitely shows progress, the results show there’s a long way to go before best practices for personal protection become commonplace. Far fewer respondents reported taking the more proactive steps recommended by experts, such as subscribing to a credit monitoring service (11%) or freezing their credit (8%). A quarter (25%) reported never having changed their ATM personal identification number.
It remains to be seen if another Equifax-level breach would move the needle further, or if the survey results represent a plateau of compliance and consumer awareness after a year’s worth of news stories detailing the fallout. In either case, the experts’ advice remains the same, including checking credit scores and reports, practicing good data hygiene online, and freezing credit when possible.