Hacked Butt Plug Highlights Poor Security Of Many Mobile Devices

[Image: Hush butt plug by Lovense]

In a blog post on Tuesday, security researcher Giovanni Mellini discussed how easy it was to hack a Bluetooth-enabled butt plug. Why this Internet-connected sex toy? Mellini explained that, after what started as a joke, he'd bought a few weeks ago:

"... a Bluetooth Low Energy (BLE) butt plug to test the (in)security of BLE protocol. This caught my attention after researchers told us that a lot of sex toys use this protocol to allow remote control that is insecure by design."

Another security researcher, Simone Margaritelli, had previously discussed a BLE scanner he wrote called BLEAH and how to use it to hack BLE-connected devices. Mellini sought to replicate Margaritelli's hack, and was successful:

"The butt plug can be remotely controlled with a mobile application called Lovense Remote (download here). With jadx you can disassemble the java application and find the Bluetooth class used to control the device. Inside you can find the strings to be sent to the toy to start vibration... So we have all the elements to hack the sex toy with BLEAH... At the end is very easy to hack BLE protocol due to poor design choices. Welcome to 2017."

Welcome, indeed, to 2017. This seems to be the year of hacked mobile devices. There have been too many news reports about devices with poor (or no) security: the encryption security flaw in many home wireless routers and devices, patched Macs still vulnerable to firmware hacks, a robovac maker's plans to resell interior home maps its devices created, a smart vibrator maker paid hefty fines to settle allegations it tracked users without their knowledge or consent, security researchers hacked a popular smart speaker, and a bungled software update bricked many customers' smart door locks.

In 2016, security researchers hacked an internet-connected vibrator.

And those are just some of the reports. All of this runs counter to consumers' needs. In August, a survey of consumers in six countries found that 90 percent believe it is important for smart devices to have security built in. Are device makers listening?

Newsweek reported:

"Lovense did not immediately respond to a request for comment from Newsweek but the sex toy company has spoken previously about the security of its products. "There are three layers of security," Lovense said in a statement last year. "The server side, the way we transfer information from the user’s phone to our server and on the client side. We take our customer’s private data very seriously, which is why we don’t serve any on our servers." "

I have nothing against sex toys. Use one or not. I don't care. My concern: supposedly smart devices should have robust security to protect consumers' privacy.

Smart shoppers want persons they authorize -- and not unknown hackers -- to remotely control their vibrators. Thoughts? Comments?


Experts Find Security Flaw In Wireless Encryption Software. Most Mobile Devices At Risk

Researchers have found a new security vulnerability which places most computers, smartphones, and wireless routers at risk. The vulnerability allows hackers to decrypt and eavesdrop on victims' wireless network traffic; plus inject content (e.g., malware) into users' wireless data streams. ZDNet reported yesterday:

"The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network... The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk."

Reportedly, the vulnerability was confirmed on Monday by U.S. Homeland Security's cyber-emergency unit US-CERT, which had warned vendors about two months ago.

What should consumers do? Experts advise consumers to update the software in all mobile devices connected to their home wireless router. Obviously, that means first contacting the maker of your home wireless router, or your Internet Service Provider (ISP), for software patches to fix the security vulnerability.

ZDNet also reported that the security flaw:

"... could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched Internet-of-things (IoT) devices being exposed for use by botnets."

So, plenty of home devices must also be updated. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., mouse traps, wine bottles, crock pots, toy dolls, and trash/recycle bins). One "price" of wireless convenience is the responsibility for consumers and device makers to continually update the security software in internet-connected devices. Nobody wants their home router and devices participating in scammers' and fraudsters' botnets with malicious software.

ZDNet also listed software patches by vendor. And:

"In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android 6.0 Marshmallow and newer... At the time of writing, neither Toshiba and Samsung responded to our requests for comment..."

Hopefully, all of the Internet-connected devices in your home provide for software updates. If not, then you probably have some choices ahead: whether to keep that device or upgrade to a better device for security. Comments?


What We Do and Don’t Know About Facebook’s New Political Ad Transparency Initiative

[Editor's note: today's guest post is by the reporters at ProPublica. It is reprinted with permission.]

The short answer: It leaves the company some wiggle room.

By Julia Angwin, ProPublica

On Thursday September 21, Facebook Chief Executive Mark Zuckerberg announced several steps to make political ads on the world’s largest social network more transparent. The changes follow Facebook’s acknowledgment in September that $100,000 worth of political ads were placed during the 2016 election cycle by “inauthentic accounts” linked to Russia.

The changes also follow ProPublica’s launch of a crowdsourcing effort during September to collect political advertising from Facebook. Our goal was to ensure that political ads on Facebook, which until now have largely avoided scrutiny, receive the same level of fact-checking by journalists, advocacy groups and political opponents as do print, broadcast and radio political ads. We hope to have some results to share soon.

In the meantime, here’s what we do and don’t know about how Facebook’s changes could play out.

How does Facebook plan to increase disclosure of funders of political ads?
In his statement, Zuckerberg said that Facebook will start requiring political advertisers to disclose “which page paid for an ad.”

This is a reversal for Facebook. In 2011, the company argued to the Federal Election Commission that it would be “inconvenient and impracticable” to include disclaimers in political ads because the ads are so small in size.

While the commission was too divided to make a decision on Facebook’s request for an advisory ruling, the deadlock effectively allowed the company to continue omitting disclosures. (The commission has just reopened discussion of whether to require disclosure for internet advertising).

Now Facebook appears to have dropped its objections to adding disclosures. However, the problem with Facebook’s plan of only revealing which page purchased the ad is that the source of the money behind the page is not always clear.

What is Facebook doing to make political ads more transparent to the public?
Zuckerberg also said that Facebook will start to require political advertisers to place on their pages all the ads they are “currently running to any audience on Facebook.”

This requirement could mean the end of the so-called “dark posts” on Facebook — political ads whose origins were not easily traced. Now, theoretically, each Facebook political ad would be associated with and published on a Facebook page — either for candidates, political action committees or interest groups.

However, the word “currently” suggests that such disclosure could be fleeting. After all, ads can run on Facebook for as little as a few minutes or a few hours. And since campaigns can run dozens, hundreds or even thousands of variations of a single ad — to test which one gets the best response — it will be interesting to see whether and how they manage to display all those ads on their pages simultaneously.

“It would require a lot of vigilance on the part of users and voters to be on those pages at the exact time” that campaigns posted all of their ads, said Brendan Fischer, a lawyer at the Campaign Legal Center, a campaign finance reform watchdog group.

How will Facebook decide which ads are political?
It’s not clear how Facebook will decide which ads are political and which aren’t. There are several existing definitions they could choose from.

The Federal Communications Commission defines political advertising as anything that “communicates a message relating to any political matter of national importance,” but those rules only apply to television and radio broadcasters. FCC rules require extensive disclosure, including the amount paid for the ads, the audiences targeted and how many times the ads run.

The Federal Election Commission has traditionally defined two major types of campaign ads. “Independent expenditures” are ads that expressly advocate the election or defeat of a “clearly identified candidate.” A slightly broader definition, “electioneering communications,” encompasses so-called “issue ads” that mention a candidate but may not directly advocate for his or her election or defeat.

The FEC only requires spending on electioneering ads to be disclosed in the 60 days leading up to a general election or the 30 days leading up to a primary election. And the electioneering communications rule does not apply to online advertising.

Of course, Facebook doesn’t have to choose any of the existing definitions of political advertising. It could do what it did with hate speech — and make up its own rules.

How will Facebook catch future political ads secretly placed by foreigners?
The law prohibits a foreign national from making any contribution or expenditure in any U.S. election. That means that Russians who bought the ads may have broken the law, but it also means that any American who “knowingly provided substantial assistance” may also have broken the law.

In mid-September, when Facebook disclosed the Russian ad purchase, the company said it was increasing its technical efforts to identify fake and inauthentic pages and to prevent them from running ads.

Zuckerberg said the company would “strengthen our ad review process for political ads” but didn’t specify exactly how. (Separately, Facebook Chief Operating Officer Sheryl Sandberg said in September that the company is adding more human review to its ad-buying categories, after ProPublica revealed that it allowed advertisers to target ads toward “Jew haters.”)

Zuckerberg also said Facebook will work with other tech companies and governments to share information about online risks during elections.

Will ProPublica continue crowd-sourcing Facebook political ads?
Yes, we plan to keep using our tool to monitor political advertising. In September, we worked with news outlets in Germany — Spiegel Online, Süddeutsche Zeitung and Tagesschau — to collect more than 600 political ads during the parliamentary elections.

We believe there is value to creating a permanent database of political ads that can be inspected by the public, and we intend to track whether Facebook lives up to its promises. If you want to help us, download our tool for Firefox or Chrome web browsers.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Equifax Reported 15.2 Million Records Of U.K. Persons Exposed

Yesterday, Equifax's United Kingdom (UK) unit issued a press release about the credit reporting agency's massive data breach and the number of breach victims. A portion of the statement:

"It has always been Equifax’s intention to write to those consumers whose information had been illegally compromised, but it would have been inappropriate and irresponsible of us to do so before we had absolute clarity on what data had been accessed. Following the completion of an independent investigation into the attack, and with agreement from appropriate investigatory authorities, Equifax has begun corresponding with affected consumers.

We would like to take this opportunity to emphasize that Equifax correspondence will never ask consumers for money or cite personal details to seek financial information, and if they receive such correspondence they should not respond. For security reasons, we will not be making any outbound telephone calls to consumers. However, customers can call our Freephone number on 0800 587 1584 for more information.

Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test data-sets, duplicates and spurious fields... we have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled us to confirm that we will need to contact 693,665 consumers by post... The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry that this data may have been accessed."

Below is the tabular information of risk categories from the Equifax UK announcement:

| Consumer groups | Remedial action |
| --- | --- |
| 12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed; 14,961 consumers who had portions of their Equifax.co.uk membership details such as username, password, secret questions and answers and partial credit card details - from 2014 accessed; 29,188 consumers who had their driving license number accessed | We will offer Equifax Protect for free. This is an identity protection service which monitors personal data. Products and services from third party organizations will also be offered at no cost to consumers. In addition to the services set-out above, further information will be outlined in the correspondence. |
| 637,430 consumers who had their phone numbers accessed | Consumers who had a phone number accessed will be offered a leading identity monitoring service for free. |

Some observations seem warranted.

First, the announcement was vague about whether the 15.2 million U.K. persons affected were included in the prior breach total, or in addition to the prior total. Second, the U.K. unit will send written breach notices to all affected consumers via postal mail, while the U.S. unit refused. The U.K. unit did the right thing, so its users aren't confused by, and don't have to access, a hastily built site to see if they were affected.

Third, given the data elements stolen, some U.K. breach victims are vulnerable to additional frauds and threats, like breach victims in the USA.

Kudos to the Equifax U.K. unit for the postal breach notices and for clearly stating the above risk categories.


Consequences And New Threats From The Massive Equifax Breach

To protect themselves and their sensitive information, many victims of the massive Equifax data breach have signed up for the free credit monitoring and fraud resolution services Equifax arranged. That's a good start. Some victims have gone a step further and placed Fraud Alerts or Security Freezes on their credit reports at Equifax, Experian, and TransUnion. That's good, too. But, is that enough?

The answer to that question requires an understanding of what criminals can do with the sensitive information accessed and stolen during the Equifax breach. Criminals can commit types of fraud which credit monitoring, credit report alerts, and freezes cannot stop. Consumer Reports (CR) explained:

"Freezing your credit report specifically at Equifax will also prevent crooks from registering as you at the government website, my Social Security, and block them from attempting to steal your Social Security benefits. But taking these steps won't protect you against every identity fraud threat arising from the Equifax data breach."

Sadly, besides credit and loan fraud the Equifax breach exposed breach victims to tax refund fraud, health care fraud, and driver's license (identity) fraud. This is what makes the data breach particularly nasty. CR also listed the data elements criminals use with each type of fraud:

"With your Social Security number, crooks can file false income tax returns in your name, take bogus deductions, and steal the resulting refund. More than 14,000 fraudulent 2016 tax returns, with $92 million in unwarranted refunds, were detected and stopped by the Internal Revenue Service (IRS) as of last March... Data from the Equifax breach can be used to steal your benefits from private health insurance, Medicare, or Medicaid when the identity thief uses your coverage to pay for his own medical treatment and prescriptions... Using your driver’s license number, identity thieves can create bogus driver’s licenses and hang their moving violations on you...."

The CR article suggested several ways for consumers to protect themselves from each type of fraud: a) request an Identity Protection PIN number from the IRS; b) request copies of your medical file from your providers and review your MIB Consumer File each year; and c) request a copy of your driving license record and get your free annual consumer report from ChexSystems, Certegy, and TeleCheck, the three major check verification companies.

Never considered reviewing your tax account with the IRS? You can. Never heard of a Consumer MIB File? I'm not surprised. Most people haven't. I encourage consumers to read the entire CR article. While at the CR site, read their review of TrustedID Premier service which Equifax arranged for breach victims. It's an eye-opener.

Do these solutions sound like a lot of preventative work? They are. You have Equifax to thank for that. Will Equifax help breach victims with the time and effort required to research and implement the solutions CR recommended? Will Equifax compensate breach victims for the costs incurred with these solutions? These are questions breach victims should ask Equifax and TrustedID Premier.

Consumers and breach victims are slowly learning the consequences of a data breach are extensive. The consequences include time, effort, money, and aggravation. You might say breach victims have been mugged. Worse, consumers are saddled with the burden of the consequences. That isn't fair. The companies making money by selling consumers' credit reports and information should be responsible for the burdens. Things are out of balance.

What are your opinions?


Without Fanfare, Equifax Makes Bankruptcy Change That Affects Hundreds of Thousands

[Editor's note: today's guest post, by the reporters at ProPublica, highlights how credit reporting agencies treat certain information contained in consumers' credit reports. It is reprinted with permission.]

By Paul Kiel, ProPublica

For what appears to be decades, the credit rating agency Equifax has quietly layered three more years of tarnish on the credit histories of hundreds of thousands of people who had filed for bankruptcy under Chapter 13.

While its competitors, TransUnion and Experian, placed a flag on such histories for seven years, Equifax left it on the reports of Chapter 13 filers who failed to complete their bankruptcy plans for 10.

After ProPublica asked about the difference in its policy, the company said it now leaves the flag on for seven years, but refused to say when and why the change was made.

The consequences of Equifax’s harsher policy were likely life-changing for some unlucky people. As Experian warns consumers on its website, “having a bankruptcy in your credit history will seriously affect your ability to obtain credit for as long as it remains on your report. It can also affect your ability to qualify for things like an apartment, utilities, and even employment. Even car insurance rates may be affected.” Without knowing why, consumers could have been turned down for apartments because landlords checked their Equifax report rather than those from Experian or TransUnion.

Why Equifax’s policy was different is unclear and the company would not address it. But that such a discrepancy had gone unnoticed and unaddressed for so long underscores how lightly regulated the industry is.

ProPublica contacted all of the major credit agencies earlier this year as part of our ongoing series on consumer bankruptcy. The policies of TransUnion and Experian were similar: People who filed under Chapter 7, which wipes out most debts, would have a flag on their report for 10 years; those who filed under Chapter 13, which usually involves five years of payments before debts are forgiven, would have a flag for seven.

Equifax had the same Chapter 7 policy. But the company had a key difference in its policy for Chapter 13 filers: Those who were unable to complete their five years of payments and had their cases dismissed were saddled with a flag for three additional years.

This difference had the potential for widespread impact. About half of Chapter 13 cases are dismissed, usually because debtors fall behind on payments. From 2008 through 2010, 574,000 Chapter 13 cases were filed and subsequently dismissed, according to our analysis of filings. Under Equifax’s policy of keeping the flag on for 10 years, all those debtors would have a flag on their Equifax report through the end of 2017, but not on their TransUnion and Experian histories.

“It’s a problem, because you have a disparate treatment of debtors depending on which credit rating agency is reporting,” said Tara Twomey, an attorney with the National Consumer Law Center. “We really need consistent credit reporting for this system to work.”

Equifax’s policy also disproportionately affected black consumers, because, as our analysis showed, black debtors are more likely than whites to choose Chapter 13 and have their cases dismissed.

ProPublica wrote the company again in July, prior to its recent disclosure that its records had been hacked, laying out the potential impact of its policy on consumers and asking why it differed from competitors. In an email, Equifax spokeswoman Nancy Bistritz-Balkan wrote that the company had “recently modified the length of time for how long a dismissed Chapter 13 bankruptcy remains on file.” Under the new policy, she wrote, “Equifax removes the flag for a Chapter 13 bankruptcy after seven years, regardless of outcome.”

She would not say what “recently” meant, only saying, “The change we referenced was not implemented after we received your inquiry.” As to why Equifax made the change, she wrote, “At this time, I do not have additional details about how the change was made.”

It might seem puzzling that such a meaningful policy is not governed by law. While some aspects of credit reporting are, others are simply decided among the agencies themselves. Bankruptcy is a mix of the two. Under the Fair Credit Reporting Act, the longest a bankruptcy can stay on someone’s credit report is 10 years. The credit rating agencies have voluntarily decided to treat Chapter 13 cases differently because Chapter 13 typically involves the repayment of some debt, while Chapter 7 does not. Bistritz-Balkan made a point of saying that Equifax’s previous policy had been legal.

Initially, Chapter 7 and Chapter 13 have a similar effect on debtors’ credit scores, one that diminishes over time. Bankruptcy is a negative mark on a debtor’s history, but that doesn’t mean that declaring bankruptcy will invariably damage someone’s credit score. In fact, research shows that most people who declare bankruptcy actually see their score rise in the following months. That’s because the typical score is so low that the negative effect of the bankruptcy is outweighed by the positive effect of wiping out debt.

According to Zachary Anderson, a spokesman for FICO, the median FICO score for consumers who declared bankruptcy between October 2009 and October 2010, when filings peaked during the Great Recession, was 558 — lower than all but 20 percent of consumers with a credit score.

A recent analysis of credit files by Paul Goldsmith-Pinkham, an economist with the Federal Reserve Bank of New York, shows how scores change before and after bankruptcy. In the months prior to filing, as consumers fall deeper into debt, the average credit score plunges. The analysis, using a credit score generated by Equifax that works similarly to a FICO score, found that the average score fell to a low around 520-530, but recovered sharply over the next 6 months, then gradually increased thereafter.

[Chart: Average Credit Scores Plunge Before Bankruptcy, Rise After]

The next noticeable bump was seven or 10 years later, depending on the chapter, when the bankruptcy flags were removed. Consumers’ credit scores then jumped by about 10 points.

The consumers with the lowest credit scores, the analysis found, were those who had their Chapter 13 cases dismissed. That would be due, in part, to the fact that they tend to be disproportionately low-income and black, two groups with lower credit scores on average.

As we showed in our story about bankruptcy in Memphis, where Chapter 13 dismissals are incredibly common, these debtors can find themselves worse off for having tried bankruptcy. They might be even further behind on their debts after their cases are dismissed, making it harder to re-establish their credit. The effect of a dismissal lasts for years. At the very least, Equifax’s change in how it handles Chapter 13s means that the shadow cast by a past bankruptcy isn’t quite as long.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Why The IRS Gave Equifax A No-Bid Contract Extension

You've probably heard the news. The Internal Revenue Service (IRS) gave a no-bid contract to Equifax, even after knowing about the credit reporting agency's massive data breach and arguably lackadaisical data security approaches by management.

Why would the IRS do this? The contract's synopsis in the Federal Business Opportunities (FBO) site stated on September 30:

"This action was to establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service. A sole source order is required to cover the timeframe needed to resolve the protest on contract TIRNO-17-Z-00024. This is considered a critical service that cannot lapse."

C/Net explained the decision and sequence of key events:

"The IRS already had enough trouble dealing with tax fraud, losing $5.8 billion to scammers in 2013... The contract, first reported by Politico,... describes the agreement as a "sole source order," calling Equifax's help a "critical service." When it comes to credit monitoring, there are really only three major names in the US: Equifax, Experian and TransUnion. Experian has also suffered a breach... The IRS actually awarded its authentication service contract to another company in July, Jeffrey Tribiano, the agency's deputy commissioner for operations support told members of Congress. Equifax protested losing the contract to the US Government Accountability Office on July 7, according to documents. The office will decide on the protest by October 16. Until then, the IRS could not move onto its new partner. That meant that when the IRS' old contract with Equifax was supposed to expire on Friday (Sept. 29), Tribiano said, millions of Americans would not have been able to verify their identity with the agency for more than two weeks."

Wow! So, the IRS was caught between a rock and a hard place... or "caught between a rock and a hacked place" as C/Net described. Apparently, consumers and taxpayers are also caught.

Once again, another mess involving Equifax gives consumers that "I've been mugged" feeling.


Update: All Yahoo Accounts Hacked During Its Data Breach in 2013

Yahoo, now within Verizon's Oath business unit, announced on Tuesday an update to the number of accounts hacked during its massive data breach in 2013. The announcement stated:

"... [Yahoo] is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected... Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft... Yahoo is sending email notifications to the additional affected user accounts..."

That's 3 billion accounts hacked! It almost boggles the mind. Consumers with questions should also visit the Yahoo 2013 Account Security Page which has been updated with information released this week. Key information about the breach and consumers' data stolen:

"On December 14, 2016, Yahoo announced that, based on its analysis of data files provided by law enforcement, the company believed that an unauthorized party stole data associated with certain user accounts in August 2013... the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or un-encrypted security questions and answers. The investigation indicates that the information that was stolen did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected... No additional notifications regarding the cookie forging activity are being sent in connection with this update..."

Obviously, affected users should change their passwords, security questions, and security answers -- if they haven't already. Some consumers are confused about whether e-mail breach announcements they have received are authentic and truly from Yahoo. The tech company advised:

"... email from Yahoo about this issue will display the Yahoo icon when viewed through the Yahoo website or Yahoo Mail app. Importantly, the email does not ask you to click on any links or contain attachments and does not request your personal information. If an email you received about this issue prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails."

Uncertain users should also check the official Yahoo breach notices by country. In June of this year, Verizon completed its acquisition of Yahoo! Inc. and announced then:

"Verizon has combined these assets with its existing AOL business to create a new subsidiary, Oath, a diverse house of more than 50 media and technology brands that engages more than a billion people around the world. The Oath portfolio includes HuffPost, Yahoo Sports, AOL.com, MAKERS, Tumblr, BUILD Studios, Yahoo Finance, Yahoo Mail and more, with a mission to build brands people love."

Reportedly, the Oath portfolio will include products, services, and apps covering content partnerships, virtual reality (VR), artificial intelligence (AI), and the Internet of Things (IoT).

In March of this year, the U.S. Department of Justice announced the indictment by a grand jury of four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses related to the massive hack of millions of Yahoo webmail accounts.

The announcement this week by Yahoo is a reminder of the importance of post-breach investigations and how long these investigations can take to uncover complete details about the hack. It is unwise to assume that everything is known at the time of the initial breach notification. It is also unwise to assume that companies can immediately improve their data security and systems after a massive breach.


Equifax: 2.5 Million More Persons Affected By Massive Data Breach

Equifax disclosed on Monday, October 2, that 2.5 million more persons than originally announced were affected by its massive data breach earlier this year. According to the Equifax breach website:

"... cybersecurity firm Mandiant has completed the forensic portion of its investigation of the cybersecurity incident disclosed on September 7 to finalize the consumers potentially impacted... The completed review determined that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million. Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process."

The September breach announcement said that persons outside the United States may have been affected. The October 2nd update addressed that, too:

"The completed review also has concluded that there is no evidence the attackers accessed databases located outside of the United States. With respect to potentially impacted Canadian citizens, the company previously had stated that there may have been up to 100,000 Canadian citizens impacted... The completed review subsequently determined that personal information of approximately 8,000 Canadian consumers was impacted. In addition, it also was determined that some of the consumers with affected credit cards announced in the company’s initial statement are Canadian. The company will mail written notice to all of the potentially impacted Canadian citizens."

So, things are worse than originally announced in September: more United States citizens affected, fewer Canadian citizens affected overall but more Canadians' credit card information exposed, and we still don't know the number of United Kingdom residents affected:

"The forensic investigation related to United Kingdom consumers has been completed and the resulting information is now being analyzed in the United Kingdom. Equifax is continuing discussions with regulators in the United Kingdom regarding the scope of the company’s consumer notifications..."

And, there's this statement by Paulino do Rego Barros, Jr., the newly appointed interim CEO (after former CEO Richard Smith resigned):

"... As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements..."

To review? That means Equifax has not finished the job of making its systems and websites more secure with security fixes based upon how the attackers broke in, which identify attacks earlier, and which prevent future breaches. As bad as this sounds, the reality is probably worse.

After testimony before Congress by former Equifax CEO Richard Smith, Wired documented "six fresh horrors" about the breach and the leisurely approach by the credit reporting agency's executives. First, this about the former CEO:

"... during Tuesday's hearing, former CEO Smith added that he first heard about "suspicious activity" in a customer-dispute portal, where Equifax tracks customer complaints and efforts to correct mistakes in their credit reports, on July 31. He moved to hire cybersecurity experts from the law firm King & Spalding to start investigating the issue on August 2. Smith claimed that, at that time, there was no indication that any customer's personally identifying information had been compromised. As it turns out, after repeated questions from lawmakers, Smith admitted he never asked at the time whether PII being affected was even a possibility. Smith further testified that he didn't ask for a briefing about the "suspicious activity" until August 15, almost two weeks after the special investigation began and 18 days after the initial red flag."

Didn't ask about PII? Geez! PII describes the set of data elements which are the most sensitive information about consumers. It's the business of being a credit reporting agency. Waited 2 weeks for a briefing? Not good either. And, that is a most generous description since some experts question whether the breach actually started in March -- about four months before the July event.

Wired reported the following about Smith's Congressional testimony and the March breach:

"Attackers initially got into the affected customer-dispute portal through a vulnerability in the Apache Struts platform, an open-source web application service popular with corporate clients. Apache disclosed and patched the relevant vulnerability on March 6... Smith said there are two reasons the customer-dispute portal didn't receive that patch, known to be critical, in time to prevent the breach. The first excuse Smith gave was "human error." He says there was a particular (unnamed) individual who knew that the portal needed to be patched but failed to notify the appropriate IT team. Second, Smith blamed a scanning system used to spot this sort of oversight that did not identify the customer-dispute portal as vulnerable. Smith said forensic investigators are still looking into why the scanner failed."

Geez! Sounds like a managerial failure, too. Nobody followed up with the unnamed persons responsible for patching the portal? And Equifax executives took a leisurely (and perhaps lackadaisical) approach to protecting sensitive information about consumers:

"When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers... It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax's attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all," Smith replied. "There are varying levels of security techniques that the team deploys in different environments around the business."

Geez! So, we now have confirmation that the "core" information -- the most sensitive data about consumers -- in Equifax's databases is only partially encrypted.

Context matters. In January of this year, the Consumer Financial Protection Bureau (CFPB) took punitive action against TransUnion and Equifax for deceptive marketing practices involving credit scores and related subscription services. That action included $23.1 million in fines and penalties.

Thanks to members of Congress for asking the tough questions. No thanks to Equifax executives for taking lackadaisical approaches to data security. (TransUnion, Innovis, and Experian executives: are you watching? Learning what mistakes not to repeat?) Equifax has lost my trust.

Until Equifax hardens its systems (I prefer NSA-level hardness), it shouldn't be entrusted with consumers' sensitive personal and payment information. Consumers should be able to totally opt out of credit reporting agencies that fail with data security. This would allow the marketplace to govern things and stop the corporate socialism benefiting credit reporting agencies.

What are your opinions?

[Editor's note: this post was amended on October 7 with information about the CFPB fines.]


Report: Patched Macs Still Vulnerable To Firmware Hacks

I've heard numerous times the erroneous assumption by consumers: "Apple-branded devices don't get computer viruses." Well, they do. Ars Technica reported about a particularly nasty hack of vulnerabilities in devices' Extensible Firmware Interface (EFI). Never heard of EFI? Well:

"An analysis by security firm Duo Security of more than 73,000 Macs shows that a surprising number remained vulnerable to such attacks even though they received OS updates that were supposed to patch the EFI firmware. On average, 4.2 percent of the Macs analyzed ran EFI versions that were different from what was prescribed by the hardware model and OS version. 47 Mac models remained vulnerable to the original Thunderstrike, and 31 remained vulnerable to Thunderstrike 2. At least 16 models received no EFI updates at all. EFI updates for other models were inconsistently successful, with the 21.5-inch iMac released in late 2015 topping the list, with 43 percent of those sampled running the wrong version."

This is very bad. EFI hacks are particularly effective and nasty because:

"... they give attackers control that starts with the very first instruction a Mac receives... the level of control attackers get far exceeds what they gain by exploiting vulnerabilities in the OS... That means an attacker who compromises a computer's EFI can bypass higher-level security controls, such as those built into the OS or, assuming one is running for extra protection, a virtual machine hypervisor. An EFI infection is also extremely hard to detect and even harder to remedy, as it can survive even after a hard drive is wiped or replaced and a clean version of the OS is installed."

At-risk EFI versions mean that devices running Windows and Linux operating systems are also vulnerable. Reportedly, the exploit requires plenty of computing and technical expertise, so hackers would probably pursue high-value targets (e.g., journalists, attorneys, government officials, contractors with government clearances) first.

The Duo Labs Report (63 pages, Adobe PDF) lists the specific MacBook, MacBookAir, and MacBookPro models at risk. The researchers shared a draft of the report with Apple before publication. The report's "Mitigation" section provides solutions, including but not limited to:

"Always deploy the full update package as released by Apple, do not remove separate packages from the bundle updater... When possible, deploy Combo OS updates instead of Delta updates... As a general rule of thumb, always run the latest version of macOS..."

Scary, huh? The nature of the attack means that hackers probably can disable the anti-virus software on your device(s), and you probably wouldn't know you've been hacked.


Survey: United States Citizens Don't Know Their Basic Constitutional Rights

The Annenberg Public Policy Center (APPC) announced the results of its latest annual Constitution Day Civics Survey -- how well United States citizens know their Constitutional rights. The latest survey was conducted August 9 to 13 and included 1,013 adults. Main findings:

"1. More than half of Americans (53 percent) incorrectly think it is accurate to say that immigrants who are here illegally do not have any rights under the U.S. Constitution;

2. More than a third of those surveyed (37 percent) can’t name any of the rights guaranteed under the First Amendment; and

3. Only a quarter of Americans (26 percent) can name all three branches of government."

About the rights of undocumented immigrants, the incorrect belief is held by more conservatives (67 percent) compared to moderates (48 percent) and liberals (46 percent). The APPC explained:

"In fact, immigrants who are in the United States illegally share some constitutional protections with U.S. citizens. More than a century ago, in Yick Wo v. Hopkins (1886), a case involving a Chinese immigrant, the Supreme Court ruled that non-citizens were entitled to due process rights under the 14th Amendment’s equal protection clause. Other cases have expanded upon those rights..."

A tiny bit of good news in the survey results:

"Most respondents, though not all, know that under the Constitution, U.S. citizens who are atheists or Muslim have the same rights as all other citizens. Seventy-nine percent of respondents know it is accurate to say that U.S. citizens who are atheists have the same rights as other citizens, and 76 percent know it is accurate to say that citizens who are Muslim have the same rights as other citizens."

About how well (or not) citizens know their rights under the First Amendment (bold emphasis added):

"Nearly half of those surveyed (48 percent) say that freedom of speech is a right guaranteed by the First Amendment. But, unprompted, 37 percent could not name any First Amendment rights. And far fewer people could name the other First Amendment rights: 15 percent of respondents say freedom of religion; 14 percent say freedom of the press; 10 percent say the right of assembly; and only 3 percent say the right to petition the government... Contrary to the First Amendment, 39 percent of Americans support allowing Congress to stop the news media from reporting on any issue of national security without government approval. That was essentially unchanged from last year..."

So, many Americans fail to understand the law of the land -- the U.S. Constitution -- and some naively (or stupidly) support actions to restrict their rights.

Are things getting better or worse? In a 2011 survey by the APPC, barely half of United States citizens (51 percent) knew that a two-thirds majority vote by Congress is needed to overturn a presidential veto. In a 2015 survey by the APPC, about one in ten Americans (12 percent) said that the Bill of Rights guarantees pet ownership. It doesn't. A quick comparison across the years:

| Survey Result (% of People) | 2011 | 2015 | 2017 |
| --- | --- | --- | --- |
| Correctly named all 3 branches of government | 38 | 31 | 26 |
| Unable to name 1 branch of government | 33 | 32 | 33 |

Kathleen Hall Jamieson, director of the Annenberg Public Policy Center (APPC) of the University of Pennsylvania said:

"Protecting the rights guaranteed by the Constitution presupposes that we know what they are. The fact that many don’t is worrisome... These results emphasize the need for high-quality civics education in the schools and for press reporting that underscores the existence of constitutional protections."

I agree. These results are embarrassing, too. What do you think?


Here Comes The Post-Equifax-Breach Spam From Scammers

If you haven't received them yet, you probably will soon. Here comes the spam - unwanted e-mail messages - from scammers, supposedly related to the massive Equifax data breach. The spam will likely include phishing attacks: attempts to trick consumers into disclosing sensitive bank account and payment data.

What might this spam look like? The spam filter by my e-mail provider recently trapped the message below in my spam folder:

Suspected spam email.

The sender's intent is to clearly leverage consumers' anxieties and fears about the massive, horrific Equifax breach. The e-mail message also states:

Suspected spam email.

The message offers both three free credit scores and free credit reports. The problems I see with this e-mail:

  1. The message doesn't list a price for its offer. The company name -- FreeCreditClick -- implies the offer is free.
  2. Key items in the e-mail don't match. The company name in the "From" field doesn't match the e-mail address. Nor does the company name in the "From" field match the company name in the body of the message.
  3. The sender's e-mail address in the "From" field includes a version of an e-mail address I've seen before in other spam.
  4. The Equifax site already directs consumers affected by the data breach to an Equifax site to learn how to get protection (e.g., credit monitoring and fraud resolution services) for free.
  5. The e-mail offers credit reports from the three major credit reporting agencies: Experian, Equifax, and TransUnion. Informed consumers know that the official website for free credit reports is annualcreditreport.com.
  6. Informed consumers know that while there are several brands of credit scores, they probably need a single good one.
  7. The e-mail contains order and unsubscribe links with destinations that don't match the company names in either "1" or "2."

To understand #7, I reviewed the underlying HTML markup language used to create this e-mail message:

HTML markup of the suspected spam email.

The destinations for both the order link (A) and the unsubscribe link (B) contain the "proffbuilder.com" site and embedded redirect commands. The redirect commands could take your web browser anywhere. Too risky, so I did not click on them.
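The checks in items 2 and 7 can also be run without opening the message in a mail client. The following is an added example, not code from the original post: it compares the "From" display name with the sending domain and flags links that leave that domain or carry a second URL inside them. The sample message, all of its domains, and the last-two-labels domain comparison are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample message: every name and domain is a placeholder.
SAMPLE = """\
From: "Credit Bureau Alerts" <news@bulk-sender.example>
Subject: Were you affected by the breach?
Content-Type: text/html; charset="utf-8"

<a href="http://links.tracker.example/r?id=42&amp;u=http%3A%2F%2Flanding.offers.example%2Forder">Order</a>
<a href="http://links.tracker.example/r?id=42&amp;u=http%3A%2F%2Flanding.offers.example%2Funsub">Unsubscribe</a>
<a href="https://bulk-sender.example/privacy">Privacy</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def base_domain(host):
    # Assumption: last two labels approximate the registered domain (no Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])

def name_matches_domain(display, domain):
    # True when any word (4+ chars) of the display name appears in the domain.
    words = [w for w in re.findall(r"[a-z0-9]+", display.lower()) if len(w) >= 4]
    squashed = re.sub(r"[^a-z0-9]", "", domain.lower())
    return any(w in squashed for w in words)

def embedded_targets(url):
    # Hosts of other URLs carried inside this link's query values or path.
    parts = urlsplit(url)
    text = " ".join([v for _, v in parse_qsl(parts.query)] + [unquote(parts.path)])
    hosts = {urlsplit(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", text)}
    return sorted(h for h in hosts if h and h != parts.hostname)

def analyze(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = base_domain(addr.rpartition("@")[2])
    findings = []
    if display and not name_matches_domain(display, sender):
        findings.append(("from-name-mismatch", display, sender))
    for part in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        collector = LinkCollector()
        collector.feed(body)
        for href in collector.hrefs:
            host = urlsplit(href).hostname
            if host and base_domain(host) != sender:
                findings.append(("link-off-domain", host, sender))
            findings += [("embedded-redirect", host, t) for t in embedded_targets(href)]
    return findings
```

Calling `analyze(SAMPLE)` returns one tuple per finding. The parsing never fetches a link, so the raw source of a suspicious message can be inspected safely.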

As best I can tell, this definitely is spam. I don't trust it. What do you think?