Snapchat Vulnerability Exposed

Now you see it…. and then maybe…

Snapchat, another messaging service that is supposed to delete content once it has been sent, recently suffered a “breach,” of sorts.  No sensitive information was released but security researchers wanted to “expose” the vulnerabilities in the service so they gained access to data and then posted user names and phone numbers on a site called SnapchatDB.info and made the data available for download.

The security researchers stated on this website: “This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”

They also cautioned that they redacted part of the info: “For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.”

Snapchat reportedly is going to update its applications to secure the data; from their website:

“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”

http://blog.snapchat.com/post/72013106599/find-friends-abuse

Security experts have been concerned by the false sense of security that some of these messaging services purport to provide their users.

See NYT blog for more info:

http://bits.blogs.nytimes.com/2014/01/02/snapchat-breach-exposes-weak-security/

UPDATE:

Snapchat reports customer complaints of an increase in spam but denies that the activity is related to the “Find Friends” breach.

http://blog.snapchat.com/post/73216178814/snap-spam-update


UPDATE:

–Snapchat settled with the FTC – May 8, 2014–

From the FTC’s Press release:

According to the FTC’s complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez.  “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information.  In addition, the company will be required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.

It appears the settlement was for corrective and compliance actions but no monetary payment.

Read more: http://www.digitaltrends.com/mobile/your-incriminating-selfies-on-snapchat-werent-deleted/#ixzz31WFRFzn6

See also, critique of Snapchat –

http://www.informationweek.com/software/social/5-ways-snapchat-violated-your-privacy-security/d/d-id/1251175


Target Data Breach – Holiday Shopping Season 2013

INVESTIGATION UPDATE:

From KrebsOnSecurity: Target’s HVAC contractor was the vulnerability exploited in the attack –

“It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.

***

It remains unclear when the dust settles from this investigation whether Target will be liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.

Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).”

AND ON THE LITIGATION FRONT:

Banks file suit over their costs:

“The cancellation and reissuance of cards has caused significant damages and losses to Amalgamated and members of its class,” the company said in its complaint.

http://blogs.wsj.com/riskandcompliance/2014/02/07/banks-heap-suits-on-target-over-data-breach/


POST-BREACH REVIEW:

Notification to consumers (not just customers, apparently) looked like a phishing attack, with a link to a suspicious subdomain:

http://www.pcworld.com/article/2089104/target-breach-notifications-are-a-perfect-example-of-what-not-to-do.html

CHRONOLOGY:

From the New York Times:

Dec. 12 The Secret Service requests a meeting with Target.

Dec. 13 Target is informed of the breach by the Secret Service and Justice Department.

Dec. 15 Target removes the malware that evening.

Dec. 17 Credit card companies are given information about which cards were compromised. Target determines 40 million customers were affected and tells financial firms it will publicly announce the breach on Dec. 18.

Dec. 18 MasterCard and Visa begin informing banks of the breach. Brian Krebs publishes a story on the breach in the afternoon.

Dec. 19 Target makes its first public acknowledgement of the breach.

Dec. 20 Target tells its financial partners that credit card data and encrypted PIN data had been taken. JPMorgan decides at night to reissue all debit cards that were compromised and keep its branches open late over the weekend.

UPDATES:

Congressional hearing: Target and Secret Service representatives are asked to testify before the House Commerce sub-committee.  See:

http://thehill.com/blogs/hillicon-valley/technology/195664-target-to-testify-on-data-breach-next-month

And from Reuters: A cybersecurity firm, IntelCrawler, said it has uncovered at least six ongoing attacks at merchants across the United States whose credit card processing systems are infected with the same type of malicious software used to steal data from credit cards at Target Inc.  The attackers used an inexpensive “off the shelf” malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack.

http://www.reuters.com/article/2014/01/17/us-target-databreach-idUSBREA0G18P20140117

http://intelcrawler.com/about/press08


Target, one of the largest US retailers, is reporting a data breach from November 27th through December 15th, involving consumer credit card data (customer name and card number). News reports estimate that 40 million accounts were affected.

The Target website includes a banner at the top of the home page with a link to the current information. Following that link, Target has so far provided the following information:

“We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013…

We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”

See notice at:

https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

And news articles at:

http://www.reuters.com/article/2013/12/19/us-target-breach-idUSBRE9BH1GX20131219

http://www.latimes.com/business/money/la-fi-mo-target-40-million-credit-debit-cards-possibly-breached-20131219,0,774974.story#axzz2nvWL0Dlb

UPDATE: It appears the magnetic stripe is getting the blame for the security weakness, along with the fact that data from Target’s systems was unencrypted as it passed through the payment system. Reportedly, 40 million accounts had names, credit/debit card numbers, expiration dates and three-digit security codes compromised. Target has not yet specifically identified the method of access or the weakness that allowed the breach.

Experts suggest it is time for U.S. card issuers to go to the chip-card system, currently in use in most other markets, as chip cards use a different encrypted mathematical value for each transaction, making it harder for criminals to use stolen data for future purchases.
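To illustrate why a per-transaction value resists reuse while static stripe data does not, here is an added example written for this post (not code from Target, the card networks or any card scheme). It is a simplified counter-plus-HMAC model with a constructed card key; it is not EMV’s actual cryptogram algorithm.

```python
import hmac
import hashlib

# Constructed sample values for the demo: a made-up card key shared between
# the chip and the issuer, and a test PAN that is not a real card.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4111111111111111"


def magstripe_track(pan: str, expiry: str, cvv: str) -> str:
    """Static track data: identical on every swipe, so a copy is as good as the card."""
    return f"{pan}={expiry}{cvv}"


class ChipCard:
    """Simplified chip: keeps a transaction counter (ATC) and MACs every
    transaction with a card-unique key, so each authorization value differs."""

    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0

    def authorize(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        msg = self.atc.to_bytes(2, "big") + amount_cents.to_bytes(4, "big") + terminal_nonce
        cryptogram = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return {"atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "cryptogram": cryptogram}


class Issuer:
    """Issuer host: recomputes the cryptogram and remembers the highest ATC
    seen for the card, so captured data cannot be presented a second time."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0

    def verify(self, tx: dict) -> bool:
        msg = tx["atc"].to_bytes(2, "big") + tx["amount"].to_bytes(4, "big") + tx["nonce"]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False  # forged or altered record
        if tx["atc"] <= self.last_atc:
            return False  # counter already used: a replay of captured data
        self.last_atc = tx["atc"]
        return True


def replay_demo() -> tuple:
    """Returns (genuine accepted, replay accepted, altered accepted, next genuine accepted)."""
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    first = card.authorize(1999, b"nonce-a")
    ok_first = issuer.verify(first)
    ok_replay = issuer.verify(first)            # same captured record again
    altered = dict(first, amount=99999)         # captured record with amount changed
    ok_altered = issuer.verify(altered)
    second = card.authorize(500, b"nonce-b")   # a fresh transaction still works
    ok_second = issuer.verify(second)
    return ok_first, ok_replay, ok_altered, ok_second
```

Stripe data copied once is accepted every time because there is nothing in it that changes; the chip’s value is bound to a counter, the amount and a terminal nonce, so a stored copy fails the issuer check.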

ADDITIONAL UPDATE:

PINs also breached:

http://bits.blogs.nytimes.com/2013/12/27/targets-nightmare-goes-on-encrypted-pin-data-stolen/?_r=0

UPDATE AND COMMENTARY: 

What are the prospects for class litigation?  Will the claimants be able to string together an ‘actual injury’ theory or is it more likely that a “class” of financial institutions will bring suit?

http://blogs.reuters.com/alison-frankel/2014/01/13/why-most-consumer-data-breach-class-actions-vs-target-are-doomed/?goback=%2Egde_88093_member_5828604845245898755#%21

See also top ten data breaches for 2013 (thanks to Daniel M. Ryan for graphs):

2013 Top 10 US Data Breaches

Reports of ‘Safe Harbor’ Demise are Premature?

Brill addresses Issues at IAPP Data Protection Congress in Brussels

FTC Commissioner Julie Brill delivered remarks at the IAPP Data Protection Congress in Brussels today along with one of the EU’s Commissioners, Constantijn van Orange-Nassau. Commissioner Brill acknowledged some of the criticism being leveled at the U.S.-EU Safe Harbor Data Protection process in light of revelations from the Edward Snowden-NSA so-called spying scandal. Snowden’s disclosures included copies of PowerPoint presentation slides identifying the NSA’s PRISM program, which reportedly allowed the NSA to gain access to the private communications of users of nine popular Internet services (including Google, Yahoo!, Facebook, Microsoft and others). The Safe Harbor framework is supposed to allow for the transfer of such personal data in compliance with the EU Data Protection Directive. The FTC is responsible for compliance enforcement, once an entity self-reports to the U.S. Department of Commerce.

As a result of the revelations, certain EU principals began to question the efficacy of Safe Harbor as the basis for transferring data between U.S. and EU entities. See remarks from Vice President Reding as of July 2013:

http://europa.eu/rapid/press-release_MEMO-13-710_en.htm

–“PRISM has been a wake-up call. The data protection reform is Europe’s answer.”

–“The Safe Harbour agreement may not be so safe after all.”

Now, Commissioner Brill acknowledges the issue and responds, in part:

–“[Safe Harbor is a] very effective tool for protecting the privacy of EU consumers … the FTC has vigorously enforced the Safe Harbor.”

–“We’ve taken the initiative to look for Safe Harbor violations in every single privacy and data security investigation we conduct. That’s how we discovered the Safe Harbor violations of Facebook, Google and Myspace.”

–“[Safe Harbor has] received its share of criticism in large part due to revelations about government surveillance. There’s no doubt that has created tensions in the transatlantic partnership.”

Commissioner Brill likewise took to Twitter to drive home the point:  “Safe Harbor is strong – can help make it strong; increase transparency; make ADR more affordable; strengthen accountability #dpcongress”

See article at:

https://www.privacyassociation.org/publications/eu_u.s._officials_indicate_potential_privacy_agreement_at_data_protection_c

Her EU colleague took the opportunity to outline what should be the focus for these cross-Atlantic partnerships: 1) a standard commitment to Privacy by Design; 2) any Big Data application that might put fundamental rights at risk should be required to undergo a privacy impact assessment; 3) consent is a cornerstone of data protection; and 4) there needs to be a commitment to de-identification.


Brill, for her part, Tweeted a photo of the two privacy regulators engaged in conversation; apparently, doing some one-on-one diplomacy to try to calm these choppy waters!


Ride the Pony, Mony, Mony

Trustwave SpiderLabs is reporting on stolen credentials for approximately two million compromised accounts. The tactic is similar to earlier breaches: harvesting passwords using key logging software. The team believes the passwords had been harvested by a large botnet dubbed Pony. Given that many users employ the same or similar passwords for many purposes, the security risks are apparent. Trustwave cautions: “If you don’t enforce a password policy, don’t expect your users to do it for you.”

Most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc.

See link to the report:

http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html


The IoT needs PByD: FTC Looking at Privacy and Security in the Age of Smart Homes

The Internet of Things is the phrase used to describe technology that talks to technology – connected sensors and embedded technology.  Think of smart homes – your refrigerator knows what and when to restock; your HVAC adjusts to your schedule; personal tech – your heart monitor talks to your health care provider.  The FTC recently convened a workshop to address privacy and security considerations surrounding the use of such applications; see:

http://www.ftc.gov/bcp/workshops/internet-of-things/FINALAGENDA-11-13-13.pdf

In conjunction with the event, the Future of Privacy Forum released “a whitepaper arguing for a new privacy paradigm in the new highly connected world.”

http://www.futureofprivacy.org/2013/11/19/fpf-releases-a-new-privacy-paradigm-for-the-internet-of-things/

The whitepaper authors argue that the consent/notice approach of the usual customer/consumer paradigm for managing privacy may not be relevant or sufficient in a world where the uses of data cannot be discovered until after the data has been collected and employed. The argument now focuses on Privacy By Design strategies to tackle these thorny issues: anonymization of data; transparency; codes of conduct; accountability/accessibility.

See IAPP summary of the workshop issues at:  https://www.privacyassociation.org/publications/is_notice_and_consent_possible_with_the_internet_of_things

If we don’t get a handle on this now, that wristband I’m wearing may soon force me to add another mile to my jog because it knows what I had for lunch!  Let’s move, indeed!

And in more IoT news, along comes the worm:

http://allthingsd.com/20131130/a-new-worm-proves-that-the-internet-of-things-is-vulnerable-to-attack/#!

My new excuse – the bathroom scale’s been hacked!


UPDATE:

Google has acquired Nest, the maker of “connected” thermostats and smoke detectors. According to a statement one of Nest’s founders delivered to TechCrunch, Nest will only use customer information for “providing and improving Nest’s products and services,” indicating it will not be used for Google’s larger advertising schemes. Of course, the commentators are lining up to speculate about what Google will do with all that data collected straight from a consumer’s home. Consumers have also been using connectivity in their cars, and now Detroit is increasing that connectivity with cars that will be able to connect to the Internet independently and run custom apps on their own.

See info on Google acquisition of Nest: http://www.engadget.com/2014/01/13/google-acquires-nest/

And, GM’s 2015 roll-out of more connected cars: http://business.time.com/2014/01/07/your-car-is-about-to-get-smarter-than-you-are/

Fun from tomfishburne.com:


And then along came Fridge Spam:

-More than 750,000 Phishing and SPAM emails Launched from “Thingbots” Including Televisions, Fridge-

“The attack is believed to be one of the first to exploit lax security on devices that are part of the ‘internet of things’.”

See press release from Proofpoint: http://www.proofpoint.com/about-us/press-releases/01162014.php

And, BBC update:

http://www.bbc.co.uk/news/technology-25780908#!


DNTK – Do Not Track Kids – Proposed Legislation

No real eraser button?

Senator Ed Markey (D-Mass.) has introduced a bill to amend the Children’s Online Privacy Protection Act of 1998 to “extend, enhance, and revise the provisions relating to the collection, use and disclosure of personal information of children, to establish certain other protections for personal information of children and minors, and for other purposes.”  In the Findings included in the Bill, the proponents note that a Wall Street Journal study (2010) found that websites directed to children and teens were more likely to use cookies and other tracking tools than sites directed to a general audience.  The legislation is aimed at prohibiting “operators” (including mobile apps) from collecting personal information, including location data, from children ages fifteen and younger without that person’s permission (guardian permission already required under COPPA for minors 12 and under).

A Republican sponsor, Rep. Joe Barton (R-Tex.) says that “It is important that our teenagers receive protections.  They are prone to mistakes; we need to make sure those mistakes aren’t exploited online.”

http://www.markey.senate.gov/documents/2013-11-14_Markey_DNTK.pd

Meanwhile, California also just passed the online “eraser” law.  California SB 568 requires “the operator of an Internet Web site, online service, online application, or mobile application to permit a minor who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted”.  The law kicks in on January 1st.   It also prohibits websites from targeting minors with products like e-cigarettes and tattoos.

Despite the DNTK proposal, it remains the case that state legislatures and attorneys general continue to take the lead in privacy legislation and enforcement. See http://www.nytimes.com/2013/10/31/technology/no-us-action-so-states-move-on-privacy-law.html

See also, State AGs Chuckle at Idea of Federal Breach Law:   https://www.privacyassociation.org/publications/amidst_u.s._govt_shutdown_state_ags_chuckle_at_idea_of_federal_breach_law


And, in other California news, California also enacted AB370, its own “Do Not Track” law.  The legislation requires owners of commercial websites and online service providers (again, “operators”) to conspicuously post a privacy policy, which policy must disclose the categories of personally identifiable information the operator collects and with whom the operator shares such information. The law also addresses Do-Not-Track (“DNT”) signals sent from browsers, in that it requires operators of websites and online services to notify users about how they handle DNT signals.

“Operators” include website operators and, per the CA AG, software operators and mobile apps that transmit and collect PII online. The law does not prohibit commercial websites or online services from tracking and gathering personal information from their users; it only addresses notice policies and procedures. In that regard it does not require an “opt in” option on the operator’s website or app, which would require a consumer/customer to affirmatively allow the operator to share PII. It is an update to CalOPPA (the California Online Privacy Protection Act of 2003).

http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB370

And see also: The FTC has denied an application seeking approval of a proposed verifiable parental consent method submitted by AssertID, Inc., under COPPA.

In a letter to AssertID, the Commission noted that the company’s proposal failed to provide sufficient evidence that its method would meet the requirements set out under the rule. Specifically, the Commission noted that there was not yet adequate research or market testing to show the effectiveness of the AssertID “social-graph verification” method.

The Office Workhorse is a Digital Machine


And it is worth sanitizing.

On August 14, 2013, HHS announced a settlement with Affinity Health Plan, Inc. after investigating the finding of sensitive health data stored on copier hard drives.


Affinity Health Plan, a not-for-profit managed care plan serving the New York metropolitan area, was informed by CBS Evening News that CBS had purchased a photocopier previously used by Affinity that contained confidential medical information on the hard drive.  Affinity turned around and reported this breach to the HHS Office for Civil Rights on April 15, 2010.  Affinity estimated that up to 344,579 individuals may have been affected by the breach.

OCR reports that its investigation revealed that Affinity impermissibly disclosed the protected health information of these individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  Affinity and OCR negotiated a settlement, which included a $1.2 million payment and “a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.”

See HHS press release: http://www.hhs.gov/news/press/2013pres/08/20130814a.html

Electronic Health Records – Competition and Coordination

Electronic Health Records – Help or Hurt?

An article in The New England Journal of Medicine examines whether current proposals in the U.S. health care system may unintentionally be at odds with promoting competition in health care markets. In particular, the authors opine that efforts to promote integrated, coordinated care can generate incentives for provider consolidation that may reduce competition, citing the ACO initiative as an example. ACOs may take the form of vertical integration (hospitals acquiring physician groups) or horizontal integration (the merger of two hospitals). The authors, Katherine Baicker and Helen Levy, argue that this reduces competition (which, they note, is why there is scrutiny from the FTC and from CMS). With respect to EHRs specifically, the authors caution that “the use of electronic health records, can in theory promote both competition and coordination, but only if they are implemented well.” They then use as an example interoperable health IT, which could lock patients in to their current providers or provider networks.

See the article at:

http://www.nejm.org/doi/full/10.1056/NEJMp1306268?query=featured_home

As noted in earlier posts, some commentators also worry that only the biggest health care entities will benefit from integrated IT systems, which are supposed to seamlessly and safely share patient data among and between providers or health care payors.