This Week in Cybercrime: Companies to FTC: Your Data Security Reach Exceeds Your Grasp

Plus: Bruce Schneier discusses the NSA’s war on cryptography, contractor steals 2 million Vodafone customers’ personal data


The U.S. Federal Trade Commission is wrong to claim broad authority to seek sanctions against companies for data breaches when it has no clearly defined data security standards, said panelists at a forum sponsored by Tech Freedom, a Washington, D.C., think tank that regularly rails against government regulation.

The event, held on Thursday, coalesced around the fact that in the last decade, the FTC has settled nearly four dozen cases after filing complaints based on its reasoning that a failure to have sufficient data security constitutes an unfair or deceptive trade practice. Two pending court cases, says a Tech Freedom statement, "may finally allow the courts to rule on the legal validity of what the FTC calls its 'common law of settlements.'"

One of the FTC critics speaking at the forum was Mike Daugherty, CEO of Atlanta-based diagnostic lab LabMD. The company is currently in the agency’s crosshairs but is fighting back. According to the FTC, a spreadsheet in LabMD's possession containing Social Security numbers, dates of birth, health insurance provider information, standardized medical treatment codes, and other information for more than 9,000 patients somehow ended up on a peer-to-peer file-sharing network in 2008. That, and another LabMD security lapse last year in which 500 customer records were lost to identity thieves, triggered the agency to file a complaint.

Those facts notwithstanding, the company maintains that the complaint wasn't based on established rules. According to a Computerworld article, Daugherty said the use of Section 5 of the FTC Act, which allows the agency to take action to prevent or punish unfair or deceptive business practices, is a huge overreach. “If you want to upset [FTC officials], ask them what the standards are," Daugherty said. He incredulously asked, "You mean you can make them up as you go along?”

The forum participants agreed that the U.S. Congress needs to step in and pass legislation that gives the FTC or some other federal agency a specific mandate for such action and rules to follow. What becomes of that argument may be determined by the outcome of the upcoming court cases.

Bruce Schneier on Combating the NSA’s War on Data Security

Bruce Schneier, internationally renowned security technologist and author of the influential newsletter "Crypto-Gram" and the blog "Schneier on Security," sits down for a conversation about revelations of the NSA’s efforts to subvert and weaken cryptographic algorithms, security products, and standards. In the podcast, Schneier, author of books including Liars and Outliers: Enabling the Trust Society Needs to Survive, talks about what it will take to help defeat the capabilities the NSA has developed. The NSA isn’t even doing it through sleuthing or some ultra-advanced mathematical techniques. It’s mainly setting up agreements with software vendors who deliberately weaken security protocols such as SSL and VPNs in a way known only to the NSA.

Why would a company acquiesce to the government in this way? Schneier says that the NSA can ask nicely (while holding a club in its hand in the form of threats to withhold government contracts). It can also force a firm to play ball by sending it a National Security Letter demanding cooperation as well as the company’s silence about what it is being told to do to its unsuspecting customers. And the agency is not above placing a covert agent inside a company to surreptitiously weaken products. “It validates all the paranoia,” Schneier said. “We now can’t trust anything. It’s possible that they’ve done this to only half the protocols on the Internet. But which half? How do you know? You don’t. If a company says, ‘It’s not us,’ you can’t trust them. The CEO might not know [if its cryptography has been weakened by the NSA].”

Pwn2Own Part II: The Researchers Hack Back

HP TippingPoint, whose ZDI bug bounty program pays researchers to spot vulnerabilities so it can do an even better job of protecting customers against as-yet-unpatched security holes, is yet again putting its money where its mouth is. It announced this week on its company blog that it and its co-sponsors, Google and BlackBerry, are putting up US $300,000 in prize money for a hacking contest challenging researchers to demonstrate successful attacks against mobile services and browsers. The Mobile Pwn2Own contest will take place in Tokyo on 13 and 14 November. The first researcher or team to hack a phone's baseband processor will walk away with $100,000. The contest’s rules require that researchers disclose details of the vulnerabilities they leveraged as well as the exploit techniques used to hack the device, service, or operating system.

Big money will still be available for hacking a mobile browser ($40,000, but $50,000 for Chrome on Android running on a Nexus 4 or Samsung Galaxy S4); a mobile operating system ($40,000); a message service such as SMS ($70,000); or a short-distance linking technology, like Bluetooth or NFC ($50,000).

The researchers can choose the wall they’ll attempt to scale; the list of eligible devices to be picked apart includes Apple's iPhone 5 and iPad Mini, Google's Nexus 4 smartphone and Nexus 7 tablet, Nokia's Lumia 1020, and Samsung's Galaxy S4 smartphone.

Contractor Steals Data on 2 Million Vodafone Customers

German police and security experts have informed Vodafone customers that a contractor accessed a database inside the telecom giant’s network and made off with customer names, addresses, birth dates, and bank account numbers, among other personal data, for as many as two million customers. Ouch. Though the authorities have a suspect in custody, that provides no assurance about who else has gained access to the data and what plans they have for it.

A Kaspersky Threatpost article notes that “Vodafone delayed disclosing the breach in order to give authorities time to investigate.” Meanwhile, Vodafone released a statement describing the activities it has been engaged in subsequent to the horse leaving the barn. Administrators’ passwords have been changed, digital certificates updated, and the server from which the data was pilfered wiped, the company said.

And In Other Cybercrime News…

Is Cybercrime in Russia Actually Declining?

E-Mail Spam Campaign Spreads Android Malware to Smartphones

Twelve Arrested in Plot to Rob London Bank Remotely Using KVM Device Installed on a Computer at a Local Branch


About the Risk Factor blog

IEEE Spectrum’s risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.