Facebook Admits Storing Passwords In Plain Text*:
- Facebook said Thursday that it stored millions of its users' passwords in plain text for years.
- The acknowledgement from the social media giant came after a security researcher posted about the issue online.
- "Security rule 101 dictates that under no circumstances passwords should be stored in plain text, and at all times must be encrypted," said cybersecurity expert Andrei Barysevich of Recorded Future.
- There is no valid reason why anyone in an organization, especially the size of Facebook, needs to have access to users' passwords in plain text.
- Facebook said there is no evidence its employees abused access to this data.
- But thousands of employees could have searched them.
- The company said the passwords were stored on internal company servers, where no outsiders could access them.
- But the incident reveals a huge oversight for the company amid a slew of bruises and stumbles in the last couple of years.
- The security blog KrebsOnSecurity said some 600 million Facebook users may have had their passwords stored in plain text.
- Facebook said in a blog post Thursday it will likely notify "hundreds of millions" of Facebook Lite users, millions of Facebook users and tens of thousands of Instagram users that their passwords were stored in plain text.
- Facebook Lite is designed for users with older phones or low-speed internet connections and is used primarily in developing countries.
- Facebook said it discovered the problem in January.
- But, according to Brian Krebs, the security researcher, in some cases the passwords had been stored in plain text since 2012.
- Facebook Lite launched in 2015 and Facebook bought Instagram in 2012.
*Source: Gulf News, March 21, 2019
Marriott Could Have Prevented Privacy Data Breach With Tokenization*:
- On November 30, 2018, Marriot International announced one of the largest data breaches in history.
- The amount of data was massive given that the breach lasted across a period of over four years. And it wasn’t just any data : payment information, names, mailing addresses, phone numbers, email addresses and passport numbers.
- Recent testimony by Marriott’s CEO, Arne Sorenson, has disclosed new details about the data breach announced last year.
- Here’s what Sorenson told the Senate Committee on Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations last week.
- The hack originated at Starwood’s reservation system.
- Marriott acquired that hotel group in September 2016, but the intrusion went undetected until September 8, 2018, when it was contacted by the IT company managing its Starwood guest reservation database.
- On September 10, Marriott called in third-party investigators to investigate whether it had been breached.
- Soon afterwards, malware on the Starwood IT systems was found: A Remote Access Trojan (RAT), which allows hackers to covertly access, survey and gain control over a computer.
- According to Sorenson’s latest statement, 383 million guest records and 18.5 million encrypted passport numbers were breached.
- Details included 9.1 million encrypted payment card numbers and 385,000 valid card numbers in addition to 5.25 million unencrypted passport numbers.
- During his testimony (min. 6:30), CEO Arne discussed Marriott’s strategy moving forward.
- As their highest priority, Marriott will now rely on encryption and tokenization tools to secure all data they currently keep in the space.
- There are two critical aspects on the breach and Arne’s hearing:
- The hack originated at Starwood’s reservation system, which is a transactional system. Unfortunately, many corporations de-identify sensitive data in their analytical systems but not in their transactional systems.
- Marriott’s CEO, Arne, highlights his first priority as using tokenization along with encryption to swap out all sensitive data across the enterprise.
- Why Tokenization? The purpose of tokenization is to swap out sensitive data—typically payment card or personally identifiable information (PII)—with a randomized number in the same format, but with no intrinsic value of its own. The data is replaced with an undecipherable token.
- Why isn’t Encryption enough? Encrypted numbers can be decrypted with the appropriate key—whether through brute computing force, or through a hacked/stolen key.
- There are various deidentification methods available today and best practices on when it is best to apply these techniques.
- differential privacy
- risk-based anonymization
- data masking
- Moving forward Marriott has announced that they will be using one of these techniques.
*Source: Security Boulevard, March 20, 2019
FEMA ‘major privacy incident’ reveals data from 2.5 million disaster survivors*:
- The Federal Emergency Management Agency shared personal addresses and banking information of more than 2 million U.S. disaster survivors in what the agency acknowledged Friday was a “major privacy incident.”
- The data mishap, discovered recently and the subject of a report by the Department of Homeland Security’s Office of Inspector General, occurred when the agency shared sensitive, personally identifiable information of disaster survivors who used FEMA’S Transitional Sheltering Assistance program, according to officials at FEMA.
- Those affected included the victims of California wildfires in 2017 and Hurricanes Harvey, Irma and Maria, the report said.
- In a statement, Lizzie Litzow, FEMA’s press secretary, said, “FEMA provided more information than was necessary” while transferring disaster survivor information to a contractor.
- Over 1.8 million people had both their banking information and addresses revealed, and about 725,000 people had just their addresses shared.
- It is unclear if the oversharing had led to identity theft or other malicious actions.
- The Inspector General report said the privacy mishap threatened survivors with “identity theft and fraud.”
- That report, dated March 15, estimated that 2.3 million people had been affected, slightly less than the estimate provided by the DHS official on Friday.
- The Inspector General report told FEMA it needed to install controls to make sure such data would not continue to be shared with contractors and that the agency needed to assess how wide the problem was and to make sure that data in the contractor’s system was destroyed.
- In the Inspector General report, FEMA said that once it became aware of the problem, the agency installed a data filter in December to prevent any unnecessary personal data of survivors from leaving its system.
- FEMA also said in the report that, since implementing its new procedures, it had twice sent internal security experts to conduct on-site checks of its network.
- FEMA declined to identify the contractor.
- Litzow said FEMA has been working with the contractor to remove the unnecessary data from its system.
- As an added measure, Litzow said, FEMA instructed contracted staff to complete additional DHS privacy training.
*Source: The Washington Post, March 22, 2019
Does GDPR Compliance Reduce Breach Risk?*:
- Compliance can be costly and often feels more like red tape and a barrier to business than anything that provides a benefit.
- A report by EY and the International Association of Privacy Professionals (IAPP) estimates that organizations have spend an average of $3 million to achieve compliance with the European Union’s General Data Protection Regulation (GDPR), a sweeping piece of legislation that affects any company that stores or processes data on European Union (EU) citizens.
- Aside from reducing the chance of large fines from the likes of the Information Commisioner’s Office (ICO) or the Commission nationale de l'informatique et des libertés (CNIL), what are the quantifiable business outcomes that GDPR provides?
- Achieving GDPR compliance may have some quantifiable benefits in reducing the potential risk and impact of data breaches.
- Proper data mapping, greater organization of data, encryption, and a general reduction in data that’s being collected can all help a company reduce some of its risk.
- According to Cisco’s 2019 Data Privacy Benchmark Study, organizations with mature privacy functions were more likely to know where its personally identifiable information (PII) is located (and how it is used) and have a catalogue of its data assets.
- “Achieving operational efficiency from having data organized and catalogued” and “mitigating losses from data breaches” were listed as two of the top six benefits of GDPR-related privacy investments given by the report’s respondents.
- Fifty-nine percent of the 3,200 security professionals surveyed from 18 countries across all major industries and geographic regions defined themselves as GDPR-ready (meeting most or all GDPR requirements).
- Those GDPR-ready companies are reportedly less likely to have experienced a breach in the last year, and those that did suffer breaches lost fewer records and therefore saw smaller incident costs.
- According to the report, 74 percent of companies listed as GDPR-ready suffered breaches compared to 80 percent of those companies that expect to be compliant within 12 months and 89 percent of those who don’t expect to be compliant in the next 12 months.
- The average number of records affected during a breach by GDPR-ready companies was 79,000, compared to 100,000 for those looking to be GDPR-ready in the next year, and 212,000 for the laggards.
- As a result, associated costs around incidents were lower.
- Only 37 percent of GDPR-ready companies had a loss of over $500,000 last year versus 46 percent for the soon-to-be compliant and 64 percent of the least GDPR ready.
*Source: CSO Online, March 19, 2019
Google Fined $1.7 Billion over a third breach of EU Antitrust rules in as many years*:
- Google has been punished with a third fine by the European Union in as many years.
- The Alphabet-owned company was fined $1.7 billion on Wednesday by European Competition Commissioner Margrethe Vestager over anticompetitive practices related to its AdSense advertising service.
- The penalty follows its record $5 billion fine in July last year for abusing the dominance of Android.
- The search giant was also fined $2.7 billion in September 2017 over its shopping service.
*Source: Business Insider, March 20, 2019
NIST Pushes New Encryption protocols for Quantum, connected devices*:
- The National Institute of Standards and Technology is inching closer to developing two new encryption standards designed to protect the federal government from new and emerging cybersecurity threats.
- Many experts believe the advanced computing capabilities of quantum computers will render most traditional encryption protocols used today obsolete.
- While true quantum computing is still decades away, the federal government is already preparing contingencies for how to defend its current IT assets and equipment from the threat.
- In a March 20 briefing to the Information Security and Privacy Advisory Board, Matthew Scholl, Chief of the Computer Security Division at NIST, said the agency spent much of the past year evaluating 69 algorithms for its Post Quantum Cryptography Standardization project, a 2016 project designed to protect the machines used by federal agencies today from the encryption-breaking tools of tomorrow.
- The submitted algorithms are all designed to work with current technology and equipment, each offering different ways to protect computers and data from attack vectors – known and unknown – posed by developments in quantum computing.
- NIST chose 26 of the most promising proposals in January 2019, and the agency will be conducting a second evaluation this year to whittle that list down even further.
- Scholl told the board that the agency isn't shooting for a specific number of algorithms at the end of the process and wants to leave room for agencies to deploy multiple options to protect their assets.
- Switching encryption protocols is disruptive.
- NIST turned to the history books to study previous cryptographic transitions in the federal government and found they were plagued by poor communication, unrealistic timelines and overall confusion regarding expectations.
- Scholl said the agency is planning to do more proactive outreach to agencies and industry during second round evaluations.
NIST is also working on another revamp of encryption standards for small "lightweight" computing devices, focusing on components such as RFID tags, industrial controllers, sensor nodes and smart cards that are inherent in many Internet of Things devices.
- The agency received 57 proposals for the project at the end of February, extending the submission timeline by a month due to the partial government shutdown, and plans to consider candidate algorithms at a public workshop in November.
- The government's current encryption standards are largely designed for personal computers, laptops and other general purpose computing platforms.
- NIST officials believe new standards are needed to tackle a range of problems, from increasing reliance on connected devices to dissatisfaction with current identity and access management tools.
*Source: FCW, March 20, 2019