'Fake news' becomes a business model: researchers
Last Updated : GMT 06:49:16
Arab Today
security researchers said Thursday

Consumers harmed by Equifax, Wells Fargo or another financial institution had the right to their day in court.
Washington - Arab Today

For a few bracing weeks this fall, consumers harmed by Equifax, Wells Fargo or another financial institution had the right to their day in court.

But in late October, Senate Republicans voted to overturn the newly minted rule by the Consumer Financial Protection Bureau, which gave consumers the right to join class-action lawsuits against banks, credit bureaus and lenders. Now consumers' only recourse is a secret arbitration hearing – which corporations win 93 percent of the time.

“This vote marked a truly shameful moment in Congress,” said Amanda Werner, campaign manager for Americans for Financial Reform and Public Citizen, who dressed as Monopoly Man to “troll” Equifax CEO Richard Smith during a Senate hearing in October. “Just weeks after holding hearings on scandals of historic proportion, the Senate granted Equifax and Wells Fargo a ‘Get Out of Jail Free’ card.”

Werner maintains it’s now unlikely Equifax will be held accountable for the errors leading to its massive security breach – errors that consumer advocates say they’d expect to find in a small, not-so-savvy business rather than in a multibillion dollar global security company.

Equifax’s “rookie mistakes”

Meanwhile, cybersecurity experts are mystified at how a giant multinational like Equifax had such lax control over customer data security.

Besides the security issues that led to the hacking of 145 million accounts, the credit bureau used stunningly simple PIN numbers that were composed of the date and time that someone signed up for its free identity theft tracking after the breach – an easy-to-break PIN first reported in this column on September 9.

“Absolutely yes, this is a rookie mistake,” says Wes Moehlenbruck, MS, CISSP, CEH, CHFI, a California-based senior cybersecurity engineer with a master of science degree in cybersecurity. “The PINs used to lock and unlock credit files were simply based on the time and date – nothing more complicated than that. Turns out they had been doing that for a long time. Clearly, in using such a simplistic approach in PIN generation, a user’s PIN could easily be guessed or brute-forced by testing every possible combination using a computer program.”
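To make the two points above concrete, the following Python is an added example (not code from the article, from Equifax, or from any of the people quoted). It assumes a hypothetical timestamp format of MMDDyyHHMM for the weak PIN; the real format is not given in the article. It compares the number of distinct PINs a timestamp-derived scheme can produce within a known enrolment window against a PIN drawn from the operating system's CSPRNG, and includes an audit helper that flags PINs which parse as a date and time inside that window.

```python
# Added example, not from the article: weak timestamp-derived PIN versus a
# CSPRNG-generated PIN, with a defender-side audit check.
import math
import secrets
from datetime import datetime, timedelta

# Assumed format for the weak scheme (hypothetical; the article does not
# state the exact layout): month, day, two-digit year, hour, minute.
TIMESTAMP_FORMAT = "%m%d%y%H%M"


def timestamp_pin(enrolled_at: datetime) -> str:
    """Reconstruction of the weak scheme: the PIN is just the enrolment time."""
    return enrolled_at.strftime(TIMESTAMP_FORMAT)


def keyspace_timestamp(window_start: datetime, window_end: datetime,
                       resolution: timedelta = timedelta(minutes=1)) -> int:
    """Distinct PINs the timestamp scheme can yield when enrolment is known
    to have happened inside [window_start, window_end] at the given
    resolution. This is the effective search space, not 10 ** digits."""
    return int((window_end - window_start) / resolution) + 1


def keyspace_random(digits: int) -> int:
    """Distinct PINs when every digit is independent and uniformly random."""
    return 10 ** digits


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy for a uniform choice from `keyspace` values."""
    return math.log2(keyspace)


def random_pin(digits: int = 10) -> str:
    """Defensible alternative: digits from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def looks_timestamp_derived(pin: str, window_start: datetime,
                            window_end: datetime) -> bool:
    """Audit heuristic for a PIN generator: True if the PIN parses as a
    date/time inside the enrolment window, i.e. it could have come from the
    weak scheme. A random PIN can occasionally parse too, so treat a high
    hit rate across many PINs, not a single hit, as the signal."""
    try:
        parsed = datetime.strptime(pin, TIMESTAMP_FORMAT)
    except ValueError:
        return False
    return window_start <= parsed <= window_end


if __name__ == "__main__":
    # Constructed sample enrolment window: the month after a breach notice.
    start, end = datetime(2017, 9, 7), datetime(2017, 10, 7)
    weak = timestamp_pin(datetime(2017, 9, 9, 14, 30))
    print("timestamp PIN:", weak, "flagged:", looks_timestamp_derived(weak, start, end))
    print("timestamp keyspace bits:", round(entropy_bits(keyspace_timestamp(start, end)), 1))
    print("random 10-digit keyspace bits:", round(entropy_bits(keyspace_random(10)), 1))
    print("random PIN:", random_pin())
```

The contrast is the point: a 10-digit PIN looks like 10^10 possibilities, but if it is derived from a timestamp and the enrolment window is roughly known, the effective space collapses to the number of minutes in that window, and two users who enrol in the same minute even receive the same PIN.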

Moehlenbruck says the other error revolved around PIN integrity. “All [a potential hacker] needed was to possess the PIN; you didn’t need to be authorized to use it,” says Moehlenbruck. “Normally a company would use what we call 2FA, or two-factor authentication, which requires all users to ‘authenticate’ receipt of a PIN via an additional channel or key piece of information, such as an email address, cell phone number, and so on. This is because a PIN or password can be easily guessed, but obtaining the victim's cell phone and login to their authenticator application is much harder. 2FA is common practice now on banking websites, email accounts, and social media. We’re all surprised that a company the size of Equifax isn’t current with the times.”

Moehlenbruck points to a still more alarming example “of some very grossly negligent security practices” at Equifax. As reported by security researcher Brian Krebs within a week of the Equifax breach and picked up in TechCrunch, a company called Hold Security LLC investigated Argentina’s Equifax site “and unbelievably, found it was ‘protected’ by the user name ‘admin’ and the password ‘admin.’” (!) Once the investigators typed in that combo, they had access to all the users’ names and emails. And, after cracking another “unbelievably” bad Equifax ID and password combo, which consisted of the employees’ last names for both slots, researchers could access and modify all kinds of private information, including the Argentine version of the employees’ social security numbers.

“‘Admin/admin’ as a database password is a surefire way to get hacked almost instantly,” Moehlenbruck says. “A production database with this account smells of poor security policy and a lack of due diligence rather than simple oversight. Breaches at Equifax or other companies will continue unless information security becomes top priority at the highest levels of the organization.”

There is no perfect security, Moehlenbruck adds, “but this breach should be a reminder to everyone to change their passwords, pins and security questions regularly, as well as enable 2FA on all the sites that provide it...In fact, if your bank doesn’t offer it, you should change banks.”

In a roundtable discussion on the Equifax breach this fall with Security Solutions Watch, some experts remarked mordantly that the “Internet of Things” was fast becoming the “Internet of Insecure Things.” One reason for the increased attacks, Cyberinc CEO Samir Shah suggested, is that many corporations are far behind the times when it comes to hackers.

“The real question we should be asking ourselves is will anything change in how companies protect against attacks,” said Shah, whose information security company offers an integrated solution to malware and other cyberattacks. He said attackers are quick to take advantage of weak or outdated access systems or to use advanced malware to sneak inside a company’s platform through browsers. “As this latest attack suggests, it certainly is time for a change.”

Equifax’s post-attack snafus

But change is slow in coming. Even after the Equifax security hack, which opened up nearly half the country to potential identity theft, the security giant stumbled again.

As discussed in my last Equifax story for Forbes, Equifax created a site where people could enter the last four digits of their social security number to see whether they were caught up in the security breach. Unfortunately, according to a story in Mashable, a prankster cloned that site and used a similar URL to host it. Not realizing the error, Equifax tweeted out a link to the phishing site eight times (Mashable provided screenshots).

Moehlenbruck attributes the debacle to human error and a likely hole in Equifax’s overall security information assurance (IA) training. “The Twitter story hints strongly at a lack of adequate security awareness training, which if provided at least annually, might have prevented the embarrassment of re-tweeting a phishing site link from the Equifax Twitter account not once, but 8 times!” said Moehlenbruck. “You would think that this type of training would be front and center of every employee's mind when interacting online for one of the largest credit monitoring companies, especially right after the breach.”

The apparent lack of adequate IA training may have left Equifax more vulnerable to attack, according to Moehlenbruck. The breach was reportedly made possible by the failure to patch a critical vulnerability in Apache Struts, though Equifax was aware of the vulnerability, he said. But from what he’s read, Moehlenbruck says, “The real problem was a very poor focus on information security at the highest levels of the company – what we call C-level [CEO, CIO, CSO-suite level]. Training is great if it's practiced and preached throughout the organization. But evidence hints to the contrary.”

As one example, he points to Equifax’s choice for its chief of security, who retired after the recent breach and whose LinkedIn profile (now scrubbed) did not list any advanced technology or security training, according to news reports. Some news outlets pounced on the finding that her college degree was in music composition, prompting a rightful backlash from liberal arts majors turned engineers and tech leads. Moehlenbruck agrees that a music major in no way hampers someone from working in tech, but anyone in the position of chief security officer, he says, “should have a deep background in information security, whose policies and practices need to come from the top-down throughout the organization.”

“In its business model, customer privacy and data is Equifax's biggest concern and most prized asset,” Moehlenbruck observes. “But it seems that adequate security training and other best practices weren't in place to guard it.”

Consumer advocates say that the best way to drive home that and other pro-consumer messages is to take negligent corporations to court. Of course, the Senate and Trump just took away consumers' right to sue financial institutions, noted Rosemary Shahan of Consumers for Auto Responsibility and Safety (CARS), adding that many car owners ruined financially in an auto loan scandal at Wells Fargo now have little hope for justice. “It hurts, but we’ll keep on fighting,” she says. “I expect more people will send a message on election time, especially since abuses will likely proliferate – especially because corporations no longer feel they have to be on their best behavior.”

Source: AFP
