'Fake news' becomes a business model: researchers

Consumers harmed by Equifax, Wells Fargo or another financial institution had the right to their day in court.
Washington - Al Maghrib Today

For a few bracing weeks this fall, consumers harmed by Equifax, Wells Fargo or another financial institution had the right to their day in court.

But in late October, Senate Republicans voted to overturn the newly minted rule by the Consumer Financial Protection Bureau, which gave consumers the right to join class-action lawsuits against banks, credit bureaus and lenders. Now consumers' only recourse is a secret arbitration hearing – which corporations win 93 percent of the time.

“This vote marked a truly shameful moment in Congress,” said Amanda Werner, campaign manager for Americans for Financial Reform and Public Citizen, who dressed as Monopoly Man to “troll” Equifax CEO Richard Smith during a Senate hearing in October. “Just weeks after holding hearings on scandals of historic proportion, the Senate granted Equifax and Wells Fargo a ‘Get Out of Jail Free’ card.”

Werner maintains it’s now unlikely Equifax will be held accountable for the errors leading to its massive security breach – errors that consumer advocates say they’d expect to find in a small, not-so-savvy business rather than in a multibillion dollar global security company.

Equifax’s “rookie mistakes”

Meanwhile, cybersecurity experts are mystified at how a giant multinational like Equifax had such lax control over customer data security.

Besides the security issues that led to the hacking of 145 million accounts, the credit bureau used stunningly simple PIN numbers that were composed of the date and time that someone signed up for its free identity theft tracking after the breach – an easy-to-break PIN first reported in this column on September 9.

“Absolutely yes, this is a rookie mistake,” says Wes Moehlenbruck, MS, CISSP, CEH, CHFI, a California-based senior cybersecurity engineer with a master of science degree in cybersecurity. “The PINs used to lock and unlock credit files were simply based on the time and date – nothing more complicated than that. Turns out they had been doing that for a long time. Clearly, in using such a simplistic approach in PIN generation, a user’s PIN could easily be guessed or brute-forced by testing every possible combination using a computer program.”
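To put numbers on the weakness described above, here is an added example (not from the article or from Equifax) that compares a PIN derived from the sign-up timestamp with one drawn from a cryptographic random source. The `MMDDYYHHMM` layout, the 30-day sign-up window and the 5-attempt lockout are assumptions chosen for illustration.

```python
import math
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10  # assumed PIN length for both schemes


def timestamp_pin(signup: datetime) -> str:
    """Weak scheme: the PIN is nothing more than the sign-up date and time.
    The MMDDYYHHMM layout is an assumption made for this example."""
    return signup.strftime("%m%d%y%H%M")


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Hardened scheme: every digit is drawn from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def timestamp_keyspace(window: timedelta) -> int:
    """Distinct minute-resolution PINs that can exist inside a sign-up window."""
    return int(window.total_seconds() // 60)


def random_keyspace(digits: int = PIN_DIGITS) -> int:
    """Distinct PINs when all digits are independent and uniform."""
    return 10 ** digits


def guess_success_probability(attempts_allowed: int, keyspace: int) -> float:
    """Chance a PIN is guessed before a lockout after N failed attempts."""
    return min(1.0, attempts_allowed / keyspace)


def report(window_days: int = 30, attempts_allowed: int = 5) -> dict:
    """Keyspace, entropy in bits and guess probability for both schemes."""
    spaces = {
        "timestamp": timestamp_keyspace(timedelta(days=window_days)),
        "random": random_keyspace(),
    }
    return {
        name: {
            "keyspace": ks,
            "bits": round(math.log2(ks), 1),
            "p_guess": guess_success_probability(attempts_allowed, ks),
        }
        for name, ks in spaces.items()
    }


if __name__ == "__main__":
    for scheme, row in report().items():
        print(scheme, row)
```

Both PINs are ten digits long, but the timestamp scheme carries only as much entropy as the uncertainty about when the user signed up, which is why length alone says nothing about strength.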

Moehlenbruck says the other error revolved around PIN integrity. “All [a potential hacker] needed was to possess the PIN; you didn’t need to be authorized to use it,” says Moehlenbruck. “Normally a company would use what we call 2FA, or two-factor authentication, which requires all users to ‘authenticate’ receipt of a PIN via an additional channel or key piece of information, such as an email address, cell phone number, and so on. This is because a PIN or password can be easily guessed, but obtaining the victim's cell phone and login to their authenticator application is much harder. 2FA is common practice now on banking websites, email accounts, and social media. We’re all surprised that a company the size of Equifax isn’t current with the times.”

Moehlenbruck points to a still more alarming example “of some very grossly negligent security practices” at Equifax. As reported by security researcher Brian Krebs within a week of the Equifax breach and picked up in TechCrunch, a company called Hold Security LLC investigated Argentina’s Equifax site “and unbelievably, found it was ‘protected’ by the user name ‘admin’ and the password ‘admin.’” (!) Once the investigators typed in that combo, they had access to all the users’ names and emails. And, after cracking another “unbelievably” bad Equifax ID and password combo, which consisted of the employees’ last names for both slots, researchers could access and modify all kinds of private information, including the Argentine version of the employees’ social security numbers.

“‘Admin/admin’ as a database password is a surefire way to get hacked almost instantly,” Moehlenbruck says. “A production database with this account smells of poor security policy and a lack of due diligence rather than simple oversight. Breaches at Equifax or other companies will continue unless information security becomes top priority at the highest levels of the organization.”

There is no perfect security, Moehlenbruck adds, “but this breach should be a reminder to everyone to change their passwords, PINs and security questions regularly, as well as enable 2FA on all the sites that provide it... In fact, if your bank doesn’t offer it, you should change banks.”

In a roundtable discussion on the Equifax breach this fall with Security Solutions Watch, some experts remarked mordantly that the “Internet of Things” was fast becoming the “Internet of Insecure Things.” One reason for the increased attacks, Cyberinc CEO Samir Shah suggested, is that many corporations are far behind the times when it comes to hackers.

“The real question we should be asking ourselves is will anything change in how companies protect against attacks,” said Shah, whose information security company offers an integrated solution to malware and other cyberattacks. He said attackers are quick to take advantage of weak or outdated access systems or to use advanced malware to sneak inside a company’s platform through browsers. “As this latest attack suggests, it certainly is time for a change.”

Equifax’s post-attack snafus

But change is slow in coming. Even after the Equifax security hack, which opened up nearly half the country to potential identity theft, the security giant stumbled again.

As discussed in my last Equifax story for Forbes, Equifax created a site where people could enter the last four digits of their social security number to see whether they were caught up in the security breach. Unfortunately, according to a story in Mashable, a prankster cloned that site and used a similar URL to host it. Not realizing the error, Equifax tweeted out a link to the phishing site eight times (Mashable provided screenshots).

Moehlenbruck attributes the debacle to human error and a likely hole in Equifax’s overall security information assurance (IA) training. “The Twitter story hints strongly at a lack of adequate security awareness training, which if provided at least annually, might have prevented the embarrassment of re-tweeting a phishing site link from the Equifax Twitter account not once, but 8 times!” said Moehlenbruck. “You would think that this type of training would be front and center of every employee's mind when interacting online for one of the largest credit monitoring companies, especially right after the breach.”

The apparent lack of adequate IA training may have left Equifax more vulnerable to attack, according to Moehlenbruck. The breach was reportedly made possible by the failure to patch a critical vulnerability in Apache Struts, though Equifax was aware of the vulnerability, he said. But from what he’s read, Moehlenbruck says, “The real problem was a very poor focus on information security at the highest levels of the company – what we call C-level [CEO, CIO, CSO-suite level]. Training is great if it's practiced and preached throughout the organization. But evidence hints to the contrary.”

As one example, he points to Equifax’s choice for its chief of security, who retired after the recent breach and whose LinkedIn profile (now scrubbed) did not list any advanced technology or security training, according to news reports. Some news outlets pounced on the finding that her college degree was in music composition, prompting a rightful backlash from liberal arts majors turned engineers and tech leads. Moehlenbruck agrees that a music major in no way hampers someone from working in tech, but anyone in the position of chief security officer, he says, “should have a deep background in information security, whose policies and practices need to come from the top-down throughout the organization.”

“In its business model, customer privacy and data is Equifax's biggest concern and most prized asset,” Moehlenbruck observes. “But it seems that adequate security training and other best practices weren't in place to guard it.”

Consumer advocates say that the best way to drive home that and other pro-consumer messages is to take negligent corporations to court. Of course, the Senate and Trump just took away consumers' right to sue financial institutions, noted Rosemary Shahan of Consumers for Auto Responsibility and Safety (CARS), adding that many car owners ruined financially in an auto loan scandal at Wells Fargo now have little hope for justice. “It hurts, but we’ll keep on fighting,” she says. “I expect more people will send a message on election time, especially since abuses will likely proliferate – especially because corporations no longer feel they have to be on their best behavior.”

Source: AFP

Maintained and developed by Arabs Today Group SAL.
All rights reserved to Arab Today Media Group 2021 ©
