'Fake news' becomes a business model: researchers

Egypt Today

Last Updated : GMT 09:07:40

Consumers harmed by Equifax, Wells Fargo or another financial institution had the right to their day in court.
Washington - AFP

For a few bracing weeks this fall, consumers harmed by Equifax, Wells Fargo or another financial institution had the right to their day in court.

But in late October, Senate Republicans voted to overturn the newly minted rule by the Consumer Financial Protection Bureau, which gave consumers the right to join class-action lawsuits against banks, credit bureaus and lenders. Now  consumers' only recourse is a secret arbitration hearing – which corporations win 93 percent of the time.

“This vote marked a truly shameful moment in Congress,” said Amanda Werner, campaign manager for Americans for Financial Reform and Public Citizen, who dressed as Monopoly Man to “troll” Equifax CEO Richard Smith during a Senate hearing in October. “Just weeks after holding hearings on scandals of historic proportion, the Senate granted Equifax and Wells Fargo a ‘Get Out of Jail Free’ card.”

Werner maintains it’s now unlikely Equifax will be held accountable for the errors leading to its massive security breach – errors that consumer advocates say they’d expect to find in a small, not-so-savvy business rather than in a multibillion-dollar global security company.

Equifax’s “rookie mistakes”

Meanwhile, cybersecurity experts are mystified at how a giant multinational like Equifax had such lax control over customer data security.

Besides the security issues that led to the hacking of 145 million accounts, the credit bureau used stunningly simple PINs composed of the date and time at which someone signed up for its free identity theft tracking after the breach – an easy-to-break PIN first reported in this column on September 9.

“Absolutely yes, this is a rookie mistake,” says Wes Moehlenbruck, MS, CISSP, CEH, CHFI, a California-based senior cybersecurity engineer with a master of science degree in cybersecurity. “The PINs used to lock and unlock credit files were simply based on the time and date – nothing more complicated than that. Turns out they had been doing that for a long time. Clearly, in using such a simplistic approach in PIN generation, a user’s PIN could easily be guessed or brute-forced by testing every possible combination using a computer program.”

Moehlenbruck says the other error revolved around PIN integrity. “All [a potential hacker] needed was to possess the PIN; you didn’t need to be authorized to use it,” says Moehlenbruck. “Normally a company would use what we call 2FA, or two-factor authentication, which requires all users to ‘authenticate’ receipt of a PIN via an additional channel or key piece of information, such as an email address, cell phone number, and so on. This is because a PIN or password can be easily guessed, but obtaining the victim's cell phone and login to their authenticator application is much harder. 2FA is common practice now on banking websites, email accounts, and social media. We’re all surprised that a company the size of Equifax isn’t current with the times.”
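The two points Moehlenbruck makes above, a PIN whose only secret is a timestamp and a PIN that is accepted without a second factor, can be made concrete. The following is an added example written for this page, not code from the article, Equifax or any of the people quoted. It contrasts the keyspace of a timestamp-derived PIN (the MMDDYYHHMM layout and the ten-digit length are assumptions for illustration; the article does not give Equifax's actual format) with a PIN drawn from a cryptographically secure generator, and implements the RFC 6238 TOTP check that an authenticator app performs as the second factor.

```python
import hashlib
import hmac
import secrets
import struct
from datetime import datetime, timedelta

PIN_LENGTH = 10  # assumed length for illustration only


def timestamp_pin(when: datetime) -> str:
    """The weak pattern the article describes: the PIN is nothing but the
    sign-up date and time. The MMDDYYHHMM layout is an assumption."""
    return when.strftime("%m%d%y%H%M")


def timestamp_pin_keyspace(window: timedelta) -> int:
    """How many distinct PINs exist if sign-up is known to have happened
    somewhere inside `window` and the PIN has one-minute resolution.
    A year's window is about 5.3e5 values, roughly 19 bits."""
    return int(window.total_seconds() // 60)


def random_pin(length: int = PIN_LENGTH) -> str:
    """Hardened replacement: every digit comes from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def random_pin_keyspace(length: int = PIN_LENGTH) -> int:
    """10^length possibilities, about 33 bits for ten digits."""
    return 10 ** length


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side second-factor check. Accepts the current code and one
    step either side for clock drift; compares in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    signup = datetime(2017, 9, 8, 14, 5)  # constructed sample sign-up time
    print("timestamp PIN:", timestamp_pin(signup))
    print("keyspace within one year:", timestamp_pin_keyspace(timedelta(days=365)))
    print("random PIN:", random_pin(), "keyspace:", random_pin_keyspace())
    demo_secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    print("TOTP at t=59:", totp(demo_secret, 59))
```

The point of the comparison is that a PIN derived from a sign-up time is bounded by the number of minutes an attacker has to consider, whereas the random PIN is bounded only by its length; and even a strong PIN should be paired with a second factor such as the TOTP check, so that possessing the PIN alone is not enough.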

Moehlenbruck points to a still more alarming example “of some very grossly negligent security practices” at Equifax. As reported by security researcher Brian Krebs within a week of the Equifax breach and picked up in TechCrunch, a company called Hold Security LLC investigated Argentina’s Equifax site “and unbelievably, found it was ‘protected’ by the user name ‘admin’ and the password ‘admin.’” (!) Once the investigators typed in that combo, they had access to all the users’ names and emails. And, after cracking another “unbelievably” bad Equifax ID and password combo, which consisted of the employees’ last names for both slots, researchers could access and modify all kinds of private information, including the Argentine version of the employees’ social security numbers.

“‘Admin/admin’ as a database password is a surefire way to get hacked almost instantly,” Moehlenbruck says. “A production database with this account smells of poor security policy and a lack of due diligence rather than simple oversight. Breaches at Equifax or other companies will continue unless information security becomes top priority at the highest levels of the organization.”
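Both credential failures described above (a vendor-default admin/admin pair and accounts whose password is the holder's own last name) are the kind of thing a pre-production audit catches mechanically. The following is an added example for this page, not code from the article or from Equifax: a small credential-policy check run over a constructed list of accounts. The list of default pairs is deliberately short and is an illustration; a real audit would use a full default-credential wordlist.

```python
from dataclasses import dataclass
from typing import Dict, List

# Short constructed list of well-known default pairs; illustrative only.
KNOWN_DEFAULT_PAIRS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("guest", "guest"),
}


@dataclass
class Account:
    username: str
    password: str
    last_name: str = ""  # account holder's surname, if known to the auditor


def audit_account(acct: Account, min_length: int = 12) -> List[str]:
    """Return the policy findings for one account (empty list means it passes)."""
    findings = []
    u, p = acct.username.lower(), acct.password.lower()
    if (u, p) in KNOWN_DEFAULT_PAIRS:
        findings.append("known default credential pair")
    if u == p:
        findings.append("password equals username")
    if acct.last_name and p == acct.last_name.lower():
        findings.append("password equals account holder's last name")
    if len(acct.password) < min_length:
        findings.append(f"password shorter than {min_length} characters")
    return findings


def audit_accounts(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each failing username to its findings; passing accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample inventory mirroring the two patterns in the article.
SAMPLE_ACCOUNTS = [
    Account("admin", "admin"),
    Account("garcia", "garcia", last_name="Garcia"),
    Account("dba_svc", "Tz7#qLm9!vXr2pWd", last_name="Lopez"),
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(findings)}")
```

Running this as a gate in a deployment pipeline turns "a lack of due diligence" into a failed build rather than a breach: the first two sample accounts are rejected, the service account passes.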

There is no perfect security, Moehlenbruck adds, “but this breach should be a reminder to everyone to change their passwords, pins and security questions regularly, as well as enable 2FA on all the sites that provide it...In fact, if your bank doesn’t offer it, you should change banks.”

In a roundtable discussion on the Equifax breach this fall with Security Solutions Watch, some experts remarked mordantly that the “Internet of Things” was fast becoming the “Internet of Insecure Things.” One reason for the increased attacks, Cyberinc CEO Samir Shah suggested, is that many corporations are far behind the times when it comes to hackers.

“The real question we should be asking ourselves is will anything change in how companies protect against attacks,” said Shah, whose information security company offers an integrated solution to malware and other cyberattacks. He said attackers are quick to take advantage of weak or outdated access systems or to use advanced malware to sneak inside a company’s platform through browsers. “As this latest attack suggests, it certainly is time for a change.”

Equifax’s post-attack snafus

But change is slow in coming. Even after the Equifax security hack, which opened up nearly half the country to potential identity theft, the security giant stumbled again.

As discussed in my last Equifax story for Forbes, Equifax created a site where people could enter the last four digits of their social security number to see whether they were caught up in the security breach. Unfortunately, according to a story in Mashable, a prankster cloned that site and used a similar URL to host it. Not realizing the error, Equifax tweeted out a link to the phishing site eight times (Mashable provided screenshots).
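A communications team can vet a link against the company's own domains before posting it, which would have caught a lookalike URL of the kind described above. The following is an added example for this page, not code from the article, Equifax or Mashable: it classifies a URL as official, lookalike or unrelated by comparing its registrable domain with an allowlist, using edit distance and a brand-name substring test. The brand "acmecredit.com" and all candidate URLs are constructed; the article does not give the real site's address. The registrable-domain helper assumes simple two-label suffixes and would need a public-suffix list for country-code domains such as co.uk.

```python
from typing import Set
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumes simple suffixes like .com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, official_domains: Set[str], max_distance: int = 2) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a URL."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    domain = registrable_domain(host)
    if domain in official_domains:
        return "official"
    for official in official_domains:
        brand = official.split(".")[0]
        # Brand name embedded in a foreign host (acmecredit.com.evil.net,
        # acmecredit-check.com) or a near-identical spelling both count.
        if brand in host or levenshtein(domain, official) <= max_distance:
            return "lookalike"
    return "unrelated"


def vet_before_posting(urls, official_domains: Set[str]):
    """Return only the URLs that are safe to publish, with the rejected ones listed."""
    approved, rejected = [], {}
    for url in urls:
        verdict = classify_link(url, official_domains)
        if verdict == "official":
            approved.append(url)
        else:
            rejected[url] = verdict
    return approved, rejected


OFFICIAL = {"acmecredit.com"}  # constructed allowlist

# Constructed candidate links, including the sort of clone the article describes.
CANDIDATES = [
    "https://www.acmecredit.com/breach-check",
    "https://acmecredlt.com/breach-check",
    "https://acmecredit-check.com/",
    "https://acmecredit.com.evil.net/",
    "https://news.example.org/story",
]

if __name__ == "__main__":
    ok, bad = vet_before_posting(CANDIDATES, OFFICIAL)
    print("approved:", ok)
    print("rejected:", bad)
```

The lookalike test errs on the side of flagging: anything that merely resembles the brand is held back for a human to confirm, which is the right trade-off for a public account that will be trusted by millions of affected consumers.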

Moehlenbruck attributes the debacle to human error and a likely hole in Equifax’s overall security information assurance (IA) training. “The Twitter story hints strongly at a lack of adequate security awareness training, which if provided at least annually, might have prevented the embarrassment of re-tweeting a phishing site link from the Equifax Twitter account not once, but 8 times!” said Moehlenbruck. “You would think that this type of training would be front and center of every employee's mind when interacting online for one of the largest credit monitoring companies, especially right after the breach.”

The apparent lack of adequate IA training may have left Equifax more vulnerable to attack, according to Moehlenbruck. The breach was reportedly made possible by the failure to patch a critical vulnerability in Apache Struts, even though Equifax was aware of the vulnerability, he said. But from what he’s read, Moehlenbruck says, “The real problem was a very poor focus on information security at the highest levels of the company – what we call C-level [CEO, CIO, CSO-suite level]. Training is great if it's practiced and preached throughout the organization. But evidence hints to the contrary.”

As one example, he points to Equifax’s choice for its chief of security, who retired after the recent breach and whose LinkedIn profile (now scrubbed) did not list any advanced technology or security training, according to news reports. Some news outlets pounced on the finding that her college degree was in music composition, prompting a rightful backlash from liberal arts majors turned engineers and tech leads. Moehlenbruck agrees that a music major in no way hampers someone from working in tech, but anyone in the position of chief security officer, he says, “should have a deep background in information security, whose policies and practices need to come from the top-down throughout the organization.”

“In its business model, customer privacy and data is Equifax's biggest concern and most prized asset,” Moehlenbruck observes. “But it seems that adequate security training and other best practices weren't in place to guard it.”

Consumer advocates say that the best way to drive home that and other pro-consumer messages is to take negligent corporations to court. Of course, the Senate and Trump just took away consumers' right to sue financial institutions, noted Rosemary Shahan of Consumers for Auto Responsibility and Safety (CARS), adding that many car owners ruined financially in an auto loan scandal at Wells Fargo now have little hope for justice. “It hurts, but we’ll keep on fighting,” she says. “I expect more people will send a message on election time, especially since abuses will likely proliferate – especially because corporations no longer feel they have to be on their best behavior.”

Source: AFP

Maintained and developed by Arabs Today Group SAL.
All rights reserved to Arab Today Media Group 2021 ©
