At a glance.
- New Zealand MP resigns over privacy breach.
- Microsoft takes down COVID-19-themed phishing infrastructure.
- TikTok and user privacy.
- 15 billion stolen credentials circulating in the dark web?
- Police use of hacked data.
New Zealand MP resigns over role in breaching patient privacy.
Newsroom reports that Hamish Walker, who represents Clutha-Southland in New Zealand's parliament as a member of the National Party, has said he'll leave parliament at this September's election. It's a gesture acknowledging his responsibility for breaching the privacy of 18 people who tested positive for COVID-19. Mr. Walker says he never intended that the information should become public, but rather intended to use it as an illustration of the Government's poor handling of data during the pandemic. "I did this to expose the Government's shortcomings so they would be rectified. It was never intended that the personal details would be made public, and they have not been, either by me or the persons I forwarded them to. By exposing a significant privacy issue I hope the Government will improve its protocols and get its safeguards right," Walker said. The information he received was neither password-protected nor stored on a secure system, nor was it redacted to protect patient privacy. None of that, of course, counts as a good reason for exposing the data. Instead of merely providing evidence of poor data handling, his actions became an instance of poor data handling. "An appalling lack of judgment," his party's leader called it.
Good hunting, Redmond.
Microsoft’s Digital Crimes Unit has taken down infrastructure criminals were using to run COVID-19 phishing scams against consumers. The takedown was authorized by the US District Court for the Eastern District of Virginia, and it affected “key domains” used for business email compromise attacks and other criminal phishing operations against targets in more than sixty countries.
TikTok under scrutiny for its handling of user data.
India is standing by its intention to block TikTok as a collection threat, a policy that WIRED sees as an example of the market working against invasive, unregulated technology.
The social platform is also facing headwinds in the US, where Reuters reports that both the Federal Trade Commission and the Justice Department are investigating allegations that TikTok is in violation of a consent decree reached last year that was designed to protect children’s privacy. The Center for Digital Democracy, the Campaign for a Commercial-Free Childhood and other groups asked in May that the FTC look into their claims that TikTok failed to delete videos and personal information about users aged 13 and under, as the consent decree had specified.
US Secretary of State Pompeo had said earlier this week that the US Government was considering a ban on TikTok for what he characterized as its collection of information on behalf of the Chinese government.
Fifteen billion, with a "b"? That's, that's a lot of log-in credentials. (Can the dark web really hold them all?)
It will surprise no one that the number of log-in credentials exceeds the number of human beings on this planet, but it is a little surprising to learn that there are 15 billion log-in credentials circulating on the dark web. With only 7.8 billion people on earth, that's just a couple of baker's dozen less than twice the number of potential users of anything.
A report by Digital Shadows gives the skinny on this odd discovery. Granted that not everyone uses a device that requires logging in (infants, the very elderly or the very infirm, determined off-the-gridders, those living in remote and technologically impoverished places, bloody-minded technophobes, etc.) but those who log in do use on average 191 services that require credentials. The underworld aggressively steals credentials and uses them for account takeovers. The credentials are also freely traded on the criminal-to-criminal market.
We received some perspective from James McQuiggan, Security Awareness Advocate at KnowBe4, who emailed:
"As much as we all dislike usernames and passwords and the attempts to remember them, this data discovery only exemplifies why organizations need to provide secure methods to access personal and sensitive data, including social media.
"Most financial organizations provide multi-factor authentication methods for providing access to your money. Still, there needs to be a time when having a password cannot be the way you log into your accounts.
"There are certain capabilities where hardware tokens are plugged into a computer to authenticate an account, but this isn't easy with mobile devices. Soft tokens or authenticators are starting to be utilized more for applications, like Microsoft and Google, which makes logging into the accounts easier."
Hacked data made available to law enforcement.
Motherboard reports that SpyCloud is offering hacked data for sale to law enforcement organizations. The data aren't obtained illegally by SpyCloud (they're not the hackers) but rather come from publicly available compromises similar to those disclosed by services like Have I Been Pwned. SpyCloud's core business is account takeover prevention, and the data they offer can be bundled with various analytical tools that enable further investigation. The civil libertarians Motherboard talks to see the trade as intrusive and menacing: after all, most of the people whose data are up for grabs in this way aren't suspected of any crimes, and the police are seen as using breached data in an end-run around a proper warranted search. The law enforcement types see the data as a useful tool in tracking the activities of criminals who work online.
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, commented on the issue in an email:
"As a matter of practice, some law enforcement organisations and police units indeed occasionally buy stolen data from various sources. The data may then be used for a wide spectrum of monitoring, preventive or investigative purposes. Its usage, however, rarely becomes official and mostly serves different "in-house" purposes. Therefore, I doubt that Western law enforcement agencies would buy this stolen data from commercial companies or vendors.
"These sales statements sound a bit exaggerated and overhyped. In courts of many jurisdictions, use of stolen, or otherwise unlawfully obtained data or evidence, is expressly prohibited by law.
"As for police investigation purposes, normally much of this data may be easily and lawfully subpoenaed from service providers and technology companies for the purpose of an ongoing criminal investigation. Moreover, subpoenaed data will likely be more recent, relevant and complete, and won't pose problems for law enforcement officers later if a defendant (hacker) can afford skilled criminal defence lawyers."