After Capital One, Equifax, Marriott, and the Rest, Just Assume Your Data Has Been Hacked—Cyber Saturday
As a few friends and I were settling a dinner bill last night, I noticed a Capital One credit card peeking out amid a table-full of taco scraps and emptied margarita glasses.
"Uh, oh," I remarked. “Who’s got the Capital One card? Are you pissed?"
The owner revealed himself, yet he was oblivious to the week’s news. I informed him: A hacker had gotten her hands on personal information for more than 100 million of the bank's customers and credit card applicants. The suspect, a former Amazon Web Services employee, per court documents, stole people's names and addresses, 140,000 Social Security numbers, 80,000 bank account numbers, and one million Canadian social insurance numbers (like Social Security numbers, but Canadian). My friend had no idea.
The young man whipped out his phone, googled the story to learn more, and subsequently, out of an abundance of caution, reviewed his recent credit card statements. "Well," he said, "I just assume all of my data is leaked everywhere already." It is a cynical, albeit astute, stance.
This is not the first time my friend has dealt with data exposure. His Social Security number and other sensitive details were looted in the monstrous Equifax data breach of 2017. He is one of the 150 million consumers who Equifax, which recently reached a $650 million settlement over the debacle, has forever harmed. (Unfortunately, my friend was not one of the lucky bunch who submitted a claim before the credit bureau stopped offering cash payouts.)
What's a data breach victim to do? Answer: Don't let the leakages get you down. Do not give up hope. Stay vigilant—and take action.
Even though Capital One says it believes "it is unlikely that the information was used for fraud or disseminated by this individual," the abundance of breaches at big companies like Equifax, Marriott, and seemingly everywhere in between, should persuade consumers to heed the old adage that urges safety over sorrow. My friend, for example, said he implemented a credit freeze on his accounts in the aftermath of Equifax's failure—one of the few true, proactive precautions a person can take to ward off identity theft. (A freeze prevents would-be impersonators from opening new lines of credit in one's name.)
While credit freezes are one of the most effective defenses available, other options include implementing fraud alerts, credit monitoring, and good password hygiene. Even if you were spared this most recent misfortune via Capital One, you might consider adopting some of these measures before the next breach strikes.
Go on defense; avoid defeatism.
Robert Hackett | @rhhackett | email@example.com
Capitulation One. Adding to the column above, The New York Times has a good look at the security the financial sector following Capital One’s breach. The suspected hacker may have hit other targets beyond the bank. And the Wall Street Journal took a look at Capital One’s low-profile CEO, Richard Fairbank, who is now begrudgingly in the spotlight.
The whistles go WOOO. Cisco has agreed to pay $8.6 million to settle a claim alleging that it knowingly sold easily hackable video surveillance cameras to hospitals, schools, governments, and other customers. A whistleblower, James Glenn, alerted the IT giant to the issues in 2008, four years before the company addressed the security flaws, the settlement said.
Rest assured. The cyber insurance industry is popping off. Premiums grew to $2 billion last year, a 26% increase since 2015, according to a report from Moody’s Investors Service. CyberScoop, a cybersecurity news outlet, dug into the booming market.
Breach roundup. There’s Capital One, of course. Poshmark, a market for used clothes, warned customers that a recent data breach exposed people’s names, email addresses, hashed passwords, and other information. An exposed database at Honda could have allowed attackers to see which of the carmakers’ IT systems had unpatched vulnerabilities. And Bank of Cardiff, a San Diego-based financial firm, left a server containing one million phone call recordings exposed online.
Trinity test. Tom Bossert, a former cybersecurity czar in the Trump administration, has joined a new startup, Trinity Cyber, as chief strategy officer. Intel Capital has supplied $23 million in venture capital funding to the concern. Wired has an intriguing profile of the business.
“Your Highness Qiao Biluo” has no clothes.
Share today’s Cyber Saturday with a friend: http://fortune.com/newsletter/cybersaturday/
Looking for previous Data Sheets? Click here.
Tear down this firewall. The clearest technical explanation of what likely caused the Capital One breach was penned by Evan Johnson, product security team manager at Cloudflare, a multibillion-dollar Internet infrastructure startup. Johnson’s post, published on his personal blog, details the problem, as he sees it. He calls out public cloud providers, like Amazon Web Services (AWS), for not doing more to address the underlying issue.
Every indication is that the attacker exploited a type of vulnerability known as Server Side Request Forgery (SSRF) in order to perform the attack. SSRF has become the most serious vulnerability facing organizations that use public clouds. SSRF is not an unknown vulnerability, but it doesn’t receive enough attention and was absent from the OWASP Top 10.
SSRF is a bug hunters dream because it is an easy to perform attack and regularly yields critical findings, like this bug bounty report to Shopify. The problem is common and well-known, but hard to prevent and does not have any mitigations built in to the AWS platform.
Server Side Request Forgery is an attack where a server can be tricked into connecting to a server it did not intend. SSRF is more deeply explained in this article by Hackerone. The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it.
Facebook Misinformation Cleanup Targeted Pages Meant to Mislead on Middle East Ideas by Sarah Frier and Kurt Wagner
Homeland Security Issuing Hacking Alert for Small Planes by Tami Abdollah
ONE MORE THING
“Moscow Mitch.” Many people are taking Senate majority leader Mitch McConnell to task for blocking the passage of two election security bills. The politician’s critics have bestowed upon him a new nickname: “Moscow Mitch,” a moniker that suggests he is aiding and abetting Russian election interference. Ben Folds, the singer-songwriter, has piled on, debuting a song bearing the unflattering nickname as its title.