Bad Intel And Zero Verification Leads To LifeLock Naming Wrong Company In Suspected Security Breach

Failures

by Tim Cushing

from the more-'security-mediocre-practices'-from-the-biggest-name-in-ID-protection dept

Filed Under: security breach
Companies: dropbox, lifelock, tumblr

LifeLock has never been the brightest star in the identity fraud protection constellation. Its own CEO -- with his mouth writing checks others would soon be cashing with his credentials -- expressed his trust in LifeLock's service by publishing his Social Security number, leading directly to 13 separate cases of (successful) identity theft.

Beyond that, LifeLock was barely a lock. It didn't encrypt stored credentials and had a bad habit of ambulance-chasing reported security breaches in hopes of pressuring corporate victims into picking up a year's worth of coverage for affected customers. This culminated in the FTC ordering it to pay a $12 million fine for its deceptive advertising, scare tactics, and inability to keep its customers' ID info safe.

It's LifeLock's ambulance chasing that's getting it into trouble again. Rather than verify the details of a recent breach, it began sending notices to customers informing them about possibly exposed info at entirely the wrong service.

Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant Dropbox.com — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.

This isn't completely LifeLock's fault. It did send out a false alarm and finger the wrong platform, but its information came from a third party: CSID. Brian Krebs approached the identity monitoring firm to determine how it had arrived at the wrong conclusion. It appears to be misinformation all the way down. CSID president of product and marketing Bryan Hjelm confirmed his company was suffering some "reputational concerns" after wrongly naming Dropbox, rather than Tumblr, as the source of the breach. But he still felt his company was doing a bang-up job in the ID protection department, despite utilizing questionable sources.

He told me that CSID relies on a number of sources online who have been accurate, early indicators of breaches past. One such actor — a sort of cyber gadfly best known by his hacker alias “w0rm” — had proven correct in previous posts on Twitter about new data breaches, Hjelm said.

In this case, w0rm posted to Twitter a link to download a file containing what he claimed were 100M records stolen from Dropbox. Perhaps one early sign that something didn’t quite add up is that the download he linked to as the Dropbox user file actually only included 73 million usernames and passwords.

In any case, CSID analysts couldn’t determine one way or the other whether it actually was Dropbox’s data. Nonetheless, they sent it out as such anyway, based on little more than w0rm’s say-so.

The problem with this bogus alert is that every step of it was automated. CSID admits it never checked out w0rm's claim by manually verifying the data dump contained what w0rm said it contained. It simply generated its alert, which was then picked up by others, like LifeLock, that rely on it for breach identification/notification. The automation continued as LifeLock sent auto-generated messages to its customers. The only manual part of this process occurred at the end user level when Dropbox customers began altering their login credentials to protect themselves from a nonexistent breach. Meanwhile, the real breach went ignored.
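The failure described above is a pipeline with no gate: a third party's claim went straight to customer notifications. The following is an added example, not code from the article or from CSID or LifeLock, of the kind of intake gate that would have held this alert. It runs automated sanity checks on a claimed dump (record count versus the count the source claimed, evidence for the attribution, malformed and duplicate lines) and then refuses to release a customer notification unless the checks pass and a named analyst has signed off. The tolerance thresholds, the record format, the sample dump lines and the claim object are all constructed for this example; the duplicate and malformed-line checks go beyond what the article describes.

```python
"""
Breach-claim intake gate (added example; not the article's or any vendor's code).
Automated checks surface red flags; only a human sign-off can release an alert.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy thresholds, not values from the article.
COUNT_TOLERANCE = 0.10      # actual vs claimed record count may differ by 10%
DUPLICATE_TOLERANCE = 0.10  # more than 10% repeated addresses is suspicious


@dataclass
class BreachClaim:
    source: str                   # who made the claim, e.g. a Twitter handle
    claimed_service: str          # the service the source says was breached
    claimed_records: int          # how many records the source says the dump holds
    attribution_evidence: str = ""  # analyst's note on how the attribution was checked


@dataclass
class Assessment:
    record_count: int
    findings: List[str] = field(default_factory=list)

    @property
    def disposition(self) -> str:
        # Any finding at all means a human must look before anything goes out.
        return "hold_for_review" if self.findings else "ready_for_notification"


def parse_dump(lines):
    """Parse 'email:password' lines; returns (email list, malformed line count)."""
    records, malformed = [], 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        email, sep, _secret = line.partition(":")
        if not sep or "@" not in email:
            malformed += 1
            continue
        records.append(email.lower())
    return records, malformed


def assess_claim(claim: BreachClaim, dump_lines) -> Assessment:
    """Run the automated checks. This never decides to notify on its own."""
    records, malformed = parse_dump(dump_lines)
    result = Assessment(record_count=len(records))

    # 1. Does the dump match what the source said about it?
    if claim.claimed_records > 0:
        ratio = len(records) / claim.claimed_records
        if abs(1.0 - ratio) > COUNT_TOLERANCE:
            result.findings.append(
                f"record count {len(records)} differs from claimed "
                f"{claim.claimed_records} by more than {COUNT_TOLERANCE:.0%}")

    # 2. Is the attribution anything more than the source's say-so?
    if not claim.attribution_evidence:
        result.findings.append(
            f"attribution to {claim.claimed_service} rests only on {claim.source}")

    # 3. Does the data itself look like a real credential dump?
    if malformed:
        result.findings.append(f"{malformed} malformed line(s) in sample")
    if records:
        dup_share = 1.0 - len(set(records)) / len(records)
        if dup_share > DUPLICATE_TOLERANCE:
            result.findings.append(f"{dup_share:.0%} duplicate addresses in sample")
    return result


def release_notification(assessment: Assessment,
                         analyst_signoff: Optional[str] = None) -> Optional[str]:
    """The only path to a customer-facing alert: returns the alert text, or
    None when checks failed or nobody signed off."""
    if assessment.disposition != "ready_for_notification" or not analyst_signoff:
        return None
    return (f"Verified by {analyst_signoff}: {assessment.record_count} "
            f"credentials confirmed; notify affected customers.")


# Constructed sample input: seven fake credential lines and a claim that,
# like the one in the article, overstates what the file actually contains.
SAMPLE_DUMP = [
    "alice@example.com:hunter2",
    "bob@example.com:password1",
    "carol@example.com:letmein",
    "dave@example.com:qwerty",
    "erin@example.com:dragon",
    "frank@example.com:baseball",
    "grace@example.com:monkey",
]
CLAIM_AS_POSTED = BreachClaim(source="w0rm (Twitter)", claimed_service="Dropbox",
                              claimed_records=10)

if __name__ == "__main__":
    assessment = assess_claim(CLAIM_AS_POSTED, SAMPLE_DUMP)
    print(assessment.disposition, assessment.findings)
    print(release_notification(assessment, "analyst"))  # None: findings block release
```

Run as a script, the sample claim is held for review on two findings (the count mismatch and the unverified attribution), and even an analyst sign-off cannot release it until those findings are cleared by editing the claim with real attribution evidence.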

It's often said that humans are the weakest link in the security chain, but this incident shows that a little human intervention would have gone a long way towards heading off bogus breach notifications that made an unaffected company look like it was hiding something from its users.


Reader Comments

  • orbitalinsertion (profile), 7 Jun 2016 @ 2:21pm

    How does one not tell the difference between Dropbox and Tumblr?

    • Someantimalwareguy, 7 Jun 2016 @ 2:27pm

      Re:

      As the article said - automation. Automation can only do so much before any results generated need to be reviewed by human eyes and then appropriate samples verified for accuracy.

      This was just lazy corner cutting on the cheap and it (as it always does) bit them all in the rear-end...

      • ltlw0lf (profile), 7 Jun 2016 @ 3:01pm

        Re: Re:

        It wasn't just automation, it was that the source (w0rm) said it was a dump from dropbox, when in fact it was a dump from tumblr. They took the statement at face value without verification, and then automation took over.

        It wouldn't have taken them that long to verify the data...simply try to feed the email addresses into the "new user registration" form and if it allows the email to be used and continues the process, the email address hasn't been used on the service. Get a bunch of these to work, and the dump isn't likely to be real.

      • orbitalinsertion (profile), 8 Jun 2016 @ 3:29pm

        Re: Re:

        Indeed, the original source indicated incorrectly (for some reason), and was then blindly followed. How or why w0rm mis-posted is a more interesting bit. Lifelock is a ball of crap no matter how you slice it, and their behavior is unsurprising, if still stupid. (And if you automate such serious errors out of a Twitter feed, idkwtflol.)

  • Anonymous Anonymous Coward (profile), 7 Jun 2016 @ 2:38pm

    It is not like the idea of encrypting customer data is new

    How hard is it to encrypt customer records? I mean, it is 2016 already. The Internet is over 20 years old. The rate of change is pretty fast, and getting faster. What is the hold up?

    Is it super costly?

    Is it easy to leave some kind of backdoor?

    Is it ego, the CEOs just believe they will never be on the list of hackers?

    Is it something I haven't thought of?

    • That One Guy (profile), 7 Jun 2016 @ 3:46pm

      Re: It is not like the idea of encrypting customer data is new

      It's not so much it's 'super' costly so much as it costs at all, and if those running the company are only focused on the short-term then the odds of being hacked are likely pretty low, making paying extra for encryption(both in time and money) a 'waste'.

      If you're only looking at short-term costs, then encryption is going to be a waste the majority of the time, it's only those that are willing to look more long-term, or accept that it only has to happen once to potentially trash your company that are able to realize that encryption, even if it's never used, is still worth the extra cost.

      • Anonymous Anonymous Coward (profile), 7 Jun 2016 @ 4:34pm

        Re: Re: It is not like the idea of encrypting customer data is new

        The cost of shame and paying off lawsuits, or insurance that will pay off lawsuits is cheaper than paying for encryption? Or, so it seems in their minds? Which brings to mind, why aren't insurance companies requiring encryption in order to give coverage?

        The whole 'only this quarter's profits matter to our decisions' has bothered me for a long while now. I don't know what we can do about it, but I sometimes have wild dreams about laws that require investments be held for a year or more before they can be sold, and terminate all computer generated trading. That might slow some investment down. So what. But it will make CEOs think longer term.

        But those things will not happen unless Wall Street has some kind of conniption fit and wakes up with a conscience. Not holding my breath.

        Nothing will happen from our corrupt Congress, and the SEC and FBI have proven, through their lack of action, that they will not hold anyone there responsible. And guess what, there is no one to hold THEM responsible for that lack of action. We are in trouble.

        • marcus (profile), 8 Jun 2016 @ 4:47am

          Re: Re: Re: It is not like the idea of encrypting customer data is new

          Add to this that the FBI and other agencies want to ban encryption without back doors for law enforcement even though back doors tend to weaken encryption.

      • Anonymous Coward, 8 Jun 2016 @ 2:23am

        Re: Re: It is not like the idea of encrypting customer data is new

        Look at it this way, when bean counters are involved, logic goes out the window. Particularly if they are CAs. One does tend to get a little more sense out of CPAs, but you don't put either in charge of anything. It will only cause you problems.

        If they are given the power to make financial decisions, all you will see is money wasted because they "know" what has to happen to save a penny, but don't seem to understand that spending money can save much more in the long term. They are too often focussed on the current financial year and the next financial year to recognise what is needed now to save money over the next 10, 20 or even 50 years.

    • Anonymous Coward, 7 Jun 2016 @ 6:12pm

      Re: It is not like the idea of encrypting customer data is new

      Encrypting customer data IS hard and costly. I'm referring to things like email addresses, phone numbers, names, social security numbers and such.

      1. The web server needs to encrypt and decrypt the data, so it needs the keys. Hack web server, copy keys and data and all that encryption was just a waste of time doing nothing to protect the data.
      2. To solve problem #1 you use an HSM ( Hardware Security Module ) the HSM does the encryption/decryption for the web server. Hack web server, figure out how things work, utilize HSM to decrypt all the data and all that encryption was just a waste of time. All the HSM did was make it more difficult for the hacker because he must maintain unauthorized access to the HSM to decrypt data.
      3. The whole point of collecting data is to do something with it. If it's all stored encrypted it's hard to do anything with it such as searching, reporting etc.

      Some encryption efforts are easy
      1. Store passwords as Cryptographic hashes (irreversible encryption)
      2. Encrypted portable media like backups/laptops
      3. Encrypting data stored on disk in case the hacker decides going all mission impossible breaking into your data center to steal your disk drives is easier than using the latest zero day exploit.

      Conclusion:
      It's easy to protect your password and data loss through physical access. Currently there is no unhackable way to protect data stored in networked systems unless you know someone capable of making a perfect system....

      • PaulT (profile), 8 Jun 2016 @ 12:06am

        Re: Re: It is not like the idea of encrypting customer data is new

        "The web server needs to encrypt and decrypt the data, so it needs the keys. Hack web server, copy keys and data and all that encryption was just a waste of time doing nothing to protect the data."

        A door lock needs to secure the door in certain ways which means it needs the keys. Pick pocket, copy keys and all that lock is just a waste of time doing nothing to protect the home.

        So, why bother with locks on your doors, right?

      • marcus (profile), 8 Jun 2016 @ 4:56am

        Re: Re: It is not like the idea of encrypting customer data is new

        You can make the same arguments about a lock to your door since it would be so easy for someone to steal your keys or make a copy of your keys without your knowledge. A lot of companies don't even encrypt backup media and have been the victim of theft exposing records of many customers on these unencrypted stored media. A lot of the removable media is stolen during transport to off sites.

      • jim, 8 Jun 2016 @ 6:19am

        Re: Re: It is not like the idea of encrypting customer data is new

        So with the hardware module, nothing gets hacked? Ask Microsoft.

      • Anonymous Coward, 8 Jun 2016 @ 6:51am

        Re: Re: It is not like the idea of encrypting customer data is new

        " it's hard to do anything with it"

        Isn't that the point?

    • nasch (profile), 8 Jun 2016 @ 8:39am

      Re: It is not like the idea of encrypting customer data is new

      I was in a meeting this week with a major nationwide provider of real estate data, and they are just now working on hashing user passwords in their database. Someone said something about external pressure to beef up security (didn't catch from where exactly) and that they really aren't all that interested in doing it.


  • jordan Chandler, 7 Jun 2016 @ 3:50pm

    Lifelock

    In 2015, it was ordered to pay $100 million to settle Federal Trade Commission contempt charges for failing to protect consumer information and deceptive advertising, the largest monetary award obtained by the Commission for an enforcement action

    https://en.wikipedia.org/wiki/LifeLock#Controversies

    You're an idiot if you use lifelock

    • Isma;il, 8 Jun 2016 @ 8:34am

      Re: Lifelock

      Great point. Why anyone would want to use LifeLock after the deceptive advertising settlement and the CEO's identity being stolen multiple times is beyond me.

      It just proves the adage that a fool and his money are soon parted.

  • Whoever, 7 Jun 2016 @ 4:35pm

    Intel?

    Was I the only person to wonder what the chip manufacturer called "Intel" had done to be labelled "bad"?

    • Anonymous Coward, 8 Jun 2016 @ 2:15am

      Re: Intel?

      No, but it has puzzled me for a long time why the chip manufacturing company used the name it chose when it was the name of a "bad" cartel in "A for Andromeda".

  • Anonymous Coward, 7 Jun 2016 @ 5:38pm

    Was I the only one that was expecting to see some crazy accusation about the x86 market here?

  • marcus (profile), 8 Jun 2016 @ 4:42am

    Always wondered how safe identity theft protection sites are with information

    After a breach last year, I was offered free identity theft protection for one year by CSID. I was wary of giving my information to them since others I have known told me how they had to give CSID their SSN and all kinds of other information in order to take advantage of the free service. Being the victim of one breach, I was concerned if CSID would protect my personal information so that I don't become a victim of identity theft again. I remember one person even was protected from Lifelock but still was a victim of this breach and wasn't eligible for the free 1 year protection from CSID since they already are signed up with Lifelock.

  • John85851 (profile), 8 Jun 2016 @ 10:44am

    Not surprising

    It's not surprising when companies use other companies as their source of data rather than verifying it themselves.
    How many times has this happened in the news industry? Site #1 (such as The Onion) will publish a story and site #2 will take it as gospel and re-print it... even though The Onion is a known satirical site! Then site #3 will re-print site #2's article using site #2 as the "verified source", yet the original data is still bad.
