Security News Survey – March 1, 2019

A look at an exposed watchlist of 2.4 million clients, the battle over federal data privacy laws, and a re-evaluation of password managers.


February may be the shortest month of the year, but it hasn’t been short on activity in the cybersecurity world. We closed out the month with some dramatic data breach news, as well as movement on the privacy regulation and password security fronts.

Let’s start with the latest and most attention-grabbing news.

Dow Jones Watchlist of 2.4 million “High-risk” Individuals Exposed

A Dow Jones watchlist of “risky” clients was exposed due to a misconfigured database. A security researcher discovered the unsecured AWS-hosted Elasticsearch database and published a write-up of his findings detailing the database was 4.4 GB in size and available to “anyone who knew where to look.”

The watchlist, maintained for risk and compliance purposes, is a catalog of more than 2.4 million individuals and business entities that are deemed to be “high-risk” clients, typically due to potential criminal affiliations. The list includes politicians or companies under sanctions and even individuals linked to terrorism and is used by government and financial institutions to evaluate financing. According to the researcher, the entire database was indexed and searchable.

It seems the data—names, addresses, cities, and location—has been secured, but it’s not the first time we’ve heard of this type of incident. Misconfigured databases seem to be all too common these days, and, unfortunately, the nature of the data exposed in this case is very troubling. Dow Jones has pointed a finger at a “third party” for the server error, but the name of that partner hasn’t been revealed.

Data Privacy: A Federal or State Responsibility?

U.S. lawmakers convened this week in what is expected to be the first of several House hearings on data privacy. While both sides of the aisle agreed on the need for bipartisan legislation on privacy, there is substantial disagreement around how to handle state legislation on the subject. As you might recall, California passed its own law on data protection in 2018, and other states are considering the same. Should a federal privacy law come into effect, it begs the question on what will happen to any state-produced legislation. For many, a major concern around state-driven legislation on privacy is whether or not conflicting state laws can create impossible compliance circumstances for business and subsequently hurt profits.

Data privacy has been a topic of growing concern, especially in light of recent and major data breaches, and Congress’s hand is being forced to act sooner rather than later. In December, a group of 15 senators introduced the Data Care Act, a federal bill for regulating data privacy and the impetus of this week’s hearings. Unfortunately, it seems Congress isn’t on the same page about how to handle data privacy—not just in terms of jurisdiction but also severity. Within the next few weeks, we’ll see if or how lawmakers can reach a compromise on federal legislation. What’s clear is that, in the absence of federal action, states will continue to seek out their own regulation.

Wait, Are Password Managers Actually Unsafe?

Since last week, you may have seen headlines pop up declaring that popular password managers have major vulnerabilities, which is really the last thing any of us want to hear when we’re already being inundated with warnings about good password hygiene. Here’s the news in a nutshell: a group of security researchers conducted a study and found that top password manager apps for Windows 10 leak data (in plaintext, apparently) to your PC’s memory, which can then be easily read by an attacker who has taken over your PC with malware. Because of this issue, the researchers were able to access login credentials from major password manager apps even the app was locked.

So, does this mean we should stop using password managers?

That’s a fair question and one that may depend on your personal circumstances. In an ideal world, we would be able to come up with strong, unique passwords for every one of our hundreds of online accounts and remember each password without issue—all by ourselves. Unfortunately, that’s a lot easier said than done. Password managers do serve an important purpose and can significantly decrease your chances of being impacted by data breaches if you use them correctly. The Washington Post’s Geoffrey Fowler shared a helpful perspective on the topic: “Online safety isn’t about being unhackable; it’s about not being the lowest-hanging fruit.” At the end of the day, most security experts (including the researchers who did that initial study), still recommend using password managers. It’s important to understand that no software is, as Fowler says, unhackable. But you may still be safer using a password manager, especially in light of the apparent rise in credential stuffing attacks these days.

 

A quick final update: The Interset team will be at RSA next week, so stay tuned to our social channels to see what we’re up to at the show! If you haven’t registered yet for the show, be sure to grab a free expo plus reg code at www.interset.com/rsa-2019/.