[HN Gopher] FTC takes action against CafePress for data breach cover up
Author : reidrac
Score : 94 points
Date : 2022-06-27 17:41 UTC

| olliej wrote:
| It sounds like the concealing of it is (rightfully) a bigger part of things.

| encryptluks2 wrote:
| Which is okay if you're an Xfinity or other entity that frequently lobbies congress.

| olliej wrote:
| Yeah, except that seems to be true of /any/ crime, in any industry.

| dontbenebby wrote:
| The BCP is kind of a joke, they do these enforcements usually when a practice is widespread, it's like when they pull over one car on the highway and the rest slow down.
|
| The GOP commissioners do not believe in the mission, and obstruct it, so you have the same issues with enforcement you saw play out on the SC recently -- GOP presidents stack the org with people who aim to destroy it.
|
| Then to add insult to injury, they require you to have a JD (which entails not being able to operate a computer apparently, or when you do, needing to have 1 pagers on encryption from the 90s rewritten every two weeks to two years), and when they do hire anything remotely related to the liberal arts, they label them as "economists" and don't allow anyone who actually believes in sound economics in -- only Austrian bull crap, the usual Keynes neoliberalism, or, at best neoliberalish "behavioral economists" who rediscover concepts I learned in my cognitive psyc class in undergrad that date back decades.
|
| (Dark patterns being a classic example -- we're gonna discover the lies that were explained in Consumer Reports for Kids in the 1990s at an exploratory workshop in 2020s? Stuff like that is why more and more people are leaving America permanently.)
| kevin_thibedeau wrote:
| > inadequately encrypted passwords,
|
| Assuming this means unsalted hashes. Since when has the FTC been going after this?

| blacksmith_tb wrote:
| That whole sentence is even more interesting: "the FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions." Why would CafePress have anyone's SSN? I suppose potentially a merchant selling on it might need to have provided banking details, but that still doesn't seem like it should include a SSN?

| kayodelycaon wrote:
| Sole proprietors use their SSN for tax purposes. May also apply to single-member LLCs.

| lsaferite wrote:
| Can't Sole Proprietors obtain an EIN as well though? No way I'm using my SSN for stuff like that. I always used an LLC with an EIN.

| xeromal wrote:
| They can. I assume DBAs (Doing business as) folks are the ones that use their SSN. Just real small-time shops.

| mcculley wrote:
| Many sole proprietors execute under their SSN. Most will not bother to acquire an EIN.

| mcculley wrote:
| An individual can sell custom/branded merchandise on CafePress. If CafePress is sending more than $600 per year to an individual, they have to issue a 1099, which has to have a TIN, which is going to be an SSN for most individuals.

| olliej wrote:
| Income reporting? If you're a non-business merchant? Or if you're a business the businesses tax is?
|
| This is me stabbing in the dark, no actual knowledge or anything :)

| nerdponx wrote:
| For all the apparent inaction and broken promises of the Biden administration, it's been very refreshing to see "technical" government agencies returning to basic competency, and in some cases apparently actively bucking long trends of regulatory capture. The bureaucrats seem surprisingly progressive this cycle (once again highlighting the fragility of a system that functions in spite of, rather than because of, the primary lawmaking body). It's a shame that they will probably be voted out next go around, possibly in favor of the prior Twitter User In Chief.

| pavon wrote:
| I was curious about what legal theory they were using to enforce this. It appears that 5/7 of the counts are just false or misleading statements - CafePress claimed to have good security but didn't. Another is just tangentially related to security. The interesting one is Count III:
|
| > As described in Paragraph 11, Respondents' failure to employ reasonable data security measures to protect Personal Information caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. This practice is an unfair act or practice. ...
|
| > in violation of Section 5(a) of the Federal Trade Commission Act.
|
| If I'm reading this correctly, it is saying that the FTC interprets poor security of user's data to be in violation of the FTC act even outside of any promises given to the customer. That seems like a big stretch IMO.

| bombcar wrote:
| It's the legal theory of "agree to these things or we're going to publicly try to nail your assets to the wall" - even if they actually can't do it, do you want to pay the costs of fighting it, or give the FTC their little PR moment.

| dontbenebby wrote:
| I saw one darknet site where they didn't keep hashes, so they could go off and use all the various algos (sha, md5 etc) then see where else those users were members (by looking for password if they were dumb enough), I wonder how often that happens in the corporate world but absent a whistleblower or a helpful hacker no one would find out.
|
| (I'm not clear if they were being run by the police when I showed up, or if that was an extortion technique, but it's been over two years since that adventure, so the CFAA has expired and if someone takes issue I tried to take down a den of hurtcore creeps because one of them obstructed my job search before the portmanteau had been popularized, form a line to my left so you don't interfere with the baristas taking orders, as I operate in the clear and I will not abide absolute scumbags who abuse their access.)

| inetknght wrote:
| > _they didn't keep hashes, so they could go off and use all the various algos (sha, md5 etc) then see where else those users were members (by looking for password if they were dumb enough), I wonder how often that happens in the corporate world_
|
| https://en.wikipedia.org/wiki/Credential_stuffing
|
| Indeed, it's a major problem.

| dontbenebby wrote:
| Oh yeah I know the re-use is common, I more meant the technique of purposefully not hashing or disabling hashing to compare hashes across services and connect users.

| tptacek wrote:
| I'm a little nerd-sniped by the callout over using SHA-1; SHA-1 is broken in a way that has nothing to do with password storage security (they're not using a password KDF at all, so the thrust of the complaint isn't wrong, and no sane person would use SHA-1 to build a new password KDF in 2019, but still!)

| bityard wrote:
| They're not going after them for that. They're going after them for that plus an incredibly long list of other basic security failures, failing to notify customers that their personal data was now in the wild, and other negligence

| 4oh9do wrote:
| Bullshit like this will continue happening en masse until there are mandatory prison sentences for C-suite executives for negligence and malice like this.

| tbihl wrote:
| As much as we love to imprison people in the US... Maybe just make the expected value of cover up massively negative with fines as significant multiples of actual damage?

| dontbenebby wrote:
| No, jail them, even if just overnight. It fixed Iceland's issues.
|
| https://en.wikipedia.org/wiki/2008%E2%80%932011_Icelandic_fi...
|
| Prison is for serious crimes, like murder, or financial losses so large they are akin to one.
|
| A human life is worth about 10 million:
|
| https://en.wikipedia.org/wiki/Value_of_life#United_States
|
| If someone makes a big deal out of never killing, and they do multiples of damage to that, some of which causes others to die of depression... then walk them out of their offices in handcuffs, one by one, until they're "nudged" to change their behavior.
|
| I feel just as precarious as I did in 2008. (More so since I'm older, and don't have the clean slate young people do but don't have the savings others have on this site despite always trying to make the least wrong decisions I could... but if others don't opt in to giving me income, I can't invest it wisely, full stop.)

| lesuorac wrote:
| I dunno, we seem to issue fines a lot nowadays and the behavior doesn't change.
|
| What even would the expected value for a fine in this situation? It seems overly complex to calculate as I don't think even the FTC tried to put a value of the damages from the sale of the person information.

| adrr wrote:
| Fines or threat of jail time is just treating the symptoms. Bigger issue is that companies use SSN as a way to authenticate a user. Government should mandate only allowing SSN for tax identification purposes. Passwords need to go away and with webauth, we are almost there. The average person is re-using the same password across sites so it's pointless protection.
|
| An e-commerce store hack shouldn't give hackers the data needed to access customers financial accounts.

| lesuorac wrote:
| And when a company doesn't comply?
|
| A law without a penalty isn't a law you need to follow.

| 4oh9do wrote:
| > Government should mandate only allowing SSN for tax identification purposes.
|
| CafePress was presumably collecting SSNs precisely for tax identification purposes.

| adrr wrote:
| It's not them who are the problem. It's financial institutions and other services that use SSN as way to verify a person. You should not be able to set up a cell phone plan by providing a name and a SSN. And credit reporting should not be tied to a SSN. It should just be used to submit tax information to the government and have no value beyond that.

| deathanatos wrote:
| > _I dunno, we seem to issue fines a lot nowadays and the behavior doesn't change._
|
| We issue fines, yes. We do not issue fines to an amount that would incentivize behavior change. Most fines from agencies like this, when I see them, tend to be in the <$10 range, when scaled to how "impactful" the fine would be against an average person's income. My father would call a fine that's less than $10 a "toll".
|
| In this particular case, the fined entity is too small for me to know exactly, as I can't find their financials. But the amount doesn't smell large.
|
| In some instances, I've seen agencies level $0 fines against corporations. Literally, all the agency demanded was "stop doing the bad thing, m'kay?"

| dontbenebby wrote:
| > We issue fines, yes. We do not issue fines to an amount that would incentivize behavior change.
|
| Who is we? The US?
|
| I see many euros on HN tutting about lax regulation, but no one in the EU seem willing to actually enforce the GDPR and levy a corporate death penalty if their brothers across the pond won't do the needful.
|
| (I'm eligible for an Italian passport Jus sanguinis, though I had intended not to look into it until late in life -- maybe I should abandon my American one, and immediately lobby for the above to my new elected representatives, since everyone I've met from the world of spooks seems to obstruct me out of fear I'll expose their illegal behavior rather than do their damn job well enough I wouldn't notice how they spend their free time.)

| 4oh9do wrote:
| It's all Monopoly money to corporations. If there is no fear of an actual corporal punishment, then there is no personal skin in the game, so to speak. An executive who causes a corporation to be fined may worry about losing their job, but they'll be much more worried if the risk is going to prison.
|
| And it's not that we love to imprison people in the US, it's that we love to imprison the wrong people.

| tbihl wrote:
| > It's all Monopoly money to corporations.
|
| Surely you don't mean by this that they don't care about money. Isn't the cynical take normally that corporations are amoral money maximizing juggernauts? Why wouldn't they respond to adequate threats?

| themitigating wrote:
| It's not that they don't care about money it's that they are less affected by loss.
|
| Once someone earns about 10 million they can live for the rest of their life in a reasonable way without working again. So when you are an executive who has assets of 50 to 70 million and your stock, which was worth 10 mil is now worth 7 mil you aren't hurt that bad.
|
| The company can then raise prices, cut quality, and fire people to reduce costs to make up for the fine. The stock might eventually even go higher than it was before.

| 4oh9do wrote:
| What I mean is that executives value their personal livelihoods above money, though the two are often correlated. Therefore the punishment needs to strike at the core, their personal as opposed to financial freedom. "Big" fines for corporations have been around forever, I don't see them changing anything.

| dontbenebby wrote:
| > It's all Monopoly money to corporations. If there is no fear of an actual corporal punishment
|
| The Swift Ban was as close to an economic death penalty as you can give a bank, we should do it more often to corporations, public or private, that act the fool
|
| (Looking at you, China, with your manipulation of both CNH and CNY)
|
| https://en.wikipedia.org/wiki/SWIFT_ban_against_Russian_ban...

| tptacek wrote:
| From the consent agreement, in addition to a bunch of fuzzier stuff about standing up a security program, the FTC has demanded:
|
| 1. Technical measures to monitor all of Respondent's networks and all systems and assets within those networks to identify data security events, including unauthorized attempts to exfiltrate Personal Information from those networks;
| 2. Policies and procedures to ensure that all code for web applications is reviewed for the existence of common vulnerabilities;
| 3. Policies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures;
| 4. Encryption of all Social Security numbers on Respondent's computer networks;
| 5. Data access controls for all databases storing Personal Information, including by, at a minimum, (a) restricting inbound connections to approved IP addresses, (b) requiring authentication to access them, and (c) limiting employee access to what is needed to perform that employee's job function;
| 6. Policies and procedures to ensure that all devices on Respondent's network with access to Personal Information are securely installed and inventoried at least once every twelve (12) months, including policies and procedures to timely remediate critical and high-risk security vulnerabilities and apply up-to-date security patches;
| 7. Replacing authentication measures based on the use of security questions and answers to access accounts with multi-factor authentication methods that use a secure authentication protocol, such as cryptographic software or devices, mobile authenticator applications, or allowing the use of security keys; and
| 8. Training of all of Respondent's employees, at least once every twelve (12) months, on how to safeguard Personal Information;
|
| #7 jumps out at me. The problem CafePress has is that they used security questions rather than the industry-standard practice of just sending password-reset emails, which meant the answers to those security questions were password-equivalent, and, of course, stolen in the SQLI attacks. But the simpler fix here is just to require password reset emails, not to mandate multi-factor authentication. Though I wonder if they'll just claim email resets are a second factor.

| bombcar wrote:
| #1 sounds like a boondoggle for security companies, selling software that doesn't actually _do_ much; but perhaps I'm out of the market too long to know what's the current standard.

| 4oh9do wrote:
| > But the simpler fix here is just to require password reset emails, not to mandate multi-factor authentication.
|
| Password resets lead to iterative passwords, which lead to password reuse, which lead to email compromise, which leads to it being pointless to use email as some ersatz second factor.
|
| If we want to move towards a world where phishing attacks and password breaches are obsolete, then we need to press full-throttle to mandating hardware security keys for all accounts.

| tptacek wrote:
| It is very much the FTC's place to require companies to live up to the commitments they've made to customers, and probably, more broadly, to make sure they live up to the implied commitments of universal industry best practices. It is less clear that FTC has the authority to turn random companies into test cases for the elimination of phishing attacks.
|
| The practices CafePress had prior to its breach were clearly inadequate, and justifiably actionable. They authenticated users with password-equivalent "security questions", which they (of course) stored in clear text. Storing cleartext password reset secrets contravenes universal industry best practices, and, really, so does the use of "security questions" at all --- though many banks still do.
|
| But requiring 2FA tokens is not a universal practice. Moreover, deployed over a whole userbase, it doesn't really address the concerns that lead to or were revealed by this breach. Managing 2FA for non-technical end users --- that's the kind CafePress serves --- is extraordinarily difficult. People lose tokens, 2FA codes are phishable, account recovery remains the most difficult problem in computer security, and so on.
|
| So yes, it is weird to me to see the FTC suggest that the appropriate solution to a broken authentication system with security question is "make people use 2FA tokens". The universal best practice solution to the specific problem the security tokens solved is "password reset emails that prove custody of a trusted email account". The demand from the FTC exceeds that best practice. That's interesting, and so I called it out.
|
| We don't know each other, so it probably bears saying that I am foursquare supportive of 2FA. I'm supportive of a lot of things the FTC would no doubt love to force companies to do (penetration testing in particular!)

| 4oh9do wrote:
| > But requiring 2FA tokens is not a universal practice.
|
| It is not universal practice, but it is industry-standard, so I don't particularly understand why it is surprising that the FTC is recommending that CafePress adhere to industry standards.

| tptacek wrote:
| 2FA is not in fact the industry standard process for account recovery (it's the industry standard problem that causes us to have to spend time on account recovery!), and account recovery is the problem this part of the consent agreement addresses.

| 4oh9do wrote:
| As per NIST 800-63B:
|
| > To maintain the integrity of the authentication factors, it is essential that it not be possible to leverage an authentication involving one factor to obtain an authenticator of a different factor. For example, a memorized secret must not be usable to obtain a new list of look-up secrets.
|
| And further:
|
| > Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.

| tptacek wrote:
| That's the NIST standard definition for out-of-band authenticators. FTC didn't demand out-of-band authenticators, nor is anyone obligated to comply with NIST.

| bombcar wrote:
| And the account/2FA reset procedure is always the weak point - most of my accounts with 2FA enabled let me reset it with access to email or SMS.
|
| (Which is good for some of them, as they're notoriously flaky).

| tptacek wrote:
| Yes. For obvious reasons, people are more prone to lose 2FA authenticators (be they code generators or hardware keys) than passwords. Both passwords and 2FA mechanisms are customers of account recovery, which is the process that kicks in when you can't log in. Security questions are a particularly bad account recovery system. Reset emails are somewhat better.
|
| Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.
|
| To get a general sense of where we're at as an industry with this, look at the process for what happens when you lose an AWS 2FA secret:
|
| https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...
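An added example, not code from the thread or from CafePress: the "password reset emails that prove custody of a trusted email account" flow tptacek describes, with the reset secret stored only as a hash (so a SQLi dump of the table yields nothing usable, unlike cleartext security-question answers), plus a salted slow KDF for the passwords themselves beside the unsalted fast hash kevin_thibedeau and tptacek discuss. Function names, the 15-minute TTL and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # assumed: reset links expire after 15 minutes
PBKDF2_ITERATIONS = 200_000      # assumed work factor for the password KDF

# Constructed in-memory stand-in for a reset-token table. Only the *hash* of
# each token is stored, so a SQLi dump of this table gives an attacker nothing
# usable, unlike cleartext security-question answers.
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float, "used": bool}


def _hash_token(token: str) -> str:
    # A 256-bit random token cannot be brute-forced, so a fast hash is fine here.
    # User-chosen secrets (passwords, security answers) are low-entropy and must
    # go through a slow, salted KDF instead (see hash_password).
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Mint the token to email to the account's trusted address; store only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash_token(token)] = {
        "user": username, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is known, unexpired and unused, else None."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(_hash_token(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True      # single use: replaying a leaked link fails
    return rec["user"]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow KDF for a user-chosen secret."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def legacy_unsalted_sha1(password: str) -> str:
    """The "inadequately encrypted" style the complaint describes: fast and unsalted.
    Equal passwords give equal digests, so one precomputed lookup cracks every user
    with that password, and the same digest links one user across sites."""
    return hashlib.sha1(password.encode()).hexdigest()
```

Two users with the same password get different `hash_password` digests but identical `legacy_unsalted_sha1` digests, which is the cross-user (and cross-site) linkage the thread describes.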
| 4oh9do wrote:
| > Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.
|
| Your reading of the FTC text seems to be that you think the FTC has conflated account recovery with 2FA, but I don't think that's the case. Instead, my read is that they're suggesting that password breaches can be rendered moot points by requiring 2FA for accounts, so that the compromise of a password would not require an account reset in the first place.

| tptacek wrote:
| I'm reading the plain language of the agreement, which requires the replacement _of security questions and answers_, and is not in fact a manifesto about the insecurity of passwords writ large.
|
| But technical language aside: a requirement that CafePress fully adopt 2FA also doesn't make sense, because its users will not fully adopt 2FA. The users that can't 2FA are the interesting case here, and the thing I'm calling out.

| ketralnis wrote:
| I think you think they mean password _expiration_, not password resets. I don't see how the existence of a "I forgot my password" (password reset) flow leads to reused passwords, though automatically expiring passwords certainly do

| arlattimore wrote:
| What they are requiring might be interesting when compared to the Whitehouse Zero Trust Architecture [1] that was announced last year.
|
| [1] https://www.whitehouse.gov/briefing-room/presidential-action...

(page generated 2022-06-27 23:01 UTC)