[HN Gopher] FTC takes action against CafePress for data breach c...
___________________________________________________________________
FTC takes action against CafePress for data breach cover up
Author : reidrac
Score : 94 points
Date : 2022-06-27 17:41 UTC (5 hours ago)
(HTM) web link (www.ftc.gov)
(TXT) w3m dump (www.ftc.gov)
| olliej wrote:
| It sounds like the concealing of it is (rightfully) a bigger part
| of things.
| encryptluks2 wrote:
| Which is okay if you're an Xfinity or other entity that
| frequently lobbies congress.
| olliej wrote:
| Yeah, except that seems to be true of /any/ crime, in any
| industry.
| dontbenebby wrote:
| The BCP is kind of a joke, they do these enforcements
| usually when a practice is widespread, it's like when they
| pull over one car on the highway and the rest slow down.
|
| The GOP commissioners do not believe in the mission, and
| obstruct it, so you have the same issues with enforcement
| you saw play out on the SC recently -- GOP presidents stack
| the org with people who aim to destroy it.
|
| Then to add insult to injury, they require you to have a JD
| (which entails not being able to operate a computer
| apparently, or when you do, needing to have 1-pagers on
| encryption from the 90s rewritten every two weeks to two
| years), and when they do hire anything remotely related to
| the liberal arts, they label them as "economists" and don't
| allow anyone who actually believes in sound economics in --
| only Austrian bull crap, the usual Keynes neoliberalism, or,
| at best neoliberalish "behavioral economists" who
| rediscover concepts I learned in my cognitive psych class in
| undergrad that date back decades.
|
| (Dark patterns being a classic example -- we're gonna
| discover the lies that were explained in Consumer Reports
| for Kids in the 1990s at an exploratory workshop in 2020s?
| Stuff like that is why more and more people are leaving
| America permanently.)
| kevin_thibedeau wrote:
| > inadequately encrypted passwords,
|
| Assuming this means unsalted hashes. Since when has the FTC been
| going after this?
| blacksmith_tb wrote:
| That whole sentence is even more interesting: "the FTC alleges
| that CafePress failed to implement reasonable security measures
| to protect sensitive information stored on its network,
| including plain text Social Security numbers, inadequately
| encrypted passwords, and answers to password reset questions."
| Why would CafePress have anyone's SSN? I suppose potentially a
| merchant selling on it might need to have provided banking
| details, but that still doesn't seem like it should include a
| SSN?
| kayodelycaon wrote:
| Sole proprietors use their SSN for tax purposes. May also
| apply to single-member LLCs.
| lsaferite wrote:
| Can't Sole Proprietors obtain an EIN as well though? No way
| I'm using my SSN for stuff like that. I always used an LLC
| with an EIN.
| xeromal wrote:
| They can. I assume DBAs (Doing business as) folks are the
| ones that use their SSN. Just real small-time shops.
| mcculley wrote:
| Many sole proprietors execute under their SSN. Most will
| not bother to acquire an EIN.
| mcculley wrote:
| An individual can sell custom/branded merchandise on
| CafePress. If CafePress is sending more than $600 per year to
| an individual, they have to issue a 1099, which has to have a
| TIN, which is going to be an SSN for most individuals.
| olliej wrote:
| Income reporting? If you're a non-business merchant? Or if
| you're a business the businesses tax is?
|
| This is me stabbing in the dark, no actual knowledge or
| anything :)
| nerdponx wrote:
| For all the apparent inaction and broken promises of the Biden
| administration, it's been very refreshing to see "technical"
| government agencies returning to basic competency, and in some
| cases apparently actively bucking long trends of regulatory
| capture. The bureaucrats seem surprisingly progressive this
| cycle (once again highlighting the fragility of a system that
| functions in spite of, rather than because of, the primary
| lawmaking body). It's a shame that they will probably be voted
| out next go around, possibly in favor of the prior Twitter User
| In Chief.
| pavon wrote:
| I was curious about what legal theory they were using to
| enforce this. It appears that 5/7 of the counts are just false
| or misleading statements - CafePress claimed to have good
| security but didn't. Another is just tangentially related to
| security. The interesting one is Count III:
|
| > As described in Paragraph 11, Respondents' failure to employ
| reasonable data security measures to protect Personal
| Information caused or is likely to cause substantial injury to
| consumers that is not outweighed by countervailing benefits to
| consumers or competition and is not reasonably avoidable by
| consumers themselves. This practice is an unfair act or
| practice. ...
|
| > in violation of Section 5(a) of the Federal Trade Commission
| Act.
|
| If I'm reading this correctly, it is saying that the FTC
| interprets poor security of users' data to be in violation of the
| FTC Act even outside of any promises given to the customer.
| That seems like a big stretch IMO.
| bombcar wrote:
| It's the legal theory of "agree to these things or we're
| going to publicly try to nail your assets to the wall" - even
| if they actually can't do it, do you want to pay the costs of
| fighting it, or give the FTC their little PR moment.
| dontbenebby wrote:
| I saw one darknet site where they didn't keep hashes, so they
| could go off and use all the various algos (sha, md5 etc) then
| see where else those users were members (by looking for
| password if they were dumb enough), I wonder how often that
| happens in the corporate world but absent a whistleblower or a
| helpful hacker no one would find out.
|
| (I'm not clear if they were being run by the police when I
| showed up, or if that was an extortion technique, but it's been
| over two years since that adventure, so the CFAA has expired
| and if someone takes issue I tried to take down a den of
| hurtcore creeps because one of them obstructed my job search
| before the portmanteau had been popularized, form a line to my
| left so you don't interfere with the baristas taking orders, as
| I operate in the clear and I will not abide absolute scumbags
| who abuse their access.)
| inetknght wrote:
| > _they didn't keep hashes, so they could go off and use all
| the various algos (sha, md5 etc) then see where else those
| users were members (by looking for password if they were dumb
| enough), I wonder how often that happens in the corporate
| world_
|
| https://en.wikipedia.org/wiki/Credential_stuffing
|
| Indeed, it's a major problem.
| dontbenebby wrote:
| Oh yeah I know the re-use is common, I more meant the
| technique of purposefully not hashing or disabling hashing
| to compare hashes across services and connect users.
| tptacek wrote:
| I'm a little nerd-sniped by the callout over using SHA-1; SHA-1
| is broken in a way that has nothing to do with password storage
| security (they're not using a password KDF at all, so the
| thrust of the complaint isn't wrong, and no sane person would
| use SHA-1 to build a new password KDF in 2019, but still!)
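A worked contrast between the two storage schemes kevin_thibedeau, dontbenebby and tptacek are discussing, added here as an example (not code from the thread or from CafePress): an unsalted SHA-1 digest, which is a fast hash rather than a password KDF and makes equal passwords recognisable across leaked tables, beside a salted scrypt record. The scrypt cost parameters and the `scrypt$N$r$p$salt$key` record layout are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme the thread discusses: one unsalted SHA-1 digest per user.
# SHA-1 is a fast general-purpose hash, not a password KDF: no salt and no
# work factor, so equal passwords produce equal digests everywhere.
def legacy_sha1_record(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Replacement: a memory-hard password KDF (scrypt) with a per-user random
# salt. The cost parameters below are constructed for this example; size
# them for your own hardware and latency budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32

def kdf_record(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    # Self-describing record: the parameters travel with the hash, so the
    # cost can be raised later without a flag-day migration.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"

def kdf_verify(password: str, record: str) -> bool:
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=KEY_LEN)
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def correlatable(record_a: str, record_b: str) -> bool:
    """True when two stored records alone reveal that their passwords are equal.

    This is the cross-service linking the thread describes: with unsalted
    digests, the same password looks identical in every leaked table; with a
    per-user salt the records carry no such signal.
    """
    return record_a == record_b

if __name__ == "__main__":
    # Constructed sample: the same password stored by two different services.
    pw = "correct horse battery staple"
    print("unsalted SHA-1 linkable:", correlatable(legacy_sha1_record(pw), legacy_sha1_record(pw)))
    print("salted scrypt linkable: ", correlatable(kdf_record(pw), kdf_record(pw)))
    print("scrypt verify:", kdf_verify(pw, kdf_record(pw)))
```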
| bityard wrote:
| They're not going after them for that. They're going after them
| for that plus an incredibly long list of other basic security
| failures, failing to notify customers that their personal data
| was now in the wild, and other negligence.
| 4oh9do wrote:
| Bullshit like this will continue happening en masse until there
| are mandatory prison sentences for C-suite executives for
| negligence and malice like this.
| tbihl wrote:
| As much as we love to imprison people in the US... Maybe just
| make the expected value of cover up massively negative with
| fines as significant multiples of actual damage?
| dontbenebby wrote:
| No, jail them, even if just overnight. It fixed Iceland's
| issues.
|
| https://en.wikipedia.org/wiki/2008%E2%80%932011_Icelandic_fi.
| ..
|
| Prison is for serious crimes, like murder, or financial
| losses so large they are akin to one.
|
| A human life is worth about 10 million:
|
| https://en.wikipedia.org/wiki/Value_of_life#United_States
|
| If someone makes a big deal out of never killing, and they do
| multiples of damage to that, some of which causes others to
| die of depression... then walk them out of their offices in
| handcuffs, one by one, until they're "nudged" to change their
| behavior.
|
| I feel just as precarious as I did in 2008. (Moreso since I'm
| older, and don't have the clean slate young people do but
| don't have the savings others have on this site despite
| always trying to make the least wrong decisions I could...
| but if others don't opt in to giving me income, I can't
| invest it wisely, full stop.)
| lesuorac wrote:
| I dunno, we seem to issue fines a lot nowadays and the
| behavior doesn't change.
|
| What even would the expected value for a fine in this
| situation be? It seems overly complex to calculate as I don't
| think even the FTC tried to put a value on the damages from
| the sale of the personal information.
| adrr wrote:
| Fines or threat of jail time is just treating the
| symptoms. Bigger issue is that companies use SSN as a way
| to authenticate a user. Government should mandate only
| allowing SSN for tax identification purposes. Passwords
| need to go away and with WebAuthn, we are almost there. The
| average person is re-using the same password across sites
| so it's pointless protection.
|
| An e-commerce store hack shouldn't give hackers the data
| needed to access customers financial accounts.
| lesuorac wrote:
| And when a company doesn't comply?
|
| A law without a penalty isn't a law you need to follow.
| 4oh9do wrote:
| > Government should mandate only allowing SSN for tax
| identification purposes.
|
| CafePress was presumably collecting SSNs precisely for
| tax identification purposes.
| adrr wrote:
| It's not them who are the problem. It's financial
| institutions and other services that use SSN as a way to
| verify a person. You should not be able to set up a cell
| phone plan by providing a name and a SSN. And credit
| reporting should not be tied to a SSN. It should just be
| used to submit tax information to the government and have
| no value beyond that.
| deathanatos wrote:
| > _I dunno, we seem to issue fines a lot nowadays and the
| behavior doesn't change._
|
| We issue fines, yes. We do not issue fines to an amount
| that would incentivize behavior change. Most fines from
| agencies like this, when I see them, tend to be in the <$10
| range, when scaled to how "impactful" the fine would be
| against an average person's income. My father would call a
| fine that's less than $10 a "toll".
|
| In this particular case, the fined entity is too small for
| me to know exactly, as I can't find their financials. But
| the amount doesn't smell large.
|
| In some instances, I've seen agencies level $0 fines
| against corporations. Literally, all the agency demanded
| was "stop doing the bad thing, m'kay?"
| dontbenebby wrote:
| >We issue fines, yes. We do not issue fines to an amount
| that would incentivize behavior change.
|
| Who is we? The US?
|
| I see many euros on HN tutting about lax regulation, but
| no one in the EU seems willing to actually enforce the GDPR
| and levy a corporate death penalty if their brothers
| across the pond won't do the needful.
|
| (I'm eligible for an Italian passport Jus sanguinis,
| though I had intended not to look into it until late in
| life -- maybe I should abandon my American one, and
| immediately lobby for the above to my new elected
| representatives, since everyone I've met from the world
| of spooks seems to obstruct me out of fear I'll expose
| their illegal behavior rather than do their damn job well
| enough I wouldn't notice how they spend their free time.)
| 4oh9do wrote:
| It's all Monopoly money to corporations. If there is no fear
| of an actual corporal punishment, then there is no personal
| skin in the game, so to speak. An executive who causes a
| corporation to be fined may worry about losing their job, but
| they'll be much more worried if the risk is going to prison.
|
| And it's not that we love to imprison people in the US, it's
| that we love to imprison the wrong people.
| tbihl wrote:
| >It's all Monopoly money to corporations.
|
| Surely you don't mean by this that they don't care about
| money. Isn't the cynical take normally that corporations
| are amoral money maximizing juggernauts? Why wouldn't they
| respond to adequate threats?
| themitigating wrote:
| It's not that they don't care about money it's that they
| are less affected by loss.
|
| Once someone earns about 10 million they can live for the
| rest of their life in a reasonable way without working
| again. So when you are an executive who has assets of 50
| to 70 million and your stock, which was worth 10 mil is
| now worth 7 mil you aren't hurt that bad.
|
| The company can then raise prices, cut quality, and fire
| people to reduce costs to make up for the fine. The stock
| might eventually even go higher than it was before.
| 4oh9do wrote:
| What I mean is that executives value their personal
| livelihoods above money, though the two are often
| correlated. Therefore the punishment needs to strike at
| the core, their personal as opposed to financial freedom.
| "Big" fines for corporations have been around forever, I
| don't see them changing anything.
| dontbenebby wrote:
| >It's all Monopoly money to corporations. If there is no
| fear of an actual corporal punishment
|
| The SWIFT ban was as close to an economic death penalty as
| you can give a bank; we should do it more often to
| corporations, public or private, that act the fool.
|
| (Looking at you, China, with your manipulation of both CNH
| and CNY)
|
| https://en.wikipedia.org/wiki/SWIFT_ban_against_Russian_ban
| k...
| tptacek wrote:
| From the consent agreement, in addition to a bunch of fuzzier
| stuff about standing up a security program, the FTC has demanded:
| 1. Technical measures to monitor all of Respondent's networks and
| all systems and assets within those networks to identify data
| security events, including unauthorized attempts to exfiltrate
| Personal Information from those networks;
|
| 2. Policies and procedures to ensure that all code for web
| applications is reviewed for the existence of common
| vulnerabilities;
|
| 3. Policies and procedures to minimize data collection, storage,
| and retention, including data deletion or retention policies and
| procedures;
|
| 4. Encryption of all Social Security numbers on Respondent's
| computer networks;
|
| 5. Data access controls for all databases storing Personal
| Information, including by, at a minimum, (a) restricting inbound
| connections to approved IP addresses, (b) requiring
| authentication to access them, and (c) limiting employee access
| to what is needed to perform that employee's job function;
|
| 6. Policies and procedures to ensure that all devices on
| Respondent's network with access to Personal Information are
| securely installed and inventoried at least once every twelve
| (12) months, including policies and procedures to timely
| remediate critical and high-risk security vulnerabilities and
| apply up-to-date security patches;
|
| 7. Replacing authentication measures based on the use of security
| questions and answers to access accounts with multi-factor
| authentication methods that use a secure authentication protocol,
| such as cryptographic software or devices, mobile authenticator
| applications, or allowing the use of security keys; and
|
| 8. Training of all of Respondent's employees, at least once every
| twelve (12) months, on how to safeguard Personal Information;
|
| #7 jumps out at me. The problem CafePress has is that they used
| security questions rather than the industry-standard practice of
| just sending password-reset emails, which meant the answers to
| those security questions were password-equivalent, and, of
| course, stolen in the SQLI attacks. But the simpler fix here is
| just to require password reset emails, not to mandate multi-
| factor authentication. Though I wonder if they'll just claim
| email resets are a second factor.
| bombcar wrote:
| #1 sounds like a boondoggle for security companies, selling
| software that doesn't actually _do_ much; but perhaps I'm out
| of the market too long to know what's the current standard.
| 4oh9do wrote:
| > But the simpler fix here is just to require password reset
| emails, not to mandate multi-factor authentication.
|
| Password resets lead to iterative passwords, which lead to
| password reuse, which leads to email compromise, which leads to
| it being pointless to use email as some ersatz second factor.
|
| If we want to move towards a world where phishing attacks and
| password breaches are obsolete, then we need to press full-
| throttle to mandating hardware security keys for all accounts.
| tptacek wrote:
| It is very much the FTC's place to require companies to live
| up to the commitments they've made to customers, and
| probably, more broadly, to make sure they live up to the
| implied commitments of universal industry best practices. It
| is less clear that FTC has the authority to turn random
| companies into test cases for the elimination of phishing
| attacks.
|
| The practices CafePress had prior to its breach were clearly
| inadequate, and justifiably actionable. They authenticated
| users with password-equivalent "security questions", which
| they (of course) stored in clear text. Storing cleartext
| password reset secrets contravenes universal industry best
| practices, and, really, so does the use of "security
| questions" at all --- though many banks still do.
|
| But requiring 2FA tokens is not a universal practice.
| Moreover, deployed over a whole userbase, it doesn't really
| address the concerns that lead to or were revealed by this
| breach. Managing 2FA for non-technical end users --- that's
| the kind CafePress serves --- is extraordinarily difficult.
| People lose tokens, 2FA codes are phishable, account recovery
| remains the most difficult problem in computer security, and
| so on.
|
| So yes, it is weird to me to see the FTC suggest that the
| appropriate solution to a broken authentication system with
| security questions is "make people use 2FA tokens". The
| universal best practice solution to the specific problem the
| security tokens solved is "password reset emails that prove
| custody of a trusted email account". The demand from the FTC
| exceeds that best practice. That's interesting, and so I
| called it out.
|
| We don't know each other, so it probably bears saying that I
| am foursquare supportive of 2FA. I'm supportive of a lot of
| things the FTC would no doubt love to force companies to do
| (penetration testing in particular!)
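The "password reset emails that prove custody of a trusted email account" alternative tptacek describes, and the hashed-rather-than-cleartext storage of reset secrets he contrasts with CafePress's practice, as an added example that is not part of the thread: tokens are persisted only as SHA-256 fingerprints, expire, and are single-use, so a dumped reset table contains nothing redeemable. The 15-minute TTL, the in-memory store and the `ResetService` name are assumptions; actual mail delivery and the password KDF are outside the block.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed policy for this example: a reset link dies after 15 minutes.
RESET_TTL_SECONDS = 15 * 60

@dataclass
class ResetRecord:
    user: str
    expires_at: float
    used: bool = False

@dataclass
class ResetService:
    """Email-custody password reset with hashed, expiring, single-use tokens.

    Only a SHA-256 fingerprint of each token is stored, so a dump of this
    table (the thread's SQLi scenario) yields nothing that can be redeemed.
    The token is random and high-entropy, so a plain hash suffices here;
    a password KDF is only needed for user-chosen secrets.
    """
    records: Dict[str, ResetRecord] = field(default_factory=dict)  # fingerprint -> record
    credentials: Dict[str, str] = field(default_factory=dict)      # user -> stored credential (opaque here)
    clock: Callable[[], float] = time.time                          # injectable for tests

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str) -> str:
        """Create a reset token. The caller emails it to the user's registered
        address; receiving it there is what proves custody of the mailbox."""
        token = secrets.token_urlsafe(32)
        self.records[self._fingerprint(token)] = ResetRecord(
            user=user, expires_at=self.clock() + RESET_TTL_SECONDS)
        return token  # handed out once, never persisted in the clear

    def redeem(self, token: str, new_credential: str) -> bool:
        """Consume a token and install the new credential; False on any failure."""
        rec = self.records.get(self._fingerprint(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        # One successful reset burns every outstanding token for this user,
        # so an older link found later cannot be replayed.
        for other in self.records.values():
            if other.user == rec.user:
                other.used = True
        self.credentials[rec.user] = new_credential
        return True

if __name__ == "__main__":
    svc = ResetService()
    link_token = svc.issue("alice@example.invalid")  # constructed user
    print("first redeem:", svc.redeem(link_token, "new-credential"))
    print("replay:", svc.redeem(link_token, "replayed"))
```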
| 4oh9do wrote:
| > But requiring 2FA tokens is not a universal practice.
|
| It is not universal practice, but it is industry-standard,
| so I don't particularly understand why it is surprising
| that the FTC is recommending that CafePress adhere to
| industry standards.
| tptacek wrote:
| 2FA is not in fact the industry standard process for
| account recovery (it's the industry standard problem that
| causes us to have to spend time on account recovery!),
| and account recovery is the problem this part of the
| consent agreement addresses.
| 4oh9do wrote:
| As per NIST 800-63B:
|
| > To maintain the integrity of the authentication
| factors, it is essential that it not be possible to
| leverage an authentication involving one factor to obtain
| an authenticator of a different factor. For example, a
| memorized secret must not be usable to obtain a new list
| of look-up secrets.
|
| And further:
|
| > Methods that do not prove possession of a specific
| device, such as voice-over-IP (VOIP) or email, SHALL NOT
| be used for out-of-band authentication.
| tptacek wrote:
| That's the NIST standard definition for out-of-band
| authenticators. FTC didn't demand out-of-band
| authenticators, nor is anyone obligated to comply with
| NIST.
| bombcar wrote:
| And the account/2FA reset procedure is always the weak
| point - most of my accounts with 2FA enabled let me reset
| it with access to email or SMS.
|
| (Which is good for some of them, as they're notoriously
| flaky.)
| tptacek wrote:
| Yes. For obvious reasons, people are more prone to lose
| 2FA authenticators (be they code generators or hardware
| keys) than passwords. Both passwords and 2FA mechanisms
| are customers of account recovery, which is the process
| that kicks in when you can't log in. Security questions
| are a particularly bad account recovery system. Reset
| emails are somewhat better.
|
| Again, 2FA isn't an account recovery process at all; it's
| a reason you need account recovery.
|
| To get a general sense of where we're at as an industry
| with this, look at the process for what happens when you
| lose an AWS 2FA secret:
|
| https://docs.aws.amazon.com/IAM/latest/UserGuide/id_crede
| nti...
| 4oh9do wrote:
| > Again, 2FA isn't an account recovery process at all;
| it's a reason you need account recovery.
|
| Your reading of the FTC text seems to be that you think
| the FTC has conflated account recovery with 2FA, but I
| don't think that's the case. Instead, my read is that
| they're suggesting that password breaches can be rendered
| moot points by requiring 2FA for accounts, so that the
| compromise of a password would not require an account
| reset in the first place.
| tptacek wrote:
| I'm reading the plain language of the agreement, which
| requires the replacement _of security questions and
| answers_, and is not in fact a manifesto about the
| insecurity of passwords writ large.
|
| But technical language aside: a requirement that
| CafePress fully adopt 2FA also doesn't make sense,
| because its users will not fully adopt 2FA. The users
| that can't 2FA are the interesting case here, and the
| thing I'm calling out.
| ketralnis wrote:
| I think you think they mean password _expiration_, not
| password resets. I don't see how the existence of a "I forgot
| my password" (password reset) flow leads to reused passwords,
| though automatically expiring passwords certainly do.
| arlattimore wrote:
| What they are requiring might be interesting when compared to the
| Whitehouse Zero Trust Architecture [1] that was announced last
| year.
|
| [1] https://www.whitehouse.gov/briefing-room/presidential-
| action...
___________________________________________________________________
(page generated 2022-06-27 23:01 UTC)