Hacked cheating site Ashley Madison will pay $1.6 million to FTC for breach


Ashley Madison, the dating website for married people seeking extramarital affairs, will pay the Federal Trade Commission (FTC) $1.6 million for its failure to protect the account information of 36 million users, for failing to delete account information after regretful users paid a $19 fee, and for luring users with fake accounts of “female” users.

In a press conference call, FTC Chairwoman Edith Ramirez said the commission had secured a $17.5 million settlement, but the company will only pay $1.6 million of that amount due to inability to pay. Ashley Madison's operators are also required to implement a data security program that will be audited by a third party, according to the settlement.

The website was hacked in August 2015, and the hack resulted in the release of user names, first and last names, hashed passwords, partial credit card data, street names, phone numbers, records of transactions, and e-mail addresses. In the wake of the hack, it was discovered that many people who paid the company $20 for a “Full Delete” had been bilked—Ashley Madison parent company Avid Life Media, now Ruby Corporation, had left that data on its servers for up to 12 months after the request had been made.


Frequent password changes are the enemy of security, FTC technologist says

FTC Chief Technologist Lorrie Cranor speaking at PasswordsCon 2016, part of the BSides security conference in Las Vegas.

Shortly after Carnegie Mellon University professor Lorrie Cranor became chief technologist at the Federal Trade Commission in January, she was surprised by an official agency tweet that echoed some oft-repeated security advice. It read: "Encourage your loved ones to change passwords often, making them long, strong, and unique." Cranor wasted no time challenging it.

The reasoning behind the advice is that an organization's network may have attackers inside who have yet to be discovered, and frequent password changes lock them out. But Cranor, a university professor who focuses on security, found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days.

"I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'"


Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users


A mobile advertising company that tracked the locations of hundreds of millions of consumers without consent has agreed to pay $950,000 in civil penalties and implement a privacy program to settle charges that it violated federal law.

The US Federal Trade Commission alleged in a complaint filed Wednesday that Singapore-based InMobi undermined phone users' ability to make informed decisions about the collection of their location information. While InMobi claimed that its software collected geographical whereabouts only when end users provided opt-in consent, the software in fact used nearby Wi-Fi signals to infer locations when permission wasn't given, FTC officials alleged. InMobi then archived the location information and used it to push targeted advertisements to individual phone users.

Specifically, the FTC alleged, InMobi collected nearby basic service set identifiers (BSSIDs), which act as unique serial numbers for wireless access points. The company, which thousands of Android and iOS app makers use to deliver ads to end users, then fed each BSSID into a "geocoder" database to infer the phone user's latitude and longitude, even when an end user hadn't provided permission for location to be tracked through the phone's dedicated location feature.


Feds probe mobile phone industry over the sad state of security updates


For years, critics have bemoaned the sad state of security updates available to hundreds of millions of owners of mobile devices running Google's Android operating system. Now, federal regulators are investigating whether Google, Apple, and the rest of the players in the mobile industry are doing everything they can to keep their customers safe.

In a joint action, the Federal Communications Commission and the Federal Trade Commission are ordering mobile operating system developers, hardware manufacturers, and carriers to explain their rationale in deciding when to issue updates or, as is so often the case for Android users, why they don't provide updates. Two of the more glaring examples are a vulnerability dubbed Stagefright, disclosed last year, and another disclosed in March called Metaphor. Both allow attackers to surreptitiously execute malicious code on Android devices when they view a booby-trapped website.

"There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device and all the personal, sensitive data on it," Jon Wilkins, chief of the FCC's Wireless Telecommunications Bureau, wrote in a letter to carriers. "One of the most significant to date is a vulnerability in the Android component called 'Stagefright.' It may have the ability to affect close to 1 billion Android devices around the world. And there are many other vulnerabilities that could do just as much harm."
