15 days of fame

Looks like the storm of visitors to this blog looking for information on that fake video circulating Facebook is over. Most of the searches were for the hostname of the server, which I happened to mention in the post. Which, I guess, put me at the top of the search results.

One individual found me on Facebook and accused me of being the creator of the video because I mentioned it on my blog. Of course, I had her read the blog post for help with kicking the hacker’s session out of her account and securing it.

Fb Messenger virus

Got a message from a coworker that suggested I was in a video. Naturally, I am supposed to click on it, but it felt wrong. A quick Duck Duck Go search revealed it to be a virus.

If you think a virus was installed on your device, then my advice is to find a trusted anti-virus software to scan your computer. There are also malware apps to scan & protect your phone. Some carriers offer them for free.

Some reports suggest that if you click on it, you get a Facebook login page.

Only, it is not a real one; it is designed to capture your credentials. That gives another party your credentials so that they can:

  1. send this out as messages to your contacts
  2. capture more information from your account

If you fell for the 2nd login issue, then my advice is to:

  1. Immediately change your password.
  2. Kick off all sessions in the “Security and Login” page. There is a “Log Out Of All Sessions” option.
  3. Also in the security section, set up two-factor authentication.
  4. Turn on getting alerts about unrecognized logins.

Of all the things I can report, I cannot report this?

It seems like Facebook should be able to detect this virus or phishing by now. What I can see of the link goes to a Facebook server: si-chao.cstools.facebook.com. So, at least the link to the virus/phishing is on their servers, enough that they could check for its presence.

The person who sent it to me says the account was locked out for 24 hours for behaving suspiciously. The act of sending hundreds of messages in a few seconds alerted Facebook to automated behavior. So, these are accounts they could be checking for being compromised.

How wide was the Equifax data breach?

143 million US consumers were caught up in the data breach. I keep seeing it portrayed as 44% of the US population. But, the US population includes children.

Initially, it seemed to me the better metric was 11 million more than all of 2016 IRS tax filers. The problems with this latter comparison? Lots of people who file taxes might not have a credit history, and some with credit histories might not file taxes in a specific year. Which brings up another problem: comparing tax filers for a specific year against people who had a credit history across many years is sketchy.

Other statistics give me headaches too.

  • The US Census’ latest 2016 estimate is that there were 325M (million) people in the country. The original 44% statistic is based on that.
  • The US Census’ latest 2016 estimate is that there were 249M adults in the country. That brings the percentage up to 57%.
  • The Bureau of Labor Statistics says in July 2017, when the hack occurred, there were 160M members of the civilian noninstitutionalized population. That excludes inmates and members of the armed forces, most of whom probably have credit histories.

So, I took the BLS 160M and looked up the excluded populations.

  • It looks like there were about 1.5M in the prisons.
  • And there is about 1.4M active military.

Combining these, it looks like about 88% of people in the “potentially have worked population” were affected.

I feel good with the 88% number.

Really, though, everyone probably has had their SSN and birthday exposed.  If you have ever attended a K-12 school, post-secondary education, gotten insurance, gone to a doctor, engaged in any way with a financial institution, or given your SSN to a government entity, then you should assume that your personal information is ready to be exposed at any time. Nor should you rely on being told. The state of Georgia exposed every voter’s SSN to subscribers of the voting list by accident and notified no one because they felt the CDs being returned meant no one could have the info. (Because the subscribers could not have copied the files off the discs.)

Overuse of SSNs

The overuse of the Social Security Number bothers me.

Healthcare providers use the SSN. They all want it, so they all have it in their files and databases. Given the push to move records to electronic form, they all have it recorded in databases. This makes them tempting targets for fraudsters. They have to use the strongest security practices to protect the data, which also makes working with it more difficult, which leads to shortcuts that make them more vulnerable.

From Bruce Schneier,

It’s not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you — almost all of them companies you’ve never heard of and have no business relationship with.

He goes on to talk about how companies are tracking our moves online and tying it to their profiles of our identity.

If my financial account (like a credit card number) is compromised, then the bank’s solution is to close the bad account and open a clean one for me. If my Social Security Number is compromised, then my solution is to closely monitor the opening of accounts using it. Getting a new SSN is very difficult because unlike a financial account, the number is my unique identifier.

Personally, I think the fine for a healthcare entity getting breached should be $100 per account. So, Anthem’s 2017 breach of 18,000 members would cost it $1,800,000. Anthem’s 2015 breach of 78.8 million would cost it $7.88 billion. (They got a fine of $115 million or about $1.50 per account.)