Coffee makers are SCADA, right?!

[This was originally published on the OSVDB blog.]

Steven Christey of CVE posted asking a question about VDBs and the inclusion of coffee makers. Yes, you read that correctly, vulnerabilities are being found in coffee makers that are network accessible. Don’t be surprised, we all knew the day was coming when every household appliance would become IP aware.

Before you laugh and spew your own coffee all over the keyboard, consider that the vulnerabilities are legitimate in the sense that a remote attacker can manipulate how the device performs and possibly do physical damage to the unit. This is really no different than SCADA devices such as air conditioners that are IP aware.

Some replies (like mine) were a bit more serious, suggesting this type of vulnerability is definitely worth inclusion in OSVDB. If we can’t draw the line between coffee makers, air conditioners and other SCADA devices today, will we be able to in a year or years from now? At some point, the blur between computing device and household appliance will be too hard to distinguish. Rather than waste too much time arguing over that line, why not track these few vulnerabilities now? They might be a bit primitive, but they will surely show historic value if nothing else.

Other replies were a bit less serious but fun, suggesting that making weak (or no) coffee would lead to disgruntled code writers that produce poor code filled with more vulnerabilities. Either way, count on us to include vulnerabilities in your favorite IP aware devices, kitchen, computing or otherwise, to this database.

Useless Compensation for Data Loss Incidents

[This was originally published on attrition.org. It was written by Apacid and Jericho.]

If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn’t abused. The recent BNY Mellon incident (which now stands at 4.5 million potential customers affected) resulted in customers receiving such a letter:

Notice that in return for having your personal information lost, they are offering free credit monitoring for 12 whole months! This seemingly generous offer has apparently become the standard business practice for acceptable compensation when your personal information is treated with carelessness. BNY opted to go with ConsumerInfo.com’s “Triple Alert” credit monitoring product (despite no mention of that ‘product’ on the consumerinfo.com web page), which watches for changes to your credit reports from the three national credit reporting agencies in the United States (Experian, Equifax, TransUnion). If you are unlucky and get caught up in multiple data loss incidents, you may receive this “gracious compensation” many times over.

First, why is this type of reactive credit monitoring acceptable compensation? This seems to be another case of one business following another and… voila, we have an industry ‘standard’ that does little to serve the customer but does everything to serve businesses that want to look caring and “customer-centric” in the media.

Second, since this is hardly compensating customers, what better things could the money be used for? If you take Experian at face value and accept that it is a US $60 value, that will pay for a nice steak dinner and a bottle of wine to fuel grumbling about corporate irresponsibility, which is definitely a better use than redundant ‘credit monitoring’ that really does little for the customer. What if the company that lost that information were required to send each person affected US $60 in cash instead? Bank of NY Mellon would have to pay out 270 million dollars, Hannaford would have to pay out 252 million, and TD Ameritrade would have to pay out 378 million. Wouldn’t that be a good incentive to implement stronger data security? Instead, businesses get out cheap by paying pennies on the dollar for ineffective and catch-ridden ‘services’ from companies that also profit heavily from having your information in the first place. If not that, companies should spend a fraction of those multi-million dollar amounts on instituting stronger data security and a more thorough method for auditing it. Imagine if any of those companies had budgeted US $100 million on data security the year before the breach.

Third, have you read the fine print to this generous credit monitoring? The monitoring in question consists of “daily” checks on your credit report in which they notify you of “key changes”. If you get such a notification and suspect something is wrong, you must file a police report within 10 days of receiving the e-mail notification, report the suspected identity theft to their Fraud Resolution Department within 10 days of receiving the e-mail, place a fraud alert with Experian, Equifax and TransUnion within 10 days of receiving the e-mail notification, work with the Fraud Resolution Department to pursue all sources of reimbursement (so they don’t have to pay you the guaranteed amount) and finally, pay out of pocket if you don’t meet all the criteria on their list in section 4. So if you happen to be on vacation or without e-mail for 10 days, this monitoring is entirely worthless as they will do nothing else to proactively protect you from such abuse. All this for only US $4.95 a month!! Oh, they can also terminate this offer/agreement at any time at their sole and complete discretion…

Fourth, does this seem like a huge profit circle and/or conflict of interest? The companies that are there maintaining your credit history and score are in turn charging customers for this monitoring. If you are unlucky and get your information lost, you get this paid service for free for one year. If not, you pay this company to monitor the records they keep for suspicious activity because they wouldn’t do it otherwise. They really care about the accuracy and security of your personal information, promise!

The simple truth is that offering limited credit monitoring for a heinous act of carelessness is no form of “compensation” to the affected customers. This desperate attempt to seem generous and caring is nothing more than a marketing ploy designed to appease customers that should otherwise be angry and looking to take their business elsewhere. It’s time to expect and demand more from companies that lose your personal information, whether by theft, poor policies, gross negligence, or any combination of the above.