For the most part, everyone that I speak with has come to accept the possibility that the Internet knows much more about them than they might think. Their acceptance (which ranges from grudging to incredibly blasé) of a faceless, amorphous entity known as “the Internet” being more familiar with them than their neighbors is made acceptable exactly because the Internet has achieved that same omniscient and omnipresent position as “the Government” or “the CIA” or, dare we say, God him/her/itself. These entities are out there, both comforting and ominous, but not personal, not sitting right next to you.
Perhaps we’ve been doing this wrong.
People aren’t scared, upset or even bothered anymore when we tell them their privacy has been invaded by the “Internet”. In truth, that’s a kindness, because the specifics are much more disturbing. A security researcher just uncovered a veritable treasure trove of personal information on nearly 340 million Americans, i.e., all of us. This information was being hosted in an unsecured database by marketing firm Exactis, and it holds close to 2 terabytes of data. And unfortunately for all of us, it’s much worse than credit cards and social security numbers. Instead, it’s much more personal, such as home addresses and phone numbers, number of children in the family, interests, hobbies, habits, shopping preferences, up to 400 variables on each person in their database, including whether they are a smoker, how many pets and what type, and yes, religious affiliation.
If you ever question how online advertising could be so specific, wonder no more. The marketing firms know where their bread is buttered, and firms like Cambridge Analytica and Exactis are sacrificing your privacy on the altar of data aggregation for the almighty dollar. How does one fight back? Make sure you understand where your local congress critter stands on matters like privacy, encryption and regulatory enforcement on failures like the massive Equifax breach for which exactly zero justice or compensation was delivered.
Get out and vote.
I’d like to say we actually went a few weeks without having to talk about Facebook because they weren’t in the news, but in reality, they were. I was just exhausted with the punishment they have been taking in the media ring, and rang the bell out of mercy rather than letting them continue to get pounded, at least on this blog. But break time is over and it’s time to lace up. Facebook did come out swinging earlier this week, publicizing their last quarter’s efforts to clean the place up: over half a billion fake accounts have been banned since the start of 2018, and they have removed nearly one billion posts that violated the social media giant’s guidelines. But the wind was snatched from their sails with news of yet another breach of user privacy, as researchers at New Scientist uncovered a leak of three million users’ extremely confidential data gathered by an app called My Personality. The app, designed by psychometric researchers affiliated with Cambridge University, gathered in-depth psychological data on over six million users, half of whom agreed to share their data anonymously with third parties for research purposes.
Pinky-swear to keep this data confidential?
While I’m sure they didn’t intend to out three million people to the internet, a class project uploaded to a popular code-sharing website by university students was found to contain a login and password to the protected database built by the My Personality team. Whoops. And that data was there, available for the public to access, for four years. Double-whoops. Here’s the thing: in order to gain access to this data originally, one had to register for access and was supposedly bound by a strict confidentiality clause. Two hundred and eighty people from 150 companies did register, but you can bet at least an equal number (and probably many more) did not, once they discovered the “backdoor” uploaded to GitHub. And the thing with data is that once it’s out of the barn, there is no telling where it went from there. There’s a hard lesson to be learned from all of this: it’s extremely difficult to control data once you relinquish any control over it, and this control all but vanishes literally one step from that first line of control, as the scope of managing the chain of custody expands exponentially. You can liken this to the old party game of “Telephone”, but instead of the message getting muddled with each person, the security and responsibility get hopelessly mangled literally in the next whispered exchange.
Do you remember when a technology company in the media spotlight usually meant something exciting and shiny was being announced? Those days seem so distant now. Back then, Jobs was giving us “one more thing,” Google was actually trying to not be evil, Flash was still doing amazing things on the web, Facebook was connecting us with long-lost friends and relatives, and Yahoo was the darling search engine and homepage for millions. Unfortunately for all involved, their present-day state reads like a click-bait-y “Where are they now?” article, and it’s just as depressing as you might think, at least as far as Yahoo Mail is concerned.
So where is Yahoo now?
The former internet giant was divvied up in 2015 between Oath Inc (aka Verizon) and a new company called Altaba. Oath took over the ailing portal and email services, while the more profitable parts of the business, including Yahoo! Japan and their investments in Alibaba, were consolidated under Altaba. While it may be hard to comprehend why anyone, let alone Verizon, would pay to take over Yahoo Mail, apparently the revenue potential of millions of eyeballs trying to read emails surrounded by advertising whetted someone’s appetite. Whatever tantalizing profit potential might have existed, it’s considerably less thanks to a $35M fine handed down by the SEC for the company’s failure to inform its investors of the 2014 breach, which, keep in mind, was a paltry 500M accounts breached as compared to the 3 billion accounts breached in the previous year. Oh, and don’t forget, it’s also highly likely that the US government scanned your Ymail for terrorist activity as well. Would you think less of me if I started calling this service “Why-mail”? Or maybe “Y-R-U-still-using-this-mail”. Oh, how the might-Y have fallen. Alright, I’ll stop now, please don’t unsubscribe!
It had all the trappings of a Hollywood blockbuster: a massive data breach, hackers hired by Russian spies, and a secret operation that went on for years undetected. Except for one rather pedestrian and crucial element. According to indictments handed down by the US Federal Bureau of Investigation, the hackers penetrated Yahoo’s security not through some sophisticated cyber-tango of caffeine-fueled hacker artistry. There weren’t any high-tech micro computers covertly implanted into neon-lit server racks following a series of cleverly choreographed hi-jinks. No, the largest single leak of Personally Identifying Information was enabled by a Yahoo employee falling for a spear phishing attack.
Here comes the email security soapbox again!
What’s a spear phishing attack and what makes it different from the rest of the spam you get in your email? Typical spam and phishing emails are sent to as many people as possible in the hopes that a small percentage will click the link or open the attachment, whereas spear phishing is designed to target a very specific audience or even a particular individual. They are typically several levels more sophisticated than the usual garbage clogging our email as the content is custom-tailored to appear believable to the target. While I’m sure many of you are scratching your heads at how a single click on a fake email could lead to the largest breach in history against a storied dot-com darling, keep in mind that in the ongoing plate-spinning war of internet security, the good guys only win if they can keep all the plates spinning, and the bad guys win if even a single plate falls.
There are many lessons to be learned from this incident, but perhaps the most important one of all still remains: every security system is only as strong as its weakest link, and many times that weakest link is a human. Given enough resources, time and determination, any security system can be hacked, and any company or organization can be breached. What’s a business owner to do in light of a seemingly unstoppable force? Just like preparing for two other famously unavoidable eventualities, planning for a security breach will prepare you to react properly and deliberately rather than making a mad scramble for recovery. Not sure how to get started? Pick up the phone and let C2 give you a leg up on getting ready.
Remember when there was nothing more innocent and incorruptible than a child’s teddy bear? For all the potential good the internet can bring, there are some things that should just not get connected, at least until we can secure data properly. The latest black eye for the “Internet of Things” (IoT) comes in the form of a line of stuffed animals that can record and relay messages back and forth between parent and child. While wholesome and lovely in theory, the whole implementation is undermined by poor security and what appears to be a non-trivial amount of carelessness, all the ingredients for a disastrous internet breach. Reports vary, but anywhere from 500k to 800k users’ data was exposed to an unknowable number of unauthorized eyes. This data included both identifying information as well as the actual voice messages from both adults and children.
What this means for you:
If you happened to be the (no longer) proud owner of a CloudPet, you have the unenviable responsibility of trying to explain to your child why they can’t use the thing that made this toy special. Hopefully it won’t be traumatizing. While you may be able to enjoy some schadenfreude from the possibility that the company appears well on its way to failure, this also means that there will be no recourse or recompense for saddling you with a toy that violated your family’s privacy. Not a CloudPet user? Regardless of whether you are a parent, relative or even just a friend, think twice before giving a small child an internet-connected toy. Very clearly, we, and the internet, are not ready for such a thing.
Just under a month ago, Samsung announced that it was recalling/replacing all Galaxy Note 7 phablets shipped prior to early September due to exploding batteries. Roughly two weeks later, news broke that Yahoo more than likely allowed US government agencies full access to the entire breadth of all email accounts hosted by Yahoo, while the fading tech giant was still reeling from a reported data breach and the pending sale to Verizon. Unfortunately both companies are back in the news this week and not for good reason. Samsung’s replacement Note 7s with the less explodey battery have – you guessed it – started exploding again, even putting a customer in the hospital. This incident and at least two other reports of flaming phones have prompted Samsung to halt production on the Note 7, and all major US carriers will no longer sell the device. Yahoo’s troubles continue as well: the now infamous email service has suspiciously dropped the forwarding function from its service, making it more difficult for people to move to another provider. When you combine this mysterious change with the lawsuit against Yahoo’s CEO Marissa Mayer, Yahoo is looking less like a technology leader and more like a troubled company struggling to survive.
What this means for you:
Companies of this size typically have resources enough to pick themselves up and shake off these types of events. Heck, breaches are so commonplace now that most of the time consumers just shrug and carry on. Despite various widespread problems with iPhones (Antenna-gate, Bend-gate, Touch Rot) Apple still manages to sell lots of units every year. While Samsung will undoubtedly take a huge reputation hit in the mobile market, the Korean megacorp itself is so broad that it’s hard to imagine the Note 7 sinking the entire company. If anything, the repeat failure just highlights the complex manufacturing chain that goes into producing our smartphones and will perhaps push Samsung and its competitors to look for safer, better battery solutions.
Yahoo is looking a lot less resilient than Samsung: it doesn’t have the broad product base to fall back on, and one might argue that its most valuable asset – the millions of people who still use Yahoo Mail – is in jeopardy at a time when the company can least afford it. Whether the disappearance of mail forwarding was ill-timed or carefully calculated, the long-term optics look worse than a smoking phablet. Last week’s news of Yahoo’s compromising relationship with US intelligence agencies should have been enough to encourage you to retire your Yahoo account, and their current strategy is not the Hail-Mary play they need to stay in the game.
You know the general public is suffering from security fatigue when something as big as the Dropbox breach appears in the news, and almost as quickly, disappears. In case you blinked, online magazine Vice.com broke the news last week that a database recently surfaced which contains over 60 million Dropbox.com user accounts (email addresses) and hashed passwords. Almost immediately following this news, Dropbox itself issued an email warning to its users that it was resetting the passwords of users who might have been impacted by a 2012 breach. Breach notification site HaveIBeenPwned.com also corroborated the reports that the account information found in the database does contain valid usernames and hashed passwords.
What this means for you:
Even though breach data may be years old, it can still be valuable, especially if the passwords are stored with weak, easy-to-crack hashing. In the case of the Dropbox breach, approximately half of the passwords were hashed with a strong algorithm and are unlikely to be recovered, and the other half were stored with a slightly weaker, but still formidable, hashing method. As proof of their continued value, many databases from breaches as far back as 2012 and earlier are still actively traded and sold on the digital black market, and as technology continues to advance, you can bet that even strongly hashed databases will eventually be cracked. If your account and password only showed up in the Dropbox.com breach, you could consider your password relatively safe (change it anyway!) for now. But if you used the same password elsewhere, and that account was exposed in another breach, like the LinkedIn.com breach that happened in the same year, your security is considerably more compromised. Multiply that exposure for every other breach you were a part of where you used the same password again, and we can’t even account for the breaches that haven’t yet been publicized!
Long story short: check HaveIBeenPwned.com, change your passwords, and don’t reuse passwords!
In what appears to be a record-breaking breach, the information exposed when MySpace was hacked in 2013 has finally been publicly documented by website LeakedSource as containing nearly half a billion passwords for 360 million accounts, dwarfing previous breaches like the US Voter Database Breach (190M), eBay (145M) and Global Payments (130M). What makes this breach particularly egregious is the fact that MySpace was storing this data with very weak hashing (SHA1) and no “salting” (a technique that mixes a random value into each stored password before hashing, so that identical passwords produce different stored values), resulting in a massive password source for hackers and identity thieves.
What this means for you:
Numerically speaking, the odds are that at least one of your passwords (present or past) has been compromised and is likely to be found in either LeakedSource’s or Have I Been Pwned’s databases. Both sites offer a simple lookup tool to check whether your password or passwords have been exposed in any of the numerous breaches that have occurred over the past few years. Depending on how diligent you have been in keeping unique passwords or at least changing them, if a search turns up positive on either site and you are still using that same password or a similar one with minor changes, you should go out and change it immediately. Additionally, if it’s available, you should be using 2-factor authentication to secure any important online accounts, especially email. Lastly, stop using the same password everywhere. It’s only a matter of time before that will come back to haunt you!
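The Dropbox and MySpace items above both turn on how passwords were stored. The following is an added example, not code from this blog or from either company, that shows the difference: with unsalted SHA1, every user who picked the same password gets the same digest, so a single precomputed table of common-password hashes recovers all of them at once; with a per-user random salt and a slow key-derivation function (PBKDF2 is used here, as an assumption, to stand in for the stronger scheme the post alludes to), the same password yields a different stored value for every user and the table is useless. The user records and wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample "breach dump": three accounts, two of which share a password.
USERS: Dict[str, str] = {"alice": "password1", "bob": "letmein", "carol": "password1"}

# Constructed list of common passwords; an attacker precomputes their hashes once.
COMMON_PASSWORDS = ["123456", "password1", "letmein", "qwerty"]

PBKDF2_ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """How MySpace stored passwords according to the post: a bare SHA1 digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_unsalted_dump(stored: Dict[str, str], wordlist) -> Dict[str, Optional[str]]:
    """Defender's audit: how many unsalted digests fall to a one-time lookup table.

    Because equal passwords give equal digests, the table is built once and
    every matching account is recovered with a dictionary lookup.
    """
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table.get(digest) for user, digest in stored.items()}


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: a fresh 16-byte random salt per user, then PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_digests_collide(password: str) -> bool:
    """Two users with the same password: do their stored values match? (They should not.)"""
    _, d1 = salted_hash(password)
    _, d2 = salted_hash(password)
    return d1 == d2


if __name__ == "__main__":
    unsalted_dump = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
    print("unsalted SHA1 audit:", audit_unsalted_dump(unsalted_dump, COMMON_PASSWORDS))
    print("same password, same salted digest?", salted_digests_collide("password1"))
    salt, digest = salted_hash("password1")
    print("verify correct password:", verify_salted("password1", salt, digest))
    print("verify wrong password:  ", verify_salted("password2", salt, digest))
```

The audit function is the kind of check a defender runs against their own stored credentials to measure exposure; the point of the salted version is that the lookup table cannot be shared across users, so the attacker's cost scales with the number of accounts and with the iteration count, rather than being paid once.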
Image courtesy of David Castillo Dominici at FreeDigitalPhotos.net
I really wanted this holiday season to be one of joy and goodwill towards all people, but it seems like the black hats will never rest. Let’s just get the ugliness out of the way: VTech – maker of tech toys for kids – has suffered a data breach that has exposed over five million customer accounts, and worse still, over six million child profiles. As per usual, it seems that the Hong Kong company initially tried to downplay the breach by omitting any numbers or any mention that kids’ profiles might be at risk, but eventually came clean as word began to spread. Even after announcing the number of people affected by this breach, VTech continued to spin the incident and tried to downplay the extent of data leaked, despite proof provided to the media that the data exposed included a year’s worth of chat logs and children’s profile pictures, which were uploaded to VTech’s Kid Connect service, a supposedly secure social media platform that parents can use to chat with their children through VTech’s tablets.
What this means for you:
It’s not clear yet when (if ever) VTech will take action and contact the affected families. Hopefully you will know whether or not you’ve purchased an internet-capable VTech toy for your child and set up the Kid Connect service. The information exposed in this hack has not been released to the internet, and the hacker behind the breach says the info was shared with the press only to expose VTech’s poor security practices, but that’s not to say that it won’t eventually be released. As a parent, you should be mindful of any activity that involves exposing confidential information about your children on the internet (including Facebook!), and this will continue to be more important as more and more toys become increasingly sophisticated, connected and complex. By VTech’s own admission, they were unaware of the security breach until the media contacted them for comment. As a business owner or manager, that is one nasty surprise you don’t want as a holiday gift. Make sure you have a good understanding of what confidential information you do store, and make sure it’s wrapped tight and kept safe, if it has to be kept at all.
Three major companies and a popular crowdfunding website joined the illustrious ranks of the hacked last week. At the forefront of media attention was mobile service provider T-Mobile, who had to explain to nearly 15 million of its customers that anyone who had their credit checked while in the process of applying for T-Mobile service would now be enjoying the “benefits” of a near-perfect (for identity thieves) exposure of their data, including name, date of birth, social security number, addresses, phone numbers and even government-issued ID numbers. Online brokerage Scottrade suffered a breach exposing nearly 5 million customers over a year ago that they didn’t even know about until informed by authorities investigating the matter. Rounding out the list of big names is everyone’s favorite business bad-boy, Donald Trump and his Trump Hotels business, of which seven luxury hotels appear to have suffered a year-long breach in security that allowed thieves to siphon off guest credit and debit card data. And if that wasn’t enough, data thieves also managed to penetrate Patreon, a website used primarily by independent artists and entrepreneurs for fundraising, and exposed over 2 million users’ emails and passwords as well as their specific site activity.
What this means for you:
By this point, if you haven’t at least racked up two years or more of “free” identity theft protection from the numerous data breaches, you have been living the life of a true Luddite and should share the secrets of your success (just not online, right?). What I’ve found among many of my clients, friends and family is that most have just furrowed their brows, shaken a symbolic fist at the faceless enemy/internet/corporation and more or less accepted this as a new fact of life. Many of them haven’t even taken advantage of the credit protection services offered as compensation for being a victim of one or more data breaches. As I’ve mentioned in the past, most Americans are now suffering a near textbook-perfect example of bad news fatigue, primarily because it seems like nothing can be done. But there are things you can do:
- Have a look at Have I Been Pwned to see if any of your email addresses show up. If they do, you should change your passwords, especially if the account that was “pwned” was associated with a password you use elsewhere.
- Sign up for any identity/credit protection services offered to you if they are still available. While they may not be able to prevent an attempt to use your identity, you are much more likely to catch it happening, and these companies can help recover from damage caused by the theft.
- Most critical online services such as banking and email offer two-factor authentication, which provides a much higher degree of security. Even if a hacker has the password for your account, they still need the second factor to get into an account protected by two-factor authentication.
- Understand what data you or your company is responsible for, and if you use vendors to process any of that data, make sure they are exercising proper diligence in securing their perimeter and your data. In the case of T-Mobile’s breach, credit-check vendor Experian was the source of the breach that will likely result in significant financial and reputation distress.