For the most part, everyone that I speak with has come to accept the possibility that the Internet knows much more about them than they might think. Their acceptance (which ranges from grudging to incredibly blasé) of a faceless, amorphous entity known as “the Internet” being more familiar with them than their neighbors is made acceptable exactly because the Internet has achieved that same omniscient and omnipresent position as “the Government” or “the CIA” or, dare we say, God him/her/itself. These entities are out there, both comforting and ominous, but not personal, not sitting right next to you.
Perhaps we’ve been doing this wrong.
People aren’t scared, upset or even bothered anymore when we tell them their privacy has been invaded by the “Internet”. In truth, that’s a kindness, because the specifics are much more disturbing. A security researcher just uncovered a veritable treasure trove of personal information on nearly 340 million Americans, i.e., all of us. This information was being hosted in an unsecured database by marketing firm Exactis, and it holds close to 2 terabytes of data. And unfortunately for all of us, it’s much worse than credit cards and social security numbers. Instead, it’s much more personal, such as home addresses and phone numbers, number of children in the family, interests, hobbies, habits, shopping preferences, up to 400 variables on each person in their database, including whether they are a smoker, how many pets and what type, and yes, religious affiliation.
If you ever question how online advertising could be so specific, wonder no more. The marketing firms know where their bread is buttered, and firms like Cambridge Analytica and Exactis are sacrificing your privacy on the altar of data aggregation for the almighty dollar. How does one fight back? Make sure you understand where your local congress critter stands on matters like privacy, encryption and regulatory enforcement on failures like the massive Equifax breach for which exactly zero justice or compensation was delivered.
Get out and vote.
Get ready for 1000% of your daily dose of Irony: America’s top surveillance outfit, the National Security Agency appears to have been hacked, according to announcements made by a group known as the “Shadow Brokers” and backed by a sample of data released as proof. Not only that, it may have happened as early as 2013, just days after NSA whistleblower Snowden went public. The spy agency has yet to comment on the matter, though given their usual taciturn stance on sharing information with the public, further enlightenment is unlikely to come from that source. Snowden himself weighed in on the issue shortly after this news became public, attributing the original hack as likely being the Russian government. In a further dose of irony, Snowden currently resides in Russia, presumably as part American exile and part Russian political trophy.
What this means for you:
Before you grab your bug-out bag and head for your internet-proof bunker, make sure you freak out for the right reasons. In this particular instance, the data for sale appears to be code, and not data on Americans (which they are assuredly collecting). Offered as proof of the deed, the Shadow Brokers posted source code of known malware apps the NSA is alleged (by Snowden and others) to have used to break firewalls and other security platforms in use by foreign nations, presumably to allow the install of other covert surveillance software on the computers behind those security measures. Security pundits, including industry vet Bruce Scheier, have evaluated the data released, and in light of the the current political climate between the US and Russia, are of the opinion that this might be a manuever by the Russian government in anticipation of criticism or accusations from the US about the DNC hacks. To put it in more understandable terms, we may be seeing the opening salvos in a new, thoroughly modern Cold War. Instead of warheads and undercover spies as pawns, this one may be waged via the internet through cyber warfare and social media. Ready to head to that bunker yet?
First the country’s largest bank has a huge data breach, and now the nation’s largest bond insurer admits that it inadvertently exposed sensitive customer information through its website. As an example of the old maxim, “Man has no greater enemy than himself,” MBIA, Inc. allowed unfettered access to a subset of very sensitive customer information (think: customer names, account and routing numbers, balances and dividend amounts) via a poorly configured webserver that opened up this data to the general internet. Access was so unrestricted as to allow search engines to index up to 230 pages of information that also included administrative login credentials that could lead to much more significant security breaches throughout the MBIA infrastructure.
What this means for you:
Today’s technology is a resounding testament to how innovative humans are, but equally apt to demonstrate just how fallible we can be. In the digital world, a simple mistake can lead to millions being compromised in life-affecting ways. Most of you aren’t responsible for millions of customers or their data, but imagine if you had to contact your hundreds or thousands of customers with the bad news that “due to a configuration error” their data was leaked to the internet, and probably in the hands of cybercriminals. Whether it is thousands or millions, it would still be a nightmare, especially if your business isn’t big enough to be able to count on the data breach fatigue that has allowed Target, Home Depot and JP Morgan to sail past titanic failures in security. In the end, your security boils down to one thing: humans, not machines. Knowing this, you should always hope for the best (we will get better at this) and plan for the worst: we’re going to make a lot of mistakes along the way!
Another day, another social networking site hacked. This time, unfortunately, it was new internet darling SnapChat that was breached, exposing over four million mobile numbers and user names. The hacker(s) who published the data did so purportedly to compel Snapchat to take action on security flaws in its platform that have been known since earlier in the year, but remained unpatched up to (and even past) the public release on Dec 31, 2013 of the information harvested by exploiting the security flaws.
What this means for you:
SnapChat is very popular with younger generations who moved to the service for a variety of reasons, not the least of which was more privacy (from Facebook-savvy parents and authority figures) and less permanence (Snaps are deleted forever within seconds of being shared). Irony aside, the data exposed in the security breach reveals sensitive personal data from millions of individuals, many of whom are probably minors, a demographic that may include your child(ren).
You can check this website to see if any of your family’s mobile numbers were leaked by this SnapChat hack. While the data released isn’t as sensitive as bits like Social Security numbers, birthdates or debit card pins, some other services do use mobile numbers as identifying data, alongside usernames which many people (including Snapchat teens) like to re-use as part of their online “brand.” Armed even with these slender morsels, clever social engineers can wedge their way into someone’s online presence and use it as a stepping off point for a complete takeover of an identity, leading to credit fraud, theft and much, much worse.
Remember last week when I reported on a “small” privacy blunder committed by Facebook and their data portability app? Security software maker Symantec announced over the weekend that they noticed Facebook’s Android app behaving inappropriately, to the tune of uploading the phone number of the device to Facebook’s servers the first time the app is installed and launched, prior to any logins or other interaction by the phone owner. According to Facebook, they never used this information, and have since deleted it from their databases. Seeing as the Android Facebook app has been downloaded by several hundred million people, up until this “bug” was discovered and remedied, several hundred million people had their phone numbers harvested by Facebook without their explicit permission.
What this means for you:
Maintaining control over the privacy of your personal data requires constant vigilance on your part, and trustworthiness on the part of those who are requesting the use of your data. In this specific instance, a list of several hundred million mobile numbers isn’t very useful without any other meta data, but it highlights the larger issue at hand: can Facebook be trusted to be good stewards of your personal data? Should they have ever been trusted to the extent that most people have up until now? Recent events should put a great deal of caution into even the most open social networker, and should serve as a red-flag warning to everyone. Organizations are only as good as the people who run them. Apps are only as good as the people who program them. If your privacy is important to you, pay close attention to how others respect that privacy. Don’t reward bad or careless behavior with your dollars or loyalty, and don’t let inertia alone keep you from making informed choices.
FYI: “Facepalm”: http://en.wikipedia.org/wiki/Facepalm
There’s a whole lot of spying going on: the US and China continue to bicker over who’s spying on who, and the Washington Post fumbles an early scoop that clearly confuses what may end up being the biggest information leak since the Wikileaks scandal. In the midst of this surveillance brouhaha, the confidential source that triggered the Washington Post story has stepped forward in the form of an IT security analyst employed by the spookiest of spook agencies, the Central Intelligence Agency and the National Security Agency. Based upon the information this whistleblower has provided to news agencies, the American Civil Liberties Union has brought suit against the president, the NSA and Verizon for illegal spying, and more are on the way.
What this means for you:
Though the details are still being argued over, it appears the NSA has had an ongoing warrant with Verizon that has provided them with calling histories for just about any domestic Verizon customer, all under the umbrella of the controversial Patriot Act. Now, before you start worrying if your recorded phone calls will be leaked and become the next YouTube sensation, the information collected is data-based (numbers, times, geographic locations) as opposed to them eavesdropping in on your conversations, Hollywood “listening post”-style. Given the vast computational power the NSA has at its fingertips, this is still amazingly comprehensive, and gives them the ability to very accurately profile any US Verzion customer based upon that history.
Sadly, once again, there’s very little you can do as an individual, other than to write your congressperson, or boycott just about every major telecommunications provider and credit card company out there, because it seems that all of them have been forced to cooperate with the NSA at one point or the other under the Patriot Act. The Wired article also makes a very good point: threats to our security can just as easily come from the inside as the outside. Unfortunately, for all involved, it also demonstrates the trend that trusted insiders can easily become the biggest security breach an organization has ever known.
Have you thought about what access your employees have to confidential information? How much trust have you invested in them? Do you have sufficient controls in place to protect your company from inadvertent security breaches caused by a trusted employee? What if that same employee was to deliberately breach your security?