Capital One Breach

Another week, another breach. This time, credit card company Capital One announced that it discovered a data breach about 10 days ago affecting around 106 million customers. It looks like part of the reason that they waited 10 days to announce it is because they were working with the FBI to get the person responsible. You can read Capital One’s version of events and information about what happened here. If you want more details about how the FBI apprehended the woman responsible for the breach and how she carried out the breach, check out this story on Krebs on Security. It has interesting details like how she was a former employee of a certain cloud service provider and how the FBI found her. It doesn’t look like any passwords or login information was compromised, but keep an eye out for communications from Capital One indicating whether your accounts were affected.

Cyber crime pays

Cyber crime and the need for cybersecurity are not going anywhere any time soon. In fact, all signs indicate it is only going to become more important in the future. This recent article at CPO Magazine discusses the ways that cyber crime is growing and changing and states that digital criminals made off with $45 billion in 2018. That’s 45 billion reasons why you should make privacy and data security a priority in your life and business.

Real time bidding to get ads in front of your eyes

File this under “things that happen while you blink.” The ICO, the UK regulator responsible for data protection, issued an updated report on real time bidding and adtech. While the report is full of details and recommendations, these paragraphs jumped out:

When you visit a website, some of the ads you see have been specifically selected for you. As the site was loading, the website publisher auctioned a space on the page you are viewing, and an advertiser bought it because it specifically wants to reach people like you. The process can involve many companies, and happens in milliseconds. Billions of online ads are placed on webpages and apps in this way every day.

The process – known as real time bidding – relies on the potential advertiser seeing information about you. That information can be as basic as the device you’re using to view the webpage, or where in the country you are. But it can have a more detailed picture, including the websites you’ve visited, what your perceived interests are, even what health condition you’ve been searching for information about.

ICO- Update report into adtech and real time bidding, 20 June 2019

This is happening every day and without the majority of people even thinking about it. It’s another reminder why privacy is of growing importance with modern technology.

Facebook and the FTC

You may have seen headlines the last few days about Facebook getting fined $5 Billion related to its privacy practices and the Cambridge Analytica incident. Upon a closer look, the reports are that it is a proposed settlement between the FTC and Facebook that the FTC approved, but has not yet made public.

Despite the massive number of $5 billion, some people think that Facebook is getting a sweetheart deal. A few senators have already written a letter to the FTC asking questions about the settlement, concerned that it does not go far enough to address the privacy issues with Facebook. According to some data putting Facebook’s earnings at around $16 billion, the fine would represent nearly 1/3 of that. While it is certainly an impressive number that should have some deterrent effect on other would-be privacy violators, it’s hard to know whether it will make a difference at all. On the other hand, it is hard to call $5 billion and 1/3 of yearly earnings a sweetheart deal. In comparison, recent fines proposed for Marriott and British Airways by the ICO for violations of the GDPR topped out at roughly $230 million and 1.5% of yearly revenue. Only time will tell whether these fines will really serve as the deterrent and enforcement tool they were meant to be, but this news about the FTC and Facebook is definitely something to keep an eye on in the coming weeks.

Audit Your Passwords At Least Once A Year

It seems like every week another data breach is being disclosed. One of the latest announced breaches was web invitation service Evite. Unauthorized access to Evite data goes back to 2013 and includes personal information related to over 101 million email addresses–many of which belonged to recipients of invitations who never even used the service. Regardless of whether you used the service, it is a good reminder that you should check your accounts and passwords to determine if your data was exposed in a breach–especially since in a breach like this one, data was exposed for people who didn’t even knowingly sign up for the service.

I recommend going to haveibeenpwned.com and checking to see if your email address has been affected by the Evite breach or any of the other numerous breaches that have happened this year. If your email address was exposed, you should also check to see if your password has ever turned up in the haveibeenpwned Pwned Passwords database. If your email address and password both show up, then it is time to change your password if you want to keep your data secure. You can even sign up to get a notification if your email address ever turns up in a breach.
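As an added illustration (not part of the original post, and not code from haveibeenpwned.com), here is what the Pwned Passwords check does under the hood. The service’s range API takes only the first five hex characters of the SHA-1 hash of your password and returns every known hash suffix in that range, so the password itself never leaves your machine; the comparison happens locally. The endpoint URL and the 5-character prefix scheme are the real ones; the sample response and its counts are constructed for offline demonstration.

```python
"""Check a password against the Pwned Passwords range API (k-anonymity).

Added example, not code from the original post or from haveibeenpwned.com.
The endpoint and 5-character SHA-1 prefix scheme are the service's; the
sample response below is constructed so the script runs offline.
"""
import hashlib
import urllib.request
from typing import Callable, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Return how many times `suffix` appears in a range response.

    Each response line is "<35-char suffix>:<count>". A suffix that is not
    listed (or is listed with count 0, as padding lines are) was never seen."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range for a prefix from the live service (needs network)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of breach occurrences recorded for `password`, 0 if never seen.
    Only the hash prefix is passed to `fetch`; the suffix is matched locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" begins
# 5BAA61E4...). The counts are illustrative, not real service data.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
003D68EB55068C33ACE09247EE4C639306B:3
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in fetcher that serves the constructed sample instead of the network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample range'}")
```

To run it against the live service, call `pwned_count("...")` without the `fetch` argument; the only thing that crosses the wire is the five-character prefix, which is shared by hundreds of other hashes.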

British Airways fined $230 million under GDPR.

While most of us probably don’t pay much attention to the laws in Europe, the nature of the internet means that what happens in one place can affect citizens around the globe. With regard to the General Data Protection Regulation (“GDPR”), the EU’s stringent new data privacy law that went into effect in May 2018, we have already seen it change the face of the web by requiring companies to disclose how they use cookies when you land on a site. Today, we see the beginning of another consequence. The ICO (the UK organization that enforces the GDPR) fined British Airways nearly $230 million for a data breach last year that was part of a Magecart credit card skimming attack. (You can read what I wrote about Magecart here.) There is still a chance that the fine will change, but it shows that the GDPR is serious business. While the rules allow the fine to be up to 4% of annual turnover, this fine ends up being just about 1.5% of British Airways’ annual revenue. With approximately 500,000 people affected by the breach, the fine amounts to roughly $460 per person. This should serve as a stark warning that data privacy is not something to be ignored.

Take time for cybersecurity.

It’s often said that it’s not a question of if you will be the victim of a cybersecurity incident, only a question of when. With the number of privacy incidents and data breaches on the rise, it looks more certain every day that you will be affected. Have you already taken the time to analyze your or your company’s cybersecurity posture? Do you have glaring weaknesses that need to be addressed? Perhaps you have thought about it and already have a system in place that includes a backup. Have you considered how you and your employees will access the data in that backup, and have you actually tested a restore? If you’re the decision maker at your company, are you giving your IT team the opportunity to talk to you and address their immediate concerns? These are just a few of the things that you should be thinking about with regard to your cybersecurity. If you haven’t given this much thought yet, there’s no time like the present to start. If you need help figuring out where to start, I would be glad to help.

There Is No Cloud?

I saw a picture on The Cyber Security Hub’s LinkedIn page that said:

“There is no cloud, it’s just someone else’s computer.”

There were some great points made in the comments under that picture about whether that is an accurate statement. For me, it is an oversimplification that, while generally true, may not be completely helpful. It is like saying that your office belongs to the landlord simply because you are leasing the space from them. While you expect to have privacy and security in your leased space, ultimately the contents are yours, and you are still trusting that the owner/property manager of that space will respect that and meet their obligations to maintain it. You still need to do your part to that end as well—like locking the door on your way out. The cloud works the same way: the provider secures the building, but what you put in it, and who you let in, is still on you.

One of the most important ways you can protect yourself when using the cloud or leasing office space is with the contract you sign. Make sure that the contract is not only protecting the landlord, but serving to protect you and/or your business. Make sure your cloud service agreements are tailored to protect your interests. You may not want to enforce them all the time and enforcing some provisions may prove difficult, but you put yourself in the best position to protect yourself by doing so.

20 Years From Now

For an assignment in the graduate certificate program on cybersecurity I’m doing at UNLV, I was asked to respond to the following prompt:

The year is 2039 and you are getting ready to retire from a management position.  Describe some of the technology and innovations now being used in the prevention, response and recovery of cyberattacks.

This gave me the opportunity to imagine one (extreme?) way things could play out over the next 20 years. Here’s my response (note that it was written before Libra was announced or that would probably be part of the response as well):

As I step down from management, I’m pleased to report that the Company is in the best position it has ever been with regard to cybersecurity.  Thanks in large part to UNWISE (United Nations World Identification Security Exchange) we have not had any significant breaches in the last five years.  As you may recall, UNWISE came about in 2029 in part as a response to the Black Friday Offensive of 2026 coordinated by the cybercriminal hacking syndicate known as the AFANG gang. Following a pre-Thanksgiving coordinated breach of Apple, Facebook, Amazon, Netflix, and Google, using zero-day vulnerabilities, the AFANG gang wreaked havoc and made headlines while a smaller hacker group, believed to have been state-sponsored, took advantage of footholds gained through APTs in several financial institutions to execute a time bomb virus on the morning of Black Friday.  After shoppers made the frantic rush through the stores to grab their doorbusters, the first signs of the attack showed up as payment systems rejected every transaction. It was estimated that $30 billion in damages were experienced worldwide as a result of that breach.  That fateful Black Friday led to major changes not just in the cybersecurity realm, but also in the socio-economic landscape of the world.  The Black Friday Offensive resulted in the financial industry moving to a blockchain-based system based on Bitcoin that avoided the pitfalls of relying on central ledgers.  With each transaction being recorded at multiple blockchain nodes, there is no longer the possibility for a group of hackers to wipe out the entire system. With the financial industry leading the way, the AFANG companies and retail sector were anxious to come up with a better security system.

That clamor for a solution resulted in many different techniques being developed and implemented, some of which we still see in use today.  For example, subcutaneous NFC implants capable of acting as a key for two-factor authentication were widely proposed and adopted by some industries (like the medical industry due to their ease in tracking patients, etc.), but did not gain full support from a large portion of the population, who believed the implants to be the mark of the beast foretold by the Bible.

As political bodies tend to do, it took some time before there was any agreement about what could be done to improve worldwide cybersecurity.  The official UN resolution creating UNWISE was precipitated by a North Korean defector who revealed that North Korea had obtained access to, among other things, the DOD’s cloud, as well as mountains of DNA data from 23andMe and Ancestry.com, to be able to take advantage of the implementation of biometric solutions in cybersecurity.  After forensic investigations confirmed the defector’s report, the UN Security Council decided that the only real way to securely maintain data would be by identifying every person on Earth using biometrics, DNA, and government-assigned identification numbers.  UNWISE was proposed and a protocol was set up for establishing a ledger of the population of the world with as much information as possible about each citizen.  When the EU, known for its protection of privacy in the 2010s, jumped on board, a large portion of the member states were quick to follow and ratify the resolution.  By 2035, 175 of the member states were committed at least in part to participating in the exchange.

With the exchange, it has become easier than ever to authenticate who is accessing data.  Forensic investigations make it easy to narrow down who had access and caused the problem.  While the system is not perfect, it seems to be doing its job.  Taking into account the death rate and some other factors, it is estimated that the ledger will contain some data on at least 99% of the world’s population by 2050.

Of course this was all made possible with the help of quantum computing, AI, and Elon Musk.  Not only did Musk fund the founding of Neuralink computing, but his company’s foray into space exploration made it possible to use cold storage for data on Mars using special satellites not accessible from anywhere but the LC3 (lunar communications command center).  Now, while breaches are fewer and farther between, we can simply recover data by retrieving backups through that system.

All in all, I believe we are on the right track with regard to cybersecurity.  If you had told me 20 years ago that there would be a ledger with information about all the world’s citizens used to prevent cyber attacks and that we would retrieve our backups from Mars via the moon, I would have said you were crazy, but here we are.  I look forward to hearing what developments you all make over the next 20 years as I enjoy my retirement on the beaches of Maui.

The value of your data.

Business Insider has an article up about a bill that would require big tech companies to disclose to their users the value of each individual user’s information. Have you ever wondered how valuable the data that Facebook, Google, and others collect about you is to them? Have you ever thought about why those same companies are so willing to provide you so many “free” services? I suspect that no one really knows the exact cost/benefit for each user of these services, but most everyone would agree that users and their data have value. Keep that in mind the next time you deal with the security of your personal data, and take the extra step to keep it secure. Whether you think about it or not, your data has value!