
Data breaches: The complete WIRED manual



Another week, another massive new vulnerability that reveals your personal information. Names, e-mail addresses, passwords, social security numbers, dates of birth, credit card numbers, bank details, passport numbers, phone numbers, home addresses, driver's license numbers, medical records – all are carried away by shadowy, amorphous hackers for fraud, identity theft and even worse. Sometimes the affected company sends you an email telling you to change a password or credit card number, but these incidents are mostly invisible – until they are not.

Think of data breaches as coming in two types: breaches of institutions that people choose to entrust with their data – such as retailers and banks – and breaches of entities that acquired user data secondarily, such as credit bureaus and marketing firms. Unfortunately, you cannot keep your data completely secure: avoiding data sharing is often impossible, especially with organizations such as governments and health insurance companies. And in cases where a company or institution passes your information on to another party, you have often agreed to share more data than you realize by clicking "I agree" on a dense user agreement.

Many of these incidents do not necessarily even involve hackers. Data "exposures" occur when information that should have been locked down was accessible, but it is unclear whether anyone actually stole it.

Even after a data breach has taken place and an unauthorized actor definitely has your data, you won't necessarily see an immediate negative impact. Hackers who steal a collection of credentials, for example, can quietly use them for crimes under the radar instead of selling or publishing the data. As a result, the impact of a breach can be long delayed and may not fully manifest for years.

Attackers tend to use certain types of data immediately, namely financial information such as credit card numbers. However, some data disappears into the ether and becomes a kind of time bomb. The victims of identity theft, however, know the consequences of data breaches intimately and painfully. They may have their credit ruined by thieves, lose all their money, or be dogged for years by a shadowy hand interfering in their affairs and opening digital accounts in their name.

The problem is so abstract and far-reaching that you would be forgiven for feeling that it is not worth dealing with. Unfortunately, there is no perfect security for victims and no way to completely eliminate all data breaches. But massive institutional breaches do not have to happen as often as they do. Many are due not to complex and sophisticated hacking, but to organizations making fundamental and potentially avoidable errors in implementing their security plans. They are low-hanging fruit for hackers.

Yes, it is a difficult, never-ending process for a large organization to secure its inevitably sprawling networks, but for decades many institutions have not really tried. They have gone through some of the motions without actually making digital security a spending priority. Over the last decade, however, as corporate and government breaches have increased and the data of billions of people has been affected, institutional leaders and the general public have finally recognized the urgency and need to put security first. This increased focus is beginning to translate into concrete privacy and security improvements. But decades of collective inaction have created a security deficit that will take a lot of time and money to make up. And the fact that robust digital security requires a never-ending investment is hard for institutions to accept.

The History of Data Breaches

Data breaches have grown more frequent and harmful for decades. A few, however, stand out as instructive examples of how breaches have evolved, how attackers orchestrate these attacks, what can be stolen, and what happens to data once a breach has occurred.

Digital data breaches started long before use of the internet was widespread, yet they were in many ways similar to the leaks we see today. An early milestone incident occurred in 1984, when the credit reporting agency TRW Information Systems (now Experian) found that one of its database files had been breached. The file was protected by a numeric passcode that someone had taken from a management note in a Sears store and posted on an "electronic bulletin board" – a kind of rudimentary Google Doc that users could access and alter over their landline telephone connection. From there, anyone who knew how to view the bulletin board could have used the password to access the data stored in the TRW file: personal data and credit histories of 90 million Americans. The password was exposed for one month. At the time, TRW said the database password was changed as soon as it learned of the situation. Although the incident is dwarfed by last year's breach of the credit agency Equifax (see below), the TRW lapse was a warning to data companies everywhere – one that many did not seem to heed.

Major breaches like the TRW incident occurred sporadically as the years passed and the internet expanded. By the early 2010s, as mobile devices and the Internet of Things greatly expanded interconnectivity, the problem of data breaches became particularly pressing. Stealing username/password pairs or credit card numbers – even breaching a collection of data that was already gathered from public sources – can give attackers the keys to a person's entire online life. And certain breaches in particular fueled a growing dark web economy of stolen user data.

What is considered a data breach?

A data breach occurs whenever an entity accesses information that was not intended for it. If someone sneakily looks over your shoulder and reads what you are typing, that is a privacy violation. If someone a block away uses binoculars to look through your window and see what you are watching on TV, that is also a privacy violation. You may not think it matters if someone knows you are watching The Good Place, but if you did not intend for them to see what you are watching, it is a violation of your expectations.

One of these incidents was a breach of LinkedIn in 2012, in which 6.5 million passwords were initially disclosed. The data was hashed, or cryptographically scrambled, to make it unintelligible and therefore difficult to reuse. However, hackers quickly started cracking the hashes to reveal the actual passwords of LinkedIn users. Although LinkedIn took precautions to reset the affected account passwords, the attackers still got plenty of mileage out of them by finding other accounts around the internet where users had reused the same password. That all-too-familiar lax password hygiene means that a single breach can haunt users for years.

And what counts as exposure?

Think of an exposure as that same window, but at street level. Anyone who walks by can see what is on your TV. Whether anyone actually does so does not matter – the risk exists. When sensitive data, such as medical records or bank details, is exposed, the stakes are high.

The LinkedIn hack also proved to be even worse than it first appeared. In 2016, a hacker known as "Peace" began selling account information, particularly email addresses and passwords, from 117 million LinkedIn users. Data stolen in the LinkedIn breach has since been reused and resold by criminals, and attackers still have some success exploiting the data to this day, since so many people reuse the same passwords across many accounts for years.

Then What

A common reassurance after a data exposure is that there is no evidence the data was stolen. To a certain extent, it is possible to review access logs and other system indicators to determine this. However, organizations usually have no way of knowing exactly what happened while they were not watching. This is what makes data exposure such a big problem, whether through your window or through a database that a company has left accessible online: it is always possible that someone realized they could view and exfiltrate some information without anyone noticing.

Data breaches did not truly become dinner-table fodder, however, until late 2013 and 2014, when major retailers Target, Neiman Marcus and Home Depot suffered massive breaches one after another. The Target hack, first publicly disclosed in December 2013, affected the personal information (such as names, addresses, phone numbers, and e-mail addresses) of 70 million Americans and put at least 40 million credit card numbers at risk. Just a few weeks later, in January 2014, Neiman Marcus admitted that its POS systems had been hit by the same malware that infected Target, exposing information from around 110 million Neiman Marcus customers along with 1.1 million credit and debit card numbers. Then, after months of fallout from these two breaches, Home Depot announced in September 2014 that hackers had stolen 56 million credit and debit card numbers from its systems by installing malware on the company's payment terminals.

An even more devastating attack was taking place at the same time. The Office of Personnel Management (OPM) is the administrative and human resources department for US government employees. The department manages security clearances, conducts background checks, and keeps records on every former and current federal employee. If you want to know what is going on inside the US government, this is the department to hack. So China did.

Hackers affiliated with the Chinese government infiltrated OPM's network twice, first stealing technical plans for the network in 2013, then launching a second attack shortly afterward in which they gained control of the administrative server that managed authentication for all other server logins. In other words, by the time OPM fully understood what had happened and expelled the intruders in 2015, the hackers had been able to steal tens of millions of detailed records covering every aspect of federal employees' lives, including 21.5 million Social Security numbers and 5.6 million fingerprint records. In some cases, the victims were not even federal employees, but were simply connected in some way to government workers who had undergone background checks. (These checks include all sorts of highly specific information, such as maps of a subject's family, friends, coworkers, and children.)

The stolen OPM data was never disseminated online and never appeared on the black market, probably because it was stolen for its intelligence value rather than its street value. Chinese operatives reportedly used the information to supplement a database cataloging US citizens and government activity.

Nowadays, data breaches are so prevalent that the cybersecurity industry has even coined the term "breach fatigue" to describe the indifference that can result from such an overwhelming and seemingly hopeless series of events. And while tech companies – not to mention regulators – are starting to take data protection seriously, the industry has yet to turn the corner. In fact, some of the most discouraging breaches yet have been disclosed in recent years.

Yahoo lodged repeated contenders for the distinction of biggest data breach ever when it made an extraordinary series of announcements beginning in September 2016. First, the company disclosed that a 2014 intrusion had affected personal information from 500 million user accounts. Then, two months later, Yahoo added that it had suffered a separate breach of one billion accounts in August 2013. Sounds like a pretty unassailable lead in the race to the bottom of data breaches, right? And yet! In October 2017, the company announced that, after further investigation, it was revising its estimate of 1 billion accounts to 3 billion, or every Yahoo account that existed in August 2013.

There are few companies that even have billions of user accounts to lose, but there are still ways for a breach to be worse than the Yahoo debacles. For example, in early September, the credit monitoring company Equifax disclosed a massive breach that exposed the personal data of 147.9 million people. The data included dates of birth, addresses, some license numbers, about 209,000 credit card numbers and Social Security numbers. This means that nearly half of the US population has potentially had its critical secret identifier exposed. Because the information stolen from Equifax was so sensitive, it is widely regarded as the worst corporate data breach ever. At least for the time being.

Equifax also completely mishandled its disclosure and response in the aftermath. The website the company set up for victims was itself vulnerable to attack, and it asked for the last six digits of people's Social Security numbers to check whether their data had been affected by the breach. This meant that Equifax was asking Americans to entrust it with their data all over again. Equifax also made the breach-response site a stand-alone website rather than part of its main corporate domain – a decision that invited imposter sites and aggressive phishing attempts. Equifax's official Twitter account even inadvertently tweeted the same phishing link four times. Fortunately, in this case, it was just a proof-of-concept page, not a real malicious website.

There are many indications that Equifax had a dangerously lax security culture and lacked response procedures. Former Equifax CEO Richard Smith told Congress in October 2017 that he usually met with security and IT representatives only once a quarter to review the company's security posture. Hackers got into Equifax through a known vulnerability in a web framework for which a patch had been available for months. A digital platform used by Equifax employees in Argentina was even protected by the ultra-guessable credentials "admin, admin" – a true rookie mistake.

If any good came of the Equifax breach, it was that its sheer severity may have been the wake-up call America needed. On the other hand, one year after the breach, the frequency of successful attacks does not appear to have diminished. And the scariest thing about the Equifax breach? The data has not surfaced yet.

Data aggregators like Equifax, which pull together an enormous amount of public and private information from countless sources, have become a single point of failure of the digital age. Attackers are increasingly targeting data analytics companies as a one-stop source of valuable information. But hackers still go after the true industry giants, too – if they can find a way in. Just a few weeks ago, Facebook disclosed its first data breach, which gave attackers access to 30 million user authorization tokens. This meant that hackers could access users' Facebook accounts and exfiltrate a significant portion of their personal information. Facebook is investigating the incident with the FBI and has not yet said who was behind it or what they were after.

And the security train rolls on. Marriott and Quora both announced major breaches within days of each other, affecting more than 100 million users. In the case of Marriott, the intrusion occurred in the Starwood Preferred Guest system and lasted four years. Marriott acquired Starwood in September 2016, two years after attackers first infiltrated it, but the intrusion continued on Marriott's watch for another two years. The breach exposed various combinations of personal information, including hundreds of millions of passport numbers, from a total of over 500 million customers, making it one of the top three known breaches.

The Future of Data Breaches

Attackers are able to pull off most of the recent data breaches relatively easily by exploiting lapses in an institution's basic security practices. That was the case with Home Depot, OPM and Equifax. If companies and other institutions learn from these organizations' mistakes, the overall number of data breaches could be significantly reduced. The improvement would not come from making breaches impossible, however. It would come from assuming that a breach is possible and significantly raising the barrier to entry, or the resources required to pull one off. This would deter many attackers, because unskilled hackers (or those just poking around idly) would no longer find so many obvious vulnerabilities that they could easily exploit.

An important concept in security, however, is the idea of cat and mouse. For determined, motivated and well-resourced attackers, improved defenses spur malicious innovation. For this reason, security is an endless effort, one that institutions try to minimize, limit, or avoid – defenders have to think of everything, while attackers need only find one small mistake. An unpatched web server or an employee who clicks on a malicious link in a phishing e-mail is sufficient.

For this reason, some of the most cutting-edge examples of next-generation hacking come from targeted attacks on high-profile individuals and groups – often political candidates, dissidents, activists, or spies trying to infiltrate each other's organizations. Hackers working on such high-priority attacks develop, or pay large sums for, so-called zero-day exploits. These consist of two parts: information about an unknown vulnerability in a system, and software programmed to exploit that flaw to give the person deploying the exploit some form of elevated system access or control. A software developer cannot defend against a vulnerability they do not know about, so zero-day exploits push the limits of what an attacker can do by providing a secret path into a network or database.

What should institutions do?

Lock It Down

Require users to set up strong, unique passwords and two-factor authentication to access network services.

Keep 'Em Out

Implement access controls so that not everyone can access everything. Users should be able to see only the content and applications they need.

Slice It Up

Segment corporate networks so that sensitive data and operations run in separate digital areas and are not accessible from less sensitive parts of the network.

Update It Fast

Apply software updates as they become available. For real.

More attackers may be forced to rely on zero-day exploits to carry out future breaches – raising the resources they need – as corporate, government and other institutions significantly improve their basic cybersecurity postures through initiatives such as consistent patching and tighter network access control. For the moment, though, there are enough easy targets that attackers do not have to work very hard or spend a lot of money to commit massive data breaches. Even publicly available internet scanning tools can uncover unprotected devices and databases exposing valuable information.

Until that changes, US citizens and permanent residents would have more protection against fraud and identity theft if the US government replaced Social Security numbers. These digits were never intended as universal identifiers, let alone as secure authenticators, and it is impossible for people to keep a string of digits secret when they are asked to share it repeatedly over their lifetime. Instead, the US government (like other countries) should offer a dedicated universal identity system that incorporates many different authenticators. That way, even when hackers compromise information, people can regain control of their identity.

Ideally, companies and other institutions holding data would invest indefinitely in rigorously locking down their systems. However, companies always trade off cost, ease of use and risk. There is no easy way to reconcile the three. And even if there were, no security scheme is perfect. So the best way to minimize the impact of a mega-breach is not just to reduce the number of incidents, but to better manage the inevitable fallout.

More information

  • Inside the cyber attack that shocked the US government
    WIRED's dramatic account of the massive hack of the Office of Personnel Management. It really is the breach that has it all, from basic information and Social Security numbers to government background-check data and even fingerprints for millions of people. Plus, Chinese hackers pulling off an epic heist.

  • Yahoo Breach Takes 3 Billion Accounts
    The most accounts ever compromised in a breach. Good times.

  • The Equifax breach was completely avoidable
    The Equifax debacle was a turning point in the history of corporate data breaches, because such sensitive data was exposed and victims were put at high risk of identity theft and other invasive attacks. All this was due to the company's inadequate security measures. WIRED walked through how the company could have prevented the disaster.

  • Equifax's security overhaul, one year after the epic breach
    One year after Equifax discovered the breach, WIRED checked in on the company's efforts to turn things around and prevent another digital security disaster. And while the overhaul was positive, experts were still skeptical that Equifax could ever be fully trusted again.

  • Marketing firm Exactis leaks database with 340 million personal records
    A massive data exposure at targeted marketing firm Exactis may have compromised hundreds of millions of records. Although nobody knows whether the data was actually stolen, it was easily accessible on the public internet, and anyone looking for easy targets could have accessed it. The information would have been particularly valuable to an attacker because it contained detailed profiles of the basic information, preferences, and habits of millions of Americans.

  • Startup Breach Exposed Billions of Data Points
    The Apollo breach exposed billions of records, providing a good example of how tempting "aggregated" data troves are for hackers. When an organization such as Apollo or Exactis collects data from multiple sources into a single repository, it essentially does the attackers' work for them. Everything is in one place, and the data is clearly organized and universally searchable. Often, much of the data in these breaches was already publicly available, but the key advantage for attackers is the one-stop shop.

  • Facebook's First Complete Data Breach Affects Up to 90 Million Accounts
    Facebook is no stranger to controversy over data misuse at this point. However, the data breach disclosed in September was particularly noteworthy, as it was the first known example of an attacker exploiting Facebook's architectural bugs to breach users' accounts and steal their data. In contrast to the company's other missteps – which of course were problematic in their own right – this was a real data breach.


Last updated: December 6, 2018
