
Uncategorized

September 30, 2022

AXEL News Update

It’s an exciting time for AXEL. Here are our top recent news items:

  • AXEL Secures a New Patent
    • Patent number 11,281,572 is a continuation of our Pervasive Intermediate Network Attached Storage Application patent family. This marks one further step into the realm of innovative and secure digital storage methods.
  • AXEL Partners with the New York City Bar (NYC BAR)
    • Thanks to a new partnership with the NYC BAR, over 25,000 diverse legal professionals now have access to encryption backed by blockchain technology. AXEL Go is a cutting-edge and highly secure method for retrieving, storing, and sharing any amount of sensitive data.
  • AXEL Go launches its $10,000 Data Security Guarantee
    • In response to increased security standards for data among legal professionals, AXEL has launched its $10,000 Data Security Guarantee. This guarantee stipulates a $10,000 payment to a user of AXEL Go who finds themselves subject to a legal malpractice judgement.
  • AXEL completes its integration of AXEL Go into Clio Manage and launches a defensible metadata preservation feature in Secure Fetch.
    • Clio’s 150,000 users can now collect and share files of any size, all within the Clio platform using AXEL Go, the secure file sharing and transfer software. With its metadata preservation feature, AXEL Go is a defensible, cost-effective and easy-to-use option for legal professionals to collect evidence while preserving crucial metadata. For smaller document collections, AXEL Go eliminates the need for costly forensic examiners.
  • AXEL Announces New Partnership with American Bar Association
    • ABA members who are part of the Solo, Small Firm and General Practice Division (GPSolo) can now take advantage of exclusive discounts on AXEL Go.
  • AXEL Partners with Cal Bar Affinity and California Lawyers Association (CLA)
    • California’s legal professionals now have access to AXEL Go. Featuring military-grade encryption and blockchain technology, AXEL Go is an economic and highly secure way to collect, store or share any amount of data or files.
  • AXEL Announces Partnership with Phi Alpha Delta Law Fraternity
    • AXEL is excited to provide all 330,000 members of the Phi Alpha Delta Law Fraternity with access to AXEL Go, the most private and secure way to send and receive data. AXEL continues to encourage awareness and education regarding the importance of data privacy and data custody during Cybersecurity Awareness Month.
  • AXEL Go will soon be integrated with Clio Manager
    • AXEL Go will soon be integrated with Clio, a trusted, secure software for law practice management. Featuring AXEL Go’s signature features including Private Share and Secure Fetch, this new integration will offer Clio users unprecedented control of their most important documents.
  • Another New Blockchain Patent for AXEL
    • On the heels of last week’s issuing, AXEL was approved for another new United States patent. This blockchain patent, 11,132,456, relates to being able to share lists of files, a similar function to what we use on AXEL Go with the Create List feature. It is the 17th patent issued to AXEL. An updated link to U.S.P.O. will be given. AXEL has received word that we have another on the way, bringing the total to 18 patents!
  • AXEL Go featured on KTNV’s Morning Blend
    • AXEL’s VP of Marketing, John Svoboda, talks about how AXEL Go, the next-generation cloud storage and file-sharing application used to collect, store, and share files more privately and securely, can keep you safe from cyberterrorism, hacks and ransomware attacks.
  • AXEL Go receives positive review from Lawyerist
    • Rating AXEL Go 4.8/5 stars, Lawyerist called AXEL Go “a great solution” and “a secure way to get confidential documents from … clients with ease.” Read the full review here.

This page will be updated regularly as the company grows and our technology matures. Please check back soon for more AXEL news!

Filed Under: Uncategorized

September 30, 2022

AXEL Events

AXEL regularly hosts events to educate people on topics such as data security, decentralized technology, digital privacy, and more. Upcoming events include:

  • Summit for Corporate Governance – August 12, 9AM PT. AXEL is excited to be a sponsor of the Summit for Corporate Governance. The conference is focused on modern issues facing boards of directors, and includes panels with sitting directors, legal professionals and law school faculty.
  • TECHLAW.FEST – September 22-24. AXEL is virtually attending 2021 TECHLAW.FEST. Learn about new and innovative legal tech and how AXEL offers security solutions to legal professionals with AXEL Go, the secure file-sharing and storage software.

Our most recent past events were:

  • Connecticut Legal Conference – AXEL sponsored a session at the Connecticut Legal Conference, discussing the importance of data security for all legal professionals.
  • State Bar of Nevada Annual Bar Conference – AXEL is proud to be a featured Exhibitor at the State Bar of Nevada’s Annual Bar Conference held in San Diego, California. We highlighted AXEL Go, our secure, private file-sharing and online storage platform. Nevada attorneys saw how they can meet their ethical obligations to data security by using AXEL Go.

Filed Under: Uncategorized

March 6, 2021

A Breakdown of Virginia’s New Privacy Law

On March 2nd, Virginia Governor Ralph Northam signed a comprehensive data privacy bill into law, making it the second state behind California to enact formal privacy regulations[1]. While it’s difficult to argue this development is a bad thing, the fact that it had widespread approval from Big Tech opens it to scrutiny. Here, we look at the law’s provisions, compare it with California’s measures, and assess the areas where it’s lacking.

Who does this affect?

The Virginia Consumer Data Protection Act (VCDPA) will significantly affect entities known as ‘data brokers.’ A data broker can be one of the high-profile corporations from Big Tech (e.g., Google, Amazon) or one of the lesser-known companies operating in the shadows that gather, analyze, package, and sell consumers’ personal information. According to the VCDPA, data brokers must hit specific thresholds for the law to apply to them. These stipulations include:

  • “Persons” (remember folks, corporations are people too) must do business in Virginia or sell products and services that target Virginia residents.
  • The organizations have to control the data of at least 100,000 Virginia residents. (This number is decreased to 25,000 residents if the company receives half or more of its revenue from selling personal information.)

There are several exemptions, however. For example, organizations do not have to abide by these regulations if:

  • The data they collect from individuals pertains to employment or other commercial information. This means employees aren’t protected from their company’s data collection, and business-to-business data is still a free-for-all.
  • They are in the financial services, research, credit reporting, healthcare, or educational industries.
  • They are a designated non-profit.

So, already there appear to be some loopholes.

What are the new privacy provisions?

The VCDPA outlines new expectations that applicable data brokers must follow.

  • Data brokers must gain explicit consent before processing “sensitive data.” This would include racial makeup, religious beliefs, health records, sexual orientation, genetic data, or a person’s precise geolocation.

It also grants consumers a variety of new data rights.

  • The right of access. Now, Virginians can request to know all the information a company collects on them.
  • The right of correction. Consumers can request a company correct wrong information, and they have to comply.
  • The right of deletion. Individuals can request the deletion of their data.
  • The right to opt-out of targeted advertising, data selling, and profiling.

Unfortunately, there are more exemptions for these too. Organizations can get out of many of these information requests if they feel complying would cause an “unreasonable burden.” They also do not need to comply if the data collected is pseudonymized (meaning they replaced identifying info with pseudonyms).

Starting in 2023, any company found in non-compliance with the terms of the VCDPA will have 30 days to correct their course or be subject to a $7,500 fine for each violation.

Compared to the CPRA

California is the other state with data privacy laws on the books. The recently passed California Privacy Rights Act (CPRA) set the national standard. How does the VCDPA stack up? Overall, they’re very similar. There are a few key differences, though:

VCDPA is more limited in scope. It’s a bit semantic, but where the CPRA exempts specific personal data types, the VCDPA exempts entire industries like healthcare and education. This slightly shrinks the net of data protections.

VCDPA doesn’t apply to employees or commercial data. Under the CPRA, employees have the same protection as consumers. Unfortunately for Virginians, the VCDPA explicitly excludes employee or business-to-business data.

VCDPA has no private right of action. This means that residents aren’t allowed to sue offending companies for damages. California’s privacy law gives individuals the right to sue for up to $750 for violations.

Criticism

Privacy groups like the Electronic Frontier Foundation (EFF) levied scathing critiques of the bill[2]. Other than the lack of a private right of action as mentioned above, it was also slammed for facilitating ‘pay-for-privacy’ programs, where businesses could charge consumers not to collect and sell their information.

Another complaint is that the law would force consumers to opt-out of collection rather than opt-in. Obviously, this creates an unnecessary barrier to privacy and makes the default invasive. Most people are too busy to go searching for opt-out links. It’s why some privacy advocates believe it protects the interests of companies more than consumers. The fact that Big Tech behemoths Amazon and Microsoft both offered support for the bill[3] backs up this assertion.

Regardless, it’s better than nothing. And, like the CPRA following up the CCPA after only a few years, it is possible to improve on privacy regulations in the future. Nothing is perfect, and in squabbling over the details, sometimes advocacy groups lose sight of the forest for the trees.

Any regulatory improvement is good, and the process is likely to be iterative over time. The VCDPA may not be a giant leap toward the end goal of robust data privacy laws, but it’s a healthy first step. It is one lawmakers can build upon, and it provides an example to the rest of the country. At some point, federal data privacy laws will be on the table, and having test programs like this will inform lawmakers about what works and what doesn’t.

Building solutions and bringing awareness to data custody

AXEL is committed to providing data custody to its users. We never sell your information to third parties or mine your account for data. Our developers design privacy-based software solutions that keep your content away from the greedy hands of data brokers and Big Tech. AXEL Go is a blockchain-backed file-sharing and storage platform with optional encryption features. You can share and store files online without the worry of who else can see them. Take data privacy into your own hands. Ditch Big Tech and try AXEL Go today.

 

[1] Cat Zakrzewski, “Virginia governor signs nation’s second state consumer privacy bill”, The Washington Post, March 2, 2021, https://www.washingtonpost.com/technology/2021/03/02/privacy-tech-data-virgina/

[2] Hayley Tsukayama, “Virginians Deserve Better Than This Empty Privacy Law”, EFF.org, Feb. 12, 2021, https://www.eff.org/deeplinks/2021/02/virginians-deserve-better-empty-privacy-law

[3] Cat Zakrzewski, “The Technology 202: Virginia is poised to pass a state privacy law”, The Washington Post, Feb. 11, 2021, https://www.washingtonpost.com/politics/2021/02/11/technology-202-virginia-is-poised-pass-state-privacy-law/


Filed Under: Privacy, Uncategorized Tagged With: ccpa, cdpa, cpra, data privacy, GDPR, privacy law, VCPDA, virginia privacy

January 8, 2021

China Hacks the Planet – Part II

Part I of our series on China’s state-sponsored hackers summarized the motivations, methods, and underlying structure of their cyber divisions. In Part II, we delve into some of China’s well-known Advanced Persistent Threat (APT) groups and their high-profile attacks.

APTs

China employs (or has employed) dozens of APT groups over the past decade. They’re so prolific that covering them all would be outside the scope of this blog. However, here are a few noteworthy examples:

APT 1

As one could guess from its name, APT 1 was the first Advanced Persistent Threat group ever named. The group began operations in 2006 (a year before Apple released the first iPhone). Part of the People’s Liberation Army (PLA) Unit 61398, they were linked directly to the communist government of China. In fact, according to an in-depth report on APT 1 by the cybersecurity firm Mandiant, they received fiber-optic infrastructure provided by a state-owned corporation under the auspices of national defense[1]. This was no two-Yuan hacking unit. Hundreds of hackers worked in the group from 2006-2014.

The majority of their attacks targeted the United States. They stole sensitive information from the country’s IT, aerospace, and engineering sectors, among many others. Using advanced techniques, they infected networks, pilfered data, and left with only small traces of evidence they were ever there. Specialists in phishing, APT 1 hackers disguised .exe and zip files as common Adobe PDF files to avoid suspicion.

High-profile APT 1 attacks

  • The first known attack attributed to the group was against a Japanese wing of the cybersecurity company Symantec. It was unknown at the time, but in 2012 news outlets reported the hackers stole the source code to the Norton antivirus software[2]. With the source code, APT 1 had what they needed to find all the program’s vulnerabilities and exploit them as necessary.
  • In 2012, APT 1 infiltrated Telvent’s network. Telvent was a multinational energy company with operations in the United States, Canada, and Europe[3]. This fits the group’s modus operandi of targeting infrastructure-related organizations. It served as a great way to spy on other countries’ energy grids and allowed China to steal proprietary smart grid technology.
  • One of the most interesting cases is the 2011 hacks by the group Anonymous. Anonymous is a famous hacker gang that rose to prominence by carrying out DDoS attacks against the Church of Scientology in 2008. In 2011, the Guy Fawkes mask-donning hacktivists attacked the cybersecurity firm HBGary Federal in retaliation for its investigations into the group. Strangely, the Mandiant report linked above ties APT 1 to these hacks[4]. Is China a significant part of Anonymous? It seems possible.

APT 1 was extremely prolific, with hundreds if not thousands of victims over its active years. After the aforementioned Mandiant report was released, the group slunk back into the cyber shadows. Analysts believe it broke up and its assets were distributed to other, more contemporary hacker groups.

In 2018, malware code associated with APT 1 resurfaced in an attack[5]. Most cybersecurity experts do not believe it was the old hacker gang, however. Most likely, a different Chinese APT group used the old code after APT 1 disbanded.

Mustang Panda

Coincidentally, 2014 wasn’t only the year APT 1 went silent; it’s also when Mustang Panda became active. They weren’t noticed until three years later, when the cybersecurity firm CrowdStrike observed them targeting a U.S. think tank[6].

At first, they mostly set their sights on international non-governmental organizations and targets within the Mongolian government. They soon moved on to bigger fish, however. Recently cybersecurity professionals deemed them responsible for two major incidents.

Coronavirus-based Phishing

The global COVID-19 pandemic provided hacker groups such as Mustang Panda the opportunity to phish unsuspecting victims. While unfortunate, it has proven to be an effective tactic. By using emails with malware attachments and links related to the coronavirus, people are more likely to open them. Mustang Panda is targeting Taiwan and Vietnam specifically with fake emails intended to lure victims wanting information about the pandemic.

The Vatican gets attacked

Unapproved religions are not looked at kindly by the Chinese government. The Catholic Church cut off diplomatic ties with China in 1951, and only recently are the frosty relations beginning to thaw. While dialogue between the Holy See and Chinese officials has started, Mustang Panda recently hacked Vatican officials to gather intel about the Church’s intentions[7]. Not exactly establishing new relationships built on trust.

APT 41

APT 41 is well-known for targeting video game companies in their attacks. Active since at least 2012, they differ from other Chinese hacking groups in that they use custom malware tools typically reserved for espionage for financially-motivated attacks[8]. For example, in 2014, they hacked the Southeast Asian distributor of video games such as League of Legends, FIFA Online, and Path of Exile. They infiltrated their production environments and inserted malware to accumulate millions of dollars in virtual currency. Then, they used money laundering techniques to cash out. Besides video game companies, they also target healthcare, pharmaceuticals, retail, telecoms, education, and other related sectors.

In September of 2020, the United States Department of Justice charged five Chinese citizens affiliated with APT 41 with multiple felonies[9]. They are still at large and are thought to be in China.

The tip of the iceberg

There are many more Chinese APT groups out there worth mentioning. There may even be more hacker codename Panda groups than actual pandas in the wild! It’s got to be close. China has the most resources and money out of any of the big state-sponsored hacking institutions. With the amount of success they’ve had, they probably won’t be stopping their activities any time soon. That’s why companies and government organizations worldwide need to be aware of their systems’ dangers and vulnerabilities. Investment in robust cybersecurity protections needs to be standard, not a secondary priority. Protect your data. Protect your company.

Securing data in motion and at rest

AXEL specializes in providing file transfer and storage solutions that prioritize security. Our platform, AXEL Go, utilizes blockchain technology, the InterPlanetary File System (IPFS), and password encryption to keep your important files safe and out of the reach of hacker groups. You can sign up for a free, full-featured Basic account and try it out with 2GB of storage and enough AXEL Tokens to fuel thousands of ordinary shares. Those needing more storage can pay for one of our reasonably-priced premium plans. Stop putting your organization’s sensitive information at risk and use AXEL Go.

 

 

[1] “APT 1 Exposing One of China’s Cyber Espionage Units”, FireEye, 2014, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

[2] Jim Finkle, “Symantec Hack: Company Admits Hackers stole Norton Source Code in 2006”, The Huffington Post, Jan. 17, 2020, https://www.huffpost.com/entry/symantec-hack-norton-source-code_n_1211043

[3] Brian Krebs, “Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent”, Krebs on Security, Dec. 26, 2012, https://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/

[4] Pierluigi Paganini, “Mandiant report links Anonymous 2011 hacks to APT1 campaign”, Security Affairs, Feb. 22, 2013, https://securityaffairs.co/wordpress/12525/hacking/mandiant-report-links-anonymous-2011-hacks-to-apt1-campaign.html

[5] Brian Barrett, “The Mysterious Return of Years-Old Chinese Malware”, Wired, Oct. 10, 2018, https://webcache.googleusercontent.com/search?q=cache:axHpd0d7GZMJ:https://www.wired.com/story/mysterious-return-of-years-old-chinese-malware-apt1/+&cd=1&hl=en&ct=clnk&gl=us

[6] “Threat Group Cards: A Threat Actor Encyclopedia”, Thailand Computer Emergency Response Team, https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Mustang%20Panda%2C%20Bronze%20President&n=1

[7] Shannon Vavra, “Suspected Chinese hackers impersonate Catholic news outlets to gather intel about Vatican diplomacy”, cyberscoop, Nov. 23, 2020, https://www.cyberscoop.com/chinese-hacking-catholic-church-vatican/

[8] “APT41, a dual espionage and cyber crime operation”, FireEye, https://content.fireeye.com/apt-41/rpt-apt41/

[9] Catalin Cimpanu, “US charges five hackers from Chinese state-sponsored group APT41”, ZDNet, Sept. 16, 2020, https://www.zdnet.com/article/us-charges-five-hackers-part-of-chinese-state-sponsored-group-apt41/


Filed Under: Uncategorized Tagged With: APT 1, APT 41, china hackers, china malware, cybersecurity, Intellectual property, IP theft, Mustang Panda

December 4, 2020

A Look into North Korea’s Legion of Cyber Criminals

When it comes to infamous hacker gangs, Russian ones seem to garner the most attention. However, North Korea’s state-sponsored group is just as formidable. Here, we attempt to break down the rogue nation’s cyber army and see how it operates.

Bureau 121

The Reconnaissance General Bureau (RGB) of North Korea is the country’s intelligence agency, consisting of six different “bureaus.” Formed in 1998, Bureau 121 is the cyber warfare sector of the RGB. According to an intelligence report from the United States Army, this branch consists of four subgroups[1]. These include:

The Andarial Group: Andarial members assess targeted computer systems and identify vulnerabilities to use in future attacks.

The Bluenoroff Group: This group focuses on financial crime. Cyber theft is one of North Korea’s biggest revenue streams.

Electronic Warfare Jamming Regiment: They are in charge of jamming enemy computer systems during actual, on-the-ground war scenarios.

The Lazarus Group: The most notorious part of Bureau 121, the Lazarus Group is an agent of social chaos. They infiltrate networks and deliver malicious payloads.

The Lazarus Group is often synonymous with the other three units, especially the financial crime division. It is unknown how many individuals comprise Bureau 121, but it is estimated to be thousands. Members often reside in other countries like Russia, China, Belarus, India, and Malaysia. This helps obscure the true origin of attacks and provides more robust electronic infrastructure to the malicious agents. Due to worldwide economic sanctions and a generally low industrial capacity, North Korea itself does not have access to the resources necessary to carry out large attacks.

An elite organization

North Korea’s internal policies and actions are opaque to the international community. However, defector testimony claims that the nation’s top computer science students from the University in Pyong Yang make up Bureau 121. These talented hackers then enjoy special privileges in North Korean society[2]. Instead of rundown tenements or rural farmhouses, they receive relatively posh (by North Korean standards) uptown apartments in the capital. With these kinds of unheard-of perks, it’s no wonder that people desire the positions.

Significant revenue generation

North Korea’s illicit digital activities replace a portion of what’s lost due to sanctions and flawed policies. In 2019, a United Nations report concluded that the rogue country gained $2 billion from cyberattacks[3]. Now, that sounds bad, but maybe it’s some sort of Robin Hood situation, where they steal from the rich to provide food and essentials for their ailing citizens? But no, the money actually went to their weapons division, specifically the nuclear weapons program. This makes North Korean hackers a threat to global security.

Notable attacks

2013 South Korea Cyberattack

In March 2013, North Korea unleashed a devastating cyberattack against their neighbors to the South. Utilizing the “DarkSeoul” malware, they infiltrated banking and media institutions throughout the country. Their top two television stations, the Korean Broadcasting System and MBC, suffered widespread computer issues but were able to stay on the air.

Popular banks such as the Shinhan Bank, Jeju, and NongHyup reported outages for their online banking and in-person services alike. Some even had their internal files erased. Luckily, they recovered most of the data from backups and restored operations within a few hours. Although resolved relatively quickly, it was still proof North Korea could cause chaos to their enemies.

The Sony hack

The November 2014 hack of Sony Pictures remains one of the most-publicized cyberattacks in history. It was a massive data breach that exposed a mountain of sensitive info. This ranged from personal information regarding employees and inter-office emails to plans for upcoming films, scripts, and complete cuts of then-unreleased movies.

If anyone doubted whether North Korea was responsible for the attack, it was all but verified when the hackers made their demands. The most adamant requirement was for Sony to nix the release of “The Interview.” For the readers out there unfamiliar with the intricacies of the Seth Rogen/James Franco buddy comedy genre, The Interview starred the famous duo attempting to assassinate the Supreme Leader of North Korea, Kim Jong Un. In the face of the hack, and under threats of terrorism by the attackers, Sony pulled the movie from theaters and released it online only.

The Sony hack was a huge deal. It led the United States to bring formal charges against North Korea and increased tensions to a point from which relations have never really recovered.

WannaCry ransomware

WannaCry is another extremely high-profile cybersecurity incident. In May of 2017, using a Microsoft Windows vulnerability, WannaCry infected hundreds of thousands of computers in less than a day! While only receiving a paltry (by successful ransomware standards) $130,000 in ransoms, the virus made a huge practical impact.

The biggest example of this was the attack on National Health Service hospitals in England and Scotland. Many of them had to turn away non-life-threatening emergencies, and the incident disrupted ambulance service throughout the region.

After the attack, the United States held a Congressional hearing with security professionals to solicit ideas about improving resiliency to such situations.

Recent activity

The hacks above had the most significant impact on global cybersecurity, but that doesn’t mean Bureau 121 slowed down in recent years. On the contrary, they’ve been extremely busy! The increased popularity of cryptocurrency gives entities like the Lazarus Group an easy way to transact with the organizations they attack and launder the ransoms afterward.

They outright target cryptocurrency-related companies too. Research indicates they use the professional social media platform LinkedIn to lure in unsuspecting employees and spear phish to penetrate network vulnerabilities[4]. These underhanded tactics result in lucrative ill-gotten gains. According to the UN report mentioned above, $571 million out of the $2 billion revenue was from cryptocurrency theft.

Phishers target AstraZeneca

Using the LinkedIn phishing method, the Lazarus Group set their sights on pharmaceutical giant AstraZeneca in late November. State agents posing as high-level recruiters flooded their employees with fake job offers. Then, they emailed the targets with malware attachments. Luckily, no one fell for the scheme, but it shows that Bureau 121 isn’t burdened by any moral compass.

AstraZeneca is one of the companies working on a viable COVID-19 vaccine. Cybersecurity researchers believe that North Korea is focusing on COVID-related organizations at the moment[5]. As one of only 11 countries without a reported COVID-19 case[6], perhaps they don’t see the harm in attacking a vaccine maker. For the rest of us, we can only hope they fail.

Protect your data

When you think of state-sponsored hacking groups, you may assume they only attack political targets. However, rogue nations like North Korea gain a considerable portion of their revenue from such endeavors, as you’ve seen. Therefore, assume that any organization with network vulnerabilities and substantial cashflow is susceptible.

Protect your sensitive data from threat actors by using AXEL Go to store and share files. AXEL Go is built on secure blockchain technology and utilizes robust encryption to keep your documents safe and private. It is available on Windows, Mac, iOS, and Android. So, no matter where your platform allegiances lie, you can enjoy secure, private file sharing. Our free basic account offers all the great features of AXEL Go with 2GB of free online storage. Download it now.

 

[1] “North Korean Tactics”, Department of the Army, July 2020, http://www.documentcloud.org/documents/7038686-US-Army-report-on-North-Korean-military.html

[2] Ju-min Park, James Pearson, “In North Korea, hackers are a handpicked, pampered elite”, Reuters, Dec. 4, 2014, https://www.reuters.com/article/us-sony-cybersecurity-northkorea/in-north-korea-hackers-are-a-handpicked-pampered-elite-idUSKCN0JJ08B20141205

[3] Michelle Nichols, “North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report”, Reuters, Aug. 5, 2019, https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX

[4] Anthony Cuthbertson, “North Korean Hackers Use LinkedIn for Cryptocurrency Heist, Report Reveals”, The Independent, Aug. 25, 2020, https://www.independent.co.uk/life-style/gadgets-and-tech/news/north-korea-hackers-lazarus-linkedin-cryptocurrency-a9687086.html

[5] Jack Stubbs, “Exclusive: Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca – sources”, Reuters, Nov. 27, 2020, https://www.reuters.com/article/us-healthcare-coronavirus-astrazeneca-no/exclusive-suspected-north-korean-hackers-targeted-covid-vaccine-maker-astrazeneca-sources-idUSKBN2871A2

[6] Kaia Hubbard, “Countries Without Reported COVID Cases”, U.S. News, Nov. 13, 2020, https://www.usnews.com/news/best-countries/slideshows/countries-without-reported-covid-19-cases?slide=13


Filed Under: Cybersecurity, Uncategorized Tagged With: bureau 121, cybersecurity, hackers, lazarus group, North korea, north korean hackers, ransomware

May 27, 2020

Privacy in the Time of Data Breaches: How Blockchain Keeps Information Safe

If you spend much time on the internet, it’s inevitable that you’ll run into the term “blockchain” eventually. It’s usually mentioned in connection with things like Ethereum or Bitcoin – electronic currencies that pride themselves on anonymity. However, blockchain is more than just a fancy form of financial security. The basic tenets of blockchain can be applied to essentially every kind of internet exchange possible.

This includes storing your private information. With so much personal information stored online today, data privacy is a hot-button issue. Data breaches happen daily. From giant corporations down to individual users, mainstream methods of data storage as they exist today leave everyone vulnerable. However, moving to a blockchain-centric method of information storage could help put an end to big data breaches once and for all.

What Causes Data Breaches?

Companies that work with sensitive information typically keep records of this info. Items such as credit card numbers, social security numbers, medical history and more are stored by everyone from hospitals to Amazon to your local grocery store. When it comes to storing information today, there’s one mainstream method: centralized storage.

In the early days of the internet, the speed at which computers could communicate was slow. For companies to work with significant amounts of information, it was mandatory that it be somewhere local. Many companies had their own server banks that stored only their information. These servers were frequently connected to the local network and nothing else. Having to interact with information on the internet was too slow to be useful for everyday business.

As the internet grew, however, two things began to change. First, internet speeds increased. Whereas it used to take hours to download a short video, many people now have the speed to stream movies in high-definition instantly. Second, hosting companies began to emerge. These companies run server banks and take on the cost of the hardware, maintenance, and electricity that storing a lot of information requires. With quicker internet and the option to cut their own expenses, most companies outsourced their data hosting. Instead of a bunch of decentralized, disconnected servers, there are a few centralized, highly-connected server farms.

Unfortunately, this new arrangement provides another perfect environment to foster data breaches. Before, getting into a small company’s servers was a lot of work for little payoff. They may not even be accessible through the internet, depending on the business. However, a big server farm that hosts websites for some and databases for others needs to be connected to the web. Getting into the system may be difficult, but the payoff could be the credit card info for thousands or even millions of people. Many hackers think that the time spent is worth the results.

The Equifax breach is a good example of a modern data breach. Equifax maintains records of the financial information of most US citizens. Hackers got access to servers containing 148 million people’s social security numbers by slipping through inadequate security on Equifax’s online complaint portal. Because of security flaws, that portal was connected to other, more important servers. If Equifax did not have such centralized systems, or if they had updated their security, this would not have been possible.

Blockchain: Privacy without Trust

Because most security systems require things like updates, renewed certifications, and passwords, they are subject to a lot of human error. The Equifax breach occurred in part because people stored passwords in plain text and a single encryption key wasn’t updated. By removing the option for human error from the equation, information becomes much more secure.

That’s where decentralized networking comes in. In decentralized networks, the control of the network is distributed between the nodes (or servers running the blockchain and the network) as opposed to being collocated within the same server center (centralized). This makes it much harder for hackers and others to breach the network. As an example, if a hacker were to pursue breaching Equifax, they would know to start with Equifax. But breaching a blockchain network that is both decentralized and distributed is a much larger task, and the hacker has no way of knowing what the payoff would be.

Blockchain networks share the blockchain itself (a public ledger) among all the nodes on the network. Every node has a copy of the entire blockchain. This means that every node can be sure that every other node has the right chain information because they are all identical. This is where the trust between nodes in a decentralized network comes into play. In order for a blockchain to be corrupted, a hacker would need to take control of the majority of the nodes in the network. Specifically, the hacker would need to control 51% of these nodes (https://www.investopedia.com/terms/1/51-attack.asp) in order to make any changes to the blockchain. Naturally, this is a significant undertaking for any hacker, especially since they would not know what is being managed through the blockchain and so have no way of knowing what their rewards would be.
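The replication and majority rule described above, as an added example that is not AXEL's code or any real blockchain's consensus protocol. It is a simplified model that counts nodes, as the paragraph does; the ledger entries, node names and function names are all hypothetical.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64

def block_hash(block):
    """SHA-256 over the block's canonical JSON form."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def append_block(chain, payload):
    """Link a new block to the hash of the block before it."""
    prev = block_hash(chain[-1]) if chain else GENESIS
    chain.append({"index": len(chain), "prev": prev, "payload": payload})

def chain_is_valid(chain):
    """Each block must carry the hash of its predecessor."""
    return all(
        block["prev"] == (block_hash(chain[i - 1]) if i else GENESIS)
        for i, block in enumerate(chain)
    )

def majority_tip(nodes):
    """Tip hash held by more than half of the nodes, or None."""
    tips = Counter(block_hash(chain[-1]) for chain in nodes.values())
    tip, count = tips.most_common(1)[0]
    return tip if count * 2 > len(nodes) else None

def build_nodes(count=5):
    """Replicate one constructed sample ledger to `count` hypothetical nodes."""
    ledger = []
    for payload in ("alice->bob:5", "bob->carol:2", "carol->dave:1"):
        append_block(ledger, payload)
    return {f"node{i}": json.loads(json.dumps(ledger)) for i in range(count)}

def rewrite(chain, index, payload, relink=False):
    """Alter one block; with relink, recompute later links to hide the edit."""
    chain[index]["payload"] = payload
    if relink:
        for i in range(index + 1, len(chain)):
            chain[i]["prev"] = block_hash(chain[i - 1])

if __name__ == "__main__":
    nodes = build_nodes()
    honest = majority_tip(nodes)
    rewrite(nodes["node1"], 0, "alice->bob:500")
    print("naive edit valid?", chain_is_valid(nodes["node1"]))
    rewrite(nodes["node2"], 0, "alice->bob:500", relink=True)
    print("majority still honest?", majority_tip(nodes) == honest)
```

An edit to one copy either breaks that copy's hash links or produces a tip hash the other nodes do not hold; in this model the altered history is accepted only once more than half of the copies carry it.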

Managing personal data such as files through a decentralized and distributed network also offers security advantages over centralized solutions. The InterPlanetary File System (IPFS) is one way this can be done. Essentially, every file or document or financial transaction would be given its own cryptographic hash. The files are stored somewhere, and in order to get them out, you must know their exact hash. Without that info, you can never get to the file. That allows for servers around the world to hold information without anyone being able to access the information fraudulently. Instead of relying on centralized server farms and their security, blockchain and IPFS allow for people to host things on small, decentralized servers without worrying.
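Hash-addressed storage as described above, shown as an added example that is not from the original post or from IPFS itself. It goes one step further than the paragraph by splitting a file into chunks listed in a manifest, and it assumes plain SHA-256 hex digests rather than IPFS's real identifier format; `Node`, `add_file` and `fetch_file` are hypothetical names.

```python
import hashlib
import json

CHUNK_SIZE = 4  # tiny on purpose so the sample file spans several chunks

def address_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Node:
    """Hypothetical untrusted storage node: a plain address -> bytes map."""
    def __init__(self):
        self.blobs = {}

    def put(self, data: bytes) -> str:
        addr = address_of(data)
        self.blobs[addr] = data  # identical content is stored once
        return addr

    def get(self, addr: str) -> bytes:
        data = self.blobs[addr]  # KeyError when the hash is not known
        if address_of(data) != addr:  # never trust the node's answer
            raise ValueError(f"blob {addr[:8]} failed verification")
        return data

def add_file(node: Node, content: bytes) -> str:
    """Store chunks, then a manifest listing them; return the root address."""
    chunks = [content[i:i + CHUNK_SIZE] for i in range(0, len(content), CHUNK_SIZE)]
    manifest = json.dumps([node.put(c) for c in chunks]).encode()
    return node.put(manifest)

def fetch_file(node: Node, root: str) -> bytes:
    """Rebuild the file, verifying the manifest and every chunk by hash."""
    chunk_addrs = json.loads(node.get(root))
    return b"".join(node.get(a) for a in chunk_addrs)

def demo():
    node = Node()
    root = add_file(node, b"constructed sample record")  # constructed input
    assert fetch_file(node, root) == b"constructed sample record"
    # The node swaps one chunk's bytes while keeping the original address.
    first_chunk = json.loads(node.blobs[root])[0]
    node.blobs[first_chunk] = b"EVIL"
    try:
        fetch_file(node, root)
    except ValueError:
        return "tamper detected"
    return "tamper missed"
```

The address proves that the bytes returned are the bytes that were stored, but the node holding a blob can still read it, so sensitive files should be encrypted before they are added.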

Where Equifax had its complaints portal running on a centralized server, blockchain would make that unnecessary. Through decentralized apps (dAPPs), everything from websites to games to entire banking systems could be run through decentralized networks. This is the Internet 3.0. It’s the next stage of the web’s evolution. So far, we’ve come from tiny, poorly connected sites (Internet 1.0) to big, centralized sites (Internet 2.0). We can make it to the next step: big, useful, decentralized sites, apps, financial systems, and more.

Blockchain vs. Breaches: A Clear Winner

A big data breach is only possible if many people’s information is stored in one place. Blockchain and decentralization not only make breaches difficult, they make centralization irrelevant. There’s no need to store many things in one central place when you can store it on a network with complete confidence in your privacy. The blockchain process is the next step in the evolution of the internet. From finances to healthcare to social media, blockchain and decentralization will help us all maintain ownership over our own data, no breaches allowed.

