AXEL.org

data breach

A Story of Data Custody in the Modern Age: Part I

Meet Lucas

Lucas is a 25-year old tech support specialist for a medium-sized company in Richmond, Virginia. He’s worked there for the last three years and has risen from a junior employee to his current salaried position. Throughout his time at the company, he’s learned a great deal about computing technology and general cybersecurity best practices. He now reads popular cybersecurity blogs to stay up-to-date and knowledgeable about his field.

“To be honest, in college, I never really kept up on cybersecurity trends. I guess I was too busy keeping tabs on who was attending what party. But after I graduated and got my first real job, I started paying more attention.”

While doing this, however, he has discovered some concerning trends.

“That’s when I noticed two things: 1) Hacks and breaches occur WAY more often than I thought; and 2) Companies are tracking, buying, and selling a LOT of personal data.

When you start following these cybersecurity blogs, there are articles almost every day about massive data breaches or hacks fetching million-dollar ransoms. Then, when you get into the details, you see 10 million, 40 million, 200 million personal records breached. It’s crazy!”

Upon further inspection, Lucas found the sheer number of records breached to be less troublesome than other aspects.

“But that’s only the beginning of the rabbit hole. You start to unpack these breaches and find that the company that left hundreds of millions of personal records vulnerable didn’t have hundreds of millions of users. So, where did those records come from?  Well, they bought them from other giant companies that are doing the same thing they’re doing; mining their users for advertising information. It gets really gross. You finally realize that the individual has no clue about who has their data or how it’s being used and sold.”

“And, it’s kind of a sad progression. You go from feeling shocked, to upset, to powerless in a short period of time. It’s difficult to know where to start in the fight against these kinds of data collection policies. You eventually settle into a hopeless feeling of acceptance. The companies responsible make too much money for anything to change.”

The end of the story?

Luckily, this story does not have to end on such a sour note. There are other tech companies out there, fighting for data privacy and protection. You just have to know where to look!

In an upcoming article, we’ll follow Lucas on his journey as he searches for alternative ways to utilize modern technology. Will Lucas have his hope rekindled? Is there a plausible future that treats individuals like people and not statistics? Check back soon to see how the next chapter plays out.

The Effect of COVID-19 on Data Breaches

The ongoing global pandemic has affected nearly all aspects of life as we know it. One area you may not have considered is corporate security. The landscape of data breaches has transformed since the onset of COVID-19. With little hope for a proven vaccine soon, organizations will probably have to deal with these consequences for a while.

A coalescence of factors

COVID-19 has proven to be a perfect storm regarding cybersecurity issues. Many variables have contributed to this.

First, furloughs, layoffs, and sick leave have reduced the human capital organizations have at their disposal. IT departments have not been spared from the chopping block, either[1]. The decrease in cybersecurity professionals combined with the dip in overall revenues for the majority of companies means resources are limited. Prevention systems are weakened, or at least not fortified, providing ample opportunities for malicious agents to prod and pry.

Another important element is the rise of the remote workforce. COVID-19 has accelerated the transition of employees from the office to the home. According to a recent survey by PWC, the percentage of executives who claim that most of their office staff work remotely at least one day per week rose from 39% before the pandemic to 77% after[2]. New security measures may have to be implemented to deal with a flux of new devices, weak remote access policies, and VPN configurations. This is a massive undertaking and further taxes already-strained IT departments.

Finally, general stress and anxiety levels for employees are high. Not only do they have to worry about protecting themselves from a potentially deadly virus, but there is also great economic uncertainty. People aren’t sure whether they’ll have their jobs a month down the line. This may have the unintended effect of making them less focused on maintaining proper cybersecurity protocols.

Data breach trends during COVID-19

Trends have emerged from this strange, new environment.

Perhaps the most insidious is the prevalence of COVID-19-related phishing attacks. Hackers prey on the fears and concerns of everyday people to gain access to networks. According to research from Verizon, people were 30% more likely to click a suspicious link if it was related to the pandemic[3]. Some organizations fared especially bad, with employee click rates ranging between 30-60%. Knowing this, it’s no wonder coronavirus-based spear-phishing attacks have risen in number[4]. Bad actors are utilizing more effective techniques more often.

Another trend is an overall increase in user error. People are adapting to new working conditions and dealing with digital transformation technology they may not be familiar with, all while in the midst of a global health crisis unparalleled in recent times.

Common examples of user error include the misconfiguration of security software, accidental delivery of sensitive documents to unauthorized recipients, or mistakes with file permissions.

Attacks on unsecured remote desktop protocol machines have also spiked since the start of the pandemic[5]. Hackers have more targets now that so many people are working from home on remote desktop software. They use simple brute-force attacks to take over a system. Then, they can install any variety of ransomware, cryptocurrency mining programs, or secret backdoors.

Similarly, Virtual Private Networks (VPNs) are also being targeted[6]. While sometimes mistaken as remote desktops, they are quite different. A VPN creates an encrypted private network on top of a larger network. Remote desktops just allow users to gain access to their computers from a different location. Remote desktops give the user access to the entire computer while VPNs restrict access to the shared folders on a given network.

This, plus the standard encryption make VPNs more secure, generally. It doesn’t mean that VPNs are cannot be hacked, however. A common trend right now is malicious agents using Distributed Denial-of-Service (DDoS) attacks to overwhelm VPN systems, leaving them vulnerable to breaches.

A DDoS attack is when a hacker gains control of a large number of online computers, then uses them to steer traffic to a specific network. The sudden increase in traffic overloads the networks and causes them to crash.

Cloud-based software is being attacked more often as well. Collaborative tools such as Zoom and Slack have seen significant growth in users and therefore, more attention from cyber-thieves. Up to 1350% more attention, depending on the industry[7].

Popular cloud software is usually developed by large corporations you’d assume would be committed to tight security. The truth is, even if the developer devotes considerable resources to security, vulnerabilities remain. For example, large exploits were found in the Microsoft Azure platform that could have allowed threat actors to gain access to other users’ data[8].

Effects on the healthcare industry

Healthcare providers throughout the world have had a rough year. They are on the frontlines in the fight against COVID-19 and have had their capacities tested. You would hope that they would be able to focus most of their attention on that monumental task, but also, they have had to deal with cybersecurity threats.

For example, in June alone, there were 37 confirmed cases of IT-related data breaches in the healthcare sector[9]. Over a million healthcare records were compromised. These attacks are quite common but pose even larger risks during a pandemic.

Imagine if a busy hospital were to undergo a major hack that left important systems or health records inaccessible. This could have disastrous consequences, especially if the area was in the middle of a spike in virus cases. It could lower the hospital’s capability for patient care, or at least divert important resources.

How can companies be more prepared?

It’s impossible to be completely protected from cyber-attacks, but there are ways to mitigate risk.

The first thing to understand is that you’re only as protected as your weakest link. You may need to do a thorough audit of your network and address the troublesome areas. Perhaps your system is rock solid, but if you have suppliers or outside vendors that have access to the system, you still have potential attack points.

You also need to invest in employee education on best practices. Inform them about the stakes of a breach. Train them on common phishing techniques and proper communication protocol. It needs to be made a priority throughout the entire organization if you want to be as protected as possible.

Ensure your IT department has the resources required to mount a worthy defense. Look into new, exciting security technologies that utilize artificial intelligence and blockchain. AI can act as a constant presence, safeguarding your network and quickly informing administrators about attacks. Blockchain solutions can encrypt sensitive data and protect your file systems from being altered.

Securing data at rest and in motion

It’s disappointing that opportunistic hackers are taking advantage of a fragile moment in time, but not surprising. These malicious agents aren’t interested in doing the right thing. They’re only interested in stealing money and information. Hopefully, through a combination of preventative and mitigating techniques, you can keep your most sensitive data safe.

Axel is dedicated to data security. Our platform, Axel Go, uses blockchain encryption to provide the safest file sharing experience available. If you value privacy and security, download Axel Go today for free and get the peace of mind you need.

 

[1] Galen Gruman, “COVID-related U.S. IT job losses tick up as spike in cases creates uncertainty”, COMPUTERWORLD, Jul. 6 2020, https://www.computerworld.com/article/3542681/covid-related-us-it-job-losses-tick-up-as-spike-in-cases-creates-uncertainty.html

[2] “When everyone can work from home, what’s the office for?”, pwc, Jun. 25 2020, https://www.pwc.com/us/en/library/covid-19/us-remote-work-survey.html

[3] “Analyzing the COVID-19 data breach landscape”, Verizon, Aug. 2020, https://enterprise.verizon.com/resources/articles/analyzing-covid-19-data-breach-landscape/

[4] Fleming Shi, “Threat Spotlight: Coronavirus-Related Phishing”, Barracuda, Mar. 26 2020, https://blog.barracuda.com/2020/03/26/threat-spotlight-coronavirus-related-phishing/

[5] Ondrej Kubovic, “Remote access at risk: Pandemic pulls more cyber-crooks into the brute-forcing game”, We Live Security, Jun. 29 2020, https://www.welivesecurity.com/2020/06/29/remote-access-risk-pandemic-cybercrooks-bruteforcing-game/

[6] Sue Poremba, “Increase in Small DDoS Attacks Could Take Down VPNs”, Security Boulevard, Apr. 7 2020, https://securityboulevard.com/2020/04/increase-in-small-ddos-attacks-could-take-down-vpns/

[7] Lucian Constantin, “Use of cloud collaboration tools surges and so do attacks”, CSO, May 26 2020, https://www.csoonline.com/article/3545775/use-of-cloud-collaboration-tools-surges-and-so-do-the-attacks-report-shows.html

[8] Ronen Shustin, “Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure”, Check Point Research, Jan. 30 2020, https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-i/

[9] Steve Alder, “June 2020 Healthcare Data Breach Report” HIPAA Journal, Jul. 24 2020, https://www.hipaajournal.com/june-2020-healthcare-data-breach-report/

Why Data Breaches are so Damaging and how the Law has Failed Consumers

Very few times in history have a group of people sat down with the purpose of writing a set of new laws to improve society. Instead, what usually happens is that laws are written to solve specific problems. This leads to a litany of laws piling up over the decades. While it could always be debated how effective a particular law might be at accomplishing its goal, the rapid pace of technological advancement over the past 20 years – especially as compared to the pace of the lawmaking process – has introduced new challenges as laws become quickly outdated, sometimes even by the time they take effect.

The results of this are acutely apparent in the cross-section between the fields of cybersecurity and consumer protection, namely data breaches.

The magnanimity of consumer protection laws in the United States were written for a society concerned with immediate product safety and compensation for resulting injuries, not for the nebulous and incalculable injuries that may be sustained by potential millions when private records are exposed.

Why are data breaches so damaging?

The unique problem of data breaches stems from the fact that the breach of privacy carries in of itself no specific harm. Instead, it is the later misuse of information that has been breached that may lead to ensuing harm. However, with data breaches occurring on a near-daily basis, the causality of specific financial or reputational damage is nigh impossible to link to a single breach causally; with our laws written around the concept of calculable damages being the source of justified remuneration, we are left constantly and increasingly victimized but unable to seek just compensation.

Some would argue that even more problematic is the irreparable nature of many of the most severe data breaches. Once a name and social security number are leaked, that identity is permanently and irreversibly at risk for being used fraudulently. While one could always apply for a new social security number, the Social Security Administration is extremely reluctant to issue new identities, and while that is a debate for another time, it goes to show just how difficult it can be to recover from a breach. Victims are permanently marred and at increased risk for future injuries resulting from a single breach, no matter how much time has passed.

Because of the damage resulting from a data breach being so far removed temporally and causally from the actual breach itself, adequate compensation is rarely won, if it is even sought. Was it the Equifax breach, the MoviePass breach, or one of the innumerable other breaches this year that resulted in your identity being stolen and used to take out fraudulent loans a decade from now?

Moreover, even if you should find that it was MoviePass’ negligence that leads to your identity being stolen, what compensation can you seek from a company that has been defunct for years? Our laws were not written to address these issues adequately. Our legal system often does not ponder questions of uncertainty and possibility, and that’s the perfect summary of what victims face in the aftermath of a breach; uncertainty and possibilities.

For all the uncertainty victims face, the solutions going forward as a country are equally opaque.

It would be easy to write some draconian law to punish companies for exposing private data, but as is often the case, that could have unintended consequences, such as pushing data overseas where even looser security and weaker privacy laws may exacerbate the problem. Instead, it’s going to take a significant shift in our collective-consciousness over how data is handled.

Laws written for managing telecommunications and transmissions in that era are being used to handle complex cybersecurity and data privacy cases.

This can’t come just from one party though; companies need to seriously consider what data they need to collect, and what information needs to be retained on a long-term basis. Consumers have to take ownership of their data and demand a higher quality of service from corporations and governments over how their data is collected and used.

As a whole, we must recognize the value of data, and the dangers we expose ourselves to by collecting it (and why it might even be best to not collect data at all in many circumstances).

Just like holding valuables such as gold and art entails a security risk, so too does data. If people started treating data like the digital gold it really is, maybe then we could all come together to work out a solution.

But until then, I’ll be keeping my data to myself.

Projects We Love: PrivacyWall

This is part of our series highlighting startups who share our mission of trying to bring data privacy back to users.

You’ve had a rough week, maybe it’s a relationship or health problem, but either way, you’re feeling down. Fortunately, your family is there for you, and reach out to console you through a few private messages on social media.

Mom: “I know it’s expensive, I’m sorry your health care doesn’t cover it, we’ll do what we can to help you pay.”

Dad: “Don’t worry sport, she’s just going through a phase, I’m sure you guys will work through it.”

Friend: “Hey man, let’s meet up for a drink this weekend, cheer up!”

After reading your messages, you lay down in bed to rest and start scrolling through social media to pass the time until you fall asleep, and you’re astounded by what you find.

Ads.

But not just the usual ads for food, or some new tech gadget.

“Lower your healthcare costs now! Save 20% off market rate plans!”

“Relationship trouble? Local family counseling is available!”

“Cheapest beer in town, and half-price shots on Fridays!”

Maybe it’s just coincidence, or maybe every single thing you say or do online is being tracked and sold to advertisers… That “free” social media website has to make money somehow.

And that’s where PrivacyWall comes in- a startup that is returning data privacy and security to users. By blocking unwanted data collection by everyone from Facebook to Google, PrivacyWall puts you back in the driver’s seat.

Why PrivacyWall?

Every website you visit, every search you type in, every message you send and photo you post, it’s all tracked, recorded, and monitored. PrivacyWall is the “off” switch we’ve been waiting for.

By blocking over 3,000+ trackers from many of the largest tech companies in the world you can once again browse the internet without fear of being tracked like the target of a CIA investigation. We expect privacy in our homes, and we should get the same treatment on the internet.

PrivacyWall even blocks Facebook Connect from building a shadow profile of your online activity when you are not on Facebook. If you didn’t know, that convenient “log-in with Facebook” turns that account you just signed up for into another data collection point for Facebook to build a profile on you.

If you didn’t know that, you aren’t alone. And that’s exactly why PrivacyWall blocks threats you don’t even know about yet. Because you shouldn’t have to become a security expert and worry about your private information being leaked just because you used Facebook to sign-up for a food delivery app, or a dating site, or anything.

You deserve privacy, and PrivacyWall is a step towards a more private world.

6 textbook examples of how NOT to respond to a Data Breach (Seriously guys?)

Yahoo: Do nothing and pray it goes away

Why are we surprised at this?! When Yahoo suffered a breach in 2013, it decided to just keep quiet about the 3 billion accounts that were compromised. Surely this would prove to be an effective strategy?

LOL.

The news broke a whole FOUR years later, in 2017, that 3 billion accounts had been hacked, which is more than the company claimed in 2016, which is the first time anyone heard anything about a data breach. We shouldn’t really be surprised, as “do nothing and pray it goes away” has been Yahoo’s MO for quite some time now.

FriendFinder Networks: Take days to respond and then downplay the incident in a vague press release

FriendFinder Networks is a company that you’d reeeally want to keep your data secure. It operates AdultFriendFinder, a “sex and swinger community,” and when it suffered a breach in 2016, the response was slow and the press release was tepid. The company affirmed that it “encourages users to change their passwords,” and appeared to put most of the onus on the users, commenting that it would contact users “to provide them with information and guidance on how they can protect themselves.” Seriously?

This press release came after days of speculation, which is actually forever if you are a user of an adult website waiting to find out if your data has been made public.

Equifax: Fail to patch software, take forever to disclose breach, let execs sell their shares

Equifax has one of the shadiest timelines of this group, and competition was stiff here!! After failing to patch a known vulnerability in March 2017 in widely used open source software Apache Struts, the data of 143 million US customers was potentially exposed in May 2017. Then on July 29th, days after the breach was discovered, executives sold off nearly $1.8M worth of Equifax shares. Hmm….this looks bad, but maybe there’s something we don’t know here. (Read: there’s not. It’s bad.)

Ticketmaster: Pretend it’s not happening

Ticketmaster was alerted to a possible breach in April of 2018, but decided to do its best impression of an ostrich and just pretend it wasn’t happening until it received apparently irrefutable (or un-buryable) evidence on June 23rd. Online bank Monzo released a statement shortly afterward saying it spotted the breach in April, but Ticketmaster said nah after an internal investigation revealed no evidence of any such breach.

I’m confused. Are we just letting companies investigate themselves now? This is not how any of this should work. Anywho….

Facebook: Deny deny deny

Facebook didn’t suffer a breach. Instead, it voluntarily gave away a treasure trove of user data and then informed us that we had all agreed to it in the terms and conditions. Whoops – we should have read those, but they’re just so boring, and no one can recall seeing a line item that said “we will give away all your data, suckers, and there’s nothing you can do about it LOL.” I think I would have remembered that…..

To its credit, Facebook did admit that its data had been “improperly shared,” but didn’t go so far as to call it a breach. They didn’t go so far as to call us suckers either, but that doesn’t mean it isn’t true.

Exactis: Leave us all in suspense as if our data’s safety was a plot point in a Mission Impossible movie

None of this is entertaining, you guys. Apparently there is a “database with pretty much every US citizen in it” floating around the internet, according to security experts. That seems pretty bad.

But even worse, the company associated with the breach has stayed silent for days, which is deeply bumming out 230 million of us who would kindly like to know if our personal information is available online.

The bottom line

Data breaches are inevitable. Attackers are targeting companies on a daily basis. But ignoring the fact that a data breach has occurred, failing to patch a known vulnerability, putting the onus of dealing with a breach on users, and – most obviously of all – selling off your stock when you have insider information of a breach doesn’t help anyone. Companies need to be honest when they think a breach has occurred, or they risk losing their customers’ trust. And as our data multiplied exponentially, trust is becoming scarce.

How Virtual Reality Is Being Used To Put An End To Cyber Attacks

**This is part of our series highlighting startups who share our mission of trying to make people’s lives just a little easier**

The explosion of new technologies has seen a huge rise in the quantity and – more importantly – the quality of cyber hackers out there. Crude attempts to hack into systems are a thing of the past, and instead expert attackers are collaborating with governments and crime syndicates to do questionable things with data.

For digital businesses in particular, this is a big concern. Large, distributed networks that are scattered around the web lend themselves perfectly to cyber-attacks from sophisticated hackers, and those hackers are more savvy than ever before.

New Israel-based startup Illusive Networks was built to stop these attackers in their tracks – literally (albeit digitally).

Malicious hackers will find every entry point they can to wriggle into a network, often bypassing firewalls that companies thought would protect them and their assets. Because of this, Illusive Networks has said goodbye to firewalls and has instead gone for a different method of creating a new world for the hacker to disappear into (and get lost).

If it sounds like something out of Minority Report, you might be onto something. And, if it sounds a bit farfetched, you’re on the same wavelength as us. I mean, creating a whole new world simply to distract potential hackers seems like a lot of extra effort, right?

This is where it gets interesting.

You’ve heard of virtual and augmented reality, right? These are two new technologies that layer an alternate reality over the top of, well, real reality to bring participants new perspectives and new worlds entirely.

Illusive Networks taps into these technologies and creates a false version of a company’s network to either trap the hackers in an alternate “reality” or kick them out completely.

Isn’t Illusive Networks Just Like the Others?

The answer to this question is, of course, yes and no.

Businesses have access to thousands of different security products these days, and there seems to be a new anti-cyberattack startup popping up every single day.

Because of this, business owners and security leaders are resisting adding even more tools to their security arsenal – the last thing people want or need are noisy alerts every time a hacker tries to break through a digital barrier.

“But technologies that truly look at existing problems in new ways and are purpose-built to help companies deal with the unexpected can deliver significant efficiencies that reduce rather than add to the security burden,” says Illusive Networks’ Founder and CEO, Ofer Israeli. “Distributed deception technology is certainly one of them.”

How Illusive Networks Works

On its website, Illusive Networks says that it:

  • Maps potential paths attackers can take to get to the goods (a.k.a. your most important assets)
  • Finds and gets rid of risky areas that help attackers reach your assets
  • Cloaks your system with thousands of high-fidelity deceptions that trigger an alert when one wrong move is detected
  • Offers real-time forensic reports to help response teams stay in control

But what do all these things really mean? And what even is “distributed deception technology”?

“There will always be a phishing or drive-by attack,” says Israeli. “Humans are the weakest link and always will be and will continue to make mistakes. But once the hacker is in, now we have an attacker who needs to orient himself.”

Essentially, distributed deception means creating a series of fake journeys a potential hacker could take. The aim is to confuse, deceive, and catch them red handed.

Illusive Networks creates an “illusive” version of a company’s network (that alternate reality we were talking about earlier). And, once a hacker finds themselves in this parallel universe, the tool identifies the individual and either keeps them shut in there forever or kicks them out for good.

Think about it: to strategically plan a pathway to the main asset, a hacker needs to consider two things. They need to know what options they have for where they can go next, and they need to know how they can access the powers needed to execute that particular move. In the security world, this two-step process is known as orientation and propagation.

You see, to get to the coveted prize, a hacker needs to make a series of hundreds or thousands of tiny moves – something that Illusive Network aims to put a rapid stop to.

Say, for example, there’s a hacker who has the option to take three different paths towards their next step. Illusive Networks then swoops in with a further twenty choices, of which only three are real and the other seventeen are traps. If the hacker takes any of those seventeen options which, let’s face it, is highly likely with the law of probability, the system is alerted to an unwanted intruder.

Likewise, if a hacker needs to gain credentials to make their next move, Illusive Networks will supply them with tens more credentials than they need so that, again, if they pick the wrong choice the system goes into lockdown.

So, rather than shutting out hackers entirely like firewalls do, Illusive Networks deceives them so it’s almost impossible for them to reach their end goal. The startup has even brought several ex-attackers on board who have shared their perspectives to make solutions more realistic and useful.

Perhaps the most advanced thing about the startup is that neither the professionals working for Illusive Networks nor the hackers can see the deceptions until they walk into them head first. This means the deception sensors are only triggered if someone “bumps into them”, but it also means that it only takes a few moves (out of potentially thousands) for an attacker to be detected and kicked out.

What Does This Mean for the Future of Cyber Attacks and Data Breaches?

Illusive Networks plans to bring a new age of security to digital businesses that will see less hackers succeeding despite them getting more and more sophisticated every day.

Data breaches could be a thing of the past, as distributed deception means hackers don’t have to just navigate one obstacle like a firewall. Instead, there are obstacles all around them (think security lasers in a museum as a real-life example), and every wrong move can be quickly detected.

But while it might be comforting to know that our personal data looks to be safer than ever, the technology behind Illusive Networks might not be limited stopping hackers in the future.

What if hackers start using it to their advantage? These are people that are highly skilled in tech-endeavors, so surely they’re buffing up on this new technology as we speak and working out ways they can use it to their benefit? If they’re not, maybe they’re missing a trick.

Systems like the one Illusive Networks is using are groundbreaking in the war against cyber attacks but only time will tell if they’re victorious.