Not a day goes by without hearing about another company being hacked and user information being exposed or stolen. Hackers are getting smarter and more creative and it seems that many companies and users still have that mindset of ‘it won’t happen to me’.
The reality is harsh and every successful breach/hack means that the effort put in by the perpetrator has paid off, leading to an increase in the overall usage of their attack method. Unfortunately, people tend to be complacent about security when hacks and breaches that don’t affect them directly, which is why many attack methods involve direct communication with the victim.
2019 is already on track to be the worst year for data breaches.
- Twitter has experienced yet another hack via their SMS system in which it’s CEO, Jack Dorsey was targeted.
- Facebook exposed millions of users’ profiles publicly.
- British Airways’ e-ticketing system security flaw exposed passengers’ personal data.
- Multiple American facilities and institutions (health services, educational institutions, electrical grids, municipalities) have been compromised.
- Data stolen from a popular health tracking app, MyFitnessPal, containing approximately 150 million users was seen being sold on the Dark Web.
- Garmin SA’s online shopping portal was compromised in September, exposing personal/private client information including credit card and cvv details.
These examples give the general idea of how much stolen data circulates on the open internet for anyone with malicious intent to utilize in their schemes. This year alone has seen a collection of 2.7 billion identity records, consisting of 744 million unique email addresses and 21 million unique passwords posted on the web for sale. Publicly available information from social media used alongside breached data makes for a pretty convincing threat letter or ransom note.
By now, many of you would have received the following emails or similar. Hopefully, these would’ve been sent straight to the junk folder or deleted.
Examples of recent hacks:
‘Undeliverable package’
This is a phishing email which looks to be from DHL, but is not, asking to confirm delivery details for a package that could not be delivered. This is fake as no packages were ordered by the intended recipient.
‘I know your password’
In this second example, an email is received from an unknown sender with the recipient’s password in the subject and body. The email also claims that the recipient’s computer was infected with a RAT (remote administration tool)- type malware, recordings were captured, and should the user not pay their information would be leaked. Again, none of the information in this email is true except for the password. This is a generic threat letter which was scripted years ago but still proves very effective.
With both of the above examples the user’s information, email and password, were exposed in one or more of the many data breaches. Once email addresses are out in the wild, they very quickly get added to spam lists and the users would end up receiving hundreds of spam emails every month. In a worst-case-scenario, the user’s information gets used against them as crucial accounts are targeted and some even suffer from cases of identity theft. The hardest aspect of these breaches is knowing whether you’re affected or not. Luckily, web services like Haveibeenpwned assist in discovering whether any accounts, business or personal, have been exposed. However this web service relies on people actively checking whether their accounts have been compromised and this is where the problem of complacency arises. Many will check the site for whether or not their information was compromised but grow tired of the task after a while. Logically speaking, people have busy lives and don’t always find the time or remember to do regular breach checks. The open source web browser, Mozilla Firefox, recently released a new feature which allows a user to track whether their accounts were breached or not and alert the owner should one be found. The service is free, easy to set up, supports multiple accounts and tracks all the latest public breaches going back to 2007.
Mozilla Firefox breach Monitor
Another new addition to web browsers for improved privacy is DoH or DNS over HTTPS. This is a relatively new web protocol which has only been around for two years. The DoH protocol is designed to perform remote DNS (Domain Name System) resolution via HTTPS (Hypertext Transfer Protocol Secure) which encrypts the transmission data between the DoH client (Device’s web browser) and the DoH-based DNS resolver (e.g. Cloudflare DNS servers). Simply put, it prevents the transferred data between a device’s web browser and the internet (before it reaches its intended website) from being manipulated or eavesdropped upon by man-in-the-middle attacks.
Currently the technology is still in the testing phase and is not completely ready to roll out. When implemented, it’ll add an extra layer of protection when using the internet as hackers will have a much harder time intercepting the traffic. At the same time, it’ll also be difficult for online tracking services like advertising and/or an ISP (internet services provider) to track the websites visited by a user who has DoH enabled. For those who prefer to live a private life on the internet, this may be a very appealing feature. It also makes a lot of sense to use in a business environment where privacy and security are key. The feature is still experimental but is available in Mozilla Firefox and coming soon to Google Chrome.
All in all, privacy should matter to everyone who uses the internet which has grown into a vast forest of inter-connected platforms like online stores, social media, communications, IoT devices, cloud storage, games, business resources, Big Data, advertising companies and many more, with no end in sight. There’s a growing need to privatize the information that spreads across the internet every second and without privacy and security at the forefront, 2019 may only be the tip of the iceberg for data breaches in the future.