When people ask what makes the 2012 LinkedIn data hack and the 2013 Myspace breach different than others, I tell them it shows how little we understand our enemy.
This is obviously because the attacker mind set is constantly evolving, but also because we don’t seem to learn fast enough to check their next move. Anyone remember Sun Tzu’s Art of War? “Know your enemy and know yourself and you can fight a hundred battles without disaster.” Sun Tzu would have made a great IT guy!
Modern hackers are changing – not only are they consistently updating their methods of breaching systems and hijacking data, they’re also becoming more pragmatic and entrepreneurial in the ways they are using stolen data. In essence, attackers are thinking outside the box, while most users don’t even care if the box is there, just so long as it works. This needs to change. When I speak or teach, my goal is to turn people’s thoughts around so they view their information in a way an attacker would.
The highly publicised breach of LinkedIn happened four years ago, while Myspace happened only three, and yet we’re just now seeing the data sold on the market in a remarkably public way. I hear a lot of folks say (or think), “So what? That data is four years old. I only use LinkedIn when I’m looking for a job; I haven’t used Myspace since I graduated high school; they may as well have hacked my Friendster account.”
There are two main problems with this rationale. First you have to ask, what have attackers been doing with your data for the last four years? Was it just sitting stagnant on a zip drive somewhere? Probably not. The odds are an attacker was using your personal data for his or her own illegal purposes, and now that the data is beginning to lose its potency, he or she is offloading it for a price.
The second issue is rooted in how much average users underestimate the shelf life of their own data. There are 167 million emails and corresponding passwords being sold out on the Dark Web, from LinkedIn alone, and while the data is on the latter half of its ‘use-by date,’ it’s still valuable. Why? Because many people are complacent or they think, “it’s not going to happen to me.” But realistically, there are so many accounts to keep track of including email, banking, Wi-Fi and social media passwords; it’s no wonder millions of folks reuse the same password. In fact, out of the 167 million LinkedIn accounts for sale, there will likely be an eight-figure number of credentials that are still valid on LinkedIn, Myspace or on other sites. So while it might not be the same password as your Facebook or Twitter account, it could be the same one you’ve had in your “saved password” chain to unlock your Gmail, iTunes or even your bank account.
According to a 2015 study, the average American has 130 accounts registered to one email address, whether it be for a Pizza Hut account, a free trial of Hulu or just to sign up through Facebook to get free shipping. Our modern approach to password cross-pollination is what puts us at the greatest risk. If one organisation’s data is compromised, odds are there’s a whole row of corresponding dominoes with the same password just waiting to be tipped. But the best protection is also the simplest, yet we can’t seem to get basic security hygiene into our systems.
Not only are they looking at possible “recycled” passwords, but also attackers could use information that you entered “back in the day” to help them engineer more information about who you are today. For example, back when Myspace was “the bomb” and before you knew about over sharing information, what did you post? Did you post anything about your hobbies, places you lived, favorite songs, movies, TV shows, your teacher’s name, your childhood friend, and in the case of my kids, who are now adults, the name of their first pet. Do you see where I’m going with this? Seeing this information could allow an attacker to guess your current password or even know the answer to password reset questions. So while you’re unlikely to ever log back in to your Myspace account, unless you’re trying to track down a post for “Throwback Thursday,” your information is still relevant and dangerous.
As a security professional, one of the most frustrating elements about these incidents is that we haven’t learned from our mistakes. During the September 2015 Ashley Madison hack, one of the most prevalent discoveries was the lack of uninventive challenging passwords. Jump ahead nine months and we’re seeing the same issue with more than 750,000 LinkedIn accounts. In fact, over 170,000 users employed “LinkedIn” as their password for the above-mentioned site, while others used basic passwords like “123456.”
What keeps me up at night, more than the use of simplistic passwords or utilising the same login to order a pizza as you do your finances, is the public’s blasé reaction to this immense data breach, in addition to the blatant openness of those selling the data. Five years ago, a breach like this would have caused an uproar and would spur most to change every password imaginable, albeit to something equally as creative as “654321.” At the same time, the sale of this information would have been hidden in the shadows and sold just as obscurely – but that’s definitely not the case today. We seem to be more upset about things like a 3-hour long wait at a TSA line rather than anonymous attackers selling our personal information to the highest bidder.
Today we’re seeing the data being openly traded on publicly accessible websites. We’re witnessing supposed hackers brag about their exploits and name their next targets over Twitter. In reality, the real issue is that we as consumers are starting to look at these data breaches as an everyday occurrence, ultimately resulting in our defences depleting and making our data even easier to access.
So what can we do to keep our data secure? The first tip is a little counter-intuitive – don’t just change your password, use a password manager. These applications can help you create difficult passwords and keep track of them at the same time. No matter what you decide to use, employing a password manager should be primary the solution for all of your password-protected accounts, including Facebook, online banking, LinkedIn, email, Pizza Hut, and others. The second is to enable two-step verification on all accounts so that there are multiple authentication stages. Many sites already allow for this kind of protective measure, however, it typically must be enabled manually.
Individuals greatly underestimate the power of their data and private information. Keeping it secure should be considered the utmost importance. Even the most modern and technically inclined of IT experts would do well to revisit basic security hygiene. However, in addition to going back to basics, keeping an eye on the latest hacker exploits, trending exploits and security essentials will greatly help IT experts keep both their enterprise and personal systems secure. Personally, I feel as IT professionals, or just digitally inclined individuals, our responsibility is to be ever vigilant in the fight for digital security.