2014 was quite the year for high-profile hackings and puffed-up politicians trying to out-ham each other on who is tougher on cybercrime. I thought I’d assemble some of the year’s worst hits to ring in 2015.
In no particular order:
Home Depot: The 2013 Target breach that leaked around 40 million customer financial records was unceremoniously topped by Home Depot’s breach of over 56 million payment cards and 53 million email addresses in July. Both companies fell prey to similar infiltration tactics: the hackers obtained passwords from a vendor of each retail giant and exploited a vulnerability in the Windows OS to install malware in the firms’ self-checkout lanes that collected customers’ credit card data. Millions of customers became vulnerable to phishing scams and credit card fraud—with the added headache of changing payment card accounts and updating linked services. (Your intrepid blogger was mysteriously locked out of Uber for a harrowing 2 months before realizing that my linked bank account had changed thanks to the Home Depot hack and I had no way to log back in without a tedious customer service call. Yes, I’m still miffed.)
The Fappening: 2014 was a pretty good year for creeps, too. Without warning, the prime celebrity booties of popular starlets like Scarlett Johansson, Kim Kardashian, Kate Upton, and Ariana Grande mysteriously flooded the Internet in the September event crudely immortalized as “The Fappening.” Apple quickly jumped to investigate its iCloud system that hosted the victims’ stolen photographs, announcing shortly thereafter that the “celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions” rather than any flaw in its system. The sheer volume produced and caliber of icons violated suggests this was not the work of a lone wolf, but a chain reaction of leaks collected over time triggered by one larger dump. For what it’s worth, some dude on 4chan claimed the Fappening was the product of an “underground celeb n00d-trading ring that’s existed for years.” While the event prompted a flurry of discussion about online misogyny, content host ethics, and legalistic tugs-of-war over DMCA takedown requests, it unfortunately did not generate a productive conversation about good privacy and security practices like I had initially hoped.
The Snappening: The celebrity-targeted Fappening was followed by the layperson’s “Snappening” in October, when almost 100,000 photos and 10,000 personal videos sent through the popular Snapchat messaging service, some of them including depictions of underage nudity, were leaked online. The hackers did not target Snapchat itself, but instead exploited a third-party client called SnapSave that allowed users to save images and videos that would normally disappear after a certain amount of time on the Snapchat app. (Although Snapchat doesn’t exactly have the best security record anyways: In 2013, contact information for 4.6 million of its users was leaked online before the service landed in hot water with the FTC earlier this year for “deceiving” users about their privacy practices.) The hackers received access to a 13GB library of old Snapchat messages and dumped the images on a searchable online directory. As with the Fappening, discussion surrounding the Snappening tended to prioritize scolding service providers over promoting good personal privacy and security practices to consumers.
News about the Epsilon breach has spread relatively slowly. The breach of data held by an email service provider is bad—no question—but it’s not terribly consequential. Emails aren’t generally kept private.
But the Epsilon story may soon heat up. The presence of an email address on a list creates inferences about aspects of a person’s life that may be sensitive. So it is with GlaxoSmithKline’s lists related to prescriptions. As the Coalition Against Unsolicited Commercial Email points out, correlation between email addresses and interest in particular drugs makes spear-phishing attacks more potent. Fraudulent email that is tailored to a medication a person takes will have a higher uptake than average, and could be used to defraud people on matters relating to their health.
But is it helpful to exaggerate this serious threat? CAUCE titles its post: “Criminals Now Know What Prescriptions You Take.” Thought leaders like Jules Polonetsky have picked up that meme and run with it.
For people who are not data-literate, a likely implication of “criminals know what prescriptions you take” is that criminals have access to lists of the prescriptions they take. A person on ten different medications might think that criminals know each and every prescription he or she takes. That’s more frightening than knowing that an association between one or two prescriptions and an email address is available to criminals. (It’s possible that people have signed up for email relating to each of their prescriptions, all of which are from drug companies who use Epsilon as their email service provider, but I think it is unlikely and rare enough to treat as an irrelevant outlier.)
What criminals know is that people are on lists related to prescriptions. Many do take that prescription. Some used to take that prescription. Some have a loved one who takes it, some sell it, some prescribe it, and so on.
What’s the point of this observation? Not much. But under the rule of media and politics—“if it bleeds, it leads”—we may soon see a media and policy stampede. That stampede will treat an important security issue that deserves careful attention as a techno-cyber-apocalypse that demands immediate overreaction.
Well, then, this post (via Adam Shostack) is for you!
“Dissent” goes through the numbers revealed in the first year of data breach reporting under the Health Insurance Portability and Accountability Act regulations. The post gives extremely light treatment to the possibility—indeed, the likelihood—of noncompliance with the regulations due to unawareness of breaches or judgments that reporting is more dangerous than not reporting.
But one also must wonder . . . Why does this matter?
Data breach notification is the grown-up version of the schoolyard taunt: “Your epidermis is showing!” The questions are: What part of the epidermis? And what social or economic consequences does it have?
Of course, these statistics may be interesting and relevant to security professionals, but harm is where the rubber hits the road for consumer protection. (See this interesting colloquy recently on Concurring Opinions.) Some data breaches have some relationship to consumer harm, but gross breach statistics don’t seem to be a window onto harm prevention.
Recall a couple of years ago when I lauded Google – and also picked on them – for making customer data “more anonymous”?
“‘Anonymous’ is correctly regarded as an absolute condition,” I wrote. “Like pregnancy, anonymity is either there or it’s not. Modifying the word with a relative adjective like ‘more’ is a curious use of language.”
The challenge of these concepts – “anonymized” or “de-identified” data – is still around, and it’s still a difficult one.
Here’s a sophisticated take on the question:
Information is increasingly difficult to classify as “identified” or “de-identified,” particularly as it is copied, exchanged, or recombined with other information. With rapidly evolving technologies and databases, it is more appropriate to describe a spectrum of “identifiability,” rather than a binary classification of information as identifiable or not. The question could then become not whether deidentified information might be made re-identifiable, but rather which entities would be able to re-identify the information, how much effort they would have to expend, and what limits are placed on their doing so.
And here’s an advocacy group apparently lacking that sophistication. They treat information as flatly “de-identified” in a legal filing about a New Hampshire law that bans the sale of prescription drug data for marketing purposes:
[T]he Prescription Information Law does not implicate patient privacy. While it purports to protect privacy interests, the statute regulates patient de-identified information.
Here’s the thing: Both quotes were issued by the Center for Democracy and Technology.
Earlier this month, Google made news when it announced that its cloud computing productivity suite Google Docs had suffered a technical glitch that temporarily compromised a subset of users’ shared documents. After becoming aware of this glitch, Google notified its users via email and posted an entry to the Official Google Docs Blog that offered a more detailed explanation of what happened.
It turns out that a bug in Google’s permissions code was causing certain documents that had been shared by their author with other users but subsequently unshared to remain visible to those users. By the time Google notified its users, the bug had already been resolved, and Google estimates that only around 0.05% of all documents were vulnerable due to the glitch. As to how many documents were actually viewed by unauthorized parties, it’s unclear at this point.
All in all, the Google Docs glitch, while troubling, seems relatively minor as far as bugs go. Nevertheless, the Electronic Privacy Information Center’s Mark Rotenberg jumped on the chance to attack Google, as he often does when Google makes news for anything privacy-related. Yesterday, EPIC filed a complaint with the Federal Trade Commission that called on the FTC to investigate Google’s privacy safeguards, order Google to shut down all cloud computing services—including Gmail, which has 26 million users—pending a thorough privacy evaluation, and force Google to pay $5 million to a fund that would be set up for “privacy research.”
Watchdog activist groups like EPIC can play a useful role in the public discourse on privacy, helping to publicize unsavory behavior by companies and educating consumers about keeping data secure. Unfortunately, however, these groups’ admirable focus on protecting privacy sometimes edges on the myopic, causing them to overreact to data breaches and sometimes even call for regulatory interventions that are decidedly anti-consumer. EPIC’s latest complaint about Google is a classic example of this.
In response to Adam and Berin’s excellent introduction to their Googlephobia series, invaluable TLF commenter Richard Bennett succinctly sums up the rap on Google.
There’s no denying that Google has the capacity to do some pretty heinous things with all the sensitive data stored on its servers. But the relevant question isn’t whether Google could do evil, but whether it realistically will. What incentive is there for Google to do anything but keep private data as secure as humanly possible? Sure, Google could earn a nice chunk of change if it were to sell user search queries to the highest bidder. But why would Google put its entire business on the line for a comparatively insignificant short-term gain?
A major privacy breach is Google’s nightmare scenario. If anything happened to cause users to lose trust in Google, they’d go someplace else for email and search. Advertisers would follow suit, causing Google’s stock price to plummet. Google might never be able to recover from a severe privacy fiasco. Obviously, Google is well aware of its vulnerabilities on privacy, which is why Google has incredibly strong safeguards to ensure that sensitive data can’t be uncovered by a rogue product manager with an itchy trigger finger.
Then there’s the liability issue. The multi-billion dollar lawsuits that would ensue were Google to suffer a data breach or an internal leak would deal a serious financial blow to the company, especially because Google’s privacy policy is more than just a comforting statement—it’s legally binding.