Cybersecurity in 2018: the bad, the worse and the downright nasty
Here are your instructions. You’ve got 24 hours to complete them and another 24 hours to report back to us. It was hot that morning. The thermometer quickly leveled at 25°C, which, luckily enough for me, was 10 degrees shy of the temperatures we’d had endured earlier that month in Belgium. I had 24 hours ahead of me to pass my OSCP exam, not knowing what challenges I’d face over the next day. A few hours later, I had passed the exam and officially became a hacker. At least on paper. I had a couple of years of hands-on experience, but rather form the side line. I still don’t fully know what exactly triggered me in shifting my security involvement into the next gear, but looking back at 2018, it looks like like my timing couldn’t have been any better.
“Going so far as filing an affidavit before the supreme court saying the data cannot be hacked or breached is a downright lie that puts an entire nation at risk”
Just like in the previous years, 2018 had its fair share of data breaches. However, it’s rather impressive of how those breaches have evolved over those years. Because of the increased awareness, breaches seldomly go unnoticed anymore. And that’s a good thing. It’s still unclear whether the number of breaches itself has actually dramatically increased or if these breaches are simply becoming more apparent.
What’s increasing on the other hand is the size of those breaches. Gone are the days of small, relatively-confined breaches. Cases or over 1 million leaked records are becoming more and more common. This is perfectly illustrated by the most notorious cases such as Quora (100 million), Under Armour (150 million) and Marriott (500 million). To put things into perspective, a study by Gemalto has shown that in the first half of 2018 approximately 4.8 billion records were released into the wild. That’s more than two times the amount of records when compared to the same period in 2017. The increase in severity is illustrated by the fact that more data was disclosed while the amount of incidents slightly decreased.
What worries me personally is that IBM, in the meantime, conducted studies to check the cost of these breaches. How counterintuitive as it sounds however, there doesn’t seem to be a trend in the cost increase when compared to the last years. As years move past, the average cost of a data breach seems to hover somewhere in between 3.5 to 4 million dollars. That’s rather odd though. One would believe that more records would have a higher financial impact, but this doesn’t seem to be the case. Despite the details on cost mitigation and addition, the report remains pretty vague about the evolution. I think these figures deserve a more detailed look.
At the same time, the same study shows that only 48% of the data breaches were caused by a malicious act. The others can either be attributed to human error or a system glitch. While those causes are still pretty vague, it’s safe to say that a lot of data loss nowadays can still be “easily” remedied by taking more care. In other words, more than half of the data breaches could have been avoided. That’s another aspect of data security worth looking into as it surely puts things into perspective.
And then there’s the downright nasty. When you work in the cybersecurity business, you just know that sh** happens. No matter how well-prepared you are, there’s always the chance of being outsmarted. However, when disaster strikes, you’d expect companies to act appropriately. Most of them do. But Facebook isn’t like most companies.
Let’s start with a quick rewind to the Cambridge Analytica scandal. At first, there were reports of “only” 270.000 users being affected, which, by itself, is already pretty bad. Later reports taught us, however, that the initial target group had been (ab)used to mine the data of over 80 million users, all completely unaware of what their data was being used for.
As if things couldn’t get any worse, 50 million users saw their sessions compromised in September. This didn’t just put the private data of those users at risk, but also those of every single connected third party account for people using Facebook as a login provider. The only decent communication from the tech giant was to log out their users. Set apart from information distributed by the international media, victims could simply guess what was actually going on.
At the same time, apparently, a separate issue exposed photos from almost 7 million users to apps that weren’t supposed to see them. Among those photos were images that were uploaded but never posted.
Then there were the six4three mails. This time it wasn’t user data that found its way to the streets, but rather a compelling collection of internal mails, shedding a light on Facebook’s own internal conversations and workings. The contents aren’t pretty really and, to me, these documents were the final convincing argument to permanently wipe and close my Facebook account after 10 years on the platform.
Finally, as I was writing this article, word came out that Facebook handed several companies unrestricted access to its users’ private messages. Just as we thought that the tech giant would learn a couple of lessons in privacy, it simply told the world that there are some convincing arguments why it let other giants dig through our private lives without any restraints.
The downright nasty
Just when you think things can’t get any nastier in terms of cybersecurity, there’s the Aadhaar case. For those unaware of what Aadhaar is, I’ll share a bit of info first. Aadhaar is world’s largest biometric ID system, predominantly aimed towards Indian residents. It contains over 1 billion records and is managed by the Indian UIDAI, which in turn falls under the jurisdiction of the Indian Ministry of Electronics and Information Technology.
If there’s any strong case against the central storage of extremely sensitive information, such as biometrical data or even data that’s indirectly related to biometrics, that case would be Aadhaar. Even though the Indian government persistently claims that the services by itself haven’t been breached in any way, there have been substantial reports of breaches throughout the year.
The most notorious report of them all, published by Gemalto, claimed hundreds of breaches had struck the system in the first months of 2018. Yet it was withdrawn in September, followed by the company offering their sincere apologies to the Indian government. Without taking a speculative stance, that by itself is already pretty strange. Gemalto is a world-class player and one would imagine them verifying claims about data leaks in the first place. Having Gemalto turn the cheek and telling their report was completely wrong is a completely different league. It’s worth noting that the Indian government is a customer of Gemalto, as the company is heavily involved with the country’s electronic driving license program. Needless to say I’m intrigued.
Nevertheless, there are countless other reports on the matter. It is worth noting that Aadhaar isn’t a stand-alone solution. It’s actually a central database, which in turn allows the government and a large crowd of third parties to use the data contained within. And that’s where it gets really gory. Each single endpoint that has access to Aadhaar becomes a potential backdoor by design. Think about it. One poorly designed endpoint, one single exploited flaw and you inherit all the access rights of said endpoint. As a matter of fact, it has happened. Two major documented cases — one by The Tribune, the other by ZDNet — involved both news outlets investigating sources who either sold Aadhaar info on the cheap or found vulnerabilities that went unpatched for months. In both cases, the UIDAI, yet again, denied any security issue and claimed this was just another case of fake news. However, as time goes by, there are more and more claims of leaks and breaches. All have one thing in common: the UIDAI keeps on nodding like a stubborn child even before they possibly could have started any proper investigation.
Even though I have yet to see any leaked record that can be conclusively matched and verified, I listed this case as “downright nasty”. Not because of the scale of the attack, but mostly because of the UIDAI’s attitude towards cyber risk. As Troy Hunt previously pointed out in his view on Aadhaar, there’s no possible way to make any system completely “hack-proof”. Claiming that your system is 100% secure and going so far as filing an affidavit before the supreme court saying the data cannot be hacked or breached is a downright lie that puts an entire nation at risk.
The possible consequences for the people who have been coerced into enrolling by their own government are devastating. Yet here you still have a very stubborn state and its system that is flawed by design, has been highly controversial since the start and contains data that leaves the door wide open for identity theft on a never-seen-before scale.