Cyber Security / Privacy

With all the data hacks that we learn about on a regular basis, coupled with the ones we don’t know about, shouldn’t we just assume that all of our information is out there already? Is it worth taking painstaking and costly measures to try to prevent what may be inevitable? If GDPR and the CCPA were in place at the beginning of the internet age, it could have helped. But it seems to me that the bottle is devoid of genie. Thoughts?

I should clarify that I’m referring to personal privacy concerns of individuals. I’m pretty sure that many corporations and governments have indeed been successful in protecting secrets and intellectual property. If there’s enough value to protect, the investment will be made.

I’m not sure I’d assume everyone’s full data set (SSN, address, DOB, etc.) is all out there, but certainly a goodly percentage of it is. There’s such a glut of people’s Name-Address-SSN available on the criminal market that it’s not worth that much anymore. I think I heard that an individual’s full ID information goes for a couple bucks now. This is one reason why ransomware and cryptojacking are the attacks du jour. My full ID information was compromised back in 2010 or 2011, and every year since then someone tries to file a fraudulent tax return in my name. To their credit, the IRS does a decent job of detecting the fraud.

So, yeah, most of your identity information is probably floating around. Probably for most individuals, the most important things to do are protect your logins to financial sites and such (use a password manager, don’t click links in emails, etc.) and to take reasonable anti-malware precautions. I mean, your risk is different if you’re a dissident in an oppressive regime or a high-ranking foreign policy wonk or something. I’m a cybersecurity professor. I make sure my devices are patched automatically; I use a password manager (LastPass); I take reasonable endpoint security steps (anti-malware, disable JavaScript in the browser, etc.); and I practice good security hygiene. That’s pretty much it.

Corporations and governments have had a spotty record protecting secrets. Things like intellectual property theft don’t usually require public disclosure, so we don’t really know how prevalent it is. On the government side, the OPM hack a few years ago showed that the government is just as piss-poor at security as the rest of us. And we only knew about that because individuals’ records were compromised and the affected people had to be notified. There’s no telling how often other countries have made off with things like military secrets. I would sort of take the opposite view as you when you say, “If there’s enough value to protect, the investment will be made.” If there’s enough value, the bad guys will get it.

I don’t get this “all or nothing” attitude. Not one bit.

My bank has my account number, the balance and a lot of identifying info: name, SSN, address, etc.

So, I may as well just put all that info up on a billboard at a major intersection since the information is “out there” anyway?

This is not logic. And it certainly isn’t how taking steps to protect your data works.

You ALWAYS need to be as cautious as possible. There is a big difference between Facebook knowing you were at a certain store and someone getting your bank account info and emptying your account.

Along with these steps, I recommend multi-factor authentication (MFA) on as many accounts as possible (Google/Gmail, bank, retirement, Amazon, etc.). Many are starting to require it, but go to the effort to turn it on everywhere you can.

Also, unless you open new lines of credit often, freeze all your credit reports.

Then, if you want to stop the tracking, use a personal VPN for all web browsing and never carry a smart phone. These steps are for the super paranoid.

Yeah, these are great recommendations too. MFA is super important.

Also back up your data in case you get ransomware’d.

Regarding things like Facebook and Google tracking, my feelings go back and forth. Certainly I don’t like the fact that these companies have a huge amount of information on my habits and purchases. And I don’t like that the tracking is so pervasive that it’s essentially impossible to avoid if you interact with the internet at all. I think the harm of micro-targeted ads and media is more to society and culture as a whole rather than to me personally. A criminal steals my identity information and gets a loan in my name – I’m harmed directly and tangibly, and the remedy is a long process of unwinding all the financial effects. Media and ad giants try to mold my perception of the world at large through sophisticated micro-targeting – the harm is intangible, and the remedy is to be aware of it and vigilant and try to seek information from a wide variety of sources. There probably needs to be some regulation of these companies, or possible breakup of some monopolies, but there’s just not a helluva lot I as an individual can do about it, short of going off the grid.

The CEO of Sun Microsystems said at a public event, “You have zero privacy anyway. Get over it.” And that was 21 years ago. I suspect that it’s gotten worse.

MFA via SMS is not secure. Repeat: NOT SECURE. This is getting into security theater territory.

Stick with regular password methods over https connections. They are more secure.

I think it’s more accurate to say MFA over SMS is inadequate. An attacker can do something like a SIM swap or SS7 attack to get the MFA code. This still increases the work effort for the attack so it provides a bit of additional protection compared to password only. It shouldn’t be relied on if other alternatives are available, especially not for people at risk of attack by highly motivated adversaries, but for many people the added layer of defense is sufficient and the simplicity is necessary.

Other forms of MFA, such as use of an authenticator app, are preferable, but even these have limitations. They can be defeated with the use of tools like Muraena and NecroBrowser. These forms of MFA still raise the work effort for the attack and may be sufficient for the use case.

Hardware tokens like the YubiKey are better still, but they’re somewhat more complex, and there’s a cost for them. For many home users, the authenticator or SMS approach might be the most practical approach. I would, for example, recommend my octogenarian mother just stick with SMS rather than a YubiKey.

This all gets at a broader point that security isn’t a binary condition. There really aren’t “secure” or “insecure” technologies as much as technologies that are on a spectrum from “trivial to compromise” to “requires NSA skill to compromise.” Which threat actors are you worried about? Common computer criminals or the GRU? Pick your defenses accordingly.

Speaking of the GRU, in the run-up to the 2016 election they compromised the DNC and DCCC. These attacks started with credential theft via phishing. They tried to compromise the Clinton campaign’s network but they didn’t succeed. The reason: the campaign systems all required MFA. Certainly the GRU was capable of more sophisticated attacks, but they never bothered to use them, probably because they hit enough of a goldmine at the DNC, DCCC, and John Podesta’s personal email.

You don’t always have to be faster than the bear, if you’re faster than the other campers.

NIST back-pedaled on that shortly after that brouhaha. A regular password over https in conjunction with SMS MFA has the ability to be more secure than a regular password over https on its own. As always, there are many caveats.

As Defensive Indifference mentioned, security is not a binary. You can never, ever state “I’m secure”. And if you do, you are wrong.