How vulnerable is our data?

For the first time in human history, we live in an era where more information is stored about us digitally than physically. Your name, picture, date of birth, address and so much more are on a server, in a far away land, in a big building owned by a large conglomerate. This may sound rather full of doom and gloom, but in reality, we also live in a time of huge technological advancement.

We have the latest news and views at our fingertips.

Our closest friends are no longer in the next town or at work; they are just a few taps away.

We can call anyone at any time in any place. Then hang up that call to walk to the counter, pay for our shopping with the same device and use that device to have a car pick us up and take us home. All without ever having to do more than just tap yes.

But that’s the caveat.

We willingly give our data away so that we can use these services and that’s fine. But what about when things happen to our data that we didn’t consent to?

Hacking, data breaches and phishing scams are becoming more and more popular among the criminal element and it’s not just you and me that they are targeting, but tech titans such as Facebook.

The Facebook data breach scandal

In 2016, an app called “thisisyourdigitallife” was created for the Facebook platform; a simple personality test created by Aleksandr Kogan, a Moldovan-born data scientist. The app fell well under Facebook’s terms of use as it was claimed that the data collected was to be used for academic research. This was not the case.

Kogan worked for the UK-based company Cambridge Analytica (CA), a political consultancy firm allegedly backed by the Trump campaign. CA used the data collected by the Facebook app to gain information on 87 million users around the globe by using a loophole in the Facebook security policy. This essentially allowed CA to view the data of anyone who was friends with anyone who used the app and had their privacy settings open.

The effects of this are even more alarming when you look at countries like Australia, where only 53 people used the app but over 310,000 accounts were affected due to this spider web effect. It is worth mentioning, however, that the Australians affected would have also had friends outside the country, which compromised their accounts.
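The permission loophole described above can be modelled as an access decision. This is an added example, not Facebook's code or API: the graph, the names and the `friend_permission` switch are constructed, and the model is deliberately simplified.

```python
# Constructed sample data: a small friendship graph with symmetric edges.
FRIENDS = {
    "ana": {"ben", "cho", "dev"},
    "ben": {"ana", "eli"},
    "cho": {"ana", "fay"},
    "dev": {"ana"},
    "eli": {"ben", "fay"},
    "fay": {"cho", "eli", "gus"},
    "gus": {"fay"},
}
OPEN_SETTINGS = {"ben", "cho", "fay", "gus"}  # accounts with open privacy settings
CONSENTED = {"ana"}                           # accounts that used the app themselves


def may_read(subject, consented, friends, open_settings, friend_permission):
    """Decide whether the app may read `subject`'s profile."""
    if subject in consented:
        return True   # the subject used the app and agreed
    if not friend_permission:
        return False  # tightened model: own consent only
    # Loophole model: one consenting friend plus open settings is enough.
    return subject in open_settings and bool(friends.get(subject, set()) & consented)


def exposure(consented, friends, open_settings, friend_permission):
    """Return (readable accounts, accounts read without their own consent)."""
    readable = {
        user for user in friends
        if may_read(user, consented, friends, open_settings, friend_permission)
    }
    return readable, readable - consented


if __name__ == "__main__":
    for label, flag in (("friend permission", True), ("own consent only", False)):
        readable, unconsented = exposure(CONSENTED, FRIENDS, OPEN_SETTINGS, flag)
        print(f"{label}: readable={sorted(readable)} without consent={sorted(unconsented)}")
```
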

This rabbit hole spirals deeper yet. CA allegedly sold the data to provide targeted ads to specific demographics. These propaganda ads were then allegedly used to sway votes in both the US election and the Brexit campaign.

The worst part is not that the breach happened but that it took till 2018 to come to light. Facebook was made aware of what was happening with the data collected and in response contacted CA, requesting them to delete the data. However, Facebook did not follow up on this action till early 2018, when reports began to circulate about the scandal, leading to the events we saw recently in which Facebook CEO Mark Zuckerberg was called to the US Congress.

Alongside this scandal, GDPR is here, which aims to prevent such events happening again and attempts to make companies more transparent about what happens to our data. Facebook, in preparation for GDPR and in response to the aforementioned data breach, is closing access to Facebook’s APIs. Furthermore, they are implementing a Board which will now have to approve new access requests. What this means for you and me is that Facebook themselves can now pick and choose who can view the data and what it is used for. This is the complete opposite of what GDPR was trying to achieve.

It’s not just clever politicians

Savvy hackers are becoming shrewder than ever, trying to profit from unsuspecting targets; their techniques are now comparable to something you’d see on Mr Robot.

Last year, ransomware by the name of WannaCry was making its way around machines worldwide. This malware would install itself onto your computer, encrypt your files and then demand payment to decrypt them. It would set a deadline after which it would delete your files permanently, and it would also increase the price of the ransom as time progressed to create urgency in an effort to get people to pay up.

WannaCry exploited Windows to infect over 400,000 computers, even spreading on NHS computer systems. It used the SMB vulnerability in Windows to duplicate itself to machines on the same network, spreading the WannaCry event further.

Surprisingly, the infestation’s spread slowed down unexpectedly when a Twitter user, “@MalwareTechBlog”, registered a long domain they found in the code for WannaCry. The malware checked whether the domain was live before continuing to encrypt or spread, and luckily, once the domain was registered, this check managed to stop the hack from spreading from that point. Saying this, it would be safe to assume that there are other versions of the malware with different shut-off domains.

The vulnerability was first discovered in NSA private files which were stolen by hacking group “Shadow Brokers” along with many other vulnerabilities and exploits that the NSA had collected to use for their own espionage purposes. Microsoft has since released a patch for the vulnerability, so it’s important that you install the latest security updates on your system.

Code name: Spectre and Meltdown

Spectre and Meltdown are the names given to the hardware vulnerability found on almost every computer chip made in the last 20 years. This exploit can be used to attack computers and find information that would otherwise be impossible to retrieve. To understand these vulnerabilities, we must first understand speculative execution.

Speculative execution, put as simply as possible, is the process of a CPU trying to predict its coming processes so that it can work faster. If the CPU knows that a program requires many logical branches, it will start working out all of those branches before the program ever decides between them. For example, if the program says, "If X is true, do A; if X is false, do B", the CPU will start both A and B at the same time, before ever knowing if the result of X is true or false. Once it knows if X is true or false, it already has a jump on what is to come. This function makes processing time faster by keeping the results in the CPU cache before they are ever needed. The other way speculative execution works is that if a CPU knows that a program uses the same data often, it will use idle time to run that process before it may be told to. The CPU will then store that possible result in the cache for when it may need it.

That’s where the vulnerability comes into play. Programs can’t ask the CPU for data cached by other programs. This is called protected memory. But Spectre and Meltdown work around this. Meltdown is called such because it "melts" the security put in place by the hardware. Using Meltdown, a hacker could use a program running on a computer to access data from anywhere on that computer which the program would not usually be able to obtain. This includes data from other programs and data with administrative rights. Meltdown only affects certain Intel CPUs but patches have been released to address the issue.

Using Spectre, a hacker can force a program to show some of its own data that should have been protected. They would need detailed knowledge of the program they are trying to exploit, and it won’t allow access to other programs' data, but it will work on almost any CPU. The name Spectre is a play on speculative execution but similarly links to the fact that it’s hard to detect and prevent - although patches are coming slowly.

Spectre and Meltdown both open the doors for dangerous attacks. For example, JavaScript on a site could be using Spectre to force a web browser into giving it your personal information such as passwords and card details and anything else that might be stored on your browser. To make matters worse, hackers can take advantage of Meltdown to gain your personal information and the information of any other virtual machine running on the same server. Cloud computing hosts are thankfully rolling out patches to prevent this.

The importance of computer updates

In 2017, USA-based credit check company Equifax had its security breached, leading to over 146 million people’s personal information being stolen by hackers. This includes 146 million names and dates of birth, 145 million social security numbers, 99 million addresses and 209,000 payment cards (numbers and expiry dates) being exposed. It was also said that 38,000 American drivers' licenses and 3,200 passport details were stolen.

This was one of the biggest attacks in recent history and the blame all fell on one person. Equifax was running an old version of Apache Struts which was deemed insecure but the employee in charge of keeping this software running and up to date had failed to do so. This simple action of not updating to the latest version cost Equifax $439 million.

The Dark Cloud

The Cloud has become a fundamental part of our modern-day digital life, backing up all our email, contacts, reminders and photos so that we always have them, at any time, at any place, on any device. But in 2014 tech giant Apple came under fire when targeted celebrities' accounts were hacked into using a brute force attack on a vulnerability found on ‘Find My iPhone’.

Using some simple code, hackers were able to get Apple account details by trying various possibilities until they found the right one. Apple was at fault because ‘Find My iPhone’ did not limit how many attempts the hackers had. This has since been patched but not before 37 celebrities had their (very) personal images leaked online.
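The missing control was a limit on login attempts. The following is an added example of one way to enforce it, not Apple's code: the thresholds, class and function names are assumptions, and the password store is a plain dictionary for demonstration only.

```python
import hmac
from dataclasses import dataclass

MAX_FREE_FAILURES = 5    # assumed: the 5th consecutive failure starts a lockout
BASE_LOCK_SECONDS = 30   # assumed: first lockout length, doubled on each further failure
MAX_LOCK_SECONDS = 3600  # assumed: cap on a single lockout

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0

class LoginThrottle:
    """Per-account failure counter with exponentially growing lockouts."""
    def __init__(self, credentials):
        self._credentials = credentials  # account -> password (demo only; store hashes in practice)
        self._state = {}

    def attempt(self, account, password, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        state = self._state.setdefault(account, AccountState())
        if now < state.locked_until:
            return "locked"  # rejected without even checking the password
        expected = self._credentials.get(account, "").encode()
        if account in self._credentials and hmac.compare_digest(expected, password.encode()):
            state.failures = 0
            return "ok"
        state.failures += 1
        over = state.failures - MAX_FREE_FAILURES
        if over >= 0:
            delay = min(BASE_LOCK_SECONDS * 2 ** over, MAX_LOCK_SECONDS)
            state.locked_until = now + delay
        return "denied"

def guesses_checked(throttle, account, guesses, seconds_between=1.0):
    """Replay a guess list at a fixed rate; count how many were actually checked."""
    checked, now = 0, 0.0
    for guess in guesses:
        if throttle.attempt(account, guess, now) != "locked":
            checked += 1
        now += seconds_between
    return checked
```

With these settings, a list of 1,000 wrong guesses sent one per second gets only 10 of them checked. A per-account lockout alone lets anyone lock a victim out, so in practice it is paired with per-source limits.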

What this means for regular folk

Hacking is becoming more and more prominent and in situations like the ones we’ve looked at above, we might not really be able to protect ourselves. That doesn’t mean, however, that we shouldn’t try.

Taking simple precautions such as having different passwords for different services would drastically reduce the fallout if your data becomes compromised.

Password management tools like LastPass are one of the easiest ways to implement this practice.

Going further still and using two-factor authentication when possible can make your details theoretically impregnable without detailed knowledge of you.

Just for fun – why not check how secure your password is here?  It might just make you realise how vulnerable your data is.

Added 24-May-2018