The Era of "Steal Everything"

Good comment:

“We’re moving into an era of ‘steal everything’,” said David Emm, a senior security researcher for Kaspersky Labs.

He believes that cyber criminals are now no longer just targeting banks or retailers in the search for financial details, but instead going after social and other networks which encourage the sharing of vast amounts of personal information.

As both data storage and data processing becomes cheaper, more and more data is collected and stored. An unanticipated effect of this is that more and more data can be stolen and used. As the article says, data minimization is the most effective security tool against this sort of thing. But—of course—it’s not in the database owner’s interest to limit the data it collects; it’s in the interests of those whom the data is about.

Posted on May 10, 2011 at 6:20 AM • 40 Comments

Comments

AC2 May 10, 2011 6:34 AM

An interesting comment re data minimisation on the article:

“The question about, for example, why an organisation asks for a specific date of birth, as opposed to an age band, is at the centre of our work.”

The obvious way is to give fake data where this doesn’t matter… One downside is all the birthday wishes I receive on Facebook on the wrong day!

This can be counter-productive in other ways as well, but yes, why on earth does the shop from where I buy spectacles need to know my date of birth???

David May 10, 2011 7:01 AM

@AC2 – I agree, it’s amazing just how many websites think I was born on Jan 1st of the oldest year their drop-down list supports!

Hansi May 10, 2011 7:06 AM

My personal favourite birthday date is 30th Feb. 1984. That will hardly get you any wrong birthday wishes. Yet an astonishing(?) number of websites will accept it…

GreenSquirrel May 10, 2011 7:08 AM

@AC2 / David

Ditto. Whenever I am presented with a form that asks things I feel are irrelevant, I enter gibberish data. I see no reason why any website needs to know my date of birth accurately – if they are using it for age verification, then more fool them.

It infuriates me that companies use all kinds of random means to try and capture user data – UK training provider Firebrand is my main annoyance as to get their course prices they want name, telephone and email. I suspect I have polluted their database quite a bit….

David May 10, 2011 7:37 AM

@Hansi, the only problem with that date is that it leaves you “under-age” in many jurisdictions

@GreenSquirrel what really annoys me is the sites that insist on a “valid” (ie non web-mail) email address and then permit access based on any gibberish that doesn’t include @hotmail, @gmail or @yahoo in the address

Ian May 10, 2011 7:51 AM

What irritates me is when they insist on an email address for no good reason but then accept mailinator.com and similar services.

Ian

Mary Arrrr May 10, 2011 8:20 AM

July 24, 1969 – the date of the Apollo 11 splashdown – is my goto “birthday.”

Ian – my understanding is that the email address is to catch duplicate entries. You just have to have a unique email address for their system. I have a crap/spam email account for this.

IT crowd girl May 10, 2011 8:34 AM

I think a lot of people don’t see the real problem here. It’s not that the company wasn’t trying to protect their data, but what they thought their IT department was doing. I work at a security company (have for almost a dozen years) and know for a fact our IT sucks. I’m sure we’ve been compromised, but it’s a dirty little secret no one will ever talk about. It happens at all the banks, government sites, etc.

Clive Robinson May 10, 2011 8:38 AM

I can’t believe it’s taken this long for people to wake up to the fact that criminals will find a use for every piece of data they can.

I have been harping on about it for so long now I could have grown a “Gandalf” sized beard by now 8{)}—

One aspect of this “wood for the trees” issue is that way too many network admins are looking at known inbound attacks, not outbound traffic.

The result of this is terabytes of data are walking out the door.

If you think back a year or so ago there was a modified version of Zeus that was aimed at .mil and .gov; its sole purpose was to hoover up .doc and .pdf files from a user’s work environment (ie it was not trying to escalate privileges or other “owning” activities). From what was said at the time it was only discovered because somebody noticed the amount of outbound traffic was abnormal.

In all honesty an internet connected organisation should be logging all traffic at its front door and on the inside of the firewall, and they should be constantly looking for unknown traffic, especially outbound (likewise in larger organisations they should be logging all traffic between different areas of the organisation). Further they should do reverse DNS etc on all IP addresses and flag up any that are new or have unaccountable traffic to them and what internal machine they came from (including white and blacklisting and blocking all WebDNS services). And let’s be honest, should your organisation’s DB server box be originating outbound traffic to anywhere in any format?

Simple answer no, internal servers should sit behind their own firewalls with very very restricted rules, with traffic monitoring etc.

People can only steal data if we allow them to (ie by providing either direct access or bridged access to the data source). Likewise the amount they can steal and in what form. It might not be easy to stop some small leakages of information but you can flag up odd traffic flow both internally and to the outside world.

Judging by what some of the “China APT” mob are claiming with gigabyte and terabyte data losses from single organisations, few can be watching outbound traffic.

As for compressing data or reducing the amount held, there are other mechanisms you can use. For instance you can put encrypted data into database fields if you so wish, and many searches etc will work just as well with encrypted data as they will with plaintext. Obviously ordinary wildcard expansion will not work, but do you actually need it? More importantly, is it an indicator somebody is doing something they should not?
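The outbound review Clive describes above, as an added example that is not part of the original comment: it runs over a few constructed flow-log lines and flags an internal DB server originating outbound traffic, destinations not on the reviewed "known" list, and a host whose outbound volume is far above its baseline. The network ranges, host roles, baselines and burst factor are all assumptions for the example; the reverse-DNS step is omitted so it runs offline.

```python
"""Outbound-flow review: flag server-originated outbound traffic, unknown
destinations and abnormal outbound volume.  Every log line, host list and
threshold here is constructed for the example, not taken from a real site."""
from collections import defaultdict
import ipaddress

# Constructed flow records: timestamp src dst dst_port bytes
FLOWS = """\
2011-05-10T08:00:01 10.0.5.21 203.0.113.8 443 18230
2011-05-10T08:00:05 10.0.5.22 203.0.113.8 443 20190
2011-05-10T08:01:10 10.0.9.7 198.51.100.77 443 524288000
2011-05-10T08:02:44 10.0.5.21 192.0.2.199 8443 9100
2011-05-10T08:03:02 10.0.5.23 203.0.113.8 443 1100
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed
# Internal servers that should never originate connections outward (assumed)
SERVER_HOSTS = {"10.0.9.7": "db-server"}
# Destinations already reviewed and accounted for (assumed "known" list)
KNOWN_DESTINATIONS = {"203.0.113.8"}
# Per-host outbound byte baseline; exceeding BURST_FACTOR x baseline is odd
BASELINE_BYTES = {"10.0.5.21": 50_000, "10.0.5.22": 50_000,
                  "10.0.5.23": 50_000, "10.0.9.7": 1_000}
BURST_FACTOR = 10


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def review_outbound(log_text):
    """Return (reason, host, detail) alerts for internal -> external flows."""
    alerts = []
    total = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_flow(line)
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # inbound and internal-only flows are out of scope here
        total[f["src"]] += f["bytes"]
        if f["src"] in SERVER_HOSTS:
            alerts.append(("server-originated-outbound", f["src"], f["dst"]))
        if f["dst"] not in KNOWN_DESTINATIONS:
            alerts.append(("unknown-destination", f["src"], f["dst"]))
    # Hosts with no baseline get 0, so any outbound volume from them is flagged
    for host, nbytes in total.items():
        if nbytes > BURST_FACTOR * BASELINE_BYTES.get(host, 0):
            alerts.append(("abnormal-volume", host, f"{nbytes} bytes"))
    return alerts


if __name__ == "__main__":
    for reason, host, detail in review_outbound(FLOWS):
        print(f"{reason:28} {host:12} {detail}")
```

On the constructed data only the DB server and the workstation talking to an unreviewed destination are flagged; the hosts talking to the known destination within their baseline stay quiet.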

Clive Robinson May 10, 2011 8:46 AM

I was also surprised that the article did not mention lastpass.com and facebook pages from a mobile network provider in the US getting routed to facebook via China.

App Dev May 10, 2011 9:01 AM

yea and information “getting routed to China” has been spoken about for so long that people forget that there can be workers at the companies (Facebook et al) themselves that copy the data. Nobody worries about it because it is more exotic to check what China is (supposedly) doing.

vwm May 10, 2011 9:18 AM

Then again, stealing data that is free and publicly available might not prove that lucrative in the long run.

Michael Barbere May 10, 2011 9:31 AM

E-Government projects such as Medicaid Management Information Systems are being shoved out to states throughout the country due to huge amounts of federal dollars subsidizing the projects. These projects are being pushed out hastily in order to meet deadlines and often without a proper security infrastructure to support them. If you believe that corporate America is being irresponsible with PII and PHI wait until one of the states loses CIA on one of these systems.

Roger May 10, 2011 9:48 AM

@Clive:
“I can’t believe it’s taken this long for people to wake up to the fact that criminals will find a use for every piece of data they can.”

Of course, not all of us have taken so long; some of us have been pointing this out since the early 1990s — and had 20 years of accusations of paranoia, but a consolation of 20 years of seeding the ‘net with false PID.

Roger May 10, 2011 10:00 AM

@Hansi:
“My personal favourite birthday date is 30th Feb. 1984.”

Too low in entropy. Probably very few people use such an odd date, so it may uniquely identify you by date alone. Even if two or three people are using it, it will take very little extra data to “fingerprint” you.

A much better date is a random one that is a little over 18 years old. The randomness makes it hard to fingerprint. The age range stops odd-ball policies aimed at juveniles, but also means that they won’t be surprised when they don’t get much data matching on the rest of your junk data.

@David:
“the only problem with that date is that it leaves you “under-age” in many jurisdictions”

Hmm? Ignoring for a moment that the date is undefined (and so might give any sort of weird answer when passed through a badly written “calculate age” function) someone born in February 1984 should be 27 years old. I don’t know of any jurisdictions where that is underage. There certainly aren’t “many”. Maybe you dropped a ten?

mince May 10, 2011 10:19 AM

@Roger

I think the point David was trying to make was that since the 30th of February hasn’t come around again since Hansi was born, that makes him less than 1 year old. 😉

BF Skinner May 10, 2011 10:50 AM

“Faking personal information on sites ”

But it’s often a use agreement violation.

I too was born on 1/1/10 as far as Sony PSN knows; where it thinks I got my CC from, I dunno.

How long before ordinary sites begin to background check account holders with data aggregator sites?

“You cannot create the account BiffSkin because your cc is registered to Buckminster Fuller who was not born on 1/1/10.”

SomeGuy May 10, 2011 10:56 AM

Why is this concern limited to “cyber criminals” when legit corporations want to harvest and sell personal information? I’ve gotten to where every time I see “it’s free!” I run.

Brandioch Conner May 10, 2011 11:02 AM

Eventually the criminals will discover databases and start targeting the information they need to impersonate you for loans and such.

Being able to empty your bank account is one thing.

But being able to take out a second mortgage on your house?

Or purchase a new car (which is then parted out) as you?

Clive Robinson May 10, 2011 11:09 AM

@ Roger,

“…and had 20 years of accusations of paranoia, but a consolation of 20 years of seeding the ‘net with false PID.”

Hmm didn’t we once talk about “a bit of badger in the beard” when Bruce changed his top right photo?

With regards the “with false PID”, as I have noted before there are a number of people who look remarkably like me in the real world (in one case sufficient to use my passport by mistake) and at last count something like 7 people with the same name and professional interests, and reasonably close (within 70 miles) geoloc.

And I believe three or four of this blog’s readers have tried to find me to some level (not sure why but hey, that’s the way of the world).

Dirk Praet May 10, 2011 11:28 AM

But it’s been like that forever. The only difference today is that people in their ignorance spread their data all over the net and that many criminal organisations have matured enough to take advantage thereof. Add to that that many enterprises – even big ones and so-called security companies – still manage to get the most basic principles of information technology security wrong, and there you are.

For all practical purposes, I’m a female living at 666, Hell Street, Doomsville, Tajikistan. Never had any questions asked. And I use throw-away email addresses whenever I need to register somewhere once. Even my main email address is just a forwarder for another mailbox, the address of which I never use.

On a related sidenote, it would seem that the Zeus source code is now available to all: http://threatpost.com/en_us/blogs/zeus-source-code-leaked-051011 .

stvs May 10, 2011 11:44 AM

“You cannot create the account BiffSkin because your cc is registered to Buckminster Fuller who was not born on 1/1/10.”

Well then I’d just hack the PSN …

stylus May 10, 2011 12:41 PM

@Dirk Praet

But it’s been like that forever. The only difference today is that people in their ignorance spread their data all over the net

Well this is the age of spreading yourself everywhere. Or at least that is what it seems like judging from the reports of sexting that is supposedly being done, not to mention all those naked ladies whose photos are on the internet (I mean on various “pr0n” sites).

What people did in the private in the past is done in the open nowadays.

moo May 10, 2011 1:27 PM

“You cannot create the account BiffSkin because your cc is registered to Buckminster Fuller who was not born on 1/1/10.”

Is that what the BF stands for? I always thought you were Burrhus Frederic.

moo May 10, 2011 1:31 PM

@Gratuity Disbeliever:

Google was not the first Internet search engine, it wasn’t even the first good Internet search engine.

If it hadn’t been them, it would have been somebody else.

Don’t shoot the messenger. Just hear the message…

All that personal info that people willingly put out there (or unfortunately, shared with companies that aren’t able to keep it secure) is going to be used against them.

neill May 10, 2011 1:47 PM

minimization is not the solution, it makes data-mining easier since you have smaller datasets

obfuscation would be better – make up lots of fake numbers (SSN, DL, CC etc) and feed it to “the bad guys”. only you know which set is the correct one, and they’ll trigger alerts running all the fake ones

tommy May 10, 2011 3:45 PM

“… but instead going after social and other networks which encourage the sharing of vast amounts of personal information.”

One of the grandest coups ever pulled off in mass psychology. In the 1990s-early 2000s, we were being alerted to the dangers of permanent cookie storage, web beacons, posting personal info on the web, etc. Then Twitfacespace et al. somehow convinced about half the US population, and a significant percent of the world’s population, to give out voluntarily everything about themselves that some of us were working so hard to keep private. Wow.

Bruce, maybe this is worth a mention in your work-in-progress book: how social engineering can manipulate honest people and a culture’s values, thus making the task of the dishonest much easier.

btw, my name isn’t tommy, but it works here. Not that it would take much effort to collate different nyms used at different sites, but again, why make it easier? 😉

Dr. T May 10, 2011 5:05 PM

I don’t give a hoot if the entire world knows my full name, my address, and my date of birth. That info has been public for a long time (I’m a retired but licensed physician, and I live in a state that posts a shitload of information about physicians on a public web site.). What I don’t want floating around are my account numbers, user names, and password linkages. That’s why I get annoyed when, after registering on a web site, the morons send me an unsecure confirmatory e-mail that contains my user name and my password. I also get annoyed when the places I do business fail to secure their database servers. I had to replace my Visa card twice because store accounts were known to have been cracked.

Richard Steven Hack May 10, 2011 10:36 PM

I’ve got Facebook, Linkedin and Myspace pages.

Guess what? Almost nothing on them. I haven’t even visited them since I created them (well, I did update the MySpace page for a while – but now they might as well be dead anyway compared to Facebook.)

I keep getting emails from Facebook and Linkedin saying, “Hey, haven’t seen you in a while! You have notices!”

Tough. When I get around to it, dudes. Hardly a priority except I should do some service marketing on those things if I want to make any money. None of that requires me giving out personal details.

Otherwise, I don’t care who has my name, address, phone number, email (I have a spam trap Gmail account and another Gmail account that I only use for “legit” purposes.)

I don’t let Firefox save passwords because sixty percent of stolen passwords discovered in botnets come from browser password savers.

I don’t let any program save passwords except Linux for login – and that’s encrypted (somewhat of course). My password is not strong, though. And I re-use it a lot even on the Web. Bad, I know, but it’s worked for the last ten years.

I have zero credit, a low bank account, no house, no car, and no other assets worth chasing other than my ATM card, so my risk profile isn’t very high. Guess there’s an advantage in being poor.

I think even if cyberthieves are going after large amounts of personal data, most of it still has to be personalized to be useful. You can sell a bunch of CC numbers, but a bunch of emails has much less value (except to spammers and phishers). A bunch of street addresses has even less value.

Companies sell CDs and DVDs full of people’s names and addresses and have done for twenty years or more. Some states even sell their entire Motor Vehicle Database on DVD allegedly to “insurance companies” and CC thieves are known to have used them. So snarfing up large amounts of personal info isn’t particularly new.

The problem is more that “computer security” has been revealed to be an oxymoron for just about every organization outside of the CIA/NSA/DIA. And the criminal subculture has determined that, dollar for dollar, computer crime is cheaper, easier and more profitable than running drugs with lot less chance of either getting shot or prison time.

So “steal everything” is more a result of that than just the presence of mass amounts of personal information.

But it does HELP to have massive amounts of personal information available online just as it helps to have Google search results online instead of having to go to the library.

Problem is, that ship has sailed – just as the “computer security is an oxymoron” ship has sailed.

There is no security – or privacy. Suck it up. This is just another human issue that has no solution thanks to human nature.

Richard Steven Hack May 10, 2011 10:56 PM

A-a-n-n-d-d here we go again!

Facebook caught exposing millions of user credentials
http://www.theregister.co.uk/2011/05/10/facebook_user_credentials_leaked/

Quote:

Facebook has leaked access to millions of users’ photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings, researchers from Symantec said.

The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits.

The Symantec researchers said Facebook has fixed the underlying bug, but they warned that tokens already exposed may still be widely accessible.

“There is no good way to estimate how many access tokens have already been leaked since the release [of] Facebook applications back in 2007,” Symantec’s Nishant Doshi wrote in a blog post published on Tuesday. “We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”

While many access tokens expire shortly after they’re issued, Facebook also supplies offline access tokens that remain valid indefinitely. Facebook users can close this potential security hole by changing their passwords, which immediately revokes all previously issued keys.

End Quote

AC2 May 11, 2011 1:50 AM

@RSH Re Facebook f-up

Depressing…

How the f**k do I do stuff like sharing photos with relatives who live on another continent?
– FB/ Flickr/ Picasa? Not trustworthy/ poor security
– Send by email? Can be viewed by anyone on the chain, unless I use stuff like S/ MIME, which is too painful to setup
– Encrypt, attach and send? Dream up a passphrase for each message/ counter-party and get that across how? And lack of a common, strong encryption tool that is truly cross-platform. I can’t get my dad to install and use OpenPGP, for example.

So I’ve settled on using ZIP files with their weaker encryption, which works across Windows, Linux & Mac. Can’t use the higher grades of encryption available in say WinZip, as they’re not supported on other platforms.

And I send the passphrase by SMS… How secure…

Paeniteo May 11, 2011 2:48 AM

@AC2: “How … do I do stuff like sharing photos with relatives who live on another continent?”

The good old web 1.0 way: Get some webspace (or, preferably, a little server at home) and upload them there.
Add encryption layers for transport and storage at will.

David May 11, 2011 6:10 AM

@roger ooops… a couple of reds too late in the evening for my maths brain cells to tell my emotive brain cells that they can’t count!

mea culpa

oh, and (in my dotage) anyone born after 1970 must surely be a juvenile! ~smile~

stvs May 11, 2011 10:44 AM

“How the f**k do I do stuff like sharing photos with relatives who live on another continent?”

Easy. Just run your own web server with SSL signed by your own root certificates that you distribute to family and ask them to trust. Protect the directory with Digest authentication.

One solution to many of these privacy issues comes down to fragmentation of “the cloud” to everyone having personal servers that handle everything: web, email, vpn, etc., with the added risk doing all this securely yourself.

For those concerned about their online security and privacy, this solution, which effectively turns your model of the web into a distributed and encrypted P2P that cannot be scraped for data, is available now to anyone with a box and a router.

Doug Coulter May 11, 2011 1:44 PM

Too bad these companies that seem to require all this data about you before you can do any business with them can’t seem to be contacted with the information
“Why I’m not telling you now, and won’t do business with you in future till you stop asking”.

For one thing, you usually can’t contact them at all (at least not to a human) till you’ve successfully created a login — which requires all that crap, and just lying has issues later on if you DO want to do business with them.

They don’t care, because the majority, or at least, enough of us, are stupid and give them that stuff anyway.

Which they then sell for a profit, to both other companies, and our good old government, who isn’t allowed by law to collect it, but is allowed to buy it from someone else who does. I guess it’s cheaper that way than mere warrant-less wiretapping, it’s all in nicely parseable bits that way.

Total information awareness never died, even though DARPA renamed it a time or two after the furor.

And now, it’s reality, over the stated wishes of both the people and our so-called representatives. Power lies no longer with either one, but with those who have that info, and therefore the ability to blackmail our “representatives” who in general, are a lot more “dirty” than the average person, and with more reason to have it hidden.

You don’t think your average joe was the first, most valuable target, do you?

Doh, think, people. “They” are not utterly stupid. If you could get all kinds of interesting personal info, who would you begin with? How about those who (now are forced to) sign your checks and ask no questions?

And I was once one of “them”. No need for me to wear an imaginary tinfoil hat and make things up.

Ross May 13, 2011 2:41 PM

While David may have done bad math with a 1984 birth date being underage, that is indeed an issue. I’ve regularly had forums users pick fake birth dates that put them under 13, which automatically locks out their accounts due to built-in restrictions in the tool. I don’t care if people lie about their age, and I’d agree that just stating age (or age range) instead of date is preferable, but sometimes trying to be tricky just gets you into more trouble if you’re not wise about it.
