3. 5. 2021

Trend: Clubhouse will become the largest database of voice recordings in the world

Our expert Vlado Palečka in an interview for Trend.

In recent days, we have witnessed several data leaks from social networks. Why is this happening?

The primary reason for almost 90% of all data leaks or attacks on social networks is the financial benefit of the attacker. He/she tries to sell the data to third parties, or even directly blackmail people under the threat of publishing data, photos, information. The price of credit card data on the black market ranges from USD 20 depending on the card, the client’s creditworthiness, etc. Attackers can sell medical data, such as social security numbers, as low as $ 10. However, it is not just about direct financial enrichment. Just remember the great case from 2018, where the British company Cambridge Analytica, which is dedicated to data collection and analysis, led the campaign using data from Facebook, where it obtained information about almost 50 million Facebook users and used them to develop software to support Trump’s election campaign in 2016. According to Reuters, the Cambridge company in 2014 developed a computer program to help predict voters’ preferences and influence their decisions. The company drew on private data without the permission of users. The system was to profile voters and manage the distribution of personalized political advertising accordingly. Here you can see that the use of data from social networks is huge, and it only depends on how and for what purpose the attacker can process them.

The remaining 10% of attacks are more about a personal motive, in an effort to prove that I am able to break security.

The vast majority of people who access social networks do not even realize what digital footprint – indelible – they are leaving behind and how this data can be misused even after several years. E.g. they wouldn’t have to let you into the U.S. a few months ago if you posted / shared information on social media that is directed against the U.S..

An example is the increasingly popular Clubhouse network based on voice messages. Alpha Exploration Co., which launched it, was struggling with poor data security, data sharing, and not always correct processing from the start. People don’t realize that this can be the largest spoken word database in the world in a few years, with accurate identification and data about the users. We have the time of “fake video” and “fake voice” can be misused for voice identification in various institutions (banks, etc.). With the current rapid development of artificial intelligence, this situation may arise sooner than we think.

Therefore, it is necessary to approach these things rationally, consider where we publish what, where we click and, of course, what strong security and passwords we use.

Can we say that this is about insufficient security or is the problem somewhere else entirely?

Every coin have two sides. One of them may be weaker security on the part of social networks. It should be borne in mind that security methods are evolving rapidly, but just as fast, if not faster, by hackers trying to circumvent them.

On the other hand, there are data that these networks send to third parties. These are the companies that, for example, analyze this data, convert it and then resell it. Thus, the leak can occur at any time on the “road” or directly on the servers of these third parties, which may not be the best secured.

In 2019, data leaked by almost 533 mil. Facebook users, where the data protection commission found a violation of the EU directive and Facebook had to paid a record fine of $ 5 billion. However, the investigation is still not complete.

Útoky nemusia smerovať  len priamo na siete, napríklad za zle vyradený hardvér  spoločnosti Morgan Stanley, kde unikli údaje klientov z 2 dátových centier, bola stanovená  pokuta vo výške 60 mil. USD.

But it’s not just social networks where data leaks from. It happens on a daily basis, in various places where personal data is collected. E.g. the Marriott hotel chain was fined $ 124 million, or Uber, a taxi company that was fined $ 150 million in 2016 for unauthorized use of data.

Social networks boast that they are investing huge sums in security. Why are we still witnessing many leaks?

This is a necessity for them. If they didn’t, they would have no clients, no income, and they would cease to exist. But the situation is more complicated. Although companies are investing millions of dollars in security, the human factor may still fail, that part of the technology is not sufficiently protected, that hackers are one step ahead and have found a weakness such as during the recent massive attack on Microsot Exchange servers worldwide (more than 200,000) through a server software bug more than 8 years ago. LinkedIn also used SHA1 for hashing passwords, which security experts have long pointed out that it is not suitable for securing passwords, but they still used it for some time and increased the risk of password cracking.

What are the ways in which personal data is misused by hackers?

If an attacker uses social networks as a reconnaissance tool, he sends a targeted message that entices you to visit a fake website. Its purpose is to steal users’ credentials and money. In a similar way, cybercriminals can manipulate you through chat services. How? Simply. Interesting content in a message from an unknown but good looking gentleman or lady who forces you to open an attachment, but it contains malicious malware. It can serve as a preparation for the arrival of other malicious software, such as advent or spy.

The more we use social networks, the more we simplify the work of cybercriminals and hackers. They like to use these platforms to spread malware, steal personal data, identity and money.

Another risk is identity theft or profile cloning. Criminals steal photos, names and other unique personal information from legal profiles that are shared publicly. They can then use this information to commit fraudulent identity fraud, using a technique known as social engineering to obtain this information. This has happened, for example, in the recent disruption of celebrities’ profiles on Twitter.

What should a social network user do when they learn of a similar data leak?

If possible, change the password to the account or accounts, set up 2-factor authentication, verify whether its data – e.g. email address – was not stolen. Often, however, he does not even know it and only indirectly knows that he sent an e-mail to a friend without his knowledge.

It’s safest not to post anything you wouldn’t post outside of social media. A very simple tool is the idea of your Facebook message board in the real – off-line world. Social networks handle a huge amount of data, they know your name, as well as your age, place of residence, employment, hobbies, friends and family members. They know what you look like, they even know very well where you are. Would you publish this information voluntarily and anywhere?

Some social networks have been fined in the past for data leakage. Do you think that their amount is adequate, can fines solve something?

The fines that companies receive vary depending on the type of leakage in% of turnover, or in global companies as % of worldwide turnover. It is a repressive form, but one of the most effective ones is forcing companies to store data according to the rules, keep it safe and not misuse it.

Facebook was fined more than $ 5 billion, a record amount. But it’s not just social networks that have our data, where those data leak or they have been misused.

For example, in 2013, hackers stole information about user identities – username, email and encrypted passwords of 153 million Adobe account users, with Dropbox it was a similar scenario – 69 million. records.

E.g. Yahoo was fined 85 mil. USD, when in 2013 the company suffered a major security breach that affected its entire database. It was about 3 billion accounts – which at the time was a significant part of the entire population of the site. However, the company did not disclose this information for three years.

Tesco Bank: A retail branch of a UK supermarket chain was fined £ 16.4 million ($ 21.2 million) by the UK Financial Management Authority (FCA) in 2018 after 9,000 customer accounts were stolen in 2016 less than $ 3 million.

Some conspiracy theories say that social networks can work with hackers to access data. Can anything be true about these claims?

If we mean whether they intentionally steal data, we will probably never know the truth. But when we look at the fines that companies operating soc. networks for such detected leaks get, the cooperation does not seem unrealistic, or it would be too risky.

However, if we look at cases where the required amount was paid by a hacker, we can talk about cooperation, but it was certainly not intentional. Rather, it aims to reduce the consequences of hacking.

Lake City hackers encrypted a large amount of important data, blocking access to emails and a payment gateway through which citizens could pay taxes. Despite the fact that the technicians disconnected the computers from the network only a few minutes after the detection of the hacker attack, it was too late to intervene. The city council finally managed to agree with the hackers on a lower ransom. They had to pay in bitcoin – virtual currency for access to the files, which is close to $ 500,000. The city was insured against data loss, but they still have to pay $ 100,000 out of their own pocket.

In 2016, the already mentioned disruption of the Uber application with a database of 600,000 drivers and 57 million user accounts took place. Instead of reporting the incident, the company paid the perpetrator $ 100,000 to keep the attack secret. However, these steps were very expensive for the company in the end. In 2018, she was fined $ 148 million – the largest fine for data breaches in history at the time.

It seems that most people do not care how they handle their personal data, which they leave on social networks and are not discouraged from using even numerous leaks. Why is that so?

Sharing information has become an easy way for many people to let others know what they are doing and share their experiences and feelings. But the more information they send to the online world, the more they run the risk of spreading information that could get us under the attention of cyber-attackers.

I would compare it to insurance. If nothing happens to you, you don’t usually think about it. Although an IT technician calls for data backup in a PC in the company, most do not,  only after when they lose them for whatever reason, but then it is too late. And it is similar with the data on social networks, which we knowingly publish there. It does not occur to us at all where the photo may end, and that the data about us is collected everywhere and how it will be used. I dare say that even after the leak of data from FB, most did not even change the password. Not to mention that most people have the same passwords in various other applications to make them easier to remember. This is already an ideal way for an attacker to access the necessary data.

On the dark web, one can “buy” various services for ridiculous sums – from obtaining data to attacking the system. I note that in this case these are most often illegal contracts.

Do you think we can ever expect people to boycott social networks in large numbers due to the low security of their personal data?

In my opinion, this will not happen, and not at all nowadays, when we all connect mostly online. If a major data leak is detected, or an attack on some soc. network occurs, users will switch to another. Alternatively, they will switch to it due to better functionality, where even today very many people switch from Facebook to other types of social media. networks. So they will not boycott them, but the number of their users will decrease, similar to WhatsApp, where many people have started switching to competing messengers.

It is said that the threat of cyber attacks will increase every year. Are there any concerns about more frequent data leaks from social networks?

Cyber ​​attacks are likely to increase, it’s like a cat and mouse game. Once a hacker is ahead, other times a company. The financial effect will still be in the background, all the more so as there will be more and more data on the Internet and the number of devices connected to the network will continue to increase. There is already 25 billion of devices in IoT alone and by 2025 it should be 45 billion devices in the world, not to mention the 5G network and its capabilities. This includes industrial espionage, data leaks from companies and corporations, website malfunctions, etc. It happens every day, every minute.

Protection against similar types of attacks is difficult because similar groups use sophisticated methods to spread the malware. These methods adapt to the current situation and discovered vulnerabilities in the operating system or its components. Given that the state of cyber security in our country to some extent copies the development in Western Europe and the USA, there is a great presumption that the number of identity thefts and its misuse will increase, most often for the financial benefit or manipulation of the victim.Neznalosť základných bezpečnostných konceptov (napríklad vloženie čísla svojej platobnej karty na neznámu stránku)

The most common mistakes we make

  • Weak passwords or using the same password on multiple systems
  • Missing security updates in applications or systems that have Internet access
  • Too much trust in the case for free stuff (free WiFi, warez, pornography).)
  • Excessive information sharing with a wide range of people, including many unknowns (no one would probably announce on the city radio that he is going on vacation and that he will not be home for a week, but he is willing to provide the same information on the social network for everyone)
  • Improper configuration of applications and devices (most often to try to simplify your work)
  • Ignorance of basic security concepts (for example, inserting your credit card number on an unknown page)
  • Reluctance to learn (just as knowledge of riding a horse does not provide us with knowledge of driving a car, knowledge from this physical world cannot be transferred one to one to the cyber world.Interestingly, people are more likely to transfer harmful habits and knowledge to the digital world than useful ones.)