Our idealistic kindergarten teachers duped us into believing that we’re defined by our character. But we’re now old enough to know that our personally identifiable information (PII) is what really defines us. That’s right; no matter how special we think we are, we’re still just atoms and PII.
Somehow, over the course of billions of years of evolution, the purpose of IT managers and business owners has turned out to be guarding other people’s PII. This destiny is boring. But the second we let our guard down in a stupor of apathy, we wake up to data breaches, public-relations disasters and frantic job searches in hopes of quitting before getting fired.
If that all sounds horrible, it is. But don’t worry. Plenty of other companies have already done the stupid-work for you so you can learn from their mistakes and avoid their embarrassment. Here are five shining examples of what not to do when you’ve got data to protect.
Next time you feel glum, just look into a mirror and try this mantra: “At least I’ve never done something so stupid that federal and state regulations were created for the entire identity-theft protection industry because of it.”
Of course, there’s one guy on the planet who can’t utter that inspiring chant. (I’m looking at you, Todd Davis, former CEO of personal fraud-protection company LifeLock.)
Perhaps you’ve seen Todd’s 2007 ad campaign where he plastered his social-security number all over billboards, TV commercials, the internet and on the side of a truck. Evidently, when you reveal your most sensitive information to the entire population, some people take advantage. Who would’ve known? Besides everybody?
Image Source: boingboing
No one was terribly surprised to learn that Todd Davis has been an identity theft “victim” 13 times between 2007 and 2008. It was also no surprise that his overconfident advertising was deemed “deceptive” by regulators who have since developed laws to prevent such claims in the future.
But the worst thing LifeLock did was provide their clients with an all-too-real definition of irony. Yes, the company claiming to protect PII actually exposed their clients’ email information.
Anytime a customer chose to unsubscribe from LifeLock’s marketing lists, that customer was sent to a typical-looking unsubscribe page. Like most other unsubscribe pages, it displayed the customer’s email address along with the following directions:
“Use the fields below to unsubscribe [email protected] from LifeLock email communications.”
But LifeLock’s unsubscribe page turned out to contain one small boo-boo. It revealed customer “subscriber keys” right in the unsubscribe page’s URL.
By manually changing the subscriber key in the URL, anyone could bring up different customers’ unsubscribe pages, each displaying a different customer’s email address. Further, the subscriber keys were assigned in sequential order rather than as GUIDs (globally unique identifiers). This means it would have been easy to write code that stepped through the keys and pulled every customer email address from every unsubscribe page. Whoops-a-daisy.
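The two designs side by side, as an added illustration that is not code from the article or from LifeLock: the vulnerable page resolves a sequential row id straight from the URL, so any neighbouring key yields another customer’s address, while the hardened page only resolves an opaque random token issued per customer. The customer table and addresses are constructed sample data.

```python
import secrets

# Constructed sample data for this example; not real customer records.
CUSTOMERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}


def page_text(email):
    return "Use the fields below to unsubscribe " + email + " from email communications."


# --- Vulnerable design: the subscriber key in the URL is the sequential row id.
# Whoever sees ?key=1001 can simply try 1002, 1003, ... and read every address.
def unsubscribe_page_sequential(subscriber_key):
    email = CUSTOMERS.get(subscriber_key)
    return page_text(email) if email else None


# --- Hardened design: the key in the URL is an opaque 128-bit random token
# (what the article calls a GUID), issued per customer and stored server-side.
# Nothing in one token helps anyone derive the next customer's token.
TOKEN_TO_ID = {}


def issue_unsubscribe_token(subscriber_id):
    token = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG, URL-safe
    TOKEN_TO_ID[token] = subscriber_id  # a real system would store a hash of it
    return token


def unsubscribe_page_tokenised(token):
    subscriber_id = TOKEN_TO_ID.get(token)
    if subscriber_id is None:
        return None                     # unknown or tampered token: reveal nothing
    email = CUSTOMERS.get(subscriber_id)
    return page_text(email) if email else None
```

Scoping the token to the unsubscribe action and expiring it after use are cheap extra layers; they do not replace the unguessable token, which is the actual fix here.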
Image source: KrebsonSecurity
LifeLock set every customer up for the easiest email phishing scheme in the world. It would have been simple for a hacker to send fake emails directing customers to make payments through a false website that looked like a LifeLock payment screen.
Fortunately for every LifeLock customer, outside security pros discovered the flaw, put on their good-Samaritan hats and blared alarm bells into LifeLock’s sleepy ears. Crisis averted, for now. (But if you’re a LifeLock customer, I’d keep my eye on their unsubscribe pages if I were you.)
Lessons Learned from LifeLock:
Besides the all-important rule of “don’t be stupid,” it’s also important not to be too trusting. LifeLock’s unsubscribe pages were managed by an outside partner. When shopping for vendors that handle your clients’ identities, do your homework. Treat them as skeptically as you treated that dubious jock who wanted to take your daughter to prom. (He said you can trust him. But they all say that.)
If homework never was your thing, here’s a cheat sheet: Janrain is a trusted partner for customer identity and access management (CIAM) needs. They’re like the innocuous brainy student who was picked on but subsequently got beautiful revenge by showing up at the 10-year reunion in a BMW i8. But I digress.
Equifax — the credit reporting agency established to give anyone on earth the ability to judge you like the irresponsible ninnyhammer you are — was exposed as being dumber than the rest of us. Not only did they allow private information of over 145 million Americans to be stolen in September of 2017, but they even tweeted “Happy Friday!” the day after it happened. (Enter thug-life sunglasses here.)
Image source: Twitter
What kinds of information were stolen? Nothing much. Just vast multitudes of names, birthdates, addresses, social-security numbers, driver’s license numbers, credit card information, and a few other odds and ends. So… No biggie…
It was also no biggie when users went totally ape doodies over the revelation that Equifax hired a music major as their chief of security. Or when their ex-CEO, Richard Smith, admitted to the House Energy and Commerce Committee that the entire data breach was caused by the neglect of just one employee.
As Rep. Greg Walden said to Smith when trying to figure out what kind of new legislation could prevent this type of thing from happening again, “I don’t think we can pass a law that fixes stupid.”
A lack of patching happened.
Servers and routers, as well as other devices in a company’s IT environment, need to be routinely patched. For the uninitiated, “patching” means making repairs to system vulnerabilities as they’re discovered.
An Equifax employee didn’t do that. Yeah. It was as simple as that.
Lessons Learned from Equifax:
Keeping an IT environment patched can certainly be labor-intensive. So if your IT employees are anything like the ones Equifax hires (i.e., they’re too busy playing Fortnite at work to worry about keeping your business safe), let a firm like Cloud Management Suite patch everything for you.
Another lesson is to hire right. Look for candidates with a track record of proven responsibility, and don’t be too stingy with salaries for people who keep your company safe. Sometimes, experience and a little grey hair are more important than a swag company image.
Decentralized Autonomous Organization
As most people know (or claim to know so they can sound smarter than their coworkers), a decentralized autonomous organization operates on a blockchain.
One such organization was simply called The Decentralized Autonomous Organization (DAO). It was built on the Ethereum blockchain and served as a venture capital fund using the Ether cryptocurrency. The DAO allowed people to pitch their project ideas to the DAO community in hopes of receiving funding.
The Decentralized Autonomous Organization started strong. It accumulated 12.7 million ether, which was worth in the ballpark of $150 million.
The organization grew in membership and funding, and it’s one of the strongest VC firms to this day. Just kidding. The DAO failed miserably.
The Decentralized Autonomous Organization had a dumb weakness. And wherever there are dumb weaknesses, there are grubby hackers.
What was the weakness?
In June 2016, a hacker was able to exploit a bug in the DAO wherein he could repeat the same transaction many, many times before the system would check his balance again.
To illustrate, think of an ATM. ATMs, of course, always check the user’s balance with each withdrawal attempt. When a user slides a bank card in the machine and asks, “Could I have $1,000, please?”, but there’s only $5.00 in the user’s account, the ATM takes a look and either says, “Sure, here you go, kind sir!” or “Sorry, loser… insufficient funds.”
But due to a gaping vulnerability in the DAO’s code, the system failed to check the balance when a hacker requested to withdraw large amounts of Ethereum. So, the hacker’s transaction went something like this:
Hacker: Hi, DAO! Could I withdraw $1,000, please?
DAO: Sure. Here you go.
Hacker: How about another $1,000?
Hacker: And another?
DAO: You betcha.
This silliness continued until $50M worth of ether was drained from the DAO, as illustrated in the image below.
Image source: CCN
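The dialogue above in miniature, as an added toy model that is not code from the article, the DAO, or Ethereum: the vulnerable vault pays out and hands control to the recipient before it reduces the recipient’s balance, so every re-entrant “and another?” is checked against the stale, still-full balance; the safe vault reorders the steps (checks, then effects, then interactions) and the same recipient gets exactly what it is owed. Account names and amounts are constructed.

```python
class VulnerableVault:
    """Pays out and calls the recipient *before* reducing its balance, so a
    re-entrant withdraw is checked against the old, still-full balance."""

    def __init__(self):
        self.balances = {}   # what each account is owed by the vault
        self.wallets = {}    # ether each account has actually received
        self.ether = 0       # ether the vault currently holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, who, amount, on_receive):
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient funds")
        self.ether -= amount                                  # 1. pay out
        self.wallets[who] = self.wallets.get(who, 0) + amount
        on_receive(self, who, amount)                         # 2. external call
        self.balances[who] -= amount                          # 3. effect, too late


class SafeVault(VulnerableVault):
    """Checks-effects-interactions: reduce the balance before the external call."""

    def withdraw(self, who, amount, on_receive):
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient funds")
        self.balances[who] -= amount                          # effect first
        self.ether -= amount
        self.wallets[who] = self.wallets.get(who, 0) + amount
        on_receive(self, who, amount)                         # interaction last


def reentrant_receiver(vault, who, amount):
    """The recipient's payment hook: asks 'how about another?' while the vault
    still holds ether and its (possibly stale) ledger still says it may."""
    if vault.ether >= amount and vault.balances.get(who, 0) >= amount:
        vault.withdraw(who, amount, reentrant_receiver)


def run_scenario(vault_cls):
    """Honest members deposit 9 ether, the attacker 1; returns how much ether the
    attacker's wallet ends up holding after one withdraw call."""
    vault = vault_cls()
    vault.deposit("honest", 9)
    vault.deposit("attacker", 1)
    vault.withdraw("attacker", 1, reentrant_receiver)
    return vault.wallets["attacker"]
```

Against the vulnerable vault the single call drains all 10 ether and leaves the attacker’s ledger balance at -9, which is the tell a post-incident audit would find; against the safe vault the second request fails the balance check and the attacker receives the 1 ether it deposited.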
Fortunately for the good people of the DAO community, who were undoubtedly mad as a mule chewing on bumblebees, most of the money was returned. But not before a raging digital war between the bad-guy hacker and a brave band of white-hat hackers.
NOTE: The next few paragraphs are best read while listening to a dramatic movie score. This one works nicely. Are your earbuds in? Okay, here we go.
The Hacker Caught a Bug. Just when the hacker (whose identity remains unknown) was poised to take 100 percent of the DAO’s funds, his/her efforts mysteriously stopped working. The pause in hacking provided time for countermeasures.
The Good Guys’ Plan. A small group of good guys, known as “the Robin Hood group,” devised a plan to hack into the DAO, drain its remaining currency and return the funds back to its rightful owners.
Attempt #1: Epic Fail! One of the good guys was about to “push the button” to deploy the counter-hack. But (get this) his internet went out right before he could deploy the plan. Yes, that actually happened. Worse, the time frame to launch this plan was very short. And the Robin Hood group missed their brief window.
Attempt #2: Success? The bad-guy/girl hacker came back a few days later and was up to his/her old tricks again. But the Robin Hood group was ready. First, they tweeted to the DAO community that they were draining its remaining currency. Then, they commenced draining. Hooray.
Except they couldn’t shout “hooray” just yet, because the bad-guy/girl hacker was still trying to hack the funds back again. (Wow, he/she just never quits, does he/she?) This power struggle could have gone on until Armageddon. But it didn’t. Here’s why.
Rewriting History: The Hard Fork. Finally, the good guys had quite enough of the bad guy/girl’s shenanigans, so they created a “fork” — which was a change to the Ethereum blockchain. The fork initiated a totally new offshoot of the DAO. It rewrote history by restoring the DAO currency (ether) to its pre-hacked state, which enabled its investors to take their money and run.
Rest in peace, DAO.
Could this entire hacking spectacle have been prevented in the first place? Yep! For example, Zeppelin wrote 15 lines of code that would have done the trick.
Lessons Learned from the DAO:
There’s a misconception among some that blockchain makes all things safer. This story is one among many that proves otherwise. Also, this “hack” really wasn’t a hack at all. It was just a neighborhood thief stealing money because the DAO’s back door was left open… with nobody home… and cookies left on the table…
Are there any open doors in your company’s security?
Swedish Transport Agency
Maybe this is a cheap shot, but I can’t fail to mention a government agency in an all-time “dumb” list. So let’s talk about that time in 2015 when the Swedish Transport Agency leaked everything.
No, really. They leaked every possible thing.
- Names of undercover special-intelligence agents
- Sensitive details about rail and maritime infrastructure such as roadways, ports, subway systems, bridges, etc.
- Driver’s license info (including names, addresses and picture IDs) of every Swedish resident
- Information regarding every vehicle in Sweden, including civilian, police and military vehicles
- Information regarding individuals in Sweden’s witness-protection programs
- The identities of Sweden’s air-force pilots
- You know… those kinds of things
According to official reports, it’s “not known” whether the widespread data leak threatened Sweden’s national security. (Translation: “Oh yeah. There’s no way this could be good for Sweden’s national security.”)
In a nutshell, the Swedish Transport Agency allowed IT contractors from outside agencies — and even outside countries — to gain full access to all the information mentioned above.
In 2015, the Swedish Transport Agency outsourced its vehicle and license register to IBM Sweden in an effort to save money. IBM Sweden employed subcontractors located outside of the European Union, in locations such as Romania, Serbia and the Czech Republic.
Besides saving money, the Director General of the Transport Agency also wanted to save time, and therefore decided to ignore several security practices. One of the pesky security precautions the agency ignored was the one that said to keep sensitive information away from anyone without a security clearance.
After the data leak, the agency said it had no indications that the information was viewed by anybody but the IBM contractors. (I bet that was a big consolation to families in witness protection programs.)
Lessons Learned from the Swedish Transport Agency:
Besides the lesson that it’s never okay to get lax about following standard protocols (we seriously haven’t all learned this yet?), we should also remember that our mistakes are our mistakes. Even though IBM employs international contractors, IBM Sweden wasn’t to blame for any of this.
When a company or government agency becomes careless, no amount of finger pointing will satisfy an angry public. In short, doing the right thing is always the right thing, even if it’s expensive or time consuming.
Level One Robotics and Controls
That’s quite the fancy name you’ve got there, Level One Robotics and Controls. It would be a shame if you were to do something un-fancy, like leak 47,000 secret files containing factory data records pertaining to Ford Motors, Toyota, General Motors, Fiat Chrysler Automobiles and even Tesla. Boy, would that be stupid. Oh, wait… you already did that in July of 2018? Sorry to hear that. I’m sure no one noticed.
Okay; now that they’ve left the room, let’s talk freely. Level One Robotics and Controls is a Canadian-based company that provides engineering services. They specialize in automation process and assembly for automotive suppliers. Clearly, they didn’t take the importance of security seriously enough.
The almost 47,000 files were exposed through the rsync transfer protocol. The rsync server was unrestricted, and the files could be downloaded by any client with a connection to the rsync port. Worse, the rsync server that housed the files was publicly writable. This means anyone could have edited the data within the documents, or even loaded malware into the files.
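An added check, not code from the article or from Level One, that audits an rsync daemon configuration for exactly the conditions described above: a module that anyone can reach, that anyone can read without credentials, and that is writable. The option names (`read only`, `hosts allow`, `auth users`, `secrets file`, `list`) are real rsyncd.conf options; the two configuration fragments, the module name and the paths are constructed for the example.

```python
# Constructed rsyncd.conf fragments for illustration (not Level One's real config).
WEAK_CONF = """
[engineering]
    path = /srv/share
    comment = factory docs
    read only = no
"""

HARDENED_CONF = """
[engineering]
    path = /srv/share
    comment = factory docs
    read only = yes
    list = no
    hosts allow = 10.20.0.0/16
    auth users = build-agent
    secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text):
    """Minimal parser: returns {module: {option: value}} for each [module] section."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            modules[current][key.lower()] = value
    return modules


def _truthy(value, default):
    return default if value is None else value.strip().lower() in ("yes", "true", "1")


def audit_rsyncd(text):
    """Flags, per module, the weaknesses that the Level One exposure illustrates."""
    findings = {}
    for name, opts in parse_rsyncd_conf(text).items():
        issues = []
        if not _truthy(opts.get("read only"), True):      # rsyncd default is yes
            issues.append("writable: read only = no")
        if "hosts allow" not in opts:                      # default: every address
            issues.append("unrestricted: no hosts allow")
        if "auth users" not in opts:                       # default: anonymous
            issues.append("anonymous: no auth users")
        if _truthy(opts.get("list"), True):                # default: listable
            issues.append("advertised: module is listable")
        findings[name] = issues
    return findings
```

`hosts allow` is an application-level allowlist; the daemon port (873/tcp) still belongs behind a network firewall or VPN, which this check cannot see.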
What was leaked? Contracts, invoices, layouts and blueprints of factories, automation activities, robotics specs and configurations, animations, nondisclosure agreements and more. Basically, there was certainly enough leaked information for bad guys to sabotage things quickly.
Lessons Learned from Level One Robotics and Controls:
First, don’t judge a company by the fanciness of its name. (Enron and Lehman Brothers had cool names, too. Remember them?)
Second, be aware and ever-knowledgeable of your organization’s security strengths and risk factors. Never let your guard down, and remember the basics, such as “always be monitoring,” “knowledge is power” and “expect the unexpected.” These clichés have been around forever because they’re true.
Third, and this one is also basic-but-true, keep your data-storage encrypted. A tool like Backblaze encrypts data and data transmission.