Brian MacKenzie: 2017 Was a Notable Year for Cyber Insecurity
January 8th, 2018, 8:00 AM
The writer was a 52nd District Court judge in Novi and assistant state attorney general. He's chief financial officer of the Justice Speakers Institute and a Deadline Detroit contributor.
By Brian MacKenzie
Malware attacks occur every 40 seconds and tend to focus on small businesses, says Southfield attorney Jon Sriro, a cyber law specialist at Jaffe Raitt Heuer & Weiss.
Many virtual attacks use code known as ransomware, which restricts in-house access to computer data. The thief then demands a payment to remove the restrictions.
An example in Michigan involved the Lansing Board of Water & Light, which paid $25,000 to unlock its internal communications systems. Last year, ransomware hacks cost almost $5 billion, according to Cybersecurity Ventures, with the average ransom payment around $1,400.
Ransomware attacks were not the only virtual assaults in 2017. As I noted in a recent column, the theft of the data from the Equifax credit reporting agency was the cyber insecurity story of the year.
While it was not the largest in terms of records exposed, the ‘mother of all breaches’ was significant for the type of information stolen. Half of this country had its Social Security number taken, along with special identifiers like your mother’s maiden name. The company’s failure was exacerbated by its inept reaction, which delayed the fix and caused additional problems for individuals trying to protect their privacy.
Accidental Leak of Voter Data
However, the mother lode of all leaks was from the data-analytics firm Deep Root Analytics. They accidentally released personal information of every American voter. This is believed to be the single biggest leak of personal information, involving almost 200 million people. The leak revealed names, birthdates, addresses and phone numbers.
The disclosure revealed personal information about those of us who vote, including our stance on 48 political issues such as abortion, gun control, stem cell research and the environment. What makes this all the more concerning is that the company was not attacked. Apparently someone just pushed the wrong button.
While the Deep Root Analytics leak was the largest information leak of 2017, Yahoo admitted in October of this year that the massive breach in August 2013 affected over 3 billion user accounts, 2 billion more than it had revealed in December of 2016.
The information exposed can be used for large-scale automated attacks called ‘credential stuffing’. Credential stuffing is the automated use of illegally obtained username/password pairs in order to gain access to a user’s financial accounts, such as banks or credit cards.
2017 was also notable for the high volume of mistaken data releases directly tied to cloud storage. Among the many organizations that accidentally leaked private data into the cloud were Verizon, the Republican National Committee and Accenture. The cause of these disclosures was Amazon storage buckets whose configuration failed to limit access to authorized users.
If you own one of the new popular smart products, including Amazon Echo, Google Home and Samsung's Gear S3, you are exposed to a Bluetooth cyber attack known as Blueborne.
This incursion doesn’t require the user to do anything in order to become a victim; they merely need to have the device’s Bluetooth turned on and the attackers can pair with it and install their malware. The vulnerability gives the hacker full control of any device running Linux or operating systems derived from Linux, including your cellphone.
Finally, the vulnerability of your Wi-Fi was highlighted this year. KRACK (Key Reinstallation AttaCK) allows a thief to bypass Wi-Fi security. KRACK doesn’t go after a device; rather, it downloads the information you send. So while your devices are themselves safe, when you use them to send a credit card number, password, email, or message over Wi-Fi, that data can be stolen.
So, what can you do to protect your online privacy? The answer for individuals, unfortunately, is very little. You can change your passwords more often and make them more random. You can freeze your credit information and check it on a regular basis. However, as voters we can start telling our representatives that they need to take action to prevent the theft of our personal and financial information.
Congress must pass a law ending the use of our Social Security numbers as the linchpin of credit reporting. Consumers must be given free access to their credit report at any time and notified of any changes that are made to their credit history. Congress should vote to restore the rules they repealed in March that prohibited Internet service providers from selling your data without your permission.
However, Congress will only act if you as voters make them.