Once again on the same, silent, alarming terms as we have before, we meet again. While it may seem that just only a moment ago, the buoyancy of the Data Broker’s immovable ships were threatened by what was considered an Unprecedented Breach, it appears that the Year of Our Lord two thousand seventeen decidedly challenged the norm, and doubled down hard on shock and awe.
If you weren’t around last year, or were simply uninterested in the flamboyant parade of press releases (albeit some more silent than others) of yesteryear, here is a quaint rundown on the last breach scandals:
River City Media or the “Spammergate” issue
Blue Cross Blue Shield / Anthem
TigerSwan Government Contractor
US Securities and Exchange Commission
The latter 4, I have a particular interest in for a multitude of reasons, as you should too. The good, bad or indifferent last year should have shown us that the house of cards on which these institutions based their competence of digital security, was less than…substantial. But what does the magnitude of these enormous breaches say about us, the consumer? Are we so desensitised that we feel that there is nothing that can be done to better protect the data we hold valuable? And if it seems of little value to us, do we not see the transposed value leveraged by those with nefarious ambitions? Wait, don’t answer that, just let it really sink in first.
For the past 4 years, these questions have baffled me beyond any conceivable logical conclusion. Injecting my realities with this present day dilemma, that I have repeatedly dissected, discussed, and debated at every offered opportunity in conversations relative to Information Security, GDPR or simply on digital privacy through lines. Yet, to this day the problem still sits, patiently with no urgency to remove itself from the equation, as if without a worry in the world. And why should it, when the world itself seems to carry on without a worry of its very existence. Why are we not moving faster, stronger, harder with elevated Authentication Levels as NIST has suggested in her 63 series? Why has the world decided to ignore this monster under the bed of our data when we still hide money under the mattresses of banking institutions?
Or more simply put, what are our lawmakers doing to remedy this reoccurring pain. No pun intended, but the reality of this answer is akin to that which Big Pharma provided in response to the “Pain” problem which in turn left us with an Opioid Epidemic across the heartland. The irony is thicker than our bacon-clogged arteries my friend. Listening to the many Senate hearings, and (thanks to the Electronic Frontier Foundation) watching the play-by-play of the Digital Security hearings, proved to be quite revealing. The home team just isn’t prepared to present its case, simple and plain. I sat a few weeks ago like a proud little brother on the sidelines of one of the many Equifax-related Senate hearings, eagerly waiting for the “Big Guns” to be deployed against the barrage of questions that zeroed in on the Who, What, When, Why, Where of the breach.. .and then felt, but for a small moment, embarrassed to be on that side of the court. The questions were direct, the answers even more succinct, but the follow-through was just simply, awfully, ill-prepared. After consulting with a multitude of privacy lawyers, I found myself in a disarray. The foundation on which I built my faithfully calloused by preconception and battle-hardened sense of self and ego, was simply not a reality. The side of the Consumer (with no direct intention to insult ANYONE who is taking up the good fight) is simply, inexcusably, inexplicably under prepared. But we have a remedy for that, in time. I digress…
It was only 3 years ago, that our leadership was providing strategic advise to an organisation that had come upon 1.2 Billion credentials. That story was released at the RSA conference of ’14 and while the light of the burning torches that followed the scandal lasted longer than anticipated, it fell short of the grandiose defiant storm of an uproar that we had forecasted for all those nights since. There was no Mark Felt to substantiate the claims that were made then, and there certainly are no figures now who will pick up the torch, or give an ounce of weight to the following.
CNN, Courier Journal, FOX, DNC, VISA, Gmail, Army, Navy, CIA, FBI, DTRA
What is interesting about these 1.5 Billion Credentials is that they were found via a torrent NOT on the Darknet, NOT behind some secret encrypted firewall hinged between a missing service and loose vowel. Nope. Not even remotely guarded like a teenager’s snapchat. It’s almost as if the creators of this database wanted the world to know that we had reached a critical mass of obligatory malfeasance. That is to say that the we, the us had become so desensitised by the words breach, leak, hack, and exploit that the utterance of these words have become a blasé cliche.
This story is no different, it serves as a marquee to the fact that we now live in and have been for quite sometime living in the silent clenched grip of a desensitised and over-bored public, most of whom have quickly tired of the melancholic doom-and-gloom attributed to these news reports until a select few found the urgent veracity of the subject, as victims of a violation beyond reproach. As an advisor to interest groups and law firms that represent such victims, I wish this reality on no person. It is painful, humiliating to endure, time-consuming to unearth and relatively uncharted territory for most.
Personally, it has become an anticlimactic rollercoaster of sorts, but this is not why we do this job. Our interpretation of unequivocal universal law supersedes the superficial urge for glamour, fortune and fame. The truth is ultimate, singular and in time her voice will resonate above all with her listeners. Hopefully this occurs in a time frame that will allow for a significant change in how we as a people store, trust and leverage personal identifiable information. When we first took a glance at this database, the obvious search strings were placed in the query box like any other. No big red flags, no glowing signs, not a burning bush in sight. Digging deeper, we searched like kids with a new pirates treasure map for the next big “oh snap” domain (typically ending in .gov or .org and preceded with the latest political scandal related domain like DNC, or GOP). It was like a Nintendo game that you’ve played through level by level, defeating every boss multiple times to the point where you could almost predict the outcome…this was no exception. The rhythm became tangible, and the pattern appeared like invisible ink surfacing. Falling victim to my own force of habit, I called in every major player in my career rolodex to assist, we needed to slow down and possibly put a hold on the impending damage that would befall the institutions that I hold dear. This time, we found it and together managed to hit pause. The name of this undertaking, this magnificent effort and initiative is #NoSecrets, and as the name implies, there shall be none. As we uncover this treasure trove, so shall you too see it in its entirety. It is open and transparent for all to see and for all to contribute to with their own conclusions, adding a drop to the sea of constellations of reasoning and understanding a cavernous breech of such magnitude.
Do your own research, don’t simply take our word for anything. But if you have time to kill, perhaps a gander over at the ICIJ.org website with a specifically keen interest in the Panama Papers will give you a good starting ground to begin your search. I dare you to discover just how connected you are to some of those stories, and uncover a glimpse into the minds and lives of those who’s names are found in this database.
But this isn’t the story, the story that we are all reaching for with this drop is the “Why”.
Why on earth would someone post such a file and make it so accessibly public? Or is the question rather “Why Not”? How many will take this story (unequivocally change their passwords) and then push it through, begin asking the right question to the right people? Or better yet, remember it longer than the runtime on of the latest TMZ advert. In the eternally famous words of one of my favourite Orwellian-style rants from The Network, “Things are bad but this is only the beginning.”
Cyber Insurance companies are drafting up policies to shore up the hollow concerns created by the “institutes that care” in attempts to assuage their clients (that’s you). Its a lovely sentiment that goes like this, “Although there is unfortunately absolutely nothing that you can do about what has already happened, and you have our full condolences for your setback, we assure you that we have your interest. For the love of cookies, don’t take this sugary concern-coated bait. Force your change. Make your mark, and know your worth. But before you wage this war, change your passwords, make them strong, long and nonsensical. Do not rely on them alone, as you can see here the underworld of cyber crime is no longer playing the same game it did a few years ago. Your credentials are the first grab, your identity is the score. 2Factor Authentication should be the minimum requirement for any service that you chose to leverage, on any platform that uses your username and password to gain entry. Change your passwords very frequently. What was once required of seasoned Cyber Security Professionals are not being passed on to you dear citizen. No longer are the days of coddling and catering to your nubile ignorance something we can afford. You must take your privacy seriously if you intend for the companies and agencies that dictate how privacy laws will be enforced to govern them. Your ignorance of what you should demand from lawmakers have been the crux on which many have relied on for quite sometime. Now I urge you to educate yourself, know your enemy and do not go silently-into-the-night! One day you will be upset, or perhaps you will not. Either way the coin drops, you will make a choice on how to digitally protect and arm yourself in this cyber-skirmish that we seem to have found ourselves in.
My answers to this riddle supplant any logical identifier capable of reason, so I will not impose my reality on you. What I do wish however, is that the reader understands the grave nature of this situation. Whether you are in a tango with the latest political conspiracies (blatant facts) or if you simply have a keen eye for historical activities that ironically seem to be repeating themselves. One way or another, you should see that there is something to be said about the sheer number 1.5 Billion of usernames and passwords, in a world where…
We are leveraging email addresses and passwords to access our latest ICO or BITCOIN Exchange. We use email and passwords for just about every online service created to make our lives seemingly easier. The passwords, oh the passwords! While we watch the InfoSec bulletins, we choose for simplicities sake not to make them unique across accounts. Meaning, the likelihood of the password found in this database being used by you on other accounts as well such as your bank account passwords, your One Login Master Password etc are incredibly likely. Do you see the dilemma here? Could you possibly make it any easier? The fact remains that although the “breach climate” is so suffocatingly apparent, it is still never a matter of IF a company will be breached but when.
PS: If you are curious, please have a look at our #nosecrets Project