Showing posts with label Equifax.

Monday, October 9, 2017

Privacy and Ethics

Security, ethics, privacy and confidentiality: how they relate on today's internet.
In a previous post we discussed Security and Ethics. Today we follow up on ethics and information privacy, and discuss how privacy is treated online.

We're living in interesting times. Around ten years ago, the biggest ad agency of all time started tracking and reading personal information. Tracking has since expanded from your browser to, basically, everywhere. In case you are not sure what I mean, let's examine where tracking is happening.

Tracking is Everywhere

Tracking today happens on:
  • E-mail providers: Gmail, Outlook, Yahoo! and everyone else are reading your email. What about you? Are you reading your own emails? 
  • Search engines: where do you think Google, Bing, Yahoo!, et al. get their money from? But wait! We do seem to have an option that does not track you. 
  • Social networks: every social network these days tracks you and reads your data. And they make a lot of money from it. 
  • Companies: Google, Apple, Microsoft, Facebook, Amazon and everyone else are tracking you not only when you use their services but, if you're using their gadgets, you're probably being tracked there too! 
  • TVs: smart TVs, like Samsung's, are spying on viewers. 
  • Smart devices: other smart devices are tracking their users as well. 
  • Virtual assistants: virtual assistants are also tracking their users. 

Tracking and Privacy

But people are starting to notice that privacy invasion is becoming, or will become, an issue. And that is a good thing!

Maybe this change is happening because of the impact of the recent, very significant data leaks at Equifax and Deloitte; or because people's personal pictures leaked online; or because their Dropbox, Adobe, LastPass, personal e-mail, mobile operator and so many other services suffered a leak, they lost confidential information and/or fell victim to a scam, phishing or smishing because of those leaks. Who knows? It doesn't matter.

What matters is that society as a whole needs to be aware of how our privacy is being disrespected and start demanding change. Unfortunately, neither governments nor companies are doing their share; they keep doing everything possible to get access to your data, ethically or unethically. But why is that happening?

Remember: If a product is free, you are the product

As we already touched on in the Security and Ethics post: why is all this happening? Why now?

To understand that, we first need to reflect on why a company would give its products away for free. Since the majority of them are not charities, maybe this is happening because they make tons of money from your data and from ads.

For example, here's how Alphabet (Google's parent company) makes money (88% from ads):

Source: http://www.visualcapitalist.com/chart-5-tech-giants-make-billions/

And here's how Facebook makes money (97% from ads):
Source: http://www.visualcapitalist.com/chart-5-tech-giants-make-billions/

US$ 106 billion per year in revenue from ads

As shown in the charts above, advertising generates 88% and 97% of Google's and Facebook's revenues respectively. That's USD 106.36 billion per year from your data, all from "free products" like Facebook, Gmail, YouTube, Instagram, Android, Google Docs, etc. That's why they say that if a given product is free, you are the product.

All that said, we should be concerned. Not because we're doing things we're not supposed to do, or because we're being served too many ads, but because our information is being scanned without consent or further notice.

This is not a financial but an ethical decision. It's not about stock prices or revenue per user.

Privacy concerns have reached a limit and people are starting to realize that. You can see it in Google searches decreasing (more on that later), in the increased use of tools like DuckDuckGo (which I recommend), and even in the growing adoption of free/open-source projects like LibreOffice or Firefox that do not track your data. Not because they are better, but because they are safer and more trustworthy: if I can read the code, I can trust it.

Privacy - What are our options?

So where should we be? What should our companies be doing? This is what I would like to see: companies that explicitly care about your privacy, and an internet and lives that are better because everyone cares about it.

Here are my humble suggestions.

Browser

My browser of choice is Firefox. Yes, I know there are other options, but for my daily use (including development) it works very well.

Search Engine

I believe my search engine shouldn't track me. That's why I use and recommend DuckDuckGo.

Operating System

I want privacy in my desktop operating system. That's why I use Fedora Linux.

Phone

I wish for a modern phone that respects my privacy and runs all the apps I like. Who knows, maybe the Librem 5 or the PinePhone will one day make it happen? I'm closely monitoring their development and it's getting close, real close!

Final Thoughts

Think about it. Think about the necessity of protecting our privacy and our families' privacy. Think about the impact it can have 20 or 30 years from now. Think about how we can make the web and our lives safer for ourselves and for future generations.

Update [Mar 13, 2018]: There is a very nice description of why you should consider migrating away from LastPass here. 
Update [Mar 13, 2018]: Good news! Purism just showed some updates on the Librem 5 phone here.

Friday, September 8, 2017

Security and Ethics

Understand why reputation, security and ethics matter today, and learn how they affect your security online.
Security is important. We also know there is no such thing as absolute security. But can we do better?

Of course. We can and should do our best to secure our applications, infrastructure, code, policies, etc. But in the end, security is just another technical requirement, albeit a very important one that supports a company's reputation and how it is perceived. In this post, let's discuss reputation, security and ethics: why they matter, and how they affect online security in information technology.

Reputation

Reputation is a very important asset that companies (and people) should pursue and work hard to keep, because once lost, it's hard to regain. For example, a recent survey by the Identity Theft Resource Center (ITRC) found that 41 percent of respondents said they wouldn't do business with a breached company again.
With that said, let's discuss LastPass and LogMeIn before moving on to the latest Equifax hack.

The LastPass case

I was looking for information on password managers and found this interesting post on Troy Hunt's website describing why he decided to stop using LastPass after it was acquired by LogMeIn. In the post he says:
Companies like LastPass live and die by reputation and incidents like their breach in July that exposed master password hashes are hugely significant due to the impact it has on the perception of the company.

The Equifax case

Now, let's jump to Equifax. According to Wikipedia,
Equifax collects information on over 800 million individual consumers and more than 88 million businesses worldwide. Equifax has US$ 3.1 billion in annual revenue and 9,000 employees in 14 countries.
Not a small company, right? But what about the hack?
In September 2017, Equifax announced a cyber-security breach, which it claims to have occurred between mid-May and July 2017, where cybercriminals accessed approximately 143 million U.S. Equifax consumers' personal data, including their full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers.

Equifax also confirmed at least 209,000 consumers' credit card credentials were taken in the attack. The company claims to have discovered evidence of the cybercrime event on July 29, 2017. Residents in the United Kingdom and Canada were also impacted.
According to Bloomberg and Ars Technica (just to name a few), it's probably "one of the biggest hacks in history". Personally, I couldn't agree more. Ars Technica describes it:
the Equifax data breach is "very possibly the worst leak of personal info ever." The breach, via a security flaw on the Equifax website, included full names, Social Security numbers, birth dates, addresses, and driver license numbers in some cases. Many of the affected consumers have never even directly done business with the giant consumer credit reporting agency.

A highly problematic solution

If all of that wasn't enough, Ars Technica also reports that the site created to alert users, www.equifaxsecurity2017.com, was "highly problematic for a variety of reasons". For example, on 9/8/2017 at 9AM PT the site was found to be leaking data:

Source: Ars Technica

Yes, an open endpoint leaking data on a website created to reassure users that everything is supposed to be OK. It was removed shortly after, but you get the idea. The company, whose reputation and perception were already damaged (because of insecure systems), was trying to calm everyone down with a website full of naive technical defects.

A highly problematic solution - Part Deux

Update: On Sep 17, 2017, Brian Krebs reported that researchers found an Equifax portal in Argentina, with access to extremely confidential information, configured with admin/admin:
It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”
How critical is that? I think we're seeing a sad pattern here. I hope we don't see any more chapters in this story, because the leak is already critical enough.

A highly problematic solution - Part Trois

Update: On Sep 21, 2017. Yes, it can get worse! According to The Verge:
In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.
Gizmodo captured the tweets:

Source: gizmodo.com

I'm pretty sure there's a lot more out there exploiting the situation. The level of incompetence is astonishing!
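The mistaken link above is the kind of thing a pre-publication check catches. What follows is an added example, not code from the original post or from Equifax: before a link goes out in an official message, its host is checked against an allowlist of domains the organisation actually controls (the allowlist contents here are a constructed assumption), and hosts whose letters are merely a rearrangement of an owned domain, such as the transposed securityequifax2017.com, are flagged as lookalikes rather than silently treated as unknown.

```python
"""Pre-publication link check: is this URL's host one we own, a lookalike
of one we own, or something else? Added example; not the original post's code."""
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Assumption for the example: the domains the organisation controls.
# The breach-notification site named in the post is included for illustration.
OWNED_DOMAINS = frozenset({"equifax.com", "equifaxsecurity2017.com"})


def extract_host(url: str) -> Optional[str]:
    """Return the lower-cased host of an http(s) URL (port and trailing dot
    stripped), or None for anything that is not a plain http(s) link."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_owned(host: str, owned: Iterable[str] = OWNED_DOMAINS) -> bool:
    """True if host is an owned domain or a subdomain of one.
    The comparison is on label boundaries, so 'notequifax.com' and
    'equifax.com.evil.example' do not match 'equifax.com'."""
    return any(host == d or host.endswith("." + d) for d in owned)


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def lookalike_of(host: str, owned: Iterable[str] = OWNED_DOMAINS) -> Optional[str]:
    """Cheap heuristic: a host that is not owned but uses exactly the same
    multiset of characters as an owned domain (word order swapped, letters
    transposed) is reported as a lookalike of that domain."""
    bare = _strip_www(host)
    for d in owned:
        if bare != d and sorted(bare) == sorted(d):
            return d
    return None


def check_link(url: str, owned: Iterable[str] = OWNED_DOMAINS) -> str:
    """Classify a link as 'owned', 'lookalike', 'unknown' or 'invalid'.
    Only 'owned' should be allowed through without a human looking at it."""
    host = extract_host(url)
    if host is None:
        return "invalid"
    if is_owned(host, owned):
        return "owned"
    if lookalike_of(host, owned):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the two domains the post mentions.
    for link in (
        "https://www.equifaxsecurity2017.com/",
        "https://securityequifax2017.com",
        "https://equifax.com.evil.example/",
        "javascript:alert(1)",
    ):
        print(f"{check_link(link):9s} {link}")
```

The anagram heuristic is deliberately narrow: it catches word-order swaps and letter transpositions but not homoglyphs or added words, so treat "unknown" as "a human must look", not as "safe".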

Ethics

And then, if all of that wasn't enough, we get to ethics. Bloomberg News reports that three Equifax managers sold stock before the hack was revealed. Wolf Richter summarized it well:
Turns out, Equifax got hacked – um, no, not today. Today it disclosed that it had discovered on July 29 – six weeks ago – that it had been hacked sometime between “mid-May through July,” and that key data on 143 million US consumers was stolen. There was no need to notify consumers right away. They’re screwed anyway. But it gave executives enough time to sell 2 million shares between the discovery of the hack and today, when they crashed 13% in late trading.
The interval between the discovery of the hack and its public announcement was enough to allow insiders to sell 2 million shares. How can a company improve its perception after that? Probably not going to happen in the near future, especially after more and more bad news about misconfigured websites, data leaks and links to a fake site.

Conclusion

So that's how security, reputation and ethics converge. Perception derives from them and is highly influenced by them. Security is hard. Ethics, on the other hand, can and should be easy, but only if we want it to be. It's about time companies did their best to protect their biggest assets: their customers, their data, their privacy.

And it can all start with us developers, by writing safer, better code.

About the Author

Bruno Hildenbrand      
Principal Architect, HildenCo Solutions.