Privacy Extortion
A new type of cyber-crime: From kindergarteners to adulterers
A year ago I was walking on a sunny day with my daughter
in Frankfurt near the Alte Oper. We saw a group of kindergarten
kids walking hand in hand with their teacher. They
were lovely. We couldn’t take our eyes off of them, and my
daughter couldn’t resist taking their picture. She instinctively
raised her smartphone to photograph them, but the teacher
immediately waived her hands, and in a firm tone said: “You
are not allowed to breach these kids’ privacy. Please do not
take any pictures.”
This privacy sensitivity occurred innocently in the physical
world on a beautiful avenue. But, privacy sensitivity can be even
more critical in the virtual world. The cyber world, in a way, knows
more about our inner life, desires, passions, relationships and challenges
than we perhaps know ourselves. Revealing this information
about an individual can cause enormous damage to his or her
professional and personal well-being. As we all have seen, the cyber
world, unlike my daughter with the kindergarteners, is also less respectful
with an individual’s sensitive information.
Uncovering the Dirt
Millions of Ashley Madison members certainly felt a breach into
their private lives recently. I’ll bet they panicked when they found
out that the entire Ashley Madison database was stolen, perhaps
to be publicly revealed.
Unfortunately, stealing confidential data is not new to us. Bigger
services have suffered from data theft before, and while stealing
credit card data is harmful, the damage is basically repairable.
The potential fallout from the breach to the Ashley Madison online
adultery service is quite different. Brought to light, Ashley
Madison membership reflects in a profoundly negative fashion
on the individual, painting their reputation starkly in black, and
risking everything from their family relationships to their social
status and even their career.
Because the Ashley Madison site facilitates adultery, the security
breach has mostly caused a titillated public to react with a
combination of moral judgment and humorous quips. But, this
breach is a cyber-security crime that requires us all to take notice.
The personal details and other juicy descriptions identified
in the Ashley Madison breach create a new kind of cyber security
threat: the potential for massive blackmail.
According to the attackers themselves, the Ashley Madison
hack is targeted at the service provider. It also heralds a new, very
dangerous and troubling form of cyber-crime: the disclosure of
personal secrets, which comes with all kinds of other risks, such
as extortion.
For the hackers, this is an outrageously lucrative business
model. Most (probably all) of the Ashley Madison customers
would be happy to pay a reasonable price to avoid having their
online profile made public. Even if the price were $50 to keep
member profiles private, it would turn the hackers into multimillionaires.
Storing Personal Information
Of course, Ashley Madison is not the only site storing sensitive personal
information. It doesn’t take long to consider other sites where
the registered users wouldn’t want their private lives to be exposed:
medical records and social chatting, to start.
All of us are subject to a “dark secret” in our inner life that we
wouldn’t want to fall into the hands of bad guys. No longer is this
just about big corporations and credit card theft; this is deeply
personal with a Pandora’s Box aura as once the information is
public, it remains so. This is a wake-up call for service providers
to improve the security of their services in the interest of protecting
their users’ secrets.
Security strategies have traditionally revolved around protecting
the endpoints and the network. However, hackers are increasingly
targeting service providers’ databases that reside within the
data center. Databases and web applications in the data center are
open to new attack methods that require a better approach for protection.
For example, web applications, designed to be open and
used by anyone from anywhere, are by definition openly accessible.
Protecting a user’s highly-private information calls for strong
encryption as well as secure cryptographic keys. Today, cryptographic
keys are kept on servers that can
be easily breached, and once breached,
the keys can be stolen and the user’s
secrets exposed. By overlooking the
utmost protection of users’ privacy,
including protecting the keys that encrypt
users’ private information, the
service provider runs the risks of putting
their users in harm’s way and
losing their own businesses. This
far-reaching threat has the dubious
distinction of giving the kindergarteners
and the adulterers
a common cause.
This article originally appeared in the November 2015 issue of Security Today.