I try to post every Tuesday, but once again the incessant news of data breaches is outrunning me, prompting this impulse post. Today I read of two such problems: one a new breach, the other a tale of ongoing trouble at cryptocurrency exchanges.
What they both have in common is email.
The first concerns the giant accounting firm Deloitte, which had a leak of client emails that went undiscovered for some four months (link). The source of the leak was an email server protected by a single factor, a password, that was apparently cracked; no second factor stood between a guessed or stolen password and the mailboxes behind it.
According to Deloitte, very few clients were affected, but that’s not my point and I don’t want to pick on them. My point is that I send and receive lots of email, especially when working. If somebody needs some information or a file, emailing it is the quickest, simplest way. When I’m at a new client’s and getting my accounts set up, it’s common to receive passwords (or links) via email. It’s so much a part of the background that we don’t think about it.
The second article (link), about a month old now, concerns theft of cryptocurrencies from users’ accounts at Coinbase. One route the thieves took started from a compromised Gmail account, from which the attackers learned the user’s mobile number, plus the fact that the user had a Coinbase account. They then had the user’s mobile number transferred to a device they controlled (a SIM swap at the mobile operator) and requested a password reset for Coinbase, which was delivered by SMS to the user’s (now redirected) mobile number.
Thus just two pieces of personal data (the Coinbase login name and the user’s mobile number), plus some skill at manipulating the mobile operator’s number-porting procedures, were enough to mount major theft attacks. The weak link is not the exchange’s password but the recovery channel: an SMS sent to a phone number is only as secure as the operator’s willingness to reassign that number.
You have mail
I’m beginning to think that email is the biggest security hole in all of IT:
- It’s inherently insecure, having been designed for a trusted, closed, pre-internet network (the ARPANET, a DARPA project), with no authentication of senders and no confidentiality of messages in transit or at rest.
- It’s ubiquitous, and is used for all sorts of private information, especially sensitive attachments.
- If you have enough users in your email system, there will always be a few who will click on phishing links, send sensitive files outside the company, or just hit the ‘reply to all’ button.
- Any local files on PCs that hold our emails, such as archives, have the potential to spill a lot of information, making even PCs attractive targets; how many people do you know who’ve had a laptop stolen?
Non-stop breaches and GDPR
Since GDPR came onto my radar last year, I have been amazed at the casual attitude toward compliance that I’ve seen in many organizations. With some eight months to go, I see very little activity beyond appointing exploratory committees, often merely adding this duty to people who already have their plates full.
I wonder whether the big impetus for GDPR will be not the headline fines but the business risk of a large data breach. Until something changes, I expect an unending stream of depressing news stories, and personal worry on the part of those who are (or may be) affected.