The latest disclosure of one billion Yahoo! user records is SHOCKING and begs the question:
Where has all this stolen data gone? If so many identities have been compromised, why haven’t we all lost ‘our shirts’ by now?
More American identities have been compromised than haven’t according to U.S. state tax agencies I’ve spoken with. Some mega bankers go beyond this estimate and tell me that virtually EVERY U.S. identity has been compromised. At first glance, it doesn’t seem that all these stolen identities are being used in illegitimate ways by our adversaries– or are they?
Actually I think every single identity record that’s been stolen is being used by one or more adversaries.
Here’s how I see the threat actor groups – which together often form loose alliances to benefit each other’s work.
Note: If you are a global bank or government agency that disburses monetary benefits, all of these bad actors are attacking your organization. If your organization is in a different sector, at least some of them are.
Stolen data is sliced, sold and resold to all of these actors (except for the hactivists which mainly focus on service disruption and typically not asset theft). This data is used by cybercriminals for financial gain (which consumers directly notice because they see money leave their bank accounts), but more ominously by nation states (e.g. Russia and China) who manipulate our political and economic processes, and/or steal intellectual property and anything else they can get their ‘cyber hands’ on.
How Nation States work with Stolen Data
- Nation state adversaries assemble databases on as many individuals (in the U.S. and elsewhere) as they can. Intelligence has become a data mining exercise and the more information an adversary has on a given population, the easier it is for that threat actor to infiltrate their target and get to their desired outcome — whether it’s stealing intellectual property or infiltrating a democratic political process.
- For example, if they are interested in breaking into a defense contractor to steal its latest radar system blueprints, they first need to identify a user at that company – in this example, an engineer- they can exploit to launch their attack and theft of the blueprint.
- Attacks are almost always launched by socially engineering an identified individual whose account they can take over and use to obtain their ultimate goal. To succeed in the social engineering attempt, the attacker will want to know for example, where the targeted engineer lives, how many children he has, where those children go to school and who their teachers are.
- Armed with this social network information, the attacker can now craft a convincing email pretending to be (or actually) sent from the engineer’s child’s teacher (taken over email account), inviting the engineer parent to school to hear serious (made up) complaints about his child which are documented in a report attached to the phishing email.
- When the engineer clicks on the email (which any concerned parent would do) whalla – malware lands on the engineer’s desktop which eventually finds its way to the radar blueprints through a series of calculated steps.
People Databases and their Use
I first learned about these ‘people databases’ back in 2004. A federal law enforcement officer told me criminals were assembling stolen data into portfolios of full identity information, containing as much data on an individual as they could gather, e.g. email addresses, user ids, passwords, bank accounts, credit cards, social security numbers, drivers licenses, passports, retirement accounts, etc. He told me that this information would be used one day by nation state adversaries with potentially disastrous consequences. I remember wrestling with what he told me that day, and trying to figure out how indeed all that data would be used to wreak havoc on the United States.
Fast forward twelve years and I think it’s pretty clear that we are in the middle of a serious and escalating national cyberwar that we are largely unprepared for. It’s easy to blame individual companies like Yahoo! for lax security but frankly the range and magnitude of today’s cyberthreats is too large for any one company to solve on their own, even if they can afford the cyber-fight and the help of able partners and technology suppliers.
Beyond stealing data, nation-state adversaries and cyber-spies are reportedly planting employees at security and other infrastructure companies so that these employees can write backdoors into these firm’s hardware or software, a tactic widely used by U.S. intelligence agencies in the past though they didn’t have to plant employees to accomplish this goal.
Adversaries have managed to penetrate national grids (see Ted Koppel’s Lights Out), intelligence agencies (ala NSA), nuclear reactors (ala Iran in this case by ‘friendly nations’), and other entities that have spared no expense for cybersecurity. How can we — and should we — expect other less-equipped organizations to fend off these threats all on their own? And does it make sense for individual companies and organizations to keep relying solely on individual efforts when the cyber-threat crisis is of national proportions?
It’s high time for a national cyber-defense system where U.S. Defense agencies help protect national assets and organizations from attacks, and disables the threat actors perpetrating the damage.
We have military branches in the sea, on the ground, and in the air – but not at the right proportion in cyberspace – where the entire national population deserves more protection. But the prospect of having one doesn’t look very good – and that’s an understatement.
What can we do in the meantime? Basically ‘change our passwords’, cross our fingers, close our eyes and hope for the best…. Never a strategy I like to take.