3aIT Blog

On December 10th, Google revealed that a flaw had been found in its Google Plus network that exposed the details of 52.5 million users to third parties without the users' permission. While there is no evidence that this flaw was actively exploited, it was serious enough that Google have brought forward the date on which they're going to shut down the unloved service. This follows an earlier breach in October in which half a million users' details were actually exposed for three years.

This article isn't about this instance in particular, although it is a good case in point. One of the world's biggest companies has exposed millions of people to an increased risk of fraud. And yet this barely made the news. Anyone who did happen to catch a fleeting mention of it will probably have just shrugged and moved on.

These data breaches are now so commonplace that they're almost not newsworthy any more. We've just grown to accept that they're an unavoidable consequence of the convenience of moving most of our lives online. To some degree, this is correct (for now, at least). Any system written by humans is going to contain bugs, as systems very quickly reach a size at which it's impossible to "see" the whole chain of logic at once. This is then compounded as the system grows in a piecemeal way from that point. Every single change has the potential to introduce a problem.

"Just put it live - we'll sort it later"

This problem is mitigated somewhat by testing. This is a process in which a "draft" version of a system, or of any change to a system, is made available to the client or a select group of users in advance of the final rollout, so that they can check it does what it's supposed to and, hopefully, find any problems before the final version goes live. However, this process is not foolproof. Clients sometimes don't appreciate the importance of this step and just wave a change through, knowing that problems can be fixed later. What they don't realise is that it's exactly this sort of rushed "patching" of code, done once a problem has been found in a live system, that leads to these more serious flaws.

It's also true that a business without a multi-million pound budget will not have the expertise or resources to probe a system in the way that someone with malicious intent might. These flaws are often very subtle and highly unlikely to be found by an untrained eye.

It does seem that, unless money has been taken out of our bank account, we've collectively decided that we don't really care about these breaches any more. It is true that many of these breaches, taken in isolation, are not that serious. Many of them only expose email addresses, phone numbers and postal addresses, so you may well think "so what - these are obviously all known to the world from the past 10 breaches, so what does another one matter?"

Slowly, slowly catchy monkey

However, what may be missed here is that it isn't necessarily the data itself that is important any more. What is happening is that malicious actors are slowly able to build a profile of you. With every breach that your details are exposed in, they know something else about you. They might know which shops you frequent, where you live, whether you've moved, where you bank...

This then enables them to target individuals more effectively in a socially engineered attack. This has been seen on a large scale in the recent spate of emails claiming that the sender has footage of you recorded via your webcam. Many of these emails included passwords that had been stolen at some point in the past, in an effort to convince people that the threat was genuine.

That is an example of a very crude attack. It's not currently possible to target millions of people at once in a complex way, so these emails are very generic. However, attackers also sometimes opt for a far more targeted, individual attack. As you would expect, the more they know about an individual, the easier it is to convince that person that they are genuine and that what they are saying should be taken seriously.

We're doomed!

So what should we do then? As already pointed out, these data breaches are inevitable. Unfortunately, the answer is currently "not much". All an individual can do is limit the data they provide to only those services they deem essential. Also, as always, be on guard when replying to any email asking for details or payments, even if it appears to have come from a trusted source.

We should also collectively try not to shrug off these data breaches. If the companies involved think we don't care any more, they will commit fewer resources to trying to stop them happening.

Other than that, we just need to hold tight until the point that we've created robots that can create flawless code! Although it would be good if that doesn't happen *too* soon, or we'll be out of a job...