The Internet golden rule, sex is already public knowledge

 

Time to update the adage “She’s a lady in the street and a freak in the sheets.” Let’s just simplify that to: “Actually? We’re all a bunch of freaks in the sheets – thanks, Internet!”


Everyone and everything we do online is at risk.
In March, a lone Darknet user exposed nearly 4 million users' data from their activity on an adult dating site. Independent IT security consultant Bev Robb uncovered the hack and reported it on her site April 13: a “treasure trove of hacked data that appears to be from an adult social networking site...one of the most heavily-trafficked websites in the world, boasting an Alexa U.S. page rank slightly above 747.”
It wasn't until Friday that the site was revealed to be AdultFriendFinder.
Millions of people's sexual preferences, fetishes and personal data including email addresses are now up for grabs — and it's no surprise to security experts.
Robb tells Mashable she discovered 15 AFF spreadsheet files where a hacker known as ROR[RG] posted his stolen goods. They were living in the “Hell Forum,” a hacking forum accessible via the browser Tor, which is special software allowing access to the Darknet. (Robb says, “The Hell Forum was down all morning. It’s now back up but all the AFF data is gone and the entire thread has been deleted.”)

Because extortion was involved, Robb dealt with the matter delicately.

“To be honest, I sat on it for a while because I did not know what the protocol was for reporting this type of data breach, and my confusion over potential ‘extortion’ was something I've never dealt with before,” she says. “I posted the blog in hopes that data breach experts would find the clues [that I carefully laid] and be able to discern the adult site that I was referencing. I was also worried that there could be legal ramifications from my discovery.”
The southern Oregon Internet security specialist first wrote on her site:
If the data breach is genuine (and I am sure it is), there is a ton of personally identifiable information (PII) sitting in a forum on the Darknet that has been viewed 1,756 times. It is unknown how many times the breached data files have been downloaded. Though the files were stripped of credit card data, it is still relatively easy to connect the dots and identify thousands upon thousands of users who subscribe to this adult site.
FriendFinder Networks announced that it has hired forensics expert Mandiant, which is owned by FireEye, to investigate, along with law firm Holland and Knight and a public relations company specializing in cybersecurity.

An administrator of the Darknet forum mocked the announcement, saying that it “only took 74 days to confirm the breach.”

Asked to comment on the investigation, Kyrksen Storer of FireEye said, “[W]e do not comment on active investigations such as this one.”
(Disclosure: For the past several months, the author has written a regular column for Penthouse, a publication owned by FriendFinder Networks, the same company that owns AdultFriendFinder.)
So what does all of this mean for you and your online sexing?

It means we need to stop pretending this type of breach isn’t going to happen — all the time — as it’s been happening for the past several years, with increasing frequency and sophistication.

“People don't need to be paranoid, but they do need to know that anonymity these days is rare,” says Laura Lorek, a veteran technology writer and founder of Silicon Hills News, a technology news site in Austin, Texas. 
“Always pretend anyone can see what you are doing online.”

This goes for any sext, any Skype, any weird bit of gossip you write or say online.
Do you want someone to see all of your private maneuvers? Of course not. Would your life be ruined if someone did see or reveal private communication or data? Depends how risky you've been.

“In our houses, we have smart meters that track our household appliances, Dropcams to keep tabs on our kids, dogs and belongings, smartphones with geolocation capabilities that track our whereabouts and web cameras in our laptops and desktops,” Lorek says. “And when we walk out our front doors, there are surveillance cameras everywhere. Neighbors have them. Cities use them to track crime and traffic violators and businesses use them. So why should people expect privacy online?”

She points to some of the most famous scandals in recent years as examples of users' naïveté.

“The leaked photos of Anthony Weiner show that any content you create can be redistributed,” Lorek says. “The Sony Pictures hack shows that even email you think is private can make its way to the public domain. And hackers on 4chan hacked and released nude photos of Jennifer Lawrence and other celebrities last year. So if you have nude photos or salacious emails and texts, beware.”

But Rob Pritchard, founder of The Cyber Security Expert, a London-based consultancy, disagrees that we need to forgo our basic expectations of security online.

“I think you should be able to assume some level of privacy online,” he says. “I think the hacked website reveals that too few providers of online services do good security.”
Even as hacking increases in frequency, the main point, he says, is: Hacking is not the victim’s fault.

“I don't think you'd ever do anything online if you thought it would end up public one day,” Pritchard says. “If you are sharing unnecessary private data (as opposed to using an online tax form or something, where you don't have much choice) you should make it as secure as you can. Use a strong, unique password and, if possible, two-factor authentication. That said, that wouldn't have protected the AdultFriendFinder users, where the site itself was hacked.”

Robb wrote an analysis of the AdultFriendFinder data that was hacked:
Quickly glancing over spreadsheet #11, I’ve located Fakeuser@###.com (not his real user account) and see that he is a 54 year old male from St. John’s, Newfoundland. Next, I Google Mr. Fakeuser and see that he is a married man who is blond, blue-eyed, and buff. He also thinks he is a hot male and he is just looking for fun in the form of a one-night-stand with a swinging couple or partner – he is seeking something somewhat discreet. Aha, mind if I er giggle?

In spreadsheet #1, I found Fakeuser2@###.com (not his real user account) and he is a 62-year-old Hispanic male from North Brunswick, NJ who is an advertiser in real life, and has a preference for the subporno forum. By Googling his handle I was able to associate his real name and to locate the social media pages that he manages.

Also in spreadsheet #1 I located a user who spends a lot of money in the BDSM forum. He is a 40-year-old, white male from a small community in Illinois (population: 4,206), and is self-employed…. He will become anybody’s slave and he also lied about his age on the adult site, and depicts himself as a 29-year-old male. Got a leash?

So, who cares if people know some guy likes bondage? Not only could it tarnish a person's reputation, career and family life, that information helps hackers tap further data. As Robb explained in her original post:
Cyber-criminals can take the data breach listed above and go well beyond a simple web search. They could target users of the BDSM forum and design an entirely innocuous-looking phishing campaign replete with social engineering tactics. Masters or slaves that frequent these types of forums could become enticed to click on a provocative link and provide more personal information, providing that the email template is custom-tailored to their fetishes.

You can assume that the hacked database is not simply sitting on one forum – it is probably being shared within other Darknet and I2P forums too. With so much data included in the rooted database(s), and even though the majority of email addresses come from free email accounts such as AOL, Gmail, Live, Hotmail, and Yahoo.com — it should be relatively easy to dox a slew of them.

Robb, who is currently involved in ongoing Darknet research, says she is passionate about understanding the mindset of criminals’ schemes and social engineering tactics. For the average Internet user who has never even heard of the Darknet, she makes the privacy breach very easy to understand:
“If I were to explain it to a layman, I would say, ‘Hey Barney, I just saw your telephone number and address on this spreadsheet that is being passed around in this place beneath our surface web. I see that you spent $900 on that BDSM subscription — so, what's up with that?’”

No matter how cautious users are, anyone revealing private data online is at risk.

But will behavior ever change? While Pew Research shows that 93% of adults “say that being in control of who can get information about them is important,” the measures taken to protect private information are few; only 7% reported at the time of the mid-2014 survey that they had made any changes to their security to try to prevent Internet or cellphone tracking.

“There have been numerous attacks on dating websites over the past several years, and attacks have not just been limited to these types of services,” says Matthew Hickey, principal security consultant at MDSec in London. “Using an alternate or disposable identity is a common practice; however, chances are you may inadvertently leave clues to your real identity. In some countries it may also be illegal to use false details on dating websites, and you should ensure you are compliant with the laws in your country.”
As for protecting yourself, the same best practices that apply for a site like eBay also apply for a site like AdultFriendFinder.

“Ensure the site is using strong end-to-end encryption, choose a strong password, don't publish private information publicly, be careful about who you speak with and don't open attachments or files from strangers,” Hickey says. “Ensure you keep your computer up-to-date with the latest software patches and have the latest anti-virus updates installed.”

Alternately — and more extremely — Lorek says quite simply: Take it offline.


“Any time electronics are involved, there's a chance that someone is recording the activity,” she says.

Or if you’re looking for what’s currently available for identity protection, try one of the many newer services that aims to minimize online footprints.

“Worries about privacy have given rise to Cyberdust, Snapchat, Unseen and other apps that promise anonymity,” Lorek says. “Google also offers incognito browsing. A lot of people are using these services to mask their identity.”

Finally, a good update to Lorek's Golden Rule: “I think the big message is that we all live transparent lives now. We have to live our lives authentically and genuinely and, for the most part, openly. Be comfortable with who you are online and offline.”
Until then, protect yourself or take it IRL.