When security professionals get together these days, it becomes rapidly clear that there are so many threats to privacy that it’s difficult to know exactly where to start.
Adopting stronger security protections may briefly slow the unwanted gathering of personal data, but the sheer number of threats and technology options is very much in favor of the bad actors.
What we learned at the IAPP conference
The sobering reality of the current state of cyber security was reinforced during a two-day conference in San Jose, California, earlier this month that was organized by the International Association of Privacy Professionals (IAPP) in conjunction with the Cloud Security Alliance (CSA) Congress.
The event included a lineup of speakers in the security field who brought attendees up to date on the latest trends in the Darknet, ransomware, drone surveillance, and cloud security, along with ways that major companies such as Google are trying to give users better tools to secure data and protect identities.
As Gerard Eschelbeck, Google’s vice president of privacy and security, told conference attendees, “When you work in security, there is no boring day, because the bad guys are very well organized.”
One of the major marketplaces for identity theft today can be found in the Darknet, a corner of the deep web that is carefully hidden from Google’s search tools.
It has become the supermarket for anything illegal that demands anonymity.
This includes stolen financial accounts, ransomware transactions, drug sales, and even “do it yourself” tools for stealing identities online.
According to a recent InformationWeek report, the current going rate on the Darknet for a “personal information kit” containing name, address, Social Security number and bank account information for a resident in the U.S. is 25 cents.
There are now educational packages to learn the identity theft trade available for purchase as well. A “college-level identity theft course” sells for $9.99.
One of the IAPP conference speakers was Doug Meier, the director of risk and compliance for the music streaming service Pandora.
He presented an overview of the structure and resources available on the Darknet, which can only be accessed through routing services (such as Tor) that guard anonymity.
Meier told attendees that the Darknet has evolved into a central market where workshops and chat forums on criminal activity are freely available.
Some vendors of stolen personal information are even bonded. “You won’t be fumbling in the dark on the Darknet if you know what resources to use,” said Meier.
Be aware of ransomware
Another area of concern that emerged from the conference dialogue this month involved the growth of ransomware as a criminal tool to steal valuable personal or corporate files.
Thieves break into a database containing sensitive information and then lock the owner out until a ransom is paid, more often than not in the form of the digital currency bitcoin.
Brenda Sharton, an attorney with the Goodwin law firm, said that the FBI has seen a 300 percent increase in ransomware attacks already in 2016.
One of the attacks even resulted in the payment of a record $500,000 for release of sensitive files.
“The amount of breaches has skyrocketed and the ransoms themselves have changed significantly,” said Sharton.
According to Sharton, the widespread use of bitcoin as the payment of choice by criminals has led some companies to open their own digital currency accounts in anticipation that they will ultimately have to pay to get their files back.
Law enforcement agencies and private security firms have improved their ability to trace bitcoin transactions, which are commonly posted to a publicly distributed ledger called the blockchain.
This has led some criminals to move to a more private cryptocurrency called Monero, which may yet postpone the ability to close down illegal activity channeled through the Darknet.
Drones and your privacy
Privacy is further threatened by the continued expansion of drone flying, which has exploded in the past year as more unmanned aerial vehicles take to the skies.
As of June, the number of registered drones in the U.S. was approaching 500,000.
The issue has gained urgency as local and state governments have been scrambling to deal with the safety and privacy issues being raised by the small flying devices.
“Autonomous flight is coming to very large platforms quickly,” said John Verdi, vice president of policy for the Future of Privacy Forum, during one of the conference panel sessions.
Over the past three years, 31 states have passed laws governing the use of drones, but only 12 of those provide privacy protections.
Lawmakers have been trying to curtail drone use that has involved intrusion on privacy and even stalking.
The potential surveillance capabilities that drones offer are a source of concern for guarding against identity theft.
The public at large is also being increasingly confronted with the prospect that law enforcement is getting pulled into the use of airborne technology to gather large amounts of information on private citizens.
Recent news stories revealed that since the beginning of this year, the Baltimore Police Department has been relying on a small Cessna airplane equipped with sophisticated cameras to continuously circle the city and gather visual data.
The footage gathered was instantly transmitted and stored for future review by law enforcement authorities.
The privately operated plane had been flying over the Baltimore area for as many as 10 hours per day, and the news stories about the surveillance program have sparked an outcry from privacy groups and local residents.
“Ubiquitous surveillance in public places is unconstitutional,” said Jeffrey Rosen, the president of the National Constitution Center, during a keynote speech at the IAPP conference.
Growing use of the “cloud”
Another important trend that is gaining more attention in the security world is the growing migration of large company datasets to the cloud.
The general belief is that placing major amounts of data in a cloud platform is more secure than having one company try to protect it using its own tools in its own datacenter.
“The key factor is economics,” said Jim Reavis, co-founder and CEO of the Cloud Security Alliance, who spoke with this reporter during the IAPP gathering.
Reavis believes that the ability of cloud providers to make major investments in security is helping spur the movement of data from individual company datacenters.
Looming on the horizon is the prospect that banks and major financial institutions, which have traditionally been wary about moving sensitive customer data into the cloud, may soon migrate their information as well.
According to Reavis, if PayPal indeed makes this move “you’re going to see the walls crumble” as more financial groups follow suit.
Despite the security benefits inherent in the cloud platform, there are still vulnerabilities.
The Cloud Security Alliance issued a report earlier this year that highlighted what these could be, including distributed denial-of-service (DDoS) attacks and other weaknesses that can be found in any situation where resources are shared.
Against this backdrop of threats and vulnerabilities, there are companies working behind the scenes to find ways to reduce the risk of identity theft and loss of privacy through new tech tools.
Google’s Eschelbeck described how his company offers Authenticator, an app for the Android and iPhone platforms that provides a fresh code every time you need to use your username and password.
This is the latest extension of a growing movement towards “two factor” authentication, where users must enter a second code before they can log in to a service or site.
A similar extra code-producer can be found with the tiny U2F security key (made by Yubico) that will fit on a keychain.
Google is also working on technology which some believe may end up killing password use for many people.
It’s called Project Abacus and the application is based on a sophisticated analysis of how people use their smartphones.
The company announced in the spring that they would begin trials involving Abacus with several unnamed financial institutions.
The concept behind Project Abacus is that how we type on or speak into our phones can be just as uniquely identifiable as a password.
Elements such as location, movement, voice and facial recognition can all be tracked by the multiple sensors now embedded in smartphones.
These factors are then combined by an algorithm that determines if the likelihood is high enough that you are indeed the right person to be granted access.
The attraction of Project Abacus as a solution is a double-barreled benefit.
Users would no longer need passwords to access their device or information, and hackers would no longer have a password to steal.
Google’s Eschelbeck did not offer a precise timetable during the IAPP event for when the new password technology might become more widely available, but speculation is that it could be seen in the first half of next year.
The struggle to secure our private information and lessen the chances for stolen identity is ongoing, and conferences like the IAPP gathering this month often amplify the difficulties that security professionals face in finding realistic solutions.
As Monica Lewinsky, famous for the intense public scrutiny she received in the 1990s when her affair with President Bill Clinton became known, told attendees, “The private individual is inching its way towards the endangered species list.”
And she didn’t even own a smartphone.