How the Web Went from Benign to Malvolent & GDPR


The Web has been transformed from benignly hopeful just 25 years ago to an increasingly  dangerous place. There are key players silently vying for control of Web Space – the Nation-State cyber warriors almost all have been  armed primarily by an incompetently vulnerable NSA and CIA.The Cyber Criminals trolling for vast amounts of easy money pickings are also armed to the teeth  by stealings from the CIA and NSA. And then there are the Silicon Valley Privacy Harvesters lead by Facebook, Google, Twitter, Verizon, AT&T and a host of marketing vendors. These sucker-fishers are industriously gleaning all your personal actions and data info that they can as stealthily as possible gather for collection, analysis and sale to the highest bidders.

  • Now more than half the daily traffic on the Web is not human but automated bot traffic;
  • Nearly half of that bot traffic is from BadBots used by hackers, criminals, and cyber-warriors;
  • The cost of Criminal Hacking is now $1.5trillion/year and growing fast;
  • Harvesting your personal data and using it without your consent has become a huge business for Facebook, Google, etc. It is $100 billion in direct profits/year & growing fast;
  • There is almost open warfare going on among nation-states in  the stealth that is the Deep Web.

David Sanger in a telling story in the NYTimes describes the US Intelligence Folly:
“..a cyberarms race of historic but hidden proportions has taken off. In less than a decade, the sophistication of cyberweapons has so improved that many of the attacks that once shocked us — like the denial-of-service attacks Iran mounted against Bank of America, JPMorgan Chase and other banks in 2012, or North Korea’s hacking of Sony in 2014 — look like tiny skirmishes compared with the daily cybercombat of today.

Yet in this arms race, the United States has often been its own worst enemy. Because our government has been so incompetent at protecting its highly sophisticated cyberweapons, those weapons have been stolen out of the electronic vaults of the National Security Agency and the C.I.A. and shot right back at us. That’s what happened with the WannaCry ransomware attack by North Korea last year, which used some of the sophisticated tools the N.S.A. had developed. No wonder the agency has refused to admit that the weapons were made in America: It raised the game of its attackers.”

David Sanger raises another problem – because the President  and his intelligence team are at loggerheads over the Russian interference in the 2016 elections, little Federal action has been taken to curb cyber problems. Likewise in the private sector, there are many compromised positions among the key technology company players. The only arena big business can agree upon worldwide is the need to control criminal hackers.So it begs the question: 

What Can Be Done?

Not a lot in the US until there is regime change in Washington DC. But  there is a small glimmer of hope from Western Europe. The EU launched GDPR – General Data Protection Regulations on May 25th 2018. Yes, GDPR is mostly devoted to protecting personal data privacy for EU citizens. But the bite of the law has three significant incisors.

First, GDPR rules  applies to all websites that deal with European visitors regardless of whether or not the website is based in Europe. Given that the EU has a population of 508 million and the Web is truly worldwide the GDPR tends to apply well beyond the EU borders.

Secnd, the GDPR fines have real bite – $20M or 4% of an organizations revenues. And ask Google with a $1B EU fine if the EU nip hurts.

Third and perhaps most important is Data Hygiene. The Economist, tongue in cheek, has  conceded that GDPR’s emphasis on data hygiene will foster a number of positive cyber security improvements. Data Hygiene is about all the personal and web related practices that improve data security, data privacy and confidence in the data holders. GDPR stipulates that organizations in their privacy policy statement must declare how they will protect the personal data that have been entrusted to them by web visitors.

Not only must organizations guarantee the protection of personal data they hold either directly or through 3rd party Data Processors; but if the data is breached, organizations must inform parties who have had their data stolen promptly and declare what recourse the visitor has. This emphasis on  data security as well as data privacy changes the GDPR equation. It creates substantial incentives not just in Europe but throughout the world for much better data security as well as  data privacy.

Now organizations have to be concerned about how safely visitors use their websites as well as how much security their websites provides for their visitors personal data. Here are some of the data hygiene guidelines that EU and worldwide organizations are now advocating:

  1. Keeping the organization’s own operating systems and software up to date. But likewise asking their web users to do the same – have the latest OS, browser and app software. This is like condoms and sex. Hackers specifically scout for unprotected devices, apps and websites;
  2. Have tough firewalls on their own websites but also encourage users to do the same on their browsers, devices and  websites: These are the moats & defenders against hackers – 30% of all web traffic today is malware and the majority of hack attacks stem from inadequate input validations;
  3. Use passwords on all that matters; use very hard to crack, easy to remember passphrases;
    1. Forgo 2 factor authentication for 5-8 word passphrases. They are hard to break but easier to remember;
    2. Store passphrases on a free vault like LastPass or other free/good password managers;
    3. DO NOT USE browser based Save Password in Chrome or other browser – use LastPass or other Password Vault.
  4. Never download pirated or cracked software: They contain carefully crafted malware. Also be super suspicious of email attachments: open only if it’s a reputable or expected package;
  5. Don’t use public wi-fi hotspots without switching to a VPN (secure) connection. VPN encrypts all transmission to and from Web;
  6. Encrypt everything website with HTTPS, browsing with HTTPS Everywhere, apps & messaging encryption, encrypted email with Thunderbird etc and a variety of secure messaging apps,Encrypt valued data on PCs and mobile devices;
  7. If you want personal privacy, abstain from using personal info on social media sites. Sounds like a contradiction; but not so. Only use social media like Facebook, Twitter, Google+ exclusively for business promotions. Face it – all social data and actions are tracked, harvested and sold to third parties;
  8. Review your financial accounts regularly. Criminals have billions of personal data records courtesy of Yahoo, EquiFax, and some major banks worldwide. Unfortunately banks and credit card vendors are becoming less forgiving of hacking thefts of your funds, so cutoff the siphoning  early;
  9. Use multiple email accounts to insure privacy and spot phishing attacks;
  10. Control access to your PC, devices, Website. Never leave device or websites unprotected. A firewall can be trojanized [it looks solid but now houses malware] and disarmed if entrance is allowed “free of charge”;
  11. Back up on a regular basis; most hosting service provide ample backup choices. But be sure to verify backup process with a for simple recovery test.

Think these data hygiene measures are negligible in the face of well armed criminal hackers and Nation-State sponsored Cyber Warriors? Well there is evidence that Data Hygiene is already having an impact. Wired reports how the swift adoption of SSL has already reduced certain hack attacks. Likewise Cisco’s CyberSecurity Report for 2018 shows a similar deterrence effect in some key hacking trends.

But that very same  Cisco report, shows how quickly one hacking door can be closed and another opened in the fast changing Internet device a nd development markets:
The IoT [Internet of Things – think home or factory security systems, Alexa and the AI connected Personal Assistant, Support appliance and device  monitors, and countless other networks and devices linked to the Web ] is still evolving, but adversaries are already exploiting security weaknesses in IoT devices to gain access to systems—including industrial control systems that support critical infrastructure. Hidden IoT botnets are also growing in both size and power, and are increasingly capable of unleashing powerful attacks that could severely disrupt the Internet.Attackers’ shift toward greater exploitation of the application layer indicates that this is their aim. But many security professionals aren’t aware of, or they dismiss, the threat that IoT botnets pose. Organizations keep adding IoT devices to their IT environments with little or no thought about security, or worse, take no time to assess how many IoT devices are touching their networks. In these ways, they’re making it easy for adversaries to take command of the IoT

Summary

Clearly the Internet is no longer located morally, politically and economically ” in a benevolent Kansas.” And GDPR with its emphasis on improving data privacy and data security through data hygiene will have positive impact in those arenas. But also it is clear that the Internet is also on dangerous boundaries regarding  Nation-State Cyber Warfare, Criminal Cyber-Malfeasance and Grifter Exploitation by the tech sector in its many social media guises.

Leave a Reply

Your email address will not be published. Required fields are marked *