Internet privacy and security course
About translation
Previous Next

Chapter 18

Data leakage

This threat is probably the only one in the course on which the user is not able to impact on significantly and at the same time data leak is really capable of affecting the life of its victim.

What is a leak? Let's have a look at data leak on the example of the history of a simple user Alexander. Alexander used a dating site, posted photos there, had emotional correspondence with interesting people, reported intimate details and was married at the same time. As the time passed, Alexander settled down, deleted the page on the dating site and started living a quiet family life.

However, Alexander did not take into account that deleting a page is nothing more than a visual fiction and all of his photos, data and correspondence are still stored in the database of the site. So, one day hackers hack the dating site, steal the database and upload it for sale on a darknet.

Who is guilty? The dating site system administrator and his management took all the necessary measures: regular independent audit, up-to-date all components’ updating, highly qualified specialists, strict security policy for all employees. But it did not help, as it did not work in many other stories as well.

It is appropriate to recall one statement. Once the Irish militants after the unsuccessful assassination on the former British Prime Minister Margaret Thatcher cynically said: “Today we have been unlucky, but remember, we only need to catch luck once. You need to catch luck all the time.” The similar principle applies to the case of site hacking. According to widespread statistics, every day every site is exposed to thousands of different attacks, most of which are run by a script kiddy searching popular vulnerabilities or unreliable passwords for SSH, these are not dangerous to a well-protected site.

Still there are targeted attacks using zero-day vulnerabilities, against which protection does not exist yet. To be completely honest, the human factor and quite childish mistakes (at least those that could have been avoided) lead to hacking sites much more often.

The consequences of data leaks

Coming back to Alexander, the dating site was hacked, thus what consequences could Alexander expect? Taking for example the real case of the Ashley Madison dating site, this is not just a dating site, where single people can find their love, and not even the one where young ladies can sell their love for money, this is a website for adultery.

The motto of the site is “Life is short. Start an affair”, due to hacking was replaced, but it used to symbolize perfectly the whole philosophy of the project. That is why many were right for not feeling sympathy for the victims, even less sympathy was for the owners of the site, who were caught at creating pages of women bots to attract men.

Immediately as the Ashley Madison base appeared in public access, many extortionists and blackmailers began studying the recipients, searching their profiles in social networks, getting information about their current marital status. If the victim turned out to be an “exemplary family man”, they were contacted with and threatened to inform their family of adultery in case of refusal to pay the ransom.

They were extremely interested in gay men who hid their orientation everywhere except the dating site. Many of them agreed to pay extortioners to keep their sexual preferences in secret, even without any guarantees, especially if they lived in Muslim countries where sharia laws consider homosexual relations as a crime deserving the death penalty.

There were some suicides because of that. A Texas policeman committed suicide when his personal email showed up in the leaked Ashley Madison dating site database. The police captain, who served 25 years in the San Antonio police, could not overcome the reputation loss and public censure. It is known that this is not the only case of suicide due to the data publication.

The media joined the bullying turn and began to make a selection of exemplary family men exposed by the Ashley Madison site database leak. For example, in the media one could find the story of Josh Duggar, a family man who had been married for many years, and according to the social networks, he, his wife and four children were happy.

On Ashley Madison's profile Josh was looking for a girlfriend for sex with toys, oral sex and obscene conversations. When his story became well-known, he published a statement in which he repented of what had happened.

I have been the biggest hypocrite ever. While espousing faith and family values, I have secretly over the last several years been viewing pornography on the internet and this became a secret addiction and I became unfaithful to my wife. I am so ashamed of the double life that I have been living and am grieved for the hurt, pain and disgrace my sin has caused my wife and family, and most of all Jesus and all those who profess faith in Him.
Josh Duggar
 

Dating sites are not the only cases when intimate life details can become public. Sometimes databases of private clinics are hacked and medical records of medical institution clients are publicly available. It is unlikely that someone wants friends, colleagues or even the second half to know about your hemorrhoids, infertility, impotence or other ailments. The data can also serve as material for blackmailers.

For example, not so long ago more than 25 thousand photographs of patients who had plastic surgery appeared on the network. The photos were posted by hackers, who called themselves as Tsar Team, they got ones by hacking into the database of one of the Lithuanian plastic surgery clinics. The most unpleasant for patients (mainly females) is that some of them were naked, some photos included genitals close-up. Remember this story if you have to have a picture without clothes taken in a clinic.

How do leaks happen

There are two main ways. The first one is the hacking, which was described earlier. The database of the site can be hacked, and, having penetrated into the corporate infrastructure of the company, they can get access to the data of internal use. For example, hackers gain access to a hospital's corporate network and steal information about its patients, including their medical records.

The second common leak way is the so-called “drain”, when data goes through the people who have authorized access to them. One of the most notorious examples like that is the leak of the database of the Federal Drug Control Service of Russia.

In 2015 Novaya Gazeta published an article on the sale of the Federal Drug Control Service database containing information about drug addicts, drug dealers, informants, citizens who called the hotline. The database had photos, addresses, operational information, contact details. All of that was available for free from illegal database vendors in Moscow and then on the darknet.

The informers were in the worst situation, as thier names were in the database and the “grateful” drug dealers could have injured and even killed them.

Previous
4953
Next