Data laundering creates privacy and security risks

Data laundering is a process in which data obtained illegally (from the dark web or a compromised or stolen database) is subsequently processed to make it appear authentic.

As companies adapt to modern technologies and new ways of doing business, there are additional opportunities for collecting and using data. Therefore, data laundering is becoming an increasingly serious problem.

Chris Ping, PKWARE’s VP of Security and Privacy, explained that data can be obtained in several ways: purchased from a merchant on the darknet, downloaded from a company website, or obtained through malware, email phishing, or even a MITM attack. …

“Once they get the data, attackers usually run it through a randomizer, which is a data cleansing tool that helps randomize missing or valuable information to make the data more legitimate for potential buyers,” Ping said.

Data laundering problem

The problem with data laundering is that unsuspecting buyers can acquire stolen data and thereby become part of the laundering process themselves.

“Let’s take a look at what happens after an organization purchases stolen data. Like any other data, it will be stored somewhere, such as a database,” explained Ping. “Storage and system resources are a big investment in and of themselves. To process more data, the company is forced to increase its resources accordingly. In addition to the repository, the organization applies all available security controls, detection, data management, and so on to this illegal data.”

It’s at this stage that things get really bad, Ping said. After all, the IT organization has done everything possible to get the business to start incorporating such a dataset into AI, machine learning, and other automated decision-making processes.

“Your organization may be planning marketing campaigns, regional product or trend research, and more. The problem is that the laundered data can contain a lot of inaccuracies and lead the business to losses due to decisions based on false data. Moreover, this is only the business side of the problem,” said Ping.

On the other hand, illegal data carries huge risks. Failure to confirm the legitimacy of the data (or lack of it) will make the organization’s position vulnerable in the event of litigation.

“If your company starts selling stolen emails, consumers will immediately have a number of questions about where you got the emails from and why you did it,” explained Ping. “Since you cannot answer these questions, consumers will have a basis to file an individual claim, even a class action claim may be filed.”

According to Pin, data traders need to have complete confidence in their sources.

Supply chain tracking

In addition, data providers also need to be confident in their sources. Therefore, it is necessary to track the entire supply chain to ensure the accuracy of the data, as well as the legality of the data exchange.

Ping is confident that privacy laws will catch up over time. Tracking the storage chain will become a must for organizations and federal agencies.

Andrew Barratt, managing director of solutions and investigations at Coalfire, a cybersecurity advisory services provider, explained that data laundering is nothing new and has long been seen as a problem in the “selling of data.”

“Laundering data is not as difficult as many people think,” Barratt said. “Cybercriminals use both small manipulations with Excel and special cleanup algorithms in large-scale collection of data breaches, thus removing all information for attribution of the source.”

Barratt explained that once the list of names, addresses, and emails has been broken down, it is nearly impossible to determine the source of their origin. Only the presence of special ‘canary’ entries in the dataset helps against such a procedure.
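An added example, not from the original article: one way a data owner could plant the "canary" entries Barratt mentions and later recognise them in a dataset offered for sale. The key, canary domain, export IDs, function names and sample rows are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed values for illustration; a real key would live in a secrets manager.
SECRET_KEY = b"constructed-demo-key"
CANARY_DOMAIN = "canary.example"  # hypothetical domain the data owner controls


def canary_email(export_id: str) -> str:
    """Derive a deterministic, unguessable canary address for one export."""
    tag = hmac.new(SECRET_KEY, export_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"j.{tag}@{CANARY_DOMAIN}"


def normalize(value: str) -> str:
    """Undo cosmetic edits a cleanup pass may apply: case and whitespace."""
    return value.strip().lower()


def seed(records: list[dict], export_id: str) -> list[dict]:
    """Return a copy of the export with one canary row appended."""
    canary = {"name": "Jordan Avery", "email": canary_email(export_id)}
    return records + [canary]


def attribute(suspect_rows: list[dict], known_exports: list[str]) -> set[str]:
    """Return the export IDs whose canary address appears in a suspect dataset."""
    canaries = {canary_email(e): e for e in known_exports}
    hits = set()
    for row in suspect_rows:
        for value in row.values():  # scan every column: names may have been renamed
            export = canaries.get(normalize(str(value)))
            if export:
                hits.add(export)
    return hits


# Constructed sample: an export shared with one partner, later seen "laundered"
# (columns renamed, case changed, rows reordered, source metadata dropped).
original = [{"name": "A. Customer", "email": "a.customer@example.org"}]
shared = seed(original, "partner-2021-09")
laundered = [
    {"contact": r["email"].upper() + " ", "full_name": r["name"]}
    for r in reversed(shared)
]
```

Because each export gets its own canary, a hit identifies which copy of the data leaked as well as the fact that it did, and a buyer given the canary list can run the same check before ingesting a purchased dataset.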

How to fight data laundering

To combat data laundering, privacy laws must continue to evolve in line with GDPR and California CPA standards, requiring companies to delete data at the request of citizens, Barratt said.

The GDPR has come a long way, he said, establishing high-level rights for data subjects in the UK and EU, and the US is also moving in that direction from state to state.

“At the federal level, the Constitution and Bill of Rights do not explicitly give citizens the right to privacy, although there are various case laws that argue for privacy,” Barratt said.

Unfortunately, from a security standpoint, if the records are taken from compromised datasets, “the horse has already escaped and the ship has sailed away,” he said. Such records will continue to pose a privacy issue as well as inconvenience to users. Owners of compromised data will be flooded with marketing spam, targeted advertising, etc.

“Depending on the context of the data, there may also be personal security issues associated with the loss of names and addresses, social security information and medical records,” Barratt warned.

John Bambenek, Threat Intelligence Advisor at Netenrich, also pointed out that the primary regulatory target should be the companies that acquire the data to ensure the reliability of the suppliers and the collection of data only for legitimate purposes.

“It would be better if the consumer data belonged to the consumer. All purchases and sales should only be made with the consent of the consumer. But unfortunately, in the United States, we are far from that,” he said.

Bambenek noted that any action that encourages or monetizes criminal activity contributes to its continuation. Many companies that buy questionable data are likely deliberately looking the other way.

“Unlike ransomware, there is no reason to give money to such criminal gangs. Companies should not use the services of cybercriminal mercenaries to download their information machines,” says Bambenek.

Want to learn how to work with cloud databases and take the DP-900 certification exam for free?

Take a two-day training session from Microsoft on October 25 and 26.

From Microsoft experts, you will learn about the key principles of Azure services, proven approaches, and the specifics of working with relational and non-relational data.

Sign up for the training while there is still time.

Women and minorities are more likely to be targets of cyberattacks than other people

Women are more likely than men to receive messages from unknown numbers containing potentially malicious links.

Demographics play a large role in how often people are victims of cybercrime. Low-income and vulnerable populations are disproportionately affected by cybercrime. According to a poll of 5 thousand people in Germany, the UK and the US, conducted by experts from Malwarebytes, Digitunity and Cybercrime Support Network, minorities, as well as groups of people with low income and low educational level, are more likely to be victims of a cyber attack. Some groups are much more likely to face online threats.

For example, women are much more likely to receive text messages from unknown numbers containing potentially malicious links than men (79% versus 73%). Almost half (46%) of women said their social media accounts had been hacked, compared with 37% of men.

Social media accounts belonging to Black, Indigenous and People of Color (BIPOC) are more likely to be attacked than those of whites (45% versus 40%); BIPOC populations are also more likely to experience identity theft (21% versus 15%). In fact, only 47% of BIPOC respondents escaped the financial consequences of cybercrime.

Age is also an important factor. 36% of people aged 65 and over have been victims of credit card information theft.

21% of women and 23% of BIPOC respondents experienced “significant” stress when faced with suspicious online activity.

According to the report, the statistics are linked to the overall sense of security (or lack thereof) in cyberspace. While half of all respondents do not feel secure online and 31% do not feel safe online, the numbers are different for women. Women feel the least private online (53% versus 47% of men) and the least secure (35% versus 27% of men).

Socioeconomic class also matters. People with higher incomes (51%) feel more secure online than people with lower incomes (40%). The same is true for educational attainment – users with the highest educational attainment feel more secure (48%) than those who graduated only from college (44%) or high school (40%).

The United States launched a program to replace Huawei and ZTE network equipment

The US government allocated $1.9 billion for the implementation of the program.

On Monday, September 28, the US Federal Communications Commission (FCC) announced the launch of a program to replace network equipment of telecom operators in rural areas. The government allocated $1.9 billion to implement the program, writes Reuters.

The program was approved in July 2021; applications for participation will open on October 29 and will be accepted until January 14, 2022. Its goal is to remove from the networks of American telecom operators equipment manufactured by Chinese companies recognized in the United States as a threat to national security, in particular Huawei and ZTE.

Last year, the FCC recognized Huawei and ZTE as a threat to national security, thereby depriving US companies of the ability to use the $8.3 billion government fund to buy equipment from them. In December, the FCC passed regulations requiring carriers using ZTE and Huawei equipment to “dispose of and replace” it.

The requirement is a big problem for telecom operators in rural areas, which do not have the financial ability to purchase new equipment and find specialists who are able to carry out such a replacement.

The latest FCC ruling expands the program from telecom operators with 2 million or fewer subscribers to operators with 10 million or fewer subscribers.
