The Public Disclosure of Facebook Data and the Disturbing Feeling of Addiction to Data Breaches

(To Alessandro Oteri)
12/04/21

Technology is no exception: like every other area of society, it has its hot topics and a few magic words that are on everyone's lips.

Over the last two decades, cyber security has earned a place on the podium among the topics dominating the international technology scene. The phenomenon can be observed not only in the laboratories of hardware and software manufacturers; it has also gained great prominence in the rooms where international socio-political strategies are discussed.

In fact, since 2016 one of the topics that has occupied the most thoughts, and for some the most sleepless nights, has been the correct management of personal data under the now famous and only partially digested European General Data Protection Regulation, GDPR for short.

This regulation has served as a launch pad for a whole series of further concerns, including the obligation to apply adequate security measures to systems and personal data. That obligation is closely linked to the phenomenon of data theft, which at the same time has become an increasingly pressing nightmare for information security managers around the world.

As legislators and IT experts became more aware, the media also began to sense the interest these issues could arouse in the general public, and many formats were born that have ridden the cybersecurity wave. There are now several films, documentaries, TV series and various themed specials that have been broadcast on the major national networks.

This broad premise is meant to introduce only the latest piece of news to hit the internet and the media, whose protagonist is the social network par excellence: Facebook.

I am talking about the social portal that has unequivocally marked the beginning of a new social life and has probably irreversibly changed the way people get to know each other.

In fact, for a few days now an impressive data archive has been available, reportedly around 15 GB, containing all the data that had been stolen from the systems of the aforementioned site back in 2019. Inside this archive there is a lot of relevant information, such as the telephone numbers users provided to confirm their accounts, first names, surnames and e-mail addresses.

The news has become of global interest these days because, once the data had lost any economic value, someone decided to make it available to everyone for free.

However, the cornerstone of this event should not be overlooked: the stolen data was first put up for sale on the famous "dark web". It does not take much imagination to guess who the ideal customer for this product would be: organizations interested in a large list of contacts to whom they can "communicate" information for advertising purposes, for example.

Worse still, these types of databases are very useful for malicious organizations that carry out attacks of various kinds. They are excellent sources for launching phishing campaigns and "spray attack" campaigns, and given the large amount of data it would not be surprising if "data mining" activities could be carried out on it to find optimal attack patterns for social engineering.

Finally, telephone numbers are an excellent vector for "smishing" and ideal to sell to telemarketing companies all over the world.

Once the entire pool of possible buyers of this product is exhausted, the time comes to leave this information at the mercy of the whole network, so that even those who do not have sufficient financial resources or interest to invest in it can use it as they please.

However, what may be interesting to observe is that this event is only the latest in a very long series of "data breaches" that have occurred in recent years; on our site we have an article covering those of 2020: one year of hacking (see article).

Giants of all kinds have been impacted, to mention just a few: the longest-running and most famous online auction site eBay, the leading job-posting portal and professional social network LinkedIn, some of the most important hotel chains in the world such as Marriott, and game developers and software companies such as Sony and Nintendo.

If you would like to find out whether your data was part of one of these incidents and the consequent disclosure of stolen data, you can use the site "';--have i been pwned?" at https://haveibeenpwned.com/. On that page, through a very simple search box, you can enter your e-mail address, telephone number or password and find out whether you are among the victims of a "data breach".
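As an added illustration (not from the original article), the following Python script shows how the password check on that site can be done without sending the password itself: the Pwned Passwords API receives only the first five hex characters of the password's SHA-1 hash and returns every known suffix for that prefix with its breach count, so the actual comparison happens locally. The endpoint URL and response format are the public ones; the sample response and its counts are constructed for offline use.

```python
from __future__ import annotations
import hashlib
from urllib.request import Request, urlopen

# Public k-anonymity endpoint of the Pwned Passwords service.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_sha1(password: str) -> tuple[str, str]:
    """SHA-1 the password; return the 5-hex-char prefix that is sent to the
    service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per known hash."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range_live(prefix: str) -> str:
    """Query the real service; only the hash prefix is transmitted."""
    req = Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "hibp-range-demo"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """Times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with
# it). The second suffix and both counts are made up for the offline demo.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0000000000000000000000000000000000A:2\n",
}

def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_live that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")

if __name__ == "__main__":
    print(breach_count("password", fetch_range_offline))  # 3861493 in the sample
    print(breach_count("correct horse battery staple", fetch_range_offline))  # 0
```

Swap `fetch_range_offline` for the default `fetch_range_live` to query the real service; a non-zero count means the password is already in circulation and should not be used.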

Returning to the focus of the article: millions of records have been stolen in each of these major incidents, and each time one of these "data breaches" has occurred, the echo it has generated among insiders has been smaller. Even the media have begun to give less and less prominence to this news, almost as if it were not real news after all.

Perhaps the real news, then, is that by now we are all a bit "addicted" to the reality of data theft, and that for our society data breaches are just one of the many ordinary events we are used to.

Even COVID itself has taught us that, after more than a year of pandemic, the daily numbers tallying the infected and, unfortunately, the deceased have been downgraded to small items in the news.

In the first moments of the emergency, by contrast, real marathons were held that treated every single number with great zeal. Unfortunately, this type of habituation can create risky dynamics in people's minds, because it could trigger the psychological reflex of saying something like: "If it happens to everyone, why should I care more than others?"

Our mission instead, as we believe it should be everyone's civic duty, is to keep public awareness vigilant about the fact that the impact of a "data breach" is directly, and exponentially, linked to the quantity and criticality of the data that is stolen.

The world we have created, which is increasingly establishing itself thanks to the digital acceleration brought on by the pandemic, is entirely founded on databases, simple and complex.

This trend must always be balanced by the awareness that databases are to be protected as far as possible and must be managed in accordance with the principles of information security, in particular least privilege and "need to know". It is a social balance that goes far beyond technology.

What is no longer surprising is that these thefts are perpetrated because a digital identity that serves as an entry point is compromised. And keep in mind that for the first steps of the attackers' entry phase, highly privileged credentials are not required.

Much more often than one might imagine, it is perfectly ordinary user accounts with which the first phases of the attack, the famous "footprinting", are carried out. Once valuable information has been collected through those accounts, attackers can start planning the next steps in a much more sensible way. They no longer move in the dark, trying here and there with trivial brute-force attempts; they have directions and strategies tailored precisely to the target at hand.

One can draw a parallel with action films in which the gang of thieves, before starting the heist, takes care to gather information about the target: the map of the building, the security patrols, the names of the guards, and so on. This information is then used to reach the loot, which in the case of cyber attacks is the databases themselves.

Finally, I would like to draw your attention to the ransomware phenomenon. Ransomware is often considered the real problem in itself, especially from the point of view of IT security. To tell the truth, more often than you might think it is more useful for covering the attackers' tracks than for actually collecting the ransom demanded to "free" the data.

This is because today sensitivity to these risks has become strong, and more and more companies make backup copies of their data and are therefore less and less forced to pay ransoms to have the data decrypted.

All that remains is to keep talking about these phenomena, in order to steer those who govern processes and nations towards a philosophy of sustainable and conscious technological evolution.

If you would like more information about the attack suffered by Facebook, please refer to the Wired article at https://www.wired.com/story/facebook-data-leak-500-million-users-phone-n... .