Here’s a joke: what does Equifax have in common with the Russian troll farm that’s working to destabilize Western democracies by interfering in their online discourse?
Tough. Scratch your head. One’s a credit reference and checking business with $3.1 billion annual revenue. The other is basically the KGB saying ‘LOL.’
But they do have one point of commonality: they are terrible, I mean terrible, at security.
This has always struck me as ironic. Equifax basically exists to ensure financial security: it’s there, at least in theory, so you don’t ruin yourself with a loan you can’t pay back and lenders don’t ruin themselves with loans they can never get back. It’s a safety feature of the financial system.
Meanwhile, the intentions of the Kremlin-backed troll farm whose centre of operations was until recently at Savushkina 55, St Petersburg, were a little less hifalutin. Their aim was always to destabilize democracy, especially in America but also in western Europe, by propaganda and concerted trolling. These are modern-day spies, back-room boys doing the equivalent of feeding the press false information.
So: since one of these organizations is concerned with financial security and the other with national security, and since both do basically the vast majority of their business online now, how come they can’t keep a handle on their data?
Equifax is the stuff of legend now. Type ‘equifax’ into Google and the autosuggest box looks like this:
Not a great look.
Last summer, about 14 million Equifax customers had their personal information stolen in a catastrophic hack.
The company eventually admitted that it had happened, after obfuscating for weeks. Now it faces the humiliation of admitting to an additional 2.4 million customers that the hack affects them too. It’s not the first time the company has been obliged to revise the estimate upwards; they’ve added two million here, three million there since the initial leak, destroying trust and credibility with each new version of the facts.
Financial information held by Equifax is valuable if you’re trying to do identity theft, phishing attacks on businesses those people own or work at, or even blackmail.
Meanwhile, in the Kremlin. The troll farm the Kremlin used to disrupt America’s 2016 presidential election is part of the Internet Research Agency – an innocuous-sounding name for a concerted campaign to attack democracy, though it shares its acronym with the Irish Republican Army.
But they can’t hang on to their data either.
News broke today that a cache of internal documents labelled ‘Savushkina 55’ (after the organization’s St Petersburg address) was being offered for sale on a site called Joker.buzz, where often-stolen information is auctioned off.
The cache had lain, undiscovered and with no bids, on Joker.buzz since this time last year – meaning it was there a good seven months before Facebook and Twitter publicly began acknowledging IRA use of their platforms. It was discovered by reporters from the Daily Beast just a few hours ago.
There’s personal data on IRA employees, login details of Twitter and Facebook accounts used by IRA agents, IP addresses of their proxy server network, evidence that the organization is deeply involved on Reddit and Tumblr as well, and – well, all the embarrassing detail you’d expect when a spy agency leaves the keys in the ignition.
What’s the point here?
These are organizations with national-level strategic aims (IRA) or multibillion revenues and international user bases (Equifax) – and when it comes to digital security they are exactly as bad as any random with a 123456 password that he uses for everything.
So, how can you avoid having a cybersecurity presence like these awe-inspiring professionals?
Start where they didn’t. Spend a little time covering your bases. If you’re talking about personal security, here’s the deal: 99% of attacks will either happen through third parties, or against people who get the basics wrong.
So: nail the basics. Get a VPN, one that doesn’t keep logs and doesn’t leak, and use it. Get strong passwords and change them often.
If you don’t want to use a password generator or a pinned Word file on your desktop, try using album-track song lyrics or fragments of quotations interspersed with dots and dashes; the point is these are way harder than most people’s passwords to guess, but fairly easy to remember. They let you do a good enough job at the basics. Your door lock and burglar alarm don’t need to be invincible; just inconvenient.
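To put some numbers behind the ‘harder to guess but easy to remember’ idea, here is an added example (not part of the original post) that builds a passphrase the way the paragraph suggests, words joined by dots and dashes, using Python’s CSPRNG, and estimates how many bits of guessing work each construction gives an attacker. The word list and the guess-rate figure are constructed for illustration; a real generator would use a large published list such as a diceware list, and the point of `passphrase_entropy` is that the estimate only holds when the words are picked at random, not when they come from a lyric the attacker can also look up.

```python
import math
import secrets

# Constructed sample word list, used only so the example runs offline.
# A real generator would load a large list (thousands of words); the
# entropy figures from this 32-word list are deliberately small.
SAMPLE_WORDLIST = [
    "anchor", "ballad", "cinder", "dahlia", "ember", "fjord", "glacier",
    "harbor", "ivory", "jasper", "kestrel", "lantern", "meadow", "nebula",
    "orchid", "pebble", "quartz", "raven", "saffron", "timber", "umber",
    "velvet", "willow", "yarrow", "zephyr", "basalt", "cobalt", "drift",
    "falcon", "granite", "hollow", "indigo",
]

# The separators the post recommends interspersing between fragments.
SEPARATORS = ".-"


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy for `symbols` independent, uniform picks from
    `choices_per_symbol` possibilities: symbols * log2(choices)."""
    return symbols * math.log2(choices_per_symbol)


def generate_passphrase(words: int, wordlist=SAMPLE_WORDLIST,
                        separators=SEPARATORS) -> str:
    """Pick `words` words uniformly with secrets.choice (CSPRNG, not
    random.choice) and join them with a randomly chosen separator each."""
    parts = [secrets.choice(wordlist) for _ in range(words)]
    out = parts[0]
    for word in parts[1:]:
        out += secrets.choice(separators) + word
    return out


def split_passphrase(passphrase: str, separators=SEPARATORS) -> list:
    """Inverse of generate_passphrase: recover the word list."""
    normalised = passphrase
    for sep in separators[1:]:
        normalised = normalised.replace(sep, separators[0])
    return normalised.split(separators[0])


def passphrase_entropy(words: int, wordlist_size: int,
                       separator_choices: int) -> float:
    """Entropy of the construction above. Every word and every separator
    is an independent uniform pick, so the bits simply add up."""
    return (entropy_bits(wordlist_size, words)
            + entropy_bits(separator_choices, words - 1))


def charset_entropy(length: int, charset_size: int) -> float:
    """Entropy of a truly random password of `length` characters drawn
    from a `charset_size` alphabet (e.g. 62 for letters and digits)."""
    return entropy_bits(charset_size, length)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at a given guess rate. The rate is
    an assumption you supply; offline cracking of a weak hash is many
    orders of magnitude faster than an online login form."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # 7776 is the size of a standard diceware list (6^5); 2 separators.
    six_words = passphrase_entropy(6, 7776, 2)
    eight_chars = charset_entropy(8, 62)
    print(f"sample passphrase: {generate_passphrase(4)}")
    print(f"6 random diceware words + separators: {six_words:.1f} bits")
    print(f"8 random letters/digits:               {eight_chars:.1f} bits")
    # Assumed guess rate of 1e10/s, typical of offline attacks on fast hashes.
    print(f"years to exhaust at 1e10 guesses/s: "
          f"{years_to_exhaust(six_words, 1e10):.2e} vs "
          f"{years_to_exhaust(eight_chars, 1e10):.2e}")
```

The comparison is the lesson: six random words from a 7776-word list beat eight random mixed characters by a wide margin, and the words are far easier to remember. A remembered lyric is only ‘random’ to the extent the attacker cannot find the same lyric, so the dots and dashes and the choice of obscure fragments are doing real work in the post’s scheme.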
When it comes to third parties – Equifax, Yahoo – it’s trickier. These guys have shown they can’t be trusted – they lose data and they’re only as honest about it as reporters force them to be. So be cagey, give them as little data as you can, and consider paid-for secure alternatives to webmail and cloud storage.
If you’re a business, you have only one thing to worry about: your employees. Ditch time-consuming ‘security protocols’ urged by security pros. (You think the IRA didn’t have any security pros?) People bypass or ignore them. Instead, teach your employees to cover their bases the way you cover yours. Be prepared for leaks, and keep the data you really can’t afford to lose off the main system.
Can you do a perfect job? No. Can you do better than to have all your information on sale to the highest bidder on the Russian web? Yes you can.
Start with a VPN – stop yourself getting tracked around the internet, leaking personal data as you go. We’ve reviewed the best ones for you!