Privacy has always been a hot topic for us at Naked Security, but recently the news seems to have gone from bad to worse.
We’ve seen a steady onslaught of disclosures about data breaches at retailers, ranging in size from 50 locations of The UPS Store, to the as-yet-unknown, but potentially very large number of Home Depot stores.
It’s an unhappy coincidence then that these data breaches are coming out into the open just as we name Target’s data breach last year as the “most epic privacy failure.”
It’s been a rough year for Target, whose breach last December has come to define the recent spate of payment card data thefts at retailers around the US.
We selected Target along with four other big-time privacy fails and put the question to Naked Security readers – what’s the most epic privacy failure of the past year?
In response to our poll, readers picked Target with 37.3% of the votes.
Second-place Adobe – which suffered a data breach in October 2013 that compromised 150 million customer records – gathered 32.1% of votes.
Our other contenders for the most epic privacy fail were:
- Snapchat’s big lie in promising that “snaps” taken with the app would “disappear forever” got 13.2% of the votes
- The Google “Glasshole” who recorded non-consenting patrons at a San Francisco bar – people who had asked not to be recorded – and shared the recording with the world, got 9% of votes
- And the misinformed frenzy over fictitious predators lurking within the children’s app Talking Angela got 5% of votes
Some readers of our poll – about 3% – submitted an assortment of other privacy issues. The NSA received multiple mentions, not only for breaching our privacy, but also for allowing its own privacy to be breached by Edward Snowden.
How we picked the Top 5
We heard from some readers who questioned our inclusion of the Talking Angela hoax in our list.
To understand our reasoning, you could think about it this way: the Talking Angela freak-out was a collective failure to understand the real privacy risks we face today.
When millions of people put aside common sense and swallow the absurd idea that there is a pedophile hidden in the eyes of the cat in the Talking Angela app, a false-positive privacy fail of epic proportions is under way.
The victims of this hoax were the developers of Talking Angela, who were accused of abetting child abuse.
The other choices presented in our poll should be more obvious.
Adobe’s breach could easily be considered the most epic, because the list of its bad practices in storing user passwords was about as long as Target’s list of missed opportunities to prevent its own data breach.
And because Adobe leaked names, crackable passwords and unencrypted password hints, any cracked passwords could be used again and again by criminals looking to break into victims’ online accounts.
Snapchat’s sin was its lack of transparency and outright lying to make users think they were safely sharing private messages when those messages were anything but secure.
The Glass-wearing woman who showed such disdain for the privacy rights of others is an appropriate stand-in for any company or individual who thinks consent before sharing (or “opting in”) is an outdated concept.
And then there’s Target.
Is Target’s fail a fair choice?
Target has suffered extensively for the security blunders and missed warnings that contributed to the data heist.
The company has paid out more than $236 million to recover from the breach – and that doesn’t include the price of lost profits or declining stock value.
One after another the data breaches come, and the popular question becomes “is it the next Target?” and “was this the same crew that hit Target?”
Target’s massive breach of 40 million payment card numbers and 70 million other customer records has become a measuring stick for the larger problem of data insecurity and consumers’ shrinking privacy.
Is it fair to single out one failure among a list of many similar breaches?
We think Target is a worthy choice because the company had many opportunities to secure customer data and missed them until it was too late.
Even so, the privacy failures keep mounting, with some biggies in recent weeks.
Home Depot’s recent data breach might turn out to be bigger than Target’s, seeing that the company has more stores than Target, and may well have been breached for a lot longer.
And, in the wake of stolen nude photos from celebrities’ iCloud accounts, Apple has urged us all to secure our iCloud data by turning on two-step verification (2SV) – even though Apple’s own documentation makes it clear that 2SV doesn’t apply to iCloud access at all.
There’s plenty of fail to go around.
That’s why we think it’s time to stop and take notice of the different ways those whom we entrust with our privacy can fail us, and the ways we can fail ourselves.
5 tips to protect your privacy and identity
- Create unique, strong passwords for all your online accounts: use at least 14 characters, including a mix of letters, numbers, special characters, and upper/lowercase. Better yet, use a password manager like LastPass to generate random passwords. Remember to password-protect your mobile devices as well.
- Use two-factor authentication (also called two-step verification) where possible to add an extra layer of security for your accounts.
- Go over your bank statements the same week you receive them in case of any rogue charges.
- Review your Facebook settings to make sure you aren’t sharing more than you thought with people you don’t know.
- Log out of websites (yes, including Facebook and Twitter!) when you aren’t using them to reduce the chance of being tricked into posting or liking by mistake.
Want to know more about the Home Depot breach and other hot privacy topics in the news? Listen to our latest security podcast, featuring Sophos experts and Naked Security writers Chester Wisniewski and Paul Ducklin.
4 comments on “Target tops the list of most epic privacy fails”
I think Home Depot might now trump Target. It would seem that Home Depot learned nothing from Target and just let it happen.
Just a couple of questions regarding your suggested tips…
1. Regarding the use of a 14 character PW. I use a 12 and always thought myself a bit of a zealot using that length. We recently tested various length PWs against several major online password strength testers, including Steve Gibson’s. Almost every tester site shows that a 10 character PW using a mix of all 4 character types will take years to crack with a normal PC. A large botnet could crack it in months, but by then one assumes the PW would have changed anyway. It seems the mix is more important than the length. Your reasons and technical proof of the value of 14 characters are appreciated… love to learn new stuff.
Not a Facebook user, so as part of the ‘great unwashed’, this question should be treated as such…
5. Sorry, but how can one be tricked into posting something, if one is not using the site? Something seems to be missing here….
#5 is known as a cross-site request forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Basically everything on the web is done via HTTP requests and you can think of ‘clicking on a link’ and ‘making an HTTP request’ as more or less synonymous.
Loading a page from Naked Security into your browser is done using an HTTP request, so is transferring money via your bank and so is making a Facebook status update.
If I can trick your browser into ‘clicking’ a link that does one of those things (something that can happen silently, without you even being aware of it) then it will do it with whatever your access rights are in that moment.
If you don’t log out of online services after you use them then you still have the access rights you need to use those services, even if you’re looking at something else.
If I trick your browser into clicking a link that triggers a status update then it will do it with your user rights. If you’re logged in, it will succeed, if you aren’t, it won’t.
14 is as much art as science. Thing is that most people don’t choose randomly from the character mix. In other words, 10 chars chosen from A-Z, a-z, 0-9 and punctuation is in theory about 64 choices to the power of 10, or 2^60. Except that you probably don’t pick from a true 64 choices in each position. I reckon lots of people go for digits like 4 and 3 only for one or two As and Es in the password; they don’t choose unpronounceable strings of characters; they tend to have a punctuation in the middle and maybe another at the end; they most likely have a majority of lower case letters with some uppers just to comply with complexity rules, etc.
In short, mix and length both help force you into less bruteforceable passwords…