Security and data breaches - Can we trust the Internet?

With so many of the services we use on a daily basis depending on the Internet and so much of our personal data stored in the cloud, we rely heavily on our interactions over the web to be secure. Security bugs, hacks and data leaks are becoming more and more frequent in the news, and since the personal data of an unlucky 34,000 users of gaming retail platform Steam were leaked on Christmas Day (a.k.a. last month), what better time to talk about the issues of security and data breaches?

In Update Episode 4 we discuss their causes, their consequences and what we can do to help prevent them in the future.

Users are malicious

The first unfortunate event to happen to the Steam store on Christmas day was a distributed denial of service (DDoS) attack. This is a coordinated attack by a collection of machines continually making requests to a resource (in this case, the Steam store), swamping its servers and making it unavailable for genuine users. Valve (the company behind Steam) reported that traffic increased 2000% above average. This kind of attack is a fairly common occurrence on the web, and there are plenty of articles online discussing how to defend against them. But if the attack is large enough there’s little that can be done to stop its effects reaching users.

In the podcast we also discuss the breaches that happened at Sony and Ashley Madison, both of which were the result of attackers.

Developers make mistakes

There’s no denying that hackers can be a nuisance, but they’re not always behind these leaks. The data leak on the Steam store was actually the result of a mistake in the caching system of the website. In short, what happened was that pages intended for certain logged-in users were being shown to other users. These pages may have contained email addresses, account funds, and the last four digits of phone numbers, among other pieces of private data.
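To make this class of mistake concrete, here is an added example (not Valve's code, and not a reconstruction of their actual configuration): a simplified shared page cache that keys on URL alone, beside one that refuses to store personalised responses. The cache classes, the `account_page` handler and the user records are all hypothetical and constructed for illustration.

```python
# Added illustration: hypothetical shared page cache, not Valve's actual system.
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def account_page(user):
    """Constructed origin handler: renders a page containing private data."""
    return Response(f"Account page for {user['email']}, funds {user['funds']}",
                    {"Cache-Control": "private, no-store"})

class NaiveCache:
    """Flawed: keys on URL only and ignores who the response was built for."""
    def __init__(self):
        self.store = {}
    def fetch(self, url, user, origin):
        if url not in self.store:
            self.store[url] = origin(user)
        return self.store[url]

class SafeCache:
    """Shared cache that refuses to store personalised responses."""
    # Conservative simplification: no-cache is treated as "do not store".
    UNCACHEABLE = {"private", "no-store", "no-cache"}
    def __init__(self):
        self.store = {}
    def _storable(self, has_credentials, resp):
        cc = resp.headers.get("Cache-Control", "").lower()
        directives = {d.strip().split("=")[0] for d in cc.split(",") if d.strip()}
        if directives & self.UNCACHEABLE or "Set-Cookie" in resp.headers:
            return False
        # Responses to authenticated requests are stored only if the origin opts in.
        return not has_credentials or "public" in directives
    def fetch(self, url, user, origin):
        if url in self.store:
            return self.store[url]
        resp = origin(user)
        if self._storable(user is not None, resp):
            self.store[url] = resp
        return resp

def demo():
    alice = {"email": "alice@example.test", "funds": "12.50"}  # constructed
    bob = {"email": "bob@example.test", "funds": "0.00"}       # constructed
    naive, safe = NaiveCache(), SafeCache()
    naive.fetch("/account", alice, account_page)
    safe.fetch("/account", alice, account_page)
    # Bob requests the same URL: the naive cache replays Alice's page to him.
    return (naive.fetch("/account", bob, account_page).body,
            safe.fetch("/account", bob, account_page).body)
```

`demo()` returns the page each cache serves to the second user; only the URL-keyed cache hands back the first user's data.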

Another topic we discuss in the podcast is the Heartbleed bug. This bug in the OpenSSL cryptography library enabled malicious users to read more data from the victim server than would normally be allowed. Perhaps the most worrying thing about this is that the flaw went unnoticed for around two years. Or did it? Perhaps someone had been quietly stealing data ever since the protocol was brought in? Whether or not that happened, we might never know.

These things just happen all the time... Right?

This excellent visualisation of data breaches over the past decade shows that the number of breaches and the amount of data leaked due to hacks has only been growing, and it doesn’t look like they’re stopping any time soon.

With this trend in mind, combined with the possibility of security flaws in online systems and the large numbers of hackers in the information age, are we doomed? Are all of our online security systems destined to fail? Should we accept that all our data is at the mercy of hackers? Well, probably not. Luckily, many people who discover a security flaw in a website will safely disclose its presence to the website owners, who will often be quick to respond with a fix. Some companies will even offer an incentive to be told about any security weaknesses in their systems. And for the developers out there, my advice would be to think like an attacker as you are building your system. Think about the possible ways you can break it and how to defend against malicious behaviour. Crucially, you should never dismiss any potential exploits as something that will “probably never happen” - if Sod’s law is anything to go by, it’ll happen when you’re least expecting it!

Written by Alan Chung

Eden Agency