When the best are breached: Learning from the Yahoo, DNC, and Sony attacks

The most damaging cyber attacks in recent memory have been focused on servers.  While there certainly been prominent attacks on individuals, servers are an attractive target precisely because they’re centralized data repositories for many users.

 

In the cases of the Democratic National Committee and Sony, email servers were compromised, presumably by foreign actors, and the damage was significant.   The private communications of party officials and studio executives were stolen and then made public.  People lost their jobs. Reputations were harmed.

 

The LinkedIn and Yahoo attacks were different but no less damaging.  In these cases, accounts for hundreds of millions of users were accessed.  In some instances, passwords were stolen; in all of them users’ private information was compromised.

 

Some observations:

 

  • All of these examples include large, professional organizations with the technical expertise and resources to protect their information, yet the attackers succeeded.
  • Security isn’t just for traditional “sensitive” information, like financial and medical records. Most communication amongst businesses and individuals isn’t designed to be plastered over the Internet; it’s private.  Even everyday emails need to be protected.
  • Passwords can be liabilities, especially when stored centrally. People often use the same passwords across multiple accounts.  So an attacker getting access to a trove of user passwords on one server may be able to access user accounts for many other services.

 

What’s common to these situations, and many others, is centralization of private information.  Clearly, storing information on servers – both inside and organization and in the cloud – offers enormous benefits.  The question is how to protect this information?

 

The classic approach is to “build secure walls” around the data center.  Technology plays a role in securing servers, including firewalls, deep-packet-inspection, threat detection tools.  Administrative processes also play a role.  But attackers still prevail.

 

An alternative approach is to simply assume that attackers will breach servers.  How can important information be protected even if a server is compromised?

 

The answer is end-to-end encryption, where everything stored on the server is encrypted, and decryption only occurs in users’ devices.  It’s important that the server never has access to the unencrypted data or the encryption keys to this data. If the server can ever see the unencrypted data, then attackers could see it too.

 

Note that most major cloud services can’t pass this simple test.  Major cloud-based services from Google, Yahoo, Microsoft, and others will set up secure encryption tunnels between a user’s device and their cloud servers.  This prevents an attacker from watching Internet traffic and discovering users’ data.  But once information reaches their servers, these providers decrypt and analyze personal data for targeted marketing. Since these cloud providers have visibility to the unencrypted data, a successful attack on their servers can be and is devastating.  More on this in another post.

 

PreVeil takes a different approach, providing end-to-end encryption for email, files, and more.  Emails and documents are encrypted in users’ devices with each object encrypted under its own unique key.  The cloud server can neither see the unencrypted data nor the encryption keys, so user information is protected even when the cloud is compromised.  All of this sophisticated encryption and key management takes place automatically, so PreVeil is very easy to use. Users continue to use their existing  email addresses and mail apps like Apple Mail and Outlook. PreVeil can be accessed using a browser on Mac and Windows PCs.  There’s an iPhone app as well.

 

Sign up for a free beta version at www.preveil.com.