ax
ax

Information warfare and Data Leaks

Information warfare systematically collects insights from data leaks on publicly available social profiles. The Trump campaign by Cambridge Analytica showcased how easy identity theft can happen. The story started as a well-executed campaign but ended as a moral disaster for Facebook and Cambridge Analytica.

Table of Contents

What is information Warfare?

The process of Information Warfare comes in four simple steps. The procedure is neither complicated nor very expensive. While Steps 1 to 3 are standard processes in digital advertising, the intention and execution are against any code of conduct. Step 4 means that bot armies pump deceptive content into online information systems on a large scale. The dark art of  listening services uses bots to feed and share faked media.  

Step 1: 👉 Gather Metadata.

Step 2: 👉 Build Profiles and Triggers.

Step 3: 👉 Create Campaigns.

Step 4: 👉 Run Campaigns

The information Warfare Attack Chain

the-information-warfare-attack-chain

What did Cambridge Analytica do?

Cambridge Analytica worked with the winning Brexit campaign, harvested millions of social media profiles and data leaks, and used them to build a powerful software program to predict and influence choices at the ballot box. They use the same methodology as we would to predict buying intent for a consumer product.

Cambridge Analytica used scraping techniques to collect and compute profiles from social networks. Scraping networks stand for automatically collecting data from publicly available social profiles and is an established practice. Cambridge Analytica worked with Donald Trump’s election team and the winning Brexit campaign harvested millions of social media profiles of US voters and used them to build a powerful software program to predict and influence choices at the ballot box.

Information Warfare by Cambridge Analytica used scraping and scoring to collect and compute profiles from social networks. Scraping networks stand for automatically collecting data from publicly available social profiles and is an established practice. Cambridge Analytica worked with Donald Trump’s election team. The winning Brexit campaign harvested millions of social media profiles of US voters. It used them to build a powerful software program to predict and influence choices at the ballot box. Cambridge Analytica’s marketing combined Behavioral Science, Big Data analysis, and personalized advertising.

Cambridge Analytica’s marketing is based on a combination of three elements: behavioral science, Big Data analysis, and ad targeting. Ad targeting, defined as personalized advertising, aligned as accurately as possible to the personality of an individual consumer

Cambridge Analytica CEO Alexander Nix

Other data leaks

According to the Kaspersky Report – “Can you keep a secret? A plethora of secrets, unprotected” we are facing a problem.  While 81% of the respondents believe that everyone has a secret they don’t want to reveal to others. And  75% think that in today’s connected world, keeping secrets private is more important than ever.  But, only 31% of respondents have strengthened their passwords. Only 37% have up-to-date security protection on all their devices

LinkedIn data leak

LinkedIn allows users to create profiles and then establish connections with other users. Users create a profile on the site; they can choose from various levels of privacy protection. They can keep their faces entirely private or make them viewable by their direct connections to a broader network of relationships with all other LinkedIn members or the entire public. When users choose the last option, their profiles are viewable by anyone online. LinkedIn also allows access to public profiles via search engines such as Google. Competitive Monitoring systematically reads data from LinkedIn.

Data analyst hiQ tells employers which of their employees are at the most significant being recruited away. The company sells information that hiQ generates through LinkedIn users” publicly available profiles.  HiQ could also make data from users available even after those users have removed it from their profiles or deleted their profiles altogether.

LinkedIn allows users to create profiles and then establish connections with other users. Users create a profile on the site; they can choose from various levels of privacy protection. They can keep their faces entirely private or make them viewable by their direct connections to a broader network of relationships with all other LinkedIn members or the entire public. When users choose the last option, their profiles are viewable by anyone online. LinkedIn also allows access to public profiles via vertical search engines. Competitive Monitoring listens to LinkedIn

  • LinkedIn points to the interest that some users may have in preventing employers or other parties from tracking changes they have made to their profiles. LinkedIn posts that when a user updates his countenance, that action may signal to his employer that he is looking for a new position.
  • LinkedIn states that over 50 million LinkedIn members have used a “Do Not Broadcast” feature that prevents the site from notifying other users when a member makes profile changes. This feature is available even when a profile is public.
  • LinkedIn also points to specific user complaints it has received objecting to the use of data by third parties. In particular, two users complained that they had previously featured on their profile but subsequently removed, remained viewable via third parties.
  • LinkedIn argues that both it and its users, therefore, face substantial harm absent an injunction; if hiQ can continue its data collection.

Yahoo data leak

Yahoo! affirmed in October 2017 that all 3 billion of its user accounts were impacted, considered the largest discovered data breach in the history of the Internet. McMillan, Robert; Knutson, Ryan (October 3, 2017). “Yahoo Triples Estimate of Breached Accounts to 3 Billion”. The Wall Street Journal. Retrieved October 3, 2017. Marissa Mayer, the person in charge, showed little awareness of security policies.

2012 Data Security Intrusions (Wall Street Journal) 

January through April 2012, malicious actors accessed Yahoo’s internal systems.

2013 Data Breach: In August 2013, malicious actors were able to gain access to Yahoo’s user database and took records for all existing Yahoo accounts—approximately three billion accounts worldwide. The documents taken included the names, email addresses, telephone numbers, birth dates, passwords, and Yahoo account holders’ security questions and answers. As a result, the actors may have also gained access to the contents of breached Yahoo accounts and, thus, private information in users’ emails, calendars, and contacts.

2014 Data Breach: In November 2014, malicious actors were able to gain access to Yahoo’s user database and take records of approximately 500 million user accounts worldwide.

2015 and 2016 Data Breach: From 2015 to September 2016, malicious actors could use cookies instead of a password to gain access to approximately 32 million Yahoo email accounts.

The Court granted final approval to the Yahoo! class action settlement and entered its judgment on July 22, 2020. In the order approving the settlement, the Court also awarded attorneys’ fees, costs, and expenses and service awards to the class representatives who brought the suit on behalf of the class.

What you should do

Do not share your personal information with strangers over the phone, email, or even text messages. These types of requests could very well be scams. A breached company should send you a data breach notification. However, if unusual notices via email or in the mail arrive under a different name, that can be a sign that you are a victim of identity theft.

  • Unique account, unique password: Creating strong and unique passwords for every account is the best first step to protecting yourself against a breach. Use a password generator to create passwords for you. Unique passwords ensure that a violation at one website doesn’t result in a stolen account at another.
  • Protect your email: If a hacker has access to your email account, they can use password resets at most sites to get into other accounts. Consider creating an alternate email address for online signups. And be sure to turn on multi-factor authentication for your email account.
  • Give fake answers to security questions: You know those silly security questions companies ask you so you can “prove” who you are? Don’t give real answers. Use the password generator to create random replies that you can then store in LastPass or similar tools.

Share this post

Share on twitter
Share on linkedin