Data Security is Physical Security

This blog was originally published by Authomize here.

Written by Gabriel Avner, Authomize.

Online streaming platform Twitch was hacked last week and the memes were fantastic.

In case you missed it, a hacker reportedly stole 125 GB of valuable data from the Amazon-owned streaming service. The stolen goods included source code and tools, but also records for how much their creators get paid.

The days following the leak were filled with less successful streamers laughing at how little they make on the platform, and more than a few memes.

Thankfully for Twitch, the hacker appears to have not gotten their hands on any customer data.

But all joking aside, this story raises a very real issue that can come along with data leaks.

When thefts of a company’s IP or even customer payment data like credit card numbers, social security numbers, or other bits of information that can be used for fraud occur, it’s a problem. In most cases, nobody gets hurt. At least not physically.

Then there are cases where the stolen data can lead to people being targeted, robbed, or even killed.

Robbing Banks Because That’s Where the Money Is

Cryptocurrency exchanges have unsurprisingly become prime targets for hackers.

And why wouldn’t they be? It’s where the money is.

Thefts from these exchanges happen fairly regularly. Their employees are sometimes even kidnapped.

These exchanges are where people buy and sell their digital currencies, and offer hackers a great opportunity for hackers to steal some of the coins passing by. Platforms like Binance ($200B?) and Coinbase ($52.59B) have racked up massive valuations.

But they don’t only hold cryptocurrencies. The legally operating exchanges also have their users’ personal data for Know Your Customer (KYC) purposes just like any other financial organization. These details often include things like the person’s real name, address, and other identifying information that can be used to identify them and tie them to their funds.

In the right hands, this data can be used to restrict criminal activity. In the wrong hands they can be used to track down a user of one of these exchanges and rob them.

If you manage to track down a user that you know to have a lot of cryptocurrency in their accounts, then it doesn’t matter how good many of your other security measures are.

The thieves will find ways to get their victims to give up the funds. Violence is always an option.

Left for Dead Over a Cryptocurrency Robbery

In one recent case, a guy in Russia claimed that he was kidnapped and forced to send the robbers ~$500k in cryptocurrencies from his Binance account. While difficult to verify, he claims that the criminals then strangled him and left him for dead in the woods.

Luckily for him, he says that the crew that robbed him had also drugged him, slowing his heartbeat to an undetectable level and letting him survive the incident.

It is difficult to say if this guy was targeted because he was outed as a holder of significant quantities of cryptocurrencies, or just because assaults of this type aren’t exactly rare in eastern Europe. But it isn’t that hard to make a possible connection with data leaks from the cryptocurrency exchanges.

Binance was one of the exchanges that was named in a possible theft of KYC records back in 2019. A hacker later took credit for the breach, claiming to have stolen personal data containing drivers licenses, passports, and other useful bits of identifiable information.

To their credit, Binance seems to be taking security measures to protect their customers. In November they paid out $200k to a team of investigators that helped them get a crew of hackers indicted in the US. That’s a good start, but if companies like Binance are going to have tens of billions of dollars traded around daily on their platforms, they are going to have to take serious steps to secure themselves and their customers.

3 Tips for Keeping Users’ Data Safer

Breaches happen. That’s a statistical fact that every organization has to contend with as they grow.

The more people in their organization, the more chances that someone’s credentials will get popped or that a phishing link will get clicked on.

The question that these organizations handling sensitive information need to consider is how to mitigate their risk and limit damage when those breaches occur.

Here are a couple of places to start.

1. Identify Sensitive Assets (Crown Jewels Analysis)

The first step before figuring out how to keep your sensitive data secure is to understand what you have and what is really in need of extra protection. Not all assets are created equal and your team has limited bandwidth to spend on defending against attackers. Use automated tools to help tag and flag assets that are higher risk. These are going to be your financial documents, core IP, and other assets that would make for a very bad day if they get taken.Once you know what is really valuable, start limiting who can access those assets and what they can do with them. Make sure that people (especially admins) need MFA to access.This is not to say that you should be slacking on security elsewhere, but it helps to know where to start.

2. You’ve Gotta Keep Them Separated

Two things stuck out to me in the Twitch hack. First is that you don’t leak your stolen data on 4Chan if your reasoning for attacking Twitch is that they haven’t done enough to stop abuse of minorities/vulnerable streamers on the platform. This feels like a massive troll but we’ll never really know.The second is that the attacker got to Twitch’s source code, security testing tools, and financial data. Compromise one set of data, shame on you. Compromise data from multiple departments, shame on me. Numerous compliance regimes require that organizations enforce a Segregation of Duties to ensure that employees cannot carry out significant actions on their own. The classic example of this is if the person making payments is the same as the one approving them. In our case here, we are taking the same segregation concept to say that there is no good reason why someone who is dealing with the source code has any reason to know how much streamers are being paid. Therefore, there should be fairly strong barriers between the groups of people that can access one data resource from accessing the other. For organizations to be effective at segregating groups of users, they need to have the visibility to know what assets those users can access.

3. If You Don’t Need It, Get Rid of It

More organizations are showing signs of understanding the risk of holding onto customer data. But many are still playing catch up. The hack of T-Mobile earlier this year where data belonging to former customers was also stolen means that we have a long way to go.The best way to avoid having data stolen is to not have it in the first place. With cloud storage making it so easy to open up an S3 and just dump data into a bucket, organizations are falling behind on clearing out irrelevant records that they have no business holding onto. If you are managing InfoSec in your org, make sure that everyone knows that customer data is a double-edged sword. Sure it’s great for marketing purposes, but it is also your responsibility to protect. In many cases, you might find that it simply isn’t worth the effort.

Maintain the Principle of Least Privilege

Anyone who works in Identity Management or InfoSec will already be familiar with this mantra.

Only grant folks permission to the minimal selection of assets that they need to do their jobs. Supplying them with additional privileges will only expand your org’s threat surface.

Over-privileging a user just so that they don’t have to come back and ask for additional access later may sound like a time saver, but it just adds to the risk. If that user’s identity is compromised, then their access becomes the attackers.

Finally, keep your access entitlements limited and use the automated tools for understanding how to right size permissions so that everyone has access to what they need.

No more, and no less.