How Lulzsec cracked

There is enough, at least, that researchers at Carnegie Mellon University were able to guess social security numbers from online information with up to 90 per cent accuracy. Such troves of information are tempting targets for hackers.

"If users (or customers) feel their data is vulnerable, they will move elsewhere, which no business wants," says Auletta. "The problem is that hackers can be very inventive in finding ways to invade."

In the past, criminals would typically hold websites to ransom, taking them offline and demanding money. "But over time," Rachwald says, "companies started transacting more and more data inside their website. As a consequence, the value of data went up, and people started going after credit card numbers, personal identification numbers. The game changed dramatically because you no longer make money by taking down a website but by taking data from a website."

Sometimes the motives are political, as they appear to have been with MilitarySingles. But the real rewards are in an underground information economy that mirrors the legitimate one that sustains Google, Facebook and other web companies.

If you're a Canadian with a Visa card, your details might only be worth $3 on the black market. But those of an EU citizen with a Discover card were fetching $8 each last October.

That may not sound like much, but credit card details like those held by Apple's AppleID service, Amazon, or the infamously compromised Sony are bought and sold in blocks of thousands – ironically through black market social networks and criminal Craigslist analogues. Facebook usernames and passwords, meanwhile, will set you back $6, according to one advert posted on a hacker website.

Yet this pales next to the value Facebook places on the data contained in each account. On May 18, Forbes estimated that each Facebook user is worth an average of $91.44 to advertisers, going by the stock price at the time. The online privacy company Abine, meanwhile, has made a free calculator that they claim can estimate your value to Facebook.

As in the black market, prices vary; I cost over $250, but a Latin American who rarely clicks 'like' and has fewer than 100 friends is worth a mere $46. Google offers money to users for allowing the company to track their browser data – though only in the form of $5 Amazon gift cards. You could get a better price from the hackers.

According to Rachwald, the two industries are two sides of the same coin: "One could say that the hackers did it first. They were very good at collecting personal details and monetising them; Facebook just did it legally."


In fact, the industries share plenty. "There's a fair bit of overlap," says Rachwald. "If you go for hacker forums you will see that a lot of security professionals clearly participate… if you look at the approach taken by certain hackers in certain campaigns, it mimics a lot of what we call white hat hackers do in order to test a website for vulnerabilities."

Facebook even offers bounties on a special 'White Hat' visa debit card to hackers who can find and inform them of security bugs, and hired some of them as interns. Famously, the site began when Mark Zuckerberg broke into a variety of Harvard websites to download hundreds of pictures of fellow students.

Auletta says the hacker mentality runs deep in Silicon Valley. "New, disruptive companies don't ask for permission before they act. If Google had first asked for permission from newspapers or publishers, they never would have launched search in 1998."

Ultimately, Rachwald believes, social networking and the public sector do not mix. Such sites pose "a significant security threat" for government employees. "MilitarySingles wasn't even sponsored by the government, and now there's a ton of publicly available information on various military personnel."

While Imperva's report recommends militaries impose social media rules on their members, Rachwald thinks training is key: "Military and government agencies need to tell their employees how to use social networking and give them guidelines on how details can be used. I don't think they understand how much information an adversary might be able to get."

When Rachwald visits local schools to teach pupils about social networking, he tells them to "treat it as a game" – use a fake name, a fake date of birth, fake details, and make things difficult for anyone trying to find you. The bottom line? "Don't trust social networks, because they don't respect your privacy."

"We're living in the age of social networking. It's a big new factor that won't go away, and it needs to be treated with a great degree of respect."