GREAT UNKNOWNS

How long did it take Equifax hackers to steal 143 million customer records? Based on how long it took me to transfer 200 Hawaiian vacation photos, it must have taken them months. How did no one notice?

Popular Mechanics (South Africa) - How your world works

WE’LL GET TO your answer, but wait a sec: You took only 200 photos on your Hawaiian vacation? You either possess an uncommonly disciplined shutter finger, or you’re extremely difficult to impress. Steaming volcanoes? Shimmering sands? Swiveling hula dancers? For us, 200 pictures is adequate coverage of a three-year-old’s birthday party. Not including the cake.

Your photographic parsimony aside, the time it takes hackers to download records depends on how large the files are. A photo contains a heck of a lot of data; a text file listing your name, address, social security number, etc., would be far smaller – especially given that the data could be compressed. “If the name ‘Sam’ appears a million times, I don’t need to store it every time,” explains Vyas Sekar, an associate professor of electrical and computer engineering at Carnegie Mellon University. “I can just store one and say, ‘Everything here refers to ‘Sam.’ ” Poor Sam.

We asked three experts to guess how large the files might be, and how long it would take Boris J. Hackervich to siphon off 143 million records. Sekar suggested a file size of 20 kilobytes per record, which he considered generous. Collectively, he said, the stolen data would equate to about 800 Netflix movies, which could slip out the back door in about two and a half days. Herb Lin, senior research scholar at the Center for International Security and Cooperation at Stanford University, went with a more modest individual file size of 1 KB, which would wrap everything up in about a day. On the other end of the spectrum is Thomas Kilbride, a security consultant at IOActive, a cybersecurity firm that recently made headlines by hacking a personal-assistant robot and turning it into a stabbing machine. Kilbride used a worst-case estimate of 250 KB per record, coming up with a download time of 38 days.

Whatever the file size, it’s clear that the full data theft couldn’t take place within a single IT-security-officer’s smoke break. How can hackers conceal such long-term larcenies? They might refrain from taking all the data from one place. “They probably divvy it up among multiple machines so each one’s sending a small chunk,” Sekar says. “At no single point will it actually look like an anomaly.” Lin adds that they might choose to extend the theft over a period to avoid detection: “Let’s say you spread it out over 100 days,” he says. “Now you’re only transferring 1 gigabyte a day, and that’s just not very much.”

Moreover, Kilbride says, “An attacker may encrypt the outbound traffic to make it difficult to distinguish from legitimate traffic.” Transferring a small file wouldn’t look that different from uploading something to Dropbox. “As a security administrator, if I start flagging everybody who’s sending something to Google Drive, I’ll get a ton of false positives and have a lot of angry users,” Sekar says. Then again, if you let cybercrooks saunter off with sensitive data on almost half the people in the country, you’re going to have a lot of angry customers. It’s a difficult trade-off, of course, and one that too many companies appear to miscalculate. We might as well all unplug, move to Hawaii, and try a little harder to adequately document our new surroundings.
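
The pattern Sekar and Lin describe, small transfers split across machines and stretched over days, slips under a per-host daily threshold but shows up when outbound bytes are totalled per destination over a longer window. The sketch below is an added example, not part of the original article; the flow records, hostnames, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict

MB, GB = 10**6, 10**9

def make_flows():
    """Constructed sample: (day, source host, destination, bytes sent out)."""
    flows = []
    for day in range(1, 11):
        # Five hosts each send a modest 200 MB/day to the same unfamiliar address.
        for n in range(1, 6):
            flows.append((day, f"app-{n:02d}", "203.0.113.50", 200 * MB))
        # Ordinary user uploads to a file-sharing service.
        flows.append((day, "laptop-17", "files.example.com", 350 * MB))
    # One legitimate large backup on a single day.
    flows.append((4, "backup-01", "backup.example.net", 3 * GB))
    return flows

def per_host_daily_alerts(flows, limit=1 * GB):
    """Naive rule: alert when one host sends more than `limit` in one day."""
    totals = defaultdict(int)
    for day, src, _dst, nbytes in flows:
        totals[(day, src)] += nbytes
    return sorted(key for key, total in totals.items() if total > limit)

def per_destination_alerts(flows, window_days=10, limit=5 * GB, min_sources=3):
    """Aggregate rule: bytes per destination over the window, across all hosts."""
    last_day = max(day for day, _src, _dst, _n in flows)
    volume, sources = defaultdict(int), defaultdict(set)
    for day, src, dst, nbytes in flows:
        if day > last_day - window_days:
            volume[dst] += nbytes
            sources[dst].add(src)
    return {
        dst: (volume[dst], len(sources[dst]))
        for dst in volume
        if volume[dst] >= limit and len(sources[dst]) >= min_sources
    }

if __name__ == "__main__":
    flows = make_flows()
    print("per-host daily rule:", per_host_daily_alerts(flows))
    print("per-destination rule:", per_destination_alerts(flows))
```

A sanctioned service used by many employees would cross the same aggregate threshold, which is the false-positive trade-off Sekar describes.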
