21 Apr 2018

Is “Security by Obscurity” an Obsolete Concept?

The term “security by obscurity” has been around for a long time. Traditionally, it has referred to the idea that the best way to keep a system safe is to keep its design (and any potential vulnerabilities) a secret. To many, “security by obscurity” has also represented the idea that there is safety in numbers, such as on a social media network with hundreds of millions of users. One might argue that the intersection of social media, online platforms that gather and sometimes sell (for legitimate purposes) personal data, and people’s addiction to the convenience of electronic communication calls for a new way of thinking about one’s own (or a client’s) security by obscurity.

Consider how the most prominent targets are being hacked

Sure, there are news stories of hackers targeting large companies – a recent one is a report of a Russian hacker targeting 48 major law firms focused on mergers and acquisitions with the aim of gaining pre-public information to trade on in advance of news announcements. This hacker targeted hardened corporate IT departments, but there are certainly easier targets available.

For most hackers, the easiest target is you, the business user

Today, hackers can easily use sophisticated data mining techniques to target YOU, a business email user. Hackers sometimes purchase personal data from marketing companies, multiple listing services, real estate platforms, and LinkedIn business recruiting tools (“See full profile details on any LinkedIn member, zero in on the right person with 20+ Premium search filters…” — LinkedIn) for back-end access to study a target’s job title and relationships, Facebook or Google data, and more. One tactic for the more experienced hacker is to set up fake companies to subscribe to tools that title insurance companies and credit departments legitimately use to learn about your financial dealings.

Recently, hackers have been successful at this by spending some additional up-front research time to learn about their targets: more than $1.2 billion has been reported stolen, in average increments of $6,000 from individuals and $130,000 from businesses, according to the FBI.

2018 may be the beginning of the “Hacker Goldrush”

Once a hacker identifies his list of targets, it is not hard for him to gather the information required to trick someone into sending money to the hacker’s imposter bank account. The target may be someone who saved their money for years to purchase a new house, a lawyer or other trusted client advisor, a realtor, an insurance broker, a registered investment advisor or an accountant. Click here to read about some of the recent scenarios uncovered through RPost interviews.

New targets and new tactics are identified every day

The latest scheme, uncovered and reported by The Guardian, is based on a flaw in the underlying Signaling System No. 7 (SS7) mobile communications protocols. With a little technical sophistication and the mobile phone number of the target, the hacker can listen in on telephone calls, siphon off photos and other text messages sent and received, and track the target’s location.

To identify targets, the hackers often monitor the professional advisors as individuals (not even bothering to hack into their corporate networks, as was reported to have happened with the Panama law firm Mossack Fonseca). The information gleaned may lead to other hacker opportunities: selling (or exposing) the data to regulators or adverse parties in litigation, or threatening to expose it and demanding a ransom. All of this has consequences that attorney-client privilege arguments do not protect against. The US government, for example, has announced it will use the hacker-leaked data from the firm Mossack Fonseca to initiate investigations against certain people.

What can you do about all of this?

There is not one single solution. One major recommendation is to use email encryption when sending sensitive personal or business information. However, the most important defense may be to simply take the time to learn a little about what is happening in Internet security and to use those tools that make it easy to maintain privacy and security when using the Internet and email.

We also recommend that you invite your colleagues to subscribe to this Tech Essentials Cyber-security Email Series, offered in partnership with bar, law, real estate, insurance, and other leading industry associations. Click here to subscribe to Tech Essentials.