Data laundering creates privacy and security risks

Brother

Data laundering is the process by which illegally obtained data (bought on the dark web, or taken from a hacked or stolen database) is subsequently run through special processing to give it an appearance of legitimacy.



As companies adopt modern technologies and new ways of doing business, they gain additional opportunities to collect and use data, and data laundering is becoming a correspondingly serious problem.

Chris Pin, PKWARE's VP of Security and Privacy, explained that data can be obtained in several ways: purchased from a seller on the darknet, downloaded from a company website, or obtained through malware, e-mail phishing, or even a man-in-the-middle (MITM) attack. ...

“Once they get the data, attackers usually run it through a randomizer, which is a data cleansing tool that helps randomize missing or valuable information to make the data look more legitimate to potential buyers,” Pin said.

The data laundering problem

The problem with data laundering is that unsuspecting buyers can acquire stolen data and thereby become part of the laundering process themselves.

“Let's take a look at what happens after an organization purchases stolen data. Like any other data, it will be stored somewhere, such as a database,” explained Pin. “Storage and system resources are a big investment in and of themselves. To process more data, the company is forced to increase its resources accordingly. In addition to the repository, the organization applies all of its available security controls, detection, data management and so on to this illegal data.”

This is the stage at which things get really bad, Pin said: by then the IT organization has done everything it can to let the business incorporate the dataset into AI, machine learning and other automated decision-making processes.

“Your organization may be planning marketing campaigns, regional product or trend research, and more. The problem is that laundered data can contain a lot of inaccuracies and lead to business losses due to decisions based on false data. Moreover, this is only the business side of the problem,” said Pin.

Beyond the business side, illegally obtained data carries serious legal risk. An organization that cannot prove the legitimacy of its data (or demonstrate where it came from) is exposed in the event of litigation.

“If your company starts selling stolen emails, consumers will immediately have a number of questions about where you got the emails from and why you did it,” explained Pin. “Since you cannot answer these questions, consumers will have a basis to file an individual claim, and even a class action may be filed.”

In Pin's view, data traders need to have complete confidence in their sources.

Supply chain tracking

Data providers, too, need to be confident in their sources. The entire supply chain therefore has to be tracked, to ensure both the accuracy of the data and the legality of every exchange along the way.

Pin expects privacy laws to catch up over time; tracking the chain of custody will become mandatory for organizations and federal agencies.
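The chain-of-custody tracking described above can be made mechanically checkable at ingestion time. The following is an added example, not code from the article or from PKWARE: every hop in the data supply chain (collection, transfer, enrichment) appends a record carrying the dataset's content digest, evidence for that hop, and a MAC that links it to the previous record, and the acquiring organization refuses to ingest rows unless the chain starts at a documented collection with a legal basis, every link verifies, and the rows in hand match the last recorded digest. The key, actor names, evidence field names and the sample rows are all assumptions constructed for the demonstration.

```python
"""Hash-chained, MAC'd chain-of-custody records for an acquired dataset (added example)."""
import hashlib
import hmac
import json

# Hypothetical verification key held by the acquiring organisation (assumption, not from the article).
CUSTODY_KEY = b"custody-key-from-your-kms"

# Evidence the very first hop must carry before we will touch the data (assumed policy).
REQUIRED_ORIGIN_EVIDENCE = ("source", "legal_basis", "collection_notice")


def dataset_digest(rows: list[dict]) -> str:
    """Canonical SHA-256 over the rows, so any edit, addition or deletion is detectable."""
    canonical = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def _mac(entry: dict) -> str:
    """HMAC over every field except the MAC itself, in canonical JSON order."""
    body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.new(CUSTODY_KEY, body, hashlib.sha256).hexdigest()


def append_entry(chain: list[dict], actor: str, action: str, rows: list[dict],
                 evidence: dict, ts: str) -> list[dict]:
    """Add one custody hop: who did what to the data, with evidence, linked to the previous hop."""
    prev = chain[-1]["mac"] if chain else "0" * 64
    entry = {"prev": prev, "actor": actor, "action": action, "ts": ts,
             "digest": dataset_digest(rows), "evidence": dict(evidence)}
    entry["mac"] = _mac(entry)
    return chain + [entry]


def verify_chain(chain: list[dict], rows: list[dict]) -> tuple[bool, str]:
    """Refuse ingestion unless provenance is complete, untampered, and matches the rows in hand."""
    if not chain:
        return False, "no custody records"
    if chain[0]["action"] != "collected":
        return False, "chain does not start at collection"
    missing = [k for k in REQUIRED_ORIGIN_EVIDENCE if not chain[0]["evidence"].get(k)]
    if missing:
        return False, f"origin evidence missing: {missing}"
    prev = "0" * 64
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, f"broken link at hop {i}"
        if not hmac.compare_digest(entry["mac"], _mac(entry)):
            return False, f"bad MAC at hop {i}"
        prev = entry["mac"]
    if chain[-1]["digest"] != dataset_digest(rows):
        return False, "rows do not match last recorded digest"
    return True, "ok"


# Constructed sample data: two opted-in newsletter subscribers (not real people).
CONSTRUCTED_ROWS = [
    {"email": "a@example.org", "opt_in": True},
    {"email": "b@example.org", "opt_in": True},
]
ORIGIN_EVIDENCE = {"source": "newsletter signup form",
                   "legal_basis": "consent",
                   "collection_notice": "privacy-policy-v3"}


def build_example_chain() -> list[dict]:
    """A legitimate two-hop chain: collected by the site owner, then transferred under contract."""
    chain = append_entry([], "collector:acme-marketing", "collected",
                         CONSTRUCTED_ROWS, ORIGIN_EVIDENCE, "2024-01-10T09:00:00Z")
    chain = append_entry(chain, "broker:datahouse", "transferred",
                         CONSTRUCTED_ROWS, {"contract": "DH-2024-17"}, "2024-02-01T12:00:00Z")
    return chain


if __name__ == "__main__":
    print(verify_chain(build_example_chain(), CONSTRUCTED_ROWS))
    # A dump that simply appears at a broker, with no collection record, is rejected.
    orphan = append_entry([], "broker:datahouse", "transferred",
                          CONSTRUCTED_ROWS, {"contract": "DH-2024-17"}, "2024-02-01T12:00:00Z")
    print(verify_chain(orphan, CONSTRUCTED_ROWS))
```

A single shared HMAC key only lets one organization verify its own records; across independent parties each hop would sign its entry with its own key pair instead, and the verifier would check signatures against a registry of known collectors and brokers. The point the example makes is the check itself: a dataset with no documented point of collection, or whose content digest no longer matches its last custody record, never reaches the warehouse.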

Andrew Barratt, managing director of solutions and investigations at Coalfire, a cybersecurity advisory services provider, explained that data laundering is nothing new and has long been recognized as a problem in data selling.

“Laundering data is not as difficult as many people think,” Barratt said. “Cybercriminals use both small manipulations in Excel and special cleanup algorithms on large-scale collections of breached data, thus removing all information that could attribute the source.”

Barratt explained that once a list of names, addresses and e-mails has been stripped of this attribution information, it is nearly impossible to determine where it originated. Only the presence of special 'canary' records in the dataset (fictitious entries seeded by the owner) helps against such a procedure.
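As an added example of the canary technique Barratt mentions (this is not code from the article, Coalfire or PKWARE), the block below seeds a dataset with fictitious records whose e-mail addresses carry an HMAC of a sequence number under the owner's secret key, then simulates the laundering steps described above (dropping the source column, renaming columns, lowercasing e-mails and shuffling rows) and shows that the canaries can still be recognised in the laundered CSV without consulting a stored list, while a forged look-alike address is rejected. The key, the example.com domain, the record format and the sample rows are all assumptions constructed for the demonstration.

```python
"""Seeding and detecting self-authenticating canary records (added example)."""
import csv
import hashlib
import hmac
import io
import random

# Hypothetical secret known only to the data owner (assumption, not from the article).
CANARY_KEY = b"replace-with-a-secret-from-your-vault"
CANARY_DOMAIN = "example.com"  # reserved domain, so canary mail never reaches a real mailbox


def _tag(seq: int) -> str:
    """Short HMAC tag binding the sequence number to our key."""
    return hmac.new(CANARY_KEY, f"canary:{seq}".encode(), hashlib.sha256).hexdigest()[:10]


def make_canary(seq: int) -> dict:
    """A plausible-looking record whose e-mail local part carries its own MAC."""
    return {
        "name": f"Pat Sample {seq}",          # hypothetical; use realistic names in practice
        "address": f"{100 + seq} Canary Lane",
        "email": f"pat.{seq}.{_tag(seq)}@{CANARY_DOMAIN}",
        "source": "crm-export-2024",
    }


def is_canary(email: str) -> bool:
    """Recognise one of our canaries from the address alone; forged tags fail the MAC check."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain != CANARY_DOMAIN:
        return False
    parts = local.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    seq, tag = int(parts[1]), parts[2]
    return hmac.compare_digest(tag, _tag(seq))


# Constructed sample records (not real people); 'source' is the attribution column a launderer removes.
CONSTRUCTED_ROWS = [
    {"name": "Alice Example", "address": "1 Main St", "email": "Alice@Example.org", "source": "crm-export-2024"},
    {"name": "Bob Example", "address": "2 High St", "email": "bob@example.com", "source": "crm-export-2024"},
    {"name": "Carol Example", "address": "3 Broad St", "email": "CAROL@example.net", "source": "crm-export-2024"},
]


def seed(rows: list[dict], count: int = 3) -> list[dict]:
    """Append `count` canaries to the dataset before it leaves our hands."""
    return rows + [make_canary(i) for i in range(count)]


def launder(rows: list[dict], shuffle_seed: int = 7) -> str:
    """Simulated laundering: drop the source column, rename columns, normalise case, shuffle, export CSV."""
    out = [{"full_name": r["name"].title(), "addr": r["address"], "mail": r["email"].lower()} for r in rows]
    random.Random(shuffle_seed).shuffle(out)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["full_name", "addr", "mail"])
    writer.writeheader()
    writer.writerows(out)
    return buf.getvalue()


def find_canaries(csv_text: str) -> list[str]:
    """Scan every field of every row, since the launderer may have renamed the e-mail column."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for value in row.values():
            if "@" in value and is_canary(value):
                hits.append(value.lower())
    return sorted(hits)


if __name__ == "__main__":
    laundered = launder(seed(CONSTRUCTED_ROWS))
    print(laundered)
    print("canaries recovered:", find_canaries(laundered))
```

The MAC in the local part means a buyer who is handed the dump can attribute it without the owner having to keep and share a list of seeded addresses, and an attacker who learns the address pattern cannot mint canaries of their own. Lowercasing, reordering and column removal do not disturb the tag, but the scheme only survives as long as the e-mail field itself survives, so in practice canaries are also planted in other fields (addresses, phone numbers), and a dataset identifier is folded into the HMAC input when several datasets share a key so that a hit points at a specific release.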

How to fight data laundering

To combat data laundering, privacy laws must continue to evolve along the lines of the GDPR and the California CCPA, requiring companies to delete data at the request of individuals, Barratt said.

The GDPR has come a long way, he said, establishing high-level rights for data subjects in the UK and EU, and the US is moving in the same direction state by state.

“At the federal level, the Constitution and Bill of Rights do not explicitly give citizens a right to privacy, although various case laws argue for privacy,” Barratt said.

Unfortunately, from a security standpoint, if the records come from compromised datasets, “the horse has already bolted and the ship has sailed,” he said. Such records will continue to pose a privacy problem and an inconvenience to users: the people whose data was compromised will be inundated with marketing spam, targeted advertising and so on.

“Depending on the context of the data, there may also be personal safety issues associated with the loss of names and addresses, social security information and medical records,” Barratt warned.

John Bambenek, Threat Intelligence Advisor at Netenrich, also pointed out that the primary regulatory target should be the companies that acquire the data: they should be required to vet the reliability of their suppliers and to collect data only for legitimate purposes.

“It would be better if consumer data belonged to the consumer. All purchases and sales should only be made with the consent of the consumer. But unfortunately, in the United States, we are far from that,” he said.

Bambenek noted that any action that encourages or monetizes criminal activity helps it continue. Many companies that buy questionable data are likely looking the other way on purpose.

“Unlike ransomware, there is no reason to give money to such criminal gangs. Companies should not use the services of cybercriminal mercenaries to feed their information machines,” says Bambenek.