Overview of Exactis Data Breach

Exactis is considered as a data aggregation and marketing firm, which is located in Palm Coast, Florida. The website is based on selling of consumer data and premium business. The breach of data within the organisational data was mainly discovered in June 2018. With the help of a search tool known as Shodan, a security researcher named as Troia had uncovered 7000 databases on different servers that were publicly accessible [2]. The primary function of the Florida based firm is to collect and trade consumer data for the purpose of refining the accuracy within various form of target based advertisements.

Exactis was also responsible for exposing nearly 340 million consumer records. The company had claimed that although credit card data and Social Security Numbers (SSN) were not revealed. The data that was hacked consisted of 2 terabytes of data that included personal information of American adults and other business persons [3]. The leaked data of customers had included the personal phone numbers of people, email and home addresses, number, age, gender and particular interests. Based on the attack, there were several customer reports that had been collected in order to gain an idea about the number of persons who were affected during the attack.

The alleged breach at Exactis had been reported to contain vital form of personal information that included phone numbers of people, email and home addresses, number, age and particular interests of people. However, after this breach the officials within the company had reported that social security numbers and credit card information have not been leaked [4]. The data breach within the company should be considered as noteworthy because of the depth of information that the records contain about the people.

The target based advertisements are the main reason, which helps in making the breach of data to be crucial. The exposed information of the public is highly personal. The behavioural data that has been involved within the leak is the main reason that is responsible for making the data breach to be highly concerning. The gain of this form of information could lead to the criminals to extract further kind of information [5]. Different security experts have also confirmed that with the rise of efficient modes of technology, cyber criminals can enable high form of personalized attacks against the consumers. After the cyber experts had confirmed about the breach of the incident, they had also asked the management department to erase their data from the records of the company.

Impact of Exactis Data Breach

Conclusion

Based on the discussion from the above report, it could be concluded that the Exactis case was a highly planned and massive attack over the customer data. Although the breach of data was discovered ultimately and secured with proper measures, the number of days taken by the hacker to gain an access over the data has not been discovered. From the conclusions drawn from the attack, the security team at Exactis had sought different kind of actions in order to secure their data. The data protection solution that is newly offered by the company streamlines the needs and challenges that is faced by the organization. These kind of security solutions help in preventing data breaches in real-time environments. Based on implementing different kind of security measures, the company would be able to protect the consumer data and thus prevent such kind of security incidents in the future.

Based on the conclusions drawn from the report, it could be recommended that the company should take some high kind of security measures in order to prevent such kind of incidents in the future. The traditional form of services based on credit monitoring are responsible for monitoring different credit-based accounts. Although the credit score and report should be monitored on a frequent basis, it would not be able to protect the security of data. Hence, the user should implement a quality identity protection service that would be able to send alert to customers based in changes in their address, updates on password and various other forms of questionable posts on social media.

Another recommendation that should be followed is that the customer should be able to check for fraudulent emails and messages. Cyber criminals can send phishing based emails and messages to different people, which can be a trap for them. The customers should not click on such kind of emails and thus reply to them. A fraud alert should be set in order to provide an alert to the customer in case of detection of fraud incidents. The company should also install a wide number of security software solutions such as McAfee Identity Theft Protection that would allow the users to embed a proactive approach for the protection of identities. This kind of software would encrypt the data of customers and thus help in preventing the major cases of hacking of account or breach within the user data.

The major advantage of any form of operating system that is comprised of fence register is the capability to relocate. This form of characteristic is mainly used within a multi-user environment. When two or more user would work within a single system, none of them would know in advance about the location of the program and the place that would be loaded for execution [6]. The relocation register would be helpful in solving the problem. This would be done by providing a certain base or ensuring a starting address. Each of the address present inside programs could be defined as offsets that are derived from base address. A variable fence register could be defined as a base register.

Recommendations for Preventing Similar Attacks

The fence register helps in providing a lower bound but does not provide an upper bound. The upper bound could be useful in gaining an idea about the amount of space that could be allocated [7]. The upper bound would also be useful for checking of overflows in different forbidden areas. In order to overcome the problem, a second register could be often added. The second register, which is known as a bound register can be defined as an upper address limit. Each of the program address could be forced to remain above the base address. This is due to the content of the base register that would be added to the address.

The technique would be helpful for protecting a program address from the modification made by another user. Whenever, the execution of a user program would change, the operating system should change the base content and bound register in order to reflect the true address space [8]. By having a base/bound register, a user would be protected from any outside user.

This problem could be solved by implementing another pair of base/bound register. One of the base/bound register would comprise of data space and the other would contain the instruction for the program. After the allocation of a pair of base/bound registers, only the instruction fetches would be relocated and then it would be further be checked based on a comparison of the first register pair [9]. The access to data would be relocated and then checked with the second pair of register. Though the two different pair of registers would not be able to prevent the entire list of errors in program, they would limit the effect of data that would be manipulating the instruction within the data space.

The discussed features would be responsible for calling for making use of more than three registers. These include: one for writing the code, one for reading the code and the other to modify the value of data. The two pair of registers can be defined as the limit for design of a practical computer [10]. For each of the additional pair of registers, there should be some form of indication about which of the relocation pair could be used for addressing the way in which the instruction would operand. With the inclusion of more than two pairs of base/bound registers, each of the instruction would be able to specify one or more than one form of data spaces [11]. With the inclusion of only two pairs of base/bound registers, the decision taken by the set of instructions could be defined as to be automatic.

Overview of the 2011 Playstation Network Outage

The 2011 PlayStation Network outage can be defined as the result of some form of external intrusion on the network of Sony Playstation services. During the incident, it was reported that the personal details of more than 77 million accounts of gamers were being compromised [15]. With the compromise based on network usage, it had prevented the users of Sony Playstation 3 and other consoles of PlayStation Portable to assess the wide number of services. This attack had primarily occurred April 17 and April 19 in the year 2011 [13]. The Sony Company had confirmed that personally identifiable information of each of the accounts of 77 million people had been exposed. It was further reported that the network outage had lasted for 23 days.

During the time of network outage, a count of 77 million of users were reported to have registered in the accounts of PlayStation network. The network outage and the consequent breaches within data security is defined as the biggest form of breach in history. After the initial period of 7 days after the breach, the company had finally announced that the PlayStation network outage was mainly the result of a massive attack [16]. This breach on the data had exposed the names, emails, birthdays, security questions, passwords and credit card details of the linked accounts of PlayStation users.

In 2011, Sony had confirmed the news that the attack based on hacking was mainly intended for blaming the PlayStation network to be taken offline [12]. The company further had reported that they had lowered the services of PlayStation during conducting the investigation about the data breach [17]. The system was made unavailable for a duration of 7 days after the incident of hack had been discovered [1]. The users who were unaware of the incident and had tried to connect within the system were facing error messages that had further stated that the network was undergoing maintenance or had been temporarily been suspended.

The primary users within the PlayStation network were the owners of PlayStation portable machines and PS3 [18]. The primary purpose of using the PlayStation machines were to download games, music and films. This gaming platform was also used by different users to play online with friends [14]. As per a certain report by Sony Corporation, it had been reported that nearly 70 million accounts had been registered on a worldwide basis. The users had mainly been affected as they were unable to make use of the network system [13]. The children who had their accounts that were established by their parents had also faced that their data had been exposed.

Impact of Playstation Network Outage

Conclusion

The intrusion in the network of Sony Corporation is considered as one of the biggest form of network outage. The hackers had mainly conducted this attack as they knew that the company had a huge store of credit cards. The discussion in the report puts focus on the data breach incident that had leaked the data of many users who had registered into the Sony network. The intrusion within the network had mainly occurred due to the installation of a custom firmware that had been installed within the network.

After the incident had occurred, the Sony Corporation had reported the incident to their users and warned them not to access the network or make any kind of transaction. The company had also reported that there was no such instance where it was reported that credit card number had been revealed. Sony had also hired a security firm in order to perform investigation over the incident. The company should also hire security experts in order to gain control over the entire incident and thus ensure that the breach activity would not be reported further. With the inclusion of many kind of security measures, it would be easier to keep a track over each of the activities occurring within the network and thus prevent such kind of future incidents within the company.

From the conclusions drawn from the discussion over the Sony network outage, it could be recommended that there should have been certain kind of measures that should be taken. During the incident of data breach, it had been reported that users would needed to submit their credit card information and different other personal details for the purpose of playing online games and downloading different music, films and software. Hence, in order to protect the systems and improve future outcomes, it could be recommended that PlayStation members should be aware of such kind of breach on their emails and telephone. They should only upload their credit card information and other important private details only if necessary. They should also implement a software system that would be able to track their activities. Any kind of suspicious activity, if detected within the system would be reported to the concerned user and then they could take proactive measures in order to prevent themselves from such kind of future implications. On the other hand, the company should also be able to implement a varied range of security measures within their network in order to detect any kind of situation of system outage on an early basis. This would majorly help the company in notifying their users about data breach incidents and thus securing themselves against future incidents of fraud.

References

[1] “PlayStation outage caused by hack”, BBC News, 2019. [Online]. Available: https://www.bbc.com/news/technology-13169518. [Accessed: 28- Mar- 2019].

[2] G. Davis, T. Birdsong, T. Birdsong and R. Sarang, “The Exactis Data Breach: What Consumers Need to Know | McAfee Blogs”, McAfee Blogs, 2019. [Online]. Available: https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/exactis-data-breach/. [Accessed: 28- Mar- 2019].

[3] D. Horne and S. Nair. A New Privacy-Enhanced Technology for Fair Matchmaking With Identity Linked Wishes. IEEE Systems Journal, 2019.

[4] A.Y. Vladova and Y.R. Vladov, Data integrating approaches for oil pipelines maintenance.

[5] B.M. Ramilevich, V.Y. Savvich, Z.A. Borisovich and S.A. Nikolaevich, A Data Center as a Scientific and Reference Information Storage Facility.

[6] J. Becla, Lessons learned from managing a petabyte (No. SLAC-PUB-10963). SLAC National Accelerator Lab., Menlo Park, CA (United States), 2018.

[7] J.C.L. López, P.A.Á. Carrillo, D.A.G. Chavira, and J.J.S. Noriega, A web-based group decision support system for multicriteria ranking problems. Operational Research, 17(2), pp.499-534, 2017.

[8] K. Arya, Y. Baskakov, and A. Garthwaite, Tesseract: reconciling guest I/O and hypervisor swapping in a VM. In Acm Sigplan Notices (Vol. 49, No. 7, pp. 15-28). ACM, 2014, March.

[9] D. Jeong, Y. Lee, and J.S. Kim, Boosting quasi-asynchronous I/O for better responsiveness in mobile devices. In 13th {USENIX} Conference on File and Storage Technologies ({FAST} 15) (pp. 191-202), 2015.

[10] S. Kim, H. Kim, J. Lee, and J. Jeong, Enlightening the I/O path: a holistic approach for application performance. In 15th {USENIX} Conference on File and Storage Technologies ({FAST} 17) (pp. 345-358), 2017.

[11] M. Aiash, G. Mapp, and O. Gemikonakli, Secure live virtual machines migration: issues and solutions. In 2014 28th International Conference on Advanced Information Networking and Applications Workshops (pp. 160-165). IEEE, 2014, May.

[12] S. Goode, H. Hoehle, V. Venkatesh, and S.A. Brown, User compensation as a data breach recovery action: An investigation of the Sony PlayStation network breach. MIS Quarterly, 41(3), 2017.

[13] P. Galison, The pyramid and the ring: A physics indifferent to ontology. In Research objects in their technological setting (pp. 27-38). Routledge, 2017.

[14] S. Haggard, and J.R. Lindsay, North Korea and the Sony hack: Exporting instability through cyberspace, 2015.

[15] J. Ahlste?n, A comparative case study of Sony Computer Entertainment’s crisis communication efforts during two PlayStation Network crises, 2015.

[16] C. Milburn, Long live play: The PlayStation Network and technogenic life. In Research Objects in their Technological Setting (pp. 117-134). Routledge, 2017.

[17] N. Horton and A. DeSimone, Sony’s Nightmare before Christmas: The 2014 North Korean Cyber Attack on Sony and Lessons for US Government Actions in Cyberspace (No. NSAD-R-17-045). JHUAPL Laurel United States, 2018.

[18] S.H.S. Huang, H. Zhang, and M. Phay, Detecting Stepping-stone intruders by identifying crossover packets in SSH connections. In 2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA) (pp. 1043-1050). IEEE, 2016, March.