Richard Beck | 5 October 2015
In order to operate the devices we use to access the Internet we transmit additional information prior to, during, and after we send and receive our data.
Nefarious sources are able to identify the devices and networks we communicate on, the software and hardware being used, the dates and times and much, much more.
Once collated, this information is commonly referred to as your digital footprint: information desired by criminals, marketing companies, authorities, journalists, social media sites and many others.
Your digital footprint can be targeted by cyber criminals: the bigger your footprint, the larger your personal ‘attack surface’!
Criminals will always come up with more elaborate ways of extracting our data from us, our machines and the networks we connect to: malware, fake websites, compromised websites, phishing e-mails, fake downloads and other such tricks can easily compromise our data.
We have to accept that we will never be 100% safe whilst online, but we can take many steps to limit our exposure to others.
Be aware that you make digital connections that leak data every day. Sometimes this is unavoidable, but what you do online and the tenuous connections you make, intentionally or otherwise, with colleagues and friends, and in turn their associates, can increase your personal attack surface.
Your devices can tell a story
Everything you do online leaves a trail. Send an email, browse a website, play a game online, tweet or re-tweet, use an enabled app, update a blog or contribute to a forum.
It’s not just ourselves that reveal data:
Friends, marketing companies, businesses that we trust with our information, advertising agencies.
Social media sites hold a vast amount of personal minutiae, including birthdays, school/work gossip, photos, movies watched, songs liked, plans discussed etc.
The more information you share online, the greater the risk of it becoming attractive to cyber criminals, and the easier it is to profile your online habits.
What happens online stays online!
The data we place online can easily be harvested and added to the data that others place online about us, which can lead to a very big picture – your personal attack surface.
Take care, think about the footprints being left behind.
Facebook has been top dog in social networking for many years, with the most recent statistics showing 1.39 billion active users per month.
With 1.3 billion users every month posting, liking, replying, uploading, poking and sharing information, just imagine the sheer volume of data Facebook has access to.
This offers a great deal of potential for advertisers, but also for fraudsters, so it’s imperative that we understand how sites like this operate and how to enjoy them carefully without giving too much away.
It's not always people you have to think about either. What apps have access to your account? What access do companies you've "liked" have to your data?
There's a lot to consider about security when it involves a website whose business model relies on sharing data.
Allowing friends to see your e-mail address, photo, status and musical tastes is fine.
We suggest you review your search privacy, particularly the setting that allows search engines and advertisers to scour your timeline and profile. As some search engines cache information, your timeline and profile preview will remain available for some time (although archived forever) even though you’ve turned public search off.
Apps & your Privacy
WhatsApp is a great messenger app, owned by Facebook. However, it is widely acknowledged that this app has become a target of cyber criminals due to its popularity. Despite recent security updates to this app, there are still many reasons to be careful when using the service.
Did you know that WhatsApp, when installed on an Android device, needs access to other data and services on your phone that you may consider private?
The app automatically uses your address book to add people you know, which in itself is not an issue, but it can share your contacts using WhatsApp automatically.
This is a privacy issue if you consider the fact that WhatsApp’s defaults, unless (and then until) you change them, will show your details (profile pictures, status) to those unwanted contacts.
Why does the app ask for your phone number: to subscribe you to premium services, or to send you spam perhaps? One thing is certain: the majority of social media services aim to collect information that can be used for marketing and advertising purposes. When misused, this results in you receiving spam.
People, processes and technology
World-leading security technologist Bruce Schneier popularised the above phrase in 1999 as a way of getting people to understand that Information Security is more than just relying on IT security systems.
In many cases, security breaches start off by attacking the human who sits behind the IT systems.
If the cyber criminals or fraudsters can get staff to divulge information over the phone, click on a phishing link in an email or entice staff to visit a malicious website, sometimes called a watering hole, the bad guys win!
Threats come in many different forms. Some of the most common threats today are software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion.
Phishing attacks are a common example of a low-cost attack.
The theft of intellectual property has also been an extensive issue for many organisations.
Identity theft is the attempt to act as someone else, usually to obtain that person's personal information or to take advantage of their access to vital information.
Theft of equipment or information is becoming more prevalent because many devices today are mobile. Mobile phones are prone to theft and have also become far more desirable as their data capacity and capability increase. Your whole life, personal and business, is on your mobile device!
Sabotage usually consists of the destruction or disablement of an organisation's website or services in an attempt to cause loss of confidence to its customers.
Information extortion, or ransomware, consists of the theft of a company's property or personal information in an attempt to receive a payment in exchange for returning the information or property to its owner.
When you look at these examples of threats, it becomes apparent that in the digital age, many attacks are pitted against the IT systems we use.
In most cases they are aimed against the people using the IT systems as well as being set against the business processes being followed.
If it can happen to them...
November 2014. Sony Pictures Entertainment (SPE) discovers it has been the victim of one of the worst corporate hacks in history. Since nearly all aspects of Sony’s internal system had been compromised, the repercussions were going to last months, even years.
On November 22nd, skulls appear on employees’ computer screens along with a message threatening to expose company ‘secrets’.
Sony’s computers were crippled and employees were forced to work with pen and paper. They even had to use the fax machine.
Initially, Sony reported the attack as an ‘IT matter’ but then acknowledged the security breach to staff, calling it a “brazen attack” comprised of ‘malicious criminal acts’. The group #GOP, later identified as the Guardians of Peace, claimed responsibility for the attack, prompting an FBI investigation. There was speculation that North Korea was involved because of Sony’s movie, The Interview, which features a thinly veiled parody of its leader, Kim Jong-un.
North Korea denies culpability but calls the attack a “righteous deed.” Even so, the US media quotes anonymous officials linking the attacks to North Korea.
At the end of 2014, Sony asked the media to cease coverage of the attack, threatening legal action against Twitter if it did not suspend the accounts of those posting hacked material.
Aaron Sorkin, screenwriter of A Few Good Men and The Social Network, wrote an open letter for The New York Times where he accused the media of being complicit in the attack.
Closer to home
August 2015. Carphone Warehouse breach!
Hackers reportedly swamped Carphone Warehouse with junk traffic as a smokescreen, before breaking into systems and stealing the personal details of 2.4m customers.
Up to 90,000 customers may also have had their encrypted credit card details accessed, the UK-based mobile phone reseller admitted at the weekend.
Customers with accounts at OneStopPhoneShop.com, e2save.com and mobiles.co.uk are understood to have been potentially affected by the data breach.