Personal Security and Privacy

May 15, 2016

josephpizzo

We learn about privacy at a very young age. Theoretically, these lessons can even happen while we are still in the womb — I’m talking about the physical side of privacy, you know, when a stranger tries to touch the belly of an expectant mother. This action is often met with shock and awe. And it should be.

This is an invasion of personal space as well as unwanted physical contact. We may or may not learn anything directly in utero — I would welcome a medical professional’s opinion on the effect that an unwanted touch by a stranger on a pregnant mother has on an unborn child. To me, it makes sense, that if an unborn child can respond to familiar voices they can also respond to an unwanted touch.

Privacy and security are continuous learning processes. As young as toddlers we learn to use the toilet with the door closed, to not talk to strangers, to knock before we enter, to be aware of our surroundings and to not share private information with others. There are levels to each of these, I know, but I am sure that you get my meaning.

If we learn these lessons from an early age, why do we become so cavalier with our privacy and security later in life? At what point did it become OK for us to give up our privacy and security? I can’t tell you why we freely give our information out to everyone. I also can’t tell you why we sacrifice some of our security — again, I would defer to a professional, maybe a mental health professional or psychiatrist for a theory as to why.

What I can tell you is that the devolution of personal privacy and security has a deep impact on our modern lives. This is largely due to the need for immediate information consumption and the attention we receive from “likes.” I think we are all guilty of verifying a cameo appearance in a movie at the dinner table, or of the pleasure of knowing that people not only saw the picture we posted but acknowledged that it is cool by clicking the like icon.

We freely give out information about ourselves — sometimes the most intimate of details — and this becomes data. Your life, experiences, likes and dislikes, friends, associations, political opinions, relationships and so on all become data.

Our data is being used for everything from delivering us the weather in our current location (or intended location if we are traveling) to generating targeted ads for us. Because of the free distribution of data about us, we have now been targeted as consumers, a revenue stream.

We entrust our medical, financial and educational records to doctors, schools and banks under the assumption that they are securing our private data. We store things locally on an unsecured computer where we also shop, research, share and communicate with a connected world. Largely we do this in random order and with no knowledge of our own security.

Protection from Ourselves

Surprisingly, we are also delivering information about how we use our devices. The way we use everything, including our computers, smartphones, tablets, wearables, home automation, automobiles and even our home appliances, is being tracked and monitored. Mostly, these are monitored by app developers and product manufacturers for notifications, content delivery and even reminders to order more coffee (yes, our coffee makers will soon be watching us, if they aren’t already).

One of the more surprising parts of all of this usage monitoring is that this data is fed into analytics engines that use advanced machine learning, artificial intelligence and other algorithms to determine when it is best to target us for notifications, reminders and the like.

Scarier still is that “they” know if it is you or your three-year-old using the service, device or application. So, umm, yeah, they are targeting our beautiful offspring for future content. I would wager that there are analytics platforms measuring youth usage to determine their future consumer value and potential market space (they exist, trust me). Think about it: they watch Curious George 100 times a day for 3 years — they may one day be the perfect consumer targets for yellow hats. Is this theory so far-fetched?

Then There Are The Bad Guys

Beyond the things that we willingly exchange for convenience, there are the behaviors that “invite” the bad guys. I cannot keep track of how often I hear from a non-InfoSec friend, family member or acquaintance how they were infected with something or how they were “hacked.” Typically, when I ask how this happened, the explanation is “I don’t know,” or “they broke into my system,” or some type of “it wasn’t my fault” response (my favorite is “I never watch porn”). It really wasn’t their fault. Largely, this happens because they either weren’t taught how to protect themselves or, when they were taught, they didn’t pay attention or forgot the lesson.

The problem is that computing is still new to a lot of people and the Internet is constantly evolving. There is a constant stream of new applications, services, tools, sites, devices, information and information delivery systems that we embrace and use every day. We add these features and functions of the Internet to our daily routine without thought, because by our very own nature, we trust that they are secure and useful.

Common Methods of Infection

At a high level, infection occurs in three very basic ways. There is the unknown device infection, where we plug in a device without scanning or even knowing where it came from. We do have the ability to scan these devices — most of us have basic antivirus. But, we live in a time where immediate gratification is the norm and we aren’t thinking about security. We impatiently disable our AV in order to access the data as fast as possible. Also, we don’t update our AV software leaving us open to newer infections. Additionally, there are ways to circumvent anti-virus technology and it is very common for a system breach to occur using advanced attack techniques built into malware that can be installed on these devices (this however, is the least of your worries).

As it relates to these situations, exercising caution should become commonplace. There is a need to learn that a little bit of delay will create a newer sense of gratification in the knowledge that we are just a tiny bit safer (because we haven’t installed malware). When you are handed a device by a coworker, friend or family member, let your AV do its job and scan the device. If you don’t have some type of antivirus, get one and install it on every system (http://bfy.tw/5lb1 — search for free antivirus).

There is also a need to learn to avoid the random USB device. Just walk away. There are tools that add some protection from the advanced techniques that could be sitting on the device you just plugged in, we will cover these a little later. Take this quote from the movie Elf and apply it to devices — “Well, there are some things you should know. First off, you see gum on the street, leave it there. It isn’t free candy.”

Another method of infection is opening an unsolicited email from an unknown source and clicking on embedded links or files. This can also happen with texts. These are called phishing and smishing, respectively. When these occur, make sure that you know the sender. If you aren’t expecting an email with a link, or the message comes from someone via an email address that they haven’t used in a decade, don’t click on the link. The same goes for a file. Apply this thought process to all of your email and texts and you can avoid a large percentage of problems.

The third basic method of infection for most people is careless internet browsing. This can range from going to shady sites all the way to downloading unknown software. We rely on our brains and eyes to make quick decisions and they can and do fail us at times. There are some things to look for that can prove to be more trustworthy than others.

In addition to antivirus software, you should install anti-malware software. I use Malwarebytes across all of my systems. We pay for it in my house, but there are free and trial versions (http://bit.ly/1TU1K9o). There are several anti-malware tools on the market and you can get a lot of them for little to no money at all (http://bfy.tw/5lbB).

Check to make sure that the sites you are visiting use HTTPS and verify the URL

When shopping online, make sure that you are using a site that employs encryption. You will notice the difference in the location bar: if there is a lock and the URL starts with https, you can feel more secure. Second, if you are shopping at a known site, look at the URL. Does it say Amazon.com or is it Amaazon.com? Third, if a site attempts to install something, decline.
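The two checks above (is it HTTPS, and is the host really the site you think it is) apply equally to links in email and texts. The script below is an added example, not code from the original post, that turns them into something you can run over a URL before you trust it. The allowlist of "sites I know" is a constructed stand-in for your own bookmarks, and the lookalike test is a plain Levenshtein distance, which catches the Amaazon.com case from the text; the brand-in-subdomain test is an extra check the text does not mention.

```python
from urllib.parse import urlparse

# Constructed allowlist for the demo: sites the user actually shops or logs in at.
KNOWN_HOSTS = {"amazon.com", "ebay.com", "paypal.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Keep the last two labels ('www.amazon.com' -> 'amazon.com').
    Simplification for the demo: multi-part suffixes such as .co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, known_hosts=KNOWN_HOSTS) -> list:
    """Return a list of human-readable warnings; an empty list means no red flags."""
    warnings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        warnings.append(f"not HTTPS (scheme is '{parsed.scheme or 'none'}')")
    host = (parsed.hostname or "").lower()
    if not host:
        warnings.append("no hostname in URL")
        return warnings
    domain = registrable_domain(host)
    if domain in known_hosts:
        return warnings            # exactly the site we know: nothing to add
    for known in known_hosts:
        brand = known.split(".")[0]
        if 0 < edit_distance(domain, known) <= 2:
            # One or two characters away from a known site: typo or lookalike.
            warnings.append(f"'{domain}' looks like '{known}' but is not it")
        elif brand in host.split("."):
            # The brand name appears as a label, but the registered domain differs.
            warnings.append(f"'{host}' uses the name '{brand}' under a different domain '{domain}'")
    return warnings


if __name__ == "__main__":
    for sample in ("https://www.amazon.com/", "http://www.amazon.com/",
                   "https://www.Amaazon.com/checkout",
                   "https://amazon.com.secure-login.example/"):
        print(sample, "->", check_url(sample) or "looks fine")
```

The checker deliberately reports every problem it finds rather than stopping at the first, because a link that is both plain HTTP and a lookalike domain deserves both warnings.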

Social networking can also add to infection via careless browsing. We love the salacious story; we are enticed to click on that link and see the video or read the article. “You’ll never guess what this father did to his daughter after…” will pique most people’s curiosity. If you don’t have advanced malware protection or updated AV, I wouldn’t risk it (I generally wouldn’t visit these links because of the ad bombardment). The best-case scenario is that the story is going to be stupid, the site will be laced with ads that take forever to load, and you will end up feeling like you just waited 10 minutes to see a video that never loads. Just pass it by and look at the pictures of the butterfly that Sue just posted; it may even have a cute inspirational quote that leads to some enjoyable eye rolling.

A Little Awareness Goes a Long Way

There are behaviors that we can adopt, software we can use and features that we can be aware of right now that will enhance our privacy and security posture. Remember, this is a barter system — we trade our information for convenience. Some of the following suggestions may make trades that create some discomfort; this is OK. It is perfectly fine if you can live with or without the discomfort, no judgment.

Let’s start with Brian Krebs’ 3 Basic Rules for Online Security (link below). These apply to a lot of what was previously mentioned. First, if you didn’t go looking for it, don’t install it. Second, if you installed it, update it. Third, if you no longer need it, remove it.

Don’t install something that you either didn’t actively try to install or that was forced on you through some less-than-careful browsing. Often we will hit a site for research or through a series of links. These installs may or may not do harm, but there is no value in accepting something that you don’t want.

Updating the software that you use on a regular basis, including your operating system, is one of the most important things you can do to protect yourself. Turn on automatic updates for your desktop or laptop and its software whenever possible. Do this for your antivirus, word processor, spreadsheet and presentation applications — basically, anything that you can update, update. This is easy and important. Check for updates for your smartphone and tablet. Check with your carrier if your phone is branded with a custom OS; carriers will often stop issuing updates for older smartphones. Update your apps as well.

Keeping Our Data Private

In schools today, all the way down to grade schools, teachers and administrators are seen as the “parents” during the time that they are the custodian of the students. In the schools in my district, they can ask for smartphones and freely view all of the content on the devices. Everything from texts, app data and photos all the way to social media and phone history. They can look at everything. This is all under the umbrella of anti-bullying. They are not, however, limited to looking for evidence of bullying. These custodians of our children can and do look at everything.

Can this lead to a child being forced to provide their fingerprint to unlock their phone in school? If so, what are the repercussions of anything found on their phone that may be considered an offense against school rules or, even worse, part of a crime? I have encouraged all of my family, friends, and acquaintances to let go of the convenience of TouchID and the use of a fingerprint to log in. Instead, I have encouraged all of my family to use a complicated password and to set their device to wipe the data after a number of failed attempts. And, if their device is requested (by anyone — teacher, administration or police), lock it and never provide your password. Authority figures can request your password, but you are under no obligation to comply.

Another side of privacy is the willingness to share our location with everyone. Location services have become a default for all of us, and we are quick to allow them for every application on every device. This provides, at times, some helpful information like restaurants, weather and services close to you. It can also be used to track you.

Take, as an example, Google’s Location History (http://bit.ly/1TgY2Xa). When you use Google Maps, it conveniently stores the locations where you used the app. This is an example of a trade-off: basically mapping out a timeline of dates, addresses and places visited in exchange for using the app as a GPS. It can be convenient, but if your account is somehow compromised, a stalker can track your history and current whereabouts.

Snippet of my Google Timeline

Google has a host of information about you and your online behavior that it collects from your use of Google apps, your browsing history and what you do with your mobile devices. I would urge everyone to take some time and familiarize themselves with their personal settings. You can find them at http://bit.ly/1OuOxj8; this is a more comprehensive view of all of your Google information. You can find ad settings, device data and audio usage, and you can change some of these settings as well.

Most applications that you use can track you. All social network apps, shopping, review, dining and delivery apps, and utilities like word processors, spreadsheets and presentation apps can geotag you. Most are not set to do so by default, but, as previously mentioned, because of carelessness, laziness or the impression that we may need location services for any of these apps to function, we enable geolocation services. This is easily remedied by turning off location services on your devices; Lifehacker.com has a quick article on how to do this on most devices (http://bit.ly/2510HNC).

Personal VPN and Free WiFi

A VPN (Virtual Private Network) is in very common use in most corporate environments. It is used to create a secure tunnel between you and the resource you are accessing. It does the same for personal use: it creates a secure tunnel between you and the Internet and protects you and your data.

For normal everyday use in a corporate or home environment, a personal VPN isn’t completely necessary as the private environment you are working in should be relatively safe. In the wild, with the availability of free public WiFi, the safety of your communications is not guaranteed. New York City has recently made free WiFi available all over. This is incredibly powerful for low income residents.

Existing phone booths on every corner of every borough have been adapted to provide free WiFi and charging stations as well as tablet kiosks for public use. This is a blessing and a curse at the same time. A blessing because everyone will have free Internet access; this will reduce the data charges from your carrier and provide access to the resources that you typically use (is it really worth it to use Facebook and Instagram?). A curse because of the danger of using an easily broken public WiFi access point. There are several reasons why we should be cautious when accessing free WiFi (hotels, cities and municipalities, coffee shops, barbers, etc.), and HowToGeek.com has a great article on why to be leery of free WiFi (http://bit.ly/1rNOASe).

In an effort to protect the data on devices that will take advantage of these free resources, a personal VPN should be used. This provides an additional layer of security that isn’t available using WiFi and HTTPS alone. You basically connect your device to the wireless network and turn on your personal VPN. It makes you just a little bit safer. Again, a personal VPN costs little to no money (Opera now includes free VPN functionality) and, again, I’ll Google that for you: http://bfy.tw/5mL1.

Authentication and Verification

The human brain is an amazing evolutionary marvel: it can store information and details about experiences, associate these details with words, sounds, scents and colors, and recall this information as needed. The power of the human brain has not reached its full capacity and use yet and thus is constantly evolving. This creates a problem for all of the information that we are required to prioritize for daily use.

We are subscribed to multiple services, use multiple applications and are required to use and remember multiple sets of credentials to access all of these helpful resources. My last count of credentials was nearing 60 sets of authentication credentials.

I could use the same username and password for most, but as an InfoSec professional, I would lose what little respect I currently enjoy. I make use of a password manager. This helps me create strong and distinct passwords for every resource I use. My credentials are stored in an encrypted “locker” and are secured with an even stronger password to decrypt and access the credentials when I need them. This leaves me with one password that I have to remember.

Time it takes to crack a password based on number of characters http://www.laughingminds.com/wp-content/uploads/2011/02/pass_crack.jpg

Password managers should be used by everyone. As with antivirus and anti-malware, there are plenty available, and they are often available for little to no monetary cost (http://bfy.tw/5ldg). Some of these can be combined with a physical authentication device, some can store your encrypted “locker” on a cloud share so that it can sync across all of your devices, and most can be integrated with browsers via an extension in order to autofill your credentials. These are significantly helpful and reduce the need to remember your credentials or write them down on a sticky note affixed to your monitor. They can also be used to generate a strong password (www.laughingminds.com has a detailed article on passwords: http://bit.ly/1ZS0Cot). The stronger your password, the longer it takes to crack it and the more secure you are (as long as you protect your password and never share it).

Adding two-factor authentication (2FA) where you can will further aid in your security. 2FA basically means something you have and something you know. The something you have is your mobile device that can receive a one-time PIN, has authentication software, or is a physical device. These physical devices can be authentication tokens with a unique code that is only good for a short period of time or a physical device with a unique key that can be plugged into a device for an added layer of authentication. The something you know is your credentials for the resource you are accessing.

If you combine your really strong password with a password manager and 2FA, you will increase your security immensely. My family uses these practices, and my friends have been encouraged to do so as well.

In closing, there is a need for all of us — not just those of us working in the InfoSec community — to take a proactive approach to our security and privacy. I would encourage any reader to make sure you have the software to protect yourself, make sure that the software and your OS are patched, and then take some time to learn the basics of security. Look at how your applications are set up and make the necessary configuration changes to protect yourself. Personal privacy and security are everyone’s business; take the time to educate yourself on them and you will not be sorry.

On a side note, if any of my family or friends have read this, please don’t call me if you become the victim of a breach, malware, ransomware or some kind of identity theft.

Joseph Pizzo is a veteran of the InfoSec industry with over 20 years of experience and currently serves as Director of Security Solutions on the Securonix Engineering Team. Prior to Securonix, Joseph served as a leader on the Norse Field Engineering Team and Threat Intel SME. Joseph previously worked in varying engineering roles for RSA Security, AccessData, HBGary and Guidance Software. Joseph spent significant time working with multiple global organizations to assist with their security infrastructure and is a valued and trusted resource for a large portion of Fortune 500 corporations. Joseph’s education includes DeVry and Columbia University.

Joseph is a regular contributor and often sought out for print, web and broadcast media, and has recently contributed to articles for American Banker, CIO Online, TheVerge, SecurityFocus, SC Magazine and SC Magazine UK.

Reach me on Twitter @josephpizzo

References:

Brian Krebs — 3 Basic Rules for Online Security —
http://bit.ly/1Xb9I0r

Lifehacker.com — PSA: Your Phone Logs Everywhere You Go. Here’s How to Turn It Off —
http://bit.ly/2510HNC

Laughingminds.com — A Password White Paper —
http://bit.ly/1ZS0Cot

HowToGeek.com — Why Using a Public Wi-Fi Network Can Be Dangerous, Even When Accessing Encrypted Websites —
http://bit.ly/1rNOASe
