Dave Henderson at BlueFort Security describes some of the threats to our privacy that are easy to miss.
Our privacy is under attack. As it stands today almost everyone is being tracked and monitored 24/7 with cameras recording our expressions and speech to determine what we might be thinking, where we are going and who we are meeting. If you are picking up tones of George Orwell’s famous novel, 1984, then you’d be right to do so.
When it comes to protecting the privacy of our data, it is a difficult task and it’s only getting harder. With rapidly evolving security and privacy risks, and super determined cyber criminals, there are always more privacy threats than users can possibly track.
When it comes to privacy mishaps, plain old human error is often to blame. We all know about the importance of using hard-to-guess passwords and saying yes to the multi-factor authentication option. However, the deployment of Artificial Intelligence and sophisticated automation technologies means that some of today’s more sinister threats are easy to miss.
Here are some examples that can easily fly under the radar:
Web Browsers and Apps
Before smartphones existed, “apps” did not exist. Anything accessed now through an app was before accessed through an internet browser. The web browser on our smartphones is “sandboxed,” meaning it cannot access general data on the system or control hardware.
An installed app, however, can be coded to do anything it wants to gain access to any hardware the user has control of. When accessed via the browser on a smartphone, many sites prompt the user to download the app. Often, if you don’t download the app you can’t access the site. But by agreeing to download the app, you are forced to give you personal information, or give the app access to your camera or microphone.
When we finally get back to travelling, you might tag your latest whereabouts in an Instagram story, or tweet about culinary adventures in a new restaurant. The reason you can post your location is a useful feature called geotagging, which adds your GPS-location metadata to a video, photo, and other media content. It’s one of several convenient ways people document their travel. If you share photos on a regular basis, you can effectively be sharing a detailed trail of your movements.
If we want to get serious, law enforcement regularly uses image metadata to locate unwitting criminals. And it’s worth considering that hackers could use geotagged posts to track people too. With the amount of data, location-based search tools, and services available, vulnerable people, such as domestic violence victims, can be at risk if they’re unintentionally added to a geotagged photo. That said, most social platforms will strip out the metadata from uploaded photos but glitches happen - and this could result in an image’s metadata being accessible.
Some websites can contain a very large amount of invaluable data. Web scraping is the process by which bots extract content from a website, usually without permission of the website owner. This activity in itself is not illegal or harmful but like many things, if used in the wrong way, it could result in sensitive user information falling into the wrong hands. Take a user’s credentials, for example. Stolen credentials are one of the most sought after prizes for cyber criminals. Verizon’s latest DBIR found that 67% of breaches were caused by compromised credentials and social attacks.
In this scenario the sum is definitely worth more than the individual parts. Cross-correlation risk is where a cyber criminal is able to build a detailed picture of a person by gathering together individual bits of seemingly harmless data. Giving your email address to a retailer to receive an emailed receipt rather than having a paper one may seem innocuous, but when that email is looked up on third-party marketing lists, and then combined with leaked lists of voter registrations, it can now be used to identify where you live, how you vote, your health issues, your movements, and whom you communicate with on social media. This profile of you can then also be sold over and over again.
At the forefront of these next-generation risks is IoT, big data, and third party/cloud, all of which are really just getting going. The sheer scale of what’s possible is a lot for most people to process. However, it’s not all doom and gloom. Cybersecurity professionals understand the cat and mouse game that’s played with cyber criminals. As much as the cyber criminals consider AI their new power weapon of choice, the reality is that it is being used equally (if not more) successfully by defenders to identify and mitigate against these threats.
What’s needed from us all is awareness that these threats are out there, and then we proceed with caution. This slightly paraphrased quote from George Orwell’s novel, 1984, sums it up well I think...“You have to live–from habit that became instinct—in the assumption that every sound you made was overheard, and, every moment scrutinized.”
Dave Henderson is co-founder BlueFort Security. Dave has a wealth of cyber security expertise after spending more than two decades helping many of the world’s leading enterprises defend their digital assets. As Co-Founder of BlueFort Security since 2007, David and his partner have been working with household names and central and local government to strengthen, optimise and mature their cyber security solutions.
Main image courtesy of iStockPhoto.com