October is Cyber Security Awareness Month
We have touched on Updates and Passwords already, and last week we rambled about securing devices. If you missed it, find the previous posts. This week I want you to focus on what information you keep online: be aware of what information is out there, what you share, and how you share it.
So, I made a bit of a mistake.
Now at the time it didn’t feel like a mistake. I thought what I did would be really useful, I thought it would help me connect to friends and relatives. I thought it would be secure. It wasn’t.
What am I talking about? I stored my mobile phone number with a highly used social media platform, and before you all come at me, it was set so that it was only visible to me. The thought here was that somewhere in the backend, when someone with my phone number already in their contacts list signed into ‘not myspace’, I’d be listed as a recommendation to be added amongst their friends. I thought somewhere along the line this would be encrypted, protected, hey after all I had set it to the highest privacy I could, right… Well, that was my mistake. It wasn’t the highest privacy setting I could have chosen, there was one level higher: not having the number stored at all. When this highly used social media platform had its data leaked, if I hadn’t stored it there, my mobile phone number would not have been a part of it. I also believe I would not be getting as many calls from ‘Telstra Support’ or SMS messages from various freight companies telling me my Amazon package has been delayed.
So, I ask you, does it need to be there? What information am I giving away, and how can that information be used? Think about this in both a normal use context, and an ‘Oh no, the company I stored all my photos with has had a data leak and the photograph of my password is now in someone else’s hands…’ context. Ok, so that’s a tad dramatic, but I think the message is clear.
Public Data: When it comes to publicly accessible data there are two questions you need to ask yourself. What information have I provided which can compromise me (used to attack you)? What information have I provided which can compromise others (used to impersonate you)? This encompasses anything you or anyone else has published about you. Any of this information can be gathered through Open Source Intelligence (OSINT) and should be treated as already exposed. Information of this type shouldn’t be used for passwords or secret questions, or relied on for determining whether a person really is that friend of a friend.
Private Data: So what about information which isn’t freely accessible, things which we believe to be safer? Be sure you aren’t poking holes in your secure platforms or putting trust in platforms which are not as secure as they seem. Say you store a document in a cloud service and share out a link to that file. Did you set any sort of conditional access on that link, or is it available to anybody it’s forwarded to at any point in the future? Do you have an easy way to rescind access when it is no longer appropriate for that file to be shared with the initially intended recipient, or with anyone who has that link? It is almost always better to set this at link creation than to rely on remembering to do it later. How about email, that’s secure, right? Well, only to a certain extent. Most email is now secured whilst in transport, but that doesn’t mean it’s encrypted at the sender’s or receiver’s end, and it is not hidden from the email servers in between. It’s not where I would recommend keeping sensitive data, nor what I would use to send critically sensitive communications.
Curating your Data: It’s up to you to recognise and evaluate your risk. A great way to reduce your risk is to cut down the value attackers would get from gaining access to your accounts. This means it’s time to clear out that inbox and archive old folders containing valuable information. Sure, this makes it less convenient to check how much you paid for gas back in 2016, but hey, how often are you checking that anyway? Go through your social media profiles and check the data you have stored with them. Any you are no longer active on, shut them down and reduce your footprint. Does your social media profile really need your actual birthday, or that picture from 2005?
On Security Questions. Your bank knows them, so does your mum, and so do her 5 closest friends: Think about your security questions for your bank account. Your mother’s maiden name, the name of your first pet, the school you attended in third grade. These are all standard questions and in most cases can be discovered by skimming over your social media profiles. When it comes to security questions, it’s good to lie to your bank. I actively encourage it: think up imaginative answers and store the question prompts and their answers in your secure password manager of choice. Once again, be aware of what information of yours is out there.
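As an added example that is not part of the original post, the following script does the "lie to your bank" step for you: it generates a random, pronounceable answer for each prompt, rejects any answer that happens to appear in a (constructed) public profile scrape, and returns the prompt/answer pairs ready to paste into a password manager. The prompts and the profile text are assumed sample data.

```python
import secrets

# Constructed sample prompts, matching the ones discussed in the post.
PROMPTS = ["Mother's maiden name", "Name of first pet", "School attended in third grade"]

# Constructed stand-in for what an OSINT scrape of a public profile might reveal.
PUBLIC_PROFILE = "Born 1985. Went to Hilltop Primary. Dog: Rex. Mum: Jane Smith."

CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def profile_tokens(text):
    """Lower-cased words (3+ letters) from public text; anything here is discoverable."""
    words = (w.strip(".,:;!?") for w in text.split())
    return {w.lower() for w in words if len(w) >= 3 and w.isalpha()}


def random_answer(length=12):
    """Random consonant/vowel string: unguessable, yet readable over the phone to a bank."""
    return "".join(
        secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)
    )


def is_discoverable(answer, tokens):
    """True if any public-profile word occurs inside the candidate answer."""
    answer = answer.lower()
    return any(token in answer for token in tokens)


def make_answers(prompts, public_text, length=12):
    """Map each prompt to a random answer that shares nothing with the public profile."""
    tokens = profile_tokens(public_text)
    answers = {}
    for prompt in prompts:
        candidate = random_answer(length)
        while is_discoverable(candidate, tokens):  # regenerate on the rare collision
            candidate = random_answer(length)
        answers[prompt] = candidate
    return answers


if __name__ == "__main__":
    for prompt, answer in make_answers(PROMPTS, PUBLIC_PROFILE).items():
        print(f"{prompt}: {answer}")  # store both halves in the password manager
```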
‘Not Geocities either’ has patched the vulnerability which enabled my mobile number to be leaked. My mobile number is still listed on my profile with the access permission set to only me. The damage has been done and I either need to wait this out or get a new number, and I figure it’s better the devil you know. But the simple fact remains, if I hadn’t stored it on my profile the scammers I’m getting calls from would likely have had to pick up a phone book. Yes, you too can order this fairly well curated list of personal data, delivered direct to your door from https://www.directoryselect.com.au/ or search it online at https://www.whitepages.com.au/residential. Are your details still listed?
More reading:
https://www.cyber.gov.au/acsc/view-all-content/guidance/personal-cyber-security-first-steps-guide
https://www.cyber.gov.au/acsc/view-all-content/guidance/personal-cyber-security-next-steps-guide
https://www.cyber.gov.au/acsc/view-all-content/guidance/personal-cyber-security-advanced-steps-guide
Cyber security tips this month are taken from https://www.cyber.gov.au/acsc/view-all-content/advice/personal-security-guides, which is a really good read.