Sign in Subscribe
CYBERSEC

Guide: Why The Biggest Threat To Your Security & Privacy Is You

This article is for anyone who may have an active interest in protecting their digital life as well as their physical one.

Guise Bule

13 min read
Guide: Why The Biggest Threat To Your Security & Privacy Is You

The title is quite clear, so I won't bother too much to write a super catchy explanation. Instead, I ask of you to share this article with people that might not be as tech savvy as you are and who may have an active interest in protecting their digital life as well as their physical one. The information provided in this article is basic, so if you work in infosec you might find this article really boring :)

Precaution/Warning

Every time I write an article, I try my best to be as technically accurate as possible, while not overcomplicating subjects. As I can't keep both sides up though, I might have to compromise on some aspects. These blogposts are generally meant to be educating, while not being too dry so you fall into a synthetic coma. I'm personally trying to achieve a good mix of entertainment and education. Some things written in this blogpost might change overtime, but are as accurate as I'm aware of at the time of writing. Usually I provide simple explanations of topics I address in these blogposts and sources along them, if after all you still have question though, feel free to message me at [email protected] . You may use the content provided in this article in a non commercial context. Thank you.

How Are You Your Own Biggest Threat?

Quite easily, because you put out all the important information about yourself. Sure, your close contacts also most likely put your information at risk, but you yourself are still the closest to yourself than it can get. You yourself visit all the websites, register for some service that tracks you throughout the whole internet, or connect your bank card to online services and whatnot. Worry not any longer though, for this blogpost is going to show you, how you can protect your privacy better, get a better security posture and reclaim both.

It's Like Smoking

Being careless about your security and privacy is a bit like smoking. It affects you directly of course, but also the people around you and potentially makes you impotent and could give you lung cancer. Okay, maybe not the two last ones, but I think you get what I'm trying to say. It's generally not a good idea to be careless about your private stuff, even if you're just a regular person. All the data gathered about you, could potentially end up in a data breach from some service that you signed up for whatever reason or be used against you by criminals in a case of identity theft.

This could be potentially even worse, when you're working for your local government, in the health sector or any other critical infrastructure. Believe me, you don't wanna be the reason why your whole hospital got extorted in one way or another.

But I Have Nothing To Hide

Sigh yes, yes. You have nothing to hide. Should tell that to the folks in mainland China, or Russia. Even if you don't live in countries that have these sort of totalitarian governments, you should still be more careful and cautious. As previously said, you can potentially harm other people that might care about their privacy, or you could become victim of a crime. The list is endless and I'm not going to read all the potential things that could happen to you. If you're not convinced by these two things, I guess nothing will convince you or a certain person, that you might want to explain the stupidity of this sentence.

Evaluate Your Potential Threats

So, now that we have that out of the way what are your potential threats? In short, who are you? Are you maybe someone that experienced stalking from some abusive ex partner or similar? Maybe you're someone high profile in the business sector just trying to protect your assets? Or perhaps you're just a middle aged mom in her midlife crisis, sharing "inspirational" photos on social media or Whatsapp, while only really use your internet browser to get the latest diet recipes?

In any way, you have some sort of potential threat or threats. Even if you should happen to be similar to the latter option, you shouldn't underestimate your value. Scammers, "normal" burglars and others have some real interest in your information that you share on social media or anywhere on the internet really.

Privacy ≠ Security, But It's Knitted Together

Something you shouldn't forget, while reading this article is that privacy ≠ security at first. It's good to keep it in mind, first off because some people like mixing it together and you can really save some time knowing the difference, so you don't need to have a everlasting talk with other people about the difference wink. These self proclaimed smart asses, which are going to lecture everyone about the fact, that there's a difference between privacy and security tend to forget the intersection and close relationship of these two topics.

If you've read the text so far thoroughly and took some time to think more about, you'll already have noticed, that while I'm talking about security, privacy plays an important role and the other way around.

This is mostly (but not only) due to one of the biggest security threats. So called "Social Engineering" and "Phishing". Social Engineering takes the advantage of humans and their psychology, either of you directly, or of a company worker at some service you registered for.

Most of the time, a "social engineer" will write/call you or a company that you have affiliations with and for example get access to your mobile number, or they can request your bank to send a new card to a given address. Of course, these scenarios are only potential for now and might not happen or have happened to everybody reading this, but similar scenarios have occurred and most likely will occur in the future as well.

Phishing is similar to social engineering, in the sense of taking advantage of the human psyche, but usually you call something phishing, when you get a suspicious e-mail about some millionaire who needs just a small bit of your money, to be able to access his money. That's an old story and "phishing" attacks have become way more subtle and smarter over the years, but in the spirit they've stayed the same.

Nowadays a phishing e-mail, might look like a letter from your bank telling you to reset your password, because they got hacked or something. Additionally they might provide a link in their e-mail, which leads to a website that looks similar or identical to the one of your bank.

Now that you're a bit smarter, about these topics you shouldn't be falling as easily for these things anymore. Still be cautious though, mistakes happen to the best of us.

Finding Yourself, While Evading Scammers

I hope I got the message across, that both your online privacy and security are important for you in real life. Speaking of real life though, malicious people online can also use the information you might've thought should be offline, but aren't. The most common cases from people I've experienced, are phone books. You know, these old things that some people from your local city still put their name and phone number in, so some people can find them more easily? Turns out, most if not all of these phone books get uploaded digitally nowadays. Just try searching for your local one. Put in "your city name" + "phone book" into Google, or any other search engine and see the results pop up.

This "privacy suicide" as I like to call it, doesn't end here though. There are so many other different ways, your information can turn up online. It's really the best, if you just google yourself. Might not work that well, if you have a common name or share the same name with a celebrity or similar, but you can search for other so called "parameters". Big word, but no worry. What I mean with "parameter" in this context, is just information that generally belongs to you. So instead of searching for your name, you could look up something more unique, like your e-mail address, mobile number or standard phone number.  You'll know best what to look for.

After you've found all the information about you, that you really don't want out there you should start taking it offline. Since you can't just turn off the internet and burn it though, we'll have to use different methods. Luckily, most websites that process your information or search engines have forms you can fill out, to revoke or take down your information. Alternatively, if the certain website provider or company doesn't have such a form, you can give them a nice call and I'm sure they'll comply. One can only hope in that case.

Finally as a result, if all your personal information which can be found using search engines is revoked, your life should be a bit easier. Mostly you don't have to worry about calls or e-mails from suspicious people. Besides, someone committing identity theft with you being the victim has just become far less likely.

What You Can Do To Protect Yourself

Along the way to this paragraph, you might have noticed that most security and privacy threats aren't that technical, but heavily rely on the human factor. While this is absolutely true, we also shouldn't forget that there are other ways your privacy and security can be compromised. Now, we're leaning a bit more into what you can do on the technical side of things, with some legal stuff along the way.

Turn Off WiFi/Bluetooth/Mobile Connections When Not In Use

Something easy to do, but also as easy to forget. Turn off the stuff you're using, when you don't need it. Leaving WiFi and Bluetooth really lets your privacy suffer, since when you leave WiFi/Bluetooth on they're basically screaming into the open air, when they are not connected. More detailed, they scream for familiar devices so things like your WiFi router or your subwoofer, which supports Bluetooth. Imagine constantly having a baby with you, that screams because it misses its toys. It gets worse though, as mentioned WiFi and Bluetooth "scream out" for familiar devices. As you might know, not every WiFi router has the same name, the same goes for Bluetooth devices. "Funnily" enough, supermarket chains for example use this free information your phone provides, by placing Bluetooth scanners in their shops.

Thanks to the fact, that your smartphone doesn't just scream for any devices, but always the same ones your smartphone and in that sense you can be easily tracked throughout the whole shop and they know when you go there, how long you stay there and which aisles you go through. Essentially, they just use this for data gathering, optimization and analytics, but do you really want anyone handling your data and observing every step you make?

Alright, we talked about Bluetooth, but what about WiFi and the other things? Well, WiFi is pretty technically similar in that case, though not as many businesses analyze WiFi signals than they analyze Bluetooth signals. In contrast to Bluetooth signals though, there are many projects which openly analyze WiFi routers around the world. Don't worry, they don't do it 24/7 and not every router gets scanned, but it's bad enough as it already is.

Let's say you connected to the WiFi of your local McDonalds, Starbucks and maybe some other random company. Anybody near you, analyzing the WiFi signals could see, that your smartphone screams out for these WiFi connections to your local McDonalds, Starbucks etc.

If, whoever is analyzing that data also looks up the WiFi connections your smartphone is screaming out for, they can easily find out what town/city you live in. It only really gets nasty, when you physically move around, they have access to a nearby security camera and can correlate the given WiFi data with the video footage of yours. Obviously they'll only have to analyze the WiFi data, when you're in a crowded space. If you're one of the only few people there, you've lost even without much movement.

Get A Password Manager

Password managers are one of the easiest things to improve your security. Given you use the good ones and you use them correctly of course. So, let me give you a bit of an explanation.

So called password reuse is a really bad threat to your security. Password reuse (as the name implies) means you using the same password over and over again. It's really bad, when your passwords should somehow be leaked, because of a security incident. Just like with keys, you don't use the same key over and over. It's not quite as directly comparable to this digital scenario here, but it's easier to imagine for now.

What (in my opinion) you should look out for, is a so called "local password manager". This just means, that your password gets stored directly on a device you own. Meaning, you have full control over the data.

You might ask yourself now, but why would I want to store my sensitive passwords on my smartphone that isn't as highly secured as a special password manager service? Quite easy. These password manager services, while being probably better secured than you are, also experience more high profile attacks. Either from some smart malicious individuals or whole gangs. After all, these services contain up to hundreds of thousands passwords that have to be protected. Imagine all the bank login details you could obtain from them.

Now that we have that out of the way, you can also control your data and you are in charge of it. Of course you also have all the responsibility for keeping your own data safe and secure, but I guess that's something you can live with. If your smartphone gets hacked or someone gains access to it, they can get access to your passwords anyways. No matter if you use an online password manager, or a local one. Online password managers are really more meant for the comfort of use and protecting the masses, not you as an individual.

Register your E-Mail Adress/es On HIBP

HIBP is an acronym, standing for Have I Been Pwned. It's a free service that's basically a massive database of all big e-mail and password leaks. If you ever were in such a leak, or should happen to appear in one sometime you're going to get an e-mail, that notifies you about the incident. That way, you can change your password, after the leak and essentially the leaked data is worthless against you.

But don't worry, just because your password is in there, doesn't necessarily mean everybody can see it or for that matter use it to login into other services connected with your e-mail address and the same password. Usually websites and services, that let you create an account and store passwords use something called hashing. In short, hashing takes your password and scrambles it. This scrambling can't be undone, or it's unknown how it's supposed to be undone. Important thing is though, the same text will always give the same scrambled result. It's a bit like a smoothie mixer, as long as you keep putting the same amount of fruits and the same types of fruits into the mixer, your smoothie will always be the same, even though it's unknown what exactly and how much you put in there. Mathematically/Cryptographically you can't obviously taste the difference that easily, but that's another topic for itself.

GDPR Rocks

GDPR has become an acronym with quite a bad reputation, but it really saves your day sometimes. It lawfully regulates service providers in the European Union, so you can choose which data the services you use are allowed to gather and process. Depending on which country, state or whatever you live in, you might not be protected by GDPR but something similar jurisdictionally speaking. Since I can't list all of the data & privacy regulations for every country here, I advice you to do your own research on that topic. The sheer diversity and complexity of medical related privacy acts are worse enough. Looking at you HIPAA, United Kingdom’s Data Protection Act etc.

The Obvious, But Forgotten

Now onto the very end of this blogpost, measurements you can take or ways to behave which are quite obvious. This is going to be a short list instead of an overcomplicated mess of words.

  • Don't give people online information which in the given context is unnecessary.
  • If someone's contacting you (either via. e-mail or phone) and they're telling you they're from law enforcement, your bank or something similar, you should contact law enforcement/your bank etc. directly.
  • The MP60 rule. MP60 stands for: Male, Pedophile, 60 years old. Meaning you should only give as much information to an unknown person online, as if you knew they were identical to said description. Alternatively you can also apply this rule to everything you put out there and can be googled about you. (Yes, I came up with this rule.)
  • Don't download any app, not from the playstore or appstore. Meaning, no matter if you use Android or an Apple product. Only download apps, which are generally trusted or from people/companies that are trustworthy.

Conclusion

The Internet can be a scary, confusing and evil space. Nobody is completely hopeless though, there are many things to keep yourself save. In case you want a follow up blogpost, leave me an e-mail or click here. Stay safe and have a nice day. Cheers.

Sources

These sources are in no particular order and I didn't copy content from them in any way. Some things I just remembered throughout the years and searched them while writing this blogpost on search engines. In that sense, the sources presented here are merely a verification, that what I talk about is in fact reality and not something I'm just imagining or similar.

Bluetooth trackers: https://www.nytimes.com/interactive/2019/06/14/opinion/bluetooth-wireless-tracking-privacy.html

Have I Been Pwned: https://haveibeenpwned.com/

Phone books & how scammers get your info: https://www.aarp.org/money/scams-fraud/info-2019/identity-mistakes.html

Hospital social engineering: https://healthitsecurity.com/news/hackers-targeting-healthcare-with-social-engineering-email-spoofing

Healthcare: Recognize Social Engineering Techniques
Healthcare social engineering: don’t let human hackers disorient your employees. Not all hackers or data breaches exist on the Internet. Some happen in person. I’m not talking about theft. I’m talking about human hacking. A social engineer is basically a hacker that exploits workforce members (your…
SecurityMetrics: Brand Barney

Search for yourself: https://www.sans.org/security-awareness-training/resources/search-yourself-online

Learn More About The Images We Choose

Today we are celebrating the work of artist Zaki Abdelmounim and joining him in his hunt for what's left of Hong Kong's iconic neon signs, an essential element of this cityscape's visual culture, covering HK's streets for years with glow. We will roam the dazzling roads aimlessly reminiscing about a dystopian past that only existed in neo-noire cult fiction movies like Blade Runner, trying to burn these lively picturesque streets into our memories before they vanish, all while figuring out how to thrive creatively in this organized chaos. Hopefully this vaporwave stylized series of street photography will bring as much joy as it did to us.

The beautiful image used in this article was created by Zaki Abdelmounim.