The Cybersafe Alert: 2019

Monday 9 December 2019

CyberSafe Alert 2019 Edition 10

What will Santa’s little hackers bring you for Christmas?

‘Twas the day after Christmas when all through the house, Not a creature was stirring, not even a mouse...

But the hackers were watching, and listening, and stealing, because of all the brand new internet connected gadgets, toys, and appliances that had been bought for Christmas presents.

In this edition of the CyberSafe alert we’ll talk about something that not many people stop and think about amid the excitement of the Christmas holidays, and that’s how much you’re exposing yourself to cyberattacks through the presents you buy for yourself and your loved ones.

There are too many ways you can suffer a cyber attack to cover in a CyberSafe alert, so I’ll focus on some of the main ones. If you want to find even more ways to protect yourself online this Christmas you can always read the Cybersafe book.

Don’t get your data pocket picked while shopping

During this silly shopping season, millions of us are shopping online to fill our loved ones gift sacks. But did you know that at the same time, you are filling the online retailers' sacks full of interesting tidbits of data about you and your spending habits?

Let me tell you a little bit about how they may be collecting data on you. As well as the usual data collected from you when you make a purchase on their sites, some retailers are also using tools that can track your browsing histories to see what pages you are visiting. If you visited their competitor, they know about it. This is not necessarily illegal, but how is it possible? Well. millions of people around the world opt-in to (at least so they think) anonymously share their web browsing history. This can be done with seemingly innocent things like browser extensions you’ve installed that note in their terms of service (read the small print) that they may share user data with third-parties.

At this point, you may be asking yourself: So, what’s the big deal? Isn’t this how all cookie tracking works? Well, yes and no.

Some tools that retailers use can show third-parties all the URL's a user has visited, and some of those URLs can lead to non-password-protected pages a regular user browsing the internet wouldn’t be able to find. These could be things like order confirmation pages, private PDF attachments, and other pages intended for that specific user’s eyes that sometimes aren’t protected by a login screen, but instead, are “blocked” by a set of “tokens” or a series of characters that would be difficult to guess.

The use of these tools has already lead to the unintentional sharing of sensitive data, including:

Home and business surveillance videos hosted on Nest or other security platforms
Information on recently purchased vehicles, including the vehicle identification number, and the name and address of the buyer
Sensitive documents posted on Microsoft OneDrive and other cloud-based business platforms, like tax returns, business documents, billing invoices, and presentation slides
Patient names, doctors they visited, and other details surrounding their appointment cloud-based patient care platforms
Travel itineraries on Priceline, Booking.com, and other airline services

Even in cases where the page was password-protected, sometimes the URL and page title gave away enough information to give context into private data. The kinds of protected data exposed included:

URLs referencing car dealership subdomains that aren’t reachable by the outside Internet. Sometimes, the URLs or page titles included vehicle identification numbers of specific cars that were experiencing issues—or they discussed vehicle products or features that had not yet been made public
Internal URLs for pharmaceutical companies like Amgen, Merck, Pfizer, and Roche; health providers AthenaHealth and Epic Systems; security companies like FireEye, Symantec, Palo Alto Networks, and Trend Micro
URLs for JIRA, a project management service provided by Atlassian, that showed Blue Origin (Jeff Bezos’ aerospace manufacturer and sub-orbital spaceflight services company), discussing a competitor and the failure of speed sensors, calibration equipment, and manifolds

Advice for SMEs

Many companies (one hopes) make an effort to keep their website hacker-free, but the examples above demonstrate a big loophole that may have been previously unknown. So as a small business, here are some things you can do to protect yourself and your customers:

Make sure that you are password-protecting any pages that contain any information that you don’t want accessible by the public. This includes order confirmations, attachments, or anything else not intended for general visitors to find.
If you have password protected pages, ensure that URL path and page titles are just as secure. Even if a link expires after a certain amount of time, it can still leave private data vulnerable.
Take a look at your website pixels, employee browser extensions, or anything else that could result in unwanted data sharing.

It’s Child's Play

Now that you’ve navigated the jungle of e-commerce and bought your little angel a brand new toy, you should also be aware of the cyber risks that can come with it. If you’ve gone the analogue route, you’re in the clear - woohoo. If you haven’t, and your child's toy can connect to the internet (you’d be surprised at how many can!) then you should take a few precautions to protect you and your child.

Now some security experts say the only way to prevent a hack is to not keep the toy. We say bah humbug, it’s Christmas and you don’t want to be scrooge so if you decide to let your kids unwrap play with it, here are some ways to reduce the risks:

Research, research, research

Before opening a toy (and if you’re buying it yourself, then before you buy the toy), search for it online and read reviews to see if there are any complaints or past security problems. If there have been previous issues, you may want to rethink keeping it.

Reputable companies will explain how information is collected from the toy or device, how that data is stored, and who has access to it. Usually that type of information is found on the company’s website under its privacy policy. If you can’t find it, call the company. If there isn’t a policy, that’s a red flag. My advice would be not to use it. You should also be aware that companies can change their privacy policies, so read them again if you’re notified of a change.

Use secure Wi-Fi

Make sure the Wi-Fi the toy will be connected to is secure and has a hard-to-guess password. if the toy itself allows you to create a password, do it. Don’t settle for the default password as not only can they be easy to guess, but there are plenty of sites like this one - https://proprivacy.com/guides/default-router-login-details - in the public domain that will have details of the default password.

Power it off

When the toy is not being used, shut it off or unplug it so it stops collecting data. If the toy has a camera, face it toward a wall or cover it with a piece of tape when it’s not being used. Toys with microphones can be thrown in a chest or drawer where it’s harder to hear conversations.

Register, but don’t give away info

With some toys, you may be asked to register so you can receive software or firmware updates over the web. You absolutely should do this, as a software update may fix security flaws that have been discovered. But, when you do register, keep the information you supply to the bare minimum required. If the registration requires personal information you’d rather not give, such as your child’s birthday, make one up. You’re not under oath!

Be vigilant

If the toy allows kids to chat with other people playing with the same toy or game, explain to your child that they shouldn’t give out personal information.

Reputable companies that make toys with microphones will offer ways for parents to review and delete stored information. Make sure you take advantage of that.

Report breaches

If a toy was compromised by a hacker, the FBI recommends reporting it online through its internet crime complaint center at IC3.gov. You can also use this site to check on any breaches with your particular toy.

Something for the Grown ups

It’s not just the kids that need to be wary though. After all, Christmas is for adults as well, and after a few egg nogs too many, you may be feeling a bit frisky. The kids have been put to bed (or maybe you don’t have kids to worry about), and it’s time for the adults to unwrap their presents. Well, the adult industry is never one to be left behind, and they're now playing catchup in the cyber/Internet of Things space as well. Once upon a time, you could rely on your favourite sex toy to be a discreet, standalone pleasure to be enjoyed solely in the privacy of your own home. With the coming stampede of internet connected intimate adult accessories, that privacy is being challenged. Because adult toy manufacturers are coming in relatively late to the online arena, most sex tech devices and associated software are awful from a privacy, and often security, perspective. They collect too much sensitive data, such as who you’re having sex with, and aren’t doing enough to protect it. Lots of them don’t even use basic security to encrypt communications.

One adult toymaker recently had to pay a settlement of £3 million, to its customers, after it was revealed the company’s connected vibrator collected sensitive user data, including when they were used, vibration settings, and more, linking it all to user email addresses.

On the security side, researchers have revealed connected sex toys are easy to hack, making that data collection all the more problematic. But it’s not only hacked or leaked information that is an issue. A larger one is that if the infrastructure is hacked, then attackers could manipulate partner match ups, and someone else might be controlling devices that you and your partner use! And if your connected adult toy also comes with a camera, well I don’t need to go into detail about that scenario...

Are you the watcher or are you being watched?

Once you’ve overdosed on festive food and drink, opened your presents and had your Christmas fun, you’re probably going to want to put your feet up in front of the TV. So here’s the thing. Is it your new Smart TV purchase that you’ve made? Have you connected it to the internet? If so, you may want to take a few precautions before you get too comfortable.

Like anything that connects to the internet, smart TVs are susceptible to the usual online security vulnerabilities, including hackers. Similar to the adult toys mentioned earlier, because smart TVs are a relatively new concept, manufacturers have not caught up with the levels of digital security as devices such as computers for example. This security flaw could potentially give hackers a gateway into your home. For example, a hacker may not be able to access your (if you’ve been following the advice in Cybersafe) securely locked down computer, but they may be able to find a backdoor through to your router through your unsecured smart TV. Infact there have been documented examples of hackers gaining access to Google Chromecast sticks and streaming random content to unsuspecting viewers. Other jolly japes a hacker might indulge in on your smart TV include cranking the volume up and down, knocking your TV off the Wi-Fi network, quickly changing channels, or forcing your TV to play questionable YouTube content.

While hackers are potentially an issue, hacking smart TVs still takes a bit of know-how and is illegal so that dissuades most casual hackers. What is arguably a bigger issue is the perfectly legal (so far) tracking of your data collected by smart TV manufacturers. Smart TVs use a technology known as automated content recognition (ACR) to constantly track what you are watching and then relaying it back to the manufacturer and/or its business partners.

ACR helps the TV recommend other shows you might enjoy watching but can also be used to target your families with advertising. The data can also be combined with other aspects of your personal information to help build profiles on your behavior that are sold to other marketers. If you read the Cybersafe alert on doxxing, you’ll recognise this as one of the ways doxxers can get hold of your data.

So what are some ways that you can improve the digital security around your smart TV? Well, options include placing black tape over an unused smart TV camera, and following the usual advice in Cybersafe, which is to keep your smart TV up-to-date with the latest patches and fixes, and to read the privacy policy to better understand what your smart TV is capable of.

While it may be inconvenient for most users, and possibly negate the main reason for buying a smart TV, the most secure smart TV is one that isn’t connected to the internet at all.

I hope this Cybersafe alert hasn’t ruined your Christmas and has instead (as intended) made it a (digitally) safe and secure one instead for you and your loved ones.

Following the advice in CyberSafe should go a long way to keeping you safe online. As we like to say at the CyberSafe alert - Don’t Be Scared; Be Prepared.

Don’t forget to share this important information with someone you care about.

Are you new to the cybersafe alert? If so you’ve missed out on some great information to keep you and your family and business safe online. Here’s what you have missed so far this year:

Edition 1 - Are your toys spying on you?
Edition 2 - The unhackable password
Edition 3 - Is It Safe To Hit 'Send' Now?
Edition 4 - WhatsApp Hacked!? Here's What To Do About It
Edition 5 - Is the new “Sign in with Apple” button a game changer?
Edition 6 - Why your personal calls are not personal anymore
Edition 7 - Has your wallet been hacked?
Edition 8 - Your personal data may have been breached - Take action now!
Edition 9 - Have you been Doxxed? What it is and how do you avoid it?

Want a regular briefing about the newest Cyber threats? Subscribe to the Cybersafe Alert now!

https://my.sendinblue.com/users/subscribe/js_id/2kpcr/id/1

If you can't wait for the next CyberSafe Alert to tell you how to protect yourself online, get CyberSafe the book. It's packed with the useful information and strategies you need to keep yourself, your family, and your business safe online.

Disclaimer

Every effort has been made to ensure that the content provided in this post is accurate and helpful for our readers. However, this is not an exhaustive treatment of the subjects. No liability is assumed for losses or damages due to the information provided. You are responsible for your own choices, actions, and results.

Friday 15 November 2019

CyberSafe Alert 2019 Edition 9

Have you been Doxxed? What it is and how do you avoid it

There have been a lot of headlines recently about Doxxing (no, not boxing, although there have been a few headlines about that as well). So to enlighten you about what it means and how you may be at risk, In this edition of the CyberSafe alert you’ll find out what doxxing is, and how to avoid falling victim to it.

Click HERE to Tweet this

So what exactly is doxxing?

Doxxing (also written as “doxing”) has been around in the hacker community since the 1990s, but recently it has emerged generally to become a threat to anyone who uses the internet. In the early years of doxxing, hackers would dox a rival out of spite. In these cases, the doxxing focused on identifying the hacker and their misdeeds then turning those details over to the authorities to get them arrested.

The term “doxxing” itself comes from a hacker word for “documents.” “Documents” became “docs” and then “dox.” When you “dox” someone, you are documenting their personal information. The important pieces of information you can find out are a person’s social security number, their address, telephone number, email address, social media profile names, place of work, details of relatives, partners and children, and so on.

Doxing isn’t usually illegal, though it does violate many sites’ terms of service and may result in a ban. Depending on your jurisdiction, it may also be illegal under laws designed to fight stalking, harassment, threats, etc.

How does it work?

Doxxing involves researching the details of people’s lives, usually with the purpose of embarrassing the victim, to draw criticism towards them, or to cause them physical harm.

Some doxxing attacks lead to a mass campaign of public shaming, or harassment, as seen in Hong Kong during recent protests when police officers accused of brutality were doxxed.

Mob attacks launched by doxxers also include prank phone calls, overwhelming amounts of abusive email, network-swamping quantities of text messages and even physical attacks on the individual. The effects can cause people to lose their jobs, their families, their homes, and in some extreme cases, even their lives. Targets of major doxxing attacks have been forced into hiding and have had to delete all of their online accounts and change their identities. In other words, doxxing takes cyberbullying to the next level.

Where do doxxers get the information from?

Social media profiles that are open to the public are goldmines of data. While a lot of information can be gleaned from social media and other forums that you post to, there are also some public sources of information that doxxers can also get your information from. Listed below are three of the most common ones.

Data brokers

Many places on the web hold your personal information. Businesses (commonly known as data brokers) profit from storing, collating and in some instances sharing and selling your information. They buy customer lists from other businesses that you would have given your data to. So, for example, if you buy a car, the dealership may put you on a list that they sell to a data broker, unless you have asked them not to.

If you fill in a survey about your favorite soap or enter an online competition you may be inadvertently giving the company the right to store and/or sell the information that you put on the form, unless you opt-out. Selling your information is often a way to help pay for the prize that they offer you.

Once this information is in the hands of data brokers, although they may not deliberately leak it (it does impact their bottom line after all if it’s available for free!), hackers may target them and steal data in bulk.

WHOIS

If you run your own website, or you have a website for your business, the registration information that you filled in to get that domain name is made public to all the world through the WHOIS database.

IP address

Every connection you make on the internet has to carry your internet address on it. This is called an IP address. Doxxers can use an IP logger to trace your online activities and expose your identity by combining it with searches on membership of certain sites.

How to protect yourself against doxxing

The practice of doxxing is on the increase so you need to be cautious about the information that you make available online. Regular readers of the Cybersafe Alert know that we don’t just provide the alert, but actionable steps to help you protect yourself. This issue is no different, so keep reading to find out what you can do to prevent, or at least make it harder to be doxxed.

As with many things on the internet, getting complete protection can be prohibitively expensive and complicated. However, there are ways you can make it much more difficult for you to be doxxed. If you are concerned about doxxing, here are some of the steps you can take to avoid it.

Social media

The more you write on forums and message boards, the higher your chances become of accidentally revealing personal information about you.

If you’ve read the Cybersafe book, you’ll know that there are so many different ways we give away far too much information on social media. Not checking privacy settings, accepting friend requests from anyone just to boost our followers, the list goes on. Suffice to say, some simple advice is to only allow people that you know very well to be your friends on Facebook. Also consider changing your privacy settings so that only friends can see your posts.

Avoid posting details about where you work, or where your children go to school. My personal opinion is that you shouldn’t put any identifying information about your kids on social media at all. After all, they haven’t consented to it, and that information will be a permanent record on the internet when they grow up. Although it’s great posting your fun family moments on social media, it is safer to enforce a policy of not posting photos of your children, and ask anyone else who takes pictures of them at events not to post them online. If you absolutely must post, make the photos as anonymous as possible. I.e. no face shots, names, or identifying locations.

Protect your internet communications

This one’s an easy one to write. If you must use public Wi-Fi, use a VPN! Nuff said, and readers of Cybersafe will be very familiar with the whys and wherefores of this advice.

Protect the data on your computer

Stop hackers from stealing your personal information by installing anti-malware. There are lots of good packages on the market, and these are just as important as the firewall on your computer.

Remove your personal data from your software you install

A lot of times we innocently add personal data into the software we use. Sometimes just for convenience. For example in the properties of Microsoft Office products you can include your name on the documents. This means that every document that goes out from you will have your name (and any other information you’ve added) embedded in it.

You should also check out the settings your gadgets. Is your personal information stored on your camera, your webcam, your set top box or your gaming consoles? Do you allow your camera to store location and other metadata that could be exposed?

Protect your email identity

If you need to sign up to websites and are not sure of their privacy policies, or you don’t want to use your usual email address to sign up to them, then you should use a temporary or burner email address. In addition, consider using a secure email service to encrypt your emails. You can find some recommendations and more details in Cybersafe, or on this list of secure online services if you are unsure what to use.

Vary usernames and passwords

If you have a penchant for visiting ahem..questionable (but legal) sites, you may want to consider using a different user name and also to vary your passwords. That way if one user ID is compromised, it won’t necessarily compromise your entire online presence.

Get your information removed online

In the EU, you have the right to be forgotten. This legislation particularly relates to search engine results. If you get search engines to delist information on you, doxxers will have a lot more difficulty tracking your data.

To do this, You can fill out a form on Google, Bing, or Yahoo to get them to remove search results that relate to you.

In the USA, You can get a quick rundown on where hackers can find you at We Leak Info. Similar to the EU, you can also ask Google to remove information about you. In addition, here’s a selection of sites that you can ask to remove your data.

BeenVerified: https://www.beenverified.com/faq/opt-out/
CheckPeople: http://www.checkpeople.com/optout
FamilyTreeNow: http://www.familytreenow.com/contact
Instant Checkmate: https://www.instantcheckmate.com/optout/
Intelius: https://www.intelius.com/optout.php
Nuwber: https://nuwber.com/removal/link
OneRep: https://onerep.com/optout
PeekYou: http://www.peekyou.com/about/contact/optout/index.php
PeopleFinders: http://www.peoplefinders.com/manage/
PeopleSmart: https://www.peoplesmart.com/optout-signup
Pipl: https://pipl.com/directory/remove/
PrivateEye: http://secure.privateeye.com/help/default.aspx#26
PublicRecords360: http://www.publicrecords360.com/optout.html
Radaris: http://radaris.com/page/how-to-remove
Spokeo: http://www.spokeo.com/opt_out/new
TruthFinder.com: https://www.truthfinder.com/opt-out/
USA People Search: http://www.usa-people-search.com/manage/default.aspx

If you don’t have the time or inclination to go through this entire list, you can take a look at Privacy Duck and DeleteMe, who can help identify information about you in the USA and get it removed.

If you want to find out how much information Google has on you, try typing https://myactivity.google.com/myactivity in your browser when logged in to a Google account. Google knows your location as well – you can find your personal Google map with all the places you have visited at the https://www.google.com/maps/timeline URL.

WHOIS

As mentioned earlier, If you run your own website, or you have a website for your business, the registration information that you filled in to get that domain name is made public to all the world through the WHOIS database. However, You don’t have to give your personal information to get a website. Some domain brokers offer you the option of obscuring this information. However, you can get this privacy for free by entering a webmail email address, putting a fake telephone number in the form and giving a made up company name. Although technically false this information rarely gets verified.

Do a regular app and browser cleanse

Mobile apps and browser extensions are known to collect personal data, often without your knowledge or consent - who reads the privacy small print after all? Because of this, it’s worth regularly cleansing apps and browser extensions you use and removing the ones you don’t.

If you have the Cybersafe book, double check the chapter on secure browsing,

Avoid Online Quizzes

We all like to show how clever we are right? And anyway, what’s wrong with a little harmless quiz fun? Well, did you know that some quizzes ask a lot of seemingly random questions, which are actually the answers to common security questions? Plus, it gives attackers more data to work with. Supplying an email address or name to go along with results makes it even easier to associate information from other data sources.

Don’t Login With Facebook or Google

Finally (and I hope I’m hoping this isn’t news to anyone with Cybersafe), when you come across websites and apps that allow users to register using the “Login with Google”, “Login with Facebook”, or “Login with Twitter” buttons please consider using email (see the section on email in this blog post), or the "sign in with Apple" button (if available) instead. Understandably, these services provide a level of convenience by enabling you to complete the registration process with the email you used for your Google, Facebook, or Twitter accounts. However, the downside of using them is that you’ll automatically give the information attached to your Google/Facebook/Twitter accounts to the website. If you still yearn for this convenience, take a look at the Cybersafe alert Edition five, also listed at the end of this blog post for a potential alternative.

Remember, although it’s an odious practice, doxxing is not illegal per se. Hopefully, laws will catch up with that situation soon. Until then, following the advice in CyberSafe should go a long way to keeping you safe online. As we like to say at the CyberSafe alert - Don’t Be Scared; Be Prepared.

Click HERE to Tweet this...

Are you new to the Cybersafe Alert? If so you’ve missed out on some great information to keep you and your family and business safe online. Here’s what you have missed so far this year:

Want a regular briefing about the newest Cyber threats? Subscribe to the Cybersafe Alert now!

Disclaimer