Individuals and businesses unknowingly expose themselves to security and privacy threats, as experts explain here.
Ari Trachtenberg, Gianluca Stringhini, and Ran Canetti of Boston University offer some best practices for protecting yourself and those around you:
How can we protect ourselves in a connected world?
Trachtenberg: Smart devices quietly nestle well within our comfort zones and into our most private spaces: bedrooms, bathrooms, doctor’s offices, etc. At the same time, they are filled with all kinds of sensors that allow them to record and permanently store all kinds of information about our most private moments.
The best way to protect yourself is to be aware of this, and keep all smart devices away from your most intimate environments. I, for example, keep most smart devices (TVs, speakers, etc.) out of my home; the few I cannot avoid (smartphones), I keep in a designated location that does not have access to my private areas.
How are we putting our personal information at risk when using social media?
Trachtenberg: I think that many users don’t realize that they are not only putting their own information at risk when they’re using social media, but also the information of their friends and acquaintances. For example, when you put up a picture of you with a friend at a location, you are sharing with the social media company (and, quite possibly, all of their third party affiliates) your connection to the location—and your friend’s connection to the location—whether or not your friend wants ad agencies to know this.
The same thing goes for messages you leave on your friends’ social media accounts, or, potentially, even “private messages” that you send to them through social platforms.
In short, when you are using a “free” service online, always ask yourself—how is this service making the money to pay its engineers and maintain their hardware? Often the answer is that they’re selling information about you and your friends.
Canetti: We provide online service, app, and content providers with detailed information about our whereabouts, our thoughts, our feelings, our moods, and our life patterns. Our every move is recorded, and aggregated with the moves of others. These content, social platform, and app providers sell this data to third parties who can weaponize it against us—catching us at our weak moments and manipulating our thoughts and behavior.
What are the consequences of this behavior?
Trachtenberg: I think that the top security threat today is not directly from overtly malicious actors, but rather from the huge amount of information that is accumulated about each and every one of us through all the devices that we use regularly. This information, inevitably, leaks to actors with very different interests than us (including malicious actors), and it can be harnessed very effectively to cause damage.
What can we do to avoid this risk, while still being active on social media?
Canetti: We can opt out of providing our information to content, app, and social media providers. This cuts them off from the ability to leverage our data, and share with advertisers and other third parties. This might cost a small price, but it’s more than worth it.
What is the top security threat you anticipate employees will face on the horizon? What are the repercussions for both the employee and the businesses they work for?
Stringhini: Ransomware is currently the golden standard of cybercrime. Unlike other cybercrime schemes like fraud and spam, the criminals are not trying to convince their victims to purchase some sketchy good, but instead offer to give them access to their data back in exchange for money.
Unfortunately, often victims have no choice but to pay their extorters. This significantly increases the return on investment for cybercriminals, and has serious repercussions for both private citizens and companies, who are constantly being targeted.
Trachtenberg: There are many truly frightening ways that malicious actors can exploit our digital trails in the workplace. For businesses, a serious example is CEO fraud, wherein criminals imitate the email or phone call of a CEO/CFO in requesting large transfers of money, or possibly the businesses’ network and data.
Both of these are exacerbated by the emergence of “deep fakes,” wherein machine learning techniques are used to craft messages that look or sound identical to the person being scammed (i.e., from a few samples of a CEO’s speech, it is sometimes possible to realistically craft different speech, that the CEO has not stated, in the CEO’s voice).
Is there an easy fix for this security risk that employees and businesses should adopt?
Stringhini: To mitigate the risk of being hit by ransomware, users should constantly keep backups of their data. This can be automated, for example scheduled to happen once a week.
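The weekly automated backup Stringhini recommends, as an added example that is not part of the interview or anyone's product: it creates a date-stamped archive of a directory, records a SHA-256 checksum beside it so later corruption or tampering is detectable, re-reads the archive once so a truncated write is caught immediately, and keeps only a fixed number of older versions. The source and destination paths, the `backup-` naming and the retention count are assumptions chosen for illustration.

```python
"""Added example (not from the interview): a minimal automated backup routine.

Assumptions: the directory to protect and the destination are local paths,
archives are named backup-<UTC stamp>.tar.gz, and a fixed number of versions
is retained. None of these names come from the interview.
"""
import hashlib
import tarfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dest: Path, stamp: str = "") -> Path:
    """Archive src into dest/backup-<stamp>.tar.gz and write a .sha256 file beside it."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
    archive = dest / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")  # relative paths so the backup restores cleanly anywhere
    # Checksum recorded at backup time: a later mismatch means corruption or tampering.
    archive.with_name(archive.name + ".sha256").write_text(sha256_of(archive))
    # Read-back check catches a truncated or unreadable archive right away,
    # rather than on the day the backup is actually needed.
    with tarfile.open(archive, "r:gz") as tar:
        tar.getmembers()
    return archive


def verify_backup(archive: Path) -> bool:
    """True if the archive still matches the checksum recorded when it was made."""
    expected = archive.with_name(archive.name + ".sha256").read_text().strip()
    return sha256_of(archive) == expected


def prune_backups(dest: Path, keep: int) -> list:
    """Delete all but the newest `keep` archives (and their checksums); returns what was removed."""
    archives = sorted(dest.glob("backup-*.tar.gz"))
    removed = archives[:-keep] if keep > 0 else archives
    for old in removed:
        old.with_name(old.name + ".sha256").unlink(missing_ok=True)
        old.unlink()
    return removed


if __name__ == "__main__":
    # Assumed paths; adjust to taste. Run weekly from a scheduler, e.g. a cron line
    # such as `0 3 * * 0 python3 backup.py` (Sunday 03:00), which is the
    # "once a week" automation the interview mentions.
    made = create_backup(Path.home() / "Documents", Path.home() / "backups")
    print("created", made, "intact:", verify_backup(made))
    print("pruned", prune_backups(Path.home() / "backups", keep=8))
```

Keeping several dated versions rather than overwriting one file matters for the ransomware case the interview raises: if the most recent backup was taken after files were already encrypted, an older version is still available.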
Trachtenberg: It is very hard for an individual to protect themselves from CEO fraud and deep fake vulnerabilities, much like it is hard for an unarmed civilian to successfully defend against an armed criminal. Individuals should always be skeptical about any unsolicited information that they are given, and companies should have established, secure mechanisms for making significant transfers. They should also put in place pre-specified protocols for dealing with and responding to security emergencies.
What is the most overlooked security feature?
Stringhini: Enabling two-factor authentication can help people keep their online accounts safe. With two-factor authentication enabled, it is not enough for an attacker to know an account’s password to log into it, but they also need to get a hold of a second token, which is usually sent to the user’s mobile phone. This significantly raises the bar for attackers to successfully compromise online accounts, and protects users from the consequences of large data breaches and phishing attacks.
What is the most important “cyber hygiene” routine everyone needs to adopt (that is easy to keep up with) to achieve better security?
Stringhini: Once a weakness is discovered in a program, the developer usually fixes it rather quickly. Keeping your software constantly updated drastically reduces the chances of getting compromised. Most programs nowadays provide automated updates, which is a great way for people to stay secure while at the same time not having to remember to constantly update their computers.
Trachtenberg: Actually, it is what we teach our engineering students throughout their study—understand the basis for the information that you are receiving, and be skeptical of any claims that are not substantiated in a manner that you can reproduce.
Source: Boston University