Telecom News Hubb
Advertisement
  • Home
  • News
  • Telecom
  • Contact us
No Result
View All Result
  • Home
  • News
  • Telecom
  • Contact us
No Result
View All Result
Telecom News Hubb
No Result
View All Result
Home News

Locking the Back Door (Part 4 of ‘Why Don’t You Go Dox Yourself?’)

admin by admin
November 2, 2022
in News


by Cisco Systems • Nov 2, 2022

With passwords and MFA out of the way, let’s next look at connected apps or services that are tied to our priority accounts. When you log into other sites on the web through Facebook, Google, or another social account, as well as when you install social media apps or games, you are sharing information about those accounts with those services. This may be as limited as the email address and username on file, or may include much more information like your friends list, contacts, likes/subscriptions, or more.

A well-known example of this data-harvesting method is the Cambridge Analytica story, where installing a social media app opened up access to much more information than users realized. (Note: as mentioned in the linked article, Facebook added protective measures to limit the amount of data available to app developers, but connected accounts can still present a liability if misused.)

Locking the Back Door(s)

With this in mind, look under the Security or Privacy section of each of your account’s settings, and review where you have either used this account to log into a third-party website or allowed access when installing an app. Here are some handy links to some of the most common services to check:

If you aren’t going to use the app again or don’t want to share any details, remove them. Once you’ve checked your accounts, repeat this process with all the apps installed on your phone.

Just like connecting a social account to a third-party game can share information like your contact info and friend’s list, installing an app on your mobile device can share information including your contacts, camera roll and more. Fortunately, mobile OSes have gotten much better at notifying users before installation on what information is shared, so you should be able to see which apps might be nosier than you’re comfortable with.

Finally — and this is really for the nerds and techies out there — check if you have any API (short for “application programming interface”) keys or browser extensions connected to your accounts. API keys are commonly used to let different apps or services “talk” between one another. They let you use services like Zapier or IFTTT to do things like have your Spotify favorites automatically saved to a Google Sheet, or check Weather Underground to send a daily email with the forecast.

Browser extensions let you customize a web browser and integrate services, like quickly clicking to save an article for review on a “read it later” service like Instapaper. Even if you trust the developer when installing these apps, they may pose a risk later on if they are recovered or taken over by an attacker. These “zombie extensions” rely on a broad install base from a legitimate service which can later be misused to gather information or launch attacks by a malicious developer.

A Link to Your Past

We’ve made great progress already, and taken steps to help defend your accounts from prying eyes going forward – now it’s time to lock down your previous activities on social media. Rather than enumerate every option on every service, I’ll highlight some common tools and privacy settings you’ll want to check:

  • See yourself through a stranger’s eyes. You can quickly see what information in a social media profile is visible to someone outside your friends list by opening an incognito/private tab in your web browser and visiting your profile’s page. Some services have more granular tools that will allow you to view as a stranger or even as a specific profile.
  • Make your past more mysterious. Most social media services have an option to bulk change privacy settings on your previous content, typically listed as something like “Limit Past Posts” (as shown for Facebook below), “Protect Your Posts,” or “Make Private.” You can always re-share pinned content or your favorite posts with the world, but moving that review from an “opt-out” rather than “opt-in” process will give you a huge head start. While we’re in your post settings, change the default setting for your future posts to your social circles by default.

  • Set clear boundaries. Where supported, taking the time to build sublists/groups for your friends list based on context (work, school, your *shudder* improv group),will make it easier to fine-tune the audience for your future posts. You can set boundaries on what your friends can share about you, including requiring your approval before allowing tags or whether your friend’s friends can search for your profile. And while you’re taking a look at that friends list, ask yourself…
  • Where do you know them from? You’ve just seen the difference between how much information a friend can see on your profile compared to a friend – which means you want to keep your friends close, and randos the heck out of your business! Don’t be shy about removing contacts you don’t recognize, or asking for context when receiving a new friend request that doesn’t ring a bell.
  • Don’t contact us, we’ll contact you. When you’re setting up a new profile, odds are you’ve seen a request to share access to your contacts or the option to search for someone by their phone number or email address. You may want to enable this after we dedicate a “public” email address (more on that in just a moment), otherwise you can disable these options as well.

Before moving on to email, I’ll add another plug for the NYT Social Media Security and Privacy Checklists if you, like me, would rather have a series of boxes to mark off while going through each step above.

You Gotta Keep ‘Em Separated

Security experts know that you can’t erase the possibility of risk, and it can be counterproductive to build a plan to that expectation. What is realistic and achievable is identifying risk so you know what you’re up against, mitigating risk by following security best practices, and isolating risk where possible so that in the event of an incident, one failure doesn’t have a domino effect affecting other resources. If that seems a bit abstract, let’s take a look at a practical example.

Tech journalist Mat Honan was the unlucky victim of a targeted hack, which resulted in a near-complete lockout from his digital life requiring a Herculean effort to recover. Fortunately for us, Mat documented his experience in the Wired story, “How Apple and Amazon Security Flaws Led to My Epic Hacking,” which offers an excellent summary of exactly the type of domino effect I described. I encourage you to read the full article, but for a CliffsNotes version sufficient for our needs here:

  1. The attacker started their research using Honan’s Twitter account, @mat. From there, they found his personal website which included his personal Gmail address.
  2. By entering that email and clicking the “Forgot Your Password” recovery link, the attacker was able to see a partially obscured version of his Apple ID which was used as his secondary email: m****[email protected]. From here it was pretty easy to figure out the full Apple ID.
  3. Now the attacker focused on gaining access to that Apple ID with the knowledge that (at the time) Apple support would validate an account with the billing address and last four digits of the credit card on file. The address was harvested from a WHOIS lookup of his personal site, which searches public registration info available for websites.
  4. The last four digits of the credit card were gathered by exploiting a flaw in Amazon’s tech support, which involved using everything collected so far to add a new card and email to Mat’s account, then using these new “approved” details to reset his Amazon password. From there, it was easy to find the last four digits of the credit card used on previous orders, and a safe guess he likely used the same with Apple.
  5. With both address and digits in hand, the attacker then called Apple Support and used their collected info to gain access to Mat’s Apple ID through a password reset.
  6. Once they got access to this Apple ID, the domino effect really picked up speed. As the iCloud address was the reset email for Google, they were able to gain access there and then use the Google address to reset his Twitter account password. To slow down his attempts to regain access, for good measure they used the Find My Mac feature to remotely wipe and lock his Apple devices making it much harder to reach support.

Honan’s article goes into much more detail, including some of the changes made by the services exploited to prevent similar incidents in the future. The key takeaway is that having a couple of emails without strong authentication tied to all his most important accounts, including the recovery of these email accounts themselves, meant that the compromise of his Amazon account quickly snowballed into something much bigger.

We’re going to learn from that painful lesson, and do some segmentation on our email channels based on the priority and how public we want that account to be. (“Segmentation” is an industry term that can be mostly boiled down to “don’t put all your eggs in one basket”, and keep critical or vulnerable resources separate from each other.) I would suggest setting up a few different emails, listed here from least- to most-public:

  • Recovery Email: Only used for password resets when a backup address is allowed, and nowhere else.
  • High-Priority Email: This would include anything with payment, financial, health, or other sensitive information. This email is only used for these sensitive accounts, and I would encourage you to opt out of any sharing/advertisement consent options to minimize its footprint.
  • Social Email: Think of this as your “calling card” – when you want to be found by a personal contact. For instance, if you wanted the option for your friends to connect their contacts to an account to find friends, this is the address you’d use.
  • Low-Priority Email: This is for…everywhere else you have to provide an email address for one-time or trivial purposes. Want to sign up for a newsletter, receive coupons/sale notifications, or create an account to reply to someone’s comment on a news website? While you can always use “disposable” email services to create a single-use email account, many websites will block these temp account services from registration and you may someday need to re-access the email you used. For this reason, I recommend setting up a dedicated address. Some email services like Gmail even allow you to create task-specific versions of your email address using a “[email protected]” format. This way, if that tagged email shows up in another message or on another site, you’ve got a good idea who shared your information!

For all of the above, of course, we’ll create strong passwords and set up 2FA. And speaking of 2FA, you can use the same split-channel approach we followed for email to set up a dedicated verification number (using a VOIP service or something like Google Voice) when sending a passcode by SMS is the only option supported. Keeping these recovery numbers separate from your main phone number reduces the risk of them being leaked, sold, or captured in an unrelated breach.

Good news: We’re almost done with doxxing ourselves! In the next section, we’ll sweep out those unused accounts to avoid leaving data-filled loose ends and take a look at how data brokers profit off of your personal information and what you can do to opt-out.


Written by Zoe Lindsay. Guest blog courtesy of Cisco Systems. Read more Cisco guest blogs here. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.



Source link

Previous Post

Comcast’s big rival to Roku and the smart TV is called… Xumo

Next Post

AMD offsets weak PC sales with strong data center growth

Next Post

AMD offsets weak PC sales with strong data center growth

Recommended

The 30 best Mother’s Day gifts for moms in 2023

May 3, 2023

Ericsson announces new solutions to boost 5G indoor capacity

February 10, 2023

Huawei’s latest watch is a jab at the Apple Watch Ultra

April 3, 2023

Catching Up With Rob Rae, Pax8’s Newest VP

February 6, 2023

Asus’ ROG Ally handheld gaming PC doesn’t look like an April Fools’ joke

April 2, 2023

Don't miss it

News

MSP M&A: Meriplex Acquires Systems Solution, Inc

May 30, 2023
News

League of Legends esports players voted ‘overwhelmingly’ for a walkout

May 30, 2023
Telecom

Taco Bell Hack Promises Customers Chicken Quesadilla Discount

May 29, 2023
News

Recover Your Systems and Data From Disaster With Confidence

May 29, 2023
News

Dolphin says Nintendo blocked a Steam release of its Wii and GameCube emulator

May 29, 2023
Telecom

Worker ‘Hacks’ His Resume to Bypass Hiring Filters

May 28, 2023
Telecomm-white

© Telecomm News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Telecom
  • Contact us

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Telecom
  • Contact us

© 2022 Telecomm News Hubb All rights reserved.