Many years ago, I worked with healthcare organizations to install infrastructure to support the modernization of their information systems. As I traversed hospitals – both in public and private sectors – I was often struck by one particular best practice: the privacy reminders were ubiquitous. If I stepped into an elevator or walked down a hallway, there was signage to remind everyone about patient privacy. Nothing was left to chance or interpretation. This was also pre-social media, so the concerns ranged from public conversations or inappropriate use of email, to leaving a document on a public printer.
Fast forward to 2019. Our society and culture have changed. We are much freer with our personal information on social media. We talk openly about our lives and post pictures and family information in the wild. We are less concerned about our privacy, as we use these platforms to connect with others – a connection we might be denied given our busy lives. However, as has oft been written, these platforms can be a cache of riches for someone seeking to steal your identity or compromise your email and other accounts. This same type of free flow of information is also following us to other parts of our lives and making it easier for the bad guys to attack and profit. Let me explain with a few examples.
I travel a bit (okay, a lot). While my global travel is mostly for work, it provides an informative world lens for people watching and listening. I am often between flights in an airport reading or catching up on email and overhear a wide variety of conversations – without even trying. Recently, I was in the U.S., delayed at Chicago O’Hare airport for several hours because “there is (was) weather in Chicago,” the worst phrase in the U.S. travel industry. I overheard a man on the phone discussing his declined credit card in detail, including his full name, billing ZIP code, card number, expiration date, and so on. My shock quickly faded when I started thinking about how many other times I had been in public and overheard things that could lead to financial, IP, or other loss for an individual or company. The number is non-trivial. That’s when I decided to tweet some simple advice and solicit input via my Twitter feed.
The results were equally horrifying and amusing. Some even thought my post was an attempt at social engineering. Overall, the response convinced me to write this blog post, as the evidence I gathered suggests this isn’t a small problem. Rather, it’s a real problem. So let me start by sharing some examples and then make some suggestions (which may seem obvious to many of you) on how to protect your privacy and security.
Notes from the airport lounge: social engineering is a thing … a really big thing. Please protect your personal information (like credit card numbers, sensitive customer information, etc.).
— Ann Johnson (@ajohnsocyber) April 15, 2019
I've overheard people many times talking in lounges about confidential info re: unannounced acquisitions.
— Orion (@OrionListug) April 15, 2019
And a few drinks later I’ve learned about unannounced acquisitions… marriage infidelities, the amount of debt someone owes, passwords pulled up from a word doc. pic.twitter.com/pPDDZd6xq7
— root (@rootsecdev) April 15, 2019
My favorite are people who have had their credit card disabled because their travel inadvertently flagged fraud prevention.
So they are in the middle of the airport, reciting all their personal info to the bank to get the card turned back on.
— Andy Mallon (@AMtwo) April 17, 2019
How you never lock your system when you walk away because it's so inconvenient to enter your credentials. o_o. // How people on the CTA hold their phone outward and call utility companies and banks and provide information loudly. >_<
— Christopher Clai (@ChrisClai) April 17, 2019
At one of my first IT gigs we kinda beat each other out of the first one by changing people's desktop backgrounds to annoying memes. (I got to the point of using a bluetooth dongle and my almost-smart phone to autolock it lol)
— Chris (@tuba_man) April 17, 2019
I recently interacted with a thread where it asked individuals for the security weaknesses that they recognized in their orgs and felt would be critical if not fixed. I’m sure if people didn’t warn against it, accurately responding might in fact harm their org if used by an attacker.
— C:…Security (@chris_foulon) April 17, 2019
So how do you protect yourself from theft of personal or proprietary company information in public? The super obvious, somewhat flippant answer is: don’t share any of this type of information in public. But, at times, this is easier said than done. If you travel as much as I do, it becomes impossible to refrain from conducting some confidential business whilst you are on the road. So how do you actually protect yourself?
Many people will read this blog and say, “well that’s obvious,” but sadly it is not, based on what I have personally observed and the feedback I received in preparation for this post. When in these types of situations, my recommendations are:
- Use privacy screens on your laptop and your phone when in public, in meetings, and on airplanes. I cannot tell you how much confidential information I could have obtained just sitting behind someone on a plane.
- Do not discuss confidential information in a public place: restaurant, club, elevator, airplane, etc. Based on the Twitter solicited feedback, people somehow think planes are cones of silence.
- If you must conduct personal/confidential business on the road, wait until you arrive at your hotel or find a quiet place in the airport/club/restaurant where your back is to a wall and you can see anyone near you. Use your best judgment.
- Never give anyone your password. I don’t know how to say this more strongly. Do not ever give anyone your password.
- Use a password manager. Don’t reuse passwords. This way if someone does obtain one of your passwords, you limit your exposure.
- Be cognizant of what you put on social media. I am very active on social media but, remember, your information can and will be used against you. Be careful of when and how you post to avoid advertising when your home will be vacant for vacation or any personally identifiable information that could expose your passwords.
- If someone calls you claiming to be from your bank, the IRS, the police, your company, a tech support organization, offer to call them back from a number that is published on their legitimate website or the back of your credit card, etc. Do not give any confidential information to an inbound caller.
- Use encryption for sensitive data and sensitive communications.
- If you must install IoT devices at home, segment them to a unique network.
- If you are renting a private vacation home, there are some very good apps to scan the network to make certain you have privacy (e.g., that there are no cameras in a location the owner did not disclose).
- I am not a fan – at all – of listening devices at home, but if you do have one, remember there is a real possibility that all of your conversations are being recorded and could later be exposed. Be aware of what you say….
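The recommendation above to put IoT devices on their own network only helps if that network is also prevented from reaching your laptops and phones. The nftables ruleset below is an added example (not from the original post, and not a Microsoft configuration) of what "segment them to a unique network" looks like on a Linux home router; the interface names lan0 (trusted LAN), iot0 (IoT VLAN) and wan0 (uplink) are assumptions and must be replaced with your own.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original post.
# Assumed interfaces: lan0 = trusted LAN, iot0 = IoT VLAN, wan0 = internet uplink.
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections that were initiated from an allowed direction
        ct state established,related accept

        # IoT devices may reach the internet only, never the trusted LAN
        iifname "iot0" oifname "wan0" accept

        # Trusted devices may reach IoT devices (to control them) and the internet
        iifname "lan0" oifname { "iot0", "wan0" } accept

        # Anything else (including iot0 -> lan0) is dropped by the chain policy;
        # log those attempts so a compromised IoT device probing the LAN is visible
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan drop: " drop
    }
}
```

The weak setting this replaces is a single flat network (or a VLAN with no forward filtering), where a compromised camera or smart plug can talk to every other device. With this ruleset the IoT VLAN can still be controlled from the trusted LAN because the conntrack rule admits replies, but nothing on iot0 can open a connection toward lan0, and any attempt to do so lands in the kernel log with the "iot-to-lan drop:" prefix. Load it with `nft -f` and check the result with `nft list ruleset`.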
The world is quickly evolving as we embrace more technology. The onus is largely on users to protect themselves. While this blog is just a high-level discussion on social engineering and privacy, using common sense is always your best defense.