AXEL.org

infosec

How To Sound Like A Cybersecurity Expert

Cybersecurity is a buzzy topic these days. Everyone seems to be clamoring for tips on how to stay safe online, and you read in a listicle somewhere that cybersecurity is currently one of the fastest growing fields. So how can you get a piece of the respect and professional prestige that a cybersecurity expert might have? Simply follow these tips.

Warn people about social media

Inform people that by posting photos of their brunch on social media, they are giving hackers and state actors the tools necessary to take you down.

But actually, that’s too specific and information-y to remember, and it’s kind of a downer. Make your warnings vague, as in, “that Facebook is up to no good!” or “be careful about Twitter!” This way, when the next terrible Facebook or Twitter thing happens, people will recognize your prescience.

Bring encryption up often

Now, you may not know what encryption is, and I certainly don’t, but what we do know is that it’s somehow important to cybersecurity experts. Talk about it a lot, and if you encounter someone whose knowledge on encryption is more advanced than yours, simply run away.

Make a big deal out of the dark web

Studies have shown that people love hearing about the dark web. Take advantage of this fact to improve your social standing by making a huge honkin’ deal out of the dark web whenever you can.

If you see someone holding a credit card, mention that there’s lots of stolen credit card information on the dark web. This will confuse them into thinking you can help them keep their credit card information off the dark web.

Extra points if you can explain to people what TOR stands for. But if someone actually asks you how it works, this is again the moment to simply run away.

Loudly proclaim that quantum computing is the future of cybersecurity

This is certainly true. Don’t ask me why.

If someone asks you to elaborate on your claims, run away.

Chant “identity, not perimeter” to anyone in your general vicinity

The idea here is that perimeter security, or the mighty firewall as some call it, will be overtaken by identity and access management security, which allows for more granular permissions to be set, and ensures that even if someone does breach the firewall, they won’t have access to everything.

But that’s sort of a long thing to remember, so just remember the chant. If anyone asks questions about the chant, tell them to stop interrupting the chant.

Start a group chat to share cybersecurity articles you don’t understand

You’re not legit until you’re sharing articles saying common facts that we all know about like “phishing is a thing,” and “hackers have our data.”

To solidify your standing as a thought leader, however, you need to take it one step further. Sharing articles about concepts you don’t understand will allow you to rise to the top of the cybersecurity fake expert field. Look for a title like “why you NEED quantum encryption TOR identity blockchain security NOW.” If someone asks you what that means, tell them it’s too late for them if they don’t know.

Do Your Apps Know Too Much About You?

Two years ago something incredible happened.

A simple computer game brought the world together and got gamers out and about into the big wide world. But after the immediate rush of excitement about “catching ‘em all”, users started to realize something a little more sinister about the Pokemon Go app.

As well as letting them throw imaginary Pokeballs in real-life locations, the iOS version of the app was caught accessing almost all of users’ Google account information – everything from emails down to photos.

Two years later, Mark Zuckerberg made a statement about the vague data collection techniques apps were using through Facebook. He was keen to iterate that Facebook does use sound clips from videos recorded directly onto Facebook to serve relevant ads after questions around this became louder and louder.

But his statement wasn’t exhaustive enough in covering what exactly our apps know about us.

This is because of the ambiguous nature of app permissions.

They tend to be oversimplified so as not to overwhelm the user, but below the simple sentences and soothing reassurances they can gather a huge amount of data with every single interaction.

Of course, some data collected is absolutely necessary for the apps to work in the first place. For example, a photo app won’t work if it can’t access your photos, and Uber needs your location information so it can pick you up in the right place – duh.

But once you give apps that need information access to your data, they can start to worm their way under the surface to dig out more and more information about you and your behavior.

Take location access as an example.

Once you give away your location, app makers are then able to use that information to figure out what floor of a high-rise you live on or the places you visit the most.

Why Apps Want Your Data

Data is gold for app makers. With information about their user base, apps can perform all sorts of other actions, like:

  • This is the key activity app makers do with the data they’ve gathered. Knowing everything about you means they can serve up relevant ads and charge advertisers more and more for being so highly targeted.
  • Curated content. This keeps users sticking around for more. If they’re seeing more of what they like, they’re more likely to engage with the content and keep coming back for more.
  • App development. Data can be really useful for knowing what users do and don’t like, which can be used in the future to improve the app or make another app altogether.

A whopping one-third of consumers don’t think advertisers collect data from them.

App Permissions: What Do Your Apps Know About You?

Now you know why your apps might want to scrape together the digital breadcrumbs of you, let’s take a look at what they actually know about you, because it can be easy to jump to conclusions and envision a Big Brother type scenario which often isn’t the case.

Your smartphone is actually packed full of sensors which can decipher your whereabouts, what speed you’re traveling at (including what form of transport you’re traveling on), and which way up you’re using your phone.

But you’re not completely powerless.

This is where app permissions come in, a.k.a. the “barrier” between app makers and the data stored in your phone. When a pop-up shows up on your phone with a permission request, it’s up to you to decide how much data you pour into the hands of the app maker.

However, this is easier said than done, and that’s because very few apps give detailed explanations about what information they’re going to collect and use.

Many app makers do this in the interest of their users; they don’t want to overwhelm them with technical drivel, so they keep it simple. But this means that a lot of users don’t actually know the full extent of what they’ve agreed to.

If you want to know exactly what an app can and can’t see about you, there’s a way.

On an Android device:

  • Open the settings app
  • Go to the Apps & Notifications center
  • Choose an app and click Permissions

On an iOS device:

  • Go to the Settings app
  • Choose an app
  • See the Permissions that are listed

On both kinds of devices, you can usually switch off permissions with a toggle button to pick and choose what data can and can’t be collected (though bear in mind that some apps need certain permissions in order to run).

And, though this is a good starting point to find out what your apps know about you, it doesn’t always give you the full story.

Take the incident with Uber recently, where it was discovered that the app was secretly recording screen activity on iPhones. The company hit back that this was to improve functionality with the Apple Watch app, but it just goes to show that even if you think you know what an app can find out about you, there might be something more sinister going on.

How Are Things Changing When It Comes to Apps and Data?

Phone providers are now cracking down on what app makers can and can’t do when it comes to permissions – particularly location permissions.

When requesting location access, app makers now have to adhere to the “only when using the app” rule, which means they can’t track users when they’re not inside the app.

But while control settings are getting tighter, they’re also getting more and more convoluted. App makers are starting to bundle permission choices together and still aren’t quite there with letting their users know exactly what they’ll be using data for.

Apps that require users to “unlock” a particular permission in order to use the app as it’s supposed to be used are doing so without giving away whether they might share it with marketers and advertisers too.

What it boils down to is this: people have every right to choose what they do and don’t want apps to access, but there’s not much they can do if the app in question needs their location or access to their photos to work as they’re supposed to.

In these instances, it’s up to the user to decide whether they want to continue to use the app or give it up entirely.

And, until app makers get clearer with what they use data for, many users will remain in the dark about what data app companies are collecting about them and what they’re doing with that information.

A Beginner’s Guide to Staying Safe Online

Every week it seems a new security breach is hitting the headlines so we can be forgiven for thinking the online world is a dangerous place.

Earlier this year, Facebook was lambasted for sharing user data with third party apps, while those with Androids were shocked to learn that their mobile was tracking their every move thanks to built-in location tracking tacked onto Maps and Photos.

And then there was the Amazon Echo incident, where customers realized their every interaction was being gathered together to build a case about who they are and their shopping habits.

So yes, we’d be forgiven for thinking the online world is a scary place.

Sure, the internet has impacted our lives in amazing ways, but there is a dark side just like with everything else.

But because we’ve been so eager to dip our toes into the countless benefits that the internet brings (being able to communicate with anyone, anywhere is pretty priceless), we’ve lost some of our personal privacy along the way. It’s kind of an exchange – we let you do this in exchange for this information about yourself.

This isn’t about to stop anytime soon.

We like the freedom to contact someone on the other side of the world with the click of a button. We like being able to next-day-deliver something we’ve coveted for all of five minutes. We like being able to read our favorite news stories without having to shell out for a hard copy.

Handing over our data for online freedom is the price we pay. Everything we do on the web leaves a digital trail that can be swept up and used by corporations and governments.

The problem is in the transparency of it all. Legalese in tiny fonts that are unreadable with the naked eye pull the wool over users’ eyes. We want to sign up to Twitter so we can see what everyone’s saying about the latest celebrity scandal, so we blindly tick the “yes” box without really agreeing to have our data scraped through and sold on for who knows what purpose.

Giving away even the tiniest snippets of data about yourself can leave you at risk from less-than-stellar companies, but there are steps you can take to limit how much data is siphoned from your internet activity.

If you’re not tech savvy and don’t know how to navigate the ins and outs of the World Wide Web, let us help you out.

Encrypt Your Email

Email is not going anywhere anytime soon. In 2017, more than 270 billion emails were sent, a number that’s set to increase to 320 billion by 2020.

We hear all the time about email accounts getting hacked, and this form of online communication has been hailed as the absolute worst for security. This is because a single email message gets passed around several different servers before it reaches its final destination.

You can keep the content of your messages private with encryption. Some email providers already offer this as standard, but for others you might need to download an add-on or a plugin. When it comes to the metadata that accompanies your emails though (the sender, receiver, time stamps etc), there’s nothing you can do as the internet routing system needs this information to do its job.

Hide Your History

We often get sucked into a wormhole on the internet and find ourselves knee deep in cute cat videos when all we wanted was to find a review for the new washing machine we’ve got our eye on.

It’s hard to believe that anyone would be interested in the meandering trail we took to get to the cat videos, but this information can be used by companies to know what sites we visit the most and how we get from one to the other.

This log of sites you visit is known as your “clickstream”, and you can take a look right now at the online journey you’ve taken over the past day by simply clicking “History” and then “Full Browsing History” when your browser is open.

This information isn’t private unless you always browse the web in Incognito mode so the sites don’t retain your Cookies (watch the video below to understand what Cookies are), or to download a free tool that obscures your clickstream.

Video:

Get Savvy with Your Social

It always seems to be social media sites hitting the headlines with privacy concerns (we’re looking at you, Facebook), and that’s because social channels are filled with a bounty of information about their users; from date of birth to restaurants you regularly check into and your closest friends, these sites literally have an incredible low-down on you.

But again, it’s the price we pay to stay in the loop and to share filtered pics with our nearest and dearest.

The best advice here for eliminating any chance of your data being scraped and used elsewhere is to delete all of your social media accounts.

If that seems too drastic, give yourself peace of mind by having your accounts on the highest security settings possible (here’s a great guide to help you do that) and leaving out any identifying information like your date of birth or your home town.

We can’t control what others post on social media (and sometimes they’ll post stuff about us that disappears into the ether), but we can control what we hand over to the grasping hands of big corporations.

Leave Your Location Out of It

There’s something thrilling about checking into a new place, whether we’re humblebragging about visiting the latest high-end restaurant or simply want people to know that we’re Out There Having Fun.

But location data can be incredibly valuable if it falls into the right hands.

Think about it: not only are you providing information about where you are and what you’re doing there, you’re handing over data like what time of day you like to do that activity, and you’re even giving nearby locations the chance to target you with ads while you’re in the vicinity.

The answer here is simple: turn off your location when you don’t need it and avoid using sites that require you to “check in” or need location information.

Other Things You Can Do

Encrypting your email, being elusive with your social media information, and avoiding the lure of “checking in” are good starting points for protecting your online data privacy.

But, taking it further, you can ensure that your password across everything is not something that can easily be guessed. Instead of having a password, go for a passphrase that is made up of multiple words, numbers, and symbols.

And, when it comes to your search engine habits, be ruthless.

Many of the big search engines make a note of your searches and build a profile of you to serve up relevant ads. If you want to avoid this, you need to avoid the big guys and instead use a search engine that doesn’t track your every search term (the oddly-named DuckDuckGo is good for this).

Protecting online data is a big concern for most internet users, but for the tech-phobic it can be truly terrifying, especially if you don’t even know how to start protecting yourself.

Hopefully these tips will point you in the right direction and help you get your privacy back under control, pronto.

The Growth of Privacy – VPNs and Beyond

We all expect to have our private matters kept away from the prying eyes of strangers. Recent years have seen a flurry of wild reports on the grapevine, from federal agencies spying on telephonic conversations to personal data being stolen from the cloud and used for unintended means. As far fetched as they may seem to the average personal internet user, many of them are true.

The gravity of the situation truly came to light in 2017 when the US Congress and Senate approved the decision to remove privacy protection for internet users. This was no doubt backed by corporate powerhouses looking to sell and buy data. USA, the land of dreams, fell prey to prying and spying, and was criticized by many for selling out the privacy of its own citizens.

In the thick of things: Telcos

Telecommunication companies, or telcos, are right at the center of the storm. Increasingly under scrutiny due to the rapid increase in cellular users, these companies actively trade-off between the multipolar attraction of user privacy, revenues off data sharing, and network exploitation.

Verizon is one of four cellular service providers who have agreed to halt the selling of user location to data brokers.  This is a direct result of increasing pressure from regulators to protect cell phone users.

However, regardless of the role that Telcos eventually adopt, users too are adopting safe measures for the protection of their data. The data security market is expected to be worth $22.85 billion by 2020. As for today, there are an array of commercial off-the-shelf (COTS) and personalised solutions to the classic problems of privacy.

With this in mind, we thought it would pertinent to give a 101 of the most popular option; one that helps create a virtual bubble to protect our privacy from prying eyes.

What are VPNs?

VPNs are rapidly gaining popularity with both corporations and individuals.

The term stands for Virtual Private Network and basically allows users:

  • to access private networks securely
  • remotely share data through public networks.

In other words, it allows an individual / firm to protect their identity, and data, from unauthorized users online.

What VPNs do

  • They secure sensitive data online and during transfer/use.
  • They encrypt data – even if data gets stolen, encryption makes it of little use to the average hacker.
  • Bypassing of content filters becomes possible; this can be godsend in countries such as China, where whole stratas of the internet are blocked due to stringent internet policies.
  • Data can be shared for an extended period.
  • You can browse the web in complete anonymity. Continuing from the Chinese example above, you would not want the government to go through your ‘How to launch an Arab Spring’ reading list.
  • Implementation of a VPN system increases bandwidth and efficiency.

Given all the benefits of VPNs, it does come to mind that the setting up and running of a VPN would be a complicated process. Surprisingly, with the help of COTS solutions, it is as simple as typing in a password and username. VPNs work on the basis of protocols that are constantly being upgraded and improved. The most common are:

  1. PPTP

PPTP stands for Point to Point Tunneling Protocol and has been around since the 1990s. PPTP works by encapsulating the data pocket rather than encrypting the information. This particular system owes its popularity to its adaptability towards almost every operating system. With the advent of stronger and more secure protocols, the credibility of PPTP has been called into question. It is still a strong VPN, just not the most secure option available.

  1. L2TP/IPsec

L2TP and IPsec are actually two different protocols that are often used in combination. This is because pairing the two adds their most coveted properties together to form a reinforced security. L2TP is unable to encrypt data so it generates a secure tunnel, while simultaneously IPsec takes charge of encryption channel security as well as data integrity to ensure that the channel of communication remains uncompromised.

  1. Open VPN

Open VPN has gained immense popularity. This is largely due to the fact that it is freely available and thus the cost factor, which might otherwise weigh heavily, is completely eradicated.

Treasuring your Privacy

Data protection can be expensive: most good data privacy services cost a good deal of money. Here are some tips to make sure you get the most bang for your buck.

  • KillSwitch works to ensure that the data remains safe in case the connection drops.
    There are two main types; one blocks internet traffic in case the VPN drops while the other shuts down applications.
  • Use P2P servers to download torrents.
  • Make sure the settings of the VPN are set to protect against any data leaks.
  • Use the VPN service diligently on your mobile phones, especially when visiting countries with strict data theft records, such as China and the UAE.

VPNs have multitudes of benefits that have been mentioned above. However, like every other thing, they also have disadvantages.

  • With rising awareness about the threats to  personal privacy comes a larger demand for VPNs. Wherever there will be an increased demand for a particular service, it gives corporations the incentive to step in and exploit that demand through commercialization.
  • Free VPNs are opted for by most – since they are free, of course. However, “free” VPNs that are used to access blocked sites and such often allow or fall prey to malicious third parties. Even more regrettable is the fact that many of these popular solutions may come with their own set of adware and spyware, thereby granting the developer access to sensitive information.

In the grand scheme of things, many individuals consider the loss of their data inconsequential: “what would anyone achieve by accessing our personal information?” Despite the growth of the privacy industry, this fatal error is not so uncommon. Businesses, on the other hand, with decades of lessons learned behind them, are unlikely to make the same mistake.

Reference Links

https://www.forbes.com/sites/forbestechcouncil/2018/07/10/the-future-of-the-vpn-market/#22a967602e4d

https://www.forbes.com/sites/enriquedans/2017/03/29/the-upcoming-spread-of-vpns/#423a6b4679a3

https://gizmodo.com/5990192/vpns-what-they-do-how-they-work-and-why-youre-dumb-for-not-using-one

https://www.ibvpn.com/2010/02/8-advantages-of-using-vpn/

Protect Data Privacy by NOT Collecting Data at All

In Hansel and Gretel, the two siblings sprinkle breadcrumbs as they venture into the woods in order to find their way home.

When we browse the internet, we sprinkle metaphorical breadcrumbs of information about ourselves as we go. Unlike the fairytale, where Hansel and Gretel knew what they were doing, the vast majority of internet users are unaware of just how much information they’re giving away on their journey around the web.

Unless you’ve got blockers installed up to your ears, the tracking starts as soon as you open up an internet browser. From that moment, your digital footprints carve a route around the web that can be traced back to you at any moment.

Sites you visit can use these footprints (or breadcrumbs, if we’re sticking with the fairytale theme) to recognize who you are and serve you a more personalized experience.

That sounds great, right?

In one study, 71% of consumers said they’d prefer a personalized experience with ads, while some even expected it from brands. And the easiest way for sites to personalize those experiences is to track the interests and online behaviors of visitors.

From that perspective it works; the consumer gets a personalized experience and brands get to give their customers what they want. It’s a win-win situation.

But is it really that simple?

I mean, we’re not talking epic government data mining expeditions here; we’re simply talking about brands using specific information to better target content to their users. It’s all above board and totally legal.

So what kind of data can these companies get from you?

It can be anything from your current location and the device you’re using to specific links you’re clicking on and the actions you take on certain sites. It all starts with your browser and your IP address – the moment you pop up online, a unique number that identifies the device you’re using is recorded, marking the moment you entered the internet and where you were when you went online.

At the same time, your browser is logged as well as other uniquely identifying information like the system you’re running the browser on, the display resolution, and even the battery level of your device. Even if you haven’t clicked your mouse or typed anything in yet, you’re already being tracked.

Who Benefits from Collecting Data?

I mentioned earlier that data collection can be mutually beneficial. Consumers don’t have to see ads that they’d never buy from in a million years, while websites can get more information on their visitors to make experiences more personalized and, therefore, get more sales.

But who is it really more beneficial for? If we really get down to the bottom of it, who is really getting the most out of the dissemination of data?

Personalized experiences are nice, right? But are they worth the data breaches that happen and the inevitability that brands will sell that data to completely unrelated companies just to make a quick buck?

Let’s face it: most sites are eager to scrape as much information as they can about their visitors with the sole purpose of making more money. Sure, the thought process might be there to make experiences more enjoyable by personalizing them, but really the goal here is to target more.

Look at Facebook. The data it collects as you browse the site can determine when you’re expecting your firstborn, the exact names and addresses of the companies you’ve worked for in the past, and even your political leaning.

And guess what?

It doesn’t just collect this data to get to know you better as if you’re on some kind of weird, digital first date. It collects it to sell to companies to make money through advertising.

So yes, there are benefits to the consumer; you might not have to pick a particular city every time you want to get the weather because it’s remembered your past choices, or you might not have to shop again for those items you left in your online basket last week, but these benefits are minor compared to the massive benefits companies and sites get from tracking your every move.

Where the Lines Get Hazy…

Of course there are browser security protocols in place that mean sites can’t just go around scraping all sorts of stuff about you. In fact, for the most part, sites can only access the data they’ve collected – as in, they can only see the information you’ve “given” them while you’ve been on their site.

However, something called third-party cookies muddy the waters. These aren’t associated with any particular site, but instead get spread across a number of different pages in, say, an ad network.

Princeton University ran a study that found cross-site trackers embedded in 482 of the top 50,000 sites on the web. It might not seem like a lot in the great scheme of things, but once these third-party trackers have consumer information they can then sell it to even more people.

While the most sensitive data is redacted from these apps, consumers are still having to put their trust into a nameless, faceless brand.

But what about the data that consumers are handing over willingly?

Things like Google searches and checking into venues on Facebook?

While sites might be collecting information like which browser you’re using and what your shopping preferences are, you’ve probably handed over more sensitive information like your birth date and exact location without even giving it a second thought.

Does the Future Lie in NO Data Collection?

In May this year, the GDPR (General Data Protection Regulation) came into play in Europe. It means that brands now have to explicitly state to their users exactly what information they are collecting and exactly what they will be doing with it.

Users now have to actively opt-in to providing their information; sites can’t just take it for nothing. Already countries outside of Europe are considering this new method because, well, it just seems like the right thing to do.

But what does it mean for the future of data collection?

Now that users are more aware of their rights when it comes to data collection and have to actively “opt-in” with their information, they are becoming less and less inclined to do so.

If there’s an option to not sell your firstborn, it’s kind of a given that you’re going to go for that, right?

In this instance, the future of data collection looks bleak – especially for sites and brands. If their users aren’t giving up the goods, they’ve got nothing to work with and essentially have to go back to the drawing board.

This might invite new ways of collecting data or a more collaborative approach between consumers and brands so that information can travel between the two in an open and honest way.

The future of data privacy is uncertain for now, especially so soon after GDPR has risen its head. What we do know is that the power will be distributed more evenly between internet users and brands, and sites will no longer be able to take, take, take without building more of a relationship with their visitors.

It sounds quite nice, actually.

But would a world without any data tracking or collection be good? If every person who went online immediately went incognito, leaving not a single trace of who they are or what they’re doing, how would the digital world evolve? How would companies know what their consumers want? How would internet users cope with having to start from scratch every time they went back online?

The questions remain endless, but it’ll be interesting to see which path data collection goes down from here on out.