By Shelby Cunningham, Marcelle Drakes-Ruffin, and Ashley Rae Tolbert
Shelby Cunningham, Marcelle Drakes-Ruffin, and Ashley Rae Tolbert are graduate students in the Master of Science in Information Security Policy and Management (MSISPM) program at Heinz College, Carnegie Mellon University.
When Target fell victim to hackers seeking credit-card numbers, we were shocked to learn that it started with a social engineering attack against an HVAC company they used. Surely, nobody would try to breach a retail giant through people who personally held nothing of value. But the teenager who fell for a fake MySpace login in 2006 could have grown up to become an employee who gives information to a fake colleague. Social engineering — manipulating human nature to get sensitive data — can expose anyone to attack. The good news? Simple strategies offer protection against attackers.
Social Engineering
Humans operate under a set of schemas that give them predictable patterns for behaving in the real world. Hackers exploit these schemas by applying them to inappropriate situations. Everyone knows to type their usernames and passwords into fields asking for that information. It's part of the schema of using the Internet! Hackers use this popular situation frequently to harvest user account information. Stopping and thinking before falling into a familiar pattern can make the difference between becoming a target and averting a breach.
The Solution: Use Healthy Skepticism
- Be as vigilant as you can and utilize sensible skepticism.
- Before giving out confidential information, be sure to first verify the identity and the need of the person asking.
Common Data Privacy Mistakes
Cybercriminals do not always have to lure their targets into a trap. Some people actually make it easy for attackers to compromise their privacy. In many instances, cybercriminals merely capitalize on the bad practices that computer users apply to formulating passwords, using web-enabled devices, and interacting on social networking websites. Exploiting these vulnerabilities presents hackers with means, opportunity, and motive (MOM) to perpetrate an attack.
Password Blunders
Some companies require employees to create a different "strong" password every 60 days for each corporate application. Many users find this practice annoying. Instead, they construct a single password by incrementing the digits in their previous password and reuse it across every corporate account. For instance, password001 becomes password002 with practically no effort. They often apply the same practice to personal e-mail accounts. What a horrible mistake! Even the strongest password is rendered weak when used on multiple accounts.
Another popular practice is switching out characters for similarly formed symbols to make the password seemingly more complex; for instance, switching "s" with "$" and "a" with "@." While incorporating symbols does help make passwords stronger, the usefulness of this technique is negated when computer users fall victim to another widespread password practice — using "password" as a password! Selecting one of the most frequently used, easy-to-guess authentication strings essentially transforms the promise of a strong password into trivial symbol swapping. There is a common misconception that hackers do not know these password tricks, but in reality hackers are already well aware of these maneuvers and count on people using them.
The security implications of weak passwords are exacerbated when consumers conduct transactions electronically. Online shoppers pay little attention to the passwords that guard their payment information, depending on e-vendors to protect private data. Unfortunately, some e-commerce websites do little to prevent security breaches. A recent study conducted by password management website Dashlane found that 86% of sites have inadequate password policies, which make them susceptible to hacking.1 In response to consumers creating accounts on new websites, Dashlane's CEO pointed out, "If you give this new website the same password you've been using everywhere else, it's essentially equivalent to giving the keys to your house to someone you've never met."
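The habits described above (incrementing a trailing counter, swapping "s" for "$" and "a" for "@", and building on "password") are exactly what an attacker's wordlist rules already cover, so a site's password policy should undo those tricks before judging a password. The checker below is an added example, not code from the authors or from Dashlane; the denylist, the substitution map, and the function names are constructed for illustration.

```python
import re
from typing import List, Optional

# Reverse map for the symbol swaps the article describes ("s" -> "$", "a" -> "@")
# plus a few other widely used substitutions. Constructed for this example.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "5": "s", "7": "t"})

# Constructed denylist; a real policy would use a large breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin"}

MIN_LENGTH = 12  # assumed policy value, not from the article


def normalize(password: str) -> str:
    """Undo the tricks from the article: drop a trailing counter, reverse symbol swaps."""
    base = re.sub(r"\d+$", "", password)      # password002 -> password
    return base.translate(LEET_MAP).lower()   # p@$$word   -> password


def is_increment_of(new: str, previous: str) -> bool:
    """True when `new` differs from `previous` only in a trailing digit counter."""
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    m_old = re.fullmatch(r"(.*?)(\d+)", previous)
    if not (m_new and m_old):
        return False
    return m_new.group(1) == m_old.group(1) and m_new.group(2) != m_old.group(2)


def check_password(password: str, previous: Optional[str] = None) -> List[str]:
    """Return the policy findings for a candidate password; an empty list means it passed."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if normalize(password) in COMMON_WORDS:
        findings.append("reduces to a common word once symbol swaps and trailing digits are undone")
    if previous is not None and is_increment_of(password, previous):
        findings.append("only increments the digits of the previous password")
    return findings


if __name__ == "__main__":
    for candidate, old in [("p@$$word002", "p@$$word001"),
                           ("P@ssw0rd2014", None),
                           ("correct horse battery staple", None)]:
        print(candidate, "->", check_password(candidate, old) or "OK")
```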
The Solution: Adopt Good Password Habits
- Avoid common words, or even real words, if possible. Typing nonsense sounds like a silly idea, but it makes your password far less guessable.
- Consider using a random character generator if you have difficulty creating a password.
- Use a free password manager, such as LastPass or Dashlane, to organize and secure passwords.
- Enable two-factor authentication where available as an additional security mechanism.
Insecure Devices
Chances are you have a smartphone, a tablet, and/or an e-reader. According to the findings of a recent Pew Internet Project Research report, 90% of Americans have a cellphone, and 58%, 32%, and 42% respectively have a smartphone, e-reader, and tablet.2 If you invested in a protective case for these devices to guard against damage from falls and bumps, that takes care of the physical protection, but what about protecting data and identity? Are you making well-informed decisions about the types of applications downloaded onto your smartphone?
Every downloaded app affects your privacy by demanding access to various elements of your phone, including location, contacts, identity, photos/media/files, and device ID and call information. The popular game Angry Birds, for instance, needs access to most of these items. If you decide not to accept the terms, you can't install the application. Why does any of this matter? Not all apps are legitimate. An app that seems innocuous might actually be a malicious program waiting to infect your device and steal your data.
The Solution: Protect the Physical Device and its Stored Data
- Verify privacy and security settings on your device.
- Disallow automatic app installations.
- Use a numeric passcode to lock the phone, including a SIM card lock.
- Require a password to check e-mail.
- Encrypt your device, including accounts, settings, downloaded applications, and associated data and media files.
- Install security policy updates for your device.
- Turn off Wi-Fi, Bluetooth, and near-field communication (NFC) after use.
Social Networking
Speaking of devices, how much time did you spend posting on social networking sites from your mobile device today? Social networking has become commonplace. Through these interactions, users stay in touch with friends and family, build professional connections to land that dream job, and share life-changing moments. But do we possibly share too many details?
Photos that reveal your location, possessions, or other details hackers may find interesting can give them a means of attack. For instance, sharing photos of your current three-week vacation in Jamaica, after posting a photo of the equipment in your home office on a social networking website, may seem harmless; to a hacker, however, it is the perfect opportunity to plan an attack. Why? You informed the hacker that you are not at home and provided a general description of the equipment to hack.
A recent article in USA Today visited studies on using social networking sites for research. Author Sharon Jayson referenced a study conducted by Assistant Professor Ilka Gleibs at the London School of Economics: "'Facebook is transformed from a public space to a behavioral laboratory,' says the study, which cites a Harvard-based research project of 1,700 college-based Facebook users in which it became possible to 'deanonymize parts of the data set,' or cross-reference anonymous data to make student identification possible."3
Do not rely on social/professional networking websites to protect your data. During the LinkedIn hack in 2012, approximately 6.5 million user passwords were exposed. Additionally, a browser extension called Sell Hack once allowed anyone to view any LinkedIn user's email address, even if that user was not in their network.4
Though newer, Instagram is not immune to security breaches. A security researcher recently publicized a flaw in Instagram's software that permits hacking of accounts. According to the report, Facebook and Twitter were once prone to similar attacks through a Firefox extension, Firesheep.5
Twitter is not just a real-time blogging site, and it generates revenue from more than just advertising. According to a Wall Street Journal report, "$47.5 million came from selling off its data to a fast-growing group of companies that analyze the data for insights into news events and trends."6 Yes, Twitter, like Facebook, makes a profit by sharing users' data with third parties for analytical purposes.
The Solution: Caution
- Only post what you are comfortable sharing publicly.
- Do not add "friends" that you don't know to your network.
- Change your password often, and do not automatically sign in to social networking sites.
- Share only the necessary information. Avoid posting your birth date, if possible.
Finding Help and Advice
Information security is everyone’s responsibility. Learn how to protect yourself, your friends and family, and your devices with resources provided by the National Cyber Security Alliance (NCSA), STOP. THINK. CONNECT., and OnGuardOnline. For students, faculty, and staff at colleges and universities, your IT department and Information Security office are great local resources.
Notes
1. Marcy Bonebright, "Study: 86 percent of websites have weak password policies," guest blog, Christian Science Monitor, June 3, 2014.
2. "Mobile Technology Fact Sheet," as of January 2014, Pew Research Internet Project.
3. Sharon Jayson, "Social media research raises privacy and ethics issues," USA Today, March 12, 2014.
4. Lisa Eadicicco, "You Can Find Anyone's Email Address on LinkedIn Using This Tool," Business Insider, April 1, 2014.
5. Paul Ducklin, "How anyone can hack your Instagram Account," Naked Security from Sophos, October 10, 2014.
6. Elizabeth Dwoskin, "Twitter's Data Business Proves Lucrative," Wall Street Journal, October 7, 2013.
7. Melanie Pinola, "How Can I Protect Against Social Engineering Hacks?," Lifehacker, August 8, 2012.
© 2014 Shelby Cunningham, Marcelle Drakes-Ruffin, and Ashley Rae Tolbert