So, You Keep Getting Hacked?

Which one was it this time?  Your Instagram?  Snap Chat?  Gmail?  Bank accounts?  Let me guess, you recently received notice that <insert brand here> had a little mishap and some data may have been compromised?  Or, your data got stolen during the OPM hack.  Or the Equifax hack.  Or the Yahoo hack.  Whatever it is, somehow, somewhere, your information was stolen.  P.S. if you want a really good listen to what hackers can do, listen to this episode from the podcast /Reply-All/. 

But you say, I was using two-factor authentication!  I promise.  That’s great, it really is, but unfortunately in today’s world, that doesn’t mean you’re safe anymore.  I’ll talk about that in a bit. 

Maybe you’re just sharing too much information on social media. 

Maybe the hacker got lucky.  Probably not. 

So let’s talk through a few different areas where I see people making mistakes. 

Scenario 1

Girl on Instagram (not naming names here) posts on her Instagram stories that two of her accounts got hacked.  She goes on t1o say that many of her accounts all had some variation of the same password and she has no idea how she got hacked.  I didn’t ask her what that password was, nor did she share that information (smart), but I spent some time going back and forth with her, giving her tips of what to do. 

The thing is, this is more common than it should be, but it seems like most people are too worried or nervous to talk about it, same as in the commercial world (think about all these big box stores or companies that take months if not longer to come out about a compromise).  How do we change this?  Well one, it’s not a death sentence if you’re hacked, and two, it’s not something you should be embarrassed about.  Hackers are getting better, and we’re all sharing more information on the internet than ever before. 

If you’re an influencer or are aspiring to be an influencer, you’re probably posting a lot.  Well, what are you posting about?  Pictures of where you live?  Places you frequent?  Your family?  Throwbacks from high school?  Embarrassing stories?  Now take a second to think about how compiling all that information could paint a pretty substantial file on you.  Look through the last few weeks or month of your Instagram posts and stories, your blog posts, your Facebook.. Now think about it from an outsider’s point of view.  If you were someone else looking into your life from the outside, what kind of story are you telling?  Do your pictures have any sensitive information (address, delivery boxes, favorite coffee shops, and don’t laugh, I’ve seen it all)?  You might ask how your favorite coffee shop could be considered sensitive.  Well, if you go there every Saturday morning at 11am, and then again every Tuesday afternoon at 2pm, you’re setting a pattern for yourself.  All I have to do is set up shop an hour before you get there and look busy.  Then I can use a multitude of tools in an attempt to hi-jack your information, or I could just strike up a conversation with you based on the information I already have.  You say you don’t talk to strangers?  Well what if I know your favorite obscure band or sports team and I happen to have that shirt on?  You’re probably going to be more inclined to at least have a short conversation with me now aren’t you? 

Scenario 2

Now let’s think about those security questions we’ve answered again and again when we set up an account so if we lose our password we can still get in.  What city were you born in?  What was your first pet’s name?  What was your first car?  What is your mother’s maiden name?  What is your paternal grandfather’s first name?  What is your best friends first name?  What is your favorite color?  What is your favorite food?

Now remember when the quarantine started and everyone was posting quizzes on Facebook and Instagram?  Let’s take a second and think about what kind of questions they were asking. 

I’ll give you a couple minutes.

Now what kind of information are we seeing here?  They are a lot of the same questions, aren’t they?

How many times did you see something like this go around? Well, I’m glad that at least went somewhat viral because it’s true.  Yes, of course that isn’t a real quiz, they’re just making light of the fact many of these quizzes are indeed allowing the bad guy to learn a lot of information about you. 

I’ve talked a little about phishing and social engineering, both here and on the podcast, but it’s worth repeating.  People share a lot of information about themselves on the internet.  We all have a desire to be liked, to be respected, to fit in.  Social media makes that a lot easier, but it also raises the risk of what information people can use when they are targeting someone or something.  You can change your privacy settings to avoid public posts, but what happens when you get a new friend request from an attractive individual you may or may not have met at the bar last weekend?  Do you blindly accept it?  This is another way that attackers are able to bypass the “friends only” settings.  Again, we all want to be liked and to have friends.  It’s not a bad thing, as long as we recognize it as a potential bias or flaw at times. 

Scenario 3

Sometimes I join random groups on Facebook so I can get an idea of what the non-tech world is doing. Sometime last week someone posted this in one of those groups:

My first reaction was confusion, then a little bit of shock, then a lot more confusion.  Maybe it’s a generational thing, but then again I’m not that old and I still can’t get behind TikTok either.  Or maybe I’m just paranoid because I work in cybersecurity. 

By the end of the day I think there were over 100 comments on this, many of them showing pictures that they’ve airdropped to strangers in Target, or have received themselves, waiting in line at the grocery store or walking through the airport.  What?!  Airdrop is really handy at times, I get it.  I’ve used it a handful of times, but my airdrop is usually turned off, and when it’s on, I have it so only contacts can send to me.  I also don’t have many contacts, so it might as well be off 😉

I then did a quick google search of airdrop attacks, I’m talking two minutes total here.  There’s this one from December 2019 where hackers can block iPhones and iPads via Airdrop attacks.  There was this one in August of 2019 that would show your phone number and passwords to malicious third parties.  Oh and don’t forget, you can also hide malware inside images using an old technique known as steganography. 

Can we see why hacking might be occurring more and more? 

Here’s an experiment, influencer or not.  Look back at the last few months of your posts across your most used social media outlet.  Or even better, look back to your first Facebook or Instagram pictures and posts.  What kind of information are you finding? 

How about some potential good news.  In 2016, Norton released a report where they surveyed 21,000 people in 21 countries.  According to this report, 76% reported sharing passwords and engaging in risky behaviors despite knowing they need to actively protect themselves; 44% said they felt overwhelmed by the sheer amount of information they’re responsible to safeguard (raises hand, guilty); and 35% have at least one unprotected device.  Does it get better with the more recent 2019 report?  Depends on how you define this word “better”.  A little over 10,000 individuals from 10 countries were polled, with 66% saying they have chosen not to download an app or use a service based on its privacy policy (good!); 84% reporting taking at least one step to protect their online activities; 60% saying it is impossible to protect their privacy or that it is too late to do so because their information is already out there; and 66% that are worried their identity will be stolen. 

There’s still a lot to do, we are seeing a little progress between 2016 and now, but we can see there is still a lot of fear out there.  The 84% that reported taking steps to protecting their online activities is huge, but it was also reported that these were very basic activities such as clearing cookies or limiting information shared online, not using VPNs, using anonymous payment methods, or even going so far as to delete social media accounts.  Progress is progress though.  Little by little I hope people will start to see they don’t have to lock down their entire lives, but they can take steps to make it more secure at least. 

Do you want help in securing things?  Let me know, I can try and help out.