Many years ago, I worked with healthcare organizations to install infrastructure to support the modernization of their information systems. As I traversed hospitals – both in public and private sectors – I was often struck by one particular best practice: the privacy reminders were ubiquitous. If I stepped into an elevator or walked down a hallway, there was signage to remind everyone about patient privacy. Nothing was left to chance or interpretation. This was also pre-social media, so the concerns ranged from public conversations or inappropriate use of email, to leaving a document on a public printer.
Fast forward to 2019. Our society and culture have changed. We are much freer with our personal information on social media. We talk openly about our lives and post pictures and family information in the wild. We are less concerned about our privacy, as we use these platforms to connect with others – a connection we might be denied given our busy lives. However, as has oft been written, these platforms can be a cache of riches for someone seeking to steal your identity or compromise your email and other accounts. This same type of free flow of information is also following us to other parts of our lives and making it easier for the bad guys to attack and profit. Let me explain with a few examples.
I travel a bit (okay, a lot). While my global travel is mostly for work, this provides an informative world lens for people watching and listening. I am often between flights in an airport reading or catching up on email and overhear a wide variety of conversations – without even trying. Recently, I was in the U.S., delayed at the Chicago O’Hare airport for several hours as “there is (was) weather in Chicago,” the worst phrase in the U.S. travel industry. I overheard a man on the phone discussing his declined credit card in detail, including his full name, billing ZIP code, card number, expiration date, and so on. My shock quickly faded when I started thinking about how many other times I was in public and overheard things that could lead to financial or IP or other loss for an individual or company. The number is non-trivial. That’s when I decided to tweet some simple advice, and solicit input via my Twitter feed.
The results were equally horrifying and amusing. Some even thought my post was an attempt at social engineering. Overall, the response convinced me to write a blog, as the evidence I gathered suggests this isn’t a small problem. Rather, it’s a real problem. So let me start by sharing some examples and then make some suggestions (which may seem obvious to many of you) on how to protect your privacy and security.
> Notes from the airport lounge: social engineering is a thing … a really big thing. Please protect your personal information (like credit card numbers, sensitive customer information etc).
>
> -- Ann Johnson (@ajohnsocyber) April 15, 2019

> I've overheard people many times talking in lounges about confidential info re: unannounced acquisitions.
>
> -- Orion (@OrionListug) April 15, 2019

> And a few drinks later I’ve learned about unannounced acquisitions… marriage infidelities, the amount of debt someone owes, passwords pulled up from a word doc. pic.twitter.com/pPDDZd6xq7
>
> -- root (@rootsecdev) April 15, 2019

> My favorite are people who have had their credit card disabled because their travel inadvertently flagged fraud prevention.
>
> So they are in the middle of the airport, reciting all their personal info to the bank to get the card turned back on.
>
> -- Andy Mallon (@AMtwo) April 17, 2019

> How you never lock your system when you walk away because it's so inconvenient to enter your credentials. o_o. // How people on the CTA hold their phone outward and call utility companies and banks and provide information loudly. >_<
>
> -- Christopher Clai (@ChrisClai) April 17, 2019

> At one of my first IT gigs we kinda beat each other out of the first one by changing people's desktop backgrounds to annoying memes. (I got to the point of using a bluetooth dongle and my almost-smart phone to autolock it lol)
>
> -- Chris (@tuba_man) April 17, 2019

> I recently interacted with a thread where it asked individuals for the security weaknesses that they recognized in their orgs and felt would be critical if not fixed. I’m sure if people didn’t warn against accurately responding might in fact harm their org if used by attacker.
>
> -- C:…Security (@chris_foulon) April 17, 2019
So how do you protect yourself from theft of personal or proprietary company information in public? The super obvious, somewhat flippant answer is: don’t share any of this type of information in public. But, at times, this is easier said than done. If you travel as much as I do, it becomes impossible to refrain from conducting some confidential business whilst you are on the road. So how do you actually protect yourself?
Many people will read this blog and say, “well that’s obvious,” but sadly it is not, based on what I have personally observed and the feedback I received in preparation for this post. When in these types of situations, my recommendations are:
The world is quickly evolving as we embrace more technology. The onus is largely on users to protect themselves. While this blog is just a high-level discussion of social engineering and privacy, using common sense is always your best defense.
The post Oversharing and safety in the age of social media appeared first on Microsoft Security.