“The group knew its victim, knew what it needed from a campaign, and once that objective was achieved, the target was abandoned.” Michael Mimoso, Threatpost.com, Jan. 14, 2014.
In the quote above, Mimoso is talking about a targeted espionage attack on defence contractors and tech companies. But his statement could apply to many cyber crimes. It doesn’t take much for criminals to pick you as a target, turn your life upside down, and then forget about you. In today’s cyber world, one of the safest and easiest ways for criminals to gain information about you, your habits, and your net worth is social engineering. And most of us make it far too easy for them.
What drives people to put their valuable information online? In most cases, it’s a momentary lapse in concentration. You’re signing up for a social media network, and you don’t stop to think before answering all those questions they ask you. They’re very persuasive: Yes, we need your username and password. Yes, we need your email address. Look, we really need your date of birth, and while you’re at it, can we have your address, phone number and a set of fingerprints?
The social media sites can be very sneaky. They add some guilt into the mix, saying that your friends will not be able to find you if you do not put all of that information in your profile. Once you have completed the process of putting in that information, they then use it to target you with adverts that they think you will be interested in—but that’s a problem for another post.
So the sites you use have loads of information about you. Now we also have the single sign-on, with other websites using your Facebook or Twitter logon to verify your credentials. So the simple security step of unique passwords for different sites goes straight out the window. What’s to stop the criminals from infecting that site with malware and capturing the information going between the two locations? Sorry, but not much!
There are other ways bad guys can access your “secure” accounts. How many of us use actual correct answers to the security questions on sites like Gmail? Maybe you type in your mother’s maiden name, Smith, and your mother puts “née Smith” somewhere in her Facebook or LinkedIn profile. Or how about “first pet’s name,” and you have pictures of the dog on your Facebook page? A dedicated hacker can make the connection. Think that sounds strange? I’ve seen it done.
In both cases, you need to come up with a standard answer to these questions that does not reflect the truth, and that no one would guess you’d use. For example: your mother’s maiden name = yellow, and your first pet’s name = chair. This makes it very hard even for people who actually know you to gain access to your digital information. Think no one you know could be so devious? Some of your Facebook “friends” are probably people you’ve barely met. And some of your loved ones might not be your loved ones in a year or two. Think separation, divorce and massive argument here!
The bad guys—including people that you know—are always looking for ways to get in. In most cases, once they are in they steal everything they can, ruin your good name, expose your private life to the internet and then move on, leaving in their wake a smouldering version of your life.
Too often, we’re left hoping that someone else is protecting the information that we have given them from the bad guys. Their motivation to do that is weak. Before we give information away, we should tell ourselves, “It is still my information and it is my problem to make sure that it is safe.”
When it comes to protecting yourself, keep two things in the back of your mind: be paranoid, and be very aware. Do not allow others to protect you; do it yourself.