Knowing the true cost of your SOC—including capital, payroll, recurring expenses, and care—prevents wasteful spending and keeps your operation lean. Our dedicated information security experts can show you how careful planning and wise use of resources can keep your data secure and your bottom line healthy—two things previously thought to be mutually exclusive.
Now, make an even greater impact with Rapid Advanced Detection and Response (RADAR)—our managed information security service that combines monitoring and detection technology with skilled expertise to accelerate incident response, reduce blind spots, and minimize false positives.
The Internet has become the world’s largest information exchange. Give an attacker a phone number, email address, license plate, LinkedIn profile, Instagram username, or just about any other single piece of identifying information, and odds are they can find the other pieces.
The sad part is, we’ve all knowingly (and in some cases unknowingly) helped contribute to this data depot in one way or another over the years, and it’s only in hindsight that we realize we may not have made the best decisions. So now that the data is out there, what can we do about it? Well, it depends on your intentions. Do you want to completely disappear, or just minimize that digital footprint? In this blog post, BTB’s Senior Security Consultant Matt Barnett provides some guidance on staging your own disappearing act. First a disclaimer: much of the content in this blog post is drawn from the amazingly comprehensive work compiled by Michael Bazzell and Justin Carroll in The Complete Privacy and Security Desk Reference (https://www.amazon.com/Complete-Privacy-Security-Desk-Reference/dp/152277890X/). It’s a must-read for anyone taking their disappearing act seriously, since this post cannot effectively cover all facets of the topic.
No, I’m not talking about the higher path to self-enlightenment here. Before we can begin to know where to start our scrubbing process, we need to get an idea of what’s out there. Let’s start with some basic reconnaissance. The links provided in this section will help you determine what information is publicly accessible about you.
For those not looking to perform a complete vanishing act (assuming it were even possible), this section will provide some useful links to improve the security of your online presence. We need to be mindful of what information we share with our digital friends and family, as well as what information we make public to anyone who may be curious.
Complete Disappearing Acts
So you’ve decided to go rogue. Completely off the grid. Respectable choice. This section will provide a few helpful links to aid in eliminating your digital footprint.
I’ll offer a few pro tips in this section that you should consider during your visits to the Internet. These tips draw from the experience of professional hackers who use these techniques to remain stealthy during client engagements. There are also a few staple tools-of-the-trade that I’ll touch on. The tools will help protect you and preserve your anonymity online.
To Like or Not to Like
The first tip is to avoid using the “Like” button on your favorite social media site(s). I know this is going to be a hard one. Allow me to explain. Even if your profile is private, the user posting the content you “Like” may not be. Searching through the posts and images you “Like” is a way to build a profile of your hobbies, interests, political views/affiliations, etc. Some court cases have even allowed these “Like”s to be introduced into evidence or used to bias jurors in civil cases. Think before you click!
Tag, You’re It
Allowing others to tag you in photos carries risks similar to the previous tip. Imagine how your boss would feel if he saw you doing that keg-stand with your old college buddies on Friday night when you had called out sick earlier that morning.
Speaking of Photos
Have you ever seen this site (http://exif.regex.info/exif.cgi)? Upload a photo from that iPhone of yours and see what happens (or Android, if you’re on the dark side). Photos contain metadata, or data about the picture, known as EXIF data. This data is embedded by default by cameras and smartphones. It contains date/time information, the make and model of the device, GPS position, and more, and it can be harvested by anyone who obtains the original file from any site you upload it to. Note: many social media sites (e.g., Facebook) strip this data from the copy they display (Flickr does not), but that doesn’t guarantee that they aren’t capturing (and storing/selling) the EXIF data from the original on the way in. Better check those terms of service again. I’ve posted a link for a tool that will strip this data for you below.
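The metadata described above is easy to read out of a file, and just as easy to remove, without sending the photo anywhere. What follows is an added example written for this post, not code from the original article and not the tool linked further down: it uses only Python’s standard library, walks the JPEG segment structure, pulls the GPS coordinates out of the EXIF block, and produces a copy with every APP1–APP15 and COM segment removed. The sample image it builds is constructed inline for the demonstration and is not a real photo; tag numbers and byte layouts are those of the TIFF/EXIF format itself.

```python
import struct

# JPEG markers, and the TIFF field types EXIF uses (type id -> byte size)
SOS, APP1 = 0xFFDA, 0xFFE1
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
GPS_IFD_POINTER = 0x8825      # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4

def jpeg_segments(data):
    """Yield (marker, raw_segment) up to SOS; SOS plus the scan data after it
    (which has no length field) is yielded as one opaque tail."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos < len(data):
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if marker == SOS:
            yield marker, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length

def strip_metadata(data):
    """Drop every APP1..APP15 (EXIF, XMP, IPTC) and COM segment; keep APP0
    (JFIF) and the tables the decoder needs."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in jpeg_segments(data):
        if not (0xFFE1 <= marker <= 0xFFEF or marker == 0xFFFE):
            out += seg
    return bytes(out)

def _read_ifd(tiff, offset, e):
    """Parse one TIFF IFD into {tag: (type, count, value_bytes)}; `e` is the
    struct byte-order prefix ('<' for 'II', '>' for 'MM')."""
    (count,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        ent = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:                          # value is stored inline
            raw = tiff[ent + 8:ent + 8 + size]
        else:                                  # entry holds an offset instead
            (ptr,) = struct.unpack(e + "I", tiff[ent + 8:ent + 12])
            raw = tiff[ptr:ptr + size]
        entries[tag] = (typ, n, raw)
    return entries

def _dms_to_degrees(raw, e):
    """Three RATIONALs (degrees, minutes, seconds) -> decimal degrees."""
    d, m, s = [num / den for num, den in struct.iter_unpack(e + "II", raw[:24])]
    return d + m / 60 + s / 3600

def extract_gps(data):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None."""
    for marker, seg in jpeg_segments(data):
        if marker != APP1 or seg[4:10] != b"Exif\x00\x00":
            continue
        tiff = seg[10:]                        # TIFF structure follows the Exif header
        e = "<" if tiff[:2] == b"II" else ">"
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, gps_off, e)
        if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _dms_to_degrees(gps[GPS_LAT][2], e)
        lon = _dms_to_degrees(gps[GPS_LON][2], e)
        lat = -lat if gps[GPS_LAT_REF][2].startswith(b"S") else lat
        lon = -lon if gps[GPS_LON_REF][2].startswith(b"W") else lon
        return lat, lon
    return None

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input (not a real photo): a minimal little-endian EXIF
    block holding only a GPS sub-IFD, followed by dummy scan data."""
    def ifd(entries):                          # entries: (tag, type, count, 4-byte value/offset)
        body = struct.pack("<H", len(entries))
        for tag, typ, n, val in entries:
            body += struct.pack("<HHI", tag, typ, n) + val
        return body + struct.pack("<I", 0)     # no next IFD
    gps_off = 8 + 18                           # TIFF header + IFD0 (2 + 12 + 4)
    data_off = gps_off + 2 + 12 * 4 + 4        # GPS IFD has four entries
    ifd0 = ifd([(GPS_IFD_POINTER, 4, 1, struct.pack("<I", gps_off))])
    gps = ifd([(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\x00" * 3),
               (GPS_LAT, 5, 3, struct.pack("<I", data_off)),
               (GPS_LON_REF, 2, 2, lon_ref.encode() + b"\x00" * 3),
               (GPS_LON, 5, 3, struct.pack("<I", data_off + 24))])
    rationals = b"".join(struct.pack("<II", *r) for r in lat_dms + lon_dms)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + rationals
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02" + bytes(8) + b"\xff\xd9"

if __name__ == "__main__":
    photo = build_sample_jpeg([(40, 1), (30, 1), (0, 1)], "N", [(79, 1), (45, 1), (0, 1)], "W")
    print(extract_gps(photo), extract_gps(strip_metadata(photo)))   # (40.5, -79.75) None
```

To use it on a real picture, read the file’s bytes into `extract_gps` and write the result of `strip_metadata` to a new file. Removing the segments wholesale, rather than editing individual tags, is deliberate: the EXIF block also carries an embedded thumbnail, and XMP/IPTC blocks can hold a second copy of the same fields, so a file with no APP1–APP15 segments at all is the only version with nothing left to leak.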
Nothing Lasts Forever, Except on the Internet
My final tip is to always be mindful that what you put online will live there forever. There are organizations whose mission is to archive the Internet (https://archive.org/web/). Once content is up there and cached by an archiving site, it will be available in perpetuity, regardless of whether you later delete the original. The more we move to a digital society, the more important controlling our digital footprint becomes. Think job interviews and future in-laws.
Many of these will help you avoid the tracking techniques used by companies and keep your data private/anonymous.
VPN Software: https://www.privateinternetaccess.com/ : VPNs (Virtual Private Networks) create a tunnel from your computer to the VPN provider and encrypt all of your traffic along the way. Your ISP (e.g., Comcast, Verizon) will only “see” you communicating with the VPN company, while the sites you visit will only see the IP address of the VPN company, thus making you disappear like Batman after he says something really cool. There are numerous VPN providers; I personally like PIA for its ease of use, low fees ($30/yr), and lack of log retention. Be sure to read the terms of service on any vendor you are considering: a VPN moves your trust from your ISP to the VPN provider, who can now see everything your ISP used to, and the encryption ends at the provider, so anything beyond that point is only as private as the site’s own HTTPS. It also does nothing to hide you from a site you log in to. Your smartphone can also use VPN technology.
Photo EXIF Data Removal : http://verexif.com/en : As mentioned above, this tool will strip the metadata in your photos, removing things such as date, time, GPS position, camera source, etc. Keep in mind that uploading a photo to any web-based stripper hands that site the very metadata you are trying to remove; a local tool such as exiftool (`exiftool -all= photo.jpg`) does the same job without the photo ever leaving your machine.
Google Alerts : https://google.com/alerts : Google allows you to configure alerts around specific keywords (e.g., your name, place of business) and will send you an email whenever a new search result matches your query. This can help you stay informed about when your private information hits the public Internet. (This service is free but requires a Google account.)
Start Page : https://startpage.com : Google is an amazingly powerful search engine, but it comes with a few strings. Tracking. All Google queries are logged and saved against your account or IP address. If you’re searching for something you’d rather not keep a record of, consider using Start Page. Start Page will make the search request on your behalf, so Google sees only Start Page, preserving your anonymity while allowing you to use all the features of Google’s powerful searching algorithm.
Signal : https://signal.org : Signal provides end-to-end encryption for your text messages and phone calls. To use this, both parties need to have the app installed on their smart device.
We’ve covered a lot of ground today, and despite that fact, this is still a very incomplete list of resources, tools, and knowledge. It should be a great start for beginning privacy aficionados looking to dissipate that digital footprint—or, at a minimum, at least stop some of those spam calls. BTB Security is constantly researching new tools, techniques, and services that help protect customers’ privacy, improve security, and reduce inadvertent information disclosures. We’re always here to help, so feel free to drop us a line if you have any questions. A big thank you to Michael Bazzell and Justin Carroll for their extensive research in this field and for making searchable resources available at https://inteltechniques.com. Be safe out there and think before you click!
In the wake of Yahoo, Equifax, Whole Foods, Sonic Drive-In, Deloitte, the Securities and Exchange Commission, Viacom, Vevo… all in the last month, by the way, I feel confident in predicting the future: there will be another major data breach this year.
Ok, so maybe those words aren't as surprising as they once were, and you're already annoyed about the clickbait title. Good. That means we've progressed in terms of our collective consciousness with respect to the realities of attacks and InfoSec risks. Just a few years ago, most of the organizations I worked with felt fairly confident in saying, "I have a firewall" or "we've never had an incident here." Times have changed. Good.
However, what hasn't changed, at all, are the commonalities amongst the majority of breaches, be they highly publicized or not. There are fundamental control breakdowns that inevitably exist, are eventually reported on, and are debated ad nauseam on CNN, Fox News, or whatever your favorite talking-head platform may be. Here's where I earn my Doctorate in Fortune Telling. This next breach WILL involve:
Time and time again these same issues come up as root 'contributors', if not outright causes. Why? The momentum in many organizations is shifting towards a more proactive approach that would address these fundamental issues, but we haven't hit critical mass, not yet. After each incident the general public rightfully asks, "How could this happen?" or "How could this happen at BIG COMPANY?" The C-suite of the breach victim will release statements or make public appearances to reassure us that this breach was unavoidable, that all reasonable measures had been taken, that these magical hackers are just too darn good, that it's not their fault. Negative.
Advanced Persistent Threats (APT) and nation-state actors absolutely exist, and at times may play a role in some of the well-publicized breaches, but overwhelming evidence points to these basic blocking-and-tackling functions as being on the critical path to a breach. To be clear, I'm not advocating that you completely ignore the potential APT attack; rather, I'm challenging your organization to more effectively prioritize the "boring but important" or the "simple, not easy" risks. Many organizations fall victim to the line of thinking that if only they had the next latest-and-greatest tool/solution, they would be secure. The focus on Technology alone is the flaw in that approach. People, Process, and Technology. All must work in concert to meaningfully reduce breach risk.
In the midst of Cybersecurity Awareness month, consider my prediction and take action. Refuse to accept that your organization will be the next victim, that this new normal is inevitable and therefore pointless to fight against. Avoid chasing the next latest and greatest solution at the expense of the fundamentals. Invest your scarce resources smartly. Some quick wins you can execute on today:
With quick wins comes an energy which you can then employ to viciously execute your strategic plan… you do have a strategic, comprehensive, prioritized InfoSec plan… right?