inewsource hosted a cyber security panel for the public on Tuesday, April 3, 2018. (Megan Wood, inewsource)

Certain online habits can leave users vulnerable to hacking, tracking or identity theft. Connecting to the nearest public Wi-Fi network, opening the wrong email link or choosing a simple password for an Amazon account can yield disastrous consequences.

inewsource hosted a panel discussion Tuesday focusing on privacy threats today and in the not-too-distant future, as well as tools and techniques everyone can use to better protect themselves.

The event’s panelists were: Elaine Harwell, who leads the cyber law practice at Selman Breitman where she is a partner; Ashton Mozano, chief technology officer at Circadence, where he leads the development of cutting edge artificial intelligence technologies in cybersecurity and malware detection; and Tony Anscombe, a Global Security Evangelist for ESET, which makes antivirus products and other cybersecurity solutions.

inewsource reporters Brad Racino and Brandon Quester moderated the event.

A summary of the discussion is below. For a cheat-sheet of tools and techniques discussed during the event, click here.

How this relates to investigative journalism

Racino and Quester opened the discussion by explaining why cyber security matters to news organizations like inewsource. In the course of an investigation, we always consider the inherent risks to privacy. For example, a whistleblower may want to share sensitive documents that expose government malfeasance.

Reporters first try to protect a whistleblower’s privacy by offering to meet in person, Quester said. If that’s not possible, he said, “We create a suite of tools that we will then give to that source so we can communicate with them securely.”

Some of those tools include secure phone call and messaging apps, document-sharing techniques and encrypted email.

A selection of tools journalists use to protect sources, documents and communication.

Cashing in on your personal information

Companies such as Amazon, Apple, Google and Facebook use your purchasing and online browsing data for many reasons, including refining and targeting their advertisements. Lesser known is that an actual dollar value is associated with your email address, Social Security number, medical record, credit card number and other personal information.

Harwell provided a list showing the dollar value of stolen accounts. Examples include user accounts from big banking institutions such as Bank of America, Chase, and Wells Fargo; retail stores such as Target, Sears, and Kmart; and online companies such as Ticketmaster, Netflix and LinkedIn.


This data is often bought and sold on something called the dark web – a place “where things go on that we as average consumers don’t necessarily want to get involved in, or see, or be involved in,” Harwell said.

Mozano added that Social Security numbers and date of birth information are sold for a lot of money on the black market.

“Why? Because if you take a newborn, you probably have a good 18 years where you can commit all kinds of fraud in their names,” he said. “So then imagine this 18-year-old is about to go into the real world and open up an account and realize that they’re actually bankrupted many times over. This is not a joke. This is an actual massive marketplace.”

What do a Barbie, a fridge and a TV have in common?

All may be connected to the Internet of Things, a phrase that’s gained popularity over the past five years to describe a network of physical devices that can collect and share data.

Amazon’s Alexa, a virtual assistant that can connect to other wireless devices in your home such as a thermostat, scale, refrigerator or TV, is a prime example.

A vulnerability in one of those devices can provide access to all the others. Imagine someone “hacking” into your bathroom scale, using that to connect to Alexa, which is connected to your Amazon account, which stores your credit card information. Or someone getting into your Smart TV, accessing its built-in camera and remotely surveilling the inside of your house.


Anscombe told attendees about a recent project where he exploited vulnerabilities in Alexa.

“How you could exploit these devices wasn’t the scary part. It was the fact that Amazon knew everything,” he said. “Google Home, too … It’s not just one device.”

Harwell, who has children, shared one of her favorite examples of this technology involving a common toy.

“There is an internet-connected, WiFi-enabled Barbie doll who will talk to your child,” she said. “And all the conversation that your child is having with this Barbie doll is uploaded into the cloud. It’s analyzed, it’s maintained by these companies and likely going to be used in some fashion.”

And you may never know how that data is used.

“Right now the companies don’t have necessarily an obligation to tell you what they’re doing with it,” Harwell said, though “California is actually very good. We’re a leader in this country with regard to privacy laws.”

Yet there are ways around even the most stringent laws. Mozano held up his phone to the audience and explained its ability to detect orientation through accelerometers, gyroscopes and other means. “There’s not a single app out there that has to get your permission to access those things,” he said.

Mozano said that’s important because it’s possible to do a “frequency analysis,” which maps out the location of keys you press based on the tiny vibrations your finger makes when typing, to near-perfect accuracy.

“And guess what? Advertisers have been using that for a while now. It’s just that the consumer public is not really fed that information because … people freak out,” he said.


Basic steps to stay safe (and sane)

First, said Anscombe, “Make sure you have anti-malware software turned on on the device – phones, laptops, Macs – they’re all susceptible.”

He said, “Any platform that gets close to 10 percent market share starts to actually attract cyber criminals.”

When searching online, consider search engines that don’t collect or share your personal information. One example is the site DuckDuckGo, which operates differently than Google.

Anscombe gave an example of how much Google tracks your activity by asking everyone in the audience to find their Google history.

“About an hour later you’ll be locking down and coming off the internet,” he joked. “It will take you back in five, 10 years, however long you’ve been using it. It will show you from all the places you’ve logged on geographically. It will show you everything.”

There is a way to stop Google from tracking your history. Log in to your Gmail account, go to this link and “pause” all the activities listed, such as Web & App activity, location history and voice and audio activity. Then delete your history.

“You can actually remove all this,” Anscombe said. “If you look at my Google history, it’s completely empty.”

Harwell also recommended using a password manager to generate and store complicated passwords for your accounts. There are several of these managers available online, such as LastPass, Dashlane, Roboform, KeePass Password Safe, Sticky Password, and 1Password.

In addition to keeping multiple passwords, panelists recommend creating multiple email accounts.

“Create fake email accounts if you need to, and then delete them after you’re done with them so there’s no trail,” Mozano said. “There’s absolutely no need for you to use your real name or information to go sign up for a bunch of random stuff.”

Anscombe asked how many people in the crowd knew about two-factor authentication. About a third raised their hands.

“Every one of you use it,” he said, explaining that an ATM card is a prime example. It’s the combination of two factors – something physical, like a card, and something you know, like a PIN number. One is useless without the other.

Most common email services, such as Gmail, Yahoo and Outlook, offer two-factor authentication. After signing in with your password (one factor), a text message is then sent to your phone (two factors). Only after typing in that text message can you access your account.

To set it up yourself, just Google “how to set up two-factor” and the name of your email service.


Cyber security is an issue that affects all generations, as evidenced by turnout at the inewsource April 3 event. (Megan Wood, inewsource)

Keeping it all in perspective

The cyber security conversation ranged from funny to terrifying – panelists joked about dumb privacy mistakes they’ve made and shared predictions about smart cars of the future holding kids ransom for access to bank accounts.

Mozano returned often to the question of cost-benefit analysis, holding up his phone to the crowd.

“Are you willing to do away with this?” he asked. “I’m not. It’s kind of my life.”

“We all live in this society with lots of technology. I love technology. I embrace it. But I also want to know what’s going on and find out where my information is going, as well.”

Anscombe ended the panel discussion with this perspective:

“As much as we all sit up here and we scare you,” he said, “and you walk away thinking the internet is a scary place – it’s not. It’s actually one of the most wonderful things that man has ever created. … I consider when I went to school and I sat there with textbooks and I learned very boringly. You go into a school today where they have Smart Boards, and they take a 360-degree tour of the Taj Mahal when they’re learning about India, and all the homework is submitted electronically, and the kids are all communicating in real time, helping each other. You know, the internet is actually an awesome place.

“So let’s not lose sight of something we’ve created that actually is really, really good for society.”


Brad Racino was the assistant editor and senior investigative reporter at inewsource. He's a big fan of transparency, whistleblowers and government agencies forgetting to redact key information from FOIA requests. Brad received his master’s degree in journalism from the University of Missouri in...