The Threat Landscape
Around seventy percent of Americans use social media to connect with one another, engage with news content, and share information. Further, users typically access social media platforms and consume content on their smartphone, which over 80 percent of Americans report owning. Smartphones are just one of the billions of smart devices that monitor our health, fitness and sleep, secure our homes, tell us the weather and cue up our favorite songs, shows, and movies. However, the convenience of smartphones and the instant connectivity of the internet and social media come at a price. Are there security risks hiding within our favorite applications and devices?
In honor of National Cybersecurity Awareness Month (NCSAM), an annual initiative spearheaded by the Department of Homeland Security to raise awareness about the importance of cybersecurity, we asked Boston University’s privacy and security experts Ari Trachtenberg, Gianluca Stringhini and Ran Canetti to shed light on the top vulnerabilities we need to know about. They covered security and privacy threats consumers and businesses unknowingly expose themselves to, and outlined best-practices for protection in the Q&A below.
Smart Devices and Social Media
How can we protect ourselves in a connected world?
“Smart devices quietly nestle well within our comfort zones and into our most private spaces: bedrooms, bathrooms, doctor’s offices, etc. At the same time, they are filled with all kinds of sensors that allow them to record and permanently store all kinds of information about our most private moments. The best way to protect yourself is to be aware of this, and keep all smart devices away from your most intimate environments. I, for example, keep most smart devices (TVs, speakers, etc.) out of my home; the few I cannot avoid (smartphones), I keep in a designated location that does not have access to my private areas.” — Ari Trachtenberg
How are we putting our personal information at risk when using social media?
“I think that many users don’t realize that they are not only putting their own information at risk when they’re using social media, but also the information of their friends and acquaintances. For example, when you put up a picture of you with a friend at a location, you are sharing with the social media company (and, quite possibly, all of their third party affiliates) your connection to the location — and your friend’s connection to the location — whether or not your friend wants ad agencies to know this.
The same thing goes for messages you leave on your friends’ social media accounts, or, potentially, even ‘private messages’ that you send to them through social platforms. In short, when you are using a ‘free’ service online, always ask yourself — how is this service making the money to pay its engineers and maintain its hardware? Often the answer is that they’re selling information about you and your friends.” — Ari Trachtenberg
“We provide online service, app and content providers with detailed information about our whereabouts, our thoughts, our feelings, our moods and our life patterns. Our every move is recorded, and aggregated with the moves of others. These content, social platform, and app providers sell this data to third parties who can weaponize it against us — catching us at our weak moments and manipulating our thoughts and behavior.” — Ran Canetti
What are the consequences of this behavior?
“I think that the top security threat today is not directly from overtly malicious actors, but rather from the huge amount of information that is accumulated about each and every one of us through all the devices that we use regularly. This information, inevitably, leaks to actors with very different interests than us (including malicious actors), and it can be harnessed very effectively to cause damage.” — Ari Trachtenberg
What can we do to avoid this risk, while still being active on social media?
“We can opt out of providing our information to content, app, and social media providers. This cuts them off from the ability to leverage our data, and share with advertisers and other third parties. This might cost a small price, but it’s more than worth it.” — Ran Canetti
What is the top security threat you anticipate employees will face on the horizon? What are the repercussions for both the employee and the businesses they work for?
“Ransomware is currently the golden standard of cybercrime. Unlike other cybercrime schemes like fraud and spam, the criminals are not trying to convince their victims to purchase some sketchy good, but instead offer to give them access to their data back in exchange for money.
Unfortunately, often victims have no choice but to pay their extorters. This significantly increases the return on investment for cybercriminals, and has serious repercussions for both private citizens and companies, who are constantly being targeted.” — Gianluca Stringhini
“There are many truly frightening ways malicious actors can exploit our digital trails in the workplace. For businesses, a serious example is CEO fraud, wherein criminals imitate the email or phone call of a CEO/CFO in requesting large transfers of money, or possibly the business’s network and data.
Both of these are exacerbated by the emergence of ‘deep fakes,’ wherein machine learning techniques are used to craft messages that look or sound identical to the person being scammed (i.e., from a few samples of a CEO’s speech, it is sometimes possible to realistically craft different speech that the CEO has not stated, in the CEO’s voice).” — Ari Trachtenberg
Is there an easy fix for this security risk that employees and businesses should adopt?
“To mitigate the risk of being hit by ransomware, users should constantly keep backups of their data. This can be automated, for example scheduled to happen once a week.” — Gianluca Stringhini
“It is very hard for an individual to protect themselves from CEO fraud and deep fake vulnerabilities, much like it is hard for an unarmed civilian to successfully defend against an armed criminal. Individuals should always be skeptical about any unsolicited information that they are given, and companies should have established, secure mechanisms for making significant transfers. They should also put in place pre-specified protocols for dealing with and responding to security emergencies.” — Ari Trachtenberg
Best-Practices for Protection
What is the most overlooked security feature?
“Enabling two-factor authentication can help people keep their online accounts safe. With two-factor authentication enabled, it is not enough for an attacker to know an account’s password to log into it, but they also need to get a hold of a second token, which is usually sent to the user’s mobile phone. This significantly raises the bar for attackers to successfully compromise online accounts, and protects users from the consequences of large data breaches and phishing attacks.” — Gianluca Stringhini
What is the most important “cyber hygiene” routine everyone needs to adopt (that is easy to keep up with) to achieve better security?
“Once a weakness is discovered in a program, the developer usually fixes it rather quickly. Keeping your software constantly updated drastically reduces the chances of getting compromised. Most programs nowadays provide automated updates, which is a great way for people to stay secure while at the same time not having to remember to constantly update their computers.” — Gianluca Stringhini
“Actually, it is what we teach our engineering students throughout their studies — understand the basis for the information that you are receiving, and be skeptical of any claims that are not substantiated in a manner that you can reproduce.” — Ari Trachtenberg
For additional commentary by Boston University experts, follow us on Twitter at @BUexperts. You can follow Boston University College of Engineering at @BUCollegeofENG, Boston University Department of Computer Science at @BUCompSci and Boston University Hariri Institute for Computing at @BU_Computing on Twitter.