The Art of Privacy – Part 2

The biggest threat to privacy is the attitude of “AH, what would someone do with my email address, phone number or social security number”. Thanks to the awareness in security and security terminology becoming a fad and the names of attacks becoming more and more attractive, non-security savvy people are starting to somewhat understand the tricks malicious attackers use to lure people into giving out their private information.

Unfortunately, this isn’t enough. Privacy threat actors range from a 13 year old sitting on a computer to state sponsored hackers to law enforcement to advertising agencies, which technically are working within the bounds of the law and aren’t doing anything illegal.

The problem, which I have been talking for ages, is that there is so much unprotected personal information available on the internet that you cannot pin point and blame a specific person for taking the data and using it. We then have a problem of data leaks, for example the recent Equifax data leak. Data leaks and public dumps are a recent trend. In the early 2000’s there were more breaches because, well SQL Injection was new, even now SQL injection is almost 50% of the times, the reason of a breach, imagine when it was new, and google dorking was new, how many databases would have been dumped and would have roamed around in the underground but they never made the news or they weren’t available for anyone to download.

The dumps of emails and passwords leaked from Linkedin, Twitter etc. are now on several websites. As an example, please find the two websites below:

Technically they do not show you the password for anyone else but just tell you if your email is in the hacked databases list, but they have all the raw data so…

I have been using a website called Pastebin for years now, which is quite valuable when it comes to find your leaked information. Google is also a very well-known platform for finding leaked information using google dorks.

Well, if we talk about data leaks, one can argue that it is not an individual’s fault that the data got leaked. It was because of an Apache Struts (Unpatched, though the patch was released like ages ago) vulnerability, 🙂 that the server got pwned! Yes, so that is not the individual’s fault. It is the individual’s fault when he is in the military and gives the whole detail about what he is doing and on which technology, so that anyone can track him down. What happens when people do that, you ask? ICWATCH happens!!!! It is also the individual’s fault, when he puts all his/her pictures public on Facebook or Instagram or any other social networking website. What someone can do with my picture from Facebook, you ask, it is not a social security number or your phone number, you say? I would just give an example, or two, of what they can do, apart from selling your picture to advertisers or a bad bad man getting a hold of your pictures, extracting the GPS location embedded into the pictures, thank you smartphones, and get your home address:

Example: So let’s talk about cryptocurrency, Bitcoin and the whole shebang. Oh, so, cryptocurrency is untraceable? Right? What do we do? Well, what the high end exchanges now do is that they require your picture taken from a camera and any photo-ID, for you to be able to get registered to that exchange and setup a wallet and so on. After that whatever transaction you do can be chained back to your account and inevitably to you. Unless you are using Monero!! So, about the attack, let’s call the attacker, “Evil Joe”! Evil Joe gets you selfie picture from Facebook which he/she conveniently finds online as it is public. Uses that picture for first round of verification and in the second round, uses a different picture and photoshops it onto a photo-ID, scans it and uploads it. Next, sets his username and password and boom, he has stolen your Face identity. Now whatever transaction he does, comes back to your face and as most law enforcement agencies have facial recognition, they will contact you and you are in trouble, at least until they are sure that you weren’t involved.

One, other scenario that I would like to briefly describe is that for example you have facial recognition on your Samsung S8. A thief steals your phone or purse (Ladies), what he can do with it, search your name on the internet, on Facebook, if he finds your public picture somewhere, where your face is prominent, he can use that to unlock your phone.

There are many other attacks, social engineering being the most effective, but for that I would refer to different books as this has been covered thoroughly by many people.

Recently, I saw a very well renowned political figure of A country, on twitter. She shared a picture of a document where she did not think of removing the name, phone number and social security number of another government official. I think that was because she has no concept of why exposing social security number is a very bad thing.

In the third part, I would explain how to protect yourself from these threat actors and how to be anonymous and invisible to prying eyes.