Cybersecurity For Dummies. Joseph Steinberg
Читать онлайн книгу.
is it for a bank's loan officer to find online databases of court filings related to bankruptcies by doing a simple Google search and then looking into such databases for information relevant to a prospective borrower? Or to see whether any foreclosure records from any time are associated with a name matching that of someone seeking a loan? Doing either takes just seconds, and no laws prohibit such databases from including records old enough to be gone from credit reports, and, at least in the United States, none prohibit Google from showing links to such databases when someone searches on the name of someone involved with such activities decades earlier.
Expunged records are no longer really expunged
The justice system has various laws that, in many cases, allow young people to keep minor offenses off of their permanent criminal records. Likewise, our laws afford judges the ability to seal certain files and to expunge other forms of information from people’s records. Such laws help people start over; it is not a secret that many wonderful, productive members of modern society may not have turned out as they did without these protections.
But what good are such laws if a prospective employer can find the supposedly purged information within seconds by doing a Google search on a candidate’s name? Google returns results from local police blotters and court logs published in local newspapers that are now archived online. People who were cited for minor offenses and then had all the charges against them dropped can still suffer professional and personal repercussions decades later — even though they were never indicted, tried, or found guilty of any offense.
Social Security numbers
A generation ago, it was common to use Social Security numbers as college ID numbers. The world was so different back then that for privacy reasons, many schools even posted people's grades using Social Security numbers rather than using students’ names! Yes, seriously.
Should all students who went to college in the 1970s, 1980s, or early 1990s really have their Social Security numbers exposed to the public because college materials that were created in the pre-web world have now been archived online and are indexed in some search engines? To make matters worse, some parties authenticate users by asking for the last four digits of people’s phone numbers, which can often be found in a fraction of a second via a cleverly crafted Google or Bing search. If it is common knowledge that such information has been rendered insecure by previously acceptable behaviors, why does the government still utilize Social Security numbers and treat them as if they were still private?
Likewise, online archives of church, synagogue, and other community newsletters often contain birth announcements listing not only the name of the baby and the baby’s parents, but the hospital in which the child was born, the date of birth, and the grandparents’ names. How many security questions for a particular user of a computer system can be undermined by a crook finding just one such announcement? All of these examples show how advances in technology can undermine our privacy and cybersecurity — even legally undermining laws that have been established to protect us.
Social media platforms
One group of technology businesses that generate serious risks to cybersecurity are social media platforms. Cybercriminals increasingly scan social media — sometimes with automated tools — to find information that they can use against companies and their employees. Attackers then leverage the information that they find to craft all sorts of attacks, such as one involving the delivery of ransomware. For example, they may craft highly effective spear-phishing emails credible enough to trick employees into clicking on URLs to ransomware-delivering websites or into opening ransomware-infected attachments.
The number of virtual kidnapping scams — in which criminals contact the family of a person who is off the grid due to being on a flight or the like and demand a ransom in exchange for releasing the person they claim to have kidnapped — has skyrocketed in the era of social media, as criminals often can discern from looking at users’ social media posts both when to act and whom to contact.
Google’s all-knowing computers
One of the ways computer systems verify that people are who they claim to be is by asking questions to which few people other than the legitimate party would know the correct answers. In many cases, someone who can successfully answer “How much is your current mortgage payment?” and “Who was your seventh grade science teacher?” is more likely to be the authentic party than an impersonator.
But the all-knowing Google engine undermines such authentication. Many pieces of information that were difficult to obtain quickly just a few year ago can now be obtained almost instantaneously via a Google search. In many cases, the answers to security questions used by various websites to help authenticate users are, for criminals, “just one click away.”
While more advanced sites may consider the answer to security questions to be wrong if entered more than a few seconds after the question is posed, most sites impose no such restrictions — meaning that anyone who knows how to use Google can undermine many modern authentication systems.
Mobile device location tracking
Likewise, Google itself can correlate all sorts of data that it obtains from phones running Android or its Maps and Waze applications — which likely means from the majority of people in the Western World. Of course, the providers of other apps that run on millions of phones and that have permission to access location data can do the same as well. Any party that tracks where a person is and for how long that person is there may have created a database that can be used for all sorts of nefarious purposes — including undermining knowledge-based authentication, facilitating social engineering attacks, undermining the confidentiality of secret projects, and so on. Even if the firm that creates the database has no malicious intent, rogue employees or hackers who gain access to, or steal, the database pose serious threats.
Such tracking also undermines privacy. Google knows, for example, who is regularly going into a chemotherapy facility, where people sleep (for most people, the time that they are asleep is the only time that their phones do not move at all for many hours) and who else is sleeping near them when they do, and various other information from which all sorts of sensitive extrapolations can be made.
Defending against These Attackers
Rather than 100 percent cybersecurity, we must pursue adequate cybersecurity, which is defined by understanding what risks exist, which ones are adequately mitigated, and which ones persist.
Defenses that are adequate to shield against some risks and attackers are inadequate to protect against others. What may suffice for reasonably protecting a home computer, for example, may be wildly inadequate to shield an online banking server. The same is true of risks that are based on who uses a system: A cellphone used by the President of the United States to speak to advisors, for example, obviously requires better security than the cellphone used by the average sixth grader.
Part 2
Improving Your Own Personal Security
IN THIS PART …
Understand why you may be less cybersecure than you think.
Find