NCSAM Security Crash Diet, Week 2: Social and Travel

Last updated at Thu, 21 Dec 2023 17:43:32 GMT

Oh hello, it’s Olivia again! Time for week two of my month of Security Diets for National Cyber Security Awareness Month. I’m here to tighten my belt, metaphorically speaking, when it comes to different security practices. I’ll be testing out various security recommendations to decipher what’s realistic, what’s really helping, and what’s reserved only for the leanest, meanest security machines. Week one was all about maintenance – software updates, passwords, and backin’ it all up – aka all the semi-tedious, yet impactful chores that shrink your internet footprint. Read about it here.

“If a tree falls in the forest and nobody hears it, did it make a sound?” Except replace your ears with thumbs and the forest with an airport and you’ve got this week’s two-for-one special: travelling and social media. The two are pretty closely linked as far as use and sharing, so I’m going to consider them together this week.

In the days of yesteryear, taxis and hotels were the standard. In 2017, the millennial era of travel, it’s all about ride sharing (Uber, Lyft, and other local options) and Airbnb. I opted for both of these relatively new services to give a security comparison to the still omnipresent standards of yore.

Getting There

When I think about taking a taxi vs. a ride share service, my first concern is physical security. For me, the untraceable nature of a taxi is much more frightening to me than an Uber or Lyft. I love that there’s a record of where my car’s been, if anything were to happen. However, using a ridesharing app means… a record of where I’ve been. That location data paints a pretty obvious picture of where I spend my time. For me, it’s worth the trade-off for physical safety.

That said, if you use a more local ridesharing app while travelling, it doesn’t hurt to delete the app and its data when you’re back home.

WWW: Wi-Fi While Wandering

Almost cliché at this point is the chorus of “what’s the Wi-Fi password” immediately upon entering cafes, restaurants, bars, friends’ houses, you name it. Politics of establishments feeling obligated to pay for shared Wi-Fi at the cost of a coffee/shaming patrons who want to cut down on their data usage aside… the reality of the situation is that we live in a connected society. And when travelling without access to home Wi-Fi, the need is really real. But how do you stay safe while staying productive?

Hotel Wi-Fi is pretty universally dicey (same goes for most public spaces). Almost all have public Wi-Fi and “private” Wi-Fi you log into from your room… either of which can be easily spoofed, meaning mimicked convincingly so you think you’re logging into theirs, but are really making friends with an evil access point full of DNS poison. Again, unless you’re die hard and jet-setting with your own router, hard to avoid these networks. So, use bar rules when in Rome, a hotel, or an actual bar – be smart, be careful, and forget (networks) quickly.

The most secure option for using Wi-Fi for important information is a VPN, a Virtual Private Network. This creates a direct, secure connection on top of any, especially questionable, networks. I have one for my my work laptop (security company, duh). There are also several services that you can use for private laptops and phones. Private Internet Access is a delightful and affordable choice, but there are tons out there to choose from.

Breaking news: The KRACK Wi-Fi vulnerability was just announced, and we’ve got a full breakdown of that, as well as some recommendations on how to avoid exposing yourself. It’s like your own extreme security diet: Wi-Fi edition… until the vuln is fixed. Read up on that here.

Social Sharing

For the social sharing diet, the goal was to cut down on the risk associated with personal posting. Tod broke the exposure from indiscriminate social posting down into three motivations:

1. Please rob me – whether on vacation or out for the night, if you’re a live poster on open social media, you’re also creating a minute-to-minute guide for potential thieves. When you’re at work, when you’re on vacation, what valuables you have… the list goes on. All the better to steal your stuff, my dear.
2. Stalkers – no, this does not mean “omg I’m such a stalker” because you looked at the Instagram of a new acquaintance/ interview candidate/ ex’s best friend’s sister. While it may be the same basic exposure, the real risk is stalking with purpose of intimidation, fear, and potential harm.
3. Spam & Bots – having an account private gets rid of the Bexckyxx69 follows and diet pill DMs, or at least makes them request your attention.

1 and 2 are somewhat rare and not intended to induce paranoia, and 3 is irritating but not sinister (even if you do think marketing is ‘evil’). Like all security measures, social sharing is a trade-off between security/privacy and ease of use. Ultimately the choice is yours, so I reviewed my accounts with a max security lens to make it easier (if not at least entertaining) for you.

Instagram and Twitter, while different media, are largely the same as far as sharing goes. First of all, I made both of those accounts private since both were publicly scrollable. While it’s easier to keep pithy observations and retweets vague to avoid pinpointing location, photos often contain richer, identifiable detail. To address the “please rob me” concern, despite all the boomerangs, sunset pics, and concert videos I took while travelling, they’ll all be posted #tbt now that I’m back home. I wouldn’t say either of my accounts are incredibly personal, but it would definitely be possible to piece together my life in alarming detail by perusing my 140-character thoughts and filtered photos. Rather not. Turning location sharing off in the settings for these apps is almost not worth mentioning, but there it is, mentioned.

On Snapchat, where the only option is real-time sharing (no #tbt here), there wasn’t a ton of concern for me since the audience is limited to approved friends. For the sake of the diet, I did go through my address book and weeded out people with whom I don’t interact and definitely don’t need to be privy to my singing along with All I Want for Christmas is You.

My Facebook was already pretty locked down, but turns out when you search photos of me, tagged photos of me from an aunt – even ones that I’ve declined to add to my profile – show up for anyone. Pretty benign as far as things go, although it’s not ideal to have anyone be able to see a catalogue of semi-embarrassing photos of me.... And yet, the only way to address this is with a quick, maybe uncomfy conversation, and some education on FB security preferences.

How Hackable am I?

This is obviously a question we’re exploring together this month (so glad you, yes you, are along for the ride)! Be that as it may, Rapid7 also just released a “security personality” quiz in partnership with the NBC’s The Today Show. I’m a ‘Discerning Technologist,’ according to the quiz. The description, pasted here for your reading pleasure, is pretty spot on except for that my cursive is smoothy-smooth and not at all “rusty.” Take it and let me know what you get below. Where my fellow Discerning Technologists at?