Isolate and protect: how to reduce reputational damage, privacy loss and security risks

By Nil Ortiz, Carolina Fernández, Jordi Guijarro and Shuaib Siddiqui, i2CAT

Identity types

We tend to have multiple identities on the Internet: from social media accounts to talk with friends or family to business-related profiles in business social networks. Every time we construct an identity we present part of our real identity (and disclose specific information) to participate in different communities. In the end, we apply a separation of concerns.

Professional identities (or even those relating to a subset of lines of work we are involved in) are one example. Typically, these identities expose our work and academic curriculum, merits and other related activities, events or information of interest on specific professional or academic areas. On the other hand, personal identities are constructed for less formal and more diverse interactions, involving contacting friends or family, exchanging interests and hobbies or managing administrative procedures, among others.

Common problems (damage to reputation, privacy, security)

However, the management of these identities has to be taken separately to avoid undesired interferences. The same way we may want some opinions to be anonymous or fully private, we may not want to share some facets of us into a totally unrelated community. Applying some caution at every interaction helps with this: isolating facets in different accounts and protecting them with sufficient security levels is part of this.

Separating identities and protecting them has a direct impact on reputation, privacy, and security purposes. A typical online reputational damage occurs when mixing business and personal identities or, in extreme scenarios, even after keeping them separate but still able to be correlated. In the first case, applications submitted by a candidate which are currently supervised by HHRR and/or administration teams could suffer if some specifically undesired trait is exposed about the candidate; which can happen with a CV or online business profile that mixes business with personal data. This can also happen when these teams perform a background check on alternative online profiles for the candidate. In this case, the facility to correlate personal and business identities is an obstacle towards the real separation of identities (or concerns) and also affects privacy – as the personal sphere is invaded by someone in the business one. For example, we have seen cases where people lost their jobs based on their political opinions, hobbies, sexual preference, religion and other personal demeanour which should not have any impact in the work environment. Furthermore, the organisation’s reputational damage takes place at very different organisations, also occurring in research centres. This occurs when an employee either owns an insecure online identity that is compromised to spread undesirable messages or, alternatively, the employee itself publishes some controversial content in their personal account; which can easily be correlated to their real identity and which often backfires on the employee [THCONV2022]. The latter is the case of a person who lost an internship at NASA due to her activity on Twitter, where an inappropriate tweet sparked a difficult interaction with another member of NASA. Once the community sparked things out and went viral, her internship was terminated [BUZZFE2018].

Security can also be at stake when sharing accounts for different identities. Attackers, for once, are benefited: they find it easier to gather all information for social engineering attacks, having both the work and social dimensions available to gather data when profiling a victim. Nowadays there are plenty of automated tools which can easily find and extract social media activity given an e-mail address, phone or name. Even if we set the maximum degree of privacy for our social media accounts, it is still possible to extract information from them correlating the activity of our contacts who do not use high privacy policies on their accounts. This information can then be used by attackers to impersonate our contacts with credible stories, like a friend sharing a (malicious) link with the photos you liked on Facebook from last time, or a recruiter from a company you liked sending you an amazing job opportunity within a (malicious) pdf file… The possibilities are countless. Hackers can not only use the information found on our related accounts to perform more precise social engineering attacks, but also use that information as seed to perform brute-force attacks on passwords; as a significant number of people use their pet name, birthday and other commonly shared personal information as part of their password. This enables attackers to reduce the complexity of cracking said passwords. Similarly, a lot of people also use security questions which have this type of personal information as answers – thus we need to be mindful of which information we share on social media and how it might be used; specially information that combines both personal and work-related environments like passport, flight details [TESSIAN2022] or login details for restricted conference access [BBCDJGE2020].

Platform and service owners are also beneficiaries from gathering much more data within the same profile. Even if the identities are separated but loaded on the same browser, they could extract data from the connection (IP) or browser (via browser fingerprinting techniques [PNBGBF2020]) to later correlate identities. In this regard, it is useful to obtain some basic notions on how your web browser can be leaking small amounts of significant data and make you identifiable (even across identities, if sharing the same browser instance) [PIXPRIV2022] and use some verification tools like [EFFCTR2022] to determine your exposure in a fine-grained fashion. Finally, even loading different-purpose identities on the same device can pose a security risk if one of them is attacked. In this case, the victim can receive a communication with a compromising link, downloading malicious content that could check the filesystem for plaintext credentials (long-lived passwords or authorisation tokens) or even scan the memory for any loaded sensitive data, potentially from another identity.

Best practices and tips

Having a tight grip on them is paramount to preserve the privacy of part of our identities, maintain the security of our data and devices and protect us (and our organisation). What are the best practices, then?

• Separate your business and personal identities with different accounts. Ideally also in different browsers.
• Consider, per identity, the feasibility of correlating them (e.g. if sharing the same name, or essentially the same across them) and the risk associated with that, given your sharing and publication patterns.
• Avoid storing credentials and personal information in the browser with the autocomplete function. Instead, use a password manager like KeePass2. After all, the extra 10 seconds saved by the autocomplete will likely not be life-changing.
• Keep your phone applications with the minimum privileges. If possible, only grant these when the app is running. Not every application needs to access your contacts, location, files, SMS, and/or calls.
• Harden your browser and operating system settings to minimise the amount of potentially leaked bits of data that help to uniquely identify your device.
• Be mindful about your presence on social media and what you share, especially in business-related environments.

References

• [THCONV2022] The Conversation, “Who really gets fired over social media posts? We studied hundreds of cases to find out”
• [BUZZFE2018] BuzzFeedNews, “A Woman Was Fired From NASA After They Saw Her Tweet: “Suck My Dick And Balls I’m Working At NASA”
• [TESSIAN2022] Tessian, “How Hackers Use Social Media For Phishing Attacks”
• [BBCDJGE2020] BBC, “Dutch journalist gatecrashes EU defence video conference”
• [PNBGBF2020] Pierre Laperdrix, Nataliia Bielova, Benoit Baudry, Gildas Avoine. Browser Fingerprinting: A Survey. ACM Transactions on the Web, http://tweb.acm.org/, 2020, 14 (2), pp.1-33. ff10.1145/3386040ff. Ffhal02864872
• [PIXPRIV2022] PixelPrivacy, “What Is Browser Fingerprinting? What It Is And How To Stop It”
• [EFFCTR2022] Electronic Frontier Foundation, “Cover Your Tracks: See how trackers view your browser”

About the authors

Nil Ortiz (nil.ortiz[at]i2cat.net) is Cybersecurity Innovation Expert at i2CAT, Internet Research Centre. Nil has a Computer Science Engineering degree from the Autonomous University of Barcelona (UAB) and a Master’s in Cybersecurity from Camilo José Cela University (UCJC). Expert in incident response and threat intelligence, Nil has experience in multiple EU countries within multiple environments (financial, manufacture, public..). He has also participated in EU H2020 Research & Innovation Projects.

Carolina Fernández (carolina.fernandez[at]i2cat.net) has participated in the technical implementation of 10+ research projects in multiple frameworks (FP7, H2020, GÉANT FPA) related to networking, virtualisation and security. Her practical experience spans the design, architecture, development, integration as well as in the operation and management of physical systems and virtual stacks. She holds a Computer Science Engineering degree from the Autonomous University of Barcelona (UAB, 2011). Her research interest areas include identity management, zero trust, NG-SDN, NFV and OAV.

Jordi Guijarro (jordi.guijarro[at]i2cat.net) is Cybersecurity Innovation Manager at i2CAT, Internet Research Centre, Jordi has Computer Science Engineering degree from the Open University of Catalonia (UOC) and Master in ICT management from Ramon Llull University (URL). Expert in cloud and cybersecurity services, Jordi managed CERT/CSIRT teams employing proactive, reactive and value-added security services. He has also participated in EU FP7/H2020 Research & Innovation Projects and collaborates with UOC and UPC as an associate.

Shuaib Siddiqui (shuaib.siddiqui[at]i2cat.net), Shuaib Siddiqui has 10+ years experience working in the academic, research and industry of ICT sector. At present, he is a senior researcher at i2CAT Foundation where he is also the Area Manager for Software Networks research lab. Since he joined i2CAT Foundation in 2015, he has been active in 5G related projects (under H2020) on the topics of control, management, & orchestration platforms based on SDN/NFV, network slicing, and NFV/SDN security. He holds a Ph.D. in Computer Science from Technical University of Catalonia (UPC) (Spain), M.Sc. in Communication Systems (2007) from École Polytechnique Fédérale de Lausanne (EPFL), Switzerland, and B.Sc. in Computer Engineering (2004) from King Fahd University of Petroleum & Minerals (KFUPM), Saudi Arabia.

Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022