Words: Michele Pinassi, consultant of Cybersecurity at the University of Siena.
You are walking toward the bus stop, at a brisk pace. You were late this morning, because on your way out of your house you realised that you had forgotten your smartphone, which has become indispensable. At some point, you feel it vibrate. A notification. What will it be? You pick it up and scroll your thumb across the screen. It’s an email from Meta, Facebook: your personal page, via which you share your passion for dogs, does not meet some requirements. You are invited to click on a link for verification.
You click on the link.
The browser opens, Facebook login screen appears. You enter your Facebook credentials, as usual.
On the other side of the planet, a cybercriminal has just gained a new Facebook account. Time, now, is critical. The cybercriminal immediately logs in and changes your password and recovery information, disconnecting all active sessions. Just like that, you are locked out of your Facebook account and of all the personal information saved there.
All it takes is one click on a link at the wrong time and, all of a sudden, our daily lives can change.
Just think how much personal and confidential information a cybercriminal can acquire about us by accessing our Facebook profile, or the profile on any other social network, including WhatsApp (through SIM swap attacks, for example). Not to mention all the other attacks, from financial scams to instant messaging scams (“hi mom, this is my new phone number…”), passing through the infamous infostealers: malware designed to steal access information stored on the victim’s system (passwords, cookies…), along with screenshots of the desktop, spread mainly through channels for illegal software and “pirated” streaming services.
To which, of no less importance, we add all the data leaks resulting from attacks on companies and institutions to which we have entrusted, for various reasons, our data: I am especially talking about ransomware attacks, where exfiltrated data is offered for sale and, in many cases, released freely on the web. We are talking about data that is often sensitive and confidential, such as that resulting from attacks on health, education, and institutional entities.
And then, the smartphone: an electronic device that has become indispensable and intimately personal, where we store photos and videos of our daily lives, personal and confidential information, conversations, access to home banking and financial/institutional tools, the data automatically collected by the sensors with which it is equipped (gyroscope, compass, gps…) and much more. The loss of a smartphone can prove to be a privacy disaster, especially if not properly protected. According to some data, we are talking about 70 million smartphones lost, or stolen, each year worldwide. Have you set the PIN on your SIM card? Have you activated the automatic lock on inactivity? Have you protected, with encryption, internal and removable storage devices?
Finally, have you ever thought about the consequences of private video surveillance? I am talking about the thousands of webcams and cameras placed outside and inside private buildings, our homes, that constantly keep watch over the territory. These are cyber devices for all intents and purposes, in the IoT category, and if not properly protected and configured they risk exposing even images that should never be exposed to prying eyes. All it takes is a tour of Shodan.io with a trivial filter to obtain hundreds of audio/video streams of interiors and exteriors of private homes, stores, warehouses: a real godsend for “burglars,” as well as for private investigators and various onlookers.
We are talking about an ocean of personal data, sensitive and confidential information, at the mercy of anyone, used as leverage to carry out other attacks on unsuspecting and unwitting citizens.
The potential consequences are disastrous, as you can easily imagine.
We are all potential targets, because each of us collects data not only about ourselves but also about everyone around us: our network of friends, whose contact information we store, our work colleagues and business partners, with whom we exchange sometimes strategic business information, our family, school, doctors, and so on.
Protecting oneself from these threats is difficult, and what any of us can do is to try to mitigate, as best as we can, the consequences. Clearly, the first step is awareness: the classic “I have nothing to hide,” “there is nothing of value here anyway,” and other similar excuses do not work, as we have seen. Each of us must commit to implementing security measures commensurate with the risk context, just as we are already used to doing for physical security: a safe for precious things, a security door for our home, a regular lock for the basement. In the digital world, we can mitigate the consequences of an attack first by adopting cyber-hygiene strategies such as different login credentials for each service, enabling multi-factor authentication where possible, jealously guarding passwords (a password manager is the best choice), enabling a credential breach alert service such as haveibeenpwned.com, monitor.firefox.com or similar, and learning not to give one’s personal information to just anyone on the web (e.g., web services of dubious reputation).
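One question readers often have about breach-check services such as haveibeenpwned.com is whether checking a password against them means handing the password over. It does not: the Pwned Passwords API uses a "k-anonymity" range query, in which the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned list of suffixes locally. The following script is an added example, not code from the article or from Have I Been Pwned; it demonstrates the mechanism offline against a constructed sample response (the counts and most suffixes are made up), and includes an optional live fetcher that uses the real `https://api.pwnedpasswords.com/range/<prefix>` endpoint only if you call it explicitly.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# SHA-1 of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
# Constructed sample of a range response for prefix "5BAA6": each line is
# "<35 hex chars of the remaining hash>:<times seen in breaches>".
# Counts and the other suffixes are invented for this example.
SAMPLE_RANGE_RESPONSE = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "00000000000000000000000000000000001:2",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:15",
])


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue
        table[suffix.upper()] = int(count)
    return table


def offline_fetcher(prefix: str) -> str:
    """Stand-in for the network call: only knows the constructed "5BAA6" range."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_fetcher(prefix: str, timeout: float = 10.0) -> str:
    """Real k-anonymity query. Only the 5-char hash prefix leaves the machine."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "k-anonymity-demo"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetcher) -> int:
    """How many times the password appears in known breaches (0 if not found).

    The full password and full hash never leave this function; the server only
    sees the prefix, and the suffix comparison happens locally.
    """
    prefix, suffix = split_sha1(password)
    table = parse_range_response(fetch(prefix))
    return table.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate)  # offline sample; pass fetch=live_fetcher to go online
        verdict = f"seen {n} times in breaches" if n else "not in the sample data"
        print(f"{candidate!r}: {verdict}")
```

The same idea is what makes it reasonable to let a password manager or browser check your saved passwords against a breach corpus: the check leaks at most a hash prefix shared by hundreds of other passwords, not the password itself.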
As already pointed out, adequately protect all personal devices, from the ever-present smartphone to the laptop and PC at home, using encryption on mass storage devices and secure keys to unlock their use (P.S. do you have any idea how much information can be easily recovered from a hard drive thrown in the rubbish without cryptographic protection?).
Also, avoid installing illegal or dubious applications and software, as well as visiting pirated streaming websites that might contain malicious code, especially on the same devices where you store personal information, banking credentials, accounts and institutional materials.
As customers, moreover, we can and should give preference to companies that take special care of our personal data, starting with the principle of minimisation (also required by the GDPR): if I buy a pair of shoes, what do you need to know about my profession or sexual orientation?
For companies and institutions, on the other hand, attention to the issue of protecting users’ personal data must be an organisational and procedural priority, as well as a documentary one. Adequate resources, reasonable budgets, and internal structures managed by CISOs reporting directly to the Board or General Manager need to be allocated: cybersecurity is (no longer) a purely technical issue, as we have seen, but embraces all business processes, including external suppliers (ever heard of supply-chain attacks?).
We are all targets and will be targets more and more, in a world where information is a very valuable resource both financially and politically. Let us, therefore, try not to make life too easy for cybercriminals.
Michele Pinassi is a consultant of Cybersecurity at the University of Siena. He holds a master’s degree in Data Protection, Cybersecurity, and Digital Forensics from the University of Perugia and has been working in the ICT field for over 20 years. He has always been keen on issues related to privacy and digital civil rights, and through his blog www.zerozone.it and the free awareness project cittadinomedio.it, he strives to raise awareness among citizens on these topics.
Also this year GÉANT joins the European Cyber Security Month, with the campaign ‘Become A Cyber Hero’. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm23